diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py index 224606ae636f..6867d6c6946f 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py +++ b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py @@ -4,7 +4,8 @@ """ IMPORTS """ from dateparser import parse as parse_date -from typing import Any +from datetime import datetime +from typing import Any, TypedDict from collections.abc import Callable from requests import Response from copy import deepcopy @@ -14,6 +15,18 @@ """ GLOBALS / PARAMS """ FETCH_TIME_DEFAULT = "3 days" CLOSED_ALERT_STATUS = ["Closed", "Deleted"] +DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f" +MAX_ALERT_IDS_STORED = 200 + +""" Types """ +FetchIncidentsStorage = TypedDict("FetchIncidentsStorage", { + "last_fetched": str, + "last_offset": str, + "first_run_at": str, + "last_modified_fetched": str, + "last_modified_offset": str, + "zf-ids": list[int], +}) """ CLIENT """ @@ -30,6 +43,7 @@ def __init__( } self.fetch_limit = fetch_limit self.only_escalated = only_escalated + self.auth_token = "" def api_request( self, @@ -101,6 +115,8 @@ def get_authorization_token(self) -> str: """ :return: Returns the authorization token """ + if self.auth_token: + return self.auth_token url_suffix: str = "/1.0/api-token-auth/" response_content = self.api_request( "POST", @@ -110,8 +126,8 @@ def get_authorization_token(self) -> str: headers_builder_type=None, prefix=None, ) - token = response_content.get("token", "") - return token + self.auth_token = response_content.get("token", "") + return self.auth_token def _get_new_access_token(self) -> str: url_suffix: str = "/auth/token/" @@ -139,6 +155,7 @@ def get_api_request_header(self) -> dict[str, str]: "Authorization": f"Token {token}", "Content-Type": "application/json", "Accept": "application/json", + "zf-source": "XSOAR", } def get_cti_request_header(self) -> dict[str, str]: 
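Review bot: FetchIncidentsStorage is declared with the default total=True, so every key is required, yet the new fetch_incidents (later hunk of this file) reads each key through .get() with a fallback and the test file passes an empty dict as last_run; a type checker would flag that call while the .get() fallbacks would be read as redundant. Declaring it as `FetchIncidentsStorage = TypedDict("FetchIncidentsStorage", {...}, total=False)` makes the type match how the stored last-run record is actually treated (every field optional, defaults filled in by the reader). A one-line comment above the alias, for example `# Persisted fetch-incidents state (demisto last-run); every key is optional`, would also explain why the functional form with the hyphenated "zf-ids" key is needed here.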
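Review bot: The token cached in get_authorization_token is never invalidated: once self.auth_token is set, the guard at the top of the method returns it for every later request on this client, so an expired or rotated token cannot be recovered from by re-authenticating (the same cache is what the second hunk, the `self.auth_token = response_content.get("token", "")` assignment, populates). If the client object lives only for a single command invocation the window is small, but whether api_request retries on an authentication failure is outside these hunks; wherever that failure is handled, clear the cache with `self.auth_token = ""` before re-raising so the next call re-authenticates. Note also that a response without a "token" key is cached as "" and is falsy, so the next call silently re-POSTs rather than failing clearly — that matches the pre-change behaviour, but a short comment on the guard, `# empty string means "not yet obtained"; re-authenticate`, would make the sentinel explicit.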
@@ -147,6 +164,7 @@ def get_cti_request_header(self) -> dict[str, str]: "Authorization": f"Bearer {token}", "Content-Type": "application/json", "Accept": "application/json", + "zf-source": "XSOAR", } def get_policy_types(self) -> dict[str, Any]: @@ -535,6 +553,7 @@ def alert_to_incident(alert: dict[str, Any]) -> dict[str, str]: incident = { "rawJSON": json.dumps(alert), "name": f"ZeroFox Alert {alert_id}", + "dbotMirrorId": str(alert_id), "occurred": alert.get("timestamp", ""), } return incident 
@@ -1017,56 +1036,31 @@ def get_exploits_content( return exploits_content -""" COMMANDS """ - - -def test_module(client: ZFClient) -> str: - """ - Performs basic get request to get item samples - """ - client.get_policy_types() - return "ok" - - -def fetch_incidents( +def get_incidents_data( client: ZFClient, - last_run: dict[str, str], - first_fetch_time: str -) -> tuple[dict[str, str], list[dict[str, Any]]]: - date_format = "%Y-%m-%dT%H:%M:%S.%f" - last_fetched = last_run.get("last_fetched") - last_offset_str: str = last_run.get("last_offset", "") - if last_fetched is None: - last_fetched = first_fetch_time - last_fetched = parse_date(last_fetched, date_formats=(date_format,)) - last_offset = int(last_offset_str) if last_offset_str else 0 - if last_fetched is None: - raise ValueError("last_fetched param is invalid") + params: dict[str, Any], + is_valid_alert: Callable[[dict[str, Any]], bool] | None = None, + timestamp_field: str = "timestamp" +) -> tuple[list[dict[str, Any]], str, str | None, list[int]]: + incidents: list[dict[str, Any]] = [] + next_offset = "0" - response_content = client.list_alerts( - { - "sort_direction": "asc", - "min_timestamp": last_fetched, - "offset": last_offset, - } - ) + response_content = client.list_alerts(params) alerts: list[dict[str, Any]] = response_content.get("alerts", []) - next_run = { - "last_fetched": last_fetched.strftime(date_format), - "last_offset": str(last_offset), - } - incidents: list[dict[str, Any]] = [] - if not alerts: - return next_run, incidents + return incidents, next_offset, None, [] integration_instance = demisto.integrationInstance() + processed_alerts: list[dict[str, Any]] = [] for alert in alerts: + if is_valid_alert and not is_valid_alert(alert): + continue # Fields for mirroring alert alert["mirror_direction"] = "In" alert["mirror_instance"] = integration_instance + processed_alerts.append(alert) incident = alert_to_incident(alert) incidents.append(incident) 
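Review bot: get_incidents_data returns a four-element tuple with no docstring, and the meaning of the elements is not recoverable from the signature: the third is None when the API returned no alerts and otherwise a DATE_FORMAT string (derived in the next hunk from the newest processed alert plus one millisecond), and the fourth is the list of ids of the alerts that survived is_valid_alert. Add a docstring stating the purpose (one page of alerts turned into incidents, optionally filtered), the role of params / is_valid_alert / timestamp_field, and each returned element in order. Also document that the alert dicts in the API response are mutated in place with the mirror_direction / mirror_instance fields before being serialised. The function body continues in the next hunk.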
@@ -1074,29 +1068,149 @@ def fetch_incidents( if next_page: parsed_next_page = urlparse.urlparse(next_page) parsed_query = urlparse.parse_qs(parsed_next_page.query) - next_run["last_offset"] = parsed_query.get("offset", ["0"])[0] - return next_run, incidents + next_offset = parsed_query.get("offset", ["0"])[0] - # max_update_time is the timestamp of the last alert in alerts - # (alerts is a sorted list by timestamp) - last_alert_timestamp = alerts[-1].get("timestamp", "") + # last_alert_timestamp is the oldest timestamp in alerts + parsed_last_alert: str = params.get('min_timestamp') or params.get('last_modified_min_date') or "" + parsed_last_alert_timestamp = parse_date( + parsed_last_alert, + date_formats=(DATE_FORMAT,), + ) + if parsed_last_alert_timestamp is None: + raise ValueError("Incorrect timestamp in params of fetch-incidents") + for alert in processed_alerts: + alert_timestamp_str: str = alert.get(timestamp_field, "") + alert_timestamp = parse_date( + alert_timestamp_str, + date_formats=(DATE_FORMAT,), + ) + if alert_timestamp is None: + raise ValueError("Incorrect timestamp in alert of fetch-incidents") + alert_timestamp = alert_timestamp.replace(tzinfo=None) + if alert_timestamp > parsed_last_alert_timestamp: + parsed_last_alert_timestamp = alert_timestamp # add 1 millisecond to last alert timestamp, # in order to prevent duplicated alerts - parsed_last_alert_timestamp = parse_date( - last_alert_timestamp, - date_formats=(date_format,), - ) if parsed_last_alert_timestamp is None: - raise ValueError("Incorrect timestamp in last alert " - "of fetch-incidents") + raise ValueError("Incorrect timestamp in last alert of fetch-incidents") max_update_time = ( parsed_last_alert_timestamp + timedelta(milliseconds=1) - ).strftime(date_format) - next_run["last_fetched"] = max_update_time - next_run["last_offset"] = "0" + ).strftime(DATE_FORMAT) + + def get_alert_ids(alert: dict[str, Any]) -> int: + return alert.get("id") or 0 + processed_alerts_ids: list[int] = 
list(map(get_alert_ids, processed_alerts)) + + return incidents, next_offset, max_update_time, processed_alerts_ids + + +def parse_last_fetched_date( + last_fetched_str: str | None, + first_fetch_time: str +) -> datetime: + # If no last_fetched present, use default value + if not last_fetched_str: + last_fetched_str = first_fetch_time + last_fetched = parse_date(last_fetched_str, date_formats=(DATE_FORMAT,)) + # If last_fetched is invalid, raise ValueError + if last_fetched is None: + raise ValueError("last_fetched param is invalid") + return last_fetched + + +""" COMMANDS """ + + +def test_module(client: ZFClient) -> str: + """ + Performs basic get request to get item samples + """ + client.get_policy_types() + return "ok" + + +def fetch_incidents( + client: ZFClient, + last_run: FetchIncidentsStorage, + first_fetch_time: str +) -> tuple[FetchIncidentsStorage, list[dict[str, Any]]]: + # Last fetched date + last_fetched_str = last_run.get("last_fetched", "") + last_fetched = parse_last_fetched_date(last_fetched_str, first_fetch_time) + last_fetched_str = last_fetched.strftime(DATE_FORMAT) + + # Saved offset of last run + last_offset_str: str = last_run.get("last_offset", "0") + last_offset = int(last_offset_str) + + # Date of first run + first_run_at_str = last_run.get("first_run_at", "") + first_run_at = parse_last_fetched_date(first_run_at_str, first_fetch_time) + + # Last modified fetch date + last_modified_fetched_str = last_run.get("last_modified_fetched", "") + last_modified_fetched = parse_last_fetched_date(last_modified_fetched_str, first_fetch_time) + last_modified_fetched_str = last_modified_fetched.strftime(DATE_FORMAT) + + # Saved modified alerts offset of last run + last_modified_offset_str: str = last_run.get("last_modified_offset", "0") + last_modified_offset = int(last_modified_offset_str) + + # ZeroFox Alert IDs previously created + zf_ids: list[int] = last_run.get("zf-ids", []) + + next_run: FetchIncidentsStorage = { + "last_fetched": 
last_fetched_str, + "last_offset": last_offset_str, + "first_run_at": first_run_at.strftime(DATE_FORMAT), + "last_modified_fetched": last_modified_fetched_str, + "last_modified_offset": last_modified_offset_str, + "zf-ids": zf_ids, + } + + # Fetch new alerts + params = { + "min_timestamp": last_fetched.strftime(DATE_FORMAT), + "sort_direction": "asc", + "offset": last_offset, + } + incidents, next_offset, oldest_timestamp, alert_ids = get_incidents_data( + client=client, + params=params, + ) + if len(incidents) > 0: + ingested_alert_ids = alert_ids + zf_ids + next_run["zf-ids"] = ingested_alert_ids[:MAX_ALERT_IDS_STORED] + next_run["last_offset"] = next_offset + if next_offset == "0" and oldest_timestamp: + next_run["last_fetched"] = oldest_timestamp + return next_run, incidents + + # If no new alerts, fetch modified alerts + params = { + "last_modified_min_date": last_modified_fetched.strftime(DATE_FORMAT), + "sort_direction": "asc", + "offset": last_modified_offset, + } + + def is_not_a_new_alert(alert): + return alert.get("id") not in zf_ids + incidents, next_offset, oldest_timestamp, alert_ids = get_incidents_data( + client=client, + params=params, + is_valid_alert=is_not_a_new_alert, + timestamp_field="last_modified", + ) + if len(incidents) > 0: + ingested_alert_ids = alert_ids + zf_ids + next_run["zf-ids"] = ingested_alert_ids[:MAX_ALERT_IDS_STORED] + next_run["last_modified_offset"] = next_offset + if next_offset == "0" and oldest_timestamp: + next_run["last_modified_fetched"] = oldest_timestamp + return next_run, incidents - return next_run, incidents + return next_run, [] def get_modified_remote_data_command( diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml index f0c7556155d8..8faccffa98d6 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml +++ b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml 
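Review bot: fetch_incidents gates the state update on `if len(incidents) > 0:` (both phases), but in the modified-alerts phase incidents is the filtered list, so a page whose alerts are all rejected by is_not_a_new_alert (ids already in zf-ids) leaves last_modified_offset and last_modified_fetched untouched and the same page is requested again on every fetch cycle. get_incidents_data returns None as its third element only when the API page was empty, so use that as the gate instead: `if oldest_timestamp is not None:` in both places, which advances the cursor even when nothing new was ingested. Separately, the comment `# last_alert_timestamp is the oldest timestamp in alerts` and the caller's name oldest_timestamp contradict the loop, which keeps the greatest timestamp (the newest) and then adds one millisecond; rename to newest_timestamp and fix the comment. The second `if parsed_last_alert_timestamp is None:` check after the loop is unreachable since the same check already raised above.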
@@ -788,7 +788,7 @@ script: deprecated: false execution: false - name: zerofox-search-compromised-domain - description: Looks for a given domain in Zerofox's CTI feeds + description: Looks for a given domain in Zerofox's CTI feeds. arguments: - name: domain required: true @@ -805,7 +805,7 @@ script: type: string description: Related domains to the threat separated by commas. - name: zerofox-search-compromised-email - description: Looks for a given email in ZeroFox's CTI feeds + description: Looks for a given email in ZeroFox's CTI feeds. arguments: - name: email required: true @@ -823,7 +823,7 @@ script: type: string description: Date in which the email was found related to a threat. - name: zerofox-search-malicious-ip - description: Looks for malicious ips in ZeroFox's CTI feeds + description: Looks for malicious ips in ZeroFox's CTI feeds. arguments: - name: ip required: true @@ -841,7 +841,7 @@ script: type: string description: Date in which the ip was found related to a threat. - name: zerofox-search-malicious-hash - description: Looks for registered hashes in ZeroFox's CTI feeds + description: Looks for registered hashes in ZeroFox's CTI feeds. arguments: - name: hash required: true diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py index f5bf3f41b51e..afad43cb5500 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py +++ b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py @@ -2,7 +2,13 @@ from dateparser import parse as parse_date from datetime import timedelta from ZeroFox import ( + # Constants + DATE_FORMAT, + + # Client ZFClient, + + # Commands fetch_incidents, get_modified_remote_data_command, get_remote_data_command, @@ -30,7 +36,6 @@ BASE_URL = "https://api.zerofox.com" OK_CODES = (200, 201) FETCH_LIMIT = 10 -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f" def load_json(file: str): 
@@ -60,7 +65,8 @@ def get_delayed_formatted_date(str_date: str, delay=timedelta(milliseconds=1)): def test_fetch_incidents_first_time_with_no_data(requests_mock, mocker): """ Given - There is 0 alerts + There is 0 new alerts + And 0 modified alerts And last_run is empty When Calling fetch_incidents @@ -69,18 +75,20 @@ def test_fetch_incidents_first_time_with_no_data(requests_mock, mocker): And offset equals to 0 And return last_fetch equals to first_fetch_time And last last_offset equals to 0 + And last first_run_at equals to first_fetch_time + And last last_modified_fetched equals to first_fetch_time + And last last_modified_offset equals to 0 And 0 incidents """ - alerts_response = load_json("test_data/alerts/list_no_records.json") + alerts_empty_response = load_json("test_data/alerts/list_no_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) - requests_mock.get("/1.0/alerts/", json=alerts_response) + requests_mock.get("/1.0/alerts/", response_list=[ + {"json": alerts_empty_response}, + {"json": alerts_empty_response}, + ]) client = build_zf_client() last_run: dict = {} first_fetch_time = "2023-06-01T00:00:00.000000" - first_fetch_time_parsed = parse_date( - first_fetch_time, - date_formats=(DATE_FORMAT,), - ) expected_offset = 0 spy = mocker.spy(client, "list_alerts") 
@@ -90,20 +98,28 @@ def test_fetch_incidents_first_time_with_no_data(requests_mock, mocker): first_fetch_time, ) - spy.assert_called_once() - list_alert_params = spy.call_args[0][0] - assert list_alert_params.get("min_timestamp") == first_fetch_time_parsed + # One call for new alerts, and another call to modified alerts + assert spy.call_count == 2 + list_alert_params = spy.call_args_list[0].args[0] + assert list_alert_params.get("min_timestamp") == first_fetch_time assert list_alert_params.get("sort_direction") == "asc" assert list_alert_params.get("offset") == expected_offset + list_modified_alert_params = spy.call_args_list[1].args[0] + assert list_modified_alert_params.get("sort_direction") == "asc" + assert list_modified_alert_params.get("offset") == expected_offset + assert list_modified_alert_params.get("last_modified_min_date") == first_fetch_time assert next_run["last_fetched"] == first_fetch_time assert next_run["last_offset"] == str(expected_offset) + assert next_run["first_run_at"] == first_fetch_time + assert next_run["last_modified_fetched"] == first_fetch_time + assert next_run["last_modified_offset"] == str(expected_offset) assert len(incidents) == 0 def test_fetch_incidents_first_time(requests_mock, mocker): """ Given - There are alerts (less than the fetch limit) + There are new alerts (less than the fetch limit) And there is no last_fetched in last_run When Calling fetch_incidents @@ -121,10 +137,6 @@ def test_fetch_incidents_first_time(requests_mock, mocker): client = build_zf_client() last_run: dict = {} first_fetch_time = "2023-06-01T00:00:00.000000" - first_fetch_time_parsed = parse_date( - first_fetch_time, - date_formats=(DATE_FORMAT,), - ) last_alert_timestamp_formatted = get_delayed_formatted_date( last_alert_timestamp, ) 
@@ -139,7 +151,7 @@ def test_fetch_incidents_first_time(requests_mock, mocker): spy.assert_called_once() list_alert_params = spy.call_args[0][0] - assert list_alert_params.get("min_timestamp") == first_fetch_time_parsed + assert list_alert_params.get("min_timestamp") == first_fetch_time assert list_alert_params.get("sort_direction") == "asc" assert list_alert_params.get("offset") == expected_offset assert next_run["last_fetched"] == last_alert_timestamp_formatted @@ -153,7 +165,7 @@ def test_fetch_incidents_first_time(requests_mock, mocker): def test_fetch_incidents_no_first_time(requests_mock, mocker): """ Given - There are alerts + There are new alerts And there are more in the next page And last_fetched is set in last_run And last_offset is set in last_run @@ -188,9 +200,7 @@ def test_fetch_incidents_no_first_time(requests_mock, mocker): spy.assert_called_once() list_alert_params = spy.call_args[0][0] - min_timestamp_called = list_alert_params.get( - "min_timestamp" - ).strftime(DATE_FORMAT) + min_timestamp_called = list_alert_params.get("min_timestamp") assert min_timestamp_called == last_run["last_fetched"] assert list_alert_params.get("sort_direction") == "asc" assert list_alert_params.get("offset") == last_offset_saved 
@@ -202,6 +212,121 @@ def test_fetch_incidents_no_first_time(requests_mock, mocker): assert "mirror_direction" in incident["rawJSON"] +def test_fetch_incidents_with_modified_alerts_first_call(requests_mock, mocker): + """ + Given + There are no new alerts + And there are modified alerts + And there are more in the next page + And last_modified_fetched is not set in last_run + When + Calling fetch_incidents + Then + It should list alerts with the last_fetched set in last_run + And with the last_offset set in last_run + And return last_fetch equals to last_fetched set + And last_offset equals to the offset set in the "next" link of the response + And 2 incidents correctly formatted + """ + alerts_empty_response = load_json("test_data/alerts/list_no_records.json") + modified_alerts_response = load_json("test_data/alerts/list_10_records_with_modified_and_more.json") + requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) + requests_mock.get("/1.0/alerts/", response_list=[ + {"json": alerts_empty_response}, + {"json": modified_alerts_response}, + ]) + client = build_zf_client() + last_run: dict = { + "zf-ids": [alert["id"] for alert in modified_alerts_response["alerts"]][2:], + } + first_fetch_time = "2023-06-01T00:00:00.000000" + expected_offset = 0 + expected_modified_offset = 20 + spy = mocker.spy(client, "list_alerts") + + next_run, incidents = fetch_incidents( + client, + last_run, + first_fetch_time, + ) + + assert spy.call_count == 2 + list_alert_params = spy.call_args_list[0].args[0] + assert list_alert_params.get("min_timestamp") == first_fetch_time + assert list_alert_params.get("sort_direction") == "asc" + assert list_alert_params.get("offset") == expected_offset + list_modified_alert_params = spy.call_args_list[1].args[0] + assert list_modified_alert_params.get("sort_direction") == "asc" + assert list_modified_alert_params.get("offset") == expected_offset + assert list_modified_alert_params.get("last_modified_min_date") == first_fetch_time + assert 
next_run["last_fetched"] == first_fetch_time + assert next_run["last_offset"] == str(expected_offset) + assert next_run["first_run_at"] == first_fetch_time + assert next_run["last_modified_fetched"] == first_fetch_time + assert next_run["last_modified_offset"] == str(expected_modified_offset) + assert len(incidents) == 2 + + +def test_fetch_incidents_with_modified_alerts_and_not_first_call(requests_mock, mocker): + """ + Given + There are no new alerts + And there are modified alerts + And there are no more in the next page + And last_modified_fetched is set in last_run + When + Calling fetch_incidents + Then + It should list alerts with the last_modified_fetched set in last_run + And with the last_modified_offset set in last_run + And return last_modified_fetch equals to last modified alert timestamp + 1 millisecond + And last_modified_offset equals to 0 + And 2 incidents correctly formatted + """ + alerts_empty_response = load_json("test_data/alerts/list_no_records.json") + modified_alerts_response = load_json("test_data/alerts/list_10_records_with_modified.json") + requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) + requests_mock.get("/1.0/alerts/", response_list=[ + {"json": alerts_empty_response}, + {"json": modified_alerts_response}, + ]) + client = build_zf_client() + last_modified_fetched = "2023-06-05T12:34:56.678900" + last_run: dict = { + "last_modified_fetched": last_modified_fetched, + "last_modified_offset": "20", + "zf-ids": [alert["id"] for alert in modified_alerts_response["alerts"]][2:], + } + first_fetch_time = "2023-05-31T00:00:00.000000" + expected_offset = 0 + expected_modified_offset = int(last_run["last_modified_offset"]) + spy = mocker.spy(client, "list_alerts") + # The first alert in the modified alerts response is the last modified alert + expected_next_modified_fetched = get_delayed_formatted_date(modified_alerts_response["alerts"][0]["last_modified"]) + + next_run, incidents = fetch_incidents( + client, + last_run, + 
first_fetch_time, + ) + + assert spy.call_count == 2 + list_alert_params = spy.call_args_list[0].args[0] + assert list_alert_params.get("min_timestamp") == first_fetch_time + assert list_alert_params.get("sort_direction") == "asc" + assert list_alert_params.get("offset") == expected_offset + list_modified_alert_params = spy.call_args_list[1].args[0] + assert list_modified_alert_params.get("sort_direction") == "asc" + assert list_modified_alert_params.get("offset") == expected_modified_offset + assert list_modified_alert_params.get("last_modified_min_date") == last_modified_fetched + assert next_run["last_fetched"] == first_fetch_time + assert next_run["last_offset"] == str(expected_offset) + assert next_run["first_run_at"] == first_fetch_time + assert next_run["last_modified_fetched"] == expected_next_modified_fetched + assert next_run["last_modified_offset"] == str(expected_offset) + assert len(incidents) == 2 + + def test_get_modified_remote_data_command_with_no_data(requests_mock, mocker): """ Given diff --git a/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records_with_modified.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records_with_modified.json new file mode 100644 index 000000000000..a3e3780a1a3d --- /dev/null +++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records_with_modified.json 
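Review bot: Neither new test covers a modified-alerts page whose ids are all already present in last_run["zf-ids"], which is the path where fetch_incidents yields no incidents from a non-empty page; a test asserting that next_run["last_modified_offset"] (or last_modified_fetched) still advances in that case would pin the intended cursor behaviour, which the current implementation does not provide. The docstring of test_fetch_incidents_with_modified_alerts_first_call also says "It should list alerts with the last_fetched set in last_run" and "return last_fetch equals to last_fetched set", but the last_run it builds contains only "zf-ids", so the Then clause should describe the first_fetch_time fallback that the assertions actually check. The hunk ends at the header of test_get_modified_remote_data_command_with_no_data, whose body is outside this hunk.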
@@ -0,0 +1,759 @@ +{ + "count": 10, + "next": null, + "previous": null, + "page_size": 10, + "num_pages": 1, + "alerts": [ + { + "alert_type": "search query", + "logs": [ + { + "id": 390795944, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:55:20+00:00", + "id": 224850127, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "display_name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "id": 424158735, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting Lewis Young Robertson & Burningham, a U.S.-based firm that provide financial advice and consultant to local governments. 
ZeroFox has detected close to 100 victims of ransomware and digital extortion in the financial services sector in the past year, more than 40 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:55:20+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-05-20T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-15T16:07:32Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390795945, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:54:10+00:00", + "id": 224850128, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: National Association of Home Builders", + "display_name": "Akira Ransomware: National Association of Home Builders", + "id": 424158736, + "url": 
"https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting National Association of Home Builders, a U.S.-based construction group. ZeroFox has detected more than 150 victims of ransomware and digital extortion in the construction sector in the past year, nearly 55 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:54:10+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-05-25T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-09T10:14:29Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390795946, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:53:04+00:00", + "id": 224850129, + "severity": 4, + 
"perpetrator": { + "name": "Akira Ransomware: SK Life Science", + "display_name": "Akira Ransomware: SK Life Science", + "id": 424158738, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting SK Life Science, a U.S.-based pharmaceutical manufacturing company. ZeroFox has detected more than 140 victims of ransomware and digital extortion in the healthcare sector in the past year, nearly 75 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:53:04+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:07:58Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390795949, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + 
"name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:50:15+00:00", + "id": 224850131, + "severity": 4, + "perpetrator": { + "name": "ALPHV Ransomware: Casepoint", + "display_name": "ALPHV Ransomware: Casepoint", + "id": 424158739, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "content": "On June 01, 2023, ZeroFox observed an update on the ALPHV Ransomware leak site targeting the organization Casepoint, an U.S.-based software development company. ZeroFox has detected close to 300 victims of this ransomware in the past year, of which more than 50 percent are based in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:50:15+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:07:59Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800117, + "timestamp": "2023-06-01T07:51:43+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": 
"https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:55:20+00:00", + "id": 224851768, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "display_name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "id": 424158735, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting Lewis Young Robertson & Burningham, a U.S.-based firm that provide financial advice and consultant to local governments. ZeroFox has detected close to 100 victims of ransomware and digital extortion in the financial services sector in the past year, more than 40 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:55:20+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:43+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800118, + "timestamp": "2023-06-01T07:51:44+00:00", + "actor": "", 
+ "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:54:10+00:00", + "id": 224851769, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: National Association of Home Builders", + "display_name": "Akira Ransomware: National Association of Home Builders", + "id": 424158736, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting National Association of Home Builders, a U.S.-based construction group. ZeroFox has detected more than 150 victims of ransomware and digital extortion in the construction sector in the past year, nearly 55 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:54:10+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:44+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + 
"entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800119, + "timestamp": "2023-06-01T07:51:44+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:53:04+00:00", + "id": 224851770, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: SK Life Science", + "display_name": "Akira Ransomware: SK Life Science", + "id": 424158738, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting SK Life Science, a U.S.-based pharmaceutical manufacturing company. 
ZeroFox has detected more than 140 victims of ransomware and digital extortion in the healthcare sector in the past year, nearly 75 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:53:04+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:44+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800120, + "timestamp": "2023-06-01T07:51:44+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:50:15+00:00", + "id": 224851772, + "severity": 4, + "perpetrator": { + "name": "ALPHV Ransomware: Casepoint", + "display_name": "ALPHV Ransomware: Casepoint", + "id": 424158739, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "content": "On June 01, 2023, 
ZeroFox observed an update on the ALPHV Ransomware leak site targeting the organization Casepoint, an U.S.-based software development company. ZeroFox has detected close to 300 victims of this ransomware in the past year, of which more than 50 percent are based in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:50:15+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:44+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390852476, + "timestamp": "2023-06-01T13:27:19+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35832", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T12:24:03+00:00", + "id": 224870860, + "severity": 4, + "perpetrator": { + "name": "RansomHouse: Mission Community Hospital", + "display_name": "RansomHouse: Mission Community Hospital", + 
"id": 424205188, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35832", + "content": "On June 1, 2023, ZeroFox observed an update on the RansomHouse leak site targeting Mission Community Hospital, a U.S.-based healthcare provider. ZeroFox has detected over 1900 victims of ransomware and digital extortion in the last year, more than 45 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T12:24:03+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T13:27:19+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T13:27:19Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390852477, + "timestamp": "2023-06-01T13:27:19+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35810", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T12:07:00+00:00", + "id": 224870861, + "severity": 4, + "perpetrator": { + 
"name": "8Base Ransomware: Groupe Michel Nutrition Animale", + "display_name": "8Base Ransomware: Groupe Michel Nutrition Animale", + "id": 424205198, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35810", + "content": "On June 01, 2023, ZeroFox observed an update on the 8Base ransomware leak site targeting Groupe Michel Nutrition Animale, a France-based farming and livestock group. The leak site noted the post date as February 23, 2023. The data download link provided in the leak site for this victim is not live at the time of reporting this leak. ZeroFox has detected nearly 80 victims of ransomware and digital extortion in the food and agriculture sector in the past year, more than 20 percent of which are in the Europe-Russia region.", + "type": "page", + "timestamp": "2023-06-01T12:07:00+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T13:27:19+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T13:27:19Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + } + ] +} diff --git a/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records_with_modified_and_more.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records_with_modified_and_more.json new file mode 100644 index 000000000000..3ea27855c830 --- /dev/null 
+++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records_with_modified_and_more.json 
@@ -0,0 +1,759 @@ +{ + "count": 1308, + "next": "https://api.zerofox.com/1.0/alerts/?limit=10&offset=20&sort_direction=asc", + "previous": null, + "page_size": 10, + "num_pages": 131, + "alerts": [ + { + "alert_type": "search query", + "logs": [ + { + "id": 390795944, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:55:20+00:00", + "id": 224850127, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "display_name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "id": 424158735, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting Lewis Young Robertson & Burningham, a U.S.-based firm that provide financial advice and consultant to local governments. 
ZeroFox has detected close to 100 victims of ransomware and digital extortion in the financial services sector in the past year, more than 40 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:55:20+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-05-20T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:07:58Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390795945, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:54:10+00:00", + "id": 224850128, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: National Association of Home Builders", + "display_name": "Akira Ransomware: National Association of Home Builders", + "id": 424158736, + "url": 
"https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting National Association of Home Builders, a U.S.-based construction group. ZeroFox has detected more than 150 victims of ransomware and digital extortion in the construction sector in the past year, nearly 55 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:54:10+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-05-31T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:07:58Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390795946, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:53:04+00:00", + "id": 224850129, + "severity": 4, + 
"perpetrator": { + "name": "Akira Ransomware: SK Life Science", + "display_name": "Akira Ransomware: SK Life Science", + "id": 424158738, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting SK Life Science, a U.S.-based pharmaceutical manufacturing company. ZeroFox has detected more than 140 victims of ransomware and digital extortion in the healthcare sector in the past year, nearly 75 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:53:04+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:07:58Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390795949, + "timestamp": "2023-06-01T07:07:58+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + 
"name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:50:15+00:00", + "id": 224850131, + "severity": 4, + "perpetrator": { + "name": "ALPHV Ransomware: Casepoint", + "display_name": "ALPHV Ransomware: Casepoint", + "id": 424158739, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "content": "On June 01, 2023, ZeroFox observed an update on the ALPHV Ransomware leak site targeting the organization Casepoint, an U.S.-based software development company. ZeroFox has detected close to 300 victims of this ransomware in the past year, of which more than 50 percent are based in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:50:15+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:07:58+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:07:59Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800117, + "timestamp": "2023-06-01T07:51:43+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": 
"https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:55:20+00:00", + "id": 224851768, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "display_name": "Akira Ransomware: Lewis Young Robertson & Burningham", + "id": 424158735, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35803", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting Lewis Young Robertson & Burningham, a U.S.-based firm that provide financial advice and consultant to local governments. ZeroFox has detected close to 100 victims of ransomware and digital extortion in the financial services sector in the past year, more than 40 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:55:20+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:43+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800118, + "timestamp": "2023-06-01T07:51:44+00:00", + "actor": "", 
+ "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:54:10+00:00", + "id": 224851769, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: National Association of Home Builders", + "display_name": "Akira Ransomware: National Association of Home Builders", + "id": 424158736, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35804", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting National Association of Home Builders, a U.S.-based construction group. ZeroFox has detected more than 150 victims of ransomware and digital extortion in the construction sector in the past year, nearly 55 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:54:10+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:44+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + 
"entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800119, + "timestamp": "2023-06-01T07:51:44+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:53:04+00:00", + "id": 224851770, + "severity": 4, + "perpetrator": { + "name": "Akira Ransomware: SK Life Science", + "display_name": "Akira Ransomware: SK Life Science", + "id": 424158738, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35805", + "content": "On June 01, 2023, ZeroFox observed an update on the Akira Ransomware leak site targeting SK Life Science, a U.S.-based pharmaceutical manufacturing company. 
ZeroFox has detected more than 140 victims of ransomware and digital extortion in the healthcare sector in the past year, nearly 75 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:53:04+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:44+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390800120, + "timestamp": "2023-06-01T07:51:44+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "asset_term": null, + "assignee": "", + "entity": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T06:50:15+00:00", + "id": 224851772, + "severity": 4, + "perpetrator": { + "name": "ALPHV Ransomware: Casepoint", + "display_name": "ALPHV Ransomware: Casepoint", + "id": 424158739, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35806", + "content": "On June 01, 2023, 
ZeroFox observed an update on the ALPHV Ransomware leak site targeting the organization Casepoint, an U.S.-based software development company. ZeroFox has detected close to 300 victims of this ransomware in the past year, of which more than 50 percent are based in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T06:50:15+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 6969249, + "name": "Peter Parker", + "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg", + "labels": [], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T07:51:44+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T07:51:44Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390852476, + "timestamp": "2023-06-01T13:27:19+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35832", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T12:24:03+00:00", + "id": 224870860, + "severity": 4, + "perpetrator": { + "name": "RansomHouse: Mission Community Hospital", + "display_name": "RansomHouse: Mission Community Hospital", + 
"id": 424205188, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35832", + "content": "On June 1, 2023, ZeroFox observed an update on the RansomHouse leak site targeting Mission Community Hospital, a U.S.-based healthcare provider. ZeroFox has detected over 1900 victims of ransomware and digital extortion in the last year, more than 45 percent of which are in the U.S.-Canada region.", + "type": "page", + "timestamp": "2023-06-01T12:24:03+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T13:27:19+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T13:27:19Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + }, + { + "alert_type": "search query", + "logs": [ + { + "id": 390852477, + "timestamp": "2023-06-01T13:27:19+00:00", + "actor": "", + "subject": "", + "action": "open" + } + ], + "offending_content_url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35810", + "asset_term": null, + "assignee": "", + "entity": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entity_term": null, + "content_created_at": "2023-06-01T12:07:00+00:00", + "id": 224870861, + "severity": 4, + "perpetrator": { + 
"name": "8Base Ransomware: Groupe Michel Nutrition Animale", + "display_name": "8Base Ransomware: Groupe Michel Nutrition Animale", + "id": 424205198, + "url": "https://cloud.zerofox.com/intelligence/advanced_dark_web/35810", + "content": "On June 01, 2023, ZeroFox observed an update on the 8Base ransomware leak site targeting Groupe Michel Nutrition Animale, a France-based farming and livestock group. The leak site noted the post date as February 23, 2023. The data download link provided in the leak site for this victim is not live at the time of reporting this leak. ZeroFox has detected nearly 80 victims of ransomware and digital extortion in the food and agriculture sector in the past year, more than 20 percent of which are in the Europe-Russia region.", + "type": "page", + "timestamp": "2023-06-01T12:07:00+00:00", + "network": "advanced_dark_web" + }, + "rule_group_id": 1775, + "asset": { + "id": 560648, + "name": "Virginia Potts", + "image": "https://cdn.zerofox.com/media/entityimages/66bd7e83-1fd.jpg", + "labels": [ + { + "id": 1639880, + "name": "Stark" + } + ], + "entity_group": { + "id": 4636, + "name": "Default" + } + }, + "entered_by": "", + "metadata": "", + "status": "Open", + "timestamp": "2023-06-01T13:27:19+00:00", + "rule_name": "Advanced Dark Web", + "last_modified": "2023-06-01T13:27:19Z", + "protected_locations": null, + "darkweb_term": null, + "business_network": null, + "reviewed": false, + "escalated": false, + "network": "advanced_dark_web", + "protected_social_object": null, + "notes": "", + "reviews": [], + "rule_id": 41785, + "entity_account": null, + "entity_email_receiver_id": null, + "tags": [] + } + ] +} diff --git a/Packs/ZeroFox/ReleaseNotes/1_2_5.md b/Packs/ZeroFox/ReleaseNotes/1_2_5.md new file mode 100644 index 000000000000..e7f686b843a1 --- /dev/null +++ b/Packs/ZeroFox/ReleaseNotes/1_2_5.md 
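Review bot: The pagination fields of this fixture are internally inconsistent: `"previous": null` and `"page_size": 10` mark it as the first page, yet `"next"` points at `offset=20` rather than `offset=10`, so a test that follows `next` would silently skip a page. Each record also spells the UTC offset two ways (`"timestamp": "...+00:00"` versus `"last_modified": "...Z"`); if that mirrors the live API it deserves a test that parses both forms, and if not the fixture should settle on one spelling. Every `perpetrator.content` value also reproduces leak-site claims naming real organisations; synthetic victim names would keep this public test data free of third-party incident statements while exercising the same code paths.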
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### ZeroFox
+
+- Fixed an issue with ingesting updated escalated alerts from ZeroFox.
+- Added a header to identify the source of the request internally.
diff --git a/Packs/ZeroFox/pack_metadata.json b/Packs/ZeroFox/pack_metadata.json
index 9df75e72c78e..13c398b9f83c 100644
--- a/Packs/ZeroFox/pack_metadata.json
+++ b/Packs/ZeroFox/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "ZeroFox",
     "description": "Cloud-based SaaS to detect risks found on social media and digital channels.",
     "support": "partner",
-    "currentVersion": "1.2.4",
+    "currentVersion": "1.2.5",
     "author": "ZeroFox",
     "url": "https://www.zerofox.com/contact-us/",
     "email": "integration-support@zerofox.com",