diff --git a/Packs/ZeroFox/Integrations/ZeroFox/README.md b/Packs/ZeroFox/Integrations/ZeroFox/README.md index 5e5587e4226f..534af730650a 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/README.md +++ b/Packs/ZeroFox/Integrations/ZeroFox/README.md @@ -1,5 +1,5 @@ Cloud-based SaaS to detect risks found on social media and digital channels. -This integration was integrated and tested with version 1.0 and 2.0 of ZeroFox +This integration was integrated and tested with versions 1.0 and 2.0 of ZeroFox. ## Configure ZeroFox on Cortex XSOAR @@ -9,9 +9,10 @@ This integration was integrated and tested with version 1.0 and 2.0 of ZeroFox | **Parameter** | **Required** | | --- | --- | - | URL (e.g., ) | True | + | URL (e.g., https://api.zerofox.com/) | True | | Username | True | | Password | True | + | Fetch only escalated alerts | False | | Trust any certificate (not secure) | False | | Use system proxy settings | False | | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False | @@ -64,16 +65,16 @@ Fetches an alert by ID. | ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | | ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | | ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | -| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". | -| ZeroFox.Alert.Timestamp | Date | The date-time string when an the alert was created, in ISO-8601 format. | -| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule was deleted. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | | ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | | ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | | ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | | ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | | ZeroFox.Alert.Network | String | The network on which an alert was created. | | ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | -| ZeroFox.Alert.Notes | String | Notes made on an alert by the user. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | | ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | | ZeroFox.Alert.Tags | String | A list of an alert's tags. | | ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | @@ -98,8 +99,38 @@ Assigns an alert to a user. | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.Alert.ID | Number | The ID of an alert. | +| ZeroFox.Alert.AlertType | String | The type of an alert. | +| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. | | ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. | +| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. | +| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. | +| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. | +| ZeroFox.Alert.ID | Number | The ID of an alert. | +| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". | +| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. | +| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. | +| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. | +| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. | +| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | +| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | +| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | +| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | +| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | +| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | +| ZeroFox.Alert.Network | String | The network on which an alert was created. | +| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | +| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.Tags | String | A list of an alert's tags. | +| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | ### zerofox-close-alert @@ -120,8 +151,38 @@ Closes an alert. | **Path** | **Type** | **Description** | | --- | --- | --- | +| ZeroFox.Alert.AlertType | String | The type of an alert. | +| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. | +| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. | +| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. | +| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. | +| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. | | ZeroFox.Alert.ID | Number | The ID of an alert. | -| ZeroFox.Alert.Status | String | The status of an alert. | +| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". | +| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. | +| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. | +| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. | +| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. | +| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | +| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | +| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | +| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | +| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | +| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | +| ZeroFox.Alert.Network | String | The network on which an alert was created. | +| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | +| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.Tags | String | A list of an alert's tags. | +| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | ### zerofox-alert-request-takedown @@ -140,30 +201,6 @@ Requests a takedown of a specified alert. #### Context Output -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| ZeroFox.Alert.ID | Number | The ID of an alert. | -| ZeroFox.Alert.Status | String | The status of an alert. | - -### zerofox-modify-alert-tags - -*** -Adds tags to and or removes tags from a specified alert. - -#### Base Command - -`zerofox-modify-alert-tags` - -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| action | Adds or removes tags. Possible values are: add, remove. Default is add. | Optional | -| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required | -| tags | A CSV of tags to be added to or removed from an alert. | Required | - -#### Context Output - | **Path** | **Type** | **Description** | | --- | --- | --- | | ZeroFox.Alert.AlertType | String | The type of an alert. | @@ -185,7 +222,7 @@ Adds tags to and or removes tags from a specified alert. | ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | | ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | | ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | -| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | | ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | | ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | | ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | @@ -199,21 +236,22 @@ Adds tags to and or removes tags from a specified alert. | ZeroFox.Alert.Tags | String | A list of an alert's tags. | | ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | -### zerofox-modify-alert-notes +### zerofox-modify-alert-tags *** -Modify the notes from a specified alert. +Adds tags to and or removes tags from a specified alert. #### Base Command -`zerofox-modify-alert-notes` +`zerofox-modify-alert-tags` #### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | +| action | Adds or removes tags. Possible values are: add, remove. Default is add. | Optional | | alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required | -| notes | The modified notes to update in the alert. | Required | +| tags | A CSV of tags to be added to or removed from an alert. | Required | #### Context Output @@ -238,7 +276,7 @@ Modify the notes from a specified alert. | ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | | ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | | ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | -| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | | ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | | ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | | ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | @@ -379,8 +417,38 @@ Cancels a takedown of a specified alert. | **Path** | **Type** | **Description** | | --- | --- | --- | +| ZeroFox.Alert.AlertType | String | The type of an alert. | +| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. | +| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. | +| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. | +| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. | +| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. | | ZeroFox.Alert.ID | Number | The ID of an alert. | -| ZeroFox.Alert.Status | String | The status of an alert. | +| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". | +| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. | +| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. | +| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. | +| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. | +| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | +| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | +| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | +| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | +| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | +| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | +| ZeroFox.Alert.Network | String | The network on which an alert was created. | +| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | +| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.Tags | String | A list of an alert's tags. | +| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | ### zerofox-open-alert @@ -401,8 +469,38 @@ Opens an alert. | **Path** | **Type** | **Description** | | --- | --- | --- | +| ZeroFox.Alert.AlertType | String | The type of an alert. | +| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. | +| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. | +| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. | +| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. | +| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. | | ZeroFox.Alert.ID | Number | The ID of an alert. | -| ZeroFox.Alert.Status | String | The status of an alert. | +| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". | +| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. | +| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. | +| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. | +| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. | +| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | +| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | +| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | +| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | +| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | +| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | +| ZeroFox.Alert.Network | String | The network on which an alert was created. | +| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | +| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.Tags | String | A list of an alert's tags. | +| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | ### zerofox-list-entities @@ -434,14 +532,14 @@ Lists all entities associated with the company of the authorized user. | ZeroFox.Entity.Name | String | The name of the entity. | | ZeroFox.Entity.EmailAddress | String | The email address associated with the entity. | | ZeroFox.Entity.Organization | String | The organization associated with the entity. | -| ZeroFox.Entity.Tags | String | A list of tags of the entity | +| ZeroFox.Entity.Tags | String | A list of tags of the entity. | | ZeroFox.Entity.StrictNameMatching | Boolean | Indicates the type of string matching used for comparing entity names to impersonator names. | | ZeroFox.Entity.PolicyID | Number | The policy ID of the entity. | | ZeroFox.Entity.Profile | String | A link to a profile resource, if applicable. | | ZeroFox.Entity.EntityGroupID | Number | The ID of the entity group. | | ZeroFox.Entity.EntityGroupName | String | The name of the entity group. | | ZeroFox.Entity.TypeID | Number | The ID of the type of entity. | -| ZeroFox.Entity.TypeName | String | The name of the type of entity | +| ZeroFox.Entity.TypeName | String | The name of the type of entity. | ### zerofox-get-entity-types @@ -459,7 +557,6 @@ There are no input arguments for this command. #### Context Output There is no context output for this command. - ### zerofox-get-policy-types *** @@ -476,6 +573,58 @@ There are no input arguments for this command. #### Context Output There is no context output for this command. +### zerofox-modify-alert-notes + +*** +Modify the notes of a specified alert. + +#### Base Command + +`zerofox-modify-alert-notes` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| alert_id | The ID of an alert. Can be retrieved running the zerofox-list-alerts command. | Required | +| notes | The notes to add to an alert. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ZeroFox.Alert.AlertType | String | The type of an alert. | +| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. | +| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. | +| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. | +| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. | +| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. | +| ZeroFox.Alert.ID | Number | The ID of an alert. | +| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". | +| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. | +| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. | +| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. | +| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. | +| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | +| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | +| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | +| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | +| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | +| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | +| ZeroFox.Alert.Network | String | The network on which an alert was created. | +| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | +| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.Tags | String | A list of an alert's tags. | +| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | ### zerofox-submit-threat @@ -500,12 +649,43 @@ Submits potential threats into the ZF alert registry for disruption. | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.Alert.ID | Number | The ID of the alert created. | +| ZeroFox.Alert.AlertType | String | The type of an alert. | +| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. | +| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. | +| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. | +| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. | +| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. | +| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. | +| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. | +| ZeroFox.Alert.ID | Number | The ID of an alert. | +| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". | +| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. | +| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. | +| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. | +| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. | +| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. | +| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. | +| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. | +| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". | +| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. | +| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. | +| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. | +| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. | +| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. | +| ZeroFox.Alert.Network | String | The network on which an alert was created. | +| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, \(account information or an incoming or outgoing content\), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. | +| ZeroFox.Alert.Notes | String | Notes made on an alert. | +| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. | +| ZeroFox.Alert.Tags | String | A list of an alert's tags. | +| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. | ### zerofox-search-compromised-domain *** -Looks for a given domain in Zerofox's CTI feeds +Looks for a given domain in Zerofox's CTI feeds. #### Base Command @@ -521,14 +701,14 @@ Looks for a given domain in Zerofox's CTI feeds | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.CompromisedDomains.Domain | string | Domain in which the search domain was found | -| ZeroFox.CompromisedDomains.LastModified | string | Last time that the threat was found | -| ZeroFox.CompromisedDomains.IPs | string | Related domains to the threat separated by commas | +| ZeroFox.CompromisedDomains.Domain | string | Domain in which the search domain was found. | +| ZeroFox.CompromisedDomains.LastModified | string | Last time that the threat was found. | +| ZeroFox.CompromisedDomains.IPs | string | Related domains to the threat separated by commas. | ### zerofox-search-compromised-email *** -Looks for a given email in ZeroFox's CTI feeds +Looks for a given email in ZeroFox's CTI feeds. #### Base Command @@ -544,14 +724,14 @@ Looks for a given email in ZeroFox's CTI feeds | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.CompromisedEmails.Domain | string | Domain in which the search domain was found | -| ZeroFox.CompromisedEmails.Email | string | Email involved in the threat | -| ZeroFox.CompromisedEmails.CreatedAt | string | Date in which the email was found related to a threat | +| ZeroFox.CompromisedEmails.Domain | string | Domain in which the search domain was found. | +| ZeroFox.CompromisedEmails.Email | string | Email involved in the threat. | +| ZeroFox.CompromisedEmails.CreatedAt | string | Date in which the email was found related to a threat. | ### zerofox-search-malicious-ip *** -Looks for malicious ips in ZeroFox's CTI feeds +Looks for malicious ips in ZeroFox's CTI feeds. #### Base Command @@ -567,14 +747,14 @@ Looks for malicious ips in ZeroFox's CTI feeds | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.MaliciousIPs.Domain | string | Domain in which the search domain was found | -| ZeroFox.MaliciousIPs.IPAddress | string | IP in which the search domain was found | -| ZeroFox.MaliciousIPs.CreatedAt | string | Date in which the ip was found related to a threat | +| ZeroFox.MaliciousIPs.Domain | string | Domain in which the search domain was found. | +| ZeroFox.MaliciousIPs.IPAddress | string | IP in which the search domain was found. | +| ZeroFox.MaliciousIPs.CreatedAt | string | Date in which the ip was found related to a threat. | ### zerofox-search-malicious-hash *** -Looks for registered hashes in ZeroFox's CTI feeds +Looks for registered hashes in ZeroFox's CTI feeds. #### Base Command @@ -590,18 +770,18 @@ Looks for registered hashes in ZeroFox's CTI feeds | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.MaliciousHashes.CreatedAt | string | Date in which the ip was found related to a threat | -| ZeroFox.MaliciousHashes.Family | string | Family related threat | -| ZeroFox.MaliciousHashes.MD5 | string | Hash in MD5 format | -| ZeroFox.MaliciousHashes.SHA1 | string | Hash in SHA1 format | -| ZeroFox.MaliciousHashes.SHA256 | string | Hash in SHA256 format | -| ZeroFox.MaliciousHashes.SHA512 | string | Hash in SHA512 format | -| ZeroFox.MaliciousHashes.FoundHash | string | Indicates in which hash format was found the search | +| ZeroFox.MaliciousHashes.CreatedAt | string | Date in which the ip was found related to a threat. | +| ZeroFox.MaliciousHashes.Family | string | Family related threat. | +| ZeroFox.MaliciousHashes.MD5 | string | Hash in MD5 format. | +| ZeroFox.MaliciousHashes.SHA1 | string | Hash in SHA1 format. | +| ZeroFox.MaliciousHashes.SHA256 | string | Hash in SHA256 format. | +| ZeroFox.MaliciousHashes.SHA512 | string | Hash in SHA512 format. | +| ZeroFox.MaliciousHashes.FoundHash | string | Indicates in which hash format was found the search. | ### zerofox-search-exploits *** -Looks for registered exploits in ZeroFox's CTI feeds +Looks for registered exploits in ZeroFox's CTI feeds. #### Base Command @@ -617,15 +797,14 @@ Looks for registered exploits in ZeroFox's CTI feeds | **Path** | **Type** | **Description** | | --- | --- | --- | -| ZeroFox.Exploits.CreatedAt | string | Date in which the ip was found related to a threat | -| ZeroFox.Exploits.CVECode | string | CVE Code to identify the exploit | -| ZeroFox.Exploits.URLs | string | URLs associated to the threat separated by commas | +| ZeroFox.Exploits.CreatedAt | string | Date in which the ip was found related to a threat. | +| ZeroFox.Exploits.CVECode | string | CVE Code to identify the exploit. | +| ZeroFox.Exploits.URLs | string | URLs associated to the threat separated by commas. | ## Incident Mirroring You can enable incident mirroring between Cortex XSOAR incidents and ZeroFox corresponding events (available from Cortex XSOAR version 6.0.0). To set up the mirroring: - 1. Enable *Fetching incidents* in your instance configuration. Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents. diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py index 6867d6c6946f..8b95a910c9fb 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py +++ b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py @@ -628,9 +628,19 @@ def get_alert_contents(alert: dict[str, Any]) -> dict[str, Any]: "AlertType": alert.get("alert_type"), "OffendingContentURL": alert.get("offending_content_url"), "Assignee": alert.get("assignee"), + "Entity": { + "ID": get_nested_key(alert, ["entity", "id"]), + "Name": get_nested_key(alert, ["entity", "name"]), + "Image": get_nested_key(alert, ["entity", "image"]), + }, "EntityID": get_nested_key(alert, ["entity", "id"]), "EntityName": get_nested_key(alert, ["entity", "name"]), "EntityImage": get_nested_key(alert, ["entity", "image"]), + "EntityTerm": { + "ID": get_nested_key(alert, ["entity_term", "id"]), + "Name": get_nested_key(alert, ["entity_term", "name"]), + "Deleted": get_nested_key(alert, ["entity_term", "deleted"]), + }, "EntityTermID": get_nested_key(alert, ["entity_term", "id"]), "EntityTermName": get_nested_key(alert, ["entity_term", "name"]), "EntityTermDeleted": get_nested_key(alert, ["entity_term", "deleted"]), @@ -638,6 +648,14 @@ def get_alert_contents(alert: dict[str, Any]) -> dict[str, Any]: "ID": alert.get("id"), "ProtectedAccount": alert.get("protected_account"), "RiskRating": severity_num_to_string(int(alert.get("severity", ""))), + "Perpetrator": { + "Name": get_nested_key(alert, ["perpetrator", "name"]), + "Url": get_nested_key(alert, ["perpetrator", "url"]), + "TimeStamp": get_nested_key(alert, ["perpetrator", "timestamp"]), + "Type": get_nested_key(alert, ["perpetrator", "type"]), + "ID": get_nested_key(alert, ["perpetrator", "id"]), + "Network": get_nested_key(alert, ["perpetrator", "network"]), + }, "PerpetratorName": get_nested_key(alert, ["perpetrator", "name"]), "PerpetratorUrl": get_nested_key(alert, ["perpetrator", "url"]), "PerpetratorTimeStamp": get_nested_key( diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml index 88460f498074..f856d432218d 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml +++ b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml @@ -113,13 +113,13 @@ script: description: The ID of the rule group. type: Number - contextPath: ZeroFox.Alert.Status - description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". type: String - contextPath: ZeroFox.Alert.Timestamp - description: The date-time string when an the alert was created, in ISO-8601 format. + description: The date-time string when an alert was created, in ISO-8601 format. type: Date - contextPath: ZeroFox.Alert.RuleName - description: The name of the rule on which an alert was created. Outputs "null" if the rule was deleted. + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. type: String - contextPath: ZeroFox.Alert.LastModified description: The date and time at which an alert was last modified. @@ -140,7 +140,7 @@ script: description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. type: String - contextPath: ZeroFox.Alert.Notes - description: Notes made on an alert by the user. + description: Notes made on an alert. type: String - contextPath: ZeroFox.Alert.RuleID description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. @@ -161,11 +161,101 @@ script: name: username required: true outputs: + - contextPath: ZeroFox.Alert.AlertType + description: The type of an alert. + type: String + - contextPath: ZeroFox.Alert.OffendingContentURL + description: The URL to the site containing content that triggered an alert. + type: String + - contextPath: ZeroFox.Alert.Assignee + description: The user to which an alert is assigned. + type: String + - contextPath: ZeroFox.Alert.Entity.ID + description: The ID of the entity corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.Entity.Name + description: The name of the entity corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.Entity.Image + description: The URL to the profile image of the entity on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.ID + description: The ID of the entity term corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.EntityTerm.Name + description: The name of the entity term corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.Deleted + description: Whether an entity term was deleted. + type: Boolean + - contextPath: ZeroFox.Alert.ContentCreatedAt + description: The date-time string indicating when the alerted content was created, in ISO-8601 format. + type: Date - contextPath: ZeroFox.Alert.ID description: The ID of an alert. type: Number - - contextPath: ZeroFox.Alert.Assignee - description: The user to which an alert is assigned. + - contextPath: ZeroFox.Alert.RiskRating + description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Name + description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.URL + description: The URL at which you can view the basic details of the perpetrator. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.Timestamp + description: The timestamp of a post created by a perpetrator. + type: Date + - contextPath: ZeroFox.Alert.Perpetrator.Type + description: The type of perpetrator on which an alert was created. Can be an account, page, or post. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.ID + description: The ZeroFox resource ID of the alert perpetrator. + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Network + description: The network containing the offending content. + type: String + - contextPath: ZeroFox.Alert.RuleGroupID + description: The ID of the rule group. + type: Number + - contextPath: ZeroFox.Alert.Status + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". + type: String + - contextPath: ZeroFox.Alert.Timestamp + description: The date-time string when an alert was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.RuleName + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: String + - contextPath: ZeroFox.Alert.LastModified + description: The date and time at which an alert was last modified. + type: Date + - contextPath: ZeroFox.Alert.DarkwebTerm + description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. + type: String + - contextPath: ZeroFox.Alert.Reviewed + description: Whether an alert was reviewed. + type: Boolean + - contextPath: ZeroFox.Alert.Escalated + description: Whether an alert was escalated. + type: Boolean + - contextPath: ZeroFox.Alert.Network + description: The network on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.ProtectedSocialObject + description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. + type: String + - contextPath: ZeroFox.Alert.Notes + description: Notes made on an alert. + type: String + - contextPath: ZeroFox.Alert.RuleID + description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: Number + - contextPath: ZeroFox.Alert.Tags + description: A list of an alert's tags. + type: String + - contextPath: ZeroFox.Alert.EntityAccount + description: The account associated with the entity. type: String - name: zerofox-close-alert description: Closes an alert. @@ -174,11 +264,101 @@ script: name: alert_id required: true outputs: + - contextPath: ZeroFox.Alert.AlertType + description: The type of an alert. + type: String + - contextPath: ZeroFox.Alert.OffendingContentURL + description: The URL to the site containing content that triggered an alert. + type: String + - contextPath: ZeroFox.Alert.Assignee + description: The user to which an alert is assigned. + type: String + - contextPath: ZeroFox.Alert.Entity.ID + description: The ID of the entity corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.Entity.Name + description: The name of the entity corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.Entity.Image + description: The URL to the profile image of the entity on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.ID + description: The ID of the entity term corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.EntityTerm.Name + description: The name of the entity term corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.Deleted + description: Whether an entity term was deleted. + type: Boolean + - contextPath: ZeroFox.Alert.ContentCreatedAt + description: The date-time string indicating when the alerted content was created, in ISO-8601 format. + type: Date - contextPath: ZeroFox.Alert.ID description: The ID of an alert. type: Number + - contextPath: ZeroFox.Alert.RiskRating + description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Name + description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.URL + description: The URL at which you can view the basic details of the perpetrator. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.Timestamp + description: The timestamp of a post created by a perpetrator. + type: Date + - contextPath: ZeroFox.Alert.Perpetrator.Type + description: The type of perpetrator on which an alert was created. Can be an account, page, or post. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.ID + description: The ZeroFox resource ID of the alert perpetrator. + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Network + description: The network containing the offending content. + type: String + - contextPath: ZeroFox.Alert.RuleGroupID + description: The ID of the rule group. + type: Number - contextPath: ZeroFox.Alert.Status - description: The status of an alert. + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". + type: String + - contextPath: ZeroFox.Alert.Timestamp + description: The date-time string when an alert was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.RuleName + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: String + - contextPath: ZeroFox.Alert.LastModified + description: The date and time at which an alert was last modified. + type: Date + - contextPath: ZeroFox.Alert.DarkwebTerm + description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. + type: String + - contextPath: ZeroFox.Alert.Reviewed + description: Whether an alert was reviewed. + type: Boolean + - contextPath: ZeroFox.Alert.Escalated + description: Whether an alert was escalated. + type: Boolean + - contextPath: ZeroFox.Alert.Network + description: The network on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.ProtectedSocialObject + description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. + type: String + - contextPath: ZeroFox.Alert.Notes + description: Notes made on an alert. + type: String + - contextPath: ZeroFox.Alert.RuleID + description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: Number + - contextPath: ZeroFox.Alert.Tags + description: A list of an alert's tags. + type: String + - contextPath: ZeroFox.Alert.EntityAccount + description: The account associated with the entity. type: String - name: zerofox-alert-request-takedown description: Requests a takedown of a specified alert. @@ -187,11 +367,101 @@ script: name: alert_id required: true outputs: + - contextPath: ZeroFox.Alert.AlertType + description: The type of an alert. + type: String + - contextPath: ZeroFox.Alert.OffendingContentURL + description: The URL to the site containing content that triggered an alert. + type: String + - contextPath: ZeroFox.Alert.Assignee + description: The user to which an alert is assigned. + type: String + - contextPath: ZeroFox.Alert.Entity.ID + description: The ID of the entity corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.Entity.Name + description: The name of the entity corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.Entity.Image + description: The URL to the profile image of the entity on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.ID + description: The ID of the entity term corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.EntityTerm.Name + description: The name of the entity term corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.Deleted + description: Whether an entity term was deleted. + type: Boolean + - contextPath: ZeroFox.Alert.ContentCreatedAt + description: The date-time string indicating when the alerted content was created, in ISO-8601 format. + type: Date - contextPath: ZeroFox.Alert.ID description: The ID of an alert. type: Number + - contextPath: ZeroFox.Alert.RiskRating + description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Name + description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.URL + description: The URL at which you can view the basic details of the perpetrator. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.Timestamp + description: The timestamp of a post created by a perpetrator. + type: Date + - contextPath: ZeroFox.Alert.Perpetrator.Type + description: The type of perpetrator on which an alert was created. Can be an account, page, or post. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.ID + description: The ZeroFox resource ID of the alert perpetrator. + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Network + description: The network containing the offending content. + type: String + - contextPath: ZeroFox.Alert.RuleGroupID + description: The ID of the rule group. + type: Number - contextPath: ZeroFox.Alert.Status - description: The status of an alert. + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". + type: String + - contextPath: ZeroFox.Alert.Timestamp + description: The date-time string when an alert was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.RuleName + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: String + - contextPath: ZeroFox.Alert.LastModified + description: The date and time at which an alert was last modified. + type: Date + - contextPath: ZeroFox.Alert.DarkwebTerm + description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. + type: String + - contextPath: ZeroFox.Alert.Reviewed + description: Whether an alert was reviewed. + type: Boolean + - contextPath: ZeroFox.Alert.Escalated + description: Whether an alert was escalated. + type: Boolean + - contextPath: ZeroFox.Alert.Network + description: The network on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.ProtectedSocialObject + description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. + type: String + - contextPath: ZeroFox.Alert.Notes + description: Notes made on an alert. + type: String + - contextPath: ZeroFox.Alert.RuleID + description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: Number + - contextPath: ZeroFox.Alert.Tags + description: A list of an alert's tags. + type: String + - contextPath: ZeroFox.Alert.EntityAccount + description: The account associated with the entity. type: String - name: zerofox-modify-alert-tags description: Adds tags to and or removes tags from a specified alert. @@ -269,7 +539,7 @@ script: description: The ID of the rule group. type: Number - contextPath: ZeroFox.Alert.Status - description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". type: String - contextPath: ZeroFox.Alert.Timestamp description: The date-time string when an alert was created, in ISO-8601 format. @@ -519,75 +789,255 @@ script: - contextPath: ZeroFox.Alert.EntityAccount description: The account associated with the entity. type: String - - name: zerofox-create-entity - description: Creates a new entity associated with the company of the authorized user. + - name: zerofox-create-entity + description: Creates a new entity associated with the company of the authorized user. + arguments: + - description: Name of the entity (may be non-unique). + name: name + required: true + secret: false + - default: false + description: |- + Indicates the type of string matching used for comparing entity names + to impersonator names. It must be `true` or `false`. + isArray: false + name: strict_name_matching + - description: |- + Comma-separated list of string tags for tagging the entity. + For example: + label1,label2,label3. + isArray: true + name: tags + - description: The ID of the policy to assign to the new entity. Can be retrieved running the zerofox-get-policy-types command. + name: policy_id + predefined: + - '' + - description: The name of the organization associated with the entity. + name: organization + outputs: + - contextPath: ZeroFox.Entity.Name + description: The name of the entity. + type: String + - contextPath: ZeroFox.Entity.ID + description: The ID of the entity. + type: Number + - contextPath: ZeroFox.StrictNameMatching + description: Indicates the type of string matching used for comparing entity names to impersonator names. + type: Boolean + - contextPath: ZeroFox.Entity.Tags + description: The list of string tags that can be used for tagging the entity. + type: String + - contextPath: ZeroFox.Entity.PolicyID + description: The policy ID of the entity. + type: String + - contextPath: ZeroFox.Entity.Organization + description: The name of the organization associated with the entity. + type: String + - name: zerofox-alert-cancel-takedown + description: Cancels a takedown of a specified alert. + arguments: + - description: The ID of an alert. Can be retrieved running the zerofox-list-alerts command. + name: alert_id + required: true + outputs: + - contextPath: ZeroFox.Alert.AlertType + description: The type of an alert. + type: String + - contextPath: ZeroFox.Alert.OffendingContentURL + description: The URL to the site containing content that triggered an alert. + type: String + - contextPath: ZeroFox.Alert.Assignee + description: The user to which an alert is assigned. + type: String + - contextPath: ZeroFox.Alert.Entity.ID + description: The ID of the entity corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.Entity.Name + description: The name of the entity corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.Entity.Image + description: The URL to the profile image of the entity on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.ID + description: The ID of the entity term corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.EntityTerm.Name + description: The name of the entity term corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.Deleted + description: Whether an entity term was deleted. + type: Boolean + - contextPath: ZeroFox.Alert.ContentCreatedAt + description: The date-time string indicating when the alerted content was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.ID + description: The ID of an alert. + type: Number + - contextPath: ZeroFox.Alert.RiskRating + description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Name + description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.URL + description: The URL at which you can view the basic details of the perpetrator. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.Timestamp + description: The timestamp of a post created by a perpetrator. + type: Date + - contextPath: ZeroFox.Alert.Perpetrator.Type + description: The type of perpetrator on which an alert was created. Can be an account, page, or post. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.ID + description: The ZeroFox resource ID of the alert perpetrator. + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Network + description: The network containing the offending content. + type: String + - contextPath: ZeroFox.Alert.RuleGroupID + description: The ID of the rule group. + type: Number + - contextPath: ZeroFox.Alert.Status + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". + type: String + - contextPath: ZeroFox.Alert.Timestamp + description: The date-time string when an alert was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.RuleName + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: String + - contextPath: ZeroFox.Alert.LastModified + description: The date and time at which an alert was last modified. + type: Date + - contextPath: ZeroFox.Alert.DarkwebTerm + description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. + type: String + - contextPath: ZeroFox.Alert.Reviewed + description: Whether an alert was reviewed. + type: Boolean + - contextPath: ZeroFox.Alert.Escalated + description: Whether an alert was escalated. + type: Boolean + - contextPath: ZeroFox.Alert.Network + description: The network on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.ProtectedSocialObject + description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. + type: String + - contextPath: ZeroFox.Alert.Notes + description: Notes made on an alert. + type: String + - contextPath: ZeroFox.Alert.RuleID + description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: Number + - contextPath: ZeroFox.Alert.Tags + description: A list of an alert's tags. + type: String + - contextPath: ZeroFox.Alert.EntityAccount + description: The account associated with the entity. + type: String + - name: zerofox-open-alert + description: Opens an alert. arguments: - - description: Name of the entity (may be non-unique). - name: name + - description: The ID of an alert. Can be retrieved running the zerofox-list-alerts command. + name: alert_id required: true - secret: false - - default: false - description: |- - Indicates the type of string matching used for comparing entity names - to impersonator names. It must be `true` or `false`. - isArray: false - name: strict_name_matching - - description: |- - Comma-separated list of string tags for tagging the entity. - For example: - label1,label2,label3. - isArray: true - name: tags - - description: The ID of the policy to assign to the new entity. Can be retrieved running the zerofox-get-policy-types command. - name: policy_id - predefined: - - '' - - description: The name of the organization associated with the entity. - name: organization outputs: - - contextPath: ZeroFox.Entity.Name - description: The name of the entity. + - contextPath: ZeroFox.Alert.AlertType + description: The type of an alert. type: String - - contextPath: ZeroFox.Entity.ID - description: The ID of the entity. + - contextPath: ZeroFox.Alert.OffendingContentURL + description: The URL to the site containing content that triggered an alert. + type: String + - contextPath: ZeroFox.Alert.Assignee + description: The user to which an alert is assigned. + type: String + - contextPath: ZeroFox.Alert.Entity.ID + description: The ID of the entity corresponding to the triggered alert. type: Number - - contextPath: ZeroFox.StrictNameMatching - description: Indicates the type of string matching used for comparing entity names to impersonator names. - type: Boolean - - contextPath: ZeroFox.Entity.Tags - description: The list of string tags that can be used for tagging the entity. + - contextPath: ZeroFox.Alert.Entity.Name + description: The name of the entity corresponding to the triggered alert. type: String - - contextPath: ZeroFox.Entity.PolicyID - description: The policy ID of the entity. + - contextPath: ZeroFox.Alert.Entity.Image + description: The URL to the profile image of the entity on which an alert was created. type: String - - contextPath: ZeroFox.Entity.Organization - description: The name of the organization associated with the entity. + - contextPath: ZeroFox.Alert.EntityTerm.ID + description: The ID of the entity term corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.EntityTerm.Name + description: The name of the entity term corresponding to the triggered alert. type: String - - name: zerofox-alert-cancel-takedown - description: Cancels a takedown of a specified alert. - arguments: - - description: The ID of an alert. Can be retrieved running the zerofox-list-alerts command. - name: alert_id - required: true - outputs: + - contextPath: ZeroFox.Alert.EntityTerm.Deleted + description: Whether an entity term was deleted. + type: Boolean + - contextPath: ZeroFox.Alert.ContentCreatedAt + description: The date-time string indicating when the alerted content was created, in ISO-8601 format. + type: Date - contextPath: ZeroFox.Alert.ID description: The ID of an alert. type: Number - - contextPath: ZeroFox.Alert.Status - description: The status of an alert. + - contextPath: ZeroFox.Alert.RiskRating + description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Name + description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. type: String - - name: zerofox-open-alert - description: Opens an alert. - arguments: - - description: The ID of an alert. Can be retrieved running the zerofox-list-alerts command. - name: alert_id - required: true - outputs: - - contextPath: ZeroFox.Alert.ID - description: The ID of an alert. + - contextPath: ZeroFox.Alert.Perpetrator.URL + description: The URL at which you can view the basic details of the perpetrator. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.Timestamp + description: The timestamp of a post created by a perpetrator. + type: Date + - contextPath: ZeroFox.Alert.Perpetrator.Type + description: The type of perpetrator on which an alert was created. Can be an account, page, or post. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.ID + description: The ZeroFox resource ID of the alert perpetrator. + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Network + description: The network containing the offending content. + type: String + - contextPath: ZeroFox.Alert.RuleGroupID + description: The ID of the rule group. type: Number - contextPath: ZeroFox.Alert.Status - description: The status of an alert. + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". + type: String + - contextPath: ZeroFox.Alert.Timestamp + description: The date-time string when an alert was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.RuleName + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: String + - contextPath: ZeroFox.Alert.LastModified + description: The date and time at which an alert was last modified. + type: Date + - contextPath: ZeroFox.Alert.DarkwebTerm + description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. + type: String + - contextPath: ZeroFox.Alert.Reviewed + description: Whether an alert was reviewed. + type: Boolean + - contextPath: ZeroFox.Alert.Escalated + description: Whether an alert was escalated. + type: Boolean + - contextPath: ZeroFox.Alert.Network + description: The network on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.ProtectedSocialObject + description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. + type: String + - contextPath: ZeroFox.Alert.Notes + description: Notes made on an alert. + type: String + - contextPath: ZeroFox.Alert.RuleID + description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: Number + - contextPath: ZeroFox.Alert.Tags + description: A list of an alert's tags. + type: String + - contextPath: ZeroFox.Alert.EntityAccount + description: The account associated with the entity. type: String - name: zerofox-list-entities description: Lists all entities associated with the company of the authorized user. @@ -717,7 +1167,7 @@ script: description: The ID of the rule group. type: Number - contextPath: ZeroFox.Alert.Status - description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". type: String - contextPath: ZeroFox.Alert.Timestamp description: The date-time string when an alert was created, in ISO-8601 format. @@ -782,9 +1232,102 @@ script: description: Additional notes to include in submission. type: textArea outputs: + - contextPath: ZeroFox.Alert.AlertType + description: The type of an alert. + type: String + - contextPath: ZeroFox.Alert.OffendingContentURL + description: The URL to the site containing content that triggered an alert. + type: String + - contextPath: ZeroFox.Alert.Assignee + description: The user to which an alert is assigned. + type: String + - contextPath: ZeroFox.Alert.Entity.ID + description: The ID of the entity corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.Entity.Name + description: The name of the entity corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.Entity.Image + description: The URL to the profile image of the entity on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.ID + description: The ID of the entity term corresponding to the triggered alert. + type: Number + - contextPath: ZeroFox.Alert.EntityTerm.Name + description: The name of the entity term corresponding to the triggered alert. + type: String + - contextPath: ZeroFox.Alert.EntityTerm.Deleted + description: Whether an entity term was deleted. + type: Boolean + - contextPath: ZeroFox.Alert.ContentCreatedAt + description: The date-time string indicating when the alerted content was created, in ISO-8601 format. + type: Date - contextPath: ZeroFox.Alert.ID - description: The ID of the alert created. + description: The ID of an alert. + type: Number + - contextPath: ZeroFox.Alert.RiskRating + description: The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Name + description: For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.URL + description: The URL at which you can view the basic details of the perpetrator. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.Timestamp + description: The timestamp of a post created by a perpetrator. + type: Date + - contextPath: ZeroFox.Alert.Perpetrator.Type + description: The type of perpetrator on which an alert was created. Can be an account, page, or post. + type: String + - contextPath: ZeroFox.Alert.Perpetrator.ID + description: The ZeroFox resource ID of the alert perpetrator. + type: Number + - contextPath: ZeroFox.Alert.Perpetrator.Network + description: The network containing the offending content. + type: String + - contextPath: ZeroFox.Alert.RuleGroupID + description: The ID of the rule group. + type: Number + - contextPath: ZeroFox.Alert.Status + description: The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested" and "Whitelisted". + type: String + - contextPath: ZeroFox.Alert.Timestamp + description: The date-time string when an alert was created, in ISO-8601 format. + type: Date + - contextPath: ZeroFox.Alert.RuleName + description: The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. + type: String + - contextPath: ZeroFox.Alert.LastModified + description: The date and time at which an alert was last modified. + type: Date + - contextPath: ZeroFox.Alert.DarkwebTerm + description: Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. + type: String + - contextPath: ZeroFox.Alert.Reviewed + description: Whether an alert was reviewed. + type: Boolean + - contextPath: ZeroFox.Alert.Escalated + description: Whether an alert was escalated. + type: Boolean + - contextPath: ZeroFox.Alert.Network + description: The network on which an alert was created. + type: String + - contextPath: ZeroFox.Alert.ProtectedSocialObject + description: The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object will be an entity term name. If the alert occurred on a protected account, (account information or an incoming or outgoing content), and it was network defined, the protected object will be an account username. If the alert was not network-defined, the protected object will default to the account's display name. Otherwise, the protected account will be an account display name. For impersonation alerts, the protected object is null. + type: String + - contextPath: ZeroFox.Alert.Notes + description: Notes made on an alert. + type: String + - contextPath: ZeroFox.Alert.RuleID + description: The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. type: Number + - contextPath: ZeroFox.Alert.Tags + description: A list of an alert's tags. + type: String + - contextPath: ZeroFox.Alert.EntityAccount + description: The account associated with the entity. + type: String deprecated: false execution: false - name: zerofox-search-compromised-domain diff --git a/Packs/ZeroFox/ReleaseNotes/1_2_8.md b/Packs/ZeroFox/ReleaseNotes/1_2_8.md new file mode 100644 index 000000000000..5bd2993121ac --- /dev/null +++ b/Packs/ZeroFox/ReleaseNotes/1_2_8.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### ZeroFox + +- Updated the outputs of the commands related to alerts. diff --git a/Packs/ZeroFox/pack_metadata.json b/Packs/ZeroFox/pack_metadata.json index 1ed826fe5f73..9e3ee0298633 100644 --- a/Packs/ZeroFox/pack_metadata.json +++ b/Packs/ZeroFox/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ZeroFox", "description": "Cloud-based SaaS to detect risks found on social media and digital channels.", "support": "partner", - "currentVersion": "1.2.7", + "currentVersion": "1.2.8", "author": "ZeroFox", "url": "https://www.zerofox.com/contact-us/", "email": "integration-support@zerofox.com", @@ -19,4 +19,4 @@ ], "dependencies": {}, "displayedImages": [] -} +} \ No newline at end of file