Muokkaa

Jaa


ZeroFox CTI (using Azure Functions) connector for Microsoft Sentinel

The ZeroFox CTI data connectors provide the capability to ingest the different ZeroFox cyber threat intelligence alerts into Microsoft Sentinel.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) ZeroFox_CTI_advanced_dark_web_CL
ZeroFox_CTI_botnet_CL
ZeroFox_CTI_breaches_CL
ZeroFox_CTI_C2_CL
ZeroFox_CTI_compromised_credentials_CL
ZeroFox_CTI_credit_cards_CL
ZeroFox_CTI_dark_web_CL
ZeroFox_CTI_discord_CL
ZeroFox_CTI_disruption_CL
ZeroFox_CTI_email_addresses_CL
ZeroFox_CTI_exploits_CL
ZeroFox_CTI_irc_CL
ZeroFox_CTI_malware_CL
ZeroFox_CTI_national_ids_CL
ZeroFox_CTI_phishing_CL
ZeroFox_CTI_phone_numbers_CL
ZeroFox_CTI_ransomware_CL
ZeroFox_CTI_telegram_CL
ZeroFox_CTI_threat_actors_CL
ZeroFox_CTI_vulnerabilities_CL
Data collection rules support Not currently supported
Supported by ZeroFox

Query samples

ZeroFox CTI C2-domains Logs

ZeroFox_CTI_C2_CL

| sort by TimeGenerated desc

ZeroFox CTI Email Addresses Logs

ZeroFox_CTI_email_addresses_CL

| sort by TimeGenerated desc

ZeroFox CTI Malware Logs

ZeroFox_CTI_malware_CL

| sort by TimeGenerated desc

Prerequisites

To integrate with ZeroFox CTI (using Azure Functions) make sure you have:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
  • ZeroFox API Credentials/permissions: ZeroFox Username, ZeroFox Personal Access Token are required for ZeroFox CTI REST API.

Vendor installation instructions

Note

This connector uses Azure Functions to connect to the ZeroFox CTI REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

STEP 1 - Retrieval of ZeroFox credentials:

Follow these instructions for set up logging and obtain credentials.

  1. Log into ZeroFox's website. using your username and password 2 - Click into the Settings button and go to the Data Connectors Section. 3 - Select the API DATA FEEDS tab and head to the bottom of the page, select Reset in the API Information box, to obtain a Personal Access Token to be used along with your username.

**STEP 2 - Deploy the Azure Function data connectors using the Azure Resource Manager template: **

IMPORTANT: Before deploying the ZeroFox CTI data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), readily available.

Preparing resources for deployment.

  1. Click the Deploy to Azure button below.

    Deploy To Azure

  2. Select the preferred Subscription, Resource Group, Log analytics Workspace and Location.

  3. Enter the Workspace ID, Workspace Key, ZeroFox Username, ZeroFox Personal Access Token

  4. Click Review + Create to deploy.

Next steps

For more information, go to the related solution in the Azure Marketplace.