Integrate Zerofox with Google SecOps
Integration version: 1.0
Integration Parameters
The Zerofox integration requires the following parameters:
Parameter | Description |
---|---|
API Root | Required. The API root of the Zerofox instance. |
API Token | Required. The Zerofox API token. |
Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to Zerofox. Selected by default. The default value is |
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Ping
Use the Ping action to test the connectivity to Zerofox.
The action doesn't run on any entities.
Action inputs
The Ping action doesn't require any parameters.
Action Outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Zerofox server with the provided connection parameters! | The action succeeded. |
Failed to connect to the Zerofox server! Error is {0}".format(exception.stacktrace) | The action failed. |
Script Result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Request Takedown
Use the Request Takedown action to request a takedown in Zerofox.
This action doesn't run on Google SecOps entities.
Action inputs
The Request Takedown action requires the following parameters:
Parameter | Description |
---|---|
Alert ID | Required. The ID of the Zerofox Alert. |
Action outputs
The Request Takedown action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Request Takedown action provides the following output messages:
Output message | Message description |
---|---|
Successfully requested takedown for alert with ID {alert id} | The action succeeded. |
| The action failed. |
Script Result
The following table describes the values for the script result output when using the Request Takedown action:
Script result name | Value |
---|---|
is_success | True or False |
Close Alert
Use the Close Alert action to close an alert in Zerofox.
This action doesn't run on Google SecOps entities.
Action inputs
The Close Alert action requires the following parameters:
Parameter | Description |
---|---|
Alert ID | Required. The ID of the Zerofox Alert. |
Action Outputs
The Close Alert action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Script Result
The following table describes the values for the script result output when using the Close Alert action:
Script result name | Value |
---|---|
is_success | True or False |
Output messages
The Close Alert action provides the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
| The action failed. |
Add Note To Alert
Use the Add Note To Alert action to add a note to an alert in Zerofox.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Note To Alert action requires the following parameters:
Parameter | Description |
---|---|
Alert ID | Required. The ID of the Zerofox Alert. |
Note | Required. The note for the alert. |
Action outputs
The Add Note To Alert action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Note To Alert action provides the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
| The action failed. |
Script Result
The following table describes the values for the script result output when using the Add Note To Alert action:
Script result name | Value |
---|---|
is_success | True or False |
Add Evidence To Alert
Use the Add Evidence To Alert action to add evidence to an alert in Zerofox.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Evidence To Alert action requires the following parameters:
Parameter | Description |
---|---|
Alert ID | Required. The ID of the Zerofox Alert. |
Filepath | Required. The absolute path for the evidence submitted to the alert. |
Action outputs
The Add Evidence To Alert action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Evidence To Alert action provides the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
| The action failed. |
Script Result
The following table describes the values for the script result output when using the Add Evidence To Alert action:
Script result name | Value |
---|---|
is_success | True or False |