ZeroFox CTI (using Azure Functions) connector for Microsoft Sentinel
The ZeroFox CTI data connectors provide the capability to ingest the different ZeroFox cyber threat intelligence alerts into Microsoft Sentinel.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | ZeroFox_CTI_advanced_dark_web_CL ZeroFox_CTI_botnet_CL ZeroFox_CTI_breaches_CL ZeroFox_CTI_C2_CL ZeroFox_CTI_compromised_credentials_CL ZeroFox_CTI_credit_cards_CL ZeroFox_CTI_dark_web_CL ZeroFox_CTI_discord_CL ZeroFox_CTI_disruption_CL ZeroFox_CTI_email_addresses_CL ZeroFox_CTI_exploits_CL ZeroFox_CTI_irc_CL ZeroFox_CTI_malware_CL ZeroFox_CTI_national_ids_CL ZeroFox_CTI_phishing_CL ZeroFox_CTI_phone_numbers_CL ZeroFox_CTI_ransomware_CL ZeroFox_CTI_telegram_CL ZeroFox_CTI_threat_actors_CL ZeroFox_CTI_vulnerabilities_CL |
| Data collection rules support | Not currently supported |
| Supported by | ZeroFox |
Query samples
ZeroFox CTI C2-domains Logs
ZeroFox_CTI_C2_CL
| sort by TimeGenerated desc
ZeroFox CTI Email Addresses Logs
ZeroFox_CTI_email_addresses_CL
| sort by TimeGenerated desc
ZeroFox CTI Malware Logs
ZeroFox_CTI_malware_CL
| sort by TimeGenerated desc
Prerequisites
To integrate with ZeroFox CTI (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- ZeroFox API Credentials/permissions: ZeroFox Username, ZeroFox Personal Access Token are required for ZeroFox CTI REST API.
Vendor installation instructions
Note
This connector uses Azure Functions to connect to the ZeroFox CTI REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.
(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.
STEP 1 - Retrieval of ZeroFox credentials:
Follow these instructions for set up logging and obtain credentials.
- Log into ZeroFox's website. using your username and password 2 - Click into the Settings button and go to the Data Connectors Section. 3 - Select the API DATA FEEDS tab and head to the bottom of the page, select Reset in the API Information box, to obtain a Personal Access Token to be used along with your username.
**STEP 2 - Deploy the Azure Function data connectors using the Azure Resource Manager template: **
IMPORTANT: Before deploying the ZeroFox CTI data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), readily available.
Preparing resources for deployment.
Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group, Log analytics Workspace and Location.
Enter the Workspace ID, Workspace Key, ZeroFox Username, ZeroFox Personal Access Token
Click Review + Create to deploy.
Next steps
For more information, go to the related solution in the Azure Marketplace.