ZeroFox Cloud Platform Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.27.0 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Partner |
</div>
The ZeroFox Platform integration collects and parses data from the ZeroFox Alert APIs. This integration supports the ZeroFox API v1.0.
It contains alert data received from the ZeroFox Cloud Platform.
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset name. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
dataset.name | Dataset name. | constant_keyword |
dataset.namespace | Dataset namespace. | constant_keyword |
dataset.type | Dataset type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Type of Filebeat input. | keyword |
zerofox.content_actions | | keyword |
zerofox.darkweb_term | | keyword |
zerofox.entity.entity_group.id | The entity group identifier. | integer |
zerofox.entity.entity_group.name | The entity group name. | keyword |
zerofox.entity.id | The entity identifier. | keyword |
zerofox.entity.image | The entity default image URL. | keyword |
zerofox.entity.labels.id | The entity label identifier. | keyword |
zerofox.entity.labels.name | The entity label text. | keyword |
zerofox.entity.name | The entity name. | keyword |
zerofox.entity_account | | keyword |
zerofox.entity_term.deleted | | boolean |
zerofox.entity_term.id | | keyword |
zerofox.entity_term.name | | keyword |
zerofox.escalated | | boolean |
zerofox.last_modified | | date |
zerofox.metadata | | flattened |
zerofox.notes | | text |
zerofox.perpetrator.account_number | | keyword |
zerofox.perpetrator.content | | keyword |
zerofox.perpetrator.destination_account_number | | keyword |
zerofox.perpetrator.display_name | | keyword |
zerofox.perpetrator.id | | keyword |
zerofox.perpetrator.image | | keyword |
zerofox.perpetrator.name | | keyword |
zerofox.perpetrator.network | | keyword |
zerofox.perpetrator.parent_post_account_number | | keyword |
zerofox.perpetrator.parent_post_number | | keyword |
zerofox.perpetrator.parent_post_url | | keyword |
zerofox.perpetrator.post_number | | keyword |
zerofox.perpetrator.post_type | | keyword |
zerofox.perpetrator.timestamp | | keyword |
zerofox.perpetrator.type | | keyword |
zerofox.perpetrator.url | | keyword |
zerofox.perpetrator.username | | keyword |
zerofox.protected_account | | keyword |
zerofox.protected_locations | | keyword |
zerofox.protected_social_object | | keyword |
zerofox.reviewed | | boolean |
zerofox.reviews | | keyword |
zerofox.status | | keyword |
zerofox.tags | | keyword |
**Changelog**
Version | Details | Kibana version(s) |
---|---|---|
1.27.0 | Enhancement: Do not remove event.original in main ingest pipeline. | 8.13.0 or higher |
1.26.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
1.25.0 | Enhancement: Update the Kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
1.24.0 | Enhancement: Improve handling of empty responses. | 8.12.0 or higher |
1.23.0 | Enhancement: Set sensitive values as secret. | 8.12.0 or higher |
1.22.1 | Enhancement: Changed owners. | 8.7.1 or higher |
1.22.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher |
1.21.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher |
1.20.0 | Enhancement: Improve event.original check to avoid errors if set. | 8.7.1 or higher |
1.19.0 | Enhancement: Set partner owner type. | 8.7.1 or higher |
1.18.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher |
1.17.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. | 8.7.1 or higher |
1.16.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher |
1.15.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher |
1.14.0 | Enhancement: Document duration units. | 8.7.1 or higher |
1.13.0 | Enhancement: Document valid duration units. | 8.7.1 or higher |
1.12.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher |
1.11.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher |
1.10.0 | Enhancement: Update package-spec version to 2.7.0. | 8.7.1 or higher |
1.9.0 | Enhancement: Add a new flag to enable request tracing. | 8.7.1 or higher |
1.8.0 | Enhancement: Update package to ECS 8.7.0. | 7.14 or higher; 8.0.0 or higher |
1.7.1 | Enhancement: Added categories and/or subcategories. | 7.14 or higher; 8.0.0 or higher |
1.7.0 | Enhancement: Update package to ECS 8.6.0. | 7.14 or higher; 8.0.0 or higher |
1.6.0 | Enhancement: Update package to ECS 8.5.0. | 7.14 or higher; 8.0.0 or higher |
1.5.0 | Enhancement: Update package to ECS 8.4.0. | 7.14 or higher; 8.0.0 or higher |
1.4.1 | Enhancement: Update package name and description to align with standard wording. | 7.14 or higher; 8.0.0 or higher |
1.4.0 | Enhancement: Update package to ECS 8.3.0. | 7.14 or higher; 8.0.0 or higher |
1.3.1 | Enhancement: Update readme; added a link to the ZeroFox readme. | 7.14 or higher; 8.0.0 or higher |
1.3.0 | Enhancement: Update to ECS 8.2. | 7.14 or higher; 8.0.0 or higher |
1.2.1 | Enhancement: Add documentation for multi-fields. | 7.14 or higher; 8.0.0 or higher |
1.2.0 | Enhancement: Update to ECS 8.0. | 7.14 or higher; 8.0.0 or higher |
1.1.0 | Enhancement: Add 8.0.0 version constraint. | 7.14 or higher; 8.0.0 or higher |
1.0.3 | Enhancement: Uniform with guidelines. | 7.14 or higher |
1.0.2 | Enhancement: Update title and description. | — |
1.0.1 | Bug fix: Fix logic that checks for the forwarded tag. | — |
1.0.0 | Enhancement: GA package. | — |
0.2.0 | Enhancement: Update to ECS 1.12.0. | — |
0.1.1 | Enhancement: Escape special characters in docs. | — |
0.1.0 | Enhancement: Initial release. | — |