ZeroFox Alerts & CTI Connectors

Solution: ZeroFox

ZeroFox Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	ZeroFox
Support Tier	Partner
Support Link	https://www.zerofox.com/contact-us/
Categories	domains
Version	3.2.2
Author	ZeroFox - integration-support@zerofox.com
First Published	2023-07-28
Solution Folder	ZeroFox
Marketplace	Azure Marketplace · Popularity: 🔵 Medium (64%)

The ZeroFox solution for Microsoft Sentinel enables you to ingest ZeroFox Alerts and ZeroFox CTI events into Microsoft Sentinel using the ZeroFox API.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

b. Azure Functions

Data Connectors
Tables Used
Content Items

Data Connectors

This solution provides 2 data connector(s):

ZeroFox Enterprise - Alerts (Polling CCF) 🔶
ZeroFox CTI 🔶

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 21 table(s):

Table	Used By Connectors	Used By Content
`ZeroFoxAlertPoller_CL` 🔶	ZeroFox Enterprise - Alerts (Polling CCF)	Analytics
`ZeroFox_CTI_C2_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_advanced_dark_web_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_botnet_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_breaches_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_compromised_credentials_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_credit_cards_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_dark_web_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_discord_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_disruption_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_email_addresses_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_exploits_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_irc_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_malware_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_national_ids_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_phishing_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_phone_numbers_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_ransomware_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_telegram_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_threat_actors_CL` 🔶	ZeroFox CTI	-
`ZeroFox_CTI_vulnerabilities_CL` 🔶	ZeroFox CTI	-

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 4 content item(s):

Content Type	Count
Analytic Rules	4

Analytic Rules

Name	Severity	Tactics	Tables Used
ZeroFox Alerts - High Severity Alerts	High	ResourceDevelopment, InitialAccess	`ZeroFoxAlertPoller_CL`
ZeroFox Alerts - Informational Severity Alerts	Informational	ResourceDevelopment, InitialAccess	`ZeroFoxAlertPoller_CL`
ZeroFox Alerts - Low Severity Alerts	Low	ResourceDevelopment, InitialAccess	`ZeroFoxAlertPoller_CL`
ZeroFox Alerts - Medium Severity Alerts	Medium	ResourceDevelopment, InitialAccess	`ZeroFoxAlertPoller_CL`

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.2.2	17-11-2025	Added New CCF connector.
3.2.1	26-12-2024	Update alerts data connector version that fix issues in fetching updates
3.2.0	26-09-2024	Changed query parameter in alerts connector for fetching updates
3.1.0	26-07-2024	Updated ZeroFox connector to generate result batches and implemented async Sentinel connector logic
3.0.1	30-04-2024	Fixed Solution Metadata for deployment
3.0.0	04-08-2023	Added Data Connectors for ZeroFox's Alerts and CTI feeds