Data Source
ZeroFox Enterprise provides threat intelligence and brand protection services. This connector ingests security alerts from the ZeroFox API covering phishing, malware, social media threats, and brand abuse incidents.
Ingestion Mechanism
CCF/DCR-based connector using a JSON polling configuration. It populates the ZeroFoxAlerts_CL table through the Custom-ZeroFoxAlerts_AlertsApi stream, polling the ZeroFox API at 5-minute intervals.
Detection Surface Unlocked
Phishing campaigns, malware distribution, social media impersonation, brand abuse, executive impersonation, and credential theft targeting organization assets. Alerts include perpetrator information, affected entities, and threat classification.
Migration Impact
Replaces deprecated CCP-based connector. Organizations using the legacy connector will need to migrate to this CCF implementation to maintain ZeroFox alert visibility in Microsoft Sentinel.
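A post-migration check for the ingestion mechanism and migration impact described above, added here as an example rather than taken from the connector package: it confirms that the new CCF connector is actually writing to ZeroFoxAlerts_CL at the expected 5-minute cadence. It assumes only the standard TimeGenerated column, since the page does not give the table's alert-specific schema.

```kql
// Added example (not part of the ZeroFox solution): verify that the migrated
// CCF connector is populating ZeroFoxAlerts_CL at the 5-minute poll cadence.
// Only the standard TimeGenerated column is used; alert-specific columns are
// not referenced because the table schema is not given here.
ZeroFoxAlerts_CL
| where TimeGenerated > ago(24h)
// One row per 5-minute polling interval that produced at least one alert.
| summarize AlertCount = count() by Interval = bin(TimeGenerated, 5m)
| order by Interval asc
// Minutes since the previous populated interval; > 5 means at least one
// polling window delivered nothing.
| extend GapMinutes = datetime_diff('minute', Interval, prev(Interval))
| summarize
    FirstSeen   = min(Interval),
    LastSeen    = max(Interval),
    TotalAlerts = sum(AlertCount),
    GapsOver5m  = countif(GapMinutes > 5)
// No result row at all means nothing has landed in the table in 24h, i.e.
// the migrated connector is not ingesting. A non-zero GapsOver5m is only a
// signal to investigate: a quiet window can also mean ZeroFox simply raised
// no new alerts during that poll.
```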
Affected Files
Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_ConnectorDefinition.json
Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json
Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_PollerConfig.json
Packaging artefacts: mainTemplate.json, createUiDefinition.json, solution metadata
Removed legacy files: connectorDefinition.json, dataConnectorPoller.json, armTemplate.json