Update ZeroFox table

jpipkin1 · jpipkin1 · commit 0f0b293560ee · 2025-07-21T10:53:13.000-05:00
diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md
@@ -40,7 +40,7 @@ The `type` object is mapped to the following normalized type values:
 | `binary_string` | `artifact:payload_bin` | 
 | `bitcoin_address` | `url` | 
 | `ip_address` | `ipv4-addr` / `ipv6-addr` |
-| `domain` |  `domain-name` | 
+| `domain` | `domain-name` | 
 | `email_address` | `email-add` | 
 | `file_path` | `file:name` | 
 | `file_name` | `file:name` | 
@@ -56,7 +56,7 @@ The `type` object is mapped to the following normalized type values:
 
 ## Intel 471
 
-You can ingest threat indicators from Intel 471 using the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). In addition, Sumo Logic provides an out-of-the-box `SumoLogic_ThreatIntel` source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources.
+You can ingest threat indicators from Intel 471 using the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). In addition |  Sumo Logic provides an out-of-the-box `SumoLogic_ThreatIntel` source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources.
 
 Following are the normalized values for Intel 471:
 
@@ -76,7 +76,7 @@ Following are the normalized values for Mandiant:
 
 | Mandiant schema | Normalized schema in the datastore | Notes |
 |:--|:--|:--|
-| `[]actors` | `actors` | The JSON structure of individual actors are joined with a ", " |
+| `[]actors` | `actors` | The JSON structure of individual actors are joined with a " , " |
 | `id` | `id` | |
 | `threat_rating.confidence_score` | `confidence` | |
 | `unknown` | `threatType` | |
@@ -88,38 +88,110 @@ You can ingest threat indicators from ZeroFox using the [ZeroFox Threat Intel So
 
 Following are the normalized values for ZeroFox:
 
-| ZeroFox schema | Normalized schema in the datastore | Notes |
-|:--|:--|:--|
-| `c2_domain` | `indicator` | |
-| `c2_ip_address` | `indicator` | |
-| `created_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. |
-| `domain` | `indicator` | |
-| `domain-name--{{domain}}` | `id` | |
-| `file:hashes.'SHA-1'` | `type` | |
-| `file:hashes.'SHA-1'--{{sha1}}` | `id` | |
-| `file:hashes.'SHA-256'` | `type` | |
-| `file:hashes.'SHA-256'--{{sha256}}` | `id` | |
-| `file:hashes.'SHA-512'` | `type` | |
-| `file:hashes.'SHA-512'--{{sha512}}` | `id` | |
-| `file:hashes.MD5` | `type` | |
-| `file:hashes.'MD5'--{{md5}}` | `id` | |
-| `ip` | `indicator` | | |
-| `ip_address` | `indicator` | |
-| `ipv4-addr--{{c2_domain}}` | `id` | |
-| `ipv4-addr--{{c2_ip_address}}` | `id` | |
-| `ipv4-addr--{{ip_address}}`  | `id` | |
-| `ipv6-addr--{{c2_ip_address}}` | `id` | |
-| `listed_at` | `validFrom` | |
-| `md5` | `indicator` | |
-| `scanned` | `validFrom` | |
-| `sha1` | `indicator` | |
-| `sha256` | `indicator` | |
-| `sha512` | `indicator` | |
-| `tags` | `confidence` | Set by default to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. |
-| `updated_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. |
-| `url` | `indicator` | |
-| `url--{{url}}` | `id` | |
-| *Not applicable*  | `threatType` | All indicators are set to `compromised`. |
+| ZeroFox endpoint | ZeroFox schema | Normalized schema in the datastore | Notes |
+|:--|:--|:--|:--|
+| /botnet endpoint with `ip_address` populated | `ipv4-addr--<ip_address>` | `id` | Templated |
+| /botnet endpoint with `ip_address` populated | `ip_address` | `indicator` | |
+| /botnet endpoint with `ip_address` populated |  | `type` | Statically set to `ip_address` |
+| /botnet endpoint with `ip_address` populated |  | `threatType` | Statically set to `compromised` |
+| /botnet endpoint with `ip_address` populated | `listed_at` | `validFrom` | |
+| /botnet endpoint with `ip_address` populated |  | `confidence` | Statically set to `50`
+| /botnet endpoint with `c2_ip_address` populated | `ipv4-addr--<c2_ip_address>` | `id` | Templated |
+| /botnet endpoint with `c2_ip_address` populated | `c2_ip_address` | `indicator` | |
+| /botnet endpoint with `c2_ip_address` populated |  | `type` | Statically set to `ip_address` |
+| /botnet endpoint with `c2_ip_address` populated |  | `threatType` | Statically set to `compromised` |
+| /botnet endpoint with `c2_ip_address` populated | `listed_at` | `validFrom` | |
+| /botnet endpoint with `c2_ip_address` populated | `tags` | `confidence` | Default statically set to `75,  but set to 25 if `c2_domain_top_1m` found as a tag |
+| /botnet endpoint with `c2_domain` populated | `ipv4-addr--<c2_domain>` | `id` | Templated |
+| /botnet endpoint with `c2_domain` populated | `c2_domain` | `indicator` | |
+| /botnet endpoint with `c2_domain` populated |  | `type` | Statically set to `domain-name` |
+| /botnet endpoint with `c2_domain` populated |  | `threatType` | Statically set to `compromised` |
+| /botnet endpoint with `c2_domain` populated | `listed_at` | `validFrom` |  |
+| /botnet endpoint with `c2_domain` populated | `tags` | `confidence` | Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag |
+| /c2-domains endpoint with `domain` populated | `domain-name--<domain>` | `id` | Templated |
+| /c2-domains endpoint with `domain` populated | `domain` | `indicator` | |
+| /c2-domains endpoint with `domain` populated |  | `type` | Statically set to `domain-name` |
+| /c2-domains endpoint with `domain` populated |  | `threatType` | Statically set to `compromised` |
+| /c2-domains endpoint with `domain` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /c2-domains endpoint with `domain` populated | `tags` | `confidence` | Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag |
+| /c2-domains endpoint with each `Ip_addresses` populated | `ipv4-addr--<c2_ip_address>` or `ipv6-addr--<c2_ip_address>` | `id` | Templated. Depends if value is IPv4 or IPv6 |
+| /c2-domains endpoint with each `Ip_addresses` populated | `[]Ip_addresses` | `indicator` | The specific value in the list |
+| /c2-domains endpoint with each `Ip_addresses` populated |  | `type` | Statically set to `ipv4-addr` or `ipv6-addr` |
+| /c2-domains endpoint with each `Ip_addresses` populated |  | `threatType` | Statically set to `compromised` |
+| /c2-domains endpoint with each `Ip_addresses` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /c2-domains endpoint with each `Ip_addresses` populated |  | `confidence` | Statically set to `50` |
+| /disruption endpoint with `url` populated | `url--<url>` | `id` | Templated |
+| /disruption endpoint with `url` populated | `url` | `indicator` | |
+| /disruption endpoint with `url` populated |  | `type` | Statically set to `url` |
+| /disruption endpoint with `url` populated |  | `threatType` | Statically set to `compromised` |
+| /disruption endpoint with `url` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /disruption endpoint with `url` populated |  | `confidence` | Statically set to `100` |
+| /disruption endpoint with `ip` populated | `ipv4-addr--<ip>` | `id` | Templated |
+| /disruption endpoint with `ip` populated | `ip` | `indicator` | |
+| /disruption endpoint with `ip` populated |  | `type` | Statically set to `ipv4-addr` |
+| /disruption endpoint with `ip` populated |  | `threatType` | Statically set to `compromised` |
+| /disruption endpoint with `ip` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /disruption endpoint with `ip` populated |  | `confidence` | Statically set to `50` |
+| /malware endpoint with `md5` populated | `file:hashes.MD5--<md5>` | `id` | Templated |
+| /malware endpoint with `md5` populated | `md5` | `indicator` |  |
+| /malware endpoint with `md5` populated | `file:hashes.MD5` | `type` |  |
+| /malware endpoint with `md5` populated |  | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `md5` populated | `created_at` | `validFrom` | |
+| /malware endpoint with `md5` populated |  | `confidence` | Statically set to `75` |
+| /malware endpoint with `sha1` populated | `file:hashes.'SHA-1'--<sha1>` | `id` | Templated |
+| /malware endpoint with `sha1` populated | `sha1` | `indicator` | |
+| /malware endpoint with `sha1` populated | `file:hashes.'SHA-1'` | `type` | |
+| /malware endpoint with `sha1` populated |  | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `sha1` populated | `created_at` | `validFrom` | 
+| /malware endpoint with `sha1` populated |  | `confidence` | Statically set to `75` |
+| /malware endpoint with `sha256` populated | `file:hashes.'SHA-256'--<sha256>` | `id` | Templated |
+| /malware endpoint with `sha256` populated | `sha256` | `indicator` | |
+| /malware endpoint with `sha256` populated | `file:hashes.'SHA-256'` | `type` | |
+| /malware endpoint with `sha256` populated |  | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `sha256` populated | `created_at` | `validFrom` | |
+| /malware endpoint with `sha256` populated |  | `confidence` | Statically set to `75` |
+| /malware endpoint with `sha512` populated | `file:hashes.'SHA-512'--<sha512>` | `id` | Templated |
+| /malware endpoint with `sha512` populated | `sha512` | `indicator` | |
+| /malware endpoint with `sha512` populated | `file:hashes.'SHA-512'` | `type` | |
+| /malware endpoint with `sha512` populated |  | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `sha512` populated | `created_at` | `validFrom` | |
+| /malware endpoint with `sha512` populated |  | `confidence` | Statically set to `75` |
+| /phishing endpoint with `domain` populated |` domain-name--<domain>` | `id` | Templated |
+| /phishing endpoint with `domain` populated | `domain` | `indicator` |  |
+| /phishing endpoint with `domain` populated |  | `type` | Statically set to `domain-name` |
+| /phishing endpoint with `domain` populated |  | `threatType` | Statically set to `compromised` |
+| /phishing endpoint with `domain` populated | `scanned` | `validFrom` | |
+| /phishing endpoint with `domain` populated |  | `confidence` | Statically set to `50` |
+| /phishing endpoint with `url` populated |` url--<domain>` | `id` | Templated |
+| /phishing endpoint with `url` populated | `url` | `indicator` | |
+| /phishing endpoint with `url` populated |  | `type` | Statically set to `url` |
+| /phishing endpoint with `url` populated |  | `threatType` | Statically set to `compromised` |
+| /phishing endpoint with `url` populated | `scanned` | `validFrom` | |
+| /phishing endpoint with `url` populated |  | `confidence` | Statically set to `50` |
+| /ransomware endpoint with `md5` populated | `file:hashes.MD5--<md5>` | `id` | Templated |
+| /ransomware endpoint with `md5` populated | `md5` | `indicator` | |
+| /ransomware endpoint with `md5` populated | `file:hashes.MD5` | `type` | |
+| /ransomware endpoint with `md5` populated |  | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `md5` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `md5` populated |  | `confidence` | Statically set to `75` |
+| /ransomware endpoint with `sha1` populated | `file:hashes.'SHA-1'--<sha1>` | `id` | Templated |
+| /ransomware endpoint with `sha1` populated | `sha1` | `indicator` | |
+| /ransomware endpoint with `sha1` populated | `file:hashes.'SHA-1'` | `type` | |
+| /ransomware endpoint with `sha1` populated |  | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `sha1` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `sha1` populated |  | `confidence` | Statically set to `75` |
+| /ransomware endpoint with `sha256` populated | `file:hashes.'SHA-256'--<sha256>` | `id` | Templated |
+| /ransomware endpoint with `sha256` populated | `sha256` | `indicator` |  |
+| /ransomware endpoint with `sha256` populated | `file:hashes.'SHA-256'` | `type` | |
+| /ransomware endpoint with `sha256` populated |  | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `sha256` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `sha256` populated |  | `confidence` | Statically set to `75` |
+| /ransomware endpoint with `sha512` populated | `file:hashes.'SHA-512'--<sha512>` | `id` | Templated |
+| /ransomware endpoint with `sha512` populated | `sha512` | `indicator` | |
+| /ransomware endpoint with `sha512` populated | `file:hashes.'SHA-512'` | `type` | |
+| /ransomware endpoint with `sha512` populated |  | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `sha512` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `sha512` populated |  | `confidence` | Statically set to `75` |
 
 ### Type mapping for ZeroFox
 
@@ -133,20 +205,4 @@ The `type` object is mapped to the following normalized type values:
 | `ip` | `ipv4-addr` |
 | `ip_address` | `ip_address` |
 | `Ip_addresses` | `ipv4-addr` or `ipv6-addr` |
-| `url` | `url` |
-
-### Confidence mapping for ZeroFox
-
-The `confidence` field in the datastore has the following values for ZeroFox:
-
-| ZeroFox item | Confidence score in datastore |
-|:--|:--|
-| `domain` | `50` |
-| `ip` | `50` |
-| `ip_address` | `50` |
-| `ip_addresses` | `50` |
-| `md5` | `75` |
-| `sha1` | `75` |
-| `sha256` | `75` |
-| `sha512` | `75` |
-| `url` | `50` for phishing events, and `100` for disruption events |
+| `url` | `url` |
