DataDog · shubhamvekariya-crest · Aug 20, 2025 · Aug 20, 2025 · Aug 22, 2025 · Aug 26, 2025
@@ -612,6 +612,11 @@ plaid/assets/logs/                                                  @DataDog/saa
 /klaviyo/manifest.json                                               @DataDog/saas-integrations @DataDog/documentation
 /klaviyo/assets/logs/                                                @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
 
+/zerofox_cloud_platform/                                             @DataDog/saas-integrations
+/zerofox_cloud_platform/*.md                                         @DataDog/saas-integrations @DataDog/documentation
+/zerofox_cloud_platform/manifest.json                                @DataDog/saas-integrations @DataDog/documentation
+/zerofox_cloud_platform/assets/logs/                                 @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 /beyondtrust_password_safe/                                          @DataDog/saas-integrations @DataDog/agent-integrations
 /beyondtrust_password_safe/*.md                                      @DataDog/saas-integrations @DataDog/agent-integrations @DataDog/documentation
 /beyondtrust_password_safe/manifest.json                             @DataDog/saas-integrations @DataDog/agent-integrations @DataDog/documentation

@@ -749,6 +749,8 @@ integration/zeek:
 - zeek/**/*
 integration/zero_networks:
 - zero_networks/**/*
+integration/zerofox_cloud_platform:
+- zerofox_cloud_platform/**/*
 integration/zk:
 - zk/**/*
 qa/skip-qa:

@@ -0,0 +1,7 @@
+# CHANGELOG - ZeroFox Cloud Platform
+
+## 1.0.0 / 2025-08-20
+
+***Added***:
+
+* Initial Release
@@ -0,0 +1,47 @@
+## Overview
+
+[ZeroFox Cloud Platform][1] is a digital risk protection platform that monitors social, dark web, domains, apps, and collaboration channels to identify brand, executive, and attack surface threats.
+
+This integration ingests the following logs:
+- **Platform Alerts**: Provides information about malicious or suspicious activity that violates defined ZeroFox rules.
+
+Integrate ZeroFox Cloud Platform with Datadog to gain insights into Alerts using pre-built dashboard visualizations. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. Additionally, the integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.
+
+## Setup
+
+### Prerequisites
+
+- Username
+- Password
+
+Note: User account that is associated with a ZeroFox customer enterprise.
+
+### Connect your ZeroFox Cloud Platform Account to Datadog
+
+1. Add your Username and Password.
+   | Parameters | Description |
+   | -------- | ---------------------------------------------- |
+   | Username | The Username of your ZeroFox Platform account. |
+   | Password | The Password of your ZeroFox Platform account. |
-1. Add your Username and Password.
-   | Parameters | Description |
-   | -------- | ---------------------------------------------- |
-   | Username | The Username of your ZeroFox Platform account. |
-   | Password | The Password of your ZeroFox Platform account. |
+1. Add the Username and Password of your ZeroFox Platform account.
-1. Add your Username and Password.
-   | Parameters | Description |
-   | -------- | ---------------------------------------------- |
-   | Username | The Username of your ZeroFox Platform account. |
-   | Password | The Password of your ZeroFox Platform account. |
+1. Add the Username and Password of your ZeroFox Platform account.
+2. Click the Save button to save your settings.
-2. Click the Save button to save your settings.
+2. Click **Save**.
-2. Click the Save button to save your settings.
+2. Click **Save**.
+
+## Data Collected
+
+### Logs
+
+ZeroFox Cloud Platform collects and forwards alerts to Datadog.
+
+### Metrics
+
+ZeroFox Cloud Platform does not include any metrics.
+
+### Events
+
+ZeroFox Cloud Platform does not include any events.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][2].
+
+[1]: https://www.zerofox.com/platform/
+[2]: https://docs.datadoghq.com/help/
@@ -0,0 +1,66 @@
+id: zerofox-cloud-platform
+metric_id: zerofox-cloud-platform
+backend_only: false
+facets: null
+pipeline:
+  type: pipeline
+  name: ZeroFox Cloud Platform
+  enabled: true
+  filter:
+    query: source:zerofox-cloud-platform
+  processors:
+    - type: date-remapper
+      name: Define `last_modified` as the official date of the log
+      enabled: true
+      sources:
+        - last_modified
+    - name: Lookup on `severity` to `risk_rating`
+      enabled: true
+      source: severity
+      target: risk_rating
+      lookupTable: |-
+        5,Critical
+        4,High
+        3,Medium
+        2,Low
+        1,Info
+      type: lookup-processor
+    - name: Lookup on `severity` to `severity_to_status`
+      enabled: true
+      source: severity
+      target: severity_to_status
+      lookupTable: |-
+        5,Alert
+        4,Critical
+        3,Warning
+        2,Notice
+        1,Info
+      type: lookup-processor
+    - type: status-remapper
+      name: Define `severity_to_status` as the official status of the log
+      enabled: true
+      sources:
+        - severity_to_status
+    - type: string-builder-processor
+      name: Build ZeroFox Platform Alert Link
+      enabled: true
+      template: https://cloud.zerofox.com/alerts/%{id}
+      target: alert_link
+      replaceMissing: true
+    - type: string-builder-processor
+      name: Extract actors from logs
+      enabled: true
+      template: "%{logs.actor}"
+      target: actors
+      replaceMissing: true
+    - type: grok-parser
+      name: Convert actors string to array
+      enabled: true
+      source: actors
+      samples:
+        - " ,,ZeroFox Platform Specialist, "
+        - "ZeroFox Platform Specialist,, "
+      grok:
+        supportRules: ""
+        matchRules: extract_actors (%{regex("\\s*"):},)*%{data:actor:array(",",
+          nullIf(""))}