Zero Trust Analytics Platform

Details
Content
Dependencies
Version History

Provides view of raised alerts within ZTAP.

The backbone of highly effective managed detection and response (MDR) is the Zero Trust Analytics Platform (ZTAP) utilized by elite security analysts to resolve every alert.

What does this pack do?

This pack enables you to:

Sync and update escalated ZTAP alerts.
Respond to Critical Start analysts directly from the XSOAR platform.

This pack includes the integration, the ZTAP Alert incident type, and an incident layout that displays information.

Custom Classifier

If using a custom classifier the following fields are required for bidirectional sync

Input Field	Output Field
xsoar_mirror_id	dbotMirrorId
xsoar_mirror_direction	dbotMirrorDirection
xsoar_mirror_instance	dbotMirrorInstance
xsoar_mirror_last_sync	dbotMirrorLastSync
xsoar_mirror_tags	dbotMirrorTags

Custom Playbook

If using a custom playbook comments from before the alert was escalated will not be fetched.
In order to fetch them call ztap-get-alert-entries during initial processing.
Note that the escalation comment will be fetched during this step.

The backbone of highly effective managed detection and response (MDR) is the Zero Trust Analytics Platform (ZTAP) utilized by elite security analysts to resolve every alert.

What does this pack do?

This pack enables you to:

Sync and update escalated ZTAP alerts.
Respond to Critical Start analysts directly from the XSOAR platform.

This pack includes the integration, the ZTAP Alert incident type, and an incident layout that displays information.

Custom Classifier

If using a custom classifier the following fields are required for bidirectional sync

Input Field	Output Field
xsoar_mirror_id	dbotMirrorId
xsoar_mirror_direction	dbotMirrorDirection
xsoar_mirror_instance	dbotMirrorInstance
xsoar_mirror_last_sync	dbotMirrorLastSync
xsoar_mirror_tags	dbotMirrorTags

Custom Playbook

Automations

Name	Description
ZTAPParseFields	Parses ZTAP event fields to display as key/value pairs in a dynamic table.
ZTAPBuildTimeline	Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline.
ZTAPExtractFields	Extracts ZTAP fields into a format parsable to grab as indicators
ZTAPViewTimeline	View notes only relating to ZTAP.
ZTAPParseLinks	Parses ZTAP external links to display in a dynamic table.

Classifiers

Name	Description
ZeroTrustAnalyticsPlatform - Incoming Mapper	Maps incoming ZeroTrustAnalyticsPlatform incidents fields.
ZeroTrustAnalyticsPlatform - Outgoing Mapper	Maps outgoing ZTAP incidents fields.

Incident Fields

Name	Description
ZTAP Triggers
ZTAP Priority
ZTAP Status
ZTAP Alert ID
ZTAP Assigned Organization
ZTAP Alert Link
ZTAP Source Organization
ZTAP Input Tag
ZTAP Product Status
ZTAP Trigger Count

Incident Types

Name	Description
ZTAP Alert

Integrations

Name	Description
ZeroTrustAnalyticsPlatform (Partner Contribution)	Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service.

Layouts

Name	Description
ZTAP Alert

Playbooks

Name	Description
ZTAP Alert	This playbok is triggered by fetching escalated ZTAP Alerts. The playbook fetches newly escalated alerts. Then, the playbook performs enrichment on the incident's indicators. Lastly, it adds comments/logs as Evidence.

Automations

Name	Description
ZTAPBuildTimeline	Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline.
ZTAPParseLinks	Parses ZTAP external links to display in a dynamic table.
ZTAPViewTimeline	View notes only relating to ZTAP.
ZTAPExtractFields	Extracts ZTAP fields into a format parsable to grab as indicators
ZTAPParseFields	Parses ZTAP event fields to display as key/value pairs in a dynamic table.

Classifiers

Name	Description
ZeroTrustAnalyticsPlatform - Incoming Mapper	Maps incoming ZeroTrustAnalyticsPlatform incidents fields.
ZeroTrustAnalyticsPlatform - Outgoing Mapper	Maps outgoing ZTAP incidents fields.

Incident Fields

Name	Description
ZTAP Trigger Count
ZTAP Assigned Organization
ZTAP Alert ID
ZTAP Source Organization
ZTAP Triggers
ZTAP Product Status
ZTAP Priority
ZTAP Alert Link
ZTAP Status
ZTAP Input Tag

Incident Types

Name	Description
ZTAP Alert

Integrations

Name	Description
ZeroTrustAnalyticsPlatform (Partner Contribution)	Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service.

Playbooks

Name	Description
ZTAP Alert	This playbok is triggered by fetching escalated ZTAP Alerts. The playbook fetches newly escalated alerts. Then, the playbook performs enrichment on the alert's indicators. Lastly, it adds comments/logs as Evidence.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (8)

Pack Name	Pack By
Aggregated Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.1.19 - 9264184 (May 25, 2026)

Integrations

ZeroTrustAnalyticsPlatform

Documentation and metadata improvements.

Related pull requests:
- 44363
- 44358
- 42667
- 43952
- 43732
- 44181
- 44008
- 44052
- 44349
- 44357
- 44339
- 44344
- 43700

Download

1.1.18 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.1.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.1.16 - 4770511 (September 4, 2025)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Scripts

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.1.15 - R3980324 (June 26, 2025)

Integrations

ZeroTrustAnalyticsPlatform

Documentation and metadata improvements.

Related pull requests:
- 40195

Download

1.1.14 - R3474673 (May 20, 2025)

Integrations

ZeroTrustAnalyticsPlatform

Metadata and documentation improvements.

Scripts

ZTAPViewTimeline

Metadata and documentation improvements.

ZTAPExtractFields

Metadata and documentation improvements.

ZTAPParseLinks

Metadata and documentation improvements.

ZTAPParseFields

Metadata and documentation improvements.

Related pull requests:
- 39024

Download

1.1.13 - 2763721 (March 12, 2025)

Zero Trust Analytics Platform

Ensure that mirroring fields only appear in XSOAR integrations.

Related pull requests:
- 38998

Download

1.1.12 - R2040490 (January 22, 2025)

Scripts

ZTAPViewTimeline

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37732

Download

1.1.11 - 1748140 (December 4, 2024)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.11.10.115186.

Scripts

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

1.1.10 - R1709192 (November 26, 2024)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.14.90585.

Scripts

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.10.14.90585.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.10.14.90585.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.10.14.90585.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.1.9 - 752611 (January 9, 2024)

Scripts

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 32030

Download

1.1.8 - R5866730 (July 25, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27936

Download

1.1.7 - 5450895 (June 5, 2023)

Scripts

ZTAPExtractFields

Updated the enabled yml key to true.
Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27187

Download

1.1.6 - R5170573 (May 2, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.10.51930.
Fix outbound tag priority (escalation now takes priority over comments)

Layouts

ZTAP Alert
Update original section to "ZTAP Info"
Add additional section for "ZTAP Timeline"

Scripts

New: ZTAPViewTimeline

View notes only relating to ZTAP

Related pull requests:
- 25595
- 25490

Download

1.1.5 - R4718798 (March 1, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.10.48392.
Removed mirroring parameters from cortex XSIAM.

Related pull requests:
- 24220

Download

1.1.4 - R4646022 (February 19, 2023)

Layouts

ZTAP Alert
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.1.3 - R4372591 (January 11, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Fix fetching comments when downloading comments with attachments
Updated the Docker image to: demisto/python3:3.10.9.42476.

Related pull requests:
- 23586
- 23558

Download

1.1.2 - R3917401 (October 26, 2022)

Integrations

ZeroTrustAnalyticsPlatform

Updated formatting of integration parameters.

Related pull requests:
- 18819

Download

1.1.1 - 2811376 (April 24, 2022)

WARNING: This version is invalid. Please install a different version.

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.4.28442.
Fixed an issue where alerts failed to ingest if they were assigned to a user.

Related pull requests:
- 18663
- 18672
- 20109

Download

1.1.0 - 2704575 (April 5, 2022)

Incident Fields

Deprecated ZTAP Input Tag
ZTAP Alert Link

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.4.27798.
Add url field to new incidents
Simplify comments to use text instead of JSON
Remove audit log ingestion
Change default to mirror in both directions by default
Update branding

Layouts

ZTAP Alert

Add ZTAP Alert Link
Remove unused Escalate Organization

Mappers

ZeroTrustAnalyticsPlatform - Incoming Mapper

Add ZTAP Alert Link

Playbooks

ZTAP Alert

Remove ZTAPBuildTimeline

Scripts

ZTAPBuildTimeline

Deprecated. Removed from default ZTAP Alert playbook.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.10.4.27798.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.10.4.27798.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.10.4.27798.

Download

1.0.2 - 2674843 (March 30, 2022)

Integrations

ZeroTrustAnalyticsPlatform

Added type validations and other internal code improvements.

Download

1.1.19 - 9264184 (May 25, 2026)

Integrations

ZeroTrustAnalyticsPlatform

Documentation and metadata improvements.

Related pull requests:
- 44363
- 44358
- 42667
- 43952
- 43732
- 44181
- 44008
- 44052
- 44349
- 44357
- 44339
- 44344
- 43700

Download

1.1.18 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.1.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.1.16 - 4761438 (September 4, 2025)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Scripts

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.1.15 - R3980324 (June 26, 2025)

Integrations

ZeroTrustAnalyticsPlatform

Documentation and metadata improvements.

Related pull requests:
- 40195

Download

1.1.14 - R3474673 (May 20, 2025)

Integrations

ZeroTrustAnalyticsPlatform

Metadata and documentation improvements.

Scripts

ZTAPViewTimeline

Metadata and documentation improvements.

ZTAPExtractFields

Metadata and documentation improvements.

ZTAPParseLinks

Metadata and documentation improvements.

ZTAPParseFields

Metadata and documentation improvements.

Related pull requests:
- 39024

Download

1.1.13 - 2763721 (March 12, 2025)

Zero Trust Analytics Platform

Ensure that mirroring fields only appear in XSOAR integrations.

Related pull requests:
- 38998

Download

1.1.12 - R2040490 (January 22, 2025)

Scripts

ZTAPViewTimeline

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37732

Download

1.1.11 - 1748140 (December 4, 2024)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.11.10.115186.

Scripts

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

1.1.10 - R1709192 (November 26, 2024)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.14.90585.

Scripts

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.10.14.90585.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.10.14.90585.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.10.14.90585.

1.1.9 - 752611 (January 9, 2024)

Scripts

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 32030

Download

1.1.8 - R5866730 (July 25, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27936

Download

1.1.7 - 5450895 (June 5, 2023)

Scripts

ZTAPExtractFields

Updated the enabled yml key to true.
Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27187

Download

1.1.6 - R5170573 (May 2, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.10.51930.
Fix outbound tag priority (escalation now takes priority over comments)

Scripts

New: ZTAPViewTimeline

View notes only relating to ZTAP

Related pull requests:
- 25595
- 25490

Download

1.1.5 - R4718798 (March 1, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.10.48392.
Removed mirroring parameters from cortex XSIAM.

Related pull requests:
- 24220

Download

1.1.4 - R4646022 (February 19, 2023)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 24223

Download

1.1.3 - R4361094 (January 9, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Fix fetching comments when downloading comments with attachments
Updated the Docker image to: demisto/python3:3.10.9.42476.

Related pull requests:
- 23586
- 23558

Download

1.1.2 - R3917401 (October 26, 2022)

Integrations

ZeroTrustAnalyticsPlatform

Updated formatting of integration parameters.

Related pull requests:
- 18819

Download

1.1.1 - 2811376 (April 24, 2022)

WARNING: This version is invalid. Please install a different version.

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.4.28442.
Fixed an issue where alerts failed to ingest if they were assigned to a user.

Related pull requests:
- 18663
- 18672
- 20109

Download

1.1.0 - 2704575 (April 5, 2022)

Incident Fields

Deprecated ZTAP Input Tag
ZTAP Alert Link

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.4.27798.
Add url field to new incidents
Simplify comments to use text instead of JSON
Remove audit log ingestion
Change default to mirror in both directions by default
Update branding

Layouts

ZTAP Alert

Add ZTAP Alert Link
Remove unused Escalate Organization

Mappers

ZeroTrustAnalyticsPlatform - Incoming Mapper

Add ZTAP Alert Link

Playbooks

ZTAP Alert

Remove ZTAPBuildTimeline

Scripts

ZTAPBuildTimeline

Deprecated. Removed from default ZTAP Alert playbook.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.10.4.27798.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.10.4.27798.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.10.4.27798.

Download

1.0.2 - 2674843 (March 30, 2022)

Integrations

ZeroTrustAnalyticsPlatform

Added type validations and other internal code improvements.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 10, 2021
Last Release	May 25, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.