Zero Trust Analytics Platform

Details
Content
Dependencies
Version History

Provides view of raised alerts within ZTAP.

The backbone of highly effective managed detection and response (MDR) is the Zero Trust Analytics Platform (ZTAP) utilized by elite security analysts to resolve every alert.

What does this pack do?

This pack enables you to:

Sync and update escalated ZTAP alerts.
Respond to Critical Start analysts directly from the XSOAR platform.

This pack includes the integration, the ZTAP Alert incident type, and an incident layout that displays information.

Custom Classifier

If using a custom classifier the following fields are required for bidirectional sync

Input Field	Output Field
xsoar_mirror_id	dbotMirrorId
xsoar_mirror_direction	dbotMirrorDirection
xsoar_mirror_instance	dbotMirrorInstance
xsoar_mirror_last_sync	dbotMirrorLastSync
xsoar_mirror_tags	dbotMirrorTags

Custom Playbook

If using a custom playbook comments from before the alert was escalated will not be fetched.
In order to fetch them call ztap-get-alert-entries during initial processing.
Note that the escalation comment will be fetched during this step.

The backbone of highly effective managed detection and response (MDR) is the Zero Trust Analytics Platform (ZTAP) utilized by elite security analysts to resolve every alert.

What does this pack do?

This pack enables you to:

Sync and update escalated ZTAP alerts.
Respond to Critical Start analysts directly from the XSOAR platform.

This pack includes the integration, the ZTAP Alert incident type, and an incident layout that displays information.

Custom Classifier

If using a custom classifier the following fields are required for bidirectional sync

Input Field	Output Field
xsoar_mirror_id	dbotMirrorId
xsoar_mirror_direction	dbotMirrorDirection
xsoar_mirror_instance	dbotMirrorInstance
xsoar_mirror_last_sync	dbotMirrorLastSync
xsoar_mirror_tags	dbotMirrorTags

Custom Playbook

Automations

Name	Description
ZTAPParseLinks	Parses ZTAP external links to display in a dynamic table.
ZTAPExtractFields	Extracts ZTAP fields into a format parsable to grab as indicators
ZTAPViewTimeline	View notes only relating to ZTAP.
ZTAPBuildTimeline	Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline.
ZTAPParseFields	Parses ZTAP event fields to display as key/value pairs in a dynamic table.

Classifiers

Name	Description
ZeroTrustAnalyticsPlatform - Outgoing Mapper	Maps outgoing ZTAP incidents fields.
ZeroTrustAnalyticsPlatform - Incoming Mapper	Maps incoming ZeroTrustAnalyticsPlatform incidents fields.

Incident Fields

Name	Description
ZTAP Priority
ZTAP Product Status
ZTAP Assigned Organization
ZTAP Alert Link
ZTAP Trigger Count
ZTAP Status
ZTAP Source Organization
ZTAP Input Tag
ZTAP Triggers
ZTAP Alert ID

Incident Types

Name	Description
ZTAP Alert

Integrations

Name	Description
ZeroTrustAnalyticsPlatform (Partner Contribution)	Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service.

Layouts

Name	Description
ZTAP Alert

Playbooks

Name	Description
ZTAP Alert	This playbok is triggered by fetching escalated ZTAP Alerts. The playbook fetches newly escalated alerts. Then, the playbook performs enrichment on the incident's indicators. Lastly, it adds comments/logs as Evidence.

Automations

Name	Description
ZTAPExtractFields	Extracts ZTAP fields into a format parsable to grab as indicators
ZTAPViewTimeline	View notes only relating to ZTAP.
ZTAPBuildTimeline	Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline.
ZTAPParseFields	Parses ZTAP event fields to display as key/value pairs in a dynamic table.
ZTAPParseLinks	Parses ZTAP external links to display in a dynamic table.

Classifiers

Name	Description
ZeroTrustAnalyticsPlatform - Outgoing Mapper	Maps outgoing ZTAP incidents fields.
ZeroTrustAnalyticsPlatform - Incoming Mapper	Maps incoming ZeroTrustAnalyticsPlatform incidents fields.

Incident Fields

Name	Description
ZTAP Priority
ZTAP Product Status
ZTAP Status
ZTAP Trigger Count
ZTAP Triggers
ZTAP Assigned Organization
ZTAP Alert Link
ZTAP Alert ID
ZTAP Source Organization
ZTAP Input Tag

Incident Types

Name	Description
ZTAP Alert

Integrations

Name	Description
ZeroTrustAnalyticsPlatform (Partner Contribution)	Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service.

Playbooks

Name	Description
ZTAP Alert	This playbok is triggered by fetching escalated ZTAP Alerts. The playbook fetches newly escalated alerts. Then, the playbook performs enrichment on the alert's indicators. Lastly, it adds comments/logs as Evidence.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (7)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

1.1.10 - 938811 (April 7, 2024)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.14.90585.

Scripts

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.10.14.90585.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.10.14.90585.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.10.14.90585.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.1.9 - 752611 (January 9, 2024)

Scripts

ZTAPViewTimeline

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 32030

Download

1.1.8 - R5866730 (July 25, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27936

Download

1.1.7 - 5450895 (June 5, 2023)

Scripts

ZTAPExtractFields

Updated the enabled yml key to true.
Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27187

Download

1.1.6 - R5170573 (May 2, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.10.51930.
Fix outbound tag priority (escalation now takes priority over comments)

Layouts

ZTAP Alert
Update original section to "ZTAP Info"
Add additional section for "ZTAP Timeline"

Scripts

New: ZTAPViewTimeline

View notes only relating to ZTAP

Related pull requests:
- 25595
- 25490

Download

1.1.5 - R4718798 (March 1, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.10.48392.
Removed mirroring parameters from cortex XSIAM.

Related pull requests:
- 24220

Download

1.1.4 - R4646022 (February 19, 2023)

Layouts

ZTAP Alert
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.1.3 - R4372591 (January 11, 2023)

Integrations

ZeroTrustAnalyticsPlatform

Fix fetching comments when downloading comments with attachments
Updated the Docker image to: demisto/python3:3.10.9.42476.

Related pull requests:
- 23586
- 23558

Download

1.1.2 - R3917401 (October 26, 2022)

Integrations

ZeroTrustAnalyticsPlatform

Updated formatting of integration parameters.

Related pull requests:
- 18819

Download

1.1.1 - 2811376 (April 24, 2022)

WARNING: This version is invalid. Please install a different version.

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.4.28442.
Fixed an issue where alerts failed to ingest if they were assigned to a user.

Related pull requests:
- 18663
- 18672
- 20109

Download

1.1.0 - 2704575 (April 5, 2022)

Incident Fields

Deprecated ZTAP Input Tag
ZTAP Alert Link

Integrations

ZeroTrustAnalyticsPlatform

Updated the Docker image to: demisto/python3:3.10.4.27798.
Add url field to new incidents
Simplify comments to use text instead of JSON
Remove audit log ingestion
Change default to mirror in both directions by default
Update branding

Layouts

ZTAP Alert

Add ZTAP Alert Link
Remove unused Escalate Organization

Mappers

ZeroTrustAnalyticsPlatform - Incoming Mapper

Add ZTAP Alert Link

Playbooks

ZTAP Alert

Remove ZTAPBuildTimeline

Scripts

ZTAPBuildTimeline

Deprecated. Removed from default ZTAP Alert playbook.

ZTAPExtractFields

Updated the Docker image to: demisto/python3:3.10.4.27798.

ZTAPParseFields

Updated the Docker image to: demisto/python3:3.10.4.27798.

ZTAPParseLinks

Updated the Docker image to: demisto/python3:3.10.4.27798.

Download

1.0.2 - 2674843 (March 30, 2022)

Integrations

ZeroTrustAnalyticsPlatform

Added type validations and other internal code improvements.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 10, 2021
Last Release	April 7, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.