ZeroTrustAnalyticsPlatform
This Integration is part of the Zero Trust Analytics Platform Pack.
Supported versions
Available on Cortex XSOAR (versions 6.0.0 and later) and Cortex XSIAM.
Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service. This integration was integrated and tested with version 2021-06-25 of ZeroTrustAnalyticsPlatform.
Configure ZeroTrustAnalyticsPlatform in Cortex
| Parameter | Description | Required |
|---|---|---|
| ZTAP server URL | | True |
| API Key | The API key to use for the connection. | True |
| Reopen Group | ZTAP group the alert is sent to when an incident is reopened. | True |
| Trust any certificate (not secure) | Skips TLS certificate validation on connections to ZTAP. Leave disabled outside of lab testing. | False |
| Use system proxy settings | Route requests to ZTAP through the proxy configured on the Cortex server. | False |
| Fetch incidents | | False |
| Incident type | | False |
| Incident Mirroring Direction | | False |
| Comment entry tag | Adding this tag to a Note syncs it to ZTAP as a comment. | False |
| Escalate entry tag | Adding this tag to a Note reassigns the alert back to the Critical Start SOC. | False |
| ZTAP input tag | | False |
| Fetch attachments for comments from ZTAP | | False |
| Sync closing incidents with ZTAP | Cortex XSOAR only parameter. | False |
| Sync reopening incidents with ZTAP | | False |
| First fetch timestamp | | False |
| Maximum number of incidents to fetch | | False |
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
get-mapping-fields
Get the mapping fields from a remote incident.
Base Command
get-mapping-fields
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!get-mapping-fields
get-remote-data
Get remote data from a remote incident. Cortex runs this command automatically as part of incident mirroring; call it manually only for debugging purposes.
Base Command
get-remote-data
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The remote incident id. | Required |
| lastUpdate | UTC timestamp in seconds. The incident is only updated if it was modified after the last update time. Default is 0. | Optional |
Context Output
There is no context output for this command.
Command Example
!get-remote-data id=1 lastUpdate=0
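The lastUpdate argument is the detail most likely to bite when debugging mirroring: it is whole UTC seconds, and only entries modified strictly after it are returned. The following model of that filter is an added illustration, not code from the ZeroTrustAnalyticsPlatform integration; the entry records, their field names and the ISO 8601 timestamps are constructed for the example and do not reflect ZTAP's actual payloads.

```python
"""Model of the get-remote-data ``lastUpdate`` filter.

Added illustration, not the integration's own code. The records in
SAMPLE_ENTRIES and their field names are constructed for this example.
"""
from datetime import datetime, timezone

# Constructed sample: entries as they might be returned for one alert.
SAMPLE_ENTRIES = [
    {"id": "e1", "type": "comment", "modified": "2021-06-25T10:00:00Z", "text": "Triage started"},
    {"id": "e2", "type": "comment", "modified": "2021-06-25T10:05:00Z", "text": "Host isolated"},
    {"id": "e3", "type": "status", "modified": "2021-06-25T10:10:00Z", "text": "Escalated to customer"},
]


def iso_to_epoch_seconds(value: str) -> int:
    """Parse an ISO 8601 UTC timestamp into whole epoch seconds.

    lastUpdate is documented as UTC seconds, so all comparisons are done
    in seconds. A millisecond value passed by mistake is ~1000x too large
    and would silently filter out every entry.
    """
    if value.endswith("Z"):  # fromisoformat on older Pythons rejects 'Z'
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def entries_since(entries, last_update: int = 0):
    """Return entries modified strictly after last_update (epoch seconds).

    The default of 0 matches the command's default and returns everything.
    The comparison is strict, as the page's "modified after the last
    update time" wording says, so an entry whose modified time equals
    last_update is skipped; a caller that cannot tolerate that can pass
    last_update - 1 and de-duplicate on the entry id.
    """
    return [e for e in entries if iso_to_epoch_seconds(e["modified"]) > last_update]


def newest_timestamp(entries) -> int:
    """Highest modified time (epoch seconds) among entries, or 0 if empty.

    This is the value a caller would hand back as lastUpdate on the next
    poll so that already-processed entries are not fetched again.
    """
    return max((iso_to_epoch_seconds(e["modified"]) for e in entries), default=0)


if __name__ == "__main__":
    first = entries_since(SAMPLE_ENTRIES)            # all three entries
    cursor = newest_timestamp(first)
    later = entries_since(SAMPLE_ENTRIES, cursor)    # nothing new yet
    print(len(first), cursor, len(later))
```

Running the block prints the three entries returned by the initial fetch, the cursor to hand back as lastUpdate, and zero new entries on the follow-up poll.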
ztap-get-alert-entries
Get the entries data from a remote incident.
Base Command
ztap-get-alert-entries
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The remote incident id. | Required |
Context Output
There is no context output for this command.
Command Example
!ztap-get-alert-entries id=1