17.2

New Feature

Master View of Tenant Incidents and Events

Master tenant users can now manage incidents and events from all connected tenant sites within the investigation dashboard. Tenant instance events are available under Events > All Events (<Tenant>), while tenant instance incidents are available under Incidents > All Incidents (<Tenant>).

Enhancements

Dynamic Python Library Import

Custom Python command pages now include a Libraries tab that allows users to define and manage external library dependencies. Dependencies can be added or edited while the command is in Draft mode, with validation for syntax, duplication, and compatibility against Python 3.9 standards. These dependencies are installed at runtime, and users must still include the appropriate import statements in their code to use them.

Feature Availability

The dynamic Python library import feature is available for all custom integration and utility commands.

For built-in integrations, it becomes available when users extend functionality by adding custom commands. Support for this feature within integration commands is steadily expanding, and integrations that currently support it will display a Libraries tab.

Integrations supporting the dynamic python library feature also include a For Built-in Commands sub-tab. This read-only view shows the libraries used by built-in commands, allowing users to leverage them and avoid duplicate import statements when creating custom commands.

Creating a Custom Utility Command Using an External Library

To demonstrate the use of this feature, follow the steps below to create a translator that accepts an input string and translates it into Spanish using the Google Translator library for use within a playbook.

Navigate to the Configuration module, then select the Utility Commands sub-module.
Add a new custom command.
1. Click the button.
2. Enter the display name for the command (i.e., Translate to Spanish).
3. Ensure that the Python option is selected as the implementation method.
4. Click the + Add button.

Paste the code below into the code editor, replacing any existing content.

PY

from deep_translator import GoogleTranslator  # Imports the translation tool used to convert text into another language
import uuid  # Imports a tool to generate a unique ID for tracking each translation

def TranslateToSpanish(*args):
    """
    Translates user input into Spanish using GoogleTranslator from deep-translator.
    args[0]: input text to translate
    """
    errors = []  # Will store any errors that occur during the process
    returnData = "Successful"  # Default result status
    context = []  # Optional metadata (unused here)
    keyFields = {}  # Optional key field storage (unused here)
    resultData = {}  # Will hold the final output data
    raw = {
        "Results": [],  # Will show the input and translated text
        "D3Errors": []  # Placeholder for any system-specific errors
    }

    trace_id = str(uuid.uuid4())  # Creates a unique ID for tracking this translation request

    try:
        # Checks if the user provided text and if it is not just empty spaces
        if not args or not args[0].strip():
            errors.append("An input phrase is required as the first argument.")  # Adds an error message
            return pb.returnOutputModel({}, "Failed", {}, [], {}, errors)  # Returns a failure result

        original_text = args[0].strip()  # Cleans up the user's input by removing unnecessary spaces

        # Translates the input text into Spanish, automatically detecting the source language
        translated_text = GoogleTranslator(source='auto', target='es').translate(original_text)

        # Prepares the main output data
        resultData = {
            "trace_id": trace_id,  # Unique ID for the request
            "original": original_text,  # Original text provided by the user
            "translated": translated_text  # Translated Spanish version
        }

        # Stores the input/output pair in the results
        raw["Results"].append({
            "Input": original_text,
            "Output": translated_text
        })

    except Exception as err:
        # If something goes wrong, record the error and update the status
        errors.extend(err.args)
        returnData = "Failed"

    # Returns all results, including the translated text, tracking ID, and any errors
    return pb.returnOutputModel(
        resultData,
        returnData,
        keyFields,
        context,
        raw,
        errors
    )

Define the external dependencies used in the code.
1. Navigate to the Libraries tab.
2. Paste the code below into the mini code editor to define any external dependencies used in the command.
  PY
```
deep-translator==1.11.4
```
  The format for each entry is: <library name>==<version number> (e.g., deep-translator==1.11.4).
3. Click the Save button to apply the changes.
Add a field that allows users to input the original text to be translated into Spanish.
1. Navigate to the Inputs tab.
2. Click the + New Input Parameter button.
3. Name the parameter original_text.
4. (Optional) Add a display name to improve clarity for users interacting with the command.
5. (Optional) Provide a description to clarify the purpose of the input parameter.
6. (Optional) Add sample data to illustrate expected input.
7. Click the + Add button.
Enable the command for use in a playbook.
1. Navigate to the Settings tab.
2. Select the Command Task checkbox.
3. Click the Submit button.
4. Click the Submit button on the pop-up window.

RESULT

Users will be able to find and use this custom utility command as a command task in a playbook. If the command executed successfully, users can click the Group 22 (1).png button to view the translated text.

Group 23 (6).png — The original and translated texts shown on the Result tab.

Site-Level Artifact Segregation for Client Sites

Group 7 (4).png — The same artifact appearing on different client sites (e.g., TW Client 1 and TW Client 2) is now treated as a distinct entity on each site. While the artifact value is identical, each instance has a unique artifact ID, clearly indicating separation between client sites.

Artifacts are now scoped to individual client sites to enforce strict data isolation. Identical artifacts detected across different client sites are treated as distinct entities, ensuring that artifact data remains confined to the site where it originated. Existing identical artifacts previously ingested across client sites are now also treated as separate entities within their respective sites.

Mitre Tactics and Techniques Feature Now Supports New TAXII 2.1

The Update Mitre Tactics and Techniques feature now uses the latest TAXII 2.1 API, enabling faster retrieval, improved filtering, and more reliable synchronization of MITRE ATT&CK data.

Utility Commands

Updated Commands

The following utility commands have been updated in this release of D3 SOAR.

Commands	Changes
Update Identical Event	A new parameter, Skip Event Creation, has been added, allowing updates to identical events without creating or dismissing new ones. When enabled, the system updates the existing event and records the update in the ingestion log and event note, including the event ID and a link to the associated playbook execution for reference.

Integrations

New Integrations

The following integrations have been added to this release of D3 SOAR.

Integration Name	Description
FortiEDR	FortiEDR is an Endpoint Detection and Response (EDR) solution developed by Fortinet that provides real-time threat prevention, detection, and automated response on endpoints such as desktops, laptops, and servers.
Syslog Sender	The Syslog Sender integration enables sending event data to a specified remote syslog server using either TCP or UDP, with messages formatted in RFC 5424. It supports both plain text and structured JSON messages, and dynamically calculates priority based on the configured log level and facility.

Updated Integrations

The following integrations have been updated in this release of D3 SOAR.

Integration Name	Changes
Cisco Adaptive Security Appliance	Connection Connection logic has been enhanced to better support REST API, HTTP Automation Interface, and SSH connection methods based on Cisco ASA instance configuration.
Cortex XDR	New Command(s) Cancel Scan Hosts Create Indicator Get Action Status Get XQL Query Results Retrieve Files Retrieve PCAP Packet Scan Hosts Start XQL Query
Observe Data Ingestion	New Command(s) Ingest Over HTTP
Prisma Cloud	New Command(s) Dismiss Alerts (replaced the Dismiss Alerts command) Remediate Alerts Test Connection Deprecated Command(s) Dismiss Alerts (replaced by the new Dismiss Alerts command)
SentinelOne	Updated Command(s) Fetch Event: Added the Threat Time Field optional parameter to filter threat data.
Telegram	New Command(s) Create Webhook Fetch Event (for event ingestion via webhook only) Remove Webhook

[data-colorid=ixciex1tyr]{color:#101520} html[data-color-mode=dark] [data-colorid=ixciex1tyr]{color:#dfe4ef}New Feature