
17.5

New Features

Point-to-Point vSOC Instance Synchronization


An Instance Management module has been introduced as an alternative to the Tenant Management module. The key distinction is that the Instance Management module operates within a point-to-point system architecture. Unlike the master-tenant model, no instance serves a central or controlling role—all instances can directly exchange data with one another.

How to Sync Resources Across vSOC Instances

In the vSOC instances that receive content:

  1. Generate an instance key.

    1. Navigate to the Configuration module.

    2. Click on the Application Settings menu option.

    3. Click on the Instance Registration selection.

    4. Click on the Generate a New Key button.

  2. Add the new key.

    1. Click on the Generate New Key button.

    2. Securely store the key.

    3. Click on the Add button.


In the vSOC instance that shares content:

  1. Navigate to Configuration > Instance Management > Instances, then click the + Add Instance button.

  2. Enter the URL and key of the receiving vSOC instance, then click on the Register and Initiate button.

  3. Verify the connection status (shown by the status icon), then click on the Shared Content tab.

  4. Select the instance, choose the content to share, then click on the Share button.


READER NOTE

  • The new model and the master-tenant model are mutually exclusive.

  • The new point-to-point model does not currently support synchronization of artifact type configurations.

Quick Actions in the Incident Workspace

Quick actions in the Incident Overview panel enable users to run integration or utility commands with custom parameters directly from the workspace header. Administrators can configure these actions for ad hoc execution, enhancing efficiency and usability without navigating through the full Execute Command interface.

Exporting Reporting Dashboards as PDF

The export-to-PDF feature enables users to export reporting dashboards in PDF format. Users can customize the export by defining the overall report name, uploading a logo, selecting dashboards to exclude (by default, all dashboards are included), and configuring chart sizes, names, and descriptions on a per-chart basis.

How to Export a Reporting Dashboard

Users can find the option to download a reporting dashboard as a PDF in the following steps:

  1. Navigate to the Reporting Dashboard module, then click on the dashboard to export.

  2. Click on the icon, then select the Export (.pdf) option.

  3. Configure the basic details.

    1. Name the report.

    2. Upload a logo.

    3. Add a note describing the purpose of the report.

    4. Select the Include Data Table chart as CSV file in export checkbox to download an additional CSV file containing the underlying data of unhidden Data Table widgets.

      The file contains only a limited subset of the data.

  4. Customize the charts (widgets) in the report, then export it.

    1. Reposition a chart using the grab handle.

    2. Click on the icon to include or exclude a widget from the PDF.

    3. Click the icon to:

      • Rename the chart

      • Modify the chart description

      • Resize the chart

    4. Click on the Export button to download the PDF report and any accompanying CSV files.

Enhancements

General Enhancements

Expanded Configuration Audit Logging Coverage

Configuration audit logging, viewable via the Get D3 Log utility command, has been expanded to capture a wider range of user activities.

Additional logged items:

Agent Management
  • Agent creation

  • Agent deletion

  • Agent data modification

  • Agent status change (Connected/Disconnected)

Application Settings
  • Ad Hoc Task Configuration modification

  • Login Authentication modification

  • Artifact Type Visibility modification

  • Dashboard Columns modification

  • Logo Customization modification

  • Incident Statuses modification

  • Email Domain Whitelist modification

  • Temporary Login Lock modification

  • Enforce Password Policy modification

  • ROI Configuration modification

  • SIEM Syslog Configuration modification

  • SLA List modification

  • Web Config modification

  • Date/Time Format modification

  • SMTP Server and Email modification

  • Sorting Options modification

  • Update Mitre Tactics and Techniques modification

  • Playbook Input Method modification

  • E-Alert modification

Artifacts
  • Artifact type creation

  • Artifact type deletion

  • Artifact type modification

    • Fields for Extracting Artifacts creation

    • Fields for Extracting Artifacts modification

    • Fields for Extracting Artifacts deletion

    • Fields for Additional Information creation

    • Fields for Additional Information deletion

    • Artifact relationship creation

    • Artifact relationship deletion

Commands
  • Python library saves

Global Lists
  • Global list creation

  • Global list deletion

  • Global list data modification

Incident Type Manager
  • Incident form creation

  • Section modifications within the incident form builder

Integrations
  • Connection creation

  • Connection modification

Playbooks
  • Preprocessing playbook deletion

  • Investigation playbook deletion

Cross-Instance Data Synchronization for Artifacts and Incident Types

Artifact types, artifact relationships, and incident types can now be synchronized across vSOC instances. Incident type synchronization is supported through both the Instance Management and Tenant Management modules, while artifact type and relationship synchronization is available only through the Tenant Management module.

Artifact Synchronization

READER NOTE

Artifact type synchronization is currently supported only under the master-tenant synchronization approach. The point-to-point approach does not support this capability.

  1. Navigate to Configuration > Tenant Management > Shared Content > Artifacts.

  2. Share the desired artifact types and relationships.

    • Sharing artifact types:


      This does not share artifact relationships. See the next bullet point.

    • Sharing artifact relationships:


      The selected relationships are shared together with all associated artifact types' data. If configured with a Source Condition, the associated integration is also shared.

  3. Share EFM artifact settings (after successfully synchronizing artifact types).


READER NOTE

Ensure that the indicator icon appears under the Shared to Tenants column for the shared artifact types before attempting to synchronize EFM artifact settings.

Incident Type Synchronization
  1. Navigate to Configuration > Tenant Management > Shared Content > Incident Types.

  2. Select the desired incident types to share or update, then click on the Share button.


System Widgets Date Range Alignment


System widgets within the Reporting Dashboard now dynamically align their data with the user-selected date range, improving user control, operational transparency, and insight generation.


The following system widgets are affected:

  • Event Playbook Error Rate By Playbook Name

  • Failed Connection Count by Integration Name

  • Incident Playbook Error Rate By Playbook Name

  • Investigator Performance Summary

  • Max Task Execution Time by Playbook Name

  • Pending Task Count By Investigator

  • Playbook Error Rate By Creator

  • Playbook Error Rate By Incident Type

  • Task Execution Count Per Minute by Playbook Name

  • Total Command Execution

  • Total Task Execution Hours by Playbook Name

READER NOTE

If no date range is selected, the widget defaults to data from the last 7 or 30 days.

Tenants View Enhancements

Auto-Refreshing of the Master Instance Tenants Dashboard

Animation: Tenant vSOC Instance (changing incident settings)

Animation: Master vSOC Instance (auto refresh in Tenants view)

Previously, although the backend processed tenant changes immediately, users had to refresh the master instance's Tenants dashboard to view the updates. Updates made in tenant instances now appear in the master instance in near real time, without a manual refresh.

Default Site for the Master Instance Tenants Dashboard


The default site displayed within the Investigation Dashboard > Tenants view has been updated. The dashboard now defaults to All client sites.

Additional Incident Attributes in the Tenants Dashboard


The Investigation Dashboard > Tenants view now includes three additional incident attribute fields:

  • Incident Type

  • (Incident) Owner

  • Disposition

Utility Commands

Updated Commands

The following utility commands have been updated in this release of D3 SOAR.

Commands

Changes

Look Up Artifact Details

The Include Reputation Information parameter has been added.

  • When set to True, the command returns artifact reputation results. By default, the parameter is set to False.

  • The command allows users to retrieve artifact reputation information that has been added or updated using the Add or Update Artifact Reputation command or an integration's check reputation command (e.g., VirusTotal v3's Check IP Reputation).

READER NOTE

If the Include Reputation Information parameter is set to True, the command also returns the artifact reputation expiry date. To enable this functionality, contact D3 support to set the EnableArtifactReputationUpdateByIntegrationCommand key to True.

Get User by Full Name

The structure of the returned data now includes an additional "groups" array.

Return data (JSON):

{
    "error": "",
    "returnData": [
        {
            "userID": *****,
            "userName": "demoUserName",
            "firstName": "demoFirstName",
            "lastName": "demoLastName",
            "fullName": "demoFullName",
            "timezone": "Pacific Standard Time",
            "timezoneId": *****,
            "roleDescription": "System Administrator",
            "email": "*****@*****.com",
            "phone": "**********",
            "role": "admin",
            "groups": [
                "Administrative Group",
                "Administrators",
                "Analysts",
                "Managers",
                "Security Operations"
            ]
        }
    ]
}
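As an added example (not code from these release notes or from D3's own utility command), the following Python helper shows how a custom utility command or playbook script could consume the return data above. It assumes the JSON envelope is passed in as a parsed dict, treats a user record without a "groups" key (the shape before this release) as having no memberships rather than failing, and uses a constructed list of privileged group names; the sample response is modelled on the page's data with placeholder values.

```python
import json

# Constructed sample modelled on the "Get User by Full Name" return data above.
# Values are placeholders, not captured from a live D3 SOAR instance.
SAMPLE_RESPONSE = json.loads("""
{
    "error": "",
    "returnData": [
        {
            "userID": 1001,
            "userName": "demoUserName",
            "firstName": "demoFirstName",
            "lastName": "demoLastName",
            "fullName": "demoFullName",
            "timezone": "Pacific Standard Time",
            "timezoneId": 4,
            "roleDescription": "System Administrator",
            "email": "demo@example.com",
            "phone": "0000000000",
            "role": "admin",
            "groups": [
                "Administrative Group",
                "Administrators",
                "Analysts",
                "Managers",
                "Security Operations"
            ]
        }
    ]
}
""")

# Assumed policy (constructed for this example): group names treated as privileged.
PRIVILEGED_GROUPS = frozenset({"Administrators", "Administrative Group"})


def parse_user_groups(response):
    """Validate the command envelope and return one summary dict per user.

    Raises ValueError when the command reported an error or the envelope is
    malformed. A record without a "groups" key (the pre-17.5 shape) is treated
    as having no group memberships instead of breaking the playbook.
    """
    if not isinstance(response, dict):
        raise ValueError("response must be a parsed JSON object")
    if response.get("error"):
        raise ValueError(f"command returned an error: {response['error']}")
    users = response.get("returnData")
    if not isinstance(users, list):
        raise ValueError("returnData is missing or not a list")

    summaries = []
    for user in users:
        groups = user.get("groups")
        if groups is None:
            groups = []  # older builds omit the array entirely
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            raise ValueError(f"groups for {user.get('userName')!r} is not a list of strings")
        summaries.append({
            "userName": user.get("userName"),
            "role": user.get("role"),
            "groups": sorted(set(groups)),  # de-duplicate and normalize order
        })
    return summaries


def find_privileged_members(summaries, privileged=PRIVILEGED_GROUPS):
    """Map userName -> sorted privileged groups, for users in at least one of them."""
    result = {}
    for summary in summaries:
        hits = sorted(g for g in summary["groups"] if g in privileged)
        if hits:
            result[summary["userName"]] = hits
    return result


if __name__ == "__main__":
    users = parse_user_groups(SAMPLE_RESPONSE)
    for name, hits in find_privileged_members(users).items():
        print(f"{name}: privileged via {', '.join(hits)}")
```

Checking the "error" field before touching returnData matters because the command reports failures in-band rather than by raising; a playbook that skips that check would silently treat an empty result as "user has no groups".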

Integrations

New Integrations

The following integrations have been added to this release of D3 SOAR.

Integration Name

Description

Absolute

Absolute is a cybersecurity platform that provides persistent endpoint security and visibility, allowing organizations to track, manage, and protect devices—even if they're off-network or compromised.

Axonius V2

The Axonius Platform serves as the system of record for all digital infrastructure, enabling IT and security teams to gain a complete understanding of assets, their relationships, and business context. The D3–Axonius integration enhances this capability by allowing seamless discovery of devices, users, and other critical assets.

Colortokens Xshield

ColorTokens Xshield is a Zero Trust microsegmentation platform that provides asset visibility, dynamic policy enforcement, and real-time quarantine. It helps organizations isolate threats, reduce lateral movement, and strengthen security across cloud and on-prem environments.

Infoblox NIOS

The Infoblox NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.

Netskope V2

Netskope solutions, including Netskope Intelligent Security Service Edge (SSE), are built on the Netskope Security Cloud, providing unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. This integration leverages Netskope REST API v2.

Trustwave Fusion

Trustwave Fusion is a cloud-native cybersecurity platform that centralizes threat detection, incident response, and compliance management. It provides a unified interface where customers can manage tickets, track investigation status, exchange comments, and securely handle attachments.

Updated Integrations

The following integrations have been updated in this release of D3 SOAR.

Integration Name

Changes

Active Directory V2

New Command(s)

  • Get AD User By SID

Atlassian Jira Software

New Command(s)

  • List Users Assignable to Issue

Enhanced Command(s)

  • Assign Issue to User: Updated the Assignee parameter to accept account IDs in addition to names. The display name has also been changed to Assignee ID or Account Name.

  • Create Issue and Edit Issue: Updated the same parameter as Assign Issue to User.

Connectwise PSA

New Command(s)

  • Merge Tickets

Cortex XDR

New Command(s)

  • Add IOCs

  • Delete IOCs

  • Get IOCs

  • Update IOCs

Elastic Security

New Command(s)

  • Get Case by ID

  • Get Case Settings

  • Update Case

Google Chronicle

New Command(s)

  • List Curated Rules

Enhanced Command(s)

  • Fetch Event: Added the Curated Rule Detections event type.

iboss

New Command(s)

  • Lookup URL

Microsoft Teams Bot Framework

Connection

  • Added a new Bot App Type parameter to support single-tenant Azure bots following Microsoft's deprecation of multi-tenant bot creation.

Slack

New Command(s)

  • Send Interactivity

Wiz

New Command(s)

  • Add Issue Comments: Replaces the old command with the same name.

Enhanced Command(s)

  • Update Issues: Added a Resolved option to the Status parameter, along with new Resolve Reason and Resolution Note parameters.

Deprecated Command(s)

  • Add Issue Comments: Renamed to Add Issue Comments (Deprecated) and replaced by the new Add Issue Comments command.

Zscaler

New Command(s)

  • Remove URLs from Category
