
17.1

New Features

Task Node Action Bar

An action bar has been added to playbook task nodes, appearing on hover to provide quick access to key task management controls, and to display the task node ID for identification and reference. Users can activate or deactivate a task node using the toggle. Deactivating a node blocks its execution as well as that of all subsequent task nodes. The (delete) button permanently removes the task node from the playbook.

Incident Type Manager Sub-Module

The new Incident Type Manager sub-module serves as the centralized interface for managing all incident types, with the Incident Form Editor now integrated within it. General configuration for each incident type is now available through a new interface under the General tab. Each incident type also includes an independently managed workspace library, enabling the creation of custom incident workspace dashboards composed of selected widgets. 


READER NOTE

The former Incident Form Editor sub-module is now available as a tab named Incident Form Builder within each incident type in the Incident Type Manager sub-module. 

Incident Workspace Builder

The incident workspace builder enables users to design and assign customized workspaces for specific incident types. Through a drag-and-drop interface, users can arrange widgets on a canvas, name the layout, and configure workspace settings.

Example - Building and Applying a Custom Incident Workspace
  1. Navigate to the Incident Type Manager module.

  2. (Optional) Create a new incident type.

  3. Search for and select an incident type of choice.

  4. Click on the button, or click on an existing workspace.

  5. Drag and drop the desired widgets onto the canvas, then adjust their size and position as needed.

  6. Click the Settings tab, then assign the workspace to the appropriate incident types, roles, and groups under the Assign Workspace section.

  7. Hover over the dropdown, then click on Incident.

  8. Add a new incident of the same type created or selected in step 2 or step 3.

  9. Verify that the custom workspace appears as configured in step 5.


READER NOTE

Use the (layout switcher) icon at the top-right corner of the header panel to apply the custom layout.


Stage Tracker

A stage timeline component has been added to the incident header panel to dynamically display progress based on the most recently added playbook, irrespective of its status. The timeline displays a maximum of seven stages: the current stage, along with up to six before and six after. Clicking a stage opens a selection menu to view either the playbook task details or the overall playbook execution progress.

Note on Stage Timeline Display in Parallel Execution

Even when stage tasks run in parallel within a playbook, the stage timeline displayed in the incident workspace header panel will remain linear, reflecting progression based on execution timestamps.

EXAMPLE

Playbook 1

Playbook 2

Both playbooks above will render the stage timeline component as shown below.


Escalate and Dismiss Task Nodes

Two new task types—Escalate and Dismiss—are now available to streamline event-incident correlation workflows. The Escalate task provides direct access to the Create Incident With Conditions utility command, while the Dismiss task simplifies event dismissal actions.

Insert Task Nodes Between Existing Ones

Speeding up workflow adjustments, users can now insert new task nodes between existing ones without the need to manually drag and drop a task into place, connect it to the following task node, and remove the original link.

Example - Task Node Insertion

Users can insert a task node between existing ones in the following steps:

  1. Select the connecting arrow.

  2. Click on the button.

  3. Choose the task type to add.

Hide System Artifacts in Event Field Mappings

From the Application Settings page, administrators can tailor system artifact type visibility to align with organizational workflows, ensuring that artifact types not relevant to specific use cases are excluded from new artifact creation.


WARNING

Hidden system artifact types cannot be unhidden from the application. Contact D3 Support to request reactivation.


Hiding an Artifact Type

READER NOTE

  • Only administrators can access Application Settings to configure system artifact type visibility.

  • For new clients, composite artifact types such as URL, Email Address, and File are hidden from the front end.

  • For existing clients, these types appear with the Legacy tag.


Users can hide artifacts in the following steps:

  1. Search for the artifact type.

  2. Select the artifact type to hide.

  3. Click the Save button to apply the changes.

READER NOTE

If an artifact type is hidden after it was previously used, existing artifacts of that type will remain in the data and are not deleted. However, no new artifacts will be created from that type going forward.

Enhancements

General Enhancements

Redesigned Login Screen and Smooth Page Animations


The login screen has been updated with a more modern design. Page transitions are now enhanced with animations for a smoother navigation experience.

[Animations: Login Page; Page Switch]

Utility Commands Layout Redesign


Utility commands are now displayed in a card layout on the right for improved readability, creating a more modern and organized browsing experience.

Custom Triage Renamed to Custom Views


Custom Triage has been renamed to Custom Views as part of a rebranding effort, with the functionality remaining the same while offering a clearer representation of its purpose in managing personalized views on the Investigation Dashboard.

Playbook Enhancements

Event and Incident Playbooks Rebranded


Event and incident playbooks have been rebranded to align with the product architecture and provide clearer context during user selection.

Modernized Styling for Playbook Task Nodes

Playbook task nodes have been redesigned with a sleek, modern color palette, such as deep navy for the root node, electric violet for command nodes, and rich terracotta for stage nodes.

View Task Configuration Pop-over and Node Menu

Similarly, the task configuration pop-over and node menu now feature an updated, modernized design.


Customizable Trigger Options for the Playbook Root Node

Users can now control which trigger options appear in the playbook root node. Previously, all available triggers were shown by default. With the 17.1 release, users can selectively show or hide triggers, reducing visual clutter during playbook configuration.

Plus Button Added for Task Insertion


Users can now add playbook tasks by clicking the plus (+) button directly on a task node, providing an alternative to dragging tasks from the task panel.

Incident Workspace Enhancements

Incident Header Panel Revamp

The incident header panel features a modern layout with improved visual hierarchy. Key details—incident type, severity, disposition, and ownership—are now more prominent. Offering immediate visual context and highlighting urgency, the background color of the header panel dynamically reflects incident severity levels:

  • Red

  • Persimmon

  • Amber

  • Grey

Creating and Managing Dispositions


Within the newly introduced Incident Type Manager sub-module, users can create and manage the dispositions available for each incident type. In addition to out-of-the-box options, users can add custom dispositions tailored to their needs and remove any inapplicable to the selected incident type.

Adding or Removing Dispositions

Users can add custom dispositions and remove both system and custom dispositions from an incident type by following these steps.

  1. Navigate to the Configuration module, then select the Incident Type Manager sub-module.

  2. Select an existing incident type (e.g., New Feature Request) or add a new one by clicking the + New Incident Type button.

  3. Add a custom disposition.

    1. Click the Edit Dispositions button.

    2. Click the + button.

    3. Enter a name for the disposition.

    4. Click the button to add it.

  4. Select the dispositions to add to this incident type, including the newly added custom disposition.

  5. Deselect any dispositions that should be removed, such as system defaults or others not relevant to the incident type, then click the Done button to apply the changes.


RESULT

All incidents of the New Feature Request type will use the configured set of dispositions.


File Previewer

Users can now preview files using the new Preview option within the Files widget. This eliminates the need to download files for a quick look. Supported formats include PDF, DOCX, XLSX, XLS, CSV, MP4, JPG, PNG, and TXT.

Notes Widget Revamped


The Notes widget UI has been updated with a modern, streamlined layout. Users can now search for notes using the built-in search bar to quickly locate relevant entries.

Export Incident Report Now Supports Section Selection


Users can now select which sections to include when exporting an incident report to a PDF file. By default, all sections are selected for export.

Adding Timeline Entries with Rich Text Editor


Users can now add notes to an incident’s timeline using a rich text editor, available for the Notes, Description, and Summary fields in the pop-up window. Notes can be added via the Add Note button in the Timeline tab or the Add to Timeline button in the Command Centre tab.

[Screenshots: Add Note in Timeline Tab; Add to Timeline in Command Centre Tab]

Example - Adding a Table Using HTML

Users can add a table using the rich text editor in the following steps:

  1. Click the button.

  2. Enter the table structure using HTML, then click the OK button.


    Inline CSS may be used to apply styling.

    HTML
    <table style="border-collapse: collapse; width: 100%; font-family: Arial, sans-serif;">
    <tbody>
    <tr>
    <th style="border: 1px solid #dddddd; text-align: left; padding: 8px; background-color: #f2f2f2;"><span style="color: #000000;">Company</span></th>
    <th style="border: 1px solid #dddddd; text-align: left; padding: 8px; background-color: #f2f2f2;"><span style="color: #000000;">Contact</span></th>
    <th style="border: 1px solid #dddddd; text-align: left; padding: 8px; background-color: #f2f2f2;"><span style="color: #000000;">Country</span></th>
    </tr>
    <tr>
    <td style="border: 1px solid #dddddd; padding: 8px;">Alfreds Futterkiste</td>
    <td style="border: 1px solid #dddddd; padding: 8px;">Maria Anders</td>
    <td style="border: 1px solid #dddddd; padding: 8px;">Germany</td>
    </tr>
    <tr>
    <td style="border: 1px solid #dddddd; padding: 8px;">Centro comercial Moctezuma</td>
    <td style="border: 1px solid #dddddd; padding: 8px;">Francisco Chang</td>
    <td style="border: 1px solid #dddddd; padding: 8px;">Mexico</td>
    </tr>
    </tbody>
    </table>
  3. Click the Save button.


RESULT

The table will be rendered with the intended styling, formatting, and content.


Reporting Dashboard Enhancements

New Widget Types Supported: Stacked Area and Sankey


Reporting dashboards now support two new widget types: Stacked Area and Sankey charts.

Sankey

Sankey charts visualize how data flows from one category to another, with the width of each flow representing volume (e.g., the number of artifacts per artifact type).

Follow these steps to create a Sankey widget that visualizes how different artifact types are distributed across risk levels:

  1. Create a new widget.

    1. Navigate to the Reporting Dashboard module.

    2. Select the Widgets sub-module.

    3. Click the + New button.

  2. Configure the data retrieval scope, then execute the query.

    1. Select a data source.

    2. Choose a site from which to retrieve data.

    3. Select the date range for the retrieval.

    4. Click the Run Query button.

  3. Click the Next Step: Configure Widget button, choose the Sankey option, then click the Apply button.

  4. Configure the chart settings to define how the data will be visualized.

    1. Select the Artifact Type option in the Group By (xField) section.
      This sets the origin point of each flow in the chart, grouping the data by artifact type.

    2. Select the Artifact Risk Level option in the Secondary Group By (seriesField) section.
      This defines the destination of each flow, grouping the data by the assigned risk level of each artifact.

    3. Select the COUNT option in the Aggregation (yField) section.
      This determines the thickness of each flow by counting how many artifacts fall into each combination of type and risk level.

RESULT

The data is displayed as a Sankey chart that visualizes the flow from artifact type to artifact risk level.


Hover over different parts of the chart to view the number of artifacts at each end of the flow or along the connection paths (i.e., the coloured areas).

Stacked Area

Use Stacked Area charts to track how grouped values change over time. Each area represents a specific group—such as an incident severity level—and shows how its count rises or falls over time.

Follow these steps to create a Stacked Area widget that visualizes how incident counts vary over time by severity level.

  1. Create a new widget.

    1. Navigate to the Reporting Dashboard module.

    2. Select the Widgets sub-module.

    3. Click the + New button.

  2. Configure the data retrieval scope, then execute the query.

    1. Select a data source.

    2. Choose a site from which to retrieve data.

    3. Select the date range for the retrieval.

    4. Click the Run Query button.

  3. Click the Next Step: Configure Widget button, choose the Stacked Area option, then click the Apply button.

  4. Configure the chart settings to define how the data will be visualized.

    1. Select the Incident Created Utc Time option in the Group By (xField) section.
      This groups the data by the time each incident was created and displays it along the x-axis to show changes over time.

    2. Select the Incident Severity option in the Secondary Group By (seriesField) section.
      This breaks down the data further by severity level, allowing users to compare how different severity levels trend over time.

    3. Select the COUNT option in the Aggregation (yField) section.
      This calculates the total number of incidents for each severity level and time interval, determining the height of each area in the chart.

  5. (Optional) In the Widget Options section, set the result limit to 100 and sort the data by Incident Severity in ascending order to improve visual clarity.

    1. In the Maximum Results field, enter 100 to return up to 100 records.

    2. In the Sort Order field, select the Incident Severity option from the left dropdown.

    3. In the Sort Order field, choose the Ascending option from the right dropdown.

RESULT

The data now appears as a stacked area chart, illustrating how the number of incidents changes over time, with each area representing a different severity level.
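
The three chart settings used in the Sankey and Stacked Area procedures above (Group By, Secondary Group By, and COUNT) amount to the same grouped count, sketched here as an added example that is not D3 code. The records are constructed, and bucketing Incident Created Utc Time by calendar day is an assumption about the time interval.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records. Field names mirror the widget options named on
# this page; the artifact types, risk levels, severities and times are invented.
ARTIFACTS = [
    {"Artifact Type": "External IP", "Artifact Risk Level": "High"},
    {"Artifact Type": "External IP", "Artifact Risk Level": "High"},
    {"Artifact Type": "External IP", "Artifact Risk Level": "Low"},
    {"Artifact Type": "Domain", "Artifact Risk Level": "Medium"},
    {"Artifact Type": "Domain", "Artifact Risk Level": "High"},
    {"Artifact Type": "File Hash", "Artifact Risk Level": "Low"},
]
INCIDENTS = [
    {"Incident Created Utc Time": "2025-04-01T09:15:00", "Incident Severity": "High"},
    {"Incident Created Utc Time": "2025-04-01T17:40:00", "Incident Severity": "High"},
    {"Incident Created Utc Time": "2025-04-01T11:05:00", "Incident Severity": "Low"},
    {"Incident Created Utc Time": "2025-04-02T08:30:00", "Incident Severity": "Medium"},
    {"Incident Created Utc Time": "2025-04-03T13:20:00", "Incident Severity": "High"},
    {"Incident Created Utc Time": "2025-04-03T22:10:00", "Incident Severity": "Low"},
]


def utc_day(timestamp):
    """Assumed time interval: bucket a UTC timestamp by calendar day."""
    return datetime.fromisoformat(timestamp).date().isoformat()


def count_cells(records, x_field, series_field, x_key=None):
    """COUNT (yField): number of records per (xField, seriesField) pair."""
    cells = Counter()
    for record in records:
        x = record[x_field]
        cells[(x_key(x) if x_key else x, record[series_field])] += 1
    return cells


def sankey_totals(cells):
    """Sankey: each cell is one flow; node totals are the counts at either end."""
    sources, targets = Counter(), Counter()
    for (source, target), count in cells.items():
        sources[source] += count
        targets[target] += count
    return sources, targets


def stacked_series(cells):
    """Stacked Area: one list of counts per series, aligned to the sorted
    x values and zero-filled where a series has no records in a bucket."""
    xs = sorted({x for x, _ in cells})
    names = sorted({name for _, name in cells})
    return xs, {name: [cells.get((x, name), 0) for x in xs] for name in names}


if __name__ == "__main__":
    flows = count_cells(ARTIFACTS, "Artifact Type", "Artifact Risk Level")
    for (source, target), count in sorted(flows.items()):
        print(f"{source} -> {target}: {count}")
    cells = count_cells(INCIDENTS, "Incident Created Utc Time",
                        "Incident Severity", x_key=utc_day)
    days, series = stacked_series(cells)
    print(days)
    for name, counts in series.items():
        print(name, counts)
```

The totals at both ends of the Sankey always sum to the number of records queried, which is a quick sanity check when a widget's flows look thinner than expected.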


Event Site and Incident Site Fields in Reporting Dashboard


To enhance flexibility for reporting dashboards, Incident Site and Event Site have been added to the list of filterable fields in the Event, Incident, and Artifact data sources for use in widget expression blocks. These additions support scenarios such as events from different sites correlating with one or more incidents, incidents moving between sites, and artifacts linked to multiple incidents and events.


Users can use the newly added fields in the following steps:

  1. Create a new widget.

    1. Navigate to the Reporting Dashboard module.

    2. Select the Widgets sub-module.

    3. Click the + New button.

  2. Configure the data retrieval scope.

    1. Select a data source.

    2. Choose a site from which to retrieve data.

    3. Select the date range for the retrieval.

  3. Filter the queried results using the Event Site and Incident Site fields in an expression block.

    1. Choose how multiple conditions in the block are evaluated: use AND to match all conditions, or OR to match any.

    2. Click the + Field button.

    3. Select the Event Site option from the dropdown.

    4. Choose an operator, such as the in option to filter for events occurring at one or more selected sites.

    5. Select the sites.

  4. (Optional) Repeat step 3 to filter the results by the Incident Site field.

  5. Click the Run Query button.

  6. Configure the columns to include the Event Site and Incident Site fields in the displayed data.

    1. Click the Configure Columns button in the Query Data section.

    2. Click the + Add Column button twice.

    3. In one dropdown, select Event Site.

    4. In the other, select Incident Site.

    5. Click Save to apply the changes.

RESULT

The queried data is rendered based on the defined logic and parameters, with the configured columns displayed in the results.


Incident Resolve Time (Day) and (Hour) Added as Aggregation xField Selections


Incident Resolve Time (Day) and Incident Resolve Time (Hour) have been added to the aggregation xField dropdown. These options allow time-based widgets to aggregate data using larger time units.

Filterable Columns Updated to Use Dropdown Inputs


The following widget column filters were changed from text fields to dropdowns: 

  • Incident Owner

  • Incident Creator

  • Incident Closed By

  • Incident Reopened By

  • Incident Assigned By

  • Incident Investigation Team Investigator

  • Event Investigator

  • Event Assigned By

  • Event Disposed Action By

This update improves usability by enabling selection from predefined values.

Utility Commands

New Commands

The following utility commands have been added:

| Command | Functionality |
| --- | --- |
| Generate Latest Dashboard Link by ID | Generates a direct link to a dashboard using the site and dashboard ID obtained from the Reporting Dashboard module. The link displays all dashboard widgets, excluding table widgets. The dashboard ID must match exactly. |
| Track Playbook Execution Times | Calculates and tracks playbook execution times for specified incidents. The command returns start and end times, total duration, execution status, and a unique runtime identifier for each execution. Users can input a single incident number or an array of incident numbers to retrieve execution data in bulk within a single run. |
| Update Global List MetaData | Enables users to modify the global list’s description and status, and manage the list of sites with which it is shared. |

Updated Commands

The following utility commands have been updated:

| Command | Changes |
| --- | --- |
| Export Incident Report | The Select export sections parameter has been added to allow selection of specific incident report sections for export. |
| Get Incidents | The Sort Field and Sort Order parameters have been added to support sorting of results by any valid field specified in the Static Fields or Dynamic Fields parameter, in ascending or descending order. |
| Get Events | The Sort Field and Sort Order parameters have been added to support sorting of results by any valid field specified in the Fields parameter, in ascending or descending order. |

Integrations

New Integrations

The following integrations have been added:

| Integration Name | Description |
| --- | --- |
| Azure SQL Query | Azure SQL Database is a fully managed cloud-based relational database service built on Microsoft SQL Server technology hosted on Azure Cloud service. This integration enables organizations to query table content of the given Azure SQL server. |
| Clear NDR (Stamus Networks) | Stamus Clear NDR is a Network Detection and Response (NDR) platform developed by Stamus Networks. It provides advanced threat detection, network visibility, and response capabilities using deep packet inspection (DPI), threat intelligence, and behavioral analysis. |
| Nucleus Security | Nucleus Security is a platform designed to enhance vulnerability and exposure management for organizations. It unifies and operationalizes vulnerability data, enabling teams to prioritize and mitigate critical exposures efficiently. |

Updated Integrations

The following integrations have been updated:

Integration Name

Changes

Cortex XSIAM

New Command(s)

  • Isolate Endpoints

  • Search Endpoints

Dell Secureworks Taegis XDR

Enhanced Command

  • Fetch Event: Added the Investigation Event event source

Halo PSA

New Command

  • List Categories

Microsoft Teams

Connection

  • Added the Microsoft 365 Environment connection parameter, allowing users to specify the environment of their Microsoft 365 instance. Available options include:

    • Commercial & GCC Environment

    • GCC High Environment (L4)

    • DoD Environment (L5)

Office 365

Connection

  • Added the Microsoft 365 Environment connection parameter, allowing users to specify the environment of their Microsoft 365 instance. Available options include:

    • Commercial & GCC Environment

    • GCC High Environment (L4)

    • DoD Environment (L5)

Prisma Cloud

The integration has been updated with revised connection logic, and the current commands have been deprecated and replaced with new ones.

Sophos Central V2

New Commands

  • Get Case Detections

  • Get Case Impacted Entities

  • Get Case Mitre Attack

  • Update Cases

Enhanced Command

  • Fetch Event: Added the Cases event source and Case-related input parameters
