14.0
Unified Configurations
You can now configure the platform in one place: Playbooks, Integrations, Utility Commands, Schedules, Connections, D3 Agents, Global Lists, User Management, and more.
Your work is preserved while navigating across the different pages in the left navigation pane. This way, you can continue where you left off when you come back.
A new Back button allows you to return to the previous pages you visited easily.
Most Configurations modules share a two-panel framework for improved consistency and efficiency.
Playbooks
Playbooks in V14.0 underwent major changes. First, you can now handle the entire lifecycle of an Event with the Event Playbook and the Incident response lifecycle with an Incident Playbook. Second, the functionality of each type of Playbook has been enhanced to allow you to create more complex workflows. Third, the UI of the Playbook editor has been significantly improved based on user feedback to make it even easier to build a complex workflow without the need to code. We have also made a conceptual update to make it even easier to distinguish between a Playbook and a Command.
Revamped Playbook Testing
In V14.0, we have completely rebuilt our testing system and made it the most comprehensive testing tool amongst all SOAR products. We built the new testing system with one aim: to allow users to perform in-depth testing at all levels of a Playbook. Our new testing system allows you to test the entire Playbook, or an individual Task, or an individual input.
Playbook Level
At the Playbook level, you can test the entire Playbook workflow with any ingested data in the system. For example, you can select an ingested Incident as the data source to test your Playbook. After your test run, you will see icon(s) appear below each Task. Each icon represents the current status of that Playbook Task, and you can click on it to view the Playbook Task Details in a pop-up window.
Task Level
At the Task level, you can test a Task with specified input parameters and view the resulting output. Testing a Task can help you ensure that it is well configured before moving on to creating the next step of your workflow.
Input Level
At the Input level, you can test your inputs to make sure they satisfy the Command parameters. Testing an input is especially useful when you are configuring a dynamic input: testing here can confirm that the correct JSON path has been picked, or that the correct data transformation has been applied.
Playbook Triggers
In V14.0, all Incident Playbooks contain a new Trigger Task by default. This allows you to create automated conditional workflows based on specific conditions. These Triggers enhance the Playbook’s capabilities and make them more responsive to Incident form field values. You can connect workflows to the new Trigger Task and these workflows will run based on the specified conditions.
Playbook Permission Control
We have added new permission controls to allow for even more granular control over Playbook permissions. You used to only be able to control Playbook permission by User roles. In V14.0, you can now set specific View, Edit and Publish rights to specific users for each individual Incident Playbook.
Command Preview
A new Command Preview interface provides you with visibility into Input, Key Fields, Context Data, Return Data, Raw Data, and Result when adding or configuring a Playbook Task. With this new feature, you can concretely understand how each Command can be used and configured directly within the Playbook editor.
Playbook Task Enhancements
Data Formatter Task
We have created an all-new Data Formatter Task based on the powerful Jinja Template Engine with enhanced capabilities. With over 130 filters, the new Data Formatter Task allows you to easily transform your data to fit your needs.
The Data Formatter contains built-in tools such as the Format Builder, Quick Start Guide, and Reference Guide to accommodate users of all levels of technical proficiency.
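As an added illustration of the kind of transformation a Data Formatter Task performs, the block below renders a plain Jinja2 template that turns an Incident's artifact list into a short summary. This is example code, not D3's own implementation: it uses the jinja2 Python library directly, assumes the Data Formatter accepts standard Jinja syntax and filters, and the incident record is constructed sample data.

```python
"""Added example (not D3's own code): a Jinja2 template that reshapes a
constructed incident record into a summary using standard Jinja filters."""
from jinja2 import Environment, StrictUndefined

# Constructed sample of what an upstream task might return. Not real data;
# the record layout is an assumption for this illustration.
SAMPLE_INCIDENT = {
    "id": "INC-0001",            # placeholder identifier
    "severity": "high",
    "artifacts": [
        {"type": "ip", "value": "203.0.113.10", "score": 85},
        {"type": "ip", "value": "203.0.113.10", "score": 85},   # duplicate
        {"type": "domain", "value": "example.test", "score": 40},
        {"type": "ip", "value": "198.51.100.7", "score": 92},
    ],
}

# Template: select artifacts by type, drop duplicates, sort, and join them;
# then count the distinct artifacts at or above a score threshold.
SUMMARY_TEMPLATE = """\
Incident {{ incident.id }} ({{ incident.severity | upper }})
Suspicious IPs: {{ incident.artifacts | selectattr('type', 'equalto', 'ip')
    | map(attribute='value') | unique | sort | join(', ') }}
High-score artifacts: {{ incident.artifacts | selectattr('score', '>=', 80)
    | map(attribute='value') | unique | list | length }}
"""


def render_summary(incident: dict) -> str:
    """Render the summary template for one incident record."""
    # StrictUndefined makes a missing field fail loudly instead of
    # silently rendering as empty text, which is what you want when a
    # JSON path in the template no longer matches the upstream data.
    env = Environment(undefined=StrictUndefined, trim_blocks=True)
    return env.from_string(SUMMARY_TEMPLATE).render(incident=incident)


def high_score_values(incident: dict, threshold: int = 80) -> list:
    """The same selection done in plain Python, useful for cross-checking
    what the template produced."""
    seen = []
    for artifact in incident["artifacts"]:
        if artifact["score"] >= threshold and artifact["value"] not in seen:
            seen.append(artifact["value"])
    return seen


if __name__ == "__main__":
    print(render_summary(SAMPLE_INCIDENT))
```

The `selectattr`, `map`, `unique`, `sort` and `join` filters used here are standard Jinja filters; whether a given platform exposes each of them is something to confirm in its own reference documentation before relying on it in a production workflow.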
Data Formatter Reference Documentation
Within the Data Formatter Task, you can access our custom built-in documentation to help you get familiar with the Data Formatters. The documentation walks through the details of a Data Filter, how to use them, and best practices.
The documentation has 3 tabs:
The Quick Start tab provides basic knowledge on Data Formatters’ syntax and structure, and a quick walkthrough on using the Data Formatter Task.
The Data Formatters Reference tab provides a comprehensive list of Data Formatters, sample input and output data, and detailed explanations of how a Formatter operates. You can search directly in this list to find the most appropriate Filters for your workflow.
The Template Documentation tab provides more complex knowledge of Data Formatters, and additional information on their syntax.
Ongoing Surveillance Task
A new Ongoing Surveillance Task has been added to allow you to schedule a Fetch Event command right inside a Playbook. You can configure the type of tactics, techniques, and procedures of the Events right when they are ingested.
All Events fetched from this Task can be viewed in the Ongoing Events tab in the Investigation Dashboard where you can view all Ongoing Surveillances you have, the essential details, and the ability to remove Surveillances that you no longer need.
Merge Task
The Merge Task takes in data from all preceding connected Tasks and combines the data based on specified conditions. Tasks that are connected after the Merge Task can then reuse this combined data.
There are 4 conditions that control how the data is combined:
By Playbook instance
By Task name
By Task instance
By specific JSON path
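To make the four merge conditions concrete, the following added example (not D3's code) groups the outputs of several preceding task runs under whichever condition is chosen. The record fields, the condition names and the dotted JSON-path syntax are assumptions made for this illustration; the task outputs are constructed sample data.

```python
"""Added example (not D3's own code): group outputs from several upstream
task runs by one of four merge conditions, to illustrate the Merge Task idea."""
from collections import defaultdict
from typing import Any, Optional

# Constructed sample of outputs from preceding tasks (not real data). The
# field names are assumptions for this illustration.
TASK_OUTPUTS = [
    {"playbook_instance": "run-1", "task_name": "Lookup IP", "task_instance": "t1",
     "output": {"ioc": {"value": "203.0.113.10"}, "verdict": "malicious"}},
    {"playbook_instance": "run-1", "task_name": "Lookup IP", "task_instance": "t2",
     "output": {"ioc": {"value": "198.51.100.7"}, "verdict": "clean"}},
    {"playbook_instance": "run-1", "task_name": "Lookup Domain", "task_instance": "t3",
     "output": {"ioc": {"value": "example.test"}, "verdict": "malicious"}},
    {"playbook_instance": "run-2", "task_name": "Lookup IP", "task_instance": "t4",
     "output": {"ioc": {"value": "203.0.113.10"}, "verdict": "malicious"}},
]

MERGE_CONDITIONS = ("playbook_instance", "task_name", "task_instance", "json_path")


def json_path(obj: Any, path: str) -> Any:
    """Minimal dotted-path lookup, e.g. 'ioc.value'. Returns None if absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def merge_outputs(records: list, condition: str, path: Optional[str] = None) -> dict:
    """Group the 'output' of each record by the chosen condition.

    condition: one of MERGE_CONDITIONS. For 'json_path', `path` is evaluated
    against each record's output and the resulting value becomes the group key.
    """
    if condition not in MERGE_CONDITIONS:
        raise ValueError(f"unknown merge condition: {condition}")
    if condition == "json_path" and path is None:
        raise ValueError("json_path condition needs a path")

    groups: dict = defaultdict(list)
    for rec in records:
        if condition == "json_path":
            key = json_path(rec["output"], path)
        else:
            key = rec[condition]
        groups[key].append(rec["output"])
    return dict(groups)


if __name__ == "__main__":
    for cond in ("playbook_instance", "task_name", "task_instance"):
        print(cond, {k: len(v) for k, v in merge_outputs(TASK_OUTPUTS, cond).items()})
    print("json_path ioc.value",
          {k: len(v) for k, v in merge_outputs(TASK_OUTPUTS, "json_path", "ioc.value").items()})
```

Running the block shows how the same four outputs collapse differently under each condition: merging by JSON path on `ioc.value` brings the two lookups of the same IP together even though they came from different Playbook instances, while merging by task instance keeps every run separate.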
Other New Playbook Features
Create Playbooks that take actions upon Event ingestion. Previously, you could only use Playbooks on an Incident.
Create new Integrations, Utility Commands, and Connections on the fly within Playbooks.
Find Workflows, Integrations, and Utility Commands by searching through the new Command Shortcuts panel.
Manage each Playbook with the simplified menu bar to easily Clone, Share, Submit, and Publish Playbooks.
Integrations Enhancements
You can now view all available Integrations in one list, organized by category. Built-In and Custom Integrations are differentiated with tags, providing more context for your workflow. Furthermore, you can access both the Integration Command Settings and the Editors (Python, Playbook, REST API, SQL) simultaneously.
Utility Commands
With the new Utility Commands interface, you can now view all available Utility Commands in one list, organized by category. Tags have been added to differentiate between Basic, Cyber, and System Utility Commands. Version Control is now available across all Utility Commands. Lastly, you’ll be able to view both Command Settings and Editor (Python, Playbook, REST API, SQL) simultaneously.
D3 Agent Management
With our newly added Agent Management module, you can install Agents via a step-by-step installation wizard, and monitor them directly within the D3 SOAR Platform. You can also update the configured Agents using the installation wizard.
With Agent installation and management now available in the application, you can deploy multiple Agents to your on-premises environment at your discretion without requiring assistance from D3.
Schedules & Data Ingestion
A Schedules & Data Ingestion module has been added to give you a consolidated view of all your scheduled jobs and data intakes in one central location.
You can now see more contextual information within the Log function in Scheduled Jobs and Data Intake. Depending on the type of Command or Data Intake method, the Log allows you to view all Input, Output, and Error data in a list according to each scheduled run. With this, you can determine if your scheduled jobs and data ingestion are working as expected.
Event Automation Rules Enhancements
Event Automation Rules now enable you to have granular control over specific conditions that determine an Event’s escalation/dismissal behavior. You can control how an Event is escalated into Incidents, categorized by: matching fields, individual Event IDs, automation rules, and batches.
Additional Configurations Features
A new Settings module has been added to configure essential platform details such as SMTP Settings and Time/Date format.
The Global List has been updated to a two-panel layout for an improved configuration experience.
You can configure Connection Health Checks for Custom Integrations.
The Users, Groups, Roles, and Sites pages have been consolidated under one User Management module.
Incident Workspace Improvements
Create Ad-Hoc Tasks
You can now create Ad-Hoc tasks in the Incident Workspace to assign specific tasks to users. This can help you keep track of Incident-related tasks as all created Ad-Hoc tasks will show up in the Pending Tasks tab.