Skip to main content
Skip table of contents

15.2.108

Playbook Enhancements

Playbook Task: Unwind

The new Unwind playbook task allows you to take an array of JSON objects and separate them into individual objects. Each JSON object can then be enriched individually with a different workflow. The unwind task will make it more accessible to manage and process large data sets from the playbook editor menu.

Event Playbook: Select an Existing Event for Testing

You can now select an existing event as test data to simulate the on event ingestion trigger. This eliminates the need to manually build test data. This feature streamlines and speeds up the testing process for event playbooks. The original process of building custom trigger data will still be available by selecting Custom Trigger Event.

Investigation Dashboard Enhancements

Critical and Informational Severity Levels

There are now two new severity levels for incidents: Informational and Critical. These levels are in addition to the existing levels of Low, Medium, and High, with Informational being the least severe and Critical being the most severe. This allows for a more detailed and accurate categorization of incidents and can help improve incident response and management by allowing teams to prioritize and filter incidents based on more precise severity levels.

Auto-Fit Column Width

A new button has been added to let you auto-fit the width of columns, making it easier to navigate and view your data.

New Column for Events: Event Escalation/Dismissal Method

A new column indicating whether an event's escalation or dismissal was manual or automatic has been added to the events dashboard. This new feature allows MSSPs to easily track and use exported event dashboard data to generate reports on event handling, particularly for customers who want to see whether a particular event was processed automatically or manually.

Auto-Refresh Upon Event and Incident Ingestion

The event and incident dashboards will now automatically refresh with real-time data. SOC teams and MSSPs using D3 SOAR can now stay up-to-date on the latest events and incidents as soon as they are ingested from their security tool stack to D3 SOAR. This not only provides a more efficient and streamlined workflow but also allows for faster incident response and improved security posture.

New Columns for Pending Tasks

Additional columns are available on the Pending Tasks dashboard to help you prioritize and manage pending tasks more effectively.

With this update, you will now be able to add the following columns to the pending task dashboard:

  • Incident Owner

  • Incident Title

  • Incident Owner Site

  • Incident Severity

  • Incident Date Created

  • Incident Date Modified

  • Incident Status

  • Incident Playbook

  • Tactic

  • Technique

With these columns, you will be able to quickly identify the most important pending tasks and prioritize your incident management workflow.

Utility Commands

Bulk Action Utility Commands

Two new utility commands have been added to allow bulk actions for setting incident fields and updating dynamic form values. These utility commands can be added to playbooks to streamline the incident management workflow for MSSPs and SOC teams processing large volumes of incidents.

Set Incident Fields In Bulk

You can bulk update incident fields by creating a JSON array with the corresponding incident numbers and incident fields’ key-value pairs.

Update Dynamic Form Value By Incident Number In Bulk

You can bulk update dynamic form values of incidents by creating a JSON array with the corresponding incident numbers and dynamic form fields’ key-value pairs.

Refresh Incidents Overview

The Refresh Incidents Overview utility command allows the system to automatically refresh the incident overview page of specified incidents after processing in playbooks. You will no longer have to manually refresh the incident overview page to see updated information. Incident response and management will be streamlined by providing real-time visibility into the status of incidents, making it easier to track and prioritize incidents based on their current status.

Remove Case Attachment and Remove Incident Attachment

The Remove Case Attachment and Remove Incident Attachment utility commands can be used to remove attachments from specified arrays of case numbers and incident numbers, respectively. You can integrate this with playbook workflows to automate the case and incident management process. This is useful for housekeeping and removing a large number of sensitive attachments from the system, giving you greater control of your data.

Application Settings Enhancement

Customizable Dynamic Input Method for Playbooks

The dynamic input method for playbooks can now be selected at the application level, the playbook level and the playbook task level. This enhancement improves compatibility with playbooks created with previous versions of D3 SOAR and gives you more flexibility in how you use dynamic input methods to build playbooks.

Global List Enhancement

Maximum Size Limit for Global List

We have limited the maximum size of a global list to 20 MB. This will help improve the performance of the VSOC application and ensure seamless data processing between playbooks and global lists.

Event Automation Rules Enhancements

Share Automation Rules Across All Client Sites

Event automation rules can now be easily shared across all client sites. You can realize time-saving benefits by not having to create separate rules for each individual client site. This is beneficial for MSSPs who want to provide a more standardized security management service to their clients, by ensuring that all clients are protected by the same set of automation rules, minimizing the potential for security gaps.

Sharing Automation Rules to Specific Sites

Event Automation Rules can now be shared with specific sites, making it easier to correlate new events with incidents that may be located on different sites when using incident suppression.

With this feature, you can now apply event automation rules to multiple sites, and select the specific sites within the event automation rule itself. This means that you will be able to correlate follow-up events to existing incidents across different sites, rather than just within the same site.

This enhancement improves the correlation of follow-up events to existing incidents and allows MSSPs to better protect clients' security systems across different sites. In turn, it will provide a more comprehensive security management service to clients and increase the efficiency of the incident management process.

Webhook Configuration Enhancement

Setting Up Webhook Keys: Sample Request Body

We have improved the webhook configuration page for commands by including sample request body data, making it easier for you to set up and structure your requests.

Other Enhancements

Login Landing Site Selection

In My Preferences, you can customize your preferred landing site upon logging into VSOC. With this setting configured to the user’s role and responsibilities, SOC analysts and MSSPs can spend less time navigating the platform and more time focusing on incident response and security operations.

UI Updates to the Integrations Module

Small updates to the design of the integrations module have been made for a better user experience. Integrations have been reorganized into more appropriate categories. Additionally, we've made some cosmetic changes such as increasing the size of the integration logos and providing more space for the integration descriptions.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close