15.3.72

Incident Workspace Enhancements

Events Summary

The Events Summary section serves as an overview of an incident's source events. The section is logically organized by batches based on the escalation method (i.e., manual, event playbook, task, or automation rule) and presented clearly and concisely.

Each event from a particular batch is readily expandable to reveal additional details such as severity, time of occurrence, the last updated time and other mapped fields. The summary provides a direct link to the source event for quick access. To suit your preferences and incident response workflow, you can opt to only display a customized set of fields for events ingested from a given integration.

UI Enhancement: Editing Incident Summary Fields

Modifying an editable incident summary field is now straightforward and quick. You can hover your cursor over the field and click it to make necessary edits to the incident summary.

Incident Viewing History

The breadcrumb feature for linked incidents within the Incident Workspace is a useful addition to the incident response system. Analysts can trace their steps and understand the context of their incident investigations, making navigating through the incidents easier and ensuring that no critical information is missed.

Integration Enhancements

Built-in Integration: REST API Callback

The new REST API Callback system integration enables you to send asynchronous REST API requests from D3 SOAR. Callbacks enable you to receive data at a specified callback URL when a particular event is triggered.

For example, D3 SOAR may send a REST API call to a ticketing system to create a new ticket for an incident. The ticketing system responds with a callback URL that the D3 SOAR can use to receive notifications about the status of the ticket. D3 SOAR then registers this callback URL with the ticketing system and waits for notifications about the ticket status.

When the ticketing system updates the status of the ticket, it sends a notification to the callback URL registered by the D3 SOAR. D3 SOAR then processes the notification and updates the incident status accordingly.

Event Field Mapping: System Variables for Placeholder Fields

Prior to this update, it was only possible to define placeholder fields for field mapping using previously mapped fields. Placeholder fields let you display customized information from a mapped field when viewing events from the investigation dashboard or event details. We've added the functionality to let you use a list of system variables to define placeholder fields. These system variables, such as SiteName and TimeStamp, can be used out-of-the-box, even if no fields are set up. Some of these fields provide data that was previously inaccessible by normal field mapping, such as connection data.

Playbook Enhancement

Trigger: On Incident Status Change

Incident playbooks can now be configured to trigger automatically whenever there is a change in an incident's status. Any tasks connected to this trigger run immediately after an incident's status changes. This enhancement enables security teams to automate their response efforts and take immediate action as soon as a critical incident occurs. It eliminates the need for manual intervention, ensuring consistency and accuracy in response actions.

Investigation Dashboard Enhancements

Bulk Change Incident Status

You can now bulk change the status of incidents on the Investigation Dashboard.

Incident Status: In Progress and On Hold

Incident statuses represent the different stages of the incident response lifecycle. The "In Progress" and "On Hold" incident status has now been added. This is an addition to the existing statuses of Open and Closed. The ability to indicate whether an incident is in progress or on hold can provide more granular visibility into the investigation process and help organizations better manage their incident response efforts.

Utility Commands Enhancements

Update Identical Event

The Update Identical Event command is exclusively available within the event playbook, designed to streamline incident data management. When you use this command, it queries D3 SOAR's database to find an original event within the same integration matching your input search conditions.

Once the matching event is located, the mapped fields of the original event are updated with the new event's data. This preserves a complete history of all event field data in the newly introduced Events Summary in Incident Workspace. After the update is complete, the new event can be configured in a playbook to be dismissed with an additional playbook task, maintaining a clear and organized record of all incidents. You can view the data history for the mapped fields of the updated event by accessing the events summary in the Incident Workspace.

Link to Related Event Incident

The Link to Related Event Incident command significantly improves and streamlines event correlation. Event correlation is the process of analyzing and identifying relationships between events occurring within an organization's security environment. By understanding these relationships, security teams can quickly identify potential security incidents, assess their impact, and take appropriate remediation actions.

This command is exclusively used in event playbooks to search for related events based on specified search conditions. If any of these related events have an associated incident, the new event will be linked to the incident of related events. By linking events to a common incident, analysts can quickly identify the root cause of an incident and understand the full scope of the incident.

Create Tenant Data Ingestion Schedule

The Create Tenant Data Ingestion Schedule utility command brings automated client onboarding for our Managed Security Service Provider (MSSP) customers. With this new command integrated into a playbook workflow, MSSPs can easily automate data ingestion schedules for specific integrations on a tenant site, simplifying their client onboarding process and reducing the professional hours required for onboarding clients.

Dismiss Event After Creation

The Dismiss Event After Creation utility command is designed to be used after the "On Event Ingestion" trigger in event playbooks, with the purpose of dismissing low-priority events automatically. This effectively frees up your security team's workload by freeing up their time to focus on mission-critical tasks.

Update Owner ID and Site ID

The Update Owner ID and Site ID utility command lets you update an incident's Owner and Site ID. This utility command can be integrated with playbook workflows to automate the process of updating incident ownership and site location information.

Close Incidents in Bulk - New Input Parameter

The Bypass All Required Fields parameter that lets you bypass required fields on incident dynamic forms. If the command is executed by a manual task or a test command, you must have necessary permissions to edit, close, and view the incident. If the command is executed in a playbook, the incident should be in the selected site. This adds greater flexibility and efficiency to bulk incident closing.

Tenant Management Enhancement

Tenant Site Management

A Sites tab has been added to Tenant Management, exclusively for multi-tenant instances. This new feature allows Managed Security Service Providers (MSSPs) to easily activate or deactivate a tenant instance's sites from the master tenant site. The activation and deactivation date of a site is visible, which can be used for record-keeping and auditing purposes. MSSPs can easily purge and manage client data when offboarding, streamlining the overall process.

Append Extra Information to Request URLs for Bi-Directional POST Requests

The D3 SOAR webhook has undergone improvements to support bi-directional POST requests. This upgrade allows for updates to be made to data from both D3 SOAR and external systems, ensuring that corresponding data is updated on both ends. One practical example of this is with ServiceNow, where new incidents are received as tickets and updated tickets are sent back to D3 SOAR after processing. With the use of a webhook, the information to update the corresponding incident is appended to the end of D3 SOAR's webhook request URL (e.g. /UpdateEvents is appended to the request URL as https://demo.d3soar.com/xyz/VSOC/api/Data/ServiceNow/Webhook_Test/CreateEvents/UpdateEvents), which is added to the "WebhookExtraInfo" field in the event data. This additional data can then be incorporated into a playbook workflow, effectively updating the corresponding incident or event in D3 SOAR.