Skip to main content
Skip table of contents

16.0

Reporting Dashboard Revamp

The Reporting & Analytics dashboard module has been completely revamped as the Reporting Dashboard, with a new user interface and new functionalities. The new reporting features offer personalized dashboards to security executives and managers to visualize and monitor their Key Performance Indicators (KPIs) in real time.

This module comprises two main parts: Widgets and Dashboards.

Widgets provide visual representations of data extracted from four sources: Artifact, Event, Global List, and Incident. You can create queries using the query builder to extract data from these sources and select specific time ranges and sites to display within the widget. Once created, these widgets can be added to Dashboards.

Dashboards are collections of widgets that can be tailored to meet different reporting needs, including KPI monitoring, SLA monitoring, and SOC team management. The dashboard view can also be filtered by sites and time range and exported as PNG.

In addition, you can use the email scheduler feature to automate the sharing of dashboards, by conveniently scheduling one-time or recurring emails to recipients. Recipients receive a viewable link in the email, providing easy access to the interactive dashboard without requiring additional logins, facilitating streamlined communication and data-driven decision-making.

MSSP Client Access Portal

The MSSP (Managed Security Service Provides) client portal is an innovative addition enhancing communication, visibility, and collaboration between MSSPs and their clients.

Once the MSSP client portal license is purchased and activated, MSSPs can create user accounts with customized roles specifically designed for their clients. These roles, configured with the "Client" access type, provide MSSP clients with limited access to the SOAR platform, including the investigation dashboard and reporting dashboard. Here are some highlighted key features:

  • Incident Review: Clients can view incidents and events from the investigation dashboard, allowing them to view summarized and in-depth incident details.

  • Interaction Capabilities: Clients can take limited actions, such as running ad hoc commands and responding to pending tasks that require SLA approvals.

  • Messaging: MSSPs can improve response times and promote collaboration by using the portal to communicate with their clients and request approvals via the message center.

  • Reporting and Analytics Dashboard: MSSPs can curate reports and data visualizations to provide clients with valuable insights into their security operations.

  • Investigations Tab: Clients can view insights on each incident curated by the MSSP, organized by Summary, Findings, Mitigations, and Recommendations.

The client portal serves as a centralized hub, consolidating all necessary functionalities for efficient and effective collaboration. It empowers MSSPs and their clients to seamlessly interact, share information, and work together towards their security goals.

Incident Workspace Enhancement

Key Fields

The Incident Summary section within the Overview Tab has been renamed to Key Fields, allowing for the inclusion of custom fields. Just like the previous Incident Summary section, Key Fields displays and allows you to edit the default incident fields filled in by an analyst or playbook during the event escalation or incident intake process. The notable enhancement is the introduction of the Custom Fields section, which provides flexibility in field mapping. Previously, these fields were limited to a predetermined set of system fields.

Your Pending Tasks

The Your Pending Tasks section provides an overview of your top six most urgent ad-hoc tasks and playbook tasks related to the selected incident. This section will only display tasks assigned to you.

The tasks are organized based on their due dates. From left to right, these tasks are colour-coded based on urgency, with red indicating the tasks past their due dates, followed by yellow for tasks due within one hour. Tasks without a coloured stripe are those with deadlines further in the future or no deadline. Tasks with a required tag must be completed before an incident can be closed, while suggested playbook tasks need your input to run or skip the task. Clicking on a task will bring up the full task details.

Investigations Tab

The Investigations Tab is a brand new tab added to Incident Workspace.

This tab is a centralized location designed for analysts to input and manage investigation information related to an incident. It consists of four sections: Summary, Findings, Remediations & Mitigations, and Recommendations. Analysts can input incident investigation information to the appropriate sections by using JSON-defined data tables or HTML, allowing them to record details such as notes, findings, and recommendations. The Findings section is further divided into subsections for Initial Findings, Data Enrichments, Data Correlations, Indicators of Attack (IOA), and Indicators of Compromise (IOC). Analysts can manually input information through the user interface or use utility commands in playbooks for automated data population, saving time and ensuring accurate capture of critical details.

Two new utility commands are available to help automate populating the investigation sections.

Export Incident Report Enhancement

The incident template has been revised to match the updated and new components of the Incident Workspace. These revisions apply to both the exported templates in Microsoft Word and PDF formats.

Incident Messaging

Incident messaging allows SOC analysts to communicate about investigations, and for MSSPs to collaborate with clients. New features include mentioning and direct messaging, requesting approval, and Slack integration. Plans for integration with other messaging services are in development for future releases.

Data Ingestion

MITRE TTP Search and Event Automation Rules Settings

Upon configuring a new data source across different components in D3 SOAR, such as API Keys, JWT, Data Ingestion, Schedule, Upload File (from the Investigation Dashboard), and Ongoing Surveillance Task, two checkboxes will appear that allow you to customize the behaviour of ingested events. The first checkbox enables the automatic mapping of ingested events from the data source to MITRE tactics and techniques. The second checkbox enables event automation rules for event dismissal and escalation.

JWT Authentication

JSON Web Token (JWT) is an open and widely accepted industry standard, defined in RFC 7519. They provide a secure and efficient way of transferring claims between two parties, ensuring the authenticity and integrity of the data. JWTs can now be used to authenticate data ingestion and remote commands via webhook in D3 SOAR. Additionally, token creators have the ability to reassign, regenerate, rename, and delete tokens as needed.

To enable JWT authentication in D3 SOAR, navigate to Configuration > Application Settings > Web Config, and set the value of the "EnableEnhanceWebhookAuthentication" configuration key to True.

IOA/IOC Link Analysis

The IOA/IOC Link Analysis tab under the Investigation Dashboard visualizes the relationships between indicators of attack (IOAs) and indicators of compromise (IOCs) from events and incidents. You can view analyses from the past 7 or 30 days to gather historical attack patterns. Each node represents an artifact entity, coloured red (IOA), yellow (IOC), or both. Arrows show the direction of the labelled relationship. Clicking on a node reveals more information, and the "Add Investigation Details" command lets users define artifact relationships for automated link analysis.

Incident Playbook Enhancements

Trigger: On Incident External Action

The On Incident External Action trigger in incident playbooks combines external action data with raw incident data, allowing users to perform a comprehensive investigation on an incident using a defined playbook workflow. By ingesting events through the D3 API with a unique key, multiple requests with the same key ID are aggregated into a single incident. This trigger feature enables users to initiate additional workflows for investigating a specific incident without the need to log into D3 SOAR directly.

Utility Commands Enhancements

The following utility commands have been added to this release of D3 SOAR.

Commands

Functionality

Add Investigation Details

Adds investigation details in HTML rich text to the sections in the Investigation Tab.

Add Investigation Table Content

Adds data tables defined in JSON format to the relevant Incident Workspace's Investigation Tab. You can use this utility command to populate any of the sections in the Investigation Tab, as well as highlight important key details.

Get Incident Static Field

Returns all static incident fields and corresponding values of the specified incident, which are shown in the overview tab in Incident Workspace.

Get Related Incidents by Artifact

Searches for incidents related to the specified artifact(s).

Link Event To Incident

Searches for a pre-existing incident by applying a specific set of search conditions and updates the custom fields of the first identified incident that meets the search conditions. The corresponding event is also added to the same incident. If no matching incident is found, a new incident is created.

Set Incident Field HTML

Adds HTML content to a specified incident's description, note or conclusion, which is shown in the overview tab in Incident Workspace.

Trigger Incident External Action

Activates the "On Incident External Action" trigger in incident playbooks for the first incident that matches the specified search conditions.

Connections Module Enhancement

The connections module now has a newly added Webhook Keys tab. This tab allows you to efficiently manage and view all the webhook keys you have created and are currently available for your account. This addition is especially beneficial for our MSSP (Managed Security Service Provider) users who need to manage webhook keys for various tenants and client sites. With the Webhook Keys tab, you can conveniently access and remove keys created from your account in a centralized location, streamlining your key management process.

Application Settings Enhancements

Dashboard Columns

With this new update, you can now easily manage the default and custom columns displayed in your investigation dashboard. When you add a new custom column, it will be automatically saved to the investigation dashboard. To enable or disable the column, simply click the "more" icon located on the top right corner of event and investigation lists.

Logo Customization

You can now customize the branding of your incident reports and email approval pages to better reflect your company or MSSP's corporate identity.

By default, the incident report and send email templates are equipped with D3's logo. You can now upload your own logo to replace the default one. Additionally, you can also include your company URL in the header of the incident report. Every time an incident report is generated or an email approval page is sent, your logo will be prominently displayed, providing your team and clients with a consistent and professional brand experience.

Proxy Agent Update

We have released a new version of the proxy agent along side D3 SOAR version 16.0. To ensure compatibility, please upgrade your proxy agent to version 16.0.18.0. For instructions on how to update a proxy agent, please refer to the Agent Management section in the user guide.

Integrations

New Integrations

The following integrations have been added to this release of D3 SOAR.

Integration Name

Description

CrowdStrike Falcon Intelligence

Crowdstrike Falcon Intelligence enables organizations of all sizes to better understand the threats they face and improves the efficacy of their other security investments with actionable and customized intelligence to defend against future attacks, making proactive security a reality.

CrowdStrike Threat Graph

CrowdStrike Threat Graph is the brains behind the Falcon cloud-native platform. The CrowdStrike Security Cloud leverages Threat Graph to correlate trillions of security events per day with indicators of attack, threat intelligence and enterprise telemetry from across customer endpoints, workloads, identities, DevOps, IT assets and configurations. The CrowdStrike Security Cloud creates actionable data, identifies shifts in adversarial tactics, and maps tradecraft in the patented Threat Graph to automatically prevent threats in real-time across CrowdStrike's global customer base.

CyberInt

Cyberint, the Impactful Intelligence company, fuses threat intelligence with attack surface management, providing organizations with extensive integrated visibility into their external risk exposure. Leveraging autonomous discovery of all external-facing assets, coupled with open, deep & dark web intelligence, the solution allows cybersecurity teams to uncover their most relevant known and unknown digital risks - earlier.

D3 Tool Kit

D3 toolkit is a collection of software development tools and resources that help developers increase their productivity and efficiency, improve the quality of their applications, facilitate collaboration among team members, and stay up-to-date with the latest technologies and trends in software development.

Kaspersky Security Center OpenAPI

Kaspersky Security Center takes the complexity out of security administration and IT systems management. The API is for controlling Kaspersky Security Center administration tools. It also allows integration with the ability to periodically retrieve detailed information about events.

Microsoft 365 Defender (Email & collaboration)

Microsoft 365 Defender, part of Microsoft's XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. This integration allows organizations to fetch security incidents, update security incidents and run advanced hunting queries to inspect unusual activity, detect possible threats, and even respond to attacks. D3's integration for Microsoft 365 Defender (Email & collaboration) is using Exchange Online PowerShell to provide the operation on the Tenant Allow/Block list, which allows the user to Allow/Block email addresses, domains, URLs, and files.

Recorded Future - SecurityTrails

SecurityTrails is a total inventory that curates comprehensive domain and IP address data for users and applications that demand clarity. By combining current and historical data of all Internet assets, SecurityTrails is the proven solution for 3rd-party risk assessment, attack surface reduction and threat hunting. This integration enables organizations to query risk issues and correlate domain and IP address data for risk assessment and threat hunting.

Screenshot Machine

The Screenshot Machine is explicitly built to capture a full-page screen or small website thumbnail or to create a PDF from web pages online.

Sevco

Sevco is an Asset Intelligence platform to aggregate inventory of users and devices and the relationships between them and monitor the changes over time. This product is a newly identified Cybersecurity Asset Attack Surface Management (CAASM) as an emerging technology focused on enabling security teams to solve persistent asset visibility and vulnerability challenges.

Sucuri SiteCheck

Sucuri SiteCheck scanner remotely checks any URL for security threats, malware, defacements, out-of-date CMS, blacklisting, and other important security issues. It visits a website like an everyday user would to verify the source code for malicious behaviour or security anomalies.

unshorten.me

Unshorten.me is a free service to Un-Shorten the URLs created by URL shortening services. Unshorten.me can un-shorten URLs created by different services like goo.gl (Google), fb.me (Facebook), t.co (Twitter), bit.ly, TinyURL, ow.ly, among others.

Updated Integrations

The following integrations have been updated in this release of D3 SOAR.

Integration Name

Changes

AlienVault OTX

Converted all existing C# commands to Python

Atlassian Jira Service Management

Enhanced user interface for authenticating connections.

Atlassian Jira Software

New commands: List Fields, Get Account IDs

Create Issue & Edit Issue: Added support for adding and updating custom fields

Assign Issue to User & Edit Issue: Enhanced to support Markdown for the parameters Description, Summary, and Custom Fields.

Add Comment to Issues: Enhanced to support Markdown for the Comment parameter.

Converted eight existing C# commands to Python: List Projects, Add Comment To Issues, Create Issue, Delete Issues, Get Comment From Issues, Get Create Meta, Search Issues, Upload File To Issue

BrightCloud Threat Intelligence

New command: Check File Reputation

Checkpoint Firewall

New commands: Show Application Site Categories, Block Domains, Show Policy Packages, Block URLs, Discard Changes, Show Changes, Install Policy, Show Sessions

Cisco Adaptive Security Appliance

Updated all commands to support SSH connections

Cofense Vision

New commands: Search, Get Search Result, Get Attachment

CrowdStrike

New commands: Search Vulnerable Hosts By CVE, List Vulnerabilities, Get Host Vulnerabilities, Get Vulnerability Details, Get Vulnerability Evaluation Details

Converted eight existing C# commands to Python: Fetch Event, Download Files, Find Hosts, Find IOC Observed Host, Isolate Host, Resolve Detection, Upload RealTime Response Script, Execute Command On Single Endpoint(Deprecated)

CrowdStrike Discover

New commands: List Assets, List Accounts, List Logins

Darktrace

New commands: Get Device Info, Get Device Summary, List PCAPs, Create PCAP, Get Status, Tag Devices, Get Device Tags, List Actions, Create Actions, List Tags

Acknowledge & Unacknowledge: Updated to remove key field results, which previously caused an error message to return.

Kenna Security

New commands: Test Connection, Search Assets, listApplications

KnowBe4 PhishER

Added the headers "User-Agent" and "X-KB4-Integration" for all commands, with the values being "KnowBe4/1.0/{Command Display Name}" and "Acme Integration" respectively.

Maltiverse

Check File Reputation: Added support for MD5, SHA-1, SHA-512 hashes.

Microsoft 365 Defender

New command: Fetch Event

Microsoft Purview Audit Logs Activities

Get Audit Log: Added the "User Principal Name" parameter to allow for filtering retrieved logs by user principal name.

Microsoft Sentinel

Fetch Event: The string representation of $.value[].alertDetails[].entities is converted into a JSON array and assigned to the $.value[].alertDetails[].entities_json property.

Update Incident Status: Added an input parameter and a corresponding key field named "Close Comment" to input an incident close comment using the command.

Fetch Incident: Added the "Update Field Mappings" parameter to support bi-directional syncing of incident data in D3 SOAR.

Microsoft Teams

New command: Send Message V2

OpenCTI

New commands: List Connectors, Add Observable, List Observables

Palo Alto Networks Firewall

New command: Retrieve Logs

Proofpoint Targeted Attack Protection

New command: Get Threat Details

Rapid7 InsightVM Cloud

New commands: Search Asset, Search Vulnerability, Get Asset by ID

Splunk v2

New commands: Upload Files, Start Search, Get Search Status, Get Search Result

Updated commands: Fetch Event, Get Recent Notable Events, Search

Fetch Event: Added support for fetching notable events. All field mappings have been updated accordingly to support this change.

Submit Event: Enhanced to allow an event to be created with an event JSON object.

Search & Get Recent Notable Events: Updated to trigger a 2-step API call, initiating a search using startSearch and retrieving results using getResult to obtain events.

Search: Enhanced to handle more flexible search statements, including tstats.

Converted all existing C# commands to Python

Trend Micro Cloud One

Added the "User-Agent" header with the value "TrendMicroCloudOne-D3-Integration-v1" to each command sent, providing identification and information about the integration making the request.

VirusTotal v3

Get IP Report & Get Domain Report: Enhanced to parse and convert WHOIS data retrieved from the path $.data.attributes.whois into JSON format, displaying it under the field $.data.attributes.whois_json. This change is only applicable for raw data and context data outputs.

Deprecated Integration Commands

The following integrations have been deprecated in this release of D3 SOAR.

Integration Name

Deprecated Commands

AlienVault OTX

Get Pulse Details

Search Pulses

Check IP Reputation

Get Domain Information

Get URL Information

Get File Information

Azure Active Directory

Get Managed Device

List Managed Devices

CrowdStrike

Execute Command On Single Endpoint

Microsoft Exchange Server

Block Email

Fetch Event

Search Email

Remove Email

Google Chronicle Search API

Fetch Event by Rule

Run Rule

Get Operation Status

Update Rule

Get Rules Results

Get Rules

Create Rule

Google Cloud PubSub

Fetch Event

iZOOLogic

List Authorised Executives

List Clients

Fetch Event

List Brands

MongoDB

Create DB

Recorded Future

Check IP Reputation

Sophos Central

Fetch Event

Trend Micro Cloud One

Remove Domain Entries From Permit List

Add Domains To Permit List

Create Domain Filter Configuration

List Domain Policy Configurations

Distribute Permit List And Domain Filter To Appliances

Update Domain Filter Config Status

VirusTotal v3

Get Sigma Analysis Reports

Zendesk

Add User

Fetch Event

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.