
17.0

New Features

My Dashboards


The new My Dashboards feature on the investigation dashboard enables users to add dashboards configured in the Reporting Dashboard tab, allowing them to personalize their data visualization to focus on the metrics most critical to their operational needs.

Refer to My Dashboards for details.

Interaction Task Reply Channels

Two new interaction task reply channels have been introduced for use together: Create Interaction Response Link and Await Interaction Response Result. The former generates a response link that can be shared with recipients. The latter monitors the specified link, awaits a response within a defined timeframe, and updates the task status accordingly.

View Example

Suppose the following investigation playbook is provided:

  1. Set up the first interaction task.
  2. Set up the second interaction task.
  3. Test the playbook, then click on the icon for the first interaction task to obtain the response URL.
  4. Send the URL to the relevant recipients; the form is accessed via the URL.
  5. Click on the icon for the second interaction task to check on the response status.

    • If the recipient does not respond within the allotted timeframe, an overdue message will be displayed in the Key Fields and Context Data tabs.

    • If the recipient responds by submitting the form within the allotted timeframe, their response will be displayed in the Key Fields and Context Data tabs.

Log Request Details


The Log Request Details feature allows users to view raw data sent and received by built-in and custom integration commands. Users can select the Log Request Details checkbox to view the request details in the Result Log after testing the command.

View Details
  • This feature is restricted to users with Debug Mode and Playbook access.

  • This functionality may reveal sensitive data, such as tokens in request headers.

  • This feature is available for Python commands, covering 90% of D3's built-in integration commands.
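Because the Result Log can expose credentials, a practitioner sharing request details outside the debugging session will want to mask them first. The following is an added example, not D3's own code; it assumes a hypothetical request-details shape (url, headers, body) as a Python integration command might log it.

```python
"""Added example (not D3's code): masks credential material in captured
integration request details before they are shared.

Assumption (hypothetical): request details are a dict with 'url', 'headers'
and 'body' keys, as a Python integration command might log them."""
import copy
import re

# Header names that carry credentials; matched case-insensitively.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}
# Query-string or form-encoded parameters that commonly carry secrets.
SENSITIVE_PARAMS = re.compile(
    r"(?i)\b(api[_-]?key|access[_-]?token|client[_-]?secret|token|password)=([^&\s\"']+)"
)


def _mask(value: str, keep: int = 4) -> str:
    """Keep a short suffix so entries stay correlatable without being usable."""
    return "***" + value[-keep:] if len(value) > keep else "***"


def redact_request_details(details: dict) -> dict:
    """Return a copy of the request details with credential material masked."""
    out = copy.deepcopy(details)
    for name, value in list(out.get("headers", {}).items()):
        if name.lower() in SENSITIVE_HEADERS or "token" in name.lower():
            # Preserve the scheme (e.g. 'Bearer') but mask the credential itself.
            scheme, sep, cred = str(value).partition(" ")
            out["headers"][name] = f"{scheme} {_mask(cred)}" if sep else _mask(str(value))
    for field in ("url", "body"):
        if isinstance(out.get(field), str):
            out[field] = SENSITIVE_PARAMS.sub(
                lambda m: f"{m.group(1)}={_mask(m.group(2))}", out[field]
            )
    return out


# Constructed sample of what a request log entry might contain (not real data).
SAMPLE = {
    "url": "https://api.example.test/v1/alerts?api_key=abcd1234efgh5678",
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.secret.part",
                "Accept": "application/json"},
    "body": "grant_type=client_credentials&client_secret=s3cr3tvalue",
}
```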

Download Button for Query Results

Users can now download query results in the Reporting Dashboard as a .xlsx file by clicking the Download button. They can download results after running a query or from an existing widget on the dashboard.

Download button after running a query and from an existing widget (screenshots)

Save Draft

Previously, version history was limited to live playbooks. A Save Draft button has been introduced for playbooks and user-defined commands, allowing users to save progress without submitting changes.

Before vs. After (screenshots)

Playbook Dashboard Filters


Users can now filter playbooks by integrations used and last modified time on the Incident Playbook and Event Playbook dashboards. These filters are available as dropdown options.

Notification for Triage Updates


Users viewing a custom triage they do not own will now receive a notification when it is updated or removed by the triage owner. Refer to the Editing and Deleting Custom Triages collapsible item in Managing Custom Triages for details.

Enhancements

General Enhancements

Investigation Dashboard Custom Triage


The process for creating and reordering custom triages has been refined for a smoother experience. Refer to Setting Up a Custom Triage for details.

Adding Artifacts from Overview


Users can add artifacts from the Overview tab in the incident workspace using the Linked Artifacts widget.

View Details

Users can click the button in the widget to link an existing artifact to the incident or to create a new artifact and link it to the incident.

After linking artifacts to the incident, users can access their details and execute commands on them. Linked artifacts are also displayed in the Link Analysis tab.


Incident Workspace Description Editor

The incident description editor has been enhanced for improved usability and performance.

Before vs. After (screenshots)

Playbook Enhancements

Playbook Dashboards UI


The Incident Playbook and Event Playbook dashboards now feature a folder structure on the left with filters to view all, built-in, or custom playbooks. On the right, users can see playbook details, including name, live or draft status, task count, top three integrations (if any), and user permissions.

Custom Python Command Icon

All custom Python commands in a playbook are now marked with an icon. Commands using a previous version without the latest Python updates applied are marked with a separate icon.

Clicking on these icons opens the Code window and the Code Comparison window respectively.

View Code Window and Code Comparison Window (screenshots)

Parent-to-Child Playbook Incident Data and Command Input Persistence

Previously, retesting a child playbook command required re-entering input, and separately caused the loss of incident data from the parent playbook. Now, users can retest a nested playbook while preserving both command input and incident data.

View Example
  1. Create a simple playbook utility command, then click on the root node.
  2. Enable the Command Task setting to use this playbook utility command within a parent playbook.
  3. Configure a command input parameter.
  4. Submit this playbook utility command.
  5. Create an investigation playbook incorporating the previously submitted playbook utility command, providing a sample value for the configured input parameter, then click on the button.
  6. Select an incident, then click on the Run Test button.
  7. Click on the icon to view the executed playbook utility command.
  8. Click on the two icons in turn within the nested playbook. Screenshots compare the result before version 16.9 and starting from version 16.9.
  9. Click on the icon of any task node. Screenshots compare the result before version 16.9 and starting from version 16.9.

Playbook Execution Path Performance Enhancement

Before optimization, frequent query executions increased CPU and worker usage. After optimization, repeated executions are reduced, improving SQL Server performance.

Playbook execution paths are now cached in memory, reducing SQL Server load by minimizing repetitive calculations. This optimization enhances performance, making large playbook executions faster and more efficient.

Incident Data Retrieval

Incident data retrieval has been enhanced for more efficient data handling. When using JSON paths to retrieve incident data, playbooks fetch only the fields used during execution, rather than loading the entire dataset into memory. If a user references a broad dataset (e.g., {{ PlaybookData | jsonpath('$.DataSource.incident') }}) but only utilizes a specific key-value pair within it, only that required field is fetched in real time.

Before vs. After (screenshots)

READER NOTE

It is recommended that users explicitly define specific JSON paths whenever possible to retrieve only necessary field values and avoid loading large datasets.

Restricting Retrieval of Certain Large Data Fields

A new setting has been introduced that restricts certain large data fields to only be retrieved using their specific JSON paths. If enabled, for example, {{ PlaybookData | jsonpath('$.DataSource.incident') }} will not return the raw data of the incident, but it can instead be retrieved using {{ PlaybookData | jsonpath('$.DataSource.incident.RawData') }}.

By default, this setting is disabled. To enable it, contact D3 Support.
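To make the two retrieval behaviours above concrete (fetching only the fields a playbook uses, and the optional restriction that keeps large fields out of broad paths), here is an added example that is not D3's own code. It assumes a hypothetical jsonpath resolver over a PlaybookData dict, with RawData standing in for a large data field.

```python
"""Added example (not D3's code): models the incident-data retrieval
behaviours described above over a constructed incident record.

Assumptions (hypothetical): jsonpath() resolves a '$.a.b' dotted path against
a PlaybookData dict, and LARGE_FIELDS lists the fields that the restriction
setting only returns when the path names them explicitly."""
from typing import Any

# Constructed sample of PlaybookData; RawData stands in for a large field.
PLAYBOOK_DATA = {
    "DataSource": {
        "incident": {
            "Id": "INC-0001",
            "Title": "Suspicious login",
            "Severity": "High",
            "RawData": "x" * 10_000,  # stand-in for a large raw event blob
        }
    }
}

# Fields omitted from broad paths when the restriction setting is enabled.
LARGE_FIELDS = {"RawData"}


def jsonpath(data: dict, path: str, restrict_large_fields: bool = False) -> Any:
    """Resolve a '$.a.b.c' path, walking only the addressed subtree.

    With restrict_large_fields=True, a dict result has LARGE_FIELDS removed;
    a path that ends on such a field still returns it in full."""
    if not path.startswith("$."):
        raise ValueError("only '$.'-rooted dotted paths are supported")
    node: Any = data
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # unresolved path: nothing is fetched
        node = node[key]
    if restrict_large_fields and isinstance(node, dict):
        # Broad path: strip large fields so callers must request them by name.
        return {k: v for k, v in node.items() if k not in LARGE_FIELDS}
    return node


def used_fields(data: dict, path: str, keys: list) -> dict:
    """Fetch only the keys a playbook actually uses beneath a broad path."""
    return {k: jsonpath(data, f"{path}.{k}") for k in keys}
```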

Utility Commands

New Commands

The following utility commands have been added to this release of D3 SOAR.

  • Add or Update Artifact Reputation: Adds or updates an artifact's reputation based on the selected type and specified name. Reputation details can be viewed in the Overview or Reputation tab within the Artifact Details pop-up window.

  • Get Global List MetaData: Retrieves the metadata of global lists, including ID, name, description, site list, status, and last modified time, based on global list names, global list IDs, or site names.

  • Get Site Connections: Retrieves all configured connections for a specified site, including integration name, connection name, connection status, automated health check status, last test timestamp, and last test result. The returned data enables dynamic connection selection, status monitoring, and management.

  • Update Global List MetaData: Manages the metadata of a global list by updating its description, adjusting its status, or modifying the shared sites list.

Updated Commands

The following utility commands have been updated in this release of D3 SOAR.

  • Get Event: Sort Field and Sort Order parameters have been added to allow sorting of results by an existing field in ascending or descending order.

  • Get Incident: Sort Field and Sort Order parameters have been added to allow sorting of results by an existing field in ascending or descending order.

Integrations

New Integrations

The following integrations have been added to this release of D3 SOAR.

  • Acronis: Acronis is a provider of cybersecurity and data protection solutions, offering a suite of products designed to secure and manage data for individuals, small businesses, and enterprises. This integration allows organizations to ingest alerts into D3 vSOC, as well as create and dismiss alerts.

  • Big Panda: BigPanda is an IT operations management (ITOM) platform designed to help organizations monitor, analyze, and resolve issues within their IT environments more efficiently. It primarily focuses on IT incident management and event correlation by aggregating alerts from various monitoring tools and systems into a single platform.

  • Cisco Meraki: Cisco Meraki provides cloud-managed networking for Wi-Fi, routing, security, and IoT. This integration enables organizations to retrieve organization and network details, monitor security events, manage firewall rules, control destination lists, and fetch network alerts and event history.

  • Cisco Umbrella Cloud Security: Cisco Umbrella Cloud Security is a cloud-based security platform that serves as the first line of defense against internet-based threats. It provides secure web gateways, DNS-layer security, and cloud-delivered firewall capabilities, ensuring comprehensive protection for users, devices, and data across various locations, both on and off the network. This integration enables organizations to manage destination lists, including adding or removing destinations from specified lists.

  • Deep Instinct V2: Deep Instinct V2 (using latest REST API version v1) is an endpoint security platform that aims to prevent, detect, and respond to zero-day malware, ransomware, and other advanced threats before they can compromise endpoints or networks. It functions as an endpoint detection and response (EDR) tool, among other capabilities, offering flexible and customizable cybersecurity solutions for modern security operations.

  • ExtraHop Reveal(x) v2: ExtraHop Reveal(x) uses wire data and artificial intelligence to analyze the behavior that impacts critical assets.

  • F5 Application Security Manager (WAF): F5 Application Security Manager (WAF) is a unified cloud security platform designed for both cloud security and development teams, offering capabilities for prevention, active detection, and response.

  • Grafana: Grafana is an open-source platform for monitoring, observability, and data visualization. It enables organizations to create dynamic, interactive dashboards that display metrics and logs from various sources. This integration enables clients to send Loki log messages and metrics to Grafana.

  • HaloPSA: HaloPSA (Professional Services Automation) is a cloud-based software platform designed to help Managed Service Providers (MSPs) and IT service businesses manage their operations efficiently. It provides tools to automate workflows, streamline service delivery, and manage client relationships.

  • LimaCharlie: LimaCharlie is a cloud-based cybersecurity platform designed to provide organizations with powerful tools for threat detection, response, and management. It functions as an endpoint detection and response (EDR) tool, among other capabilities, offering flexible and customizable cybersecurity solutions for modern security operations.

  • Microsoft Purview eDiscovery V2: Microsoft Purview eDiscovery V2 (formerly known as Microsoft 365 eDiscovery) is a comprehensive solution designed to help organizations locate, preserve, collect, and review electronically stored information (ESI) for compliance, legal, and investigative purposes. It is part of Microsoft's Purview suite of tools, which provide security, compliance, and risk management for organizations using Microsoft 365. This integration works with Microsoft Purview eDiscovery (Premium).

  • Qualys Cloud Agent: The Qualys Cloud Agent integration enables the management of Cloud Agents, activation keys, and configuration profiles for the agents.

  • SailPoint IdentityIQ: SailPoint IdentityIQ is an identity and access management software platform custom-built for complex enterprises. It delivers full lifecycle and compliance management for provisioning, access requests, access certifications, and separation of duties.

  • Shodan: Shodan is a specialized search engine that scans and indexes internet-connected devices and systems.

  • SOC Radar Incident V3: SOCRadar is an Extended Threat Intelligence (XTI) SaaS platform that combines External Attack Surface Management (EASM), Digital Risk Protection Services (DRPS), and Cyber Threat Intelligence (CTI). SOCRadar Threat Intelligence is enriched with External Attack Surface Management and Digital Risk Protection, and maximizes the efficiency of your SOC team with false-positive-free, actionable, and contextualized threat intelligence. This integration enables organizations to ingest and manage SOCRadar incidents (alarms). It is developed based on incident API v3.

  • TAXII 2 Threat Feed: Ingests threat indicator feeds from a TAXII 2 server using the Trusted Automated eXchange of Indicator Information (TAXII) protocol version 2.0 or 2.1. This integration enables organizations to retrieve threat intelligence data, which is typically represented in STIX (Structured Threat Information Expression) format.

  • Vectra AI: Vectra Cognito, now named Vectra Platform, is an AI-driven cloud and network threat detection and response (NDR) platform. It provides customers a path to protect their journey to hybrid and multi-cloud, and harnesses Security AI to help organizations build cyberattack resilience with broad attack coverage, clarity, and controls from the data center to the cloud.

  • VulDB V2: VulDB (Vulnerability Database) is an independent vulnerability intelligence platform that provides detailed information on security vulnerabilities across various software, hardware, and network components.

Updated Integrations

The following integrations have been updated in this release of D3 SOAR.

  • Fluency
    New Command(s): Fetch Incident

  • FortiGate
    New Command(s): List Policies; Update Policy

  • Freshservice
    New Command(s): Fetch Event

  • LogRhythm Rest
    Enhanced Command(s): Fetch Event: Added the Including Drilldown parameter and added field mappings.

  • Microsoft Entra ID Protection (Azure AD Identity Protection)
    New Command(s): Fetch Event

  • Microsoft Entra ID (Azure Active Directory)
    New Command(s): Delete OAuth2 Permission Grants; List OAuth2 Permission Grants

  • Microsoft Intune
    New Command(s): Create Windows Update For Business Configuration; List Windows Update For Business Configurations; Update Windows Update For Business Configuration

  • Microsoft Sentinel
    Enhanced Command(s): Fetch Event: Introduced a new event source type (Event Source for Sentinel Incidents) for improved ingestion.

  • Office 365
    New Command(s): List Message Rules
    Enhanced Command(s): Send Email: Renamed the Sender Email parameter to Mailbox Address and added the Send As and Reply To parameters.

  • Tenable.io
    New Command(s): Add Agents To Groups; List Agents By Group; List Agent Groups; Remove Agents From Groups

  • Veeam
    New Command(s): Create Malware Event

Deprecated Integrations

  • Github (Deprecated): replaced by Github

  • VulDB (Deprecated): replaced by VulDB V2
