New UI Highlights
The new UI introduces a clearer, faster way to navigate D3 Morpheus. Core investigation and configuration workflows are now organized around a modern Workspace sidebar, streamlined Configuration areas, and centralized Global Settings.
D3's updated navigation helps users orient faster through a consistent left-side model, reduces clicks to common SOC workflows, and more clearly separates investigation, configuration, and administrative work.
What changed:
- Workspace now gives quick access to My Dashboards, Events, Incidents, Pending Tasks, Artifacts, Playbook Errors, Tenants, Preprocessing Playbook Viewer, and MITRE ATT&CK Monitor.
- Configuration is now grouped into Automation, Connectivity, and Management, making key setup areas easier to find.
- Global Settings now centralizes tenant, user, group, role, site, application setting, session, and license management.
LEGACY NAVIGATION
Looking for an old menu path? See Legacy-to-New Navigation Map.
New Features
VSOC Notifications
Notifications is a new in-app alerting system that surfaces incident updates, such as ownership assignments and @mentions in incident notes, through a notification bell near the top right corner. Each analyst receives only the notifications addressed to them, in near real time. The notification bell displays an unread-count badge, and the displayed count is capped at 99+.
AI Triage Columns
The incident list now supports AI triage columns, allowing analysts to identify which incidents were handled by automation and how the system classified each one. The Investigated by AI, AI Confidence Score, and AI Classification columns appear alongside the existing incident columns. Column visibility follows the dashboard column configuration in Application Settings.
Session Timeout Settings
Session timeout settings control when inactive users are signed out. Administrators can configure the inactivity timeout, the warning duration before sign-out, and the login cookie expiry time. These platform-wide settings apply to all sites, and do not support site-specific overrides. Changes take effect for active sessions without requiring a service restart. The warning duration must be shorter than the inactivity timeout.
Preprocessing Viewer Link
Open in Preprocessing Viewer is a contextual deep link in the upper-right corner of the Data Ingestion module. Both the new UI and legacy UI include this link. It opens the Preprocessing Playbook Viewer in a new tab with the corresponding batchId applied as a search filter, helping users quickly find playbook runs for a selected data source.
Playbook Auto Run Defaults
The Application Settings > Web Config panel now supports the following settings for enabling Auto Run by default on newly created tasks.
- Playbook_EnableDefaultAutoRunForCodeless: Enables Auto Run by default for newly created nested playbook tasks.
- Playbook_EnableDefaultAutoRunForInvestigation: Enables Auto Run by default for newly created tasks in investigation playbooks.
These settings apply only during task creation and do not affect existing tasks.
Enhancements
Redesigned Web Interface
The new UI is organized around three top-level areas: Workspace, Configuration, and Global Settings. Getting around is faster and more predictable. Nothing was taken away.
See Incident Dashboard Enhancements.
The configuration home page has been updated with a revamped hero banner and a new in-app video panel for quick introductions and setup-connection guidance. Videos can be expanded to full screen by double-clicking the player.
Ingestion Error Handling and Data Reacquire
Error-handling settings are now grouped under the Ingestion Failure Process heading.
- No Retry (Default) continues scheduled runs without retrying failures.
- Forward Progress continues scheduled runs while retrying failures in the background.
- Strict Recovery continues only after retrying failures and catching up missed schedule windows.
- Email Notification alerts after consecutive main ingestion failures.
Data Reacquire now handles late-arriving events as a separate setting.
SLA Multi-Value Finish Conditions
SLA finish counting conditions now support multiple values. Administrators can configure text-based finish conditions as removable tags, including values that contain commas. Pressing Enter adds each value as a tag. Start counting behavior remains unchanged.
Child Playbook Error Propagation
Child playbook error propagation is now available for utility command nested playbook tasks. When a child playbook contains failed tasks, users can mark the parent command task as Error and view the child task failure summary in the parent task details.
Incident Workspace View Enhancement
The legacy incident summary header now improves readability on narrower browser windows. Incident titles expand to use the available width. Created and Last Modified timestamps now show exact date and time values instead of relative values.
Incident Dashboard Enhancements
Views: System and Custom Views
The view selector turns the incident list into a set of saved, switchable perspectives. System Views provide common perspectives, including incidents assigned to the analyst, incidents created by the analyst, and unassigned incidents. Custom Views store user-defined filters and groupings. A built-in search box helps analysts quickly find the right view, even across long view lists.
Incident Quick View Panel
The quick view panel helps analysts triage incidents directly from the list without losing context. Analysts can review key incident fields, update the disposition, add tags, and write inline notes from the panel. Dedicated tabs show related Tasks, Linked Incidents, and Linked Artifacts, while previous and next controls support one-incident-at-a-time review.
Advanced Search
Advanced search filters incident lists by commonly used criteria, including date range, incident type, status, severity, owner, MITRE tactic, and MITRE technique. Analysts can combine filters to narrow results and clear all criteria in one action.
Active Filters Popover
The active filters popover makes applied column filters easier to review. When filters are applied, a number indicator shows how many of them are active. Opening the popover displays each filter as a separate pill. Users can edit or remove individual filters, or clear all filters and column sorting at once.
Reordering of Table Columns
Table columns, accessed via the Columns submenu within the vertical ellipsis ( ⋮ ) menu, can now be reordered. Users can drag columns into the preferred order, in addition to showing or hiding columns.
Multi-Tenant Management
Multi-tenant management is now available in the Global Settings interface. Administrators can manage tenants, shared content, and cross-tenant dashboards from one location. Single-tenant deployments are not affected.
Organization Management Revamp
The Organization Management module has been redesigned with a consistent table layout across its Users, Groups, Roles, and Sites pages. All existing user, group, role, and site management actions remain available.
Standalone User Sessions Module
User session and audit logs (previously found in the Advanced Settings page) are now accessible within a standalone module under Global Settings. Administrators can review access levels, login status, failed logins, and suspended accounts, and can also unlock suspended users.
Standalone License Information Module
The license information page is now available as a standalone module under Global Settings. It shows license details and current seat usage in a two-panel layout. Licenses expiring within 90 days are flagged, and expired licenses show the number of days since expiry. The read-only license tier is now labeled Limited Access in the interface.
Incident Widget Expansion
Users can now double-click an incident workspace widget header to expand the widget and review its content in a larger workspace area. These widgets are also arranged two per row to align with the overview layout.
Utility Commands
New Commands
The following utility commands have been added to this release of D3 Autonomous SOC.
| Commands | Functionality |
|---|---|
| Get Reports in PDF or PNG | The Get Reports utility command exports a dashboard report as a PDF or PNG file. Users provide the dashboard ID and choose the export format. The command then finds the matching dashboard, renders the report, and returns the file in the selected format. |
Updated Commands
The following utility commands were updated in this release.
| Commands | Functionality |
|---|---|
| Get Incidents | The command now supports SLA data in two ways.<br><br>SLA as an Output Field: Adding SLA to the static fields returns an SLA array for each incident. Each SLA entry includes the following fields:<br><br>Incidents without SLA data return an empty array.<br><br>SLA Sub-Field Filtering: Incidents can now be filtered by SLA.* sub-fields, such as the following examples:<br><br>The command supports the standard filter operators:<br><br>When multiple SLA conditions appear in the same AND group, a single SLA entry must satisfy all conditions. Matching selects the incident and does not trim the returned SLA array. |
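
The same-entry matching rule described for Get Incidents, as an added Python illustration that is not D3's code, contrasted with a looser reading in which each condition could be met by a different SLA entry. The SLA sub-field names (Name, Status, ElapsedMinutes), the IncidentNumber key, the use of Python's `operator` functions as comparison operators, and the sample incidents are all constructed assumptions, because the page does not list the real fields or operators.

```python
import operator

# Constructed sample incidents. The SLA sub-field names (Name, Status,
# ElapsedMinutes) and IncidentNumber are hypothetical, not D3's schema.
INCIDENTS = [
    {"IncidentNumber": "INC-1", "SLA": [
        {"Name": "Triage", "Status": "Breached", "ElapsedMinutes": 95},
        {"Name": "Containment", "Status": "Met", "ElapsedMinutes": 20},
    ]},
    {"IncidentNumber": "INC-2", "SLA": [
        {"Name": "Triage", "Status": "Met", "ElapsedMinutes": 10},
        {"Name": "Containment", "Status": "Breached", "ElapsedMinutes": 300},
    ]},
    {"IncidentNumber": "INC-3", "SLA": []},  # no SLA data: empty array
]

def entry_matches(entry, and_group):
    """True when this one SLA entry satisfies every condition in the group."""
    return all(
        field in entry and op(entry[field], value)
        for field, op, value in and_group
    )

def filter_same_entry(incidents, and_group):
    """Rule stated on the page: one SLA entry must meet all AND conditions.
    Selected incidents are returned with their full SLA array, untrimmed."""
    return [
        inc for inc in incidents
        if any(entry_matches(entry, and_group) for entry in inc["SLA"])
    ]

def filter_any_entry(incidents, and_group):
    """Looser reading, for contrast only: each condition may be satisfied
    by a different SLA entry of the same incident."""
    return [
        inc for inc in incidents
        if all(
            any(entry_matches(entry, [cond]) for entry in inc["SLA"])
            for cond in and_group
        )
    ]

# Hypothetical AND group: SLA.Name = Triage AND SLA.Status = Breached
GROUP = [("Name", operator.eq, "Triage"), ("Status", operator.eq, "Breached")]
```

A playbook that alerts on breached triage SLAs would over-match INC-2 under the looser reading; under the stated rule only INC-1 is selected, and its Containment entry is still present in the result.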
Integration Commands
New Integrations
| Integration | Description |
|---|---|
| SAP SecurityBridge | SAP SecurityBridge is an SAP-native security platform that provides real-time threat detection, security monitoring, and compliance management for SAP systems. It captures security-relevant events across SAP landscapes using configurable listeners and transmits them via an OData REST interface for centralized security operations and incident response. |
| NordStellar Platform Data | NordStellar is a threat intelligence platform that provides dark web monitoring, data breach detection, malware infection tracking, domain permutation analysis, and attack surface vulnerability management. It enables organizations to detect leaked credentials, monitor dark web forums and marketplaces, and identify external-facing vulnerabilities. |
| NordStellar Enterprise Data | NordStellar Enterprise Data connects D3 ASOC to NordStellar's breach intelligence platform. Use it to check whether email addresses or domains have been exposed in data breaches, retrieve credential lists and malware infection logs in bulk, and search dark web forum posts by keyword. |
| Tines | Tines is a no-code security automation and case management platform for SOC teams. This integration ingests Tines cases into D3 as events, updates cases from playbooks, and queries Tines teams, stories, records, and record types. |
| Claroty xDome | Claroty xDome is an industrial cybersecurity platform that provides comprehensive visibility, threat detection, and vulnerability management for OT, IoT, and IIoT environments. It continuously monitors network assets, detects anomalies and threats, and delivers risk-based vulnerability prioritization across industrial and healthcare networks. |
| AWS Inspector | AWS Inspector is an automated vulnerability management service that continuously scans AWS workloads including EC2 instances, ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure. |
Updated Commands
| Integration | New Commands |
|---|---|
| Qualys | |
| Microsoft Defender XDR | |
| Palo Alto Networks FireWall V10 | |
| Anomali ThreatStream | |
| SentinelOne Singularity Operations Center | |