
Connections

Overview

A Connection is the relationship between the D3 SOAR system and a third-party application. Having an established Connection enables you to ingest data from third-party systems, and use Integration Commands.

In D3 SOAR, there are two ways to manage credentials for connecting to third-party integrations:

  1. Manually enter username, password or API key in the connection

  2. Use password vault

The Connections module contains a list of Connections added across all Integrations, for scalability and ease of deployment. In this module, you can conduct the following tasks:

  • Filter Connections by Sites to see exactly which Connections have been configured for which clients (for MSSPs).

  • Bulk add and edit the Connection used for each Integration (for SOC engineers).

  • Monitor the Health Status of all Connections (for all users).

The Health Status for Connections can be configured for some connections by activating the Connection Health Check option inside the connection details.

Adding a Connection

To begin using a System Integration, you have to add an Integration Connection. Not every integration connection will look the same; some may differ based on required parameters. The general steps are listed below:

  1. Search and select the Integration you want to use from the Integration List.

  2. Click on the + Add Integration Connection button.

  3. The New Connection panel will appear. You can fill in the following Connection Details after selecting an Integration:

    1. Connection Name

    2. Sites: Set which Site can use this Connection.

      • A connection can be shared between all internal sites and client sites, and used for individual sites.

    3. Select the Recipient site for events from connections Shared to Internal Sites

    4. Agent Name (Optional): select the Proxy Agent that you have set up previously

    5. Description (Optional): add a description of how this Connection should be used

    6. Tenant: enable toggle to share connection to a tenant site

    7. Active: ensure this checkbox is selected so that the Connection is available for use

    8. System: this section contains the parameters that have been predefined by D3 Security specifically for this Integration.

    9. Enable Password Vault: select the password vault connection you have set up

    10. Connection Health Check: check this box to configure a recurring health check on this Connection

    11. Test Connection: click this to verify the account credentials and network connection. Sometimes a Connection failure may indicate that there’s no network connection between the D3 SOAR platform and the third-party tool.
      Note: The latest Test Connection results will display within this window for reference

    12. Clone Connection to Site: select which Sites this Connection should be cloned to

    13. User Permission: configure who has access to this Connection

      Note: Items 12 and 13 only show up when editing the Connection.

Alert

If your connection is Shared to Internal Sites, you can configure the Recipient site for events from connections Shared to Internal Sites here as well. Please note that the site selection here will be applied globally – all events ingested through connections that are shared to internal sites will now belong to the newly selected site.

Password Vault

The process of using a password vault (e.g., Hashicorp, CyberArk) for an integration consists of the following steps:

  1. Set up a General Password Vault connection

  2. Set up an Integration Connection (SIEM, Threat Intel or EDR) with Password Vault enabled

Reader Note

D3 SOAR integrates with external credential vaults, which enables you to use them in D3 SOAR without hard coding or exposing the credentials of third-party applications (SIEM, EDR or Threat Intel). The credentials are not stored in D3 SOAR; rather, the integration fetches the credentials from the external vault when called.

Set up a General Password Vault connection

Connections to third-party environments are centrally managed in the Home > Configuration > Connections page.

Creating a New Connection

  1. To create a new Connection, click on the + Add Integration Connection button in a selected site.

Reader Note

If a Connection can be globally shared across multiple sites, the Connection can be added in Shared to all sites.

  2. In the New Connection window, you can select “General Password Vault” from the drop-down list.

  3. Next, specify a unique Connection Name.

  4. Upon selecting the Integration, the corresponding System Connections Parameters will display.

  5. Connection credentials configuration:

    1. Select Authentication Types

    2. Enter Key for the Authentication, and its Value

    3. If Add to Header is enabled, the key value pair will be automatically added to the header.

    4. If Add to Query Params is enabled, the key value pair will be automatically added to the query URL

    5. Add Server URL along with the directory of stored password

    6. Select GET Method to query password

    7. (optional) Header and Body

  6. Test connection

    1. Click Test Connection to ensure the authentication to the configured password vault is properly set up

  7. Configure mapping

    1. Navigate to Home > Integration > General Password Vault

    2. Test command “Fetch Credentials” using the configured connection

    3. In the Hashicorp example, the password data is stored under $.data

    4. Configure Data JSON Path

      • Enter the root path $.data in “Data Json Path”

      • Note: Different password vaults can have different root JSON paths. To identify the root JSON path of a given password vault, test the “Fetch Credentials” command and check the response payload for the JSON path structure.

    5. Construct Mapping

      • Go to the corresponding Integration under Home > Configuration > Integrations

      • Click on Connection Parameters

      • Note down the connection parameters that need to be replaced from the password vault, for example username, password, serverurl

      • JSON keys for the mapping match the connection parameters (username, password)

      • JSON values are the keys under the Data JSON Path ($.username, $.password)

Reader Note

Mapping format: {"key":"value" }

Key is the Connection Parameter.

Value is the third-party JSON source path.
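The following is an added example, not D3 SOAR code: it resolves a mapping of the form described above against a vault response, so you can check a Data JSON Path and mapping offline before saving them. The sample responses, function names and the dotted-path resolver are assumptions made for illustration. The second response shows why the root path matters: HashiCorp Vault's KV version 2 engine nests the secret one level deeper (`$.data.data`) than the `$.data` used in the example on this page.

```python
import json

# Constructed sample responses (not real vault output).
KV_V1_RESPONSE = json.loads("""
{"lease_duration": 2764800,
 "data": {"username": "svc-soar", "password": "example-only",
          "serverurl": "https://edr.example.test"}}
""")
KV_V2_RESPONSE = {"data": {"data": KV_V1_RESPONSE["data"], "metadata": {"version": 3}}}

def walk(doc, path):
    """Resolve a simple dotted JSON path such as $.data or $.username."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with $: {path!r}")
    node = doc
    for key in [p for p in path[1:].split(".") if p]:
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"{path}: no key {key!r} in response")
        node = node[key]
    return node

def resolve_connection_params(response, data_json_path, mapping):
    """Return {connection parameter: value} for a parameter -> path mapping."""
    root = walk(response, data_json_path)  # the Data JSON Path root
    if not isinstance(root, dict):
        raise TypeError(f"{data_json_path} is not a JSON object")
    return {param: walk(root, path) for param, path in mapping.items()}

def redact(params, secret_keys=("password",)):
    """Copy of params that is safe to show in a test log."""
    return {k: ("***" if k in secret_keys else v) for k, v in params.items()}

# Key is the Connection Parameter, value is the path under the root.
MAPPING = {"username": "$.username", "password": "$.password"}

if __name__ == "__main__":
    print(redact(resolve_connection_params(KV_V1_RESPONSE, "$.data", MAPPING)))
    print(redact(resolve_connection_params(KV_V2_RESPONSE, "$.data.data", MAPPING)))
    try:
        # Root one level too shallow for this response: the mapping cannot resolve.
        resolve_connection_params(KV_V2_RESPONSE, "$.data", MAPPING)
    except KeyError as err:
        print("mapping error:", err)
```
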

Set up an Integration Connection

The Integration refers to the intended integration, such as SIEM, Threat Intel or EDR, to be set up in D3 SOAR.

Follow a process similar to setting up a new integration connection (e.g., Cybereason).

Set up Connection:

  1. Enter the Server URL

  2. Select the Password Vault that has been configured

  3. Test Connection to verify the connection is established to the third-party integration (e.g., Cybereason)

Configuring Access Control

Access the connection's user permissions by clicking the share button on the top right of the configurations panel. By default, only the connection creator has viewing and editing privileges and assumes the owner role.

  • Viewers—Viewers have no edit permission, and can only view the connection.

  • Editors—Editors can edit and save the connection.

  • Owners—The owner(s) of the connection can edit and delete, as well as change the permission of the connection.

If there are overlaps in permission levels, the greatest permission level will be granted. For example, if your user is the owner, but your role is a viewer, the owner's permission will take precedence.

Reader Note

There must be at least one owner for each connection. The last owner cannot be deleted or reassigned to viewer or editor.
