SOAR Incident Response
D3 SOAR provides a centralized workspace for you to:
Integrate with third-party tools to ingest data into the system
Apply data-driven decisions on the Events, Incidents, and other cyber-related risks
Build and orchestrate Incident Response plans
This document covers the Incident Response Life Cycle as it appears in D3 SOAR. For details on integration and data configuration, please refer to the Integration, Event Playbooks and Incident Playbooks documents.
Event Intake and Auto Data Enrichment
All potential threats will first undergo an event intake and data enrichment stage in D3 SOAR.
D3 supports event ingestion from various Integration Sources (e.g. SIEMs, Endpoint Detection & Protection, Threat Intelligence, Network Security and ITSM). After ingesting Events into the system, you can triage, investigate, and take action on security events for your organization in a centralized location.
During the event ingestion process, Artifacts are extracted and auto-enriched via data enrichment tools (e.g. VirusTotal, Webroot, URLScan.io, McAfee TIE). The later sections of this document cover how these Artifacts surface and the actions you can perform on them.
Examples of extracted Artifacts: Email Addresses, External IPs, URLs, Files, and Email Headers.
MITRE ATT&CK and D3 Security
MITRE ATT&CK is a commonly used cybersecurity framework and is fully embedded into D3 SOAR so that you have an enterprise-level vision of Events, Incidents, and other cyber-related risks. You can then leverage the information collected to orchestrate and automate Incident Playbooks.
The integration with MITRE ATT&CK begins with the ingestion of Tactic and Technique information when events and incidents are ingested into the system. These tactics and techniques are detected and marked based on rules and workflows configured within the platform. D3 SOAR can mark Tactics and Techniques for events based on user-configured criteria, or they can be marked manually by the user. D3 SOAR can also ingest tactics and techniques identified by third-party tools.
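The two stages described above, Artifact extraction during intake and criteria-based ATT&CK marking, as an added illustration that is not D3 SOAR's own code: it pulls the listed Artifact types out of a constructed email event, keeps only IPs outside the internal ranges as "External IPs", and applies hypothetical user-configured criteria (not D3's rule format) to mark a tactic/technique pair.

```python
import re
import ipaddress

# Constructed sample event; values are made up for this example.
# 203.0.113.45 is a documentation-range address standing in for an external relay.
SAMPLE_EVENT = {
    "subject": "Invoice overdue",
    "sender": "billing@example-partner.com",
    "body": "Please review http://files.example.net/inv.zip before 5pm. "
            "Mail relayed via 10.0.0.12 then 203.0.113.45.",
    "attachment_sha256": "0123456789abcdef" * 4,   # constructed, not a real file hash
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Addresses in these ranges are treated as internal and never surfaced as External IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_artifacts(event):
    """Return the Artifact types listed in the document, found across all event fields."""
    text = " ".join(str(v) for v in event.values())
    artifacts = {"emails": set(EMAIL_RE.findall(text)),
                 "urls": set(URL_RE.findall(text)),
                 "files": set(SHA256_RE.findall(text)),
                 "external_ips": set()}
    for ip in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # e.g. 999.1.1.1 matched the loose regex
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            artifacts["external_ips"].add(ip)
    return artifacts

# Hypothetical user-configured criteria: a condition over the extracted Artifacts
# maps to a MITRE ATT&CK tactic and technique ID.
CRITERIA = [
    ("Initial Access", "T1566.001",                      # Phishing: Spearphishing Attachment
     lambda a: bool(a["files"]) and bool(a["emails"])),
    ("Initial Access", "T1566.002",                      # Phishing: Spearphishing Link
     lambda a: bool(a["urls"]) and bool(a["emails"])),
]

def mark_attack(artifacts):
    """Mark every (tactic, technique) whose criterion holds for these Artifacts."""
    return [(tactic, tech) for tactic, tech, cond in CRITERIA if cond(artifacts)]
```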