Last updated: Mar 26, 2025
Overview
Multi-tenancy allows a single master source to share content with multiple tenant destinations. This model consists of one master instance and one or more tenant instances. The master instance acts as the source of shared data, while tenant instances receive the shared content. This relationship is one-way. Only the master instance can distribute data to tenant instances, and tenant instances cannot edit or delete shared items.
READER NOTE
A tenant instance functions like a standard instance of D3. However, certain capabilities are limited due to the multi-tenancy relationship:
- Tenant instances cannot make edits to any shared content from the master instance
- Tenant instances cannot create their own sites: the master instance creates sites for each specific tenant
- Tenant instances cannot request updates from the master instance
Tenant Onboarding
To establish a connection between the master and tenant instances, users must first onboard the tenant in the master instance.
Instance Registration
In Tenant Instance
1. Navigate to the Master Instance Registration page, then generate a new one-time key.
   a. Click on the Configuration navigational bar.
   b. Click on the Application Settings module.
   c. Click on the Master Instance Registration setting.
   d. Click on the Generate New Key button.
2. Copy this one-time key and pass it securely to the administrator overseeing the Master instance.
   a. Click on the Generate New Key button in the popup.
   b. Click on the Copy button, then store it in a secure location for the Master instance administrator.
   c. Click on the Add button.
In Master Instance
1. Register and initiate the tenant within the Tenant Management page.
   a. Click on the Configuration navigational bar.
   b. Click on the Tenant Management module.
   c. Click on the + Add Tenant button.
   d. Enter the tenant instance’s vSOC login URL.
   e. Enter the one-time key obtained from step 2b in the Tenant Instance section.
   f. Click on the Register and Initiate button.
RESULT
The tenant instance is now connected to the master instance.
Instance Initialization
Once a successful connection is established between a master and tenant instance, each of the instances will perform the following initialization procedures:
In Tenant Instance
Navigate to Configuration > Master Instance Details to view information about the master instance, including the URL, IP address, and connection status.
- A new connection named Master will be created under Built-in Integrations. This connection is view-only.
- User, Group, and Role information will be received from the master instance.
- The corresponding Region D3 Agent will be automatically synchronized.
In Master Instance
Navigate to Configuration > Tenant Management to view information about the new tenant instance, including the URL, IP address, and connection status.
- A new connection named after the tenant instance will be created under D3 Integration.
- All User, Group, and Role data in the tenant instance will be cleared.
- User, Group, and Role information from the master instance will be pushed to the tenant.
- The corresponding Region D3 Agent will be automatically synchronized.
Master Instance
The master instance includes features for managing, creating, and sharing data across tenant instances:
View as Tenant Instance
The master instance can access any of its associated tenant instances.
To navigate to a tenant instance
- Click on the instance dropdown positioned off-center to the right.
- Select the tenant instance.
RESULT
The system opens the tenant instance in a new window.
READER NOTE
Click the (i) button next to the dropdown to view information about the current instance.
Tenant Management
View connected tenant information in the Tenant Management module under Configuration > Tenant Management. In this module, users can perform the following actions:
- Add a new Tenant
- View Tenant Information
  - Tenant Details
  - Tenant Sites
Adding a New Tenant
See the Instance Registration section.
Viewing Tenant Information
Tenant Details
Tenants are grouped by region and displayed in a table view. Users can view tenant information, including:
- ID
- Name
- URL
- IP Address
- Connection
- Connection Status
- Initialization Status
Tenant Sites
The tenant sites are displayed in a table view, which includes the following columns:
| Column Name | Description |
|---|---|
| Tenant Site Name | Name of the tenant instance's site. |
| Active | Status of the site (active or inactive). |
| Sync Status | Results of the latest synchronization action (successful or failed). |
| Last Synced Date | Date of the last synchronization action. |
To activate or deactivate a tenant site
MSSPs can purge and manage client data during offboarding. Select a site checkbox, then click Disable.
The site's status is indicated in the Status column, which can display two possible values: Successful and Failed. In case the action fails, an information icon will appear, and hovering over it will provide details about the failure. When a site is successfully deactivated, this site will be removed from the tenant instance.
| State | Description |
|---|---|
| Successful | Site activation was successful. |
| Successful | Site deactivation was successful. |
| Failed ⓘ | Site deactivation failed. Hover over the information icon to view error messages. |
| Failed ⓘ | Site activation failed. Hover over the information icon to view error messages. |
Shared Content Management
In the master instance, users can share content with all tenant instances. Shared content is view-only from the tenant perspective. Tenants can use shared content but cannot edit or delete it. The Shared Content module is located under Configuration > Tenant Management. Nine content types are available for sharing and are described in the following sections.
- Event Playbooks
- Incident Playbooks
- Integrations
- Utility Commands
- Connections
- Global Lists
- Event Automation Rules
- Incident Forms
- Users / Groups / Roles
After content is shared, the Shared to Tenants column in the content list displays the overall share status across all tenants. Three status states are available.
| State | Description |
|---|---|
| Successful | The content is successfully shared to all tenants. |
| Sharing | The content is currently being shared with all tenants. |
| Incomplete | The content is not fully shared to all tenants. Depending on the content type, there are multiple reasons that a piece of content might fail to share. In general, there are a few reasons that may cause the sharing to fail: There is a new version of the content and it is outdated on some of the tenant sites. |
| Not Shared | The content has not been shared yet. |
If shared content displays the Incomplete status, users can identify the affected tenant in the sharing log. In most cases, the status changes to Incomplete when related data or configurations are modified, causing the shared content to become outdated. Some content types, including incident playbooks, connections, global lists, and event automation rules, contain site-specific data. For these content types, the sharing log provides a detailed breakdown of the sites that caused sharing failures.
To view sharing log details
In this example, one of the incident playbooks "Email Protection - Phishing Playbook" failed to share with all tenants.
- Navigate to Configuration > Tenant Management > Shared Content > Incident Playbooks.
- Click on the content that has an Incomplete share status.
- In the right-side panel, the X icon identifies the tenant responsible for the failed sharing operation.
- Hover over (?) next to the X icon. The tooltip will display the summary message explaining the cause of this error.
- Because incident playbooks contain site-specific data, users can also view a detailed breakdown of the sites within the tenant that caused the sharing error.
  - Click on the tenant with a failed status.
RESULT
The pop-up window will display all the sites that failed to receive this item.
To share/reshare content
In this example, we will share a few selected incident playbooks to all tenants. The same steps apply to resharing content.
- Navigate to Configuration > Tenant Management > Shared Content > Incident Playbooks.
- Select the content to share or reshare.
- Click on the Share button.
RESULT
The selected content will be shared to all tenants. Once sharing is complete, the status will become Successful or Incomplete.
READER NOTE
Tenants can identify content that was shared with the Shared tag.
Content Types
The following content types support tenant instance setup and management.
| Content Type | Description |
|---|---|
| Event Playbooks | Event playbooks are pre-determined workflows that are applied to events at different stages of their life cycle. For an event playbook to be eligible to share, it must be submitted at least once. In other words, the event playbook must have at least one live version. The newest version of the playbook will be shared, along with specific content pieces that the playbook uses: |
| Incident Playbooks | Incident playbooks are similar to event playbooks, but applied to incidents instead. One key difference is that incident playbooks require the playbook to be Published in addition to being live. Therefore, when an incident playbook is shared to tenants, it will also be automatically published to all of the tenants’ sites. If any of the sites are inactive, it will return an error and cause the playbook to be Incomplete. The newest version of the playbook will be shared, along with specific content pieces that the playbook uses: |
| Integrations | Integrations connect D3 to various third-party systems in order to exchange data. The following integration information will be shared: Only custom integrations or configured built-in integrations can be shared. Note that connection data will not be shared, as it is managed in the Connections section. |
| Utility Commands | Utility commands are built-in commands used to manipulate data. All custom utility commands are shared automatically. Similar to playbooks, only commands with at least one live version can be shared. When a new command version is submitted, associated playbooks are updated automatically. |
| Connections | Connections are saved credentials used to connect to different third-party systems. Only connections that have the Tenant toggle activated can be shared. After enabling the toggle, users can define the applicable region, tenant, and tenant site. When tenant configurations overlap between connections, the more specific configuration takes precedence. For example, a connection assigned to a specific tenant site overrides a connection assigned to all tenant sites. Connections also support duplicate names through custom properties. This allows different sites to use unique credentials while referencing the same connection name in playbooks. During playbook execution, the system automatically checks for a valid connection with the matching name at the site level. |
| Global List | Global lists are lists that store reusable data across the system in JSON format. All data related to a global list will be shared, including its Active status. However, site permission data will not apply – the global list will be accessible by all sites within a tenant. |
| Event Automation Rules | Event automation rules automate event escalation and dismissal based on predefined criteria. Only rules with the Shared by default toggle enabled can be shared with tenants. All automation rule data, including Active status, is shared. Site permissions are not included, and the automation rule becomes accessible to all tenant sites. |
| Incident Forms | Incident forms are user-defined sections within the incident workspace; each form belongs to a specific incident type. All incident types and their forms can be shared to tenants. All tenant sites will be able to access the shared incident forms. |
| Users / Groups / Roles | The Users / Groups / Roles configuration in the master instance will be automatically shared to tenants when a tenant instance is initialized. Users can reshare updated configurations to all tenants. |
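The precedence rule described for Connections, sketched as an added example (not D3's own code). The `Connection` class, the `resolve` function, the use of `None` for "all", the strict region > tenant > site hierarchy, and the sample names and credentials are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Connection:
    name: str
    secret_ref: str                # placeholder for the stored credential
    region: Optional[str] = None   # None = applies to all (assumed encoding)
    tenant: Optional[str] = None
    site: Optional[str] = None

    def __post_init__(self):
        # Assumed hierarchy: a site scope needs a tenant, a tenant scope needs a region.
        if (self.site and not self.tenant) or (self.tenant and not self.region):
            raise ValueError(f"{self.name}: scope skips a level")

    def matches(self, region, tenant, site):
        pairs = ((self.region, region), (self.tenant, tenant), (self.site, site))
        return all(want is None or want == got for want, got in pairs)

    def specificity(self):
        return sum(v is not None for v in (self.region, self.tenant, self.site))

def resolve(connections, name, region, tenant, site):
    """Return the most specific connection called `name` for this site, or None."""
    candidates = [c for c in connections
                  if c.name == name and c.matches(region, tenant, site)]
    if not candidates:
        return None  # fail closed: never borrow another tenant's credential
    top = max(c.specificity() for c in candidates)
    winners = [c for c in candidates if c.specificity() == top]
    if len(winners) > 1:
        raise ValueError(f"ambiguous scope for {name!r} at {tenant}/{site}")
    return winners[0]

# Constructed sample data; "Email Gateway" and the secret_ref values are made up.
SAMPLE = [
    Connection("Email Gateway", "cred-all-sites", "AMER", "AMER Tenant"),
    Connection("Email Gateway", "cred-secops", "AMER", "AMER Tenant", "Security Operations"),
    Connection("Email Gateway", "cred-other", "AMER", "Other Tenant"),
]

if __name__ == "__main__":
    for site in ("Security Operations", "Help Desk"):
        hit = resolve(SAMPLE, "Email Gateway", "AMER", "AMER Tenant", site)
        print(site, "->", hit.secret_ref)
```

Returning nothing when no scope matches, and raising on two equally specific matches, keeps a playbook from silently running with a credential that belongs to a different tenant.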
Playbook: Testing with Tenant Connections
All playbooks in D3 support testing with sample data. In the master instance, users can also test playbooks using tenant connection data to verify workflow behavior across tenant site instances.
To test with tenant connections in an event playbook
- Click on the Test Playbook button.
- Build the test data as a standard preprocessing (event) playbook.
- Enable the Test the event playbook in a Tenant environment toggle.
- Select the Tenant Region, Tenant Name, and Tenant Site.
  Example: AMER, AMER Tenant, Security Operations
- Click on the Run Test button.
RESULT
The event playbook will be tested with the specified site’s connection information.
To test in Incident Playbook
- Click on the Test Playbook button.
- Choose an incident to serve as sample data.
- Enable the Test the event playbook in a Tenant environment toggle.
- Select the Tenant Region, Tenant Name, and Tenant Site.
  Example: AMER, AMER Tenant, Security Operations
- Click on the Run Test button.
RESULT
The incident playbook will be tested with the specified site’s connection information.
Multi-tenancy Utility Commands
| User Onboarding/Offboarding | Tenant Onboarding/Offboarding | System Import/Explore |
|---|---|---|
| CreateUser | CreateTenantSite | CreateSite |
| DeleteUser | CreateOrUpdateConnectionByClone | ImportPlaybookFromXML |
| InactiveUser | SyncConnection | ImportIntegrationFromXML |
| SyncAllUserGroupRole | SyncEventAutomationRule | ImportCommandFromXML |
| | PublishMasterPlaybookToAllSite | ImportEventAutomationRule |
| | ShareMasterGlobalList | ImportConnection |
| | Create Tenant Data Ingestion Schedule | ImportEventAutomationRule |
| | Update Tenant Site Status | CreateGlobalList |
| | | PublishMasterPlaybookToAllSite |
| | | ShareMasterGlobalList |