
17.6.16

New Features

Service Level Agreement (SLA) Module

An SLA module has been introduced to enable users to define, enforce, and monitor incident response service-level commitments. Users can now configure SLA timers, fine-tune time goals, and set up automatic pre-breach and post-breach playbook workflows.

SLA Rule Configuration Overview

  1. Configure the SLA timer start condition.
    In this example, the SLA timer for the Demo SLA rule starts when an incident is created. The rule, however, applies only if the conditions defined in step 4 are also met.

  2. Configure the SLA timer end condition.
    In this example, the SLA timer for the Demo SLA rule ends when the incident is assigned to a D3 user.

  3. Create an SLA profile.
    An SLA profile limits where an SLA rule can apply by restricting it to incidents from specific sites.

  4. Configure time target for the SLA and optional rule-matching conditions.
    Both the conditions defined here and the SLA timer start condition must be fulfilled for the SLA rule to apply to an incident.

  5. Define SLA trigger points.
    The thresholds configured in this step trigger the automation workflows built in step 6.

  6. Build automated SLA playbook workflows.
    Add task nodes to the relevant SLA playbook trigger branches to automatically execute custom logic when the trigger points configured in step 5 occur.


Within the Runtime Log tab, users can view runtime details of incidents that matched a live SLA rule. These include SLA status, playbook runtimes, actual start and end times, planned end time, and elapsed time against the defined SLA goal.

Incident Dashboard SLA Rule Columns


The Application Settings > Dashboard Columns module now supports the SLA Rule custom column type for the incident dashboard, allowing administrators to display SLA-related metrics. Once configured, these custom columns can be displayed in the corresponding sites within the Investigation Dashboard > Incidents module.

Displaying the Custom Columns

SLA Rule custom columns can be displayed (or hidden) in the same way as other columns.

  1. Navigate to the Investigation Dashboard > Incidents > All Incidents module.

  2. Select the relevant site, then click on the icon.

  3. Select the desired custom column.

  4. Verify that the column is displayed.


OAuth 2 Webhook Authentication


OAuth 2.0 webhook authentication is now supported for more secure execution of D3 commands from external systems. Registering an OAuth application restricts command access to selected sites, users, groups, roles, integrations, and utility commands. The registration process generates a client ID and a one-time client secret, which can be used to obtain a bearer access token with expiration.

View Step-by-Step Guide

  1. Navigate to Configuration > Application Settings > OAuth Application Registration module, then click on the + New Registration button.

  2. Enter an application name, then click on the Next button.

  3. Configure site and principal access.

    a. Select the sites in which the OAuth application is authorized to execute commands.

    b. Select the users, groups, or roles as which the OAuth application is authorized to execute commands.

    c. Click on the Next button.

  4. Configure OAuth access for integrations and utility commands.

    a. Select the integrations in which the OAuth application is authorized to execute commands.

    b. Select the utility commands the OAuth application is authorized to execute.

    c. Click on the Next button.

  5. Review the OAuth application configuration, then click on the Complete button.

  6. Configure token expiration settings and generate OAuth credentials.

    a. Enter the Access Token TTL in minutes.

    b. Enter the Client Secret TTL in days.

    c. Click on the Get Credentials button.

  7. Securely store the OAuth credentials.

    a. Copy the Authorization URL for use in step 8b.

    b. Expand the Sample Request Body section.

    c. Copy the template object for use in step 8e.

    d. Copy the Client ID for use in step 8e.

    e. Copy the Client Secret for use in step 8e.

    f. Tick the confirmation checkbox.

    g. Click on the Done button.

  8. Send a request to generate an OAuth access token.

    a. Select the POST method.

    b. Enter the Authorization URL obtained from step 7a.

    c. Click on the Body tab.

    d. Select the JSON format.

    e. Enter the client ID and client secret copied in step 7d and step 7e.

    f. Click on the Send button.

  9. Retrieve the OAuth access token.

    a. Copy the access_token value returned in the response body.

    b. Click on the Auth tab.

  10. Configure the request authorization using the OAuth access token.

    a. Select Bearer Token from the Auth Type dropdown.

    b. Paste the access_token value from step 9a into the Token field.

  11. Navigate to the desired command, then retrieve the command request details.

    a. Click on Set up Instructions under the Webhook Authentication > OAuth 2.0 section.

    b. Copy the request URL for use in step 12a.

    c. Copy the request payload for use in step 12b.

  12. Execute the command using the OAuth access token.

    a. Paste the request URL from step 11b.

    b. Paste the request payload from step 11c, then modify the values as required.

    c. Click on the Send button to execute the command and receive the output data.
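
Steps 8 to 12 scripted for an external system rather than a GUI API client, as an added example that is not D3's own code. The two URLs are placeholders for the values copied in steps 7a and 11b, the token request body is whatever template object was copied in step 7 with the client ID and secret filled in, and the class name is hypothetical; only the access_token response field named on this page is relied on, with expiry tracked locally from the Access Token TTL set in step 6.

```python
import json
import time
import urllib.request

# Placeholders (assumptions): substitute the URLs copied in steps 7a and 11b.
AUTH_URL = "https://d3.example.invalid/oauth/token"
COMMAND_URL = "https://d3.example.invalid/command"

def http_post_json(url, body, headers=None):
    """POST a JSON body over HTTPS and return the decoded JSON response."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class D3WebhookClient:
    """Hypothetical helper: fetches a bearer token and reuses it until near expiry."""

    def __init__(self, token_body, ttl_minutes, post=http_post_json,
                 clock=time.monotonic):
        self._token_body = token_body   # step 7 template with client ID/secret filled in
        self._ttl = ttl_minutes * 60    # Access Token TTL configured in step 6
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def _access_token(self):
        # Steps 8-9: request a new token only when none is cached or the
        # cached one is within 60 seconds of its configured TTL.
        if self._token is None or self._clock() >= self._expires_at - 60:
            response = self._post(AUTH_URL, self._token_body)
            self._token = response["access_token"]
            self._expires_at = self._clock() + self._ttl
        return self._token

    def run_command(self, payload):
        # Steps 10 and 12: send the command payload with the bearer token.
        headers = {"Authorization": "Bearer " + self._access_token()}
        return self._post(COMMAND_URL, payload, headers)
```

Load the token request body from a secrets store or protected environment at runtime rather than embedding the client secret in source, and keep the token itself out of logs.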

Enhancements

D3 Forms Module

The Forms configuration under Advanced Settings > E-Alert is now also available through a dedicated module called D3 Forms. This means that for a corresponding form within the form portal, users will see the sections and form fields configured from the D3 Forms module. All other E-Alert settings remain configured under Advanced Settings > E-Alert.

Rendering the D3 Forms Module

The D3 Forms module requires a specific role-based permission to render.

  1. Navigate to the Configuration > Organization Management > Roles page.

  2. Select the relevant role.

  3. Tick the D3 Forms checkbox under the Configuration Modules section, then click Save.

REMINDER

After an E-Alert form submission, information from all non-attachment form fields appears in the Description widget of the associated incident workspace.

Integrations

New Integrations

The following integrations have been added to this release of D3 SOAR.

Integration Name

Description

Cyberhaven

Cyberhaven is a data loss prevention platform that monitors and protects sensitive data by tracking its movement across endpoints, applications, and cloud services.

Updated Integrations

The following integrations have been updated in this release of D3 SOAR.

Integration Name

Changes

Atlassian Confluence Cloud

New Command:

  • Get Content By ID: Retrieves Confluence pages, blog posts, comments, and attachment content by IDs.

Logpoint Director

New Command:

  • Update Incidents: Updates incidents in the LogPoint Director platform by applying actions such as close, comment, reassign, reopen, or resolve.

Enhanced Command:

  • Fetch Incident: Retrieves incidents from the LogPoint Director platform based on specified criteria.

Microsoft Defender XDR

New Command:

  • Advanced Hunting V2: Uses advanced-hunting queries to examine up to 30 days of Microsoft Defender XDR event data across multiple Defender products to identify unusual activity, detect potential threats, and support response actions. Advanced Hunting V2 queries advanced hunting tables across more Microsoft Defender XDR products than the original Advanced Hunting command.
