How D3 Uses the MITRE ATT&CK Framework for Intelligent Correlation (VIDEO)

By Walker Banerd, April 17, 2019

D3 SOAR is making the transition from event-based response to intent-based response. This means that D3 users will be able to see every security event in the context of adversarial intent, by correlating events with other traces of the same attack. This allows security teams to take a more proactive approach than they can with the event-based model, where every event is treated in isolation.

D3 does this by stripping the indicators of compromise out of the event, identifying what attack techniques are being used, and then searching across the MITRE ATT&CK framework for related events. Our new video gives you a dynamic overview of how this process works.


As you can see from watching the video, these new capabilities have the potential to be of huge value for D3 users, which raises the question: why isn’t anyone else doing this? The answer is structured data. D3’s architecture, built on more than a decade of providing incident and case management solutions, is unlike that of any other SOAR platform. One of the differences is the way that D3 structures the data that comes in from a SIEM or other alert source. Other SOAR platforms generally just take all the contextual data from an event and put it in a single text field. Analysts can then go in and sort through it themselves. D3 maps the data from the alert source into equivalent fields in the user interface, so that the analyst can immediately see the IP addresses, URLs, user IDs, and other associated information, all separated out properly. These fields are completely customizable, so they can be matched to the information captured by the alert source.

Structured data also enables D3’s MITRE ATT&CK discovery feature, because D3 already separates out and identifies IOCs. So correlating those IOCs against MITRE techniques and other events is as simple as entering them into a “kill chain discovery” search. But don’t worry, all of this happens below the surface. All you have to do is press a single button, and D3 takes care of the rest. In fact, D3 will even start the process automatically when an event is deemed to be critical.
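The three steps the post describes (separate an alert's IOCs into typed fields, tag the alert with the ATT&CK technique its detection rule implies, then link alerts that share indicators into one kill chain) can be sketched in a few dozen lines. The script below is an added illustration, not D3's code: the sample alerts are constructed, the rule-to-technique table is a hypothetical mapping (the technique IDs themselves are real ATT&CK IDs), and `structure_alert` and `correlate` are names chosen here.

```python
"""Structured IOC extraction and ATT&CK-tagged correlation of alerts.

Added example, not D3's code. All sample data below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample alerts in the shape a SIEM might forward: a free-text
# message plus whatever fields the source already separates out.
SAMPLE_ALERTS = [
    {"id": "A-1", "source": "email-gateway", "rule": "phishing", "user": "jsmith",
     "message": "Phishing mail from badguy@example.net with link http://malicious.example/login"},
    {"id": "A-2", "source": "edr", "rule": "suspicious_powershell", "user": "jsmith",
     "message": "powershell.exe spawned by outlook.exe on WS-042, connecting to 203.0.113.45"},
    {"id": "A-3", "source": "firewall", "rule": "outbound_c2",
     "message": "Outbound connection 10.0.0.23 -> 203.0.113.45:443 flagged by reputation feed"},
    {"id": "A-4", "source": "edr", "rule": "unsigned_binary",
     "message": "Unsigned updater.exe on WS-077 contacted 198.51.100.7"},
]

# Hypothetical mapping from detection-rule names to ATT&CK technique IDs.
# In practice the mapping ships with the detection content itself.
RULE_TO_TECHNIQUE = {
    "phishing": "T1566",               # Phishing
    "suspicious_powershell": "T1059",  # Command and Scripting Interpreter
    "outbound_c2": "T1071",            # Application Layer Protocol
}

# Simple extractors that turn the free-text blob into typed IOC fields.
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s,]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def structure_alert(alert: dict) -> dict:
    """Split one raw alert into typed IOC fields and tag it with a technique."""
    fields: Dict[str, Set[str]] = {
        name: set(pattern.findall(alert["message"]))
        for name, pattern in IOC_PATTERNS.items()
    }
    if "user" in alert:                      # field already separated by the source
        fields["user"] = {alert["user"]}
    return {
        "id": alert["id"],
        "source": alert["source"],
        "iocs": fields,
        "technique": RULE_TO_TECHNIQUE.get(alert["rule"]),  # None if unmapped
    }


def correlate(structured: List[dict]) -> List[dict]:
    """Group alerts that share at least one IOC value, transitively.

    Returns one cluster per connected group with its alert IDs, the set of
    ATT&CK techniques seen in it, and the IOCs that tied the alerts together.
    """
    by_ioc: Dict[tuple, Set[str]] = defaultdict(set)
    for s in structured:
        for kind, values in s["iocs"].items():
            for value in values:
                by_ioc[(kind, value)].add(s["id"])

    # Union-find over alert IDs: every shared IOC merges the alerts it appears in.
    parent = {s["id"]: s["id"] for s in structured}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in by_ioc.values():
        ordered = sorted(ids)
        for other in ordered[1:]:
            parent[find(other)] = find(ordered[0])

    groups: Dict[str, List[dict]] = defaultdict(list)
    for s in structured:
        groups[find(s["id"])].append(s)

    clusters = []
    for members in groups.values():
        member_ids = {m["id"] for m in members}
        shared = sorted(
            f"{kind}={value}"
            for (kind, value), ids in by_ioc.items()
            if len(ids & member_ids) > 1
        )
        techniques = sorted({m["technique"] for m in members if m["technique"]})
        clusters.append({"alerts": sorted(member_ids), "techniques": techniques, "shared_iocs": shared})
    return sorted(clusters, key=lambda c: c["alerts"])


if __name__ == "__main__":
    for cluster in correlate([structure_alert(a) for a in SAMPLE_ALERTS]):
        print(cluster)
```

On the constructed input, A-1 and A-2 are linked by the user ID and A-2 and A-3 by the external address, so the first cluster carries T1566, T1059 and T1071 in one chain, while A-4 (an unmapped rule with no shared indicator) stays isolated. A production version would weight indicator types and bound the time window, since a shared internal address or user account alone can tie unrelated activity together.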

You can learn more about intent-based response in our SOAR 2.0 Whitepaper.

Walker Banerd

Walker is the Communications Manager at D3. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.

