How Next-Generation SOAR Integrates with SIEMs

Reports of the death of the SIEM have been greatly exaggerated. Despite all the noise around XDR platforms, EDR tools, and other newer solutions, a SIEM is still the linchpin of most enterprise and MSSP SOCs. While next-generation SOAR tools like D3 NextGen SOAR work just as well alongside other tools, any SOAR tool worth its salt should integrate flawlessly with your SIEM.

That doesn’t mean just offering a few basic integrations. Fully meeting customers’ SIEM integration needs requires:

  • Integrating well with every SIEM you might use
  • Feature-rich, bidirectional integrations
  • Integrating with cloud SIEMs as well as on-premise SIEMs
  • Supporting multi-SIEM environments
  • Supporting MSSP as well as enterprise use cases
  • An effective process for triaging and responding to SIEM events once they are ingested

Thanks to our powerful technology and status as an independent vendor, D3 can meet all of these criteria for our customers. In this blog, we’ll look at our major SIEM integrations and explain how innovations like the D3 Event Pipeline transform what SOC teams can do with a SIEM-SOAR integration.

And don’t forget to come see us at RSA Conference 2022, from June 6-9. Our product experts will be showing off our latest release, answering any questions you might have about SOAR, and of course handing out great swag. You can find the D3 Security team at Booth 5466 in the North Hall.

With What SIEMs does D3 NextGen SOAR Integrate?

The D3 NextGen SOAR tool offers out-of-the-box codeless integrations with every major SIEM, as well as some that are less well known. We’re confident that we have the SIEM integration that you need, and if we don’t, we can easily create a custom connector for you. Here’s a non-exhaustive list of our SIEM integrations, along with some brief descriptions of a few of the most important ones.

Splunk Enterprise Security

D3’s integration with Splunk boasts more than a dozen actions. These include the basics of course, such as ingesting events and querying Splunk for information, however there are also advanced actions like managing Splunk’s repository of threat intelligence from D3’s playbooks.

Read more about D3’s integration with Splunk.

IBM Security QRadar SIEM

D3 has a deep integration with QRadar that has more than 20 actions. This integration is truly bidirectional, allowing D3 users to update the status of offenses in QRadar by adding elements and notes, closing offenses, and managing reference sets.

Read more about D3’s IBM integrations.

McAfee ESM

D3’s integration with McAfee enables more than 20 automated actions. In addition to querying McAfee logs and ingesting alarms, users can manage their McAfee watchlists from the D3 interface.

Read more about D3’s integrations with McAfee tools.

Microsoft Azure Sentinel

D3 is a member of the Microsoft Intelligent Security Association (MISA) on the strength of our integrations with tools like Azure Sentinel. D3 ingests alerts from Azure Sentinel and can query information from the platform in various forms. Users can also update incident comments and statuses from D3 playbooks.

Read more about D3’s Microsoft integrations.

D3 NextGen SOAR Integrations with SIEM

Our integrations include, but aren’t limited to, the following SIEM tools (and tools that some organizations use instead of a SIEM):

What Differentiates D3’s SIEM Integrations?

It’s not enough to just integrate with a bunch of SIEMs. Beyond our feature-rich integrations, D3 can support a variety of SIEM-centric environments. Like many security tools, SIEMs are increasingly moving to the cloud. D3 is able to support both cloud and on-premise SIEMs equally well, including in the same organization. Users can ingest alerts from the cloud and then orchestrate a response across on-premise systems, or vice versa.

D3 NextGen SOAR also helps customers simplify security in multi-SIEM environments. Instead of monitoring separate tools, everything can feed into D3 for triage, enrichment, and response.

For MSSPs, D3 Security supports seamless multi-tenancy. An MSSP can connect its SIEM, or its clients’ SIEMs, to D3 NextGen SOAR while maintaining complete segregation between each client’s data, playbooks, and tools. Instead of having to master every SIEM that your clients use, you can run your operations through D3, and simply switch between different sites in the SOAR interface.

How Does Next-Generation SOAR Handle SIEM Alerts?

Since before the name SOAR was even coined, SOAR tools were used to ingest notable SIEM alerts, enrich them with additional intelligence, and orchestrate incident response playbooks to resolve any threats. This sequence still broadly occurs, but a next-gen solution like D3 offers significant twists on this proven formula.

First, D3 runs all incoming SIEM alerts through its Event Pipeline, which is an automated global event playbook. The Event Pipeline normalizes, deduplicates, and triages incoming alerts, such that it can filter out 90% or more of alerts before they require any human attention. Your team will no longer have to waste time on false positives, benign alerts, and other noise. Instead of trying to fine-tune SIEM rules, which runs the risk of missing risky events completely, security teams have great success relying on D3’s Event Pipeline as their primary filter.

To name just one more way that next-gen SOAR solutions differ from their predecessors, let’s look at codeless playbooks. In the past, building, testing, and editing playbooks to remediate SIEM alerts required extensive coding—or more often than not, expensive professional services. With platforms like D3 NextGen SOAR, that’s no longer the case. Users can simply drag and drop playbook actions together, including complex automation. Integrations work the same way, making it easy to add or swap a tool in a workflow. Codeless playbooks keep your security team focused on security, instead of expecting them to moonlight as software developers.

Come See D3 Security at RSA Conference 2022

Whatever your security needs are, we hope you’ll come connect with us in San Francisco at the 2022 RSA Conference. RSA is the premier cyber security conference of 2022, and we’re excited to be back for another year. We’ll be at Booth 5466 in the North Hall of the Moscone Center. Follow this link to get a free Expo Pass, courtesy of D3 Security.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.