Reports of the death of the SIEM have been greatly exaggerated. Despite all the noise around XDR platforms, EDR tools, and other newer solutions, a SIEM is still the linchpin of most enterprise and MSSP SOCs. While next-generation SOAR tools like D3 Smart SOAR work just as well alongside other tools, any SOAR tool worth its salt should integrate flawlessly with your SIEM.
That doesn’t mean just offering a few basic integrations. Fully meeting customers’ SIEM integration needs requires:
- Integrating well with every SIEM you might use
- Feature-rich, bidirectional integrations
- Integrating with cloud SIEMs as well as on-premise SIEMs
- Supporting multi-SIEM environments
- Supporting MSSP as well as enterprise use cases
- An effective process for triaging and responding to SIEM events once they are ingested
Thanks to our powerful technology and status as an independent vendor, D3 can meet all of these criteria for our customers. In this blog, we’ll look at our major SIEM integrations and explain how innovations like the D3 Event Pipeline transform what SOC teams can do with a SIEM-SOAR integration.
Which SIEMs Does D3 Smart SOAR Integrate With?
The D3 Smart SOAR tool offers out-of-the-box codeless integrations with every major SIEM, as well as some that are less well known. We’re confident that we have the SIEM integration that you need, and if we don’t, we can easily create a custom connector for you. Here’s a non-exhaustive list of our SIEM integrations, along with some brief descriptions of a few of the most important ones.
Splunk Enterprise Security
D3’s integration with Splunk boasts more than a dozen actions. These include the basics, of course, such as ingesting events and querying Splunk for information, but there are also advanced actions like managing Splunk’s repository of threat intelligence from D3’s playbooks.
Read more about D3’s integration with Splunk.
IBM Security QRadar SIEM
D3 has a deep integration with QRadar that has more than 20 actions. This integration is truly bidirectional, allowing D3 users to update the status of offenses in QRadar by adding elements and notes, closing offenses, and managing reference sets.
Read more about D3’s IBM integrations.
McAfee ESM
D3’s integration with McAfee enables more than 20 automated actions. In addition to querying McAfee logs and ingesting alarms, users can manage their McAfee watchlists from the D3 interface.
Read more about D3’s integrations with McAfee tools.
Microsoft Azure Sentinel
D3 is a member of the Microsoft Intelligent Security Association (MISA) on the strength of our integrations with tools like Azure Sentinel. D3 ingests alerts from Azure Sentinel and can query information from the platform in various forms. Users can also update incident comments and statuses from D3 playbooks.
Read more about D3’s Microsoft integrations.
D3 Smart SOAR Integrations with SIEM
Our integrations include, but aren’t limited to, the following SIEM tools (and tools that some organizations use instead of a SIEM):
- Datadog
- FireEye Helix
- FortiSIEM
- Google Chronicle
- LogRhythm
- Micro Focus ArcSight ESM
- Rapid7 InsightIDR
- RSA NetWitness
- SumoLogic
What Differentiates D3’s SIEM Integrations?
It’s not enough to just integrate with a bunch of SIEMs. Beyond our feature-rich integrations, D3 can support a variety of SIEM-centric environments. Like many security tools, SIEMs are increasingly moving to the cloud. D3 is able to support both cloud and on-premise SIEMs equally well, including in the same organization. Users can ingest alerts from the cloud and then orchestrate a response across on-premise systems, or vice versa.
D3 Smart SOAR also helps customers simplify security in multi-SIEM environments. Instead of monitoring separate tools, everything can feed into D3 for triage, enrichment, and response.
For MSSPs, D3 Security supports seamless multi-tenancy. An MSSP can connect its SIEM, or its clients’ SIEMs, to D3 Smart SOAR while maintaining complete segregation between each client’s data, playbooks, and tools. Instead of having to master every SIEM that your clients use, you can run your operations through D3, and simply switch between different sites in the SOAR interface.
How Does Smart SOAR Handle SIEM Alerts?
Since before the name SOAR was even coined, SOAR tools were used to ingest notable SIEM alerts, enrich them with additional intelligence, and orchestrate incident response playbooks to resolve any threats. This sequence still broadly occurs, but a next-gen solution like D3 offers significant twists on this proven formula.
First, D3 runs all incoming SIEM alerts through its Event Pipeline, which is an automated global event playbook. The Event Pipeline normalizes, deduplicates, and triages incoming alerts, and can filter out 90% or more of alerts before they require any human attention. Your team will no longer have to waste time on false positives, benign alerts, and other noise. Instead of trying to fine-tune SIEM rules, which risks missing genuine threats entirely, security teams have great success relying on D3’s Event Pipeline as their primary filter.
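As an added illustration (not D3’s code and not how its Event Pipeline is implemented), here is a minimal normalize / deduplicate / triage sequence run over constructed alerts from three differently shaped SIEM feeds; the field names, the severity mapping, and the 300-second dedup window are assumptions. Deduplication keeps a count of collapsed repeats rather than discarding them, so the filtering step never hides how often a rule fired.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample alerts, loosely shaped like three SIEMs' raw output; the field
# names are illustrative and not the exact Splunk, QRadar or Sentinel schemas.
RAW_ALERTS = [
    {"source": "splunk", "rule_name": "Brute Force Login", "src_ip": "10.0.0.5", "severity": "high", "_time": 1700000000},
    {"source": "qradar", "offense_type": "Brute Force Login", "offense_source": "10.0.0.5", "magnitude": 8, "start_time": 1700000030},
    {"source": "sentinel", "AlertName": "Brute Force Login", "Entities": {"ip": "10.0.0.5"}, "Severity": "High", "TimeGenerated": 1700000600},
    {"source": "splunk", "rule_name": "Scheduled Task Created", "src_ip": "10.0.0.9", "severity": "informational", "_time": 1700000100},
]
SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Alert:
    title: str
    entity: str
    severity: int                       # 0 = informational ... 3 = high
    ts: int
    sources: list = field(default_factory=list)
    count: int = 1                      # raw alerts collapsed into this one

def normalize(raw: dict) -> Alert:
    """Map each SIEM's field names onto one common schema (assumed mappings)."""
    s = raw["source"]
    if s == "splunk":
        return Alert(raw["rule_name"], raw["src_ip"], SEVERITY[raw["severity"]], raw["_time"], [s])
    if s == "qradar":                   # QRadar magnitude runs 1-10; bucket it onto the 0-3 scale
        return Alert(raw["offense_type"], raw["offense_source"], min(3, (raw["magnitude"] + 2) // 3), raw["start_time"], [s])
    if s == "sentinel":
        return Alert(raw["AlertName"], raw["Entities"]["ip"], SEVERITY[raw["Severity"].lower()], raw["TimeGenerated"], [s])
    raise ValueError(f"unknown source {s}")

def dedup(alerts: list, window: int = 300) -> list:
    """Collapse alerts with the same title+entity seen within `window` seconds of the first.
    The first is kept and its count/sources grow, so repeats are counted, not silently dropped."""
    kept, out = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        fp = hashlib.sha256(f"{a.title}|{a.entity}".encode()).hexdigest()
        prev = kept.get(fp)
        if prev is not None and a.ts - prev.ts <= window:
            prev.count += 1
            prev.sources.extend(a.sources)
        else:
            kept[fp] = a
            out.append(a)
    return out

def triage(alerts: list, min_severity: int = 1) -> tuple:
    """Split into alerts that need an analyst and informational ones kept only for the record."""
    return ([a for a in alerts if a.severity >= min_severity], [a for a in alerts if a.severity < min_severity])

def run_pipeline(raw_alerts: list) -> tuple:
    return triage(dedup([normalize(r) for r in raw_alerts]))
```

On the sample data the Splunk and QRadar brute-force alerts (30 seconds apart) collapse into one escalated alert with count 2, the Sentinel alert ten minutes later starts a fresh one, and the informational task-creation alert is held back from analysts.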
To name just one more way that next-gen SOAR solutions differ from their predecessors, let’s look at codeless playbooks. In the past, building, testing, and editing playbooks to remediate SIEM alerts required extensive coding—or more often than not, expensive professional services. With platforms like D3 Smart SOAR, that’s no longer the case. Users can simply drag and drop playbook actions together, including complex automation. Integrations work the same way, making it easy to add or swap a tool in a workflow. Codeless playbooks keep your security team focused on security, instead of expecting them to moonlight as software developers.