D3 integrates with Elasticsearch, the search and analytics engine at the heart of the Elastic stack. Elasticsearch aggregates and stores data and logs for careful monitoring and detailed analysis. Predefined queries in Elasticsearch can generate alerts that are escalated to D3 for investigation of possible security concerns. D3 can also enrich events from other sources by querying Elasticsearch for additional context.
By combining Elasticsearch for search and analytics with D3 SOAR for incident enrichment and response, you can automatically escalate real threats to incident status in D3 and assess their criticality through data enrichment and MITRE ATT&CK matrix correlation. Predefined Elasticsearch queries can be used as the conditions to trigger an automation-powered playbook in D3 for fast and consistent triage and response. When Elasticsearch alerts trigger D3’s automated workflows and full-lifecycle playbooks for incident response, analysts no longer have to manually coordinate dozens of triage and response tasks. Response occurs in seconds, not hours.
D3 has embedded the entire MITRE ATT&CK matrix into its SOAR platform, so when a security alert is ingested, D3 can parse out the elements and correlate them against the criteria for ATT&CK’s hundreds of techniques. The techniques that are detected start to form the “kill chain” of the incident, which the analyst can visually represent in D3’s dashboards. Once the elements of the incident are identified, the search range needed to find related events is narrowed considerably. D3 then runs automated searches across Elasticsearch data, based on the known IOCs and techniques, and uses the results to further build out the kill chain of the incident, which can be managed holistically using D3’s case management capabilities.
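The alert-to-enrichment loop described above (a predefined query raises an alert, IOCs are parsed out of it, a pivot search over the log store pulls in related events, and the detected techniques are ordered into a kill chain) can be sketched end to end in a few functions. The following is an added example and not D3's or Elastic's code: the small `matches` function stands in for a call to an Elasticsearch client with the same Query DSL (`term` and `bool` clauses), the sample documents are constructed, and the mapping from event fields to ATT&CK technique IDs is a deliberately simplified assumption, not D3's correlation logic.

```python
"""Alert -> IOC extraction -> pivot search -> kill chain, run offline.

The matcher below is a stand-in for an Elasticsearch query; a real
integration would send the same DSL dicts to the cluster instead.
"""
from collections import defaultdict

# Constructed sample log documents (ECS-style field names, hypothetical values).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "source.ip": "203.0.113.7", "user.name": "alice",
     "event.action": "logon-failed"},
    {"@timestamp": "2024-01-01T10:00:05Z", "source.ip": "203.0.113.7", "user.name": "alice",
     "event.action": "logon-failed"},
    {"@timestamp": "2024-01-01T10:00:09Z", "source.ip": "203.0.113.7", "user.name": "alice",
     "event.action": "logon-failed"},
    {"@timestamp": "2024-01-01T10:01:00Z", "source.ip": "203.0.113.7", "user.name": "alice",
     "event.action": "logon-success"},
    {"@timestamp": "2024-01-01T10:02:30Z", "host.name": "wks-01", "user.name": "alice",
     "event.action": "process-start", "process.name": "powershell.exe"},
    {"@timestamp": "2024-01-01T10:03:00Z", "source.ip": "198.51.100.5", "user.name": "bob",
     "event.action": "logon-success"},
]

# Predefined alert query in Elasticsearch Query DSL: every failed logon.
ALERT_QUERY = {"term": {"event.action": "logon-failed"}}
FAILED_LOGON_THRESHOLD = 3  # assumed threshold for raising a brute-force alert


def matches(doc, query):
    """Minimal local evaluator for `term` and `bool` DSL clauses (stand-in for ES)."""
    if "term" in query:
        (field, value), = query["term"].items()
        return doc.get(field) == value
    if "bool" in query:
        clause = query["bool"]
        must_ok = all(matches(doc, q) for q in clause.get("must", []))
        should = clause.get("should", [])
        should_ok = any(matches(doc, q) for q in should) if should else True
        must_not_ok = not any(matches(doc, q) for q in clause.get("must_not", []))
        return must_ok and should_ok and must_not_ok
    raise ValueError("unsupported clause: %r" % list(query))


def run_query(events, query):
    return [doc for doc in events if matches(doc, query)]


def generate_alerts(events):
    """Raise one alert per (source.ip, user.name) pair that crosses the failed-logon threshold."""
    counts = defaultdict(int)
    for doc in run_query(events, ALERT_QUERY):
        counts[(doc.get("source.ip"), doc.get("user.name"))] += 1
    return [
        {"rule": "failed-logon-burst", "count": n,
         "iocs": {"source.ip": ip, "user.name": user}}  # IOCs parsed out of the alert
        for (ip, user), n in counts.items() if n >= FAILED_LOGON_THRESHOLD
    ]


def pivot_search(events, iocs):
    """Follow the alert's IOCs back into the log store: any doc carrying any of them."""
    query = {"bool": {"should": [{"term": {field: value}} for field, value in iocs.items()]}}
    return run_query(events, query)


def technique_for(doc):
    """Assumed, simplified field-to-ATT&CK mapping; not D3's correlation criteria."""
    action = doc.get("event.action")
    if action == "logon-failed":
        return "T1110"      # Brute Force
    if action == "logon-success":
        return "T1078"      # Valid Accounts
    if action == "process-start" and doc.get("process.name") == "powershell.exe":
        return "T1059.001"  # Command and Scripting Interpreter: PowerShell
    return None


def build_kill_chain(related_events):
    """Order detected techniques by first occurrence to form the incident's kill chain."""
    chain = []
    for doc in sorted(related_events, key=lambda d: d["@timestamp"]):
        technique = technique_for(doc)
        if technique and technique not in chain:
            chain.append(technique)
    return chain


if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_EVENTS):
        related = pivot_search(SAMPLE_EVENTS, alert["iocs"])
        print(alert["rule"], alert["iocs"], "->", len(related), "related events")
        print("kill chain:", " -> ".join(build_kill_chain(related)))
```

The pivot query uses only `should` clauses, so it behaves like a logical OR across the IOCs; in production this is where analysts usually add a time window (`range` on `@timestamp`) and a `must_not` for known-benign sources, which are the two controls that keep an IOC pivot from pulling in unrelated noise.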
Our Connected SOAR Security Alliance brings hundreds of vendors together, allowing customers to benefit from our deep industry relationships and fully vendor-agnostic, independent SOAR platform.