By combining ArcSight ESM for threat detection with D3 SOAR for incident enrichment and response, you can automatically escalate real threats to incident status in D3 and assess their criticality through data enrichment and MITRE ATT&CK matrix correlation. D3 can then trigger an automated response playbook or guide human analysts efficiently through manual steps, all within a single window. When notable events trigger D3’s automated workflows and full-lifecycle playbooks for incident response, analysts no longer have to manually coordinate dozens of triage and response tasks. Response occurs in seconds, not hours.

Once an event has been escalated, D3 automatically correlates IOCs—such as source IP/domain, destination IP/domain, file hashes, etc.— and MITRE ATT&CK techniques against threat intelligence, historical incident data, and potential traces of a larger kill chain, painting a complete picture of the threat. An intuitive link analysis dashboard provides analysts with the dexterity and visualizations needed for complex investigations. Adding D3’s link analysis to ArcSight ESM events provides users with vastly improved triage, the ability to easily spot false positives, and better handling of complex incidents. By bringing the information needed for investigations into a single platform, organizations can reduce SOC fatigue by eliminating context-switching, while improving response through integrated intelligence.