Stellar Cyber Open XDR

Stellar Cyber Open XDR collects data from disparate security tools and data sources, using AI-powered analysis and correlation to create high-fidelity incidents for genuine threats. Many incidents can be resolved directly via Stellar Cyber’s automated response capabilities. However, major incidents will benefit from the further investigation and response orchestration capabilities of SOAR.

When a high-fidelity incident in Stellar Cyber requires escalation, it can be pulled into D3 NextGen SOAR. Like Stellar Cyber, D3 also distinguishes between the alert and incident level, so the ingested incident stays as an incident in D3, with all of the high-fidelity data retained, including MITRE ATT&CK TTPs and AI-based risk scoring. D3 parses the IOCs from the incident and correlates them against past incident data, integrated threat intelligence sources, and data from integrated security tools.

Based on the incident data from Stellar Cyber and the added context from D3, the user can then trigger an incident-specific automation-powered playbook to remediate the threat. The D3 playbook will orchestrate response actions such as quarantining endpoints, updating firewall rules, deleting malicious emails from inboxes, and more. The TTPs involved will also be mapped against D3’s integrated MITRE ATT&CK dashboard. When the response is complete, the D3 playbook will update the incident in the Stellar Cyber platform, where the user can close the incident or carry out additional actions.

Integrating Open XDR and NextGen SOAR is an evolution beyond the traditional SIEM-to-SOAR model of threat detection and response. By connecting Stellar Cyber’s rich incident data to D3’s powerful playbooks, users can confidently respond to every level of threat with minimal screen-switching, manual tasks, or time spent on false positives. The bidirectional integration ensures that users of either system have up-to-date information on investigations, which eliminates redundant work.

Most SOCs have access to threat intelligence, often from myriad sources. The challenge they face is consistently turning that intelligence into action. Without automation and integrations, security teams struggle to find the time to investigate every piece of threat intelligence to determine their risk and take the appropriate action.

D3 integrates with myriad threat intelligence sources. When threat intelligence is ingested into D3, the tool can parse the IOCs from the report or feed and correlate them against Stellar Cyber’s event space to find out if the threat is present in the environment. The D3 playbook runs a search query via Stellar Cyber’s API to find any instances of IP addresses, processes, and other artifacts that are implicated in the threat intelligence. If anything is found, the information is returned back to D3. The user can then review the evidence and choose to run a playbook to further investigate the extent of the threat and remediate it.

By building an automated, repeatable workflow for checking threat intelligence against Stellar Cyber’s rich database of events, joint users can act on all incoming intel without bogging down their team in additional tasks. D3 and Stellar Cyber users can identify, analyze, and respond to threats across the entire stack.