What Changed

New solution package for the D3 Smart SOAR integration, enabling Microsoft Sentinel customers to ingest incident data from D3 Security’s SOAR platform. Version 3.0.0 ships a complete Codeless Connector Framework (CCF) connector: the data collection rule (DCR), the polling configuration, the connector definition, the custom table definition, and the solution packaging.

Data Source

D3 Smart SOAR is a Security Orchestration, Automation and Response platform that manages security incident workflows and automated response actions. The connector polls incident data including:

  • Core incident metadata (IR Number, Title, Status, Severity, Priority)
  • Workflow state (Stage, Disposition, Owner, Creator)
  • Operational context (Playbook, Investigation Team, Linked Incidents)
  • Raw incident and event data for forensic analysis

Ingestion Mechanism

CCF connector of kind RestApiPoller with the following characteristics:

  • Target table: D3SOARIncidents_CL (custom log table)
  • Polling: every 5 minutes against the /api/command/GetIncidentsWithNewParameters endpoint
  • Authentication: D3 JWT token supplied through the CCF APIKey auth type
  • Data transformation: the DCR's KQL transform renames D3 fields to a consistent schema with TimeGenerated, DateCreated and DateModified columns and preserves the raw incident and event payload in dynamic columns

Security Impact (Visibility & Fidelity)

This connector addresses a common SOAR visibility gap where security teams lose sight of automated response actions after incidents are handed off to orchestration platforms. Key benefits:

  • Response tracking: Incidents processed through D3 Smart SOAR are now visible in Microsoft Sentinel for correlation with other security events
  • Workflow visibility: Playbook execution, stage transitions, and disposition outcomes become queryable within Sentinel
  • Cross-platform correlation: Enables detection rules to reference SOAR incident context when analyzing related security events
  • Audit trail: Complete incident lifecycle preserved with raw event data for compliance and forensic analysis

Configuration prerequisite: the D3 Smart SOAR site timezone must be set to UTC. The poller's 5-minute query windows are in UTC, so incident timestamps written in a local site time will not align with them.
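The following is an added example, not code from D3 Security or from the Sentinel solution package. It emulates offline what the RestApiPoller and the DCR transform described under Ingestion Mechanism do, so that the UTC prerequisite above can be seen concretely: a 5-minute UTC polling window is computed, D3-style incident records are renamed into the target schema with TimeGenerated, DateCreated and DateModified derived from the incident timestamps and the raw payload kept as a dynamic column, and a record from a site whose timezone is not UTC is shown dropping out of the window it belongs to. The raw field names (IncidentNo, IncidentTitle, PlaybookName and so on) and the sample records are assumptions constructed for illustration, not the real D3 API schema.

```python
"""Added example: not code from D3 Security or from the Sentinel solution.

Emulates the CCF RestApiPoller plus the DCR transform offline:
  1. compute a 5-minute UTC polling window,
  2. normalize D3-style incident records into the target schema
     (TimeGenerated, DateCreated, DateModified, raw payload as a dynamic column),
  3. show how a record stamped in a non-UTC site time misses its window.
Raw field names and sample records are assumptions chosen for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed raw D3 field name -> normalized column name in D3SOARIncidents_CL.
FIELD_MAP = {
    "IncidentNo": "IRNumber",
    "IncidentTitle": "Title",
    "Status": "Status",
    "Severity": "Severity",
    "Priority": "Priority",
    "Stage": "Stage",
    "Disposition": "Disposition",
    "Owner": "Owner",
    "Creator": "Creator",
    "PlaybookName": "Playbook",
}


def polling_window(now: datetime, minutes: int = 5):
    """Return (start, end] for the window ending at `now`, both tz-aware UTC."""
    if now.tzinfo is None:
        raise ValueError("poller clock must be timezone-aware")
    end = now.astimezone(timezone.utc)
    return end - timedelta(minutes=minutes), end


def parse_d3_time(value: str) -> datetime:
    """Parse a D3 timestamp the way the poller has to: a stamp that carries no
    offset is taken as UTC. That is only right when the D3 site timezone is
    UTC, which is exactly the configuration prerequisite."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def normalize(record: dict) -> dict:
    """Emulate the DCR transform: rename fields, derive the timestamp columns,
    and keep the untouched original payload as a dynamic column."""
    row = {col: record.get(raw) for raw, col in FIELD_MAP.items()}
    row["DateCreated"] = parse_d3_time(record["DateCreated"]).isoformat()
    row["DateModified"] = parse_d3_time(record["DateModified"]).isoformat()
    row["TimeGenerated"] = row["DateModified"]   # last change drives the row's time
    row["RawData"] = json.loads(json.dumps(record))  # deep copy, JSON-safe
    return row


def poll(records: list, now: datetime) -> list:
    """Select records modified inside the current window and normalize them."""
    start, end = polling_window(now)
    return [normalize(r) for r in records
            if start < parse_d3_time(r["DateModified"]) <= end]


# Constructed sample data. Both incidents were last modified at 12:03 UTC and
# the poller runs at 12:05 UTC, so both belong in the 12:00-12:05 window.
SAMPLE_RECORDS = [
    {  # site timezone = UTC: stamps carry an explicit Z
        "IncidentNo": "20240501-0001", "IncidentTitle": "Phishing: credential harvest",
        "Status": "Open", "Severity": "High", "Priority": "P2", "Stage": "Containment",
        "Disposition": None, "Owner": "analyst1", "Creator": "playbook-bot",
        "PlaybookName": "Phish-Triage", "DateCreated": "2024-05-01T11:40:00Z",
        "DateModified": "2024-05-01T12:03:00Z",
    },
    {  # site timezone = UTC+8: stamps written in local time with no offset
        "IncidentNo": "20240501-0002", "IncidentTitle": "Malware: beaconing host",
        "Status": "Open", "Severity": "Critical", "Priority": "P1", "Stage": "Eradication",
        "Disposition": None, "Owner": "analyst2", "Creator": "playbook-bot",
        "PlaybookName": "Host-Isolate", "DateCreated": "2024-05-01T19:50:00",
        "DateModified": "2024-05-01T20:03:00",
    },
]
POLL_TIME = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)


def ingested_incidents(records=SAMPLE_RECORDS, now=POLL_TIME) -> list:
    """IR numbers the poller would actually forward to D3SOARIncidents_CL."""
    return [row["IRNumber"] for row in poll(records, now)]


if __name__ == "__main__":
    for row in poll(SAMPLE_RECORDS, POLL_TIME):
        print(json.dumps(row, indent=2))
    # Only 20240501-0001 is ingested; the UTC+8 record is read as 20:03Z and missed.
    print("ingested:", ingested_incidents())
```

The second record is the failure mode the prerequisite guards against: its local 20:03 stamp is read as 20:03 UTC, so it is skipped in the 12:00-12:05 window and, if it is picked up at all, it lands with a TimeGenerated eight hours off the real modification time, which breaks correlation with events from other sources. Setting the site timezone to UTC removes the ambiguity at the source rather than in the transform.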

Affected Files

Logos/D3SOAR.svg
Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_DCR.json
Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_DataConnectorDefinition.json
Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_PollingConfig.json
Solutions/D3SmartSOAR/Data Connectors/D3SOAR_CCF/D3SOAR_Table.json
Solutions/D3SmartSOAR/Package/testParameters.json
Solutions/D3SmartSOAR/README.md
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_D3SOAR.json, createUiDefinition.json, mainTemplate.json)