What Changed
Added scheduled Analytic Rule to detect D3 Smart SOAR incidents with High or Critical severity. The rule queries the D3SOARIncidents_CL table hourly and creates Microsoft Sentinel incidents for security team triage.
Detection Logic
- Primary data source: D3SOARIncidents_CL
- Core logic: Filters incidents from the last hour where IncidentSeverity equals "High" or "Critical"
- Entity mapping: Account entity mapped to IncidentOwner field
- Trigger: Creates alert when any High/Critical incidents are found (threshold > 0)
MITRE Mapping
- T1499 (Endpoint Denial of Service) — based on Impact tactic classification
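The detection logic and MITRE mapping listed above, written out as a Sentinel scheduled analytic rule template. This is an added illustrative example, not the contents of the PR's own D3SmartSOAR-HighOrCriticalSeverityIncident.yaml; the rule id, connector id, and name are placeholders, and TimeGenerated is assumed to be the ingestion timestamp column of D3SOARIncidents_CL.

```yaml
# Illustrative Sentinel scheduled analytic rule (not the PR's actual file).
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID
name: D3 Smart SOAR - High or Critical Severity Incident (example)
description: |
  Raises a Sentinel incident when D3 Smart SOAR reports an incident
  with High or Critical severity in the last hour.
severity: High
requiredDataConnectors:
  - connectorId: D3SmartSOARConnectorPlaceholder   # placeholder, not a real connector id
    dataTypes:
      - D3SOARIncidents_CL
# Lookback equals frequency, so each hourly run covers exactly the
# preceding hour and an incident is not surfaced twice.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0              # fire on any matching row
tactics:
  - Impact
relevantTechniques:
  - T1499
query: |
  D3SOARIncidents_CL
  | where TimeGenerated > ago(1h)
  | where IncidentSeverity in ("High", "Critical")
  | project TimeGenerated, IncidentSeverity, IncidentOwner
# Account entity mapped to the SOAR incident owner, as described above.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: IncidentOwner
version: 1.0.0
kind: Scheduled
```

Because the owner is the only mapped entity, investigation-graph pivots will centre on the analyst who owns the SOAR case rather than on the affected asset; add further entity mappings if the D3SOARIncidents_CL schema exposes host or IP columns.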
Security Impact
This detection closes a visibility gap for D3 Smart SOAR deployments where High and Critical severity incidents previously required manual monitoring. Security teams can now receive automated Microsoft Sentinel alerts for their most impactful SOAR cases, enabling faster response to critical security events.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/D3SOARIncidents_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
(packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_D3SOAR.json, mainTemplate.json)