Command Tasks

LAST UPDATED: FEB 13, 2025

Command tasks refer to integration or utility commands, which can be D3-built or user-built (custom). Built-in and custom commands may be implemented through Python scripts or codeless playbooks.

Integration Commands

These commands execute actions related to external systems or services, such as retrieving threat intelligence, managing cloud resources, or automating tasks in areas like analytics, SIEM/XDR operations, and identity management.

Access Locations

Playbook Task Menu

  1. Hover over the command task.
  2. Ensure that the Integration Commands tab is selected.

Task Configuration Popover

  1. Connect a command task to the root playbook node.
  2. Name the command task.
  3. Click on the ellipsis icon.
  4. Select All Integration from the Category dropdown menu.

Integrations Module

Users can access the Integrations module to explore all available commands for an integration and execute them outside of a playbook with the Test Command function.

  1. Search for and click on a specific integration to view its commands.
  2. Select a command to execute.
  3. Execute the command.
    1. Navigate to the Test tab.
    2. Select an existing connection or create a new one.
    3. Enter input parameters as necessary.
    4. Click on the Test Command button.

READER NOTE

At the incident level, commands can be executed on the fly using the Execute Command button in the general information header panel.

Utility Commands

These commands primarily support internal operations, including data manipulation, updating incident details, and generating reports, with occasional exceptions like facilitating email communications.

Access Locations

Playbook Task Menu

  1. Hover over the command task.
  2. Click on the Utility Commands tab.

Task Configuration Popover

  1. Connect a command task to the root playbook node.
  2. Name the command task.
  3. Click on the ellipsis icon.
  4. Select All Utilities from the Category dropdown menu.

Utility Commands Module

Users can access the Utility Commands module to explore all utility commands and execute them outside of a playbook with the Test Command function.

  1. Navigate to the Utility Commands module.
  2. Search for and select a command to execute.
  3. Execute the command.
    1. Navigate to the Test tab.
    2. Select a site.
    3. Enter input parameters as necessary.
    4. Click on the Test Command button.

READER NOTE

At the incident level, commands can be executed on the fly using the Execute Command button in the general information header panel.

Integration Command Examples

Checking the Reputation of a URL

OBJECTIVE Set up and run a command task that checks the reputation of a URL.

  1. Search for and drag the Check URL Reputation command task from VirusTotal v3 to the On Playbook Start trigger.
  2. Name the task, ensure that the Testable option is selected, then click on the Next button.
  3. Configure the task details, then save the task.
    1. Enter a URL in text array format.
      For the demo, the data is hardcoded, but it should almost always be dynamically retrieved from a data source (e.g., an event or incident) using the Format Builder function.
    2. Select an existing connection to use or create a new one.
    3. Select the Auto Run checkbox.
    4. Click on the save button to save the task.
  4. Click on the Test Playbook button, then click on the Run Test button in the popover.

RESULT

The Check URL Reputation command provides reputation data for a URL, enabling analysts to assess its safety and determine if blocking is necessary.

Interacting with Slack Interactivity Elements

See Send Interactivity examples.


Utility Command Examples

Sending an Email with Attachments

OBJECTIVE Send an email from the vSOC platform, including any files attached to the incident as email attachments.

  1. Search for and drag the Send Email utility command task to the On Playbook Start trigger.
  2. Name the task, ensure that the Testable option is selected, then click on the Next button.
  3. Configure the task details, then save the task.
    1. Enter the recipient’s email address.
    2. Enter the email subject.
    3. Enter the email body.
    4. Enter the CC recipient.
    5. Choose Incident Attachment File as the file source.
    6. Select the Dynamic toggle.
    7. Dynamically retrieve the value for the File ID. Refer to Dynamically Selecting Data for more information.

      {{ $.PlaybookData.DataSource.incident.File[*].FileId }}

    8. Select the Auto Run checkbox.
      For information about the Reply Mode and Reply Due Time parameters, refer to this documentation.
    9. Click on the save button to save the task.
  4. Test the playbook.
    1. Click on the Test Playbook button.
    2. Select a site.
    3. Select an incident.
      Testing the playbook on an incident will impact the incident. To avoid unintended effects, perform all testing involving the Test Playbook functionality in a demo instance of vSOC.
    4. Click on the Run Test button.

RESULT

The Send Email command task sends an email based on the specified task configurations, delivering it to the primary recipient and any CC or BCC recipients defined. Any files uploaded to the incident workspace are included as attachments.

Retrieving Global List Metadata

OBJECTIVE Extract the description of a global list titled Demo Global List.

  1. Ensure Demo Global List is available for use in select sites.
  2. Connect a command task to the On Playbook Start trigger.
  3. Name the command task, then click on the Next button.
  4. Select the Auto Run checkbox, then click on the ellipsis icon.
  5. Select the Get Global List MetaData utility command.
  6. Specify the search type and global list name, then save the task.
  7. Click on the Test Playbook button, then click on the Run Test button in the popover.
  8. Click on the command’s task icon.
  9. Click on the Return Data tab to view the extracted description.

Mixed Command Use Example

Generating a CSV File Using Domain IP Reputation Results

OBJECTIVE Create a CSV file that includes information about the IP reputation linked to domain names.

  1. Search for and drag the Get Ips by Domain Names utility command task to the On Playbook Start trigger.
  2. Name the task, ensure that the Testable option is selected, then click on the Next button.
  3. Configure the task details, then save the task.
    1. Enter the domain names whose IPs will be retrieved, such as this compromised domain listed by Zone Files:

      [shopsabz.com]

      For the demo, the data is hardcoded, but it should almost always be dynamically retrieved from a data source (e.g., an event or incident) using the Format Builder function.
    2. Select the Auto Run checkbox.
    3. Click on the save button to save the task.
  4. Repeat steps 1 and 2 to add the Get IP Reputation command task from the VirusTotal V3 integration to the previous task.
  5. Configure the task details, then save the task.
    1. Dynamically retrieve the value for the IPs, the output data of the previous task.

      {{PlaybookData | jsonpath('$.["Get IP by Domain"].outputData.IPAddresses')}}

    2. Select an existing connection to use or create a new one.
    3. Select the Auto Run checkbox.
    4. Click on the save button to save the task.
  6. Repeat steps 1 and 2 to add the Convert HTML to JSON utility command task to the previous task.
  7. Configure the task details, then save the task.
    1. Click on the Dynamic toggle.
    2. Dynamically retrieve the value for the HTML Text, the result of the previous task.

      {{ $.PlaybookData.["Get IP Reputation"].result }}

    3. Select the True option.
    4. Select the Auto Run checkbox.
    5. Click on the save button to save the task.
  8. Repeat steps 1 and 2 to add the Convert JSON Array to CSV utility command task to the previous task.
  9. Configure the task details, then save the task.
    1. Dynamically retrieve the value for the JSON Array to Convert, the return data of the previous task.

      {{ $.PlaybookData.["Convert HTML Table to JSON"].returnData }}

    2. (Optional) Rename the file.
    3. Select the Auto Run checkbox.
    4. Click on the save button to save the task.
  10. Click on the Test Playbook button, then click on the Run Test button in the popover.

RESULT

Users will be able to download the “result” CSV file by navigating to the playbook task details > Result tab, then clicking on the result.csv file.
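
The last two steps of this playbook turn third-party reputation data into a file that analysts open in a spreadsheet, so cells that begin with formula characters deserve attention. The following added example (not D3 code; the function names and the sample table are constructed for illustration) mirrors the HTML-to-JSON and JSON-to-CSV steps in standalone Python and neutralizes formula-leading values before writing the CSV.

```python
import csv
import io
from html.parser import HTMLParser

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
# Constructed sample standing in for the HTML result of the reputation task.
SAMPLE_HTML = ("<table><tr><th>IP</th><th>Malicious</th><th>Owner</th></tr>"
               "<tr><td>192.0.2.10</td><td>3</td><td>=1+1</td></tr>"
               "<tr><td>198.51.100.7</td><td>0</td><td>Example Net</td></tr></table>")

class TableParser(HTMLParser):
    """Collects the cell text of every <tr> as a list of strings."""
    def __init__(self):
        super().__init__()
        self.rows, self._cell = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th") and self.rows:
            self._cell = ""
    def handle_data(self, data):
        if self._cell is not None:
            self._cell += data
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self.rows[-1].append(self._cell.strip())
            self._cell = None

def html_table_to_json(html):
    """First table row is the header; each later row becomes one dict."""
    parser = TableParser()
    parser.feed(html)
    header, *body = parser.rows or [[]]
    return [dict(zip(header, row)) for row in body if row]

def neutralize(value):
    """Prefix a quote so formula-like values are stored as plain text."""
    text = str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text

def json_array_to_csv(records):
    """Write header and rows, neutralizing every field on the way out."""
    if not records:
        return ""
    fields = list(records[0])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in [fields] + [[r.get(f, "") for f in fields] for r in records]:
        writer.writerow([neutralize(v) for v in row])
    return out.getvalue()
```

The quote prefix also applies to values that begin with a minus sign, so negative numbers are written as text rather than as numeric cells.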
