Custom Command Overview
LAST UPDATED: OCT 15, 2024
D3 offers users the ability to implement custom (do-it-yourself) commands, enabling them to define additional methods, or override existing ones, for system data manipulation and to integrate with other security products via third-party APIs. Custom commands are valuable where a specific integration or command falls outside the scope of the D3 VSOC system, or where the system commands cannot fully match customer operational requirements.
Types of Custom Command
Integration Command
An integration command is a specific action or task executed within the D3 platform that connects the software to external security products. These commands enable D3 users to interact with external systems, such as querying information from third-party APIs, performing actions in external applications, or automating responses based on predefined conditions. Where the current version of D3 SOAR has no integration or command for a given case, we offer DIY custom integration solutions.
Utility Command
A utility command is an in-house, predefined action or function within the D3 platform that serves a specific purpose related to security operations or incident response. These built-in features are designed to assist users in performing common tasks like data manipulation, analysis, workflow automation, and nested playbook setup. Utility commands are categorized into three types: Basic Utility, System Utility, and Cyber Utility.
Types of Custom Command Implementations
Custom commands can be written with Python scripts and executed within the D3 Python Docker Image. They can also be assembled using a Codeless Playbook workflow.
Python
Each Python-implemented command (system or custom) is associated with a Python function whose name matches the command's internal name. These Python functions are displayed in integration-specific code files, and their draft versions can be modified in a code editor that opens when you click any command contained within an integration. When a Python custom command is executed, the D3 system concatenates the user-customized script with the built-in (i.e. system) script to form a final script. The system script is visible to users as commented-out code. The final script incorporates the functions defined in the system script, so they can be invoked during execution. It is this final script that runs.
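The following is an added illustration, not D3's own code or API, of the mechanism just described: a user-written command function whose name matches the command's internal name, a system script that appears commented out in the user's draft, the concatenation of the two into one final script, and dispatch of the command by function name. The script contents, the helper name normalize_indicator and the command name enrich_indicator are all hypothetical.

```python
# Added illustration, not D3's code: a user-authored command script and a
# built-in system script are concatenated into one final script, and the
# command is dispatched by the Python function bearing its internal name.
# All script contents, helper names and command names here are hypothetical.

# Hypothetical built-in system script, as it exists on the platform side.
SYSTEM_SCRIPT = '''
def normalize_indicator(value):
    """Hypothetical system helper: trim whitespace and lowercase the value."""
    return value.strip().lower()
'''

# What the user sees in the draft editor: the system functions commented out
# (reference only), followed by the user-written command function.
USER_DRAFT = '''
# --- system script (read-only, shown for reference) ---
# def normalize_indicator(value):
#     ...
# --- user-customized script ---
def enrich_indicator(value):
    """Command function; its name matches the hypothetical internal name."""
    return {"indicator": normalize_indicator(value), "source": "custom"}
'''


def build_final_script(user_script: str, system_script: str) -> str:
    """Concatenate the real (uncommented) system script with the user script.

    The commented-out copy in the user draft is inert; the definitions the
    command relies on come from the system script prepended here.
    """
    return system_script + "\n" + user_script


def has_command(internal_name: str, final_script: str) -> bool:
    """Return True if the final script defines a callable with this internal name."""
    namespace: dict = {}
    exec(final_script, namespace)
    return callable(namespace.get(internal_name))


def run_command(internal_name: str, final_script: str, *args):
    """Execute the final script in a fresh namespace and call the command.

    Raises KeyError when no function with the internal name was defined,
    which is the failure mode to expect when the function name and the
    command's internal name diverge.
    """
    namespace: dict = {}
    # The custom code runs in the same process and with the same privileges
    # as the system script it is merged with.
    exec(final_script, namespace)
    func = namespace.get(internal_name)
    if not callable(func):
        raise KeyError(f"no command function named {internal_name!r}")
    return func(*args)


if __name__ == "__main__":
    script = build_final_script(USER_DRAFT, SYSTEM_SCRIPT)
    print(run_command("enrich_indicator", script, "  Evil.Example  "))
```

Because the user script becomes part of the same final script as the system code, it executes with the system script's privileges; restricting who may edit Draft scripts and reviewing a draft before it is submitted to Live is the practical control point.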
Codeless Playbook
An integration command implemented as a Codeless Playbook offers a user-friendly solution, particularly suited to non-technical users. With its intuitive drag-and-drop interface, users can assemble command blocks into powerful workflows without extensive programming expertise. Furthermore, Codeless Playbook custom commands are reusable across different event and incident playbooks, improving efficiency by allowing successful workflows to be replicated across scenarios.
D3 also provides additional types of custom commands, including those tailored for MS SQL, Oracle, MySQL, and ODBC environments.
READER NOTE
To render a custom command visible as a playbook command task, select the Command Task checkbox under the Overview > Settings > Features section within the command page.
Custom Command Status
There are two statuses for the custom command: Live and Draft. While in Draft status, the command remains editable but cannot be referenced or executed, except for testing purposes. While in Live status, the command cannot be modified but can be referenced and executed within playbooks and schedules. The graph below illustrates the cycle of switching command status:
Each utility command and codeless playbook is unique and maintains its own status. Integration Python commands, on the other hand, are directly linked to their own custom script. Any changes made to the status of a custom command will affect the entire custom script associated with the corresponding integration.
READER NOTE
Given that integration Python commands are hard-linked to the custom script, you will observe the following:
The statuses of Python commands within the same integration are unified, meaning they are either all in Draft status or all in Live status.
Creating a new command will automatically set the statuses of all commands within the custom script to Draft.
Deleting a command in Draft status will also delete all other Python commands in Draft status.
Deleting a command in Draft status will not affect the Live version of the integration script.
Deleting a command in Live status will solely remove the command and its configurations. There will be no alterations to the user-customized script.
Integration Command Status
To view integration command statuses:
Navigate back to the Integration tab on the left sidebar.
Select your integration underneath the breadcrumb.
Navigate to the table at the bottom of the Commands section.
Observe the integration command statuses in the fifth column.
Adjacent to the draft icons within the Status column are the "View Live" anchors, which serve the same purpose as the "View Live" button within a particular command. Clicking on these anchors enables you to access the live versions.
Upon entering the live version, the former "View Live" button transforms into a "View Draft" button, redirecting you to the draft version of the script. Modifying the Draft script does not affect the content of the Live script for the same command unless two conditions are met: i) The Draft script is submitted and ii) command references to the Live script are updated through a subsequent confirmation dialog.
Utility Command Status
To view the utility command statuses:
Navigate back to the Utility Commands tab on the left sidebar.
Select your utility command underneath the breadcrumb.
Click on your utility command within the expanded accordion.
Observe the utility command status near the top right corner.
READER NOTE
To switch from Live to Draft, click on the Edit button located above the code editor.