Skip to main content
Skip table of contents

Utility Commands

LAST UPDATED: DEC 4, 2024

In D3 SOAR, Utility Commands are out-of-the-box commands that you can use to manipulate system data. Our platform provides hundreds of Built-In Utility Commands to automate data manipulation, enrichment, and actions within the system. You can also create and customize your own Utility Command to perform data-processing and utility functions, with maximum flexibility and control.

Frame 1 (27)-20241011-220807.png

The Utility Commands module is a central repository of all Commands accessible to you. This module provides you with an editor interface to build your own custom Commands using Codeless Playbook or Python implementation. As you build your Commands, you have maximum flexibility in creating the custom tool that fits best into your workflow.

Anatomy of the Utility Commands Module

You can access the Utility Commands module in Configurations by clicking on the Tool icon in the left side navigation bar.

Additional Utility Commands can also be accessed in Playbooks

The Utility Command module consists of the main Command Editor canvas and a panel for configuring its basic details and input/output data. The following is an overview of:

  • Action Bar

  • Command Details

  • Command Editor

0d418dc9-3656-4612-8ba8-2a6bc44a269c.png

Action Bar

The Action Bar provides quick access to key actions that you can take on a custom Utility Command:

  • Back button: Navigate back to the previous page.

  • Live / Edit Mode: The Edit and Live modes allow you to make changes to an existing Command without affecting the Commands currently being used in other Playbooks.

  • Submit: Submit this Command to be used by others after editing.

  • More Button

5273ca88-79a6-48cc-ba19-ed993323720b.png
  • Clone Command: Make a copy of the current Command.

  • Delete Command: Delete the Live or Draft version of the Command. You’ll need to delete both in order to completely remove the Command.

  • Command Reference: See the relationships between other Playbooks and Commands. This feature is only available for Commands built with the Playbooks.

READER NOTE

Editing features of the Action Bar are only available for custom Commands. For System commands, users are not allowed to edit them.

Command Details

Command Details is located on the left side of the screen and provides high-level information about the selected Command. This panel provides you with the following tabs, depending on the type of implementation:

  • Overview

    • Settings

    • Inputs

    • Outputs

  • New Task (Playbook only): displays a list of Playbook Tasks, Integration, and Utility Commands for configuring your Playbook.

  • Test (Python only): Test your Python implemented Command

Overview

The Overview tab allows you to configure the basic essential information of a Command such as name, description, and so on. It also provides a space to configure the Input and Output parameters of the Command.

There are 300+ out-of-the-box Utility Commands ready for use immediately. These system commands will not be editable. To create your own custom Command, use the + button. See Creating a Utility Command for more details.

Custom commands will require either python implementation or codeless playbook implementation. This will determine the view of the Command Editor, and cannot be changed later.

Settings

The Settings tab provides you with a view of the Command’s basic information, and the ability to edit these basic fields.

05a7c571-b1b7-4308-aab8-4b64df8a1342.png
Inputs

Inputs are the parameters this Command requires to execute. For a custom command, you can add input parameters you may need.

d345a4bb-2531-40d1-91d3-588dde530a0b.png
Outputs

Outputs defines the type of output this Command can return after execution.

a6bf23ba-f84b-476e-9d51-b22b2ea3dab0.png

You can define 4 different types of outputs for increased flexibility

  1. Key Fields: the most important fields to be extracted out as individual fields.

  2. Return Data: shows the Success / Failure status of a Task for Integration Commands. For Transformation and Condition Commands, the return data is specified with corresponding output data types.

  3. Context Data: the raw data that has been parsed and formatted which can then be stored in D3 Playbooks for data sharing.

  4. Raw Data: shows the unformatted and raw output data

You can also set the Sample Data fields to show an example of the data this Command can output.

Command Editor

The workspace in which you can create a Command, in 2 ways of implementation: as a Codeless Playbook, or in Python script. Each implementation method has a different editor interface.

Implementation Method

Screenshot

Python

This method is suitable for those with advanced experience in writing Python scripts. It allows them to create and edit the Python scripts used to execute the Custom Command.

5867c192-85c0-4311-9e86-db0006b6cdf9.png

Codeless Playbook

This method allows you to create a Codeless Playbook that will execute the Custom Command.

This implementation type contains the same interface as the Incident Playbook Editor, where you can simply drag and drop the relevant task nodes from the right panel to create their desired workflow.

5a1919be-c231-472b-b3f2-5edc242bbd02.png

Categories of Utility Commands

There are 3 main categories of Utility Commands: Basic Utility, Cyber Utility, and System Utility.

Command Type

Details

Example Commands

Basic Utility

Enables simple data processing on the following data types:

  • Text

  • Number

  • Boolean

  • DateTime

  • Text Array

  • Number Array

  • Boolean Array

  • DateTime Array

  • JSON Array

  • JSON Object

  • File

  • File Array

The types of data manipulation functions include:

  • Convert

  • Compare

  • Transform

  • Insert

  • Delete

  • Update

  • Transform

  • Query

  • Check if Exists.

Append Text

Contains Number

Contains Text

Convert Number to Text

Ends with

Less or equal

Cyber Utility

Performs cyber-specific data processing that generally focuses on enrichment or extraction of information on your artifacts. Examples of artifacts are:

  • Email

  • Event

  • File

  • HostName

  • Port

  • Process

Extract Artifacts From Excel File

Check Email Authenticity

Extract URLs from JSON Object

System Utility

Performs actions on system objects such as:

  • Incident

  • Context Data

  • Users

  • Global List

  • SLA

  • Send Email

Close Incident

Add to Global List

Generate Summary Report

Resume SLA

Send Email

Add TTP to Incident

Creating a Utility Command

To create a custom Utility Command:

  1. Click the + button.

0aa05492-c8b0-497a-8e6d-f86856448e53.png
  1. In the Add Command pop-up, provide the Command Name, choose your Implementation and Command Category.

READER NOTE

Both the implementation method and category cannot be changed once the Command is created.

  1. Click + Add to create custom Utility Command.

88b52fa5-a92d-413d-8406-b6a433cadabf.png
  1. In the Settings tab, fill out the following details for the Command’s information.

    1. Command Name: sets a name for the Command, which must match the function name used in the Python script.

    2. Command Description: provides a clear description of the Command.

    3. Webhook Authentication: enables the command to be run from outside of D3 using the API Key or JSON Web Token authentication method.

    4. Implementation: provides 2 ways of creating a Command, between Codeless Playbook or Python script. This is selected when you first add the Command and cannot be changed.

    5. Command Category: you can choose one of the following categories: Basic Utility, Cyber Utility, System Utility. This cannot be changed in settings.

    6. Tags: further categorize and improve searchability and classification.

    7. Role Access: chooses the access level for this command. If Privileged is checked, then only roles with Privileged Commands settings can set and use this command.

    8. Features: decides where the Command will be available for use within the D3 SOAR platform.

    9. Schedule: sets specific time intervals and frequency for when the action will run. This action can be performed by selecting the Enable Schedule checkbox. This section will only appear for submitted/live commands.

After clicking on the + New Schedule button, you can create a new schedule and job recurrence for a custom Command. This is only available when the command is live.

Group 272 (1).png

Configuring Input Parameters

Configuring the input parameters allows you to define the type of data the Command can ingest for processing.

In this example, we’re going to create an add_string command that appends two strings. The input parameters for this command are text strings.

image 563.png

Follow the steps below to create an Input Parameter.

  1. Insert the Input Parameter name that is used within the Command.

  2. Define what Display Name will be displayed. The parameter name will be used if this field is blank.
    Select the data type this parameter should have.

  3. In our add_string example, the parameter type will be “Text.”

  4. Define the parameter’s order in which it will appear in the Inputs tab.

  5. Select the type of input this Command can use (Custom Input, Text Template, or HTML template).

  6. Set the pre-filled Default Value for this parameter.

  7. Provide a description of the current parameter’s function and purpose.

  8. Provide a sample of possible input for this Command.

  9. Click on Save

Configuring Output

You can define the sample outputs of a Utility Command to provide context for other users to understand the Utility Command.

  1. Key Fields: the most important fields to be extracted out as individual fields.

  2. Return Data: shows the Success / Failure status of a Task for Integration Commands. For Transformation and Condition Commands, the return data is specified with corresponding output data types.

  3. Context Data: the raw data that has been formatted into a structured JSON object format, which can then be stored in D3 Playbooks for data sharing.

  4. Raw Data: shows the unformatted and raw information of external Events provided by third-party vendors.

You can also set the Sample Data fields to show an example of the data this Command can output.

image 565.png

Testing & Submitting a Command

The D3 SOAR platform allows you to test any custom and built-in Commands to test the function. Each implementation method has a different Test UI, but they function similarly.

To test a Command (Python Implementation)

  1. Select the Command you want to test.

  2. Navigate to the Test tab on the left panel.

Group 275.png
  1. After, specify the following:

    1. Select the Site you want to test the Command on.

    2. Provide the necessary Inputs.

    3. Click Test Command.

Group 279.png
  1. Result: A new Show Test Result button and Test Summary will appear.

  2. Click Show Test Result

Group 281.png
  1. Result: The test result of the command will appear in a pop-up.
    Outputs are provided for the following (if applicable): Result, Return Data, Context Data, Passdown Data, Raw Data.

  1. Once the Command is working as you intended, you can click Submit to publish the Command. Once submitted, it will be available for use.

Group 282.png


Testing a Command (Codeless Playbook Implementation)

To test a Utility Command built with the Playbook implementation, click the Test Playbook button located at the top of the editor.

Group 285.png

Once the playbook is ran, you can click on the ✅ icon of the first task to view the Test Result of the command. You can also view individual results of each task by clicking on their respective ✅ icons.

Command’s Overall Test Result

In the base task’s Test Result, you can see a list of individual Tasks in the current Command, and their test status. Clicking on a Task will also open the selected Task Details to view the execution and input details.

Pending Tasks did not automatically proceed through the test and could be awaiting further action.

Done Tasks shows all tasks that were able to run through the test. It will contain both failed and successful tasks.

Group 286.png

Remote Utility Command with D3 Webhook API

A Utility Command can be run remotely via third-party or another D3 SOAR Instance through the D3 Webhook API. In order to do so, you must enable Webhook to allow access to the D3 API and use a REST API such as Postman. 

The following is a general how-to for setting up a remote utility command with D3's webhook API.

  1. Find and select the desired utility command. Navigate to Configuration > Utility Commands > [Your Desired Utility Command]. If you are using a custom utility command, verify that it has been submitted.

  2. Under Webhook Authentication, toggle on Remote Command. Select the desired authentication method. 

Authentication Method: API Key
  1. In the Setup API Keys window, you can select an existing key or generate a new one for authentication. To generate a new key, click on the + button adjacent to ALL KEYS

  2. If you are generating a new key, enter an alias for your key. Click Generate.

  1. For detailed information about configuring the remote command API key, refer to the Authentication Method: API Keys subsection under Remote Command in the Webhook Configuration Guide document.

Authentication Method: JSON Web Token (JWT)

  1. In the Setup JWT window, you can select an existing key or generate a new one for authentication. To generate a new key, click on the + button adjacent to ALL KEYS.

  2. If you are generating a new key, enter an alias for your key and select the assigned user. You have the option to allow all users to view the key. Click Generate.

READER NOTE

The assigned user will be recognized as the user when a command requires a user parameter.

  1. For detailed information about configuring the JSON web token, refer to the Authentication Method: JWT subsection under Remote Command in the Webhook Configuration Guide document.

Exporting & Importing Custom Utility Commands

D3 SOAR allows you to export and import custom utility commands from one D3 SOAR environment to another. This document will provide you with the step-by-step instructions on the entire exporting and importing process.

READER NOTE

The prerequisites for using this guide are:

  • An active custom utility command created in D3 SOAR

  • Another D3 SOAR environment to import the custom utility command to

Exporting a Custom Utility Command

  1. Once you are logged into the D3 SOAR environment with the created custom utility command, navigate to Configuration on the top menu bar. On the left side bar menu, click Utility Commands. Use the search box to find and select the custom utility command you want to export.

    Group 289.png
  2. Ensure the command status is Live. You should see an indicator near the top right corner. If the command status is Draft, you will need to submit it to go live. Click the three-dot button, then Version History.

    Group 290 (1).png
  3. Select the version of the custom utility command to export. Click on Export, and then Export to confirm in the pop-up window. The custom utility command will be exported and downloaded as an XML file. You will need this file to import the utility command in later steps.

    Group 294.png

Importing a Custom Utility Command

  1. Log in to the D3 SOAR environment you wish to import the custom utility command to. Navigate to Configuration on the top menu bar. On the left side bar menu, click Utility Commands, then + to add a new custom utility command.

    Group 296.png
  2. Configure the custom utility command to add.

    Group 300.png
    1. Command Name: Enter a relevant name for the command. Please note that the command name must start with a letter, and can only contain letters, numbers and underscores!

    2. Implementation: Select Codeless Playbook for the purposes of importing a custom utility command.

    3. Command Category: Select the appropriate command category for the command you will import. Available categories include Basic Utility, Cyber Utility, and System Utility.

    4. Click Add to confirm and add the custom utility command.

  3. Click on the three-dot button found near the top right corner, then Replace Command.

    Group 304.png
  4. Replace the command with the exported XML file. Click Browse to locate and select the previously exported XML file, then Replace to confirm the configuration.

    Group 306.png
  5. You will see the custom utility command tasks appear in the editor. Click Submit (found at the top right corner) to allow the command to be live and available for use in the D3 SOAR environment.

  6. Done! You have successfully imported a custom utility command from another D3 SOAR environment.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.