Last updated: Mar 21, 2025
Command tasks refer to integration or utility commands, which can be D3-built or user-built (custom). Built-in and custom commands may be implemented through Python scripts or codeless playbooks.
Integration Commands
These commands execute actions related to external systems or services, such as retrieving threat intelligence, managing cloud resources, or automating tasks in areas like analytics, SIEM/XDR operations, and identity management.
Access Locations - Integration Commands
Playbook Task Menu
-
Hover over the command task.
-
Ensure that the Integration Commands tab is selected.
Integration Commands Tab
Task Configuration Popover
-
Connect a command task to the root playbook node.
-
Name the command task.
-
Click on the
icon.
-
Select All Integration from the Category dropdown menu.
Integrations Module
Users can access the Integrations module to explore all available commands for an integration and execute them outside of a playbook with the Test Command function.
-
Search and click into a specific integration to view its commands.
-
Select a command to execute.
-
Execute the command.
-
Navigate to the Test tab.
-
Select an existing connection or create a new one.
-
Enter input parameters as necessary.
-
Click on the Test Command button.
-
READER NOTE
At the incident level, commands can be executed on the fly using the Execute Command button in the general information header panel.
Utility Commands
These commands primarily support internal operations, including data manipulation, updating incident details, and generating reports, with occasional exceptions like facilitating email communications.
Access Locations - Utility Commands
Playbook Task Menu
-
Hover over the command task.
-
Click on the Utility Commands tab.
Utility Commands Tab
Task Configuration Popover
-
Connect a command task to the root playbook node.
-
Name the command task.
-
Click on the
icon.
-
Select All Utilities from the Category dropdown menu.
Utility Commands Module
Users can access the Utility Commands module to explore all utility commands and execute them outside of a playbook with the Test Command function.
-
Navigate to the Utility Commands module.
-
Search and select a command to execute.
-
Execute the command.
-
Navigate to the Test tab.
-
Select a site.
-
Enter input parameters as necessary.
-
Click on the Test Command button.
-
READER NOTE
At the incident level, commands can be executed on the fly using the Execute Command button in the general information header panel.
Integration Command Examples
Checking the Reputation of a URL
Objective: Set up and run a command task that checks the reputation of a URL.
-
Search for and drag the Check URL Reputation command task from VirusTotal v3 to the On Playbook Start trigger.
-
Name the task, ensure that the Testable option is selected, then click on the Next button.
-
Configure the task details, then save the task.
-
Enter a URL in text array format.
For the demo, the data is hardcoded, but it should almost always be dynamically retrieved from a data source (e.g., an event or incident) using the Format Builder function.
-
Select an existing connection to use or create a new one.
-
Select the Auto Run checkbox.
-
Click on the
button to save the task.
-
-
Click on the Test Playbook button, then click on the Run Test button in the popover.
RESULT
The Check URL Reputation command provides reputation data for a URL, enabling analysts to assess its safety and determine if blocking is necessary.
Interacting with Slack Interactivity Elements
Utility Command Examples
Sending an Email with Attachments
Objective: Send an email from the vSOC platform, including any files attached to the incident as email attachments.
-
Search for and drag the Send Email utility command task to the On Playbook Start trigger.
-
Name the task, ensure that the Testable option is selected, then click on the Next button.
-
Configure the task details, then save the task.
-
Enter the recipient's email address.
-
Enter the email subject.
-
Enter the email body.
-
Enter the CC recipient.
-
Choose Incident Attachment File as the file source.
-
Select the Dynamic toggle.
-
Dynamically retrieve the value for the File ID. Refer to Dynamically Selecting Data for more information.
{{ $.PlaybookData.DataSource.incident.File[*].FileId }}
-
Select the Auto Run checkbox.
For information about the Reply Mode and Reply Due Time parameters, refer to this documentation.
-
Click on the
button to save the task.
-
-
Test the playbook.
-
Click on the Test Playbook button.
-
Select a site.
-
Select an incident.
Testing the playbook on an incident will impact the incident. To avoid unintended effects, perform all testing involving the Test Playbook functionality in a demo instance of vSOC.
-
Click on the Run Test button.
-
RESULT
The Send Email command task sends an email based on the specified task configurations, delivering it to the primary recipient and any CC or BCC recipients defined. Any files uploaded to the incident workspace are included as attachments.
Retrieving Global List Metadata
Objective: Extract the description of a global list titled Demo Global List.
-
Ensure Demo Global List is available for use in select sites.
-
Connect a command task to the On Playbook Start trigger.
-
Name the command task, then click on the Next button.
-
Select the Auto Run checkbox, then click on the
icon.
-
Select the Get Global List MetaData utility command.
-
Specify the search type and global list name, then save the task.
-
Click on the Test Playbook button, then click on the Run Test button in the popover.
-
Click on the command's
task icon.
-
Click on the Return Data tab to view the extracted description.
Mixed Command Use Example
Mixed Command Use Example - Generating a CSV File Using Domain IP Reputation Results
Objective: Create a CSV file that includes information about the IP reputation linked to domain names.
-
Search for and drag the Get Ips by Domain Names utility command task to the On Playbook Start trigger.
-
Name the task, ensure that the Testable option is selected, then click on the Next button.
-
Configure the task details, then save the task.
-
Enter the domain names whose IPs will be retrieved, such as this compromised domain listed by Zone Files:
[shopsabz.com]
For the demo, the data is hardcoded, but it should almost always be dynamically retrieved from a data source (e.g., an event or incident) using the Format Builder function.
-
Select the Auto Run checkbox.
-
Click on the
button to save the task.
-
-
Repeat steps 1 and 2 to add the Get IP Reputation command task from the VirusTotal V3 integration to the previous task.
-
Configure the task details, then save the task.
-
Dynamically retrieve the value for the IPs, the output data of the previous task.
{{PlaybookData | jsonpath('$.["Get IP by Domain"].outputData.IPAddresses')}}
-
Select an existing connection to use or create a new one.
-
Select the Auto Run checkbox.
-
Click on the
button to save the task.
-
-
Repeat steps 1 and 2 to add the Convert HTML to JSON utility command task to the previous task.
-
Configure the task details, then save the task.
-
Click on the Dynamic toggle.
-
Dynamically retrieve the value for the HTML Text, the result of the previous task.
{{ $.PlaybookData.["Get IP Reputation"].result }}
-
Select the True option.
-
Select the Auto Run checkbox.
-
Click on the
button to save the task.
-
-
Repeat steps 1 and 2 to add the Convert JSON Array to CSV utility command task to the previous task.
-
Configure the task details, then save the task.
-
Dynamically retrieve the value for the JSON Array to Convert, the return data of the previous task.
{{ $.PlaybookData.["Convert HTML Table to JSON"].returnData }}
-
(Optional) Rename the file.
-
Select the Auto Run checkbox.
-
Click on the
button to save the task.
-
-
Click on the Test Playbook button, then click on the Run Test button in the popover.
RESULT
Users will be able to download the "result" CSV file by navigating to the playbook task details > Result tab, then clicking on the result.csv file.
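As an added illustration (not D3's code and not part of the original documentation), the last two tasks of this playbook can be reproduced offline in Python: an HTML table is parsed into a JSON array, which is then written as CSV. The table layout and column names are constructed assumptions, and the leading quote placed before formula-like cells is an added hardening step for analysts who open the file in a spreadsheet, not a documented behaviour of the utility commands.

```python
import csv
import io
from html.parser import HTMLParser

class TableParser(HTMLParser):  # collects the cell text of every <tr> in a table
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("th", "td") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("th", "td") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = self._cell = None

def html_table_to_json(html_text):
    """First row is the header; every later row becomes one JSON object."""
    parser = TableParser()
    parser.feed(html_text)
    header, *body = parser.rows or [[]]
    return [dict(zip(header, row)) for row in body]

FORMULA_PREFIXES = ("=", "+", "-", "@")  # cells a spreadsheet would evaluate

def json_array_to_csv(records):
    """Columns are the union of keys; formula-like cells get a leading quote."""
    columns = list(dict.fromkeys(k for rec in records for k in rec))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for rec in records:
        cells = (str(rec.get(k, "")) for k in columns)
        writer.writerow(["'" + v if v.startswith(FORMULA_PREFIXES) else v for v in cells])
    return out.getvalue()

# Constructed sample; the real Get IP Reputation result layout may differ.
SAMPLE_HTML = ("<table><tr><th>IP</th><th>Malicious</th><th>AS Owner</th></tr>"
               "<tr><td>192.0.2.10</td><td>3</td><td>=EXAMPLE-NET</td></tr>"
               "<tr><td>198.51.100.7</td><td>0</td><td>Example Hosting</td></tr></table>")
```

Calling `json_array_to_csv(html_table_to_json(SAMPLE_HTML))` returns the CSV text that the final task would store as result.csv under these assumptions.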