Breadcrumbs

Introduction to Utility Commands

last updated: mar 21, 2025

Utility commands are directives that perform operations at various levels of abstraction and scope. They can be executed within automation workflows or as standalone actions, and are—similar to integration commands—either built-in or user-defined. Both built-in and user-defined commands may be of Python or Codeless Playbook implementation.

image 24 (2)-20250117-033025.png

Diverse functionalities of utility commands include converting JSON arrays into HTML tables for structured data presentation, creating incidents for correlation, updating incident fields for investigation and record-keeping, sending system emails, and linking extracted IOCs to incidents for downstream threat intelligence workflows.

Examples by Utility Command Category

Frame 132 (3)-20250116-175012.png

  1. Data Manipulations: Handles simple data processing on the following data types:
    array
    Example
    - Add Text to Empty Array
    Boolean
    Example
    - Is False
    DateTime
    Example
    - Get Current UTC Time
    HTML
    Example
    - Strip Tags
    JSON Object
    Example
    - Convert JSON Array to HTML Table
    Number
    Example
    - Get Maximum Number
    Text
    Example
    - Ends with

  2. Agent: Manages agent-related operations.
    Example
    - Get Agent Details

  3. AI: Executes artificial intelligence-related operations.

    Example
    - Set Al Investigation Detail

  4. Artifact: Handles artifact-related operations.

    Example
    - Get Related Incidents by Artifact

  5. Automation Rule: Performs automation rule-related operations.

    Example
    - Sync Event Automation Rule

  6. Case: Supports case management.

    Example
    - Remove Case Attachment

  7. Communication: Facilitates interaction with external systems or services.

    Example
    - Send Email

  8. Connection: Manages connections.

    Example
    - Sync Connection

  9. Data Ingestion: Handles data ingestion-related operations.

    Example
    - Create Incident With Conditions

  10. Domain: Performs domain-related operations.

    Example
    - Get from URLs

  11. Dynamic Form: Performs dynamic form-related operations.

    Example
    - Set Incident Dynamic Field Values

  12. Email: Manages email-based operations.

    Example
    - Extract Basic Information from Email File

  13. Event: Performs event-related operations.

    Example
    - Get Events

  14. File: Handles file-related operations.

    Example
    - Encrypt File with Password Protection

  15. Global List: Performs global list-related operations.

    Example
    - Check Value Exists in Global List

  16. Hash: Performs hash-related operations.

    Example
    - Extract Hashes from Array of JSON Objects

  17. Hostname: Performs hostname-related operations.

    Example
    - Get Hostname for IP Addresses

  18. IOC: Performs operations related to indicators of compromise.

    Example
    - Extract IOCs

  19. IP: Performs IP-related operations.

    Example
    - Get IP Addresses Reputation

  20. Local Shared Data: Performs operations involving locally shared data.

    Example
    - Add Root Key for Local Shared Data

  21. Logging: Performs logging-related operations.

    Example
    - Get D3 Log

  22. Metrics: Performs metrics-related operations.

    Example
    - Get D3 Application Metrics

  23. MITRE: Performs operations related to MITRE frameworks to analyze and map threats or tactics.

    Example
    - Update Mitre Tactics and Techniques

  24. Multitenancy: Performs operations related to multi-tenancy.

    Example
    - Sync Global List

  25. Playbook: Performs playbook-related operations.

    Example
    - Delay

  26. Reporting: Performs reporting-related operations.

    Example
    - Generate Incident Summary Report

  27. Site: Performs site-related operations.

    Example
    - Create Site

  28. SLA: Performs service level agreement-related operations.

    Example
    - Pause SLA

  29. System Counter: Performs system counter-related operations.

    Example
    - Set System Counter

  30. Tactics & Techniques: Performs tactics and techniques-related operations.

    Example
    - Add Tactics & Techniques to Incident

  31. Trigger Output Data: Performs trigger output data-related operations.

    Example
    - Add Fields in Trigger Output Data

  32. Uncategorized Folder: Performs miscellaneous operations.

  33. URL: Performs URL-related operations.

    Example
    - Get URLs Reputation

  34. User: Performs user-related operations.

    Example
    - Get All Users with Specific Role

  35. Widget: Performs widget-related operations.

    Example
    - Get Reporting Widget

Learning More About Utility Commands

D3 offers hundreds of utility commands, with ongoing development adding new ones.

Browse through utility command documentations here →

Learn to build your first custom utility command here →

Anatomy of the Utility Command Module

Search Page

image-20250116-194422.png
UI Breakdown - Search Page

Search Panel (Left)

  • Search Utility Commands: Users can enter keywords into the search bar, or select from the categories, to locate specific commands.

  • Add New Command: The + button allows users to create or configure new utility commands.

  • Custom Categories: Users can add, edit and delete custom utility command categories.
    Adding

    Frame 138 (5)-20250116-202619.png
    Frame 139 (3)-20250116-202634.png
    image 23 (2)-20250116-202326.png

    Editing

    Frame 140 (3)-20250116-224359.png
    Frame 142 (2)-20250116-224415.png

    Deleting

    Frame 143 (3)-20250116-224716.png
    Frame 141 (3)-20250116-224727.png
    Frame 144 (4)-20250116-225005.png

Results Panel (Right)

  • Utility Command Cards: Displays a grid of commands based on the current search or filter selection. Each card contains the utility command's name, description, and its implementation type.

  • Sort Commands: Users can sort the displayed commands based on:

    • Type (Built-In or Custom)

    • Tags

    • Featured

    • Most Used

    • Last Modified Time (Latest or Oldest first)

    • Alphabetical name order (A-Z or Z-A)

  • Pagination: Navigates through multiple pages of results.

Operations Console

Frame 145 (3)-20250117-003042.png
UI Breakdown - Operations Console

Command Details Panel (Left)

  • Command Name and Description: Basic command information.

  • Implementation Type: System, Python or Codeless Playbook.

  • Command Category: See Categories and Examples of Utility Commands.

  • Tags: Labels that give a general sense of the topics or areas to which commands are related, and that enable filtering in the results panel.

  • Role Access: Whether to restrict this command for the exclusive use of privileged users.

  • Command Application Scope: Where this command will be available for use.

Command Editor Panel (Right)

  • Command Code Editor: The place to write or modify the command logic using Python.

  • Save and Undo Buttons:

    • Save: Saves the code changes for this draft.

    • Undo Changes: Reverts the command editor to its state before the previous action.

Command Application Scope

By default, commands are not enabled for any scope. They must be explicitly assigned to one or more of the following application contexts:

Command Task (Preprocessing and Investigation Playbooks)

Frame 6 (30)-20241213-032945.png

Conditional Task (Preprocessing and Investigation Playbooks)

Frame 3 (37)-20241213-024309.png

Transform Command: This feature was designed for earlier versions of the D3 vSOC platform, and has been deprecated since version 14. Data transformations are now primarily handled by the Data Formatter task. The Transform Command UI components are subject to removal in future releases.

Ad-hoc Command (Incident Workspace)

Frame 4 (35)-20241213-030514.png

Alert Reformatter (Schedule and Webhook Data Ingestion)

Frame 5 (23)-20241213-032750.png