Playbooks

LAST UPDATED: FEB 14, 2025

D3 playbooks (preprocessing playbooks and investigation playbooks) are built to be reused across multiple instances, automating security operations through three key components:

  • Triggers: The branches of the root playbook node that initiate a playbook workflow when a certain condition is met.

  • Tasks: The playbook nodes that perform actions, either by requiring user input, such as responding to prompts or manually starting tasks, or through automated processes configured in advance.

  • Control Flow: The logic that determines the conditions and sequence for task execution, controlling how tasks progress, branch, coalesce, or repeat.

Preprocessing Playbooks

The preprocessing playbook is used to automate preparatory tasks—deduplication, enrichment, filtration, and correlation—useful before deeper investigation begins.

Read more about Preprocessing Playbooks here →

Investigation Playbooks

The investigation playbook is the primary playbook type used for automating the analysis and response of incidents.

Read more about Investigation Playbooks here →

Understanding the Playbook Interface

The interface for playbooks includes an action bar, editor, execution history information panel, task menu and library.

Playbook Action Bar

Breadcrumbs

Breadcrumbs indicate the user's location within the platform and allow navigation to previous pages or modules by clicking the corresponding breadcrumb.

Concurrent Users

All users currently viewing or editing this playbook are displayed here by their initials.

Playbook Controls

This section displays the playbook's current view mode ( or ) and includes buttons for:

  • Viewing the or status of the playbook

  • Saving drafts without submitting

  • Submitting a newer playbook (and rendering it live)

  • Publishing the playbook to select sites

  • Removing the playbook from all select sites

  • Configuring user permissions

    • Viewer: Can test run the playbook; view the task configurations; view, clone, and export draft submissions; view command references; and access the playbook execution log

    • Editor: Includes all Viewer permissions, with additional capabilities to manage trigger visibility, configure tasks, save drafts, submit drafts, restore submissions, and delete the playbook.

    • Owner: Includes all Editor permissions, with additional capabilities to configure user permissions.

  • Performing version history (all submissions) actions

    • Viewing submissions

    • Cloning submissions

    • Restoring submissions (overwrites the current draft)

    • Exporting submissions

Administrative Actions

Clicking on the vertical ellipsis button presents the following actions:

  • Clone Playbook: Duplicates the current playbook under a new name, useful for testing variations

  • Replace Playbook: Prompts the user to upload an XML file of another playbook, replacing all tasks beyond the root node.

  • Delete Playbook: Deletes the playbook from the system

  • View Execution Logs: Shows the playbook’s execution log

  • Command References: Lists all integration commands and custom utility commands used in this D3 playbook (or utility command).

Playbook Editor

The editor visually represents all tasks in the playbook and their relationships, providing an overview of the workflow structure. It also includes a secondary action bar:

Feature

Description

Search

Highlights matching playbook nodes and displays the total count, helping users locate relevant tasks.

Show/Hide Overview

Toggles the visibility of the playbook overview.

Zoom In/Zoom Out

Allows zooming in and out of the playbook editor.

Zoom to Fit

Adjusts the view to display the entire playbook within the frame.

Export

Downloads a snapshot of the playbook ( or ) as a PNG file.

Refresh

Helps verify whether queued tasks, running tasks, or pending tasks are truly still in progress.

Organize Nodes

Organizes playbook nodes to improve readability.

HEADS-UP

Reorganizing the nodes means overwriting the current layout.

Show Local Shared Data

JSON data specific to a single playbook, shared among all tasks within that playbook.

READER NOTE

Run the Add Root Key for Local Shared Data command to add a JSON object.

Trigger Output Data

The JSON data—initially generated behind the scenes during field mapping and refined in the On Event Ingestion preprocessing workflow—that contain all necessary information to create a D3 event and determine whether to escalate or dismiss it.

Test Run

Opens a popover to test run the playbook.

Preprocessing Playbook

  • Testing Data - An upcoming ingestion that will not result in the creation of an event.

  • Existing Event - An existing D3 event in its newly normalized form, as if it had just passed the Data Source node, ready for preprocessing.

Investigation Playbook

  • Test Trigger: Uses an incident (optional for the On Playbook Start / On Playbook Task Error triggers) to test particular triggers.

Stop Test Run

Terminates a playbook test run, clearing all execution progress and statuses.

Playbook Execution History Information Panel
Playbook Task Menu

The task menu allows users to add tasks to the playbook editor.

Preprocessing Playbook Task Menu

Investigation Playbook Task Menu

READER NOTE

For a comprehensive list of playbook tasks and usage examples, refer to Playbook Tasks.

Playbook Library