Preprocessing Playbooks
LAST UPDATED: FEB 10, 2025
Preprocessing playbooks are used to automate preparatory operations on newly ingested, normalized activity data (see Configuring Data Ingestion). Preparatory operations commonly include deduplication, data enrichment, triage, and correlation.
On the landing page of the Preprocessing Playbooks module, users can search for existing playbooks or create new ones.
-20250121-230038.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Playbook Search Panel
Purpose: Allows users to search, browse, and create custom preprocessing playbook categories.
Key Features:
Search Bar: Provides text-based search functionality for quick access to specific playbooks.
Playbook Categories: Organizes playbooks into predefined categories.
Custom Folders: Enables users to create and organize playbooks into custom folders.
%201-20250121-231459.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Playbook Count: Displays the number of playbooks available in each category or folder.
Playbook Addition Menu (Top Left Dropdown)
Purpose: Enables users to add new playbooks using various methods.
Key Features:
Manual Builder: Opens an interface for manual creation of playbooks.
%201-20250121-231828.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
AI Builder: Uses AI to assist in generating playbooks.
%201-20250121-232044.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Import Playbook: Allows importing existing playbooks. See step 3b in Using a Template.
%201-20250121-004617.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Playbook Listing Panel
Purpose: Displays a grid view of available playbooks within the selected category or folder.
Key Features:
Playbook Cards – Each playbook is represented as a card that includes:
Playbook Name: Clearly labeled for easy identification.
-20250121-233706.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Task Count: Indicates the total number of tasks in the playbook.
-20250121-233719.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Permission: Whether the user is a viewer, editor, or owner of the playbook.
-20250121-233754.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Operational Mode and Availability Indicator: The operational mode of a current playbook—orange for
%201%20(1)-20250121-011219.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
mode and green for %201%20(1)-20250121-011246.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
mode.-20250121-233828.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
-20250121-233844.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Description: A summary or use case for the playbook.
-20250121-233457.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
-20250121-233644.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
Sorting Options: Organizes playbooks by integration, last modified time, or alphabetical order.
Playbook Library (Top Right Button)
See Playbook Library.
Life Cycle
The life cycle of a preprocessing playbook starts when raw data is ingested from an integration. The data undergoes field mapping, and a D3 event is created following the execution of the preprocessing playbook.
READER NOTE
See Event-Incident Correlation for details.
Preprocessing Playbook Types
Built-in Investigation Playbooks
Built-in preprocessing playbooks are preconfigured by D3, serving as templates for customization.
EXAMPLE
-20250122-001104.png?inst-v=6798c1ab-130a-491a-a9e4-b9ecc9e7d788)
SentinelOne Event Playbook
Custom Investigation Playbooks
Custom preprocessing playbooks are user-defined workflows used to address unique operational needs.
READER NOTE
See My Second Playbook to create your first playbook.
D3 engineers assist in designing playbooks tailored to unique business requirements. Contact us today.
[February 2025] New AI-assisted playbook builder is under development! Stay tuned.