Preprocessing Playbooks
LAST UPDATED: FEB 10, 2025
Preprocessing playbooks are used to automate preparatory operations on newly ingested, normalized activity data (see Configuring Data Ingestion). Preparatory operations commonly include deduplication, data enrichment, triage, and correlation.
On the landing page of the Preprocessing Playbooks module, users can search for existing playbooks or create new ones.
Life Cycle
The life cycle of a preprocessing playbook starts when raw data is ingested from an integration. The data undergoes field mapping, and a D3 event is created following the execution of the preprocessing playbook.
READER NOTE
See Event-Incident Correlation for details.
Preprocessing Playbook Types
Built-in Investigation Playbooks
Built-in preprocessing playbooks are preconfigured by D3, serving as templates for customization.
EXAMPLE
SentinelOne Event Playbook
Custom Investigation Playbooks
Custom preprocessing playbooks are user-defined workflows used to address unique operational needs.
READER NOTE
See My Second Playbook to create your first playbook.
D3 engineers assist in designing playbooks tailored to unique business requirements. Contact us today.
[February 2025] A new AI-assisted playbook builder is under development! Stay tuned.