Breadcrumbs

Preprocessing Playbook Triggers

last updated: mar 21, 2025

On Event Ingestion

Frame 87 (7)-20250111-013718.png

Executes tasks either during playbook test run or when the playbook is activated as part of data ingestion through a schedule or webhook.

Playbook Test Run

  1. Click on the Test Playbook button.

    Frame 92 (7)-20250113-212426.png

  2. Select an ingested event, then click on the Run Test button.

    Frame 91 (4)-20250113-212551.png

  3. Verify that tasks execute.

    image-20250113-212757.png
Schedule-Induced Execution (CrowdStrike)

  1. Build a simple playbook that sends an email upon being activated.

    Frame 94 (6)-20250113-215612.png

  2. Submit this playbook.

    Frame 93 (5)-20250113-214947.png

  3. Setup a schedule using the submitted playbook.

    Frame 95 (5)-20250113-231715.png

  4. Wait for data to flow in, then stop ( 10.2.0.134_BetaPreview_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=1f74eadc6dcecf9fce720553ae68fbd20e163ab9292bf608c553ae7f180fecba (4) 1-20250113-235104.png ) the schedule after some events have been automatically created.

    Frame 97 (5)-20250113-233737.png

  5. Check the email to verify that the playbook was triggered.

    Frame 96 (4)-20250113-233815.png
Webhook-Induced Execution (CrowdStrike)

  1. Build a simple playbook that sends an email upon being activated.

    Frame 94 (6)-20250113-215612.png

  2. Submit this playbook.

    Frame 93 (5)-20250113-214947.png

  3. Set up a webhook key.

    Frame 98 (5)-20250114-000417.png

  4. Copy the POST request URL into Postman, then input the following raw JSON data:

    JSON
    {
    "resources": {
        "description": "Created from a webhook push"
    }
}
    Frame 99 (6)-20250114-001309.png
    Frame 108 (3)-20250114-014059.png

READER NOTE *

  • The raw JSON data must include at least the main JSON path (i.e., $.resources for CrowdStrike) to generate a D3 event, which will be used to run the preprocessing playbook.

  • Subsequent POST requests with identical payloads will not generate additional D3 events.

  1. Copy the POST request header key and head value into Postman.

    Frame 101 (6)-20250114-001839.png
    Frame 103 (4)-20250114-003158.png

  2. Select the submitted playbook under Additional Settings.

    Frame 104 (4)-20250114-012140.png

  3. Send the POST request.

    Frame 107 (5)-20250114-013217.png

  4. Check the email to verify that the playbook was triggered.

    Frame 106 (3)-20250114-013057.png


After Event Dismissal

Executes tasks after an event is dismissed.

Ingestion-Dismissal Example (Webhook)

  1. Build a simple playbook that sends an email upon being activated.

    Frame 109 (2)-20250114-022931.png

  2. Add a Dismiss task to the On Event Ingestion trigger.

    10.2.0.134_BetaPreview_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=df1f5306d3e9abdab13595be61dec9cefed1097539f62b026edbbcb85f62b1cb (2) 1-20250114-023412.png

  3. Submit this playbook.

    Frame 93 (5)-20250113-214947.png

  4. Set up a webhook key.

    Frame 98 (5)-20250114-000417.png

  5. Copy the POST request URL into Postman, then input the following raw JSON data:

    JSON
    {
    "resources": {
        "description": "This event will be dismissed."
    }
}
    Frame 99 (6)-20250114-001309.png
    Frame 110 (4)-20250114-024453.png

READER NOTE *

  • The raw JSON data must include at least the main JSON path (i.e., $.resources for CrowdStrike) to generate a D3 event, which will be used to run the preprocessing playbook.

  • Subsequent POST requests with identical payloads will not generate additional D3 events.

  1. Copy the POST request header key and head value into Postman.

    Frame 101 (6)-20250114-001839.png
    Frame 103 (4)-20250114-003158.png

  2. Select the submitted playbook under Additional Settings.

    Frame 104 (4)-20250114-012140.png

  3. Send the POST request.

    Frame 111 (2)-20250114-024951.png
    10.2.0.134_BetaPreview_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=9279fa249f02c54a92c025a154285987d9b65165cd6f8d9288fcddecf05f8ff2 1-20250114-025135.png

  4. Check the email to verify that the playbook was triggered.

    Frame 112 (3)-20250114-034311.png


Frame 90 (4)-20250111-014415.png

On Playbook Task Error

Frame 89 (4)-20250111-014301.png

Executes tasks when a playbook task encounters an error.

Example 1 - Error in Current-Level Playbook Task

  1. Set up an error-resulting task on the On Event Ingestion trigger, ensuring that the Error Trigger handling option is checked.

    Frame 124 (3)-20250115-191023.png

  2. Set up a Send Email utility command task for the On Playbook Task Error trigger.

    Frame 125 (3)-20250115-191437.png

  3. Test run this playbook (see On Event Ingestion examples), ensuring that the Error Task results in lab190.d3securityonline.net_16_8_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=0136de1ab403e957e8f2e3830f55e0d07561dc2f2fc5b0d4be07936dd48d9993 (5) 2-20250110-022826.png , and the Send Email task results in lab190.d3securityonline.net_16_8_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=0136de1ab403e957e8f2e3830f55e0d07561dc2f2fc5b0d4be07936dd48d9993 (5) 3-20250110-022810.png .

    10.2.0.134_BetaPreview_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=4712bb3a03984633155d15526f125a3d45af47ecd8bff88a7afb1ade6b959fa7 (2) 1-20250115-191812.png

  4. Check the email for the error message.

    Frame 126 (2)-20250115-192059.png
Example 2 - Error Emitted from Nested Playbook

  1. Create a Codeless Playbook utility command.

    Frame 113 (4)-20250115-174237.png

  2. Setup a task that would result in an error. Click on the 10.2.0.134_BetaPreview_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=855671b172b4dc0fb9446dc6477bccec07c83e9f1bce382a7ca852f4cd410706 (2) 1 (1)-20250115-174849.png button to verify.

    Frame 114 (4)-20250115-180256.png

  3. Enable its use as a command task.

    Frame 115 (3)-20250115-180717.png

  4. Use a image 6 (5)-20250110-020837.png passdown task to emit an error message to the parent playbook.

    Frame 116 (4)-20250115-181258.png

  5. Submit this utility command.

    Frame 117 (3)-20250115-181557.png

  6. Create an investigation playbook.

    Frame 118 (3)-20250115-182023.png

  7. Set up the Demo Nested Playbook Utility Command task on the On Event Ingestion trigger, ensuring the Error Trigger checkbox is ticked.

    Frame 121 (4)-20250115-183744.png

  8. Set up a Send Email utility command task for the On Playbook Task Error trigger.

    Frame 122 (5)-20250115-184757.png

  9. Test run this playbook (see On Event Ingestion examples), ensuring that the Demo Nested Playbook Utility Command task results in lab190.d3securityonline.net_16_8_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=0136de1ab403e957e8f2e3830f55e0d07561dc2f2fc5b0d4be07936dd48d9993 (5) 2-20250110-022826.png , and the Send Email task results in lab190.d3securityonline.net_16_8_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=0136de1ab403e957e8f2e3830f55e0d07561dc2f2fc5b0d4be07936dd48d9993 (5) 3-20250110-022810.png .

    10.2.0.134_BetaPreview_VSOC_LifeServer.aspx_div=dashboard&Open=Other&t2=855671b172b4dc0fb9446dc6477bccec07c83e9f1bce382a7ca852f4cd410706 (13) 1-20250115-185454.png

  10. Check the email for the error message.

    Frame 123 (3)-20250115-185739.png