
Preprocessing Playbook Triggers

LAST UPDATED: MAR 21, 2025

On Event Ingestion


Executes tasks either during playbook test run or when the playbook is activated as part of data ingestion through a schedule or webhook.

Playbook Test Run
  1. Click on the Test Playbook button.

  2. Select an ingested event, then click on the Run Test button.

  3. Verify that tasks execute.

Schedule-Induced Execution (CrowdStrike)
  1. Build a simple playbook that sends an email upon being activated.

  2. Submit this playbook.

  3. Set up a schedule using the submitted playbook.

  4. Wait for data to flow in, then stop the schedule after some events have been automatically created.

  5. Check the email to verify that the playbook was triggered.

Webhook-Induced Execution (CrowdStrike)
  1. Build a simple playbook that sends an email upon being activated.

  2. Submit this playbook.

  3. Set up a webhook key.

  4. Copy the POST request URL into Postman, then input the following raw JSON data:

    JSON
    {
        "resources": {
            "description": "Created from a webhook push"
        }
    }

READER NOTE

  • The raw JSON data must include at least the main JSON path (i.e., $.resources for CrowdStrike) to generate a D3 event, which will be used to run the preprocessing playbook.

  • Subsequent POST requests with identical payloads will not generate additional D3 events.

  5. Copy the POST request header key and header value into Postman.

  6. Select the submitted playbook under Additional Settings.

  7. Send the POST request.

  8. Check the email to verify that the playbook was triggered.
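
A scripted equivalent of the Postman steps above, as an added example rather than D3's own code: it checks that the body carries the $.resources main JSON path before sending, and tags the description so repeated test sends are not identical payloads. The URL, header key and header value are placeholders to be replaced with the values copied from the webhook key settings, and the function names are illustrative.

```python
import json
import urllib.request
import uuid

# Placeholders (assumptions): copy the real values from the webhook key
# settings; none of these come from the page.
WEBHOOK_URL = "https://d3.example.invalid/webhook/PLACEHOLDER"
HEADER_KEY = "PLACEHOLDER-HEADER-KEY"
HEADER_VALUE = "PLACEHOLDER-HEADER-VALUE"
MAIN_PATH = "resources"  # $.resources, the main JSON path for CrowdStrike


def make_payload(description, unique=True):
    """Build the test body; a run tag keeps repeat sends from being identical."""
    if unique:
        description = f"{description} [run {uuid.uuid4().hex[:8]}]"
    return {MAIN_PATH: {"description": description}}


def check_payload(payload):
    """Return a list of problems that would stop the push creating an event."""
    problems = []
    if not isinstance(payload, dict) or MAIN_PATH not in payload:
        problems.append(f"missing main JSON path $.{MAIN_PATH}")
    return problems


def build_request(payload, url=WEBHOOK_URL, key=HEADER_KEY, value=HEADER_VALUE):
    """Prepare the POST; refuse to build it if the payload fails the check."""
    problems = check_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.dumps(payload).encode("utf-8")
    headers = {"Content-Type": "application/json", key: value}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(request, timeout=10):
    """Send the prepared request and return the HTTP status code."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    req = build_request(make_payload("Created from a webhook push"))
    print(req.get_method(), req.full_url, req.data.decode())
    # send(req)  # uncomment after replacing the placeholders above
```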

After Event Dismissal

Executes tasks after an event is dismissed.

Ingestion-Dismissal Example (Webhook)
  1. Build a simple playbook that sends an email upon being activated.

  2. Add a Dismiss task to the On Event Ingestion trigger.

  3. Submit this playbook.

  4. Set up a webhook key.

  5. Copy the POST request URL into Postman, then input the following raw JSON data:

    JSON
    {
        "resources": {
            "description": "This event will be dismissed."
        }
    }

READER NOTE

  • The raw JSON data must include at least the main JSON path (i.e., $.resources for CrowdStrike) to generate a D3 event, which will be used to run the preprocessing playbook.

  • Subsequent POST requests with identical payloads will not generate additional D3 events.

  6. Copy the POST request header key and header value into Postman.

  7. Select the submitted playbook under Additional Settings.

  8. Send the POST request.

  9. Check the email to verify that the playbook was triggered.


On Playbook Task Error


Executes tasks when a playbook task encounters an error.

Example 1 - Error in Current-Level Playbook Task
  1. Set up an error-resulting task on the On Event Ingestion trigger, ensuring that the Error Trigger handling option is checked.

  2. Set up a Send Email utility command task for the On Playbook Task Error trigger.

  3. Test run this playbook (see On Event Ingestion examples), ensuring that the Error Task results in , and the Send Email task results in .

  4. Check the email for the error message.

Example 2 - Error Emitted from Nested Playbook
  1. Create a Codeless Playbook utility command.

  2. Set up a task that would result in an error. Click on the button to verify.

  3. Enable its use as a command task.

  4. Use a passdown task to emit an error message to the parent playbook.

  5. Submit this utility command.

  6. Create an investigation playbook.

  7. Set up the Demo Nested Playbook Utility Command task on the On Event Ingestion trigger, ensuring the Error Trigger checkbox is ticked.

  8. Set up a Send Email utility command task for the On Playbook Task Error trigger.

  9. Test run this playbook (see On Event Ingestion examples), ensuring that the Demo Nested Playbook Utility Command task results in , and the Send Email task results in .

  10. Check the email for the error message.

