Enriching Events with External Data

You can enrich your ingested data with additional information from your environment. Enrichment can provide more flexibility for clustering your alerts the way you want. It can also make the resulting incidents easier to analyze and troubleshoot.

Event workflows provide enrichment for events. An event workflow is a user-defined, fully automated sequence of actions applied to each new event:

  1. A new event arrives at the workflow engine, which triggers the workflow.

  2. Each workflow has an initial trigger, which is an event filter that specifies the events that the workflow will process.

  3. The event passes through a series of actions that enhance and update the data in the event.

    A workflow can enrich events with data from external catalogs. You can also create workflows that update fields in an event based on other fields in the same event.

  4. Once the event passes through all actions in all relevant workflows, the data pipeline does the following:

    1. Deduplicates the event into an alert.

    2. Sends the alert to the correlation engine.

The Workflow Engine UI (Settings > Workflow Engine) provides a simple drag-and-drop interface for creating workflows.
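To make the pipeline above concrete, here is a small model of it in Python: a trigger filter selects events, ordered actions enrich them (one from an external catalog, one derived from other fields of the same event), and the enriched events are then deduplicated into alerts that would be handed to the correlation engine. This is an added illustration and not BigPanda's own code; the host catalog, the field names (`host`, `check`, `severity`), the `P1`/`P3` priority rule and the host-plus-check deduplication key are all constructed assumptions.

```python
"""Toy event-workflow engine: trigger filter -> enrichment actions -> dedup.

Added illustration only; catalog contents, field names and the
deduplication key are constructed assumptions, not product behaviour.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]

# Constructed external catalog (a CMDB-style host inventory); assumption.
HOST_CATALOG = {
    "web-01": {"team": "platform", "env": "prod", "region": "eu-west-1"},
    "db-07":  {"team": "data",     "env": "prod", "region": "us-east-1"},
}


@dataclass
class Workflow:
    name: str
    trigger: Callable[[Event], bool]        # event filter (initial trigger)
    actions: List[Callable[[Event], None]]  # applied in order to matching events

    def run(self, event: Event) -> bool:
        """Apply all actions if the trigger matches; report whether it did."""
        if not self.trigger(event):
            return False
        for action in self.actions:
            action(event)
        return True


def enrich_from_catalog(event: Event) -> None:
    """Copy catalog attributes for the event's host into the event."""
    meta = HOST_CATALOG.get(event.get("host"))
    if meta:
        event.update(meta)
    else:
        # Keep the event, but flag the missing catalog entry for analysts.
        event["catalog_miss"] = True


def derive_priority(event: Event) -> None:
    """Set a field based on other fields in the same event (constructed rule)."""
    sev = event.get("severity", "info")
    env = event.get("env", "unknown")
    event["priority"] = "P1" if (sev == "critical" and env == "prod") else "P3"


WORKFLOWS = [
    Workflow("host-enrichment", lambda e: "host" in e, [enrich_from_catalog]),
    Workflow("priority", lambda e: True, [derive_priority]),
]


def dedup_key(event: Event):
    """Events with the same host and check collapse into one alert (assumption)."""
    return (event.get("host"), event.get("check"))


def process(events: List[Event], workflows=WORKFLOWS) -> List[Dict[str, Any]]:
    """Run every workflow over each event, then deduplicate into alerts."""
    alerts: Dict[Any, Dict[str, Any]] = {}
    for raw in events:
        event = dict(raw)  # never mutate the caller's copy
        for wf in workflows:
            wf.run(event)
        key = dedup_key(event)
        if key in alerts:
            alerts[key]["count"] += 1
            alerts[key]["last"] = event  # latest enriched view of the alert
        else:
            alerts[key] = {"count": 1, "first": event, "last": event}
    return list(alerts.values())  # these would go to the correlation engine


# Constructed sample events: a repeated critical, a warning, and an unknown host.
SAMPLE_EVENTS = [
    {"host": "web-01", "check": "cpu", "severity": "critical"},
    {"host": "web-01", "check": "cpu", "severity": "critical"},
    {"host": "db-07", "check": "disk", "severity": "warning"},
    {"host": "unknown-99", "check": "ping", "severity": "critical"},
]

if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS):
        print(alert["count"], alert["first"])
```

Two details matter for troubleshooting: the catalog action never drops an event it cannot enrich but marks it with `catalog_miss`, so a stale inventory shows up in the alert rather than silently lowering its priority, and the priority action runs after enrichment because it reads the `env` field the catalog supplied.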