Event workflow intro

Event workflows provide enrichment for events. An event workflow is a user-defined, fully-automated sequence of actions applied to each new event:

  1. A new event arrives at the workflow engine, which triggers the workflow.

  2. Each workflow has an initial trigger, which is an event filter that specifies the events that the workflow will process.

    • If the event does not pass the trigger filter, the workflow exits.

    • If the event passes the filter, the workflow proceeds to the next step.

  3. The event passes through a series of actions that enhance and update the data in the event.

    A workflow can enrich events with data from external catalogs. You can also create workflows that update fields in an event based on other fields in the same event.

  4. Once the event passes through all actions in all relevant workflows, the data pipeline does the following:

    1. Deduplicates the event into an alert.

    2. Sends the alert to the correlation engine.
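
A conceptual Python model of the sequence above, added here as an illustration; it is not Moogsoft code or a Moogsoft API, since workflows are built in the UI. The catalog, field names, workflow functions and the deduplication key (source plus check) are all assumptions, and the sample events are constructed.

```python
# Conceptual model only; every name, field and the dedup key is an assumption.
CATALOG = {  # constructed enrichment data catalog, keyed by host name
    "db-01": {"owner": "dba-team", "tier": "prod"},
    "web-07": {"owner": "web-team", "tier": "staging"},
}
SAMPLE_EVENTS = [  # constructed events
    {"source": "db-01", "service": "database", "check": "disk", "severity": "minor"},
    {"source": "db-01", "service": "database", "check": "disk", "severity": "minor"},
    {"source": "web-07", "service": "http", "check": "latency", "severity": "minor"},
    {"source": "db-99", "service": "database", "check": "disk", "severity": "minor"},
]

def trigger(event):
    """Step 2: event filter deciding whether this workflow processes the event."""
    return event.get("service") == "database"

def enrich_from_catalog(event):
    """Step 3: add catalog fields; a host missing from the catalog adds nothing."""
    event.update(CATALOG.get(event.get("source"), {}))
    return event

def raise_severity_for_prod(event):
    """Step 3: update one field based on another field of the same event."""
    if event.get("tier") == "prod" and event.get("severity") == "minor":
        event["severity"] = "major"
    return event

WORKFLOWS = [{"trigger": trigger,
              "actions": [enrich_from_catalog, raise_severity_for_prod]}]

def run_workflows(event):
    """Steps 1-3: apply every workflow whose trigger filter the event passes."""
    event = dict(event)  # work on a copy of the incoming event
    for wf in WORKFLOWS:
        if not wf["trigger"](event):
            continue  # workflow exits (assumed: event still goes on to step 4)
        for action in wf["actions"]:
            event = action(event)
    return event

def process(events):
    """Step 4: deduplicate processed events into alerts for the correlation engine."""
    alerts = {}
    for raw in events:
        ev = run_workflows(raw)
        key = (ev.get("source"), ev.get("check"))  # assumed dedup key
        alert = alerts.setdefault(key, {**ev, "event_count": 0})
        alert["event_count"] += 1
    return list(alerts.values())
```

In this model the two `db-01` events collapse into one enriched alert, the `web-07` event fails the trigger and passes through unchanged, and `db-99` passes the trigger but gains no catalog fields.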

The Workflow Engine UI (Correlate & Automate > Workflow Engine > Event Workflows) provides a simple drag-and-drop interface for creating event workflows. You can upload an enrichment data catalog in the UI at Correlate & Automate > Workflow Engine > Enrichment Data Catalogs.

Watch how to add a Custom Process to Events in Moogsoft Cloud.