Creating Event Workflows

This topic describes how to create an automated workflow that enriches your events with external data from your environment. You can also split, combine, extract, and update event data automatically using workflow actions.

Before you begin

What information do you want in your alerts that isn't already there?

Before you set up an event workflow, you need to evaluate your current alerts and identify the data that you want to add. Go to the Alerts table and examine the data fields in your alerts. What contextual information do you want to add? (Events form the raw data of alerts; by enriching your events, you ensure that the new information is included in the resulting alerts.)

A key enrichment consideration is to ensure that your alerts include the necessary information to correlate your alerts into the incidents that you want. See Good practices for defining correlations.

You can enrich your events with any information you and your operators find useful. The Events schema includes a tags field that you can use to add custom information.

In some cases, you might also want to update some event fields based on other data in the same event. Example use cases include:

  • You want to use the hostname for the source but the raw events have the hostname embedded in a tag.

  • You want to update the event description, using information in other data fields, so that all event descriptions are formatted consistently.

  • You want to classify the event service or check based on information in other fields or tags.

Create the data catalog

To add external information to your events, you first need to create one or more catalogs. See Creating Data Catalogs.

Workflow Editor

(Figure: workflow-sidebar.png, the workflow editor sidebar)

The workflow editor (Settings > Workflow Engine) provides a simple drag-and-click interface for creating workflows.

Each workflow consists of a trigger and one or more actions. The trigger is an event filter; if a new event matches the trigger, the workflow processes the event.

Each action updates the event and passes it to the next action.

When a workflow finishes processing an event, it passes the event to the next workflow. The workflow engine runs the workflows in the order in which they are listed in the Workflows table.

When all workflows are finished processing an event, the event gets deduplicated into an alert. The alert then gets passed to the correlation engine.
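The following Python model is an added illustration of the engine semantics described above, not the product's own code or action names. It applies the three use cases from the Before you begin section (hostname in a tag, consistent descriptions, service classification from a catalog) with a trigger as event filter, actions chained in order, workflows run in table order, and finished events deduplicated into alerts. The catalog contents, the tag format and its regex, and the (source, check) deduplication key are assumptions.

```python
import copy, re

# Constructed catalog: hostname -> external context (shape is an assumption)
CATALOG = {"web-01": {"service": "storefront", "owner": "ecommerce"}}

def hostname_from_tag(event):
    # use case 1: the hostname is embedded in a raw tag; promote it to the source field
    m = re.search(r"host=([\w.-]+)", event.get("tags", {}).get("raw", ""))
    if m:
        event["source"] = m.group(1)
    return event

def enrich_from_catalog(event):
    # use case 3: classify the service from the catalog, with safe defaults for unknown hosts
    ctx = CATALOG.get(event.get("source"), {})
    event["service"] = ctx.get("service", "unclassified")
    event.setdefault("tags", {})["owner"] = ctx.get("owner", "unassigned")
    return event

def format_description(event):
    # use case 2: rebuild the description from other fields so all descriptions read the same
    event["description"] = f"{event['service']}/{event['check']}@{event['source']}: {event['description']}"
    return event

# A workflow is (trigger, actions). Table order matters: enrichment needs the promoted source.
WORKFLOWS = [
    (lambda e: "raw" in e.get("tags", {}), [hostname_from_tag]),
    (lambda e: True, [enrich_from_catalog, format_description]),
]

def process(event, workflows=WORKFLOWS):
    event = copy.deepcopy(event)            # never mutate the caller's raw event
    for trigger, actions in workflows:      # every workflow sees the event, in listed order
        if not trigger(event):              # the trigger is an event filter
            continue                        # no match: this workflow leaves the event untouched
        for action in actions:              # each action updates the event and hands it on
            event = action(event)
    return event

def dedupe(events):
    # finished events deduplicate into alerts; keying on (source, check) is an assumption
    alerts = {}
    for ev in events:
        alerts.setdefault((ev["source"], ev["check"]), {**ev, "count": 0})["count"] += 1
    return alerts

SAMPLE = [  # constructed raw events: two duplicates with the host hidden in a tag, one unknown host
    {"source": "unknown", "check": "cpu", "description": "load high", "tags": {"raw": "host=web-01 dc=eu"}},
    {"source": "unknown", "check": "cpu", "description": "load high", "tags": {"raw": "host=web-01 dc=eu"}},
    {"source": "db-02", "check": "disk", "description": "90% full"},
]
```

Running `dedupe(process(e) for e in SAMPLE)` yields two alerts: the web-01 CPU pair collapses into one alert with a count of 2 and the catalog's service and owner, while the unknown db-02 host keeps the documented defaults.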

Available actions include: