Skip to main content

Workflow Engine overview

Moogsoft Cloud workflows provide automated data manipulation that can add or change data values in your event, alert, and incident fields. With workflows, you can customize the way Moogsoft functions without having to write code or pay for additional features.

Workflow types

Moogsoft offers three types of workflows: event, alert, and incident.

Event workflows

Use event workflows to enrich or normalize event data to create more useful or meaningful alerts.

Event workflow triggers use event field values at the time when the event is ingested. Because event workflows change event information before it is used to create alerts, they can change the way events deduplicate and form alerts. Event workflows behaviors focus on changing individual data fields, discarding irrelevant events, and generally ensuring the data is relevant for creating alerts.

For more information, see Event workflow configuration example.

Alert workflows

Alert workflows allow you to work with and modify alerts prior to correlation. Use alert workflows to manipulate the way incidents are formed, or simply to manage your alerts. For example, you can increase the severity of an alert based on the source or service, or drop alerts with certain properties so that they are never correlated into incidents. You can assign alerts to groups or individual users to ensure accountability. You can modify the alert description so that the correlated incident includes the information. Alert workflow gives you access to the properties of alerts to help automate alert management and additional ways to customize correlation. Alert workflows can be triggered by the creation of new alerts, or when an existing alert updates, or both. The alert workflow also gives you the option of choosing to trigger for Changes from anywhere, or only Changes from deduplication (when a new event is added to an existing alert via deduplication).

For more information, see Alert workflow configuration example.

Incident workflows

Incident workflows let you manipulate data at the incident level. They are triggered by either the creation of an incident or a change to an incident. Qualifying "changes" which can trigger incident workflows include:

  • Adding a new alert to the incident

  • Changing a value at the incident level, like the incident status, assignment, or other incident property

Changes occurring due to event deduplication (adding a new event to an alert, changing severity) are not incident changes, however, and will not trigger a workflow with either a New or changed incidents or a Changed incidents only trigger.

Incident workflows manipulate data fields (at the incident level), but also include incident-specific activities, like user and group assignments, sending the incident to external systems, and delayed incident processing. Incident workflows make it possible to:

  • Send incidents to external systems via webhook

  • Make automatic user and group assignments

  • Pause workflow incident processing using Delay actions

  • Use templates and a macro language to build incident descriptions and field values

  • Enrich, add, extract, replace, copy, and remove data

For configuration information, see Incident workflow configuration example. Refer to Workflow action reference for supported actions and examples. You can also watch a video showing how to set up an incident workflow.

Workflow processing

All Moogsoft workflows consist of a trigger and at least one action. The trigger defines the conditions that must occur for the workflow to execute. The action determines the change the workflow performs on the data. A workflow can contain multiple actions that act upon the items triggering the workflow. Actions process data in the order in which they appear in the workflow configuration.

For a complete list of event, alert, and incident actions, see the Workflow action reference.

Events, alerts, and incidents processed by one workflow are then passed to the next workflow in the list for further processing (unless workflow actions which prevent this from happening are present). See Priority in the following section.

The Workflow Engine page

Access the Workflow Engine page by clicking Correlate & Automate > Workflow Engine.

These tabs display on the page:

  • Event Workflows

  • Alert Workflows

  • Incident Workflows

  • Enrichment Data Catalogs

Event, Alert and Incident Workflows tabs

Event, alert, and incident workflows have many common elements and are configured in a similar way. The tabs share the same layout and headings:

  • Priority

    The Priority column indicates the order in which the individual workflows listed execute. The workflow with a priority of 1 is processed first, priority 2 is processed next, priority 3 after that, and so on.

    It is important to keep in mind how ordering the workflows will impact your data. For example, if one workflow adds a data field, and another workflow manipulates the data in that field, then you must ensure the workflow creating the data field precedes the workflow that needs to use the field.

    To change the order, click the three-dot menu and click Edit Workflows Order.

    For more on workflow priority, see Change workflow order.

  • Workflow Name

    The Name column provides a user-friendly identifier for individual workflows.

  • Status

    The current workflow status. Possible statuses include Disabled (configured but not yet enabled), and Enabled (configured and enabled). A third status, Deleted, is available through the API endpoint, but does not display in the UI.

  • Created By

    The ID of the user who created the workflow.

  • Last Modified

    The date and time when the workflow was last changed by someone.

To add a new workflow, click Add Workflow at the top of the table. Refer to Event workflow configuration example, Alert workflow configuration example, and Incident workflow configuration example for specific instructions on creating workflows.

Enrichment Data Catalogs tab

Data catalogs include information you can add to events and incidents via workflow using the Query Catalog action.

Each row on the Data Catalog page represents a separate catalog. A catalog includes column headings, which identify the type of data stored in the column, and rows, which are individual records (documents) of data. This data can be referenced via workflow and transferred to event and incident data fields.

See Create data catalogs for further details.

In this section: