Workflow Engine overview

Moogsoft Cloud workflows provide automated data manipulation that can add or change data values in your event and incident fields. With workflows, you can customize the way Moogsoft functions without having to write code or pay for additional features.

Workflow types

Moogsoft currently offers two types of workflows: event and incident.

Event workflows

Use event workflows to enrich or normalize event data to create more useful or meaningful alerts.

Event workflow triggers evaluate event field values at the time the event is ingested. Because event workflows change event information before it is used to create alerts, they can change the way events deduplicate and form alerts. Event workflow behaviors focus on changing individual data fields, discarding irrelevant events, and generally ensuring the data is relevant for creating alerts.

For more information, see Event workflow configuration example.

Incident workflows

Incidents are created from clusters of related alerts. Because event information is passed up to incidents through alerts, changes made at the event level by event workflows are reflected in incidents too, so incidents are indirectly affected by event workflows. Incident workflows, however, manipulate data at the incident level.

Incident workflows are triggered either by the creation of an incident or by a change to the incident. Changes to an incident include adding a new alert to the incident, or changing a value at the incident level, such as the incident status, assignment, or another incident property. Changes that occur through event deduplication (adding a new event to an alert, changing severity) are not incident changes, and will not trigger a workflow that uses either the New or changed incidents trigger or the Changed incidents only trigger.

Incident workflows also manipulate data fields (at the incident level), but additionally include incident-specific activities, such as user and group assignments, sending the incident to external systems, and delayed incident processing.

Incident workflows make it possible to:

  • Send incidents to external systems via webhook

  • Make automatic user and group assignments

  • Pause workflow incident processing using Delay actions

  • Use templates and a macro language to build incident descriptions and field values

  • Enrich, add, extract, replace, copy, and remove data

For configuration information, see Incident workflow configuration example. Refer to Workflow action reference for supported actions and examples. You can also watch a video showing how to set up an incident workflow.

Workflow processing

All Moogsoft workflows consist of a trigger and at least one action. The trigger defines the conditions that must occur for the workflow to execute. The action determines the change the workflow performs on the data. A workflow can contain multiple actions that act upon the items triggering the workflow. Actions process data in the order in which they appear in the workflow configuration.

Many actions are available for both incidents and events. For a complete list, see the Workflow action reference.

Events and incidents processed by one workflow are then passed to the next workflow in the list for further processing. See Priority in the following section.
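The processing model described above (a trigger, an ordered list of actions, and a chain of workflows run in priority order, with later workflows receiving the output of earlier ones) can be made concrete with a small simulation. The following is an added illustration, not Moogsoft code: the class and function names (Workflow, run_event_workflows, set_field, copy_field, discard), the field names ('service', 'team') and the sample events are all assumptions constructed for the example. It also shows the ordering pitfall from the Priority description: a workflow that consumes a field must run after the workflow that creates it, and a discard action stops the chain so the event never reaches alerting.

```python
"""Toy model of an ordered trigger/action workflow chain.

Added illustration, not Moogsoft code: Workflow, run_event_workflows,
set_field, copy_field, discard and the field names 'service'/'team' are
assumptions chosen for this example. Sample events are constructed inline.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

Event = dict
Trigger = Callable[[Event], bool]
# An action returns the (possibly modified) event, or None to discard it.
Action = Callable[[Event], Optional[Event]]


@dataclass
class Workflow:
    priority: int          # 1 runs first, then 2, 3, ...
    name: str
    trigger: Trigger
    actions: list = field(default_factory=list)
    enabled: bool = True


def run_event_workflows(event: Event, workflows: list) -> Optional[Event]:
    """Pass one event through every enabled workflow in priority order.

    Within a workflow, actions run in configured order. A discarded event
    ends the chain and is never handed to later workflows or to alerting.
    """
    for wf in sorted(workflows, key=lambda w: w.priority):
        if not wf.enabled or not wf.trigger(event):
            continue
        for action in wf.actions:
            event = action(event)
            if event is None:
                return None
    return event


# --- actions used below (assumed names, modelled on "set", "copy", "discard") ---
def set_field(name: str, value) -> Action:
    def act(ev):
        ev = dict(ev)          # never mutate the caller's event in place
        ev[name] = value
        return ev
    return act


def copy_field(src: str, dst: str) -> Action:
    """Copy src into dst only if src exists; otherwise leave the event alone."""
    def act(ev):
        if src in ev:
            ev = dict(ev)
            ev[dst] = ev[src]
        return ev
    return act


def discard() -> Action:
    return lambda ev: None


# Constructed sample event.
SAMPLE_EVENT = {"source": "db01", "description": "disk 95% full", "severity": "major"}

# Workflow 1 adds a 'service' field; workflow 2 copies it into 'team'.
ADD_SERVICE = Workflow(1, "tag db hosts", lambda ev: ev["source"].startswith("db"),
                       [set_field("service", "database")])
COPY_TEAM = Workflow(2, "route to team", lambda ev: "service" in ev,
                     [copy_field("service", "team")])
# Workflow 3 discards heartbeat noise so it never forms an alert.
DROP_HEARTBEATS = Workflow(3, "drop heartbeats",
                           lambda ev: "heartbeat" in ev["description"], [discard()])


def correct_order() -> Optional[Event]:
    return run_event_workflows(SAMPLE_EVENT, [ADD_SERVICE, COPY_TEAM, DROP_HEARTBEATS])


def wrong_order() -> Optional[Event]:
    """Same workflows, but the consumer is given priority 1 and the producer 2."""
    swapped = [Workflow(2, ADD_SERVICE.name, ADD_SERVICE.trigger, ADD_SERVICE.actions),
               Workflow(1, COPY_TEAM.name, COPY_TEAM.trigger, COPY_TEAM.actions),
               DROP_HEARTBEATS]
    return run_event_workflows(SAMPLE_EVENT, swapped)


if __name__ == "__main__":
    print("correct:", correct_order())   # 'team' == 'database'
    print("swapped:", wrong_order())     # no 'team': the field did not exist yet
    print("heartbeat:", run_event_workflows(
        {"source": "db02", "description": "heartbeat", "severity": "clear"},
        [ADD_SERVICE, COPY_TEAM, DROP_HEARTBEATS]))  # None: discarded
```

In the swapped run the "route to team" trigger is evaluated before "tag db hosts" has added the field, so its trigger is false and the event leaves the chain without a 'team' value; nothing fails loudly, which is why the order of discard and enrichment workflows deserves a review whenever priorities are edited.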

The Workflow Engine page

Access the Workflow Engine page by clicking Correlate & Automate > Workflow Engine.

These tabs display on the page:

  • Event Workflows

  • Incident Workflows

  • Enrichment Data Catalogs

Event and Incident Workflows tabs

Event and incident workflows have many elements in common and are configured in a similar way. The tabs share the same layout and headings:

  • Priority

    The Priority column indicates the order in which the individual workflows listed execute. The workflow with a priority of 1 is processed first, priority 2 is processed next, priority 3 after that, and so on.

    It is important to keep in mind how ordering the workflows will impact your data. For example, if one workflow adds a data field, and another workflow manipulates the data in that field, then you must ensure the workflow creating the data field precedes the workflow that needs to use the field.

    To change the order, click the three-dot menu and click Edit Workflows Order.

    For more on workflow priority, see Change workflow order.

  • Workflow Name

    The Name column provides a user-friendly identifier for individual workflows.

  • Status

    The current workflow status. Possible statuses include Disabled (configured but not yet enabled) and Enabled (configured and enabled). A third status, Deleted, is available through the API endpoint but does not display in the UI.

  • Created By

    The ID of the user who created the workflow.

  • Last Modified

    The date and time when the workflow was last changed.

To add a new workflow, click Add Workflow at the top of the table. Refer to Event workflow configuration example and Incident workflow configuration example for specific instructions on creating workflows.

Enrichment Data Catalogs tab

Data catalogs include information you can add to events and incidents via workflow using the Query Catalog action.

Each row on the Data Catalog page represents a separate catalog. A catalog includes column headings, which identify the type of data stored in the column, and rows, which are individual records (documents) of data. This data can be referenced via workflow and transferred to event and incident data fields.

See Create data catalogs for further details.