Building a policy workflow

The policy workflow is a visual representation of how an incoming event matching the event selection criteria will be processed.  

When you create an enrichment policy, it goes through a filter of the event selection criteria. If the event matches the event selection criteria it is further processed based on the actions defined in the policy. The actions in the policy define conditions that decide when and how a matching event will be processed. The actions are run in the sequence in which they appear on the policy workflow. 

Before you begin

Explore the policy elements to understand the basics. For more information, see Exploring the policy elements.

Identify the use case that you want to achieve via the policy workflow. Note down the type of conditions you want to add and the actions that are most suitable for defining each condition. You can use the following table as a template to describe each condition and the action that is most appropriate for defining it. The table covers some examples.

Condition | Suitable action(s)
Increase the event severity only if the event location is Houston | If-Then, Enrich
Increase the event priority only when the event severity changes from Minor to greater than or equal to Major | Trigger-If, Enrich
To understand actions, see Actions for advanced enrichment and time-based enrichment.

Basics about building a workflow

Start building a policy workflow by adding an action from the Actions toolbar. 

When you add an action, you see the Incoming Event circle at the top which is a logical representation to mark the start of the workflow. This circle appears by default on the workflow canvas.

You can add subsequent actions by clicking the plus sign displayed next to an action on the workflow or from the Actions toolbar. The menu displayed by clicking the plus sign lists the actions that can be added after the existing action.

When you add an action, a panel with the settings for that action is displayed on the right. Based on the configured settings, the action processes the matching event. Some actions can be defined against existing events. In these scenarios, you can add conditions that compare new event information with existing event information, so for such conditions you will see slots prefixed with $OLD and $NEW. Slots prefixed with $OLD refer to slots of the existing event and slots prefixed with $NEW refer to slots of the incoming (new) event.

Each inserted action is represented with a particular block on the workflow canvas. You can zoom in and zoom out or adjust the position of the workflow as needed.

Building a simple workflow

The following table can help you understand how to start building a workflow that achieves a use case based on the conditions you identified.

Use case: Suppose you want to change the status of an event based on its source.

Check if the event is coming from Server A | If
If yes, change the event severity to Critical | Then-Enrich
Otherwise, change the event severity to Major | Else-Enrich
The following image shows the expected final output based on the conditions listed in the table.
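To make the sequencing concrete, here is an added example (not the product's own engine) that models the two workflows described on this page: the If / Then-Enrich / Else-Enrich workflow from the table above, and the Trigger-If workflow from the "Before you begin" table that compares $OLD and $NEW slots. Slot names (source, severity, priority), the severity ordering, and the priority value are assumptions for the model.

```python
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]
SEVERITY_RANK = {"Minor": 1, "Major": 2, "Critical": 3}  # assumed ordering

def resolve(ref: str, new: Event, old: Optional[Event]) -> Optional[str]:
    """'$NEW.slot' reads the incoming event, '$OLD.slot' the existing event;
    anything else is a literal value."""
    if not ref.startswith("$"):
        return ref
    prefix, slot = ref.split(".", 1)
    source = new if prefix == "$NEW" else old
    return None if source is None else source.get(slot)

def holds(cond: Tuple[str, str, str], new: Event, old: Optional[Event]) -> bool:
    left, op, right = cond
    lv, rv = resolve(left, new, old), resolve(right, new, old)
    if lv is None or rv is None:
        return False  # an $OLD reference with no existing event never matches
    if op == "==":
        return lv == rv
    if op == ">=":  # compares severity rank, e.g. Major >= Major
        return SEVERITY_RANK[lv] >= SEVERITY_RANK[rv]
    raise ValueError(f"unsupported operator {op}")

def run_policy(actions: List[dict], new: Event, old: Optional[Event] = None) -> Event:
    """Run actions in the order they appear; each Enrich sets a slot on a copy
    of the incoming event, so later actions see earlier enrichments."""
    event = dict(new)
    for action in actions:
        if action["kind"] == "if":
            taken = holds(action["cond"], event, old)
            branch = action["then"] if taken else action.get("else", [])
        elif action["kind"] == "trigger_if":  # all conditions must hold
            taken = all(holds(c, event, old) for c in action["conds"])
            branch = action["then"] if taken else []
        else:
            raise ValueError(f"unknown action kind {action['kind']}")
        for slot, value in branch:  # Enrich
            event[slot] = value
    return event

# If the event comes from Server A -> Critical, otherwise -> Major (assumed slot names).
SIMPLE_WORKFLOW = [
    {"kind": "if", "cond": ("$NEW.source", "==", "Server A"),
     "then": [("severity", "Critical")], "else": [("severity", "Major")]},
]

# Raise priority only when severity changes from Minor to >= Major (assumed priority value).
PRIORITY_WORKFLOW = [
    {"kind": "trigger_if",
     "conds": [("$OLD.severity", "==", "Minor"), ("$NEW.severity", ">=", "Major")],
     "then": [("priority", "PRIORITY_1")]},
]
```

Calling run_policy(PRIORITY_WORKFLOW, new_event, old=existing_event) with no existing event leaves the priority untouched, which is the behaviour to expect from a condition that reads an $OLD slot.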

Where to go from here

To understand how to build more complex workflows for different use cases, see Workflow examples for advanced enrichment and time-based enrichment.
