Building a policy workflow
The policy workflow is a visual representation of how an incoming event that matches the event selection criteria is processed.
When an event arrives, an enrichment policy first filters it against the event selection criteria. Only an event that matches the criteria is processed further, and that processing is driven by the actions defined in the policy. The actions define the conditions that decide whether, when, and how a matching event is processed, and they run in the sequence in which they appear on the policy workflow, each one acting on the event as left by the action before it.
Before you begin
Explore the policy elements to understand the basics. For more information, see Exploring the policy elements.
Identify the use case that you want to achieve with the policy workflow. Note down the type of condition you want to add and the action that is most suitable for defining that condition. You can use the following table as a template for describing each condition and the action that will express it. The table shows two examples.
| Condition | Actions |
|---|---|
| Increase the event severity only if the event location is Houston | If-Then, Enrich |
| Increase the event priority only when the event severity changes from Minor to Major or higher | Trigger-If, Enrich |
Basics about building a workflow
Start building a policy workflow by adding an action from the Actions toolbar.
When you add an action, the Incoming Event circle appears at the top of the workflow. It is a logical marker for the start of the workflow and is displayed on the workflow canvas by default.
You can add subsequent actions by clicking the plus sign displayed next to an action on the workflow or by using the Actions toolbar. The menu displayed by clicking the plus sign lists the actions that can be added after the existing action.
When you add an action, a panel with the settings for that action is displayed on the right. The action processes the matching event according to the settings you configure. Some actions can also evaluate an existing event. For these actions you can add conditions that compare the new event information with the existing event information, so the slot list shows slots prefixed with $OLD and $NEW: slots prefixed with $OLD refer to the existing event, and slots prefixed with $NEW refer to the incoming (new) event.
Each inserted action is represented with a particular block on the workflow canvas. You can zoom in and zoom out or adjust the position of the workflow as needed.
Building a simple workflow
The following table shows how to start building a workflow for a use case from the conditions you identified.
Use case: Suppose you want to change the severity of an event based on its source.
| Condition | Action |
|---|---|
| Check whether the event is coming from Server A | If |
| If yes, change the event severity to Critical | Then-Enrich |
| Otherwise, change the event severity to Major | Else-Enrich |
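The following Python model is an added illustration of the workflow semantics described on this page (selection criteria first, then actions in sequence, with $OLD and $NEW slots available to conditions). It is not the product's implementation; the slot names, the severity and priority orderings, and the sample events are assumptions made for the example. It builds the If / Then-Enrich / Else-Enrich use case from the table above, the Trigger-If / Enrich example from the earlier table, and a combined workflow that shows why action order matters.

```python
"""Toy model of an enrichment-policy workflow.

Added illustration only: not the product's code. Slot names, the
severity/priority orderings, and the sample events are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

Event = Dict[str, str]                               # slot name -> value
Cond = Callable[[Event, Optional[Event]], bool]      # args: $NEW event, $OLD event (None if no existing event)
Step = Callable[[Event, Optional[Event]], Event]

# Assumed orderings, lowest to highest, for "greater than or equal to" checks.
SEVERITY_ORDER = ["OK", "Minor", "Major", "Critical"]
PRIORITY_ORDER = ["Low", "Medium", "High"]


def rank(order: Sequence[str], value: str) -> int:
    return order.index(value)


def enrich(**slots: str) -> Step:
    """Enrich action: overwrite the given slots on the $NEW event."""
    def step(new: Event, old: Optional[Event]) -> Event:
        return {**new, **slots}
    return step


def if_then_else(cond: Cond, then_steps: Sequence[Step], else_steps: Sequence[Step] = ()) -> Step:
    """If-Then(-Else) action: run exactly one branch, in order, depending on cond."""
    def step(new: Event, old: Optional[Event]) -> Event:
        for s in (then_steps if cond(new, old) else else_steps):
            new = s(new, old)
        return new
    return step


def trigger_if(cond: Cond, then_steps: Sequence[Step]) -> Step:
    """Trigger-If action: an If-Then whose condition typically compares $OLD with $NEW."""
    return if_then_else(cond, then_steps)


@dataclass
class Policy:
    selection: Cond        # event selection criteria, checked before any action runs
    actions: List[Step]    # run top to bottom; each sees the previous action's output

    def process(self, new: Event, old: Optional[Event] = None) -> Optional[Event]:
        if not self.selection(new, old):
            return None    # no match: the workflow never starts
        for action in self.actions:
            new = action(new, old)
        return new


def is_alarm(new: Event, old: Optional[Event]) -> bool:
    return new.get("class") == "ALARM"   # assumed selection criterion


def source_severity_policy() -> Policy:
    """Table use case: severity by source (If / Then-Enrich / Else-Enrich)."""
    return Policy(selection=is_alarm, actions=[
        if_then_else(
            lambda new, old: new.get("source") == "Server A",
            then_steps=[enrich(severity="Critical")],
            else_steps=[enrich(severity="Major")],
        )
    ])


def escalation_policy() -> Policy:
    """Trigger-If + Enrich: raise priority when severity goes from Minor ($OLD)
    to Major or higher ($NEW)."""
    return Policy(selection=is_alarm, actions=[
        trigger_if(
            lambda new, old: old is not None
            and old.get("severity") == "Minor"
            and rank(SEVERITY_ORDER, new["severity"]) >= rank(SEVERITY_ORDER, "Major"),
            then_steps=[enrich(priority="High")],
        )
    ])


def combined_policy() -> Policy:
    """Both actions in one workflow. Order matters: the Trigger-If sees the
    severity already rewritten by the preceding If-Then-Else."""
    return Policy(selection=is_alarm,
                  actions=source_severity_policy().actions + escalation_policy().actions)


if __name__ == "__main__":
    # Constructed sample events, not captured from a real system.
    existing = {"class": "ALARM", "source": "Server A", "severity": "Minor", "priority": "Low"}
    incoming = {"class": "ALARM", "source": "Server A", "severity": "Minor", "priority": "Low"}
    print(source_severity_policy().process(incoming))            # severity -> Critical
    print(escalation_policy().process(incoming, existing))       # unchanged: $NEW severity still Minor
    print(combined_policy().process(incoming, existing))         # Critical, and priority -> High
```

Running the block shows the point made above about sequence: on its own, the escalation Trigger-If does nothing for an incoming Minor event, but placed after the source-based Enrich in the same workflow it sees the severity that the earlier action just set to Critical and raises the priority.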
Where to go from here
To understand how to build more complex workflows for different use cases, see Workflow examples for advanced enrichment and time-based enrichment.