Building a policy workflow for advanced and time-based enrichment
The policy workflow is a visual representation of how an incoming event matching the event selection criteria is processed.
When you create an enrichment policy, every incoming event is first checked against the policy's event selection criteria. An event that matches is processed further by the actions defined in the policy; an event that does not match never enters the workflow. Each action defines a condition that decides whether and how the matching event is processed, and the actions run in the order in which they appear on the policy workflow, so a later action sees the event as the earlier actions left it.
The following video (5:03) helps you understand how you can create an advanced enrichment policy.
Before you begin
- Explore the policy elements to understand the basics. For more information, see Elements-of-advanced-and-time-based-enrichment-policies.
- Identify the use case that you want to achieve with the policy workflow. Note down the type of conditions you want to add and the actions that are most suitable for defining each condition. You can use the following table as a template to describe each condition and the action that best defines it.
The following table covers some examples:
To understand actions, see Actions-for-advanced-and-time-based-enrichment.
To build a policy workflow
- Create an event policy of type Advanced Enrichment or Time Based. To create a refinement policy, which behaves like an advanced enrichment policy, select the type Refinement. For more information, see Defining-event-policies-for-enrichment-correlation-notification-and-suppression.
- Add any action from the Actions toolbar.
  When you add an action, the Incoming Event circle appears at the top of the workflow canvas. It is a logical marker for the start of the workflow and is present on the canvas by default. Each inserted action is represented by a block on the canvas. You can zoom in and out, or move the workflow, as needed.
- Specify the configuration settings for the action in the panel on the right.
  The action processes matching events based on these settings. Some actions compare the incoming event with events that already exist. For such conditions the slot list shows slots prefixed with $OLD and $NEW: slots prefixed with $OLD belong to the existing event, and slots prefixed with $NEW belong to the incoming (new) event. For more information, see Actions-for-advanced-and-time-based-enrichment.
- Perform the following:
  - To add subsequent actions, select the current action on the workflow and use the Add Above or Add Below options from the mini toolbar at the bottom of the workflow canvas.
  - To delete an action, select it on the workflow and click Delete Item.
- Click Save.
- After saving, enter a policy summary in the field that opens, or edit the summary later in the configuration panel by clicking Incoming Event.
To build a simple workflow
The following table shows how to start building a workflow for a use case from the conditions you identified.
Use case: Suppose you want to change the owner of an event based on its severity and the message it contains.
Event selection criteria:
The following image shows the expected final output based on the conditions listed in the table.
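The workflow described on this page (selection criteria first, then actions in canvas order, with some actions comparing $NEW slots of the incoming event against $OLD slots of an existing event), modelled as a small Python program. This is an added example and not the product's own code or API: the slot names (severity, msg, mc_host, mc_owner, status, mc_object_class, mc_parent), the action logic and the sample events are assumptions chosen to illustrate the owner-change use case above.

```python
"""Toy model of an enrichment policy workflow (added example, not the product's code).

An incoming event is first checked against the event selection criteria; only a
matching event enters the workflow. The actions then run in the order they appear
on the workflow canvas, each receiving the event as the previous action left it.
Slot names and action logic are assumptions chosen for illustration.
"""
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]  # one event: slot name -> slot value


def selection_criteria(ev: Event) -> bool:
    """Event selection criteria: only open DISK events enter the workflow."""
    return ev.get("mc_object_class") == "DISK" and ev.get("status") == "OPEN"


def assign_owner(new: Event, existing: List[Event]) -> Event:
    """Action 1: set the owner from severity and message text (the use case above)."""
    msg = new.get("msg", "").lower()
    if new.get("severity") in ("CRITICAL", "MAJOR") and "disk" in msg:
        new["mc_owner"] = "storage-oncall"
    elif new.get("severity") == "MINOR":
        new["mc_owner"] = "helpdesk"
    return new


def inherit_owner_from_existing(new: Event, existing: List[Event]) -> Event:
    """Action 2: a condition on existing events. In the product's terms it reads
    $OLD.mc_host == $NEW.mc_host and $OLD.status == 'OPEN'; when it holds, the
    new event inherits the owner already assigned to the existing one."""
    for old in existing:
        if old.get("mc_host") == new.get("mc_host") and old.get("status") == "OPEN":
            new["mc_owner"] = old["mc_owner"]
            new["mc_parent"] = old["event_id"]  # assumed slot recording which event matched
            break
    return new


# The sequence on the canvas. Order matters: a later action can overwrite a slot
# that an earlier action set, which is exactly what happens for db01 below.
ACTIONS: List[Callable[[Event, List[Event]], Event]] = [
    assign_owner,
    inherit_owner_from_existing,
]

# Constructed sample of events already in the event store.
EXISTING_EVENTS: List[Event] = [
    {"event_id": "EVT-1001", "mc_host": "db01", "status": "OPEN",
     "severity": "MAJOR", "msg": "Disk /data 92% full", "mc_owner": "dba-team"},
    {"event_id": "EVT-0999", "mc_host": "web07", "status": "CLOSED",
     "severity": "MINOR", "msg": "Disk /tmp 80% full", "mc_owner": "helpdesk"},
]


def run_policy(incoming: Event, existing: List[Event] = EXISTING_EVENTS) -> Optional[Event]:
    """Run one event through the policy. Returns the enriched event, or None when
    the event did not match the selection criteria and never entered the workflow."""
    if not selection_criteria(incoming):
        return None
    ev = dict(incoming)  # work on a copy; the caller's event is left untouched
    for action in ACTIONS:
        ev = action(ev, existing)
    return ev


if __name__ == "__main__":
    new_event = {"event_id": "EVT-2001", "mc_host": "web07", "status": "OPEN",
                 "mc_object_class": "DISK", "severity": "CRITICAL",
                 "msg": "Disk /var 95% full"}
    print(run_policy(new_event)["mc_owner"])  # storage-oncall: no open event on web07
```

Two points the model makes visible: an event that fails the selection criteria is returned as None, meaning no action ever runs on it, and a critical disk event on db01 ends up owned by dba-team rather than storage-oncall because the $OLD/$NEW matching action runs after the severity-based owner assignment and overwrites it. Swapping the two entries in ACTIONS reverses that outcome, which is why the order of blocks on the canvas is part of the policy's logic.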
Where to go from here
To understand how to build more complex workflows for different use cases, see Examples: Event policies for enrichment, correlation, notification, and suppression.