Keep workflows support enrichment, a powerful feature that allows you to enhance alerts with additional data, making them more actionable and meaningful. Enrichments add custom fields or modify existing ones in an alert directly from your workflow.

Why Enrich Alerts?

  • Provide Context: Add critical information, such as related customer data or ticket IDs.
  • Enable Automation: Use enriched fields in subsequent actions for dynamic processing.
  • Improve Visibility: Surface essential metadata for better decision-making.

How to Enrich Alerts

Using the enrich_alert Directive

The enrich_alert directive is used in actions to add or update fields in the alert. You specify a list of key-value pairs where:
  • key is the field name to add or update.
  • value is the data to assign to the field. It can be a static value or dynamically derived from steps or other parts of the workflow.
  • disposable is an optional attribute that determines whether the enrichment is temporary and should be discarded when a new alert is received. If disposable is set to True, the enrichment is added to disposable_enrichments and marked with dispose_on_new_alert=True.

Example Workflow with Enrichment

workflow:
  id: enrich-alert-example
  description: Demonstrates enriching alerts
  triggers:
    - type: alert
  steps:
    - name: get-customer-details
      provider:
        type: mysql
        config: "{{ providers.mysql-prod }}"
        with:
          query: "SELECT * FROM customers WHERE customer_id = '{{ alert.customer_id }}'"
          single_row: true
  actions:
    - name: enrich-alert-with-customer-data
      provider:
        type: mock
        with:
          enrich_alert:
            - key: customer_name
              value: "{{ steps.get-customer-details.results.name }}"
            - key: customer_tier
              value: "{{ steps.get-customer-details.results.tier }}"
In this example:
  • The get-customer-details step fetches customer data based on the alert.
  • The enrich_alert directive adds customer_name and customer_tier to the alert.

Enrichment Syntax

Key-Value Pairs

Each enrichment is defined as a key-value pair: 
enrich_alert:
  - key: field_name
    value: field_value
    disposable: true
  • Static Values: Use static strings or numbers for straightforward enrichments:
- key: alert_source
  value: "Monitoring System"
Dynamic Values: Use values derived from steps, actions, or the alert itself: 
- key: severity_level
  value: "{{ alert.severity }}"

Conditional Enrichment

You can combine enrichment with conditions to enrich alerts dynamically: 
actions:
  - name: enrich-critical-alert
    if: "{{ alert.severity == 'critical' }}"
    provider:
      type: mock
      with:
        enrich_alert:
          - key: priority
            value: high

Advanced Use Cases

Enrich Alerts with Results from Actions

Enrichments can use results from actions, allowing dynamic updates based on previous steps: 
enrich_alert:
  - key: ticket_id
    value: "{{ actions.create-ticket.results.ticket_id }}"
  - key: ticket_url
    value: "{{ actions.create-ticket.results.ticket_url }}"

Enrichment Workflow Example

This example demonstrates how to enrich an alert with ticket details from ServiceNow: 
workflow:
  id: servicenow-ticket-enrichment
  triggers:
    - type: alert
  steps:
    - name: fetch-alert-details
      provider:
        type: keep
        with:
          filter: "alert_id == '{{ alert.id }}'"
  actions:
    - name: create-servicenow-ticket
      provider:
        type: servicenow
        config: "{{ providers.servicenow }}"
        with:
          table_name: INCIDENT
          payload:
            short_description: "Alert: {{ alert.name }}"
            description: "{{ alert.description }}"
      enrich_alert:
        - key: ticket_id
          value: "{{ results.sys_id }}"
        - key: ticket_url
          value: "{{ results.link }}"

Troubleshooting Enrichment

Enrichment without an Alert/Incident

If there is no alert/incident present in the trigger (for example interval trigger or manual call in workflow page), the enrichment rule would not have an alert/incident to apply to. The enrichment process typically requires an alert/incident to be present to apply the specified enrichments. Without an alert/incident, the enrichment rule would not execute as intended. A workaround is to use a foreach directive and pass it an object containing the “fingerprint” variable.