Keep workflows support enrichment, a powerful feature that allows you to enhance alerts with additional data, making them more actionable and meaningful. Enrichments add custom fields or modify existing ones in an alert directly from your workflow.

Why Enrich Alerts?

  • Provide Context: Add critical information, such as related customer data or ticket IDs.
  • Enable Automation: Use enriched fields in subsequent actions for dynamic processing.
  • Improve Visibility: Surface essential metadata for better decision-making.

How to Enrich Alerts

Using the enrich_alert Directive

The enrich_alert directive is used in actions to add or update fields in the alert. You specify a list of key-value pairs where:

  • key is the field name to add or update.
  • value is the data to assign to the field. It can be a static value or dynamically derived from steps or other parts of the workflow.

Example Workflow with Enrichment

workflow:
  id: enrich-alert-example
  description: Demonstrates enriching alerts
  triggers:
    - type: alert
  steps:
    - name: get-customer-details
      provider:
        type: mysql
        config: "{{ providers.mysql-prod }}"
        with:
          query: "SELECT * FROM customers WHERE customer_id = '{{ alert.customer_id }}'"
          single_row: true
  actions:
    - name: enrich-alert-with-customer-data
      provider:
        type: mock
        with:
          enrich_alert:
            - key: customer_name
              value: "{{ steps.get-customer-details.results.name }}"
            - key: customer_tier
              value: "{{ steps.get-customer-details.results.tier }}"

In this example:

  • The get-customer-details step fetches customer data based on the alert.
  • The enrich_alert directive adds customer_name and customer_tier to the alert.

Enrichment Syntax

Key-Value Pairs

Each enrichment is defined as a key-value pair:

enrich_alert:
  - key: field_name
    value: field_value
  • Static Values: Use static strings or numbers for straightforward enrichments:
- key: alert_source
  value: "Monitoring System"

Dynamic Values: Use values derived from steps, actions, or the alert itself:

- key: severity_level
  value: "{{ alert.severity }}"

Conditional Enrichment

You can combine enrichment with conditions to enrich alerts dynamically:

actions:
  - name: enrich-critical-alert
    if: "{{ alert.severity == 'critical' }}"
    provider:
      type: mock
      with:
        enrich_alert:
          - key: priority
            value: high

Advanced Use Cases

Enrich Alerts with Results from Actions

Enrichments can use results from actions, allowing dynamic updates based on previous steps:

enrich_alert:
  - key: ticket_id
    value: "{{ actions.create-ticket.results.ticket_id }}"
  - key: ticket_url
    value: "{{ actions.create-ticket.results.ticket_url }}"

Enrichment Workflow Example

This example demonstrates how to enrich an alert with ticket details from ServiceNow:

workflow:
  id: servicenow-ticket-enrichment
  triggers:
    - type: alert
  steps:
    - name: fetch-alert-details
      provider:
        type: keep
        with:
          filter: "alert_id == '{{ alert.id }}'"
  actions:
    - name: create-servicenow-ticket
      provider:
        type: servicenow
        config: "{{ providers.servicenow }}"
        with:
          table_name: INCIDENT
          payload:
            short_description: "Alert: {{ alert.name }}"
            description: "{{ alert.description }}"
      enrich_alert:
        - key: ticket_id
          value: "{{ results.sys_id }}"
        - key: ticket_url
          value: "{{ results.link }}"
ForeachSuppressing Alerts Automatically