Using the Create Event Widget

This widget accepts input from Evaluation widgets and generates events based on their evaluated output data.

In Scenario Pipelines, the Create Event widget is the final part of the pipeline and is used to produce an event. An event is a record of one or more pattern matches in a detection run, which is a signal for further investigation.
The Create Event widget can only be attached to an Evaluation widget. Multiple Evaluation widgets can be connected to one Create Event widget.

To create an event, follow these steps:

  1. In the Pipeline Designer page, select the pipeline where you want to add or modify the Create Event widget. The Pipeline Canvas displays.
  2. To add Create Event to an Evaluation, click Add To, and then select Create Event. Alternatively, you can right-click on the Canvas to display the list of widgets, select Create Event, and associate the Create Event widget with the Evaluation.
  3. Click Options, then click Edit. The Create Event pane displays.
  4. Under Basic Configuration, select the Event Type from the drop-down list.
    You can add additional Event Types, using the steps in Creating Event Types.
    You must define the Focus associated with events generated from this widget.
    • Select the required Focus Table from the drop-down list. The values which display are based on the tables you mapped in the Data Forge widget.
    • Select the required Focus Column from the drop-down list. The values which display are based on the columns you mapped in the Data Forge widget.

      Note:

      You can only select one value in each drop-down list. The column selected should be a column which is unique to the table.
    • Use the Bind IDs Configuration tab to choose which types of information you want to display in the generated events. You must select at least one Bind ID. For more information about this tab, see Configuring Bind IDs.
  5. The Highlights tab displays any Highlights associated with this pipeline.
    Highlights include the most salient facts associated with a match or alert, and are intended to aid with the understanding and possible disposition of an event. This tab includes the following details:
    • Highlight Name
    • New Highlight Name
    • Column
    You can add a new highlight by clicking Add, and following these steps:
    1. Select the Attribute from the drop-down list.
    2. Enter a Name for this highlight.
    3. Click Save.
  6. The Bind IDs Configuration tab displays the tables and columns which you have mapped in the Data Forge widget. Use the selector to choose the Bind IDs you are associating with the Focus of the events generated by this widget.

    Note:

    You must select at least one Bind ID.
  7. When you have finished configuring the Create Event widget, click Save.