# Workflows

Customized workflows built on Event Streams let you detect potential attacks more effectively. With just a few clicks, you can correlate different logs and integrate alerts for the scenarios you create.

<figure><img src="/files/l96niOOKnJpPXe3UaKBy" alt=""><figcaption></figcaption></figure>

## Create Workflow

Click "Add Workflow" to create a new workflow. Assign a unique name and a short description. Below this, define a "severity level". The choices are Low, Medium, High and Critical. The selected severity level is displayed later under [Incidents](/docs/manual/english/operation/platform/siem/incidents.md) and helps you prioritize quickly.

Now select an event stream from the list and define the condition under which the workflow is to be triggered. With the help of the text modules, numerous scenarios can be created. \
Add further conditions via the "Add Workflow condition" button to optimally adapt your workflow to your scenario.

Under "Type" you have the choice between:

* **Filter** \
  Enter the name of a field that is relevant for the event. Under Operator, choose whether this field should be equal or unequal to a value.
* **Group** \
  Use this type to take the relationship between log entries into account. Example: Imagine you want to track events where a user logs in and then logs out within a short period of time. By setting the process ID to "Group", you can analyze a single user's logon behavior. This way you avoid the alert being triggered every time user A logs in and user B logs out.
* **Display Field** \
  Specify fields here that you want to be displayed directly in the captured event (without having to browse the detail view first).

By clicking on "**Add Refinement**", you can include further fields of the previously defined stream.

By clicking on "**Add workflow condition**", you can also include events from other streams.

Finally, add your workflow by clicking on the "**Add Workflow**" field.
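
The following sketch is an added illustration, not Enginsight's implementation. It shows how the Filter, Group and Display Field types described above interact in the login/logout scenario. The field names, the 60-second window, the sample events and the `evaluate()` helper are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events; the field names are assumptions, not Enginsight's schema.
EVENTS = [
    {"event": "login",  "process_id": 5333, "user": "bob",        "ts": 0},
    {"event": "login",  "process_id": 4120, "user": "alice",      "ts": 100},
    {"event": "logout", "process_id": 5333, "user": "bob",        "ts": 110},
    {"event": "login",  "process_id": 7001, "user": "carol",      "ts": 200},
    {"event": "logout", "process_id": 7001, "user": "carol",      "ts": 220},
    {"event": "login",  "process_id": 8000, "user": "svc_backup", "ts": 300},
    {"event": "logout", "process_id": 8000, "user": "svc_backup", "ts": 305},
    {"event": "logout", "process_id": 4120, "user": "alice",      "ts": 4000},
]
# Two workflow conditions, each a list of Filter rows: (field, operator, value).
CONDITIONS = [
    [("event", "equal", "login"),  ("user", "unequal", "svc_backup")],
    [("event", "equal", "logout"), ("user", "unequal", "svc_backup")],
]

def matches(event, filters):
    """Filter: every row must hold; the operator is 'equal' or 'unequal'."""
    for field, op, value in filters:
        if (event.get(field) == value) != (op == "equal"):
            return False
    return True

def evaluate(events, conditions, group_field=None, display_fields=(), window=60):
    """Alert when all conditions match in order within `window` seconds (assumed)."""
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Group: an event is only correlated with events sharing this field's value.
        buckets[ev.get(group_field) if group_field else None].append(ev)
    alerts = []
    for key, evs in buckets.items():
        chain = []
        for ev in evs:
            if chain and ev["ts"] - chain[0]["ts"] > window:
                chain = []  # window expired, start the sequence over
            if matches(ev, conditions[len(chain)]):
                chain.append(ev)
            if len(chain) == len(conditions):
                # Display Field: only the chosen fields are shown on the alert.
                shown = [{f: e.get(f) for f in display_fields} for e in chain]
                alerts.append({"group": key, "display": shown})
                chain = []
    return alerts

if __name__ == "__main__":
    print("ungrouped:", evaluate(EVENTS, CONDITIONS, display_fields=("user",)))
    print("grouped:  ", evaluate(EVENTS, CONDITIONS, "process_id", ("user",)))
```

Without a group field, alice's login is paired with bob's logout and produces a false alert; grouping by `process_id` leaves only carol's short session.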


