Skip to main content
Version: 3.2.0

Advanced Event Creation

This chapter explains how users can override template values for more dynamic event creation.

For more information about the precedence of the overrides see below.

Overriding Template Values

Overrides Using Field Values

AME allows overriding template values with field values from search results.

note

Utilize the underscore (_) naming convention to conceal the AME fields within the results.

The following fields are available:

Field NameDescriptionAllowed ValuesExamples
ame.append_alert
_ame.append_alert
Flag to enable append alertBoolean: 1, true, 0, falseeval ame.append.alert=1
ame.append_fields
_ame.append_fields
Fields used to aggregate alertsComma separated list of strings or multi-value string format, strings with whitespaces enclosed in signle or escaped double double-quoteseval ame.append_fields="field1,field2,\"field3 with whitespace\""
eval ame.append_fields="field1,field2,'field3 with whitespace'"
ame.append_mode
_ame.append_fields
Mode how to append alertsoldest, most_recent, all, create_neweval ame.append_mode="most_recent"
ame.append_strict
_ame.append_strict
Flag to enable appending alerts in strict modeBoolean: 1, true, 0, falseeval ame.append.strict=1
ame.default_assignee
_ame.default_assignee
The default assignee for an event. The assignee has to be a valid AME userStringeval ame.default_assignee="ame_user1"
ame.impact
_ame.impact
Event impactlow, medium, higheval ame.impact="high"
ame.notable_fields
_ame.notable_fields
Notable FieldsComma separated list of strings or multi-value string format, strings with whitespaces enclosed in signle or escaped double double-quoteseval ame.notable_fields="field1,field2,\"field3 with whitespace\""
eval ame.notable_fields="field1,field2,'field3 with whitespace'"
ame.notifications
_ame.notifications
Notification SchemeStringeval.ame.notifications="default"
ame.resolution
_ame.resolution
The resolutionStringeval.ame.resolution="False positive"
ame.status
_ame.status
Event statusnew, assigned, resolved, closed, in_progress , suppressed
existing custom value
eval ame.status="closed"
ame.tags
_ame.tags
Event TagsComma separated list of strings or multi-value stringeval ame.tags="tag1,tag2,tag3"
ame.tenant_uid
_ame.tenant_uid
The UID of the tenantStringeval tenant_uid="default"
ame.title
_ame.title
The event titleStringeval ame.title="Alert for host $host$"
ame.ttl
_ame.ttl
The time-to-live for an eventinteval ame.ttl=86400
ame.ttl_target
_ame.ttl_target
The target status for a an event that has reached the ttlStringeval ame.ttl_target="auto_resolved"
ame.urgency
_ame.urgency
Event urgencylow, medium, higheval ame.urgency="low"

Example:

<basesearch> | eval ame.tags="tag1,tag2,tag3", _ame.urgency="medium"

note

All overrides will only be used once when the event is created. If an alert is appended, the overrides will be ignored to protect the user interactions with the event.

note

ame.time_to_auto_resolve has been replaced with ame.ttl and ame.ttl_target In AME 3.0 and higher a user can now set the target state.

Overrides Using savedsearches.conf Attributes

AME allows overriding template values with savedsearches.conf attributes.

The following AME-specific attributes are supported:

Attribute NameDescriptionAllowed ValuesExamples
action.create_alert.param.append_alertFlag to enable append alertBoolean1, true, 0, false
action.create_alert.param.append_fieldsFields used to aggregate alertsComma separated list of strings, strings with whitespaces enclosed in double-quotesame.template_name,src_ip
action.create_alert.param.append_modeMode how to append alertsoldest, most_recent, all, create_newmost_recent
action.create_alert.param.append_strictFlag to enable appending alerts in strict modeBoolean1, true, 0, false
action.create_alert.param.default_assigneeThe default assignee for an event. The assignee has to be a valid AME userStringame_user1
action.create_alert.param.impactEvent impactlow, medium, highlow
action.create_alert.param.notable_fieldsNotable FieldsComma separated list of strings, strings with whitespaces enclosed in double-quotesfield, "field with whitespace"
field1,field2,"field3 with whitespace"
action.create_alert.param.statusEvent statusnew, assigned, resolved, closed, in_progress , suppressed or existing custom valueclosed
action.create_alert.param.tagsEvent TagsComma separated list of stringstag1,tag2,tag3
action.create_alert.param.templateThe reference id for the template or the template nameString63d76e6be87c1840f1421144
soc
action.create_alert.param.titleThe event titleStringAlert for host $host$
action.create_alert.param.urgencyEvent urgencylow, medium, highhigh
action.create_alert.param.notificationsNotification SchemeStringdefault
action.create_alert.param.tenant_uidThe UID of the tenantStringdefault
action.create_alert.param.time_to_auto_resolveThe time to live -resolve an eventint86400
action.create_alert.param.ttlThe time-to-live for an eventint86400
action.create_alert.param.ttl_targetThe target status for a an event that has reached the ttlint86400
caution

When using the Attribute action.create_alert.param.template with a template name, then action.create_alert.param.tenant_uid must be used for identification of the template, as the same template name can be used in multiple tenants.

note

action.create_alert.param.time_to_auto_resolve has been replaced with action.create_alert.param.ttl and action.create_alert.param.ttl_target in AME 2.1 a user can now set the target state.

Enterprise Security Content Update (ESCU) App Compatible Attributes:

  • action.correlationsearch.annotations
  • action.escu.mappings

The value for the attribute has to be in JSON Format and currently supports following overwrites:

  • cis20
  • cve
  • nist
  • kill_chain_phases
  • mitre_attack

Example:

action.correlationsearch.annotations = {"cis20": ["CIS 3", "CIS 5", "CIS 16"], "cve": ["CVE-2022-22965"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], }

Overrides Precedence

During event creation, multiple overrides can be set, however, there is precedence if multiple overrides apply:

Precedence (highest first):

  • Field Value Override
  • Savedsearch.conf Override
  • Template Override
info

Exceptions to these rules are tags and notable_fields, which are merged.

note

Custom Tags can only use lowercase letters.