Version: 3.0.0

Release Notes

Note: Alert Manager Enterprise Version 2.0 and higher only support Splunk Enterprise 9.0 and higher and Splunk Cloud.

Version 3.0.3

Before proceeding with an update, review the Before upgrading guide for this release.

Fixed issues:

  • AME-528 Hotfix: conflicting app installations // unload modules on Splunk On-Premises for Scientific Python and Splunk Cloud
  • AME-571 Workaround for alert action issue with 9.0.x (dot entity)

Version 3.0.2

What's new:

  • AME-452 Update Reporting Dashboards to support Resolutions
  • AME-563 Log initial query in migration task

Fixed issues:

  • AME-503 remove app from url query
  • AME-513 include resolution dropdown on all status changes
  • AME-514 Removing ref check from status option
  • AME-515 Do not store action_params in originQuery
  • AME-516 Refresh filter does not update on filter change
  • AME-517 Click away the event update modal without closing / submit opens the event
  • AME-519 ameevents and ameenrich should give the status type back
  • AME-520 Filtering with Status All does not work
  • AME-521 Do not use login at SMTP if no credentials configured
  • AME-526 Hide password for validation script
  • AME-527 notification upgrade task expects wrong amount of old_schemes backed up
  • AME-530 Action notifications issues
  • AME-553 User timezone frontend using wrong param
  • AME-555 Filtering by custom tags is using key instead of tag value
  • AME-562 Splunk 9.0.7: cannot create entities with . in key // cannot create events

Known issues:

  • AME-528 Hotfix: conflicting app installations // unload modules on Splunk On-Premises for Scientific Python and Splunk Cloud

Version 3.0.1

Unreleased.

Version 3.0.0

What's new:

  • AME-130 Rules scope not specific enough
  • AME-207 Implement resolution functionality
  • AME-219 Add link to Notification Scheme and Template in Event Summary
  • AME-261 Refactor Notifications
  • AME-298 Rule conditions match literal strings, wildcard strings and CIDR
  • AME-299 Set port number to 443 by default for HEC if Splunk Cloud is detected
  • AME-303 Move the refresh time from filters to the icon bar
  • AME-306 Refactor Notifications
  • AME-307 Refactor Tags
  • AME-308 Refactor Rules
  • AME-309 Refactor Templates
  • AME-312 Refactor Event Service
  • AME-313 Refactor Event Report Service
  • AME-321 Refactor Tasks
  • AME-332 Allow easy copy of the event title
  • AME-339 Notable fields order should be kept if only configured from one source
  • AME-342 Add direct link to event (for notifications and sharing)
  • AME-346 AME should cache User/Tenant mappings in a KVStore Collection
  • AME-357 Migration for templates, rules and status_options
  • AME-360 Drop support for non-slackapp (legacy) notification channel
  • AME-365 EventService: Create AppendTrigger on append (if flag is set)
  • AME-366 EventService: Create AssignedTrigger on assignment
  • AME-367 Notification-Migration-Task: Create AppendFlow that sends mail to assignee
  • AME-376 Migrate AM Migration to 3.0 release
  • AME-406 Upgrade migrations.conf to a replicated conf file and remove app.conf setup
  • AME-419 Hitting enter in the event summary filter should run the filter
  • AME-423 Trigger-condition should contain auto-resolved field references instead of reference keys
  • AME-428 Link to Cron Docs should open a new tab
  • AME-429 Resolutions Groundwork

Fixed issues:

  • AME-213 Alert Handler insert_entry fails with API size limit
  • AME-316 Notable Fields column does not scale with long field names
  • AME-317 Search based filter takes a long time
  • AME-337 Ensure cache is bypassed when fetching data from the REST API in the frontend
  • AME-344 Comments missing timezone awareness
  • AME-348 E-Mail Link in Splunk Cloud
  • AME-361 ame_migration: include fix for tags as list
  • AME-383 Exception Handler in create_alert can fail when trying to determine the search_time
  • AME-384 alerts in the ame_alertqueue should be deleted with hard=True to prevent the collection from growing large over time
  • AME-399 Only show power users in frontend for assignee / default assignee
  • AME-420 Set Max-Width for notification-flow-label column

Version 2.0.4

What's new:

  • AME-274 Allow the filtering of Workflow Actions
  • AME-283 Notable Fields should support wildcards to show all fields

Fixed issues:

  • AME-340 Do not show empty notable fields
  • AME-343 ameenrich not showing event for all time search
  • AME-345 Assign to myself filter broken
  • AME-347 E-Mail Link in Splunk Cloud wrong
  • AME-349 Migration some ISO timestamps are epoch
  • AME-350 Bulk edit comment not reset
  • AME-352 Tag filter for custom tag uses _key instead of tag value
  • AME-356 Improved templates for setup page

Version 2.0.3

Fixed issues:

  • AME-326 Switch everything to v2 search API
  • AME-327 Prevent endless recursion in role manager
  • AME-328 Prevent none type mail recipients
  • AME-329 Tags existing in multiple accessible tenants are all shown in event
  • AME-330 Ignore invalid AM data for migration

Version 2.0.2

Fixed issues:

  • AME-264 Setup page shows "Incomplete Restore KV-Store Data" task when it shouldn't
  • AME-292 Custom tags are not removed from tag manager after deletion
  • AME-297 Premium tags are generated as tenant tags
  • AME-304 Large number of users are not displayed properly in Event Summary
  • AME-316 Notable Fields column does not scale with long field names
  • AME-323 Migration remains failing due to header size

Version 2.0.1

Fixed issues:

  • AME-225 Migrating too many AM Incidents exceeds header limits
  • AME-269 Appending of alert does not check for custom closed status
  • AME-270 Searches get killed by Workload Manager if the timerange is All Time
  • AME-271 Search in alert HTML uses all time and wrong context
  • AME-286 Email Address Validation fixed

Known issues:

  • AME-264 Setup page shows "Incomplete Restore KV-Store Data" task when it shouldn't

Before you upgrade:

  • If you are upgrading from AME <1.x, there have been syntax changes in how tags and notable_events are overridden with event fields and savedsearches.conf attributes. See the Advanced Event Creation page.

Version 2.0.0

What's new:

  • AME-4 Add UI Theming support
  • AME-59 Improve Search in Event Summary
  • AME-60 Allow sorting columns in event summary
  • AME-177 Backend Filtering Definition + UI Refresh
  • AME-181 Knowledge objects should not be shared globally if not needed
  • AME-194 Verify that the KV Store can be reconstructed from index events
  • AME-201 SPLUNK_BINDIP support
  • AME-204 Validate input validation on all handlers
  • AME-205 Allow custom dashboards to be added to the Reports Menu
  • AME-206 Reporting improvement for Event Analysis
  • AME-210 It should not be possible to set the status to assigned without assigning an assignee
  • AME-216 Create ameenrich transforming command
  • AME-243 Add a link to docs in nav.xml
  • AME-247 Move Multi-Rule License check from Security Pack to the Support License
  • AME-248 Add event summary page for Splunk Mobile app
  • AME-250 Allow the use of template names in savedsearches.conf

Fixed issues:

  • AME-182 Custom status closed is shown open
  • AME-188 Health Overview ame_service_logs data source needs additional criteria
  • AME-232 tag override with multiple tags in savedsearches.conf creates whitespace tags
  • AME-233 notable_fields override in savedsearches.conf should support whitespaces
  • AME-234 Notable fields are not shown when they contain upper-case letters or white-spaces
  • AME-238 Notification modal not loading all alert_actions
  • AME-245 Alerts Action not firing in notifications
  • AME-246 Remove license check from Alert Action Notifications

Known issues:

  • AME-225 Migrating too many AM Incidents exceeds header limits
  • AME-264 Setup page shows "Incomplete Restore KV-Store Data" task when it shouldn't
  • AME-269 Appending of alert does not check for custom closed status
  • AME-270 Searches get killed by Workload Manager if the timerange is All Time
  • AME-271 Search in alert HTML uses all time and wrong context

Version 1.2.6

Fixed issues:

  • AME-192 Timerange is not applied on first fetch
  • AME-215 SHC captain check does not work if cluster uses IPs
  • AME-231 Detecting the SHC Captain does not work reliably in Splunk Cloud Victoria stacks with Search Head Clustering

Version 1.2.5

Fixed issues:

  • AME-188 updated health overview drill down by token
  • AME-189 fixed ame-audit-records behaviour
  • AME-191 fixed path of workflow actions

Known issues:

  • AME-192 Timerange is not applied on first fetch
  • AME-225 Migrating too many AM Incidents exceeds header limits
  • AME-215 SHC captain check does not work if cluster uses IPs (Contact Support for Workaround)
  • AME-231 Detecting the SHC Captain does not work reliably in Splunk Cloud Victoria stacks with Search Head Clustering (Contact Support for Workaround)

Version 1.2.3

What's new:

  • AME-95 added search bar to all tabs in tag manager
  • AME-168 improved loading comments for ack tokens
  • AME-183 Comment preview that displays rendered Markdown
  • AME-184 Comment send on {ctrl}+{enter}, new line on {enter}

Fixed issues:

  • AME-175 updated server.conf and added reload on handler_logging.py
  • AME-179 Rule Manager crashes when trying to enter timerange
  • AME-180 Prevent excessive number of appends to an event
  • AME-182 Custom status closed is shown open
  • AME-185 read_tenantlist_auditreport() returns unexpected keyword error
  • AME-186 Alertqueue Consumer log needs more extensive logging

Version 1.2.2

What's new:

  • AME-42 Rule Manager rules for periodic time frames
  • AME-64 Markdown in comments
  • AME-169 Show message to non-admin users on configuration and setup
  • AME-160 Allow additional overrides in savedsearches.conf
  • AME-165 Improve Supportability
  • AME-167 HEC Acknowledgements are possible now

Fixed issues:

  • AME-146 Priority column is now colored in priority color
  • AME-170 Notable Fields are no longer being ordered
  • AME-171 Error fetching tenant and event information
  • AME-173 handler_abstract throws attribute error in module splunklib.results
  • AME-176 CIM Add-on overrides sourcetype and index for ame:modalert sourcetype
  • AME-179 Rule Manager crashes when trying to enter timerange

Version 1.2.1

Fixed issues:

  • AME-150 fixed e2e and alertqueue problem

Version 1.2.0

What's new:

  • AME-26 Use savedsearches.conf annotations to assign tags
  • AME-27 Allow the creation and presentation of tags that are not managed by tag manager
  • AME-37 Existing Splunk Alert Action can be used as additional channels
  • AME-50 Add CIS v7 (CIS20) Tags to Security Knowledge Pack
  • AME-51 Add CIS v8 Tags to Security Knowledge Pack
  • AME-52 Add NIST Tags to Security Knowledge Pack
  • AME-53 Add CVE Tags to Security Knowledge Pack
  • AME-112 Add Paginator for Notable Fields for once per search trigger is selected
  • AME-128 Support new Slack App based Webhooks
  • AME-129 Add flag to enable/disable notifications for appended events
  • AME-135 Roles should be assignable through intermediate roles

Fixed issues:

  • AME-132 % in title prevents events from being generated
  • AME-136 Once per search events should only be counted as one event in trend indicators
  • AME-141 Template Manager allows upper case custom tag definition
  • AME-142 Tenant Manager UI validation does not allow valid Splunk Cloud HEC Host