Rules
AME Rules allow you to update event attributes automatically during event creation or when appending new alerts to existing events.
For details on how and when the AME Rule Engine applies rules, refer to Event Automation.
See Role Overview for permissions required to manage rules.
Some features require an active subscription. See Features for more information.
Managing Rules
The Rules UI is shown below:
Only tenants where the user is listed will appear as options for creating rules.
Filter rules by name using the search field.
Manage rules with these buttons:
- Add Rule
- Clone Rule
- Save Rule
- Delete Rule
- Add Condition / Updates / Keyword / Rule Notification Trigger
- Delete Condition / Updates / Keyword / Rule Notification Trigger
- Change Condition Boolean
- Add Nested Condition
Setting Up a Rule
To create a rule affecting all AME-managed events:
- Click Add Rule at the top to open the modal.
- Enter a unique rule name.
- Specify the time range during which the rule affects events.
- Adjust the Scheduled Rule settings (requires subscription).
- Add a condition using the Add Condition button.
- Add Rule Notification Triggers with the Add Rule Notification Trigger button (requires subscription).
Creating an Event Rule Condition
Define at least one condition to trigger a rule based on an event:
- Enable the Event Rule using the slider.
- Click Add Condition under Event Rules.
- Add a row specifying a field, condition, and value. The field can be any event field or metadata; see AME Event Automation for the full list, or hover over Event Condition Schema.
Condition dropdown comparators:
Comparator | Type | Example | Notes |
---|---|---|---|
equals | String | success, fail* | Supports wildcards |
not equal | String | success | Supports wildcards |
less than | Integer | 4 | |
greater than or equal | Integer | 5 | |
less than or equal | Integer | 3 | |
CIDR matching | IP address in CIDR notation | 10.10.10.0/24 | Matches if the field's IP address lies within the given network |
in | String list | apple banana cherry | Matches if the field value is one of the listed (space-separated) values |
If the field on the left contains multiple values, the comparator matches as soon as any one of those values satisfies it (OR).
Example: `user` is a multi-value field containing `userA`, `userB` and `userC`. Given the condition
user equals userC
the condition is fulfilled, because `userC` is one of the values contained in `user`.
The free AME version supports only one Event Rule condition.
Creating an Update Rule Condition
Requires an AME subscription.
Update Rules differ from Event Rules in that they operate on changes to an event rather than on the event itself.
In addition to the fields that can change (see Update Condition Schema), two additional fields are available:
- `changed`
- `values`
Both are lists: `changed` holds the names of the fields that changed, `values` holds the new values of those fields, e.g.
changed: [ame.assignee, ame.count]
values: [john, 1337]
Define at least one condition to trigger a rule based on an AME field update:
- Enable the Update Rule using the slider.
- Click Add Condition under Update Rules.
- Add a row specifying a field, condition, and value. The field can be any field from the Update Condition Schema, or `changed` or `values`.
Condition dropdown comparators match those for Event Rules (above).
Advanced Rule Conditions
Requires an AME subscription.
Create complex rules by combining conditions with boolean operators. For example, to trigger a rule for root logins on Unix systems (network 10.10.10.0/24) or Administrator logins on Windows hosts (network 10.10.11.0/24):
Pseudo-code:
(ame.search_name equals bruteforce_unix_root AND dest_ip CIDR matching 10.10.10.0/24)
OR
(ame.search_name equals bruteforce_windows_administrator AND dest_ip CIDR matching 10.10.11.0/24)
Using the Add Nested Condition button for the two groups and the Add Condition button for the conditions inside each group, the result would look like this:
Examples
- Create a rule that changes the status
- Create a rule that changes the urgency
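The following is an added example, not AME's own code, that shows in Python how the comparators above behave when evaluated against an event: wildcard `equals`, `CIDR matching`, the any-value (OR) semantics of multi-value fields such as `user`, nested AND/OR groups as in the pseudo-code, and the `changed`/`values` lists an Update Rule condition sees. The dictionary shape of conditions and groups, the helper names and the sample events are assumptions made for the example; the comparator names and the field names `ame.search_name`, `dest_ip`, `ame.assignee` and `ame.count` come from the page.

```python
import fnmatch
import ipaddress


def _as_list(event, field):
    """Return the field's values as a list (multi-value fields stay lists)."""
    value = event.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def match_one(value, comparator, expected):
    """Apply one comparator from the condition dropdown to a single value."""
    try:
        if comparator == "equals":
            return fnmatch.fnmatchcase(str(value), str(expected))  # wildcards such as fail*
        if comparator == "not equal":
            return not fnmatch.fnmatchcase(str(value), str(expected))
        if comparator == "less than":
            return int(value) < int(expected)
        if comparator == "greater than or equal":
            return int(value) >= int(expected)
        if comparator == "less than or equal":
            return int(value) <= int(expected)
        if comparator == "CIDR matching":
            return ipaddress.ip_address(str(value)) in ipaddress.ip_network(expected, strict=False)
        if comparator == "in":
            return str(value) in str(expected).split()  # space-separated string list
    except ValueError:
        return False  # non-numeric value or malformed IP address never matches
    raise ValueError(f"unknown comparator: {comparator!r}")


def evaluate(condition, event):
    """Evaluate a leaf condition or a nested AND/OR group against an event.

    Leaf:  {"field": ..., "comparator": ..., "value": ...}
    Group: {"op": "AND" | "OR", "conditions": [...]}   (assumed representation)
    """
    if "op" in condition:
        results = [evaluate(c, event) for c in condition["conditions"]]
        return all(results) if condition["op"] == "AND" else any(results)
    # Multi-value field: the comparator matches if ANY value satisfies it (OR).
    return any(match_one(v, condition["comparator"], condition["value"])
               for v in _as_list(event, condition["field"]))


def update_diff(before, after):
    """Build the `changed`/`values` lists an Update Rule condition sees."""
    changed = [f for f in after if after[f] != before.get(f)]
    return {"changed": changed, "values": [after[f] for f in changed]}


# The advanced example from the page, expressed as nested groups.
ADVANCED_RULE = {
    "op": "OR",
    "conditions": [
        {"op": "AND", "conditions": [
            {"field": "ame.search_name", "comparator": "equals", "value": "bruteforce_unix_root"},
            {"field": "dest_ip", "comparator": "CIDR matching", "value": "10.10.10.0/24"},
        ]},
        {"op": "AND", "conditions": [
            {"field": "ame.search_name", "comparator": "equals", "value": "bruteforce_windows_administrator"},
            {"field": "dest_ip", "comparator": "CIDR matching", "value": "10.10.11.0/24"},
        ]},
    ],
}

# Constructed sample events (not from the page).
UNIX_EVENT = {"ame.search_name": "bruteforce_unix_root", "dest_ip": "10.10.10.42",
              "user": ["userA", "userB", "userC"], "ame.count": 1337}
WIN_EVENT = {"ame.search_name": "bruteforce_windows_administrator", "dest_ip": "10.10.10.42"}

if __name__ == "__main__":
    print(evaluate(ADVANCED_RULE, UNIX_EVENT))  # True
    print(evaluate(ADVANCED_RULE, WIN_EVENT))   # False: Windows search name, but Unix network
    print(evaluate({"field": "user", "comparator": "equals", "value": "userC"}, UNIX_EVENT))  # True
    diff = update_diff({"ame.assignee": "", "ame.count": 1}, {"ame.assignee": "john", "ame.count": 1337})
    print(diff)  # {'changed': ['ame.assignee', 'ame.count'], 'values': ['john', 1337]}
    print(evaluate({"field": "changed", "comparator": "equals", "value": "ame.assignee"}, diff))  # True
```

Note that the OR semantics for multi-value fields also apply to `not equal`: `user not equal userC` is satisfied by `userA` even though `userC` is present, so a rule meant to exclude a user from a multi-value field needs a nested condition rather than a single `not equal`.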
Updates
When a rule gets triggered, one or more attributes of an event can be updated.
A subscription is required to update more than one attribute at a time.
Attribute | Notes |
---|---|
Status | The selected status must be a valid next status for the event's current status |
Urgency | |
Impact | |
Notifications | |
Resolution | |
Event TTL | |
TTL Target | |
Tags | Selected tags are added to the event's existing tags |
If any attribute update is invalid, all updates of the rule are ignored. A Splunk message is displayed and an event is logged.
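The all-or-nothing behaviour described above, as an added Python example (not AME's code): every requested update is validated first, and a single invalid attribute rejects the whole batch while tags are merged into the existing ones. The status workflow, the urgency/impact levels and the sample event are assumptions made for the example.

```python
# Assumed status workflow (not from the page): which statuses may follow which.
VALID_NEXT_STATUS = {
    "new": {"assigned", "resolved"},
    "assigned": {"resolved", "new"},
    "resolved": {"new"},
}
LEVELS = ("low", "medium", "high")  # assumed urgency/impact values


def validate_updates(event, updates):
    """Return a list of problems; an empty list means every update is valid."""
    problems = []
    for attr, value in updates.items():
        if attr == "status" and value not in VALID_NEXT_STATUS.get(event.get("status"), set()):
            problems.append(f"status: {event.get('status')!r} -> {value!r} is not a valid next status")
        elif attr in ("urgency", "impact") and value not in LEVELS:
            problems.append(f"{attr}: {value!r} is not one of {LEVELS}")
        elif attr == "tags" and not isinstance(value, (list, tuple, set)):
            problems.append("tags: expected a list of tags")
    return problems


def apply_rule_updates(event, updates):
    """Apply all updates or none: one invalid attribute rejects the whole batch.

    Returns (new_event, problems). On rejection the original event is returned
    untouched so the caller can report the problems, which is where AME shows
    a Splunk message and logs an event.
    """
    problems = validate_updates(event, updates)
    if problems:
        return event, problems
    new_event = dict(event)
    for attr, value in updates.items():
        if attr == "tags":
            # Tags are additive: selected tags join the existing ones.
            new_event["tags"] = sorted(set(event.get("tags", [])) | set(value))
        else:
            new_event[attr] = value
    return new_event, []


# Constructed sample event (not from the page).
EVENT = {"status": "new", "urgency": "low", "tags": ["unix"]}

if __name__ == "__main__":
    print(apply_rule_updates(EVENT, {"status": "assigned", "urgency": "high", "tags": ["bruteforce", "unix"]}))
    print(apply_rule_updates(EVENT, {"status": "closed", "urgency": "high"}))  # rejected as a whole
```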
Rule Notification Triggers
Rule Notification Triggers send notifications when a rule has been triggered.
A Rule Notification Trigger consists of one or more Keywords, which a Notification Scheme can use as a filter, and a message. The message text can be used in the notification.
See more about notifications here.
A subscription is required to use Rule Notification Triggers.
Cron Syntax
The cron syntax is used to match events on an interval basis and follows the standard five-field cron format without the command to execute.
The cron string is matched against the alert time, and the expression evaluates to either `true` or `false`.
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of the month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
# │ │ │ │ │
# │ │ │ │ │
# │ │ │ │ │
# * * * * *
Examples
# Match on Weekends:
* * * * 0,6
# Match on Mondays between 01 and 05:
* 1-5 * * 1
# Match on Tuesdays and Wednesdays between 12-13 and 19-20 (any minute of hours 12 and 19; Tuesday is 2, Wednesday is 3):
0-59 12,19 * * 2,3
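To make the "match the alert time" semantics concrete, here is an added Python example (not AME's code) that evaluates a five-field cron expression against a single alert timestamp, with the page's three examples as inputs. It supports `*`, single values, ranges, lists and `*/n` steps, and uses the page's day-of-week numbering (Sunday is 0). It treats all five fields as an AND; the classic cron special case where day-of-month and day-of-week are OR'ed when both are restricted is deliberately not reproduced, because the page does not say how AME handles it, so treat that corner as an assumption to verify. The function names and the sample timestamps are constructed for the example.

```python
import datetime as dt


def _field_matches(spec, value, lo, hi):
    """True if one cron field ('*', '5', '1-5', '0,6', '*/15', '1-5/2') covers value."""
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"cron field {spec!r} is outside {lo}-{hi}")
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr, when):
    """Evaluate a 5-field cron expression against one alert time.

    `when` is a datetime or an ISO-8601 string. Every field must match (AND);
    the day-of-month/day-of-week OR quirk of classic cron is not implemented
    (assumption: the page does not describe it).
    """
    if isinstance(when, str):
        when = dt.datetime.fromisoformat(when)
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    minute, hour, dom, month, dow = fields
    # Python counts Monday=0..Sunday=6; the page's legend counts Sunday=0..Saturday=6.
    cron_dow = (when.weekday() + 1) % 7
    return (_field_matches(minute, when.minute, 0, 59)
            and _field_matches(hour, when.hour, 0, 23)
            and _field_matches(dom, when.day, 1, 31)
            and _field_matches(month, when.month, 1, 12)
            and _field_matches(dow, cron_dow, 0, 6))


if __name__ == "__main__":
    # Constructed alert times: 2024-01-06 is a Saturday, 2024-01-08 a Monday, 2024-01-10 a Wednesday.
    print(cron_matches("* * * * 0,6", "2024-01-06T10:00"))         # True  (weekend)
    print(cron_matches("* 1-5 * * 1", "2024-01-08T03:30"))         # True  (Monday, 01:00-05:59)
    print(cron_matches("0-59 12,19 * * 2,3", "2024-01-10T12:30"))  # True  (Wednesday 12:30)
    print(cron_matches("0-59 12,19 * * 2,3", "2024-01-11T12:30"))  # False (Thursday)
```

Because the hour field matches whole hours, `* 1-5 * * 1` covers 01:00 through 05:59, not "up to 05:00"; keep that in mind when a schedule is meant to end on the hour.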
Update, clone, and delete rules and configuration items
To update a rule or configuration item, revise the information and press the Save button. Where available, use the Clone button to copy an existing rule or item.
To delete a rule or item, press the Delete button.