Version: 3.0.0

Rules

AME Rules provide a way to apply attribute updates during the creation of an event or when appending a new alert to an event.

To understand when and how the AME Rule Engine applies rules, see Event Automation for more details.

info

See Role Overview for capabilities required to manage rules.

info

Some features require an active subscription. See Features for details.

Managing Rules

The following image shows the rules UI:

info

A tenant is only offered as an option when creating a rule if the user is in that tenant's user list.

The search field can be used to filter by rule name.

Use the following buttons to manage rules:

  - Add Rule
  - Clone Rule
  - Save Rule
  - Delete Rule
  - Add Condition / Updates / Keyword / Rule Notification Trigger
  - Delete Condition / Updates / Keyword / Rule Notification Trigger
  - Change Condition Boolean
  - Add Nested Condition

Set up a rule

To create a rule that will apply to all events managed by Alert Manager Enterprise:

  1. Click the Add Rule button at the top of the list. A modal window will open.
  2. Give the rule a unique name.
  3. Select a time range in which the rule should affect the events.
  4. Adjust the Scheduled Rule settings (subscription required).
  5. Add a Condition using the Add Condition button.
  6. Add Rule Notification Triggers using the Add Rule Notification Trigger button (subscription required).

How to create a Rule Condition

For a rule to be triggered, at least one condition has to be defined.

  1. Click the Add Condition button.
  2. A row consisting of a field, a comparator, and a value is added. The field input accepts any field present in the event as well as metadata about the event. See AME Event Automation for the complete field list.

The condition dropdown has the following comparators:

Comparator               Type                          Example                Notes
equals                   String                        success, fail*         Supports wildcards
not equal                String                        success                Supports wildcards
less than                Integer                       4
greater than or equal    Integer                       5
less than or equal       Integer                       3
CIDR matching            IP address in CIDR notation   10.10.10.0/24
in                       String list                   apple banana cherry
contains                 String                        apple                  The comparison field must be a list

info

The free version of AME only supports one condition.

Advanced Rule Conditions

info

This feature requires an AME subscription.

Using boolean operators it is possible to create more complex rules. Let's assume we have two searches: one looks for root logins on Unix systems, the other for Administrator logins on Windows hosts. We only want the rule to apply when the affected hosts are in a specific network for each search, so the rule covers two different networks.

In pseudo-code, this would look like this:

(ame.savedsearch_name == 'bruteforce_unix_root' AND dest_ip="10.10.10.0/24") 
OR
(ame.savedsearch_name == 'bruteforce_windows_administrator' AND dest_ip="10.10.11.0/24")
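The comparator table and the nested boolean example above can be exercised in code. The following Python snippet is an added example and is not part of AME or this documentation. It assumes a condition tree in which a leaf is a (field, comparator, value) triple and a nested group carries an AND or OR operator, interprets the "in" value as a whitespace-separated list, and uses a constructed sample event. It evaluates the page's pseudo-code rule against that event.

```python
import fnmatch
import ipaddress

# Constructed sample event (not from AME); field names follow the page's pseudo-code.
EVENT = {
    "ame.savedsearch_name": "bruteforce_unix_root",
    "dest_ip": "10.10.10.42",
    "status": "success",
    "count": 4,
    "tags": ["apple", "cherry"],
}


def compare(actual, comparator, expected):
    """Evaluate one condition row: event value, comparator, rule value.

    Comparator names follow the page's table. Wildcard support for
    'equals' / 'not equal' is modelled with shell-style '*' and '?' (assumption)."""
    if comparator == "equals":
        return fnmatch.fnmatchcase(str(actual), str(expected))
    if comparator == "not equal":
        return not fnmatch.fnmatchcase(str(actual), str(expected))
    if comparator == "less than":
        return int(actual) < int(expected)
    if comparator == "greater than or equal":
        return int(actual) >= int(expected)
    if comparator == "less than or equal":
        return int(actual) <= int(expected)
    if comparator == "CIDR matching":
        # strict=False accepts host bits set in the rule value (e.g. 10.10.10.1/24)
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if comparator == "in":
        # 'in': the event value must be one of the rule's listed values
        # (whitespace-separated list is an assumption, mirroring the page's example)
        return str(actual) in str(expected).split()
    if comparator == "contains":
        # 'contains': the event field must be a list that holds the rule value
        return isinstance(actual, list) and expected in actual
    raise ValueError(f"unknown comparator: {comparator}")


def evaluate(node, event):
    """Recursively evaluate a condition tree.

    A leaf is a (field, comparator, value) tuple; a nested group is
    {"op": "AND" | "OR", "conditions": [...]}. The structure is an assumption
    that mirrors the Add Nested Condition / Change Condition Boolean buttons."""
    if isinstance(node, tuple):
        field, comparator, value = node
        if field not in event:
            return False  # a field missing from the event never matches
        return compare(event[field], comparator, value)
    results = [evaluate(child, event) for child in node["conditions"]]
    return all(results) if node["op"] == "AND" else any(results)


# The page's pseudo-code rule, expressed as a nested condition tree.
RULE = {
    "op": "OR",
    "conditions": [
        {"op": "AND", "conditions": [
            ("ame.savedsearch_name", "equals", "bruteforce_unix_root"),
            ("dest_ip", "CIDR matching", "10.10.10.0/24"),
        ]},
        {"op": "AND", "conditions": [
            ("ame.savedsearch_name", "equals", "bruteforce_windows_administrator"),
            ("dest_ip", "CIDR matching", "10.10.11.0/24"),
        ]},
    ],
}

if __name__ == "__main__":
    print(evaluate(RULE, EVENT))
```

Because a missing field evaluates to false, a leaf such as a CIDR match on an event without `dest_ip` cannot accidentally satisfy an AND group; an OR group still needs at least one true branch.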

Using the Add Nested Condition button and adding conditions with the Add Condition button, the result would look like this:

Updates

When a rule gets triggered, one or more attributes of an event can be updated.

info

A subscription is required to update more than one attribute at a time.

Attribute        Notes
Status           The selected status must be a valid next status
Urgency
Impact
Notifications
Resolution
Event TTL
TTL Target
Tags             Selected tags will be added to the existing tags

info

If any attribute update is invalid, all updates of the rule are ignored. A Splunk message will be displayed, and an event will be logged.
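The all-or-nothing behaviour described in the note above (one invalid attribute discards every update of the rule) can be modelled like this. This is an added Python example, not AME code: the status lifecycle, the set of urgency values and the log list are constructed stand-ins for AME's own status model and for the Splunk message and logged event.

```python
# Constructed status lifecycle: which statuses may follow which.
# These are hypothetical values, not AME's own status model.
NEXT_STATUS = {
    "new": {"in progress", "resolved"},
    "in progress": {"resolved"},
    "resolved": set(),
}
URGENCIES = {"low", "medium", "high"}  # constructed, not AME's list


class InvalidUpdate(ValueError):
    """Raised by validate() when a single attribute update is not allowed."""


def validate(event, updates):
    """Check every requested attribute update before anything is changed."""
    for attr, value in updates.items():
        if attr == "status":
            allowed = NEXT_STATUS.get(event["status"], set())
            if value not in allowed:
                raise InvalidUpdate(f"{event['status']!r} -> {value!r} is not a valid next status")
        elif attr == "urgency":
            if value not in URGENCIES:
                raise InvalidUpdate(f"unknown urgency {value!r}")
        elif attr == "tags":
            if not isinstance(value, list):
                raise InvalidUpdate("tags must be a list")
        elif attr == "event_ttl":
            if int(value) <= 0:
                raise InvalidUpdate("event_ttl must be a positive number of seconds")
        else:
            raise InvalidUpdate(f"unsupported attribute {attr!r}")


def apply_updates(event, updates, log):
    """Apply all updates or none of them.

    Validation runs over the complete update set first; a single invalid entry
    leaves the event untouched and appends a message to `log` (the stand-in for
    the Splunk message and logged event). Returns the resulting event copy."""
    try:
        validate(event, updates)
    except InvalidUpdate as exc:
        log.append(f"rule updates ignored: {exc}")
        return dict(event)

    new_event = dict(event)
    for attr, value in updates.items():
        if attr == "tags":
            # Tags are merged into the existing list rather than replacing it.
            merged = list(event.get("tags", []))
            for tag in value:
                if tag not in merged:
                    merged.append(tag)
            new_event["tags"] = merged
        else:
            new_event[attr] = value
    return new_event


if __name__ == "__main__":
    messages = []
    sample = {"status": "new", "urgency": "low", "tags": ["a"]}  # constructed event
    print(apply_updates(sample, {"status": "in progress", "tags": ["b", "a"]}, messages))
    print(apply_updates(sample, {"status": "resolved", "urgency": "critical"}, messages))
    print(messages)
```

The second call illustrates the rule's failure mode: the status transition on its own is valid, but the unknown urgency invalidates the set, so the status change is dropped as well.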

Rule Notification Triggers

Rule Notification Triggers are used to send notifications once a rule has been triggered.

A Rule Notification Trigger consists of one or more Keywords, which can be used as a filter, a Notification Scheme, and a message. The message text can be used in a notification.

See Notifications for more details.

info

A subscription is required to use Rule Notification Triggers.

Cron Syntax

The cron syntax is used to match events on an interval basis and follows the standard cron format without the command to execute.

The cron string is matched against the alert time, and the expression evaluates to either true or false.

# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of the month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
# │ │ │ │ │
# │ │ │ │ │
# │ │ │ │ │
# * * * * *

Examples

# Match on weekends:
* * * * 0,6

# Match on Mondays between 01 and 05:
* 1-5 * * 1

# Match on Tuesdays and Wednesdays between 12-13 and 19-20:
0-59 12,19 * * 2,3
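Matching an alert time against such an expression, as an added Python example that is not AME's implementation: it expands each of the five fields (supporting `*`, lists, ranges and `/step`), converts Python's Monday-based weekday to cron's Sunday=0 numbering, and assumes that all five fields must match. The page does not say whether AME applies classic cron's day-of-month/day-of-week OR special case, so this example does not. The timestamps used in the usage call are constructed.

```python
from datetime import datetime

# Allowed value range per field: minute, hour, day of month, month, day of week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand(field, lo, hi):
    """Expand one cron field ('*', 'a', 'a-b', 'a,b', 'a-b/n', '*/n') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{part!r} is outside the range {lo}-{hi}")
        if step < 1:
            raise ValueError(f"step must be >= 1 in {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a five-field cron string (no command) into five sets of allowed values."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    return [expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def cron_matches(expr, when):
    """Return True if the alert time `when` falls inside the cron expression.

    All five fields must match (assumption; see lead-in). Python's weekday()
    numbers Monday as 0 and Sunday as 6, cron numbers Sunday as 0."""
    minute, hour, dom, month, dow = parse_cron(expr)
    cron_dow = (when.weekday() + 1) % 7
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and cron_dow in dow)


def matches_at(expr, year, month, day, hour, minute):
    """Convenience wrapper taking the alert time as plain numbers."""
    return cron_matches(expr, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    # Constructed alert times: 2024-06-08 is a Saturday, 2024-06-10 a Monday.
    print(matches_at("* * * * 0,6", 2024, 6, 8, 10, 0))          # weekend
    print(matches_at("* 1-5 * * 1", 2024, 6, 10, 3, 30))         # Monday, 03:30
    print(matches_at("0-59 12,19 * * 2,3", 2024, 6, 12, 19, 59)) # Wednesday, 19:59
```

Note that `12,19` in the hour field covers 12:00 to 12:59 and 19:00 to 19:59, which is what the page's "between 12-13 and 19-20" describes; an alert at exactly 13:00 does not match.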

Update, clone, and delete rules and configuration items

Revise the information and press the Save button to update a rule or configuration item. Where available, use the Clone button. To delete a rule or items, press the Delete button.