Templates
Templates in Alert Manager Enterprise (AME) provide preset values for events created from saved search alerts. The Template Manager allows you to create and manage these templates.
See Role Overview for permissions required to manage templates.
See Advanced Event Creation for how template settings can be overridden by searches.
Managing Templates
The Template Manager UI is shown below:
Filter templates by name using the search field.
Manage templates with these buttons:
- Add Template
- Copy Template
- Save Template
- Delete Template
Creating a Template
To create a template:
- Click `Add Template` at the bottom of the list.
- Assign a unique name to the template.
- Configure the template values (see Alert Action Setup for details).
- Click `Save Template` in the upper-right corner of the template section.
Available options for the template are listed below:
Information | Description |
---|---|
Alert Data Lookback Days | Number of days the append function searches back for existing events. |
Append Alert | If enabled, alerts matching defined keys append to existing open events. |
Append Keys | Criteria (keys) used to group events for appending. |
Append Mode | Mode for appending an alert to existing events (e.g., oldest, newest). |
Append Strict | If enabled, all append key values must match exactly for an alert to append. |
Assignee | Default assignee for the AME event. |
Impact | Estimated impact of the alert. |
Notable Fields | Fields displayed in the Notable Fields tab; use a wildcard (*) for all fields, but explicitly list internal AME fields and _raw if needed. |
Notification | Notification scheme applied to the event. |
Notification on Append | If enabled, appended alerts trigger notifications. |
Resolution | Default resolution for the event. |
Status | Default status for events created by the alert. |
Tags | List of tags assigned to the event. |
Template Name | Unique name of the template. |
Tenant | Specifies the index and collection where events are stored. |
Time-to-Live (TTL) | Duration (in minutes) an event remains active. |
TTL Target | Target status for the event after TTL expires, if TTL is set. |
Urgency | Estimated urgency of the alert. |
The default template cannot be deleted.
See Event Aggregation for details on appending alerts.
Displaying `_raw` in notable fields increases KV Store collection size and may cause performance issues over time.
Updating and Deleting a Template
To update a template, revise its details and click `Save Template`. To delete, click `Delete Template` next to the save button in the upper-right corner of the template section.
Deleting a template does not update saved searches that rely on it. Update your saved searches beforehand to avoid disruptions.
Observables Settings
Observables can be configured within a template to match alert fields to existing observables in AME, enhancing event details with asset or identity context. This is particularly useful for adjusting event urgency, criticality, or risk based on matched observables. Use the "Observable Matching" section in the template configuration to define how alert fields map to observables.
An AME subscription is required to use the risk scoring feature.
Configuration Steps:
- In the "Observable Matching" section, specify the following:
  - Type: Select the type of observable to match, such as `Asset` or `Identity`, depending on the data in your alerts (e.g., `Asset` for device-related data like IP addresses).
  - Alert Field Name: Enter the field from your Splunk alert that should be used for matching (e.g., `ip`, `hostname`, or `fqdn`).
  - Observable Field: Specify the corresponding field in the Observables collection to match against (e.g., `ip` for asset observables).
  - Risk Change: Define a numerical value (e.g., `100`) to adjust the event's risk score if a match is found. This value can increase or decrease the risk based on the observable's criticality or context.
Example:
- If your alert includes an `src_ip` field, configure the Observable Matching as:
  - Type: `Asset`
  - Alert Field Name: `src_ip`
  - Observable Field: `ip`
  - Risk Change: `100`
- If a match is found, AME will update the event’s urgency or risk based on the highest criticality of the matched observables. If multiple observables match, only the highest urgency or risk change will be applied.
Notes:
- A single observable match on multiple alert fields is counted only once, and the highest urgency or risk change will be used.
- Ensure the fields in your Splunk alerts align with those in your Observables collection (e.g., `ip`, `hostname`, `fqdn`) for accurate matching.
- This feature requires Observables to be properly configured and populated in AME (see Observables for setup details).