Version: 3.3.0

Templates

Templates in Alert Manager Enterprise (AME) provide preset values for events created from saved search alerts. The Template Manager allows you to create and manage these templates.

info

See Role Overview for permissions required to manage templates.

tip

See Advanced Event Creation for how template settings can be overridden by the saved searches that use them.

Managing Templates

The Template Manager UI is shown below:

Filter templates by name using the search field.

Manage templates with these buttons:

  • Add Template
  • Copy Template
  • Save Template
  • Delete Template

Creating a Template

To create a template:

  1. Click Add Template at the bottom of the list.
  2. Assign a unique name to the template.
  3. Configure the template values (see Alert Action Setup for details).
  4. Click Save Template in the upper-right corner of the template section.

Available options for the template are listed below:

Option: Description
Alert Data Lookback Days: Number of days the append function searches back for existing events.
Append Alert: If enabled, alerts matching the defined keys append to existing open events.
Append Keys: Criteria (keys) used to group events for appending.
Append Mode: Mode for appending an alert to existing events (e.g., oldest, newest).
Append Strict: If enabled, all append key values must match exactly for an alert to append.
Assignee: Default assignee for the AME event.
Impact: Estimated impact of the alert.
Notable Fields: Fields displayed in the Notable Fields tab; use a wildcard (*) for all fields, but explicitly list internal AME fields and _raw if needed.
Notification: Notification scheme applied to the event.
Notification on Append: If enabled, appended alerts trigger notifications.
Resolution: Default resolution for the event.
Status: Default status for events created by the alert.
Tags: List of tags assigned to the event.
Template Name: Unique name of the template.
Tenant: Specifies the index and collection where events are stored.
Time-to-Live (TTL): Duration (in minutes) an event remains active.
TTL Target: Target status for the event after TTL expires, if TTL is set.
Urgency: Estimated urgency of the alert.
info

The default template cannot be deleted.

info

See Event Aggregation for details on appending alerts.

danger

Displaying _raw in notable fields increases KV Store collection size and may cause performance issues over time.
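The append and TTL options above interact in ways that are easy to get wrong when tuning a template (lookback window, open-event filter, strict versus non-strict key matching, oldest versus newest). The following Python is an added illustration of those semantics written for this page; it is not AME's own code, and the template dict keys, the sample events and the set of statuses treated as closed are assumptions. Non-strict matching is modelled as "at least one append key matches", which the page does not define, and TTL is assumed to count from event creation.

```python
from datetime import datetime, timedelta

# Assumption: statuses that make an event ineligible as an append target.
# AME's exact set of closed statuses is not stated on this page.
CLOSED_STATUSES = {"resolved", "closed"}

# Constructed sample of existing events (not real AME data).
EXISTING_EVENTS = [
    {"id": "E1", "status": "new", "created": datetime(2024, 5, 1, 9, 0),
     "fields": {"src_ip": "10.0.0.5", "user": "alice"}},
    {"id": "E2", "status": "in progress", "created": datetime(2024, 5, 3, 12, 0),
     "fields": {"src_ip": "10.0.0.5", "user": "bob"}},
    {"id": "E3", "status": "resolved", "created": datetime(2024, 5, 3, 13, 0),
     "fields": {"src_ip": "10.0.0.5", "user": "alice"}},
    {"id": "E4", "status": "new", "created": datetime(2024, 4, 1, 8, 0),
     "fields": {"src_ip": "10.0.0.5", "user": "alice"}},
]

# A template as a plain dict; the key names are this example's own shorthand
# for the UI options, not AME identifiers.
TEMPLATE = {
    "append_alert": True,
    "append_keys": ["src_ip", "user"],
    "append_mode": "oldest",          # or "newest"
    "append_strict": True,
    "alert_data_lookback_days": 7,
    "ttl_minutes": 60 * 24,           # one day
    "ttl_target": "resolved",
}

# Fixed "current time" so the lookback and TTL arithmetic is reproducible.
NOW = datetime(2024, 5, 4, 0, 0)


def keys_match(alert, event, append_keys, strict):
    """Strict: every append key must be present in the alert and equal in the event.
    Non-strict (assumption, not defined on the page): at least one key matches."""
    hits = [
        alert.get(k) is not None and alert.get(k) == event["fields"].get(k)
        for k in append_keys
    ]
    return all(hits) if strict else any(hits)


def find_append_target(alert, now, template, events=EXISTING_EVENTS):
    """Return the id of the event this alert would append to, or None for a new event."""
    if not template["append_alert"]:
        return None
    cutoff = now - timedelta(days=template["alert_data_lookback_days"])
    candidates = [
        e for e in events
        if e["status"] not in CLOSED_STATUSES          # only open events
        and e["created"] >= cutoff                     # within the lookback window
        and keys_match(alert, e, template["append_keys"], template["append_strict"])
    ]
    if not candidates:
        return None
    pick = min if template["append_mode"] == "oldest" else max
    return pick(candidates, key=lambda e: e["created"])["id"]


def status_after_ttl(event, now, template):
    """Assumption: TTL counts from creation; on expiry the event moves to TTL Target."""
    ttl = template.get("ttl_minutes")
    if ttl and now - event["created"] >= timedelta(minutes=ttl):
        return template["ttl_target"]
    return event["status"]


if __name__ == "__main__":
    alert = {"src_ip": "10.0.0.5", "user": "alice"}
    print(find_append_target(alert, NOW, TEMPLATE))
```

With the sample data, a strict match on src_ip and user only ever reaches E1: E3 is resolved and E4 falls outside the seven-day lookback, so widening the lookback to 60 days is what makes the older E4 the "oldest" target. Relaxing Append Strict lets E2 (same src_ip, different user) compete, and Append Mode then decides between E1 and E2.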

Updating and Deleting a Template

To update a template, revise its details and click Save Template. To delete, click Delete Template next to the save button in the upper-right corner of the template section.

danger

Deleting a template does not update saved searches that rely on it. Update your saved searches beforehand to avoid disruptions.

Observables Settings

Observables can be configured within a template to match alert fields to existing observables in AME, enhancing event details with asset or identity context. This is particularly useful for adjusting event urgency, criticality, or risk based on matched observables. Use the "Observable Matching" section in the template configuration to define how alert fields map to observables.

note

An AME subscription is required to use the risk scoring feature.

Configuration Steps:

  • In the "Observable Matching" section, specify the following:
    • Type: Select the type of observable to match, such as Asset or Identity, depending on the data in your alerts (e.g., Asset for device-related data like IP addresses).
    • Alert Field Name: Enter the field from your Splunk alert that should be used for matching (e.g., ip, hostname, or fqdn).
    • Observable Field: Specify the corresponding field in the Observables collection to match against (e.g., ip for asset observables).
    • Risk Change: Define a numerical value (e.g., 100) to adjust the event’s risk score if a match is found. This value can increase or decrease the risk based on the observable’s criticality or context.

Example:

  • If your alert includes a src_ip field, configure the Observable Matching as:
    • Type: Asset
    • Alert Field Name: src_ip
    • Observable Field: ip
    • Risk Change: 100
  • If a match is found, AME will update the event’s urgency or risk based on the highest criticality of the matched observables. If multiple observables match, only the highest urgency or risk change will be applied.

Notes:

  • A single observable match on multiple alert fields is counted only once, and the highest urgency or risk change will be used.
  • Ensure the fields in your Splunk alerts align with those in your Observables collection (e.g., ip, hostname, fqdn) for accurate matching.
  • This feature requires Observables to be properly configured and populated in AME (see Observables for setup details).
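The matching rules described in the example and notes above (one rule per alert field, an observable matched through several alert fields counted once, only the highest risk change applied, and a risk change that may also be negative) are summarised in the following Python. It is an added illustration written for this page, not AME's own matching code; the observables, the rules and the criticality ordering are constructed sample data, and the dict key names are this example's own shorthand for the four fields of the Observable Matching section.

```python
# Constructed sample observables (asset and identity records), not real AME data.
OBSERVABLES = [
    {"id": "A1", "type": "asset", "criticality": "high",
     "fields": {"ip": "10.0.0.5", "hostname": "db01", "fqdn": "db01.corp.example"}},
    {"id": "A2", "type": "asset", "criticality": "low",
     "fields": {"ip": "10.0.0.9", "hostname": "ws17", "fqdn": "ws17.corp.example"}},
    {"id": "I1", "type": "identity", "criticality": "medium",
     "fields": {"user": "alice"}},
]

# Observable Matching rules as they would be entered in the template, one per
# alert field. A negative Risk Change lowers the score on a match.
RULES = [
    {"type": "asset", "alert_field": "src_ip", "observable_field": "ip", "risk_change": 100},
    {"type": "asset", "alert_field": "dest_ip", "observable_field": "ip", "risk_change": 40},
    {"type": "asset", "alert_field": "host", "observable_field": "hostname", "risk_change": 60},
    {"type": "identity", "alert_field": "user", "observable_field": "user", "risk_change": -20},
]

# Assumed ordering of observable criticality levels.
CRITICALITY_RANK = {"low": 1, "medium": 2, "high": 3}


def match_observables(alert, rules, observables=OBSERVABLES):
    """Map each matched observable id to the single risk change it contributes.
    An observable hit through several alert fields is counted once, keeping the
    highest risk change among the rules that matched it."""
    best = {}
    for rule in rules:
        value = alert.get(rule["alert_field"])
        if value in (None, ""):          # alert does not carry this field
            continue
        for obs in observables:
            if obs["type"] != rule["type"]:
                continue
            if obs["fields"].get(rule["observable_field"]) == value:
                prev = best.get(obs["id"])
                best[obs["id"]] = (rule["risk_change"] if prev is None
                                   else max(prev, rule["risk_change"]))
    return best


def event_risk_change(alert, rules, observables=OBSERVABLES):
    """Only the highest risk change across all matched observables is applied."""
    matches = match_observables(alert, rules, observables)
    return max(matches.values()) if matches else 0


def highest_criticality(alert, rules, observables=OBSERVABLES):
    """Highest criticality among the matched observables, or None without a match."""
    matched = match_observables(alert, rules, observables)
    levels = [o["criticality"] for o in observables if o["id"] in matched]
    return max(levels, key=CRITICALITY_RANK.get) if levels else None


if __name__ == "__main__":
    alert = {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.5", "host": "db01", "user": "alice"}
    print(match_observables(alert, RULES), event_risk_change(alert, RULES))
```

In the first sample alert, asset A1 is reached through src_ip, dest_ip and host, yet it contributes a single risk change of 100 (the highest of 100, 40 and 60) rather than 200, and the identity match on alice (-20) does not pull the result down because only the highest change across all matches is applied.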