Version: 3.2.0

Event Automation

This chapter explains how the AME Event automation works for Rules and Notifications.

The following image shows how AME turns Splunk alerts into events. Events can trigger rules and notifications.

Automation Flow

An Alert gets triggered and creates or updates an Event
The event triggers the rule engine. If a rule is found and all conditions are fulfilled the event gets updated
(Optional) If a keyword is defined, the keyword is also written into the Notification Queue.
The event is updated, and a copy of the event data is written into the Notification Queue.
The Notification Engine tracks the notification queue
If a matching flow is found, the Notification Queue is updated with information about targets (channels) to be notified
A worker process is sending Notifications to the specified targets.

Besides event data fields, the Rule Engine has following event metadata available to use for conditions:

Field Name	Description	Type	Example
`ame.assignee`	The current assignee of the an event	String	`admin`
`ame.count`	The duplicate count	Integer	`1`
`ame.event_title`	The event title	String	`Alert for host xyz`
`ame.event_ttl`	The event TTL	Integer	`600`
`ame.first_seen`	The first seen timestamp	Integer	`1711401172`
`ame.impact`	Event impact	String	`low`
`ame.most_recent`	The most recent timestamp	Integer	`1711401172`
`ame.notifications`	The notification UID	String	`63d76e6be87c1840f142114`
`ame.notable_fields`	The notable fields	Stringlist	`src_ip,dest_ip,count`
`ame.priority`	Event priority value	Integer	`1`
`ame.priority_name`	The priority name	String	`low`
`ame.resolution`	The resolution UID	String	`63d76e6be87c1840f142114`
`ame.resolution_name`	The resolution	String	`True positive`
`ame.search_name`	The name of the saved search	String	`myalert`
`ame.status`	The status UID of the event	String	`63d76e6be87c1840f142114`
`ame.status_name`	The status name	String	`in_progress`
`ame.tenant_uid`	The name of the tenant	String	`default`
`ame.template`	The template UID	String	`63d76e6be87c1840f142114`
`ame.template_name`	The template name	String	`default`
`ame.ttl_target`	The next status for the event	String	`resolved`
`ame.urgency`	Event urgency	String	`low`

Besides event data fields, the Notification Engine has the following event metadata available to use for conditions:

Field Name	Description	Type	Example
`ame.assignee`	The current assignee of the an event	String	`admin`
`ame.count`	The duplicate count	Integer	`1`
`ame.event_title`	The event title	String	`Alert for host xyz`
`ame.event_ttl`	The event TTL	Integer	`600`
`ame.first_seen`	The first seen timestamp	Integer	`1711401172`
`ame.impact`	Event impact	String	`low`
`ame.most_recent`	The most recent timestamp	Integer	`1711401172`
`ame.notifications`	The notification UID	String	`63d76e6be87c1840f142114`
`ame.notable_fields`	The notable fields	Stringlist	`src_ip,dest_ip,count`
`ame.priority`	Event priority value	Integer	`1`
`ame.priority_name`	The priority name	String	`low`
`ame.resolution`	The resolution UID	String	`63d76e6be87c1840f142114`
`ame.resolution_name`	The resolution	String	`True positive`
`ame.search_name`	The name of the saved search	String	`myalert`
`ame.status`	The status UID of the event	String	`63d76e6be87c1840f142114`
`ame.status_name`	The status name	String	`in_progress`
`ame.tenant_uid`	The name of the tenant	String	`default`
`ame.template`	The template UID	String	`63d76e6be87c1840f142114`
`ame.template_name`	The template name	String	`default`
`ame.ttl_target`	The next status for the event	String	`resolved`
`ame.urgency`	Event urgency	String	`low`

Additionally, trigger condition fields are available:

Field Name	Description	Type	Example
`changed`	The field that has changed	Stringlist	`ame.status_name,ame.assignee`
`values`	The value of the field that has changed	Stringlist	`new,admin`
`keyword`	A keyword that is passed from a rule	Stringlist	`mykeyword`