Rules
AME Rules provide a way to apply attribute updates during the creation of an event or when appending a new alert to an event.
To understand when and how the AME Rule Engine applies rules, see Event Automation for more details.
See Role Overview for capabilities required to manage rules.
Some features require an active subscription. See Features for details.
Managing Rules
The following image shows the rules UI:
A tenant is offered as an option when creating a rule only if the user is in that tenant's user list.
The search field can be used to filter by rule name.
Use the following buttons to manage rules:
Button | Function |
---|---|
Add Rule | |
Clone Rule | |
Save Rule | |
Delete Rule | |
Add Condition / Updates / Keyword / Rule Notification Trigger | |
Delete Condition / Updates / Keyword / Rule Notification Trigger | |
Change Condition Boolean | |
Add Nested Condition | |
Set up a rule
To create a rule that will apply to all events managed by Alert Manager Enterprise:
- Click the Add Rule button at the top of the list. A modal window will open.
- Give the rule a unique name.
- Select a time range in which the rule should affect the events.
- Adjust the Scheduled Rule (subscription required).
- Add a Condition by using the Add Condition button.
- Add Rule Notification Triggers by using the Add Rule Notification Trigger button (subscription required).
How to create an Event Rule Condition
For a rule to be triggered by an event, at least one condition has to be defined.
- Enable the Event Rule with the slider.
- Click the Add Condition button under event rules.
- A row consisting of a field, a condition, and a value is added. The field input accepts any field present in the event as well as metadata about the event. See AME Event Automation for the complete field list.
The condition dropdown has the following comparators:
Comparator | Type | Example | Notes |
---|---|---|---|
equals | String | success, fail* | Supports wildcards |
not equal | String | success | Supports wildcards |
less than | Integer | 4 | |
greater than or equal | Integer | 5 | |
less than or equal | Integer | 3 | |
CIDR matching | IP Address in CIDR Notation | 10.10.10.0/24 | |
in | Stringlist | apple banana cherry | |
contains | String | apple | The comparison field must be a list |
The free version of AME only supports one condition for event rules.
How to create an Update Rule Condition
This feature requires an AME subscription.
For a rule to be triggered by an update of an AME Field, at least one condition has to be defined.
- Enable the Update Rule with the slider.
- Click the Add Condition button under update rules.
- A row consisting of a field, a condition, and a value is added. The field input accepts any field present in the event as well as metadata about the event. See AME Event Automation for the complete field list.
The condition dropdown has the following comparators:
Comparator | Type | Example | Notes |
---|---|---|---|
equals | String | success, fail* | Supports wildcards |
not equal | String | success | Supports wildcards |
less than | Integer | 4 | |
greater than or equal | Integer | 5 | |
less than or equal | Integer | 3 | |
CIDR matching | IP Address in CIDR Notation | 10.10.10.0/24 | |
in | Stringlist | apple banana cherry | |
contains | String | apple | The comparison field must be a list |
Advanced Rule Conditions
This feature requires an AME subscription.
Using boolean operators it is possible to create more complex rules. Let's assume we have two searches: one looks for root logins on Unix systems, the other for Administrator logins on Windows hosts. We only want the rule to apply when the affected hosts lie in a specific network for each search.
In pseudo-code, this would look like this:

```
(ame.savedsearch_name == 'bruteforce_unix_root' AND dest_ip="10.10.10.0/24")
OR
(ame.savedsearch_name == 'bruteforce_windows_administrator' AND dest_ip="10.10.11.0/24")
```
Using the Add Nested Condition button and adding conditions with the Add Condition button, the result would look like this:
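As an added illustration (not AME's own code), the following Python sketch evaluates a nested condition tree like the one above against constructed sample events. The comparator semantics (wildcards via fnmatch, a whitespace-separated list for `in`, a multivalue field for `contains`) and the tree structure are assumptions; only the field names and values come from the pseudo-code.

```python
import fnmatch
import ipaddress

def compare(field_value, comparator, value):
    """Apply one comparator from the condition dropdown (semantics assumed)."""
    if comparator in ("equals", "not equal"):   # wildcard-aware string match
        matched = fnmatch.fnmatchcase(str(field_value), value)
        return matched if comparator == "equals" else not matched
    if comparator == "less than":
        return float(field_value) < float(value)
    if comparator == "greater than or equal":
        return float(field_value) >= float(value)
    if comparator == "less than or equal":
        return float(field_value) <= float(value)
    if comparator == "CIDR matching":           # is the address inside the network?
        return ipaddress.ip_address(field_value) in ipaddress.ip_network(value)
    if comparator == "in":                      # value is a whitespace-separated list
        return str(field_value) in value.split()
    if comparator == "contains":                # the event field itself must be a list
        if not isinstance(field_value, list):
            raise TypeError("'contains' requires a multivalue (list) field")
        return value in field_value
    raise ValueError(f"unknown comparator {comparator!r}")

def evaluate(node, event):
    """node: (field, comparator, value) or {'op': 'AND'|'OR', 'conditions': [...]}."""
    if isinstance(node, tuple):
        field, comparator, value = node
        return field in event and compare(event[field], comparator, value)  # missing field: no match
    results = [evaluate(child, event) for child in node["conditions"]]
    return all(results) if node["op"] == "AND" else any(results)

# The nested rule from the pseudo-code above, as a condition tree.
RULE = {"op": "OR", "conditions": [
    {"op": "AND", "conditions": [
        ("ame.savedsearch_name", "equals", "bruteforce_unix_root"),
        ("dest_ip", "CIDR matching", "10.10.10.0/24")]},
    {"op": "AND", "conditions": [
        ("ame.savedsearch_name", "equals", "bruteforce_windows_administrator"),
        ("dest_ip", "CIDR matching", "10.10.11.0/24")]}]}

# Constructed sample events (not real alert data); the second is in the wrong network.
EVENTS = [
    {"ame.savedsearch_name": "bruteforce_unix_root", "dest_ip": "10.10.10.42"},
    {"ame.savedsearch_name": "bruteforce_unix_root", "dest_ip": "10.10.11.42"},
    {"ame.savedsearch_name": "bruteforce_windows_administrator", "dest_ip": "10.10.11.7"},
]

def matching_hosts(rule=RULE, events=EVENTS):  # dest_ip of every event the rule applies to
    return [ev["dest_ip"] for ev in events if evaluate(rule, ev)]
```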
Examples
Create a rule that changes the status
Create a rule that changes the urgency
Updates
When a rule gets triggered, one or more attributes of an event can be updated.
A subscription is required to update more than one attribute at a time.
Attribute | Notes |
---|---|
Status | The selected status must be a valid next status |
Urgency | |
Impact | |
Notifications | |
Resolution | |
Event TTL | |
TTL Target | |
Tags | Selected tags will be added to existing tags |
All updates will be ignored if an attribute update is invalid. A Splunk message will be displayed, and an event will be logged.
Rule Notification Triggers
Rule Notification Triggers are used for triggering notifications when a rule has been triggered.
A Rule Notification Trigger consists of one or more Keywords, which can be used as a filter in a Notification Scheme, and a message. The message text can be used in a notification.
See more about notifications here
A subscription is required to use Rule Notification Triggers.
Cron Syntax
The cron syntax is used to match events on an interval basis and follows standard cron format without the command to execute.
The cron string is matched against the alert time, and the expression evaluates to either true or false.

```
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of the month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
# │ │ │ │ │
# │ │ │ │ │
# * * * * *
```
Examples
```
# Match on weekends:
* * * * 0,6
# Match on Mondays between 01 and 05:
* 1-5 * * 1
# Match on Tuesdays and Wednesdays between 12-13 and 19-20:
0-59 12,19 * * 2,3
```
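To show how a cron string is matched against an alert timestamp, here is an added Python matcher (not part of AME) that supports `*`, ranges and lists and checks the examples above against constructed timestamps. The field order and Sunday = 0 follow the diagram above; everything else is an assumption.

```python
from datetime import datetime

# Field order and ranges from the diagram above; weekday 0 is Sunday.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 6))

def _expand(spec, low, high):
    """Expand one cron field ('*', '1-5', '0,6', '1-5,7') into a set of ints."""
    if spec == "*":
        return set(range(low, high + 1))
    values = set()
    for part in spec.split(","):
        start, _, end = part.partition("-")
        start, end = int(start), int(end or start)
        if not low <= start <= end <= high:
            raise ValueError(f"{part!r} out of range {low}-{high}")
        values.update(range(start, end + 1))
    return values

def parse_cron(expression):
    """Return the five value sets of a cron string that has no command part."""
    parts = expression.split()
    if len(parts) != 5:
        raise ValueError("cron string needs exactly five fields")
    return [_expand(p, lo, hi) for p, (_, lo, hi) in zip(parts, FIELDS)]

def cron_matches(expression, alert_time):
    """True when the alert timestamp falls inside the cron expression."""
    minute, hour, day, month, weekday = parse_cron(expression)
    return (alert_time.minute in minute and alert_time.hour in hour
            and alert_time.day in day and alert_time.month in month
            and alert_time.isoweekday() % 7 in weekday)   # maps Sunday to 0

# The page's examples; Wednesday is 3 when Sunday is 0.
WEEKENDS = "* * * * 0,6"
MONDAY_EARLY = "* 1-5 * * 1"
TUE_WED_WINDOWS = "0-59 12,19 * * 2,3"

def check_examples():
    """Evaluate the examples against constructed alert timestamps (Jan 2024)."""
    cases = [(WEEKENDS, datetime(2024, 1, 6, 10, 0)),           # Saturday
             (MONDAY_EARLY, datetime(2024, 1, 8, 3, 30)),       # Monday 03:30
             (TUE_WED_WINDOWS, datetime(2024, 1, 10, 19, 45)),  # Wednesday 19:45
             (TUE_WED_WINDOWS, datetime(2024, 1, 11, 19, 45))]  # Thursday: no match
    return [cron_matches(expr, when) for expr, when in cases]

if __name__ == "__main__":
    print(check_examples())   # [True, True, True, False]
```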
Update, clone, and delete rules and configuration items
Revise the information and press the Save button to update a rule or configuration item. Where available, use the Clone button.
To delete a rule or items, press the Delete button.