Version: 3.3.0

What Can You Do with AME?

With Alert Manager Enterprise (AME) you can manage alerts end to end: install the app, create and tag events, automate status changes and resolutions, notify users across channels, trigger workflow actions, enforce SLAs, and report on outcomes, all within the default tenant.

Prerequisites

  • AME installed with Splunk Admin or ame.admin role (see Quick Start).

What You Can Do

  1. Install AME: Get AME running on Splunk to manage events (see Quick Start).
  2. Define Event Templates: Preset details like medium urgency (see Templates).
  3. Tag Events: Apply a PCI tag when subnet 192.168.1.0/24 matches (see Tags).
  4. Enrich with Asset Information: Automatically add asset information to the event (see Observables).
  5. Increase the Risk Score: Raise the risk score of the affected asset (see Risk Scoring).
  6. Automate Status Changes: Set events to Assigned upon user assignment (see Rules).
  7. Set Resolutions: Auto-resolve events based on conditions (see Resolutions).
  8. Customize Event Summary: Tailor fields and layouts in the summary view (see Event Summary Configuration).
  9. Send Notifications: Alert assignees via email, Slack, or Teams on assignment (see Notifications).
  10. Invoke Workflow Actions: Run a Splunk webhook from Notable Fields (see Working with Events).
  11. Enforce SLAs: Track a 60-minute response SLA that ends when the event reaches Assigned (see SLAs).
  12. Generate Reports: Review SLA compliance and trends (see Reports).
  13. Test the Flow: Create an event, assign a user, and watch AME tag, update, notify via Slack/Teams, trigger a webhook, enforce SLAs, and report (see Working with Events).

Optional: Scale with Tenants

  • Add a Sec tenant and an Ops tenant to isolate events across teams (see Tenants).

Explore More