Advanced Event Creation
This chapter explains how users can override template values for more dynamic event creation.
For more information about the precedence of the overrides see below.
Overriding Template Values
Overrides Using Field Values
AME allows overriding template values with field values from search results.
Utilize the underscore (_) naming convention to conceal the AME fields within the results.
The following fields are available:
| Field Name | Description | Allowed Values | Examples |
|---|---|---|---|
ame.append_alert _ame.append_alert | Flag to enable append alert | Boolean: 1, true, 0, false | eval ame.append.alert=1 |
ame.append_fields _ame.append_fields | Fields used to aggregate alerts | Comma separated list of strings or multi-value string format, strings with whitespaces enclosed in signle or escaped double double-quotes | eval ame.append_fields="field1,field2,\"field3 with whitespace\"" eval ame.append_fields="field1,field2,'field3 with whitespace'" |
ame.append_mode _ame.append_fields | Mode how to append alerts | oldest, most_recent, all, create_new | eval ame.append_mode="most_recent" |
ame.append_strict _ame.append_strict | Flag to enable appending alerts in strict mode | Boolean: 1, true, 0, false | eval ame.append.strict=1 |
ame.default_assignee _ame.default_assignee | The default assignee for an event. The assignee has to be a valid AME user | String | eval ame.default_assignee="ame_user1" |
ame.impact _ame.impact | Event impact | low, medium, high | eval ame.impact="high" |
ame.notable_fields _ame.notable_fields | Notable Fields | Comma separated list of strings or multi-value string format, strings with whitespaces enclosed in signle or escaped double double-quotes | eval ame.notable_fields="field1,field2,\"field3 with whitespace\"" eval ame.notable_fields="field1,field2,'field3 with whitespace'" |
ame.notifications _ame.notifications | Notification Scheme | String | eval.ame.notifications="default" |
ame.resolution _ame.resolution | The resolution | String | eval.ame.resolution="False positive" |
ame.status _ame.status | Event status | new, assigned, resolved, closed, in_progress , suppressed existing custom value | eval ame.status="closed" |
ame.tags _ame.tags | Event Tags | Comma separated list of strings or multi-value string | eval ame.tags="tag1,tag2,tag3" |
ame.tenant_uid _ame.tenant_uid | The UID of the tenant | String | eval tenant_uid="default" |
ame.title _ame.title | The event title | String | eval ame.title="Alert for host $host$" |
ame.ttl _ame.ttl | The time-to-live for an event | int | eval ame.ttl=86400 |
ame.ttl_target _ame.ttl_target | The target status for a an event that has reached the ttl | String | eval ame.ttl_target="auto_resolved" |
ame.urgency _ame.urgency | Event urgency | low, medium, high | eval ame.urgency="low" |
Example:
<basesearch> | eval ame.tags="tag1,tag2,tag3", _ame.urgency="medium"
All overrides will only be used once when the event is created. If an alert is appended, the overrides will be ignored to protect the user interactions with the event.
ame.time_to_auto_resolve has been replaced with ame.ttl and ame.ttl_target
In AME 3.0 and higher a user can now set the target state.
Overrides Using savedsearches.conf Attributes
AME allows overriding template values with savedsearches.conf attributes.
The following AME-specific attributes are supported:
| Attribute Name | Description | Allowed Values | Examples |
|---|---|---|---|
action.create_alert.param.append_alert | Flag to enable append alert | Boolean | 1, true, 0, false |
action.create_alert.param.append_fields | Fields used to aggregate alerts | Comma separated list of strings, strings with whitespaces enclosed in double-quotes | ame.template_name,src_ip |
action.create_alert.param.append_mode | Mode how to append alerts | oldest, most_recent, all, create_new | most_recent |
action.create_alert.param.append_strict | Flag to enable appending alerts in strict mode | Boolean | 1, true, 0, false |
action.create_alert.param.default_assignee | The default assignee for an event. The assignee has to be a valid AME user | String | ame_user1 |
action.create_alert.param.impact | Event impact | low, medium, high | low |
action.create_alert.param.notable_fields | Notable Fields | Comma separated list of strings, strings with whitespaces enclosed in double-quotes | field, "field with whitespace" field1,field2,"field3 with whitespace" |
action.create_alert.param.status | Event status | new, assigned, resolved, closed, in_progress , suppressed or existing custom value | closed |
action.create_alert.param.tags | Event Tags | Comma separated list of strings | tag1,tag2,tag3 |
action.create_alert.param.template | The reference id for the template or the template name | String | 63d76e6be87c1840f1421144 soc |
action.create_alert.param.title | The event title | String | Alert for host $host$ |
action.create_alert.param.urgency | Event urgency | low, medium, high | high |
action.create_alert.param.notifications | Notification Scheme | String | default |
action.create_alert.param.tenant_uid | The UID of the tenant | String | default |
action.create_alert.param.time_to_auto_resolve | The time to live -resolve an event | int | 86400 |
action.create_alert.param.ttl | The time-to-live for an event | int | 86400 |
action.create_alert.param.ttl_target | The target status for a an event that has reached the ttl | int | 86400 |
When using the Attribute action.create_alert.param.template with a template
name, then action.create_alert.param.tenant_uid must be used for
identification of the template, as the same template name can be used in multiple tenants.
action.create_alert.param.time_to_auto_resolve has been replaced
with action.create_alert.param.ttl and action.create_alert.param.ttl_target
in AME 2.1 a user can now set the target state.
Enterprise Security Content Update (ESCU) App Compatible Attributes:
action.correlationsearch.annotationsaction.escu.mappings
The value for the attribute has to be in JSON Format and currently supports following overwrites:
cis20cvenistkill_chain_phasesmitre_attack
Example:
action.correlationsearch.annotations = {"cis20": ["CIS 3", "CIS 5", "CIS 16"], "cve": ["CVE-2022-22965"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1190"], "nist": ["DE.CM"], }
Overrides Precedence
During event creation, multiple overrides can be set, however, there is precedence if multiple overrides apply:
Precedence (highest first):
- Field Value Override
- Savedsearch.conf Override
- Template Override
Exceptions to these rules are tags and notable_fields, which are merged.
Custom Tags can only use lowercase letters.