Advanced Event Creation
This section explains how to override template values in Alert Manager Enterprise (AME) for dynamic event creation.
For details on override precedence, see Overrides Precedence below.
Overriding Template Values
Using Field Value Overrides
AME allows overriding template values with fields from search results.
Use the underscore (_) prefix (e.g., _ame.field) to hide AME fields in search results.
Available fields:
Field Name | Description | Allowed Values | Examples |
---|---|---|---|
ame.append_alert, _ame.append_alert | Flag to enable append alert | Boolean: 1, true, 0, false | eval ame.append_alert=1 |
ame.append_fields, _ame.append_fields | Fields used to aggregate alerts | Comma separated list of strings or multi-value string format; strings with whitespace enclosed in single or escaped double quotes | eval ame.append_fields="field1,field2,\"field3 with whitespace\"" or eval ame.append_fields="field1,field2,'field3 with whitespace'" |
ame.append_mode, _ame.append_mode | Mode how to append alerts | oldest, most_recent, all, create_new | eval ame.append_mode="most_recent" |
ame.append_strict, _ame.append_strict | Flag to enable appending alerts in strict mode | Boolean: 1, true, 0, false | eval ame.append_strict=1 |
ame.default_assignee, _ame.default_assignee | The default assignee for an event. The assignee has to be a valid AME user | String | eval ame.default_assignee="ame_user1" |
ame.impact, _ame.impact | Event impact | low, medium, high | eval ame.impact="high" |
ame.notable_fields, _ame.notable_fields | Notable fields | Comma separated list of strings or multi-value string format; strings with whitespace enclosed in single or escaped double quotes | eval ame.notable_fields="field1,field2,\"field3 with whitespace\"" or eval ame.notable_fields="field1,field2,'field3 with whitespace'" |
ame.notifications, _ame.notifications | Notification scheme | String | eval ame.notifications="default" |
ame.resolution, _ame.resolution | The resolution | String | eval ame.resolution="False positive" |
ame.status, _ame.status | Event status | new, assigned, resolved, closed, in_progress, suppressed, or an existing custom value | eval ame.status="closed" |
ame.tags, _ame.tags | Event tags | Comma separated list of strings or multi-value string | eval ame.tags="tag1,tag2,tag3" |
ame.tenant_uid, _ame.tenant_uid | The UID of the tenant | String | eval ame.tenant_uid="default" |
ame.title, _ame.title | The event title | String | eval ame.title="Alert for host $host$" |
ame.ttl, _ame.ttl | The time-to-live for an event | int | eval ame.ttl=86400 |
ame.ttl_target, _ame.ttl_target | The target status for an event that has reached the ttl | String | eval ame.ttl_target="auto_resolved" |
ame.urgency, _ame.urgency | Event urgency | low, medium, high | eval ame.urgency="low" |
Example:
<basesearch> | eval ame.tags="tag1,tag2,tag3", _ame.urgency="medium"
Overrides apply only during initial event creation and are ignored during alert appending to preserve user interactions.
In AME 3.0+, ame.time_to_auto_resolve is replaced by ame.ttl and ame.ttl_target, allowing target state specification.
Using savedsearches.conf Attributes
AME supports overriding template values via savedsearches.conf attributes.
Supported AME-specific attributes:
Attribute Name | Description | Allowed Values | Examples |
---|---|---|---|
action.create_alert.param.append_alert | Flag to enable append alert | Boolean | 1, true, 0, false |
action.create_alert.param.append_fields | Fields used to aggregate alerts | Comma separated list of strings; strings with whitespace enclosed in double quotes | ame.template_name,src_ip |
action.create_alert.param.append_mode | Mode how to append alerts | oldest, most_recent, all, create_new | most_recent |
action.create_alert.param.append_strict | Flag to enable appending alerts in strict mode | Boolean | 1, true, 0, false |
action.create_alert.param.default_assignee | The default assignee for an event. The assignee has to be a valid AME user | String | ame_user1 |
action.create_alert.param.impact | Event impact | low, medium, high | low |
action.create_alert.param.notable_fields | Notable fields | Comma separated list of strings; strings with whitespace enclosed in double quotes | field1,field2,"field3 with whitespace" |
action.create_alert.param.status | Event status | new, assigned, resolved, closed, in_progress, suppressed, or an existing custom value | closed |
action.create_alert.param.tags | Event tags | Comma separated list of strings | tag1,tag2,tag3 |
action.create_alert.param.template | The reference id for the template or the template name | String | 63d76e6be87c1840f1421144 or soc |
action.create_alert.param.title | The event title | String | Alert for host $host$ |
action.create_alert.param.urgency | Event urgency | low, medium, high | high |
action.create_alert.param.notifications | Notification scheme | String | default |
action.create_alert.param.tenant_uid | The UID of the tenant | String | default |
action.create_alert.param.time_to_auto_resolve | The time until an event is auto-resolved | int | 86400 |
action.create_alert.param.ttl | The time-to-live for an event | int | 86400 |
action.create_alert.param.ttl_target | The target status for an event that has reached the ttl | String | auto_resolved |
When using action.create_alert.param.template with a template name, include action.create_alert.param.tenant_uid to identify the template, as names may duplicate across tenants.
In AME 2.1+, action.create_alert.param.time_to_auto_resolve is replaced by action.create_alert.param.ttl and action.create_alert.param.ttl_target, enabling target state selection.
Enterprise Security Content Update (ESCU) App Compatibility
AME supports these ESCU-compatible attributes in JSON format:
- action.correlationsearch.annotations
- action.escu.mappings
Supported overrides:
- cis20
- cve
- nist
- kill_chain_phases
- mitre_attack
Example:
action.correlationsearch.annotations = {"cis20": ["CIS 3", "CIS 5", "CIS 16"], "cve": ["CVE-2022-22965"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
Overrides Precedence
When multiple overrides are set during event creation, precedence is applied (highest first):
- Field Value Override
- savedsearches.conf Override
- Template Override
Exceptions: tags and notable_fields are merged across all override levels.
Custom tags must use lowercase letters only.
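The following added example (not AME's own code) parses the list format used by ame.append_fields, ame.notable_fields and ame.tags (comma separated, with quoted items for whitespace, or a multi-value field represented here as a Python list) and then resolves a field-value override, a set of savedsearches.conf parameters and a template's values in the documented precedence order, merging tags and notable_fields across levels and rejecting non-lowercase custom tags. The field and attribute names are the page's; the sample values in the test are constructed.

```python
import re
from typing import Dict, List

# One list item: single-quoted, double-quoted, or a bare token up to the next comma.
_ITEM = re.compile(r"""\s*(?:'([^']*)'|"([^"]*)"|([^,]+?))\s*(?:,|$)""")

def parse_ame_list(value) -> List[str]:
    """Split the AME list format (the field's runtime content, after SPL unescaping).
    A Python list stands in for a multi-value field and is passed through."""
    if isinstance(value, list):
        return [str(v).strip() for v in value]
    items, pos = [], 0
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if not m:                      # empty item (",,") or dangling whitespace
            pos += 1
            continue
        items.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return [i for i in items if i]

MERGED = {"tags", "notable_fields"}   # merged across all override levels (page exception)

def resolve_event(field_overrides: Dict, conf_params: Dict, template: Dict) -> Dict:
    """Precedence highest first: ame.*/_ame.* field override, then
    action.create_alert.param.*, then template values. Enforces lowercase custom tags."""
    conf_prefix = "action.create_alert.param."
    levels = [
        {k.lstrip("_")[4:]: v for k, v in field_overrides.items()
         if k.lstrip("_").startswith("ame.")},
        {k[len(conf_prefix):]: v for k, v in conf_params.items()
         if k.startswith(conf_prefix)},
        dict(template),
    ]
    event: Dict = {}
    for level in levels:
        for key, value in level.items():
            if key in MERGED:          # union, keeping higher-precedence order
                merged = event.setdefault(key, [])
                for item in parse_ame_list(value):
                    if item not in merged:
                        merged.append(item)
            else:
                event.setdefault(key, value)   # first (highest) level wins
    bad = [t for t in event.get("tags", []) if t != t.lower()]
    if bad:
        raise ValueError(f"custom tags must use lowercase letters only: {bad}")
    return event
```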