Contexts
Depending on the model and action associated with your events, certain contexts become available to the notification. These contexts can be used in Notification Templates; the sections below list, per context, the fields that are available.
Observables
{
"_key": "69009dabce7cb7827e08d9bb",
"tenant_uid": "soc",
"uid": "ED:C9:9F:E8:43:FD",
"type": "asset",
"first_seen": 1761648042.0,
"last_seen": 1761906472.0,
"observable_group": "69009784ce7cb7827e08a1f0",
"risk": 1920,
"total_risk": 1920,
"criticality": "high",
"fqdn": "server-1981.demo.com",
"name": "server-1981",
"hostname": "server-1981",
"ip": "179.180.210.219",
"mac": "ED:C9:9F:E8:43:FD",
"observable_priority": "high",
"department": "Sales",
"os": "Windows 11",
"platform_type": "ARM",
"criticality_parsed": 2,
"observable_group_definition": {
"name": "Sales",
"description": "Sales",
"scope": "asset"
}
}
| Field | Description |
|---|---|
_key | Unique Observable identifier |
ame_host | Hostname |
criticality | Criticality of the observable |
first_seen | Epoch timestamp of first entry |
last_seen | Epoch timestamp of last seen / update |
observable_group | Foreign key of Observable group |
risk | Current risk score of the observable (changes when risk events are marked as inactive; compare total_risk) |
total_risk | Total risk score of the observable; not changed by risk events being marked as inactive |
tenant_uid | Tenant identifier |
type | Observable Type: "asset" or "identity" |
uid | Unique value for the asset / identity (the MAC address in the example above) |
criticality_parsed | Numeric form of criticality (2 for "high" in the example above) |
observable_priority | Priority of the observable |
observable_group_definition | The observable group the observable belongs to: name, description and scope |
<data_field> | Field for your observable data: eg: ip, fqdn, etc |
Risk Events
{
"_key": "690dbd6d845d4628a91134b4",
"tenant_uid": "soc",
"observable_id": "69009dabce7cb7827e08d9bb",
"observable_type": "asset",
"matched_alert_field": "ip",
"matched_observable_field": "ip",
"matched_value": "179.180.210.219",
"related_event": "690dbd6d845d4628a91134b1",
"related_search": "High and Critical on priority Assets",
"comment": null,
"risk_change": 100,
"status": "active",
"occurrence": 1762508127,
"fixed": null,
"realization": {},
"realization_rule": "690481e1ce7cb7827e08e64a",
"observable": {},
"cve": {}
}
| Field | Description |
|---|---|
_key | Unique Risk Event identifier |
observable_id | Foreign key for the observable |
observable_type | Observable Type: "asset" OR "identity" |
matched_alert_field | Matched alert field identifier |
matched_observable_field | Matched observable field; eg: ip |
matched_value | Matched value |
related_event | Related AME event - if any |
related_search | Related search - if any |
comment | Comment related to the risk event |
risk_change | Amount of risk this event added to the observable |
status | Risk event status: "active" or "inactive" |
occurrence | Epoch timestamp of occurrence |
fixed | Epoch timestamp of when the risk event was marked as inactive (null while active) |
realization | Realization - if any |
realization_rule | Realization rule - if any |
observable | The observable this risk event belongs to (embedded) |
cve | CVE details - if any |
tenant_uid | Tenant identifier |
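The distinction between risk and total_risk above is easiest to see by recomputing both from a list of risk events. The following is an added example, not code from Alert Manager Enterprise: it assumes, from the field descriptions on this page, that risk sums risk_change over the observable's active risk events while total_risk keeps every event's contribution even after it is marked inactive. The identifiers and values in RISK_EVENTS are constructed for the example.

```python
"""Deriving an observable's `risk` and `total_risk` from its risk events.

Added example, not code from Alert Manager Enterprise. Assumption: `risk` is
the sum of `risk_change` over the observable's *active* risk events, while
`total_risk` keeps every event's contribution after it is marked inactive.
The events below are constructed; their keys are made up.
"""
from __future__ import annotations

import copy
import time
from typing import Iterable

VALID_STATUS = {"active", "inactive"}

# Constructed risk events, shaped like the Risk Events context above.
RISK_EVENTS = [
    {"_key": "re-1", "observable_id": "obs-1", "matched_observable_field": "ip",
     "matched_value": "179.180.210.219", "risk_change": 100,
     "status": "active", "occurrence": 1762508127, "fixed": None},
    {"_key": "re-2", "observable_id": "obs-1", "matched_observable_field": "hostname",
     "matched_value": "server-1981", "risk_change": 50,
     "status": "active", "occurrence": 1762511727, "fixed": None},
    {"_key": "re-3", "observable_id": "obs-2", "matched_observable_field": "ip",
     "matched_value": "10.0.0.5", "risk_change": 20,
     "status": "active", "occurrence": 1762515327, "fixed": None},
]


def risk_scores(observable_id: str, risk_events: Iterable[dict]) -> dict:
    """Return {"risk": ..., "total_risk": ...} for one observable.

    Malformed events (unknown status, non-integer risk_change) raise instead
    of being skipped, so a bad feed cannot quietly lower a score.
    """
    risk = total_risk = 0
    for ev in risk_events:
        if ev["observable_id"] != observable_id:
            continue
        if ev["status"] not in VALID_STATUS:
            raise ValueError(f"risk event {ev['_key']}: unknown status {ev['status']!r}")
        change = ev["risk_change"]
        if not isinstance(change, int) or isinstance(change, bool):
            raise TypeError(f"risk event {ev['_key']}: risk_change must be an int")
        total_risk += change          # every event counts towards total_risk
        if ev["status"] == "active":
            risk += change            # only active events count towards risk
    return {"risk": risk, "total_risk": total_risk}


def mark_inactive(risk_event: dict, fixed_at: int | None = None) -> dict:
    """Return a copy of the event marked inactive, with `fixed` set to an epoch time."""
    updated = copy.deepcopy(risk_event)
    updated["status"] = "inactive"
    updated["fixed"] = int(time.time()) if fixed_at is None else fixed_at
    return updated


def active_risk_events(observable_id: str, risk_events: Iterable[dict]) -> list[dict]:
    """Active events for one observable, newest first, as a template would list them."""
    mine = [ev for ev in risk_events
            if ev["observable_id"] == observable_id and ev["status"] == "active"]
    return sorted(mine, key=lambda ev: ev["occurrence"], reverse=True)


if __name__ == "__main__":
    before = risk_scores("obs-1", RISK_EVENTS)
    after_events = [mark_inactive(ev, fixed_at=1762600000) if ev["_key"] == "re-2" else ev
                    for ev in RISK_EVENTS]
    after = risk_scores("obs-1", after_events)
    print("before:", before)   # risk 150, total_risk 150
    print("after: ", after)    # risk 100, total_risk 150
```

Marking re-2 inactive drops risk from 150 to 100 while total_risk stays at 150, which is the behaviour the two table rows describe; mark_inactive also fills `fixed` with an epoch timestamp, matching the `fixed` field of the context.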
CVE
SLA
Realizations
All Contexts
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to instance/app |
Event Update Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame._index | Event index in the database |
ame._key | Unique event identifier |
ame.assignee | User assigned to the event |
ame.count | Event count |
ame.event_title | Event title |
ame.event_ttl | Event time-to-live |
ame.first_seen | First event timestamp |
ame.impact | Event impact |
ame.most_recent | Most recent event timestamp |
ame.notifications | Event notifications |
ame.notable_fields | Notable fields |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | Origin query app context (optional) |
ame.originQuery.description | Origin query description (optional) |
ame.originQuery.query_earliest | Origin query earliest time (optional) |
ame.originQuery.query_latest | Origin query latest time (optional) |
ame.originQuery.query_string | Origin query string (optional) |
ame.originQuery.query_view | Origin query view (optional) |
ame.priority | Event priority |
ame.priority_name | Priority name |
ame.resolution | Event resolution (optional) |
ame.resolution_name | Resolution name (optional) |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.search_name | Search name |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status | Event status |
ame.status_name | Status name |
ame.tags | Event tags |
ame.template | Event template (optional) |
ame.template_name | Template name (optional) |
ame.tenant_uid | Tenant identifier |
ame.ttl_target | TTL target |
ame.urgency | Event urgency |
ame_host | Hostname |
ame_link | Link to instance/app |
comment | Action comment (if applicable) |
link_to_event | Deep-link to event |
updates | List of updated fields |
Event Updates-Item
| Field | Description |
|---|---|
attribute | Updated field |
new_value | New value |
old_value | Previous value |
Event Assigned Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame._index | Event index in the database |
ame._key | Unique event identifier |
ame.assignee | User assigned to the event |
ame.count | Event count |
ame.event_title | Event title |
ame.event_ttl | Event time-to-live |
ame.first_seen | First event timestamp |
ame.impact | Event impact |
ame.most_recent | Most recent event timestamp |
ame.notifications | Event notifications |
ame.notable_fields | Notable fields |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | Origin query app context (optional) |
ame.originQuery.description | Origin query description (optional) |
ame.originQuery.query_earliest | Origin query earliest time (optional) |
ame.originQuery.query_latest | Origin query latest time (optional) |
ame.originQuery.query_string | Origin query string (optional) |
ame.originQuery.query_view | Origin query view (optional) |
ame.priority | Event priority |
ame.priority_name | Priority name |
ame.resolution | Event resolution (optional) |
ame.resolution_name | Resolution name (optional) |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.search_name | Search name |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status | Event status |
ame.status_name | Status name |
ame.tags | Event tags |
ame.template | Event template (optional) |
ame.template_name | Template name (optional) |
ame.tenant_uid | Tenant identifier |
ame.ttl_target | TTL target |
ame.urgency | Event urgency |
ame_host | Hostname |
ame_link | Link to instance/app |
assignee | New assigned user |
link_to_event | Deep-link to event |
Event Appended Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame._index | Event index in the database |
ame._key | Unique event identifier |
ame.assignee | Assigned user |
ame.count | Event count |
ame.event_title | Event title |
ame.event_ttl | Event time-to-live |
ame.first_seen | First event timestamp |
ame.impact | Event impact |
ame.most_recent | Most recent event timestamp |
ame.notifications | Event notifications |
ame.notable_fields | Notable fields |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | Origin query app context (optional) |
ame.originQuery.description | Origin query description (optional) |
ame.originQuery.query_earliest | Origin query earliest time (optional) |
ame.originQuery.query_latest | Origin query latest time (optional) |
ame.originQuery.query_string | Origin query string (optional) |
ame.originQuery.query_view | Origin query view (optional) |
ame.priority | Event priority |
ame.priority_name | Priority name |
ame.resolution | Event resolution (optional) |
ame.resolution_name | Resolution name (optional) |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.search_name | Search name |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status | Event status |
ame.status_name | Status name |
ame.tags | Event tags |
ame.template | Event template (optional) |
ame.template_name | Template name (optional) |
ame.tenant_uid | Tenant identifier |
ame.ttl_target | TTL target |
ame.urgency | Event urgency |
ame_host | Hostname |
ame_link | Link to instance/app |
count | New count |
link_to_event | Deep-link to event |
Event Commented Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
comments | List of new comments |
Event Comment-Item
| Field | Description |
|---|---|
text | Comment |
actor | User |
timestamp_formatted | Formatted timestamp of the comment |
Rule Matched Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
keyword | Defined keyword |
message | Defined message |
rule_name | Rule that was matched |
Event Deleted Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.priority_name | Name of the priority |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
Event Created Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
search_name | Name of the search that created the event |
fields | Alert fields (the search result that created the event) |
info
To access alert fields in a template, use the following syntax: {{ alert_data.<field_name> or 'n/a' }} (the or 'n/a' part substitutes a placeholder when the field is missing from the result).
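The template syntax above, and the `updates` list of the Event Update context (attribute, old_value, new_value), are worth seeing resolved against a real context. The following is an added example and not the app's own template engine: it assumes that `{{ path.to.field or 'default' }}` looks up a dotted path in the context and falls back to the quoted default when the value is missing or empty (with no default, a missing value renders as an empty string). Because notifications are often delivered as HTML and values such as ame.event_title, a hostname or a username come from log data an attacker can shape, render() HTML-escapes every substituted value by default. The context, template and updates list are constructed for the example.

```python
"""Resolving notification-template fields against an event context.

Added example, not the Alert Manager Enterprise template engine. Assumption:
`{{ dotted.path or 'default' }}` resolves the path in the context and falls
back to the default when the value is missing or empty; without a default a
missing value renders as ''. Every substituted value is HTML-escaped so that
attacker-shaped alert data cannot inject markup into the notification.
The context, template and updates below are constructed for the example.
"""
from __future__ import annotations

import html
import re
from typing import Any, Mapping

# {{ dotted.path }}  or  {{ dotted.path or 'default' }}
_FIELD_RE = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*(?:or\s+'([^']*)')?\s*\}\}")


def lookup(context: Mapping[str, Any], path: str) -> Any:
    """Walk a dotted path through nested mappings; None if any step is missing."""
    current: Any = context
    for part in path.split("."):
        if not isinstance(current, Mapping) or part not in current:
            return None
        current = current[part]
    return current


def render(template: str, context: Mapping[str, Any], escape: bool = True) -> str:
    """Substitute every {{ ... }} field; HTML-escape values unless escape=False."""
    def substitute(match: re.Match) -> str:
        value = lookup(context, match.group(1))
        default = match.group(2)
        if not value:                     # None, '', [] -> fall back, as `or` does
            value = default if default is not None else ""
        text = str(value)
        return html.escape(text, quote=True) if escape else text
    return _FIELD_RE.sub(substitute, template)


def format_updates(updates: list[dict]) -> str:
    """One escaped line per Event Update item: attribute: old -> new."""
    return "\n".join(
        "{}: {} -> {}".format(
            html.escape(str(item["attribute"])),
            html.escape(str(item.get("old_value", ""))),
            html.escape(str(item.get("new_value", ""))),
        )
        for item in updates
    )


# Constructed Event Created context; the ame.* keys follow the table above.
# The event title carries a script tag to stand in for attacker-shaped log data.
EVENT_CREATED_CONTEXT = {
    "actor": "splunk-system-user",
    "ame_host": "https://splunk.example.com:8000",
    "ame_link": "https://splunk.example.com:8000/app/alert_manager_enterprise",
    "link_to_event": "https://splunk.example.com:8000/app/alert_manager_enterprise/event?key=abc123",
    "search_name": "High and Critical on priority Assets",
    "ame": {
        "_key": "abc123",
        "event_title": "Brute force on server-1981 <script>alert(1)</script>",
        "priority_name": "high",
        "status_name": "new",
        "resolution_name": None,
        "originQuery": {"query_view": "search"},   # query_string deliberately absent
    },
    "alert_data": {"src_ip": "179.180.210.219", "user": "svc_backup"},
}

TEMPLATE = (
    "<p>{{ actor }} created <a href=\"{{ link_to_event }}\">{{ ame.event_title }}</a> "
    "(priority {{ ame.priority_name or 'n/a' }}, "
    "resolution {{ ame.resolution_name or 'n/a' }})</p>\n"
    "<p>Source IP: {{ alert_data.src_ip or 'n/a' }}, user: {{ alert_data.user or 'n/a' }}, "
    "host: {{ alert_data.host or 'n/a' }}</p>\n"
    "<p>Origin query: {{ ame.originQuery.query_string or 'n/a' }}</p>"
)

if __name__ == "__main__":
    print(render(TEMPLATE, EVENT_CREATED_CONTEXT))
    print(format_updates([{"attribute": "status", "old_value": "new",
                           "new_value": "in progress"}]))
```

Fields marked optional in the tables (resolution_name, the originQuery members, any alert field) are exactly the ones to guard with `or 'n/a'`; in the rendered output the script tag in the title appears as text, not markup. Pass escape=False only for plain-text channels where no markup is interpreted.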
Bulk Update Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
event_count | Number of events that were affected |
updates | List of events that were updated |
Bulk Updates-Item
| Field | Description |
|---|---|
attribute | Field that was updated |
new_value | New value |
Bulk Delete Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
event_count | Number of events that were affected |
Additional Single-Event Notification Contexts
| Field | Description |
|---|---|
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
comment | Comment on the action that caused the change (if applicable) |
SLA Fulfilled Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
keyword | Defined keyword |
message | Defined message |
sla_name | Name of the SLA |
sla_start_time | Start time of the SLA |
sla_window_end | Window end time of the SLA |
sla_fulfilled_time_end | Fulfilment time of the SLA |
SLA Violated Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
keyword | Defined keyword |
message | Defined message |
sla_name | Name of the SLA |
sla_start_time | Start time of the SLA |
sla_window_end | Window end time of the SLA |
sla_violation_time | Violation time of the SLA |
SLA Violation Imminent Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
ame._key | Unique identifier for the event |
ame._index | Index of the event in the database |
ame.event_title | Title of the event |
ame.tenant_uid | Tenant identifier |
ame.impact | Impact of the event |
ame.urgency | Urgency of the event |
ame.priority | Priority of the event |
ame.assignee | User assigned to the event |
ame.search_name | Search name of the event |
ame.count | Number of events |
ame.status | Status of the event |
ame.notifications | Notifications for the event |
ame.resolution | Resolution of the event (optional) |
ame.tags | Tags for the event |
ame.notable_fields | Notable fields for the event |
ame.first_seen | Timestamp of the first event |
ame.most_recent | Timestamp of the most recent event |
ame.event_ttl | Time-to-live for the event |
ame.ttl_target | Target for the time-to-live |
ame.template | Template for the event (optional) |
ame.observables | List of observables linked to event |
ame.observables_count | Count of observables linked to event |
ame.originQuery.app | The app context of the origin query (optional) |
ame.originQuery.description | The description of the origin query (optional) |
ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
ame.originQuery.query_latest | The latest time of the origin query (optional) |
ame.originQuery.query_string | The query string (optional) |
ame.originQuery.query_view | The view of the query (optional) |
ame.priority_name | Name of the priority |
ame.risk_events | List of risk events linked to event (optional) |
ame.risk_events_count | Count of risk events linked to event (optional) |
ame.sla_entries | List of SLA entries linked to event (optional) |
ame.sla_entries_count | Count of SLA entries linked to event (optional) |
ame.status_name | Name of the status |
ame.template_name | Name of the template (optional) |
ame.resolution_name | Name of the resolution (optional) |
link_to_event | Deep-Link to the event |
sla_name | Name of the SLA |
sla_start_time | Start time of the SLA |
sla_window_end | Window end time of the SLA |
sla_violation_in_real_time | Time until the SLA is violated, in real (wall-clock) time |
sla_violation_in_service_time | Time until the SLA is violated, in service time |
Example Context (Generic)
{
'observables_count': 1,
'observables': [
{
'_key': '6819b428d8018eaf8d03a639',
'tenant_uid': 'default',
'uid': 'A0:B9:23:82:0D:CC',
'type': 'asset',
'first_seen': 1746514983.0,
'last_seen': 1746687787.0,
'observable_group': None,
'data_info': {
'criticality': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'hostname': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'ip': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'mac': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'department': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'os': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'platform_type': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'1cpu': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
},
'2cpu': {
'confidence': 10,
'origin': 'Observable Generator 5000',
'origin_type': 'search',
'first_created': 1746514983,
'last_updated': 1746687787
}
},
'risk': 20,
'total_risk': 20,
'criticality': 'high',
'hostname': 'server-1',
'ip': '196.202.66.56',
'mac': 'A0:B9:23:82:0D:CC',
'department': 'Sales',
'os': 'Windows 11',
'platform_type': 'ARM',
'1cpu': 'Apple M1',
'2cpu': 'Apple M2',
'criticality_parsed': 2,
'deleted': 0,
'_user': 'nobody'
}
],
'risk_events_count': 1,
'risk_events': [
{
'_key': '681c62b3a68009b4070de7f9',
'tenant_uid': 'default',
'observable_id': '6819b428d8018eaf8d03a639',
'observable_type': 'asset',
'matched_alert_field': 'ip',
'matched_observable_field': 'ip',
'matched_value': '196.202.66.56',
'related_event': '681c62b2a68009b4070de7f3',
'related_search': 'unknown',
'comment': None,
'risk_change': 10,
'status': 'active',
'occurrence': 1746690725,
'fixed': None,
'observable': Observable(key='6819b428d8018eaf8d03a639',
tenant_uid='default',
uid='A0:B9:23:82:0D:CC',
type='asset',
first_seen=1746514983.0,
last_seen=1746687787.0,
observable_group=None,
data_info=ObservableDataInfo(criticality=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
hostname=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
ip=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
mac=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
department=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
os=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
platform_type=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
1cpu=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787),
2cpu=ObservableFieldInfo(confidence=10,
origin='Observable Generator 5000',
origin_type=search,
first_created=1746514983,
last_updated=1746687787)),
risk=20,
total_risk=20,
criticality='high',
hostname='server-1',
ip='196.202.66.56',
mac='A0:B9:23:82:0D:CC',
department='Sales',
os='Windows 11',
platform_type='ARM',
1cpu='Apple M1',
2cpu='Apple M2',
criticality_parsed=2,
deleted=0,
_user='nobody',
criticality_parsed=<Criticality.HIGH: 2>)
}
],
'sla_entries_count': 1,
'sla_entries': [
{
'_key': '681c62b3a68009b4070de7f5',
'tenant_uid': 'default',
'event_key': '681c62b2a68009b4070de7f3',
'sla': '681c5f268b34c824cd0eb7b0',
'start_time': 1746690737,
'window_open_until': 1746867137,
'violation_time': None,
'end_time': None,
'last_notification': None,
'warning_notifications_sent_for': [
],
'end_comment': None,
'start_comment': 'Started by condition',
'started_by': 'splunk-system-user',
'ended_by': None,
'event_title': ' ',
'sla_name': 'TEST',
'formatted_start_time': '2025-05-08 09:52:17',
'formatted_window_end': '2025-05-10 10:52:17',
'formatted_violation_time': None,
'formatted_fulfillment_time': None,
'formatted_last_notification': None,
'sla_definition': {
'_key': '681c5f268b34c824cd0eb7b0',
'tenant_uid': 'default',
'name': 'TEST',
'description': None,
'start_condition': {
'component_type': 'composite',
'composite_type': 'AND',
'conditions': [
{
'component_type': 'leaf',
'leaf_type': 'eq',
'field': 'ame.event_title',
'value': '**'
}
]
},
'stop_condition': {
'component_type': 'composite',
'composite_type': 'AND',
'conditions': [
{
'component_type': 'leaf',
'leaf_type': 'eq',
'field': 'ame.event_title',
'value': 'tototototot'
}
]
},
'threshold': 86400,
'notification_interval': 3600,
'warning_notifications_at': [
],
'update_actions_on_violation': [
],
'notify_actions_on_violation': [
],
'update_actions_on_fulfillment': [
],
'notify_actions_on_fulfillment': [
]
}
}
],
'ame': {
'_key': '681c62b2a68009b4070de7f3',
'_index': 'ame_default',
'event_title': 'foo bar',
'tenant_uid': 'default',
'impact': 'low',
'urgency': 'high',
'priority': 2,
'assignee': 'unassigned',
'search_name': 'unknown',
'originQuery': {
'query_string': '',
'query_earliest': None,
'query_latest': None,
'query_app': 'alert_manager_enterprise',
'query_view': 'search',
'description': 'search not found'
},
'count': 1,
'status': '6819ac2d80876952dc014f15',
'notifications': '6819ac2d80876952dc014f1f',
'tags': [
],
'notable_fields': [
],
'first_seen': 1746690725.6888084,
'most_recent': 1746690725.6888084,
'event_ttl': -1,
'ttl_target': None,
'template': '6819ac2d80876952dc014f20',
'resolution': None,
'most_recent_notable_fields': {
'_time': '1746690725',
'count': '3',
'ip': '196.202.66.56'
},
'risk': 10,
'ticketing_integration': '681c5f728b34c824cd0eb7b1',
'remote_ticket_id': None,
'remote_ticket_failed': None,
'priority_name': 'medium',
'template_name': 'default',
'notifications_name': 'default',
'status_name': 'new',
'status_type': 'new',
'resolution_name': None
}
}
Example Context (Search Based)
{
"data": [
{
"somefield": "row1",
"otherfield": "row1"
},
{
"somefield": "row2",
"otherfield": "row2"
}
],
"most_recent_data": {
"somefield": "row1",
"otherfield": "row1"
},
"title": "set by action",
"keyword": "set by action",
"message": "set by action",
"sid": 0123456789.001836,
"search_name": "foobar",
"search_time": 17654726746,
"search_link": "{self.ame_host}/app/{AppSettings.DEFAULT_APP_NAME}/search?sid={self.sid}"
}