Version: Next

Contexts

Depending on the model and action associated with your events, certain contexts for the event become available. These can be utilised in Notification Templates and details what fields are available by context.

Observables

    {
      "_key": "69009dabce7cb7827e08d9bb",
      "tenant_uid": "soc",
      "uid": "ED:C9:9F:E8:43:FD",
      "type": "asset",
      "first_seen": 1761648042.0,
      "last_seen": 1761906472.0,
      "observable_group": "69009784ce7cb7827e08a1f0",
      "risk": 1920,
      "total_risk": 1920,
      "criticality": "high",
      "fqdn": "server-1981.demo.com",
      "name": "server-1981",
      "hostname": "server-1981",
      "ip": "179.180.210.219",
      "mac": "ED:C9:9F:E8:43:FD",
      "observable_priority": "high",
      "department": "Sales",
      "os": "Windows 11",
      "platform_type": "ARM",
      "criticality_parsed": 2,
      "observable_group_definition": {}
    }

Field	Description
`_key`	Unique Observable identifier
`ame_host`	Hostname
`criticality`	Criticality of the observable
`first_seen`	Epoch timestamp of first entry
`last_seen`	Epoch timestamp of last seen / update
`observable_group`	Foreign key of Observable group
`observable_group_definition`	See Observable Groups Definition below.
`risk`	Risk score associated with the observable
`total_risk`	Total risk score associated with the observable, not changed by risk events being marked as inactive
`tenant_uid`	Tenant identifier
`type`	Observable Type: "asset" or "identiy"
`uid`	Unique value for the asset / identity
`<data_field>`	Field for your observable data: eg: ip, fqdn, etc

Observable Groups

     {
        "name": "Sales",
        "description": "Sales",
        "scope": "asset"
      }

Field	Description
`name`	Name of the observable group
`description`	Description of the observable group
`matches`	Match composite
`scope`	Scope of the observable group
`additional_fields`	Additional fields
`from_action`	Indicates if this group was created by a modular alert action
`from_action_last_seen`	The last time a modular alert action created / updated this group

Risk Events

    {
      "_key": "690dbd6d845d4628a91134b4",
      "tenant_uid": "soc",
      "observable_id": "69009dabce7cb7827e08d9bb",
      "observable_type": "asset",
      "matched_alert_field": "ip",
      "matched_observable_field": "ip",
      "matched_value": "179.180.210.219",
      "related_event": "690dbd6d845d4628a91134b1",
      "related_search": "High and Critical on priority Assets",
      "comment": null,
      "risk_change": 100,
      "status": "active",
      "occurrence": 1762508127,
      "fixed": null,
      "realization": {},
      "realization_rule": "690481e1ce7cb7827e08e64a",
      "observable": {},
      "cve": {}
    }

Field	Description
`_key`	Unique Risk Event identifier
`observable_id`	Foreign key for the observable
`observable_type`	Observable Type: "asset" OR "identity"
`matched_alert_field`	Matched alert field identifier
`matched_observable_field`	Matched observable field; eg: ip
`matched_value`	Matched value
`related_event`	Related AME event - if any
`related_search`	Related search - if any
`comment`	Comment related to the risk event
`risk_change`	Risk change
`status`	Risk Status
`occurrence`	Timestamp of occurrence
`fixed`	Timestamp of when the risk event was marked as inactive
`realization`	Realization - if any
`realization_rule`	Realization rule - if any

CVE

    {
      "_key": "69008b927c7f1492450d32e7",
      "cve": "CVE-2024-38150",
      "title": "Windows DWM Core Library Elevation of Privilege Vulnerability",
      "cna": "microsoft",
      "description": "Windows DWM Core Library Elevation of Privilege Vulnerability",
      "published": 1723572919,
      "updated": 1723659373,
      "cvss_version": "3.1",
      "cvss_score": 7.8,
      "cvss_severity": "HIGH",
      "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "cvss_source": "secure@microsoft.com",
      "cvss": [
        {
          "version": "3.1",
          "score": 7.8,
          "severity": "HIGH",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "source": "secure@microsoft.com"
        }
      ],
      "exploitable": false,
      "has_exploit_tag": false,
      "epss": 0.07452,
      "cwe": [
        "NVD-CWE-noinfo",
        "CWE-416"
      ],
      "capec": [],
      "vendor": "Microsoft",
      "products": [
        "Windows Server 2022",
        "Windows 11 Version 24H2",
        "Windows 11 version 22H2",
        "Windows Server 2022, 23H2 Edition (Server Core installation)",
        "Windows 11 version 21H2",
        "Windows 10 Version 21H2",
        "Windows 10 Version 22H2",
        "Windows 11 version 22H3",
        "Windows 11 Version 23H2"
      ]
    }

Field	Description
`_key`	Unique Risk Event identifier
`observable_id`	Foreign key for the observable
`observable_type`	Observable Type: "asset" OR "identity"
`matched_alert_field`	Matched alert field identifier
`matched_observable_field`	Matched observable field; eg: ip
`matched_value`	Matched value
`related_event`	Related AME event - if any
`related_search`	Related search - if any
`comment`	Comment related to the risk event
`risk_change`	Risk change
`status`	Risk Status
`occurrence`	Timestamp of occurrence
`fixed`	Timestamp of when the risk event was marked as inactive
`realization`	Realization - if any
`realization_rule`	Realization rule - if any

SLA Entries

    {
      "_key": "690dc234845d4628a911366d",
      "tenant_uid": "soc",
      "event_key": "690dbd6d845d4628a91134b1",
      "sla": "69021d19ce7cb7827e08e50a",
      "start_time": 1762509363,
      "window_open_until": 1763124963,
      "violation_time": null,
      "end_time": null,
      "last_notification": null,
      "warning_notifications_sent_for": [],
      "end_comment": null,
      "start_comment": "Staring sla",
      "started_by": "admin",
      "ended_by": null,
      "event_title": "Priority Vulnerability  CVE-2024-38150 for group Sales",
      "sla_definition": {},
      "sla_name": "Time to resolve",
      "formatted_start_time": "2025-11-07 10:56:03",
      "formatted_window_end": "2025-11-14 13:56:03",
      "formatted_violation_time": null,
      "formatted_fulfillment_time": null,
      "formatted_last_notification": null,
    }   

Field	Description
`_key`	Unique SLA Entry identifier
`event_key`	Event key this entry is for
`sla`	SLA this entry is for
`sla_definition`	Definition of the SLA. See SLA Definition below.
`start_time`	Start time of the SLA entry in seconds since epoch
`window_open_until`	Timestamp of the SLA window closing in seconds since epoch
`violation_time`	Violation time of the SLA entry in seconds since epoch
`end_time`	End time of the SLA entry in seconds since epoch
`last_notification`	Last notification time of the SLA entry in seconds since epoch
`warning_notifications_sent_for`	Warning notifications sent for these thresholds in secondsobservable
`end_comment`	Comment for the SLA entry ending
`start_comment`	Comment for the SLA entry starting
`started_by`	User who started the SLA entry
`ended_by`	User who ended the SLA entry
`tenant_uid`	Tenant identifier

SLA Definition

    {
    "_key": "69021d19ce7cb7827e08e50a",
    "tenant_uid": "soc",
    "name": "Time to resolve",
    "description": "SLA to model the time to resolution",
    "start_condition": {
      "component_type": "composite",
      "composite_type": "AND",
      "conditions": [
        {
          "component_type": "leaf",
          "leaf_type": "eq",
          "field": "ame.event_title",
          "value": "*SLA*"
        }
      ]
    },
    "stop_condition": {
      "component_type": "composite",
      "composite_type": "AND",
      "conditions": [
        {
          "component_type": "leaf",
          "leaf_type": "neq",
          "field": "ame.status_type",
          "value": "new"
        },
        {
          "component_type": "leaf",
          "leaf_type": "eq",
          "field": "ame.status_type",
          "value": "done"
        }
      ]
    },
    "threshold": 172800,
    "notification_interval": 3600,
    "warning_notifications_at": [],
    "update_actions_on_violation": [],
    "notify_actions_on_violation": [],
    "update_actions_on_fulfillment": [],
    "notify_actions_on_fulfillment": []
  }

Field	Description
`_key`	Unique SLA identifier
`name`	Name of the SLA
`description`	Description for the SLA
`start_condition`	Match condition for start of SLA
`stop_condition`	Match condition for end of SLA
`threshold`	Threshold of the SLA rule in seconds
`notification_interval`	Notification frequency of the SLA rule in seconds
`warning_notifications_at`	Warning notifications sent at these thresholds before violation in seconds (SLA service hours)
`update_actions_on_violation`	Updates executed when the SLA is violated
`notify_actions_on_violation`	Notification triggers sent when the SLA is violated and when notification_interval is reached
`update_actions_on_fulfillment`	Updates executed when the SLA is fulfilled
`notify_actions_on_fulfillment`	Notification triggers sent when the SLA is fulfilled
`tenant_uid`	Tenant identifier

Realizations

    {
      "_key": "690dbc21845d4628a911348e",
      "tenant_uid": "soc",
      "cve": {},
      "first_seen": 1762507807,
      "last_seen": 1762508064,
      "observable": {},
      "observable_type": "asset",
      "fixed_at": -1,
      "matched_field": "ip",
      "matched_value": "179.180.210.219",
      "source": "ame_gen"
    }

Field	Description
`_key`	Unique Identifier.
`first_seen`	First seen timestamp
`cve`	Enriched CVE information, see CVE
`last_seen`.	Last seen timestamp
`observable`	Observable, see See Observbable
`observable_type`	Type of observable
`fixed_at`	Fixed at timestamp
`matched_field`	Matched field
`matched_value`	Matched value
`source`	Source of the realization, e.g. Defender, Qualys, etc.
`tracking`	Tracking information for the realization
`tenant_uid`	Tenant identifier

All Contexts

Field	Description
`actor`	User invoking the action
`ame_host`	Hostname
`ame_link`	Link to instance/app

Event Update Context

Field	Description
`actor`	User invoking the action
`ame._index`	Event index in the database
`ame._key`	Unique event identifier
`ame.assignee`	User assigned to the event
`ame.count`	Event count
`ame.event_title`	Event title
`ame.event_ttl`	Event time-to-live
`ame.first_seen`	First event timestamp
`ame.impact`	Event impact
`ame.most_recent`	Most recent event timestamp
`ame.notifications`	Event notifications
`ame.notable_fields`	Notable fields
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	Origin query app context (optional)
`ame.originQuery.description`	Origin query description (optional)
`ame.originQuery.query_earliest`	Origin query earliest time (optional)
`ame.originQuery.query_latest`	Origin query latest time (optional)
`ame.originQuery.query_string`	Origin query string (optional)
`ame.originQuery.query_view`	Origin query view (optional)
`ame.priority`	Event priority
`ame.priority_name`	Priority name
`ame.resolution`	Event resolution (optional)
`ame.resolution_name`	Resolution name (optional)
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.search_name`	Search name
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status`	Event status
`ame.status_name`	Status name
`ame.tags`	Event tags
`ame.template`	Event template (optional)
`ame.template_name`	Template name (optional)
`ame.tenant_uid`	Tenant identifier
`ame.ttl_target`	TTL target
`ame.urgency`	Event urgency
`ame_host`	Hostname
`ame_link`	Link to instance/app
`comment`	Action comment (if applicable)
`link_to_event`	Deep-link to event
`updates`	List of updated fields

Event Updates-Item

Field	Description
`attribute`	Updated field
`new_value`	New value
`old_value`	Previous value

Event Assigned Context

Field	Description
`actor`	User invoking the action
`ame._index`	Event index in the database
`ame._key`	Unique event identifier
`ame.assignee`	User assigned to the event
`ame.count`	Event count
`ame.event_title`	Event title
`ame.event_ttl`	Event time-to-live
`ame.first_seen`	First event timestamp
`ame.impact`	Event impact
`ame.most_recent`	Most recent event timestamp
`ame.notifications`	Event notifications
`ame.notable_fields`	Notable fields
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	Origin query app context (optional)
`ame.originQuery.description`	Origin query description (optional)
`ame.originQuery.query_earliest`	Origin query earliest time (optional)
`ame.originQuery.query_latest`	Origin query latest time (optional)
`ame.originQuery.query_string`	Origin query string (optional)
`ame.originQuery.query_view`	Origin query view (optional)
`ame.priority`	Event priority
`ame.priority_name`	Priority name
`ame.resolution`	Event resolution (optional)
`ame.resolution_name`	Resolution name (optional)
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.search_name`	Search name
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status`	Event status
`ame.status_name`	Status name
`ame.tags`	Event tags
`ame.template`	Event template (optional)
`ame.template_name`	Template name (optional)
`ame.tenant_uid`	Tenant identifier
`ame.ttl_target`	TTL target
`ame.urgency`	Event urgency
`ame_host`	Hostname
`ame_link`	Link to instance/app
`assignee`	New assigned user
`link_to_event`	Deep-link to event

Event Appended Context

Field	Description
`actor`	User invoking the action
`ame._index`	Event index in the database
`ame._key`	Unique event identifier
`ame.assignee`	Assigned user
`ame.count`	Event count
`ame.event_title`	Event title
`ame.event_ttl`	Event time-to-live
`ame.first_seen`	First event timestamp
`ame.impact`	Event impact
`ame.most_recent`	Most recent event timestamp
`ame.notifications`	Event notifications
`ame.notable_fields`	Notable fields
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	Origin query app context (optional)
`ame.originQuery.description`	Origin query description (optional)
`ame.originQuery.query_earliest`	Origin query earliest time (optional)
`ame.originQuery.query_latest`	Origin query latest time (optional)
`ame.originQuery.query_string`	Origin query string (optional)
`ame.originQuery.query_view`	Origin query view (optional)
`ame.priority`	Event priority
`ame.priority_name`	Priority name
`ame.resolution`	Event resolution (optional)
`ame.resolution_name`	Resolution name (optional)
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.search_name`	Search name
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status`	Event status
`ame.status_name`	Status name
`ame.tags`	Event tags
`ame.template`	Event template (optional)
`ame.template_name`	Template name (optional)
`ame.tenant_uid`	Tenant identifier
`ame.ttl_target`	TTL target
`ame.urgency`	Event urgency
`ame_host`	Hostname
`ame_link`	Link to instance/app
`count`	New count
`link_to_event`	Deep-link to event

Event Commented Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event
`comments`	List of new comments

Event Comment-Item

Field	Description
`text`	Comment
`actor`	User
`timestamp_formatted`	Timestamp of the comment

Rule Matched Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event
`keyword`	Defined keyword
`message`	Defined message
`rule_name`	Rule that was matched

Event Deleted Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.priority_name`	Name of the priority
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event

Event Created Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`search_name`	Name of the search that created the event
`fields`	Alert - fields

info

To access event fields, use following Syntax: {{ alert_data.<field_name> or 'n/a' }}

Bulk Update Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`event_count`	Number of events that were affected
`updates`	List of events that were updated

Bulk Updates-Item

Field	Description
`attribute`	Field that was updated
`new_value`	New value

Bulk Delete Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`event_count`	Number of events that were affected

Additional Single-Event Notification Contexts

Field	Description
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event
`comment`	Comment on the action that caused the change (if applicable)

SLA Fulfilled Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event
`keyword`	Defined keyword
`message`	Defined message
`sla_name`	Name of the SLA
`sla_start_time`	Start time of the SLA
`sla_window_end`	Window end time of the SLA
`sla_fulfilled_time_end`	Fufilled time of the SLA

SLA Violated Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event
`keyword`	Defined keyword
`message`	Defined message
`sla_name`	Name of the SLA
`sla_start_time`	Start time of the SLA
`sla_window_end`	Windows end time of the SLA
`sla_violation_time`	Violation time of the SLA

SLA Violation Imminent Context

Field	Description
`actor`	User that invoked the action
`ame_host`	Hostname
`ame_link`	Link to instance / app
`ame._key`	Unique identifier for the event
`ame._index`	Index of the event in the database
`ame.event_title`	Title of the event
`ame.tenant_uid`	Tenant identifier
`ame.impact`	Impact of the event
`ame.urgency`	Urgency of the event
`ame.priority`	Priority of the event
`ame.assignee`	User assigned to the event
`ame.search_name`	Search name of the event
`ame.count`	Number of events
`ame.status`	Status of the event
`ame.notifications`	Notifications for the event
`ame.resolution`	Resolution of the event (optional)
`ame.tags`	Tags for the event
`ame.notable_fields`	Notable fields for the event
`ame.first_seen`	Timestamp of the first event
`ame.most_recent`	Timestamp of the most recent event
`ame.event_ttl`	Time-to-live for the event
`ame.ttl_target`	Target for the time-to-live
`ame.template`	Template for the event (optional)
`ame.observables`	Count of observables linked to event
`ame.observables_count`	Count of observables linked to event
`ame.originQuery.app`	The app context of the origin query (optional)
`ame.originQuery.description`	The description of the origin query (optional)
`ame.originQuery.query_earliest`	The earliest time of the origin query (optional)
`ame.originQuery.query_latest`	The latest time of the origin query (optional)
`ame.originQuery.query_string`	The query string (optional)
`ame.originQuery.query_view`	The view of the query (optional)
`ame.priority_name`	Name of the priority
`ame.risk_events`	List of risk events linked to event (optional)
`ame.risk_events_count`	Count of risk events linked to event (optional)
`ame.sla_entries`	Count of SLA entries linked to event (optional)
`ame.sla_entries_count`	List of SLA entries linked to event (optional)
`ame.status_name`	Name of the status
`ame.template_name`	Name of the template (optional)
`ame.resolution_name`	Name of the resolution (optional)
`link_to_event`	Deep-Link to the event
`sla_name`	Name of the SLA
`sla_start_time`	Start time of the SLA
`sla_window_end`	Windows end time of the SLA
`sla_violation_in_real_time`	Violation real time of the SLA
`sla_violation_in_service_time`	Violation service time of the SLA

Example Context (Generic)

{
  'observables_count': 1,
  'observables': [
    {
      '_key': '6819b428d8018eaf8d03a639',
      'tenant_uid': 'default',
      'uid': 'A0:B9:23:82:0D:CC',
      'type': 'asset',
      'first_seen': 1746514983.0,
      'last_seen': 1746687787.0,
      'observable_group': None,
      'data_info': {
        'criticality': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        'hostname': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        'ip': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        'mac': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        'department': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        'os': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        'platform_type': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        '1cpu': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        },
        '2cpu': {
          'confidence': 10,
          'origin': 'Observable Generator 5000',
          'origin_type': 'search',
          'first_created': 1746514983,
          'last_updated': 1746687787
        }
      },
      'risk': 20,
      'total_risk': 20,
      'criticality': 'high',
      'hostname': 'server-1',
      'ip': '196.202.66.56',
      'mac': 'A0:B9:23:82:0D:CC',
      'department': 'Sales',
      'os': 'Windows 11',
      'platform_type': 'ARM',
      '1cpu': 'Apple M1',
      '2cpu': 'Apple M2',
      'criticality_parsed': 2,
      'deleted': 0,
      '_user': 'nobody'
    }
  ],
  'risk_events_count': 1,
  'risk_events': [
    {
      '_key': '681c62b3a68009b4070de7f9',
      'tenant_uid': 'default',
      'observable_id': '6819b428d8018eaf8d03a639',
      'observable_type': 'asset',
      'matched_alert_field': 'ip',
      'matched_observable_field': 'ip',
      'matched_value': '196.202.66.56',
      'related_event': '681c62b2a68009b4070de7f3',
      'related_search': 'unknown',
      'comment': None,
      'risk_change': 10,
      'status': 'active',
      'occurrence': 1746690725,
      'fixed': None,
      'observable': Observable(key='6819b428d8018eaf8d03a639',
      tenant_uid='default',
      uid='A0:B9:23:82:0D:CC',
      type='asset',
      first_seen=1746514983.0,
      last_seen=1746687787.0,
      observable_group=None,
      data_info=ObservableDataInfo(criticality=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      hostname=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      ip=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      mac=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      department=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      os=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      platform_type=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      1cpu=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787),
      2cpu=ObservableFieldInfo(confidence=10,
      origin='Observable Generator 5000',
      origin_type=search,
      first_created=1746514983,
      last_updated=1746687787)),
      risk=20,
      total_risk=20,
      criticality='high',
      hostname='server-1',
      ip='196.202.66.56',
      mac='A0:B9:23:82:0D:CC',
      department='Sales',
      os='Windows 11',
      platform_type='ARM',
      1cpu='Apple M1',
      2cpu='Apple M2',
      criticality_parsed=2,
      deleted=0,
      _user='nobody',
      criticality_parsed=<Criticality.HIGH: 2>)
    }
  ],
  'sla_entries_count': 1,
  'sla_entries': [
    {
      '_key': '681c62b3a68009b4070de7f5',
      'tenant_uid': 'default',
      'event_key': '681c62b2a68009b4070de7f3',
      'sla': '681c5f268b34c824cd0eb7b0',
      'start_time': 1746690737,
      'window_open_until': 1746867137,
      'violation_time': None,
      'end_time': None,
      'last_notification': None,
      'warning_notifications_sent_for': [
        
      ],
      'end_comment': None,
      'start_comment': 'Started by condition',
      'started_by': 'splunk-system-user',
      'ended_by': None,
      'event_title': ' ',
      'sla_name': 'TEST',
      'formatted_start_time': '2025-05-08 09:52:17',
      'formatted_window_end': '2025-05-10 10:52:17',
      'formatted_violation_time': None,
      'formatted_fulfillment_time': None,
      'formatted_last_notification': None,
      'sla_definition': {
        '_key': '681c5f268b34c824cd0eb7b0',
        'tenant_uid': 'default',
        'name': 'TEST',
        'description': None,
        'start_condition': {
          'component_type': 'composite',
          'composite_type': 'AND',
          'conditions': [
            {
              'component_type': 'leaf',
              'leaf_type': 'eq',
              'field': 'ame.event_title',
              'value': '**'
            }
          ]
        },
        'stop_condition': {
          'component_type': 'composite',
          'composite_type': 'AND',
          'conditions': [
            {
              'component_type': 'leaf',
              'leaf_type': 'eq',
              'field': 'ame.event_title',
              'value': 'tototototot'
            }
          ]
        },
        'threshold': 86400,
        'notification_interval': 3600,
        'warning_notifications_at': [
          
        ],
        'update_actions_on_violation': [
          
        ],
        'notify_actions_on_violation': [
          
        ],
        'update_actions_on_fulfillment': [
          
        ],
        'notify_actions_on_fulfillment': [
          
        ]
      }
    }
  ],
  'ame': {
    '_key': '681c62b2a68009b4070de7f3',
    '_index': 'ame_default',
    'event_title': 'foo bar',
    'tenant_uid': 'default',
    'impact': 'low',
    'urgency': 'high',
    'priority': 2,
    'assignee': 'unassigned',
    'search_name': 'unknown',
    'originQuery': {
      'query_string': '',
      'query_earliest': None,
      'query_latest': None,
      'query_app': 'alert_manager_enterprise',
      'query_view': 'search',
      'description': 'search not found'
    },
    'count': 1,
    'status': '6819ac2d80876952dc014f15',
    'notifications': '6819ac2d80876952dc014f1f',
    'tags': [
      
    ],
    'notable_fields': [
      
    ],
    'first_seen': 1746690725.6888084,
    'most_recent': 1746690725.6888084,
    'event_ttl': -1,
    'ttl_target': None,
    'template': '6819ac2d80876952dc014f20',
    'resolution': None,
    'most_recent_notable_fields': {
      '_time': '1746690725',
      'count': '3',
      'ip': '196.202.66.56'
    },
    'risk': 10,
    'ticketing_integration': '681c5f728b34c824cd0eb7b1',
    'remote_ticket_id': None,
    'remote_ticket_failed': None,
    'priority_name': 'medium',
    'template_name': 'default',
    'notifications_name': 'default',
    'status_name': 'new',
    'status_type': 'new',
    'resolution_name': None
  }
}

Example Context (Search Based)

{
    "data": [
        {
            "somefield": "row1",
            "otherfield": "row1"
        },
        {
            "somefield": "row2",
            "otherfield": "row2"
        }
    ],
    "most_recent_data": {
        "somefield": "row1",
        "otherfield": "row1"
    },
    "title": "set by action",
    "keyword": "set by action",
    "message": "set by action",
    "sid": 0123456789.001836,
    "search_name": "foobar",
    "search_time": 17654726746,
    "search_link": "{self.ame_host}/app/{AppSettings.DEFAULT_APP_NAME}/search?sid={self.sid}"
}

Observables​

Observable Groups​

Risk Events​

CVE​

SLA Entries​

SLA Definition​

Realizations​

All Contexts​

Event Update Context​

Event Updates-Item​

Event Assigned Context​

Event Appended Context​

Event Commented Context​

Event Comment-Item​

Rule Matched Context​

Event Deleted Context​

Event Created Context​

Bulk Update Context​

Bulk Updates-Item​

Bulk Delete Context​

Additional Single-Event Notification Contexts​

SLA Fulfilled Context​

SLA Violated Context​

SLA Violation Imminent Context​

Example Context (Generic)​

Example Context (Search Based)​