Contexts
Depending on the model and action associated with your events, certain contexts become available to Notification Templates. This page details the fields available in each context.
Base Models
Base models for AME notifications include:
- Event
- Observable
- Observable Group
- Risk Event
- CVE
- SLA Entry
- SLA Definition
- Realization
They are reused across multiple notification types and actions. The following sections detail the fields available for each base model.
Event
```json
{
  "ame._key": "690dbd6d845d4628a91134b1",
  "ame._index": "ame_events_splunk_soc",
  "ame.event_title": "Priority Vulnerability - CVE-2024-38150 for group Sales",
  "ame.tenant_uid": "soc",
  "ame.impact": "high",
  "ame.urgency": "medium",
  "ame.priority": 2,
  "ame.priority_name": "high",
  "ame.assignee": "admin",
  "ame.search_name": "High and Critical on priority Assets",
  "ame.originQuery": {
    "query_string": "search index=ame_events_splunk_soc severity IN (\"high\", \"critical\") AND priority IN (\"high\", \"critical\")",
    "query_earliest": 19176416042,
    "query_latest": 19176906472,
    "query_app": "AME - Event Searches",
    "query_view": "Default",
    "description": "High and Critical vulnerabilities on priority assets"
  },
  "ame.count": 1,
  "ame.status": "690dbd6d845d4628a93134b1",
  "ame.status_name": "new",
  "ame.status_type": "new",
  "ame.notifications": "690dbd45d45d3628b93234b1",
  "ame.notifications_name": "Default Notification Set",
  "ame.tags": [
    "vulnerability",
    "priority"
  ],
  "ame.notable_fields": [
    "cve",
    "owner",
    "observable_group"
  ],
  "ame.first_seen": 1762508123,
  "ame.most_recent": 1762508123,
  "ame.event_ttl": 172800,
  "ame.ttl_target": "690dbd6d845d4628a93134b2",
  "ame.template": "690dbd6d845d4628a93134b3",
  "ame.template_name": "Vulnerability Event Template",
  "ame.resolution": null,
  "ame.resolution_name": null,
  "ame.most_recent_notable_fields": {
    "cve": "CVE-2024-38150",
    "owner": "John Doe",
    "observable_group": "Sales"
  },
  "ame.risk": 1200,
  "ame.ticketing_integration": "390dbd6d821d4628a93134b2",
  "ame.remote_ticket_id": "INC123456",
  "ame.remote_ticket_failed": false
}
```
| Field | Description |
|---|---|
| ame._key | Unique identifier for the event |
| ame._index | The index where the event is stored |
| ame.event_title | The title of the event |
| ame.tenant_uid | Tenant unique identifier |
| ame.impact | Impact level of the event |
| ame.urgency | Urgency level of the event |
| ame.priority | Priority number of the event |
| ame.assignee | Assigned user for the event |
| ame.search_name | Name of the search that generated the event |
| ame.originQuery.query_string | The query string (optional) |
| ame.originQuery.query_earliest | The earliest time of the origin query (optional) |
| ame.originQuery.query_latest | The latest time of the origin query (optional) |
| ame.originQuery.query_app | The app context of the origin query (optional) |
| ame.originQuery.query_view | The view of the query (optional) |
| ame.originQuery.description | The description of the origin query (optional) |
| ame.count | Count of occurrences for the event |
| ame.status | Status identifier of the event (foreign key) |
| ame.status_name | Human-readable name of the status |
| ame.notifications | Notifications identifier (foreign key) |
| ame.notifications_name | Human-readable name of the notifications |
| ame.tags | Array of tags associated with the event |
| ame.notable_fields | Array of notable fields |
| ame.first_seen | Epoch timestamp of when the event was first seen |
| ame.most_recent | Epoch timestamp of the most recent occurrence |
| ame.event_ttl | Time to live for the event in seconds |
| ame.ttl_target | Target identifier for TTL (foreign key) |
| ame.ttl_target_name | Human-readable name of the TTL target |
| ame.template | Template identifier used for the event (foreign key) |
| ame.template_name | Human-readable name of the template |
| ame.resolution | Resolution identifier of the event (foreign key) |
| ame.resolution_name | Human-readable name of the resolution |
| ame.most_recent_notable_fields | Object containing the most recent values of notable fields |
| ame.risk | Risk score of the event |
| ame.ticketing_integration | Ticketing integration identifier |
| ame.remote_ticket_id | Remote ticket ID |
| ame.remote_ticket_failed | Boolean indicating if remote ticket creation failed |
Observable
```json
{
  "_key": "69009dabce7cb7827e08d9bb",
  "tenant_uid": "soc",
  "uid": "ED:C9:9F:E8:43:FD",
  "type": "asset",
  "first_seen": 1761648042.0,
  "last_seen": 1761906472.0,
  "observable_group": "69009784ce7cb7827e08a1f0",
  "risk": 1920,
  "total_risk": 1920,
  "criticality": "high",
  "criticality_parsed": 2,
  "observable_group_definition": {},
  "fqdn": "server-1981.demo.com",
  "name": "server-1981",
  "hostname": "server-1981"
}
```
| Field | Description |
|---|---|
_key | Unique Observable identifier |
tenant_uid | Tenant identifier |
uid | Unique value for the asset / identity |
type | Observable Type: "asset" or "identity" |
first_seen | Epoch timestamp of first entry |
last_seen | Epoch timestamp of last seen / update |
observable_group | Foreign key of Observable group |
risk | Risk score associated with the observable for active events |
total_risk | Total risk score associated with the observable, not changed by risk events being marked as inactive |
criticality | Criticality of the observable as one of "unknown", "low", "medium", "high" |
criticality_parsed | Criticality of the observable in a machine readable format |
observable_group_definition | See Observable Group below.
`<data_field>` | Fields holding your observable data, e.g. fqdn, name and hostname in the example above
Observable Group
```json
{
  "name": "Sales",
  "description": "Sales",
  "matches": {
    "component_type": "composite",
    "composite_type": "AND",
    "conditions": [
      {
        "component_type": "leaf",
        "leaf_type": "eq",
        "field": "department",
        "value": "Sales"
      }
    ]
  },
  "scope": "asset",
  "additional_fields": {
    "owner": "John Doe",
    "support_contact": "sales@example.com"
  },
  "from_action": false,
  "from_action_last_seen": null
}
```
| Field | Description |
|---|---|
name | Name of the observable group |
description | Description of the observable group |
matches | Match composite |
scope | Scope of the observable group (observable type) |
additional_fields | Additional fields |
from_action | Indicates if this group was created by a modular alert action |
from_action_last_seen | The last time a modular alert action created / updated this group |
CVE
```json
{
  "_key": "69008b927c7f1492450d32e7",
  "cve": "CVE-2024-38150",
  "title": "Windows DWM Core Library Elevation of Privilege Vulnerability",
  "cna": "microsoft",
  "description": "Windows DWM Core Library Elevation of Privilege Vulnerability",
  "published": 1723572919,
  "updated": 1723659373,
  "cvss_version": "3.1",
  "cvss_score": 7.8,
  "cvss_severity": "HIGH",
  "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
  "cvss_source": "secure@microsoft.com",
  "cvss": [
    {
      "version": "3.1",
      "score": 7.8,
      "severity": "HIGH",
      "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "source": "secure@microsoft.com"
    }
  ],
  "exploitable": false,
  "has_exploit_tag": false,
  "epss": 0.07452,
  "cwe": [
    "NVD-CWE-noinfo",
    "CWE-416"
  ],
  "capec": [],
  "vendor": "Microsoft",
  "products": [
    "Windows Server 2022",
    "Windows 11 Version 24H2"
  ]
}
```
| Field | Description |
|---|---|
_key | Unique CVE identifier |
cve | CVE identifier |
title | Title of the CVE |
cna | CNA (CVE Numbering Authority) |
description | Description of the CVE |
published | Published timestamp |
updated | Updated timestamp |
cvss_version | CVSS version |
cvss_score | CVSS score |
cvss_severity | CVSS severity |
cvss_vector | CVSS vector |
cvss_source | CVSS source |
cvss | CVSS details |
exploitable | Whether the CVE is exploitable according to CISA Known Exploited Vulnerabilities Catalog |
has_exploit_tag | Whether the CVE has an exploit tag |
epss | EPSS score |
cwe | List of CWEs associated with the CVE |
capec | List of CAPECs associated with the CVE |
vendor | Vendor associated with the CVE |
products | List of products associated with the CVE |
SLA
```json
{
  "_key": "69021d19ce7cb7827e08e50a",
  "tenant_uid": "soc",
  "name": "Time to resolve",
  "description": "SLA to model the time to resolution",
  "start_condition": {
    "component_type": "composite",
    "composite_type": "AND",
    "conditions": [
      {
        "component_type": "leaf",
        "leaf_type": "eq",
        "field": "ame.event_title",
        "value": "*SLA*"
      }
    ]
  },
  "stop_condition": {
    "component_type": "composite",
    "composite_type": "AND",
    "conditions": [
      {
        "component_type": "leaf",
        "leaf_type": "neq",
        "field": "ame.status_type",
        "value": "new"
      },
      {
        "component_type": "leaf",
        "leaf_type": "eq",
        "field": "ame.status_type",
        "value": "done"
      }
    ]
  },
  "threshold": 172800,
  "notification_interval": 3600,
  "warning_notifications_at": [],
  "update_actions_on_violation": [],
  "notify_actions_on_violation": [],
  "update_actions_on_fulfillment": [],
  "notify_actions_on_fulfillment": []
}
```
| Field | Description |
|---|---|
_key | Unique SLA identifier |
tenant_uid | Tenant identifier |
name | Name of the SLA |
description | Description for the SLA |
start_condition | Match condition for start of SLA |
stop_condition | Match condition for end of SLA |
threshold | Threshold of the SLA rule in seconds |
notification_interval | Notification frequency of the SLA rule in seconds |
warning_notifications_at | Warning notifications sent at these thresholds before violation in seconds (SLA service hours) |
update_actions_on_violation | Updates executed when the SLA is violated |
notify_actions_on_violation | Notification triggers sent when the SLA is violated and when notification_interval is reached |
update_actions_on_fulfillment | Updates executed when the SLA is fulfilled |
notify_actions_on_fulfillment | Notification triggers sent when the SLA is fulfilled |
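The Observable Group `matches` tree above and the SLA `start_condition` / `stop_condition` share the same composite/leaf structure. The following Python is an added example, not the AME product's code, that evaluates such a tree against a flat record such as the Event JSON, whose keys are literal dotted names like `ame.event_title`. It assumes that `eq` / `neq` compare the record field with the condition value, that a `*` inside a string value is a glob wildcard (the page's `*SLA*` suggests this but does not define it), and it adds an `OR` composite type that the page does not show; the sample records are constructed.

```python
"""Evaluate AME-style composite/leaf conditions against a flat record (added example)."""
from fnmatch import fnmatchcase

# Trees copied from the page: Observable Group "Sales" and the "Time to resolve" SLA.
SALES_GROUP = {
    "name": "Sales",
    "scope": "asset",
    "matches": {
        "component_type": "composite",
        "composite_type": "AND",
        "conditions": [
            {"component_type": "leaf", "leaf_type": "eq", "field": "department", "value": "Sales"}
        ],
    },
}
SLA_START_CONDITION = {
    "component_type": "composite",
    "composite_type": "AND",
    "conditions": [
        {"component_type": "leaf", "leaf_type": "eq", "field": "ame.event_title", "value": "*SLA*"}
    ],
}
SLA_STOP_CONDITION = {
    "component_type": "composite",
    "composite_type": "AND",
    "conditions": [
        {"component_type": "leaf", "leaf_type": "neq", "field": "ame.status_type", "value": "new"},
        {"component_type": "leaf", "leaf_type": "eq", "field": "ame.status_type", "value": "done"},
    ],
}


def _leaf_matches(record: dict, field: str, value) -> bool:
    """True if record[field] equals value; a '*' in a string value is glob-matched (assumption)."""
    actual = record.get(field)  # Event keys are literal dotted names, e.g. "ame.event_title"
    if isinstance(value, str) and "*" in value:
        return isinstance(actual, str) and fnmatchcase(actual, value)
    return actual == value


def evaluate(condition: dict, record: dict) -> bool:
    """Recursively evaluate a composite/leaf condition tree against a flat record."""
    ctype = condition["component_type"]
    if ctype == "composite":
        results = [evaluate(c, record) for c in condition["conditions"]]
        op = condition["composite_type"]
        if op == "AND":
            return all(results)  # an empty AND is vacuously true
        if op == "OR":  # assumed extension; the page only shows AND
            return any(results)
        raise ValueError(f"unknown composite_type: {op!r}")
    if ctype == "leaf":
        matched = _leaf_matches(record, condition["field"], condition["value"])
        leaf = condition["leaf_type"]
        if leaf == "eq":
            return matched
        if leaf == "neq":
            return not matched
        raise ValueError(f"unknown leaf_type: {leaf!r}")
    raise ValueError(f"unknown component_type: {ctype!r}")


def observable_in_group(observable: dict, group: dict) -> bool:
    """An observable belongs to a group when its type matches the scope and the tree matches."""
    return observable.get("type") == group["scope"] and evaluate(group["matches"], observable)


def sla_start_applies(event: dict) -> bool:
    return evaluate(SLA_START_CONDITION, event)


def sla_stop_applies(event: dict) -> bool:
    return evaluate(SLA_STOP_CONDITION, event)


if __name__ == "__main__":
    # Constructed sample records, not data from the page.
    laptop = {"type": "asset", "department": "Sales", "hostname": "laptop-01"}
    event = {"ame.event_title": "Priority Vulnerability - SLA check", "ame.status_type": "new"}
    print("in Sales group:", observable_in_group(laptop, SALES_GROUP))
    print("SLA starts:", sla_start_applies(event), "SLA stops:", sla_stop_applies(event))
```

Note that the stop condition's two leaves both test `ame.status_type`, so a record without that field fails the `eq "done"` leaf and the SLA keeps running, which is the conservative outcome for an incomplete record.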
SLA Entry
```json
{
  "_key": "690dc234845d4628a911366d",
  "tenant_uid": "soc",
  "event_key": "690dbd6d845d4628a91134b1",
  "sla": "69021d19ce7cb7827e08e50a",
  "start_time": 1762509363,
  "window_open_until": 1763124963,
  "violation_time": null,
  "end_time": null,
  "last_notification": null,
  "warning_notifications_sent_for": [],
  "end_comment": null,
  "start_comment": "Starting sla",
  "started_by": "admin",
  "ended_by": null,
  "event_title": "Priority Vulnerability CVE-2024-38150 for group Sales",
  "formatted_start_time": "2025-11-07 10:56:03",
  "formatted_window_end": "2025-11-14 13:56:03",
  "formatted_violation_time": null,
  "formatted_fulfillment_time": null,
  "formatted_last_notification": null,
  "sla_definition": {},
  "sla_name": "Time to resolve"
}
```
| Field | Description |
|---|---|
_key | Unique SLA Entry identifier |
tenant_uid | Tenant identifier |
event_key | Event key this entry is for (foreign key) |
sla | SLA this entry is for (foreign key) |
sla_definition | Definition of the SLA. See SLA. |
start_time | Start time of the SLA entry in seconds since epoch |
window_open_until | Timestamp of the SLA window closing in seconds since epoch |
violation_time | Violation time of the SLA entry in seconds since epoch |
end_time | End time of the SLA entry in seconds since epoch |
last_notification | Last notification time of the SLA entry in seconds since epoch |
warning_notifications_sent_for | Warning notifications sent for these thresholds in seconds. |
end_comment | Comment for the SLA entry ending |
start_comment | Comment for the SLA entry starting |
started_by | User who started the SLA entry |
ended_by | User who ended the SLA entry |
Realization
```json
{
  "_key": "690dbc21845d4628a911348e",
  "tenant_uid": "soc",
  "first_seen": 1762507807,
  "last_seen": 1762508064,
  "observable_type": "asset",
  "fixed_at": -1,
  "matched_field": "ip",
  "matched_value": "179.180.210.219",
  "source": "Defender",
  "cve": {},
  "observable": {}
}
```
| Field | Description |
|---|---|
_key | Unique Identifier. |
tenant_uid | Tenant identifier |
first_seen | First seen timestamp |
last_seen | Last seen timestamp |
observable_type | Type of observable |
fixed_at | Fixed at timestamp (-1 if not fixed) |
matched_field | Matched field |
matched_value | Matched value |
source | Source of the realization, e.g. Defender, Qualys, etc. |
cve | Enriched CVE information, see CVE |
observable | Observable, see Observable |
Risk Event
```json
{
  "_key": "690dbd6d845d4628a91134b4",
  "tenant_uid": "soc",
  "observable_id": "69009dabce7cb7827e08d9bb",
  "observable_type": "asset",
  "matched_alert_field": "ip",
  "matched_observable_field": "ip",
  "matched_value": "179.180.210.219",
  "related_event": "690dbd6d845d4628a91134b1",
  "related_search": "High and Critical on priority Assets",
  "comment": null,
  "risk_change": 100,
  "status": "active",
  "occurrence": 1762508127,
  "fixed": null,
  "realization_rule": "690481e1ce7cb7827e08e64a",
  "realization": {},
  "observable": {},
  "cve": {}
}
```
| Field | Description |
|---|---|
_key | Unique Risk Event identifier |
tenant_uid | Tenant identifier |
observable_id | Foreign key for the observable |
observable_type | Observable Type: "asset" OR "identity" |
matched_alert_field | Matched alert field identifier |
matched_observable_field | Matched observable field, e.g. ip
matched_value | Matched value |
related_event | Related AME event (foreign key, optional) |
related_search | Related search - if any |
comment | Comment related to the risk event |
risk_change | Risk change for the observable due to this risk event |
status | Risk Status ("active", "inactive") |
occurrence | Timestamp of occurrence |
fixed | Timestamp of when the risk event was marked as inactive |
realization_rule | Realization rule (foreign key, optional) |
realization | Optional realization details, see Realization |
observable | Observable details, see Observable |
cve | Optional CVE details, see CVE |
Specific Notification Contexts
Depending on the notification trigger type, different contexts are available. The following section details the fields available for each notification context with reference to the base models above.
Event Update Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
updates | List of updated fields as a list of Event Updates-Item below |
Event Updates-Item:
| Field | Description |
|---|---|
attribute | Updated field |
new_value | New value |
old_value | Previous value |
Event Assigned Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
assignee | New assigned user |
Event Appended Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
count | New count |
Event Commented Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
comments | List of new comments as a list of Event Comment-Item below |
Event Comment-Item:
| Field | Description |
|---|---|
text | Comment |
actor | User |
timestamp_formatted | Timestamp of the comment |
Rule Matched Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
keyword | Defined keyword |
message | Defined message |
rule_name | Rule that was matched |
Event Deleted Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
Event Created Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
fields | Alert fields
Info: To access event fields, use the following syntax: `{{ alert_data.<field_name> or 'n/a' }}`
Bulk Update Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
event_count | Number of events that were affected |
updates | List of updates that were made as a list of Bulk Updates-Item below |
Bulk Updates-Item:
| Field | Description |
|---|---|
attribute | Field that was updated |
new_value | New value |
Bulk Delete Context
| Field | Description |
|---|---|
actor | User that invoked the action |
ame_host | Hostname |
ame_link | Link to instance / app |
event_count | Number of events that were affected |
SLA Fulfilled Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
keyword | Defined keyword |
message | Defined message |
sla_name | Name of the SLA |
sla_start_time | Start time of the SLA |
sla_window_end | Window end time of the SLA |
sla_fulfilled_time_end | Fulfilled time of the SLA |
SLA Violated Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
keyword | Defined keyword |
message | Defined message |
sla_name | Name of the SLA |
sla_start_time | Start time of the SLA |
sla_window_end | Window end time of the SLA
sla_violation_time | Violation time of the SLA |
SLA Violation Imminent Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |
sla_name | Name of the SLA |
sla_start_time | Start time of the SLA |
sla_window_end | Window end time of the SLA
sla_violation_in_real_time | Violation real time of the SLA |
sla_violation_in_service_time | Violation service time of the SLA |
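The SLA, SLA Entry and SLA Violation Imminent sections above all hinge on service hours: the sample entry's `window_open_until` lies 615600 real seconds after `start_time`, not the 172800 seconds of the SLA `threshold`, and the imminent-violation context reports the remaining time both in real and in service seconds. The following Python is an added example, not the AME product's code, showing how such a window is computed. The page does not define the service calendar or display time zone; the example assumes Mon-Fri 08:00-17:00 in a fixed UTC+1 zone, an assumption chosen because it reproduces the sample's `start_time`, `window_open_until`, `formatted_start_time` and `formatted_window_end` exactly. The reading of `warning_notifications_at` / `warning_notifications_sent_for` is likewise an assumption, and the `now` value is constructed.

```python
"""SLA windows in service hours, reproducing the page's sample SLA Entry (added example)."""
from datetime import datetime, timedelta, timezone

SERVICE_TZ = timezone(timedelta(hours=1))      # assumed display/service zone (UTC+1)
SERVICE_OPEN_HOUR, SERVICE_CLOSE_HOUR = 8, 17  # assumed service window, 9 h per day
SERVICE_WEEKDAYS = {0, 1, 2, 3, 4}             # Monday..Friday (assumed)

# Values taken from the page's SLA and SLA Entry samples.
SAMPLE_START_TIME = 1762509363
SAMPLE_THRESHOLD = 172800
SAMPLE_WINDOW_END = 1763124963


def _local(ts: int) -> datetime:
    return datetime.fromtimestamp(ts, SERVICE_TZ)


def _at_hour(day: datetime, hour: int) -> datetime:
    return day.replace(hour=hour, minute=0, second=0, microsecond=0)


def _next_opening(day: datetime) -> datetime:
    return _at_hour(day + timedelta(days=1), SERVICE_OPEN_HOUR)


def add_service_seconds(start_ts: int, seconds: int) -> int:
    """Epoch timestamp reached after `seconds` of service time from start_ts."""
    t, remaining = _local(start_ts), seconds
    while True:
        close = _at_hour(t, SERVICE_CLOSE_HOUR)
        if t.weekday() in SERVICE_WEEKDAYS and t < close:
            cursor = max(t, _at_hour(t, SERVICE_OPEN_HOUR))  # clamp to opening time
            available = int((close - cursor).total_seconds())
            if remaining <= available:
                return int((cursor + timedelta(seconds=remaining)).timestamp())
            remaining -= available
        t = _next_opening(t)  # weekends and after-hours time do not count


def service_seconds_between(start_ts: int, end_ts: int) -> int:
    """Service seconds elapsed between two epoch timestamps (0 if end <= start)."""
    t, end, total = _local(start_ts), _local(end_ts), 0
    while t < end:
        if t.weekday() in SERVICE_WEEKDAYS:
            lo = max(t, _at_hour(t, SERVICE_OPEN_HOUR))
            hi = min(end, _at_hour(t, SERVICE_CLOSE_HOUR))
            if hi > lo:
                total += int((hi - lo).total_seconds())
        t = _next_opening(t)
    return total


def format_local(ts: int) -> str:
    """Render a timestamp the way formatted_start_time / formatted_window_end appear."""
    return _local(ts).strftime("%Y-%m-%d %H:%M:%S")


def violation_in(now_ts: int, window_end_ts: int) -> dict:
    """The two countdowns of the SLA Violation Imminent context, from a given 'now'."""
    return {
        "sla_violation_in_real_time": max(0, window_end_ts - now_ts),
        "sla_violation_in_service_time": service_seconds_between(now_ts, window_end_ts),
    }


def warnings_due(now_ts: int, window_end_ts: int, warning_at: list, already_sent: list) -> list:
    """Warning thresholds (service seconds before violation) reached now and not yet sent."""
    remaining = service_seconds_between(now_ts, window_end_ts)
    return sorted((w for w in warning_at if remaining <= w and w not in already_sent), reverse=True)


if __name__ == "__main__":
    end = add_service_seconds(SAMPLE_START_TIME, SAMPLE_THRESHOLD)
    print(format_local(SAMPLE_START_TIME), "->", format_local(end), end == SAMPLE_WINDOW_END)
    now = 1762945200  # constructed: Wednesday 2025-11-12 12:00:00 in the assumed zone
    print(violation_in(now, end), warnings_due(now, end, [86400, 28800, 3600], []))
```

The point for template authors is that `sla_violation_in_real_time` and `sla_violation_in_service_time` can differ by days when a window spans a weekend, so a template that renders only the real-time countdown will overstate how much working time is left.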
Risk Events Changed Context
| Field | Description |
|---|---|
actor | User invoking the action |
ame_host | Hostname |
ame_link | Link to AME instance. |
link_to_event | Deep-link to event |
ame.* | Event fields, see Event |
observables_count | Count of observables linked to event |
observables | List of observables in event, see Observable |
risk_events_count | Count of risk events linked to event |
risk_events | List of risk events in event, see Risk Event |
sla_entries_count | Count of SLA entries linked to event |
sla_entries | List of SLA entries in event, see SLA Entry |
cves_count | Count of CVEs linked to event |
cves | List of CVEs in event, see CVE |
realizations_count | Count of realizations linked to event |
realizations | List of realizations in event, see Realization |