Observables

Observables in Alert Manager Enterprise (AME) is a powerful feature that collects identity and asset information through a Splunk Alert Action, merging this data into a KV Store collection.

info

Requires an AME subscription for more than 100 assets and more than 100 identities.

Overview

Observables enables AME to gather and manage critical data, such as user identities and asset details, via Splunk Alert Actions. This data is stored in a flexible KV Store collection, allowing for dynamic enrichment of search results or AME events.

Key Capabilities

  • Data Collection: Captures identity (e.g., user details) and asset (e.g., device information) data through Splunk Alert Actions.
  • Storage: Merges collected data into a KV Store collection for centralized management.
  • Enrichment: Enhances Splunk search results using lookup tables or enriches AME events with additional context.
  • Flexibility: Supports any field in identity and asset tables, enabling customization for specific use cases.

Use Cases

  • Enrich event investigations with identity and asset details for deeper analysis.
  • Improve search accuracy by integrating observable data into Splunk lookups.
  • Enhance AME event management by adding contextual information, such as user roles or asset ownership.

Configuration

Access and customize Observables through the dedicated Observables menu, featuring tabs for managing data: Overview, Groups, Refinements, and Configuration. These settings shape how identity and asset data is processed, grouped, refined, and aged in AME (see Working with Events for usage).

Overview

Filter and display both aggregated and individual observables in the Observables table. Use the Observable Type Filter (e.g., Assets) and Add filter options to narrow results, displaying only one asset type (e.g., users or devices) at a time for focused visibility. Click Find Observables to update the view (see Event Summary Configuration).

Observable Groups

Aggregate observables into groups and add enrichment information (e.g., Missed Assets, CH Assets) to streamline analysis, accessible via the Groups tab in the Observables menu. This feature exists to organize related assets or identities into "Asset Groups" or "Identity Groups," applied in the order listed, labeled as "Aggregated by observable-group" in the UI. Use the Reorder, Preview, Recalculate, and Add Asset Group buttons to manage groups, ensuring each asset belongs to only one group.

Configuring Observable Groups

Configure groups in the UI with these fields:

| Field | Description |
| --- | --- |
| Group Name | Unique name for the group (e.g., Missed Assets, CH Assets). |
| Tenant | Specifies the tenant (e.g., default) the group applies to. |
| Description | Optional description of the group's purpose. |
| Scope | Defines the target scope (e.g., Asset or Identity). |
| AND Conditions | Logical conditions (e.g., {country = "CH"}) that an observable must all match. |
| Additional Fields | Custom fields (e.g., contact.email, servicenow.assignment.group) to enrich group data. |

Use the Add Asset Group button to create groups and Reorder to adjust their order. Examples include grouping assets by country (e.g., CH Assets for Swiss assets, DE Assets for German assets, AT Assets for Austrian assets) or by status (e.g., Missed Assets for untracked assets), with additional fields such as contact.email for context (see Working with Events for usage).

Refinements

Refine and enrich observables by defining rules that apply changes to observables matching given criteria, accessible via the Refinements tab in the Observables menu. Use "Asset Refinement Rules" or "Identity Refinement Rules" to customize observable data. Changes are persisted to the observable as a data source, so deleting a rule does not revert changes it has already applied. Rules are evaluated by highest confidence first, then alphabetically by name.

Configuring Refinement Rules

Configure refinement rules in the UI with these fields:

| Field | Description |
| --- | --- |
| Refinement Rule Name | Unique name for the rule (e.g., Fix platform_type). |
| Tenant | Specifies the tenant (e.g., default) the rule applies to. |
| Description | Optional description of the rule's purpose. |
| Scope | Defines the target scope (e.g., Asset or Identity). |
| Confidence | Numerical value (e.g., 10) indicating rule priority (higher is evaluated first). |
| Condition | Logical condition (e.g., {os = "Windows"}) to match observables. |
| Field Set | Values to set (e.g., os.group = Windows) when the condition matches. |

Use the Add Asset Refinement Rule or Add Identity Refinement Rule buttons to create rules, and the Recalculate button to reapply rules. Examples include setting os.group to Windows, MAC OSX, or Linux based on os conditions (see Working with Events for usage).

Configuration

Set Observables settings for the default tenant or specific tenants (if multi-tenancy is enabled):

  • Days Before Observable Ages Out: Number of days an observable is kept after its last sighting (90 days); being seen again resets the countdown.
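The grouping, refinement and age-out behaviour described in the sections above, modelled in Python as an added illustration (this is not AME's own code, which runs inside Splunk): the first matching group in listed order wins so each asset lands in one group, refinement rules are evaluated by highest confidence and then by name, and an observable ages out 90 days after its last sighting. The condition-less "Missed Assets" catch-all group, the sample assets, and the rule that the first rule to set a field keeps it are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample assets (not data from the page); field names follow the
# page's examples: uid, last_seen, country, os.
ASSETS = [
    {"uid": "srv-1", "country": "CH", "os": "Windows", "last_seen": "2025-02-23 01:43:05"},
    {"uid": "srv-2", "country": "DE", "os": "Linux", "last_seen": "2024-11-01 09:00:00"},
    {"uid": "lap-7", "country": "CH", "os": "Mac", "last_seen": "2025-02-20 12:00:00"},
]

# Asset groups in Groups-tab order; every condition must hold (AND conditions).
# The condition-less "Missed Assets" catch-all is an assumption for this example.
GROUPS = [
    {"name": "CH Assets", "conditions": {"country": "CH"}, "fields": {"contact.email": "it-ch@example.invalid"}},
    {"name": "Missed Assets", "conditions": {}, "fields": {}},
]

# Refinement rules, deliberately unsorted: evaluation order is derived from confidence and name.
RULES = [
    {"name": "Windows fallback", "confidence": 5, "condition": {"os": "Windows"}, "set": {"os.group": "Win (legacy)"}},
    {"name": "Linux", "confidence": 10, "condition": {"os": "Linux"}, "set": {"os.group": "Linux"}},
    {"name": "Fix platform_type", "confidence": 10, "condition": {"os": "Windows"}, "set": {"os.group": "Windows"}},
]

def matches(obs, conditions):
    """True when every condition field equals the observable's value (AND)."""
    return all(obs.get(k) == v for k, v in conditions.items())

def assign_group(obs, groups):
    """First matching group in listed order wins, so each asset lands in exactly one group."""
    for g in groups:
        if matches(obs, g["conditions"]):
            return g["name"], dict(g["fields"])
    return None, {}

def apply_refinements(obs, rules):
    """Evaluate by highest confidence, then alphabetically by name. Assumption: the
    first rule to set a field keeps it, so a lower-confidence rule cannot overwrite."""
    ordered = sorted(rules, key=lambda r: (-r["confidence"], r["name"]))
    out = {}
    for r in ordered:
        if matches(obs, r["condition"]):
            for field, value in r["set"].items():
                out.setdefault(field, value)
    return out

def aged_out_uids(assets, now_str, days=90):
    """UIDs not seen for more than `days` (page default 90); a new sighting resets the clock."""
    fmt = "%Y-%m-%d %H:%M:%S"
    now = datetime.strptime(now_str, fmt)
    return [a["uid"] for a in assets if now - datetime.strptime(a["last_seen"], fmt) > timedelta(days=days)]
```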

How to Add Data to Observables Using a Splunk Alert Action

Observables in Alert Manager Enterprise (AME) allow you to collect and manage identity and asset data through Splunk Alert Actions, enriching your security and IT operations with contextual information. Here’s a step-by-step guide to adding data to Observables using a Splunk search and alert action, based on asset data from a CMDB source.

1. Create a Splunk Search to Generate Observable Data

Start by crafting a Splunk search that retrieves asset data from your CMDB source, focusing on fields relevant to assets or identities for ingestion into AME Observables. Below is an example search:

index=assetdata sourcetype=cmdb
| eval uid=coalesce(hostname, fqdn, ip)
| table hostname ip fqdn uid

This search retrieves asset records from the CMDB source, derives a uid for each asset (hostname, falling back to fqdn and then ip) and tabulates the fields to ingest; other observable fields such as criticality or name can be included in the same way. The ame_alert_action macro, not shown in the search above, then sends the data to AME's Observables collection for the default tenant. Configure the Alert Action in Splunk to store observables in the KV Store, enriching them with groups or refinements (see Alert Action).

Observables Table

View and manage observables in the table under the Overview or Groups tab, displaying key fields for analysis, split into fixed meta fields and customizable data fields. Click the icon (e.g., checkbox) on the right side of each row to open detailed information about an observable.

Meta Fields

These are inherent, non-configurable fields provided by AME:

| Field | Description |
| --- | --- |
| Meta Fields | Additional metadata (e.g., UID, First Seen, Last Seen, Criticality, observable-group, Risk). |
| UID | Unique identifier for each observable. |
| First Seen | Timestamp of the observable's initial detection. |
| Last Seen | Timestamp of the observable's most recent sighting. |
| Criticality | Severity level (e.g., low, high) of the observable. |
| observable-group | Group category (e.g., Missed Assets) used for aggregation. |
| Risk | Risk score or level associated with the observable. |

Data Fields

These are customer-configurable fields, tailored to specific use cases:

| Field | Description |
| --- | --- |
| IP | IP address linked to the observable. |
| Name | Name of the observable (e.g., device or user name). |
| FQDN | Fully qualified domain name associated with the observable. |

Use the Observable Type Filter, Add filter, and Find Observables options to refine the table, and use the Add chart and Hide Charts buttons to add or hide charts that visualize the data.

Observable Details

Click the icon (e.g., checkbox) on the right side of an observable row in the table to view detailed information in a panel. This includes:

  • Observable Details: Displays core metadata—UID, First Seen, Last Seen, Criticality, and Risk (e.g., server-1@demo.com, 2025-02-19 06:37:04, 2025-02-23 01:43:05, low, 2000).
  • Risk Change: Shows a chart tracking risk score changes over time, indicating risk trends.
  • Event Participation: Displays a chart of event involvement over time, highlighting observable activity in events.
  • Risk Details: A table listing risk occurrences, including Occurrence, Matched Value, Risk Change, and Related Search (e.g., IP 196.202.66.56 with Risk Change of 100 linked to Alert Generator).
  • Events Details: A table summarizing event interactions, including First Occurrence, Last Occurrence, Total Occurrences, Risk Change, Event Risk, Event Title, and Event Status (e.g., vulnerability events with CVE-2023-21674).

Use these details to investigate observable context, enrich events, or refine rules (see Working with Events).