
Overview

The Observables feature in Alert Manager Enterprise (AME) collects, manages, and enriches identity and asset data through Splunk Alert Actions. The data is stored in tenant-specific KV Store collections and is used to enrich AME events and Splunk search results.

info

An AME subscription is required to manage more than 100 assets and 100 identities. The free version supports up to 100 of each.

What Are Observables?

Observables allow AME to gather and organize critical data—like user identities (e.g., usernames, roles) and asset details (e.g., device IPs, hostnames)—through a Splunk Alert Action. This data is stored in KV Store collections, separated by tenant, and can be used to add context to security and IT operations, making investigations and event management more effective.

Key Capabilities

  • Data Collection: A scheduled Splunk search combined with a configurable Alert Action imports and updates your asset and identity data into AME on a recurring basis.
  • Tenant-Specific Storage: Stores data in KV Store collections that are isolated per tenant.
  • Event Enrichment: Adds context to AME events, such as user roles or asset ownership.
  • Search Enhancement: Integrates with Splunk lookups so observable data can be joined to event data in your own searches.
  • Customizable Fields: Observables support custom fields, so you can bring in whatever observable metadata is relevant to your environment.

Common Use Cases

  • Event Investigation: Enrich AME events with details like "Who owns this device?" or "What's this user's role?"
  • Event Enrichment: Enhance event handling with added details, such as asset criticality or user department.
  • Search Optimization: Improve Splunk search precision by linking observable data to lookup tables.
  • Contextual Management: Bring in data from your CMDB or asset management system that is relevant to your environment, such as upcoming changes or outage windows, and correlate it against your events for automatic handling or closure.
  • Observable History: Track the presence of an observable across multiple events, allowing analysts to conduct better investigations and root cause analysis.

Getting Started with Observables

Set up Observables by creating a Splunk search and Alert Action to ingest data, then refine, group, and manage it in AME. Follow these guides:

  1. Ingestion - Create a Splunk search to collect observable data and configure the Ingest Observables Alert Action
  2. Usage - Explore how to view and use observables within AME
  3. Refinements - Transform and contextualize your observables post-ingestion with refinement rules
  4. Observable Groups - Organize observables into groups based on common attributes
  5. Reporting Groups - Group observable groups for reporting purposes
  6. Configuring Observables - Configure settings, explore observables, and use lookups
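As an added example (not from the AME documentation or product code), here are the two ends of the workflow described above in SPL. The first search is the kind of scheduled search you would attach the Ingest Observables Alert Action to (step 1): it reads asset records from a CMDB export, normalizes the join keys, drops rows without a usable hostname or IPv4 address, fills a missing criticality, and deduplicates before handing the rows to the alert action. The second search uses the resulting lookup to enrich firewall events (step 6 and the Search Enhancement capability). The lookup file `cmdb_assets.csv`, the lookup name `ame_assets_lookup`, the index `firewall`, and every field name are assumptions made for this example; check the Ingestion guide for the fields the alert action actually expects, and Configuring Observables for how the lookup is defined.

```spl
| inputlookup cmdb_assets.csv
| eval hostname=lower(trim(hostname)), ip=trim(ip)
| where hostname!="" OR match(ip, "^\d{1,3}(\.\d{1,3}){3}$")
| eval criticality=coalesce(criticality, "unknown")
| dedup hostname ip
| table hostname ip owner department criticality

index=firewall action=blocked earliest=-24h
| lookup ame_assets_lookup hostname AS dest_host OUTPUT owner criticality department
| where criticality="high"
| stats count BY dest_host owner department
```

Normalizing the key fields (lowercasing hostnames, trimming whitespace) in the ingestion search matters because the lookup join is an exact match: an asset stored as `Web01 ` will never enrich an event whose `dest_host` is `web01`. Dropping rows with neither a hostname nor a valid IP keeps the KV Store collection from filling with records that can never be matched, which also helps stay within the 100-asset limit of the free version.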

Next Steps

  • Configure templates to map asset and identity information to alert results (see Templates)
  • Use Observables to manage Risks (see Risk Scoring)