Version: Next

Refinements

Use the Refinements tab in AME's Observables menu to adjust ingested data with refinement rules. Refinement rules let you transform your data post-ingestion through an easy-to-use visual interface.

Example Use-Case

Set a normalized platform for your operating systems. Your analysts want to know whether a computing resource runs some version of Windows or some flavour of Unix (AIX, HP-UX, OpenBSD and so on). For your purposes you want to categorise every host into one of two values: Windows or Unix.

note

The refinement functionality is intended to transform and contextualize your observables post-collection. For pre-ingestion normalization, refer to the Ingestion section, where you can use the Splunk command palette, including eval, to transform your data before it is stored.

How to Add a Refinement Rule

  1. Go to Observables > Refinements.
  2. Click Add Asset Refinement Rule or Add Identity Refinement Rule.
  3. Fill in the rule fields:

| Field | Description | Example |
|---|---|---|
| Name | Unique rule name. | Standardize OS |
| Tenant | Target tenant. | default |
| Description | Optional purpose note. | Set OS Version |
| Scope | Asset or Identity. | Asset |
| Confidence | Priority (higher evaluated first). | 95 |
| Condition | Logical filter (e.g., os matches known Windows versions). | {{os = "Windows NT 10.0" OR os = "Windows NT 10 Build 22621"}} |
| Field Set | New field value to apply. | os = Windows 11 |

Example

Standardize OS values for assets whose os is Windows NT 10.0 or Windows NT 10 Build 22621 to Windows 11.

  • Input values:

| uid | host | os | ip | confidence | source | origin_type |
|---|---|---|---|---|---|---|
| host1 | host1 | Windows NT 10 Build 22621 | 192.168.1.20 | 85 | OS Scanner | search |
| host2 | host2 | Windows NT 10.0 | 192.168.1.21 | 60 | Legacy System | search |

  • Refined results for hosts:

| uid | host | os | ip | source | origin_type |
|---|---|---|---|---|---|
| host1 | host1 | Windows 11 | 192.168.1.20 | Standardize OS | refinement |
| host2 | host2 | Windows 11 | 192.168.1.21 | Standardize OS | refinement |

Note that a refined row records the rule name as its source and refinement as its origin_type; the ingested source (OS Scanner, Legacy System) is no longer visible in the refined row, so keep the ingested records if you need that provenance for an investigation.
  4. Click Recalculate to apply the rules to the ingested data immediately.
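The following is an added example, not AME's own code, that models the rule semantics described in the use case and the steps above: rules of one scope are evaluated highest confidence first, a matching rule applies its field set, and the refined row gets the rule name as source and refinement as origin_type. Everything beyond that is an assumption made for the example: the condition grammar is a flat list of `field = "value"` clauses joined by OR, conditions are evaluated against the ingested values, a field already set by a higher-confidence rule is not overwritten by a lower one, and the record's own confidence is left unchanged. The hosts host3 and host4, the Unix and platform rules, and the `parse_condition`/`refine` helpers are constructed for the example.

```python
"""Model of AME-style refinement rules (added example, not AME's own code).

Assumed semantics, since the page gives only the field list and one worked row:
- a condition is a flat list of  field = "value"  clauses joined by OR;
- rules of one scope run in descending confidence order, and a field set by a
  higher-confidence rule is never overwritten by a lower one;
- conditions are evaluated against the ingested values, not the refined ones;
- `source` becomes the name of the first rule that changed the record and
  `origin_type` becomes "refinement"; the record's confidence is left as-is.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RefinementRule:
    name: str          # unique rule name
    scope: str         # "Asset" or "Identity"
    confidence: int    # priority: higher is evaluated first
    condition: str     # e.g. 'os = "Windows NT 10.0" OR os = "Windows NT 10 Build 22621"'
    field_set: dict    # fields to apply, e.g. {"os": "Windows 11"}


_CLAUSE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_condition(condition: str) -> list[tuple[str, str]]:
    """Split an OR-joined condition into (field, value) pairs.

    Anything outside the assumed grammar (AND, wildcards, unquoted values)
    raises ValueError so a malformed rule is rejected up front instead of
    silently matching nothing. Values containing " OR " are not supported.
    """
    clauses = []
    for part in re.split(r"\s+OR\s+", condition.strip()):
        m = _CLAUSE.match(part.strip())
        if m is None:
            raise ValueError(f"unsupported condition clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def matches(clauses: list[tuple[str, str]], record: dict) -> bool:
    """True if any clause's value equals the record's value for that field."""
    return any(record.get(f) == v for f, v in clauses)


def refine(records: list[dict], rules: list[RefinementRule], scope: str = "Asset") -> list[dict]:
    """Apply every rule of one scope to each record; returns new dicts."""
    ordered = sorted((r for r in rules if r.scope == scope),
                     key=lambda r: r.confidence, reverse=True)
    if len({r.name for r in ordered}) != len(ordered):
        raise ValueError("rule names must be unique")
    compiled = [(r, parse_condition(r.condition)) for r in ordered]  # validate all rules first
    out = []
    for rec in records:
        refined = dict(rec)
        touched: set[str] = set()   # fields already set by a higher-confidence rule
        first_hit = None
        for rule, clauses in compiled:
            if not matches(clauses, rec):   # evaluate against ingested values
                continue
            if first_hit is None:
                first_hit = rule.name
            for f, v in rule.field_set.items():
                if f not in touched:
                    refined[f] = v
                    touched.add(f)
        if first_hit is not None:
            refined["source"] = first_hit
            refined["origin_type"] = "refinement"
        out.append(refined)
    return out


# Constructed sample input: the two rows from the page plus two extra hosts.
SAMPLE_ASSETS = [
    {"uid": "host1", "host": "host1", "os": "Windows NT 10 Build 22621",
     "ip": "192.168.1.20", "confidence": 85, "source": "OS Scanner", "origin_type": "search"},
    {"uid": "host2", "host": "host2", "os": "Windows NT 10.0",
     "ip": "192.168.1.21", "confidence": 60, "source": "Legacy System", "origin_type": "search"},
    {"uid": "host3", "host": "host3", "os": "AIX 7.2",
     "ip": "192.168.1.22", "confidence": 70, "source": "OS Scanner", "origin_type": "search"},
    {"uid": "host4", "host": "host4", "os": "Unknown",
     "ip": "192.168.1.23", "confidence": 10, "source": "OS Scanner", "origin_type": "search"},
]

WINDOWS_NT10 = 'os = "Windows NT 10.0" OR os = "Windows NT 10 Build 22621"'
SAMPLE_RULES = [
    RefinementRule("Standardize OS", "Asset", 95, WINDOWS_NT10, {"os": "Windows 11"}),
    RefinementRule("Platform Windows", "Asset", 80, WINDOWS_NT10, {"platform": "Windows"}),
    RefinementRule("Platform Unix", "Asset", 80, 'os = "AIX 7.2" OR os = "OpenBSD 7.4"', {"platform": "Unix"}),
    # Lower confidence than "Standardize OS": its os value must lose for host2.
    RefinementRule("Legacy OS Label", "Asset", 40, 'os = "Windows NT 10.0"', {"os": "Windows 10"}),
    # Identity-scoped rule: ignored when refining assets.
    RefinementRule("Flag Admins", "Identity", 90, 'user = "root"', {"priv": "admin"}),
]

if __name__ == "__main__":
    for row in refine(SAMPLE_ASSETS, SAMPLE_RULES):
        print(row["uid"], row["os"], row.get("platform", "-"), row["source"], row["origin_type"])
```

Running the block prints host1 and host2 normalized to Windows 11 with platform Windows, host3 kept as AIX 7.2 but tagged platform Unix, and host4 untouched with its ingested source and origin_type. The Legacy OS Label rule matches host2 but cannot overwrite os, which shows why the Confidence field matters when two rules set the same field.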

Next Steps