Roles

This page lists the roles in Alert Manager Enterprise (AME) and the capabilities each role has. The tables below group the capabilities by area.

Application

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| AME configuration (license, logging, proxy) | ✅ | ❌ | ❌ | ❌ | 
| AME setup | ✅ | ❌ | ❌ | ❌ | 
| AME update tasks | ✅ | ✅ | ❌ | ❌ | 
| App installation | ✅ | ❌ | ❌ | ❌ | 
| App update | ✅ | ❌ | ❌ | ❌ |

Events

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Add and view comments to existing events | ✅ | ✅ | ✅ | ✅ | 
| Assign a user to an event | ✅ | ✅ | ✅ | ❌ | 
| Delete events | ✅ | ✅ | ❌ | ❌ | 
| Edit multiple events at the same time | ✅ | ✅ | ✅ | ❌ | 
| Filter events by tag | ✅ | ✅ | ✅ | ✅ | 
| Filter events by time range | ✅ | ✅ | ✅ | ✅ | 
| Invoke Splunk Workflow Actions | ✅ | ✅ | ✅ | ✅ | 
| Modify events | ✅ | ✅ | ✅ | ❌ | 
| Search events by priority | ✅ | ✅ | ✅ | ✅ | 
| Start the search that created the event | ✅ | ✅ | ✅ | ❌ | 
| Tag an event with MITRE ATT&CK or Cyber Kill Chain | ✅ | ✅ | ✅ | ❌ | 
| Update the notification scheme | ✅ | ✅ | ✅ | ❌ | 
| Update the status of an event | ✅ | ✅ | ✅ | ❌ | 
| Update the urgency of an event | ✅ | ✅ | ✅ | ❌ | 
| View events | ✅ | ✅ | ✅ | ✅ | 
| View the count, history, and result fields | ✅ | ✅ | ✅ | ✅ |

Templates

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Apply template on alert action | ✅ | ✅ | ✅ | ✅ | 
| Create template | ✅ | ✅ | ✅ | ❌ | 
| Delete template | ✅ | ✅ | ✅ | ❌ | 
| Update template | ✅ | ✅ | ✅ | ❌ |

Rules

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Delete status | ✅ | ✅ | ✅ | ❌ | 
| Set conditions for automatic event resolution | ✅ | ✅ | ✅ | ❌ | 
| Set rules to suppress event alerts | ✅ | ✅ | ✅ | ❌ | 
| Set time restrictions for rules | ✅ | ✅ | ✅ | ❌ |

Tags

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Create tags | ✅ | ✅ | ✅ | ❌ | 
| Delete tags | ✅ | ✅ | ✅ | ❌ | 
| Update predefined MITRE ATT&CK© tags | ✅ | ✅ | ✅ | ❌ | 
| Update tags | ✅ | ✅ | ✅ | ❌ |

Tenants

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Configuration templates available | ✅ | ✅ | ❌ | ❌ | 
| Create tenants | ✅ | ✅ | ❌ | ❌ | 
| Delete tenants | ✅ | ✅ | ❌ | ❌ | 
| Initialize tenants with event collection and roles | ✅ | ❌ | ❌ | ❌ | 
| Test HEC Connectivity | ✅ | ✅ | ❌ | ❌ |

Notifications

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Assign a status to an event that will trigger notifications | ✅ | ✅ | ✅ | ❌ | 
| Configure notifications on status change | ✅ | ✅ | ❌ | ❌ | 
| Update and delete a notification scheme | ✅ | ✅ | ❌ | ❌ |

Statuses

| Capability | Splunk Admin Role | AME Admin Role | AME Power User | AME User |
|---|---|---|---|---|
| Create statuses | ✅ | ✅ | ❌ | ❌ | 
| Delete statuses | ✅ | ✅ | ❌ | ❌ | 
| Set description for statuses | ✅ | ✅ | ❌ | ❌ | 
| Update statuses |