<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type="text/xsl" href="atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <id>https://alertmanager.app/blog</id>
    <title>Alert Manager Enterprise Blog</title>
    <updated>2026-03-24T00:00:00.000Z</updated>
    <generator>https://github.com/jpmonette/feed</generator>
    <link rel="alternate" href="https://alertmanager.app/blog"/>
    <subtitle>Alert Manager Enterprise Blog</subtitle>
    <icon>https://alertmanager.app/img/ame/favicon.png</icon>
    <entry>
        <title type="html"><![CDATA[Alert Manager Enterprise for Electric Utilities: Simplifying NERC CIP Compliance Inside Splunk]]></title>
        <id>https://alertmanager.app/blog/ame-for-electric-utilities</id>
        <link href="https://alertmanager.app/blog/ame-for-electric-utilities"/>
        <updated>2026-03-24T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[This article explains how Alert Manager Enterprise (AME) helps grid operators meet NERC CIP requirements without leaving their secure Splunk environment.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="AME for Electric Utilities" src="https://alertmanager.app/assets/images/ame-for-electric-utilities-68118b8b5e105bef4c7731b52c34700b.png" width="1264" height="816" class="img__Ss2"></p>
<p>Electric utilities face some of the world's strictest cybersecurity mandates. <a href="https://www.nerc.com/standards/reliability-standards/cip" target="_blank" rel="noopener noreferrer" class="">NERC CIP standards</a> require continuous monitoring, rigorous access controls, fully auditable incident handling, and strict separation of critical assets - all without ever moving sensitive data outside your secure perimeter.</p>
<p>Alert Manager Enterprise (AME) helps grid operators meet these requirements with a structured, auditable alert lifecycle that stays entirely inside their existing Splunk environment.</p>
<p>If you already use Splunk for visibility and alerting, AME turns your current Splunk alerts into compliant workflows - without external tools, data egress, or heavy custom development.</p>
<p>No new consoles. No compliance gaps. Just reliable event management that supports grid protection and simplifies audits.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="the-reality-for-utility-soc-and-operations-teams">The Reality for Utility SOC and Operations Teams<a href="https://alertmanager.app/blog/ame-for-electric-utilities#the-reality-for-utility-soc-and-operations-teams" class="hash-link" aria-label="Direct link to The Reality for Utility SOC and Operations Teams" title="Direct link to The Reality for Utility SOC and Operations Teams" translate="no">​</a></h2>
<p>Splunk is already used in many utility environments for visibility and alerting. Yet turning raw alerts into compliant, team-ready event workflows remains challenging:</p>
<ul>
<li class="">Teams must see only the events and assets relevant to their role</li>
<li class="">NERC vs. non-NERC assets and data needs clear separation</li>
<li class="">Triage, assignment, annotation, and status tracking must happen inside the secure NERC perimeter</li>
<li class="">Full change history and exportable records are essential for audits</li>
<li class="">Manual tracking of alert ownership, comments, and status changes often leads to incomplete audit evidence and findings during NERC audits</li>
</ul>
<p>External incident management tools introduce compliance friction (data egress, scope expansion). Heavy custom development inside Splunk often becomes fragile over time.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="alert-manager-enterprise---built-for-electric-utilities">Alert Manager Enterprise - Built for Electric Utilities<a href="https://alertmanager.app/blog/ame-for-electric-utilities#alert-manager-enterprise---built-for-electric-utilities" class="hash-link" aria-label="Direct link to Alert Manager Enterprise - Built for Electric Utilities" title="Direct link to Alert Manager Enterprise - Built for Electric Utilities" translate="no">​</a></h2>
<p>Our AME App is a native Splunk application that helps regulated grid operators manage alerts and events effectively. It integrates directly into Splunk Enterprise and Splunk Cloud. This means that your alerts and events stay in Splunk, and management happens within the same environment.</p>
<p>AME elevates standard Splunk alerts into a structured, auditable lifecycle that supports NERC CIP requirements while reducing manual effort for operations, security, and compliance teams. For a deeper look at day-to-day event handling, see the documentation on <a class="" href="https://alertmanager.app/docs/ame-event-summary-working-with-events">working with events</a>.</p>
<p>A key strength for utilities is the <a class="" href="https://alertmanager.app/docs/ame-observables-usage">Observables</a> framework, which lets you manage assets and identities by tenant. Observables are used to enrich events with asset and identity information (e.g. asset owner, criticality, location and so on). This provides deeper asset context per team or asset group, strengthens correlation for investigations, and aligns perfectly with CIP-002 asset categorization and CIP-007 monitoring needs - all while maintaining strict multitenancy isolation.</p>
<figure style="margin:1.75rem auto 2rem;text-align:center"><img src="https://alertmanager.app/img/blog/ame-for-electric-utilities-observables.png" alt="Observables" width="700" style="display:block;margin:0 auto"><figcaption style="margin-top:0.75rem;font-size:0.95rem;color:var(--ifm-color-emphasis-700)"><p>AME Observables enrich events with asset and identity context while preserving tenant isolation.</p></figcaption></figure>
<p>Key alignments utilities rely on:</p>
<table><thead><tr><th>NERC CIP Standard</th><th>Focus Area</th><th>Core Obligation</th><th>How AME Delivers</th><th>Everyday Value for Utility Teams</th></tr></thead><tbody><tr><td><strong>CIP-005-7</strong></td><td>Electronic Security Perimeter</td><td>Strict electronic security perimeters and controlled access to BES Cyber Systems</td><td><a class="" href="https://alertmanager.app/docs/ame-tenants">Multitenancy</a> + granular RBAC on events</td><td>Teams view only their assigned assets; oversight roles maintain full visibility without violating rules</td></tr><tr><td><strong>CIP-007-6</strong></td><td>Systems Security Management</td><td>Systems security management, access control, and need-to-know principles</td><td><a class="" href="https://alertmanager.app/docs/ame-tenants">Multitenancy</a> + granular RBAC on events</td><td>Teams view only their assigned assets; oversight roles maintain full visibility without violating rules</td></tr><tr><td><strong>CIP-002-5.1a</strong></td><td>Asset Categorization</td><td>Identification and categorization of BES Cyber Systems</td><td>Dedicated dashboards with simple BES Cyber System / non-BES toggles (High/Medium/Low impact)</td><td>Clean, focused views for grid operations; no endless searching</td></tr><tr><td><strong>CIP-007-6</strong></td><td>Event Monitoring &amp; Detection</td><td>Continuous monitoring, logging, and detection of events on BES Cyber Systems</td><td>Live dashboards, automatic deduplication, Security Pack (MITRE ATT&amp;CK mapping, risk scoring)</td><td>Prioritized, lower-noise alerts; quicker anomaly response</td></tr><tr><td><strong>CIP-015-1</strong></td><td>Internal Network Security Monitoring (INSM)</td><td>Security event logging, analysis, and detection of anomalous activity inside Electronic Security Perimeters</td><td>Live dashboards, automatic deduplication, Security Pack (MITRE ATT&amp;CK mapping, risk scoring)</td><td>Prioritized, lower-noise alerts; quicker anomaly response and improved dwell-time detection</td></tr><tr><td><strong>CIP-008-6</strong></td><td>Incident Reporting &amp; Response</td><td>Review, triage, document, and track Cyber Security Incidents</td><td>Native Splunk lifecycle: assign, comment, tag, update status, link observables</td><td>Full triage and annotation stays inside the compliant Splunk instance</td></tr><tr><td><strong>CIP-008-6</strong></td><td>Response &amp; Audit Evidence</td><td>Timely notifications, traceable actions, and evidence for reporting</td><td>SLA timers, multi-channel notifications, complete per-event history</td><td>Defensible, export-ready audit trails with one-click evidence packages — dramatically reducing audit preparation time</td></tr><tr><td><strong>CIP-003-9</strong></td><td>Vendor Remote Access Oversight</td><td>Oversight of vendor electronic remote access, including detection of malicious communications</td><td>Scoped views and alerts for vendor-related activity</td><td>Early awareness of vendor access/activity without introducing new tools or expanding attack surface</td></tr></tbody></table>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="sla-management--enterprise-ticketing-integration">SLA Management &amp; Enterprise Ticketing Integration<a href="https://alertmanager.app/blog/ame-for-electric-utilities#sla-management--enterprise-ticketing-integration" class="hash-link" aria-label="Direct link to SLA Management &amp; Enterprise Ticketing Integration" title="Direct link to SLA Management &amp; Enterprise Ticketing Integration" translate="no">​</a></h2>
<p>AME includes built-in <a class="" href="https://alertmanager.app/docs/ame-event-summary-working-with-events#managing-slas">SLA timers</a> with visual countdowns, escalation rules, and automated notifications - giving operations and compliance teams clear visibility into response deadlines. This directly supports timely incident handling under NERC CIP-008 while reducing the risk of missed SLAs during audits.</p>
<figure style="margin:1.75rem auto 2rem;text-align:center"><img src="https://alertmanager.app/img/blog/ame-for-electric-utilities-slas.png" alt="SLAs" width="700" style="display:block;margin:0 auto"><figcaption style="margin-top:0.75rem;font-size:0.95rem;color:var(--ifm-color-emphasis-700)"><p>Built-in SLA timers make response deadlines visible and easier to defend during audits.</p></figcaption></figure>
<p>For utilities that still need to create tickets in Jira or ServiceNow, AME offers native <a class="" href="https://alertmanager.app/docs/ame-event-summary-working-with-events#start-ticketing-integration">ticketing integration</a>. Events can be pushed to the ticketing platform with full context and observables, while status updates (e.g. “Resolved”, “Closed”) are automatically synced back into Splunk - keeping the authoritative audit trail inside your secure Splunk environment.</p>
<p>This hybrid approach gives you the best of both worlds: compliant, auditable workflow management in Splunk + seamless process alignment with the rest of the enterprise.</p>
<p>AME works by adding an alert action to your existing Splunk searches: when a search's alert fires, the action turns the result into an event that is managed in the Splunk UI. <a class="" href="https://alertmanager.app/docs/ame-event-automation">Notifications and event automation</a> can integrate externally when needed, but core event data and management remain in Splunk. Because it builds on your current Splunk alerts, searches, and retention settings, compliance shifts from a separate task to an integrated part of daily grid protection work.</p>
<p>If your utility manages segmented teams, needs traceable alert workflows, or is preparing for evolving CIP requirements, AME offers a practical, low-friction path forward.</p>
<p><strong>Ready to see it in action?</strong></p>
<ul>
<li class=""><a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Download the free Community Edition directly from Splunkbase</a></li>
<li class=""><a href="https://datapunctum.atlassian.net/servicedesk/customer/portal/3/group/4/create/34" target="_blank" rel="noopener noreferrer" class="">Request a <strong>30-day Enterprise trial license</strong> tailored for utilities</a></li>
<li class=""><a href="https://datapunctum.atlassian.net/servicedesk/customer/portal/3/group/12/create/63" target="_blank" rel="noopener noreferrer" class="">Book a <strong>focused demo</strong> with our specialists</a></li>
</ul>
<p><strong>Alert Manager Enterprise</strong> - Event management that keeps your grid reliable, your team efficient, and your auditors happy.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="splunk" term="splunk"/>
        <category label="use-cases" term="use-cases"/>
        <category label="articles" term="articles"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.8]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-8-0-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-8-0-released"/>
        <updated>2026-03-18T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[AME 3.8.0 brings custom email subjects, template-powered manual events, Microsoft Defender vuln ingestion, path-based reverse proxy support, expanded vuln KPIs — and important fixes.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.8.0" src="https://alertmanager.app/assets/images/ame-3-9-a9c73f86487b2c13dde8e7e633a49b65.png" width="952" height="823" class="img__Ss2"></p>
<p>This release brings targeted improvements: quicker manual workflows, more customizable notifications, expanded vulnerability data sources (including native Microsoft Defender support), more flexible deployment, and stronger remediation tracking within Vulnerability Intelligence.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="whats-new-in-380">What's New in 3.8.0<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-8-0-released#whats-new-in-380" class="hash-link" aria-label="Direct link to What's New in 3.8.0" title="Direct link to What's New in 3.8.0" translate="no">​</a></h2>
<ul>
<li class="">
<p><strong>Custom email subject templating</strong><br>
<!-- -->Override default email subjects using full AME templating support. Craft precise, context-rich subjects that improve open rates and clarity for recipients.</p>
</li>
<li class="">
<p><strong>Template selection for manual event creation</strong><br>
<!-- -->When creating events manually, select any template to automatically apply field population, observable extraction, and other template logic - dramatically reducing manual effort and ensuring consistency with automated detections.</p>
</li>
<li class="">
<p><strong>Microsoft Defender vulnerability ingestion</strong><br>
<!-- -->Native support for pulling vulnerability data from <strong>Microsoft Defender</strong> — expand your consolidated security view inside Splunk without extra connectors.</p>
</li>
<li class="">
<p><strong>Path-based reverse proxy compatibility</strong><br>
<!-- -->AME now works seamlessly when served under a sub-path (e.g., <code>https://your-splunk-domain/ame/</code>) for environments with reverse proxies, ingress controllers, or shared gateways.</p>
</li>
<li class="">
<p><strong>Expanded vulnerability reporting KPIs</strong><br>
<!-- -->New indicators to track remediation performance more precisely:</p>
<ul>
<li class="">Percentage of open Notable Realizations</li>
<li class="">Number of realizations tied to an event</li>
<li class="">Median time to close notable realizations</li>
<li class="">Percentage closed within a configurable day range</li>
<li class="">Percentage closed after a configurable threshold</li>
</ul>
</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="upgrade-guidance">Upgrade Guidance<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-8-0-released#upgrade-guidance" class="hash-link" aria-label="Direct link to Upgrade Guidance" title="Direct link to Upgrade Guidance" translate="no">​</a></h2>
<p>Before upgrading, <strong>always</strong> review the <a href="https://alertmanager.app/docs/ame-before-upgrading" target="_blank" rel="noopener noreferrer" class="">Before You Upgrade guide</a> to prevent issues.</p>
<p>Full details:</p>
<ul>
<li class=""><a href="https://alertmanager.app/docs/ame-whats-new" target="_blank" rel="noopener noreferrer" class="">What's New in 3.8</a></li>
<li class=""><a href="https://alertmanager.app/docs/ame-release-notes" target="_blank" rel="noopener noreferrer" class="">Release Notes</a></li>
</ul>
<p>Download AME 3.8.0 today from <a href="https://splunkbase.splunk.com/app/6730/" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a>.</p>
<p>Questions or feedback? Reach out via Splunk Answers, the Splunk Usergroup Slack, or contact Datapunctum directly.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="splunk" term="splunk"/>
        <category label="release" term="release"/>
        <category label="updates" term="updates"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[Use Case: Data Ingestion Monitoring with AME]]></title>
        <id>https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise</id>
        <link href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise"/>
        <updated>2026-02-19T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Data ingestion failures often go unnoticed until it's too late. In this post, we share how a simple detection layer + Alert Manager Enterprise monitors ingestion health.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Data Ingestion Monitoring with Alert Manager Enterprise" src="https://alertmanager.app/assets/images/data-ingestion-e359156a17058b0afa590461cbfc9426.jpg" width="1104" height="928" class="img__Ss2"></p>
<p>Data ingestion failures often go unnoticed until it's too late. In this post, we share how a simple detection layer + Alert Manager Enterprise monitors ingestion health.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="introduction">Introduction<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#introduction" class="hash-link" aria-label="Direct link to Introduction" title="Direct link to Introduction" translate="no">​</a></h2>
<p>As a former consultant at heart working with Splunk environments, I have seen that data ingestion monitoring is becoming more and more important.</p>
<p>Customers build detections, dashboards, and reports on the assumption that data will keep arriving once the forwarders and inputs are in place. After that, nobody thinks about the fact that ingestion can quietly degrade: silent dropouts, rising latency, unexpected volume changes, or a feed going completely dark.</p>
<p>Sometimes it can take hours, days, or longer before anyone notices. By then the impact is already downstream: stale dashboards, missed detections, audit findings, or worse.</p>
<p>The root causes fall into the following areas:</p>
<ul>
<li class="">Once the setup is complete, many teams assume the pipeline is self-monitoring</li>
<li class="">Splunk's Monitoring Console offers broad visibility, but rarely the granular, threshold-based per-source checks that catch real problems early</li>
<li class="">Adding more alerts feels risky in heavily loaded environments</li>
<li class="">Responsibility for end-to-end ingestion health is diffuse across ops, security, and analytics teams</li>
</ul>
<p>The result is eroded trust in the entire stack due to data gaps.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="monitoring-data-ingestion">Monitoring Data Ingestion<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#monitoring-data-ingestion" class="hash-link" aria-label="Direct link to Monitoring Data Ingestion" title="Direct link to Monitoring Data Ingestion" translate="no">​</a></h2>
<p>A couple of weeks ago one of the more popular ingestion monitoring apps in the Splunk ecosystem announced it would move away from its free license model entirely. That change leaves many customers in the lurch, since there is rarely budget available on short notice.</p>
<p>That announcement made me think: what does a minimal ingestion monitoring setup actually require, and how much of the incident management and response side can be handled very effectively by Alert Manager Enterprise (AME), even with the free version of our app?</p>
<p>I quickly put together a small proof-of-concept Splunk app called Data Ingestion Monitor (DIM), just to see what the core detection layer would look like.</p>
<p>My requirements for DIM were:</p>
<ul>
<li class="">Define the sources you care about (index + sourcetype, optional host filter)</li>
<li class="">Set basic per-source thresholds: min/max event count per window, min/max volume in MB, max indexing lag, max end-to-end latency</li>
<li class="">A handful of scheduled searches (bundled efficiently) compute the metrics and write current status to the KV Store</li>
<li class="">A straightforward dashboard shows health summary cards, recent issues, and a source table with sparklines</li>
<li class="">Markers for failed checks (Missing Data, Volume issues, Lag too high, Latency too high, etc.)</li>
<li class="">Visualize historic data</li>
</ul>
<p>Nothing fancy. No ML, no external services, just native Splunk pieces.</p>
<p>The app answers the four most important questions:</p>
<ol>
<li class="">Is the source still sending data?</li>
<li class="">Are volumes roughly in the expected range?</li>
<li class="">Is indexing lag acceptable?</li>
<li class="">Is the latest data reasonably fresh?</li>
</ol>
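<p>The four checks above, written out as an added Python reference implementation. This is not the DIM app's own code (DIM runs them as scheduled searches inside Splunk and writes the result to the KV Store); the events, source definitions, thresholds and the status/marker labels are constructed for the example, and only the field names <code>_time</code>, <code>_indextime</code> and <code>_raw</code> follow Splunk's conventions.</p>

```python
"""Per-source ingestion health checks, as an added reference example.

Not the DIM app's code: it reproduces the four questions from the post
(is data arriving, is volume in range, is indexing lag acceptable, is the
newest data fresh) over constructed events so it runs offline. Thresholds,
source names and the marker/status labels are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SourceConfig:
    name: str
    index: str
    sourcetype: str
    host: Optional[str] = None          # optional host filter
    min_events: int = 1
    max_events: Optional[int] = None
    min_mb: float = 0.0
    max_mb: Optional[float] = None
    max_lag_seconds: float = 300.0      # indexing lag: _indextime - _time
    max_latency_seconds: float = 900.0  # freshness: now - newest _time


def matches(event: dict, src: SourceConfig) -> bool:
    if event["index"] != src.index or event["sourcetype"] != src.sourcetype:
        return False
    return src.host is None or event["host"] == src.host


def compute_metrics(events: list, src: SourceConfig, now: float) -> dict:
    """Aggregate one source's events in the window into the tracked metrics."""
    hits = [e for e in events if matches(e, src)]
    if not hits:
        return {"event_count": 0, "volume_mb": 0.0,
                "avg_lag_seconds": None, "latency_seconds": None}
    lags = [e["_indextime"] - e["_time"] for e in hits]
    return {"event_count": len(hits),
            "volume_mb": sum(len(e["_raw"]) for e in hits) / (1024 * 1024),
            "avg_lag_seconds": sum(lags) / len(lags),
            "latency_seconds": now - max(e["_time"] for e in hits)}


def evaluate(metrics: dict, src: SourceConfig) -> dict:
    """Compare metrics with thresholds; one marker per failed check plus a status."""
    markers = []
    if metrics["event_count"] == 0:
        markers.append("Missing Data")
    else:
        if metrics["event_count"] < src.min_events:
            markers.append("Event count too low")
        if src.max_events is not None and metrics["event_count"] > src.max_events:
            markers.append("Event count too high")
        if metrics["volume_mb"] < src.min_mb:
            markers.append("Volume too low")
        if src.max_mb is not None and metrics["volume_mb"] > src.max_mb:
            markers.append("Volume too high")
        if metrics["avg_lag_seconds"] > src.max_lag_seconds:
            markers.append("Lag too high")
        if metrics["latency_seconds"] > src.max_latency_seconds:
            markers.append("Latency too high")
    # Missing or stale data means downstream detections are blind: critical.
    if "Missing Data" in markers or "Latency too high" in markers:
        status = "CRITICAL"
    elif markers:
        status = "WARNING"
    else:
        status = "OK"
    return {"source_name": src.name, "status": status, "markers": markers, **metrics}


def make_event(index, sourcetype, host, t, lag, raw):
    return {"index": index, "sourcetype": sourcetype, "host": host,
            "_time": t, "_indextime": t + lag, "_raw": raw}


NOW = 1_700_000_000.0  # constructed "current time", epoch seconds

# Constructed sample events (not real log data): a healthy web server, a
# Windows host that is quiet and slow to index, and no firewall logs at all.
SAMPLE_EVENTS = [
    make_event("web", "access_combined", "web01", NOW - 60, 5, "GET /index.html 200"),
    make_event("web", "access_combined", "web01", NOW - 120, 4, "GET /login 200"),
    make_event("web", "access_combined", "web02", NOW - 300, 6, "POST /login 302"),
    make_event("os", "WinEventLog", "dc01", NOW - 500, 120, "EventCode=4624 LogonType=3"),
    make_event("os", "WinEventLog", "dc01", NOW - 700, 130, "EventCode=4634"),
    make_event("os", "WinEventLog", "dc01", NOW - 800, 110, "EventCode=4672"),
]
SOURCES = [
    SourceConfig("Webserver", "web", "access_combined", min_events=2,
                 max_lag_seconds=60, max_latency_seconds=600),
    SourceConfig("Windows Events", "os", "WinEventLog", host="dc01", min_events=50,
                 max_lag_seconds=60, max_latency_seconds=900),
    SourceConfig("Firewall", "network", "pan:traffic", min_events=100,
                 max_lag_seconds=60, max_latency_seconds=300),
]


def run_checks(events=SAMPLE_EVENTS, sources=SOURCES, now=NOW) -> dict:
    """Status per source; in DIM this is the record written to the KV Store."""
    return {s.name: evaluate(compute_metrics(events, s, now), s) for s in sources}


if __name__ == "__main__":
    for name, r in run_checks().items():
        print(f"{name:15} {r['status']:9} {', '.join(r['markers']) or '-'}")
```

<p>Two design points carry over to the real thing: a source with zero events in the window is not "low volume" but a separate, critical condition (you cannot compute lag or latency for data you never received), and lag and freshness are different questions, since a source can index quickly yet have stopped sending ten minutes ago.</p>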
<p>With this, I was able to wire it up with Alert Manager Enterprise (AME). AME reads DIM's check results from the lookup (the status the scheduled searches write to the KV Store) and turns them into actionable AME events.</p>
<p><img decoding="async" loading="lazy" alt="Data Ingestion Monitor Dashboard" src="https://alertmanager.app/assets/images/dim-dashboard-823d4022766193de6369c3bfc11f124d.png" width="1554" height="1305" class="img__Ss2">
<em>Data Ingestion Monitor - Proof-of-Concept</em></p>
<p><img decoding="async" loading="lazy" alt="Data Ingestion Monitor Configuration" src="https://alertmanager.app/assets/images/dim-config-b5aa0a6003df348d8636354fec7f6c66.png" width="1572" height="716" class="img__Ss2">
<em>Data Ingestion Monitor - Configuration Page</em></p>
<p><img decoding="async" loading="lazy" alt="DIM AME Integration" src="https://alertmanager.app/assets/images/dim-ame-integration-3998bb29b0bda360f4ccd7989fd109c7.png" width="983" height="1649" class="img__Ss2">
<em>DIM - AME Integration</em></p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="templates--rules">Templates &amp; Rules<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#templates--rules" class="hash-link" aria-label="Direct link to Templates &amp; Rules" title="Direct link to Templates &amp; Rules" translate="no">​</a></h2>
<p>Ingestion alerts are noisy in predictable ways: weekend quiet periods, recurring or planned maintenance windows, nightly batch jobs, or known low-activity sources during off-peak hours. AME's templates and rules (cron-based or condition-based) reduce that noise efficiently.</p>
<p>The following situations can be handled:</p>
<ul>
<li class="">Suppress or auto-close warnings that resolve themselves quickly (e.g. latency spike under 5 minutes)</li>
<li class="">Auto-assign based on source or index ("Windows Events" to ops, "Vulnerability Scan Results" to security, "Webserver" to application team)</li>
<li class="">Cron-based rules for maintenance windows: suppress all ingestion alerts from a specific set of sources (or entire indexes) between 02:00 and 04:00 every Saturday</li>
<li class="">Conditional rules: only suppress if the alert matches a particular host that you know is involved in scheduled maintenance activity</li>
</ul>
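<p>The suppression and routing patterns in this list, as an added Python example of the rule logic. This is not AME's rule engine (its real rule syntax is in the documentation): a rule matches on event fields, optionally only inside a recurring weekday/hour window or only for events that resolved within a given time, and either suppresses, auto-closes or assigns. The event fields, rule names, and the Saturday 02:00 to 04:00 window expressed in UTC are assumptions.</p>

```python
"""Rule evaluation for ingestion events, as an added example.

Not AME's rule engine: it shows the same ideas the post lists (cron-style
maintenance windows, host conditions, auto-closing short spikes, routing by
source) over constructed events. Field names and the window syntax are
assumptions; timestamps are UTC, so map your local 02:00-04:00 accordingly.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Window:
    """Recurring window: weekdays (0=Monday ... 6=Sunday) and an hour range."""
    weekdays: frozenset
    start_hour: int
    end_hour: int  # exclusive

    def contains(self, ts: datetime) -> bool:
        return ts.weekday() in self.weekdays and self.start_hour <= ts.hour < self.end_hour


@dataclass
class Rule:
    name: str
    match: dict                       # field -> value or set of values; all must match
    action: str                       # "suppress", "auto_close" or "assign"
    assignee: Optional[str] = None
    window: Optional[Window] = None   # rule applies only inside this window
    max_duration_seconds: Optional[float] = None  # only for events resolved this fast


def field_matches(value, wanted) -> bool:
    if isinstance(wanted, (set, frozenset, list, tuple)):
        return value in wanted
    return value == wanted


def rule_applies(rule: Rule, event: dict, ts: datetime) -> bool:
    if rule.window is not None and not rule.window.contains(ts):
        return False
    if rule.max_duration_seconds is not None:
        duration = event.get("duration_seconds")
        if duration is None or duration > rule.max_duration_seconds:
            return False
    return all(field_matches(event.get(f), v) for f, v in rule.match.items())


def apply_rules(event: dict, rules: list, ts: datetime) -> dict:
    """Evaluate rules in order: the first suppress/auto_close wins and stops
    processing; assign rules fill the owner once, so earlier rules take priority."""
    result = {"disposition": "open", "assignee": None, "matched": []}
    for rule in rules:
        if not rule_applies(rule, event, ts):
            continue
        result["matched"].append(rule.name)
        if rule.action == "suppress":
            result["disposition"] = "suppressed"
            return result
        if rule.action == "auto_close":
            result["disposition"] = "auto_closed"
            return result
        if rule.action == "assign" and result["assignee"] is None:
            result["assignee"] = rule.assignee
    return result


# Constructed rule set mirroring the post's examples.
RULES = [
    Rule("Saturday firewall maintenance", match={"index": "network", "host": {"fw01", "fw02"}},
         action="suppress", window=Window(frozenset({5}), 2, 4)),
    Rule("Auto-close short latency spikes", match={"check": "latency"},
         action="auto_close", max_duration_seconds=300),
    Rule("Windows Events to ops", match={"source_name": "Windows Events"},
         action="assign", assignee="ops"),
    Rule("Vulnerability scans to security", match={"source_name": "Vulnerability Scan Results"},
         action="assign", assignee="security"),
    Rule("Webserver to application team", match={"source_name": "Webserver"},
         action="assign", assignee="application"),
]

# Constructed events in the shape DIM would hand to AME.
FW_MISSING = {"source_name": "Firewall", "index": "network", "host": "fw01", "check": "missing_data"}
WIN_LOW_VOLUME = {"source_name": "Windows Events", "index": "os", "host": "dc01", "check": "volume"}
WEB_SPIKE = {"source_name": "Webserver", "index": "web", "host": "web01",
             "check": "latency", "duration_seconds": 120}

SAT_0300 = datetime(2026, 3, 7, 3, 0, tzinfo=timezone.utc)   # a Saturday
TUE_1000 = datetime(2026, 3, 10, 10, 0, tzinfo=timezone.utc)  # a Tuesday

if __name__ == "__main__":
    for ev, ts in [(FW_MISSING, SAT_0300), (FW_MISSING, TUE_1000),
                   (WIN_LOW_VOLUME, TUE_1000), (WEB_SPIKE, TUE_1000)]:
        print(ev["source_name"], ts.isoformat(), apply_rules(ev, RULES, ts))
```

<p>Note the ordering: the maintenance rule is scoped to a specific host set on purpose, so a firewall that is not on the maintenance list still raises an open event at 03:00 on Saturday, and the auto-close rule is limited by duration, so a latency problem that persists past five minutes falls through to normal assignment instead of being silently closed.</p>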
<p>After tuning templates and rules, most customers see a substantial drop in noise, and maintenance-related false positives are avoided.</p>
<p><img decoding="async" loading="lazy" alt="AME Template for DIM Detections" src="https://alertmanager.app/assets/images/dim-template-33b09b195317531308a6e84c524c284b.png" width="1387" height="1015" class="img__Ss2">
<em>AME Template for DIM Detections</em></p>
<p><img decoding="async" loading="lazy" alt="AME Example Event for Missing Firewall Logs" src="https://alertmanager.app/assets/images/dim-example-event-7c020051b63768673444a025bbb46a38.png" width="1564" height="850" class="img__Ss2">
<em>AME Example Event for Missing Firewall Logs</em></p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="slas">SLAs<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#slas" class="hash-link" aria-label="Direct link to SLAs" title="Direct link to SLAs" translate="no">​</a></h2>
<p>Many ingestion issues are not solved in time because no hard deadlines exist. AME's Service Level Agreements attach enforceable deadlines to every event.</p>
<p>Examples:</p>
<ul>
<li class=""><strong>Critical alerts</strong> (missing data from security, firewall, identity, or compliance-critical sources): acknowledge in 15 minutes, resolve in 60 minutes</li>
<li class=""><strong>Warning-level issues</strong> (low volume on operational sources like disk, cpu, windows events): acknowledge in 30 minutes, resolve in 4 hours</li>
<li class=""><strong>High-business-impact sources</strong>: tighter SLAs (e.g. 10-minute ack)</li>
</ul>
<p>AME tracks compliance automatically, escalates on breach, and gives auditable reporting. It turns ingestion health from "someone will look eventually" into a measurable commitment.</p>
<p><img decoding="async" loading="lazy" alt="AME Sample Response Time SLA" src="https://alertmanager.app/assets/images/dim-sla-01aa7096e60580a0f5e28e10ee4fc3e0.png" width="1367" height="1158" class="img__Ss2">
<em>AME - Sample Response Time SLA</em></p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="notifications--integrations">Notifications &amp; Integrations<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#notifications--integrations" class="hash-link" aria-label="Direct link to Notifications &amp; Integrations" title="Direct link to Notifications &amp; Integrations" translate="no">​</a></h2>
<p>AME supports Slack, Teams, email, webhooks, Jira, ServiceNow, and more. As DIM sends alerts that contain fields such as source_name, status, event_count, volume_mb, avg_lag_seconds, etc., notifications arrive with context.</p>
<p>Typical Notifications:</p>
<ul>
<li class=""><strong>Critical failure:</strong> instant Slack message to the on-call engineer</li>
<li class=""><strong>Warning:</strong> email to the team lead</li>
<li class=""><strong>SLA breach:</strong> automatic notification to the responsible manager</li>
</ul>
<p>When the problematic feed is not under your team's control (third-party vendors, other internal teams, cloud providers), AME's Jira and ServiceNow integrations are especially powerful. You can configure rules to automatically create a ticket in the upstream team's system, assign it to the right queue, pre-fill it with source name, index, failure details, metrics, and a link back to DIM or the AME event, and set the priority or the SLA based on criticality.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="observables">Observables<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#observables" class="hash-link" aria-label="Direct link to Observables" title="Direct link to Observables" translate="no">​</a></h2>
<p>AME's Observables let you attach structured asset/identity context to ingestion sources (e.g. owner_team, criticality, business_unit, asset ID).</p>
<p>When an alert arrives, AME matches fields (host, source_name, index) against observables and enriches the event automatically and can also increase the risk score for this asset.</p>
<p><img decoding="async" loading="lazy" alt="AME Observables" src="https://alertmanager.app/assets/images/dim-observables-76423c25c806c79bc21a55e9785e1dbe.png" width="1533" height="256" class="img__Ss2"></p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="summary">Summary<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#summary" class="hash-link" aria-label="Direct link to Summary" title="Direct link to Summary" translate="no">​</a></h2>
<p>In short: a minimal detection layer gives you early visibility into ingestion health. Alert Manager Enterprise takes it from there, separating signal from noise. AME handles exceptions smartly (templates &amp; rules), enforces urgency (SLAs), applies real ownership (notifications &amp; integrations), and enriches events with context (observables). Ingestion problems get caught early, routed to the right people (or upstream teams), and most important, actually get resolved instead of quietly forgotten.</p>
<p>If ingestion monitoring has been more of an afterthought in your Splunk environment, or if a tool you relied on just changed its licensing and left you scrambling, you don't need to spin up a six-month custom monster. A lightweight detection setup (even just a few well-crafted scheduled searches) paired with AME can close the visibility gap in days and turn vague unease into measurable reliability.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="learn-more">Learn More<a href="https://alertmanager.app/blog/data-ingestion-monitoring-with-alert-manager-enterprise#learn-more" class="hash-link" aria-label="Direct link to Learn More" title="Direct link to Learn More" translate="no">​</a></h2>
<p>Read our <a class="" href="https://alertmanager.app/docs/">docs</a> to learn how to install and configure AME.</p>
<p>Download AME from <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a>.</p>
<p>Don't forget to check out our <a href="https://youtube.com/@datapunctum" target="_blank" rel="noopener noreferrer" class="">YouTube channel</a> for tutorial videos.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="articles" term="articles"/>
        <category label="use-cases" term="use-cases"/>
        <category label="splunk" term="splunk"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.7]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-7-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-7-released"/>
        <updated>2026-02-05T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Introducing Alert Manager Enterprise Version 3.7: Smarter exports, clearer event visibility, and secure OAuth2 email support.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.7" src="https://alertmanager.app/assets/images/ame-3-7-951a0ddd4830b9963e56d308d7451e82.png" width="1600" height="1363" class="img__Ss2"></p>
<p>Introducing Alert Manager Enterprise Version 3.7: Smarter exports, clearer event visibility, and secure OAuth2 email support.</p>
<p>Datapunctum has released version 3.7.0 of Alert Manager Enterprise (AME), continuing to enhance the leading Splunk-native platform for transforming raw alerts into structured, actionable incidents, all without leaving your Splunk environment.</p>
<p>This update focuses on practical usability improvements, better data handling, and expanded export capabilities that help teams work more efficiently with alerts and vulnerability intelligence.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="whats-new-in-ame-370">What's New in AME 3.7.0<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-7-released#whats-new-in-ame-370" class="hash-link" aria-label="Direct link to What's New in AME 3.7.0" title="Direct link to What's New in AME 3.7.0" translate="no">​</a></h2>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="new-features">New Features<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-7-released#new-features" class="hash-link" aria-label="Direct link to New Features" title="Direct link to New Features" translate="no">​</a></h3>
<ul>
<li class=""><strong>Event Export from Event View</strong>: Export single or multiple events directly as CSV from the Event Overview for quick sharing or offline analysis.</li>
<li class=""><strong>Vulnerability Realization Export</strong>: Download filtered vulnerability realizations as CSV, making it easier to report on and track vulnerabilities.</li>
<li class=""><strong>Endtime for TTLs in Event Details</strong>: Events with a time-to-live (TTL) now clearly display their calculated end time in the details view.</li>
<li class=""><strong>New Vulnerability KPIs</strong>: Additional key performance indicators added to Vulnerability Intelligence scheduled reports for deeper insights.</li>
<li class=""><strong>Event Data Copy with Templating</strong>: Copy individual event fields or entire events to the clipboard using customizable templates, great for pasting into tickets, chats, or documentation.</li>
<li class=""><strong>OAuth2 Support for Mail Targets</strong>: Full OAuth2 authentication is now supported for email delivery targets, so mail is sent with an access token rather than a static mailbox password, which modern email providers increasingly require.</li>
</ul>
<p>AME remains a powerful choice for IT Ops and SOC teams who want to stay inside Splunk while gaining advanced alert aggregation, deduplication, status tracking, assignments, enrichment (MITRE ATT&amp;CK, risk scoring in higher tiers), and integrations with ServiceNow, Jira, Slack, Teams, and more.</p>
<p>The free core license is still available to get started, with premium features unlocked via subscription.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="ready-to-upgrade">Ready to Upgrade?<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-7-released#ready-to-upgrade" class="hash-link" aria-label="Direct link to Ready to Upgrade?" title="Direct link to Ready to Upgrade?" translate="no">​</a></h2>
<p>Download the latest version from Splunkbase: <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">https://splunkbase.splunk.com/app/6730</a></p>
<p>Before upgrading, check the <a class="" href="https://alertmanager.app/docs/ame-before-upgrading">Before You Upgrade guide</a> to ensure a smooth transition.</p>
<p>Full details are in the official <a class="" href="https://alertmanager.app/docs/ame-whats-new">What's New section</a>.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.5]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-5-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-5-released"/>
        <updated>2025-07-22T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Introducing Alert Manager Enterprise Version 3.5: Empowering Your Security Operations with Advanced Vulnerability Intelligence and Streamlined Workflows.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.5" src="https://alertmanager.app/assets/images/ame-3-5-235e056c9bf7b6dfe36aa7a877208686.png" width="500" height="401" class="img__Ss2"></p>
<p>Introducing Alert Manager Enterprise Version 3.5: Empowering Your Security Operations with Advanced Vulnerability Intelligence and Streamlined Workflows.</p>
<p>We're thrilled to announce the release of Alert Manager Enterprise (AME) Version 3.5, our premium Splunk app designed to supercharge your incident management and security operations. This update brings key enhancements that help organizations identify vulnerabilities faster, automate responses, and maintain compliance.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="revolutionizing-your-vulnerability-insights-with-vulnerability-intelligence">Revolutionizing Your Vulnerability Insights with Vulnerability Intelligence<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-5-released#revolutionizing-your-vulnerability-insights-with-vulnerability-intelligence" class="hash-link" aria-label="Direct link to Revolutionizing Your Vulnerability Insights with Vulnerability Intelligence" title="Direct link to Revolutionizing Your Vulnerability Insights with Vulnerability Intelligence" translate="no">​</a></h2>
<p>At the core of AME 3.5 is our new Vulnerability Intelligence feature, a powerful tool for correlating vulnerabilities with asset intelligence, prioritizing exposures, and tracking remediation. Available with an AME Security Pack Subscription (contact sales for an evaluation license), it ingests data from diverse sources indexed in Splunk, using saved searches and the "Ingest Vulnerability Realizations" Alert Action to capture vulnerability realizations (live instances of known vulnerabilities on specific assets) and create AME Events based on realization rules.</p>
<p><img decoding="async" loading="lazy" alt="Vulnerability Intelligence Overview" src="https://alertmanager.app/assets/images/ame-3-5-vuln-overview-38c42ebe0b5e76cdf626d07bbc111091.png" width="1030" height="458" class="img__Ss2">
<em>Vulnerability Intelligence Overview</em></p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="key-benefits-include">Key benefits include:<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-5-released#key-benefits-include" class="hash-link" aria-label="Direct link to Key benefits include:" title="Direct link to Key benefits include:" translate="no">​</a></h3>
<ul>
<li class=""><strong>Lifecycle Tracking:</strong> Manage vulnerabilities from detection to resolution, including exclusions for accepted risks and periodic reviews for standards like PCI-DSS, ISO 27001, and NIST.</li>
<li class=""><strong>Staged Realizations:</strong> Identify issues on unknown assets to refine your observable inventory and reduce blind spots.</li>
<li class=""><strong>Customization Options:</strong> Tailor CVE metadata, set tenant-specific auto-resolve rules, and configure data retention.</li>
<li class=""><strong>Reporting Tools:</strong> Schedule customized reports with exactly the scope you need.</li>
</ul>
<p><img decoding="async" loading="lazy" alt="AME Vulnerability Intelligence Workflow" src="https://alertmanager.app/assets/images/ame-3-5-vuln-architecture-2f8992c30134c874271d52ac38e8617b.png" width="1030" height="673" class="img__Ss2">
<em>AME Vulnerability Intelligence Workflow Diagram</em></p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="smarter-notifications-for-faster-responses">Smarter Notifications for Faster Responses<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-5-released#smarter-notifications-for-faster-responses" class="hash-link" aria-label="Direct link to Smarter Notifications for Faster Responses" title="Direct link to Smarter Notifications for Faster Responses" translate="no">​</a></h2>
<p>We've enhanced notifications with greater flexibility and integration. The new "Create AME Notification Alert Action" enables triggering parametrized notifications from Splunk searches for timely alerts.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="enhanced-observables-for-better-asset-visibility">Enhanced Observables for Better Asset Visibility<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-5-released#enhanced-observables-for-better-asset-visibility" class="hash-link" aria-label="Direct link to Enhanced Observables for Better Asset Visibility" title="Direct link to Enhanced Observables for Better Asset Visibility" translate="no">​</a></h2>
<p>Observables in AME support Observable Reporting Groups, allowing nested organization based on attributes like region or network zones for hierarchical reporting. Use the "Ingest Observable Group" Alert Action to define groups from Splunk searches.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="upgrade-to-ame-35-today-and-elevate-your-security-posture">Upgrade to AME 3.5 Today and Elevate Your Security Posture<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-5-released#upgrade-to-ame-35-today-and-elevate-your-security-posture" class="hash-link" aria-label="Direct link to Upgrade to AME 3.5 Today and Elevate Your Security Posture" title="Direct link to Upgrade to AME 3.5 Today and Elevate Your Security Posture" translate="no">​</a></h2>
<p>AME Version 3.5 delivers proactive security with Vulnerability Intelligence, smarter notifications, and enhanced observables. Learn more about Alert Manager Enterprise at <a href="https://alertmanager.app/" target="_blank" rel="noopener noreferrer" class="">alertmanager.app</a>, download it on <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a> or contact our sales team for details. At Datapunctum AG, we're committed to making Splunk work smarter for you.</p>
<p>Stay secure!</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.4]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-4-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-4-released"/>
        <updated>2025-05-08T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Alert Manager Enterprise 3.4 brings new improvements to event management, notifications, and overall stability.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.4" src="https://alertmanager.app/assets/images/ame-3-4-a1263d853cfe29e773ed81b6d9c6f73b.png" width="1200" height="800" class="img__Ss2"></p>
<p>Alert Manager Enterprise 3.4 brings new improvements to event management, notifications, and overall stability.</p>
<p>We're excited to announce the release of Alert Manager Enterprise Version 3.4. This release continues our commitment to delivering the best alert management experience within Splunk.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="highlights">Highlights<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-4-released#highlights" class="hash-link" aria-label="Direct link to Highlights" title="Direct link to Highlights" translate="no">​</a></h2>
<ul>
<li class="">Improved event management workflows</li>
<li class="">Enhanced notification capabilities</li>
<li class="">Bug fixes and performance improvements</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="download">Download<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-4-released#download" class="hash-link" aria-label="Direct link to Download" title="Direct link to Download" translate="no">​</a></h2>
<p>Download the latest version from <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a> and check the <a class="" href="https://alertmanager.app/docs/ame-release-notes">release notes</a> for full details.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.3]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-3-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released"/>
        <updated>2025-03-15T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Alert Manager Enterprise 3.3 introduces enhanced event aggregation and improved workflow capabilities.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.3" src="https://alertmanager.app/assets/images/ame-3-3-ca312a5c167f98ba7457ad3d2609acd8.png" width="1423" height="1181" class="img__Ss2"></p>
<p>Alert Manager Enterprise 3.3 introduces Observables and Risk Scoring, two powerful new capabilities that bring context and prioritization to your incident management workflow.</p>
<p>Version 3.3 of Alert Manager Enterprise is now available on Splunkbase. This release focuses on enriching events with contextual information and helping teams prioritize effectively.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="observables-context-at-your-fingertips">Observables: Context at Your Fingertips<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released#observables-context-at-your-fingertips" class="hash-link" aria-label="Direct link to Observables: Context at Your Fingertips" title="Direct link to Observables: Context at Your Fingertips" translate="no">​</a></h2>
<p>Observables allow you to attach structured contextual data, such as IP addresses, hostnames, user accounts, or file hashes, directly to your alert events. Instead of switching between tools, analysts can see all relevant artifacts in one place.</p>
<p><img decoding="async" loading="lazy" alt="Observables in Alert Manager Enterprise" src="https://alertmanager.app/assets/images/ame-3-3-observables-ca312a5c167f98ba7457ad3d2609acd8.png" width="1423" height="1181" class="img__Ss2"></p>
<p>Observables are automatically extracted from your alert data and can be enriched with additional lookups. This gives your team immediate access to the context they need to make faster decisions.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="key-benefits">Key Benefits<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released#key-benefits" class="hash-link" aria-label="Direct link to Key Benefits" title="Direct link to Key Benefits" translate="no">​</a></h3>
<ul>
<li class=""><strong>Automatic extraction:</strong> Observables are parsed from event fields without manual configuration</li>
<li class=""><strong>Custom observable types:</strong> Define your own observable categories to match your use cases</li>
<li class=""><strong>Enrichment support:</strong> Extend observables with additional context from external sources</li>
<li class=""><strong>Drilldown actions:</strong> Click on any observable to pivot into deeper investigation</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="risk-scoring-focus-on-what-matters">Risk Scoring: Focus on What Matters<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released#risk-scoring-focus-on-what-matters" class="hash-link" aria-label="Direct link to Risk Scoring: Focus on What Matters" title="Direct link to Risk Scoring: Focus on What Matters" translate="no">​</a></h2>
<p>With so many alerts competing for attention, knowing which events to prioritize is critical. AME 3.3 introduces a risk scoring framework that assigns a calculated priority to each event based on configurable criteria.</p>
<p><img decoding="async" loading="lazy" alt="Risk Scoring for events" src="https://alertmanager.app/assets/images/ame-3-3-risk-events-a82ab28701e56f74798eb3b9a91cb460.png" width="1030" height="129" class="img__Ss2"></p>
<p>Risk scores are computed using factors such as asset criticality, alert severity, historical patterns, and threat intelligence. Events with higher risk scores surface to the top of your queue, ensuring your team spends time on what truly matters.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="how-it-works">How It Works<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released#how-it-works" class="hash-link" aria-label="Direct link to How It Works" title="Direct link to How It Works" translate="no">​</a></h3>
<ul>
<li class=""><strong>Configurable scoring rules:</strong> Define weights for different risk factors</li>
<li class=""><strong>Dynamic recalculation:</strong> Scores update as new information arrives</li>
<li class=""><strong>Visual indicators:</strong> See risk levels at a glance in the event list</li>
<li class=""><strong>Integration with workflows:</strong> Trigger automatic actions based on risk thresholds</li>
</ul>
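<p>To make the two capabilities above concrete, here is an added example (not AME's or Datapunctum's code) that extracts observables from an alert's fields with regular expressions, looks the host observable up in an asset inventory and computes a weighted 0-100 risk score. The alert field names, observable types and patterns, asset criticality table, threat-intel set and factor weights are all constructed for the illustration; only the idea (automatic extraction, enrichment, configurable weights) comes from the release notes.</p>

```python
"""Added example (not code from AME or Datapunctum): extract observables from
an alert's fields with regular expressions, look the host observable up in an
asset inventory, and compute a weighted 0-100 risk score.

Everything below that is not in the article is constructed for illustration:
the alert field names, the observable types and patterns, the asset
criticality table, the threat-intel set and the factor weights.
"""
import ipaddress
import re

# Constructed sample alerts (hypothetical field names).
HIGH_ALERT = {
    "title": "Suspicious outbound connection",
    "severity": "high",
    "src_host": "fileserver01.corp.example",
    "dest_ip": "203.0.113.45",
    "user": "j.doe@corp.example",
    "file_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "count": 3,                      # how often this alert fired recently
}
LOW_ALERT = {
    "title": "Scheduled reboot",
    "severity": "low",
    "src_host": "kiosk07.corp.example",
    "count": 1,
}

# Hypothetical enrichment data: asset criticality (0..1) and a threat-intel set.
ASSET_CRITICALITY = {"fileserver01.corp.example": 0.9, "kiosk07.corp.example": 0.2}
THREAT_INTEL = {"203.0.113.45"}
SEVERITY = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}

# Extraction order matters: an e-mail's domain and a dotted-quad IP would also
# satisfy the hostname pattern, so those types are matched (and consumed) first.
OBSERVABLE_PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("hostname", re.compile(r"\b(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}\b")),
]


def extract_observables(alert):
    """Return sorted (type, value) pairs found in the alert's string fields."""
    found = set()
    for value in alert.values():
        if not isinstance(value, str):
            continue
        remaining = value
        for obs_type, pattern in OBSERVABLE_PATTERNS:
            for match in pattern.findall(remaining):
                if obs_type == "ipv4":
                    try:
                        ipaddress.IPv4Address(match)   # rejects e.g. 999.1.1.1
                    except ValueError:
                        continue
                found.add((obs_type, match.lower()))
            # Blank out consumed text so lower-priority patterns cannot re-match it.
            remaining = pattern.sub(" ", remaining)
    return sorted(found)


# Configurable weights; they need not sum to 1, the score is normalised.
WEIGHTS = {"severity": 0.4, "asset_criticality": 0.3, "threat_intel": 0.2, "recurrence": 0.1}


def risk_score(alert, observables, weights=WEIGHTS):
    """Weighted sum of factors, each normalised to 0..1, scaled to 0..100."""
    hosts = [v for t, v in observables if t == "hostname"]
    factors = {
        "severity": SEVERITY.get(alert.get("severity", "low"), 0.25),
        # The most critical asset named in the event decides the criticality factor.
        "asset_criticality": max((ASSET_CRITICALITY.get(h, 0.0) for h in hosts), default=0.0),
        "threat_intel": 1.0 if any(v in THREAT_INTEL for _, v in observables) else 0.0,
        "recurrence": min(alert.get("count", 1), 10) / 10,
    }
    total = sum(weights.values())
    return round(100 * sum(weights[k] * factors[k] for k in weights) / total, 1)


def score_alert(alert):
    """Convenience wrapper: (observables, score) for one alert."""
    observables = extract_observables(alert)
    return observables, risk_score(alert, observables)


if __name__ == "__main__":
    for alert in (HIGH_ALERT, LOW_ALERT):
        observables, score = score_alert(alert)
        print(f"{alert['title']!r}: score={score}")
        for obs_type, value in observables:
            print(f"  {obs_type:8} {value}")
```

<p>The ordering of the patterns is the part worth copying: a naive extractor that runs a hostname regex over every field will happily report the domain half of an e-mail address and every IPv4 address as hostnames, which then pollutes the asset lookup. In production the hostname candidates should additionally be validated against the inventory or an allowlist of domains, since the generic pattern also matches strings such as version numbers in free-text titles.</p>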
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="additional-improvements">Additional Improvements<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released#additional-improvements" class="hash-link" aria-label="Direct link to Additional Improvements" title="Direct link to Additional Improvements" translate="no">​</a></h2>
<ul>
<li class="">Enhanced event aggregation for reduced alert fatigue</li>
<li class="">Improved workflow action capabilities</li>
<li class="">Performance optimizations</li>
<li class="">Bug fixes and stability improvements</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="get-started">Get Started<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-3-released#get-started" class="hash-link" aria-label="Direct link to Get Started" title="Direct link to Get Started" translate="no">​</a></h2>
<p>Download the latest version from <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a>.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[Feature Highlight: SLAs]]></title>
        <id>https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise</id>
        <link href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise"/>
        <updated>2025-02-05T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Explore the Service Levels feature introduced in AME 3.2, enabling precise control over event management with customizable SLAs.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Exploring SLA Features in Alert Manager Enterprise 3.2" src="https://alertmanager.app/assets/images/sla-features-062bb804b2a124732beb0c7e75c69ef0.png" width="800" height="651" class="img__Ss2"></p>
<p>This article introduces the Service Levels features added in AME version 3.2. SLAs let you define precise policies for managing the service levels associated with events within AME.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="what-are-slas-in-ame">What Are SLAs in AME?<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#what-are-slas-in-ame" class="hash-link" aria-label="Direct link to What Are SLAs in AME?" title="Direct link to What Are SLAs in AME?" translate="no">​</a></h2>
<p>SLAs enable fine-grained control over service levels, allowing you to specify objectives and thresholds for AME events. These agreements can be tailored to each tenant through the tenant configuration section, offering robust functionality to account for:</p>
<ul>
<li class="">Customer or Team Time Zones</li>
<li class="">Specific Working Hours and Days</li>
<li class="">Local and ad-hoc Holidays and Absences</li>
</ul>
<p>In AME, each SLA is governed by an objective, and multiple objectives can be configured per tenant to apply to specific event conditions.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="defining-slas-a-step-by-step-guide">Defining SLAs: A Step-by-Step Guide<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#defining-slas-a-step-by-step-guide" class="hash-link" aria-label="Direct link to Defining SLAs: A Step-by-Step Guide" title="Direct link to Defining SLAs: A Step-by-Step Guide" translate="no">​</a></h2>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="example">Example<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#example" class="hash-link" aria-label="Direct link to Example" title="Direct link to Example" translate="no">​</a></h3>
<p>To illustrate, let's create an SLA for tracking <strong>Time to Respond</strong>. Start by assigning a name, such as "Response Time", and providing a description.</p>
<p>Define the threshold after which the SLA is considered violated. You can also configure a notification interval so that teams keep being alerted until the SLA state is resolved; for example, hourly notifications for an ongoing violation send one notification each hour until the SLA is no longer breached.</p>
<p>Additionally, a reminder threshold can be set to warn teams before an SLA breach occurs.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="establish-start-and-stop-conditions">Establish Start and Stop Conditions<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#establish-start-and-stop-conditions" class="hash-link" aria-label="Direct link to Establish Start and Stop Conditions" title="Direct link to Establish Start and Stop Conditions" translate="no">​</a></h3>
<p>The syntax used to define when an SLA clock starts and stops is similar to that of the AME rule engine.</p>
<ul>
<li class=""><strong>Start Condition:</strong> Check whether the event title contains the keyword "SLA", so that only events carrying this keyword are considered for the SLA.</li>
<li class=""><strong>Stop Condition:</strong> Stop the clock once the event has moved from new to in progress, i.e. once someone has responded. For this, match on the <code>ame.status_type</code> field with the appropriate conditional.</li>
</ul>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="notifications">Notifications<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#notifications" class="hash-link" aria-label="Direct link to Notifications" title="Direct link to Notifications" translate="no">​</a></h3>
<p>Notifications for SLA violations or imminent breaches require defining a notification scheme. For this example we create a scheme named "SLA Violation" and link it to our notification target, which is email. You can also use Slack, Teams, or any other notification mechanism supported by AME.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="use-case-update-event-metadata">Use-Case: Update Event Metadata<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#use-case-update-event-metadata" class="hash-link" aria-label="Direct link to Use-Case: Update Event Metadata" title="Direct link to Use-Case: Update Event Metadata" translate="no">​</a></h3>
<p>You can also update event metadata to better manage SLA states, for example by escalating the urgency of events whose SLA is breached. Analysts who evaluate AME events by urgency and priority then see these high-priority issues immediately.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="multiple-slas-for-one-event">Multiple SLAs for One Event<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#multiple-slas-for-one-event" class="hash-link" aria-label="Direct link to Multiple SLAs for One Event" title="Direct link to Multiple SLAs for One Event" translate="no">​</a></h2>
<p>AME supports defining multiple SLAs for the same event. For example, you can track both <strong>Time to Respond (TTA)</strong> and <strong>Time to Resolve (TTR)</strong> by creating an additional objective with start and stop conditions.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="sla-periods">SLA Periods<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#sla-periods" class="hash-link" aria-label="Direct link to SLA Periods" title="Direct link to SLA Periods" translate="no">​</a></h2>
<p>You can configure the SLA validity periods with great flexibility in the configuration screen. AME allows you to define which time zone is in effect, which recurring and non-recurring holidays apply, as well as specific working hours for your teams or customers. These settings ensure that SLA rules only apply during active working periods.</p>
<p>If you are an MSSP managing multiple customers (tenants), then you can model the SLA times for your customers, applying their respective time zones and working hours.</p>
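<p>The effect of SLA periods is easiest to see with numbers. The following is an added example (not AME's or Datapunctum's code) of an SLA clock that counts only working time for a tenant, honouring its time zone, working days and hours, and holidays, and then classifies an objective as ok, reminder or breached against the thresholds from the example above. The period schema, the thresholds and the two scenarios are constructed; AME's own configuration fields are described in the SLA documentation.</p>

```python
"""Added example (not code from AME or Datapunctum): an SLA clock that only
counts working time for a tenant, honouring its time zone, working days and
hours, and holidays, then classifies the objective as ok / reminder / breached.

The period schema, the thresholds and the two scenarios are constructed for
illustration; AME's own configuration fields are documented on the SLA docs page.
"""
from datetime import datetime, date, time, timedelta, timezone

# Hypothetical tenant period. A fixed UTC+1 offset is used so the example runs
# without a tz database; a deployment would use zoneinfo.ZoneInfo("Europe/Zurich").
TENANT_PERIOD = {
    "tz": timezone(timedelta(hours=1), "CET"),
    "work_days": {0, 1, 2, 3, 4},                       # Monday..Friday
    "work_start": time(8, 0),
    "work_end": time(17, 0),
    "holidays": {date(2025, 1, 1), date(2025, 1, 2)},   # recurring and ad-hoc, flattened
}


def working_seconds(start_utc, end_utc, period):
    """Seconds of working time between two instants, computed day by day in the tenant tz."""
    tz = period["tz"]
    start, end = start_utc.astimezone(tz), end_utc.astimezone(tz)
    if end <= start:
        return 0.0
    total = 0.0
    day = start.date()
    while day <= end.date():
        if day.weekday() in period["work_days"] and day not in period["holidays"]:
            win_start = datetime.combine(day, period["work_start"], tzinfo=tz)
            win_end = datetime.combine(day, period["work_end"], tzinfo=tz)
            # Intersect [start, end] with this day's working window.
            overlap = min(end, win_end) - max(start, win_start)
            if overlap > timedelta(0):
                total += overlap.total_seconds()
        day += timedelta(days=1)
    return total


def sla_state(start_utc, now_utc, period, threshold_hours, reminder_hours):
    """Return (state, elapsed_working_hours) for one objective."""
    elapsed = working_seconds(start_utc, now_utc, period) / 3600
    if elapsed >= threshold_hours:
        state = "breached"
    elif elapsed >= reminder_hours:
        state = "reminder"
    else:
        state = "ok"
    return state, round(elapsed, 2)


# Constructed scenarios. Objective: respond within 4 working hours, remind at 3.
SCENARIOS = {
    # Opened Friday 16:00 CET, checked Monday 10:30 CET: 66.5 wall-clock hours,
    # but only 1 h (Friday) + 2.5 h (Monday) of working time.
    "over_weekend": (datetime(2025, 1, 3, 15, 0, tzinfo=timezone.utc),
                     datetime(2025, 1, 6, 9, 30, tzinfo=timezone.utc)),
    # Opened on 1 January (holiday), checked Friday 12:00 CET: 2 January is also
    # a holiday, so only Friday 08:00-12:00 counts.
    "over_holidays": (datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc),
                      datetime(2025, 1, 3, 11, 0, tzinfo=timezone.utc)),
}


def evaluate_scenarios(period=TENANT_PERIOD, threshold_hours=4, reminder_hours=3):
    """Evaluate every constructed scenario against the given objective."""
    return {name: sla_state(start, now, period, threshold_hours, reminder_hours)
            for name, (start, now) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (state, hours) in evaluate_scenarios().items():
        print(f"{name:14} {hours:>5} working hours -> {state}")
```

<p>Note that both scenarios would be breached many times over on a wall-clock SLA, while on the tenant's working-hours clock the weekend case is merely at the reminder stage. Evaluating the clock in the tenant's zone rather than the Splunk server's is what makes the MSSP case work: the same objective can be attached to several tenants and each one's holidays and office hours decide when its clock runs.</p>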
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="reporting-sla-performance">Reporting SLA Performance<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#reporting-sla-performance" class="hash-link" aria-label="Direct link to Reporting SLA Performance" title="Direct link to Reporting SLA Performance" translate="no">​</a></h2>
<p>AME includes a dedicated reporting dashboard to monitor SLA metrics. Key insights include:</p>
<ul>
<li class="">SLA performance versus violations</li>
<li class="">Details broken down by tenant</li>
<li class="">Trends and analysis</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="conclusion">Conclusion<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#conclusion" class="hash-link" aria-label="Direct link to Conclusion" title="Direct link to Conclusion" translate="no">​</a></h2>
<p>The SLA features in AME 3.2 provide unparalleled flexibility and control, enabling teams to meet service level expectations effectively. From response times to tailored working hours, these capabilities enhance your event management workflows.</p>
<p>For full configuration details, refer to the <a class="" href="https://alertmanager.app/docs/ame-slas">SLA documentation</a>.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="tutorial-video">Tutorial Video<a href="https://alertmanager.app/blog/exploring-sla-features-in-alert-manager-enterprise#tutorial-video" class="hash-link" aria-label="Direct link to Tutorial Video" title="Direct link to Tutorial Video" translate="no">​</a></h2>
<p>Watch a step-by-step walkthrough of the SLA configuration on our <a href="https://www.youtube.com/@datapunctum" target="_blank" rel="noopener noreferrer" class="">YouTube channel</a>.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="articles" term="articles"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[Feature Highlight: Event Aggregation]]></title>
        <id>https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2</id>
        <link href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2"/>
        <updated>2025-01-20T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Learn about the enhanced event aggregation capabilities in Alert Manager Enterprise 3.2 that help reduce alert fatigue.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Enhanced Event Aggregation" src="https://alertmanager.app/assets/images/event-aggregation-2f4077331bb8577061793991906c0949.png" width="1428" height="649" class="img__Ss2"></p>
<p>Learn about the enhanced event aggregation capabilities in Alert Manager Enterprise 3.2 that help reduce alert fatigue.</p>
<p>Alert fatigue is one of the biggest challenges for IT Operations and Security teams. When your monitoring infrastructure generates thousands of alerts daily, it becomes impossible to identify which ones truly matter.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="the-problem">The Problem<a href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2#the-problem" class="hash-link" aria-label="Direct link to The Problem" title="Direct link to The Problem" translate="no">​</a></h2>
<ul>
<li class="">Too many alerts from the same source</li>
<li class="">Duplicate notifications for recurring issues</li>
<li class="">Valuable time spent on non-actionable noise</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="how-ame-32-helps">How AME 3.2 Helps<a href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2#how-ame-32-helps" class="hash-link" aria-label="Direct link to How AME 3.2 Helps" title="Direct link to How AME 3.2 Helps" translate="no">​</a></h2>
<p>Alert Manager Enterprise 3.2 introduces enhanced event aggregation that intelligently groups related alerts:</p>
<ul>
<li class=""><strong>Smart Grouping:</strong> Automatically group alerts based on configurable criteria</li>
<li class=""><strong>Deduplication:</strong> Prevent duplicate events from flooding your queue</li>
<li class=""><strong>Correlation:</strong> Link related events for unified investigation</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="configuring-event-aggregation">Configuring Event Aggregation<a href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2#configuring-event-aggregation" class="hash-link" aria-label="Direct link to Configuring Event Aggregation" title="Direct link to Configuring Event Aggregation" translate="no">​</a></h2>
<p>Setting up event aggregation in AME is straightforward. From the Alert Manager settings, you can define aggregation templates that specify which fields to group by and how to handle incoming events.</p>
<p><img decoding="async" loading="lazy" alt="Aggregation template configuration" src="https://alertmanager.app/assets/images/agg-template-config-2f4077331bb8577061793991906c0949.png" width="1428" height="649" class="img__Ss2"></p>
<p>Templates support flexible field matching: you can aggregate by source, severity, category, or any combination of fields. Time windows let you control how long related events are grouped together.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="example-use-case-aggregating-related-events">Example Use Case: Aggregating Related Events<a href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2#example-use-case-aggregating-related-events" class="hash-link" aria-label="Direct link to Example Use Case: Aggregating Related Events" title="Direct link to Example Use Case: Aggregating Related Events" translate="no">​</a></h2>
<p>Consider a scenario where a failing server generates hundreds of alerts across multiple monitoring checks. Without aggregation, your team is overwhelmed with individual notifications.</p>
<p><img decoding="async" loading="lazy" alt="Aggregation use case: before" src="https://alertmanager.app/assets/images/agg-use-case-1-2adcc236744caa0fe9d99c0ff0d8cc7f.png" width="715" height="344" class="img__Ss2"></p>
<p>With AME's event aggregation, all alerts from the same source within a configurable time window are automatically grouped into a single incident. Your team sees one actionable event instead of hundreds of repetitive alerts.</p>
<p><img decoding="async" loading="lazy" alt="Aggregation use case: grouped events" src="https://alertmanager.app/assets/images/agg-use-case-2-62928bd490c25c7d9ec39da2fec3c8aa.png" width="703" height="333" class="img__Ss2"></p>
<p>Each aggregated event retains links to all the underlying alerts, so analysts can drill down when needed, but the initial triage is dramatically simplified.</p>
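<p>The grouping described above, as an added example that is not AME's own code: alerts sharing the values of the template's group-by fields and arriving within the time window are folded into one incident that keeps the IDs of every underlying alert. The <code>Alert</code>/<code>Incident</code> shapes, the fixed window measured from the incident's first alert, and the sample alerts are assumptions constructed for the illustration.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Alert:
    alert_id: str
    time: datetime
    fields: Dict[str, str]


@dataclass
class Incident:
    key: Tuple[str, ...]           # the group-by field values this incident covers
    first_seen: datetime
    last_seen: datetime
    alert_ids: List[str] = field(default_factory=list)  # links back to every underlying alert


@dataclass
class AggregationTemplate:
    group_by: Tuple[str, ...]      # fields that must match, e.g. ("host",) or ("host", "severity")
    window: timedelta              # how long after the first alert new alerts still join the incident


def aggregate(alerts: List[Alert], template: AggregationTemplate) -> List[Incident]:
    """Fold alerts into incidents.

    An alert joins the currently open incident for its group-by key if it arrives
    within `window` of that incident's first alert (a fixed window, an assumption);
    otherwise it opens a new incident for that key. Alerts missing a group-by field
    are never merged with anything else, so a malformed alert cannot hide inside an
    unrelated incident.
    """
    incidents: List[Incident] = []
    open_by_key: Dict[Tuple[str, ...], Incident] = {}
    for alert in sorted(alerts, key=lambda a: a.time):
        try:
            key = tuple(alert.fields[f] for f in template.group_by)
        except KeyError:
            key = ("__unkeyed__", alert.alert_id)
        current = open_by_key.get(key)
        if current is not None and alert.time - current.first_seen <= template.window:
            current.alert_ids.append(alert.alert_id)
            current.last_seen = alert.time
        else:
            current = Incident(key, alert.time, alert.time, [alert.alert_id])
            incidents.append(current)
            open_by_key[key] = current
    return incidents


def sample_alerts() -> List[Alert]:
    """Constructed sample data: web-01 fails repeatedly over a few minutes, db-02
    raises one unrelated alert, and web-01 alerts again an hour later."""
    t0 = datetime(2024, 11, 11, 9, 0, 0)
    rows = [
        ("a1", 0, "web-01", "disk_full"),
        ("a2", 5, "web-01", "cpu_high"),
        ("a3", 20, "web-01", "http_check_failed"),
        ("a4", 30, "db-02", "replication_lag"),
        ("a5", 90, "web-01", "http_check_failed"),
        ("a6", 3600, "web-01", "disk_full"),
    ]
    return [Alert(i, t0 + timedelta(seconds=s), {"host": h, "check": c}) for i, s, h, c in rows]


if __name__ == "__main__":
    by_host = AggregationTemplate(group_by=("host",), window=timedelta(minutes=15))
    for inc in aggregate(sample_alerts(), by_host):
        print(inc.key, len(inc.alert_ids), inc.alert_ids)
```

<p>Grouping by <code>host</code> alone turns the four web-01 alerts within the window into one incident, leaves the db-02 alert on its own, and opens a fresh incident for the web-01 alert an hour later; adding <code>check</code> to the group-by splits the same input per monitoring check. The window is measured from the first alert rather than the most recent one so that a host that keeps failing cannot extend a single incident indefinitely.</p>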
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="results">Results<a href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2#results" class="hash-link" aria-label="Direct link to Results" title="Direct link to Results" translate="no">​</a></h2>
<p>After enabling event aggregation, teams typically see a significant reduction in alert noise. The aggregated view makes it easy to identify the root cause and take action quickly.</p>
<p><img decoding="async" loading="lazy" alt="Aggregation results dashboard" src="https://alertmanager.app/assets/images/agg-results-ee451f6c192e0427d7bee27b76862de4.png" width="1649" height="482" class="img__Ss2"></p>
<p>Organizations using AME event aggregation report:</p>
<ul>
<li class=""><strong>70-90% reduction</strong> in alert volume</li>
<li class=""><strong>Faster MTTR</strong> due to grouped context</li>
<li class=""><strong>Improved analyst satisfaction</strong> with fewer repetitive tasks</li>
</ul>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="getting-started">Getting Started<a href="https://alertmanager.app/blog/enhanced-event-aggregation-in-alert-manager-enterprise-3-2#getting-started" class="hash-link" aria-label="Direct link to Getting Started" title="Direct link to Getting Started" translate="no">​</a></h2>
<p>Upgrade to AME 3.2 or later from <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a> to take advantage of these features.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="articles" term="articles"/>
        <category label="features" term="features"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.2]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-2-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released"/>
        <updated>2024-11-11T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Alert Manager Enterprise 3.2 introduces SLA management, enhanced event aggregation, improved filtering, MS-Teams PowerAutomate support, and more.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.2 Released" src="https://alertmanager.app/assets/images/ame-3-2-3bdf3d431546219e4dd7d5a8c59cbab5.png" width="800" height="491" class="img__Ss2"></p>
<p>Our latest Alert Manager Enterprise release introduces a suite of powerful enhancements designed to streamline event management, improve data visibility, and refine control over workflows. From advanced SLA management to enhanced event aggregation, here's a breakdown of what's new.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="event-service-level-agreements-slas">Event Service Level Agreements (SLAs)<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#event-service-level-agreements-slas" class="hash-link" aria-label="Direct link to Event Service Level Agreements (SLAs)" title="Direct link to Event Service Level Agreements (SLAs)" translate="no">​</a></h2>
<p>Managing SLAs is critical to ensure events meet response time commitments. With the new Event SLA Management, you can set, monitor, and report on SLAs for specific events. The feature lets you define two key metrics: response time (the duration between an event's occurrence and its acknowledgment) and resolution time (the period from acknowledgment to issue resolution).</p>
<p>To proactively manage potential breaches, the system can send notifications when an SLA is nearing its threshold or has been breached. These alerts can be configured to repeat at specified intervals until the issue is resolved, ensuring timely attention and adherence to service commitments.</p>
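<p>The two SLA clocks and the breach-notification behaviour described above, as an added example that is not AME's own implementation: response time runs from occurrence to acknowledgment, resolution time from acknowledgment to resolution, each reports <code>ok</code>, <code>approaching</code> or <code>breached</code>, and a breach notifies once and then repeats at a fixed interval until the relevant clock stops. The 80% warning threshold, the 15-minute repeat interval and the state names are assumptions for the illustration.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SlaPolicy:
    response: timedelta                               # budget from occurrence to acknowledgement
    resolution: timedelta                             # budget from acknowledgement to resolution
    warn_at: float = 0.8                              # fraction of the budget at which "approaching" fires (assumption)
    repeat_every: timedelta = timedelta(minutes=15)   # re-notify interval after a breach (assumption)


@dataclass
class Event:
    occurred: datetime
    acknowledged: Optional[datetime] = None
    resolved: Optional[datetime] = None


def _state(elapsed: timedelta, budget: timedelta, warn_at: float) -> str:
    if elapsed >= budget:
        return "breached"
    if elapsed >= budget * warn_at:
        return "approaching"
    return "ok"


def response_state(ev: Event, now: datetime, pol: SlaPolicy) -> str:
    """Response SLA: the clock runs from occurrence and stops at acknowledgement."""
    end = ev.acknowledged if ev.acknowledged is not None else now
    return _state(end - ev.occurred, pol.response, pol.warn_at)


def resolution_state(ev: Event, now: datetime, pol: SlaPolicy) -> str:
    """Resolution SLA: the clock starts at acknowledgement and stops at resolution.
    Before acknowledgement there is nothing to measure."""
    if ev.acknowledged is None:
        return "not_started"
    end = ev.resolved if ev.resolved is not None else now
    return _state(end - ev.acknowledged, pol.resolution, pol.warn_at)


def breach_notifications(start: datetime, budget: timedelta, stop: Optional[datetime],
                         now: datetime, repeat_every: timedelta) -> List[datetime]:
    """Times at which a breach notification fires: once when the budget runs out,
    then every `repeat_every`, until the clock stops (acknowledged/resolved) or `now`.
    If the clock stopped before the budget ran out, nothing fires."""
    end = now if stop is None else min(stop, now)
    times: List[datetime] = []
    t = start + budget
    while t <= end:
        times.append(t)
        t += repeat_every
    return times


def response_breach_notifications(ev: Event, now: datetime, pol: SlaPolicy) -> List[datetime]:
    return breach_notifications(ev.occurred, pol.response, ev.acknowledged, now, pol.repeat_every)


def resolution_breach_notifications(ev: Event, now: datetime, pol: SlaPolicy) -> List[datetime]:
    if ev.acknowledged is None:
        return []
    return breach_notifications(ev.acknowledged, pol.resolution, ev.resolved, now, pol.repeat_every)
```

<p>With a 30-minute response budget, an event raised at 09:00 and acknowledged at 09:50 is a response breach that notified at 09:30 and 09:45 and then went quiet once acknowledged, while its resolution clock starts fresh at 09:50. Stopping the repeat schedule at acknowledgment or resolution matters in practice: otherwise a long-resolved event keeps paging the on-call rotation.</p>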
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="event-summary-customization">Event Summary Customization<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#event-summary-customization" class="hash-link" aria-label="Direct link to Event Summary Customization" title="Direct link to Event Summary Customization" translate="no">​</a></h2>
<p>Customizing your Event Summary view is now more intuitive. You can select and save specific columns, tailoring the interface to display only the information most relevant to your operations. This streamlined approach enables quicker access to essential details, enhancing efficiency in event management.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="enhanced-event-aggregation">Enhanced Event Aggregation<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#enhanced-event-aggregation" class="hash-link" aria-label="Direct link to Enhanced Event Aggregation" title="Direct link to Enhanced Event Aggregation" translate="no">​</a></h2>
<p>Grouping events based on common attributes has become more flexible. The latest Event Aggregation improvements introduce additional field options for grouping, making it easier to identify patterns and correlations across different event types. This enhancement facilitates more effective analysis and response strategies.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="improved-event-selection">Improved Event Selection<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#improved-event-selection" class="hash-link" aria-label="Direct link to Improved Event Selection" title="Direct link to Improved Event Selection" translate="no">​</a></h2>
<p>Managing multiple events is now less cumbersome with new selection features. "Select all" and "Select page" options allow for rapid bulk actions, improving efficiency in high-volume event scenarios. Additionally, selected rows are now highlighted, providing clear visual feedback and reducing the likelihood of errors during bulk operations.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="enhanced-event-filtering">Enhanced Event Filtering<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#enhanced-event-filtering" class="hash-link" aria-label="Direct link to Enhanced Event Filtering" title="Direct link to Enhanced Event Filtering" translate="no">​</a></h2>
<p>Filter management has been redesigned for easier access. With Event Filtering Improvements, users can choose to display filters directly on the page, as an alternative to the previous slide-out model. This update makes refining event searches faster, allowing for quicker identification of relevant events.</p>
<p>Additionally, we've introduced filters specifically for SLAs, enabling you to focus on events based on their SLA status, such as breached or approaching breach, to ensure timely interventions.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="resolution-restrictions-by-status">Resolution Restrictions by Status<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#resolution-restrictions-by-status" class="hash-link" aria-label="Direct link to Resolution Restrictions by Status" title="Direct link to Resolution Restrictions by Status" translate="no">​</a></h2>
<p>For added control over event lifecycles, Resolution Restrictions allow administrators to enforce specific resolutions based on event status. This ensures that certain statuses follow predetermined closure protocols, reducing error risks and enforcing consistency in event handling.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="support-for-client-certificates">Support for Client Certificates<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#support-for-client-certificates" class="hash-link" aria-label="Direct link to Support for Client Certificates" title="Direct link to Support for Client Certificates" translate="no">​</a></h2>
<p>For organizations prioritizing security, we've added Client Certificate support. Client certificate (mutual TLS) authentication is configured in splunkd itself; once splunkd is set to require client certificates, AME works with that configuration, so only clients presenting a certificate issued by a CA you trust can interact with its API and event handling. This adds a layer of control over API access and helps protect sensitive data.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="api-endpoint-for-event-retrieval">API Endpoint for Event Retrieval<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#api-endpoint-for-event-retrieval" class="hash-link" aria-label="Direct link to API Endpoint for Event Retrieval" title="Direct link to API Endpoint for Event Retrieval" translate="no">​</a></h2>
<p>For those who prefer direct data access, we've introduced a new API endpoint to retrieve events programmatically. Previously, accessing events required running a Splunk search. The endpoint returns events directly, which simplifies integration with other systems and automation built around event data.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="object-references-in-the-ui">Object References in the UI<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#object-references-in-the-ui" class="hash-link" aria-label="Direct link to Object References in the UI" title="Direct link to Object References in the UI" translate="no">​</a></h2>
<p>To aid in troubleshooting, Object References are now visible within the UI, providing insights into interconnected objects and dependencies. This transparency simplifies problem identification and speeds up resolution, making it easier to understand the relationships between different components.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="notification-testing-functionality">Notification Testing Functionality<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#notification-testing-functionality" class="hash-link" aria-label="Direct link to Notification Testing Functionality" title="Direct link to Notification Testing Functionality" translate="no">​</a></h2>
<p>Testing notifications just got easier! With the new Notification Testing option, you can manually trigger notifications to ensure configurations are correct, minimizing the risk of missed alerts. This feature allows for proactive verification of notification settings, ensuring that critical alerts are delivered as intended.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="ms-teams-notification-enhancement">MS-Teams Notification Enhancement<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-2-released#ms-teams-notification-enhancement" class="hash-link" aria-label="Direct link to MS-Teams Notification Enhancement" title="Direct link to MS-Teams Notification Enhancement" translate="no">​</a></h2>
<p>For those using MS-Teams, we've updated the Teams Notification feature to support PowerAutomate. This update offers continuity for users of the now-deprecated connector, enhancing integration flexibility and ensuring that your notification workflows remain uninterrupted.</p>
<p>These updates provide greater flexibility, improved control, and enhanced performance in managing events. Explore these powerful new tools to make your event workflows more efficient and reliable.</p>
<p><strong>References:</strong></p>
<ul>
<li class=""><a class="" href="https://alertmanager.app/docs/ame-release-notes">Release Notes</a></li>
<li class=""><a class="" href="https://alertmanager.app/docs/ame-slas">Documentation</a></li>
<li class=""><a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">SplunkBase</a></li>
</ul>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[Tutorial: Workflow Actions in AME]]></title>
        <id>https://alertmanager.app/blog/video-tutorial-setting-up-workflow-actions-in-ame</id>
        <link href="https://alertmanager.app/blog/video-tutorial-setting-up-workflow-actions-in-ame"/>
        <updated>2024-09-10T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Learn how to extend Alert Manager Enterprise with Splunk workflow actions to drill into event fields in external systems.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Video Tutorial: Setting up Workflow Actions in AME" src="https://alertmanager.app/assets/images/workflow-actions-ac125c3977c47c435a2a4b42efde606c.jpg" width="800" height="450" class="img__Ss2"></p>
<p>Workflow Actions are a feature of the base Splunk platform that allows interactions between events in Splunk and external systems. AME can be extended with workflow actions so that analysts can click on a field within an AME event and pivot on that value into an external system.</p>
<p>Everything about setting up workflow actions can be found in the <a href="https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/CreateworkflowactionsinSplunkWeb" target="_blank" rel="noopener noreferrer" class="">Splunk Knowledge Manager manual</a>.</p>
<p>In short, workflow actions bridge fields in Splunk with external web-based resources. They can be used for a number of use cases:</p>
<ul>
<li class="">Look up data for an IP address in an external system</li>
<li class="">Return information for a device from the CMDB</li>
<li class="">Create an incident in an external ticketing system</li>
</ul>
<p>Workflow actions can also be used to trigger a search within Splunk, allowing you to further drill into information within the Splunk platform itself.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="tutorial">Tutorial<a href="https://alertmanager.app/blog/video-tutorial-setting-up-workflow-actions-in-ame#tutorial" class="hash-link" aria-label="Direct link to Tutorial" title="Direct link to Tutorial" translate="no">​</a></h2>
<p>In today's tutorial we will show how workflow actions can be used to extend the AME interface. We will be demonstrating how to pivot to an external data source to obtain more information about a threat.</p>
<p>In our AME instance, we will drill into an inbound port scan event. We would like to know more about the specific <code>src_ip</code> that is associated with this detection and we would like to look up this IP address in a Threat Intelligence Platform.</p>
<p>It is pertinent to note that Workflow Actions operate predominantly on fields. In this example, we navigate to Workflow Actions under Field Settings and add a new Workflow Action.</p>
<p>For our example we will enable an integration with VirusTotal. Once the action has been saved, reload the event within AME.</p>
<p>This can also be used to pivot to your CMDB system to look up asset information, or to peruse change information in your change management system.</p>
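<p>When the Workflow Action is saved in Splunk Web, Splunk writes a stanza to <code>workflow_actions.conf</code>. The equivalent stanza below is added here as an example and is not part of the original tutorial; the stanza name, the app path in the comment and the VirusTotal URL pattern are assumptions for illustration.</p>

```ini
# Example location (assumption): $SPLUNK_HOME/etc/apps/<your_app>/local/workflow_actions.conf
[virustotal_ip_lookup]
type = link
label = Look up $src_ip$ on VirusTotal
fields = src_ip
display_location = both
link.method = get
link.target = blank
link.uri = https://www.virustotal.com/gui/ip-address/$src_ip$
```

<p>Restricting <code>fields</code> to <code>src_ip</code> keeps the action out of the menu for unrelated fields. Because the field value is substituted into <code>link.uri</code>, every click sends that IP address to VirusTotal; reserve this kind of action for fields you are willing to disclose to the external provider, and where the external system accepts it use <code>link.method = post</code> so the value travels in the request body rather than in a URL that ends up in proxy and browser-history logs.</p>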
<p>Watch the full video tutorial on our <a href="https://www.youtube.com/@datapunctum" target="_blank" rel="noopener noreferrer" class="">YouTube channel</a> to see the step-by-step walkthrough.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="articles" term="articles"/>
        <category label="tutorials" term="tutorials"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.1]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-1-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released"/>
        <updated>2024-08-10T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Alert Manager Enterprise 3.1 brings UI improvements, rule engine enhancements, Python 3.9 compatibility, and many quality-of-life features.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.1 Released" src="https://alertmanager.app/assets/images/ame-3-1-d5ac3faece04c69e0edb2671fff210e9.png" width="800" height="450" class="img__Ss2"></p>
<p>The Datapunctum AG team is proud to announce the 3.1 release of our flagship product, Alert Manager Enterprise. This release marks another milestone in the journey of Alert Manager Enterprise; it is a collaborative effort built on features requested by the community and our customers.</p>
<p>This release introduces a number of new features, compatibility improvements, bug fixes as well as performance enhancements to Alert Manager Enterprise. We will cover these broadly under the following sections.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="ui-improvements">UI Improvements<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#ui-improvements" class="hash-link" aria-label="Direct link to UI Improvements" title="Direct link to UI Improvements" translate="no">​</a></h2>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="event-summary-timeline">Event Summary Timeline<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#event-summary-timeline" class="hash-link" aria-label="Direct link to Event Summary Timeline" title="Direct link to Event Summary Timeline" translate="no">​</a></h3>
<p>The AME event overview page sports three major improvements in this release. The first is the ability to toggle the Event Summary Timeline. The timeline's earliest and latest bounds follow the time range the user has selected in the filter properties, and it plots the number of events grouped by priority.</p>
<p>We believe the timeline will be a great advantage especially to our NOC and SOC customers who monitor events on large-format displays.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="compact-and-expanded-mode">Compact and Expanded Mode<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#compact-and-expanded-mode" class="hash-link" aria-label="Direct link to Compact and Expanded Mode" title="Direct link to Compact and Expanded Mode" translate="no">​</a></h3>
<p>The second major UI improvement in this release is the "expanded mode" view. Users have asked for ways to present more information and context about an event on the overview page.</p>
<p>When perusing the list of events, it is often useful to see a specific key/value field of the event at a glance on the overview screen. Expanded mode lets users highlight key properties of the event directly on the overview page, saving additional clicks.</p>
<p>The information that can be opted to display includes:</p>
<ul>
<li class="">Notable fields (key/value)</li>
<li class="">Event Tags</li>
<li class="">Event Metadata</li>
</ul>
<p>The display settings for the expanded view can be configured in the tenant configuration screen. We believe this will improve efficiency of teams when perusing the event overview screen, as pertinent information can now be highlighted to the user or analyst, without the need to drill into the event first.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="updates-to-the-refresh-functionality">Updates to the Refresh Functionality<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#updates-to-the-refresh-functionality" class="hash-link" aria-label="Direct link to Updates to the Refresh Functionality" title="Direct link to Updates to the Refresh Functionality" translate="no">​</a></h3>
<p>The third major UI enhancement is the behaviour of the refresh functionality on the overview screen. A common complaint with the previous release was the loss of focus when the screen refreshed. We have completely reworked the refresh functionality so that updates to the event list no longer shift the analyst's focus away from the information they were investigating.</p>
<p>Additionally, the refresh information is now updated in the footer of the overview display, showing the specific state of the refresh timer. When an event is brought into focus by the user, the refresh is paused and the footer updated. This ensures that the user will not lose focus when interacting with events.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="event-summary-tab-ordering">Event Summary Tab Ordering<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#event-summary-tab-ordering" class="hash-link" aria-label="Direct link to Event Summary Tab Ordering" title="Direct link to Event Summary Tab Ordering" translate="no">​</a></h3>
<p>When perusing an event, the ordering of the event tabs can now be adjusted. This order is configured in the tenant configuration page.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="event-summary-saved-filters">Event Summary Saved Filters<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#event-summary-saved-filters" class="hash-link" aria-label="Direct link to Event Summary Saved Filters" title="Direct link to Event Summary Saved Filters" translate="no">​</a></h3>
<p>AME 3.1 now has the ability to save your preset filter conditions for re-use or for sharing with your team. Also a requested feature by our community, having the ability to save and share filters ensures your entire team is on the same page when handling alerts in your environment.</p>
<p>As an example, a filter can be made for all events that match the <code>pci-dss</code> tag. The PCI SOC team can all select this filter in their AME console to ensure the team is considering only the pertinent events they need for their day-to-day activities.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="single-value-trendlines">Single Value Trendlines<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#single-value-trendlines" class="hash-link" aria-label="Direct link to Single Value Trendlines" title="Direct link to Single Value Trendlines" translate="no">​</a></h3>
<p>Single values now have trendlines within their bounding frames, showing the trend of the specific priority over time.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="rule-engine-improvements">Rule Engine Improvements<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#rule-engine-improvements" class="hash-link" aria-label="Direct link to Rule Engine Improvements" title="Direct link to Rule Engine Improvements" translate="no">​</a></h2>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="rule-execution-on-event-update">Rule Execution on Event Update<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#rule-execution-on-event-update" class="hash-link" aria-label="Direct link to Rule Execution on Event Update" title="Direct link to Rule Execution on Event Update" translate="no">​</a></h3>
<p>The rule engine can now also fire when an event is updated (such as an append). This enables more complex logic; for example, if an alert triggers again while it is still unassigned, the rule engine can raise its priority or escalate it.</p>
<p>Additionally the rule engine now also supports wildcard matches.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="compatibility-improvements">Compatibility Improvements<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#compatibility-improvements" class="hash-link" aria-label="Direct link to Compatibility Improvements" title="Direct link to Compatibility Improvements" translate="no">​</a></h2>
<p>AME 3.1 is now compatible with Python 3.9. This is especially important for our Splunk Cloud customers, where Python 3.9 is now the default interpreter in the Cloud Stack. We especially urge our Splunk Cloud customers to upgrade to AME 3.1 to ensure current and future compatibility with Splunk Cloud installs.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="other-improvements">Other Improvements<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#other-improvements" class="hash-link" aria-label="Direct link to Other Improvements" title="Direct link to Other Improvements" translate="no">​</a></h2>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="full-name-displayed-for-assignee">Full Name Displayed for Assignee<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#full-name-displayed-for-assignee" class="hash-link" aria-label="Direct link to Full Name Displayed for Assignee" title="Direct link to Full Name Displayed for Assignee" translate="no">​</a></h3>
<p>The full name (according to information in Splunk for the user) is now displayed, instead of the username.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="chips-for-impact-and-urgency">Chips for Impact and Urgency<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#chips-for-impact-and-urgency" class="hash-link" aria-label="Direct link to Chips for Impact and Urgency" title="Direct link to Chips for Impact and Urgency" translate="no">​</a></h3>
<p>The impact and urgency labels are now coloured appropriately.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="bulk-comments-on-events">Bulk Comments on Events<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#bulk-comments-on-events" class="hash-link" aria-label="Direct link to Bulk Comments on Events" title="Direct link to Bulk Comments on Events" translate="no">​</a></h3>
<p>A comment can now be added to multiple events at once.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="internal-ame-fields-for-notable-fields">Internal AME Fields for Notable Fields<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#internal-ame-fields-for-notable-fields" class="hash-link" aria-label="Direct link to Internal AME Fields for Notable Fields" title="Direct link to Internal AME Fields for Notable Fields" translate="no">​</a></h3>
<p>Internal AME fields can now be manipulated in AME in the same way as notable fields.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="search-command-for-object-reference-lookup">Search Command for Object Reference Lookup<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#search-command-for-object-reference-lookup" class="hash-link" aria-label="Direct link to Search Command for Object Reference Lookup" title="Direct link to Search Command for Object Reference Lookup" translate="no">​</a></h3>
<p>A new command is provided for users if they need to delve into the object references of their AME installation. Example:</p>
<div class="language-text codeBlockContainer_ZGJx theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_kX1v"><pre tabindex="0" class="prism-code language-text codeBlock_TAPP thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_AdAo"><span class="token-line" style="color:#393A34"><span class="token plain">| amelookupreferences type=notification tenant_uid=ops object_name=ops-mail</span><br></span></code></pre></div></div>
<p>More information on the command may be obtained on our <a href="https://docs.datapunctum.com/ame/ame-command-amelookupreferences/" target="_blank" rel="noopener noreferrer" class="">documentation page</a>.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="manually-add-a-cve-tag">Manually Add a CVE Tag<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#manually-add-a-cve-tag" class="hash-link" aria-label="Direct link to Manually Add a CVE Tag" title="Direct link to Manually Add a CVE Tag" translate="no">​</a></h3>
<p>Users can now add their own context as CVE tags.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="search-description-markdown-support">Search Description Markdown Support<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#search-description-markdown-support" class="hash-link" aria-label="Direct link to Search Description Markdown Support" title="Direct link to Search Description Markdown Support" translate="no">​</a></h3>
<p>Markdown syntax typed in search description fields is now supported, meaning the markdown content is rendered in the saved search description.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="in-closing">In Closing<a href="https://alertmanager.app/blog/alert-manager-enterprise-3-1-released#in-closing" class="hash-link" aria-label="Direct link to In Closing" title="Direct link to In Closing" translate="no">​</a></h2>
<p>All of us here at Datapunctum AG would like to thank our customers, community and users for their continued support in making Alert Manager Enterprise great!</p>
<p>We are continually improving the product and looking for interesting use cases where AME can help customers manage their alert fatigue. If you are interested in a demo, feature request, or need more information on how AME can help solve your Splunk alerting needs, please do not hesitate to <a href="https://alertmanager.app/" target="_blank" rel="noopener noreferrer" class="">reach out to us</a>. Follow us on <a href="https://www.linkedin.com/company/datapunctum/" target="_blank" rel="noopener noreferrer" class="">LinkedIn</a>.</p>
<p><strong>References:</strong></p>
<ul>
<li class=""><a href="https://docs.datapunctum.com/ame/ame-whats-new" target="_blank" rel="noopener noreferrer" class="">What's New</a></li>
<li class=""><a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">SplunkBase</a></li>
</ul>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[Feature Highlight: Rules and Notifications]]></title>
        <id>https://alertmanager.app/blog/ame-3-0-new-rule-engine-notification-functionality</id>
        <link href="https://alertmanager.app/blog/ame-3-0-new-rule-engine-notification-functionality"/>
        <updated>2024-04-15T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[A deep dive into the new Rule Engine and Notification Engine introduced in Alert Manager Enterprise 3.0.]]></summary>
<content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="AME 3.0 Rule Engine &amp; Notifications" src="https://alertmanager.app/assets/images/ame-3-0-rule-engine-9eea8e385771abf8bde4e33839e7a17a.png" width="800" height="450" class="img__Ss2"></p>
<p>In our recent communication regarding the launch of Alert Manager Enterprise (AME) version 3.0, we introduced various new features and enhancements, showcasing our commitment to delivering substantial value to our clients and users. We plan to delve deeper into these updates through a series of blog posts, elaborating on how these innovations not only bolster the capabilities of AME but also offer customization options to align with the specific processes of our clients.</p>
<p>A highlight of the AME 3.0 release is the introduction of the Rule Engine, a pivotal element within AME's framework that empowers users to create intricate workflows and automation. This engine is at the heart of AME 3.0, underpinning the core logic and facilitating seamless interaction flows within the software.</p>
<p>The Rule Engine plays a crucial role: it is activated whenever an alert is dispatched to AME. It evaluates every incoming event and can modify event metadata based on a series of complex conditions. Users craft these conditions in the Rule Composer, using conditional logic (AND/OR/NOT) that operates on either the event data or its metadata.</p>
<p>Furthermore, the Rule Engine triggers notifications through any supported schemes (Email, Slack, Teams, etc.). With the ability to initiate generic Webhooks through GET and POST requests, AME can be extended to automate and trigger a wide range of functions in external systems based on specific event conditions.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="example-1-tagging-of-events-related-to-pci-networks">Example 1: Tagging of Events Related to PCI Networks</h2>
<p>Properly handling events based on the originating PCI zone is imperative in scenarios requiring PCI compliance. A simple rule can assign a tag to an event if it originates from or is destined to a PCI zone, utilizing source or destination IP addresses. This facilitates setting appropriate impact and urgency levels for events associated with the Cardholder Data Environment (CDE) network.</p>
<p>The same template can be used to handle events that apply to PCI and non-PCI assets alike, and the rule tags the event only where required.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="example-2-privileged-access-management">Example 2: Privileged Access Management</h2>
<p>Monitoring privileged access is a staple activity within Security Operations Centers (SOCs), ensuring that elevated access privileges are used responsibly and auditably. AME facilitates this through a template that defines how new events are created following a privileged logon, accommodating environments that run both Windows and Linux systems. This unified approach streamlines the management of privileged access events.</p>
<p>Since our environment supports both Windows and Linux, we have a single AME template for the Privilege Access Event, which is invoked by two searches: one for Windows logons and the other for Linux logons. Both searches target the same AME template, which triggers a notification and sets event attributes when a privileged logon event occurs.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="introducing-customisable-notifications">Introducing Customisable Notifications</h2>
<p>The notification functionality in Alert Manager Enterprise (AME) version 3.0 has been significantly enhanced to cater to both human recipients and automated systems. Integrating the Rule Engine and the new Notification Engine allows for sophisticated conditional evaluations, enabling precise control over the timing and content of notifications sent to teams or external systems.</p>
<p>Administrators can now define <strong>Notification Schemes</strong>, <strong>Notification Targets</strong>, and <strong>Notification Templates</strong> within AME. Notification Targets refer to the delivery endpoints, such as Email, Slack, Teams, etc. Additionally, the system supports Splunk Alert Actions and Webhook targets, enabling users to develop REST/HTTP-based integrations with customized payloads derived from event data using the Template system.</p>
<p>This advanced functionality transforms AME into a robust platform for orchestrating complex workflows and automation.</p>
<p>The AME Template system uses the widely used Jinja syntax, which allows template contents to be formatted and populated dynamically. Templates can be tailored for structured and unstructured text-based formats, including HTML, XML, JSON, and plain text, giving flexibility across a wide range of application scenarios.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="going-further-whats-next">Going Further: What's Next?</h2>
<p>The Rule Engine's capability to facilitate complex event management logic and the Notification Engine's automatic update triggers pave the way for extensive automation possibilities. By leveraging external services via Webhooks, AME's system can be expanded to automate many functionalities.</p>
<p>Further exploration of these capabilities and their potential applications will be the subject of a forthcoming blog post. Follow us on <a href="https://www.linkedin.com/company/datapunctum/" target="_blank" rel="noopener noreferrer" class="">LinkedIn</a> to stay up to date.</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="articles" term="articles"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 3.0]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-3-0-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-3-0-released"/>
        <updated>2024-03-28T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Alert Manager Enterprise 3.0 brings a powerful new Rule Engine, Notification templates, Event Resolutions, and significant performance improvements.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 3.0 Released" src="https://alertmanager.app/assets/images/ame-3-0-d5ac3faece04c69e0edb2671fff210e9.png" width="800" height="450" class="img__Ss2"></p>
<p>The Datapunctum team is proud to release version 3.0 of Alert Manager Enterprise. This major release marks another milestone in the Alert Manager Enterprise journey that started more than three years ago. We are especially proud of this release since it coincides with Datapunctum's 5th birthday, another significant achievement and impetus for celebration for the team.</p>
<p>We are excited about the new features and functionalities introduced in the latest release and how these features can help customers realize how AME can benefit their event resolution workflows.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="rule-and-notification-engines">Rule and Notification Engines</h2>
<p>This release sees significant enhancements to the Rule and Notification engines within AME. Customers can now model workflows and states according to their processes. The release also introduces Notification templates and a template editor. Customers can craft custom templates with content based on the Jinja templating syntax to drive notifications from the platform.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="event-automation">Event Automation</h2>
<p>The rule engine can now power dynamic event updates, with the rule composer used to craft complex logic evaluations that determine when updates and notification triggers should fire.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="event-resolutions">Event Resolutions</h2>
<p>Event resolutions are now available, allowing analysts to set the ultimate state of an event, such as designating it as a "False positive," "True positive," "Benign true positive," etc. Customers can define their own resolutions per tenant to ensure that events are accurately classified and can provide insights into reporting KPIs.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="improved-statuses">Improved Statuses</h2>
<p>Statuses have been improved, and status transitions can now be enforced. Users can constrain transitions so that event flows accurately match their internal processes and events can no longer be moved through improper transitions.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="performance-improvements">Performance Improvements</h2>
<p>Performance improvements were also made across the new release. The backend and API improvements result in a much more responsive user interface and a better overall user experience.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="notification-template-editor">Notification Template Editor</h2>
<p>Customers can craft custom templates using the templating syntax to render structured text (such as HTML) or plain text. Event information and metadata can be freely referenced to create timely and concise notifications, ensuring the right information reaches analysts at the right time.</p>
<p>We will be publishing additional blogs and articles showcasing how these new features can enable your team to streamline and improve their workflows and alert management processes.</p>
<p>We are proud of this latest achievement and eager for our customers to experience the benefits of Alert Manager Enterprise Version 3.0. Our commitment to continuous improvement and excellence remains unwavering, and we look forward to supporting our customers in achieving their operational goals. Stay tuned, and be sure to follow us on <a href="https://www.linkedin.com/company/datapunctum/" target="_blank" rel="noopener noreferrer" class="">LinkedIn</a>.</p>
<p><strong>References:</strong></p>
<ul>
<li class=""><a href="https://docs.datapunctum.com/ame/ame-release-notes" target="_blank" rel="noopener noreferrer" class="">Release Notes</a></li>
<li class=""><a href="https://docs.datapunctum.com/ame/ame-whats-new" target="_blank" rel="noopener noreferrer" class="">What's New</a></li>
<li class=""><a href="https://docs.datapunctum.com/ame" target="_blank" rel="noopener noreferrer" class="">Documentation</a></li>
<li class=""><a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">SplunkBase</a></li>
</ul>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[Integration: Jira and Splunk Mobile]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-jira-and-splunk-mobile-integration</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-jira-and-splunk-mobile-integration"/>
        <updated>2023-11-06T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[How to integrate Alert Manager Enterprise with Jira and Splunk Mobile using Alert Action Notifications.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Jira and Splunk Mobile Integration" src="https://alertmanager.app/assets/images/jira-splunk-mobile-9d5324b193d404ff0d1d370a3999d831.png" width="535" height="477" class="img__Ss2"></p>
<p>Alert Manager Enterprise 2.0 was released last week, bringing many exciting new features. In Version 2.0, we also changed the Alert Action Notifications into a free feature.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="the-power-of-alert-action-notifications">The Power of Alert Action Notifications</h2>
<p>The Alert Action Notification feature allows you to utilize existing Alert Actions seamlessly. This means that the results of an AME event can now be effortlessly passed to the selected Alert Action command when a status change happens, e.g., when a new Event is created or assigned.</p>
<p>The Alert Action Channel supports parametrization. You can use static values for parameters or reference results using the <code>$&lt;result.field&gt;$</code> syntax. This flexibility gives you full control and customization over your alerts.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="real-world-examples">Real-World Examples</h2>
<p>To show you just how powerful these new features can be, we've included a couple of real-world examples:</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="automatically-open-a-jira-task">Automatically Open a Jira Task</h3>
<p>In this example, we'll walk you through configuring an automatic Jira Task creation when changing the status of an AME event. We provide step-by-step instructions and prerequisites so you can get started right away.</p>
<h3 class="anchor anchorTargetStickyNavbar_SAay" id="automatically-send-a-splunk-mobile-alert">Automatically Send a Splunk Mobile Alert</h3>
<p>In this scenario, we'll guide you through setting up automatic Splunk Mobile Alerts when the status of an AME event changes. With detailed instructions and prerequisites, you can take full advantage of this feature quickly. We have added a Splunk Mobile Dashboard so you can have all the essential Event information at your fingertips!</p>
<p>You can find the examples in our <a href="https://docs.datapunctum.com/ame/ame-notification-manager#examples" target="_blank" rel="noopener noreferrer" class="">documentation page</a>.</p>
<p>Our commitment to delivering an exceptional experience is at the heart of Alert Manager Enterprise. We value your feedback and strive to meet your needs.</p>
<p>So, what are you waiting for? Dive into the world of Alert Manager Enterprise and take your event management to the next level. We're here to empower you every step of the way!</p>
<p><strong>References:</strong></p>
<ul>
<li class=""><a href="https://docs.datapunctum.com/ame/ame-notification-manager" target="_blank" rel="noopener noreferrer" class="">Alert Action Notifications documentation</a></li>
<li class=""><a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">SplunkBase</a></li>
</ul>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="articles" term="articles"/>
        <category label="integrations" term="integrations"/>
    </entry>
    <entry>
        <title type="html"><![CDATA[AME Release: 2.0]]></title>
        <id>https://alertmanager.app/blog/alert-manager-enterprise-2-0-released</id>
        <link href="https://alertmanager.app/blog/alert-manager-enterprise-2-0-released"/>
        <updated>2023-10-30T00:00:00.000Z</updated>
        <summary type="html"><![CDATA[Alert Manager Enterprise 2.0 introduces a sleek new user interface, dark mode support, enhanced event filtering, Sankey charts, and improved reporting commands.]]></summary>
        <content type="html"><![CDATA[<p><img decoding="async" loading="lazy" alt="Alert Manager Enterprise 2.0 Released" src="https://alertmanager.app/assets/images/ame-2-0-a6983796d508abc6949d65d46e89940e.png" width="1200" height="630" class="img__Ss2"></p>
<p>Alert Manager Enterprise for Splunk has been a go-to solution for organizations looking to manage and respond to critical events effectively. With the release of version 2.0, Alert Manager has undergone a significant transformation, introducing a sleeker user interface, dark mode support, and a host of enhanced features that promise to streamline your event management processes. In this blog post, we'll dive into the new and improved aspects of Alert Manager Enterprise 2.0.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="a-fresh-slick-user-interface">A Fresh, Slick User Interface</h2>
<p>The most noticeable change in this release is the updated user interface. Alert Manager Enterprise 2.0 has embraced a sleek and modern design, making your experience smoother and more intuitive. The switch to Splunk UI components brings a familiar and cohesive look that integrates seamlessly with your existing Splunk experience.</p>
<p>With the UI overhaul, users can navigate and manage events more efficiently.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="dark-mode-for-night-owls">Dark Mode for Night Owls</h2>
<p>Alert Manager Enterprise offers UI-theming support (Dark Mode FTW!) for those who prefer working in low-light conditions or enjoy the stylish aesthetics of a dark interface.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="maximize-screen-real-estate">Maximize Screen Real Estate</h2>
<p>In Alert Manager Enterprise 2.0, users can hide single-value indicators, providing maximum screen real estate for their events.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="streamlined-event-filtering">Streamlined Event Filtering</h2>
<p>We have given event view filters a makeover as well. The filters are now hidden in a slide-out, offering a more streamlined and cleaner interface. We have also improved filtering based on event data!</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="event-table-sorting">Event Table Sorting</h2>
<p>In response to user feedback and as a testament to our commitment to improving user experience, we have added table sorting to the Event Summary.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="information-at-your-fingertips">Information at Your Fingertips</h2>
<p>Alert Manager Enterprise 2.0 adds a footer that a user can hide. When displayed, it provides essential metadata for the events summary, such as whether the summary was last reloaded automatically or by a user, the time range, and the number of events found.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="new-reporting-dashboard-state-transitions">New Reporting Dashboard: State Transitions</h2>
<p>Alert Manager Enterprise 2.0 introduces a redesigned KPI dashboard featuring a Sankey chart to enhance reporting. The dashboard helps you understand event lifecycles to improve operational efficiency.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="improved-reporting-commands">Improved Reporting Commands</h2>
<p>Creating custom reports is now more straightforward with the improved reporting commands in Alert Manager Enterprise 2.0. These commands allow you to tailor your reports to your specific requirements, providing the flexibility to analyze your data in a way that suits your organization's unique needs. It's also possible to add your custom dashboards to Alert Manager Enterprise.</p>
<h2 class="anchor anchorTargetStickyNavbar_SAay" id="conclusion">Conclusion</h2>
<p>The release of Alert Manager Enterprise 2.0 for Splunk marks a significant step forward in event management and incident response workflows. With its sleek new UI, support for dark mode, enhanced event filtering, metadata presentation, Sankey charts, and improved reporting commands, this update makes managing alerts and events even more effortless. Combining user-friendly design with powerful functionality, Alert Manager Enterprise 2.0 is a must-have tool for businesses prioritizing effective event management.</p>
<p>Download our latest release from <a href="https://splunkbase.splunk.com/app/6730" target="_blank" rel="noopener noreferrer" class="">Splunkbase</a> now!</p>]]></content>
        <author>
            <name>Datapunctum</name>
            <uri>https://datapunctum.com</uri>
        </author>
        <category label="ame" term="ame"/>
        <category label="updates" term="updates"/>
        <category label="releases" term="releases"/>
    </entry>
</feed>