
Alert Manager Enterprise 3.1 Released

Datapunctum

Sep 23rd, 2024

The Datapunctum team is proud to announce the 3.1 release of our flagship product, Alert Manager Enterprise. This release marks another milestone in the journey of Alert Manager Enterprise; it is a collaborative effort based on features requested by the community and our customers.


What’s new in AME 3.1


This release introduces a number of new features, compatibility improvements, bug fixes and performance enhancements to Alert Manager Enterprise. We cover these broadly under the following sections. We are excited about how these features will enable customers to enhance their alert management workflows in Splunk.


UI Improvements


Event Summary Timeline


The AME event overview page sports three major improvements in this release. The first is the ability to toggle the Event Summary Timeline.


Event Summary Timeline


The timeline has an earliest and latest period corresponding to what the user has selected in the filter properties. It shows the number of events over that period, grouped by their respective priorities.


Timeline toggle


The timeline can be toggled by the user.


We believe the timeline UI enhancement will be a great advantage, especially to our NOC and SOC customers who monitor events on large format displays.


Compact and Expanded Mode


The second major UI improvement in this release is the "expanded mode" view. Users have asked us for ways to present more information and context about an event on the overview page.

When perusing the list of events it is often useful to see, at a glance, a specific key/value field of the event on the overview screen. This allows users to highlight key properties of the event directly on the overview page, saving additional clicks.

The information that can be selected for display includes the following:

  • Notable fields (key/value)

  • Event Tags

  • Event Metadata


Expanded View

Toggling the expanded view adds a second set of information below each event, containing the fields that were selected for display.

The display settings for the expanded view can be configured in the tenant configuration screen.


Expanded View Settings

We believe this will improve the efficiency of teams when perusing the event overview screen, as pertinent information can now be highlighted to the user or analyst without the need to drill into the event first.


Updates to the refresh functionality


The third major UI enhancement is the behaviour of the refresh functionality on the overview screen. A common caveat in the previous release was the loss of focus when a refresh of the screen occurred. We have completely reworked the refresh functionality so that updates to the event list no longer shift the analyst's focus away from the information they were investigating.


Refresh Time


The refresh interval can be selected by the user.


Additionally, the refresh information is now shown in the footer of the overview display, indicating the current state of the refresh timer.


Next refresh footer


When an event is brought into focus by the user, the refresh is paused and the footer is updated accordingly. This ensures that the user does not lose focus when interacting with events.


Refresh suspended footer


Once the refresh timer expires and a refresh is in progress, the footer shows the activity "Refreshing"; once complete, the footer again updates to show the next refresh interval.


Refreshing footer


Event Summary Tab Ordering


When viewing an event, the ordering of the event tabs can now be adjusted.


Event Tab Ordering


This order is configured on the tenant configuration page.


Event Tab Order Settings


Event Summary Saved Filters


AME 3.1 now has the ability to save your preset filter conditions for re-use or for sharing with your team. Also a feature requested by our community, the ability to save and share filters ensures your entire team is on the same page when handling alerts in your environment.


As an example, a filter can be created for all events that match the pci-dss tag. The PCI SOC team can then select this filter in their AME console to ensure the team considers only the events pertinent to their day-to-day activities.



Event Summary Filter


Single Value Trendlines

Single values now have trendlines within their bounding frames, showing the trend of the specific priority over time.


Single Value Trendlines


Rule Engine Improvements


Rule execution on event update


The rule engine can now also fire when an event is updated (such as an append). This allows the rule engine to be used for more complex logic; as an example, if an alert triggers again while it is still unassigned, the alert can be prioritized or escalated appropriately.

Additionally, the rule engine now also supports wildcard matches.


Compatibility Improvements


AME 3.1 is now compatible with Python 3.9. This is especially important for our Splunk Cloud customers, where Python 3.9 is now the default interpreter in the Cloud Stack. We urge our Splunk Cloud customers to upgrade to AME 3.1 to ensure current and future compatibility with Splunk Cloud installs.


Other Improvements


Full Name displayed for assignee


The full name of the assignee (according to the user information in Splunk) is now displayed instead of the username.


Chips for impact and urgency


The impact and urgency labels are now shown as appropriately coloured chips.


Bulk comments on events


A comment can now be added to multiple events at once.


Internal AME Fields for Notable Fields


Internal AME fields can now also be manipulated in AME in the same way as notable fields.


Search Command for object reference lookup


A new search command is provided for users who need to delve into the object references of their AME installation. Example:

| amelookupreferences type=notification tenant_uid=ops object_name=ops-mail

More information on the command can be found on our documentation page: https://docs.datapunctum.ch/ame/ame-command-amelookupreferences/


Manually add a CVE Tag


Users can now manually add their own context to an event as CVE tags.


Search Description Markdown Support


Markdown syntax in search description fields is now supported, meaning the markdown content is rendered in the saved search description.


In closing


All of us here at Datapunctum AG would like to thank our customers, community and users for their continued support in making Alert Manager Enterprise great!


We are continually improving the product and looking for interesting use cases where AME can help customers manage their alert fatigue. If you are interested in a demo or a feature request, or need more information on how AME can help solve your Splunk alerting needs, please do not hesitate to reach out to us at: https://alertmanager.app


References:

https://alertmanager.app

https://docs.datapunctum.ch/ame/ame-whats-new

https://splunkbase.splunk.com/app/6730
