The Datapunctum AG team is proud to announce the 3.1 release of our flagship product, Alert Manager Enterprise. This release marks another milestone in the journey of Alert Manager Enterprise: it is a collaborative effort based on features requested by the community and our customers.
What’s new in AME 3.1
This release introduces a number of new features, compatibility improvements, bug fixes and performance enhancements to Alert Manager Enterprise. We cover these broadly under the following sections. We are excited about how these features will enable customers to enhance their alert management workflows in Splunk.
UI Improvements
Event Summary Timeline
The AME event overview page sports three major improvements in this release. The first is the ability to toggle the Event Summary Timeline.
The timeline's earliest and latest bounds correspond to the time range the user has selected in the filter properties. It shows the number of events in that range, grouped by their respective priorities.
The timeline can be toggled on and off by the user.
We believe the timeline UI enhancement will be a great advantage, especially to our NOC and SOC customers that monitor events on large format displays.
Compact and Expanded Mode
The second major UI improvement in this release is the “expanded mode” view. We have been asked by users for ways to present more information and context of an event in the overview page.
When perusing the list of events it is often useful to see, at a glance, specific key/value field information for an event directly in the overview screen. This allows users to highlight key properties of the event on the overview page, saving additional clicks.
The information that can be displayed includes the following:
- Notable fields (key/value)
- Event Tags
- Event Metadata
Toggling the expanded view adds a second row of information below each event, containing the items selected for display.
The display settings for the expanded view can be configured in the tenant configuration screen.
We believe this will improve the efficiency of teams when perusing the event overview screen, as pertinent information can now be highlighted to the user or analyst without the need to drill into the event first.
Updates to the refresh functionality
The third major UI enhancement is the behaviour of the refresh functionality on the overview screen. A common complaint about the previous release was the loss of focus when a refresh of the screen occurred. We have completely reworked the refresh functionality so that updates to the event list no longer shift the analyst's focus away from the information they were investigating.
The refresh interval can be selected by the user.
Additionally, the refresh state is now shown in the footer of the overview display, including the current state of the refresh timer.
When an event is brought into focus by the user, the refresh is paused and the footer is updated accordingly. This ensures that the user will not lose focus when interacting with events.
Once the refresh timer expires and a refresh is in progress, the footer shows the activity "Refreshing"; once complete, the footer updates again and points to the next refresh interval.
Event Summary Tab Ordering
When perusing an event, the ordering of the event tabs can now be adjusted.
This order is configured in the tenant configuration page.
Event Summary Saved Filters
AME 3.1 now has the ability to save your preset filter conditions for re-use or for sharing with your team. Also a feature requested by our community, the ability to save and share filters ensures your entire team is on the same page when handling alerts in your environment.
As an example, a filter can be made for all events that match the pci-dss tag. The PCI SOC team can then select this filter in their AME console to ensure the team is considering only the events pertinent to their day to day activities.
Single Value Trendlines
Single values now have trendlines within their bounding frames, showing the trend of the specific priority over time.
Rule Engine Improvements
Rule execution on event update
The rule engine can now also fire when an event is updated (such as an append). This allows the rule engine to be used for more complex logic; as an example, if an alert triggers again while it is still unassigned, the alert can be prioritized or escalated appropriately.
Additionally, the rule engine now also supports wildcard matches.
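To make the two rule-engine behaviours described above (and the saved tag filter from the Event Summary Saved Filters section) concrete, here is a small added illustration. It is not AME's rule engine or any Datapunctum code; it is a hypothetical model in which events are plain dictionaries with `tags`, `priority`, `assignee` and `trigger_count` fields, filters are field-to-wildcard-pattern mappings, and an on-update rule escalates an alert that re-triggers while unassigned.

```python
# Hypothetical illustration of filter and rule-engine semantics; not AME code.
# Assumed event shape: dict with 'title', 'tags' (list), 'priority',
# 'assignee' (None when unassigned) and 'trigger_count'.
from fnmatch import fnmatchcase

# Ordered from least to most severe; escalation moves one step up.
PRIORITIES = ["low", "medium", "high", "critical"]


def field_matches(event, field, pattern):
    """Wildcard match of one event field against a glob-style pattern.

    List-valued fields (such as tags) match if any element matches.
    Missing fields never match.
    """
    value = event.get(field)
    if isinstance(value, list):
        return any(fnmatchcase(str(v), pattern) for v in value)
    return value is not None and fnmatchcase(str(value), pattern)


def filter_events(events, conditions):
    """Return events matching every (field, pattern) condition - a saved filter."""
    return [e for e in events
            if all(field_matches(e, f, p) for f, p in conditions.items())]


def escalate(priority):
    """One step up the priority ladder, capped at the highest level."""
    idx = PRIORITIES.index(priority)
    return PRIORITIES[min(idx + 1, len(PRIORITIES) - 1)]


def on_event_update(event):
    """Rule fired on an event update: re-triggered and unassigned -> escalate.

    Returns a new dict; the input is left untouched.
    """
    if event.get("trigger_count", 0) > 1 and not event.get("assignee"):
        return dict(event, priority=escalate(event["priority"]))
    return dict(event)


def append_trigger(event):
    """Model an alert firing again for an existing event (an append update)."""
    updated = dict(event, trigger_count=event.get("trigger_count", 0) + 1)
    return on_event_update(updated)


# Constructed sample events (not real alert data).
SAMPLE_EVENTS = [
    {"title": "Failed logins from 10.0.0.5", "tags": ["pci-dss", "auth"],
     "priority": "medium", "assignee": None, "trigger_count": 1},
    {"title": "Card data export", "tags": ["pci-dss"],
     "priority": "high", "assignee": "jdoe", "trigger_count": 1},
    {"title": "Disk nearly full", "tags": ["ops"],
     "priority": "low", "assignee": None, "trigger_count": 1},
]


if __name__ == "__main__":
    # Saved filter: everything tagged pci-* (wildcard on the tag value).
    for e in filter_events(SAMPLE_EVENTS, {"tags": "pci-*"}):
        print("pci filter:", e["title"])
    # The unassigned PCI event re-triggers and is escalated; the assigned one is not.
    print(append_trigger(SAMPLE_EVENTS[0])["priority"])  # high
    print(append_trigger(SAMPLE_EVENTS[1])["priority"])  # high (unchanged)
```

The on-update rule deliberately keys on both conditions at once: a re-trigger alone is normal noise, but a re-trigger on an alert nobody has picked up is the case where silent aging is a risk, so that is the one that gets bumped.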
Compatibility Improvements
AME 3.1 is now compatible with Python 3.9. This is especially important for our Splunk Cloud customers, where Python 3.9 is now the default interpreter in the Cloud stack. We urge our Splunk Cloud customers to upgrade to AME 3.1 to ensure current and future compatibility with Splunk Cloud installs.
Other Improvements
Full Name displayed for assignee
The full name (according to the user's information in Splunk) is now displayed instead of the username.
Chips for impact and urgency
The impact and urgency labels are now coloured according to their level.
Bulk comments on events
A comment can now be added to multiple events at once.
Internal AME Fields for Notable Fields
Internal AME fields can now be manipulated in AME in the same way as notable fields.
Search Command for object reference lookup
A new search command is provided for users who need to delve into the object references of their AME installation. Example:
| amelookupreferences type=notification tenant_uid=ops object_name=ops-mail
More information on the command may be obtained on our documents page: https://docs.datapunctum.ch/ame/ame-command-amelookupreferences/
Manually add a CVE Tag
Users can now add their own context to an event as CVE tags.
Search Description Markdown Support
Markdown syntax in search description fields is now supported, meaning the markdown content is rendered in the saved search description.
In closing
All of us here at Datapunctum AG would like to thank our customers, community and users for their continued support in making Alert Manager Enterprise great!
We are continually improving the product and looking for interesting use cases where AME can help customers manage their alert fatigue. If you are interested in a demo or a feature request, or need more information on how AME can help solve your Splunk alerting needs, please do not hesitate to reach out to us at: https://alertmanager.app
References:
https://docs.datapunctum.ch/ame/ame-whats-new
https://splunkbase.splunk.com/app/6730