Introduction
The wait is over—Datapunctum has released Alert Manager Enterprise (AME) 3.3, bringing a fresh set of tools to supercharge alert management in Splunk Enterprise and Splunk Cloud. This update packs a punch with features designed to make your IT Ops and Security workflows smarter and faster. Leading the pack are Observables and Risk Scoring, but there’s plenty more to explore. Let’s break down what’s new in AME 3.3 and how it can transform your alert handling.
Observables: Context at Your Fingertips
Picture this: an alert pops up for an IP address, and Observables instantly reveal it’s tied to a key server. This feature lets you track assets (e.g., devices, servers) and identities (e.g., users, roles), adding critical context to every alert.
- How It Works: Asset and identity data—like server IPs or usernames—is gathered from Splunk Alert Actions and stored with a unique ID (e.g., server01) for each item. You can merge this data, such as combining asset info from different sources (e.g., an IP from a network scan and a hostname from an inventory list), and it’s available through lookups (like ame_default_observable_assets) to enrich searches and alerts effortlessly.
- Why It’s Great: No more digging for info—Observables speed up responses and sharpen your focus.

Risk Scoring: Focus on What Matters
Risk Scoring gives your alerts a priority score, spotlighting the threats that need attention now. For example, a high-risk asset triggering an alert might jump 100 points and be flagged in the "Risk Events" tab.
- How It Works: Define risk modifiers in templates, connecting alert fields to observables and setting score changes (e.g., +100 for critical hits).
- Why It’s Great: Cuts through the noise, helping your team tackle high-stakes threats first.

Other Highlights in AME 3.3
Beyond Observables and Risk Scoring, AME 3.3 delivers these handy additions:
- Custom CA Chains: Lock down workflow actions and notifications with your own certificate authorities for extra security.
- Backup and Restore: Safeguard your AME setup with simple backup and restore tools, ready for any hiccup.
- Action Buttons: Tailor quick-action buttons to match your team’s needs, putting key tasks at your fingertips.
- Persistent Filter Values: Keep your Event Summary filter settings after applying them, saving setup time.
- Active Filter Name: See the active filter’s name right away, making navigation smoother.
Conclusion
AME 3.3 is here, and with Observables and Risk Scoring at the forefront, it’s set to redefine how you manage alerts—smarter context, sharper priorities. Add in custom CA chains, backups, and UI tweaks, and you’ve got a release that’s all about efficiency and control. Curious about the full lineup? Dive into the What’s New page for all the details on AME 3.3.