Feb 10, 2025

Enhanced Event Aggregation in Alert Manager Enterprise 3.2

This article will focus on the recent enhancements to AME’s event aggregation engine and the new features introduced in version 3.2.


A recap on Event Aggregation (event appending)

Event aggregation allows AME users to streamline alert management by defining templates for alerts. Templates dictate the attributes applied to events in AME. One of the core features of this system is determining whether events should be appended or aggregated to existing events. This has been a cornerstone of AME since its inception, helping users combat alert fatigue by consolidating recurring and duplicate events.

Key Enhancements in AME 3.2

Aggregation on Arbitrary Keys

Prior to version 3.2, event aggregation in AME relied solely on matching event titles. While effective, this approach had its limitations. The latest release introduces the ability to aggregate events based on multiple arbitrary keys, greatly enhancing flexibility.

For instance, in environments with multiple alerts from diverse sources targeting the same device, you can now aggregate these events using a specific key, such as host name or device name. This ensures all alerts related to a particular asset are consolidated into a single event, providing a clear and cohesive view.

Configuring Event Aggregation

AME offers several options to fine-tune event aggregation. Here’s how you can configure it:

Navigate to the template section under Tenants. There you can add a new template. For the example below, we add a template for aggregation.

[Figure: example template configuring aggregation on the dest field]

Template Settings

On the right side, you’ll find parameters governing event aggregation. Key options include:

  • Append: Enable the aggregation for matching events.
  • Append Strict: Specify whether all event keys must match for aggregation to occur.
  • Notification on Append: Disable notifications for appended events, allowing notifications only for newly created events if desired.
  • Append Keys: Here you can add the keys that should be used for aggregation. These can include fields from the event data or (select) internal AME fields. In our example, the destination (dest) field was used for aggregation.
  • Append Mode: Choose how AME handles multiple matching events:
    • Append to the first, last, or all matching events.
    • Alternatively, create a new event when multiple matches occur.

Example Use Case: Aggregating Related Events

Consider an environment where two searches generate alerts using the same aggregation template. When these alerts fire, they are aggregated into a single event.

For our example:

  • A search/detection matching a privileged logon event on a critical asset.
  • A search/detection matching a malware event on the same asset.

To use the aggregation, we set the searches that trigger the AME Alert Action to use the correct template. We do this for every search that should share the same aggregation template.

Results

Using the aggregation functionality, the results below are grouped into a single event, showing three contributing results: two authentication events and one endpoint detection event. This consolidated view helps analysts identify patterns and act more efficiently as the context is already established.
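As an added illustration, the following Python models the aggregation logic described in the Template Settings list (append, strict matching, append keys, append mode, notification on append) and runs the use case above through it: two searches firing on the same asset, three contributing results. It is not AME's own code; the `Template` field names paraphrase the settings on this page, the strict rule ("the whole result must equal the event's fields") is our reading of "all event keys must match", and the sample results are constructed. It also contrasts the pre-3.2 behaviour (title-only matching) with matching on `dest`.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    """An AME-style event: the first result opens it, later results are appended."""
    title: str
    fields: dict
    results: list = field(default_factory=list)


@dataclass
class Template:
    """Paraphrase of the template settings in the article (names are assumptions, not AME's API)."""
    append: bool = True
    append_strict: bool = False
    append_keys: tuple = ("dest",)
    append_mode: str = "last"       # "first" | "last" | "all" | "new"
    notify_on_append: bool = False


def _matches(event, result, tpl):
    # Every append key must be present in the incoming result and equal the event's value.
    for key in tpl.append_keys:
        if key not in result or result[key] != event.fields.get(key):
            return False
    # Strict: the whole result must agree with the event's fields, not just the keys (assumed reading).
    if tpl.append_strict and result != event.fields:
        return False
    return True


def ingest(events, result, tpl):
    """Route one search result; returns (events it landed in, whether a notification fires)."""
    matching = [e for e in events if _matches(e, result, tpl)] if tpl.append else []
    multiple = len(matching) > 1
    # No match, or several matches under mode "new": open a fresh event and always notify.
    if not matching or (multiple and tpl.append_mode == "new"):
        new = Event(title=result["title"], fields=dict(result), results=[result])
        events.append(new)
        return [new], True
    if tpl.append_mode == "first":
        targets = matching[:1]
    elif tpl.append_mode == "all":
        targets = matching
    else:  # "last" is the default; "new" with a single match also appends to it
        targets = matching[-1:]
    for ev in targets:
        ev.results.append(result)
    return targets, tpl.notify_on_append


def aggregate(results, tpl):
    """Run a batch of results through one template; returns (events, number of notifications sent)."""
    events, notified = [], 0
    for r in results:
        _, notify = ingest(events, r, tpl)
        notified += int(notify)
    return events, notified


# Constructed sample results for the article's use case: two detections firing on the same asset.
SAMPLE_RESULTS = [
    {"title": "Privileged logon on critical asset", "dest": "srv-db-01", "user": "svc_backup", "src": "auth"},
    {"title": "Privileged logon on critical asset", "dest": "srv-db-01", "user": "admin", "src": "auth"},
    {"title": "Malware detected", "dest": "srv-db-01", "signature": "placeholder-sig", "src": "edr"},
    {"title": "Malware detected", "dest": "ws-fin-07", "signature": "placeholder-sig", "src": "edr"},
]


def compare_title_vs_dest():
    """Pre-3.2 behaviour (title only) beside 3.2 behaviour (arbitrary key 'dest')."""
    by_title, n_title = aggregate(SAMPLE_RESULTS, Template(append_keys=("title",)))
    by_dest, n_dest = aggregate(SAMPLE_RESULTS, Template(append_keys=("dest",)))
    return ([len(e.results) for e in by_title], n_title,
            [len(e.results) for e in by_dest], n_dest)


if __name__ == "__main__":
    # Title matching splits the asset's activity across two events; dest matching yields
    # one event with three contributing results for srv-db-01 plus one for the other host.
    print(compare_title_vs_dest())  # ([2, 2], 2, [3, 1], 2)
```

Note the notification count: with Notification on Append disabled, only the two newly opened events notify in either mode, so switching to key-based aggregation changes how results are grouped without changing how many notifications analysts receive.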

Additional Use Cases for Event Aggregation

Event aggregation in AME can be customized to suit your specific needs. Common keys for aggregation include:

  • User
  • Indicator
  • Host
  • Other fields relevant to your environment

Conclusion

The event aggregation enhancements in AME 3.2 bring powerful new capabilities for managing alerts. By enabling aggregation on arbitrary keys and offering flexible configuration options, AME helps streamline workflows and reduce alert fatigue.
