Apr 15, 2024

AME 3.0 New Rule Engine & Notification Functionality

Introducing the new Rule and Notification Engines


In our recent communication regarding the launch of Alert Manager Enterprise (AME) version 3.0, we introduced various new features and enhancements, showcasing our commitment to delivering substantial value to our clients and users. We plan to delve deeper into these updates through a series of blog posts, elaborating on how these innovations not only bolster the capabilities of AME but also offer customization options to align with the specific processes of our clients.

A highlight of the AME 3.0 release is the introduction of the Rule Engine -- a pivotal element within AME's framework that empowers users to create intricate workflows and automation. This engine is at the heart of AME 3.0, underpinning the core logic and facilitating seamless interaction flows within the software.

AME 3.0 Architecture with Rule and Notification Engines

The Rule Engine plays a crucial role: it is activated whenever an alert is dispatched to AME. It evaluates every incoming event and can modify the event's metadata when a series of conditions is met. Users craft these conditions in the Rule Composer using conditional logic (AND/OR/NOT) that operates on either the event data or its metadata.

Furthermore, the Rule Engine triggers notifications through any supported schemes (Email, Slack, Teams, etc.). With the ability to initiate generic Webhooks through GET and POST requests, AME can be extended to automate and trigger a wide range of functions in external systems based on specific event conditions.

Example 1: Tagging of events related to PCI networks

Properly handling events based on the originating PCI zone is imperative in scenarios requiring PCI compliance. A simple rule can assign a tag to an event if it originates from or is destined to a PCI zone, utilizing source or destination IP addresses. This facilitates setting appropriate impact and urgency levels for events associated with the Cardholder Data Environment (CDE) network.

Again, the same template handles events for both PCI and non-PCI assets, and the rule tags the event only where the PCI condition applies.

Tagging the correct PCI zone when dealing with events from networks hosting payment card-related data

Results of the rule being applied to the event:

Event History, showing transformations applied by the rule
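The following is an added illustration, not AME's own Rule Engine code: it shows the kind of AND/OR/NOT rule the Rule Composer describes, applied to the PCI tagging scenario from Example 1. The zone address ranges, field names, tag values and sample events are all constructed for the demonstration; real deployments would take them from the CDE network inventory and the alert source.

```python
"""Illustrative rule evaluation for PCI-zone tagging (added example, not AME code)."""
import ipaddress
from typing import Any, Callable, Optional

# Constructed CDE address ranges; a hypothetical layout, not any real network.
PCI_ZONES = {
    "cde-core": ipaddress.ip_network("10.10.0.0/16"),
    "cde-dmz": ipaddress.ip_network("10.20.5.0/24"),
}


def pci_zone(addr: Any) -> Optional[str]:
    """Return the name of the PCI zone containing addr, or None."""
    try:
        ip = ipaddress.ip_address(str(addr))
    except ValueError:
        return None  # a missing or malformed address never matches a zone
    for name, net in PCI_ZONES.items():
        if ip in net:
            return name
    return None


def lookup(event: dict, path: str) -> Any:
    """Resolve a dotted path such as 'metadata.suppressed' against the event."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


# A condition is a callable over the event; rules are built from the three combinators.
Condition = Callable[[dict], bool]


def field_in_pci_zone(path: str) -> Condition:
    return lambda ev: pci_zone(lookup(ev, path)) is not None


def field_equals(path: str, value: Any) -> Condition:
    return lambda ev: lookup(ev, path) == value


def AND(*conds: Condition) -> Condition:
    return lambda ev: all(c(ev) for c in conds)


def OR(*conds: Condition) -> Condition:
    return lambda ev: any(c(ev) for c in conds)


def NOT(cond: Condition) -> Condition:
    return lambda ev: not cond(ev)


# Rule: (source in a PCI zone OR destination in a PCI zone) AND NOT suppressed in metadata.
PCI_RULE = AND(
    OR(field_in_pci_zone("src_ip"), field_in_pci_zone("dest_ip")),
    NOT(field_equals("metadata.suppressed", True)),
)


def apply_pci_rule(event: dict) -> dict:
    """Return a copy of the event, tagged with zone/impact/urgency and a history entry if the rule matches."""
    out = dict(event)
    out["tags"] = list(event.get("tags", []))
    out["history"] = list(event.get("history", []))
    if PCI_RULE(event):
        zone = pci_zone(lookup(event, "src_ip")) or pci_zone(lookup(event, "dest_ip"))
        out["tags"] = sorted(set(out["tags"]) | {"pci", f"zone:{zone}"})
        out["impact"] = "high"
        out["urgency"] = "high"
        out["history"].append(f"rule pci-tagging: tagged zone {zone}, impact/urgency set to high")
    return out


# Constructed sample events covering source match, destination match, no match,
# and a suppressed event carrying a malformed destination address.
EVENTS = [
    {"id": "ev-1", "src_ip": "10.10.3.7", "dest_ip": "192.168.1.5", "metadata": {"suppressed": False}},
    {"id": "ev-2", "src_ip": "192.168.1.5", "dest_ip": "10.20.5.200", "metadata": {}},
    {"id": "ev-3", "src_ip": "192.168.1.5", "dest_ip": "172.16.0.9", "metadata": {}},
    {"id": "ev-4", "src_ip": "10.10.9.9", "dest_ip": "not-an-ip", "metadata": {"suppressed": True}},
]


def run_demo() -> list:
    return [apply_pci_rule(e) for e in EVENTS]


if __name__ == "__main__":
    for ev in run_demo():
        print(ev["id"], ev["tags"], ev["history"])
```

The rule never mutates the incoming event; it returns a new copy with a history entry, which is what makes the "Event History" view above possible. Address parsing failures are treated as non-matches rather than errors so that one malformed field cannot stop the rest of the pipeline.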

Example 2: Privileged Access Management

Monitoring privileged access is a staple activity within Security Operations Centers (SOCs), ensuring that elevated access privileges are used responsibly and auditably. AME facilitates this through a template that delineates the creation of new events following a privileged logon, accommodating environments that utilize both Windows and Linux systems. This unified approach in AME streamlines the management of privileged access events.

Since our environment supports both Windows and Linux, we have a single AME template for the Privileged Access Event, which is invoked by two searches: one for privileged logons on Windows machines and the other for privileged logons on Linux machines. Both searches target the same template in AME.

Triggering a notification and setting event attributes when a privilege logon event occurs

Triggering a notification and setting event attributes when a privileged logon event occurs

Introducing Customisable Notifications

The notification functionality in Alert Manager Enterprise (AME) version 3.0 has been significantly enhanced to cater to both human recipients and automated systems. Integrating the Rule Engine and the new Notification Engine allows for sophisticated conditional evaluations, enabling precise control over the timing and content of notifications sent to teams or external systems.

Administrators can now define Notification Schemes, Notification Targets, and Notification Templates within AME. Notification Targets refer to the delivery endpoints, such as Email, Slack, Teams, etc. Additionally, the system supports Splunk Alert Actions and Webhook targets, enabling users to develop REST/HTTP-based integrations with customized payloads derived from event data using the Template system.

This advanced functionality transforms AME into a robust platform for orchestrating complex workflows and automation.

The AME Template system is compatible with the widely-used Jinja syntax, which facilitates dynamic formatting and populating template contents. Templates can be tailored for structured and unstructured text-based formats, including HTML, XML, JSON, and plain text, enhancing flexibility and utility across various application scenarios.

An example of a notification template, utilising Jinja templating syntax
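Below is an added example, not a template or code from AME itself, showing how Jinja-syntax notification templates render event data into two of the formats the text lists: an HTML email body and a JSON webhook payload. It uses the Python `jinja2` library directly, which is an assumption about the rendering engine; the event fields and both templates are constructed for the demonstration. The point a practitioner should take from it is that event data is untrusted input to the template, so HTML output needs autoescaping and JSON output needs the `tojson` filter rather than raw interpolation.

```python
"""Rendering notification templates from event data (added example, not AME's own code)."""
import json
from jinja2 import Environment

# Constructed event as the Rule Engine might hand it to the Notification Engine.
# The title deliberately contains markup and a quote, as raw log data sometimes does.
EVENT = {
    "id": "ev-42",
    "title": 'Privileged logon on "srv-db-01" <b>flagged</b>',
    "host": "srv-db-01",
    "user": "svc_backup",
    "tags": ["pci", "zone:cde-core"],
    "urgency": "high",
}

# HTML templates are rendered with autoescape on, so event fields cannot inject markup
# into an email body. JSON templates are rendered without autoescape and rely on |tojson,
# which produces a valid JSON literal for any string, number, bool or list.
HTML_ENV = Environment(autoescape=True)
JSON_ENV = Environment(autoescape=False)

HTML_TEMPLATE = """<h2>{{ event.title }}</h2>
<p>Host {{ event.host }}, user {{ event.user }}, urgency {{ event.urgency }}</p>
<ul>{% for t in event.tags %}<li>{{ t }}</li>{% endfor %}</ul>"""

JSON_TEMPLATE = """{
  "summary": {{ event.title | tojson }},
  "host": {{ event.host | tojson }},
  "pci": {{ ("pci" in event.tags) | tojson }},
  "tags": {{ event.tags | tojson }},
  "urgency": {{ event.urgency | tojson }}
}"""


def render_html(event: dict) -> str:
    """Render the email body; markup in event fields comes out escaped."""
    return HTML_ENV.from_string(HTML_TEMPLATE).render(event=event)


def render_json_payload(event: dict) -> dict:
    """Render the webhook body and parse it back, so a malformed payload fails here rather than at the target."""
    body = JSON_ENV.from_string(JSON_TEMPLATE).render(event=event)
    return json.loads(body)


if __name__ == "__main__":
    print(render_html(EVENT))
    print(json.dumps(render_json_payload(EVENT), indent=2))
```

Parsing the rendered JSON back before dispatch is a cheap check worth keeping in any webhook integration: a template that works for ordinary titles will silently produce invalid JSON for a title containing a quote if `tojson` is forgotten, and the receiving system's error is usually far less informative than a local `json.loads` failure.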

Going Further: What’s next?

The Rule Engine's capability to facilitate complex event management logic and the Notification Engine's automatic update triggers pave the way for extensive automation possibilities. By leveraging external services via Webhooks, AME's system can be expanded to automate many functionalities.

Further exploration of these capabilities and their potential applications will be the subject of a forthcoming blog post.