Alert Manager Enterprise – Multi-Tenancy and What’s Next

Welcome to the last part of our Alert Manager Enterprise introduction blog series. 

Our previous blog post looked closely at Notifications and Workflow Actions. This time we’re looking at one of the most exciting new features of AME: Multi-Tenancy.

We will also discuss our release plan, feature packs, support plan, and roadmap. Let’s get started!

Multi-Tenancy is commonly defined as:

“…an architecture in which a single instance of a software application serves multiple customers. Each customer is called a tenant. Tenants can be given the ability to customize some parts of the application…”.

And this is what most of our old Alert Manager users were asking for: 

A way to serve multiple internal or external customers with a single instance of Alert Manager.

Multi-tenancy is one of those things that rarely works as an afterthought, which is one of the reasons we could not implement it in our legacy Alert Manager.

In AME, we made multi-tenancy a cornerstone of our architecture. Each tenant will have its own set of indexes and KV store collections. Access to information is only available with the appropriate Splunk role.

What makes an AME tenant?

AME comes with a “default” out-of-the-box tenant. The tenant has an index named ame_default and a few KV Store collections. 

In a distributed Splunk environment, index creation needs to be done by a Splunk admin with access to the Manager Node. Also, due to changes in Splunk Cloud, AME now sends data from the Search Head to the index using a Splunk HTTP Event Collector.

Two roles are created automatically for the default tenant: 

  • ame.default.user
  • ame.default.power

We will come back later to explain the functionality of the roles.

Creating a new tenant

For managing tenants, we are introducing a Tenant Manager.

A tenant has a friendly name and an internal name (a unique identifier). The roles to create can be selected here; they again follow the naming scheme ame.<tenant>.<role>.

For the tenant to be able to receive data, we need information about the HEC Receiver. AME automatically validates the connection and shows a green OK when it succeeds.

For your convenience, we are creating a template for indexes.conf and inputs.conf.

How to use tenants

As briefly mentioned, each tenant comes with roles. A tenant can only be seen by a user who has been assigned one of that tenant's roles.

There are three roles available:

  • tenant.user = Can read events and write comments.
  • tenant.power = Can read and modify events, create tags, and define rules.
  • tenant.admin = Power role, plus can mark events “deleted” with an audit record.
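To make the role scheme concrete, here is an added illustration (not AME's own code) of how ame.<tenant>.<role> names can be resolved into per-tenant permissions with deny-by-default, so a tenant a user holds no role in stays invisible. The permission names, the tenant-name pattern, and the audit-record shape are assumptions for the example.

```python
import re

# Permission sets following the post: user < power < admin, where admin is the
# power role plus the ability to mark events deleted. Names are assumed here.
ROLE_PERMISSIONS = {
    "user": {"read_events", "write_comments"},
    "power": {"read_events", "write_comments", "modify_events",
              "create_tags", "define_rules"},
    "admin": {"read_events", "write_comments", "modify_events",
              "create_tags", "define_rules", "delete_events"},
}

# Role names follow ame.<tenant>.<role>; the internal tenant name is assumed to
# be lowercase alphanumerics/underscores (assumption, not from the post).
ROLE_PATTERN = re.compile(r"^ame\.(?P<tenant>[a-z0-9_]+)\.(?P<role>user|power|admin)$")


def parse_ame_role(role_name):
    """Return (tenant, role) for an AME role name, or None for any other Splunk role."""
    m = ROLE_PATTERN.match(role_name)
    return (m.group("tenant"), m.group("role")) if m else None


def tenant_permissions(splunk_roles):
    """Map a user's Splunk roles to {tenant: permission set}.
    Non-AME roles are ignored; several roles in one tenant union their permissions."""
    result = {}
    for role_name in splunk_roles:
        parsed = parse_ame_role(role_name)
        if parsed is None:
            continue
        tenant, role = parsed
        result.setdefault(tenant, set()).update(ROLE_PERMISSIONS[role])
    return result


def visible_tenants(splunk_roles):
    """Tenants the user can see at all: exactly those they hold a role in."""
    return sorted(tenant_permissions(splunk_roles))


def can(splunk_roles, tenant, action):
    """Deny by default: no role in the tenant means no permission of any kind."""
    return action in tenant_permissions(splunk_roles).get(tenant, set())


def mark_deleted(splunk_roles, user, tenant, event_id):
    """Admin-only soft delete that always produces an audit record (constructed shape)."""
    if not can(splunk_roles, tenant, "delete_events"):
        raise PermissionError(f"{user} may not delete events in tenant {tenant!r}")
    return {"tenant": tenant, "event_id": event_id, "action": "deleted", "by": user}
```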

You may have already seen from screenshots on our previous blog posts that many configurations contain a template attribute. Here’s a list of tenant-specific objects:

  • templates
  • rules
  • custom tags
  • notifications

Multi-Tenancy Conclusion

What are the Use Cases and Benefits of Multi-Tenancy?

The most apparent benefit is running one instance of AME and separating events for different customers. 

For example, if you’re in the MSSP business, you can have a single pane of glass for all your customers but only give access to SOC employees who have permission to access the events of a specific customer.

Another use case could be the testing of new correlation searches. You don’t want to pollute your production event queue with untested alerts, do you?

We’re sure you will find many new use cases!

What’s next?

We’re in the final stages of testing the brand-new AME app and will push for a release in January 2023.

As previously mentioned, our goal was to bring you a replacement app that covers the functionality of the legacy Alert Manager app as much as possible. We will have covered around 90% of the functionality with the GA version, which will increase in further releases.

We also plan to build a tool to help existing users migrate from the old AM to Alert Manager Enterprise.

As we will replace the legacy Alert Manager App later with Alert Manager Enterprise, our gift to you as a long-term user is that the AME Free Edition will cover the functionality of the old version free of charge!

To ensure the further development of AME, we will introduce optional maintenance & support and optional feature packs. We will provide you with more information at the release time.

Last but not least: Now that we are close to GA, we already have many new ideas on our roadmap. So expect more exciting features to appear shortly!

Thanks for reading our blog series. We hope you are as excited about the new Alert Manager Enterprise as we are!