Alert Manager Enterprise – Tags & Rules

Welcome to the second part of our Alert Manager Enterprise blog series!

In our first part, we talked about the new Event Summary view and how to configure alerts. You may have already caught a glimpse of tags in the screenshots. Let’s take a deeper look!

Tags

Enrichment plays a vital role in working with events. Tags help classify and group events. A tag can be assigned either automatically when an event is created or later, once a user has gathered new information.

Automatic tag assignment at creation time is configured in the Template Manager.

Tagging events afterward is done in the Event Summary view. Clicking the add button shows a list of predefined tags, and auto-complete helps you find existing ones.

Clicking on a tag shows useful information about it (the details that are defined in the Tag Manager, described below).

A user can also apply tags to multiple events at once using the "bulk edit" action. Note for users of the old Alert Manager app: this replaces the grouping functionality.

Tag Manager

How are new tags created? For AME, we decided to give tags more context than a plain label.

To make this possible, we added a Tag Manager.

Pressing the add button opens a modal where you enter not only the tag's name (short name) but also a friendly name, a description, and a URL pointing to external information.

This information helps a user understand why an event was tagged.

Two additional tabs are available in the Tag Manager. For your convenience, we have added tags for the Cyber Kill Chain and the MITRE ATT&CK framework to AME. For the latter, we have implemented an update function that keeps the tags in line with the current ATT&CK release.


Rule Manager

There are times when AME should ignore alerts, for example during a maintenance window, or for a specific host on which a patch cannot be applied and which therefore shows up every week in a security policy check.

The Rule Manager helps with these cases. Creating a rule starts with giving it a name and a time window.

There are two types of rules: simple rules, which compare a single field against a value, and multi-rules, which support multiple field-value conditions.

Create multi-rules using an easy syntax:

Finally, the action for the rule is defined. Typically "suppressed" is used as the target status for an alert. Setting the status to suppressed, rather than discarding the alert, lets us audit later how many alerts were triggered but never became actionable items. Keep the time window as tight as the maintenance it covers: a rule that outlives its window silently suppresses real findings.
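To make the rule semantics concrete, here is an added example of how such time-windowed simple rules and multi-rules can be evaluated against alert rows, with matching alerts set to "suppressed" and counted for a later audit. This is illustrative code written for this post, not AME's implementation; the alert rows are constructed sample data, and the "field=value AND field=value" multi-rule syntax is an assumption for the example rather than AME's own syntax.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample alert rows (not real AME data). Each row is a flat
# field/value dict with an event timestamp, like a Splunk alert result.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"_time": "2024-03-10T02:15:00Z", "host": "web01", "search_name": "Security Policy Check", "status": "new"},
    {"_time": "2024-03-10T02:20:00Z", "host": "web02", "search_name": "Security Policy Check", "status": "new"},
    {"_time": "2024-03-17T02:15:00Z", "host": "web01", "search_name": "Security Policy Check", "status": "new"},
    {"_time": "2024-03-17T02:20:00Z", "host": "web02", "search_name": "Security Policy Check", "status": "new"},
    {"_time": "2024-03-10T03:00:00Z", "host": "db01", "search_name": "Brute Force Login", "status": "new"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-10T02:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_multi_rule(expr: str) -> Dict[str, str]:
    """Parse a hypothetical 'field=value AND field=value' expression.

    This syntax is an assumption for the example, not AME's rule syntax.
    """
    conditions: Dict[str, str] = {}
    for part in expr.split(" AND "):
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed condition: {part!r}")
        conditions[name.strip()] = value.strip()
    return conditions


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]  # one entry = simple rule, several = multi-rule (all must match)
    target_status: str = "suppressed"
    valid_from: Optional[datetime] = None  # time window; None means no bound on that side
    valid_until: Optional[datetime] = None

    def in_window(self, ts: datetime) -> bool:
        after_start = self.valid_from is None or self.valid_from <= ts
        before_end = self.valid_until is None or ts < self.valid_until
        return after_start and before_end

    def matches(self, alert: Dict[str, str]) -> bool:
        # A rule outside its time window never fires, even if every field matches.
        if not self.in_window(parse_ts(alert["_time"])):
            return False
        return all(alert.get(field) == value for field, value in self.conditions.items())


def apply_rules(alerts: List[Dict[str, str]], rules: List[Rule]) -> List[Dict[str, str]]:
    """Return copies of the alerts with the first matching rule's status applied."""
    results = []
    for alert in alerts:
        out = dict(alert)
        for rule in rules:
            if rule.matches(alert):
                out["status"] = rule.target_status
                out["matched_rule"] = rule.name  # audit trail: which rule suppressed it
                break
        results.append(out)
    return results


def suppression_audit(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per status so triggered-but-suppressed alerts stay visible."""
    counts: Dict[str, int] = {}
    for alert in results:
        counts[alert["status"]] = counts.get(alert["status"], 0) + 1
    return counts


def demo_rules() -> List[Rule]:
    utc = timezone.utc
    return [
        # Simple rule bounded to a one-day maintenance window on web02.
        Rule(
            name="web02 maintenance 2024-03-10",
            conditions={"host": "web02"},
            valid_from=datetime(2024, 3, 10, tzinfo=utc),
            valid_until=datetime(2024, 3, 11, tzinfo=utc),
        ),
        # Open-ended multi-rule for a host whose patch cannot be applied.
        Rule(
            name="web01 known unpatchable finding",
            conditions=parse_multi_rule("host=web01 AND search_name=Security Policy Check"),
        ),
    ]


def run_demo():
    results = apply_rules(SAMPLE_ALERTS, demo_rules())
    return results, suppression_audit(results)


if __name__ == "__main__":
    rows, audit = run_demo()
    for row in rows:
        print(row["_time"], row["host"], row["status"], row.get("matched_rule", ""))
    print(audit)
```

The web02 alert from the following week is not suppressed because the maintenance rule's window has expired, while the open-ended multi-rule keeps catching the known web01 finding. The `matched_rule` field and the per-status counts are what make the later audit possible: you can see both how many alerts were suppressed and by which rule.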

Conclusion

We hope you enjoyed the introduction to Tags and Rules in Alert Manager Enterprise, and we hope these two features will help you in your everyday business!

In our next part, we will look at Notifications & Workflow-Actions.