Alerting Architecture & Third Parties Integration

Introduction to StateFul Alerting in TrackMe

Hint

StateFul Alerting in TrackMe since the release 2.1.11

• TrackMe 2.1.11 introduced a major enhancement in TrackMe alerting concepts and management, with StateFul alerting and advanced Emails alerts notifications.

• With StateFul alerting, TrackMe automatically maintains cycles of incidents in a persistent and state aware manner, used in conjunction with sophisticated and powerful capabilities.

• Notably, TrackMe can deliver rich email notifications, in HTML format and with automated and embedded metrics charts.

• It also generates stateful events, which can be used to trigger advanced third party notifications, starting with the incident creation, incidents updates and incident closure when the entity returns to a normal state.

• These features allow TrackMe to provide a complete, powerful and flexible state aware alerting architecture.

• Emails charts are not available in Splunk 9.1/9.2 environments due to Python 3.8.x and later requirements.

• Emails charts use SVG images format, some email clients such as Web Gmail do not support this format and charts are not displayed.

Sophisticated Alerting made easy - TrackMe alerting in a nutshell

In short:

• Once enabled, when a given entity turns into an alert state, a new incident is created.

• When new events are detected, such as Notable events or SLA breaches, the incident is updated.

• Eventually the entity returns to non alerting state, the incident is closed.

• Rich HTML emails notifications can be delivered by TrackMe, including automated and embedded metrics charts.

• Events are also generated, in the sourcetype=trackme:stateful_alerts.

• Therefore, TrackMe can generate Opening / Updating / Closing events, and/or rich Emails notifications.

Creating a StateFul Alert in a few easy steps

In the TrackMe Virtual Tenant, go to the “TRACKING ALERTS” tab, and use the wizard to create a new alert:

Step 1: Select the StateFul alert mode

The first step is to select the alert mode, available options are:

• Emails and Ingest: generate both emails deliveries and ingest events

• Emails only: generate emails deliveries only

• Ingest only: generate ingest events only

Third party integrations

• If your objective is to trigger third party integrations, such as creating and maintaining incidents in your ITSM, you should select the Ingest only mode.

Step 2: Configure emails delivery, if wanted

If you selected the Emails and Ingest mode, you can configure the emails delivery options:

For Splunk Cloud environments:

• You cannot configure an external SMTP destination in Splunk Cloud, the local MTA is mandatory.

• Therefore, for Splunk Cloud, you do not need any further configuration, TrackMe uses the local MTA as a default.

For Splunk Enterprise environments:

• You can choose to use the local MTA, or configure an external SMTP destination.

• You can configure an external SMTP destination in Splunk Enterprise, and TrackMe will use it to deliver emails.

In the Configuration UI, go to the Emails tab and configure the SMTP destination, note that using SSL or TLS is mandatory:

Step 3: Charts generation

By default, TrackMe generates dynamic charts using super fast TrackMe metrics queries and indexes, and embeds them in the emails notifications:

What does this look like? Very cool!:

TrackMe also stores the charts in base64 format in the persistent KVstore collection, so you can access them later on if needed notably for third party integrations.

Replace mytenant with the name of your Virtual Tenant:

| inputlookup trackme_stateful_alerting_charts_tenant_mytenant | eval key=_key, _time=mtime

You could link stateful alerts events to the charts in the KVstore collection, in a Splunk search:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id=mytenant
| lookup trackme_stateful_alerting_charts_tenant_mytenant incident_id OUTPUT chart_svg_base64

Step 4: Various options

Finally, there are various options that you can configure for the alert, such as:

• Consider orange as an alerting state: In TrackMe, orange is typically used to indicate a warning state, you can configure TrackMe to consider this as an alerting state.

• Drilldown URI: The drilldown URI is used to build the drilldown link in the emails notifications.

• Priority: The priority of entities for triggering the alert, you may for instance want to trigger the alert only on high or critical priority entities.

• Cron Schedule: The Cron schedule, typically every 5 or 10 minutes.

Additional information

TrackMe implements various dynamic actions, depending on the circumstances or the type of entities it is dealing with, to adapt automatically the behavior of StateFul alerts.

• Time detection, deduping and backfilling: TrackMe automatically identifies if events should be skipped according to the entity cycle, this means that it will skip events if necessary and will never send duplicated alerts, whatever the triggers of the alerts are. (so you can have an overlapped search approach safely and TrackMe does the hard work!)

• Dynamic charting: TrackMe automatically chooses which metrics should be charted, and how, based on the entity type and metrics available.

• For instance, for the splk-dsm component, it will automatically add component specific charts such as data sampling charts. (quality issues)

• For components like splk-flx and splk-wlk, TrackMe will automatically verify metrics availability for the entity, and will generate charts accordingly.

• Status flexibility: TrackMe has different statuses, you can influence for instance if orange should be considered as an alerting state or not. On the other hand, “blue” which is a special status (notably for logical grouping) is automatically considered as a non alerting state, eligible for incident closures.

Anatomy of StateFul Incidents Events

In addition with rich email notifications, TrackMe also generates incident events, which can easily be used to trigger third party integrations.

• alert_status: opened - This is the start of the incident

• alert_status: updated - This is an update of the incident

• alert_status: closed - This is the closure of the incident

Example of an opening incident event:

index=trackme_summary sourcetype="trackme:stateful_alerts" alert_status=opened tenant_id=* object_category=* object=*

Example of an updating incident event:

index=trackme_summary sourcetype="trackme:stateful_alerts" alert_status=updated tenant_id=* object_category=* object=*

Example of a closing incident event:

index=trackme_summary sourcetype="trackme:stateful_alerts" alert_status=closed tenant_id=* object_category=* object=*

In TrackMe, incidents events can be accessed through the UI and the Incidents tab: (which was renamed from Notables to Incidents in this release)

TrackMe StateFul alerts events are JSON formatted events, these contain the following key information:

Field	Description
alert_status	The status of the alert, this can be opened, updated or closed
chart_ids	The list of chart ids associated with the incident, these can be used to retrieve the charts from the KVstore collection
ctime	The creation time of the incident (epoch)
delivery_type	The list of delivery types that were called for this incidents, such as email and ingest
detection_time	The time of the detection of the alert in human readable format (strftime %c %Z)
drilldown_link	A link to the TrackMe Home user interface which filters on the tenant, component and entity, and automatically opens the entity overview screen (from TrackMe 2.0.88)
event_id	The unique identifier for this notable event, as the sha-256 hash of the notable event content (from TrackMe 2.1.0)
incident_id	The unique identifier for this incident, this is shorter identifier which is common to events and objects that related to the same incident
message_id	A unique identifier for this message, this is principally used for emails
messages	The list of messages from TrackMe that occur during the incident life cycle, this related to the TrackMe status_message field
mtime	The last modification time of the incident (epoch)
object	The object name for this entity, this basically is the name of entities in TrackMe
object_category	A TrackMe identifier for each component, this describes which type of TrackMe component this notable is related to.
object_id	The unique identifier for this object in the tenant / component central KVstore collection
object_state	The current state of the object (blue / green / orange / red)
reference_chain	The list of message_id that relate to the same incident, this is used for emails threading purposes
tenant_id	The tenant identifier this Notable event is related to.
priority	The priority definition for this object (low / medium / high / critical)
source_message	The TrackMe sourcetype at the origin of the incident, such as trackme:flip
source_message_id	The unique identifier (event_id) of the original event that triggered the incident

Example: Feed tracking entity (splk-dsm)

In this example, a sourcetype is affected by high latency and/or delay, a first notification is generated:

A first notification is generated, either through a notable event of a flip event:

An opening incident event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="mytenant" object="myobject" alert_status="opened"

Eventually, an update will be issued if a new event is generated:

An update incident event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="mytenant" object="myobject" alert_status="updated"

Later on, the SLA is breached, a new notification is generated:

Another update incident event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="mytenant" object="myobject" alert_status="updated"

Finally, the issue is resolved, an incident closure notification is generated:

An incident closure event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="mytenant" object="myobject" alert_status="closed"

Example: Splunk Cluster Monitoring with splk-flx

In this example, we monitor a Splunk cluster and Splunk indexers through the Flex object component.

Initial status: The cluster global status is healthy, all peers are up and running: (although one peer is reported as orange due to bucket imbalance)

An incident affects an indexer, the global cluster status as well as the indexer turn into alerting state:

A first notification is generated for the cluster status:

An opening incident event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="cluster-mon" object="infrastructure:splunk_cluster:idxc1" alert_status="opened"

Notifications are also generated for the indexer:

An update incident event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="cluster-mon" object="infrastructure:splunk_cluster:idxc1" alert_status="updated"

As the incident continues, several notifications can be generated, for instance when the SLA is breached:

An update incident event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="cluster-mon" object="infrastructure:splunk_cluster:idxc1" alert_status="updated"

At some point, the issue on our indexer is resolved, the entity returned to a non alerting state (here orange due to bucket imbalance), the incident is closed:

An incident closure event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="cluster-mon" object="infrastructure:splunk_cluster:idxc1:prd5-cl-idx-dc1-idx1" alert_status="closed"

Finally, after some time, our indexer cluster catches up and the entity returns to a healthy state, the incident is closed:

A final incident closure event is created:

index=trackme_summary sourcetype=trackme:stateful_alerts tenant_id="cluster-mon" object="infrastructure:splunk_cluster:idxc1" alert_status=closed

Visualizing the incident life cycle in a Splunk chart with annotations:

Example of a notification due to Machine Learning Outliers detection:

Below is an example of a notification due to Machine Learning Outliers detection:

Note: TrackMe will automatically add a data sampling related chart in the notification, to help you visualise the issue.

Example of a notification due to a feed data quality issue (data sampling):

Below is an example of a notification due to a feed data quality issue (data sampling):

Note: TrackMe will automatically add a data sampling related chart in the notification, to help you visualise the issue.

Example of a notification for the Workload component (Splunk scheduled searches and alerts monitoring):

Below is an example of a notification for the Workload component (splk-wlk):

Note: For this component, TrackMe will automatically generate charts per metrics, depending on metrics available in the entity.

Legacy Alerting with Notables or direct alerts

Legacy Alerting is based on Notables or direct alerts:

Creating an alert in TrackMe

You can create a new alert in the scope of any Virtual Tenant:

Available option may differ per TrackMe component, for instance with splk-dsm:

Once created, the alert reports in the alert user interface, and can be managed from this screen:

TrackMe modular alert actions

TrackMe has several alert actions that are leveraged when creating alerts:

• TrackMe Notable event: This alert action generates a JSON event in the Virtual Tenant notable index summarising the status of an entity when the alert triggers

• TrackMe Auto Acknowledgment: This alert action automatically acknowledges the entity in TrackMe’s workflow for a given period of time

• TrackMe SmartStatus: This alert performs automated investigations when an alert triggers for one or more entities, to improve and speed the root cause identifications and add context to an issue detected by TrackMe

The TrackMe Notable event is a mandatory alert action, others can be disabled during the creation of the alert if you wish to do so.

Alerts Triggering

When the alert fires and triggers results, the user interface shows a summary of the triggers and the actions involved:

The alert user interface allows to investigate alert actions traces:

From the entities perspective, we can for instance observe that the entity alert was acknowledged automatically:

A notable event was created:

As well as a TrackMe SmartStatus event:

Third Parties Alert Integration

Introduction to Third Parties Alerting Notification

Any TrackMe alert can be extended to send notifications to a third party, typically:

• Sending emails to a recipient, such as the owner of the entities/service, or TrackMe administrators and analysts

• Opening an incident to your ITSM such as ServiceNow or Atlassian Jira

• Creating a message in a Slack or Microsoft Teams channel

Note

Two main alerting architecture design can be implemented:

• Architecture scenario 1: Notable based design TrackMe alerts generate notable events, a centralised Splunk alert monitors for TrackMe notables and run alert actions for the third party

• Architecture scenario 2: Per alert design TrackMe alerts are configured to run the third party alert action and perform the associated action directly

While the two options are possible, the Architecture scenario 1 based on Notables has multiple advantages:

• Each TrackMe alert handles all entities, ensuring the creation of TrackMe notable events and other features such as the acknowledgment

• Allows centralising the definition of what should lead to the creation of an incident, sending an email or sharing channel message

• Notable events are normalised and provide all necessary information in a consistent fashion

• For instance, you can have a single “TrackMe forward notable” alert which restricts to high priority entities and any additional logic of your own, easily in SPL

• This logic can easily be maintained over time, without having to modify multiple alerts and provides a deeper and more consistent control

This documentation covers both approaches in the next sections.

Architecture scenario 1: TrackMe Notable Events

Introduction: Anatomy of TrackMe Notable Events

Hint

Forwarding TrackMe Notable to Splunk SOAR

• If you are looking to forward TrackMe Notable Events to Splunk SOAR, consult the following: :Forwarding TrackMe Notable Events to SOAR

TrackMe Notable Events creation

TrackMe notable events are generated when a TrackMe alert triggers against one or more entities, relying on the built in TrackMe Notable modular alert action.

This alert action configuration is also visible when editing a TrackMe alert:

Note

Notable events are ONLY created when a TrackMe alert is configured and triggers, in this scenario all eligible entities should therefore be covered by an alert per tenant and component.

TrackMe Notable Events structure

TrackMe Notable events are JSON formatted events, these contain the following key information:

Field	Description
tenant_id	The tenant identifier this Notable event is related to.
object	The object name for this entity, this basically is the name of entities in TrackMe
object_category	A TrackMe identifier for each component, this describes which type of TrackMe component this notable is related to.
keyid	The unique identifier for this object in the tenant / component central KVstore collection
priority	The priority definition for this object (low / medium / high / critical)
state	The status of the object (blue / green / orange / red)
anomaly_reason	A normalised field describing the reason behind the status of a given entity
status_message	A human readable detailed description of the reason why TrackMe generated an alert for this entity
timeStr	The time of the event in human readable format
drilldown_link	A link to the TrackMe Home user interface which filters on the tenant, component and entity, and automatically opens the entity overview screen (from TrackMe 2.0.88)
event_id	The unique identifier for this notable event, as the sha-256 hash of the notable event content (from TrackMe 2.1.0)
properties	The complete TrackMe object record in a nested JSON structure, as it was when the alert triggered

Therefore, TrackMe Notable events contain all necessary information in a consistent and normalised manner, to interact with any third party.

Example of a TrackMe Notable event:

The properties field contains the entire entity record as nested JSON, it is also extracted automatically so you can use fields as needed:

TrackMe Notable events are easy to access and review in TrackMe’s user interface:

Step 1: Create TrackMe alerts for tenants and components in used

The first step is to create a TrackMe alert for every tenant and components that are in use.

It is not necessary at this stage to filter on concepts like the priority because filtering will be made while monitoring the TrackMe notable events.

For each tenant, access the TRACKING ALERTS tab, and use the wizard to create an alert, you can leave all options to their default:

Step 2: Create a custom alert monitoring TrackMe notable

The second step is to create a custom Splunk alert which searches for TrackMe notable and enables third party interactions, for instance:

As a basis:

index=trackme_notable tenant_id=* priority=*
| table tenant_id, keyid, event_id, object, object_category, state, priority, anomaly_reason, status_message, drilldown_link

For instance, a typical use case would be to create incidents only for high priority entities in alert:

index=trackme_notable tenant_id=* priority="high"
| table tenant_id, keyid, event_id, object, object_category, state, priority, anomaly_reason, status_message, drilldown_link

Note

In TrackMe, you can define different notable indexes per tenant, if you did so you will want to adapt your search.

Create the Splunk alert:

• Cron every 5 minutes: */5 * * * *

• Earliest time: -15m

• Trigger for each result

• Throttle against the keyid for 60m

Then enable the third party alert action, for example we will enable creating incident in JIRA, the following shows an example of content for the alert which calls tokens replacements:

TrackMe alert for a Splunk high priority entity:

- tenant: $result.tenant_id$
- object: $result.object$
- object_category: $result.object_category$
- state: $result.state$
- priority: $result.priority$
- anomaly_reason: $result.anomaly_reason$
- status_message: $result.status_message$
- drilldown_link: $result.drilldown_link$

Hint

Re-assigning to a service account

• As a good practice, you should re-assign the created Splunk alert to the TrackMe service account user, or nobody

• You should avoid running alerts on behalf of normal users

Adding third parties actions:

Atlasian Jira example:

Note: this integration relies on the following Add-on for Jira: https://splunkbase.splunk.com/app/4958

Email example:

Note: Sending emails is a builtin alert action in Splunk

Slack example:

Note: this integration relies on the following Add-on for Slack: https://apps.splunk.com/app/2878

Optional: Notable events enrichment

When using Notable events as the central means for third party alerting, further logic can easily be implemented such as custom normalisation and enrichment.

With enrichment for instance, you may want to leverage your CMDB knowledge to add context information such as the owner or contact address email for the notification, there are plenty of options and designs possible.

TrackMe allows to lookup easily in your CMDB to provide context information handy in the user interface, you can leverage the same content from the central Notable alert, for more information about the CMDB Lookup integrator see: CMDB Lookup Integration

CMDB integration in the user interface:

For instance, we could update our Notable event alert:

index=trackme_notable tenant_id=* priority="high"
| lookup my_cmdb index as properties.data_index, sourcetype as properties.data_sourcetype OUTPUT
| table tenant_id, keyid, event_id, object, object_category, state, priority, anomaly_reason, status_message, drilldown_link

Enrichment information are automatically available:

Any of these fields can be used equally in your alert configuration using tokens, for instance we could update the recipient email address and add some logic to handle unknown entities:

index=trackme_notable tenant_id=* priority="high"
| lookup my_cmdb index as properties.data_index, sourcetype as properties.data_sourcetype OUTPUT
| eval contact=if(isnull(contact), "support@trackme-solutions.com", contact)
| table tenant_id, keyid, event_id, object, object_category, state, priority, anomaly_reason, status_message, drilldown_link, contact

And recycle this token instead:

Architecture scenario 2: Per TrackMe Alert Design

Another design choice is to configure third party alert actions on a per TrackMe alert instead of relying on the Notable events.

Note

This integration can also be considered as a valid choice, eventually easier and more logical, however it does not present some of the advantages in comparison with a TrackMe Notable based design:

• Each alert needs to be configured individually, which can be more challenging to maintain over time

• Entities that are not covered by any TrackMe alert will not lead to TrackMe alert actions being executed (Notable, Ack, SmartStatus), for instance if you restrict alerts using entities priority or tags and some entities are out of the scope

• Normalisation, enrichment or the introduction of custom SPL logic is decentralised opposed to the central alert based on Notables

• Finally, you may need more alerts to be created (for instance to cover entities by priority and have alert actions executed for all entities)

For the purposes of this documentation, the following scenario will be implemented:

• A first alert is created which targets high priority entities, when triggering a notification is sent using a Splunk alert action to open an incident in our ITSM tool (we will use Jira but this is applicable to any Splunk supported third party)

• A second alert is created which targets medium priority entities, this time an email will be sent when the alert triggers

• Entities set as low are not subject to a third party integration, however an alert should also be active for notable events and other TrackMe alert actions to be triggered

Step 1: Create a TrackMe alert for high priority entities

We start by creating an alert in TrackMe for high priority entities:

Repeat the same process for other priority levels, all entities should be covered by alerts, in this example we would therefore need 3 alerts in total.

Step 2: Enable alert actions per alert

The next step is to update TrackMe alerts to include the alert actions to be enabled:

This opens the Splunk alert edition management screen, we will add a new alert action:

We add for instance add the Jira alert action and define some of the most use fields returned by TrackMe:

These steps are the same as in the architecture scenario 1 Notable based, consult the previous section for more insights.

Context body example:

TrackMe alert for a Splunk high priority entity:

- tenant: $result.tenant_id$
- object: $result.object$
- object_category: $result.object_category$
- state: $result.state$
- priority: $result.priority$
- anomaly_reason: $result.anomaly_reason$
- status_message: $result.status_message$
- drilldown_link: $result.drilldown_link$

The same process needs to be achieved for every alert that should monitor TrackMe entities, per tenant and component.

When alerts trigger, Splunk automatically configured the alert actions according to your settings.

Deleting TrackMe alerts

Warning

TrackMe alerts are orchestrated by TrackMe and should be deleted in TrackMe

• When creating a TrackMe alert, it will preserve knowledge of it

• This allows automatically managing assignment and Roles Based Access Control settings, according to the Virtual Tenant setup

• Therefore, you must delete a TrackMe alert via TrackMe, and not directly via Splunk

Deleting an alert from the user interface

You can delete TrackMe alerts from the user interface, because TrackMe maintains the knowledge of objects associated with a given Virtual Tenant, alerts should be deleted through the user interface or the REST API:

Deleting an alert from the REST API

You can as well delete an alert using the REST API and the following endpoint:

| trackme mode=post url="/services/trackme/v2/alerting/admin/del_alert" body="{'tenant_id':'mytenant', 'alert_name': 'TrackMe alert tenant_id:mytenant - Alert custom on splk-dsm'}"