Priority Management

About priority levels in TrackMe

Hint

Priority levels are an important concept in TrackMe: they can be leveraged to categorize the importance of your different Splunk feeds and, for instance, to route notifications depending on the priority level of each entity.

  • TrackMe supports the following priority levels:
    • critical

    • high

    • medium

    • low

  • The priority level of an entity is set by default at discovery time; it can then be updated per entity, defined by policy, or managed externally.

  • When alerts are forwarded to a third party, such as email or a ticketing system, entities are usually filtered by their priority level.

  • Priority is a valuable concept for reducing noise and alert fatigue: a frequent and recommended practice is to focus first on the high and critical priorities, and to consider the other priorities over time.

view example from a Virtual Tenant:

vtenant_view001.png

preview in Virtual Tenant:

vtenant_view002.png

view in Home UI:

home_view1.png

view of an entity:

home_view2.png

Priority at discovery time

The priority level that TrackMe applies at discovery time is configurable on a per Virtual Tenant basis:

When the Virtual Tenant is created, you can define the default priority that will be applied to newly discovered entities:

config_tenant_level001.png

Once the Virtual Tenant is created, you can update the default priority level in the Virtual Tenant settings:

config_tenant_level002.png config_tenant_level003.png

Managing priority at the entity level

Updating the entity priority level in the modification screen

In the main entity screen, you can update the priority in the modification screen:

per_entity_001.png per_entity_002.png

Updating entities in bulk via the table view

In the Home view, you can update one or multiple entities at once within the table:

per_table_001.png

Updating entities in bulk selection

You can also select one or multiple entities in the table and update their priority level:

bulk001.png bulk002.png

Updating entities in SPL and REST API

You can also update the priority level of entities from SPL, using the trackme command to call the REST API, or by calling the REST API directly by any other means:

Example of SPL:

| trackme url="/services/trackme/v2/splk_dsm/write/ds_update_priority" mode="post" body="{'tenant_id': 'demo-priority', 'priority': 'high', 'object_list': 'eventgen-waf:akamai:cm:json,eventgen-waf:websense:cg:kv'}"
rest001.png
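The same update performed from outside Splunk, as an added example that is not part of the TrackMe documentation or code base. It reuses the endpoint path and the body fields (tenant_id, priority, object_list) from the SPL example above; the base URL (Splunk management port 8089), the Bearer-token authentication and the helper names are assumptions, and the sample entity names are constructed. The builder validates the priority against the four documented levels and normalizes the comma-separated object_list before anything is sent.

```python
import json
import os
import ssl
import urllib.request

PRIORITY_LEVELS = ("critical", "high", "medium", "low")
# Endpoint path as used in the SPL example on this page.
UPDATE_PRIORITY_PATH = "/services/trackme/v2/splk_dsm/write/ds_update_priority"


def build_update_priority_body(tenant_id: str, priority: str, objects) -> dict:
    """Validate the inputs and build the body for ds_update_priority.

    object_list is a comma-separated string of entity names, as in the SPL
    example above, so names are trimmed, de-duplicated and checked for commas."""
    if not tenant_id:
        raise ValueError("tenant_id is required")
    if priority not in PRIORITY_LEVELS:
        raise ValueError(f"priority must be one of {PRIORITY_LEVELS}, got {priority!r}")
    cleaned = []
    for name in objects:
        name = name.strip()
        if not name:
            continue
        if "," in name:
            raise ValueError(f"entity name {name!r} contains the list separator ','")
        if name not in cleaned:
            cleaned.append(name)
    if not cleaned:
        raise ValueError("object_list is empty")
    return {"tenant_id": tenant_id, "priority": priority, "object_list": ",".join(cleaned)}


def update_priority(base_url: str, token: str, tenant_id: str, priority: str,
                    objects, verify_tls: bool = True) -> dict:
    """POST the update over the Splunk management port (assumption: https://host:8089).

    Authenticates with a Splunk authentication token in a Bearer header; a session
    key from /services/auth/login would be sent as "Splunk <key>" instead."""
    body = build_update_priority_body(tenant_id, priority, objects)
    request = urllib.request.Request(
        base_url.rstrip("/") + UPDATE_PRIORITY_PATH,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    context = ssl.create_default_context()
    if not verify_tls:  # only for lab instances still running the default self-signed certificate
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample, mirroring the SPL example above.
    sample_objects = ["eventgen-waf:akamai:cm:json", "eventgen-waf:websense:cg:kv"]
    print(json.dumps(build_update_priority_body("demo-priority", "high", sample_objects)))
    if os.environ.get("SPLUNK_TOKEN"):  # only send when credentials are provided
        print(update_priority(os.environ.get("SPLUNK_URL", "https://localhost:8089"),
                              os.environ["SPLUNK_TOKEN"], "demo-priority", "high", sample_objects))
```

Rejecting unknown levels client-side keeps a typo such as "High" from reaching the KVstore; the endpoint is the authority on what it accepts, so keep the response it returns for your own logging.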

Managing priority via policy

TrackMe supports the management of priority levels via policy, which can be defined on a per Virtual Tenant basis:

  • Policies are regex-based expressions that TrackMe orchestrates automatically.

  • Matching entities are automatically updated with the priority level defined in the policy.

  • If multiple policies match a given entity, the highest priority level takes precedence.

  • Since TrackMe 2.1.10, an entity managed by policies can still be updated manually; the policy will not override the manual update.

  • TrackMe shows an informational message in the entity screen, displaying the policy that manages the entity, the requested priority level, and the effective priority level.

Accessing the policy management screen:

policy001.png

Defining a policy:

policy002.png policy003.png

Modification screen when an entity is managed by a policy:

policy004.png

Modification screen when an entity is managed by a policy and manually updated:

policy005.png

Accessing entities managed by policies using trackmegetcoll:

  • Update the tenant_id

  • The following SPL can be accessed via the “Search table” button in TrackMe’s UI; it leverages the real-time decision maker and the TrackMe REST API

| trackmegetcoll tenant_id=feeds-secops component=dsm
| where isnotnull(priority_policy_id)
| table object, priority*
policy006.png

Managing priority externally

TrackMe supports the management of priority levels externally:

  • External management is a way to update the priority level of entities using Splunk searches and any logic of your own.

  • Priority policies take precedence over external management.

  • If an entity is managed externally, the priority level can still be updated manually, and the external management will not override the manual update.

  • TrackMe shows an informational message in the entity screen, displaying the external management that manages the entity, the requested priority level, and the effective priority level.

  • These instructions require TrackMe 2.1.10 or later.
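The precedence rules stated in the policy section and in the external management bullets above, written out as a small model so they can be checked against concrete entities. This is an added example, not TrackMe's own resolution code: the rules it encodes are only those on this page (a manual update is never overridden; policies win over external management; among several matching policies the highest level wins; otherwise the discovery-time level stays). Matching policies with re.search against the entity name, the field name priority_manual, and the sample policies and entities are assumptions and constructed data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Priority levels ordered from lowest to highest, as listed on this page.
PRIORITY_LEVELS = ("low", "medium", "high", "critical")
PRIORITY_RANK = {level: rank for rank, level in enumerate(PRIORITY_LEVELS)}


def check_level(value: str) -> str:
    if value not in PRIORITY_RANK:
        raise ValueError(f"unknown priority level: {value!r}")
    return value


@dataclass
class PriorityPolicy:
    policy_id: str
    pattern: str   # regex; assumption: applied with re.search to the entity name
    priority: str


@dataclass
class Entity:
    object: str
    priority: str                             # level set at discovery time (tenant default)
    priority_external: Optional[str] = None   # set by your own scheduled search (external management)
    priority_manual: Optional[str] = None     # manual update from the entity screen (hypothetical field)


@dataclass
class Resolution:
    effective: str
    source: str                       # "manual", "policy", "external" or "discovery"
    requested: Optional[str] = None   # level requested by the managing policy / external source
    policy_id: Optional[str] = None


def matching_policies(entity: Entity, policies: List[PriorityPolicy]) -> List[PriorityPolicy]:
    return [p for p in policies if re.search(p.pattern, entity.object)]


def resolve_priority(entity: Entity, policies: List[PriorityPolicy]) -> Resolution:
    """Manual update > policies (highest matching level) > external management > discovery default."""
    check_level(entity.priority)
    for p in policies:
        check_level(p.priority)

    requested, source, policy_id = None, "discovery", None
    matched = matching_policies(entity, policies)
    if matched:
        best = max(matched, key=lambda p: PRIORITY_RANK[p.priority])
        requested, source, policy_id = best.priority, "policy", best.policy_id
    elif entity.priority_external is not None:
        requested, source = check_level(entity.priority_external), "external"

    if entity.priority_manual is not None:
        return Resolution(check_level(entity.priority_manual), "manual", requested, policy_id)
    if requested is None:
        return Resolution(entity.priority, "discovery")
    return Resolution(requested, source, requested, policy_id)


def describe(res: Resolution) -> str:
    """Message in the spirit of the entity screen: manager, requested level, effective level."""
    if res.requested is None:
        tag = "manual update" if res.source == "manual" else "discovery default"
        return f"priority {res.effective} ({tag}, not managed)"
    managed_by = f"policy {res.policy_id}" if res.policy_id else "external management"
    suffix = " (manual update wins)" if res.source == "manual" else ""
    return f"managed by {managed_by}, requested {res.requested}, effective {res.effective}{suffix}"


# Constructed sample data, not taken from a real tenant.
SAMPLE_POLICIES = [
    PriorityPolicy("pol-waf", r"^eventgen-waf:", "high"),
    PriorityPolicy("pol-akamai", r":akamai:", "critical"),
    PriorityPolicy("pol-lab", r"^lab-", "low"),
]

SAMPLE_ENTITIES = [
    Entity("eventgen-waf:akamai:cm:json", "medium"),                         # two policies match
    Entity("eventgen-waf:websense:cg:kv", "medium", priority_manual="low"),  # policy plus manual update
    Entity("prod-fw:cisco:asa", "medium", priority_external="high"),         # external management only
    Entity("lab-syslog:cisco:ios", "medium", priority_external="critical"),  # policy beats external
    Entity("misc:app:json", "medium"),                                       # nothing applies
]


def demo() -> dict:
    return {e.object: resolve_priority(e, SAMPLE_POLICIES) for e in SAMPLE_ENTITIES}


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name}: {describe(res)}")
```

The lab-syslog entity is the case worth running in your head: external management asks for critical, yet the effective level is low because a (low) policy matches and policies take precedence, which is exactly why the informational message in the entity screen reports both the requested and the effective level.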

Example of SPL:

  • Update the tenant_id

  • Update the search to match your needs (lookup files and logic); schedule it so that newly discovered entities also receive their externally managed priority

| inputlookup trackme_dsm_tenant_feeds-secops | eval keyid=_key

``` in this example, we leverage a Splunk lookup files referencing indexes and used to define the field priority_external ```
| lookup feeds_priorities.csv index as data_index OUTPUT priority as priority_external
| where isnotnull(priority_external)

``` the field priority_reason will be used by TrackMe to display an informational message ```
| eval priority_reason="lookup: feeds_priorities.csv"

``` finally the KVstore records will be updated, schedule this search so that any newly discovered entity will retrieve the expected externally managed priority ```
| outputlookup append=t key_field=keyid trackme_dsm_tenant_feeds-secops

Modification screen when an entity is managed externally:

external001.png

Modification screen when an entity is managed externally and manually updated:

external002.png

Accessing entities managed externally using trackmegetcoll:

  • Update the tenant_id

  • The following SPL can be accessed via the “Search table” button in TrackMe’s UI; it leverages the real-time decision maker and the TrackMe REST API

| trackmegetcoll tenant_id=feeds-secops component=dsm
| where isnotnull(priority_external)
| table object, priority*
external003.png