Priority Management

About priority levels in TrackMe

Hint

Priority levels are an important concept in TrackMe which can easily be leveraged to categorize the importance of your different Splunk feeds, and for instance redirect notifications depending on an entity’s priority level.

  • TrackMe supports the following priority levels:
    • critical

    • high

    • medium

    • low

  • The priority level of an entity is defined by default when discovered, and can be updated per entity, defined by policy, or managed externally.

  • Entities are usually filtered when forwarding alerts to a third party, such as email or a ticketing system, based on their priority level.

  • Priority is a valuable concept that can be leveraged to reduce noise and alert fatigue. A frequent and recommended practice is to focus on high and critical priorities, while other priorities can be considered over time.

View example from a Virtual Tenant:

vtenant_view001.png

Preview in Virtual Tenant:

vtenant_view002.png

View in Home UI:

home_view1.png

View of an entity:

home_view2.png

Priority at discovery time

TrackMe applies the priority level at discovery time, which is configurable per Virtual Tenant:

When a Virtual Tenant is created, you can define the default priority that will be applied to entities as they are discovered:

config_tenant_level001.png

Once the Virtual Tenant is created, you can update the default priority level in the Virtual Tenant’s settings:

config_tenant_level002.png config_tenant_level003.png

Managing priority at the entity level

Updating the entity priority level in the modification screen

In the main entity screen, you can update the priority from the modification screen:

per_entity_001.png per_entity_002.png

Updating entities in bulk via the table view

In the Home view, you can update one or multiple entities at once within the table:

per_table_001.png

Updating entities in bulk selection

You can also select one or multiple entities in the table and update their priority level:

bulk001.png bulk002.png

Updating entities in SPL and REST API

You can also update the priority level of entities using SPL and the REST API, or by any other means that can interact with the REST API:

Example of SPL:

| trackme url="/services/trackme/v2/splk_dsm/write/ds_update_priority" mode="post" body="{'tenant_id': 'demo-priority', 'priority': 'high', 'object_list': 'eventgen-waf:akamai:cm:json,eventgen-waf:websense:cg:kv'}"

rest001.png
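The same update driven from outside Splunk, as an added example that is not part of the TrackMe documentation or code: it validates the priority level and object list before calling the ds_update_priority endpoint quoted above. The splunkd URL and token are placeholders, and it is assumed (not stated on this page) that the endpoint accepts a JSON body with a bearer token.

```python
import json
import urllib.request

# Priority levels supported by TrackMe (from this page).
PRIORITY_LEVELS = ("critical", "high", "medium", "low")

# Endpoint used by the SPL example on this page.
DS_UPDATE_PRIORITY = "/services/trackme/v2/splk_dsm/write/ds_update_priority"


def build_update_priority_body(tenant_id, priority, objects):
    """Validate inputs and build the body for ds_update_priority.

    objects is a list of entity object names; they are sent as a
    comma-separated string in object_list, as in the SPL example.
    """
    if priority not in PRIORITY_LEVELS:
        raise ValueError(f"unsupported priority level: {priority!r}")
    objects = [o.strip() for o in objects if o and o.strip()]
    if not objects:
        raise ValueError("object_list must contain at least one entity")
    if any("," in o for o in objects):
        raise ValueError("object names must not contain commas")
    return {"tenant_id": tenant_id, "priority": priority,
            "object_list": ",".join(objects)}


def update_priority(splunk_url, token, tenant_id, priority, objects):
    """POST the update to splunkd and return the decoded JSON response.

    Assumptions (not from the page): JSON body, bearer token in the
    Authorization header; TLS verification stays at urllib's default.
    """
    body = build_update_priority_body(tenant_id, priority, objects)
    req = urllib.request.Request(
        splunk_url.rstrip("/") + DS_UPDATE_PRIORITY,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder host and token; tenant and objects are those of the SPL example.
    print(update_priority("https://splunk.example.com:8089", "<token>",
                          "demo-priority", "high",
                          ["eventgen-waf:akamai:cm:json",
                           "eventgen-waf:websense:cg:kv"]))
```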

Managing priority via policy

TrackMe supports the management of priority levels via policy, which can be defined per Virtual Tenant:

  • Policies are regex-based expressions that are orchestrated by TrackMe automatically.

  • Matching entities are automatically updated with the priority level defined in the policy.

  • If multiple policies match a given entity, the highest priority level takes precedence.

  • Since TrackMe 2.1.10, an entity managed by policies can still be updated manually, and the policy will not override the manual update.

  • TrackMe will show an informational message in the entity screen, displaying the policy managing the entity, the requested priority level, and the effective priority level.

Accessing the policy management screen:

policy001.png

Defining a policy:

policy002.png policy003.png

Modification screen when an entity is managed by a policy:

policy004.png

Modification screen when an entity is managed by a policy and manually updated:

policy005.png

Accessing entities managed by policies using trackmegetcoll:

  • Update the tenant_id

  • The following SPL can be accessed via the “Search table” button in TrackMe’s UI; it leverages the real-time decision maker and TrackMe REST API

| trackmegetcoll tenant_id=feeds-secops component=dsm
| where isnotnull(priority_policy_id)
| table object, priority*

policy006.png

Managing priority externally

TrackMe supports the management of priority levels externally:

  • External management allows you to update the priority level of entities using Splunk and any logic of your own.

  • Priority policies take precedence over external management.

  • If an entity is managed externally, the priority level can still be updated manually, and external management will not override the manual update.

  • TrackMe will show an informational message in the entity screen, displaying the external management managing the entity, the requested priority level, and the effective priority level.

  • These instructions require TrackMe 2.1.10 or later.

Example of SPL:

  • Update the tenant_id

  • Update the search to match your needs, lookup files and logic

| inputlookup trackme_dsm_tenant_feeds-secops | eval keyid=_key

``` In this example, we leverage a Splunk lookup file referencing indexes and used to define the field priority_external ```
| lookup feeds_priorities.csv index as data_index OUTPUT priority as priority_external
| where isnotnull(priority_external)

``` The field priority_reason will be used by TrackMe to display an informational message ```
| eval priority_reason="lookup: feeds_priorities.csv"

``` Finally, the KVstore records will be updated; schedule this search so that any newly discovered entity will retrieve the expected externally managed priority ```
| outputlookup append=t key_field=keyid trackme_dsm_tenant_feeds-secops
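The precedence rules stated in the policy and external management sections above, modelled as an added example that is not TrackMe's own code: a manual update is never overridden, policies beat external management, the highest level wins when several policies match, and otherwise the tenant default applies. The policy_id and manual_priority fields are hypothetical, and it is assumed that a policy regex is matched against the entity's object name; priority_external and priority_reason are the fields from the SPL above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Priority levels supported by TrackMe, lowest to highest (from this page).
LEVELS = ("low", "medium", "high", "critical")
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass
class PriorityPolicy:
    policy_id: str   # hypothetical identifier shown in the entity screen
    pattern: str     # regex; assumed to be matched against the object name
    priority: str


@dataclass
class Entity:
    object_name: str
    manual_priority: Optional[str] = None     # hypothetical: set by an operator
    priority_external: Optional[str] = None   # written by the external SPL
    priority_reason: Optional[str] = None     # written by the external SPL


def check_level(level):
    """Reject anything that is not one of the four supported levels."""
    if level not in RANK:
        raise ValueError(f"unsupported priority level: {level!r}")
    return level


def resolve_priority(entity, policies, tenant_default="medium"):
    """Return (effective, requested, managed_by) for one entity."""
    matching = [p for p in policies if re.search(p.pattern, entity.object_name)]
    if matching:
        # Several matching policies: the highest requested level wins.
        best = max(matching, key=lambda p: RANK[check_level(p.priority)])
        requested, managed_by = best.priority, f"policy: {best.policy_id}"
    elif entity.priority_external:
        # External management only applies when no policy matches.
        requested = check_level(entity.priority_external)
        managed_by = entity.priority_reason or "external"
    else:
        requested, managed_by = check_level(tenant_default), None
    # A manual update is kept; the screen would show requested vs effective.
    effective = check_level(entity.manual_priority) if entity.manual_priority else requested
    return effective, requested, managed_by
```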

Modification screen when an entity is managed externally:

external001.png

Modification screen when an entity is managed externally and manually updated:

external002.png

Accessing entities managed externally using trackmegetcoll:

  • Update the tenant_id

  • The following SPL can be accessed via the “Search table” button in TrackMe’s UI; it leverages the real-time decision maker and TrackMe REST API

| trackmegetcoll tenant_id=feeds-secops component=dsm
| where isnotnull(priority_external)
| table object, priority*

external003.png