Entities priority

Introduction to TrackMe Entities Priority

In TrackMe, all components and entities have a concept of “priority”. The priority can be:

  • low

  • medium

  • high

[Screenshot: priority1.png]

When TrackMe discovers and creates an entity, a default priority value is assigned to the entity.

The value assigned is driven by a system wide Splunk macro named “trackme_default_priority”.

By default, an entity's priority is set to “medium”.

Why use the priority

The priority is a simple concept that allows you to categorize entities according to their importance in your context.

This serves different purposes:

  • It makes it easy to see whether important entities are currently affected by issues

  • The TrackMe main user interface provides several features that highlight when high priority entities are affected

  • You can, for instance, filter on high priority entities, or use custom filters and drilldown actions to access entities with a given priority value

  • It allows you to qualify entities over time and improve the coverage of your environment

  • You can also create different alerts that filter on certain priorities, so that each priority is handled with a different action

  • For example, you may want to generate an incident in your ITSM tool for high priority entities, while other priorities lead to email alerts

Updating the priority

You can update the priority of one or more entities as needed. The priority is a persistent KVstore field.

To update an entity priority, you can:

  • Open the entity main screen, click on the “Modify” button and assign the priority accordingly

  • Update priorities in bulk edit mode: select one or more entities, click on the bulk action button and define the priority as needed

  • Update the priority through the REST API endpoint associated with the component

Updating the priority of a single entity

Open the entity Modification screen (click on the entity icon then Modification, or the configure icon to the right of the open icon), and set the priority as needed:

[Screenshots: priority2.png, priority3.png]

Updating the priority in bulk

Select one or more entities to be updated, and click on the bulk edit button:

[Screenshots: priority4.png, priority5.png]

Updating the priority with the REST API

Open the REST API reference to find the endpoint for that component, for instance with splk-dsm:

    | trackme url="/services/trackme/v2/splk_dsm/write/ds_update_priority" mode="post" body="{'tenant_id': 'mytenant', 'priority': 'high', 'object_list': 'eventgen-firewall:netscreen:firewall|key:region;company|amer;company004,eventgen-firewall:netscreen:firewall|key:region;company|amer;company003'}"

[Screenshot: priority6.png]
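The same update can be driven from outside Splunk, which is useful when priorities are qualified in a CMDB or ticketing workflow and pushed into TrackMe. The following is an added example and not TrackMe's own code. It assumes, beyond what the page shows, that the endpoint is reachable over the Splunk management port 8089, that it accepts the body as a JSON object with the same keys as the SPL example (tenant_id, priority, object_list), and that a bearer token is supplied in the SPLUNK_TOKEN environment variable. The entity names in the sample call are the two from the SPL example above; the host name is a placeholder.

```python
"""Update the priority of data-source entities through the TrackMe REST
endpoint shown above (added example, not TrackMe's own code).

Assumptions not taken from the page: management port 8089, JSON request
body, bearer-token authentication via the SPLUNK_TOKEN environment variable.
"""
import json
import os
import sys
import urllib.request

# The three priority values TrackMe supports.
VALID_PRIORITIES = ("low", "medium", "high")

# Endpoint for the splk-dsm component, as shown in the SPL example.
ENDPOINT_PATH = "/services/trackme/v2/splk_dsm/write/ds_update_priority"


def build_priority_update(tenant_id, priority, object_names):
    """Validate the inputs and return the request body as a dict.

    object_list is a comma-separated string of entity names, as in the SPL
    example. Names are passed through unchanged (they legitimately contain
    ':', '|' and ';'), but a ',' inside a name would be read as a separator,
    so it is rejected instead of silently splitting one entity into two.
    """
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"priority must be one of {VALID_PRIORITIES}, got {priority!r}")
    names = []
    for name in object_names:
        name = (name or "").strip()
        if not name:
            continue
        if "," in name:
            raise ValueError(f"entity name {name!r} contains ',', the object_list separator")
        if name not in names:          # keep order, drop duplicates
            names.append(name)
    if not names:
        raise ValueError("at least one entity name is required")
    return {"tenant_id": tenant_id, "priority": priority, "object_list": ",".join(names)}


def update_priority(host, tenant_id, priority, object_names, token, timeout=30):
    """POST the update to TrackMe and return the decoded JSON reply."""
    body = json.dumps(build_priority_update(tenant_id, priority, object_names)).encode()
    req = urllib.request.Request(
        f"https://{host}:8089{ENDPOINT_PATH}",   # assumed management port
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    # urlopen verifies the server certificate by default; keep it that way.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    token = os.environ.get("SPLUNK_TOKEN")
    if not token:
        sys.exit("set SPLUNK_TOKEN to a Splunk bearer token")
    reply = update_priority(
        "splunk.example.internal",          # placeholder host
        "mytenant",
        "high",
        [
            "eventgen-firewall:netscreen:firewall|key:region;company|amer;company004",
            "eventgen-firewall:netscreen:firewall|key:region;company|amer;company003",
        ],
        token,
    )
    print(json.dumps(reply, indent=2))
```

Because every change made this way is audited (see the next section), the token used here should belong to a dedicated service account, so that the audit trail distinguishes automated qualification from manual edits.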

Priority change audit

All changes of the priority through TrackMe are audited.

When a user updates the priority, an audit event associating the Virtual Tenant, the component and the entity is created.

You can review audit changes for a given entity in the “Audit” tab of the entity main screen.

[Screenshot: priority7.png]

Recommendations for Using TrackMe Entities Priority

When managing high-scale environments, one of the challenges is often dealing with the large number of entities that can be discovered.

To effectively handle this situation, consider the following recommendations:

  • Start progressively: Limit the scope of the Hybrid Trackers responsible for entity discovery as much as possible. This approach can help you maintain control over the number of entities being discovered and monitored.

  • Leverage priority: Use TrackMe’s entities priority feature to distinguish valuable entities from those that are less important. For instance, tagging entities that you have reviewed and qualified as “high” can help you focus on the most critical components in your environment.

  • Adopt a tiered alerting approach: By associating high priority entities with TrackMe alerts, you ensure that only qualified entities trigger alerts. This method helps to:

    • Improve your monitoring posture by focusing on the most important entities.

    • Reduce false positive alerts.

    • Minimize alert fatigue by reducing the number of alerts generated from lower priority entities.

By following these recommendations, you can better manage the entities in your high-scale environment and ensure that your monitoring efforts are focused on the most critical components.