Action Conf

Overview

Purpose: ActonConf controls the Salem actions that add contextual information to the alert.

Accessing current action configurations:

In Salem Chat, type view -a.
In the Admin menu, go to Configs > ActionConf.

cost <int>

Definition: Controls when an action is run.

Valid values: 0, 1, 2

Cost 0: The action is run if the alert contains the required fields.
Cost 1 or 2: The action only runs when Salem specifically wants to know the context that is returned by that action.
Cost 2 is typically used for webhook actions.

requires <list[dict]>

Definition: Defines the alert fields and context required for this action to run. One or more requirements can be added, and each will be evaluated independently.

Example:

"requires": [
    {
        "fields": [
            "file"
        ],
        "context": {
            "contains": ["data.malicious"],
            "excludes": []
        }
    }
]

returns <list>

Definition: The alert context tags to add to the alert if the action evaluates to true.

Context Tags: Context tags are grouped into nouns, each with a unique set of group names and context labels, separated by a period. The following nouns are supported:

action
related_action
account
src
src_account
dest
program
parent_program
data

Example: An identified domain user may have a context tag of account.domain_account.

Note: Custom context tags can be applied but may not contribute directly to the threat score.

params <dict>

Definition: A dictionary of parameters specific to the action type. For an overview of the possible parameter values, see the documentation for the specific action type.

Definition: Match actions are evaluation methods that resolve to True or False. If the match action evaluates to true, the returned context is applied to the alert. The match action is evaluated against the fields listed in the required_fields object.

match action params

The match function accepts a number of eval types. See the logical operation documentation for a complete list.

match action examples

webhook (as of Sept 2023)

Definition: Webhook actions return a Boolean value by querying an external HTTP endpoint and evaluating an eval string against the response.

Supported external systems:

Azure Log Analytics
Microsoft Graph API
Splunk

webhook params

definition <str>

Definition: The ActionDefinition configuration to use for this webhook action. See the ActionDefinition documentation for additional information on system configuration.

input <dict>

Definition: The query and optional parameters to the designated http endpoint. The inputs values are defined on an object basis in the ActionDefinition input_keys parameter. See the documentation on configuring an ActionDefinition for more information.

outputs <list[dict]>

Definition: Output objects control how the results of the webhook are evaluated.

Example:

"outputs": [
    {
        "condition": {
            "type": "bool" | "regex",
            "value": "bool or regex str"
        },
        "outcome": {
            "type": "context" | "field",
            "value": [
                "context tag or field value"
            ]
        }
    }
]

creating a query webhook action

The user selects a configured system from the dropdown list.
The user enters a query for the designated system, and optional parameters to include in the http request.
If configured correctly, the bot returns the response from the external system.
The user enters an eval string based on the response and the key/values of the selected alert. The eval string must evaluate to true for the selected information. See eval string for additional documentation.

LLM configurations

PreviousConfiguration Home Next"match" ActionConfs

Last updated 5 months ago

Salem Cyber Doc Site