"match" ActionConfs

Match actions are created by users when teaching Salem how something was known and can be modified within the Admin menu by entering view -a in Salem Chat and then selecting Configs > ActionConfs.

Below are a few examples of how Salem creates and manages match actions.

Situation: The user answers a multiContext question indicating the type of authorization an action represents. To build Salem's learning, the user wants to provide

  1. The user selects an alert's multiContext question about whether the action related to the alert was authorized. Note: multiContext questions can be answered through the "Add Context" or "Answer a Question" workflow.

  2. The user selects "authorized" based on insight into the action of the selected alert.

  3. The user selects "Evaluate Alert Detail", enters `result == 'success' and bytes_out > 5000 and match('endsWith', 'salemcyber.com', account)`, and selects "Submit."

  4. Salem generates an ActionConf object which includes, among other components, the following parameters:

     ```
     "returns": [
         "action.authorized"
     ],
     "params": {
         result == 'success' and
         bytes_out > 5000 and
         match('endsWith', 'salemcyber.com', account)
     }
     ```

  5. Now Salem has learned to identify the actions of alerts as "authorized" if they have the characteristics entered by the user.
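To make concrete what the ActionConf above encodes, here is an added illustration (not Salem's code and not its ActionConf evaluator) that applies the same three-part predicate to a handful of constructed alert records and reports which alerts would have their action labelled "authorized". The `match()` helper mirrors the argument order used on the page, `match('endsWith', 'salemcyber.com', account)`; the extra `startsWith` and `contains` operations, the alert field names, and the handling of a missing field are assumptions for the illustration.

```python
# Added illustration, not Salem's implementation: evaluate the predicate from the
# ActionConf ("params") against constructed alert records and return the labels
# listed under "returns" when it holds.

from typing import Any, Mapping, List

# Assumed string operations for match(). Only 'endsWith' appears in the
# ActionConf above; the other two are illustrative.
_MATCH_OPS = {
    "endsWith": lambda value, needle: value.endswith(needle),
    "startsWith": lambda value, needle: value.startswith(needle),
    "contains": lambda value, needle: needle in value,
}


def match(op: str, needle: str, value: Any) -> bool:
    """match(op, needle, field_value), e.g. match('endsWith', 'salemcyber.com', account).

    A field that is absent (None) or not a string never matches, so an alert
    missing the account field is not labelled authorized by accident.
    """
    if op not in _MATCH_OPS:
        raise ValueError(f"unsupported match operation: {op}")
    if not isinstance(value, str):
        return False
    return _MATCH_OPS[op](value, needle)


# The two parts of the ActionConf from the walkthrough.
RETURNS: List[str] = ["action.authorized"]


def params(alert: Mapping[str, Any]) -> bool:
    """The 'params' predicate: all three conditions must hold for the alert."""
    bytes_out = alert.get("bytes_out")
    return (
        alert.get("result") == "success"
        and isinstance(bytes_out, (int, float)) and bytes_out > 5000
        and match("endsWith", "salemcyber.com", alert.get("account"))
    )


def apply_action_conf(alert: Mapping[str, Any]) -> List[str]:
    """Labels this ActionConf assigns to the alert's action ([] when it does not apply)."""
    return list(RETURNS) if params(alert) else []


# Constructed sample alerts covering each way the predicate can fail.
SAMPLE_ALERTS = [
    {"id": 1, "result": "success", "bytes_out": 12000, "account": "alice@salemcyber.com"},
    {"id": 2, "result": "failure", "bytes_out": 12000, "account": "alice@salemcyber.com"},
    {"id": 3, "result": "success", "bytes_out": 4096, "account": "bob@salemcyber.com"},
    {"id": 4, "result": "success", "bytes_out": 9000, "account": "carol@example.org"},
    {"id": 5, "result": "success", "bytes_out": 9000},  # account field absent
]


def authorized_ids(alerts=SAMPLE_ALERTS) -> List[int]:
    """Ids of the alerts whose action the ActionConf labels authorized."""
    return [a["id"] for a in alerts if apply_action_conf(a)]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["id"], apply_action_conf(a))
    print("authorized:", authorized_ids())  # only alert 1 satisfies all three conditions
```

Only alert 1 is labelled: alert 2 fails on `result`, alert 3 on the `bytes_out` threshold, alert 4 on the account suffix, and alert 5 because the account field is missing. This is the behaviour to keep in mind when writing a match action: every condition joined with `and` must hold, and a field that is absent from the alert detail should cause the rule not to fire rather than raise an error.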

For a complete list of eval operations, see the logical operations documentation.
