Action Definition

Action definitions define the base parameters for contextual and reporting actions. You can configure your own action definitions or re-use the default options. To see the currently configured action definitions, type view -a in Salem Chat and navigate to Configs > ActionDefinition.

Definition: Specifies the type of action to be executed by the ActionDefinition object.

Supported action types:

  • Chat

  • Email

  • Webhook

Chat actions are used by ReportConf and other internal processes to communicate with users.

Specifications:

  • params <dict>

    • role <list>

Definition: Email actions are used by ReportConf objects to interface with target email resources.

Specifications:

  • params <dict>

    • role <list>

By default, one email ActionDefinition is defined, called Email Notify. To enable use of this ActionDefinition, add a target email server and port. Additionally, see the default ReportConf configuration default_email_notify to configure reporting preferences.

Definition: Webhook ActionDefinitions allow Salem to interact with third-party systems, either as ActionConf or ReportConf actions. Several default configurations are pre-loaded into Salem; to access or edit them, type view -a in Salem Chat and navigate to Configs > ActionDefinition.

The action completed by a webhook object, including authentication methods and attempted requests, is defined by the parameters listed below.

Specifications:

  • credentials <dict>: authentication attributes.

  • action_type <str>: accepts "webhook" or "report_webhook".

  • disabled <bool>: true/false; whether the ActionDefinition has been disabled.

  • input <dict>:

    • static_keys <dict>: GUIDs for target resources to be called in the HTTP request.

    • input_keys <list dict>: query or reporting.

  • requests <list dict>: types and format of HTTP requests to target resources.

  • timeout <dict>: length of time to wait before a request is treated as having no response.

  • results <dict>: expected format of the response.

All parameters can be edited to fit whatever configuration an organization requires, including unique key structures, authentication methods, and HTTP methods.

Definition: The credentials parameter specifies the authentication fields needed to authenticate calls made to the actions specified in the requests parameter of the same ActionDefinition object.

Default credential fields:

  • user: The user name used to authenticate Salem to a third-party system.

  • secret_name: The name of a secret in a key vault that contains the credential used to access a third-party system.

  • vault_url: The FQDN (ex: https://{vaultName}.vault.azure.net) of the key vault where the secret is stored.

Definition: The input.static_keys field includes the id tags for the target resources used in the HTTP calls defined in the requests parameter. Typically, the values of these IDs will mimic a GUID structure.

Definition: The input.input_keys parameter defines the fields Salem users can interact with once the system is configured.

Specifications:

  • key: The name of the value object, referenced in the requests parameter.

  • example: An example of the expected response from the user.

  • description: A description for how the value will be used.

requests <list dict>

The requests parameter dictates the composition, sequence, and construction of HTTP requests made by the ActionDefinition.

Salem offers a set of preconfigured webhook actions for your convenience. These out-of-the-box webhook actions seamlessly integrate with the following services:

  • Azure Log Analytics

  • Microsoft Graph API

This documentation provides general guidance on configuring and customizing these system integrations. For in-depth information about each of these systems, refer to the Default System Configurations documentation.

You can configure default webhook actions in Salem using one of two methods:

  1. Editing the ActionDefinition object directly within Salem:

    1. Access Salem's admin command by sending view -a to Salem.

    2. Select "View Configs" and then "ActionDefinition" to view available actions.

    3. Locate and select the ActionDefinition you wish to configure/enable.

    4. Update the configuration by replacing placeholder values (denoted by <>) in the existing config and changing the "disabled" value to 0.

      • Once done, update the configuration by using the update button and pasting in your newly changed JSON config.

    5. OPTIONAL: If configuring an ActionDefinition with the action_type of "report_webhook", you should also enable/configure/update the reporting parameters in the ReportConf config to match your expectations. You can read more about the options here: ReportConf

Contact support@salemcyber.com for assistance creating new webhook integrations with third-party tools.

  2. Entering fields in the system configuration workflow:

The system configuration workflow streamlines system configurations and is accessible to Salem admins. The workflow inputs are dynamically created based on the fields in the specified ActionDefinition. See ActionDefinition System Configurations for additional details on specific system configuration.

Workflow inputs:

  • Credentials: (inputs generated based on credentials)

    • Salem expects a key vault for bot authentication. See webhook auth documentation for additional detail.

  • Customer Environment Identifiers: (inputs generated based on static_keys)

    • Salem expects your

  • Webhook Request Inputs: (inputs generated based on input_keys)

    • The request expects a valid query, with any required parameters, to validate the connection. The request can be

Note: the system configuration workflow currently only supports query webhook actions and not report webhook actions.
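As an added example (not Salem's own code), the following Python check can be run on an edited ActionDefinition JSON before pasting it into the update dialog described under method 1: it flags leftover <> placeholders, a definition that is still disabled, and credentials that lack a key vault reference or point at a non-HTTPS vault URL. The sample config is constructed; the top-level placement of the fields and the workspace_id key are assumptions based on the parameter list above, so adjust the paths to the layout of your own config.

```python
import json
import re
from urllib.parse import urlparse

# Heuristic for the "<>" placeholders in default configs; the no-whitespace rule
# avoids flagging comparison operators inside a query string.
PLACEHOLDER = re.compile(r"<[^<>\s]*>")
ACTION_TYPES = {"webhook", "report_webhook"}
CRED_FIELDS = ("user", "secret_name", "vault_url")

# Constructed sample (not a real Salem default); key layout is assumed.
SAMPLE = """{
  "action_type": "webhook",
  "disabled": 1,
  "credentials": {"user": "<client-id>", "secret_name": "salem-graph",
                  "vault_url": "http://kv.example.test"},
  "input": {"static_keys": {"workspace_id": "<workspace-id>"}, "input_keys": []},
  "requests": []
}"""

def find_placeholders(node, path=""):
    """Yield the JSON path of every string value that still holds a placeholder."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_placeholders(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        yield path

def check_action_definition(raw_json):
    """Return a list of problems found in an ActionDefinition JSON string."""
    cfg = json.loads(raw_json)
    problems = [f"placeholder left in {p}" for p in find_placeholders(cfg)]
    if cfg.get("action_type") not in ACTION_TYPES:
        problems.append("action_type must be webhook or report_webhook")
    if cfg.get("disabled") not in (0, False):
        problems.append("disabled is still set; the action will not run")
    creds = cfg.get("credentials") or {}
    for field in CRED_FIELDS:
        if not creds.get(field):
            problems.append(f"credentials.{field} is missing")
    url = urlparse(creds.get("vault_url") or "")
    if creds.get("vault_url") and (url.scheme != "https" or not url.hostname):
        problems.append("credentials.vault_url must be an https URL")
    return problems

if __name__ == "__main__":
    print("\n".join(check_action_definition(SAMPLE)))
```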
