Summary Details

Summary Details provide a focused view of the most critical information within an alert, enabling you to quickly assess and prioritize alerts without sifting through extensive details. This feature empowers you to customize which details are expanded by default when an alert's report card loads, ensuring you see the most pertinent information first.

  • Initial Expansion: Specified summary details automatically expand upon loading, while the rest remain collapsed, reducing visual clutter.

  • Flexible Configuration: Define summary details at three levels for tailored views:

    • Organization-wide

    • Alert Source

    • Alert Use Case/Name

  • Hierarchy of Application: Priority is given to use case-level configurations, followed by alert source-level and then organization-level settings, ensuring the most relevant details are displayed.

To tailor which alert details are expanded initially in your report card view, you'll need to define them within the "summary_fields" parameter of the relevant parsingConf object. Follow these steps to configure your Summary Details:

1. Access Parsing Configurations:

  • Navigate to the "Parsing Conf" menu via the admin page. See the Parsing Conf doc page for more details.

2. Select Configuration Scope:

  • Choose the parsing configuration you want to edit based on your desired scope:

    • Organization-wide (e.g., "default")

    • Alert Source (e.g., "sentinel," "WindowsAV")

    • Alert Use Case/Name (e.g., "Account created from non-approved sources")

3. Add the "summary_fields" Array:

  • Within the selected parsing configuration, add a new array named "summary_fields".

4. Specify Desired Details:

  • List the specific alert details you want to be shown on alert reports initially within the "summary_fields" array, using the alert detail's exact name.

    • Note: There's no limit to the number of alert details you can include.

5. Save Changes:

  • Click the "Submit" button to finalize the configuration changes.

The following default summary fields are included in Salem's base image:

"summary_fields" : [
        "account",
        "src_account",
        "src",
        "dest",
        "program",
        "parent_program",
        "data",
        "command_line",
        "file",
        "file_path",
        "url",
        "action",
        "result",
        "user_agent",
        "registry_value",
        "registry_name",
        "file_hash",
        "registry_key"
]

If no summary details are defined in an alert's associated parsingConfs, this default list will be used.
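As an added illustration, not Salem's own code, the following Python sketch models the resolution order described above: the use-case configuration wins, then the alert source, then the organization-wide "default" conf, and finally Salem's built-in list when none of them defines "summary_fields". The shape of the parsingConf objects (a JSON object keyed by configuration name) and the treatment of an empty array as undefined are assumptions for the example.

```python
import json

# Salem's base-image default list, copied from the page above.
DEFAULT_SUMMARY_FIELDS = [
    "account", "src_account", "src", "dest", "program", "parent_program",
    "data", "command_line", "file", "file_path", "url", "action", "result",
    "user_agent", "registry_value", "registry_name", "file_hash", "registry_key",
]

# Constructed parsingConf objects. The page does not show a parsingConf's
# full structure, so a JSON object keyed by configuration name is assumed.
PARSING_CONFS = json.loads("""{
  "default": {"summary_fields": ["account", "src", "dest", "action"]},
  "sentinel": {"summary_fields": ["account", "src", "url", "user_agent"]},
  "WindowsAV": {},
  "Account created from non-approved sources": {
    "summary_fields": ["account", "src_account", "result"]
  }
}""")


def resolve_summary_fields(alert_source, use_case, confs=PARSING_CONFS):
    """Apply the page's precedence: use case, then alert source, then the
    organization-wide "default" conf, then Salem's built-in list."""
    for scope in (use_case, alert_source, "default"):
        fields = confs.get(scope, {}).get("summary_fields")
        if fields:  # assumption: an absent or empty array counts as undefined
            return list(fields)
    return list(DEFAULT_SUMMARY_FIELDS)


def split_details(alert_details, summary_fields):
    """Partition alert details into those expanded on load (matched by exact
    detail name, in summary_fields order) and those left collapsed."""
    expanded = {k: alert_details[k] for k in summary_fields if k in alert_details}
    collapsed = {k: v for k, v in alert_details.items() if k not in expanded}
    return expanded, collapsed


if __name__ == "__main__":
    # Constructed alert details for the example.
    alert = {"account": "jdoe", "src": "10.0.0.5", "url": "http://example.test/",
             "user_agent": "curl/8.0", "result": "blocked", "data": "..."}
    fields = resolve_summary_fields("sentinel", "some use case with no conf")
    expanded, collapsed = split_details(alert, fields)
    print("expanded:", list(expanded))    # account, src, url, user_agent
    print("collapsed:", list(collapsed))  # result, data
```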
