Feature Overview

Salembot Official Feature Flythrough

The core function of Salem is to analyze cybersecurity alerts. You can either enter the alerts manually or follow this guide on how to use a file to upload multiple alerts.

From the main menu, select "alerts". A new menu can be brought up by typing the "view" command with no extra parameters.

Select "add new" to add and submit the following:

 Source: User Added

 Alert Name: Failed authentication to Azure key vault

 Alert Body: 2022-04-10 08:23:24 action=failed src=10.0.0.1 user=appDev_svc dest=devKeyVault

The returned messages should contain the alert id. Select "yes" to view the alert card. Some data will be populated, but calibrating might take some time. Periodically refresh until the "Salem Threat Likelihood" is predicted.

Once the alert is done processing, you may tell Salem that it's a "False Positive."

On the expanded window, select this exact account in the leftmost dropdown list.

Select 'Yes' to confirm the report as a false positive.

Salem asks questions to collect contextual information used to improve future threat predictions. Salem will send at most one request for an answer per day. To give her further information, do the following:

Recall the main menu by typing the view command.

Select "Help Salem Learn". A new card will be generated with a question Salem needs answered. If no new questions are available, Salem will say so.

If a new question is available, Salem will offer you the chance to answer.

The metrics view provides some basic information about Salem's work volume.

To view metrics, recall the menu by typing the "view" command again. You can also use the metrics parameter directly by typing "view -m".

If you didn't use the metrics parameter, select actions and then view metrics. The card should be updated with current metrics, which should reflect the processing of any alert entered in a prior step.

Admins specifically have the ability to customize Salem to their liking.

To view a configuration file, type 'view -c' into Salem's chat in MS Teams.

Select any option from the drop-down. Then a new menu of various configurations should appear.

Left-click any configuration to view further options.

Selecting "view" will open the JSON. Selecting "update" will allow you to retype the JSON. And selecting "delete" will eradicate the JSON from existence.
