Action Conf


Last updated 1 year ago

Overview

Purpose: ActionConf controls the Salem actions that add contextual information to the alert.

Accessing current action configurations:

  • In Salem Chat, type view -a.

  • In the Admin menu, go to Configs > ActionConf.

id <str>

Definition: A unique identifier for this action configuration.

cost <int>

Definition: Controls when an action is run.

Valid values: 0, 1, 2

  • Cost 0: The action is run if the alert contains the required fields.

  • Cost 1 or 2: The action only runs when Salem specifically wants to know the context that is returned by that action.

  • Cost 2 is typically used for webhook actions.

requires <list[dict]>

Definition: Defines the alert fields and context required for this action to run. One or more requirements can be added, and each is evaluated independently.

Example:

"requires": [
    {
        "fields": [
            "file"
        ],
        "context": {
            "contains": ["data.malicious"],
            "excludes": []
        }
    }
]

returns <list>

Definition: The alert context tags to add to the alert if the action evaluates to true.

Context Tags: Context tags are grouped into nouns, each with a unique set of group names and context labels, separated by a period. The following nouns are supported:

  • action

  • related_action

  • account

  • src

  • src_account

  • dest

  • program

  • parent_program

  • data

Example: An identified domain user may have a context tag of account.domain_account.

Note: Custom context tags can be applied but may not contribute directly to the threat score.
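The following Python is an added illustration, not code from the Salem project: it puts the cost, requires and returns rules together by gating a constructed ActionConf on a constructed alert and then applying the returned tags. The alert layout, the rule that any one satisfied requirement makes the action eligible, the `requested` flag standing in for Salem asking for an action's context, and the id and tag names are assumptions.

```python
# Added example, not Salem's own code: gates an ActionConf on "requires" and
# "cost", then applies its "returns" tags. Assumed (not stated on the page): an
# alert is a dict of fields plus a "context" tag list; a requirement is met when
# every field is present, every "contains" tag is present and no "excludes" tag
# is present; one satisfied requirement is enough to make the action eligible.

CONTEXT_NOUNS = {"action", "related_action", "account", "src", "src_account",
                 "dest", "program", "parent_program", "data"}

# Constructed sample conf: "requires" copies the page's example; the id and the
# returned tag are made-up placeholders.
CONF = {
    "id": "example_malicious_file", "cost": 0, "action_type": "match",
    "requires": [{"fields": ["file"],
                  "context": {"contains": ["data.malicious"], "excludes": []}}],
    "returns": ["program.flagged_file"], "params": {},
}

# Constructed sample alert carrying the required field and context tag.
ALERT = {"file": "C:\\Temp\\invoice.exe", "context": ["data.malicious"]}


def requirement_met(alert: dict, req: dict) -> bool:
    """True when every field is present and the context tags line up."""
    tags = set(alert.get("context", []))
    ctx = req.get("context", {})
    return (all(f in alert for f in req.get("fields", []))
            and all(t in tags for t in ctx.get("contains", []))
            and not any(t in tags for t in ctx.get("excludes", [])))


def should_run(alert: dict, conf: dict, requested: bool = False) -> bool:
    """Cost 0 runs whenever a requirement is met; cost 1 or 2 also needs Salem
    to have asked for this action's context, modelled here by `requested`."""
    met = any(requirement_met(alert, r) for r in conf.get("requires", []))
    return met if conf.get("cost", 0) == 0 else (met and requested)


def apply_returns(alert: dict, conf: dict) -> dict:
    """Copy of the alert with the "returns" tags appended, without duplicates."""
    merged = list(alert.get("context", []))
    merged += [t for t in conf.get("returns", []) if t not in merged]
    return {**alert, "context": merged}


def custom_tags(tags) -> list:
    """Tags whose noun is not one the page lists: allowed, but the page notes
    they may not contribute directly to the threat score."""
    return [t for t in tags if t.split(".", 1)[0] not in CONTEXT_NOUNS]
```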

params <dict>

Definition: A dictionary of parameters specific to the action type. For an overview of the possible parameter values, see the documentation for the specific action type.

action_type <str>

Valid values:

  • match

  • webhook

match

Definition: Match actions are evaluation methods that resolve to True or False. If the match action evaluates to true, the returned context is applied to the alert. The match action is evaluated against the fields listed in the required_fields object.

For match action examples, see the "match" ActionConfs page.

webhook (as of Sept 2023)

Definition: Webhook actions return a Boolean value by querying an external HTTP endpoint and evaluating an eval string against the response.

Supported external systems:

  • Azure Log Analytics

  • Microsoft Graph API

  • Splunk

input <dict>

Definition: The query and optional parameters to the designated HTTP endpoint. The input values are defined on an object basis in the ActionDefinition input_keys parameter. See the documentation on configuring an ActionDefinition for more information.

outputs <list[dict]>

Definition: Output objects control how the results of the webhook are evaluated.

Example:

"outputs": [
    {
        "condition": {
            "type": "bool" | "regex",
            "value": "bool or regex str"
        },
        "outcome": {
            "type": "context" | "field",
            "value": [
                "context tag or field value"
            ]
        }
    }
]
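An added example, not Salem's own code, of how an outputs list of the shape above can be applied to a webhook response: it walks each output, tests its condition and applies the outcome to a copy of the alert. The exact matching semantics, the response shape, and the tag and field names are assumptions.

```python
# Added example, not Salem's own code: applies an ActionConf "outputs" list to a
# webhook response. Assumed semantics, since the page leaves them open: a "bool"
# condition holds when the truthiness of the response equals the configured
# value; a "regex" condition holds when the pattern is found in the response
# text; a "context" outcome adds its tags to the alert; a "field" outcome stores
# the regex's first capture group (or the whole response text) in each field.
import json
import re

# Constructed sample outputs; the context tag and field name are placeholders.
OUTPUTS = [
    {"condition": {"type": "bool", "value": True},
     "outcome": {"type": "context", "value": ["account.seen_in_siem"]}},
    {"condition": {"type": "regex", "value": r'"count": (\d+)'},
     "outcome": {"type": "field", "value": ["login_failures"]}},
]
# Constructed sample alert and webhook response (a decoded JSON result set).
ALERT = {"user": "jdoe", "context": ["action.logon_failure"]}
RESPONSE = [{"user": "jdoe", "count": 17}]


def evaluate_condition(cond: dict, response, text: str):
    """re.Match or True when the condition holds, otherwise None."""
    if cond["type"] == "bool":
        return True if bool(response) == bool(cond["value"]) else None
    if cond["type"] == "regex":
        return re.search(cond["value"], text)
    raise ValueError(f"unknown condition type {cond['type']!r}")


def apply_outputs(alert: dict, outputs: list, response) -> dict:
    """Copy of the alert with the outcome of every matching output applied."""
    # Responses may arrive as raw strings or decoded JSON; regexes need text.
    text = response if isinstance(response, str) else json.dumps(response)
    result = {**alert, "context": list(alert.get("context", []))}
    for out in outputs:
        match = evaluate_condition(out["condition"], response, text)
        if match is None:
            continue
        kind, values = out["outcome"]["type"], out["outcome"]["value"]
        if kind == "context":
            result["context"] += [t for t in values if t not in result["context"]]
        elif kind == "field":
            extracted = text
            if isinstance(match, re.Match):
                extracted = match.group(1) if match.lastindex else match.group(0)
            for field in values:
                result[field] = extracted
    return result
```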

creating a query webhook action

  • The user selects a configured system from the dropdown list.

  • The user enters a query for the designated system, and optional parameters to include in the HTTP request.

  • If configured correctly, the bot returns the response from the external system.

  • The user enters an eval string based on the response and the key/values of the selected alert. The eval string must evaluate to true for the selected information. See eval string for additional documentation.

The match function accepts a number of eval types. See the documentation for a complete list.


definition <str>

Definition: The configuration to use for this webhook action. See the ActionDefinition documentation for additional information on system configuration.
