Salem Cyber Doc Site

Parsing Conf


Last updated 6 months ago

ParsingConf controls how data is extracted from raw alerts and stored as parsed alert data. Parsing Configurations come in three types:

| Type | id | source | Description |
|---|---|---|---|
| Default | default | default | The default configuration is the configuration that comes out of the box with Salem. |
| Source | <source> | <source> | A parsing configuration specific to an alert source. Source configuration items override default configuration items of the same name. |
| Alert | <alert_name> | <source> | A parsing configuration specific to an alert name and source. These configuration items take precedence over configuration items of the same name defined at the source and default level. |
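The following is an added example, not Salem's own code, showing how the three tiers in the table above combine for one alert. The sample configurations (a firewall source and a "Port Scan Detected" alert) are constructed for illustration, and the merge rule is the one the table states: an item defined at a more specific tier replaces the item of the same name from a less specific tier. Whether a replaced item such as alias is swapped out whole or deep-merged is not stated on this page; the example assumes it is swapped out whole.

```python
# Added example (not Salem's own code): resolving the effective ParsingConf
# for one alert from the default, source and alert tiers.
from typing import Any, Iterator

# Constructed sample configurations, in the shape of the page's examples.
DEFAULT_CONF: dict[str, Any] = {
    "id": "default",
    "source": "default",
    "parsing": "auto",
    "kv_regex": r'(\w+)=("[^"]*"|\S+)',
    "alias": {"s": "src", "source": "src"},
}

SOURCE_CONFS: dict[str, dict[str, Any]] = {
    "firewall": {
        "id": "firewall",
        "source": "firewall",
        "parsing": "kv",
        "alias": {"srcip": "src"},   # replaces the default alias item whole (assumed)
    },
}

ALERT_CONFS: dict[tuple[str, str], dict[str, Any]] = {
    ("firewall", "Port Scan Detected"): {
        "id": "Port Scan Detected",
        "source": "firewall",
        "time_regex": [r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"],
    },
}

# "id" and "source" identify the tier itself; they are not merged as settings.
IDENTITY_KEYS = ("id", "source")


def _tiers(source: str, alert_name: str) -> Iterator[dict[str, Any]]:
    """Yield the applicable confs from least to most specific."""
    yield DEFAULT_CONF
    yield SOURCE_CONFS.get(source, {})
    yield ALERT_CONFS.get((source, alert_name), {})


def resolve_parsing_conf(source: str, alert_name: str) -> dict[str, Any]:
    """Return the effective conf: default < source < alert, item by item."""
    effective: dict[str, Any] = {}
    for tier in _tiers(source, alert_name):
        for key, value in tier.items():
            if key in IDENTITY_KEYS:
                continue
            effective[key] = value   # later (more specific) tier wins
    return effective


def conf_provenance(source: str, alert_name: str) -> dict[str, str]:
    """Map each effective item to the id of the tier it came from.

    Useful when debugging why an alert parsed unexpectedly: it shows which
    tier's setting is actually in force."""
    origin: dict[str, str] = {}
    for tier in _tiers(source, alert_name):
        for key in tier:
            if key not in IDENTITY_KEYS:
                origin[key] = tier["id"]
    return origin


if __name__ == "__main__":
    print(resolve_parsing_conf("firewall", "Port Scan Detected"))
    print(conf_provenance("firewall", "Port Scan Detected"))
```

For the constructed firewall alert, parsing and alias come from the source tier, kv_regex from the default tier, and time_regex from the alert tier; an alert from an unknown source falls back to the default tier alone.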

ParsingConf Specification

parsing: auto | kv | json

Defines how raw alerts are extracted. The default is 'auto', which tries to detect whether the raw event is in JSON format or KV format.

summary_details

Defines the parsed alert keys to be included in the

kv_regex: <str>

Defines a regex string used to extract key value pairs from raw alert text. This value is ignored if parsing is set to json.

time_regex: <list>

Defines a list of regex strings used to extract a timestamp from raw event data. Salem tests each regex string against the alert text in order, stopping at the first match or when the list is exhausted without a match.

Field Transformations

There are 3 types of field transformations, and they are processed in the following order:

  • alias

  • evals

  • lookups

alias: <dict>

A dictionary where each key is a field extracted from the alert data and each value is the new field name to set as an alias for that existing field.

# Alias Example
"alias": {
    "s": "src",
    "source": "src"
}

In the above example, several fields alias to src. Aliases are processed from the top down, so if both 's' and 'source' exist in the alert data, the value of src will be set to the value of 'source'.

evals: <dict>

A dictionary of eval dictionaries. Each key is the name of an eval, and its value is a dictionary containing two keys: field and eval. field is the name of the field that will be set to the output of the eval statement. eval is an eval string that returns the value to be set.

"evals": {
    "file_path": {
        "field":"file_path",
        "eval": "if_then(match('regex',r'[\\\\]',file),join(split(file,'\\\\')[0:-1],'/') + '/',if_then(match('regex',r'[/]',file),join(split(file,'/')[0:-1],'/') + '/',None))"
    },
    "file": {
        "field":"file",
        "eval": "if_then(match('regex',r'[\\\\]',file),split(file,'\\\\')[-1],if_then(match('regex',r'[/]',file),split(file,'/')[-1],file))"
    }
}

lookups

A dictionary of dictionaries. Each lookup item has a name key and a dictionary value with keys:

  • table

  • key

  • type

  • return

Typically, the table should be set to defaultParsingLookup, and the type set to 'parsed'. The key is the field being looked up, and return is the value returned if available in the lookup table.

"lookups": {
    "dest_ip": {
        "table": "defaultParsingLookup",
        "key": "dest",
        "type": "parsed",
        "return": "dest_ip"
    }
}

Webhooks

Webhooks are API calls to third-party systems. The configurations here are focused on automatic alert enrichment. The configuration below is a list of webhook actionConfs to run automatically to enrich an alert. These APIs may not all get called: if Salem has enough information to decide whether an alert is a Threat or a False Positive, it stops processing the remaining webhooks.

"webhooks": ["actionConf1", "actionConf2"]
