Parsing Conf

ParsingConf controls how data is extracted from raw alerts and stored as parsed alert data. Parsing Configurations come in three types:

| Type | id | source | Description |
| --- | --- | --- | --- |
| Default | default | default | The default configuration is the configuration that comes out of the box with Salem. |
| Source | <source> | <source> | A parsing configuration specific to an alert source. Source configuration items override default configuration items of the same name. |
| Alert | <alert_name> | <source> | A parsing configuration specific to an alert name and source. These configuration items take precedence over configuration items of the same name defined at the source and default levels. |

Defines how raw alerts are extracted. The default is 'auto', which tries to detect whether the raw event is in JSON format or key-value (KV) format.

Defines the parsed alert keys to be included in the

Defines a regex string used to extract key value pairs in a raw alert text. This value is ignored if parsing is set to json.

Defines a list of regex strings used to extract a timestamp from raw event data. Salem tests each regex string against the alert text in turn, stopping at the first match or when the list is exhausted.

There are 3 types of field transformations, and they are processed in the following order:

  • alias

  • evals

  • lookups

A dictionary where each key is a field extracted from the alert data and the value is the new field name to set as an alias for that existing field.

# Alias Example
"alias": {
    "s": "src",
    "source": "src"
}

In the above example several fields alias to src. Aliases are processed from the top down, so if both 's' and 'source' exist in the alert data, src ends up with the value of 'source'.

A dictionary of eval dictionaries. Each key is the eval's name and its value is a dictionary containing two keys, field and eval. field is the field name that will be set to the output of the eval statement; eval is an eval string that returns the value to set.

"evals": {
    "file_path": {
        "field":"file_path",
        "eval": "if_then(match('regex',r'[\\\\]',file),join(split(file,'\\\\')[0:-1],'/') + '/',if_then(match('regex',r'[/]',file),join(split(file,'/')[0:-1],'/') + '/',None))"
    },
    "file": {
        "field":"file",
        "eval": "if_then(match('regex',r'[\\\\]',file),split(file,'\\\\')[-1],if_then(match('regex',r'[/]',file),split(file,'/')[-1],file))"
    }
}

A dictionary of dictionaries. Each key is the lookup's name and its value is a dictionary with the keys:

  • table

  • key

  • type

  • return

Typically, table should be set to defaultParsingLookup and type to 'parsed'. key is the field being looked up, and return is the value returned if it is available in the lookup table.

"lookups": {
    "dest_ip": {
        "table": "defaultParsingLookup",
        "key": "dest",
        "type": "parsed",
        "return": "dest_ip"
    }
}
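The three transformation stages described above, run in the documented order (alias, then evals, then lookups) over a constructed alert, as an added example and not Salem's own code. The eval strings are replaced by Python callables that mirror the file_path and file evals, and the lookup table contents, alert values and the apply_transforms name are assumptions.

```python
# Constructed sample alert after key extraction (field names and values made up).
ALERT = {"s": "10.0.0.5", "source": "10.0.0.9", "dest": "db01",
         "file": r"C:\Users\bob\tool.exe"}

# Alias mapping from the page: processed top down, so a later entry that
# points at the same new name overwrites the value set by an earlier one.
ALIAS = {"s": "src", "source": "src"}

def _sep(path):
    # Same branch order as the page's evals: backslash first, then slash.
    return "\\" if "\\" in path else ("/" if "/" in path else None)

def file_path(a):
    # Mirrors the file_path eval: directory part with '/' separators, or None.
    f, sep = a.get("file", ""), _sep(a.get("file", ""))
    return "/".join(f.split(sep)[:-1]) + "/" if sep else None

def file_name(a):
    # Mirrors the file eval: last path component, or the value unchanged.
    f, sep = a.get("file", ""), _sep(a.get("file", ""))
    return f.split(sep)[-1] if sep else f

# Stand-ins for the eval strings (assumption: evals run in listed order,
# which matters here because 'file' overwrites the field 'file_path' reads).
EVALS = {"file_path": {"field": "file_path", "eval": file_path},
         "file": {"field": "file", "eval": file_name}}

# Constructed stand-in for the defaultParsingLookup table.
LOOKUP_TABLES = {"defaultParsingLookup": {"db01": {"dest_ip": "10.0.1.20"}}}
LOOKUPS = {"dest_ip": {"table": "defaultParsingLookup", "key": "dest",
                       "type": "parsed", "return": "dest_ip"}}

def apply_transforms(alert, alias=ALIAS, evals=EVALS, lookups=LOOKUPS):
    out = dict(alert)
    # 1. alias: top down, so 'source' wins over 's' when both exist.
    for field, new_name in alias.items():
        if field in out:
            out[new_name] = out[field]
    # 2. evals: each writes the result of its eval into the named field.
    for ev in evals.values():
        out[ev["field"]] = ev["eval"](out)
    # 3. lookups: look up the alert's value for 'key' in 'table' and copy the
    #    'return' column into the lookup's name ('type' is not interpreted here).
    for name, lk in lookups.items():
        row = LOOKUP_TABLES.get(lk["table"], {}).get(out.get(lk["key"]))
        if row and lk["return"] in row:
            out[name] = row[lk["return"]]
    return out
```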

Webhooks

Webhooks are API calls to third-party systems. The configurations here are focused on automatic alert enrichment. The configuration below is a list of webhook actionConfs to run automatically to enrich an alert. Not all of these APIs are necessarily called: once Salem has enough information to decide whether an alert is a Threat or a False positive, it stops processing the remaining webhooks.

"webhooks": ["actionConf1", "actionConf2"]
