Summary Details


Last updated 1 year ago

Summary Details give a focused view of the most important information in an alert, so you can assess and prioritize it without reading through every detail. The feature lets you choose which alert details are expanded by default when an alert's report card loads, so the most pertinent information is visible first.

Key Features

  • Initial Expansion: The specified summary details expand automatically when the report card loads; all other details stay collapsed, reducing visual clutter.

  • Flexible Configuration: Define summary details at three levels for tailored views:

    • Organization-wide

    • Alert Source

    • Alert Use Case/Name

  • Hierarchy of Application: When more than one configuration applies to an alert, the use case-level configuration takes precedence over the alert source-level configuration, which in turn takes precedence over the organization-wide setting, so the most specific list of details is the one displayed.

Configuring Summary Details

To control which alert details are expanded initially in the report card view, define them in the "summary_fields" parameter of the relevant parsingConf object. Follow these steps:

1. Access Parsing Configurations:

  • Open the "Parsing Conf" menu from the admin page (see the Parsing Conf page for details).

2. Select Configuration Scope:

  • Choose the parsing configuration to edit according to the scope you want the summary details to apply to:

    • Organization-wide (e.g., "default")

    • Alert Source (e.g., "sentinel", "WindowsAV")

    • Alert Use Case/Name (e.g., "Account created from non-approved sources")

3. Add the "summary_fields" Array:

  • Within the selected parsing configuration, add a new array named "summary_fields" (if one already exists, edit it in place).

4. Specify Desired Details:

  • In the "summary_fields" array, list the alert details that should be expanded when the report loads, using each detail's exact name as it appears on the alert. Matching is literal, so a misspelled or differently cased name will not expand anything.

    • Note: There is no limit to the number of alert details you can include.

5. Save Changes:

  • Click the "Submit" button to finalize the configuration changes.

Default List of Summary Details

The following default summary fields are included in Salem's base image:

"summary_fields" : [
        "account",
        "src_account",
        "src",
        "dest",
        "program",
        "parent_program",
        "data",
        "command_line",
        "file",
        "file_path",
        "url",
        "action",
        "result",
        "user_agent",
        "registry_value",
        "registry_name",
        "file_hash",
        "registry_key"
]

If none of the parsingConfs associated with an alert (use case, alert source, or organization-wide) defines "summary_fields", this default list is used.
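The following is an added example, not Salem's own code, that models both the precedence described under "Hierarchy of Application" and the fallback to the base-image list described just above. It assumes parsingConfs are stored in a dictionary keyed by configuration name, that an alert carries its use case in a "name" field and its source in a "source" field, and that the first scope (use case, then source, then "default") whose parsingConf defines a non-empty "summary_fields" array is authoritative; the page does not say whether lists from different scopes are merged, so this example does not merge them. The parsingConfs and alerts below are constructed sample data.

```python
"""Resolve which alert details expand by default on a Salem report card.

Added example (not Salem's own code). Assumed: parsingConfs keyed by name,
alert fields "name" (use case) and "source", and first-match precedence
use case -> alert source -> organization-wide "default".
"""

# Default list from Salem's base image (copied from the documentation page).
DEFAULT_SUMMARY_FIELDS = [
    "account", "src_account", "src", "dest", "program", "parent_program",
    "data", "command_line", "file", "file_path", "url", "action", "result",
    "user_agent", "registry_value", "registry_name", "file_hash", "registry_key",
]

# Constructed parsingConfs keyed by configuration name (assumed layout).
# Only some of them define "summary_fields"; the others fall through.
PARSING_CONFS = {
    "default": {"summary_fields": ["account", "src", "dest", "action"]},
    "sentinel": {"summary_fields": ["account", "src", "user_agent", "result"]},
    "WindowsAV": {},  # source conf exists but sets no summary_fields
    "Account created from non-approved sources": {
        "summary_fields": ["account", "src_account", "program", "command_line"],
    },
}

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {   # use-case conf defines summary_fields, so it wins over "sentinel"
        "name": "Account created from non-approved sources",
        "source": "sentinel",
        "details": {"account": "svc-deploy", "src_account": "jdoe",
                    "program": "net.exe",
                    "command_line": "net user svc-deploy /add",
                    "src": "10.0.0.5", "result": "success",
                    "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
    },
    {   # no use-case conf; the "sentinel" source conf applies
        "name": "Anomalous sign-in",
        "source": "sentinel",
        "details": {"account": "jdoe", "src": "203.0.113.9",
                    "user_agent": "python-requests/2.31", "result": "failure"},
    },
    {   # "WindowsAV" conf sets no summary_fields, so "default" applies
        "name": "Malware detected",
        "source": "WindowsAV",
        "details": {"account": "jdoe", "dest": "WS-042", "action": "quarantine",
                    "file": "invoice.exe",
                    "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
    },
]


def resolve_summary_fields(alert, parsing_confs, org_conf_name="default"):
    """Return the summary_fields list that applies to `alert`.

    Walks the scopes from most to least specific and returns the first
    non-empty "summary_fields" array found. If no scope defines one, the
    base-image default list is returned (as a copy, so callers cannot
    mutate the module-level default).
    """
    for scope_name in (alert.get("name"), alert.get("source"), org_conf_name):
        conf = parsing_confs.get(scope_name) if scope_name else None
        if conf and conf.get("summary_fields"):
            return list(conf["summary_fields"])
    return list(DEFAULT_SUMMARY_FIELDS)


def split_details(alert, parsing_confs, org_conf_name="default"):
    """Partition an alert's details into (expanded, collapsed) dicts.

    Matching is by the detail's exact name, as the page requires: a summary
    field the alert does not carry is simply absent from the expanded set.
    Expanded details keep the order of the summary_fields list.
    """
    summary = resolve_summary_fields(alert, parsing_confs, org_conf_name)
    details = alert.get("details", {})
    expanded = {k: details[k] for k in summary if k in details}
    collapsed = {k: v for k, v in details.items() if k not in expanded}
    return expanded, collapsed


def demo():
    """Print which details each sample alert expands and which stay collapsed."""
    for alert in SAMPLE_ALERTS:
        expanded, collapsed = split_details(alert, PARSING_CONFS)
        print(f'{alert["name"]} [{alert["source"]}]')
        print("  expanded :", list(expanded))
        print("  collapsed:", list(collapsed))


if __name__ == "__main__":
    demo()
```

Running the script shows the three outcomes side by side: the use-case list overriding the "sentinel" list, the "sentinel" list applying when no use-case conf exists, and the organization-wide "default" list applying when the source conf ("WindowsAV") defines no "summary_fields". Passing an empty parsingConf dictionary reproduces the base-image fallback. When reviewing your own parsingConfs, compare the resolved list against the detail names your alerts actually carry; a name that never matches will silently expand nothing.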
