
Report Conf


Last updated 1 year ago

ReportConf Specification

ReportConf controls how Salem investigations are reported to users and third-party systems. Each configuration is associated with an ActionDefinition.

ID

A name for the configuration.

disabled (0 | 1 | None)

The configuration is disabled when this value is set to 1. It is enabled when the value is 0 or the key is not present.

condition list[dict]

Conditions are cases that determine whether an investigation or incident should be reported. Each condition is evaluated independently. Each condition object contains two keys:

  • type: "bool" | "regex"

  • value: "bool or regex str"

ignore_if <list>

Accepted list values:

  • "duplicate"

  • "similar"

  • "related"

"ignore_if": [
    "duplicate",
    "similar"
]

When ignore_if is set to any combination of these values, Salem will not report incidents that stand in one of the listed relationships to other recently reported incidents (in the example above: similar incidents and duplicates).

block_threshold <int>

block_threshold blocks reporting of new investigations and incidents once the total number reported in a 24-hour period reaches this value. Setting it to 0 places no limit on reporting.

params <dict>

The params object holds ActionDefinition-specific parameters. Every ReportConf configuration has a params key named 'definition', which associates the ReportConf with an ActionDefinition.

Webhook report action params

For a webhook ActionDefinition, the ReportConf params are:

  • definition: <str>

  • inputs <dict>

    • values based on the input keys of the ActionDefinition

Email report action params

  • definition: <str>

  • send_as: <str>

  • recipients: <list>

  • subject: <str>

  • message: <str>

Chat report action params

  • definition: <str>

  • role: <list>

    • a list of Salem roles to receive the report, such as ["salem.analyst"]

  • is_group: true | false

    • when true, Salem will try to report only to groups that are set to receive incident notifications and, if none are found, fall back to reporting to individuals with the identified role(s)
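The fields above describe one gating pipeline: a ReportConf is skipped when disabled, its conditions are evaluated independently, ignore_if suppresses incidents that are duplicates of, similar to, or related to recently reported ones, and block_threshold caps reports per 24 hours, with params shaped by the action type. The Python below is an added example written for this page, not Salem's own code; it validates a ReportConf dict and walks constructed investigations through that pipeline. Everything not stated on the page is an assumption: that a bool condition is compared with an investigation's escalated flag and a regex condition is searched in its summary text, that any one matching condition is enough to report, that the investigation carries a relation field naming its link to a recent incident, and that params are checked by an action kind (webhook, email, chat) rather than by ActionDefinition name. The sample configuration and investigations are constructed.

```python
import re
from datetime import datetime, timedelta

# Keys the ReportConf spec lists for each report action type. Keying by an
# action "kind" is an assumption for this example; real params carry only the
# ActionDefinition name in "definition".
REQUIRED_PARAMS = {
    "webhook": {"definition", "inputs"},
    "email": {"definition", "send_as", "recipients", "subject", "message"},
    "chat": {"definition", "role", "is_group"},
}
IGNORE_IF_VALUES = {"duplicate", "similar", "related"}


def validate_report_conf(conf, kind):
    """Return a list of problems in a ReportConf dict; an empty list means valid."""
    problems = []
    if not conf.get("ID"):
        problems.append("ID is required")
    if conf.get("disabled") not in (0, 1, None):
        problems.append("disabled must be 0, 1 or absent")
    for i, cond in enumerate(conf.get("condition", [])):
        ctype, value = cond.get("type"), cond.get("value")
        if ctype == "bool":
            if not isinstance(value, bool):
                problems.append(f"condition[{i}]: bool condition needs a bool value")
        elif ctype == "regex":
            try:
                re.compile(value)
            except (re.error, TypeError):
                problems.append(f"condition[{i}]: invalid regex {value!r}")
        else:
            problems.append(f"condition[{i}]: type must be 'bool' or 'regex'")
    unknown = set(conf.get("ignore_if", [])) - IGNORE_IF_VALUES
    if unknown:
        problems.append(f"ignore_if: unknown values {sorted(unknown)}")
    threshold = conf.get("block_threshold", 0)
    if type(threshold) is not int or threshold < 0:
        problems.append("block_threshold must be a non-negative int (0 = no limit)")
    missing = REQUIRED_PARAMS[kind] - set(conf.get("params", {}))
    if missing:
        problems.append(f"params: missing {sorted(missing)} for the {kind} action")
    return problems


def condition_matches(cond, investigation):
    # Assumed targets: "escalated" for bool conditions, "summary" for regex conditions.
    if cond["type"] == "bool":
        return investigation.get("escalated", False) == cond["value"]
    return re.search(cond["value"], investigation.get("summary", "")) is not None


def should_report(conf, investigation, report_times, now):
    """Apply disabled, condition, ignore_if and block_threshold in turn.
    report_times holds the datetimes of this ReportConf's earlier reports."""
    if conf.get("disabled") == 1:
        return False, "configuration disabled"
    # Assumption: any single matching condition is enough to report.
    if not any(condition_matches(c, investigation) for c in conf.get("condition", [])):
        return False, "no condition matched"
    relation = investigation.get("relation")  # assumed field: link to a recent incident
    if relation in conf.get("ignore_if", []):
        return False, f"ignored: {relation} of a recently reported incident"
    threshold = conf.get("block_threshold", 0)
    recent = sum(1 for t in report_times if t > now - timedelta(hours=24))
    if threshold > 0 and recent >= threshold:
        return False, f"block_threshold {threshold} reached ({recent} reports in 24h)"
    return True, "report"


# Constructed sample ReportConf for a webhook ActionDefinition; every value is illustrative.
SAMPLE_CONF = {
    "ID": "escalated-or-ransomware-to-soar",
    "disabled": 0,
    "condition": [
        {"type": "bool", "value": True},
        {"type": "regex", "value": r"(?i)ransom|wannacry"},
    ],
    "ignore_if": ["duplicate", "similar"],
    "block_threshold": 50,
    "params": {"definition": "soar-webhook", "inputs": {"severity": "high"}},
}

# Constructed investigations to run through the sample configuration.
SAMPLE_INVESTIGATIONS = [
    {"id": "inv-1", "escalated": False, "summary": "WannaCry beacon observed", "relation": None},
    {"id": "inv-2", "escalated": True, "summary": "Suspicious login", "relation": "duplicate"},
    {"id": "inv-3", "escalated": False, "summary": "Routine software update", "relation": None},
]
SAMPLE_NOW = datetime(2024, 12, 5, 12, 0)  # constructed evaluation time


def run_sample(now=SAMPLE_NOW):
    """Evaluate each sample investigation in order, recording each report's time."""
    report_times, results = [], {}
    for inv in SAMPLE_INVESTIGATIONS:
        decision, reason = should_report(SAMPLE_CONF, inv, report_times, now)
        if decision:
            report_times.append(now)
        results[inv["id"]] = (decision, reason)
    return results
```

Running validate_report_conf on SAMPLE_CONF returns an empty list, and run_sample reports inv-1 (regex match on the summary), suppresses inv-2 as a duplicate even though its bool condition matched, and drops inv-3 because no condition matched; block_threshold only bites once the count of reports inside the trailing 24 hours reaches the configured value.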
