Comment on page
Report Conf
ReportConf controls how Salem investigations are reported to users and third party systems. Each configuration is associated with an ActionDefinition.
A name for the configuration
The configuration is disabled when set to 1. The Configuration is enabled with this value is 0 or not present
Conditions are cases that evaluate if and investigation or incident should be reported. Each condition is evaluated independently. Condition objects contain to keys:
- type: "bool" | "regex"
- value: "bool or regex str"
Accepted list values:
- "duplicate"
- "similar"
- "related"
"ignore_if": [
"duplicate",
"similar"
]
when ignore_if is set to any combination of these values, Salem will not report incidents that are similar or duplicates of other recently reported incidents
The value of block_threshold blocks reporting of new investigations and incidents when the total number reported in a 24hr period reaches the block_threshold value. By setting this value to 0, there is no limit on reporting
The params object defines ActionDefinition specific parameters. Each ReportConf configuration will have a params parameter of 'definition' which associates the ReportConf configuration to an ActionDefinition
For webhook ActionDefinition's the ReportConf Params will be:
- definition: <str>
- inputs <dict>
- values based on the input keys of the ActionDefinition
Email report action params
- definition: <str>
- send_as: <str>
- recipients: <list>
- subject: <str>
- message: <str>
- definition: <str>
- role: <list>
- a list of Salem roles to receive the report, such as
["salem.analyst"]
- is_group: true | false
- when true, Salem will try to only report to groups that are set to receive incident notifications and if none are found fall back to reporting to individuals with the identified role(s)