Report Conf

ReportConf controls how Salem investigations are reported to users and third party systems. Each configuration is associated with an .

A name for the configuration

The configuration is disabled when set to 1. The Configuration is enabled with this value is 0 or not present

Conditions are cases that evaluate if and investigation or incident should be reported. Each condition is evaluated independently. Condition objects contain to keys:

• type: "bool" | "regex"

• value: "bool or regex str"

Accepted list values:

• "duplicate"

• "similar"

• "related"

"ignore_if": [
    "duplicate",
    "similar"
]

when ignore_if is set to any combination of these values, Salem will not report incidents that are similar or duplicates of other recently reported incidents

The value of block_threshold blocks reporting of new investigations and incidents when the total number reported in a 24hr period reaches the block_threshold value. By setting this value to 0, there is no limit on reporting

The params object defines ActionDefinition specific parameters. Each ReportConf configuration will have a params parameter of 'definition' which associates the ReportConf configuration to an ActionDefinition

For webhook ActionDefinition's the ReportConf Params will be:

• definition: <str>

• inputs <dict>

  • values based on the input keys of the ActionDefinition

Email report action params

• definition: <str>

• send_as: <str>

• recipients: <list>

• subject: <str>

• message: <str>

• definition: <str>

• role: <list>

  • a list of Salem roles to receive the report, such as ["salem.analyst"]

• is_group: true | false

  • when true, Salem will try to only report to groups that are set to receive incident notifications and if none are found fall back to reporting to individuals with the identified role(s)