Configure Salem Chat Notifications

Chat notifications in Salem are managed by a ReportConf and its corresponding ActionDefinition. If you have access to edit these configurations, you can configure Salem to notify in chat according to your organization's policy.

  1. Send the following message to Salem to view the admin menu. You must have the salem.admin role to view the admin menu.

view -a

  2. Click Configs in the admin menu

  3. Select ReportConf in the dropdown selection > Submit

  4. Search for the desired ReportConf in the search bar

  5. Click View to see the config contents.

To switch to the ActionDefinition

  1. Click Reselect Config

  2. Select ActionDefinition in the dropdown selection > Submit

Sample ReportConf

{
    "id": "default_chat_notify",
    "condition":[
        {
            "type": "bool",
            "value": "incident == 1"
        }
    ],
    "block_threshold": 5,
    "ignore_if": [
    ],
    "params": {
        "definition": "Chat Notify",
        "role": [
            "salem.analyst"
        ],
        "group": true
    }
}

condition: This array may contain one or more conditions. All of the specified conditions must evaluate to true for Salem to send out a notification.

block_threshold: (optional) If not specified, this value defaults to 5. It is the maximum number of individual chat alerts Salem sends before it stops sending further alerts one by one and enters the elevated state. The time windows over which the count is taken are described under Chat Notification States below.

params.role: Only users holding one of the listed Salem roles receive the chat notification.

params.definition: The id of the ActionDefinition used by this ReportConf. See the sample ActionDefinition below.

params.group: This boolean determines whether Salem scans for and sends notifications to eligible group chats. Whether a given group actually receives a message is further governed by that group's own notification preferences; params.group only decides whether groups are considered at all.

Sample Chat ActionDefinition

{
    "id": "Chat Notify",
    "action_type": "chat",
    "params": {
        "role": []
    }
}

id: The unique ID used to map the ActionDefinition to the ReportConf (it must match params.definition in the ReportConf).

action_type: This value must be 'chat' for chat notifications.

params.role: This value is not used for chat notifications; it is used by other notification types.
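To make the mapping between the two objects concrete, here is an added Python example (not Salem's own code) that loads the two samples above, evaluates the ReportConf conditions against a constructed alert without handing the condition string to eval(), resolves params.definition to its ActionDefinition, and works out which users and groups would be notified. The alert, user and group records, and the group "notify" flag standing in for a group's notification preference, are assumptions about Salem's data model.

```python
"""Added example (not Salem's own code): apply the ReportConf and
ActionDefinition samples from this page to a constructed alert.
The alert, user and group records are assumptions about Salem's data model."""
import json
import operator
import re

# The two samples from the page, as JSON text.
REPORT_CONF = json.loads("""{
    "id": "default_chat_notify",
    "condition": [{"type": "bool", "value": "incident == 1"}],
    "block_threshold": 5,
    "ignore_if": [],
    "params": {"definition": "Chat Notify", "role": ["salem.analyst"], "group": true}
}""")
ACTION_DEFINITIONS = json.loads("""[
    {"id": "Chat Notify", "action_type": "chat", "params": {"role": []}}
]""")

# Only "field <op> integer" is accepted; the expression is never passed to eval().
_COND_RE = re.compile(r"^\s*(\w+)\s*(==|!=|>=|<=|>|<)\s*(-?\d+)\s*$")
_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}


def eval_bool_condition(expr, alert):
    """Evaluate one "bool" condition against an alert dict. Unknown fields are False."""
    m = _COND_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported condition syntax: {expr!r}")
    field, op, literal = m.groups()
    if field not in alert:
        return False
    return _OPS[op](int(alert[field]), int(literal))


def conditions_met(conf, alert):
    """All conditions in the array must be true for a notification to go out."""
    for cond in conf.get("condition", []):
        if cond.get("type") != "bool":
            raise ValueError(f"unsupported condition type: {cond.get('type')!r}")
        if not eval_bool_condition(cond["value"], alert):
            return False
    return True


def effective_block_threshold(conf):
    """block_threshold is optional and defaults to 5."""
    return conf.get("block_threshold", 5)


def resolve_action(conf, action_defs):
    """params.definition must name exactly one ActionDefinition id of action_type 'chat'."""
    wanted = conf["params"]["definition"]
    matches = [d for d in action_defs if d["id"] == wanted]
    if len(matches) != 1:
        raise KeyError(f"expected one ActionDefinition with id {wanted!r}, found {len(matches)}")
    if matches[0]["action_type"] != "chat":
        raise ValueError(f"ActionDefinition {wanted!r} is not a chat action")
    return matches[0]


def plan_chat_targets(conf, action_defs, alert, users, groups):
    """Return the chat targets for this alert, or None if it is not notified.

    users: [{"name": ..., "roles": [...]}]; groups: [{"name": ..., "notify": bool}].
    The assumed 'notify' flag stands in for the group notification preference
    that the page says further governs delivery."""
    if not conditions_met(conf, alert):
        return None
    resolve_action(conf, action_defs)  # fail loudly on a dangling params.definition
    wanted_roles = set(conf["params"].get("role", []))
    targets = sorted(u["name"] for u in users if wanted_roles & set(u["roles"]))
    if conf["params"].get("group", False):
        targets += sorted(g["name"] for g in groups if g.get("notify", False))
    return targets


# Constructed sample data for a stand-alone run.
USERS = [
    {"name": "alice", "roles": ["salem.analyst"]},
    {"name": "bob", "roles": ["salem.admin"]},
    {"name": "carol", "roles": ["salem.admin", "salem.analyst"]},
]
GROUPS = [{"name": "#soc", "notify": True}, {"name": "#eng", "notify": False}]

if __name__ == "__main__":
    print(plan_chat_targets(REPORT_CONF, ACTION_DEFINITIONS, {"incident": 1}, USERS, GROUPS))
    print(plan_chat_targets(REPORT_CONF, ACTION_DEFINITIONS, {"incident": 0}, USERS, GROUPS))
```

The condition parser deliberately accepts only a single comparison against an integer literal; a config field that ends up in eval() is an injection path for anyone who can edit a ReportConf, so anything outside that grammar is rejected rather than interpreted.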

Chat Notification States

Chat notification in Salem has three states: normal, and elevated in either burst or sustained mode. The system enters and exits these states automatically based on the number of threat notifications it has escalated within a given period of time.

Normal State: When the system is functioning normally, alert notifications are sent out as soon as the alerts are detected: Salem notifies users via chat message whenever the conditions in the ReportConf are met. If the system detects a high number of threats in a short period of time, it enters the elevated state, explained below.

Elevated State: The system enters this state when the number of notifications exceeds the block_threshold within one of the time windows below. Within the elevated state there are two modes, burst and sustained.

Burst mode applies when there are more chat notifications than block_threshold within one hour. Sustained mode applies when there are more chat notifications than block_threshold * 1.6 within 24 hours.

During an elevated state the system mutes individual alert notifications as they occur and instead sends bulk threat reports at pre-defined intervals: 1, 2, 4 or 8 hours in burst mode and 4 or 12 hours in sustained mode. These intervals cannot be customized by the user.
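The following is an added Python model of these state transitions (not Salem's own code), useful for predicting how a given block_threshold behaves under a flood of alerts. The one-hour and 24-hour windows, the 1.6 factor and the report intervals are taken from the text above; which mode wins when both thresholds are crossed, whether muted alerts still count towards the thresholds, and how the reports step through the interval list are assumptions noted in the comments.

```python
"""Added example (not Salem's own code): a model of the normal / elevated
chat notification states described on this page."""
from collections import deque

BURST_WINDOW = 60 * 60           # burst: more than block_threshold alerts in one hour
SUSTAINED_WINDOW = 24 * 60 * 60  # sustained: more than block_threshold * 1.6 in 24 hours
SUSTAINED_FACTOR = 1.6
REPORT_INTERVALS_HOURS = {"burst": (1, 2, 4, 8), "sustained": (4, 12)}


class ChatNotifyThrottle:
    def __init__(self, block_threshold=5):
        self.block_threshold = block_threshold
        self.escalated = deque()   # timestamps (seconds) of every alert that met its conditions
        self.queued = []           # alerts muted while elevated, waiting for the bulk report
        self.reports_in_state = 0  # bulk reports sent since the state was last normal

    def _prune(self, now):
        """Drop alerts older than the longest window; they can no longer influence the state."""
        while self.escalated and now - self.escalated[0] > SUSTAINED_WINDOW:
            self.escalated.popleft()

    def state(self, now):
        """Return 'normal', 'burst' or 'sustained' for the alerts seen up to `now`.
        Assumption: sustained is checked first because it is the longer-lived condition."""
        self._prune(now)
        in_day = len(self.escalated)
        in_hour = sum(1 for t in self.escalated if now - t <= BURST_WINDOW)
        if in_day > self.block_threshold * SUSTAINED_FACTOR:
            return "sustained"
        if in_hour > self.block_threshold:
            return "burst"
        return "normal"

    def handle(self, alert, now):
        """Record an alert whose ReportConf conditions matched; return 'send' or 'queue'.
        Assumption: muted alerts still count, so a continuing flood keeps the system
        elevated. The alert is counted before the check, which makes block_threshold
        the maximum number of individual alerts sent within the window."""
        self.escalated.append(now)
        if self.state(now) == "normal":
            self.reports_in_state = 0
            return "send"
        self.queued.append(alert)
        return "queue"

    def next_report_hours(self, now):
        """Hours until the next bulk report while elevated; None in the normal state.
        Assumption: successive reports step along the interval list and stay at its last value."""
        mode = self.state(now)
        if mode == "normal":
            return None
        steps = REPORT_INTERVALS_HOURS[mode]
        return steps[min(self.reports_in_state, len(steps) - 1)]

    def flush_bulk_report(self, now):
        """Emit the queued alerts as one bulk report and advance to the next interval step."""
        report, self.queued = self.queued, []
        self.reports_in_state += 1
        return report


if __name__ == "__main__":
    # Constructed flood: seven alerts ten seconds apart against the default threshold of 5.
    throttle = ChatNotifyThrottle(block_threshold=5)
    for i in range(7):
        print(i, throttle.handle({"n": i}, i * 10), throttle.state(i * 10))
    print("next report in", throttle.next_report_hours(60), "hour(s)")
```

Running the constructed flood shows the practical consequence of the default: only the first five alerts in an hour arrive individually, and everything after that is held for the bulk report, so a low block_threshold on a busy ReportConf can delay the very alert an analyst needs to see.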
