Threat Notification Management

Salem is designed to keep your security operations centers informed about high-fidelity alerts through enterprise chat notifications. To ensure optimal communication and prevent alert fatigue, we offer flexible options for managing these notifications.

User Notification Preferences

You can tailor your Salem 1-on-1 notifications directly within the chat interface:

  1. Navigate to the Analyst Menu.

  2. Select Others.

  3. Choose Chat Preferences.

Here, you can choose whether or not to receive threat notifications in your individual chat with Salem.

Group Chat Notifications

To enable Salem notifications in a group chat, team chat, or channel, simply add the Salem app to that group, team, or chat. Salem will prompt you to confirm that you want to receive new threat notifications in that conversation.

Report Block Feature

During periods of heightened threat activity, it's possible for a large number of alerts to be triggered in a short timeframe. To prevent over-alerting and maintain focus on critical threats, Salem includes a built-in "report block" feature.

How It Works

  1. Elevated State: When the number of alerts exceeds predefined thresholds (5 alerts per hour or 8 alerts per 24 hours by default), the bot automatically enters an "elevated state."

  2. Filtered Alerts: In elevated state, Salem mutes individual alert notifications and instead sends users updates, at a predefined time interval, on the number of threats received. Users can choose to exit this state at any time or pause notifications from specific alerts.

  3. Return to Normal: Once the alert volume subsides (defined as fewer than 4 alerts per day on a pro-rated basis), the bot returns to its normal notification behavior.

Customizing Thresholds

Your organization can adjust the thresholds for entering elevated state to align with your specific security operations requirements. To modify these settings, follow these steps:

  1. Access the Admin Menu.

  2. Go to Configs.

  3. Select ReportConf.

  4. Choose default_chat_notify.

  5. Edit the "block_threshold" integer (the default is 5 threats) to define your desired threshold for a one-hour period. The 24-hour threshold is 1.6x the block_threshold value (by default, 5*1.6 = 8 threats).
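
To see how a candidate block_threshold would behave against your own alert history before changing it, the following added example (not Salem's code) models the entry thresholds described above. It assumes sliding time windows, a strict "exceeds" comparison, and rounding the 1.6x 24-hour threshold up; the function names and sample timestamps are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(hours=24)

def day_threshold(block_threshold):
    """24-hour threshold: 1.6x the hourly one (rounding up is an assumption)."""
    return (block_threshold * 16 + 9) // 10

def first_elevation(alert_times, block_threshold=5):
    """Return (time, window) of the first alert that trips a threshold, else None.

    Assumption: "exceeds" is strict, so the alert that makes the count in a
    sliding window greater than the threshold is the one that trips it.
    """
    limit_day = day_threshold(block_threshold)
    last_hour, last_day = deque(), deque()
    for t in sorted(alert_times):
        last_hour.append(t)
        last_day.append(t)
        # Drop alerts that have aged out of each window.
        while t - last_hour[0] >= HOUR:
            last_hour.popleft()
        while t - last_day[0] >= DAY:
            last_day.popleft()
        if len(last_hour) > block_threshold:
            return t, "hour"
        if len(last_day) > limit_day:
            return t, "24h"
    return None

# Constructed sample data, not real alerts.
START = datetime(2024, 1, 1, 9, 0)
BURST = [START + timedelta(minutes=5 * i) for i in range(7)]   # 7 alerts in 30 min
TRICKLE = [START + timedelta(hours=2 * i) for i in range(10)]  # 1 alert every 2 h

if __name__ == "__main__":
    for name, sample in (("burst", BURST), ("trickle", TRICKLE)):
        print(name, "default:", first_elevation(sample))
        print(name, "block_threshold=10:", first_elevation(sample, 10))
```

With the defaults, the burst trips the hourly threshold and the slow trickle trips only the 24-hour one; raising block_threshold to 10 keeps both samples in normal notification mode.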

By customizing the report block feature, you can fine-tune the bot's responsiveness to high-threat situations, ensuring that your security teams receive the most relevant and actionable alerts.
