
Threat Notification Management

Salem is designed to keep your security operations centers informed about high-fidelity alerts through enterprise chat notifications. To ensure optimal communication and prevent alert fatigue, we offer flexible options for managing these notifications.

User Notification Preferences

You can tailor your Salem 1-on-1 notifications directly within the chat interface:

  1. Navigate to the Analyst Menu.

  2. Select Others.

  3. Choose Chat Preferences.

Here, you can choose whether or not to receive threat notifications in your individual chat with Salem.

Group Chat Notifications

To enable Salem notifications in a group chat, team chat, or channel, simply add the Salem app to that group, team, or chat. Salem will prompt you to confirm that you want to receive new threat notifications in that conversation.

Report Block Feature

During periods of heightened threat activity, it's possible for a large number of alerts to be triggered in a short timeframe. To prevent over-alerting and maintain focus on critical threats, Salem includes a built-in "report block" feature.

How It Works

  1. Elevated State: When the number of alerts exceeds predefined thresholds (5 alerts per hour or 8 alerts per 24 hours by default), the bot automatically enters an "elevated state."

  2. Filtered Alerts: In elevated state, Salem mutes individual alert notifications and instead sends users a summary of the number of threats received at a predefined time interval. Users can choose to exit this state at any time or pause notifications from specific alerts.

  3. Return to Normal: Once the alert volume subsides (defined as fewer than 4 alerts per day, pro-rated), the bot returns to its normal notification behavior.

Customizing Thresholds

Your organization can adjust the thresholds for entering elevated state to align with your specific security operations requirements. To modify these settings, follow these steps:

  1. Access the Admin Menu.

  2. Go to Configs.

  3. Select ReportConf.

  4. Choose default_chat_notify.

  5. Edit the "block_threshold" integer (the default is 5 threats) to define your desired threshold for a one-hour period. The 24-hour threshold is 1.6x the block_threshold value (the default is 5 * 1.6 = 8 threats).
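The following is an added illustration of the report block hysteresis described under "How It Works" and "Customizing Thresholds"; it is not Salem's own code. It models the documented entry rules (more than block_threshold alerts in an hour, or more than 1.6x that in 24 hours) and treats the "fewer than 4 per day, pro-rated" exit rule as a rate computed over time spent in elevated state, which is this example's reading of that phrase, not something the page specifies.

```python
from collections import deque

HOUR = 3600
DAY = 24 * HOUR


class ReportBlock:
    """Hysteresis model of the 'report block': mute alert notifications while
    volume is high. Entry thresholds follow the page: more than block_threshold
    alerts in an hour, or more than 1.6x that in 24 hours (5 and 8 by default)."""

    def __init__(self, block_threshold: int = 5, exit_rate_per_day: float = 4.0):
        self.block_threshold = block_threshold
        self.daily_threshold = round(block_threshold * 1.6)  # 5 * 1.6 = 8 by default
        self.exit_rate_per_day = exit_rate_per_day           # 'fewer than 4 alerts per day'
        self.elevated = False
        self._times = deque()            # alert timestamps (seconds) within the last 24 h
        self._elevated_since = 0.0
        self._elevated_count = 0         # alerts muted since entering elevated state

    def _count(self, now: float, window: int) -> int:
        while self._times and now - self._times[0] >= DAY:   # drop alerts older than 24 h
            self._times.popleft()
        return sum(1 for t in self._times if now - t < window)

    def on_alert(self, now: float) -> bool:
        """Record an alert; return True if it is posted to chat, False if muted."""
        self._times.append(now)
        if self.elevated:
            self._elevated_count += 1    # folded into the periodic summary instead
            return False
        if (self._count(now, HOUR) > self.block_threshold
                or self._count(now, DAY) > self.daily_threshold):
            self.elevated, self._elevated_since, self._elevated_count = True, now, 0
            return False
        return True

    def tick(self, now: float) -> bool:
        """Periodic check; return True when the bot returns to normal. ASSUMPTION: the
        pro-rated rule is read as alerts since entering elevated state, scaled to a
        24 h rate over the elapsed time (floored at one hour to avoid a zero window)."""
        if not self.elevated:
            return False
        elapsed = max(now - self._elevated_since, HOUR)
        if self._elevated_count * DAY / elapsed < self.exit_rate_per_day:
            self.elevated = False
            return True
        return False


def simulate(alert_times, block_threshold: int = 5):
    """Feed constructed alert timestamps through one ReportBlock; return (deliveries, block)."""
    rb = ReportBlock(block_threshold)
    return [rb.on_alert(t) for t in alert_times], rb
```

With the defaults, a burst of six alerts in six minutes posts the first five and mutes the sixth, while nine alerts spaced 2.5 hours apart never trip the hourly rule but are muted on the ninth by the 24-hour rule.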

By customizing the report block feature, you can fine-tune the bot's responsiveness to high-threat situations, ensuring that your security teams receive the most relevant and actionable alerts.


Last updated 11 months ago
