Salem Cyber Doc Site

Feature Overview

Salembot Official Feature Flythrough


Last updated 11 months ago

1. Give Salem an Alert:

The core function of Salem is to analyze cybersecurity alerts and notify users of the most critical threats to their organization (see Threat Notification Management). You can enter alerts manually, as shown here, or follow the Uploading Files guide to submit multiple alerts from a single file.

Type the "view" command with no extra parameters to bring up the main menu, then select "alerts".

Select "add new", fill in the following fields and submit:

  • Source: User Added
  • Alert Name: Failed authentication to Azure key vault
  • Alert Body: 2022-04-10 08:23:24 action=failed src=10.0.0.1 user=appDev_svc dest=devKeyVault

The reply contains the new alert's ID. Select "yes" to open the alert card. Some fields are populated immediately, but analysis can take a while; refresh the card periodically until the "Salem Threat Likelihood" has been predicted.

Once processing has finished, you can tell Salem that this alert is a "False Positive". In the expanded card, select the account the alert names (appDev_svc in this example) in the leftmost drop-down list, then select "Yes" to confirm the report as a false positive.
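The alert body above is a timestamp followed by key=value pairs, and splitting that into fields is the first thing any tool (Salem included, via its parsing configuration) has to do before it can populate an alert card. As an added example that is not code from Salem or its documentation, the Python below parses that format, generalised to quoted values, repeated keys and stray tokens. The function name, the output shape and the choices about what to keep are assumptions for this example, not a description of how Salem parses bodies.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# One key=value token. A value is either double-quoted (spaces allowed,
# \" escapes an embedded quote) or a bare run of non-whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Leading "YYYY-MM-DD HH:MM:SS" timestamp, as in the sample body above.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*")


def parse_alert_body(body: str) -> Dict[str, object]:
    """Split an alert body of the form

        <timestamp> key=value key="quoted value" ...

    into {"timestamp": datetime | None, "fields": {key: value}, "unparsed": str}.

    Design choices (assumptions for this example, not Salem's behaviour):
      * the timestamp is optional; bodies without one get timestamp=None
      * the first occurrence of a repeated key wins; the repeat is kept in
        "unparsed" so an analyst can still see it
      * tokens that are not key=value are also kept in "unparsed" rather
        than silently dropped, so no evidence disappears during parsing
    """
    fields: Dict[str, str] = {}
    leftover: List[str] = []
    timestamp: Optional[datetime] = None
    rest = body.strip()

    ts = _TS_RE.match(rest)
    if ts:
        timestamp = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        rest = rest[ts.end():]

    pos = 0
    for m in _KV_RE.finditer(rest):
        gap = rest[pos:m.start()].strip()  # text between matches is not key=value
        if gap:
            leftover.append(gap)
        key, raw = m.group(1), m.group(2)
        value = raw
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        if key in fields:
            leftover.append(f"{key}={raw}")  # repeated key: keep first, record repeat
        else:
            fields[key] = value
        pos = m.end()
    tail = rest[pos:].strip()
    if tail:
        leftover.append(tail)

    return {"timestamp": timestamp, "fields": fields, "unparsed": " ".join(leftover)}


if __name__ == "__main__":
    # Constructed sample: the alert body from the walkthrough above.
    sample = "2022-04-10 08:23:24 action=failed src=10.0.0.1 user=appDev_svc dest=devKeyVault"
    parsed = parse_alert_body(sample)
    print(parsed["timestamp"], parsed["fields"], repr(parsed["unparsed"]))
```

The "unparsed" bucket is deliberate: a parser that drops whatever it does not understand is a quiet way to lose the one token that made an alert interesting, so anything that is not a clean key=value pair stays visible to whoever reviews the card.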

2. Answering Questions:

Salem asks questions to collect the contextual information it uses to improve future threat predictions. It sends at most one request for an answer per day. To answer on your own schedule instead:

Bring up the main menu again by typing the "view" command.

Select "Help Salem Learn". If Salem has an open question, it appears on a new card and you can answer it there; if no new questions are available, Salem says so.

3. Gathering Alert and Question Metrics:

The metrics view gives basic information about Salem's work volume.

To view metrics, bring up the menu again by typing "view", then select "actions" and "view metrics". Alternatively, go straight to the metrics card with the metrics parameter, "view -m".

Either way, the card is updated with current metrics, which should now include the alert you entered in step 1.

4. View and Update Configuration File:

Admins can customize Salem's configuration to their needs.

To view a configuration file, type "view -c" into Salem's chat in MS Teams.

Select an option from the drop-down, and a menu listing the configurations of that type appears.

Click any configuration to see further options.

Selecting "view" opens the JSON. Selecting "update" lets you retype the JSON, and selecting "delete" removes the configuration. Before an update or delete, view the JSON and keep a copy of it, so a typo in the retyped JSON or a wrong selection can be reverted.
