
Quickstart: Deploy Salem


Last updated 5 months ago

This Quickstart guide was developed for Salem users who leverage Azure, Entra ID and MS Teams. If your use case deviates from this requirement, please contact Salem Support at support@salemcyber.com for install instructions.

Prerequisites

✦ An active Azure subscription, including Microsoft Entra ID
✧ An active Microsoft 365 license that includes Microsoft Teams
✦ An active Whitehat Cybersecurity Team
✧ Optimism and a little Blackbox Magic

Please reach out to support@salemcyber.com with any questions.

Part 1: Create an App Registration in Microsoft Entra ID

Create App Registration

  1. From a web browser, go to the Azure Portal and sign in.

  2. From the Azure portal, search for and select "Microsoft Entra ID".

  3. In the top left, select 'Add' and then 'App registration'.

  4. Select 'Register'.

  5. Record the Application ID, Object ID, and Directory ID for future use.

Create App Secret

  1. In the newly created App registration resource, select 'Certificates & secrets' in the menu on the left.

  2. Create 'New client secret'.

     Select a reasonable expiry time. If the secret expires, users will no longer be able to log on to Salem.

  3. Note down the secret value.

Create App User Roles

  1. Select "App Roles".

  2. Create Application Roles
     ✧ There are three Salem roles (salem.user, salem.analyst, salem.admin), and you can create AD roles that contain any combination of these roles. For now, create a new role:
     ✦ Display Name: Salem_Admins
     ✧ Allowed Member Types: Users/Groups
     ✦ Value: salem.analyst,salem.admin
     ✧ Description: Users with this role will have both analyst and admin permissions
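A check for the secret-expiry and role-value settings described above, as an added example that is not part of Salem's documentation or code. It assumes the app registration has been exported as JSON in the shape of a Microsoft Graph application object (appRoles, passwordCredentials) and that a role value is a comma-separated list of the three Salem roles with no spaces; the sample object and the 30-day warning threshold are constructed.

```python
import json
from datetime import datetime, timezone

SALEM_ROLES = {"salem.user", "salem.analyst", "salem.admin"}  # role names from the guide

# Constructed sample, shaped like a Microsoft Graph application object.
SAMPLE_APP = json.loads("""
{
  "displayName": "Salem (example)",
  "appRoles": [
    {"displayName": "Salem_Admins", "value": "salem.analyst,salem.admin",
     "allowedMemberTypes": ["User"], "isEnabled": true},
    {"displayName": "Salem_Typo", "value": "salem.analyst,salem.admn",
     "allowedMemberTypes": ["User"], "isEnabled": true}
  ],
  "passwordCredentials": [
    {"displayName": "salem-secret", "endDateTime": "2025-03-01T00:00:00Z"}
  ]
}
""")

def check_roles(app):
    """Return (displayName, bad_tokens) for role values naming unknown Salem roles."""
    findings = []
    for role in app.get("appRoles", []):
        tokens = (role.get("value") or "").split(",")  # assumed comma-separated format
        bad = [t for t in tokens if t not in SALEM_ROLES]
        if bad:
            findings.append((role["displayName"], bad))
    return findings

def secrets_expiring(app, now, warn_days=30):
    """Return (displayName, days_left) for secrets expired or expiring within warn_days."""
    out = []
    for cred in app.get("passwordCredentials", []):
        stamp = cred["endDateTime"].rstrip("Z").split(".")[0]  # drop 'Z' and fractional seconds
        end = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        days_left = (end - now).days
        if days_left <= warn_days:
            out.append((cred.get("displayName"), days_left))
    return out

if __name__ == "__main__":
    now = datetime(2025, 2, 10, tzinfo=timezone.utc)  # fixed date for a repeatable run
    print(check_roles(SAMPLE_APP))
    print(secrets_expiring(SAMPLE_APP, now))
```

A negative days_left means the secret has already expired, which is the state in which users can no longer log on.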

Add API Permissions

  1. Select "API permissions" from the left-side menu.

  2. Add the Offline Access permission:
     ✧ Select "Add a permission"
     ✦ Select "Microsoft Graph"
     ✧ Select "Delegated permission"
     ✦ Search for and select "offline_access"
     ✧ Select Add permission

  3. (Optional) Grant Admin consent for these permissions. This can only be done by a user with the Global Administrator role. This is REQUIRED if any of the permissions listed indicate that admin consent is required.

Add Users

  1. Return to Microsoft Entra ID in the Azure portal.

  2. Select "Enterprise applications".

  3. Search for and select the name of the app registration you just created.

  4. Select "Users and groups".

  5. Add user/group
     ✧ Select a user or group
     ✦ Select the role created above
     ✧ Continue adding individual users as needed.

Require Users to be Assigned to Salem (Optional but Recommended)

If this setting is left as its default, users who aren't assigned roles to use Salem can authenticate successfully with default access. Users with default access will be able to authenticate to Salem but receive a message that they have no application-level role. To simplify the experience for everyone, requiring assignment will prevent unassigned users from being able to authenticate at any level to the Salem application.

  1. Select Properties from the left side menu

  2. Toggle "Assignment required?" to Yes

Part 2: Deploy Salem Application

  1. From the Azure portal, search for and select 'Marketplace'.

  2. Use the search feature to find "Salem the AI Cyber Analyst for SOC Automation".

  3. Select and Create
     ✧ App configuration details should have been noted when creating the app registration
     ✦ Under 'Network Configuration', provide a non-overlapping class C IP address (meaning an IP address block not in use in any network you may connect to Salem). These IP addresses will be used if you peer the Salem Vnet to other Vnets in your Azure subscription. Network peering will allow you to send and receive information from Salem without needing to connect to the Internet. Some communication between Azure services will continue to use Azure network routing.
     ✧ It may take 30 minutes or more to fully provision Salem
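One way to pick the non-overlapping block asked for under 'Network Configuration', as an added example that is not part of Salem's documentation. It treats "class C" as a /24 prefix, which is an assumption, and the list of in-use address spaces is constructed; replace it with the prefixes of every VNet and on-premises range that may be peered or connected to Salem.

```python
import ipaddress

# Constructed sample: address spaces already in use by networks that may connect to Salem.
IN_USE = ["10.0.0.0/16", "10.1.0.0/24", "192.168.10.0/23", "172.16.0.0/12"]

def conflicts(candidate, in_use=IN_USE):
    """Return the in-use prefixes that overlap the candidate block."""
    # strict=True rejects a candidate with host bits set, e.g. 10.2.0.5/24
    cand = ipaddress.ip_network(candidate, strict=True)
    return [p for p in in_use if cand.overlaps(ipaddress.ip_network(p))]

def first_free_block(pool, in_use=IN_USE, prefixlen=24):
    """Return the first /prefixlen block inside pool that overlaps nothing in use, or None."""
    used = [ipaddress.ip_network(p) for p in in_use]
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(block.overlaps(u) for u in used):
            return str(block)
    return None

if __name__ == "__main__":
    # 192.168.11.0/24 looks unused but sits inside 192.168.10.0/23.
    for cand in ("10.0.5.0/24", "192.168.11.0/24", "10.2.0.0/24"):
        print(cand, "overlaps", conflicts(cand) or "nothing")
    print("first free /24 in 10.0.0.0/14:", first_free_block("10.0.0.0/14"))
```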

Part 3: Install Salem Teams App

  1. Create App package
     ✧ Create a zip archive containing the manifest.json, Salem_color.png, and Salem_outline.png files at the root level of the archive.

  2. From Microsoft Teams, navigate to "Apps", then select "Manage your apps".

  3. Select "Upload an app".

  4. If you are a Teams admin, you will have the option to upload an app directly to your organization. If you are not an admin, you will need to submit the app to your org for approval. When submitting an app to your organization, your admins should receive a notification, but it's probably best to follow up with them directly about app approval.

  5. (Optional) MS Teams allows admins to select specific users and groups who can access the Salem Application. The default access settings will depend on your organization's policies. If you are requesting approval from a Teams Admin, indicate who you expect to have access to Salem to ensure the access control is set appropriately.
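The "Create App package" step above, as an added example that is not part of Salem's documentation: it builds the archive with the three files at the root and checks an existing archive for the common mistake of zipping the parent folder, which nests the files one level down. The file contents, the output name salem_teams_app.zip and the folder name SalemApp are constructed placeholders.

```python
import os
import tempfile
import zipfile

REQUIRED = ("manifest.json", "Salem_color.png", "Salem_outline.png")  # names from the guide

def build_package(src_dir, out_zip):
    """Zip the three required files with bare names so they sit at the archive root."""
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in REQUIRED:
            zf.write(os.path.join(src_dir, name), arcname=name)
    return out_zip

def missing_at_root(zip_path):
    """Return the required files that are absent from the root level of the archive."""
    with zipfile.ZipFile(zip_path) as zf:
        root_names = {n for n in zf.namelist() if "/" not in n}
    return [name for name in REQUIRED if name not in root_names]

def demo():
    """Build a correct package and a nested one from constructed placeholder files."""
    work = tempfile.mkdtemp()
    for name in REQUIRED:
        with open(os.path.join(work, name), "wb") as fh:
            fh.write(b"{}" if name.endswith(".json") else b"placeholder")
    good = build_package(work, os.path.join(work, "salem_teams_app.zip"))
    nested = os.path.join(work, "nested.zip")
    with zipfile.ZipFile(nested, "w") as zf:  # what zipping the parent folder produces
        for name in REQUIRED:
            zf.write(os.path.join(work, name), arcname="SalemApp/" + name)
    return missing_at_root(good), missing_at_root(nested)

if __name__ == "__main__":
    print(demo())
```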

From the Register an application page:
✦ Enter a name
✧ Select account type (Note: Single tenant is typically the best option)
✧ Enter Redirect URI. Platform type 'Web' with a value of 'https://token.botframework.com/.auth/web/redirect'

Customize Salem App Manifest
✧ The latest app manifest can be found here
✦ Add in the Deployment ID and Salem Bot Name. These values can be found from the Salem app in Azure under Parameters and Outputs. This ID is NOT the ID of the App registration