Forward Alerts to Salem

Send alerts from existing cyber threat detection tools to Salem for automated alert investigation.

Salem uses an Azure Event Hub as its primary method of receiving alerts from a detection source.

Out-of-the-box integrations exist to help collect alerts from tools such as Microsoft Sentinel, Microsoft Defender, CrowdStrike and Splunk. The specifics of these integrations can be found in the Salem public GitHub, here:

Alert Formats

Salem supports common alert formats, including JSON, key-value pair strings and Common Event Format (CEF). JSON is the recommended format.

For alerts formatted as JSON, Salem expects the following envelope (the comments describe each field and are not part of the JSON that is sent):

{
    "alert_name": "Name of the alert",
    "id": "A unique ID for the alert",                      // Best practice is to use the ID of the source alert
    "source": "Name of the product that created the alert", // e.g. Microsoft Defender XDR
    "alert": { ... }                                        // the JSON representation of the alert body
}
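As an added example (not Salem's own code, and not one of the project's published integrations), the following Python wraps a source alert in the envelope above and validates the result before it is serialized. The sample alert, its field names (alertId, title) and the helper names are constructed for illustration; the only thing taken from the page is the four-key envelope. Sending to the Event Hub is deliberately left out so the block runs offline.

```python
import json

# The four keys Salem expects at the top level of a JSON alert (from the page above).
REQUIRED_KEYS = ("alert_name", "id", "source", "alert")

# Constructed sample: a minimal alert as a detection product might emit it.
# Field names here are illustrative and do not follow any vendor's real schema.
SAMPLE_SOURCE_ALERT = {
    "alertId": "da637012345-0001",
    "title": "Suspicious PowerShell command line",
    "severity": "Medium",
    "deviceName": "WS-0042",
}


def build_salem_alert(source_alert, source, id_field, name_field):
    """Wrap a source alert in the Salem envelope.

    id_field / name_field name the keys in the source alert that hold its
    unique ID and its human-readable title. Following the best practice on
    the page, the source alert's own ID is reused as the envelope "id" so
    the same alert is never investigated twice under different IDs.
    """
    alert_id = source_alert.get(id_field)
    if alert_id is None or str(alert_id).strip() == "":
        raise ValueError(f"source alert has no usable '{id_field}' to use as the Salem id")
    return {
        "alert_name": str(source_alert[name_field]),
        "id": str(alert_id),
        "source": source,
        "alert": source_alert,  # the full original body travels with the envelope
    }


def validate_salem_alert(envelope):
    """Return a list of problems; an empty list means the envelope is well-formed."""
    if not isinstance(envelope, dict):
        return ["envelope is not a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in envelope:
            problems.append(f"missing key: {key}")
    for key in ("alert_name", "id", "source"):
        value = envelope.get(key)
        if key in envelope and (not isinstance(value, str) or not value.strip()):
            problems.append(f"{key} must be a non-empty string")
    if "alert" in envelope and not isinstance(envelope["alert"], dict):
        problems.append("alert must be a JSON object")
    return problems


def to_event_payload(envelope):
    """Serialize a validated envelope to the UTF-8 JSON bytes handed to the Event Hub producer."""
    problems = validate_salem_alert(envelope)
    if problems:
        raise ValueError("invalid Salem alert: " + "; ".join(problems))
    return json.dumps(envelope, separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    envelope = build_salem_alert(SAMPLE_SOURCE_ALERT, "Microsoft Defender XDR", "alertId", "title")
    print(to_event_payload(envelope).decode("utf-8"))
```

The bytes returned by to_event_payload are what you would place in the body of an event when publishing with the Azure Event Hubs SDK; validating before publishing keeps malformed envelopes (a missing source, a numeric id, a list instead of an object in alert) from reaching Salem, where they would fail silently rather than at the sender.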
