Conf Spec Files

Salem configuration files control how Salem will process and analyze alerts. Configuration entities ("configs") include instructions for alert parsing, context extraction, incident reporting, and other key Salem functions.

If you have salem.admin privileges, you can access the configuration entries by sending the view --admin command in the chat box.

Action Conf

ActionConfs are low-level action classes that dictate how information retrieved from external systems is applied, or that adjust requests to user specification.

Action Definitions

Action Definitions are high-level action classes that are referenced by Action and Reporting actions. These Definitions describe how Salem connects to third-party systems for context and reporting actions. Many ActionConfs may reference a single ActionDefinition for connection/authentication to external systems.

Fab Conf

Floating Action Button (FAB) configurations are rules used to identify alert IDs from web pages like MS Sentinel and Defender.

Parsing Conf

Parsing Conf defines how Salem will process and extract information from new alerts. Parsing can be defined on default (all alerts), source, and alert scopes, allowing fine control over the parsing of alerts using different data structures.

Report Conf

Report Conf controls how Salem sends notifications regarding alert analysis. Salem is pre-configured to send incident notifications to chat. Notifications can also be sent to third-party systems.

RoleConf

RoleConf determines which users have which roles in Salem. Users can be assigned to one or more roles, based on the entries in RoleConf.
