FabConf
FabConf holds the extraction logic and rules that Salem's browser extension uses to extract alert IDs from authorized pages. By default, Salem comes with predefined rules for Sentinel and Defender. Each configuration entry has the following keys:

- id: the unique identifier for each configuration, usually matching the application Salem can apply extraction rules for.
- disabled: (0|1) when disabled, the rules defined in this entry will not be applied.
- id_extraction_rules: a list of rules to apply. Each rule has:
  - type: (xpath | uri) alert IDs can be extracted both from the URL and from the HTML content.
  - fields: a value will be assigned to the fields defined in this array if matches are found. Salem will search for alerts where the parsed value of the alert matches the field value extracted from the rules.
  - allowed_domains: the specific rule will only be applied on pages from the listed domains.

The built-in Defender entry looks like this:
{
  "id": "Defender",
  "version": "1.0.0",
  "disabled": 1,
  "id_extraction_rules": [
    {
      "type": "xpath",
      "xpath": "<valid xpath here>",
      "fields": [
        "additionalData__IncidentId",
        "incidentId"
      ],
      "allowed_domains": [
        "security.microsoft.com"
      ]
    },
    {
      "type": "uri",
      "regex": "/incident2/(\\d+)/",
      "fields": [
        "additionalData__IncidentId",
        "incidentId"
      ],
      "allowed_domains": [
        "security.microsoft.com"
      ]
    },
    {
      "type": "uri",
      "regex": "/alerts/([\\d-]+)",
      "fields": [],
      "allowed_domains": [
        "security.microsoft.com"
      ]
    }
  ]
}
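The following is an added example, not Salem's own code, showing how an entry's id_extraction_rules can be evaluated: "uri" rules run their regex against the page URL, "xpath" rules are delegated to a caller-supplied evaluator (so the code also runs outside a browser), allowed_domains is checked by exact hostname match, and the extracted field values are then used to find matching alert records. The function names, the first-rule-wins conflict handling and the sample config (the Defender entry above with disabled set to 0) are assumptions made for this example.

```javascript
// Added example (not Salem's own code): a minimal evaluator for a FabConf
// entry's id_extraction_rules. Names and conflict handling are assumptions.

// Constructed sample: the page's Defender entry with "disabled" set to 0 so
// the rules are actually applied.
const SAMPLE_FABCONF = {
  id: "Defender",
  version: "1.0.0",
  disabled: 0,
  id_extraction_rules: [
    { type: "xpath", xpath: "<valid xpath here>",
      fields: ["additionalData__IncidentId", "incidentId"],
      allowed_domains: ["security.microsoft.com"] },
    { type: "uri", regex: "/incident2/(\\d+)/",
      fields: ["additionalData__IncidentId", "incidentId"],
      allowed_domains: ["security.microsoft.com"] },
    { type: "uri", regex: "/alerts/([\\d-]+)",
      fields: [],
      allowed_domains: ["security.microsoft.com"] },
  ],
};

// Exact hostname comparison: a lookalike such as
// "security.microsoft.com.evil.example" must not satisfy allowed_domains.
function hostnameAllowed(url, allowedDomains) {
  const host = new URL(url).hostname.toLowerCase();
  return allowedDomains.some((d) => host === d.toLowerCase());
}

// Applies every rule of one entry to a page URL.
// Returns { ids: [...all extracted values...], fields: { fieldName: value } }.
// The first rule that yields a value for a field wins (assumption: the page
// does not say how two rules writing the same field are resolved).
// evaluateXPath(xpathString) -> string|null is supplied by the caller; inside
// the extension it would wrap document.evaluate on the current page.
function extractAlertIds(entry, url, evaluateXPath = null) {
  const result = { ids: [], fields: {} };
  if (entry.disabled === 1) return result;            // entry switched off
  for (const rule of entry.id_extraction_rules) {
    if (!hostnameAllowed(url, rule.allowed_domains)) continue;
    let value = null;
    if (rule.type === "uri") {
      // The first capture group of the regex is the alert/incident ID.
      const m = new RegExp(rule.regex).exec(url);
      if (m && m[1] !== undefined) value = m[1];
    } else if (rule.type === "xpath") {
      if (typeof evaluateXPath === "function") value = evaluateXPath(rule.xpath);
    }
    if (value === null || value === undefined || value === "") continue;
    result.ids.push(String(value));
    for (const name of rule.fields) {
      if (!(name in result.fields)) result.fields[name] = String(value);
    }
  }
  return result;
}

// Finds alert records whose parsed field equals a value extracted by the rules.
// `alerts` is a constructed stand-in for whatever Salem has parsed.
function findMatchingAlerts(alerts, fields) {
  return alerts.filter((alert) =>
    Object.entries(fields).some(([name, value]) => String(alert[name]) === value)
  );
}

// Stand-alone demo with a constructed URL and alert set.
const demo = extractAlertIds(
  SAMPLE_FABCONF,
  "https://security.microsoft.com/incident2/12345/overview"
);
console.log(demo);
console.log(findMatchingAlerts(
  [{ incidentId: 12345, title: "A" }, { incidentId: 7, title: "B" }],
  demo.fields
));
```

Two design points worth noting: the hostname check is an exact match rather than a suffix match, so a domain that merely ends in an allowed name does not pass, and a disabled entry short-circuits before any rule is evaluated, which is the behaviour the `disabled` key describes.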