Salem Threat Notifications

Salem escalates alerts via a Threat Notification in enterprise chat (see Salem Notifications in Chat). These Threat Notifications are shown as Alert Cards that present the relevant information and context that Salem uses to conduct alert investigations.

These cards contain:

Salem's threat determination and score

  • Threat Score: An assigned score to alerts or incidents based on severity, impact, or likelihood to prioritize response efforts. See Threat Scoring.

  • Threat Status: A threat determination derived from the threat score. It is one of Threat, False Positive, Not Escalated, or Needs Information.

Salem's investigation summary and key context

  • Alert Name: The descriptive title of the alert, indicating the type of security event that has been detected.

  • Alert ID: A unique identifier assigned to each specific alert by Salem Cyber. This ID is essential for tracking, referencing, and managing the alert throughout its lifecycle within the security operations workflow.

  • Alert Source: This field specifies where the original alert came from. It indicates the security tool or system that initially generated the alert before it was ingested and processed by Salem (e.g., CrowdStrike, Microsoft Defender, a specific SIEM, cloud logs from Azure, or an identity provider like Okta).

  • Time: The timestamp of when the alert was detected by the source system.

Raw details from the alert itself for further investigation

  • Summary Detail: The relevant, high-level details of the alert.

  • Salem Investigation Context: The context details Salem used to make a threat determination. Ideal alerts have customized alert details, enriched with additional information relevant to the investigation, and 9-12 context labels.

  • Generate Summary button: The Generate Summary feature on the Salem Alert Card is designed to give you a text summary of the alert. See Generate Summary.

  • Extract Field: Extract a new field from the current alert data, or use data in an external system to look up the answer. See Field Extraction.

  • Related Alerts: The Related Alerts feature on the Salem Alert Card allows users to view all alerts associated with the same threat action. See Related Alerts.

Actions you can take

  • Continue Investigation: A way to add context to an investigation. Train Salem on the alert context you used to reach the conclusion of your investigation. Continue adding context until the Salem Threat Score indicator turns green (for benign investigations) or red (for escalated investigations). See Alert Contextualization.

  • Confirm Threat: If you agree with the Salem threat assessment, click this button to let Salem know. See Confirm False Positive or Threat.

  • False Positive: If the alert is a confirmed false positive, click this button to let Salem know. See Confirm False Positive or Threat.

  • Run Alert Action: Salem provides user-directed response actions for third-party systems that can be executed by clicking the Run Alert Action button on the Salem Threat Notification card. See Run Alert Action to learn more.
