Run Alert Actions
What is the Run Alert Action button?
Salem has added user-directed response actions for third-party systems that can be executed by clicking the Run Alert Action button on the Salem threat notification card. Once you select the "Run Alert Action" button, you will see the actions enabled in your environment, such as isolating hosts, resetting passwords, updating case management tools, and allowing or blocking domains.
Some specific tool options include (but are not limited to):
Update Defender XDR Incident
Update Sentinel Incident
MS Defender - Isolate Host
Send to EventHub with SAS
Azure Log Analytics Search
VirusTotal API
Defender Advanced Hunt Query
See Collect data with Third Party API for more specific information about third-party integrations.
Using the Run Action Button
1. Navigate to an alert in enterprise chat or the Salem Browser Extension.
2. Under Salem Investigation Context, select the Run Action button.
3. A new section will load below the original alert card.
4. Select the action to run for the alert (e.g. Azure Log Analytics Search) and select Submit.
5. Follow the integration-specific prompts on the next screen.
How do users automate these actions?
Analysts can automate actions for alerts with similar conditions. You can automate an action by clicking the "Set action to run automatically?" button that appears after running it. Once set, Salem will automatically run that action in the future when it encounters similar situations.