Salem Escalations to Third Party API

Salem automatic triggers for third party APIs

Salem Analysis and Escalations to Third Party APIs

At the conclusion of a Salem alert investigation, Salem can automatically invoke Third Party APIs for a number of purposes, including:

  • Log Salem analysis in a data lake

  • Create/Update a ticket in case management

  • Initiate a Response Action, such as host isolation

Define a Third Party Action

All API actions are defined in an ActionDefinition configuration. Pre-built Salem integrations are listed here: Integration List.

To configure an existing third party action, see: Configure Third Party Actions

Configure Automated Actions

Automated actions are defined as ReportConf configurations. These configurations can be created by Salem as part of the Salem Learning Pipeline, where a user selects a response action to run automatically. ReportConfs can also be created manually by Salem Admins from the confs menu.

This ReportConf configuration triggers the Send to Sentinel action after every alert analysis. This action logs the Salem alert analysis to a custom table in Microsoft Sentinel.

{
  "id": "send_to_sentinel",
  "disabled": 0,
  "condition": [
    {
      "type": "bool",
      "value": "incident == 1 or incident == 0 or stale == 1"
    }
  ],
  "ignore_if": [],
  "block_threshold": 0,
  "params": { "definition": "Send to Sentinel" }
}

Changing the condition logic determines which alerts are logged. For example, the configuration below only logs alerts classified as incidents to Sentinel:

{
  "id": "send_to_sentinel",
  "disabled": 0,
  "condition": [
    {
      "type": "bool",
      "value": "incident == 1"
    }
  ],
  "ignore_if": [],
  "block_threshold": 0,
  "params": { "definition": "Send to Sentinel" }
}
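As an added illustration (not Salem's own evaluator, whose exact expression grammar is not documented on this page), the following Python reads the two ReportConf bodies above and shows which analysis results each one forwards to the Send to Sentinel action. It assumes the condition string is evaluated against integer analysis fields named incident and stale, and it leaves ignore_if and block_threshold unmodelled.

```python
import json
import re

# ReportConf bodies from the page: the first logs every analysis outcome,
# the second only confirmed incidents.
LOG_ALL = json.loads("""{"id": "send_to_sentinel", "disabled": 0,
  "condition": [{"type": "bool", "value": "incident == 1 or incident == 0 or stale == 1"}],
  "ignore_if": [], "block_threshold": 0, "params": {"definition": "Send to Sentinel"}}""")
INCIDENTS_ONLY = json.loads("""{"id": "send_to_sentinel", "disabled": 0,
  "condition": [{"type": "bool", "value": "incident == 1"}],
  "ignore_if": [], "block_threshold": 0, "params": {"definition": "Send to Sentinel"}}""")

# One comparison term: <field> == <int> or <field> != <int> (assumed grammar).
_TERM = re.compile(r"^\s*(\w+)\s*(==|!=)\s*(-?\d+)\s*$")

def _eval_term(term, analysis):
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported condition term: {term!r}")
    field, op, value = m.group(1), m.group(2), int(m.group(3))
    if field not in analysis:  # an unknown field never satisfies a term
        return False
    return analysis[field] == value if op == "==" else analysis[field] != value

def eval_bool(expr, analysis):
    """Evaluate a 'bool' condition string against the analysis result without
    eval(). 'and' binds tighter than 'or'; no parentheses (assumption)."""
    return any(all(_eval_term(t, analysis) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def should_trigger(conf, analysis):
    """Return the action definition name to invoke, or None when the
    ReportConf is disabled or any of its bool conditions is false.
    ignore_if and block_threshold are not modelled here."""
    if conf.get("disabled", 0):
        return None
    checks = [c["value"] for c in conf["condition"] if c["type"] == "bool"]
    if not all(eval_bool(v, analysis) for v in checks):
        return None
    return conf["params"]["definition"]

if __name__ == "__main__":
    # Constructed analysis results: a confirmed incident and a benign alert.
    for result in ({"incident": 1, "stale": 0}, {"incident": 0, "stale": 0}):
        print(result, "->", should_trigger(LOG_ALL, result),
              "/", should_trigger(INCIDENTS_ONLY, result))
```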
