Train Salem

What is the Salem Training Process?

At a high level, the Salem Training Process is how users teach Salem to become more accurate at identifying real threats in their specific environment by providing context and enriching alerts. This feedback happens directly within the user's enterprise chat tools (see Training Salem in Chat) or through Salem's Browser Extension (see Training Salem with in Web Browser).

How does the process work?

  1. When a client’s cybersecurity tool (e.g., Defender, Sentinel) creates a new alert instance, Salem immediately begins investigating the alert. Salem will enrich and contextualize the alert with AI and Salem’s own knowledge base (see Alert Contextualization). At the same time, the client will be notified of the alert and added to a first-in, first-out queue in an MDR model.

  2. Based on what it knows, Salem attempts to make a determination (see Threat Scoring): Threat, False Positive or Needs Information.

  3. If Salem did not reach a conviction on whether the alert represents a threat or a false positive (i.e., Needs Information), it will use third-party APIs to collect more relevant information, provided it knows how to collect the data it needs (see Alert Enrichment).

  4. Once Salem has reached a conviction, the SOC begins their IR process. In an MDR model, the client, their MDR IR analyst and Salem directly collaborate on active Tier 3 IR investigations.
