Alert Contextualization
Train Salem about your data, environment and priorities, to help Salem identify and validate cyber threats.
What is context in Salem?
Salem relies on context to understand which cyber alerts are threats and which can be closed as false positives. You can think of context as a common language that describes the aspects of a cyber alert in terms any cyber professional can readily understand.
Training Salem on Alert Context
The objective is to teach Salem what you know about the actions, accounts, systems, programs, and data associated with threat activity. By breaking down what you know about a reported cyber alert into small component parts (context labels), Salem can reuse what it learned more easily to contextualize hundreds of new alerts that will be created over the coming days, weeks, and months.
Salem is trained using a component called the Salem Learning Pipeline. There are many ways to enter the learning pipeline, including Continue investigation, Context Manager, and Confirm False Positive or Threat.
Key Context Fields
Key Fields in Salem denote the 9 dimensions of context that Salem can record for a cyber alert. Every Salem context label maps to exactly one of these key fields.
Key field | Description | Example labels
action | The threat action reported by the cyber alert | email, authentication, code execution, upload
related_action | Actions with relevance to the threat reported in the cyber alert | remote access, account creation, data deletion, antimalware block
account | The account that was the actor, or was acted on in cases where the action was taken on an account | domain account, local account, default account
src_account | The account that was the actor for an action on an account | service account, third party, admin, developer
src | The source of the reported threat activity. This could include a network asset, application, or system | email gateway, risky geography, mobile device
dest | The resource that was the target of the activity, or the system where an action occurred | workstation, server, cloud hosted
program | The program involved in the action or responsible for taking the action | web browser, command shell, data transfer tool, office application
parent_program | The program or set of programs responsible for invoking the program | office application, scripting language, remote access tool
data | The data involved in the reported action. This could include data that was moved, created, deleted, modified, or executed | office doc, command string, image, database record, registry key, program installer
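The following is an added example, not Salem's own code, of how breaking an analyst's verdict into per-key-field labels lets those labels be reused on later alerts. The raw alert attribute names (event_type, process_name, and so on), the ContextStore class and the sample alerts are all constructed for this illustration; only the nine key field names and the example labels come from the table above.

```python
from __future__ import annotations

# The nine key fields every context label maps to (names from the table above).
KEY_FIELDS = (
    "action", "related_action", "account", "src_account",
    "src", "dest", "program", "parent_program", "data",
)

# Constructed raw-alert schema (an assumption for this example): which raw
# attribute each key field is derived from. related_action and src_account are
# left unmapped because they are not a single attribute of one alert.
RAW_ATTRIBUTE_FOR_FIELD = {
    "action": "event_type",
    "account": "user",
    "src": "source_host",
    "dest": "dest_host",
    "program": "process_name",
    "parent_program": "parent_process_name",
    "data": "object_type",
}


class ContextStore:
    """Hypothetical store of learned labels: key_field -> raw value -> label."""

    def __init__(self) -> None:
        self._labels: dict[str, dict[str, str]] = {k: {} for k in KEY_FIELDS}

    def learn(self, key_field: str, raw_value: str, label: str) -> None:
        """Record one context label, rejecting anything outside the nine key fields."""
        if key_field not in KEY_FIELDS:
            raise ValueError(f"unknown key field: {key_field}")
        self._labels[key_field][raw_value.strip().lower()] = label

    def learn_from_alert(self, alert: dict, analyst_labels: dict[str, str]) -> None:
        """Split an analyst's verdict on one alert into per-field labels keyed on the
        alert's raw values, so the same labels apply to future alerts sharing them."""
        for key_field, label in analyst_labels.items():
            raw_attr = RAW_ATTRIBUTE_FOR_FIELD.get(key_field)
            if raw_attr is None or raw_attr not in alert:
                raise ValueError(f"cannot anchor a label for {key_field} to a raw attribute")
            self.learn(key_field, str(alert[raw_attr]), label)

    def contextualize(self, alert: dict) -> dict[str, str | None]:
        """Return a label for each key field, or None where nothing has been learned yet."""
        context: dict[str, str | None] = {}
        for key_field in KEY_FIELDS:
            raw_attr = RAW_ATTRIBUTE_FOR_FIELD.get(key_field)
            raw_value = alert.get(raw_attr) if raw_attr else None
            label = None
            if raw_value is not None:
                label = self._labels[key_field].get(str(raw_value).strip().lower())
            context[key_field] = label
        return context


def missing_fields(context: dict[str, str | None]) -> list[str]:
    """Key fields still lacking a label; these are where analyst training is needed."""
    return [k for k in KEY_FIELDS if context[k] is None]


# Constructed sample alerts (not real telemetry).
ALERT_1 = {
    "event_type": "process_create",
    "user": "CORP\\jsmith",
    "source_host": "LAPTOP-42",
    "dest_host": "LAPTOP-42",
    "process_name": "powershell.exe",
    "parent_process_name": "winword.exe",
    "object_type": "commandline",
}
ALERT_2 = {  # a later alert that shares several raw values with ALERT_1
    "event_type": "process_create",
    "user": "CORP\\svc-backup",
    "source_host": "SRV-FILE-01",
    "dest_host": "SRV-FILE-01",
    "process_name": "powershell.exe",
    "parent_process_name": "excel.exe",
    "object_type": "commandline",
}


def demo() -> tuple[dict[str, str | None], list[str]]:
    """Train on ALERT_1, then contextualize ALERT_2 and report the untrained fields."""
    store = ContextStore()
    store.learn_from_alert(ALERT_1, {
        "action": "code execution",
        "account": "domain account",
        "src": "workstation",
        "dest": "workstation",
        "program": "command shell",
        "parent_program": "office application",
        "data": "command string",
    })
    ctx = store.contextualize(ALERT_2)
    return ctx, missing_fields(ctx)


if __name__ == "__main__":
    ctx, gaps = demo()
    for key_field, label in ctx.items():
        print(f"{key_field:16} {label}")
    print("needs training:", gaps)
```

Running the demo shows why component labels matter: ALERT_2 inherits the "code execution", "command shell" and "command string" labels from the analyst's work on ALERT_1 without anyone having seen ALERT_2, while the fields tied to raw values that differ (the account, the hosts, the parent program) come back empty and are listed as the next things to train.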
To learn more about how Salem leverages context to produce threat scores, see: Threat Scoring