Audit Context Actions
Audit what context Salem knows, and how it knows it, in a security investigation.
Audit Salem Alert Context
The Audit Context menu allows you to view the context labels added to a Salem alert, view the source of that context, and remove context that should no longer be understood about that alert.

Sources of Context
Salem uses a number of methods to add context to an alert.
Learned Action
This type of context is applied based on an ActionConf created in Salem. ActionConfs can exist by default in Salem, and many others will be created as part of the Salem Learning Pipeline.
Lookup
This type of context is applied based on an entry in a lookup table created in Salem. Lookups and lookup entries can exist by default in Salem, and many others will be created as part of the Salem Learning Pipeline.
Salem NLP
This is context applied by Salem as part of an AI review of the alert. The primary role of Salem NLP is to understand what type of potential threat an alert is attempting to represent.
User Added
This is context added by a user to this Salem alert. Context of this type is often added in the Salem Learning Pipeline.
Managing Context
Selecting the type of context will take you to the configuration or lookup table row that Salem used to generate this context. If you have Salem Admin permissions, you will be able to make changes to the specific learned context method.
Remove Context from an Alert
Any context label can be removed from a Salem alert by selecting "Remove" on the corresponding table row in the Audit Context Actions view. NOTE: if you remove context but don't change the underlying learning method, the context can return if the alert is re-evaluated by Salem.