Continue investigation

Salem's continue investigation guides analysts through alert investigation and contextualization

What is Continue Investigation?

Continue Investigation is a core capability of Salem, available from any Salem alert card. It is designed to surface the next best investigation questions to ask, based on the unique set of facts surrounding a cyber alert. Analysts use Continue Investigation to help Salem learn context about activity, accounts, systems, programs, and data. The outcome of this process directly influences the Threat Scoring of this alert and of future alerts.

Using Continue Investigation

This operation takes place from a Salem alert card view.

  1. Select "Continue Investigation" at the bottom of an Alert card view.

  2. Salem will display a set of questions generated for this specific alert. These questions are selected based on what Salem believes are the next best investigation questions to ask for this alert. As Salem learns more context about the alert, these questions will change. NOTE: Questions that have already been answered for this alert always remain in this list. Review the questions and select one that you know how to answer, or one on which you would like guidance.

  3. Choose to answer the question or ask Salem for assistance.

    1. Selecting "Answer this question" will take you into the Salem Learning Pipeline.

    2. Selecting "Ask Salem" will instruct Salem to suggest an answer or provide recommendations on how the question can be answered. This feature currently works only if you have enabled Salem LLM support.

  If you already know what context you want to provide to Salem, you can use the Context Manager, which is accessible from the bottom of the Continue Investigation card view.