Salem Learning Pipeline

The Learning Pipeline engages analysts to learn what they know about a cyber alert.

What is Salem Learning Pipeline

This is the Salem component responsible for collecting knowledge from analysts and translating that knowledge into instructions on how Salem should contextualize future alert investigations. Analysts interact with the Learning Pipeline through questions Salem asks about alert details.

Types of Salem Questions

Question Type | Description
------------- | -----------
Context | A context question asks an analyst to tell Salem what they know about activity, accounts, systems, programs and data associated with a specific alert.
Field | A field question asks a user to identify the value of a specific Salem Key Context Field for a particular alert.

Context Questions

A context question asks an analyst to tell Salem what they know about activity, accounts, systems, programs, and data associated with a specific alert. Analysts answer these questions by selecting from a drop-down of possible responses, then optionally provide logic Salem can use to create this same context association for future alert investigations.

Field Questions

Salem has a concept of key context fields. When Salem asks a field type question, it is looking for an analyst to identify the exact value of that field for a specified alert.

For example, Salem may ask: "What account is associated with this alert?". To answer this question, an analyst will provide the account/user name for this alert. Salem will then look at the alert details, and if it finds the account value in a differently named field, Salem will recommend an extraction that could be performed in the future to know the account value for similar alerts. Salem will ask the user to validate that the extraction method is accurate before updating its configuration. Configurations made this way are saved in ParsingConf.
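The extraction recommendation described above, as an added illustration that is not Salem's own code: the analyst answers a field question, the alert details are searched for the answered value under any field name, and the resulting mapping is written to a configuration only after validation. The alert shape, the dotted-path layout and the `ParsingConf` structure are assumptions.

```python
"""Hypothetical illustration of a field-question extraction recommendation.
Not Salem's code; field names and the config layout are assumptions."""
from typing import Any

# Constructed sample alert: the account is present under two differently
# named fields, neither of which is called "account".
SAMPLE_ALERT = {
    "alert_id": "A-1001",
    "rule": "Suspicious PowerShell",
    "host": {"name": "WS-42", "logon_user": "jdoe"},
    "process": {"owner": "jdoe", "cmdline": "powershell -enc <placeholder>"},
}


def flatten(obj: dict, prefix: str = "") -> dict[str, Any]:
    """Flatten nested alert details into dotted paths (e.g. host.name)."""
    out: dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def recommend_extraction(alert: dict, answer: str) -> list[str]:
    """Return the source-field paths whose value equals the analyst's answer.
    Several candidates means the analyst must choose one; an empty list means
    no extraction can be proposed for this alert shape."""
    wanted = answer.strip().lower()
    return [path for path, value in flatten(alert).items()
            if isinstance(value, str) and value.strip().lower() == wanted]


def save_parsing_conf(conf: dict, rule: str, key_field: str,
                      source_path: str, validated: bool) -> dict:
    """Record the key-field mapping only once the analyst has validated it."""
    if not validated:
        raise ValueError("extraction must be validated before it is saved")
    conf.setdefault(rule, {})[key_field] = source_path
    return conf


if __name__ == "__main__":
    candidates = recommend_extraction(SAMPLE_ALERT, "jdoe")
    print(candidates)  # both host.logon_user and process.owner match
    conf = save_parsing_conf({}, SAMPLE_ALERT["rule"], "account", candidates[0], True)
    print(conf)
```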

See our community tool, Studio, for a sample of some of the context questions Salem asks during investigations.
