Alert Enrichment

Train Salem to automatically collect and extract information about a cyber alert investigation.

Overview of alert enrichment in Salem

When an alert is sent to Salem for analysis, it often contains some but not all relevant information to understand if that alert is meaningful or a false positive. Additionally, the information Salem does have might be poorly formatted, making it difficult to analyze.

Salem is designed to learn from cyber analysts, specifically how they collect and extract data, and then to repeat those actions automatically for future alerts.

Who enriches alerts in Salem?

Salem expects you to enrich alerts you are actively investigating, because the enrichments Salem wants to learn are the same that you are already doing for your own investigation purposes. By enabling you to record what you know and how you know it, Salem eliminates the need to repeat the exact enrichment in the future.

Types of alert enrichment in Salem

Enrichment Type           Description
Field Extractions         Enable you to create new fields in alert details based on data already in the alert.
Third Party Integrations  Allow you to query data lakes, databases, or other knowledge bases for information to add into alert details.
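The two enrichment types in the table, shown end to end on a constructed alert. This is an added illustration and not Salem's own code or API: the alert, the extraction rules, the timestamp format and the local "asset inventory" standing in for a third-party lookup are all assumptions made for the example. It shows a field extraction (pulling user, source IP and port out of an unstructured message, and normalizing a badly formatted timestamp) followed by a knowledge-base lookup keyed on the extracted IP, with the original alert fields preserved.

```python
"""Illustrative alert enrichment: field extraction plus a local lookup.

Hypothetical example, not Salem's own code or API. The alert, the
extraction rules and the lookup table are constructed for this example.
"""
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample alert: the raw "message" carries data that is not
# yet broken out into its own fields, and "event_time" is poorly formatted.
SAMPLE_ALERT = {
    "id": "alert-0001",
    "rule": "Suspicious login",
    "event_time": "03/14/2024 09:22:05",
    "message": "Failed password for user jdoe from 203.0.113.45 port 51234 ssh2",
}

# Field extraction rules: each maps a new field name to a regex with one
# capture group. These are assumed rules, not anything Salem ships.
EXTRACTION_RULES = {
    "user": re.compile(r"for user (\S+)"),
    "src_ip": re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})"),
    "src_port": re.compile(r"port (\d+)"),
}

# Constructed local knowledge base standing in for a third-party lookup
# (an asset inventory, CMDB or data lake query in a real deployment).
ASSET_DB = {
    "203.0.113.45": {"asset_owner": "unknown", "network": "external"},
    "10.0.0.7": {"asset_owner": "finance", "network": "internal"},
}


def extract_fields(alert, rules=EXTRACTION_RULES):
    """Return new fields derived from the alert's message via regex rules."""
    extracted = {}
    message = alert.get("message", "")
    for field, pattern in rules.items():
        match = pattern.search(message)
        if match:
            extracted[field] = match.group(1)
    # Type the port as an integer so downstream comparisons work.
    if "src_port" in extracted:
        extracted["src_port"] = int(extracted["src_port"])
    return extracted


def normalize_time(alert):
    """Convert the US-style timestamp into ISO 8601 UTC; keep parse failures visible."""
    raw = alert.get("event_time")
    if raw is None:
        return {}
    try:
        parsed = datetime.strptime(raw, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return {"event_time_parse_error": raw}
    return {"event_time_iso": parsed.isoformat()}


def lookup_asset(src_ip, db=ASSET_DB):
    """Query the local knowledge base for the extracted IP; reject malformed input."""
    try:
        ipaddress.ip_address(src_ip)
    except ValueError:
        return {"src_ip_valid": False}
    result = {"src_ip_valid": True}
    result.update(db.get(src_ip, {"asset_owner": "not in inventory"}))
    return result


def enrich_alert(alert):
    """Apply extraction, normalization and lookup; original fields are kept untouched."""
    enriched = dict(alert)
    enriched.update(extract_fields(alert))
    enriched.update(normalize_time(alert))
    if "src_ip" in enriched:
        enriched.update(lookup_asset(enriched["src_ip"]))
    return enriched


if __name__ == "__main__":
    for key, value in enrich_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The lookup is keyed on a field that only exists after extraction, which is the usual ordering: extractions first, then integrations that consume the extracted values. Parse failures are recorded as their own field rather than dropped, so an analyst can see that the enrichment ran but could not interpret the input.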

Scoping alert enrichments

Like any learning in Salem, make sure you understand the scope to which you want Salem to apply this training. Read more about scoping in Salem training under Scoping Salem Learnings.
