Collect data with Third Party API
Train Salem to use Third Party integrations to collect information relevant to cyber investigations.
Prebuilt Salem Integrations for alert enrichment
Microsoft Sentinel (Azure Log Analytics)
Use Sentinel Log Search to enrich a Salem alert with data from your Sentinel workspace.
Microsoft Defender
Use Defender Advanced Hunt queries to enrich a Salem alert with device, process, email, and other data available in Defender.
Splunk
Use Splunk Search directly to enrich a Salem alert with data from your Splunk instance.
Virus Total
Query Virus Total threat information to enrich IPs, Domains, Hashes, and other observables.
Silent Push
Query Silent Push threat information to enrich IPs, Domains, Hashes, and other observables.
Microsoft Graph API
Query the Microsoft Graph API to enrich a Salem alert with Microsoft 365, User, Application, and Azure Cloud data.
Enrich an alert with a Third Party Integration
Alert enrichment is performed from an alert card view.
Select "Run Alert Action", and select the third party integration you want to use from the dropdown list.
Fill in the parameters for the selected action.
Select Run. If an error occurs, it will be displayed at the bottom of this view. For more information on how to troubleshoot errors within third party actions, see Troubleshooting.
Once the action is complete, the results will be returned in a new card view.
NOTE: Salem only uses data from the first result. The resultCount will indicate the total number of result records returned. If you need to incorporate data from many results, you must adjust your query so that data is returned in one single result record. For example, you can use summarization features in tools like Sentinel and Splunk to combine many records into a single table row.
Select which fields from the returned data you want to have added to Alert Details of the alert.
If you want Salem to run this action automatically for future alerts, select "Set action to run automatically".
OPTIONAL: Provide eval logic to help Salem decide under what conditions to run this action. For more information about Salem eval strings, see: Eval String Reference
Provide the scope at which this action should be applied. For more information about conf scoping, see: Scoping Salem Learnings
When you set an action to run automatically, that action will be added to the ParsingConf webhook actions. The exact ParsingConf modified will depend on the scope you've selected. To learn more about ParsingConf, see: ParsingConf
NOTE: When creating this new configuration, Salem will take the inputs you've provided and parameterize them based on the data that was previously available in Alert Details. Ensure the key details of your input parameters are extracted as fields in Alert Details. This will help Salem build a template that is reusable for future alerts. FAILING TO DO SO could result in Salem creating a configuration that could provide inaccurate data for future alerts.
Select Submit. Salem will display the name of the ActionConf configuration created. If no ActionConf name is displayed, then Salem failed to reconcile the parameters provided with the Alert Details. The new data will still be added to this alert, but no configuration was saved for future enrichment automation.
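Because Salem reads only the first result record, a Sentinel enrichment query should fold everything it needs into one row before it returns. The KQL below is an added example, not part of the Salem documentation or its prebuilt integrations; it assumes the standard Sentinel SigninLogs table and a constructed user value standing in for the field Salem would parameterize from Alert Details (the Splunk equivalent is a single `stats` command with `values()` and `count`).

```kql
// Added example (not Salem's own code): collapse many Sentinel sign-in rows into
// a single result record so Salem's "first result only" rule still carries all data.
// Assumes the SigninLogs table; the user value is constructed for illustration and
// would be replaced by the field Salem parameterizes from Alert Details.
let target_user = "alice@example.com";   // constructed value
let lookback = 24h;
// Unsummarized form (commented out): one row per sign-in, so Salem would only
// see the first sign-in and resultCount would show how many were dropped.
// SigninLogs
// | where TimeGenerated > ago(lookback) and UserPrincipalName =~ target_user
// | project TimeGenerated, IPAddress, Location, AppDisplayName, ResultType
// Summarized form: exactly one row, with multi-valued fields folded into sets
// that can each be selected as an Alert Details field.
SigninLogs
| where TimeGenerated > ago(lookback)
| where UserPrincipalName =~ target_user
| extend IsFailure = ResultType != "0"       // ResultType "0" is a successful sign-in
| summarize
    SigninCount       = count(),
    FailedSigninCount = countif(IsFailure),
    DistinctIPs       = dcount(IPAddress),
    SourceIPs         = make_set(IPAddress, 50),      // cap the set so the row stays bounded
    Locations         = make_set(Location, 20),
    Applications      = make_set(AppDisplayName, 20),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by UserPrincipalName
```

With this shape, resultCount is 1 whether the user had one sign-in or five hundred, and a spike in FailedSigninCount or DistinctIPs is visible directly in the enriched alert.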
Enable and Configure Prebuilt Integrations
Prebuilt Integrations are defined by default as ActionDefinitions that are in a disabled state. Read more about configuring ActionDefinitions here: Configure Third Party Actions
Adding new Third Party integrations
You can create new third party integrations, or customize existing integrations by creating or modifying ActionDefinitions. Learn more about Salem ActionDefinitions here: ActionDefinition