Field Extraction

Extract and format data in a Salem alert.

Salem enables you to reformat details in a single alert and have Salem automatically repeat that formatting in future alerts.

When to use Field Extractions

You'll use field extractions when you want Salem to create a new field or update an existing field in alert details.

Salem Field Naming Conventions

Salem doesn't have a rigid model for field names. However, Salem is most effective when field naming leverages the following 6 named fields: account, src_account, src, dest, program, and parent_program. These fields are described as Key Context Fields, and using these field names helps Salem cross-correlate investigation context.

Creating a new Field Extraction

Field extractions are created from a Salem alert view.

  1. Start a new field extraction by selecting "extract field" on the alert view.

  2. Select "Alert Details", which indicates to Salem that you want to create a new field in Alert Details by evaluating data already contained in Alert Details.

  3. Enter the name of the new field in Alert Details you want to create in the "Field Name" box. If you enter the name of an existing field, the value of that field will be overwritten.

  4. Enter the extraction logic that Salem should use to create this field. Example:

    1. Entering the name of an existing field will create a new field with the value of the existing field. You can learn more about the Salem eval language here: Eval String Reference

  5. Select Test. If your extraction logic doesn't produce a valid return value, an error will be returned.

  6. Review the field extraction preview to ensure it matches expectations.

  7. Select the scope where this extraction should apply for future alerts. Read more here about scoping Salem configurations: Scoping Salem Learnings

  8. Select Save
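A toy model of the behaviour these steps describe, added here as an illustration; it is not Salem's own code or eval language. The only eval form modelled is the one documented above (naming an existing field copies its value), and the conf layout, the sample alert and the vendor field names are constructed assumptions:

```python
# Assumed model of field extractions saved as evals in a ParsingConf and
# applied to alert details. Not Salem's real API: eval form, conf layout
# and sample data are constructed for this example.
KEY_CONTEXT_FIELDS = {"account", "src_account", "src", "dest",
                      "program", "parent_program"}

class ExtractionError(ValueError):
    """Raised when an eval does not produce a valid return value."""

def apply_evals(alert_details, evals):
    """Apply (new_field, existing_field) evals in order; later evals may
    reference fields created earlier. An existing field is overwritten."""
    details = dict(alert_details)
    for new_field, source_field in evals:
        if source_field not in details:
            raise ExtractionError(
                f"eval for '{new_field}' references missing field '{source_field}'")
        details[new_field] = details[source_field]
    return details

def preview_extraction(alert_details, new_field, source_field):
    """Model of the 'Test' step: return the preview or the error message."""
    try:
        preview = apply_evals(alert_details, [(new_field, source_field)])
        return {"ok": True, "preview": preview}
    except ExtractionError as exc:
        return {"ok": False, "error": str(exc)}

def missing_key_context(alert_details):
    """Key context fields the alert still lacks, sorted for stable output."""
    return sorted(KEY_CONTEXT_FIELDS - set(alert_details))

# Constructed sample alert details (not real data).
SAMPLE_ALERT = {"user": "jdoe", "hostname": "ws-17",
                "process": "powershell.exe", "ppid_name": "winword.exe"}

# Constructed evals mapping vendor field names onto the key context fields.
SAMPLE_EVALS = [("account", "user"), ("src", "hostname"),
                ("program", "process"), ("parent_program", "ppid_name")]

if __name__ == "__main__":
    print(missing_key_context(SAMPLE_ALERT))
    print(apply_evals(SAMPLE_ALERT, SAMPLE_EVALS))
    print(preview_extraction(SAMPLE_ALERT, "dest", "remote_host"))
```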

Summary Details vs Alert Details

All fields available in Summary Details are also available in Alert Details. Summary Details exist to highlight information that is most relevant to you. Control over what fields are displayed in Summary Details is managed in ParsingConf. Read more about configuring ParsingConf here: ParsingConf

Field Extractions in ParsingConf

Field extractions created from a Salem alert are saved as Evals in ParsingConf. The exact ParsingConf updated will depend on the scope selected when the field extraction was created. You can learn more about conf scopes here: Scoping Salem Learnings

You can add, remove, or update field extractions by editing ParsingConf directly. ParsingConf provides other methods for formatting alert data. Learn more about ParsingConf here: ParsingConf
