Confirm False Positive or Threat
Confirming the status of a cyber alert helps further Salem analysis.
The Confirm False Positive or Threat capability lets an analyst quickly tell Salem why they knew the threat state of an alert. It is the fastest way to train Salem, but less thorough than Continue investigation.
Confirm a Threat or False Positive
This operation takes place from a Salem alert card view.
1. Start by selecting either "Confirm Threat" or "False Positive" from the bottom of an alert card view.
2. OPTIONAL: Select from the dropdown all the alert details that contributed to your assessment. NOTE: When you select fields that contributed to your assessment, Salem creates a Reporting Condition for this alert use case, so that future alerts with the same use case name are classified the same way whenever the exact details you provided match. Because of this, it is important to include enough detail that you would always want alerts matching those details to be handled the same way; selecting too few fields makes the condition broad. If no fields are selected, Salem will not create any reporting conditions.
3. Select "Yes".
4. Salem may follow up with more questions depending on the fields you selected in the prior step. To learn more about these questions, see Salem Learning Pipeline.
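The following is an added illustrative model of the matching rule described above, not Salem's own code: a reporting condition is keyed on the use case name plus the exact values of the fields the analyst selected, no condition is created when no fields are selected, and a small coverage check shows how many of a constructed set of alerts a candidate condition would silently classify, which is the breadth question an analyst should ask before selecting too few fields. All class names, function names, field names and alert values here are assumptions.

```python
"""Illustrative model of reporting conditions (added example, not Salem's code).

Assumed structure: an alert has a use case name and a dict of detail fields.
Confirming with selected fields yields a condition; future alerts of the same
use case whose selected fields match exactly receive the same verdict.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReportingCondition:
    use_case: str           # use case name the condition applies to
    verdict: str            # "threat" or "false_positive"
    fields: dict            # selected field -> exact value that must match


def confirm(alert: dict, verdict: str, selected_fields: list) -> Optional[ReportingCondition]:
    """Analyst confirms an alert. Returns a condition only if fields were selected."""
    if verdict not in ("threat", "false_positive"):
        raise ValueError("verdict must be 'threat' or 'false_positive'")
    if not selected_fields:
        return None  # no fields selected -> no reporting condition is created
    return ReportingCondition(
        use_case=alert["use_case"],
        verdict=verdict,
        fields={f: alert["details"][f] for f in selected_fields},
    )


def matches(cond: ReportingCondition, alert: dict) -> bool:
    """Same use case name and every selected field equal to the stored value."""
    if cond.use_case != alert["use_case"]:
        return False
    return all(alert["details"].get(k) == v for k, v in cond.fields.items())


def classify(alert: dict, conditions: list) -> Optional[str]:
    """Apply conditions to a new alert; None means it falls through to normal analysis."""
    for cond in conditions:
        if matches(cond, alert):
            return cond.verdict
    return None


def coverage(cond: ReportingCondition, alerts: list) -> list:
    """Ids of alerts a candidate condition would classify: a breadth check before confirming."""
    return [a["id"] for a in alerts if matches(cond, a)]


# Constructed sample alerts (not real data).
ALERTS = [
    {"id": "A1", "use_case": "Suspicious PowerShell",
     "details": {"user": "svc-backup", "host": "srv01",
                 "parent_process": "backup_agent.exe", "command_line": "powershell -File backup.ps1"}},
    {"id": "A2", "use_case": "Suspicious PowerShell",
     "details": {"user": "svc-backup", "host": "srv02",
                 "parent_process": "backup_agent.exe", "command_line": "powershell -File rotate.ps1"}},
    {"id": "A3", "use_case": "Suspicious PowerShell",
     "details": {"user": "jdoe", "host": "wks07",
                 "parent_process": "outlook.exe", "command_line": "powershell -File unknown.ps1"}},
    {"id": "A4", "use_case": "Rare Logon Location",
     "details": {"user": "svc-backup", "host": "srv01",
                 "parent_process": "-", "command_line": "-"}},
    {"id": "A5", "use_case": "Suspicious PowerShell",
     "details": {"user": "svc-backup", "host": "srv01",
                 "parent_process": "cmd.exe", "command_line": "powershell -File odd.ps1"}},
]


def demo() -> dict:
    """Narrow condition (user + parent) versus broad condition (user only) on A1."""
    narrow = confirm(ALERTS[0], "false_positive", ["user", "parent_process"])
    broad = confirm(ALERTS[0], "false_positive", ["user"])
    return {
        "none_when_no_fields": confirm(ALERTS[0], "false_positive", []),
        "narrow_covers": coverage(narrow, ALERTS),   # A1, A2 only
        "broad_covers": coverage(broad, ALERTS),     # A1, A2, A5: cmd.exe parent now suppressed too
        "a2_verdict": classify(ALERTS[1], [narrow]),
        "a3_verdict": classify(ALERTS[2], [narrow]),
        "a4_verdict": classify(ALERTS[3], [broad]),  # different use case name, not matched
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the demo shows the practical consequence of the NOTE in step 2: the user-only condition also covers A5, a PowerShell launch from cmd.exe that the analyst never reviewed, while the user-plus-parent condition is limited to the backup agent activity that was actually assessed.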