Reporting Conditions

Use Salem reporting conditions to override Salem's threat notification behavior.

What is a Reporting Condition?

Reporting Conditions are rules that override Salem's threat notification behavior. For instance, you can use a reporting condition to ensure Salem sends a Threat notification for any alert that includes a key characteristic. Reporting Conditions are useful when you have simple business reporting logic that must be followed regardless of Salem Threat Scoring.

Prerequisites

To create, view and remove reporting conditions, you must have Salem Admin permissions.

Creating a Reporting Condition

  1. Reporting Conditions are created from the Salem Admin Menu. The Admin Menu is only available from Salem in chat. To enter the admin menu, send Salem a message:

    view -a
  2. From the Admin Menu, select "Others", then select "Add Reporting Condition"

  3. Enter the logic for this reporting condition, using Salem eval strings. See the Eval String Reference.

  4. Select the alert Status that Salem will set an alert to if the above condition is matched

  5. Enter a message to include on any associated threat notification sent by Salem. This message will help inform anyone who is viewing an alert that matches this condition.

  6. Submit

Viewing or Removing a Reporting Condition

  1. Reporting Conditions are created from the Salem Admin Menu. The Admin Menu is only available from Salem in chat. To enter the admin menu, send Salem a message:

  2. From the Admin Menu, select "Others", then select "Reporting Condition Menu"

  3. Search for a Reporting Condition. The search filter operates over both the Reporting Condition Name and the value of the filter. For instance, if you want to find reporting conditions that include a specific user, simply search for the user account. NOTE: Reporting Condition names are typically an alert use case name or "All alerts". A reporting condition with a name other than "All alerts" will only apply to alerts with that particular alert use case name. This type of reporting condition is created from the Salem Confirm False Positive or Threat feature.

  4. Selecting a Reporting Condition row in the table will provide its details

  5. To delete a reporting condition, select "Delete". NOTE: There is no capability to modify a reporting condition. To modify, you must remove and recreate the reporting condition.

Reporting Conditions order of precedence
