Scoping Salem Learnings
Salem learning scopes set the bound for how broadly Salem learning can be applied to new investigations.
What does it mean to Scope Salem Learnings?
As analysts use Salem, it learns what they know about activity, accounts, systems, programs, and data in their organization. Salem reuses that context as much as possible when investigating future alerts. Scope refers to how broadly Salem will apply the context it has learned.
Alert
Similar Alerts
When an analyst selects the Alert scope, Salem only applies the learning to alerts with the exact same alert name. This option is typically used when the learning is specific to that one detection.
Alert Source
Alerts from the same source
When an analyst selects the Alert Source scope, Salem applies the learning to any alert with the same alert source. An alert source is the tool that generated the alert, such as Microsoft Defender for Endpoint.
All Alerts
All Alerts
The All Alerts scope covers any alert Salem reviews. This scope is common for learning about objects such as accounts, systems, programs and data, which can appear in a similar form in alerts from any alert source.
Learning Expiration
In some cases, Salem asks whether a learning is typically true, temporarily true, or only true for a specific alert. Salem uses this answer to set a time limit on how long it retains the context it has learned. Temporary learning is typically retained for two weeks, but the period can vary based on the specific context learned.
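The following is an added illustration of how the three scopes and the expiration setting together decide whether a learning is reused on a new alert. It is not Salem's code; the `Alert` and `Learning` records, the field names, the sample alerts and learnings, and the 14-day default for temporary learning are assumptions chosen to match the rules described on this page.

```python
"""Model of how scope and expiration bound the reuse of learned context.

Illustrative code, not Salem's implementation. Record shapes, field names,
sample data and the 14-day default are assumptions matching this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Scope(Enum):
    ALERT = "alert"                # only alerts with the exact same alert name
    ALERT_SOURCE = "alert_source"  # any alert from the same source tool
    ALL_ALERTS = "all_alerts"      # any alert Salem reviews


class Validity(Enum):
    TYPICALLY_TRUE = "typically"    # retained with no time limit
    TEMPORARILY_TRUE = "temporary"  # retained for a limited period (assumed 14 days)
    THIS_ALERT_ONLY = "this_alert"  # never reused beyond the alert it came from


@dataclass(frozen=True)
class Alert:
    alert_id: str
    name: str    # detection name as the source tool reports it
    source: str  # tool that generated the alert


@dataclass
class Learning:
    context: str
    scope: Scope
    validity: Validity
    learned_from: Alert
    learned_at: datetime
    ttl: timedelta = timedelta(days=14)  # assumed default for temporary learning

    def expires_at(self) -> Optional[datetime]:
        """Time after which temporary learning is dropped; None means no limit."""
        if self.validity is Validity.TEMPORARILY_TRUE:
            return self.learned_at + self.ttl
        return None

    def applies_to(self, alert: Alert, now: datetime) -> bool:
        """True if this learning should be reused when investigating `alert`."""
        # Expiration is checked first: stale context is never reused, whatever the scope.
        if self.validity is Validity.THIS_ALERT_ONLY:
            return alert.alert_id == self.learned_from.alert_id
        expiry = self.expires_at()
        if expiry is not None and now >= expiry:
            return False
        # Then scope, widening from the exact detection, to the source tool, to everything.
        if self.scope is Scope.ALERT:
            return alert.name == self.learned_from.name
        if self.scope is Scope.ALERT_SOURCE:
            return alert.source == self.learned_from.source
        return True  # Scope.ALL_ALERTS


def applicable_learnings(learnings: List[Learning], alert: Alert, now: datetime) -> List[str]:
    """Return the context Salem would carry into a new investigation of `alert`."""
    return [l.context for l in learnings if l.applies_to(alert, now)]


# Constructed sample data: one originating alert and four learnings taken from it.
T0 = datetime(2024, 3, 1, 9, 0)
ORIGIN = Alert("a-100", "Suspicious PowerShell command line", "Microsoft Defender for Endpoint")
SAMPLE_LEARNINGS = [
    Learning("svc-backup runs signed backup scripts nightly", Scope.ALL_ALERTS, Validity.TYPICALLY_TRUE, ORIGIN, T0),
    Learning("This detection fires on the EDR agent's own updater", Scope.ALERT, Validity.TYPICALLY_TRUE, ORIGIN, T0),
    Learning("Authorized pentest in progress on this tenant", Scope.ALERT_SOURCE, Validity.TEMPORARILY_TRUE, ORIGIN, T0),
    Learning("Analyst confirmed this single alert was benign", Scope.ALERT, Validity.THIS_ALERT_ONLY, ORIGIN, T0),
]


def reuse_for(alert_id: str, name: str, source: str, days_after: int) -> List[str]:
    """Which sample learnings apply to an alert seen `days_after` days after T0."""
    alert = Alert(alert_id, name, source)
    return applicable_learnings(SAMPLE_LEARNINGS, alert, T0 + timedelta(days=days_after))


if __name__ == "__main__":
    for args in [("a-101", ORIGIN.name, ORIGIN.source, 1),
                 ("a-102", "Credential dumping", ORIGIN.source, 1),
                 ("a-103", "Impossible travel", "Okta", 1),
                 ("a-104", "Credential dumping", ORIGIN.source, 14)]:
        print(args, "->", reuse_for(*args))
```

The order of the checks matters: expiration is evaluated before scope, so a temporary learning that has lapsed is not reused even under the All Alerts scope, and learning marked as true only for a specific alert never matches a different alert ID regardless of how its scope was set.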