
Abnormal Inbound Email Security

About

Modern email attacks are circumventing traditional email security solutions with increasing sophistication, severity, and cost. Abnormal Inbound Email Security pairs advanced behavioral science with risk-adaptive detection to stop the full spectrum of malicious email, including business email compromise, supply chain fraud, ransomware, and spam.

Abnormal stops the full spectrum of email-borne attacks with a fundamentally different approach than traditional email security solutions.

Abnormal’s AI-based anomaly detection engine baselines known-good behavior across employees and vendors by correlating email content with non-email-related signals of identity and behavior.

Using these profiles, Abnormal learns the difference between known-good and abnormal user behavior. It remediates malicious emails in milliseconds and offers explainable attack insights with in-depth reviews of each attack.

Product Details

Vendor URL: Abnormal

Product Type: Email Security

Product Tier: Tier III

Integration Method: JSON

Integration URL: Not available

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: ABNORMAL_SECURITY

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                 UDM Field
eventid                        metadata.product_event_type
ccEmail                        network.email.cc
toAddress                      network.email.to
record.abxMessageId            security_result.abxMessageId
record.abxPortalUrl            metadata.url_back_to_product
record.attachmentNames         security_result.attachmentNames
record.attackedParty           security_result.attackedParty
record.attackStrategy          security_result.attackStrategy
record.attackType              metadata.product_event_type
record.attackVector            security_result.attackVector
record.autoRemediated          security_result.autoRemediated
record.fromAddress             network.email.from
record.fromName                network.email.mail_id
record.impersonatedParty       security_result.impersonatedParty
record.internetMessageId       security_result.internetMessageId
record.isRead                  security_result.isRead
record.postRemediated          security_result.postRemediated
record.receivedTime            security_result.receivedTime
record.remediationStatus       security_result.remediationStatus
record.remediationTimestamp    security_result.remediationTimestamp
record.returnPath              security_result.returnPath
record.senderDomain            network.dns_domain
record.sentTime                security_result.sentTime
record.subject                 network.email.subject
record.summaryInsights         security_result.summaryInsights
record.threatId                security_result.summary
record.url                     security_result.url

Product Event Types

Event         UDM Event Classification
all events    GENERIC_EVENT

Log Sample

{
  "threatId": "fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx",
  "messages": [
    {
      "abxMessageId": 58486xxxxxxx0783126,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/58486xxxxxxx0783126",
      "attachmentCount": 0,
      "attachmentNames": [],
      "attackStrategy": "Unknown Sender",
      "attackType": "Spam",
      "attackVector": "Link",
      "attackedParty": "Employee (Other)",
      "autoRemediated": true,
      "fromAddress": "sxxxxe@mail.xxxx.xx.edu.tw",
      "fromName": "joan doe",
      "impersonatedParty": "None / Others",
      "internetMessageId": "<45xxxxx86.88xxxxxxxx5895@mail.xxxx.xx.edu.tw>",
      "isRead": false,
      "postRemediated": false,
      "receivedTime": "2023-03-21T21:19:59Z",
      "recipientAddress": "customer@company.com",
      "remediationStatus": "Auto-Remediated",
      "remediationTimestamp": "2023-03-21T21:20:04.689048Z",
      "sentTime": "2023-03-21T20:50:32Z",
      "subject": "Customer , hi",
      "threatId": "fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx",
      "toAddresses": ["customer@company.com"],
      "ccEmails": [],
      "replyToEmails": [],
      "returnPath": "Boe@mail.xxxx.xx.edu.tw",
      "senderDomain": "mail.xxxx.xx.edu.tw",
      "senderIpAddress": null,
      "summaryInsights": ["Unusual Sender", "Suspicious Link"],
      "urlCount": 1,
      "urls": ["https://bit.ly/xxxxxxx"]
    }
  ]
}

Sample Parsing

metadata.product_name: "Inbound Email Security"
metadata.product_event_type: "Spam"
metadata.url_back_to_product: "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/58486xxxxxxx0783126"
security_result[0].summary: "threatId:fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx"
security_result[0].detection_fields[0].key: "abxMessageId"
security_result[0].detection_fields[0].value: "58486xxxxxxx0783000"
security_result[0].detection_fields[1].key: "attackStrategy"
security_result[0].detection_fields[1].value: "Unknown Sender"
security_result[0].detection_fields[2].key: "attackVector"
security_result[0].detection_fields[2].value: "Link"
security_result[0].detection_fields[3].key: "attackedParty"
security_result[0].detection_fields[3].value: "Employee (Other)"
security_result[0].detection_fields[4].key: "autoRemediated"
security_result[0].detection_fields[4].value: "true"
security_result[0].detection_fields[5].key: "isRead"
security_result[0].detection_fields[5].value: "false"
security_result[0].detection_fields[6].key: "postRemediated"
security_result[0].detection_fields[6].value: "false"
security_result[0].detection_fields[7].key: "impersonatedParty"
security_result[0].detection_fields[7].value: "None / Others"
security_result[0].detection_fields[8].key: "internetMessageId"
security_result[0].detection_fields[8].value: "<45xxxxx86.88xxxxxxxx5895@mail.xxxx.xx.edu.tw>"
security_result[0].detection_fields[9].key: "returnPath"
security_result[0].detection_fields[9].value: "Boe@mail.xxxx.xx.edu.tw"
security_result[0].detection_fields[10].key: "receivedTime"
security_result[0].detection_fields[10].value: "2023-03-21T21:19:59Z"
security_result[0].detection_fields[11].key: "sentTime"
security_result[0].detection_fields[11].value: "2023-03-21T20:50:32Z"
security_result[0].detection_fields[12].key: "remediationTimestamp"
security_result[0].detection_fields[12].value: "2023-03-21T21:20:04.689048Z"
security_result[0].detection_fields[13].key: "remediationStatus"
security_result[0].detection_fields[13].value: "Auto-Remediated"
security_result[0].detection_fields[14].key: "summaryInsights"
security_result[0].detection_fields[14].value: "Unusual Sender"
security_result[0].detection_fields[15].key: "summaryInsights"
security_result[0].detection_fields[15].value: "Suspicious Link"
security_result[0].detection_fields[16].key: "url"
security_result[0].detection_fields[16].value: "https://bit.ly/xxxxxxx"
network.email.from: "sxxxxe@mail.xxxx.xx.edu.tw"
network.email.to[0]: "customer@company.com"
network.email.mail_id: "joan doe"
network.email.subject[0]: "Customer , hi"
network.dns_domain: "mail.xxxx.xx.edu.tw"
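The mapping above, reproduced in Python as an added example; this is not Abnormal's code nor the platform's own parser. It follows the UDM field table and the sample parsing on this page: one event per entry in "messages", scalar message keys copied into security_result.detection_fields in the order shown, list-valued keys (summaryInsights, urls) expanded to one key/value pair per element, and urls emitted under the key "url". The function names (parse_threat, message_to_udm), the nested dict shape and the sample record are assumptions made for illustration; every id, address and URL in the sample is a constructed placeholder. One detail worth checking in any parser for this feed: abxMessageId is a 19-digit integer, which exceeds the range a double can represent exactly, and the sample parsing above ends in 000 where the log sample ends in 126, which is consistent with the id having passed through a floating-point value. The example keeps the integer exact and renders it as a string.

```python
"""Map one Abnormal Inbound Email Security threat record to UDM-style fields.

Added example, not Abnormal's or the parser's own code. Field names follow
the UDM table on this page; function names and output shape are assumptions.
"""
import json

# Constructed sample in the shape of the page's log sample. Every value
# (threat id, message id, addresses, URLs) is a placeholder, not real data.
SAMPLE_LOG = json.dumps({
    "threatId": "00000000-0000-4000-8000-000000000001",
    "messages": [{
        "abxMessageId": 5848600000000783126,
        "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/"
                        "remediation-history/5848600000000783126",
        "attachmentCount": 0, "attachmentNames": [],
        "attackStrategy": "Unknown Sender", "attackType": "Spam",
        "attackVector": "Link", "attackedParty": "Employee (Other)",
        "autoRemediated": True,
        "fromAddress": "sender@mail.example.edu", "fromName": "joan doe",
        "impersonatedParty": "None / Others",
        "internetMessageId": "<msg-0001@mail.example.edu>",
        "isRead": False, "postRemediated": False,
        "receivedTime": "2023-03-21T21:19:59Z",
        "recipientAddress": "customer@company.example",
        "remediationStatus": "Auto-Remediated",
        "remediationTimestamp": "2023-03-21T21:20:04.689048Z",
        "sentTime": "2023-03-21T20:50:32Z", "subject": "Customer , hi",
        "threatId": "00000000-0000-4000-8000-000000000001",
        "toAddresses": ["customer@company.example"],
        "ccEmails": [], "replyToEmails": [],
        "returnPath": "bounce@mail.example.edu",
        "senderDomain": "mail.example.edu", "senderIpAddress": None,
        "summaryInsights": ["Unusual Sender", "Suspicious Link"],
        "urlCount": 1, "urls": ["https://link.example/placeholder"],
    }],
})

# Message keys copied into security_result.detection_fields, in the order the
# page's sample parsing lists them. "urls" is emitted under the UDM key "url".
DETECTION_KEYS = [
    "abxMessageId", "attackStrategy", "attackVector", "attackedParty",
    "autoRemediated", "isRead", "postRemediated", "impersonatedParty",
    "internetMessageId", "returnPath", "receivedTime", "sentTime",
    "remediationTimestamp", "remediationStatus", "summaryInsights", "urls",
]


def _as_str(value):
    """Render a JSON scalar as the sample parsing shows it: booleans as
    lowercase true/false, everything else via str(). Python's json module
    keeps abxMessageId as an exact int, so all 19 digits survive; a parser
    that routes the value through a double would zero the low digits."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def message_to_udm(msg, threat_id):
    """Build the UDM-style event for a single entry of 'messages'."""
    detection_fields = []
    for key in DETECTION_KEYS:
        if key not in msg:
            continue
        values = msg[key] if isinstance(msg[key], list) else [msg[key]]
        udm_key = "url" if key == "urls" else key
        for v in values:
            detection_fields.append({"key": udm_key, "value": _as_str(v)})
    return {
        "metadata": {
            "product_name": "Inbound Email Security",
            "product_event_type": msg.get("attackType"),
            "url_back_to_product": msg.get("abxPortalUrl"),
        },
        "security_result": [{
            "summary": f"threatId:{threat_id}",
            "detection_fields": detection_fields,
        }],
        "network": {
            "email": {
                "from": msg.get("fromAddress"),
                "to": list(msg.get("toAddresses", [])),
                "cc": list(msg.get("ccEmails", [])),
                "mail_id": msg.get("fromName"),
                "subject": [msg["subject"]] if "subject" in msg else [],
            },
            "dns_domain": msg.get("senderDomain"),
        },
    }


def parse_threat(raw):
    """Parse one threat JSON document into a list of UDM events."""
    doc = json.loads(raw)
    threat_id = doc.get("threatId")
    return [message_to_udm(m, threat_id) for m in doc.get("messages", [])]


if __name__ == "__main__":
    for event in parse_threat(SAMPLE_LOG):
        print(json.dumps(event, indent=2))
```

Running the module prints one event whose detection_fields indices 0 through 16 line up with the sample parsing above (summaryInsights at 14 and 15, url at 16). Because the top-level threat can carry several messages, the function returns a list rather than a single event.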

Rules

Coming Soon