Abnormal Inbound Email Security
About
Modern email attacks are circumventing traditional email security solutions with increasing sophistication, severity, and cost. Abnormal Inbound Email Security pairs advanced behavioral science with risk-adaptive detection to stop the full spectrum of malicious email, including business email compromise, supply chain fraud, ransomware, and spam.
Abnormal stops the full spectrum of email-borne attacks with a fundamentally different approach than traditional email security solutions.
Abnormal’s AI-based anomaly detection engine baselines known-good behavior across employees and vendors by correlating email content with identity and behavior signals that come from outside email.
Using these profiles, Abnormal learns the difference between known-good and abnormal user behavior. It remediates malicious emails in milliseconds and offers explainable attack insights with in-depth reviews of each attack.
Product Details
Vendor URL: Abnormal
Product Type: Email Security
Product Tier: Tier III
Integration Method: JSON
Integration URL: Not available
Log Guide: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: ABNORMAL_SECURITY
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
eventid | metadata.product_event_type |
ccEmail | network.email.cc |
toAddress | network.email.to |
record.abxMessageId | security_result.abxMessageId |
record.abxPortalUrl | metadata.url_back_to_product |
record.attachmentNames | security_result.attachmentNames |
record.attackedParty | security_result.attackedParty |
record.attackStrategy | security_result.attackStrategy |
record.attackType | metadata.product_event_type |
record.attackVector | security_result.attackVector |
record.autoRemediated | security_result.autoRemediated |
record.fromAddress | network.email.from |
record.fromName | network.email.mail_id |
record.impersonatedParty | security_result.impersonatedParty |
record.internetMessageId | security_result.internetMessageId |
record.isRead | security_result.isRead |
record.postRemediated | security_result.postRemediated |
record.receivedTime | security_result.receivedTime |
record.remediationStatus | security_result.remediationStatus |
record.remediationTimestamp | security_result.remediationTimestamp |
record.returnPath | security_result.returnPath |
record.senderDomain | network.dns_domain |
record.sentTime | security_result.sentTime |
record.subject | network.email.subject |
record.summaryInsights | security_result.summaryInsights |
record.threatId | security_result.summary |
record.url | security_result.url |
Product Event Types
Event | UDM Event Classification |
---|---|
all events | GENERIC_EVENT |
Log Sample

```json
{
  "threatId": "fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx",
  "messages": [
    {
      "abxMessageId": 58486xxxxxxx0783126,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/58486xxxxxxx0783126",
      "attachmentCount": 0,
      "attachmentNames": [],
      "attackStrategy": "Unknown Sender",
      "attackType": "Spam",
      "attackVector": "Link",
      "attackedParty": "Employee (Other)",
      "autoRemediated": true,
      "fromAddress": "sxxxxe@mail.xxxx.xx.edu.tw",
      "fromName": "joan doe",
      "impersonatedParty": "None / Others",
      "internetMessageId": "<45xxxxx86.88xxxxxxxx5895@mail.xxxx.xx.edu.tw>",
      "isRead": false,
      "postRemediated": false,
      "receivedTime": "2023-03-21T21:19:59Z",
      "recipientAddress": "customer@company.com",
      "remediationStatus": "Auto-Remediated",
      "remediationTimestamp": "2023-03-21T21:20:04.689048Z",
      "sentTime": "2023-03-21T20:50:32Z",
      "subject": "Customer , hi",
      "threatId": "fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx",
      "toAddresses": ["customer@company.com"],
      "ccEmails": [],
      "replyToEmails": [],
      "returnPath": "Boe@mail.xxxx.xx.edu.tw",
      "senderDomain": "mail.xxxx.xx.edu.tw",
      "senderIpAddress": null,
      "summaryInsights": ["Unusual Sender", "Suspicious Link"],
      "urlCount": 1,
      "urls": ["https://bit.ly/xxxxxxx"]
    }
  ]
}
```
Sample Parsing

UDM Field | Value |
---|---|
metadata.product_name | "Inbound Email Security" |
metadata.product_event_type | "Spam" |
metadata.url_back_to_product | "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/58486xxxxxxx0783126" |
security_result[0].summary | "threatId:fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx" |
security_result[0].detection_fields[0].key | "abxMessageId" |
security_result[0].detection_fields[0].value | "58486xxxxxxx0783000" |
security_result[0].detection_fields[1].key | "attackStrategy" |
security_result[0].detection_fields[1].value | "Unknown Sender" |
security_result[0].detection_fields[2].key | "attackVector" |
security_result[0].detection_fields[2].value | "Link" |
security_result[0].detection_fields[3].key | "attackedParty" |
security_result[0].detection_fields[3].value | "Employee (Other)" |
security_result[0].detection_fields[4].key | "autoRemediated" |
security_result[0].detection_fields[4].value | "true" |
security_result[0].detection_fields[5].key | "isRead" |
security_result[0].detection_fields[5].value | "false" |
security_result[0].detection_fields[6].key | "postRemediated" |
security_result[0].detection_fields[6].value | "false" |
security_result[0].detection_fields[7].key | "impersonatedParty" |
security_result[0].detection_fields[7].value | "None / Others" |
security_result[0].detection_fields[8].key | "internetMessageId" |
security_result[0].detection_fields[8].value | "<45xxxxx86.88xxxxxxxx5895@mail.xxxx.xx.edu.tw>" |
security_result[0].detection_fields[9].key | "returnPath" |
security_result[0].detection_fields[9].value | "Boe@mail.xxxx.xx.edu.tw" |
security_result[0].detection_fields[10].key | "receivedTime" |
security_result[0].detection_fields[10].value | "2023-03-21T21:19:59Z" |
security_result[0].detection_fields[11].key | "sentTime" |
security_result[0].detection_fields[11].value | "2023-03-21T20:50:32Z" |
security_result[0].detection_fields[12].key | "remediationTimestamp" |
security_result[0].detection_fields[12].value | "2023-03-21T21:20:04.689048Z" |
security_result[0].detection_fields[13].key | "remediationStatus" |
security_result[0].detection_fields[13].value | "Auto-Remediated" |
security_result[0].detection_fields[14].key | "summaryInsights" |
security_result[0].detection_fields[14].value | "Unusual Sender" |
security_result[0].detection_fields[15].key | "summaryInsights" |
security_result[0].detection_fields[15].value | "Suspicious Link" |
security_result[0].detection_fields[16].key | "url" |
security_result[0].detection_fields[16].value | "https://bit.ly/xxxxxxx" |
network.email.from | "sxxxxe@mail.xxxx.xx.edu.tw" |
network.email.to[0] | "customer@company.com" |
network.email.mail_id | "joan doe" |
network.email.subject[0] | "Customer , hi" |
network.dns_domain | "mail.xxxx.xx.edu.tw" |
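As an added illustration (not the page's parser or any Abnormal code), the mapping from the UDM Fields table applied to a constructed record shaped like the Log Sample: scalar message keys become detection_fields key/value pairs, list-valued keys expand to one field per item, and the threatId is rendered as the security_result summary. Note that the Sample Parsing above shows abxMessageId ending in ...000 while the log and the portal URL end in ...126, which is what a float64 round trip does to a 19-digit ID, so the example keeps the ID as an exact integer; SAMPLE_LOG, SCALAR_KEYS, LIST_KEYS, _udm_str and to_udm are assumed names, and the 19-digit ID is a placeholder.

```python
import json

# Constructed sample modelled on the page's Log Sample, trimmed to the keys the
# mapping below uses; the 19-digit abxMessageId is a placeholder, not a real ID.
SAMPLE_LOG = """{"threatId": "fxxxxxx1-650c-60b9-afd5-xxxxxxxxxxxx", "messages": [{
 "abxMessageId": 5848612345670783126,
 "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/5848612345670783126",
 "attackStrategy": "Unknown Sender", "attackType": "Spam", "attackVector": "Link",
 "attackedParty": "Employee (Other)", "autoRemediated": true, "isRead": false,
 "fromAddress": "sxxxxe@mail.xxxx.xx.edu.tw", "fromName": "joan doe",
 "toAddresses": ["customer@company.com"], "ccEmails": [], "subject": "Customer , hi",
 "senderDomain": "mail.xxxx.xx.edu.tw",
 "summaryInsights": ["Unusual Sender", "Suspicious Link"],
 "urls": ["https://bit.ly/xxxxxxx"]}]}"""

# Message keys copied into security_result.detection_fields as key/value pairs
# (per the UDM Fields table); list-valued keys expand to one field per item.
SCALAR_KEYS = ("abxMessageId", "attackStrategy", "attackVector", "attackedParty",
               "autoRemediated", "isRead", "postRemediated", "impersonatedParty",
               "internetMessageId", "returnPath", "receivedTime", "sentTime",
               "remediationTimestamp", "remediationStatus")
LIST_KEYS = {"summaryInsights": "summaryInsights", "urls": "url"}

def _udm_str(value) -> str:
    """Render a JSON scalar the way Sample Parsing shows it (booleans lowercase)."""
    return str(value).lower() if isinstance(value, bool) else str(value)

def to_udm(raw: str) -> list:
    """Map one Abnormal threat record to a UDM-shaped dict per message.
    json.loads keeps abxMessageId as an int, so all 19 digits reach the event;
    a float64 path rounds it (compare ...000 in Sample Parsing with ...126 in the log)."""
    threat = json.loads(raw)
    events = []
    for msg in threat["messages"]:
        fields = [{"key": k, "value": _udm_str(msg[k])} for k in SCALAR_KEYS if k in msg]
        for src, key in LIST_KEYS.items():
            fields += [{"key": key, "value": v} for v in msg.get(src, [])]
        events.append({
            "metadata": {"product_name": "Inbound Email Security",
                         "product_event_type": msg["attackType"],
                         "url_back_to_product": msg["abxPortalUrl"]},
            "security_result": [{"summary": f"threatId:{threat['threatId']}",
                                 "detection_fields": fields}],
            "network": {"email": {"from": msg["fromAddress"], "to": msg["toAddresses"],
                                  "cc": msg.get("ccEmails", []), "mail_id": msg["fromName"],
                                  "subject": [msg["subject"]]},
                        "dns_domain": msg["senderDomain"]}})
    return events
```

When pivoting from an event back to the portal, metadata.url_back_to_product carries the ID exactly as Abnormal emitted it, which is the safer key to use if the detection field has been rounded.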
Rules
Coming Soon