
Abnormal Inbound Email Security Integration Guide🔗

The following instructions are for configuring an Abnormal Inbound Email Security integration to facilitate log ingestion into Secureworks® Taegis™ XDR.

Data Provided from Integration🔗

The following Abnormal event types are supported by XDR:

  • Threats
  • Abuse Campaigns

Abnormal Inbound Email Security logs are normalized to the Email schema.

Data Source                     | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
Abnormal Inbound Email Security | Email           | None                      | None

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure Abnormal Inbound Email Security🔗

  1. Refer to the vendor's documentation to configure the Abnormal API.

  2. Enter the values from the Knowledge Base article into the IP Safelist field.

Note

Abnormal does not accept a wildcard range such as 0.0.0.0/0 (all IPv4 addresses) as an IP Safelist value; enter only the specific addresses listed in the Knowledge Base article.

  3. Copy the API Access Token. This value is required to complete the integration in XDR.

Complete the Integration in XDR🔗

  1. From the Taegis Menu, select Integrations → Cloud APIs.
  2. Select Add an Integration from the top of the page.

Add an Integration

  3. From the Optimized tab, select the Abnormal Email Security card.
  4. Enter the following fields:
  • Integration Name — Any unique string
  • Access Token — The API Access Token copied from the Abnormal portal in the Configure Abnormal Inbound Email Security section

Create the Integration

  5. Select Done. The Manage Integrations page displays with the successfully added Abnormal Email Security integration listed under Cloud API Integrations.

Tip

You can use the Integration Name entered above to identify the integration within the Cloud API Integrations table.

Sample Logs🔗

Abnormal Inbound Email Security Event🔗

{
  "messages": [
    {
      "abxMessageId": 0651365477966049289,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/0651365477966049289",
      "attachmentCount": 0,
      "attachmentNames": [],
      "attackStrategy": "Unknown Sender",
      "attackType": "Spam",
      "attackVector": "Text",
      "attackedParty": "Employee (Other)",
      "autoRemediated": true,
      "ccEmails": [],
      "fromAddress": "user@email.com",
      "fromName": "john doe",
      "impersonatedParty": "None / Others",
      "internetMessageId": "<CAN=ZKYOYKLUBWRTCZXMOAIZEPMECVD79+-=8WYR3B6JL0YDT7BPWL@mail.email.com>",
      "isRead": false,
      "postRemediated": false,
      "receivedTime": "2024-08-07T14:30:14Z",
      "recipientAddress": "user@email.com",
      "remediationStatus": "Auto-Remediated",
      "remediationTimestamp": "2024-08-07T14:30:36.641996Z",
      "replyToEmails": [],
      "returnPath": "example@email.com",
      "senderDomain": "gmail.com",
      "senderIpAddress": null,
      "sentTime": "2024-08-07T14:29:59Z",
      "subject": "re: Conference registrants 2021",
      "summaryInsights": [
        "Unusual Sender"
      ],
      "threatId": "c1c926fc-555d-ecdc-f948-a2266c3e719b",
      "toAddresses": [
        "example@email.com"
      ],
      "urlCount": 0,
      "urls": []
    }
  ],
  "threatId": "c1c926fc-555d-ecdc-f948-a2266c3e719b"
}
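The following is an added example, not Secureworks or Abnormal code, showing how a threat payload of the shape shown above can be parsed and triaged outside XDR. It mirrors the kind of condition a Custom Alert Rule on the normalized Email data might capture: a message Abnormal classified as an attack that was neither auto-remediated nor post-remediated is still sitting in a mailbox and needs analyst follow-up. The embedded payload is constructed for the example; the first message reuses the sample log's values, the second message and its field values (attack type, remediation status, sender IP) are invented to exercise the unremediated path.

```python
"""Added example (not Secureworks or Abnormal code): parse an Abnormal threat
payload and flag messages that were not remediated."""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample payload: same field set as the page's sample log, plus a
# second, unremediated message so both triage paths run. abxMessageId is a
# JSON integer, so it is written without a leading zero here.
SAMPLE_THREAT = json.dumps({
    "threatId": "c1c926fc-555d-ecdc-f948-a2266c3e719b",
    "messages": [
        {
            "abxMessageId": 651365477966049289,
            "attackType": "Spam",
            "autoRemediated": True,
            "postRemediated": False,
            "remediationStatus": "Auto-Remediated",
            "receivedTime": "2024-08-07T14:30:14Z",
            "remediationTimestamp": "2024-08-07T14:30:36.641996Z",
            "fromAddress": "user@email.com",
            "recipientAddress": "user@email.com",
            "senderIpAddress": None,
            "subject": "re: Conference registrants 2021",
            "urlCount": 0,
            "attachmentCount": 0,
        },
        {   # constructed: values below are invented for the example
            "abxMessageId": 651365477966049290,
            "attackType": "Phishing: Credential",
            "autoRemediated": False,
            "postRemediated": False,
            "remediationStatus": "Not Remediated",
            "receivedTime": "2024-08-07T15:02:01Z",
            "remediationTimestamp": None,
            "fromAddress": "it-support@example.net",
            "recipientAddress": "user@email.com",
            "senderIpAddress": "203.0.113.5",
            "subject": "Password expiry notice",
            "urlCount": 1,
            "attachmentCount": 0,
        },
    ],
})


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    # Timestamps are ISO 8601 with a trailing "Z"; older Pythons' fromisoformat
    # does not accept "Z", so normalise it to an explicit UTC offset.
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class EmailEvent:
    threat_id: str
    message_id: int
    attack_type: str
    sender: str
    recipient: str
    subject: str
    sender_ip: Optional[str]
    remediation_status: str
    remediated: bool
    url_count: int
    attachment_count: int
    received: datetime
    remediated_at: Optional[datetime]


def parse_threat(payload: str) -> list:
    """Flatten one threat (threatId + messages) into one EmailEvent per message."""
    doc = json.loads(payload)
    threat_id = doc["threatId"]
    events = []
    for m in doc.get("messages", []):
        events.append(EmailEvent(
            threat_id=threat_id,
            message_id=int(m["abxMessageId"]),
            attack_type=m.get("attackType", ""),
            sender=m.get("fromAddress", ""),
            recipient=m.get("recipientAddress", ""),
            subject=m.get("subject", ""),
            sender_ip=m.get("senderIpAddress"),
            remediation_status=m.get("remediationStatus", ""),
            # Either remediation flag means the message left the mailbox.
            remediated=bool(m.get("autoRemediated") or m.get("postRemediated")),
            url_count=int(m.get("urlCount", 0)),
            attachment_count=int(m.get("attachmentCount", 0)),
            received=_parse_ts(m["receivedTime"]),
            remediated_at=_parse_ts(m.get("remediationTimestamp")),
        ))
    return events


def seconds_to_remediation(event: EmailEvent) -> Optional[float]:
    """Dwell time between delivery and Abnormal's remediation, or None."""
    if event.remediated_at is None:
        return None
    return (event.remediated_at - event.received).total_seconds()


def needs_follow_up(event: EmailEvent) -> bool:
    """Alert condition: classified as an attack but still in the mailbox."""
    return not event.remediated


def triage(payload: str) -> list:
    """One summary row per message with the fields an analyst needs first."""
    return [{
        "threat_id": ev.threat_id,
        "message_id": ev.message_id,
        "attack_type": ev.attack_type,
        "sender": ev.sender,
        "sender_ip": ev.sender_ip,
        "seconds_to_remediation": seconds_to_remediation(ev),
        "has_payload": ev.url_count > 0 or ev.attachment_count > 0,
        "needs_follow_up": needs_follow_up(ev),
    } for ev in parse_threat(payload)]


if __name__ == "__main__":
    for row in triage(SAMPLE_THREAT):
        print(row)
```

Note that senderIpAddress is null in the vendor sample, so any rule keyed on sender IP must tolerate a missing value; the dwell-time calculation likewise returns None rather than failing when remediationTimestamp is absent.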

Example Query Language Searches🔗

To search for email events from the last 24 hours:

`FROM email WHERE sensor_type = 'AbnormalSecurity' and EARLIEST=-24h`