Overview

Abnormal is an email security company whose products protect against phishing, business email compromise (BEC) and other advanced email threats.

Integrating Abnormal with Hunters enables collection and ingestion of its key data types into the Hunters data lake. Alerts are then created over the ingested logs, auto-investigated, and correlated with related signals from other sources.

Supported data types

Hunters supports collection of the Abnormal Threats log type only. For support of additional data types, contact us.

  1. Threats - Lists emails that Abnormal classified as threats, together with a large amount of additional data on both the message itself and the threat's investigation and/or remediation. Further information on the log fields can be found here.

Prerequisites

The preferred collection method is through Abnormal's API; collection from a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters is also supported.

The expected log format is NDJSON (newline-delimited JSON, one record per line) as exported from Abnormal.

Example:

Abnormal Threats sample (one record; shown pretty-printed for readability, whereas the export keeps each record on a single line):

{
  "threatId": "1874eb00-22f3-604d-99ae-9e21ccdc7676",
  "abxMessageId": 5876478689703653218,
  "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/6587658765858",
  "subject": "Tuition for Hogwarts students",
  "fromAddress": "scottwos@execed.ce.dandermifflin.edu",
  "fromName": "mikel scott",
  "toAddresses": "minerva@hogwarts.com",
  "recipientAddress": "minerva@hogwarts.com",
  "receivedTime": "2022-06-17T17:45:19Z",
  "sentTime": "2022-06-17T17:45:19Z",
  "internetMessageId": "<labron-james@mail.gmail.com>",
  "autoRemediated": true,
  "postRemediated": false,
  "attackType": "Spam",
  "attackStrategy": "Unknown Sender",
  "returnPath": "<scottows@execed.ce.dandermifflin.edu>",
  "replyToEmails": [],
  "ccEmails": [],
  "senderIpAddress": "",
  "impersonatedParty": "None / Others",
  "attackVector": "Link",
  "attachmentNames": [],
  "urls": [
    "http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=22601359&l=22748272-c34c-420b-abde-ddf843480bb4&r=ddad425c-1ca5-4dbc-affbf6b",
    "http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=22601359&l=db2edcf0-ab29-42b6-bf7d-0d71dd82b64b&r=ddad425c-1ca5-4dbc-affb-",
    "http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=22601359&l=7bf9ce1d-4c2a-4fa8-8507-7c64bf509b90&r=ddad425c-1ca5-4dbc",
    "execed.ce.hogwarts.edu/big-data"
  ],
  "summaryInsights": ["Suspicious Link", "Unusual Sender"],
  "remediationTimestamp": "2022-06-16T17:45:24Z",
  "isRead": false,
  "attackedParty": "VIP"
}
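As an added example (not Hunters' or Abnormal's own code), the following Python script shows how an NDJSON Threats export of the shape above is consumed in practice: each line is parsed on its own so one malformed record does not discard the batch, and the fields a triage analyst needs first are pulled out: threats that were neither auto-remediated nor post-remediated (so the message is still in a mailbox), the delay between receipt and remediation, and the hostnames of the linked URLs. The embedded export and all of its values are constructed for this example; note that the `urls` field can carry scheme-less entries such as `execed.ce.hogwarts.edu/big-data`, which a naive `urlparse` call would treat as a path rather than a host.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample NDJSON export (made-up values; field names follow the Threats
# sample). Line 3 is deliberately malformed to exercise the error path.
SAMPLE_NDJSON = """\
{"threatId": "1874eb00-22f3-604d-99ae-9e21ccdc7676", "abxMessageId": 5876478689703653218, "subject": "Tuition for Hogwarts students", "fromAddress": "scottwos@execed.ce.dandermifflin.edu", "recipientAddress": "minerva@hogwarts.com", "receivedTime": "2022-06-17T17:45:19Z", "autoRemediated": true, "postRemediated": false, "attackType": "Spam", "attackVector": "Link", "urls": ["http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=1", "execed.ce.hogwarts.edu/big-data"], "summaryInsights": ["Suspicious Link", "Unusual Sender"], "remediationTimestamp": "2022-06-17T17:45:24Z", "attackedParty": "VIP"}
{"threatId": "00000000-0000-0000-0000-000000000002", "abxMessageId": 1, "subject": "Invoice overdue", "fromAddress": "ceo@hogwarts-mail.com", "recipientAddress": "finance@hogwarts.com", "receivedTime": "2022-06-17T18:00:00Z", "autoRemediated": false, "postRemediated": false, "attackType": "Phishing", "attackVector": "Text", "urls": [], "summaryInsights": ["Unusual Sender"], "remediationTimestamp": null, "attackedParty": "Employee"}
not json at all
"""

# Fields without which a record cannot be correlated or timed (assumed minimum set).
REQUIRED_FIELDS = ("threatId", "abxMessageId", "receivedTime")


def _parse_ts(value):
    """Parse Abnormal's UTC timestamps ("2022-06-17T17:45:19Z"); None if absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_threats(ndjson_text):
    """Parse one Threats record per line.

    Returns (records, errors); errors is a list of (line_number, reason), so a bad
    line is reported and skipped instead of aborting the whole export.
    """
    records, errors = [], []
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, "invalid JSON: " + exc.msg))
            continue
        if not isinstance(rec, dict):
            errors.append((lineno, "not a JSON object"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            errors.append((lineno, "missing fields: " + ", ".join(missing)))
            continue
        records.append(rec)
    return records, errors


def needs_followup(rec):
    """True when Abnormal flagged the message but it is still in a mailbox:
    neither auto-remediated at delivery nor remediated afterwards."""
    return not rec.get("autoRemediated", False) and not rec.get("postRemediated", False)


def remediation_latency_seconds(rec):
    """Seconds between receipt and remediation; None when never remediated."""
    received = _parse_ts(rec.get("receivedTime"))
    remediated = _parse_ts(rec.get("remediationTimestamp"))
    if received is None or remediated is None:
        return None
    return (remediated - received).total_seconds()


def extract_url_hosts(rec):
    """Hostnames from the 'urls' field, de-duplicated in order of appearance.
    Scheme-less entries get "http://" prepended so urlparse sees a host, not a path."""
    hosts = []
    for url in rec.get("urls") or []:
        if "://" not in url:
            url = "http://" + url
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(ndjson_text):
    """Parse an export and summarise what an analyst needs first."""
    records, errors = parse_threats(ndjson_text)
    followup = [r["threatId"] for r in records if needs_followup(r)]
    hosts = sorted({h for r in records for h in extract_url_hosts(r)})
    return {
        "parsed": len(records),
        "rejected": len(errors),
        "followup": followup,
        "link_hosts": hosts,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NDJSON), indent=2))
```

The per-line error list is the part worth keeping in a real pipeline: a collector that raises on the first bad line silently drops every threat after it, whereas recording `(line_number, reason)` lets you both ingest the good records and alert on the export itself if the rejection count rises.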