Overview

Abnormal is an email protection company, whose products are aimed at protecting against phishing, business email compromise scams and other advanced email threats.

Integrating Abnormal with Hunters allows key data types to be collected and ingested into the data lake. Alerts are then created over the logs, auto-investigated and correlated with other related signals.

Supported data types

  1. Abnormal Threats - This log type lists emails classified as threats, including a large amount of additional data on both the message itself and the threat's investigation and/or remediation. Further information on the log's fields can be found here.

Prerequisites

For Hunters to ingest the data, it must be collected into an S3 bucket shared with Hunters. The expected log format is ND-JSON (one JSON record per line), as exported from Abnormal.

Abnormal Threats sample
{"threatId": "1874eb00-22f3-604d-99ae-9e21ccdc7676", "abxMessageId": 5876478689703653218, "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/6587658765858", "subject": "Tuition for Hogwarts students", "fromAddress": "scottwos@execed.ce.dandermifflin.edu", "fromName": "mikel scott", "toAddresses": "minerva@hogwarts.com", "recipientAddress": "minerva@hogwarts.com", "receivedTime": "2022-06-17T17:45:19Z", "sentTime": "2022-06-17T17:45:19Z", "internetMessageId": "<labron-james@mail.gmail.com>", "autoRemediated": true, "postRemediated": false, "attackType": "Spam", "attackStrategy": "Unknown Sender", "returnPath": "<scottows@execed.ce.dandermifflin.edu>", "replyToEmails": [], "ccEmails": [], "senderIpAddress": "", "impersonatedParty": "None / Others", "attackVector": "Link", "attachmentNames": [], "urls": ["http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=22601359&l=22748272-c34c-420b-abde-ddf843480bb4&r=ddad425c-1ca5-4dbc-affbf6b", "http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=22601359&l=db2edcf0-ab29-42b6-bf7d-0d71dd82b64b&r=ddad425c-1ca5-4dbc-affb-", "http://ec2-54-189-84-127.us-west-2.compute.hogwarts.com/x/d?c=22601359&l=7bf9ce1d-4c2a-4fa8-8507-7c64bf509b90&r=ddad425c-1ca5-4dbc", "execed.ce.hogwarts.edu/big-data"], "summaryInsights": ["Suspicious Link", "Unusual Sender"], "remediationTimestamp": "2022-06-16T17:45:24Z", "isRead": false, "attackedParty": "VIP"}
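The following is an added example, not code from Hunters or Abnormal: it validates an ND-JSON Abnormal Threats export of the shape shown above before it is dropped into the S3 bucket, skipping malformed lines and records that lack fields, and then summarises which threats were never remediated. The list of required fields is an assumption drawn from the sample record, not Abnormal's published schema, and the export text is constructed.

```python
import json
from collections import Counter

# Fields each Abnormal Threats record is expected to carry. The list is taken
# from the sample record on this page and is an assumption, not Abnormal's
# published schema.
REQUIRED_FIELDS = ("threatId", "fromAddress", "recipientAddress", "receivedTime",
                   "attackType", "attackVector", "urls", "autoRemediated", "postRemediated")

# Constructed ND-JSON export, one record per line: line 1 mirrors the page's
# sample, line 2 is a threat that was never remediated, line 3 has an
# unterminated string (invalid JSON), line 4 is valid JSON but incomplete.
SAMPLE_EXPORT = "\n".join([
    '{"threatId": "1874eb00-22f3-604d-99ae-9e21ccdc7676", "fromAddress": "scottwos@execed.ce.dandermifflin.edu", "recipientAddress": "minerva@hogwarts.com", "receivedTime": "2022-06-17T17:45:19Z", "attackType": "Spam", "attackVector": "Link", "urls": ["execed.ce.hogwarts.edu/big-data"], "autoRemediated": true, "postRemediated": false}',
    '{"threatId": "00000000-0000-4000-8000-000000000001", "fromAddress": "ceo@hogwarts-payroll.example", "recipientAddress": "albus@hogwarts.com", "receivedTime": "2022-06-17T18:02:11Z", "attackType": "Phishing", "attackVector": "Link", "urls": ["http://login.hogwarts-payroll.example/"], "autoRemediated": false, "postRemediated": false}',
    '{"threatId": "broken, "attackType": "Spam"}',
    '{"threatId": "00000000-0000-4000-8000-000000000002", "attackType": "Spam"}',
])


def validate_export(text):
    """Parse an ND-JSON export. Returns (records, errors); errors is a list of
    (line_number, reason) so a bad line can be located in the export file."""
    records, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:          # ND-JSON tolerates blank lines; ignore them
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            errors.append((line_no, "missing fields: " + ", ".join(missing)))
            continue
        records.append(rec)
    return records, errors


def summarize(records):
    """Count threats per attackType and list threats that were neither
    auto-remediated nor post-remediated, i.e. still sitting in a mailbox."""
    by_type = Counter(r["attackType"] for r in records)
    unremediated = [r["threatId"] for r in records
                    if not (r["autoRemediated"] or r["postRemediated"])]
    return {"by_type": dict(by_type), "unremediated": unremediated}
```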