
mail.abnormalsecurity

Introduction

The tags beginning with mail.abnormalsecurity identify events generated by Abnormal Security.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as mail.abnormalsecurity. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags                          | Data tables                   |
|-------------------|-------------------------------|-------------------------------|
| Abnormal Security | mail.abnormalsecurity.cases   | mail.abnormalsecurity.cases   |
|                   | mail.abnormalsecurity.threats | mail.abnormalsecurity.threats |

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

mail.abnormalsecurity.cases

| Field              | Type      | Extra fields |
|--------------------|-----------|--------------|
| eventdate          | timestamp |              |
| hostname           | str       |              |
| caseId             | int4      |              |
| severity           | str       |              |
| affectedEmployee   | str       |              |
| firstObserved      | timestamp |              |
| threatIds          | str       |              |
| analysis           | str       |              |
| case_status        | str       |              |
| remediation_status | str       |              |
| hostchain          | str       | ✓            |
| tag                | str       | ✓            |
| rawMessage         | str       | ✓            |

mail.abnormalsecurity.threats

| Field                | Type      | Field transformation        | Source field name | Extra fields |
|----------------------|-----------|-----------------------------|-------------------|--------------|
| eventdate            | timestamp |                             |                   |              |
| hostname             | str       |                             |                   |              |
| threatId             | str       |                             |                   |              |
| abxMessageId         | int8      |                             |                   |              |
| abxPortalUrl         | str       |                             |                   |              |
| subject              | str       |                             |                   |              |
| fromName             | str       |                             |                   |              |
| fromAddress          | str       |                             |                   |              |
| toAddresses          | str       |                             |                   |              |
| recipientAddress     | str       |                             |                   |              |
| receivedTime         | timestamp |                             |                   |              |
| sentTime             | timestamp |                             |                   |              |
| internetMessageId    | str       |                             |                   |              |
| autoRemediated       | bool      |                             |                   |              |
| postRemediated       | bool      |                             |                   |              |
| attackType           | str       |                             |                   |              |
| attackStrategy       | str       |                             |                   |              |
| attachmentCount      | int4      |                             |                   |              |
| attackedParty        | str       |                             |                   |              |
| returnPath           | str       |                             |                   |              |
| replyToEmails_str    | str       | join(replyToEmails, ',')    | replyToEmails     |              |
| ccEmails_str         | str       | join(ccEmails, ',')         | ccEmails          |              |
| senderIpAddress      | ip4       |                             |                   |              |
| impersonatedParty    | str       |                             |                   |              |
| attackVector         | str       |                             |                   |              |
| attachmentNames_str  | str       | join(attachmentNames, ',')  | attachmentNames   |              |
| urls_str             | str       |                             | urls              |              |
| urlCount             | int4      |                             |                   |              |
| summaryInsights_str  | str       |                             | summaryInsights   |              |
| remediationTimestamp | timestamp |                             |                   |              |
| isRead               | bool      |                             |                   |              |
| remediationStatus    | str       |                             |                   |              |
| senderDomain         | str       |                             |                   |              |
| hostchain            | str       |                             |                   | ✓            |
| tag                  | str       |                             |                   | ✓            |
| rawMessage           | str       |                             |                   | ✓            |
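The following is an added example, not code from this page, from Devo or from Abnormal Security. It shows the two rules above in working form: the 3-level tag check (first two levels fixed as mail.abnormalsecurity, third level one of the two listed event types) and the flattening of one threat event into the columns of mail.abnormalsecurity.threats, including the join(<list>, ',') transformations shown for the *_str columns and a type check against the column types (int4, int8, bool, ip4, timestamp). Assumptions: raw source fields carry the same names as the table columns except where the page lists a different source field; urls and summaryInsights are joined the same way as the three documented join columns; source timestamps are ISO 8601; the sample event, the hostname and the helper names (validate_tag, coerce, to_threat_row) are constructed for this example.

```python
"""Added example (not Devo's or Abnormal Security's code): validate a
mail.abnormalsecurity tag and flatten a constructed threat event into a
mail.abnormalsecurity.threats row with the page's column types."""
import ipaddress
import json
from datetime import datetime, timezone

# Only the two third-level event types listed on the page are valid.
VALID_TAGS = {"mail.abnormalsecurity.cases", "mail.abnormalsecurity.threats"}


def validate_tag(tag: str) -> str:
    """Accept exactly 3 levels, the first two fixed as mail.abnormalsecurity."""
    parts = tag.split(".")
    if len(parts) != 3 or parts[:2] != ["mail", "abnormalsecurity"]:
        raise ValueError(f"tag needs 3 levels under mail.abnormalsecurity: {tag!r}")
    if tag not in VALID_TAGS:
        raise ValueError(f"unknown event type {parts[2]!r}")
    return tag


# Column -> Devo type, copied from the threats table.
THREAT_COLUMN_TYPES = {
    "threatId": "str", "abxMessageId": "int8", "abxPortalUrl": "str", "subject": "str",
    "fromName": "str", "fromAddress": "str", "toAddresses": "str", "recipientAddress": "str",
    "receivedTime": "timestamp", "sentTime": "timestamp", "internetMessageId": "str",
    "autoRemediated": "bool", "postRemediated": "bool", "attackType": "str",
    "attackStrategy": "str", "attachmentCount": "int4", "attackedParty": "str",
    "returnPath": "str", "replyToEmails_str": "str", "ccEmails_str": "str",
    "senderIpAddress": "ip4", "impersonatedParty": "str", "attackVector": "str",
    "attachmentNames_str": "str", "urls_str": "str", "urlCount": "int4",
    "summaryInsights_str": "str", "remediationTimestamp": "timestamp", "isRead": "bool",
    "remediationStatus": "str", "senderDomain": "str",
}

# *_str column -> source list field. The page documents join(x, ',') for the
# first three; applying the same join to urls and summaryInsights is an assumption.
JOINED_FIELDS = {
    "replyToEmails_str": "replyToEmails", "ccEmails_str": "ccEmails",
    "attachmentNames_str": "attachmentNames", "urls_str": "urls",
    "summaryInsights_str": "summaryInsights",
}

INT_RANGES = {"int4": (-2**31, 2**31 - 1), "int8": (-2**63, 2**63 - 1)}


def coerce(value, devo_type: str):
    """Coerce a raw JSON value to the column type; reject values that would not fit."""
    if value is None:
        return None
    if devo_type == "str":
        return str(value)
    if devo_type == "bool":
        if isinstance(value, bool):
            return value
        raise ValueError(f"expected bool, got {value!r}")
    if devo_type in INT_RANGES:
        lo, hi = INT_RANGES[devo_type]
        n = int(value)
        if not lo <= n <= hi:
            raise ValueError(f"{n} does not fit {devo_type}")
        return n
    if devo_type == "ip4":
        return str(ipaddress.IPv4Address(value))  # rejects malformed and IPv6 input
    if devo_type == "timestamp":
        # Assumption: ISO 8601 source timestamps; "Z" normalised for fromisoformat.
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    raise ValueError(f"unsupported type {devo_type}")


def to_threat_row(event: dict, hostname: str, tag: str = "mail.abnormalsecurity.threats") -> dict:
    """Flatten one raw threat event into a mail.abnormalsecurity.threats row."""
    validate_tag(tag)
    # Ingestion metadata columns; eventdate is the parse time (assumption).
    row = {"eventdate": datetime.now(timezone.utc), "hostname": hostname,
           "tag": tag, "rawMessage": json.dumps(event, sort_keys=True)}
    for column, devo_type in THREAT_COLUMN_TYPES.items():
        if column in JOINED_FIELDS:
            items = event.get(JOINED_FIELDS[column]) or []
            raw = ",".join(str(i) for i in items)  # join(<list>, ',')
        else:
            raw = event.get(column)  # assumption: source field named like the column
        row[column] = coerce(raw, devo_type)
    return row


# Constructed sample event (not real data).
SAMPLE_THREAT_EVENT = {
    "threatId": "threat-0001", "abxMessageId": 1234567890123,
    "abxPortalUrl": "https://portal.example/threats/threat-0001",
    "subject": "Invoice attached", "fromName": "Accounts", "fromAddress": "accounts@example.net",
    "toAddresses": "alice@example.com", "recipientAddress": "alice@example.com",
    "receivedTime": "2024-01-15T10:22:31Z", "sentTime": "2024-01-15T10:22:05Z",
    "internetMessageId": "<msg-1@example.net>", "autoRemediated": True, "postRemediated": False,
    "attackType": "Invoice Fraud", "attackStrategy": "Name Impersonation", "attachmentCount": 2,
    "attackedParty": "Employee", "returnPath": "bounce@example.net",
    "replyToEmails": ["pay@example.org", "billing@example.org"], "ccEmails": [],
    "senderIpAddress": "203.0.113.10", "impersonatedParty": "Vendor", "attackVector": "Attachment",
    "attachmentNames": ["invoice.pdf", "details.xlsx"], "urls": ["https://example.org/pay"],
    "urlCount": 1, "summaryInsights": ["Unusual sender", "Financial request"],
    "remediationTimestamp": "2024-01-15T10:23:00Z", "isRead": False,
    "remediationStatus": "Auto-remediated", "senderDomain": "example.net",
}

if __name__ == "__main__":
    for key, value in to_threat_row(SAMPLE_THREAT_EVENT, hostname="collector01").items():
        print(f"{key}: {value!r}")
```

The type check matters at ingestion time: a senderIpAddress that is not a dotted-quad, or an abxMessageId outside int8, is rejected before it reaches the table instead of silently becoming a null or a truncated value that a later detection query would miss.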
