Abnormal Security Event Collector

Modeling Rule

Abnormal Security

Details

IDModelingAbnormalSecurityEventCollector
From Version3.3.0
To Version6.9.9

Rules (XIF)

[MODEL: model="Email", dataset="abnormal_security_email_protection_raw"]
alter XDM.Email.event_timestamp = sentTime,
    XDM.Email.attachment.filename = attachmentNames,
    XDM.Email.cc = arraycreate(ccEmails),
    XDM.Email.delivery_timestamp = receivedTime,
    XDM.Email.original_event_description = summaryInsights,
    XDM.Email.recipients = arraycreate(toAddresses),
    XDM.Email.return_path = returnPath,
    XDM.Email.sender = fromAddress,
    XDM.Email.Server.host.ipv4_addresses = arraycreate(senderIpAddress),
    XDM.Email.subject = subject,
    XDM.Email.threat.category = attackType,
    XDM.Email.threat.name = attackStrategy,
    XDM.Email.threat.original_alert_id = to_string(abxMessageId),
    XDM.Email.threat.original_threat_id = threatId,
    XDM.Email.threat.subcategory = attackVector,
    XDM.Email.Observer.vendor = _vendor,
    XDM.Email.Observer.product = _product,
    XDM.Email.Client.user.user_type = attackedParty,
    XDM.Email.original_event_id = internetMessageId,
    XDM.Email.threat.description = summaryInsights;

Schema

abnormal_security_email_protection_raw

Field Type Array?
_product string
_vendor string
abxMessageId int
attachmentNames string
attackStrategy string
attackType string
attackVector string
attackedParty string
ccEmails string Yes
fromAddress string
internetMessageId string
receivedTime string
returnPath string
senderIpAddress string
sentTime string
subject string
summaryInsights string
threatId, string
toAddresses string
Raw JSON
{
    "abnormal_security_email_protection_raw": {
        "sentTime": {
            "type": "string",
            "is_array": false
        },
        "attachmentNames": {
            "type": "string",
            "is_array": false
        },
        "ccEmails": {
            "type": "string",
            "is_array": true
        },
        "receivedTime": {
            "type": "string",
            "is_array": false
        },
        "summaryInsights": {
            "type": "string",
            "is_array": false
        },
        "toAddresses": {
            "type": "string",
            "is_array": false
        },
        "returnPath": {
            "type": "string",
            "is_array": false
        },
        "fromAddress": {
            "type": "string",
            "is_array": false
        },
        "senderIpAddress": {
            "type": "string",
            "is_array": false
        },
        "subject": {
            "type": "string",
            "is_array": false
        },
        "attackType": {
            "type": "string",
            "is_array": false
        },
        "attackStrategy": {
            "type": "string",
            "is_array": false
        },
        "abxMessageId": {
            "type": "int",
            "is_array": false
        },
        "threatId,": {
            "type": "string",
            "is_array": false
        },
        "attackVector": {
            "type": "string",
            "is_array": false
        },
        "_vendor": {
            "type": "string",
            "is_array": false
        },
        "_product": {
            "type": "string",
            "is_array": false
        },
        "attackedParty": {
            "type": "string",
            "is_array": false
        },
        "internetMessageId": {
            "type": "string",
            "is_array": false
        }
    }
}