Rules (XIF)
[MODEL: dataset="abnormal_security_email_protection_raw"]
alter
xdm.event.id = threatId,
xdm.event.outcome = if(remediationStatus = "Auto-Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "Post Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "No Action Done", XDM_CONST.OUTCOME_FAILED, remediationStatus = "Would Remediate", XDM_CONST.OUTCOME_PARTIAL, remediationStatus = "Remediation Attempted", XDM_CONST.OUTCOME_PARTIAL, to_string(autoRemediated) = "true", XDM_CONST.OUTCOME_SUCCESS, to_string(postRemediated) = "true", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_UNKNOWN),
xdm.event.description = to_json_string(object_create("abxPortalUrl", abxPortalUrl, "fromName", fromName, "attackedParty", attackedParty, "replyToEmails", replyToEmails, "attackVector", attackVector, "autoRemediated", autoRemediated, "postRemediated", postRemediated, "isRead", isRead)),
xdm.alert.category = attackType,
xdm.alert.name = attackStrategy,
// Build a JSON object with supplementary fields not covered by dedicated XDM fields; serialized to string for xdm.event.description
xdm.alert.description = arraystring(arraymap(split(to_string(summaryInsights), ","), replex("@element", "\[|\"|\]", "")), " | "),
xdm.observer.unique_identifier = to_string(abxMessageId),
// Use toAddresses when present; fall back to recipientAddress when toAddresses is empty or null
xdm.email.recipients = if(toAddresses != null and toAddresses != "", arraymap(split(to_string(toAddresses), ","), replex("@element", "\[|\"|\]", "")), arraycreate(recipientAddress)),
// Build attachment filename string only when attachmentNames is non-empty; returns null for empty arrays ("[]")
xdm.email.attachment.filename = if(attachmentNames != "[]" and attachmentNames != null, arraystring(arraymap(split(to_string(attachmentNames), ","), replex("@element", "\[|\"|\]", "")), " | "), null),
xdm.email.subject = subject,
xdm.email.cc = arraymap(split(to_string(ccEmails), ","), replex("@element", "\[|\"|\]", "")),
xdm.email.sender = fromAddress,
xdm.email.return_path = returnPath,
xdm.email.message_id = internetMessageId,
// Classify senderIpAddress as IPv4 or IPv6 using built-in is_ipv4() and is_ipv6() functions
xdm.source.ipv4 = if(is_ipv4(senderIpAddress), senderIpAddress, null),
xdm.source.ipv6 = if(is_ipv6(senderIpAddress), senderIpAddress, null),
// Extract all URLs from the stringified urls array as a pipe-delimited string; null when urls=[]
xdm.target.url = if(urls != "[]" and urls != null, arraystring(arraymap(split(to_string(urls), ","), replex("@element", "\[|\"|\]", "")), " | "), null);
Schema
abnormal_security_email_protection_raw
| Field |
Type |
Array? |
abxMessageId |
string |
— |
abxPortalUrl |
string |
— |
attachmentNames |
string |
— |
attackStrategy |
string |
— |
attackType |
string |
— |
attackVector |
string |
— |
attackedParty |
string |
— |
autoRemediated |
string |
— |
ccEmails |
string |
— |
fromAddress |
string |
— |
fromName |
string |
— |
internetMessageId |
string |
— |
isRead |
string |
— |
postRemediated |
string |
— |
recipientAddress |
string |
— |
remediationStatus |
string |
— |
replyToEmails |
string |
— |
returnPath |
string |
— |
senderIpAddress |
string |
— |
subject |
string |
— |
summaryInsights |
string |
— |
threatId |
string |
— |
toAddresses |
string |
— |
urls |
string |
— |
Raw JSON
{
"abnormal_security_email_protection_raw": {
"threatId": {
"type": "string",
"is_array": false
},
"remediationStatus": {
"type": "string",
"is_array": false
},
"autoRemediated": {
"type": "string",
"is_array": false
},
"postRemediated": {
"type": "string",
"is_array": false
},
"abxPortalUrl": {
"type": "string",
"is_array": false
},
"fromName": {
"type": "string",
"is_array": false
},
"attackedParty": {
"type": "string",
"is_array": false
},
"replyToEmails": {
"type": "string",
"is_array": false
},
"attackVector": {
"type": "string",
"is_array": false
},
"isRead": {
"type": "string",
"is_array": false
},
"attackType": {
"type": "string",
"is_array": false
},
"attackStrategy": {
"type": "string",
"is_array": false
},
"summaryInsights": {
"type": "string",
"is_array": false
},
"abxMessageId": {
"type": "string",
"is_array": false
},
"toAddresses": {
"type": "string",
"is_array": false
},
"recipientAddress": {
"type": "string",
"is_array": false
},
"attachmentNames": {
"type": "string",
"is_array": false
},
"subject": {
"type": "string",
"is_array": false
},
"ccEmails": {
"type": "string",
"is_array": false
},
"fromAddress": {
"type": "string",
"is_array": false
},
"returnPath": {
"type": "string",
"is_array": false
},
"internetMessageId": {
"type": "string",
"is_array": false
},
"senderIpAddress": {
"type": "string",
"is_array": false
},
"urls": {
"type": "string",
"is_array": false
}
}
}