Abnormal Security Modeling Rule

Modeling Rule

Abnormal Security

Details

IDAbnormal_Security_ModelingRule
From Version8.4.0

Rules (XIF)

[MODEL: dataset="abnormal_security_email_protection_raw"]
alter
    xdm.event.id = threatId,
    xdm.event.outcome = if(remediationStatus = "Auto-Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "Post Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "Remediated", XDM_CONST.OUTCOME_SUCCESS, remediationStatus = "No Action Done", XDM_CONST.OUTCOME_FAILED, remediationStatus = "Would Remediate", XDM_CONST.OUTCOME_PARTIAL, remediationStatus = "Remediation Attempted", XDM_CONST.OUTCOME_PARTIAL, to_string(autoRemediated) = "true", XDM_CONST.OUTCOME_SUCCESS, to_string(postRemediated) = "true", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.description = to_json_string(object_create("abxPortalUrl", abxPortalUrl, "fromName", fromName, "attackedParty", attackedParty, "replyToEmails", replyToEmails, "attackVector", attackVector, "autoRemediated", autoRemediated, "postRemediated", postRemediated, "isRead", isRead)),
    xdm.alert.category = attackType,
    xdm.alert.name = attackStrategy,
    // Build a JSON object with supplementary fields not covered by dedicated XDM fields; serialized to string for xdm.event.description
    xdm.alert.description = arraystring(arraymap(split(to_string(summaryInsights), ","), replex("@element", "\[|\"|\]", "")), " | "),
    xdm.observer.unique_identifier = to_string(abxMessageId),
    // Use toAddresses when present; fall back to recipientAddress when toAddresses is empty or null
    xdm.email.recipients = if(toAddresses != null and toAddresses != "", arraymap(split(to_string(toAddresses), ","), replex("@element", "\[|\"|\]", "")), arraycreate(recipientAddress)),
    // Build attachment filename string only when attachmentNames is non-empty; returns null for empty arrays ("[]")
    xdm.email.attachment.filename = if(attachmentNames != "[]" and attachmentNames != null, arraystring(arraymap(split(to_string(attachmentNames), ","), replex("@element", "\[|\"|\]", "")), " | "), null),
    xdm.email.subject = subject,
    xdm.email.cc = arraymap(split(to_string(ccEmails), ","), replex("@element", "\[|\"|\]", "")),
    xdm.email.sender = fromAddress,
    xdm.email.return_path = returnPath,
    xdm.email.message_id = internetMessageId,
    // Classify senderIpAddress as IPv4 or IPv6 using built-in is_ipv4() and is_ipv6() functions
    xdm.source.ipv4 = if(is_ipv4(senderIpAddress), senderIpAddress, null),
    xdm.source.ipv6 = if(is_ipv6(senderIpAddress), senderIpAddress, null),
    // Extract all URLs from the stringified urls array as a pipe-delimited string; null when urls=[]
    xdm.target.url = if(urls != "[]" and urls != null, arraystring(arraymap(split(to_string(urls), ","), replex("@element", "\[|\"|\]", "")), " | "), null);

Schema

abnormal_security_email_protection_raw

Field Type Array?
abxMessageId string
abxPortalUrl string
attachmentNames string
attackStrategy string
attackType string
attackVector string
attackedParty string
autoRemediated string
ccEmails string
fromAddress string
fromName string
internetMessageId string
isRead string
postRemediated string
recipientAddress string
remediationStatus string
replyToEmails string
returnPath string
senderIpAddress string
subject string
summaryInsights string
threatId string
toAddresses string
urls string
Raw JSON
{
  "abnormal_security_email_protection_raw": {
    "threatId": {
      "type": "string",
      "is_array": false
    },
    "remediationStatus": {
      "type": "string",
      "is_array": false
    },
    "autoRemediated": {
      "type": "string",
      "is_array": false
    },
    "postRemediated": {
      "type": "string",
      "is_array": false
    },
    "abxPortalUrl": {
      "type": "string",
      "is_array": false
    },
    "fromName": {
      "type": "string",
      "is_array": false
    },
    "attackedParty": {
      "type": "string",
      "is_array": false
    },
    "replyToEmails": {
      "type": "string",
      "is_array": false
    },
    "attackVector": {
      "type": "string",
      "is_array": false
    },
    "isRead": {
      "type": "string",
      "is_array": false
    },
    "attackType": {
      "type": "string",
      "is_array": false
    },
    "attackStrategy": {
      "type": "string",
      "is_array": false
    },
    "summaryInsights": {
      "type": "string",
      "is_array": false
    },
    "abxMessageId": {
      "type": "string",
      "is_array": false
    },
    "toAddresses": {
      "type": "string",
      "is_array": false
    },
    "recipientAddress": {
      "type": "string",
      "is_array": false
    },
    "attachmentNames": {
      "type": "string",
      "is_array": false
    },
    "subject": {
      "type": "string",
      "is_array": false
    },
    "ccEmails": {
      "type": "string",
      "is_array": false
    },
    "fromAddress": {
      "type": "string",
      "is_array": false
    },
    "returnPath": {
      "type": "string",
      "is_array": false
    },
    "internetMessageId": {
      "type": "string",
      "is_array": false
    },
    "senderIpAddress": {
      "type": "string",
      "is_array": false
    },
    "urls": {
      "type": "string",
      "is_array": false
    }
  }
}