Collect Abnormal Security logs
This document explains how to ingest Abnormal Security logs to Google Security Operations. The parser handles email logs in both JSON and Syslog formats. It first attempts to process the input as JSON, and if unsuccessful, it uses Grok patterns to extract data from the Syslog format. The extracted fields are then mapped to the Unified Data Model (UDM), enriching the data with relevant security context and standardizing the format for further analysis.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance
- Privileged access to Abnormal Security
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Configure Abnormal Security to send logs to Google SecOps
- Sign in to the Abnormal Security Web UI.
- Click Settings > Integrations.
- Find the Google Chronicle icon and click Connect.
- Enter your Google SecOps Customer ID.
- Enter your Google SecOps instance Endpoint address:
- Canada: https://northamerica-northeast2-malachiteingestion-pa.googleapis.com
- Dammam: https://me-central2-malachiteingestion-pa.googleapis.com
- Europe Multi-Region: https://europe-malachiteingestion-pa.googleapis.com
- Frankfurt: https://europe-west3-malachiteingestion-pa.googleapis.com
- London: https://europe-west2-malachiteingestion-pa.googleapis.com
- Mumbai: https://asia-south1-malachiteingestion-pa.googleapis.com
- Singapore: https://asia-southeast1-malachiteingestion-pa.googleapis.com
- Sydney: https://australia-southeast1-malachiteingestion-pa.googleapis.com
- Tel Aviv: https://me-west1-malachiteingestion-pa.googleapis.com
- Tokyo: https://asia-northeast1-malachiteingestion-pa.googleapis.com
- United States Multi-Region: https://malachiteingestion-pa.googleapis.com
- Zurich: https://europe-west6-malachiteingestion-pa.googleapis.com
- Upload the Google Service Account Key.
- Click Save > Confirm.
UDM mapping table
Log field | UDM mapping | Logic |
---|---|---|
attachmentCount | additional.fields.attachmentCount.value.number_value | Mapped directly |
attachmentNames | additional.fields.attachmentNames.value | Concatenated into a comma-separated string |
attackStrategy | security_result.detection_fields.attackStrategy.value | Mapped directly |
attackType | security_result.threat_name | Mapped directly |
attackVector | security_result.detection_fields.attackVector.value | Mapped directly |
attackedParty | security_result.detection_fields.attackedParty.value | Mapped directly |
autoRemediated | | Not mapped to the UDM object |
ccEmails | network.email.cc | Each email address is extracted and added to the array |
fromAddress | network.email.from | Email address is extracted and mapped directly |
fromName | principal.user.user_display_name | Mapped directly |
impersonatedParty | security_result.detection_fields.impersonatedParty.value | Mapped directly |
internetMessageId | additional.fields.internetMessageId.value.string_value | Mapped directly |
isRead | additional.fields.isRead.value.bool_value | Mapped directly |
postRemediated | additional.fields.postRemediated.value.bool_value | Mapped directly |
receivedTime | additional.fields.mailReceivedTime.value.string_value | Mapped directly |
remediationStatus | additional.fields.remediationStatus.value.string_value | Mapped directly |
remediationTimestamp | additional.fields.mailRemediationTimestamp.value.string_value | Mapped directly |
replyToEmails | network.email.reply_to | The first email address is extracted and mapped directly |
returnPath | additional.fields.returnPath.value.string_value | Mapped directly |
senderDomain | principal.administrative_domain | Mapped directly |
senderIpAddress | principal.ip, principal.asset.ip | IP address is extracted and mapped to both fields |
sentTime | additional.fields.mailSentTime.value.string_value | Mapped directly |
subject | network.email.subject | Mapped directly |
summaryInsights | security_result.summary | Concatenated into a comma-separated string |
threatId | security_result.threat_id | Mapped directly |
toAddresses | network.email.to | Each email address is extracted and added to the array |
urlCount | additional.fields.urlCount.value.number_value | Mapped directly |
URLs | additional.fields.detectedUrls.value | Concatenated into a comma-separated string |
| additional.fields.campaign_id.value.string_value | Mapped from event_data.abx_body.campaign_id if present |
| additional.fields.trace_id.value.string_value | Mapped from event_data.abx_metadata.trace_id if present |
| additional.fields.messageReportedTime.value.string_value | Mapped from event_data.abx_body.message_reported_time if present |
| metadata.event_type | Set to EMAIL_TRANSACTION if the messages array is present; otherwise determined from other fields and can be USER_LOGIN, STATUS_UPDATE, or GENERIC_EVENT |
| metadata.product_name | Always set to ABNORMAL_SECURITY |
| metadata.vendor_name | Always set to ABNORMAL_SECURITY |
| metadata.product_event_type | Mapped from event_data.abx_metadata.event_type if present |
| extensions.auth.type | Set to AUTHTYPE_UNSPECIFIED if event_type is USER_LOGIN |
| security_result.category | Set to MAIL_SPAM and MAIL_PHISHING if the messages array is present; otherwise set to MAIL_PHISHING and/or MAIL_SPAM based on other fields |
| security_result.category_details | Set to ABUSE_MAILBOX if abx_metadata.event_type is ABUSE_MAILBOX; otherwise set to login if abx_body.category is login |
| security_result.detection_fields.reported.value | Mapped from event_data.abx_body.reported if present |
| security_result.detection_fields.judgement.value | Mapped from event_data.abx_body.judgement if present |
| target.url | Mapped from event_data.abx_body.details.request_url if present |
| target.user.userid | Mapped from event_data.abx_body.user.email if present |
| target.user.email_addresses | Mapped from event_data.abx_body.user.email if present |
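As an added example (not the Google SecOps parser itself, whose configuration is not published on this page), the following Python writes out the JSON-first, syslog-fallback parsing flow from the introduction together with the per-message rows of the mapping table above, so the mapping rules can be exercised against a sample record. The log and UDM field names are taken from the table; the syslog framing (an RFC 3164-style header in front of a JSON payload), the helper names `parse_raw`, `message_to_udm`, `to_udm` and `parse_and_map`, and the sample record are assumptions constructed for this example.

```python
import json
import re

# Added example, not the Google SecOps parser: field names follow the page's
# mapping table; the syslog shape and the sample data are constructed here.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumption: a syslog line is "<PRI>Mon DD HH:MM:SS host app: <JSON payload>".
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ [^:]+: (?P<payload>.*)$"
)


def parse_raw(line):
    """Try JSON first; only if that fails, apply the syslog pattern (the order the page describes)."""
    try:
        obj = json.loads(line)
        if isinstance(obj, dict):
            return obj
    except json.JSONDecodeError:
        pass
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is neither JSON nor the expected syslog shape")
    return json.loads(m.group("payload"))


def extract_email(value):
    """Pull the bare address out of values such as 'Jane <jane@example.com>'."""
    m = EMAIL_RE.search(value or "")
    return m.group(0) if m else None


def message_to_udm(msg, udm):
    """Apply the per-message rows of the mapping table to an in-progress UDM event."""
    add = udm["additional"]["fields"]
    det = udm["security_result"]["detection_fields"]
    email = udm["network"]["email"]
    # Typed additional.fields rows: number, bool and string values.
    for src, dst, kind in (
        ("attachmentCount", "attachmentCount", "number_value"),
        ("urlCount", "urlCount", "number_value"),
        ("isRead", "isRead", "bool_value"),
        ("postRemediated", "postRemediated", "bool_value"),
        ("internetMessageId", "internetMessageId", "string_value"),
        ("receivedTime", "mailReceivedTime", "string_value"),
        ("sentTime", "mailSentTime", "string_value"),
        ("remediationStatus", "remediationStatus", "string_value"),
        ("remediationTimestamp", "mailRemediationTimestamp", "string_value"),
        ("returnPath", "returnPath", "string_value"),
    ):
        if src in msg:
            add[dst] = {"value": {kind: msg[src]}}
    # List fields the table concatenates into one comma-separated string.
    for src, dst in (("attachmentNames", "attachmentNames"), ("URLs", "detectedUrls")):
        if src in msg:
            add[dst] = {"value": ",".join(msg[src])}
    for key in ("attackStrategy", "attackVector", "attackedParty", "impersonatedParty"):
        if key in msg:
            det[key] = {"value": msg[key]}
    if "attackType" in msg:
        udm["security_result"]["threat_name"] = msg["attackType"]
    if "threatId" in msg:
        udm["security_result"]["threat_id"] = msg["threatId"]
    if "summaryInsights" in msg:
        udm["security_result"]["summary"] = ",".join(msg["summaryInsights"])
    # Envelope addresses: extract the bare address from display-name forms.
    if "fromAddress" in msg:
        email["from"] = extract_email(msg["fromAddress"])
    for src, dst in (("toAddresses", "to"), ("ccEmails", "cc")):
        if src in msg:
            email[dst] = [a for a in map(extract_email, msg[src]) if a]
    if msg.get("replyToEmails"):
        email["reply_to"] = extract_email(msg["replyToEmails"][0])  # first address only
    if "subject" in msg:
        email["subject"] = msg["subject"]
    if "fromName" in msg:
        udm["principal"].setdefault("user", {})["user_display_name"] = msg["fromName"]
    if "senderDomain" in msg:
        udm["principal"]["administrative_domain"] = msg["senderDomain"]
    if "senderIpAddress" in msg:  # one source, two UDM fields
        udm["principal"]["ip"] = [msg["senderIpAddress"]]
        udm["principal"].setdefault("asset", {})["ip"] = [msg["senderIpAddress"]]
    # autoRemediated is intentionally left unmapped, as the table states.


def to_udm(event):
    """Build one UDM event from a parsed Abnormal Security record."""
    udm = {
        "metadata": {"product_name": "ABNORMAL_SECURITY", "vendor_name": "ABNORMAL_SECURITY"},
        "additional": {"fields": {}}, "network": {"email": {}}, "principal": {},
        "security_result": {"detection_fields": {}},
    }
    if isinstance(event.get("messages"), list):
        udm["metadata"]["event_type"] = "EMAIL_TRANSACTION"
        udm["security_result"]["category"] = ["MAIL_SPAM", "MAIL_PHISHING"]
        for msg in event["messages"]:
            message_to_udm(msg, udm)
    else:
        # The page names USER_LOGIN/STATUS_UPDATE/GENERIC_EVENT for other events
        # without giving the selection rules; this example falls back to GENERIC_EVENT.
        udm["metadata"]["event_type"] = "GENERIC_EVENT"
    return udm


def parse_and_map(line):
    return to_udm(parse_raw(line))


# Constructed sample record (not a real Abnormal Security event).
SAMPLE_JSON = json.dumps({"messages": [{
    "attachmentCount": 2, "attachmentNames": ["invoice.pdf", "terms.docx"],
    "attackType": "BEC", "attackVector": "Text", "autoRemediated": True,
    "ccEmails": ["Finance <finance@example.com>"],
    "fromAddress": "Acme Billing <billing@example.net>", "fromName": "Acme Billing",
    "replyToEmails": ["pay@example.org", "other@example.org"],
    "senderIpAddress": "203.0.113.7", "senderDomain": "example.net",
    "subject": "Overdue invoice", "summaryInsights": ["Unusual sender", "Urgent request"],
    "threatId": "EXAMPLE-THREAT-ID", "toAddresses": ["cfo@example.com"],
    "isRead": False, "urlCount": 0,
}]})
SAMPLE_SYSLOG = "<13>Sep 18 10:15:00 abnormal-fwd abnormal: " + SAMPLE_JSON

if __name__ == "__main__":
    print(json.dumps(parse_and_map(SAMPLE_SYSLOG), indent=2))
```

Running the block maps the same record via both input paths; the useful check when validating a feed is that the syslog-framed line and the bare JSON produce an identical UDM event, that `autoRemediated` never appears in `additional.fields`, and that `replyToEmails` keeps only its first address while `ccEmails` and `toAddresses` keep every address.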
Changes
2024-09-18
Enhancement:
- Mapped event_data.message_sources, event_data.sender_auth_results.spf, event_data.sender_auth_results.dkim, event_data.sender_auth_results.dmarc, event_data.tenant, and event_data.attack_score to additional.fields.
2024-09-12
Enhancement:
- When sourcetype is case, mapped the following: event.abx_body.event_timeline.n.ip_address to principal.ip and principal.asset.ip; event.abx_body.event_timeline.n.insights.0.signal, event.abx_body.event_timeline.n.insights.0.description, event.abx_body.event_timeline.n.browser, event.abx_body.event_timeline.n.operating_system, event.abx_body.event_timeline.n.isp, event.abx_body.event_timeline.n.application, event.abx_body.event_timeline.n.signin_event_status, and event.abx_body.event_timeline.n.platform to additional.fields.
2024-08-21
Enhancement:
- Mapped event_data.abx_body.severity to security_result.severity.
- Mapped event_data.abx_body.trigger_event and event_data.abx_body.entity.entity_type to additional.fields.
- Mapped event_data.abx_body.entity.identifier to principal.user.email_addresses.
- Mapped event_data.abx_body.case_id to metadata.product_log_id.
2024-07-24
Enhancement:
- Mapped sourcetype and event.folder_locations to additional.fields.
- Mapped event.abx_message_id to metadata.product_log_id.
2024-05-02
Enhancement:
- Added support for a new pattern of JSON logs.
2023-11-06
- Newly created parser.