Collect Abnormal Security logs

This document explains how to ingest Abnormal Security logs into Google Security Operations (Google SecOps). The parser handles email logs in both JSON and Syslog formats: it first attempts to process the input as JSON and, if that fails, uses Grok patterns to extract the data from the Syslog format. The extracted fields are then mapped to the Unified Data Model (UDM), which enriches the data with security context and standardizes the format for further analysis.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance.
  • Privileged access to Abnormal Security.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

Configure Abnormal Security to send logs to Google SecOps

  1. Sign in to the Abnormal Security Web UI.
  2. Click Settings > Integrations.
  3. Find the Google Chronicle icon and click Connect.
  4. Enter your Google SecOps Customer ID.
  5. Enter your Google SecOps instance Endpoint address.
  6. Upload the Ingestion Authentication File downloaded earlier as the Google Service Account.
  7. Click Save > Confirm.

UDM mapping table

Log field | UDM mapping | Logic
attachmentCount | additional.fields.attachmentCount.value.number_value | Mapped directly
attachmentNames | additional.fields.attachmentNames.value | Concatenated into a comma-separated string
attackStrategy | security_result.detection_fields.attackStrategy.value | Mapped directly
attackType | security_result.threat_name | Mapped directly
attackVector | security_result.detection_fields.attackVector.value | Mapped directly
attackedParty | security_result.detection_fields.attackedParty.value | Mapped directly
autoRemediated | (none) | Not mapped to the UDM object
ccEmails | network.email.cc | Each email address is extracted and added to the array
fromAddress | network.email.from | Email address is extracted and mapped directly
fromName | principal.user.user_display_name | Mapped directly
impersonatedParty | security_result.detection_fields.impersonatedParty.value | Mapped directly
internetMessageId | additional.fields.internetMessageId.value.string_value | Mapped directly
isRead | additional.fields.isRead.value.bool_value | Mapped directly
postRemediated | additional.fields.postRemediated.value.bool_value | Mapped directly
receivedTime | additional.fields.mailReceivedTime.value.string_value | Mapped directly
remediationStatus | additional.fields.remediationStatus.value.string_value | Mapped directly
remediationTimestamp | additional.fields.mailRemediationTimestamp.value.string_value | Mapped directly
replyToEmails | network.email.reply_to | The first email address is extracted and mapped directly
returnPath | additional.fields.returnPath.value.string_value | Mapped directly
senderDomain | principal.administrative_domain | Mapped directly
senderIpAddress | principal.ip, principal.asset.ip | IP address is extracted and mapped to both fields
sentTime | additional.fields.mailSentTime.value.string_value | Mapped directly
subject | network.email.subject | Mapped directly
summaryInsights | security_result.summary | Concatenated into a comma-separated string
threatId | security_result.threat_id | Mapped directly
toAddresses | network.email.to | Each email address is extracted and added to the array
urlCount | additional.fields.urlCount.value.number_value | Mapped directly
URLs | additional.fields.detectedUrls.value | Concatenated into a comma-separated string
(derived) | additional.fields.campaign_id.value.string_value | Mapped from event_data.abx_body.campaign_id if present
(derived) | additional.fields.trace_id.value.string_value | Mapped from event_data.abx_metadata.trace_id if present
(derived) | additional.fields.messageReportedTime.value.string_value | Mapped from event_data.abx_body.message_reported_time if present
(derived) | metadata.event_type | Set to EMAIL_TRANSACTION if the messages array is present; otherwise determined from other fields and can be USER_LOGIN, STATUS_UPDATE, or GENERIC_EVENT
(derived) | metadata.product_name | Always set to ABNORMAL_SECURITY
(derived) | metadata.vendor_name | Always set to ABNORMAL_SECURITY
(derived) | metadata.product_event_type | Mapped from event_data.abx_metadata.event_type if present
(derived) | extensions.auth.type | Set to AUTHTYPE_UNSPECIFIED if event_type is USER_LOGIN
(derived) | security_result.category | Set to MAIL_SPAM and MAIL_PHISHING if the messages array is present; otherwise set to MAIL_PHISHING and/or MAIL_SPAM based on other fields
(derived) | security_result.category_details | Set to ABUSE_MAILBOX if abx_metadata.event_type is ABUSE_MAILBOX; otherwise set to login if abx_body.category is login
(derived) | security_result.detection_fields.reported.value | Mapped from event_data.abx_body.reported if present
(derived) | security_result.detection_fields.judgement.value | Mapped from event_data.abx_body.judgement if present
(derived) | target.url | Mapped from event_data.abx_body.details.request_url if present
(derived) | target.user.userid | Mapped from event_data.abx_body.user.email if present
(derived) | target.user.email_addresses | Mapped from event_data.abx_body.user.email if present
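The following is an added example, not the Google SecOps parser or any Abnormal Security code. It illustrates the two points made on this page: the JSON-first, Syslog-fallback parsing strategy described in the introduction, and the field mapping in the table above (list fields joined into comma-separated strings, addresses extracted from display-name forms, only the first reply-to address kept, the sender IP copied to both principal.ip and principal.asset.ip, autoRemediated dropped, and the messages-array branch of the event_type and category logic). Python regular expressions stand in for Grok, the UDM event is a plain nested dict, the Syslog framing (a PRI value, BSD timestamp, host and program name in front of the JSON) is an assumed layout, and every sample record is constructed rather than captured from a real tenant. Only the messages-array branch of the event_type logic is implemented; the USER_LOGIN and STATUS_UPDATE branches depend on abx_body fields that are not sampled here.

```python
# Added example: JSON-first / syslog-fallback parsing of Abnormal Security
# threat logs, then a reduced UDM mapping following the table on this page.
# Not the Google SecOps parser. Regexes stand in for Grok; samples are constructed.
import json
import re

# Constructed Abnormal Security threat message using the table's field names.
SAMPLE_MESSAGE = {
    "threatId": "t-0001", "attachmentCount": 2,
    "attachmentNames": ["invoice.pdf", "details.xlsx"],
    "attackStrategy": "Name Impersonation", "attackType": "Invoice/Payment Fraud (BEC)",
    "attackVector": "Text", "attackedParty": "Employee", "autoRemediated": True,
    "ccEmails": ["cc1@example.com", "CC Two <cc2@example.com>"],
    "fromAddress": "Jane CEO <ceo@examp1e.com>", "fromName": "Jane CEO",
    "impersonatedParty": "VIP", "internetMessageId": "<abc123@examp1e.com>",
    "isRead": False, "postRemediated": False,
    "receivedTime": "2024-01-12T10:21:55Z", "sentTime": "2024-01-12T10:21:50Z",
    "remediationStatus": "Auto-Remediated", "remediationTimestamp": "2024-01-12T10:22:00Z",
    "replyToEmails": ["reply@examp1e.com", "other@examp1e.com"],
    "returnPath": "bounce@examp1e.com", "senderDomain": "examp1e.com",
    "senderIpAddress": "203.0.113.45", "subject": "Urgent wire transfer",
    "summaryInsights": ["Unusual sender", "Financial request"],
    "toAddresses": ["ap@example.com"], "urlCount": 1,
    "URLs": ["https://examp1e.com/pay"],
}
SAMPLE_JSON = json.dumps({"messages": [SAMPLE_MESSAGE]})   # threat with a messages array
SAMPLE_BARE_JSON = json.dumps(SAMPLE_MESSAGE)              # single message, no array
# Assumed syslog framing (PRI, BSD timestamp, host, program) around the same JSON.
SAMPLE_SYSLOG = "<14>Jan 12 10:22:01 abx-forwarder abnormal: " + SAMPLE_JSON

# Grok-style patterns written as Python regexes.
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<program>[^:\s]+):\s*(?P<payload>\{.*\})\s*$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line: str) -> dict:
    """Try JSON first; on failure fall back to the syslog pattern around JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        pass
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is neither JSON nor recognised syslog")
    return json.loads(m.group("payload"))


def _email(value):
    """Extract the bare address from 'Name <addr>' or a plain address."""
    m = EMAIL_RE.search(value or "")
    return m.group(0) if m else None


def map_message(msg: dict, from_messages_array: bool) -> dict:
    """Map one message to a reduced UDM event following the page's table."""
    add, det, email, principal, sec = {}, {}, {}, {}, {}
    # additional.fields: typed values, renamed where the table says so
    for src, dst, kind in (("attachmentCount", "attachmentCount", "number_value"),
                           ("urlCount", "urlCount", "number_value"),
                           ("isRead", "isRead", "bool_value"),
                           ("postRemediated", "postRemediated", "bool_value"),
                           ("internetMessageId", "internetMessageId", "string_value"),
                           ("remediationStatus", "remediationStatus", "string_value"),
                           ("returnPath", "returnPath", "string_value"),
                           ("receivedTime", "mailReceivedTime", "string_value"),
                           ("sentTime", "mailSentTime", "string_value"),
                           ("remediationTimestamp", "mailRemediationTimestamp", "string_value")):
        if src in msg:
            add[dst] = {kind: msg[src]}
    for src, dst in (("attachmentNames", "attachmentNames"), ("URLs", "detectedUrls")):
        if src in msg:                      # lists become comma-separated strings
            add[dst] = {"string_value": ",".join(msg[src])}
    # autoRemediated is deliberately not mapped, as in the table.
    for key in ("attackStrategy", "attackVector", "attackedParty", "impersonatedParty"):
        if key in msg:
            det[key] = msg[key]
    if "fromAddress" in msg:
        email["from"] = _email(msg["fromAddress"])
    for src, dst in (("ccEmails", "cc"), ("toAddresses", "to")):
        if src in msg:                      # every address extracted into the array
            email[dst] = [e for e in map(_email, msg[src]) if e]
    if msg.get("replyToEmails"):            # only the first reply-to address
        email["reply_to"] = _email(msg["replyToEmails"][0])
    if "subject" in msg:
        email["subject"] = msg["subject"]
    if "fromName" in msg:
        principal["user"] = {"user_display_name": msg["fromName"]}
    if "senderDomain" in msg:
        principal["administrative_domain"] = msg["senderDomain"]
    ip = IPV4_RE.search(msg.get("senderIpAddress") or "")
    if ip:                                  # same IP on principal.ip and principal.asset.ip
        principal["ip"] = [ip.group(0)]
        principal["asset"] = {"ip": [ip.group(0)]}
    if "attackType" in msg:
        sec["threat_name"] = msg["attackType"]
    if "threatId" in msg:
        sec["threat_id"] = msg["threatId"]
    if "summaryInsights" in msg:
        sec["summary"] = ",".join(msg["summaryInsights"])
    sec["detection_fields"] = det
    if from_messages_array:                 # messages-array branch of the table
        event_type = "EMAIL_TRANSACTION"
        sec["category"] = ["MAIL_SPAM", "MAIL_PHISHING"]
    else:                                   # other branches not implemented here
        event_type = "GENERIC_EVENT"
    return {"metadata": {"event_type": event_type, "product_name": "ABNORMAL_SECURITY",
                         "vendor_name": "ABNORMAL_SECURITY"},
            "additional": {"fields": add}, "security_result": sec,
            "network": {"email": email}, "principal": principal}


def to_udm(line: str) -> list:
    """One UDM event per message; a threat log carries a messages array."""
    event = parse_line(line)
    if isinstance(event.get("messages"), list):
        return [map_message(m, True) for m in event["messages"]]
    return [map_message(event, False)]


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_SYSLOG), indent=2))
```

Running the block prints the UDM event derived from the syslog-wrapped sample; the same line without the syslog prefix produces an identical event, which is the property to check when validating a new log source: both transport formats must land on the same UDM fields.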
