abnormal_security: add support for Not Analyzed Messages data stream #13483
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chemamartinez
added
enhancement
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
chemamartinez
force-pushed
the
13000-abnormal_security-not_analyzed
branch
from
10a4cb8 to
fccdd38
Compare
|
/test |
efd6
reviewed
Apr 10, 2025
| Content-Type: | ||
| - 'application/json' | ||
| body: |- | ||
| { |
There was a problem hiding this comment.
Suggested change
| { | |
| {{ minify_json ` | |
| { |
| "not_analyzed_reason": "PHISHING_SIMULATION" | ||
| } | ||
| ] | ||
| } |
| @@ -0,0 +1,3 @@ | |||
| {"abx_message_id":-7361381340273523750,"recipient":{"email":"phishing@test.com","name":"Phishing Test"},"reported_datetime":"2025-03-06T17:27:15Z","reporter":{"email":"reporter@test.com","name":"Reporter Test"},"subject":"Re: Subject","not_analyzed_reason":"ROUTED_SUBMISSION"} | |||
| {"abx_message_id":240750237502375023,"recipient":{"email":"phishing@test.com","name":"Phishing Test"},"reported_datetime":"2025-03-04T18:50:27Z","reporter":{"email":"test@example.com","name":"Test Example"},"subject":"Fw: Forwarded email","not_analyzed_reason":"INVALID_SUBMISSION"} | |||
| {"abx_message_id":-1234567891234567891,"recipient":{"email":"phishing@test.com","name":"Phishing Test"},"reported_datetime":"2025-03-04T17:03:55Z","reporter":{"email":"info@test.com","name":"Info Test"},"subject":"Fwd: Forwarded email","not_analyzed_reason":"PHISHING_SIMULATION"} | |||
| @@ -101,6 +101,63 @@ rules: | |||
| "attackType": "Attack Type: Spam" | |||
| } | |||
| `}} | |||
| - path: /v1/abuse_mailbox/not_analyzed | |||
There was a problem hiding this comment.
Can I confirm that the API is non-paginating?
There was a problem hiding this comment.
Looks like it can take start and end datetimes
There was a problem hiding this comment.
Yes, no pagination parameters are accepted for this endpoint. Here's the reference.
| "Authorization": ["Bearer " + string(state.access_token)], | ||
| } | ||
| }).do_request().as(resp, resp.StatusCode == 200 ? | ||
| bytes(resp.Body).decode_json().as(body, has(body.results) && size(body.results) > 0 ? |
There was a problem hiding this comment.
Suggested change
| bytes(resp.Body).decode_json().as(body, has(body.results) && size(body.results) > 0 ? | |
| resp.Body.decode_json().as(body, has(body.results) && size(body.results) > 0 ? |
| "error": { | ||
| "code": string(resp.StatusCode), | ||
| "id": string(resp.Status), | ||
| "message": "GET:"+( |
There was a problem hiding this comment.
Suggested change
| "message": "GET:"+( | |
| "message": "GET "+state.url.trim_right("/") + "/v1/abuse_mailbox/not_analyzed:"+( |
Comment on lines
34
to
35
| "start": [string(state.start_time)], | ||
| "end": [string(state.end_time)], |
There was a problem hiding this comment.
Suggested change
| "start": [string(state.start_time)], | |
| "end": [string(state.end_time)], | |
| "start": [state.start_time], | |
| "end": [state.end_time], |
These have just been formatted to strings, in the preamble block, so the conversion is not necessary.
| @@ -116,7 +116,7 @@ | |||
| "id": "", | |||
| "params": { | |||
| "fontSize": 12, | |||
| "markdown": "**Navigation**\n\n**Abnormal Security**\n\n- [AI Security Mailbox Overview](#/dashboard/abnormal_security-a4364503-ada3-4fe6-a054-d152accf207c)\n- [**Audit Overview (This Page)**](#/dashboard/abnormal_security-37ed5d19-c753-43a0-b0a2-f8e6437ddfe5)\n- [Case Overview](#/dashboard/abnormal_security-f6562262-e429-470d-af45-4c80afdcf664)\n- [Threat Overview](#/dashboard/abnormal_security-6a8e53ac-7759-4564-bcd6-03c6a9792eac)\n- [Vendor Case Overview](#/dashboard/abnormal_security-7997c0a4-da55-4090-b24f-586dbd19aff4)\n\n**Overview**\n\nThis dashboard displays key statistics and visualizations based on Audit logs from the Abnormal Security integration. It includes the top 10 users and source IPs, a breakdown of events by category, action and tenant name, as well as essential details about the Audit data.\n\n[**Integrations Page**](/app/integrations/detail/abnormal_security/overview)", | |||
| "markdown": "**Navigation**\n\n**Abnormal Security**\n\n- [AI Security Mailbox Overview](#/dashboard/abnormal_security-a4364503-ada3-4fe6-a054-d152accf207c)\n- [AI Security Mailbox Not Analyzed Overview](#/dashboard/abnormal_security-a0e8aab9-b870-4903-a966-7195fd6cee9c)\n- [**Audit Overview (This Page)**](#/dashboard/abnormal_security-37ed5d19-c753-43a0-b0a2-f8e6437ddfe5)\n- [Case Overview](#/dashboard/abnormal_security-f6562262-e429-470d-af45-4c80afdcf664)\n- [Threat Overview](#/dashboard/abnormal_security-6a8e53ac-7759-4564-bcd6-03c6a9792eac)\n- [Vendor Case Overview](#/dashboard/abnormal_security-7997c0a4-da55-4090-b24f-586dbd19aff4)\n\n**Overview**\n\nThis dashboard displays key statistics and visualizations based on Audit logs from the Abnormal Security integration. It includes the top 10 users and source IPs, a breakdown of events by category, action and tenant name, as well as essential details about the Audit data.\n\n[**Integrations Page**](/app/integrations/detail/abnormal_security/overview)", | |||
There was a problem hiding this comment.
Suggested change
| "markdown": "**Navigation**\n\n**Abnormal Security**\n\n- [AI Security Mailbox Overview](#/dashboard/abnormal_security-a4364503-ada3-4fe6-a054-d152accf207c)\n- [AI Security Mailbox Not Analyzed Overview](#/dashboard/abnormal_security-a0e8aab9-b870-4903-a966-7195fd6cee9c)\n- [**Audit Overview (This Page)**](#/dashboard/abnormal_security-37ed5d19-c753-43a0-b0a2-f8e6437ddfe5)\n- [Case Overview](#/dashboard/abnormal_security-f6562262-e429-470d-af45-4c80afdcf664)\n- [Threat Overview](#/dashboard/abnormal_security-6a8e53ac-7759-4564-bcd6-03c6a9792eac)\n- [Vendor Case Overview](#/dashboard/abnormal_security-7997c0a4-da55-4090-b24f-586dbd19aff4)\n\n**Overview**\n\nThis dashboard displays key statistics and visualizations based on Audit logs from the Abnormal Security integration. It includes the top 10 users and source IPs, a breakdown of events by category, action and tenant name, as well as essential details about the Audit data.\n\n[**Integrations Page**](/app/integrations/detail/abnormal_security/overview)", | |
| "markdown": "**Navigation**\n\n**Abnormal Security**\n\n- [AI Security Mailbox Overview](#/dashboard/abnormal_security-a4364503-ada3-4fe6-a054-d152accf207c)\n- [AI Security Mailbox Not Analyzed Overview](#/dashboard/abnormal_security-a0e8aab9-b870-4903-a966-7195fd6cee9c)\n- **Audit Overview**\n- [Case Overview](#/dashboard/abnormal_security-f6562262-e429-470d-af45-4c80afdcf664)\n- [Threat Overview](#/dashboard/abnormal_security-6a8e53ac-7759-4564-bcd6-03c6a9792eac)\n- [Vendor Case Overview](#/dashboard/abnormal_security-7997c0a4-da55-4090-b24f-586dbd19aff4)\n\n**Overview**\n\nThis dashboard displays key statistics and visualizations based on Audit logs from the Abnormal Security integration. It includes the top 10 users and source IPs, a breakdown of events by category, action and tenant name, as well as essential details about the Audit data.\n\n[**Integrations Page**](/app/integrations/detail/abnormal_security/overview)", |
(similar below)
There was a problem hiding this comment.
What is the motivation for this? To remove the (This page) message next to the dashboard title for everyone?
Would you agree to change it in a separate PR? as it is something that was added with the initial release of the integration.
There was a problem hiding this comment.
This can be another PR (though I would rather it not be since we are changing all the lines that need to be fixed in this change anyway, and it is a UI design bug); there is no need to have an active link to the page you are on and the text should tell the user where they are without having to read additional text. This is something that we discussed internally a few months back (2024-10-30). example comparison.
💚 Build Succeeded
History
|
|
efd6
approved these changes
Apr 16, 2025
|
Package abnormal_security - 1.6.0 containing this change is available at https://epr.elastic.co/package/abnormal_security/1.6.0/ |
Auto-merge was enabled but I will open a new PR with your suggestion. |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Add support for AI Security Mailbox Not Analyzed data stream. API reference can be found here.
Checklist
changelog.ymlfile.Related issues
Screenshots