本頁面由 Cloud Translation API 翻譯而成。

收集 Abnormal Security 記錄

支援的國家/地區：

Google SecOps SIEM

本文說明如何將 Abnormal Security 記錄擷取至 Google Security Operations。剖析器會處理 JSON 和 Syslog 格式的電子郵件記錄。系統會先嘗試將輸入內容處理為 JSON，如果失敗，則會使用 Grok 模式從 Syslog 格式擷取資料。接著，系統會將擷取的欄位對應至 Unified Data Model (UDM)，並以相關安全性環境資訊擴充資料，以及將格式標準化，以利後續分析。

事前準備

請確認您已完成下列事前準備事項：

Google SecOps 執行個體。
Abnormal Security 的特殊存取權。

取得 Google SecOps 客戶 ID

登入 Google SecOps 控制台。
依序前往「SIEM 設定」>「設定檔」。
複製並儲存「機構詳細資料」專區中的客戶 ID。

取得 Google SecOps 擷取驗證檔案

登入 Google SecOps 控制台。
依序前往「SIEM 設定」>「收集代理程式」。
下載擷取驗證檔案。

設定 Abnormal Security，將記錄傳送至 Google SecOps

登入 Abnormal Security 網頁版 UI。
依序點選「設定」>「整合」。
找到「Google Chronicle」圖示，然後按一下「連結」。
輸入 Google SecOps 客戶 ID。
輸入 Google SecOps 執行個體端點地址。
- 加拿大：https://northamerica-northeast2-malachiteingestion-pa.googleapis.com
- Dammam：https://me-central2-malachiteingestion-pa.googleapis.com
- 歐洲多區域：https://europe-malachiteingestion-pa.googleapis.com
- 法蘭克福：https://europe-west3-malachiteingestion-pa.googleapis.com
- 倫敦：https://europe-west2-malachiteingestion-pa.googleapis.com
- 孟買：https://asia-south1-malachiteingestion-pa.googleapis.com
- 新加坡：https://asia-southeast1-malachiteingestion-pa.googleapis.com
- 雪梨：https://australia-southeast1-malachiteingestion-pa.googleapis.com
- 特拉維夫：https://me-west1-malachiteingestion-pa.googleapis.com
- 東京：https://asia-northeast1-malachiteingestion-pa.googleapis.com
- 美國多區域：https://malachiteingestion-pa.googleapis.com
- 蘇黎世：https://europe-west6-malachiteingestion-pa.googleapis.com
上傳先前下載的「擷取驗證檔案」，做為 Google 服務帳戶。
依序點選「儲存」>「確認」。

支援的 Abnormal Security 記錄格式

Abnormal Security 剖析器支援 SYSLOG 和 JSON 格式的記錄。

支援的 Abnormal Security 記錄檔範例

JSON

{
  "threatId": "3fd4ed1a-9237-7e6f-d434-eacdcc41f47b",
  "messages": [
    {
      "abxMessageId": 3405268390454580698,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3405268390454580698",
      "attachmentCount": 0,
      "attachmentNames": [],
      "attackStrategy": "Unknown Sender",
      "attackType": "Spam",
      "attackVector": "Link",
      "attackedParty": "VIP",
      "autoRemediated": true,
      "fromAddress": "masked.from@example.com",
      "fromName": "Masked User Name",
      "impersonatedParty": "None / Others",
      "internetMessageId": "<20eb9e7c1c3046fda97f6564c81ced64@530566577>",
      "isRead": false,
      "postRemediated": false,
      "receivedTime": "2023-08-28T14:09:31Z",
      "recipientAddress": "masked.recipient@example.com",
      "remediationStatus": "Auto-Remediated",
      "remediationTimestamp": "2023-08-28T14:09:35.618Z",
      "sentTime": "2023-08-28T14:08:44Z",
      "subject": "Banking Insights | A deep dive into the global M&A landscape",
      "threatId": "3fd4ed1a-9237-7e6f-d434-eacdcc41f47b",
      "toAddresses": [
        "masked.to@example.com"
      ],
      "ccEmails": [],
      "replyToEmails": [
        "masked.reply@example.com"
      ],
      "returnPath": "masked.returnPath@example.com",
      "senderDomain": "masked.sender.domain",
      "senderIpAddress": null,
      "summaryInsights": [
        "Suspicious Link",
        "Unusual Sender",
        "Abnormal Email Body HTML",
        "Invisible characters found in Email",
        "Unusual Sender Domain",
        "Suspicious Financial Request",
        "Unusual Reply To"
      ],
      "urlCount": 19,
      "urls": [
        "https://masked.comm.link/e/es?s=530566577&e=2595782&elqTrackId=MASKEDID&elq=MASKEDID&elqaid=119820&elqat=1",
        "https://www.masked.group/en/simplifying-the-brand?utm_source=Eloqua&utm_medium=email&utm_campaign=MASKED_CAMPAIGN&elqCampaignId=20995&elq=MASKEDID",
        "https://masked.group.link/e/er?utm_source=Eloqua&utm_medium=email&utm_campaign=MASKED_CAMPAIGN&elqCampaignId=20995&s=530566577&lid=192730&elqTrackId=MASKEDID&elq=MASKEDID&elqaid=119820&elqat=1"
        // ... (16 additional masked URLs omitted for brevity)
      ]
    }
  ]
}

SYSLOG + JSON

<14> {
  "threatId": "83da593b-3778-9d2f-da8c-e305dc1425e1",
  "messages": [
    {
      "abxMessageId": 8274341447487143770,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/8274341447487143770",
      "attackType": "Spam",
      "fromAddress": "masked.from.1@example.com",
      "fromName": "Masked User Name",
      "internetMessageId": "<PUZPR06MB45764FCED76739D0BC8A1B69E3DFA@masked.server.prod.outlook.com>",
      "recipientAddress": "masked.recipient.1@example.com",
      "remediationStatus": "Auto-Remediated",
      "subject": "Freightview, FreightPOP Users List",
      "toAddresses": [
        "masked.to.1@example.com"
      ],
      "returnPath": "masked.returnPath.1@example.com",
      "senderDomain": "outlook.com",
      "senderIpAddress": null,
      "urlCount": 0,
      "urls": []
    },
    {
      "abxMessageId": -4495524442058864563,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/-4495524442058864563",
      "attackType": "Spam",
      "fromAddress": "masked.user.2@outlook.com",
      "fromName": "Masked User Name",
      "internetMessageId": "<PUZPR06MB4576BF221988D780C8412731E3DFA@masked.server.prod.outlook.com>",
      "recipientAddress": "masked.recipient.2@example.com",
      "remediationStatus": "Auto-Remediated",
      "subject": "Freightview, FreightPOP Users List",
      "toAddresses": [
        "masked.to.2@example.com"
      ],
      "returnPath": "masked.user.2@outlook.com",
      "senderDomain": "outlook.com",
      "senderIpAddress": null,
      "urlCount": 0,
      "urls": []
    }
  ]
}

JSON (threat_log) 結構定義

{
  "event": {
    "abx_message_id": -3325933065721657641,
    "abx_portal_url": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/-3325933065721657641",
    "threat_id": "1c3736ab-9e3a-883f-62b5-6fe36ac9672c",
    "subject": "[EXTERNAL] RE: Masked Name PUP094439581",
    "from_address": "masked.sender@maskeddomain.xyz",
    "from_name": "masked.sender@maskeddomain.xyz",
    "to_addresses": "masked.recipient@maskedcorp.com",
    "recipient_address": "masked.recipient@maskedcorp.com",
    "internet_message_id": "<MASKEDID@masked-insurance-group.com>",
    "attack_type": "Phishing: Credential",
    "return_path": "masked.sender@maskeddomain.xyz",
    "sender_ip_address": "",
    "urls": [
      "www.masked-insurance-group.com",
      "http://www.masked-insurance-group.com/"
    ],
    "sender_domain": "masked-insurance-group.com",
    "tenant": "Auto Club Group"
  },
  "sourcetype": "threat_log"
}

JSON (abuse_mailbox) 結構定義

{
  "event": {
    "abx_metadata": {
      "event_type": "ABUSE_MAILBOX",
      "timestamp": "2024-04-27T15:25:53.374227319Z",
      "trace_id": "00bc67b5-eb26-41c2-9f95-021eb435fc49"
    },
    "abx_body": {
      "campaign_id": "28b9c99f-f4a4-3032-bd99-3b7bac532471",
      "subject": "[EXTERNAL] News you might have missed",
      "recipient_name": "Masked PII Name",
      "recipient_address": "masked.abuse.recipient@secops.com",
      "internet_message_id": "<AutoNewsDigest-MASKED@odspnotify>",
      "email_label_or_location": "inbox"
    }
  },
  "sourcetype": "abuse_mailbox"
}

JSON (audit_log) 結構定義

{
  "event": {
    "abx_metadata": {
      "event_type": "AUDIT_LOG",
      "timestamp": "2024-04-01T17:50:55.194231924Z",
      "trace_id": "6f95188c-cba2-4e86-a3ae-3eaf22c869e4"
    },
    "abx_body": {
      "category": "login",
      "details": {
        "request_url": "/api-token-auth/"
      },
      "source_ip": "0.0.0.0",
      "status": "SUCCESS",
      "tenant_name": "masked_secops_tenant",
      "timestamp": "2024-04-01T17:50:54.632Z",
      "user": {
        "email": "masked.audit.user@secops.net"
      }
    }
  },
  "sourcetype": "audit_log"
}

JSON (案件) 結構定義

{
  "event": {
    "abx_metadata": {
      "event_type": "CASE",
      "timestamp": "2024-08-08T12:42:45.104485389Z",
      "trace_id": "e4ad638f-439a-4c5f-839d-b650ecab9156"
    },
    "abx_body": {
      "schema_version": "1.0.0",
      "case_id": 11188520,
      "tenant": "masked name",
      "entity": {
        "entity_type": "USER_ACCOUNT",
        "identifier": "masked.case.user@secops.com"
      },
      "description": "Account Compromised",
      "event_timeline": [
        {
          "timestamp": "2024-09-07T20:17:25+00:00",
          "event_type": "SIGN_IN",
          "platform": "AZURE_AD",
          "insights": [
            {
              "signal": "Risky Browser",
              "description": "The browser associated with this sign-in, None, is considered risky and has been blocklisted by Abnormal or your organization."
            }
          ],
          "ip_address": "0.0.0.0 ",
          "operating_system": "ios 17.6",
          "isp": "verizon wireless",
          "location": {
            "city": "Huntley",
            "state": "Illinois",
            "country": "United States"
          }
        },
        {
          "timestamp": "2024-09-07T20:17:25+00:00",
          "event_type": "SIGN_IN",
          "platform": "AZURE_AD",
          "ip_address": "0.0.0.0 ",
          "operating_system": "ios 15.6"
        }
      ],
      "event_type": "CASE"
    }
  },
  "sourcetype": "case"
}

UDM 對應表

記錄欄位	UDM 對應	邏輯
attachmentCount	additional.fields.attachmentCount.value.number_value	直接對應
attachmentNames	additional.fields.attachmentNames.value	串連成以半形逗號分隔的字串
attackStrategy	security_result.detection_fields.attackStrategy.value	直接對應
attackType	security_result.threat_name	直接對應
attackVector	security_result.detection_fields.attackVector.value	直接對應
attackedParty	security_result.detection_fields.attackedParty.value	直接對應
autoRemediated		未對應至 IDM 物件
ccEmails	network.email.cc	系統會擷取每個電子郵件地址，並新增至陣列
fromAddress	network.email.from	直接擷取並對應電子郵件地址
fromName	principal.user.user_display_name	直接對應
impersonatedParty	security_result.detection_fields.impersonatedParty.value	直接對應
internetMessageId	additional.fields.internetMessageId.value.string_value	直接對應
isRead	additional.fields.isRead.value.bool_value	直接對應
postRemediated	additional.fields.postRemediated.value.bool_value	直接對應
receivedTime	additional.fields.mailReceivedTime.value.string_value	直接對應
remediationStatus	additional.fields.remediationStatus.value.string_value	直接對應
remediationTimestamp	additional.fields.mailRemediationTimestamp.value.string_value	直接對應
replyToEmails	network.email.reply_to	系統會擷取第一個電子郵件地址並直接對應
returnPath	additional.fields.returnPath.value.string_value	直接對應
senderDomain	principal.administrative_domain	直接對應
senderIpAddress	principal.ip、principal.asset.ip	系統會擷取 IP 位址，並對應至兩個欄位
sentTime	additional.fields.mailSentTime.value.string_value	直接對應
主旨	network.email.subject	直接對應
summaryInsights	security_result.summary	串連成以半形逗號分隔的字串
threatId	security_result.threat_id	直接對應
toAddresses	network.email.to	系統會擷取每個電子郵件地址，並新增至陣列
urlCount	additional.fields.urlCount.value.number_value	直接對應
網址	additional.fields.detectedUrls.value	串連成以半形逗號分隔的字串
	additional.fields.campaign_id.value.string_value	如有，則從 event_data.abx_body.campaign_id 對應
	additional.fields.trace_id.value.string_value	如果存在，則從 event_data.abx_metadata.trace_id 對應
	additional.fields.messageReportedTime.value.string_value	如果存在，則從 event_data.abx_body.message_reported_time 對應
	metadata.event_type	如果存在訊息陣列，則設為 `EMAIL_TRANSACTION`；否則根據其他欄位判斷，且可以是 `USER_LOGIN`、`STATUS_UPDATE` 或 `GENERIC_EVENT`
	metadata.product_name	一律設為「`ABNORMAL_SECURITY`」
	metadata.vendor_name	一律設為「`ABNORMAL_SECURITY`」
	metadata.product_event_type	如果存在，則從 event_data.abx_metadata.event_type 對應
	extensions.auth.type	如果 event_type 為 `USER_LOGIN`，請設為 `AUTHTYPE_UNSPECIFIED`
	security_result.category	如有訊息陣列，請設為 `MAIL_SPAM` 和 `MAIL_PHISHING`，否則請根據其他欄位設為 `MAIL_PHISHING` 和/或 `MAIL_SPAM`
	security_result.category_details	如果 abx_metadata.event_type 為 `ABUSE_MAILBOX`，請設為 `ABUSE_MAILBOX`；否則，如果 abx_body.category 為 `login`，請設為 `login`
	security_result.detection_fields.reported.value	如果存在，則從 event_data.abx_body.reported 對應
	security_result.detection_fields.judgement.value	如果存在，則從 event_data.abx_body.judgement 對應
	target.url	如果存在，則從 event_data.abx_body.details.request_url 對應
	target.user.userid	如果存在，則從 event_data.abx_body.user.email 對應
	target.user.email_addresses	如果存在，則從 event_data.abx_body.user.email 對應

還有其他問題嗎？向社群成員和 Google SecOps 專業人員尋求答案。