
Commit 0576617

Merge pull request #19 from Perrtyk/main
Abnormal Security threat log ingestion workflow and dashboard
2 parents 301cd29 + 3258145 commit 0576617

2 files changed

+1041
-0
lines changed

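--- /dev/null
+++ b/<dashboard file path not shown on page>
@@ -0,0 +1,342 @@
+{
+tabs: [
+{
+"tabName": "Threats",
+graphs: [
+{
+graphStyle: "funnel",
+query: "dataSource.name='Abnormal\\ Security'\n| group count() by attackType",
+title: "Attack Types",
+layout: {
+h: 26,
+w: 13,
+x: 0,
+y: 26
+},
+funnelOptions: {
+autoScale: "true",
+colorScheme: "red",
+colorSchemeOrder: "inverted"
+},
+orientation: "vertical"
+}, {
+breakdownFacet: "attackType",
+graphStyle: "stacked_bar",
+title: "Threat Activity",
+layout: {
+h: 12,
+w: 47,
+x: 13,
+y: 26
+},
+filter: "dataSource.name='Abnormal\\ Security' event.source='Threat'",
+plots: [
+{
+facet: "",
+filter: "dataSource.name='Abnormal\\ Security' event.source='Threat'",
+label: "rate"
+}
+],
+barWidth: "auto"
+}, {
+graphStyle: "number",
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| group count()",
+sparklineConfig: {
+enabled: false
+},
+title: "Threat Events",
+trendConfig: {
+enabled: true,
+indicators: {
+arrow: {
+enabled: true
+},
+number: {
+calculationType: "PERCENTAGE",
+enabled: true
+},
+upwardsMeaning: "POSITIVE"
+}
+},
+layout: {
+h: 5,
+w: 11,
+x: 11,
+y: 0
+},
+description: "Shows the number of threats targeting users protected by Abnormal Security."
+}, {
+graphStyle: "stacked_bar",
+layout: {
+h: 14,
+w: 47,
+x: 13,
+y: 38
+},
+title: "Recipients",
+plots: [
+{
+facet: "rate",
+filter: "dataSource.name='Abnormal\\ Security' event.source='Threat'",
+label: "rate"
+}
+],
+breakdownFacet: "recipientAddress",
+filter: "dataSource.name='Abnormal\\ Security' event.source='Threat'",
+barWidth: "auto"
+}, {
+filter: "dataSource.name='Abnormal\\ Security' event.source='Threat'",
+graphStyle: "line",
+layout: {
+h: 8,
+w: 60,
+x: 0,
+y: 5
+},
+lineSmoothing: "straightLines",
+plots: [
+{
+color: "#E0483C",
+facet: "rate",
+filter: "dataSource.name='Abnormal\\ Security' event.source='Threat'",
+label: "Logs"
+}
+],
+title: "Log Activity (Threats)"
+}, {
+graphStyle: "",
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| columns metadata.correlation_uid\n, receivedTime, attackType, attackVector, attackedParty, recipientAddress, fromAddress, summaryInsights\n, abxPortalUrl\n| sort -receivedTime",
+title: "Threat Events",
+layout: {
+h: 31,
+w: 60,
+x: 0,
+y: 52
+},
+showBarsColumn: "false"
+}, {
+dataLabelType: "PERCENTAGE",
+graphStyle: "pie",
+maxPieSlices: 100,
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| group count = count() by recipientAddress",
+title: "Target Addresses",
+totalNumberConfig: {
+enabled: false,
+label: ""
+},
+layout: {
+h: 13,
+w: 19,
+x: 0,
+y: 13
+}
+}, {
+dataLabelType: "PERCENTAGE",
+graphStyle: "pie",
+layout: {
+h: 13,
+w: 22,
+x: 19,
+y: 13
+},
+maxPieSlices: 100,
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| let Country = geo_ip_country(senderIpAddress)\n| columns Country\n| group count = count() by Country",
+title: "Attacker Region",
+totalNumberConfig: {
+enabled: false,
+label: ""
+}
+}, {
+graphStyle: "number",
+layout: {
+h: 5,
+w: 11,
+x: 0,
+y: 0
+},
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| group distinct_correlation_uuids = estimate_distinct(metadata.correlation_uid)",
+sparklineConfig: {
+enabled: false
+},
+title: "Threats",
+trendConfig: {
+enabled: true,
+indicators: {
+arrow: {
+enabled: true
+},
+number: {
+calculationType: "PERCENTAGE",
+enabled: true
+},
+upwardsMeaning: "POSITIVE"
+}
+},
+description: "Shows the number of cases involved with users protected by Abnormal Security."
+}, {
+dataLabelType: "PERCENTAGE",
+graphStyle: "pie",
+layout: {
+h: 13,
+i: "9",
+minH: 3,
+minW: 6,
+w: 19,
+x: 41,
+y: 13
+},
+maxPieSlices: 100,
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| group count = count() by senderDomain",
+title: "Attacker Domains",
+totalNumberConfig: {
+}
+}, {
+graphStyle: "number",
+layout: {
+h: 5,
+w: 11,
+x: 22,
+y: 0
+},
+query: "dataSource.name='Abnormal\\ Security' event.source='Threat'\n| group distinct_address_targets = estimate_distinct(recipientAddress)",
+sparklineConfig: {
+enabled: false
+},
+title: "Mailboxes Targeted",
+trendConfig: {
+enabled: true,
+indicators: {
+arrow: {
+enabled: true
+},
+number: {
+calculationType: "PERCENTAGE",
+enabled: true
+},
+upwardsMeaning: "POSITIVE"
+}
+},
+description: "Shows the number of mailboxes targeted by threats."
+}, {
+graphStyle: "markdown",
+title: "\uD83D\uDEE1️ Abnormal Security - Threat Overview",
+layout: {
+h: 5,
+w: 27,
+x: 33,
+y: 0
+},
+markdown: "```Monitor key email events and threat activity provided by the Abnormal Security threat logs.```"
+}
+],
+options: {
+layout: {
+locked: 1
+}
+},
+options: {
+layout: {
+locked: 0
+}
+},
+options: {
+layout: {
+locked: 1
+}
+},
+options: {
+layout: {
+locked: 0
+}
+},
+options: {
+layout: {
+locked: 1
+}
+},
+options: {
+layout: {
+locked: 0
+}
+},
+filters: [
+{
+name: "Threats Type",
+values: [
+{
+label: "Default Search",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat'"
+}, {
+label: "Internal-to-Internal Attacks (Email Account Takeover)",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Internal-to-Internal Attacks (Email Account Takeover)\""
+}, {
+label: "Invoice/Payment Fraud (BEC)",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Invoice/Payment Fraud (BEC)\""
+}, {
+label: "Malware",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Malware\""
+}, {
+label: "Phishing: Credential",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Phishing: Credential\""
+}, {
+label: "Reconnaissance",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Reconnaissance\""
+}, {
+label: "Scam",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Scam\""
+}, {
+label: "Social Engineering (BEC)",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' and attackType = \"Social Engineering (BEC)\""
+}
+]
+}, {
+name: "Source Severity",
+values: [
+{
+label: "Default Search",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat'"
+}, {
+label: "Spam",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' source='spam' "
+}, {
+label: "Borderline",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' source='borderline'"
+}, {
+label: "Malicious",
+value: "dataSource.name='Abnormal\\ Security' event.source='Threat' source='malicious'"
+}
+]
+}, {
+name: "Threat Vectors",
+values: [
+{
+label: "Default Search",
+value: "dataSource.name='Abnormal Security' event.source='Threat'"
+}, {
+label: "Link",
+value: "dataSource.name='Abnormal Security' event.source='Threat' and attackVector = \"Link\""
+}, {
+label: "Attachment",
+value: "dataSource.name='Abnormal Security' event.source='Threat' and attackVector = \"Attachment\""
+}, {
+label: "Text",
+value: "dataSource.name='Abnormal Security' event.source='Threat' and attackVector = \"Text\""
+}, {
+label: "Others",
+value: "dataSource.name='Abnormal Security' event.source='Threat' and attackVector = \"Others\""
+}, {
+label: "Attachment with Zipped File",
+value: "dataSource.name='Abnormal Security' event.source='Threat' and attackVector = \"Attachment with Zipped File\""
+}
+]
+}
+],
+options: {
+layout: {
+locked: 1
+}
+}
+}
+],
+configType: "TABBED"
+}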
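Review bot: The "Threats" tab object carries seven `options` keys — six consecutive `options: { layout: { locked: … } }` blocks at new lines 232–261 that alternate between `locked: 1` and `locked: 0`, plus another at lines 334–338 — so which value takes effect depends on the consumer's duplicate-key handling (most parsers keep the last, some reject the document outright); collapse them to the single `options: { layout: { locked: 1 } }` at line 334 and delete the other six. The "Threat Vectors" preset values at lines 314–329 write `dataSource.name='Abnormal Security'` without the `\\` that every other query and filter value in the file uses, so whichever form the query parser actually requires, one group of presets will match nothing; pick one form and use it in all three filter groups. Booleans are also mixed as strings and literals (`autoScale: "true"` and `showBarsColumn: "false"` next to `enabled: false`), and `"tabName"` is the only quoted key in the file. That last point only matters if the target dashboard importer accepts relaxed JSON at all — worth confirming, since a strict `application/json` parser would reject the unquoted keys before reaching any of the above.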
