abnormal_security: add support for Not Analyzed Messages data stream (#13483)

Add support for AI Security Mailbox Not Analyzed data stream.

Author: chemamartinez

packages/abnormal_security/_dev/build/docs/README.md

@@ -6,10 +6,12 @@ The Abnormal Security integration collects data for AI Security Mailbox (formerl
 
 ## Data streams
 
-The Abnormal Security integration collects four types of logs:
+The Abnormal Security integration collects six types of logs:
 
 - **[AI Security Mailbox](https://app.swaggerhub.com/apis-docs/abnormal-security/abx/1.4.3#/AI%20Security%20Mailbox%20(formerly%20known%20as%20Abuse%20Mailbox))** - Get details of AI Security Mailbox.
 
+- **[AI Security Mailbox Not Analyzed](https://app.swaggerhub.com/apis/abnormal-security/abx/1.4.3#/AI%20Security%20Mailbox%20(formerly%20known%20as%20Abuse%20Mailbox)/v1_abuse_mailbox_not_analyzed_retrieve)** - Get details of messages submitted to AI Security Mailbox that were not analyzed.
+
 - **[Audit](https://app.swaggerhub.com/apis-docs/abnormal-security/abx/1.4.3#/Audit%20Logs)** - Get details of Audit logs for Portal.
 
 - **[Case](https://app.swaggerhub.com/apis-docs/abnormal-security/abx/1.4.3#/Cases)** - Get details of Abnormal Cases.
@@ -76,6 +78,16 @@ This is the `ai_security_mailbox` dataset.
 
 {{fields "ai_security_mailbox"}}
 
+### AI Security Mailbox Not Analyzed
+
+This is the `ai_security_mailbox_not_analyzed` dataset.
+
+#### Example
+
+{{event "ai_security_mailbox_not_analyzed"}}
+
+{{fields "ai_security_mailbox_not_analyzed"}}
+
 ### Audit
 
 This is the `audit` dataset.

packages/abnormal_security/_dev/deploy/docker/files/config.yml

@@ -101,6 +101,65 @@ rules:
               "attackType": "Attack Type: Spam"
           }
           `}}
+  - path: /v1/abuse_mailbox/not_analyzed
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+              "results": [
+                  {
+                      "abx_message_id": -7361381340273523750,
+                      "recipient": {
+                          "email": "[email protected]",
+                          "name": "Phishing Test"
+                      },
+                      "reported_datetime": "2025-03-06T17:27:15Z",
+                      "reporter": {
+                          "email": "[email protected]",
+                          "name": "Reporter Test"
+                      },
+                      "subject": "Re: Subject",
+                      "not_analyzed_reason": "ROUTED_SUBMISSION"
+                  },
+                  {
+                      "abx_message_id": 240750237502375023,
+                      "recipient": {
+                          "email": "[email protected]",
+                          "name": "Phishing Test"
+                      },
+                      "reported_datetime": "2025-03-04T18:50:27Z",
+                      "reporter": {
+                          "email": "[email protected]",
+                          "name": "Test Example"
+                      },
+                      "subject": "Fwd: Forwarded email",
+                      "not_analyzed_reason": "INVALID_SUBMISSION"
+                  },
+                  {
+                      "abx_message_id": -1234567891234567891,
+                      "recipient": {
+                          "email": "[email protected]",
+                          "name": "Phishing Test"
+                      },
+                      "reported_datetime": "2025-03-04T17:03:55Z",
+                      "reporter": {
+                          "email": "[email protected]",
+                          "name": "Info Test"
+                      },
+                      "subject": "Fwd: Forwarded email",
+                      "not_analyzed_reason": "PHISHING_SIMULATION"
+                  }
+              ]
+          }
+          `}}
   - path: /v1/auditlogs
     methods: ['GET']
     query_params:

packages/abnormal_security/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.0"
+  changes:
+    - description: New data stream for not analyzed messages in AI Security Mailbox.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13483
 - version: "1.5.0"
   changes:
     - description: Added support for vendor case data stream.

packages/abnormal_security/data_stream/ai_security_mailbox/agent/stream/cel.yml.hbs

@@ -1,9 +1,9 @@
 config_version: 2
 interval: {{interval}}
-{{#if enable_request_tracer}}
-resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
-resource.tracer.maxbackups: 5
-{{/if}}
+resource.tracer:
+  enabled: {{enable_request_tracer}}
+  filename: "../../logs/cel/http-request-trace-*.ndjson"
+  maxbackups: 5
 {{#if proxy_url}}
 resource.proxy_url: {{proxy_url}}
 {{/if}}

packages/abnormal_security/data_stream/ai_security_mailbox/manifest.yml

@@ -44,7 +44,7 @@ streams:
         multi: false
         required: false
         show_user: false
-        description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
+        description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.
       - name: tags
         type: text
         title: Tags

packages/abnormal_security/data_stream/ai_security_mailbox_not_analyzed/_dev/test/pipeline/test-ai-security-mailbox-not-analyzed.log

@@ -0,0 +1,3 @@
+{"abx_message_id":-7361381340273523750,"recipient":{"email":"[email protected]","name":"Phishing Test"},"reported_datetime":"2025-03-06T17:27:15Z","reporter":{"email":"[email protected]","name":"Reporter Test"},"subject":"Re: Subject","not_analyzed_reason":"ROUTED_SUBMISSION"}
+{"abx_message_id":240750237502375023,"recipient":{"email":"[email protected]","name":"Phishing Test"},"reported_datetime":"2025-03-04T18:50:27Z","reporter":{"email":"[email protected]","name":"Test Example"},"subject":"Fw: Forwarded email","not_analyzed_reason":"INVALID_SUBMISSION"}
+{"abx_message_id":-1234567891234567891,"recipient":{"email":"[email protected]","name":"Phishing Test"},"reported_datetime":"2025-03-04T17:03:55Z","reporter":{"email":"[email protected]","name":"Info Test"},"subject":"Fwd: Forwarded email","not_analyzed_reason":"PHISHING_SIMULATION"}

packages/abnormal_security/data_stream/ai_security_mailbox_not_analyzed/_dev/test/pipeline/test-ai-security-mailbox-not-analyzed.log-expected.json

@@ -0,0 +1,175 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-03-06T17:27:15.000Z",
+            "abnormal_security": {
+                "ai_security_mailbox_not_analyzed": {
+                    "abx_message_id": "-7361381340273523750",
+                    "reason": "ROUTED_SUBMISSION",
+                    "recipient": {
+                        "address": "[email protected]",
+                        "name": "Phishing Test"
+                    },
+                    "reported_time": "2025-03-06T17:27:15Z",
+                    "reporter": {
+                        "address": "[email protected]",
+                        "name": "Reporter Test"
+                    },
+                    "subject": "Re: Subject"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "email": {
+                "subject": "Re: Subject",
+                "to": {
+                    "address": [
+                        "[email protected]"
+                    ]
+                }
+            },
+            "event": {
+                "category": [
+                    "email"
+                ],
+                "id": "-7361381340273523750",
+                "kind": "event",
+                "original": "{\"abx_message_id\":-7361381340273523750,\"recipient\":{\"email\":\"[email protected]\",\"name\":\"Phishing Test\"},\"reported_datetime\":\"2025-03-06T17:27:15Z\",\"reporter\":{\"email\":\"[email protected]\",\"name\":\"Reporter Test\"},\"subject\":\"Re: Subject\",\"not_analyzed_reason\":\"ROUTED_SUBMISSION\"}",
+                "reason": "ROUTED_SUBMISSION",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "product": "Inbound Email Security",
+                "vendor": "Abnormal"
+            },
+            "related": {
+                "user": [
+                    "[email protected]",
+                    "Phishing Test",
+                    "[email protected]",
+                    "Reporter Test"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "@timestamp": "2025-03-04T18:50:27.000Z",
+            "abnormal_security": {
+                "ai_security_mailbox_not_analyzed": {
+                    "abx_message_id": "240750237502375023",
+                    "reason": "INVALID_SUBMISSION",
+                    "recipient": {
+                        "address": "[email protected]",
+                        "name": "Phishing Test"
+                    },
+                    "reported_time": "2025-03-04T18:50:27Z",
+                    "reporter": {
+                        "address": "[email protected]",
+                        "name": "Test Example"
+                    },
+                    "subject": "Fw: Forwarded email"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "email": {
+                "subject": "Fw: Forwarded email",
+                "to": {
+                    "address": [
+                        "[email protected]"
+                    ]
+                }
+            },
+            "event": {
+                "category": [
+                    "email"
+                ],
+                "id": "240750237502375023",
+                "kind": "event",
+                "original": "{\"abx_message_id\":240750237502375023,\"recipient\":{\"email\":\"[email protected]\",\"name\":\"Phishing Test\"},\"reported_datetime\":\"2025-03-04T18:50:27Z\",\"reporter\":{\"email\":\"[email protected]\",\"name\":\"Test Example\"},\"subject\":\"Fw: Forwarded email\",\"not_analyzed_reason\":\"INVALID_SUBMISSION\"}",
+                "reason": "INVALID_SUBMISSION",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "product": "Inbound Email Security",
+                "vendor": "Abnormal"
+            },
+            "related": {
+                "user": [
+                    "[email protected]",
+                    "Phishing Test",
+                    "[email protected]",
+                    "Test Example"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "@timestamp": "2025-03-04T17:03:55.000Z",
+            "abnormal_security": {
+                "ai_security_mailbox_not_analyzed": {
+                    "abx_message_id": "-1234567891234567891",
+                    "reason": "PHISHING_SIMULATION",
+                    "recipient": {
+                        "address": "[email protected]",
+                        "name": "Phishing Test"
+                    },
+                    "reported_time": "2025-03-04T17:03:55Z",
+                    "reporter": {
+                        "address": "[email protected]",
+                        "name": "Info Test"
+                    },
+                    "subject": "Fwd: Forwarded email"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "email": {
+                "subject": "Fwd: Forwarded email",
+                "to": {
+                    "address": [
+                        "[email protected]"
+                    ]
+                }
+            },
+            "event": {
+                "category": [
+                    "email"
+                ],
+                "id": "-1234567891234567891",
+                "kind": "event",
+                "original": "{\"abx_message_id\":-1234567891234567891,\"recipient\":{\"email\":\"[email protected]\",\"name\":\"Phishing Test\"},\"reported_datetime\":\"2025-03-04T17:03:55Z\",\"reporter\":{\"email\":\"[email protected]\",\"name\":\"Info Test\"},\"subject\":\"Fwd: Forwarded email\",\"not_analyzed_reason\":\"PHISHING_SIMULATION\"}",
+                "reason": "PHISHING_SIMULATION",
+                "type": [
+                    "info"
+                ]
+            },
+            "observer": {
+                "product": "Inbound Email Security",
+                "vendor": "Abnormal"
+            },
+            "related": {
+                "user": [
+                    "[email protected]",
+                    "Phishing Test",
+                    "[email protected]",
+                    "Info Test"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ]
+        }
+    ]
+}

packages/abnormal_security/data_stream/ai_security_mailbox_not_analyzed/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_duplicate_custom_fields

packages/abnormal_security/data_stream/ai_security_mailbox_not_analyzed/_dev/test/system/test-default-config.yml

@@ -0,0 +1,13 @@
+input: cel
+service: abnormal_security
+vars:
+  url: http://{{Hostname}}:{{Port}}
+  access_token: xxxx
+data_stream:
+  vars:
+    interval: 1h
+    initial_interval: 2160h
+    preserve_original_event: true
+    preserve_duplicate_custom_fields: true
+assert:
+  hit_count: 3