Learn about recent enhancements to Abnormal's behavioral AI security platform.
Introducing Security Posture Management (Beta)
November 30, 2022
The Security Posture Management add-on improves the risk posture of cloud email environments by helping security teams understand and take action on configuration gaps, while eliminating the need for manual efforts, spreadsheets, or PowerShell scripts that are typically needed to perform discovery and mitigation.
Security Posture Management uses the data within behavioral profiles built by three of the Abnormal Knowledge Bases - PeopleBase, AppBase, and TenantBase - to determine when a potentially harmful or unexpected configuration change has occurred. Armed with this knowledge, the platform monitors for high-risk configuration drifts, including privilege escalations, new third-party apps, and conditional access policy exceptions. Once these changes are identified, teams are notified and can action changes in a simple acknowledgement workflow.
New Sender IP Address and URL for Search & Respond
November 29, 2022
Detection 360 Filters
November 21, 2022
Abnormal users can now quickly find submitted detection tickets in Detection 360. The new functionality enables users to filter all D360 cases by:
- Sender - name or email address
- Recipient - name or email address
- Subject - title of message
- Submitted by - name
- Case Number - D360 Case number
- Time - the time span to search
- Status - Resolved/Submitted
- VIP - reports involving VIPs and/or non-VIPs
To access filters, click on Investigate > Detection 360 and use the Filter By pop-up.
November 18, 2022
New SIEM Event Type: Audit Log
November 15, 2022
Abnormal's SIEM export schema and API functionality have both been expanded to include Abnormal Audit Logs. This added feature allows customers to ingest audit logs into their SIEM or SOAR integrations, extract relevant information, and create incident response workflows and alerts for suspicious user activity.
Introducing Knowledge Bases: AppBase, PeopleBase, TenantBase
November 15, 2022
The vendors, third-party applications, and employees that have access to data within your Microsoft 365 environment can serve as potential entry points for attackers to carry out account takeovers, privilege escalations, and third-party application abuse. Unfortunately, security teams often lack visibility into the risks to their cloud email environment, because information about the most business-critical configuration settings is scattered across multiple control panes. To help you and your team gain visibility into potential People, Application, and Tenant attack surface areas in Microsoft 365, we have added three new Knowledge Bases: TenantBase, AppBase, and PeopleBase. Each is available as a no-cost Platform capability for all Abnormal customers.
TenantBase provides a catalog of each of the email tenants Abnormal Security protects and the relevant permissions governing access to them.
AppBase centralizes app activity data, permissions, and key metadata for all applications integrated into your cloud email platform. Identify risky applications, whether over-permissioned or simply unknown and unusual, then track ongoing activity to conduct a thorough and expeditious investigation into potentially malicious third-party apps.
PeopleBase provides a directory of each of the active users in the environment. It uses contextual, behavioral data to build a dynamic user genome. PeopleBase also provides an activity timeline of recent events, including sign-on patterns, suspicious email activity, and more.
New SIEM Event Fields
November 15, 2022
Added two new fields into the threats event type in the SIEM export schema to provide more granular detail to SOC teams:
- attack_score - The information is currently shown in the Threat Log > Threat Log Details page.
- folder_locations - This information is currently shown on the Threat Log > Threat Log Details page, in the Remediation Options card, which indicates where the email was found.
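As an added example of consuming these exports (this is not Abnormal's code and not a documented schema), the Python consumer below triages threats events from attack_score and folder_locations, and raises alerts from audit_log events of the kind the Audit Log entry above describes. The event_type discriminator, the newline-delimited layout, the actor and action field names and the action values are all assumptions; the only field names taken from the release notes are attack_score and folder_locations, so map everything else to the real schema before use.

```python
"""Triage helpers for Abnormal SIEM export events.

Added example, not Abnormal's code. Assumptions not stated in the release notes:
events arrive as newline-delimited JSON with an "event_type" discriminator
("threats" or "audit_log"), and the audit-log field names "actor" and "action"
plus the action values below are placeholders. Only attack_score and
folder_locations are field names taken from the release notes.
"""
import json
from collections import Counter

# Audit-log actions to alert on immediately (placeholder names, see above).
SENSITIVE_ACTIONS = {"role_assignment_changed", "api_key_created", "remediation_policy_changed"}


def triage_threat(event: dict, score_threshold: float = 80.0) -> dict:
    """Assign a priority from attack_score and from where the message was found."""
    score = float(event.get("attack_score", 0))
    # folder_locations: the mailbox folders the message was found in (may be empty).
    folders = [str(f).lower() for f in event.get("folder_locations", [])]
    in_inbox = "inbox" in folders
    if score >= score_threshold and in_inbox:
        priority = "P1"  # confident verdict and the user can still open it
    elif score >= score_threshold:
        priority = "P2"  # confident verdict, already outside the Inbox
    elif in_inbox:
        priority = "P3"  # lower confidence but still user-reachable
    else:
        priority = "P4"
    return {"id": event.get("id"), "priority": priority, "score": score, "in_inbox": in_inbox}


def process_batch(jsonl_lines, score_threshold: float = 80.0, burst_limit: int = 3) -> dict:
    """Walk one export batch: triage threats, raise alerts from audit-log events."""
    threats, alerts = [], []
    actor_counts = Counter()
    for line in jsonl_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"kind": "malformed", "raw": line[:80]})
            continue
        etype = event.get("event_type")
        if etype == "threats":
            threats.append(triage_threat(event, score_threshold))
        elif etype == "audit_log":
            actor = event.get("actor", "<unknown>")
            action = event.get("action")
            actor_counts[actor] += 1
            if action in SENSITIVE_ACTIONS:
                alerts.append({"kind": "sensitive_action", "actor": actor, "action": action})
            if actor_counts[actor] == burst_limit:
                # Fires once per actor when its count in this batch reaches the limit.
                alerts.append({"kind": "burst", "actor": actor, "count": burst_limit})
        else:
            alerts.append({"kind": "unknown_event_type", "event_type": etype})
    return {"threats": threats, "alerts": alerts}


# Constructed sample batch (not real export data).
SAMPLE_EXPORT = """
{"event_type": "threats", "id": "t-1", "attack_score": 92, "folder_locations": ["Inbox"]}
{"event_type": "threats", "id": "t-2", "attack_score": 95, "folder_locations": ["Junk Email"]}
{"event_type": "threats", "id": "t-3", "attack_score": 40, "folder_locations": ["Inbox", "Deleted Items"]}
{"event_type": "audit_log", "actor": "admin@example.com", "action": "login"}
{"event_type": "audit_log", "actor": "admin@example.com", "action": "api_key_created"}
{"event_type": "audit_log", "actor": "admin@example.com", "action": "role_assignment_changed"}
{"event_type": "audit_log", "actor": "analyst@example.com", "action": "login"}
this line is not JSON
""".strip().splitlines()

if __name__ == "__main__":
    print(json.dumps(process_batch(SAMPLE_EXPORT), indent=2))
```

The priority ladder is the point: a high attack_score on a message that is still in the Inbox is the one to act on first, while the same score on a message already in Junk Email can wait, and malformed or unknown event types are surfaced rather than silently dropped so a schema change in the export does not go unnoticed.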
Detection 360 Email Notifications
November 14, 2022
API Endpoint Enhancement for Abuse Mailbox Automation
November 10, 2022
Abnormal has added a REST API endpoint to allow developers to programmatically extract more information from Abuse Mailbox Automation.
The new GET /abuse_mailbox/not_analyzed endpoint allows customers to view a list of end-user-submitted phishing reports that Abuse Mailbox did not analyze, together with the reasons why and corresponding details such as reporter, reporter email, reported time, and more.
This endpoint can be used immediately by any customers who have already integrated with the Abnormal API. For integration instructions, see Abnormal REST API Integration Guide.
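An added example of calling and summarizing this endpoint, written here and not taken from Abnormal's integration guide or SDK: the client builds the GET request with a bearer token, and the summarizer groups not-analyzed reports by reason and flags reporters whose submissions are repeatedly skipped, which is what a SOC would use to tune the intake. The base URL, the authentication header, the response shape and the record field names (reporter, reporter_email, reported_time, reason) are assumptions chosen to match the fields the entry above lists in prose; confirm them against the Abnormal REST API Integration Guide.

```python
"""Fetch and summarize reports that Abuse Mailbox Automation did not analyze.

Added example, not Abnormal's code. Assumptions not stated in the release notes:
the API base URL (placeholder below), bearer-token authentication, the response
shape, and the per-record field names "reporter", "reporter_email",
"reported_time" and "reason". Take the real values from the integration guide.
"""
import json
import urllib.request
from collections import Counter, defaultdict

# Placeholder: substitute the base URL documented in the integration guide.
BASE_URL = "https://api.example.invalid/v1"


def fetch_not_analyzed(token: str, base_url: str = BASE_URL, timeout: int = 30) -> list:
    """GET /abuse_mailbox/not_analyzed and return the list of report records."""
    req = urllib.request.Request(
        f"{base_url}/abuse_mailbox/not_analyzed",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    # Assumed response shape: either a bare list or an object with a "reports" list.
    return body if isinstance(body, list) else body.get("reports", [])


def summarize_not_analyzed(reports: list, repeat_threshold: int = 2) -> dict:
    """Group skipped reports by reason and surface reporters skipped repeatedly."""
    by_reason = Counter()
    reporters_by_reason = defaultdict(set)
    reporter_counts = Counter()
    for r in reports:
        reason = r.get("reason") or "unspecified"
        reporter = r.get("reporter_email") or r.get("reporter") or "<unknown>"
        by_reason[reason] += 1
        reporters_by_reason[reason].add(reporter)
        reporter_counts[reporter] += 1
    return {
        "total": len(reports),
        "by_reason": dict(by_reason),
        "reporters_by_reason": {k: sorted(v) for k, v in reporters_by_reason.items()},
        "repeat_reporters": [rep for rep, n in reporter_counts.most_common() if n >= repeat_threshold],
    }


# Constructed sample response (not real API output; reason strings are invented).
SAMPLE_REPORTS = [
    {"reporter": "A. Analyst", "reporter_email": "a@example.com",
     "reported_time": "2022-11-10T09:01:00Z", "reason": "empty_submission"},
    {"reporter": "A. Analyst", "reporter_email": "a@example.com",
     "reported_time": "2022-11-10T09:05:00Z", "reason": "empty_submission"},
    {"reporter": "B. User", "reporter_email": "b@example.com",
     "reported_time": "2022-11-10T10:30:00Z", "reason": "unsupported_format"},
    {"reporter": "C. User", "reporter_email": "c@example.com",
     "reported_time": "2022-11-10T11:00:00Z"},
]

if __name__ == "__main__":
    # Live use: summarize_not_analyzed(fetch_not_analyzed("<API_TOKEN>"))
    print(json.dumps(summarize_not_analyzed(SAMPLE_REPORTS), indent=2))
```

A record with no reason is counted under "unspecified" rather than dropped, so the totals still reconcile with what the endpoint returned; the repeat-reporter list is where a team would start if one mailbox keeps forwarding reports in a format the automation cannot extract.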
Abuse Mailbox Automation Now Analyzes and Surfaces Multi-forwarded Email Threads
October 25, 2022
Improved extraction logic in Abuse Mailbox Automation to surface reported phishing messages that were multi-forwarded or replied to.
Now, when employees submit multi-forwarded email threads to the Abuse Mailbox Automation for analysis, Abnormal will automatically triage and remediate them within seconds, adding to the 4x time savings SOC teams can achieve. The Email Summary view now includes context about forwards or replies within the message. Analysis details will show the origin of the email, i.e. “this email is the first in a thread with two replies.”
New Search and Respond Fields and Filters
October 20, 2022
Security analysts can locate specific emails more quickly with a new filter and search fields. Customers who have Email Productivity enabled can filter the search to only show Graymail messages. Additionally, customers can now use two new fields to quickly search by:
- Message ID
- Attachment name
Improved Spam Detection
October 14, 2022
Abnormal has enhanced Inbound Email Security's detection model by leveraging behavioral intelligence that models more known-good behaviors in order to identify anomalies in emails that indicate spam. For example, older domains are less likely than young domains to be carrying out this newer type of spam we are now filtering out of inboxes.
Inbound Email Security now filters twice the volume of spam to a hidden folder, freeing security analysts from having to triage additional user-reported spam in their abuse mailbox.
BERT Large Language Model (LLM)
October 12, 2022
With the addition of the BERT LLM enhancement, Abnormal's detection models can more easily determine if two emails are similar and are part of the same polymorphic email campaign targeting an organization. Additionally, these pre-trained BERT LLMs give Abnormal the ability to understand content and text and the intention of a possible attacker in a highly scalable manner.
Here's an example of the differences a word's meaning can have depending on where it sits within a sentence.
Because BERT understands the context in which a word appears in text, it returns different embeddings for the word in different positions: vectors that capture the word's meaning in context, which are then used to detect similar spam campaigns.
Detection 360 API Endpoint
October 7, 2022
New API endpoint for customers to fetch a list of Detection 360° reports that they have submitted and view corresponding details for each case, including report summaries, statuses, message analyses, and more.
Customers who have integrated with the Abnormal API can use this endpoint to extract their D360° information. For integration instructions, see the Abnormal REST API Integration Guide.