Configure Inbound Processing

Inbound Processing Explained

Inbound Processing, located in the AbuseHQ settings, gives you the power to decide which events reach AbuseHQ and how to enrich these events.

The Inbound Processing configurable flow chart presents the flow of your events before they hit AbuseHQ.

The “Incoming Events” or input node is where the parsed email and API events come into inbound processing.

The events are then triaged and tagged with the event type, and “AbuseHQ” is where data is sent to be orchestrated in your AbuseHQ instance.

 


 

Configuring Inbound Processing

You will need to access this menu within the Admin Portal to configure your Inbound Processing:

 

  1. Click the Settings option in the left menu under AbuseHQ.
  2. Click on Inbound Processing under Automation.

Default Configuration

The AbuseHQ default configuration includes a filter called “IsRecent” and a resolver called “IPResolver”.

These inbound processing steps do the following:

Step 1, “IsRecent”

  1. If an event matches the “IsRecent” date filter, the event is passed on to the “IPResolver”, as shown by the green arrow.
  2. If the event doesn’t match the “IsRecent” date filter, it is dropped and is not processed further. The flow chart illustrates this with no connected nodes or links on the “Failed” (red) output of the filter.

 

Step 2, “IPResolver”

  1. Upon receiving an event from the “IsRecent” node, the resolver attempts to enrich the IP address for an event and add a subscriber ID. The event is then passed to AbuseHQ (“AHQ”). Some resolvers resolve domain reports, such as phishing reports, to an IP address to further help identify a subscriber.

 

API Resolver

Inbound Processing is fully configurable, with an API integration to return values from your RADIUS server or CRM and to otherwise fit your inbound identification and tagging requirements.


Integrity Checks

Three Integrity Checks validate the configuration of your Inbound Processing flow. They are shown on the upper right side of the screen. These checks are:

  • “No loops” checks if there are loops in your inbound processing flow. This prevents events from being sent into limbo.
  • “Connection to AHQ” checks to make sure that there is at least one connection from “Input” to “AHQ”, so that it is at least theoretically possible for events to reach AbuseHQ. You could be over-filtering, but that is easy enough to fix.
  • “No disconnected nodes” checks if there are unreachable nodes and subgraphs.
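
The three checks above correspond to standard graph tests on the flow chart. The following is an added example, not Abusix's own code: it assumes the flow is modelled as a dictionary mapping each node to the nodes its outputs link to, and that "disconnected" means unreachable from “Input”. The function names, the sample flows and the `TypeFilter` node are hypothetical.

```python
from collections import deque

# Constructed sample flows. Each key is a node, each value lists the nodes its
# outputs are linked to (an unlinked "Failed" output simply has no entry).
DEFAULT_FLOW = {"Input": ["IsRecent"], "IsRecent": ["IPResolver"], "IPResolver": ["AHQ"]}
LOOPED_FLOW = {"Input": ["IsRecent"], "IsRecent": ["IPResolver"],
               "IPResolver": ["AHQ", "IsRecent"]}          # resolver links back
ORPHAN_FLOW = dict(DEFAULT_FLOW, TypeFilter=["AHQ"])       # nothing feeds TypeFilter


def reachable(edges, start):
    """Breadth-first search: every node an event entering at `start` can visit."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def has_loop(edges):
    """Depth-first search; meeting a node that is still on the stack is a cycle."""
    done, on_stack = set(), set()

    def visit(node):
        on_stack.add(node)
        for nxt in edges.get(node, ()):
            if nxt in on_stack or (nxt not in done and visit(nxt)):
                return True
        on_stack.discard(node)
        done.add(node)
        return False

    return any(n not in done and visit(n) for n in list(edges))


def integrity_checks(edges, source="Input", sink="AHQ"):
    """Run the three checks; also list the nodes no event can ever reach."""
    nodes = set(edges) | {n for targets in edges.values() for n in targets}
    live = reachable(edges, source)
    unreachable = sorted(nodes - live)
    return {"no_loops": not has_loop(edges),
            "connection_to_ahq": sink in live,
            "no_disconnected_nodes": not unreachable,
            "unreachable": unreachable}
```

Running `integrity_checks` on a flow before taking it live shows which of the three conditions a change would break, for example a filter whose “Passed” output was never linked onward.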

 

Saving Changes

All changes you make are saved but are not taken live immediately. This allows you to make sure that everything is configured correctly and that you do not jeopardize real incoming data.

When you are done configuring, you can either take the current configuration live by clicking the blue Set it Live button or reset the inbound processing flow chart to the currently applied config by clicking Restore live config.


 

Filtering reports based on age

Sometimes, you may only handle reports for up to X days. This might be a legal or technical requirement; in some cases, it may just be your subjective choice of handling things.

Setting up a Filter in Inbound Processing is very simple, and this exact “IsRecent” Filter is already part of the Default Inbound Processing Chain.

Opening the “IsRecent” node will show a form on the right side with all configuration options for this filter. The fields are more or less the same for all Filters.

Set a name, description, and the actual logic of the filter. In our case, we want to operate on the event’s date and check if it is younger than 30 days (“30d”). Some other examples of valuable filters may be:

  • Check if the event IP is in your configured networks.
  • Check if the event IP is in a network with a specific tag.
  • Filter based on the type of the event (spam, copyright, etc.).
  • Filter based on the sender’s email address.

 

Dropping misdirected reports

Misdirected abuse reports, with IP addresses you are not responsible for, are sometimes sent to your abuse address and can become noise.

AbuseHQ’s Inbound Processing will filter out everything except the networks you have configured in your Network Settings (Settings > Networks), allowing you to focus on only what is essential.

 

 
