Configuring Inbound Processing
Access the settings menu AbuseHQ to configure Inbound Processing.
- Click your name in the top right corner
System Settingsfrom the drop-down menu
- On the left side of your screen, select
Inbound Processingunder Automation.
Inbound Processing Explained
Inbound Processing located in AbuseHQ settings gives you the power to decide which events reach AbuseHQ and how to enrich these events.
The Inbound Processing configurable flow chart presents the flow of your events before they hit AbuseHQ.
The “Incoming Events” or input node is where the parsed email and API events come into inbound processing. The events are then triaged and tagged with the event type, and “AbuseHQ” is where data is sent to be orchestrated in your AbuseHQ instance.
Inbound Processing is fully configurable, with an API integration to return values from your radius server or CRM and to otherwise fit your inbound identification and tagging requirements.
The AbuseHQ default configuration includes a filter called “IsRecent” and a resolver called “IPResolver”.
These inbound processing steps do the following:
Step 1, “Is recent”
- If an event matches the “IsRecent” date filter it is the event is passed on to the “IPResolver” as shown by the green arrow.
- The event doesn’t match the “IsRecent” date filter, it is dropped and is not further processed. The flow chart illustrates this with no connected Nodes/Links on the “Failed” or red output of the filter.
Step 2, “IP Resolver”
- Upon receiving an event from the “Is Recent” node, the resolver attempts to enrich the IP address for an event and add a subscriber id. The event is then passed to AbuseHQ (“AHQ”). Some resolvers resolve domain reports, like phishing reports to an IP address to further help identify a subscriber.
Three Integrity Checks validate the configuration of your Inbound Processing Flow. This is shown on the upper right side of the screen. These checks are
- “No loops” checks if there are loops in your inbound processing flow. This prevents events from being sent into limbo.
- “Connection to AHQ” checks to make sure that there is at least one connection from “Input” to “AHQ” so that is at least theoretically possible for events to reach the AbuseHQ. You could be over-filtering, but that is easy enough to fix.
- “No disconnected nodes” checks if there are unreachable nodes and subgraphs.
All changes you make are saved but not directly taken live. This setting allows you to ensure that you configure everything correctly and not jeopardize real incoming data.
When you are done configuring, you can either take the current configuration live by clicking the blue
Set it Live button or reset the inbound processing flow chart to the currently applied config by clicking
Restore live config.
Filtering reports based on age
Sometimes, you may only handle reports for up to X days. This might be a legal or technical requirement; in some cases, it may just be your subjective choice of handling things.
Setting up a Filter in Inbound Processing is very simple, and this exact "IsRecent" Filter is already part of the Default Inbound Processing Chain.
Opening the “IsRecent” node will show a form on the right side with all configuration options for this filter. The fields are more or less the same for all Filters.
Set a name, description, and the actual logic of the filter. In our case, we want to operate on the event’s date and check if it is younger than 30 days (“30d”). Some other examples of valuable filters may be:
- Check if the event IP is in your configured networks.
- Check if the event IP is in a network with a specific tag.
- Filter based on the type of the event (spam, copyright, etc.).
- Filter based on the sender's email address.
Dropping misdirected reports
Misdirected abuse reports, with IP addresses you are not responsible for, are sometimes sent to your abuse address and can become noise.
AbuseHQ's Inbound processing will filter out everything except the networks you have configured in your Network Settings (Settings > Networks), allowing you to focus on only what is essential.
If you want to understand a little bit more about this feature, we recommend the following articles:
Send us a message
Having trouble with your set up or a technical issue? Get in touch with our team of Abusix experts.
Click the chat button at the bottom and send us your questions. Alternatively, you can email us at firstname.lastname@example.org