👋 How can we help you?

Configure Inbound Processing

Learn about Inbound Processing and how it fits into your work flows

Last updated on Invalid Date

Inbound Processing Explained

Inbound Processing gives you the power to decide which events reach AbuseHQ and how to enrich these events.

 

The flow of your events before they hit AbuseHQ is represented by a graph that can be found under Inbound Processing in the Settings.

 

The “Input” node is where the parsed events come in and “AHQ” is the node where data is sent into your AbuseHQ instance.

 

These two nodes cannot be removed. The rest of the graph is completely customizable to fit your needs.

 
 

Looking at the image above, you can see that in the default configuration there is a filter called “IsRecent” and a resolver called “IPResolver”. Two situations can occur:

 
  1. An event matches the “IsRecent” filter and it is passed on to the “IPResolver” as represented by the green arrow.
  1. The event doesn’t match this and is dropped and will not be further processed.
 

In the graph, this is represented by no connected Nodes/Links on the “Failed” output of the filter.

After that, the resolver attempts to enrich the event with a subscriber id, and the event is then passed to AbuseHQ (“AHQ”).

 

There are several options to manipulate incoming data.

 

Integrity Checks

 
 

The general setup of your flow is validated by Three Integrity Checks which are displayed on the upper right side:

 
  • “No loops” check if there are loops possible in your flow to avoid events being sent into limbo
  • “Connection to AHQ” checks if there is at least one connection from “Input” to “AHQ” so it is at least theoretically possible for events to reach the AbuseHQ
  • “No disconnected nodes” checks if there are unreachable nodes and subgraphs
 

Saving Changes

All changes you make are saved but not directly taken live so you can be saved to configure everything correctly and not jeopardize real incoming data.

When you are done configuring, you can either take the current configuration live by clicking the blue Take config live button or reset back to the currently applied config by clicking Reset to live config .

 

How to filter reports based on age?

In certain cases, you might not be able to handle reports that are older than X days. This might be a legal or maybe even a technical thing and in some cases just your subjective choice on how to handle things.

Setting up a Filter in Inbound Processing is very simple and this exact "IsRecent" Filter is already part of the Default Inbound Processing Chain.

Opening the “IsRecent” node will show a form on the right side with all configuration options for this filter. The fields are more or less the same for all Filters.

 
 
 

Set a name, description and the actual logic of the filter. In our case, we want to operate on the event’s date and check if it is younger than 30 days (“30d”). Some other examples of useful filters may be:

  • Check if the event IP is in your configured networks.
  • Check if the event IP is in a network with a specific tag.
  • Filter based on the type of the event (spam, copyright, etc).
  • Filter based on senders email address.
 
 
 

How to drop misguided reports?

Misdirected abuse reports, with IP addresses that you are not responsible for, are sometimes sent to you and end up being noise.

AbuseHQ's Inbound processing will filter out everything, except the networks that you have configured in your Network Settings (Settings > Networks) allowing you to focus on only, what is important.

 
 

Learn More

If you want to understand a little bit more about this feature, we recommend the following articles:

 
 
 
Did this answer your question?
😞
😐
🤩