AbuseHQ
Resolver Reference
Incident IP Resolver
DescriptionIf an IP is available in the event (as parsed from the report or supplied by a domain resolver) the subscriber ID is set to that IP. If not, the event is marked as/stays unresolved.
Abusix Header Resolver
DescriptionIf an
X-AbuseHQ-Resolve header was set in the reported email its value will be parsed and subscriber ID, contract ID, and resolver data will be set.
API Resolver
DescriptionThe most powerful resolver sends queries to a given endpoint and expects a response in a certain format. It will then set the subscriber ID, contract ID, and resolver data accordingly. Attributes
- **URL – **That URL will be called when an event goes through the resolver
- **Method – **HTTP method to be used. When GET is used, the parameters will be added as query params, when POST is used the Content-Type determines how the parameters will be encoded in the body.
- **Content-Type – **When POST is used the content-type determines how the parameters are encoded in the body of the request.
- Authnone → no authentication
HTTP → allows setting username and password for HTTP basic authentication
bearer → allows setting a bearer token that is added asAuthorization: Bearer <token>header - **Parameter-Keys – **They will be sent to the API. Key names are custom and values can be chosen from using a list of fields. Values are then extracted from the event depending on the chosen field.
clientis the subscriber id in the case that the event was resolved through some other resolver at an earlier point.
The front end offers a button to test the API resolver using some sample data, without having to take the configuration live. The request will come from the same IPs that they will come from in production.
18.193.183.51\52.57.46.129\18.158.191.233
Static String Resolver
DescriptionAllows setting a custom static ID to events going through this resolver. Attributes
- **Value – **The string that the subscriber id will be set to
From Header Resolver
DescriptionIf the report contains email evidence and that email contains a from header its value will be used as the subscriber id.
Domain Resolver
DescriptionIf a domain or URL was parsed from the report it will be used to extract a domain. Further post-processors can then change the extracted value. Attributes
- **Post-Processors – **Given processors will be applied after a domain is extracted. For this resolver only the
resolve_to_ipprocessor is available. It allows resolving extracted domains to an IP by doing a DNS lookup. Note that the DNS records might have changed since the abuse incident happened and thus the resolved IP might not be correctly identifying the source of abuse that is reported.
Headerlist Resolver
DescriptionIf the report contains email evidence and that email contains one of the given headers its value will be used as the subscriber id. The headers will be checked in the given order and post-processors will be applied after value extraction. Attributes
- **Headers – **A list of user-defined header keys that are searched in the given order.
- **Post-Processors – **Given processors will be applied after a header value is extracted. They allow decoding base64 content and extracting domains, email addresses, and domains.
Resource Part Resolver
DescriptionIf the report contains email evidence and that email contains one of the given headers its value will be used as the subscriber id. The headers will be checked in the given order and post-processors will be applied after value extraction. Attributes
- **Resource-Part – **An event currently has multiple resource-parts with key-value pairs. You can choose one of them. The incident part and evidence part correspond to the parts shown on the event detail page on AbuseHQ’s web front end.
- **Keys – **The keys to look for in the given order. (Similar to Headerlist Resolver)
- **Post-Processors – **Given processors will be applied after a header value is extracted. They allow decoding base64 content, normalizing email addresses, and extracting domains, email addresses, and domains.