Guardian Ops provides automated and manual workflows for managing your network’s abuse reports. One key feature is the ability to parse and identify abuse reports by event types and then match time frames to your customers through a simple API call. Here is a quick 3-step start guide that will help you achieve orchestration, aggregation, and automation. Guardian Ops has two core views: Customers and Cases. In the Customers view, you will see all forwarded reports aggregated to a specific customer. To get started, follow steps 1–3 to set up orchestration in inbound processing and aggregation within the customer list.

Step 1: Forwarding Your Abuse Mailbox

Forwarding your abuse reports to Abusix for processing is easy and beneficial to your organization. We will parse your abuse data and extract numerous details that will give you an exact idea of what is happening on your network. Abuse reports sent to the abuse@ role address ([email protected]) should be forwarded by “aliasing” your abuse@ role address to the SMTP email address provided to you. If you receive reports at an email address other than the abuse@ role address, “alias” that address to the SMTP email address provided as well.
⚠️ Forwarding from an email client does not work!
Forwarding using an email client changes the formatting of messages, and every email client changes the formatting differently.

Steps:

  1. Check if your “role address” is an existing alias address and if Abusix can be added as an additional alias to the address.
  2. If your role address supports aliasing, add the Data Channel forwarding address (e.g., [email protected]) as an alias in your email server.
By “aliasing” role addresses, we ensure that the emails are not altered in transit, no additional headers are added, and the report is not repackaged in an envelope in an email. For more information on forwarding your abuse data, see the abuse management page documentation.

Step 2: Customer Resolving

To process your data, Guardian Ops needs to resolve the customer associated with the abuse report. This can be done in two ways:
  1. IP-Based Resolution:
    Guardian Ops uses the IP address from the abuse report as the customer ID.
  2. API-Based Resolution:
    Guardian Ops can call your RESTful API with the IP address and event timestamp to retrieve the correct customer ID and related information. This is ideal for dynamic IP assignments or when additional metadata is needed.
Choose the method that best fits your network and customer management setup.
If you decide to use IPs as customer identifiers, please jump to step 3 and remember to configure the IP Resolver during the configuration of Inbound Processing.
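For API-based resolution with dynamic IP assignments, the lookup behind your API has to answer "who held this IP at the event timestamp", not "who holds it now". The sketch below is an added example, not Abusix code: the lease table, the function names and the half-open lease interval are assumptions, and the HTTP layer is left out because this guide does not specify the request or response format.

```python
import ipaddress
from bisect import bisect_right
from datetime import datetime, timezone

# Constructed sample lease history: (ip, lease_start, lease_end, customer_id).
LEASES = [
    ("203.0.113.10", "2024-05-01T00:00:00Z", "2024-05-01T12:00:00Z", "cust-1001"),
    ("203.0.113.10", "2024-05-01T12:00:00Z", "2024-05-02T00:00:00Z", "cust-2002"),
    ("203.0.113.11", "2024-05-01T00:00:00Z", "2024-05-03T00:00:00Z", "cust-3003"),
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC; reject naive values."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return ts.astimezone(timezone.utc)

def build_index(leases):
    """Group leases by IP and sort each group by lease start time."""
    index = {}
    for ip, start, end, customer in leases:
        key = ipaddress.ip_address(ip)
        index.setdefault(key, []).append((parse_ts(start), parse_ts(end), customer))
    for rows in index.values():
        rows.sort()
    return index

def resolve_customer(index, ip, event_time):
    """Return the customer that held `ip` at `event_time`, or None if unknown."""
    try:
        key = ipaddress.ip_address(ip)
        ts = parse_ts(event_time)
    except ValueError:
        return None  # malformed IP or timestamp: do not guess a customer
    rows = index.get(key, [])
    # Latest lease that started at or before the event.
    pos = bisect_right([r[0] for r in rows], ts) - 1
    if pos < 0:
        return None
    start, end, customer = rows[pos]
    # Half-open interval [start, end): at handover the new holder wins.
    return customer if start <= ts < end else None

INDEX = build_index(LEASES)
```

Returning no match for a timestamp outside every lease keeps a report from being attached to whichever customer currently holds the address.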

Step 3: Configuring Inbound Processing

Inbound Processing, located in the Guardian Ops settings, gives you the power to decide which events reach Guardian Ops and how to enrich and aggregate those events into cases. To learn more about cases, see Case documentation. The configurable Inbound Processing Flow Chart presents the journey of your events before they end up in Guardian Ops.
  • The “Incoming Events” (input node) is where parsed email and API events (XARF) enter the inbound processing flow.
  • Events are then triaged and assigned with an event type.
  • Finally, data is sent to Guardian Ops, where it is aggregated.

Configuring Inbound Processing

To configure Inbound Processing:
  1. Click Settings under Guardian Ops in the left-hand menu where the Inbound Processing tab is located.
  2. Click Inbound Processing in the top navigation bar.
  3. Create a new draft by clicking the New Draft button.
  4. Drag and drop a node from the top left of the grid.
Use the IP resolver node or the API resolver node created in the previous step for this guide.

Saving and Activating the Flow

  1. After adding the nodes and configuring them, make sure to give the draft a proper name.
  2. Click the Save button to save your changes.
  3. To activate the flow, click the Activate button.
If everything is configured correctly, as soon as you receive a new abuse report, you should see the related customer in the Customer list with the report attached. For configuration examples and full guidance, see the configuring inbound processing documentation.
