Inbound Processing Explained

Inbound Processing, located in the AbuseHQ settings, gives you the power to decide which events reach AbuseHQ and how to enrich those events.

The configurable Inbound Processing Flow Chart presents the journey of your events before they enter AbuseHQ.

  • The “Incoming Events” (input node) is where parsed email and API events enter the inbound processing flow.
  • Events are then triaged and tagged with an event type.
  • Finally, data is sent to AbuseHQ, where it is orchestrated.

Configuring Inbound Processing

To configure Inbound Processing:

  1. Open the Admin Portal in AbuseHQ.
  2. Click Settings in the left-hand menu.
  3. Under Automation, click Inbound Processing.

Default Configuration

The default AbuseHQ Inbound Processing setup includes:

  • A filter called IsRecent
  • A resolver called IPResolver

Step 1: IsRecent

  • If an event matches the date filter, it proceeds to the IPResolver. (Shown by a green arrow in the flow chart.)
  • If it does not match, the event is dropped and not processed further. (This is shown with no link from the “Failed” red output.)

Step 2: IPResolver

  • This resolver enriches the event’s IP address and adds a Subscriber ID.
  • The event is then forwarded to AbuseHQ (AHQ).
  • Some resolvers can resolve domain-based reports (e.g., phishing) to an IP address to help identify the correct subscriber.

API Resolver

Inbound Processing is fully configurable and supports API integrations.

For example, you can:

  • Query values from your RADIUS server or CRM
  • Customize identification and tagging logic

Integrity Checks

Inbound Processing includes three integrity checks, displayed in the upper-right of the configuration screen:

  1. No loops – Ensures there are no circular paths in the flow.
  2. Connection to AHQ – Verifies that there’s at least one path from the input node to AbuseHQ.
  3. No disconnected nodes – Detects isolated nodes or subgraphs that can’t be reached.

Saving Changes

Changes made in Inbound Processing are saved, but not live immediately.

Once your configuration is ready:

  • Click Set it Live to apply it.
  • Click Restore live config to reset the chart to the current live version.

Filtering Reports Based on Age

You may only want to process reports up to a certain age (e.g., 30 days), based on legal, technical, or organizational policies.

  • Use the IsRecent filter to accomplish this.
  • This filter is included in the default processing chain.

Configuration Steps:

  1. Click the IsRecent node.
  2. Fill out the form on the right:
    • Set a name, description, and the filter logic.
    • Example: check if an event’s date is newer than 30d.

Other useful filters might include:

  • IP is in a configured network
  • IP has a specific network tag
  • Event type (e.g., spam, copyright)
  • Sender’s email address

Dropping Misdirected Reports

Sometimes, abuse reports are sent to your address for IPs you do not manage—these are considered noise.

AbuseHQ’s Inbound Processing can filter out such misdirected reports by comparing them to your defined networks in:

Settings > Networks

This ensures you focus only on events relevant to your infrastructure.

Inbound Processing Explained

Inbound Processing, located in the AbuseHQ settings, gives you the power to decide which events reach AbuseHQ and how to enrich those events.

The configurable Inbound Processing Flow Chart presents the journey of your events before they enter AbuseHQ.

  • The “Incoming Events” (input node) is where parsed email and API events enter the inbound processing flow.
  • Events are then triaged and tagged with an event type.
  • Finally, data is sent to AbuseHQ, where it is orchestrated.

Configuring Inbound Processing

To configure Inbound Processing:

  1. Open the Admin Portal in AbuseHQ.
  2. Click Settings in the left-hand menu.
  3. Under Automation, click Inbound Processing.

Default Configuration

The default AbuseHQ Inbound Processing setup includes:

  • A filter called IsRecent
  • A resolver called IPResolver

Step 1: IsRecent

  • If an event matches the date filter, it proceeds to the IPResolver. (Shown by a green arrow in the flow chart.)
  • If it does not match, the event is dropped and not processed further. (This is shown with no link from the “Failed” red output.)

Step 2: IPResolver

  • This resolver enriches the event’s IP address and adds a Subscriber ID.
  • The event is then forwarded to AbuseHQ (AHQ).
  • Some resolvers can resolve domain-based reports (e.g., phishing) to an IP address to help identify the correct subscriber.

API Resolver

Inbound Processing is fully configurable and supports API integrations.

For example, you can:

  • Query values from your RADIUS server or CRM
  • Customize identification and tagging logic

Integrity Checks

Inbound Processing includes three integrity checks, displayed in the upper-right of the configuration screen:

  1. No loops – Ensures there are no circular paths in the flow.
  2. Connection to AHQ – Verifies that there’s at least one path from the input node to AbuseHQ.
  3. No disconnected nodes – Detects isolated nodes or subgraphs that can’t be reached.

Saving Changes

Changes made in Inbound Processing are saved, but not live immediately.

Once your configuration is ready:

  • Click Set it Live to apply it.
  • Click Restore live config to reset the chart to the current live version.

Filtering Reports Based on Age

You may only want to process reports up to a certain age (e.g., 30 days), based on legal, technical, or organizational policies.

  • Use the IsRecent filter to accomplish this.
  • This filter is included in the default processing chain.

Configuration Steps:

  1. Click the IsRecent node.
  2. Fill out the form on the right:
    • Set a name, description, and the filter logic.
    • Example: check if an event’s date is newer than 30d.

Other useful filters might include:

  • IP is in a configured network
  • IP has a specific network tag
  • Event type (e.g., spam, copyright)
  • Sender’s email address

Dropping Misdirected Reports

Sometimes, abuse reports are sent to your address for IPs you do not manage—these are considered noise.

AbuseHQ’s Inbound Processing can filter out such misdirected reports by comparing them to your defined networks in:

Settings > Networks

This ensures you focus only on events relevant to your infrastructure.