Configure Inbound Processing
Configure Inbound Processing
Inbound Processing Explained
Inbound Processing, located in the AbuseHQ settings, gives you the power to decide which events reach AbuseHQ and how to enrich those events.
The configurable Inbound Processing Flow Chart presents the journey of your events before they enter AbuseHQ.
- The “Incoming Events” (input node) is where parsed email and API events enter the inbound processing flow.
- Events are then triaged and tagged with an event type.
- Finally, data is sent to AbuseHQ, where it is orchestrated.
Configuring Inbound Processing
To configure Inbound Processing:
- Open the Admin Portal in AbuseHQ.
- Click Settings in the left-hand menu.
- Under Automation, click Inbound Processing.
Default Configuration
The default AbuseHQ Inbound Processing setup includes:
- A filter called
IsRecent
- A resolver called
IPResolver
Step 1: IsRecent
- If an event matches the date filter, it proceeds to the
IPResolver
. (Shown by a green arrow in the flow chart.) - If it does not match, the event is dropped and not processed further. (This is shown with no link from the “Failed” red output.)
Step 2: IPResolver
- This resolver enriches the event’s IP address and adds a Subscriber ID.
- The event is then forwarded to AbuseHQ (AHQ).
- Some resolvers can resolve domain-based reports (e.g., phishing) to an IP address to help identify the correct subscriber.
API Resolver
Inbound Processing is fully configurable and supports API integrations.
For example, you can:
- Query values from your RADIUS server or CRM
- Customize identification and tagging logic
Integrity Checks
Inbound Processing includes three integrity checks, displayed in the upper-right of the configuration screen:
- No loops – Ensures there are no circular paths in the flow.
- Connection to AHQ – Verifies that there’s at least one path from the input node to AbuseHQ.
- No disconnected nodes – Detects isolated nodes or subgraphs that can’t be reached.
Saving Changes
Changes made in Inbound Processing are saved, but not live immediately.
Once your configuration is ready:
- Click Set it Live to apply it.
- Click Restore live config to reset the chart to the current live version.
Filtering Reports Based on Age
You may only want to process reports up to a certain age (e.g., 30 days), based on legal, technical, or organizational policies.
- Use the
IsRecent
filter to accomplish this. - This filter is included in the default processing chain.
Configuration Steps:
- Click the
IsRecent
node. - Fill out the form on the right:
- Set a name, description, and the filter logic.
- Example: check if an event’s date is newer than
30d
.
Other useful filters might include:
- IP is in a configured network
- IP has a specific network tag
- Event type (e.g., spam, copyright)
- Sender’s email address
Dropping Misdirected Reports
Sometimes, abuse reports are sent to your address for IPs you do not manage—these are considered noise.
AbuseHQ’s Inbound Processing can filter out such misdirected reports by comparing them to your defined networks in:
Settings > Networks
This ensures you focus only on events relevant to your infrastructure.