Inbound Processing Explained
Inbound Processing gives you the power to decide which events reach AbuseHQ and how to enrich these events. The flow of your events before they hit AbuseHQ is represented by a graph, which can be found under Inbound Processing in the Settings.
The “Input” node is where the parsed events come in and “AHQ” is the node where data is sent into your AbuseHQ instance. These two nodes cannot be removed. The rest of the graph is completely customizable to fit your needs.
In the default configuration, there is a filter called “IsRecent” and a resolver called “IPResolver”. If an event matches the “IsRecent” filter, it is passed on to the “IPResolver”, as represented by the green arrow. If it doesn’t match, the event is dropped and is not processed further. In the graph, this is represented by the absence of any connected nodes or links on the “Failed” output of the filter.
After that, the resolver attempts to enrich the event with a subscriber ID, and the event is then passed to AbuseHQ (“AHQ”).
There are several options to manipulate incoming data.
The general setup of your flow is validated by three Integrity Checks which are displayed on the upper right side:
- “No loops” checks whether loops are possible in your flow, so that events cannot be sent into limbo
- “Connection to AHQ” checks whether there is at least one connection from “Input” to “AHQ”, so that it is at least theoretically possible for events to reach AbuseHQ
- “No dead nodes” checks if there are unreachable nodes and subgraphs
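The three checks can be expressed as ordinary directed-graph tests. The sketch below is an added example, not AbuseHQ's own code: the adjacency-dict representation, the function names and the "Orphan" node are assumptions, and a "dead" node is taken to mean one that cannot be reached from "Input".

```python
# Added illustration; the flow representation is an assumption, not AbuseHQ's format.
from collections import deque

def reachable(graph, start):
    """Return the set of nodes reachable from start (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def has_loop(graph):
    """Detect a directed cycle with a three-colour depth-first search."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}
    def visit(node):
        colour[node] = GREY                      # node is on the current path
        for nxt in graph.get(node, ()):
            state = colour.get(nxt, WHITE)
            if state == GREY or (state == WHITE and visit(nxt)):
                return True                      # edge back into the current path
        colour[node] = BLACK                     # fully explored, no cycle through it
        return False
    return any(colour.get(n, WHITE) == WHITE and visit(n) for n in graph)

def integrity_checks(graph, source="Input", sink="AHQ"):
    """Evaluate the three checks; returns {check name: passed?}."""
    nodes = set(graph) | {t for targets in graph.values() for t in targets}
    live = reachable(graph, source)
    return {
        "No loops": not has_loop(graph),
        "Connection to AHQ": sink in live,
        "No dead nodes": not (nodes - live),
    }

# Constructed sample flows. DEFAULT_FLOW mirrors the default configuration
# described above (only the filter's matching output is connected).
DEFAULT_FLOW = {"Input": ["IsRecent"], "IsRecent": ["IPResolver"],
                "IPResolver": ["AHQ"], "AHQ": []}
# BROKEN_FLOW loops between filter and resolver; only a hypothetical
# "Orphan" node, itself unreachable from "Input", leads to "AHQ".
BROKEN_FLOW = {"Input": ["IsRecent"], "IsRecent": ["IPResolver"],
               "IPResolver": ["IsRecent"], "Orphan": ["AHQ"], "AHQ": []}

if __name__ == "__main__":
    for name, flow in (("default", DEFAULT_FLOW), ("broken", BROKEN_FLOW)):
        print(name, integrity_checks(flow))
```
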
All changes you make are saved but not taken live immediately, so you can safely configure everything correctly without jeopardizing real incoming data. When you are done configuring, you can either take the current config live by clicking the blue “Take config live” button or reset to the currently applied config by clicking “Reset to live config”.