What Changed

The Abnormal Security solution (v3.0.0) shipped a new CCF Push connector in May 2026 but included zero detection content against its custom tables. This PR closes that gap entirely, adding a full content layer required for MISA integration certification.

Analytic Rules (4 added)

All four rules are Scheduled kind, 1h frequency/period, triggering on any result (gt 0). Grouping is configured with a 5h lookback window on AllEntities.

AbnormalSecurity_HighRiskEmailAttack — sources ABNORMAL_SECURITY_THREAT_LOG_CL; filters on high-signal attack types: Phishing: Credential, Social Engineering (BEC), Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Internal-to-Internal Attacks (Email Account Takeover), Scam. Intentionally excludes Spam, Graymail, and Reconnaissance. Maps entities: Account, MailMessage, IP.

  • Severity: High — MITRE: T1566 (Phishing)

AbnormalSecurity_AccountTakeover — sources ABNORMAL_SECURITY_ATO_CASE_CL; deduplicates to one alert per ATO case via summarize arg_min(TimeGenerated, *) by CaseId. Maps entity: Account (CompromisedAccount).

  • Severity: High — MITRE: T1078 (Valid Accounts), T1110 (Brute Force)

AbnormalSecurity_AbuseMailboxMalicious — sources ABNORMAL_SECURITY_ABUSE_MAILBOX_CL; filters abx_body_abx_body_reported_b == true and judgement == malicious. Intentionally excludes spam- and safe-judged reports. Maps entities: Account (reporter), MailMessage (recipient, subject, network message ID).

  • Severity: Medium — MITRE: T1566 (Phishing)

AbnormalSecurity_VendorCompromise — sources ABNORMAL_SECURITY_VENDOR_CASE_CL; deduplicates per VendorCaseId. Maps entity: DNS (vendor domain).

  • Severity: High — MITRE: T1566
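As an added illustration (not the PR's own rule YAML), the following KQL sketches the two query patterns the rules above rely on: the attack-type allowlist of AbnormalSecurity_HighRiskEmailAttack and the per-case deduplication of AbnormalSecurity_AccountTakeover. Table names, TimeGenerated, CaseId and the attack-type labels come from the PR description; every other column name (attack type, recipient, sender IP, message ID, subject) is an assumed placeholder for the real CCF Push column.

```kql
// Added example: shape of the HighRiskEmailAttack rule query.
// Assumed column names are placeholders; the attack-type labels are the
// ones listed in the PR description. Scheduled rules run with a 1h
// queryPeriod, so no explicit ago() filter is needed here.
let HighSignalAttackTypes = dynamic([
    "Phishing: Credential",
    "Social Engineering (BEC)",
    "Invoice/Payment Fraud (BEC)",
    "Malware",
    "Extortion",
    "Phishing: Sensitive Data",
    "Internal-to-Internal Attacks (Email Account Takeover)",
    "Scam"
]);
ABNORMAL_SECURITY_THREAT_LOG_CL
// Allowlist rather than denylist: Spam, Graymail and Reconnaissance can
// never match, and a new low-signal type added upstream is also excluded.
| where abx_body_abx_body_attackType_s in (HighSignalAttackTypes)
| project TimeGenerated,
          AttackType       = abx_body_abx_body_attackType_s,      // assumed
          RecipientAddress = abx_body_abx_body_recipientAddress_s, // assumed
          SenderIp         = abx_body_abx_body_senderIpAddress_s,  // assumed
          NetworkMessageId = abx_body_abx_body_abxMessageId_s,     // assumed
          Subject          = abx_body_abx_body_subject_s           // assumed
// Split the recipient for the Account entity mapping (Name + UPNSuffix);
// SenderIp feeds the IP entity, NetworkMessageId/Subject the MailMessage entity.
| extend AccountName = tostring(split(RecipientAddress, "@")[0]),
         UPNSuffix   = tostring(split(RecipientAddress, "@")[1])

// Shape of the AccountTakeover rule query: an ATO case can produce several
// rows as it is updated, so keep only the earliest row per CaseId and the
// rule raises one alert per case instead of one per update.
ABNORMAL_SECURITY_ATO_CASE_CL
| summarize arg_min(TimeGenerated, *) by CaseId
```

Because the rule triggers on any result (gt 0) with a 5h grouping window on AllEntities, the deduplication inside the query is what keeps a long-running case from re-alerting on every run; without the summarize, each status update row would be a new alert.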

Parsers (4 added)

Four KQL parsers normalise the raw double-nested column names (abx_body_abx_body_*) produced by the CCF Push connector into human-readable aliases: AbnormalSecurityThreatLog, AbnormalSecurityAtoCases, AbnormalSecurityAbuseMailbox, AbnormalSecurityVendorCases. Queries referencing the raw table columns without these parsers would require verbose field names — the parsers provide a stable query surface for hunting and custom detections.
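The pattern the four parsers follow, shown here as an added example rather than the PR's parser file: the raw double-nested names are renamed once inside a function, and rules and hunting queries are written against the aliases. abx_body_abx_body_reported_b and CampaignId are named in the PR; the other raw column names and the "malicious" judgement literal are assumptions.

```kql
// Added example: parser pattern for ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.
// In the solution this body would be saved as the AbnormalSecurityAbuseMailbox
// function; the let/view form lets it run in a single query pane.
let AbnormalSecurityAbuseMailbox = view () {
    ABNORMAL_SECURITY_ABUSE_MAILBOX_CL
    | project-rename
        Reported         = abx_body_abx_body_reported_b,          // from the PR
        Judgement        = abx_body_abx_body_judgement_s,         // assumed
        CampaignId       = abx_body_abx_body_campaignId_s,        // assumed raw name
        ReporterAddress  = abx_body_abx_body_reporter_s,          // assumed
        RecipientAddress = abx_body_abx_body_recipientAddress_s,  // assumed
        Subject          = abx_body_abx_body_subject_s,           // assumed
        NetworkMessageId = abx_body_abx_body_abxMessageId_s       // assumed
};
// Consumer: the AbuseMailboxMalicious filter written against the parser.
// If the connector ever renames a raw column, only the parser changes;
// the rule and hunting queries keep working.
AbnormalSecurityAbuseMailbox
| where Reported == true and Judgement =~ "malicious"   // spam/safe judgements excluded
| project TimeGenerated, ReporterAddress, RecipientAddress,
          Subject, NetworkMessageId, CampaignId
```

The same view-then-consume split applies to the other three tables; the entity mappings in the rule YAML then reference ReporterAddress (Account) and RecipientAddress/Subject/NetworkMessageId (MailMessage) instead of the raw names.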

Hunting Queries (4 added)

  • AbnormalSecurity_TopAttackTargets — identifies most-targeted accounts by attack type over the query period
  • AbnormalSecurity_AbuseMailboxCampaigns — surfaces active phishing campaigns via abuse mailbox reports grouped by CampaignId
  • AbnormalSecurity_NewVendorDomains — hunts for newly observed vendor domains in compromise cases
  • AbnormalSecurity_UnremediatedThreats — queries for open threats not yet actioned
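As an added example of the first-seen technique behind AbnormalSecurity_NewVendorDomains (this is not the PR's query), the following hunt compares each vendor domain's earliest case against a longer baseline so that only domains absent from the baseline surface. VendorCaseId and the AbnormalSecurityVendorCases parser are named in the PR; VendorDomain is assumed to be the parser's alias for the vendor domain column, and the 30d/7d windows are illustrative.

```kql
// Added example: newly observed vendor domains in compromise cases.
// Assumes the AbnormalSecurityVendorCases parser exposes VendorDomain.
let baseline = 30d;   // how far back "already known" reaches
let recent   = 7d;    // window in which a domain counts as new
AbnormalSecurityVendorCases
| where TimeGenerated > ago(baseline)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Cases     = dcount(VendorCaseId)
          by VendorDomain
// A domain whose first case falls inside the recent window had no case in
// the preceding 23 days, so it is new relative to the baseline.
| where FirstSeen > ago(recent)
| project VendorDomain, FirstSeen, LastSeen, Cases
| order by FirstSeen desc
```

Widening baseline reduces false "new" hits for vendors that appear rarely, at the cost of a longer scan; the query period of the hunting YAML should cover at least the baseline for the comparison to be meaningful.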

Workbook (1 added)

AbnormalSecurityOverview.json — operational dashboard across threat logs, ATO cases, abuse mailbox, and vendor compromise tables.

Playbook (1 added)

AbnormalSecurity-AddIncidentComment — triggered on incident creation; adds a summary comment (provider, severity, title) sourced from Abnormal Security alert data using the Microsoft Sentinel connector with system-assigned managed identity. Requires Microsoft Sentinel Responder role assigned to the managed identity. No third-party credentials required.

MITRE Mapping

Technique   Name             Rules
T1566       Phishing         High-Risk Email, Abuse Mailbox, Vendor Compromise
T1078       Valid Accounts   Account Takeover
T1110       Brute Force      Account Takeover

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_ATO_CASE_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_THREAT_LOG_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_VENDOR_CASE_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_AbuseMailboxMalicious.yaml
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_AccountTakeover.yaml
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_HighRiskEmailAttack.yaml
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_VendorCompromise.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_AbuseMailboxCampaigns.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_NewVendorDomains.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_TopAttackTargets.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_UnremediatedThreats.yaml
Solutions/AbnormalSecurity/Package/testParameters.json
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityAbuseMailbox.yaml
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityAtoCases.yaml
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityThreatLog.yaml
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityVendorCases.yaml
Solutions/AbnormalSecurity/Playbooks/AbnormalSecurity-AddIncidentComment/azuredeploy.json
Solutions/AbnormalSecurity/Playbooks/AbnormalSecurity-AddIncidentComment/readme.md
Solutions/AbnormalSecurity/Workbooks/AbnormalSecurityOverview.json
Solutions/AbnormalSecurity/Workbooks/Images/Preview/AbnormalSecurityOverviewBlack.png
Solutions/AbnormalSecurity/Workbooks/Images/Preview/AbnormalSecurityOverviewWhite.png
Solutions/AbnormalSecurity/Workbooks/Images/Preview/abnormalsecurity.svg
Workbooks/Images/Logos/abnormalsecurity.svg
Workbooks/Images/Preview/AbnormalSecurityOverviewBlack.png
Workbooks/Images/Preview/AbnormalSecurityOverviewWhite.png
Workbooks/Images/Preview/abnormalsecurity.svg
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_AbnormalSecurity.json, createUiDefinition.json, mainTemplate.json)