What Changed
The Abnormal Security solution (v3.0.0) shipped a new CCF Push connector in May 2026 but included zero detection content against its custom tables. This PR closes that gap entirely, adding a full content layer required for MISA integration certification.
Analytic Rules (4 added)
All four rules are Scheduled kind, 1h frequency/period, triggering on any result (gt 0). Grouping is configured with a 5h lookback window on AllEntities.
AbnormalSecurity_HighRiskEmailAttack: sources ABNORMAL_SECURITY_THREAT_LOG_CL; filters on high-signal attack types: Phishing: Credential, Social Engineering (BEC), Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Internal-to-Internal Attacks (Email Account Takeover), Scam. Intentionally excludes Spam, Graymail, and Reconnaissance. Maps entities: Account, MailMessage, IP.
- Severity: High; MITRE: T1566 (Phishing)
AbnormalSecurity_AccountTakeover: sources ABNORMAL_SECURITY_ATO_CASE_CL; deduplicates to one alert per ATO case via `summarize arg_min(TimeGenerated, *) by CaseId`. Maps entity: Account (CompromisedAccount).
- Severity: High; MITRE: T1078 (Valid Accounts), T1110 (Brute Force)
AbnormalSecurity_AbuseMailboxMalicious: sources ABNORMAL_SECURITY_ABUSE_MAILBOX_CL; filters `abx_body_abx_body_reported_b == true` and `judgement == malicious`. Intentionally excludes spam- and safe-judged reports. Maps entities: Account (reporter), MailMessage (recipient, subject, network message ID).
- Severity: Medium; MITRE: T1566 (Phishing)
AbnormalSecurity_VendorCompromise: sources ABNORMAL_SECURITY_VENDOR_CASE_CL; deduplicates per VendorCaseId. Maps entity: DNS (vendor domain).
- Severity: High; MITRE: T1566
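The "one alert per ATO case" pattern used by AbnormalSecurity_AccountTakeover, written out as an added KQL example (this is not the rule file in the PR). Only the table name and the CaseId column come from the PR; the compromised-account column name is an assumption and has to be checked against the custom table schema before the query is used:

```kql
// Added example of the per-case deduplication pattern, not the PR's own rule.
// ABNORMAL_SECURITY_ATO_CASE_CL and CaseId are named in the PR; the
// abx_body_abx_body_compromised_account_s column is ASSUMED and must be
// verified against the table schema.
let lookback = 1h;                      // same window as the rule's 1h frequency/period
ABNORMAL_SECURITY_ATO_CASE_CL
| where TimeGenerated >= ago(lookback)
| where isnotempty(CaseId)
// arg_min(TimeGenerated, *) keeps the whole earliest row per CaseId, so a case
// that was updated several times inside the window still yields one result row
| summarize arg_min(TimeGenerated, *) by CaseId
| project
    TimeGenerated,
    CaseId,
    CompromisedAccount = tostring(abx_body_abx_body_compromised_account_s)  // assumed column
```

The deduplication is per query run: a case that receives updates in two consecutive 1h windows produces a row in each, and it is the rule's 5h AllEntities grouping window that folds those alerts into one incident.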
Parsers (4 added)
Four KQL parsers normalise the raw double-nested column names (abx_body_abx_body_*) produced by the CCF Push connector into human-readable aliases: AbnormalSecurityThreatLog, AbnormalSecurityAtoCases, AbnormalSecurityAbuseMailbox, AbnormalSecurityVendorCases. Queries referencing the raw table columns without these parsers would require verbose field names; the parsers provide a stable query surface for hunting and custom detections.
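The alias-layer pattern the parsers implement, as an added example for the abuse mailbox table (this is not one of the PR's four parser files). The table name and the two raw columns the PR mentions (abx_body_abx_body_reported_b, judgement) are taken from the PR; every other raw column name below is an assumption and must be checked against the ABNORMAL_SECURITY_ABUSE_MAILBOX_CL schema:

```kql
// Added example of the parser pattern, not the PR's AbnormalSecurityAbuseMailbox parser.
// Raw column names marked "assumed" are placeholders for the real schema.
ABNORMAL_SECURITY_ABUSE_MAILBOX_CL
| extend
    Reported         = tobool(abx_body_abx_body_reported_b),
    Judgement        = tolower(tostring(judgement)),
    Reporter         = tostring(abx_body_abx_body_reporter_s),             // assumed
    Recipient        = tostring(abx_body_abx_body_recipient_s),            // assumed
    Subject          = tostring(abx_body_abx_body_subject_s),              // assumed
    NetworkMessageId = tostring(abx_body_abx_body_network_message_id_s),   // assumed
    CampaignId       = tostring(abx_body_abx_body_campaign_id_s)           // assumed
// drop the raw nested columns so downstream queries see only the aliases
| project-away abx_body_abx_body_*
```

Saved as a function named AbnormalSecurityAbuseMailbox, the malicious-report detection reduces to `AbnormalSecurityAbuseMailbox | where Reported and Judgement == "malicious"`, and a later change to the connector's column naming only needs to be absorbed in the parser rather than in every rule and hunting query.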
Hunting Queries (4 added)
- AbnormalSecurity_TopAttackTargets: identifies most-targeted accounts by attack type over the query period
- AbnormalSecurity_AbuseMailboxCampaigns: surfaces active phishing campaigns via abuse mailbox reports grouped by CampaignId
- AbnormalSecurity_NewVendorDomains: hunts for newly observed vendor domains in compromise cases
- AbnormalSecurity_UnremediatedThreats: queries for open threats not yet actioned
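The "newly observed" baseline pattern behind a hunt like AbnormalSecurity_NewVendorDomains, as an added example (not the PR's hunting query). The table name and VendorCaseId are from the PR; the vendor-domain column name and the two window lengths are assumptions:

```kql
// Added example of a first-seen hunt, not the PR's AbnormalSecurity_NewVendorDomains query.
// ABNORMAL_SECURITY_VENDOR_CASE_CL and VendorCaseId are named in the PR;
// abx_body_abx_body_vendor_domain_s is ASSUMED and must match the real schema.
let baseline = 30d;   // history used to decide what "previously seen" means
let recent   = 1d;    // a first appearance inside this window counts as new
ABNORMAL_SECURITY_VENDOR_CASE_CL
| where TimeGenerated >= ago(baseline)
| extend VendorDomain = tolower(tostring(abx_body_abx_body_vendor_domain_s))  // assumed column
| where isnotempty(VendorDomain)
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Cases     = dcount(VendorCaseId)
    by VendorDomain
// keep only domains whose earliest case in the baseline falls inside the recent window
| where FirstSeen >= ago(recent)
| order by FirstSeen desc
```

The baseline bounds what "new" means: a vendor domain whose only earlier case is older than 30 days will resurface as newly observed, so the baseline should be at least as long as the table's retention allows when the hunt is run in a real workspace.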
Workbook (1 added)
AbnormalSecurityOverview.json â operational dashboard across threat logs, ATO cases, abuse mailbox, and vendor compromise tables.
Playbook (1 added)
AbnormalSecurity-AddIncidentComment â triggered on incident creation; adds a summary comment (provider, severity, title) sourced from Abnormal Security alert data using the Microsoft Sentinel connector with system-assigned managed identity. Requires Microsoft Sentinel Responder role assigned to the managed identity. No third-party credentials required.
MITRE Mapping
| Technique | Name | Rules |
|---|---|---|
| T1566 | Phishing | High-Risk Email, Abuse Mailbox, Vendor Compromise |
| T1078 | Valid Accounts | Account Takeover |
| T1110 | Brute Force | Account Takeover |
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_ABUSE_MAILBOX_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_ATO_CASE_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_THREAT_LOG_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ABNORMAL_SECURITY_VENDOR_CASE_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_AbuseMailboxMalicious.yaml
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_AccountTakeover.yaml
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_HighRiskEmailAttack.yaml
Solutions/AbnormalSecurity/Analytic Rules/AbnormalSecurity_VendorCompromise.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_AbuseMailboxCampaigns.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_NewVendorDomains.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_TopAttackTargets.yaml
Solutions/AbnormalSecurity/Hunting Queries/AbnormalSecurity_UnremediatedThreats.yaml
Solutions/AbnormalSecurity/Package/testParameters.json
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityAbuseMailbox.yaml
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityAtoCases.yaml
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityThreatLog.yaml
Solutions/AbnormalSecurity/Parsers/AbnormalSecurityVendorCases.yaml
Solutions/AbnormalSecurity/Playbooks/AbnormalSecurity-AddIncidentComment/azuredeploy.json
Solutions/AbnormalSecurity/Playbooks/AbnormalSecurity-AddIncidentComment/readme.md
Solutions/AbnormalSecurity/Workbooks/AbnormalSecurityOverview.json
Solutions/AbnormalSecurity/Workbooks/Images/Preview/AbnormalSecurityOverviewBlack.png
Solutions/AbnormalSecurity/Workbooks/Images/Preview/AbnormalSecurityOverviewWhite.png
Solutions/AbnormalSecurity/Workbooks/Images/Preview/abnormalsecurity.svg
Workbooks/Images/Logos/abnormalsecurity.svg
Workbooks/Images/Preview/AbnormalSecurityOverviewBlack.png
Workbooks/Images/Preview/AbnormalSecurityOverviewWhite.png
Workbooks/Images/Preview/abnormalsecurity.svg
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_AbnormalSecurity.json, createUiDefinition.json, mainTemplate.json)