Abnormal Security Events

Solution: AbnormalSecurity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index

Attribute	Value
Publisher	Abnormal Security
Support Tier	Partner
Support Link	https://abnormalsecurity.com/contact
Categories	Security - Threat Protection
Version	3.0.0
Author	AbnormalSecurity - support@abnormalsecurity.com
First Published	2021-10-20
Last Updated	2026-05-26
Solution Folder	AbnormalSecurity
Marketplace	Azure Marketplace · Popularity: 🟢 High (83%)

The Abnormal Security solution provides real-time security event ingestion from Abnormal's cloud email security platform into Microsoft Sentinel. Supports both push-based (CCF Push) and pull-based (Azure Functions) connectors. The push connector routes events to per-event-type tables (threats, cases, audit logs, abuse mailbox, posture changes, ATO cases, remediations, vendor cases) using the Codeless Connector Framework.

Data Connectors

This solution provides 2 data connector(s):

AbnormalSecurity 🔶
Abnormal Security (Push) 🔶

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 11 table(s):

Table	Used By Connectors	Used By Content
`ABNORMAL_CASES_CL`	AbnormalSecurity	-
`ABNORMAL_SECURITY_ABUSE_MAILBOX_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_ATO_CASE_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_AUDIT_LOG_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_CASE_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_LOGS_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_POSTURE_CHANGE_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_REMEDIATION_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_THREAT_LOG_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_SECURITY_VENDOR_CASE_CL` 🔶	Abnormal Security (Push)	-
`ABNORMAL_THREAT_MESSAGES_CL` 🔶	AbnormalSecurity	-

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.0	08-05-2026	Added CCF Push connector with multi-table routing (9 tables), DeployPushConnectorButton, and OAuth 2.0 authentication. Legacy Azure Functions connector retained for backward compatibility. Full MLA column parity: renamed abx_body_* columns to abx_body_abx_body_, added abx_body_abx_metadata_ columns across all 9 streams. Fixed DCR transforms with explicit tostring(abx_body) and tostring(abx_metadata) conversions. Fixed fallback stream to Custom-ABNORMAL_SECURITY_LOGS_CL. Added top-level workspace/tables resources in mainTemplate for direct ARM deployment.
2.0.1	29-06-2023	Renaming Azure Function to Azure Functions in Data Connector Description and Updated the python runtime version to 3.11

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index