Abnormal Security
App Vendor: Abnormal Security
App Category: Email Security and Threat Protection
Connector Version: 1.0.0
API Version: v1
Note
This app is currently released as a beta version.
About App
The Abnormal Security app helps security teams detect and prevent email threats like spear-phishing, vendor email compromise, spam, and graymail. By using behavioral data science, it establishes a normal activity baseline to identify anomalies and defend against advanced attacks.
The Abnormal Security app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Check Threat Action Status | This action checks the status of a requested action on a threat. |
Download Email Attachment | This action downloads the attachment from an email message as a file. |
Download Email Message | This action downloads the email message in EML format. |
Get Email Attachment Details | This action retrieves details of an attachment in an email message. |
Get Threat Campaign Attachments | This action retrieves details of the attachments in a threat campaign. |
Get Threat Campaign Links | This action retrieves information about the links in a threat campaign. |
Get Threat Details | This action retrieves the details of a threat. |
List Threats | This action lists all the threats. |
Manage Threat | This action manages a threat by remediating it or reversing its remediation. |
Generic Action | This is a generic action used to make requests to any Abnormal Security endpoint. |
Configuration Parameters
The following configuration parameters are required for the Abnormal Security app to communicate with the Abnormal Security enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Token | Enter the API token for authentication. | Password | Required | |
Base URL | Enter the base URL to access Abnormal Security. Example: https://api.abnormalplatform.com | Text | Required | Allowed values: https://api.abnormalplatform.com, https://eu.rest.abnormalsecurity.com |
Mock Data | Choose true to retrieve sample data in the response. | Boolean | Optional | Default value: false |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Abnormal Security. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Choosing no skips certificate verification and may result in an incorrectly established connection. | Boolean | Optional | By default, verification is not enabled. |
Action: Check Threat Action Status
This action checks the status of a requested action on a threat.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat ID | Enter the ID of the threat. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2 | Text | Required | You can retrieve the threat ID using the action List Threats. |
Action ID | Enter the ID of the action to check the status. Example: a33a212a-89ff-461f-be34-ea52aff44a67 | Text | Required | |
Action: Download Email Attachment
This action downloads the attachment from an email message as a file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Message ID | Enter the ABX ID of the message. Example: 4551618356913732000 | Integer | Required | |
Attachment Name | Enter the name of the attachment from the email message. Example: attachment1.jpg | Text | Required | |
Action: Download Email Message
This action downloads the email message in EML format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Message ID | Enter the ABX ID of the message. Example: 4551618356913732000 | Text | Required | |
Action: Get Email Attachment Details
This action retrieves details of an attachment in an email message.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Message ID | Enter the ABX ID of the message. Example: 4551618356913732000 | Text | Required | |
Attachment Name | Enter the name of the attachment from the email message. Example: attachment1.jpg | Text | Required | |
Action: Get Threat Campaign Attachments
This action retrieves details of the attachments in a threat campaign.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat ID | Enter the ID of the threat. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2 | Text | Required | You can retrieve the threat ID using the action List Threats. |
Action: Get Threat Campaign Links
This action retrieves information about the links in a threat campaign.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat ID | Enter the ID of the threat. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2 | Text | Required | You can retrieve the threat ID using the action List Threats. |
Action: Get Threat Details
This action retrieves the details of a threat.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat ID | Enter the ID of the threat to retrieve its details. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2 | Text | Required | You can retrieve the threat ID using the action List Threats. |
Page Size | Enter the number of threat messages to retrieve on each page. | Integer | Optional | Allowed range: 1-2000. Default value: 100 |
Page Number | Enter the page number to retrieve a particular page of threat messages. | Integer | Optional | Default value: 1 |
Action: List Threats
This action lists all the threats.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter | Enter the value to filter the response. Example: receivedTime gte 2020-01-01T01:01:01Z lte 2021-12-01T01:01:01Z | Text | Optional | Allowed format: filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ. Allowed key: receivedTime |
Source | Enter the source of detection to filter the response. Example: all | Text | Optional | Allowed values: all, advanced |
Attack Type | Enter the type of attack to filter the response. | Text | Optional | Allowed values: Internal-to-Internal Attacks (Email Account Takeover), Spam, Reconnaissance, Scam, Social Engineering (BEC), Phishing: Credential, Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Other |
Attack Vector | Enter the attack vector to filter the response. | Text | Optional | Allowed values: Link, Attachment, Text, Others, Attachment with Zipped File |
Attack Strategy | Enter the attack strategy to filter the response. | Text | Optional | Allowed values: Name Impersonation, Internal Compromised Email Account, External Compromised Email Account, Spoofed Email, Unknown Sender, Covid 19 Related Attack |
Extra Fields | Enter the extra fields to filter the response. | Key Value | Optional | Allowed keys: pageSize, pageNumber, sender, recipient, subject, topic, impersonatedParty, mock-data |
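The Filter grammar above is easy to get subtly wrong in a playbook (a naive local timestamp rendered with a Z suffix, reversed bounds, an unsupported key), so the following is an added Python example, not part of the Cyware app or Abnormal Security's own code, that validates a filter string and builds one from timezone-aware bounds before it is handed to List Threats. The function names are assumptions of this example; the allowed key, source values and timestamp shape are the ones the table documents.

```python
import re
from datetime import datetime, timezone

# Filter grammar documented for the List Threats action:
#   filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ
ALLOWED_FILTER_KEYS = {"receivedTime"}
ALLOWED_SOURCES = {"all", "advanced"}
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
_FILTER_RE = re.compile(r"^(?P<key>\S+) gte (?P<start>\S+) lte (?P<end>\S+)$")

def _parse_timestamp(value: str) -> datetime:
    """Strictly parse the documented UTC form; any other shape is rejected."""
    try:
        return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"{value!r} is not YYYY-MM-DDTHH:MM:SSZ") from exc

def parse_threat_filter(value: str) -> dict:
    """Validate a filter (with or without the 'filter=' prefix) and return its parts."""
    value = value.strip()
    if value.startswith("filter="):
        value = value[len("filter="):]
    match = _FILTER_RE.match(value)
    if not match:
        raise ValueError("filter must be '<key> gte <start> lte <end>'")
    if match["key"] not in ALLOWED_FILTER_KEYS:
        raise ValueError(f"unsupported filter key {match['key']!r}")
    start, end = _parse_timestamp(match["start"]), _parse_timestamp(match["end"])
    if start > end:
        raise ValueError("filter start must not be after its end")
    return {"key": match["key"], "start": start, "end": end}

def is_valid_threat_filter(value: str) -> bool:
    try:
        parse_threat_filter(value)
        return True
    except ValueError:
        return False

def build_threat_filter(start: datetime, end: datetime, key: str = "receivedTime") -> str:
    """Render timezone-aware bounds as the documented filter string (normalised to UTC)."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("bounds must be timezone-aware so the 'Z' suffix is truthful")
    rendered = (f"{key} gte {start.astimezone(timezone.utc).strftime(TIMESTAMP_FORMAT)}"
                f" lte {end.astimezone(timezone.utc).strftime(TIMESTAMP_FORMAT)}")
    parse_threat_filter(rendered)  # re-check key, format and ordering before it is sent
    return rendered
```

The same validation applies to the Source parameter: reject anything outside `all` and `advanced` before the action runs, rather than letting the API reject it mid-playbook.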
Action: Manage Threat
This action manages a threat by remediating it or reversing its remediation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat ID | Enter the ID of the threat to manage. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2 | Text | Required | You can retrieve the threat ID using the action List Threats. |
Threat Action | Enter the action to take on the threat. Example: remediate | Text | Required | Allowed values: remediate, unremediate |
Action: Generic Action
This is a generic action used to make requests to any Abnormal Security endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: /messages/{message_id}/download | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, headers, download, files, filename, retry_wait, retry_count, custom_output, response_type |