
Cyware Orchestrate

Abnormal Security

App Vendor: Abnormal Security

App Category: Email Security and Threat Protection

Connector Version: 1.0.0

API Version: v1

Note

This app is currently released as a beta version.

About App

The Abnormal Security app helps security teams detect and prevent email threats like spear-phishing, vendor email compromise, spam, and graymail. By using behavioral data science, it establishes a normal activity baseline to identify anomalies and defend against advanced attacks.

The Abnormal Security app is configured with Cyware Orchestrate to perform the following actions:

Check Threat Action Status: This action checks the status of a requested action on a threat.

Download Email Attachment: This action downloads the attachment from an email message as a file.

Download Email Message: This action downloads the email message in EML format.

Get Email Attachment Details: This action retrieves details of an attachment in an email message.

Get Threat Campaign Attachments: This action retrieves details of the attachments in a threat campaign.

Get Threat Campaign Links: This action retrieves information about the links in a threat campaign.

Get Threat Details: This action retrieves the details of a threat.

List Threats: This action lists all the threats.

Manage Threat: This action manages a threat by remediating it or reversing its remediation.

Generic Action: This is a generic action used to make requests to any Abnormal Security endpoint.

Configuration Parameters

The following configuration parameters are required for the Abnormal Security app to communicate with the Abnormal Security enterprise application. The parameters can be configured by creating instances in the app.

API Token
  Description: Enter the API token for authentication.
  Field Type: Password
  Required/Optional: Required

Base URL
  Description: Enter the base URL to access Abnormal Security. Example: https://api.abnormalplatform.com
  Field Type: Text
  Required/Optional: Required
  Comments: Allowed values: https://api.abnormalplatform.com, https://eu.rest.abnormalsecurity.com

Mock Data
  Description: Choose true to retrieve sample data in the response.
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Default value: false

Timeout
  Description: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Abnormal Security.
  Field Type: Integer
  Required/Optional: Optional
  Comments: Allowed range: 15-120. Default value: 15

Verify
  Description: Choose whether to verify the SSL or TLS certificate while making requests. It is recommended to set this option to yes. Choosing no skips certificate verification, so a connection may be established with an endpoint whose identity has not been checked.
  Field Type: Boolean
  Required/Optional: Optional
  Comments: By default, verification is not enabled.

Action: Check Threat Action Status

This action checks the status of a requested action on a threat.

Action Input Parameters

Threat ID
  Description: Enter the ID of the threat. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2
  Field Type: Text
  Required/Optional: Required
  Comments: You can retrieve the threat ID using the action List Threats.

Action ID
  Description: Enter the ID of the action to check the status. Example: a33a212a-89ff-461f-be34-ea52aff44a67
  Field Type: Text
  Required/Optional: Required

Action: Download Email Attachment

This action downloads the attachment from an email message as a file.

Action Input Parameters

Message ID
  Description: Enter the ABX ID of the message. Example: 4551618356913732000
  Field Type: Integer
  Required/Optional: Required

Attachment Name
  Description: Enter the name of the attachment from the email message. Example: attachment1.jpg
  Field Type: Text
  Required/Optional: Required

Action: Download Email Message

This action downloads the email message in EML format.

Action Input Parameters

Message ID
  Description: Enter the ABX ID of the message. Example: 4551618356913732000
  Field Type: Text
  Required/Optional: Required

Action: Get Email Attachment Details

This action retrieves details of an attachment in an email message.

Action Input Parameters

Message ID
  Description: Enter the ABX ID of the message. Example: 4551618356913732000
  Field Type: Text
  Required/Optional: Required

Attachment Name
  Description: Enter the name of the attachment from the email message. Example: attachment1.jpg
  Field Type: Text
  Required/Optional: Required

Action: Get Threat Campaign Attachments

This action retrieves details of the attachments in a threat campaign.

Action Input Parameters

Threat ID
  Description: Enter the ID of the threat. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2
  Field Type: Text
  Required/Optional: Required
  Comments: You can retrieve the threat ID using the action List Threats.

Action: Get Threat Details

This action retrieves the details of a threat.

Action Input Parameters

Threat ID
  Description: Enter the ID of the threat to retrieve its details. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2
  Field Type: Text
  Required/Optional: Required
  Comments: You can retrieve the threat ID using the action List Threats.

Page Size
  Description: Enter the number of threat messages to retrieve on each page.
  Field Type: Integer
  Required/Optional: Optional
  Comments: Allowed range: 1-2000. Default value: 100

Page Number
  Description: Enter the page number to retrieve a particular page of threat messages.
  Field Type: Integer
  Required/Optional: Optional
  Comments: Default value: 1

Action: List Threats

This action lists all the threats.

Action Input Parameters

Filter
  Description: Enter the value to filter the response. Example: receivedTime gte 2020-01-01T01:01:01Z lte 2021-12-01T01:01:01Z
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed format: filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ. Allowed key: receivedTime

Source
  Description: Enter the source of detection to filter the response. Example: all
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values: all, advanced

Attack Type
  Description: Enter the type of attack to filter the response.
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values: Internal-to-Internal Attacks (Email Account Takeover), Spam, Reconnaissance, Scam, Social Engineering (BEC), Phishing: Credential, Invoice/Payment Fraud (BEC), Malware, Extortion, Phishing: Sensitive Data, Other

Attack Vector
  Description: Enter the attack vector to filter the response.
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values: Link, Attachment, Text, Others, Attachment with Zipped File

Attack Strategy
  Description: Enter the attack strategy to filter the response.
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values: Name Impersonation, Internal Compromised Email Account, External Compromised Email Account, Spoofed Email, Unknown Sender, Covid 19 Related Attack

Extra Fields
  Description: Enter the extra fields to filter the response.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed keys: pageSize, pageNumber, sender, recipient, subject, topic, impersonatedParty, mock-data
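The Filter value is the one free-form input in this action, so it is safer to build and validate it than to hand-type timestamps. The Python helper below is an added example, not part of the Cyware app or the Abnormal Security API; it produces the `{FILTER KEY} gte ... lte ...` string from two datetimes, accepts only the documented key receivedTime, and rejects an empty or reversed window.

```python
import re
from datetime import datetime, timezone

# Only key the List Threats filter accepts, per the app documentation.
ALLOWED_FILTER_KEYS = {"receivedTime"}
# Timestamp shape required by the filter: YYYY-MM-DDTHH:MM:SSZ (UTC).
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
# The 'filter=' prefix from the documented format is the query key; accept it optionally.
FILTER_RE = re.compile(rf"^(?:filter=)?(?P<key>\w+) gte (?P<start>{_TS}) lte (?P<end>{_TS})$")

# The page's own example value, used below to round-trip the helpers.
EXAMPLE_FILTER = "receivedTime gte 2020-01-01T01:01:01Z lte 2021-12-01T01:01:01Z"


def _as_utc(ts: datetime) -> datetime:
    """Treat naive datetimes as UTC; convert aware ones so the 'Z' suffix is truthful."""
    return ts.replace(tzinfo=timezone.utc) if ts.tzinfo is None else ts.astimezone(timezone.utc)


def build_filter(start: datetime, end: datetime, key: str = "receivedTime") -> str:
    """Return the Filter value for a time window, without the 'filter=' prefix."""
    if key not in ALLOWED_FILTER_KEYS:
        raise ValueError(f"unsupported filter key: {key!r}")
    start_utc, end_utc = _as_utc(start), _as_utc(end)
    if end_utc <= start_utc:
        raise ValueError("filter window must end after it starts")
    return f"{key} gte {start_utc.strftime(TS_FORMAT)} lte {end_utc.strftime(TS_FORMAT)}"


def parse_filter(value: str):
    """Validate a Filter string and return (key, start, end) with UTC-aware datetimes."""
    m = FILTER_RE.match(value.strip())
    if m is None or m["key"] not in ALLOWED_FILTER_KEYS:
        raise ValueError(f"malformed filter: {value!r}")
    # strptime also rejects impossible dates such as month 13 (raises ValueError).
    start = datetime.strptime(m["start"], TS_FORMAT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(m["end"], TS_FORMAT).replace(tzinfo=timezone.utc)
    if end <= start:
        raise ValueError("filter window must end after it starts")
    return m["key"], start, end


def is_valid_filter(value: str) -> bool:
    """True when the value would be accepted by parse_filter()."""
    try:
        parse_filter(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key, start, end = parse_filter(EXAMPLE_FILTER)
    print("round-trip ok:", build_filter(start, end, key) == EXAMPLE_FILTER)
```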

Action: Manage Threat

This action manages a threat by remediating it or reversing its remediation.

Action Input Parameters

Threat ID
  Description: Enter the ID of the threat to manage. Example: 184712ab-6d8b-47b3-89d3-a314efef79e2
  Field Type: Text
  Required/Optional: Required
  Comments: You can retrieve the threat ID using the action List Threats.

Threat Action
  Description: Enter the action to take on the threat. Example: remediate
  Field Type: Text
  Required/Optional: Required
  Comments: Allowed values: remediate, unremediate

Action: Generic Action

This is a generic action used to make requests to any Abnormal Security endpoint.

Action Input Parameters

Method
  Description: Enter the HTTP method to make the request.
  Field Type: Text
  Required/Optional: Required
  Comments: Allowed values: GET, PUT, POST, DELETE

Endpoint
  Description: Enter the endpoint to make the request to. Example: /messages/{message_id}/download
  Field Type: Text
  Required/Optional: Required

Query Params
  Description: Enter the query parameters to pass to the API.
  Field Type: Key Value
  Required/Optional: Optional

Payload
  Description: Enter the payload to pass to the API.
  Field Type: Any
  Required/Optional: Optional

Extra Fields
  Description: Enter the extra fields to pass to the API.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed keys: payload_json, headers, download, files, filename, retry_wait, retry_count, custom_output, response_type