
# Abnormal Security

This Integration is part of the Abnormal Security Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry's most advanced behavioral data science to baseline known good behavior and detect anomalies. This integration was integrated and tested with version 1.3.0 of Abnormal Security.

## Configure Abnormal Security on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Abnormal Security.
3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL (e.g. https://api.abnormalplatform.com/v1) | True |
    | API Key | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### abnormal-security-check-case-action-status

Check the status of an action requested on a case.

#### Base Command

`abnormal-security-check-case-action-status`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | A string representing the email case. Can be retrieved by first running the command to list cases. | Required |
| action_id | A string representing the action ID. Can be retrieved from the payload after performing an action on a case. | Required |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.ActionStatus.status | String | Status of the case after an action is performed. |
| AbnormalSecurity.ActionStatus.description | String | Detailed description of the status. |

#### Command Example

```
!abnormal-security-check-case-action-status case_id=12345 action_id=abcdefgh-1234-5678-ijkl-mnop9qrstuvwx
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "ActionStatus": {
      "description": "The request was completed successfully",
      "status": "acknowledged"
    }
  }
}
```

#### Human Readable Output

##### Results

| description | status |
| --- | --- |
| The request was completed successfully | acknowledged |

### abnormal-security-check-threat-action-status

Check the status of an action requested on a threat.

#### Base Command

`abnormal-security-check-threat-action-status`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_id | A UUID representing a threat campaign. The full list of threat IDs can be obtained by first running the command to list threats. | Required |
| action_id | A UUID representing the action ID for a threat. Can be obtained from the payload after performing an action on the threat. | Required |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.ActionStatus.status | String | The status of a threat after performing an action on it. |
| AbnormalSecurity.ActionStatus.description | String | The description of the status. |

#### Command Example

```
!abnormal-security-check-threat-action-status threat_id=xwvutsrq-9pon-mlkj-i876-54321hgfedcba action_id=abcdefgh-1234-5678-ijkl-mnop9qrstuvwx
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "ActionStatus": {
      "description": "The request was completed successfully",
      "status": "acknowledged"
    }
  }
}
```

#### Human Readable Output

##### Results

| description | status |
| --- | --- |
| The request was completed successfully | acknowledged |

### abnormal-security-download-threat-log-csv

Download data from the Threat Log in .csv format.

#### Base Command

`abnormal-security-download-threat-log-csv`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Filter the results based on a filter key. Value must be of the format filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ. Supported keys: [receivedTime]. | Optional |
| mock-data | Returns test data if set to True. | Optional |
| source | Filters threats based on the source of detection. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!abnormal-security-download-threat-log-csv filter="receivedTime gte 2020-12-01T01:01:01Z"
```

#### Context Example

```json
{
  "File": {
    "EntryID": "2294@2ef16ace-2149-42b9-8b0f-fb7620ba7d44",
    "Extension": "csv",
    "Info": "csv",
    "MD5": "a981545ee72fe115888800725883ca8a",
    "Name": "threat_log.csv",
    "SHA1": "c3cbae11542dc7244e3bf04a0901d7063597d381",
    "SHA256": "296463cad959803d64bfc94fbffa24e30c9438ba58827a100a9e7c219f26b382",
    "SHA512": "21a53f61c7d22b533abd7181b16116bf9017b7a444c10e4d2336803794ef0d9dded56e65179f924252f0bf3231e35fa1b726c8d7723f10b2f08bae0b3bedddd1",
    "SSDeep": "12:dB2XRzmZIm88Rvu8R7b7+I78RQC5+GUHwgfdvvq:dB2XRMrt/C5+GYw",
    "Size": 449,
    "Type": "ASCII text, with CRLF line terminators"
  }
}
```

### abnormal-security-list-abuse-mailbox-campaigns

Get a list of campaigns submitted to the Abuse Mailbox.

#### Base Command

`abnormal-security-list-abuse-mailbox-campaigns`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Value must be of the format filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ. A {FILTER KEY} must be specified, and currently only the key lastReportedTime is supported for /abusecampaigns. At least one of gte/lte must be specified, with a datetime string following the YYYY-MM-DDTHH:MM:SSZ format. Note that the filter time is interpreted as UTC. | Optional |
| page_size | Number of abuse campaigns shown on each page. Each page of data will have at most page_size abuse campaign IDs. | Optional |
| page_number | 1-indexed page number to get a particular page of abuse campaigns. Has no effect if filter is not specified. | Optional |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.AbuseCampaign.campaigns.campaignId | String | An ID which maps to an abuse campaign. |
| AbnormalSecurity.AbuseCampaign.pageNumber | Number | The current page number. |
| AbnormalSecurity.AbuseCampaign.nextPageNumber | Number | The next page number. |

#### Command Example

```
!abnormal-security-list-abuse-mailbox-campaigns filter="gte 2020-12-01T01:01:01Z"
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "AbuseCampaign": {
      "campaigns": [
        {
          "campaignId": "fff51768-c446-34e1-97a8-9802c29c3ebd"
        },
        {
          "campaignId": "07434ea5-df7b-3ff4-8d07-4a82df0c655d"
        }
      ],
      "pageNumber": 1
    }
  }
}
```

#### Human Readable Output

##### List of Abuse Mailbox Campaigns

###### Campaign IDs

| campaignId |
| --- |
| fff51768-c446-34e1-97a8-9802c29c3ebd |
| 07434ea5-df7b-3ff4-8d07-4a82df0c655d |

### abnormal-security-list-abnormal-cases

Get a list of Abnormal cases identified by Abnormal Security.

#### Base Command

`abnormal-security-list-abnormal-cases`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Value must be of the format filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ. A {FILTER KEY} must be specified, and currently the only key that is supported for /cases is lastModifiedTime. At least one of gte/lte must be specified, with a datetime string following the YYYY-MM-DDTHH:MM:SSZ format. | Optional |
| page_size | Number of cases on each page. Each page of data will have at most page_size cases. Has no effect if filter is not specified. | Optional |
| page_number | 1-indexed page number to get a particular page of cases. Has no effect if filter is not specified. | Optional |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.inline_response_200_1.cases.caseId | String | A unique identifier for this case. |
| AbnormalSecurity.inline_response_200_1.cases.description | String | Description of the severity level for this case. |
| AbnormalSecurity.inline_response_200_1.pageNumber | Number | The current page number. Not included in the response if no filter query parameter is passed in via the request. |
| AbnormalSecurity.inline_response_200_1.nextpageNumber | Number | The next page number. Not included in the response if there are no more pages of data or if no filter query parameter is passed in via the request. |

#### Command Example

```
!abnormal-security-list-abnormal-cases filter="gte 2020-12-01T01:01:01Z"
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "inline_response_200_1": {
      "cases": [
        {
          "caseId": 1234,
          "description": "Potential Account Takeover"
        }
      ],
      "nextPageNumber": 2,
      "pageNumber": 1
    }
  }
}
```

#### Human Readable Output

##### List of Cases

###### Case IDs

| caseId | description |
| --- | --- |
| 1234 | Potential Account Takeover |

### abnormal-security-list-threats

Get a list of threats.

#### Base Command

`abnormal-security-list-threats`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Value must be of the format filter={FILTER KEY} gte YYYY-MM-DDTHH:MM:SSZ lte YYYY-MM-DDTHH:MM:SSZ. A {FILTER KEY} must be specified, and currently the only keys that are supported for /threats are receivedTime and lastModifiedTime. At least one of gte/lte must be specified, with a datetime string following the YYYY-MM-DDTHH:MM:SSZ format. | Optional |
| page_size | Number of threats on each page. Each page of data will have at most page_size threats. Has no effect if filter is not specified. | Optional |
| page_number | 1-indexed page number to get a particular page of threats. Has no effect if filter is not specified. | Optional |
| mock-data | Returns test data if set to True. | Optional |
| source | Filters threats based on the source of detection. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.inline_response_200.threats.threatId | String | An ID which maps to a threat campaign. A threat campaign might be received by multiple users. |
| AbnormalSecurity.inline_response_200.pageNumber | Number | The current page number. Not included in the response if no filter query parameter is passed in via the request. |
| AbnormalSecurity.inline_response_200.nextpageNumber | Number | The next page number. Not included in the response if there are no more pages of data or if no filter query parameter is passed in via the request. |

#### Command Example

```
!abnormal-security-list-threats filter="gte 2020-12-01T01:01:01Z"
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "inline_response_200": {
      "nextPageNumber": 2,
      "pageNumber": 1,
      "threats": [
        {
          "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### List of Threats

###### Threat IDs

| threatId |
| --- |
| 184712ab-6d8b-47b3-89d3-a314efef79e2 |
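The filter argument shared by abnormal-security-download-threat-log-csv, abnormal-security-list-abuse-mailbox-campaigns, abnormal-security-list-abnormal-cases and abnormal-security-list-threats, together with their pageNumber/nextPageNumber paging, worked through in Python as an added example (not the integration's own code). The per-endpoint key lists and the timestamp format are taken from the argument descriptions above; the paged responses and the time window are constructed sample data, and the `/threats`, `/cases` and `/abusecampaigns` path names are used only as lookup keys.

```python
# Added example (not the integration's own code): build and validate the
# `filter` argument of the Abnormal Security list commands and walk their
# pageNumber/nextPageNumber paging. Key lists and the timestamp format come
# from the argument descriptions in this document; sample data is constructed.
import re
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

# Filter keys each endpoint accepts, per the command argument descriptions.
SUPPORTED_FILTER_KEYS = {
    "/threats": {"receivedTime", "lastModifiedTime"},
    "/cases": {"lastModifiedTime"},
    "/abusecampaigns": {"lastReportedTime"},
}
# Timestamps are UTC at second precision with a trailing Z: YYYY-MM-DDTHH:MM:SSZ
_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
# Constructed sample window (UTC) used by the assertions.
SAMPLE_WINDOW = (datetime(2020, 12, 1, 1, 1, 1, tzinfo=timezone.utc),
                 datetime(2020, 12, 2, 0, 0, 0, tzinfo=timezone.utc))


def build_filter(endpoint: str, key: str, gte: Optional[datetime] = None,
                 lte: Optional[datetime] = None) -> str:
    """Return e.g. 'receivedTime gte 2020-12-01T01:01:01Z lte 2020-12-02T00:00:00Z'.
    Rejects unsupported keys, an empty window and naive datetimes (those would be
    formatted in local time while the API reads the value as UTC)."""
    if key not in SUPPORTED_FILTER_KEYS.get(endpoint, set()):
        raise ValueError(f"{key!r} is not a supported filter key for {endpoint}")
    if gte is None and lte is None:
        raise ValueError("at least one of gte/lte must be given")
    parts = [key]
    for op, bound in (("gte", gte), ("lte", lte)):
        if bound is not None:
            if bound.tzinfo is None:
                raise ValueError(f"{op} must be timezone-aware")
            parts += [op, bound.astimezone(timezone.utc).strftime(_TS_FMT)]
    return " ".join(parts)


def parse_filter(endpoint: str, value: str) -> Dict[str, Optional[str]]:
    """Validate a user-supplied filter string before it is sent; returns
    {'key', 'gte', 'lte'} with absent bounds omitted. The argument descriptions
    require a leading key but the command examples omit it ("gte 2020-12-01..."),
    so the key is accepted here but optional and reported as None when absent."""
    tokens = value.split()
    key: Optional[str] = None
    if tokens and tokens[0] not in ("gte", "lte"):
        key = tokens.pop(0)
        if key not in SUPPORTED_FILTER_KEYS.get(endpoint, set()):
            raise ValueError(f"{key!r} is not a supported filter key for {endpoint}")
    ops = tokens[0::2]
    if ops not in (["gte"], ["lte"], ["gte", "lte"]) or len(tokens) != 2 * len(ops):
        raise ValueError("expected '[key] gte <ts>', '[key] lte <ts>' or '[key] gte <ts> lte <ts>'")
    result: Dict[str, Optional[str]] = {"key": key}
    for op, ts in zip(ops, tokens[1::2]):
        if not _TS_RE.match(ts):
            raise ValueError(f"{op} timestamp {ts!r} is not YYYY-MM-DDTHH:MM:SSZ")
        datetime.strptime(ts, _TS_FMT)  # also rejects impossible dates (month 13 etc.)
        result[op] = ts
    return result


def is_valid_filter(endpoint: str, value: str) -> bool:
    """Playbook-friendly pre-check: True when parse_filter accepts the string."""
    try:
        parse_filter(endpoint, value)
        return True
    except ValueError:
        return False


def iter_pages(fetch: Callable[[int], dict], list_key: str,
               max_pages: int = 100) -> Iterator[dict]:
    """Yield every item across pages; fetch(page_number) returns one response body.
    Stops when nextPageNumber is absent (no more data, or paging disabled because
    no filter was passed), when it fails to advance, or after max_pages."""
    page = 1
    for _ in range(max_pages):
        body = fetch(page)
        yield from body.get(list_key, [])
        nxt = body.get("nextPageNumber")
        if nxt is None or nxt <= page:
            return
        page = nxt


# Constructed responses shaped like the list-threats context example.
SAMPLE_THREAT_PAGES = {
    1: {"pageNumber": 1, "nextPageNumber": 2,
        "threats": [{"threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"}]},
    2: {"pageNumber": 2,
        "threats": [{"threatId": "00000000-0000-4000-8000-000000000002"}]},
}


def collect_threat_ids(pages: Dict[int, dict] = SAMPLE_THREAT_PAGES) -> List[str]:
    """Drain every page of a /threats listing into a flat list of threat IDs."""
    return [t["threatId"] for t in iter_pages(lambda n: pages[n], "threats")]
```

In a real playbook `fetch` would wrap the list command with `page_number=n` and the same filter on every call, since paging is only honoured when a filter is present.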

### abnormal-security-get-threat

Get details of a threat.

#### Base Command

`abnormal-security-get-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_id | A UUID representing a threat campaign. The full list of threat IDs can be obtained by first running the command to list threats. | Required |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.ThreatDetails.threatId | String | An ID which maps to a threat campaign. A threat campaign might be received by multiple users. |
| AbnormalSecurity.ThreatDetails.messages.threatId | String | An ID which maps to a threat campaign. A threat campaign might be received by multiple users. |
| AbnormalSecurity.ThreatDetails.messages.abxMessageId | Number | A unique identifier for an individual message within a threat (i.e. email campaign). |
| AbnormalSecurity.ThreatDetails.messages.abxPortalUrl | String | The URL at which the specific message details are viewable in Abnormal Security's Portal web interface. |
| AbnormalSecurity.ThreatDetails.messages.subject | String | The email subject. |
| AbnormalSecurity.ThreatDetails.messages.fromAddress | String | The email address of the sender. |
| AbnormalSecurity.ThreatDetails.messages.fromName | String | The display name of the sender. |
| AbnormalSecurity.ThreatDetails.messages.toAddresses | String | All the email addresses to which the message was sent, comma-separated and truncated at 255 chars. |
| AbnormalSecurity.ThreatDetails.messages.recipientAddress | String | The email address of the user who actually received the message. |
| AbnormalSecurity.ThreatDetails.messages.receivedTime | String | The timestamp at which this message arrived. |
| AbnormalSecurity.ThreatDetails.messages.sentTime | String | The timestamp at which this message was sent. |
| AbnormalSecurity.ThreatDetails.messages.internetMessageId | String | The internet message ID, per RFC 822. |
| AbnormalSecurity.ThreatDetails.messages.autoRemediated | Boolean | Abnormal has automatically detected and remediated this message from the user's mailbox. |
| AbnormalSecurity.ThreatDetails.messages.postRemediated | Boolean | Email campaigns that were remediated at a later time, after landing in the user's mailbox. |
| AbnormalSecurity.ThreatDetails.messages.attackType | String | The type of threat the message represents. |
| AbnormalSecurity.ThreatDetails.messages.attackStrategy | String | The attack strategy identified to be used by a threat campaign. |
| AbnormalSecurity.ThreatDetails.messages.returnPath | String | The potential path where information is returned to the attacker. |
| AbnormalSecurity.ThreatDetails.messages.senderIpAddress | String | IP address of the sender. |
| AbnormalSecurity.ThreatDetails.messages.impersonatedParty | String | Impersonated party, if any. |
| AbnormalSecurity.ThreatDetails.messages.attackVector | String | The attack medium. |
| AbnormalSecurity.ThreatDetails.messages.remediationTimestamp | String | The timestamp at which this message was remediated, or empty if it has not been remediated. |
| AbnormalSecurity.ThreatDetails.messages.isRead | Boolean | Whether an email has been read. |
| AbnormalSecurity.ThreatDetails.messages.attackedParty | String | The party that was targeted by an attack. |

#### Command Example

```
!abnormal-security-get-threat threat_id=xwvutsrq-9pon-mlkj-i876-54321hgfedcba
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "ThreatDetails": {
      "messages": [
        {
          "abxMessageId": 4551618356913732000,
          "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/4551618356913732076",
          "attachmentCount": null,
          "attachmentNames": [
            "attachment.pdf"
          ],
          "attackStrategy": "Name Impersonation",
          "attackType": "Extortion",
          "attackVector": "Text",
          "attackedParty": "VIP",
          "autoRemediated": true,
          "ccEmails": [
            "cc@example.com"
          ],
          "fromAddress": "support@secure-reply.org",
          "fromName": "",
          "impersonatedParty": "None / Others",
          "internetMessageId": "<5edfca1c.1c69fb81.4b055.8fd5@mx.google.com>",
          "isRead": true,
          "postRemediated": true,
          "receivedTime": "2020-06-09T17:42:59Z",
          "recipientAddress": "example@example.com",
          "remediationTimestamp": "2020-06-09T17:42:59Z",
          "replyToEmails": [
            "reply-to@example.com"
          ],
          "returnPath": "support@secure-reply.org",
          "senderDomain": "",
          "senderIpAddress": "100.101.102.103",
          "sentTime": "2020-06-09T17:42:59Z",
          "subject": "Phishing Email",
          "summaryInsights": [
            "Bitcoin Topics",
            "Personal Information Theft",
            "Unusual Sender"
          ],
          "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2",
          "toAddresses": "example@example.com, another@example.com",
          "urlCount": 0,
          "urls": [
            "https://www.google.com/"
          ]
        }
      ],
      "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2"
    }
  }
}
```

#### Human Readable Output

##### Messages in Threat 184712ab-6d8b-47b3-89d3-a314efef79e2

| subject | fromAddress | toAddresses | recipientAddress | receivedTime | attackType | attackStrategy | returnPath |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Phishing Email | support@secure-reply.org | example@example.com, another@example.com | example@example.com | 2020-06-09T17:42:59Z | Extortion | Name Impersonation | support@secure-reply.org |

### abnormal-security-get-abnormal-case

Get details of an Abnormal case.

#### Base Command

`abnormal-security-get-abnormal-case`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | A string representing the email case. Can be retrieved by first running the command to list cases. | Required |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.AbnormalCaseDetails.caseId | String | A unique identifier for this case. |
| AbnormalSecurity.AbnormalCaseDetails.severity | String | Description of the severity level for this case. |
| AbnormalSecurity.AbnormalCaseDetails.affectedEmployee | String | Which employee this case pertains to. |
| AbnormalSecurity.AbnormalCaseDetails.firstObserved | String | First time suspicious behavior was observed. |

#### Command Example

```
!abnormal-security-get-abnormal-case case_id=12805
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "AbnormalCaseDetails": {
      "affectedEmployee": "FirstName LastName",
      "analysis": "Mail Sent",
      "caseId": 1234,
      "case_status": "Action Required",
      "firstObserved": "2020-06-09T17:42:59Z",
      "remediation_status": "Not remediated",
      "severity": "Potential Account Takeover",
      "threatIds": [
        "184712ab-6d8b-47b3-89d3-a314efef79e2"
      ]
    }
  }
}
```

#### Human Readable Output

##### Details of Case 1234

| caseId | severity | affectedEmployee | firstObserved | threatIds |
| --- | --- | --- | --- | --- |
| 1234 | Potential Account Takeover | FirstName LastName | 2020-06-09T17:42:59Z | 184712ab-6d8b-47b3-89d3-a314efef79e2 |

### abnormal-security-get-abuse-mailbox-campaign

Get details of an Abuse Mailbox campaign.

#### Base Command

`abnormal-security-get-abuse-mailbox-campaign`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| campaign_id | A UUID representing the abuse campaign ID. Can be retrieved by first running the command to list abuse mailbox campaigns. | Required |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.AbuseCampaign.campaignId | String | An ID which maps to an abuse campaign. |
| AbnormalSecurity.AbuseCampaign.firstReported | String | Date the abuse campaign was first reported. |
| AbnormalSecurity.AbuseCampaign.lastReported | String | Date the abuse campaign was last reported. |
| AbnormalSecurity.AbuseCampaign.messageId | String | A unique identifier for the first message in the abuse campaign. |
| AbnormalSecurity.AbuseCampaign.subject | String | Subject of the first email in the abuse campaign. |
| AbnormalSecurity.AbuseCampaign.fromName | String | The display name of the sender. |
| AbnormalSecurity.AbuseCampaign.fromAddress | String | The email address of the sender. |
| AbnormalSecurity.AbuseCampaign.recipientName | String | The email address of the recipient. |
| AbnormalSecurity.AbuseCampaign.recipientAddress | String | The email address of the recipient. |
| AbnormalSecurity.AbuseCampaign.judgementStatus | String | Judgement status of the message. |
| AbnormalSecurity.AbuseCampaign.overallStatus | String | Overall status of the message. |
| AbnormalSecurity.AbuseCampaign.attackType | String | The type of threat the message represents. |

#### Command Example

```
!abnormal-security-get-abuse-mailbox-campaign campaign_id=xwvutsrq-9pon-mlkj-i876-54321hgfedcba
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "AbuseCampaign": {
      "campaigns": {
        "attackType": "Attack Type: Spam",
        "campaignId": "fff51768-c446-34e1-97a8-9802c29c3ebd",
        "firstReported": "2020-11-11T13:11:40-08:00",
        "fromAddress": "example@example.com",
        "fromName": "Tom Dinkley",
        "judgementStatus": "Malicious",
        "lastReported": "2020-11-11T13:11:40-08:00",
        "messageId": "12345678910",
        "overallStatus": "Move attempted",
        "recipientAddress": "example_phisher@example.com",
        "recipientName": "Booker",
        "subject": "Fwd: This is spam"
      }
    }
  }
}
```

#### Human Readable Output

##### Results

| attackType | campaignId | firstReported | fromAddress | fromName | judgementStatus | lastReported | messageId | overallStatus | recipientAddress | recipientName | subject |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Attack Type: Spam | fff51768-c446-34e1-97a8-9802c29c3ebd | 2020-11-11T13:11:40-08:00 | example@example.com | Tom Dinkley | Malicious | 2020-11-11T13:11:40-08:00 | 12345678910 | Move attempted | example_phisher@example.com | Booker | Fwd: This is spam |

### abnormal-security-get-employee-identity-analysis

Get employee identity analysis (Genome) data.

#### Base Command

`abnormal-security-get-employee-identity-analysis`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Email address of the employee you want to retrieve data for. | Required |
| mock-data | Returns test data if set to True. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.Employee.email | String | Employee email. |
| AbnormalSecurity.Employee.histograms.key | String | Genome key name. |
| AbnormalSecurity.Employee.histograms.name | String | Genome title. |
| AbnormalSecurity.Employee.histograms.description | String | Description of the genome object. |
| AbnormalSecurity.Employee.histograms.values.value | String | Category value. |
| AbnormalSecurity.Employee.histograms.values.percentage | Number | Ratio of this category relative to others. |
| AbnormalSecurity.Employee.histograms.values.total_count | Number | Number of occurrences for this category. |

#### Command Example

```
!abnormal-security-get-employee-identity-analysis email_address="test@test.com"
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "Employee": {
      "email": "test@test.com",
      "histograms": [
        {
          "description": "Common IP addresses for user logins",
          "key": "ip_address",
          "name": "Common IP Addresses",
          "values": [
            {
              "ratio": 0.25,
              "raw_count": 12,
              "text": "ip-address-0"
            },
            {
              "ratio": 0.25,
              "raw_count": 12,
              "text": "ip-address-1"
            },
            {
              "ratio": 0.25,
              "raw_count": 12,
              "text": "ip-address-2"
            },
            {
              "ratio": 0.25,
              "raw_count": 12,
              "text": "ip-address-3"
            }
          ]
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### Analysis of test@test.com

| description | key | name | values |
| --- | --- | --- | --- |
| Common IP addresses for user logins | ip_address | Common IP Addresses | {'text': 'ip-address-0', 'ratio': 0.25, 'raw_count': 12}, {'text': 'ip-address-1', 'ratio': 0.25, 'raw_count': 12}, {'text': 'ip-address-2', 'ratio': 0.25, 'raw_count': 12}, {'text': 'ip-address-3', 'ratio': 0.25, 'raw_count': 12} |

### abnormal-security-get-employee-information

Get employee information.

#### Base Command

`abnormal-security-get-employee-information`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Email address of the employee you want to retrieve data for. | Required |
| mock-data | Returns test data if set to True. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.Employee.name | String | Name of the employee. |
| AbnormalSecurity.Employee.email | String | Email of the employee. |
| AbnormalSecurity.Employee.title | String | Job title of the employee. |
| AbnormalSecurity.Employee.manager | String | Email address of the employee's manager. |

#### Command Example

```
!abnormal-security-get-employee-information email_address="test@test.com"
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "Employee": {
      "email": "testemail@email.com",
      "manager": "testmanageremail@email.net",
      "name": "test_name",
      "title": "Test Operator"
    }
  }
}
```

#### Human Readable Output

##### Results

| email | manager | name | title |
| --- | --- | --- | --- |
| testemail@email.com | testmanageremail@email.net | test_name | Test Operator |

### abnormal-security-get-employee-last-30-days-login-csv

Get employee login information for the last 30 days in csv format.

#### Base Command

`abnormal-security-get-employee-last-30-days-login-csv`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Email address of the employee you want to retrieve data for. | Required |
| mock-data | Returns test data if set to True. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!abnormal-security-get-employee-last-30-days-login-csv email_address="test@test.com"
```

#### Context Example

```json
{
  "File": {
    "EntryID": "2338@2ef16ace-2149-42b9-8b0f-fb7620ba7d44",
    "Extension": "csv",
    "Info": "csv",
    "MD5": "11afb4879c5026e25bd868dfcf23e811",
    "Name": "employee_login_info_30_days.csv",
    "SHA1": "345ea1d24b52c96baf6b0e4d892d13d4efcf666d",
    "SHA256": "12620e0f576f4d74603b1f542919a3e5199e61435ffd99bcd68c26e02ed9c693",
    "SHA512": "f0e788981ce70d9668100ae3f93d1f28660f0d8a9dfda02284a70f08ac14ca5a356872284f460d8fb7970791e314e0db4a6c84b0032c35046efce62368a00da5",
    "SSDeep": "12:uR2xCC56aHoW2IY3zg05Eg05ng05Eg05V:uROjHn2IY3v5i5T5i5V",
    "Size": 484,
    "Type": "ASCII text, with CRLF line terminators"
  }
}
```

### abnormal-security-get-latest-threat-intel-feed

Get the latest threat intel feed.

#### Base Command

`abnormal-security-get-latest-threat-intel-feed`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| mock-data | Returns test data if set to True. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!abnormal-security-get-latest-threat-intel-feed
```

#### Context Example

```json
{
  "File": {
    "EntryID": "2314@2ef16ace-2149-42b9-8b0f-fb7620ba7d44",
    "Extension": "json",
    "Info": "application/json",
    "MD5": "a00e919efc9e28f77b8f7b7523b1ffe8",
    "Name": "threat_intel_feed.json",
    "SHA1": "53bf3e6075f407b53c95d5dd2197b9be0dfa5ced",
    "SHA256": "f842e7f6795fba081f2046617fce662c050b5a3c64cac9501f23fa7576788429",
    "SHA512": "27af66eefb1ed7227b4f8ec1c663ac8ef47660bb34ffd1d5853a7a58e25caec68615c2e66bfbd66577749faa889894e792f53cab70a826818b4d627ad02bbb04",
    "SSDeep": "49152:dY0GiMq58ZVhOH+sZwFp+h/s0pH6VRRxIGFe7V3dCLtJ/W7H8nsIdL0E:u",
    "Size": 8007799,
    "Type": "ASCII text"
  }
}
```

### abnormal-security-manage-threat

Manage a threat identified by Abnormal Security.

#### Base Command

`abnormal-security-manage-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_id | A UUID representing a threat campaign. The full list of threat IDs can be obtained by first running the command to list threats. | Required |
| action | Action to perform on the threat. | Required |
| mock-data | Returns test data if set to True. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.ThreatManageResults.action_id | String | ID of the action taken. |
| AbnormalSecurity.ThreatManageResults.status_url | String | URL of the status of the action. |

#### Command Example

```
!abnormal-security-manage-threat threat_id=xwvutsrq-9pon-mlkj-i876-54321hgfedcba action=remediate
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "ThreatManageResults": {
      "action_id": "a33a212a-89ff-461f-be34-ea52aff44a73",
      "status_url": "https://api.abnormalplatform.com/v1/threats/184712ab-6d8b-47b3-89d3-a314efef79e2/actions/a33a212a-89ff-461f-be34-ea52aff44a73"
    }
  }
}
```

#### Human Readable Output

##### Results

| action_id | status_url |
| --- | --- |
| a33a212a-89ff-461f-be34-ea52aff44a73 | https://api.abnormalplatform.com/v1/threats/184712ab-6d8b-47b3-89d3-a314efef79e2/actions/a33a212a-89ff-461f-be34-ea52aff44a73 |

### abnormal-security-manage-abnormal-case

Manage an Abnormal case.

#### Base Command

`abnormal-security-manage-abnormal-case`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | A string representing the email case. Can be retrieved by first running the command to list cases. | Required |
| action | Action to perform on the case. | Required |
| mock-data | Returns test data if set to True. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.CaseManageResults.action_id | String | ID of the action taken. |
| AbnormalSecurity.CaseManageResults.status_url | String | URL of the status of the action. |

#### Command Example

```
!abnormal-security-manage-abnormal-case case_id=12805 action=action_required
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "CaseManageResults": {
      "action_id": "61e76395-40d3-4d78-b6a8-8b17634d0f5b",
      "status_url": "https://api.abnormalplatform.com/v1/cases/1234/actions/61e76395-40d3-4d78-b6a8-8b17634d0f5b"
    }
  }
}
```

#### Human Readable Output

##### Results

| action_id | status_url |
| --- | --- |
| 61e76395-40d3-4d78-b6a8-8b17634d0f5b | https://api.abnormalplatform.com/v1/cases/1234/actions/61e76395-40d3-4d78-b6a8-8b17634d0f5b |

### abnormal-security-get-case-analysis-and-timeline

Provides the analysis and timeline details of a case.

#### Base Command

`abnormal-security-get-case-analysis-and-timeline`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | A string representing the email case. Can be retrieved by first running the command to list cases. | Required |
| mock-data | Returns test data if set to True. | Optional |
| subtenant | Subtenant of the user (if applicable). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.CaseAnalysis.insights.signal | String | Insight signal or highlight of a case. |
| AbnormalSecurity.CaseAnalysis.insights.description | String | Description of the insight signal or highlight. |
| AbnormalSecurity.CaseAnalysis.eventTimeline.event_timestamp | String | Time when the event occurred. |
| AbnormalSecurity.CaseAnalysis.eventTimeline.category | String | Type of event. |
| AbnormalSecurity.CaseAnalysis.eventTimeline.title | String | Title of the event. |
| AbnormalSecurity.CaseAnalysis.eventTimeline.ip_address | String | IP address from which the user accessed mail. |
| AbnormalSecurity.CaseAnalysis.eventTimeline.field_labels | Unknown | Analysis labels associated with the fields in the timeline event. |

#### Command Example

```
!abnormal-security-get-case-analysis-and-timeline case_id=12345
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "CaseAnalysis": {
      "eventTimeline": [
        {
          "category": "Risk Event",
          "description": "Impossible Travel Event was observed for test@lamronba.com.",
          "event_timestamp": "2021-07-14T22:41:54Z",
          "ip_address": "127.0.0.1",
          "location": {
            "city": "Aldie",
            "country": "US",
            "state": "Virginia"
          },
          "prev_location": {
            "city": "Atherton",
            "country": "US",
            "state": "California"
          },
          "title": "Impossible Travel"
        },
        {
          "category": "Mail Rule",
          "condition": "hasNoCondition",
          "event_timestamp": "2021-07-14T22:41:54Z",
          "flagging_detectors": "DELETE_ALL",
          "rule_name": "Swag Voice Note",
          "title": "Mail Rule Change"
        },
        {
          "category": "Mail Sent",
          "event_timestamp": "2021-07-14T22:41:54Z",
          "recipient": "Recipient Name",
          "sender": "test@lamronba.com",
          "subject": "Spoof email subject",
          "title": "Unusual Correspondence"
        },
        {
          "application": "Microsoft Office 365 Portal",
          "browser": "Chrome 79.0.3453",
          "category": "Sign In",
          "description": "Suspicious Failed Sign In Attempt for test@lamronba.com",
          "device_trust_type": "None",
          "event_timestamp": "2021-07-14T22:41:54Z",
          "field_labels": {
            "ip_address": [
              "rare",
              "proxy"
            ],
            "operating_system": [
              "legacy"
            ]
          },
          "ip_address": "127.0.0.1",
          "isp": "NGCOM",
          "location": {
            "country": "Ireland"
          },
          "operating_system": "Windows XP",
          "protocol": "Browser",
          "title": "Suspicious Failed Sign In Attempt"
        }
      ],
      "insights": [
        {
          "description": "There was a signin into test@lamronba.com from a location frequently used to launch attacks.",
          "signal": "Risky Location"
        }
      ]
    }
  }
}
```

#### Human Readable Output

##### Insights for 12345

| signal | description |
| --- | --- |
| Risky Location | There was a signin into test@lamronba.com from a location frequently used to launch attacks. |

##### Event Timeline for

| event_timestamp | category | title | field_labels | ip_address | description | location | sender | subject | title | rule_name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-07-14T22:41:54Z | Risk Event | Impossible Travel | | 127.0.0.1 | Impossible Travel Event was observed for test@lamronba.com. | city: Aldie, state: Virginia, country: US | | | Impossible Travel | |
| 2021-07-14T22:41:54Z | Mail Rule | Mail Rule Change | | | | | | | Mail Rule Change | Swag Voice Note |
| 2021-07-14T22:41:54Z | Mail Sent | Unusual Correspondence | | | | | test@lamronba.com | Spoof email subject | Unusual Correspondence | |
| 2021-07-14T22:41:54Z | Sign In | Suspicious Failed Sign In Attempt | ip_address: rare, proxy; operating_system: legacy | 127.0.0.1 | Suspicious Failed Sign In Attempt for test@lamronba.com | country: Ireland | | | Suspicious Failed Sign In Attempt | |
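A triage pass over the CaseAnalysis context shown above, as an added example (not the integration's own code): it ranks the timeline events by the indicators a responder would look at first (location change on a Risk Event, a mail rule flagged by a detector, outbound mail, and Abnormal's per-field labels such as `rare`, `proxy` and `legacy`). It relies only on field names visible in the context example; the label weights are this example's own choice, not an Abnormal scoring scheme, and the sample case is constructed from that context example.

```python
# Added example (not the integration's own code): triage the CaseAnalysis
# context returned by abnormal-security-get-case-analysis-and-timeline. It
# relies only on the field names visible in the context example above; the
# weights are this example's own choice, not an Abnormal scoring scheme.
from typing import Dict, List

# Analysis labels Abnormal attaches to timeline fields, as seen in the context
# example (field_labels.ip_address: ["rare", "proxy"], operating_system: ["legacy"]).
LABEL_WEIGHTS = {"rare": 2, "proxy": 2, "legacy": 1}


def _fmt_location(loc: Dict) -> str:
    return ", ".join(str(loc[k]) for k in ("city", "state", "country") if k in loc)


def triage_event(event: Dict) -> Dict:
    """Return {'title', 'category', 'score', 'reasons'} for one timeline event."""
    reasons: List[str] = []
    score = 0
    category = event.get("category")
    if category == "Risk Event" and "prev_location" in event:
        # Impossible-travel style event: the account was used from two places.
        reasons.append("location changed from %s to %s" % (
            _fmt_location(event["prev_location"]), _fmt_location(event.get("location", {}))))
        score += 3
    elif category == "Mail Rule":
        # Inbox rules are a common persistence step after an account takeover.
        reasons.append(f"mail rule {event.get('rule_name')!r} changed")
        score += 2
        if event.get("flagging_detectors"):
            reasons.append(f"rule flagged by detector {event['flagging_detectors']}")
            score += 2
    elif category == "Mail Sent":
        reasons.append(f"outbound mail {event.get('subject')!r} to {event.get('recipient')}")
        score += 1
    # field_labels carries Abnormal's per-field analysis (e.g. ip_address: rare, proxy).
    for field, labels in (event.get("field_labels") or {}).items():
        for label in labels:
            reasons.append(f"{field} is {label}")
            score += LABEL_WEIGHTS.get(label, 1)
    return {"title": event.get("title"), "category": category,
            "score": score, "reasons": reasons}


def triage_case(case_analysis: Dict) -> List[Dict]:
    """Score every timeline event and return them highest-risk first."""
    events = [triage_event(e) for e in case_analysis.get("eventTimeline", [])]
    return sorted(events, key=lambda e: e["score"], reverse=True)


def case_signals(case_analysis: Dict) -> List[str]:
    """The insight signals (e.g. 'Risky Location') Abnormal attached to the case."""
    return [i["signal"] for i in case_analysis.get("insights", [])]


# Constructed sample mirroring the context example above.
SAMPLE_CASE_ANALYSIS = {
    "eventTimeline": [
        {"category": "Risk Event", "title": "Impossible Travel",
         "event_timestamp": "2021-07-14T22:41:54Z", "ip_address": "127.0.0.1",
         "location": {"city": "Aldie", "state": "Virginia", "country": "US"},
         "prev_location": {"city": "Atherton", "state": "California", "country": "US"}},
        {"category": "Mail Rule", "title": "Mail Rule Change",
         "event_timestamp": "2021-07-14T22:41:54Z", "condition": "hasNoCondition",
         "flagging_detectors": "DELETE_ALL", "rule_name": "Swag Voice Note"},
        {"category": "Mail Sent", "title": "Unusual Correspondence",
         "event_timestamp": "2021-07-14T22:41:54Z", "sender": "test@lamronba.com",
         "recipient": "Recipient Name", "subject": "Spoof email subject"},
        {"category": "Sign In", "title": "Suspicious Failed Sign In Attempt",
         "event_timestamp": "2021-07-14T22:41:54Z", "ip_address": "127.0.0.1",
         "operating_system": "Windows XP", "location": {"country": "Ireland"},
         "field_labels": {"ip_address": ["rare", "proxy"], "operating_system": ["legacy"]}},
    ],
    "insights": [{"signal": "Risky Location",
                  "description": "There was a signin into test@lamronba.com from a "
                                 "location frequently used to launch attacks."}],
}
```

The reasons list is what a playbook would write into the incident's notes; the ranking only decides which event an analyst reads first.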

### abnormal-security-submit-inquiry-to-request-a-report-on-misjudgement

Submit an inquiry to request a report on a misjudgement by Abnormal Security.

#### Base Command

`abnormal-security-submit-inquiry-to-request-a-report-on-misjudgement`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| mock-data | Returns test data if set to True. | Optional |
| reporter | Email of the reporter. | Required |
| report_type | Type of misjudgement reported. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| AbnormalSecurity.SubmitInquiry.detail | String | Confirmation of the inquiry sent. |

#### Command Example

```
!abnormal-security-submit-inquiry-to-request-a-report-on-misjudgement reporter=abc@def.com report_type=false-positive
```

#### Context Example

```json
{
  "AbnormalSecurity": {
    "SubmitInquiry": {
      "detail": "Thank you for your feedback! We have sent your inquiry to our support staff."
    }
  }
}
```

#### Human Readable Output

##### Results

| detail |
| --- |
| Thank you for your feedback! We have sent your inquiry to our support staff. |