Abnormal Security
- Anthony Shevlin (Deactivated)
Abnormal Security is for managing threats to an organisation identified by Abnormal Security. The organisation should be integrated with Abnormal Security and enabled for real-time detection of malicious emails.
Connect Abnormal Security with Devo SOAR
Navigate to Automations > Integrations.
Search for Abnormal Security.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
API Key: The API key required for authentication with Abnormal Security APIs.
After you've entered all the details, click Connect.
Actions for Abnormal Security
List Threats
Fetches a list of the IDs of the top 100 threats identified in Threat Log.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Filter | Jinja-templated text containing the value of filter. Example: receivedTime gte 2020-01-01T01:01:01Z lte {{time}} | Optional |
Limit | Number of results to fetch (Default is 100000). Has no effect if filter is not specified. Example: 100 | Optional |
Extra params | Jinja-templated text containing the JSON of params to be sent. Example: {"subject":"sub1","topic":"Abnormal Activity"} | Optional |
Output
An array of objects containing information about the threatId.
JSON
{
"error":null,
"has_error":false,
"threatId":"6124bd9c-9f4e-c0a8-3994-43a7a7e87f3f"
}Threat details
Get details of a threat by threat ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Threat ID | Column name from the parent table containing UUID of the threat. | Required |
Output
A JSON object containing information about the threat.
JSON
{
"threatId":"424ca4a6-9bb9-d0f5-1683-c77d262e6ee0",
"messages":[
{
"threatId":"424ca4a6-9bb9-d0f5-1683-c77d262e6ee0",
"autoRemediated":false,
"postRemediated":false,
"attackType":"Reconnaissance",
"attackStrategy":"Unknown Sender",
"returnPath":"romanoanna@hotmail.com",
"replyToEmails":[
],
"ccEmails":[
],
"senderIpAddress":"",
"impersonatedParty":"None / Others",
"attackVector":"Text",
"attachmentNames":[
],
"summaryInsights":[
"Unusual Sender"
],
"remediationTimestamp":"2021-02-19T15:59:38Z",
"isRead":false,
"attackedParty":"Employee (other)",
"abxMessageId":-7922944339592178420,
"abxPortalUrl":"https://portal.abnormalsecurity.com/home/threat-center/remediation-history/-7922944339592178420",
"subject":"test",
"fromAddress":"romanoanna@hotmail.com",
"fromName":"Anna Romano",
"toAddresses":"anna@example.ca",
"recipientAddress":"anna@example.ca",
"receivedTime":"2021-02-19T15:59:34Z",
"sentTime":"2021-02-19T15:59:30Z",
"internetMessageId":"<DM6PR13MB4068A0D738E4A2DF61CBFF27DF849@DM6PR13MB4068.namprd13.prod.outlook.com>",
"urls":[
]
}
],
"error":null,
"has_error":false
}Manage Threat
Use this action to remediate or unremediate a threat. If the request is found to be something that can be processed, the server will an actionId and status URL in the response. This can be used to check the status of the request.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Threat ID | Column name from the parent table containing UUID of the threat. | Required |
Action | Select action that is to be taken on this threat. Default is Remediate | Required |
Output
A JSON object containing information about the threat.
JSON
{
"action_id":"3f506ad7-ed61-4b4a-8d5f-b842b48116d8",
"status_url":"http://api.abnormalplatform.com/v1/threats/424ca4a6-9bb9-d0f5-1683-c77d262e6ee0/actions/3f506ad7-ed61-4b4a-8d5f-b842b48116d8",
"error":null,
"has_error":false
}Threat Action Status
Check the status of an action requested on a threat.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Threat ID | Column name from the parent table containing UUID of the threat. | Required |
Action ID | Column name from the parent table containing action ID for a threat. | Required |
Output
A JSON object containing information about the current status of the action performed on the threat.
JSON
List Cases
A list of the top 100 cases identified in Abnormal Cases.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
An array of JSON object containing information about the caseId.
JSON
Case Details
Get details of an abnormal case.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Case ID | Column name from the parent table containing case ID. | Required |
Output
A JSON object containing information about the case.
JSON
Manage Case
Use this action to acknowledge or take another remediation action on a case. If the request is found to be something that can be processed, the server will return an actionId and status URL in the response. This can be used to check the status of the request.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Case ID | Column name from the parent table containing case ID. | Required |
Action | Jinja-templated text containing action that is to be taken on this case. | Required |
Output
A JSON object containing information about the action ID of the action that was performed.
JSON
Case Action Status
Check the status of an action requested on a case.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Case ID | Column name from the parent table containing case ID. | Required |
Action ID | Column name from the parent table containing action ID for a case. | Required |
Output
A JSON object containing information about the status and description of the action that was performed.
JSON
Threat Intel (Beta)
Action to get the latest threat intel feed.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
Feed of threat intelligence in Structured Threat Information Expression (STIX) format.
Case Report Misjudgement
To report a false negative or a false positive judgement by Abnormal Security.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Report Type | Jinja-templated text containing report type Example: {{parent_table_report_type}}. | Required |
Reporter | Jinja-templated text containing reporter Example: {{parent_table_reporter}}. | Required |
Subject | Jinja-templated text subject Example: {{parent_table_subject}}. | Required |
Recipient Email Address | Jinja-templated text containing recipient email address. Example: {{parent_table_recipient_email_address}}. | Required |
Sender Email Address | Jinja-templated text containing sender email address. Example: {{[parent_table_sender_email_address}}. | Required |
Output
A JSON object containing information.
JSON
Get Detection 360 Report
Get a list of Detection 360deg reports that you have submitted and view corresponding details for each case, including report summaries, statuses, message analyses, and more.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Inquiry Type | Jinja-templated text containing inquiry type. Example: {{inquiry_type}}. | Required |
Start | Jinja-templated text containing the start of the datetime range, as a Unix timestamp (seconds since 1 January 1970), to fetch Detection 360° cases from as a Unix timestamp. Defaults to 30 days before end. Example. 2022-10-20T00:00:00Z | Optional |
End | Jinja-templated text containing the end of the datetime range, as a Unix timestamp (seconds since 1 January 1970), to fetch Detection 360° cases from. Defaults to the current time. Example. 2022-10-20T00:00:00Z | Optional |
Status | Jinja-templated text containing the comma separated status. Only Detection 360° cases with these statuses will be retrieved. Defaults to all statuses. Example: UNREVIEWED,CONTAINING_ATTACK | Optional |
Output
JSON containing the following items:
JSON
Release Notes
v2.0.0- Updated architecture to support IO via filesystemv1.3.1- AddedGet Detection 360 Reportaction.v1.2.1- AddedExtra paramsoptional field inList Threatsaction.