Abnormal Security

Abnormal Security is for managing threats to an organisation identified by Abnormal Security. The organisation should be integrated with Abnormal Security and enabled for real-time detection of malicious emails.

Integration with LogicHub

Connecting with Abnormal Security

To connect to Abnormal Security, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • API Token: Token required for authentication with the Abnormal Security APIs.

Actions with Abnormal Security

List Threats

Fetches a list of the IDs of the top 100 threats identified in Threat Log.

Inputs to this Action

  • Connections: Choose a connection that you have created.

Output of Action
Array of objects containing threatId.

{
   "error":null,
   "has_error":false,
   "threatId":"6124bd9c-9f4e-c0a8-3994-43a7a7e87f3f"
}

Threat Details

Get details of a threat by threat ID.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Threat ID: Column name from the parent table containing UUID of the threat.

Output of Action
JSON object containing details of the threat.

{
   "threatId":"424ca4a6-9bb9-d0f5-1683-c77d262e6ee0",
   "messages":[
      {
         "threatId":"424ca4a6-9bb9-d0f5-1683-c77d262e6ee0",
         "autoRemediated":false,
         "postRemediated":false,
         "attackType":"Reconnaissance",
         "attackStrategy":"Unknown Sender",
         "returnPath":"[email protected]",
         "replyToEmails":[],
         "ccEmails":[],
         "senderIpAddress":"",
         "impersonatedParty":"None / Others",
         "attackVector":"Text",
         "attachmentNames":[],
         "summaryInsights":[
            "Unusual Sender"
         ],
         "remediationTimestamp":"2021-02-19T15:59:38Z",
         "isRead":false,
         "attackedParty":"Employee (other)",
         "abxMessageId":-7922944339592178420,
         "abxPortalUrl":"https://portal.abnormalsecurity.com/home/threat-center/remediation-history/-7922944339592178420",
         "subject":"test",
         "fromAddress":"[email protected]",
         "fromName":"Anna Romano",
         "toAddresses":"[email protected]",
         "recipientAddress":"[email protected]",
         "receivedTime":"2021-02-19T15:59:34Z",
         "sentTime":"2021-02-19T15:59:30Z",
         "internetMessageId":"<[email protected]od.outlook.com>",
         "urls":[]
      }
   ],
   "error":null,
   "has_error":false
}

Manage Threat

Use this action to remediate or unremediate a threat. If the request is found to be something that can be processed, the server will return an actionId and status URL in the response. These can be used to check the status of the request.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Threat ID: Column name from the parent table containing UUID of the threat.
  • Action: Select the action that is to be taken on this threat. Default is Remediate.

Output of Action
JSON object containing the action ID and status URL for the requested action.

{
   "action_id":"3f506ad7-ed61-4b4a-8d5f-b842b48116d8",
   "status_url":"http://api.abnormalplatform.com/v1/threats/424ca4a6-9bb9-d0f5-1683-c77d262e6ee0/actions/3f506ad7-ed61-4b4a-8d5f-b842b48116d8",
   "error":null,
   "has_error":false
}

Threat Action Status

Check the status of an action requested on a threat.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Threat ID: Column name from the parent table containing UUID of the threat.
  • Action ID: Column name from the parent table containing action ID for a threat.

Output of Action
JSON object containing current status of the action performed on the threat.

{
   "status":"done",
   "description":"The request was completed successfully",
   "error":null,
   "has_error":false
}

List Cases

Fetches a list of the top 100 cases identified in Abnormal Cases.

Inputs to this Action

  • Connections: Choose a connection that you have created.

Output of Action
Array of JSON objects containing caseId.

{
   "caseId":96609,
   "error":null,
   "has_error":false,
   "severity":"Suspicious Account Activity"
}

Case Details

Get details of an Abnormal case.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Case ID: Column name from the parent table containing case ID.

Output of Action
JSON object containing details of the case.

{
   "caseId":96609,
   "severity":"Suspicious Account Activity",
   "affectedEmployee":"[email protected]",
   "firstObserved":"2021-02-17T09:00:13Z",
   "error":null,
   "has_error":false
}

Manage Case

Use this action to acknowledge or take another remediation action on a case. If the request is found to be something that can be processed, the server will return an actionId and status URL in the response. This can be used to check the status of the request.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Case ID: Column name from the parent table containing case ID.
  • Action: Jinja templated text containing action that is to be taken on this case. Example: {{column_from_parent}}

Output of Action
JSON object containing the action ID of the action performed on this case.

{
   "action_id":"48244c42-a1a5-42f6-9c2d-3783bd67c554",
   "status_url":"http://api.abnormalplatform.com/v1/cases/96609/actions/48244c42-a1a5-42f6-9c2d-3783bd67c554",
   "error":null,
   "has_error":false
}

Case Action Status

Check the status of an action requested on a case.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Case ID: Column name from the parent table containing case ID.
  • Action ID: Column name from the parent table containing action ID for a case.

Output of Action
JSON object containing status and description of the action performed.

{
   "status":"done",
   "description":"The request was completed successfully",
   "error":null,
   "has_error":false
}
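The request-then-poll workflow formed by Manage Threat with Threat Action Status, and by Manage Case with Case Action Status, as an added Python example that is not LogicHub's or Abnormal Security's own code. It assumes an action is submitted with POST /v1/threats/{id} or /v1/cases/{id} and a body {"action": "..."} (the page shows only the response envelope), uses https where the samples show http, treats a "failed" status as terminal, and replays the page's sample envelopes through a constructed offline transport.

```python
import time
from typing import Any, Callable, Dict, List, Tuple

# Transport: (method, url, json_body) -> decoded JSON. Injected so the flow runs offline.
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]

# Assumption: an action is submitted with POST /v1/threats/{id} or /v1/cases/{id} and a
# body {"action": "<name>"}; the page only shows the response envelope and an http:// URL.
API_BASE = "https://api.abnormalplatform.com/v1"


def submit_action(send: Transport, kind: str, object_id: str, action: str) -> Dict[str, Any]:
    """Manage Threat / Manage Case: return the envelope holding action_id and status_url."""
    resp = send("POST", f"{API_BASE}/{kind}/{object_id}", {"action": action})
    if resp.get("has_error") or resp.get("error"):
        raise RuntimeError(f"action '{action}' rejected: {resp.get('error')}")
    return resp


def wait_for_action(send: Transport, status_url: str, tries: int = 10, delay: float = 0.0) -> str:
    """Threat/Case Action Status: poll status_url until 'done'; raise on failure or timeout."""
    for _ in range(tries):
        status = send("GET", status_url, {})
        # Assumption: a 'failed' status (not shown on the page) is terminal, like has_error.
        if status.get("has_error") or status.get("status") == "failed":
            raise RuntimeError(f"action failed: {status.get('description')}")
        if status.get("status") == "done":
            return status["description"]
        time.sleep(delay)
    raise TimeoutError(f"action at {status_url} not done after {tries} polls")


def remediate_threat(send: Transport, threat_id: str) -> str:
    """End-to-end: request remediation of one threat and block until Abnormal reports done."""
    ack = submit_action(send, "threats", threat_id, "remediate")
    return wait_for_action(send, ack["status_url"])


class FakeAbnormal:
    """Constructed offline stand-in that replays the page's sample envelopes."""
    def __init__(self) -> None:
        self.polls = 0
        self.requests: List[Tuple[str, str, Dict[str, Any]]] = []

    def __call__(self, method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.requests.append((method, url, body))
        if method == "POST":  # Manage Threat / Manage Case sample envelope
            return {"action_id": "3f506ad7-ed61-4b4a-8d5f-b842b48116d8", "error": None,
                    "status_url": f"{url}/actions/3f506ad7-ed61-4b4a-8d5f-b842b48116d8", "has_error": False}
        self.polls += 1  # first poll: constructed pending state; second: the page's 'done' sample
        if self.polls == 1:
            return {"status": "in progress", "description": "constructed pending", "error": None, "has_error": False}
        return {"status": "done", "description": "The request was completed successfully", "error": None, "has_error": False}
```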

Threat Intel (Beta)

Action to get the latest threat intel feed.

Inputs to this Action

  • Connections: Choose a connection that you have created.

Output of Action
Threat intel feed in STIX format.

Case Report Misjudgement

To report a false negative or a false positive judgement by Abnormal Security.

Inputs to this Action

  • Connections: Choose a connection that you have created.
  • Jinja Template Report Type: Jinja-templated text containing the report type. Example: {{parent_table_report_type}}.
  • Jinja Template Reporter: Jinja-templated text containing the reporter. Example: {{parent_table_reporter}}.
  • Jinja Template Subject: Jinja-templated text containing the subject. Example: {{parent_table_subject}}.
  • Jinja Template Recipient Email Address: Jinja-templated text containing the recipient email address. Example: {{parent_table_recipient_email_address}}.
  • Jinja Template Sender Email Address: Jinja-templated text containing the sender email address. Example: {{parent_table_sender_email_address}}.

Output of Action
JSON object containing detail.

{
   "detail":"Thank you for your feedback! We have sent your inquiry to our support staff.",
   "error":null,
   "has_error":false
}
