Abnormal Security
Abnormal Security is an email security platform that detects threats such as phishing, social engineering, business email compromise, and account takeover attempts. The Abnormal Security event source queries the Abnormal REST API from a SIEM (InsightIDR) Collector to collect threat, account takeover case, and vendor fraud case records and generate third-party alerts in SIEM (InsightIDR).
Data is collected from your Abnormal Security account with event collection through a Collector.
To set up Abnormal Security:
- Read the requirements and complete any prerequisite steps.
- Configure Abnormal Security to send data to SIEM (InsightIDR).
- Configure SIEM (InsightIDR) to collect data from the event source.
- Test the configuration.
Visit the third-party vendor's documentation
For the most accurate information about preparing your event source for integration with SIEM (InsightIDR), see the Abnormal Security API documentation.
Requirements
Before SIEM (InsightIDR) can start ingesting data from Abnormal Security, you must:
- Have privileged access to your Abnormal Security account.
- Have a SIEM (InsightIDR) Collector that can reach the Abnormal Security API URL for your tenant.
- Generate and securely record an Abnormal REST API authentication token.
- Determine which Abnormal Security API URL your tenant uses:
  - Global: https://api.abnormalplatform.com
  - EU: https://eu.rest.abnormalsecurity.com
- If your Abnormal Security API access is restricted by IP address, configure the Abnormal Security API IP allowlist to allow the public source IP address used by your SIEM (InsightIDR) Collector.
If you want to collect Abnormal Security account takeover case records, your Abnormal Security subscription must include Account Takeover. Vendor fraud case records are collected when they are available in your Abnormal Security subscription.
Configure Abnormal Security to send data to SIEM (InsightIDR)
To ensure SIEM (InsightIDR) can receive data from Abnormal Security, you must generate an API token and allow API access from SIEM (InsightIDR).
To configure Abnormal Security API access:
- Sign in to the Abnormal Security portal.
- Go to Settings > Integrations.
- In the Additional Integrations section, find the Abnormal REST API integration and open the integration settings.
- Retrieve the authentication token.
- Securely save the authentication token for later use when you configure the Abnormal Security event source in SIEM (InsightIDR).
- If your Abnormal Security API access is restricted by IP address, update the API IP allowlist to allow the public source IP address used by your SIEM (InsightIDR) Collector.
- Determine whether your tenant uses the Global or EU API URL.
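Before adding the event source in SIEM (InsightIDR), it is worth confirming from the Collector host that the three prerequisites above (reachable API URL for the right region, valid token, Collector IP on the allowlist) actually hold, because each one fails with a different symptom. The script below is an added example, not Rapid7's or Abnormal's code. It assumes, beyond what this page states, that the Abnormal REST API accepts the token as an `Authorization: Bearer` header and exposes an authenticated list endpoint at `/v1/threats`; the environment variable name `ABNORMAL_TOKEN` is also an assumption.

```python
"""Pre-flight check for the Abnormal Security event source prerequisites.

Added example, not Rapid7's or Abnormal's code. Assumed (not stated on this
page): the API takes `Authorization: Bearer <token>` and serves GET /v1/threats.
"""
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

# Base URLs from this page's Requirements; keys match the labels in the UI.
BASE_URLS = {
    "global": "https://api.abnormalplatform.com",
    "eu": "https://eu.rest.abnormalsecurity.com",
}
PROBE_PATH = "/v1/threats"  # assumed endpoint; any authenticated GET would do


def base_url_for(region: str) -> str:
    """Map the tenant region to its API URL, rejecting anything else loudly."""
    try:
        return BASE_URLS[region.strip().lower()]
    except KeyError:
        raise ValueError(f"region must be one of {sorted(BASE_URLS)}, got {region!r}") from None


def build_request(region: str, token: str) -> urllib.request.Request:
    """Build the same authenticated GET the Collector will issue (assumed auth scheme)."""
    if not token or token != token.strip():
        # A token pasted with a trailing newline is a common cause of 401s.
        raise ValueError("token is empty or has surrounding whitespace")
    return urllib.request.Request(
        base_url_for(region) + PROBE_PATH,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def diagnose(status: Optional[int], reason: str = "") -> str:
    """Map the probe result to the prerequisite that is most likely unmet."""
    if status is None:
        return f"unreachable: the Collector cannot reach the API URL ({reason})"
    if status == 200:
        return "ok: URL, token and IP allowlist all check out"
    if status == 401:
        return "token rejected: retrieve the Abnormal REST API token again and re-enter it"
    if status == 403:
        return "forbidden: check the Abnormal API IP allowlist for the Collector's public IP"
    if status == 429:
        return "rate limited: the token works; retry later"
    return f"unexpected HTTP {status}: check the region (Global vs EU) and the token"


def preflight(region: str, token: str, timeout: float = 10.0) -> str:
    """Run the probe from the Collector host and return a one-line diagnosis."""
    req = build_request(region, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status)
    except urllib.error.HTTPError as e:
        return diagnose(e.code)
    except (urllib.error.URLError, OSError) as e:
        return diagnose(None, str(e))


if __name__ == "__main__":
    # On the Collector host:  ABNORMAL_TOKEN=... python3 preflight.py eu
    region = sys.argv[1] if len(sys.argv) > 1 else "global"
    print(preflight(region, os.environ.get("ABNORMAL_TOKEN", "")))
```

Run it on the Collector itself rather than an admin workstation: the allowlist entry must cover the Collector's public egress address, and a probe from anywhere else tells you nothing about that.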
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
Task 1: Select Abnormal Security
- From the Command Platform main menu, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Abnormal Security in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Abnormal Security event source tile.
Task 2: Set up the Collector connection
- In the Add Event Source panel, select Run On Collector.
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- Select a Collector.
- Optionally, select the option to send unparsed data.
- In the Base URL dropdown, select the API URL for your Abnormal Security tenant:
  - Global: https://api.abnormalplatform.com
  - EU: https://eu.rest.abnormalsecurity.com
- In the API Token field, select an existing credential or select Create new… to add a new credential:
- Name your credential.
- Enter the authentication token you obtained in Configure Abnormal Security to send data to SIEM (InsightIDR).
- Click Save.
Test the configuration
The event types that SIEM (InsightIDR) parses from this event source are:
- Threats
- Account takeover cases
- Vendor fraud cases
To test that event data is flowing into SIEM (InsightIDR):
- From the Data Collection Management page, open the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
Next, verify that log entries are appearing in Log Search:
- From the left menu, go to Log Search.
- In the Log Search filter panel, search for the event source you named in Task 2: Set up the Collector connection. Abnormal Security logs should flow into these log sets:
- Third Party Alerts
- Unparsed Data, if you selected the option to send unparsed data
- Select the log sets and the logs within them.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all events that flowed into SIEM (InsightIDR) in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.
Sample logs
In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log sets: Third Party Alerts and, if selected, Unparsed Data.
The following examples show typical Abnormal Security events. The fields in your logs can differ based on your Abnormal Security subscription and event type.
Threat event
{
"threatId": "4cdb6715-d6a8-dc28-1331-f1bfa649869d",
"messages": [
{
"abxMessageIdStr": "5378521536548737068",
"abxMessageId": 5378521536548737068,
"abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/5378521536548737068",
"attachmentCount": 0,
"attachmentNames": [],
"attackStrategy": "Unknown Sender",
"attackType": "Spam",
"attackVector": "Link",
"attackedParty": "Employee (Other)",
"autoRemediated": false,
"impersonatedParty": "None / Others",
"internetMessageId": "<abcd@example.net>",
"isRead": false,
"postRemediated": false,
"recipientAddress": "employee@example.com",
"remediationStatus": "Remediated",
"remediationTimestamp": "2026-03-18T20:47:25.286Z",
"sentTime": "2026-03-18T20:47:03Z",
"source": "spam",
"ccEmails": [],
"replyToEmails": [],
"returnPath": "bounce+employee@example.net",
"senderDomain": "example.net",
"senderIpAddress": "111.111.111.111",
"summaryInsights": [
"Abnormal Email Body HTML",
"Possible Sender Impersonation",
"Unusual Sender",
"Personal Information Theft",
"Social Engineering Tactics"
],
"urlCount": 13,
"urls": [
"https://example.net/login"
],
"fromAddress": "sender@example.net",
"fromName": "Example Sender",
"receivedTime": "2026-03-18T20:47:19Z",
"subject": "Action required for your account",
"tenantId": 12345,
"tenantName": "example_tenant",
"threatId": "4cdb6715-d6a8-dc28-1331-f1bfa649869d",
"toAddresses": [
"employee@example.com"
]
}
],
"recipientCount": 1,
"tenantId": 12345,
"tenantName": "example_tenant"
}
Account takeover case event
{
"caseId": 20185366,
"affectedEmployee": "employee@example.com",
"analysis": "AUDIT_LOG_ACTIVITY",
"case_status": "Action Required",
"customerVisibleTime": "2026-04-02T01:16:59.498396+00:00",
"firstObserved": "2026-03-26T13:34:39.261456+00:00",
"remediation_status": "Not remediated",
"severity": "Account Takeover",
"severity_level": "MEDIUM",
"confidence": "MEDIUM",
"threatIds": [],
"genai_summary": [
"A suspicious message was received 9 hours prior to anomalous sign-in activity, followed by internal lateral phishing emails.",
"Observed sign-ins from Vancouver, New York, and Seattle using new browsers and operating systems, some with VPNs, all abnormal for this user.",
"Service principal or application was created or modified multiple times, with suspicious changes to authentication settings detected."
],
"tenant": "example_tenant"
}
Vendor fraud case event
{
"vendorCaseId": 24325,
"vendorDomain": "acmefinance.example",
"firstObservedTime": "2024-11-01T16:04:50Z",
"lastModifiedTime": "2024-11-02T19:37:49Z",
"insights": [
{
"highlight": "Invoice Inquiry Language",
"description": "The language contained in the email body is consistent with invoice inquiry fraud."
},
{
"highlight": "Suspicious Body Link Domain",
"description": "The body of this message contains links to a domain that is suspicious or uncommon for this sender, a common indicator of phishing or vendor fraud attacks."
},
{
"highlight": "Young Sender Domain",
"description": "The sender domain \"acmefinance.example\" was 0 days old when the first engagement in this case was observed, a suspicious signal for a financial email conversation."
}
],
"timeline": [
{
"eventTimestamp": "2024-11-01T16:04:50Z",
"senderAddress": "billing@acmefinance.example",
"recipientAddress": "accounts-payable@example.com",
"subject": "Updated Banking Information",
"markedAs": "Malicious",
"threatId": "14fd8d0f-9ebd-7806-8612-4c34a8684351"
},
{
"eventTimestamp": "2024-11-01T13:44:46Z",
"senderAddress": "billing@acmefinance.example",
"recipientAddress": "accounts-payable@example.com",
"subject": "Update Payment Information",
"markedAs": "Malicious",
"threatId": "a13ba14a-3e81-99e0-e2d8-1172a572e079"
}
]
}
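The three record types share a log set but not a schema: threats carry a `messages` array with per-recipient remediation status, account takeover cases use `caseId` plus snake_case status fields, and vendor fraud cases use `vendorCaseId` with an `insights` list and a `timeline` whose entries reference threat IDs. The script below is an added example, not Rapid7's or Abnormal's code; it tells the three types apart by their distinguishing keys and flattens each into the handful of fields an analyst pivots on in Log Search (whether action is still needed, who was affected, indicators, related threat IDs). The embedded records are abridged copies of this page's sample logs, constructed here as test input.

```python
"""Classify and normalize Abnormal Security records as they appear in Log Search.

Added example, not Rapid7's or Abnormal's code. SAMPLE_LOGS is constructed
from the abridged sample logs on this page.
"""
import json

SAMPLE_LOGS = [
    json.dumps({
        "threatId": "4cdb6715-d6a8-dc28-1331-f1bfa649869d",
        "messages": [{
            "abxMessageIdStr": "5378521536548737068",
            "attackType": "Spam", "attackVector": "Link",
            "autoRemediated": False, "remediationStatus": "Remediated",
            "recipientAddress": "employee@example.com",
            "fromAddress": "sender@example.net",
            "senderIpAddress": "111.111.111.111",
            "urls": ["https://example.net/login"],
            "subject": "Action required for your account",
        }],
        "recipientCount": 1, "tenantName": "example_tenant",
    }),
    json.dumps({
        "caseId": 20185366, "affectedEmployee": "employee@example.com",
        "case_status": "Action Required", "remediation_status": "Not remediated",
        "severity": "Account Takeover", "severity_level": "MEDIUM",
        "confidence": "MEDIUM", "threatIds": [], "tenant": "example_tenant",
    }),
    json.dumps({
        "vendorCaseId": 24325, "vendorDomain": "acmefinance.example",
        "insights": [{"highlight": "Young Sender Domain", "description": "..."}],
        "timeline": [
            {"senderAddress": "billing@acmefinance.example",
             "recipientAddress": "accounts-payable@example.com",
             "markedAs": "Malicious",
             "threatId": "14fd8d0f-9ebd-7806-8612-4c34a8684351"},
            {"senderAddress": "billing@acmefinance.example",
             "recipientAddress": "accounts-payable@example.com",
             "markedAs": "Malicious",
             "threatId": "a13ba14a-3e81-99e0-e2d8-1172a572e079"},
        ],
    }),
]


def classify(record: dict) -> str:
    """Identify the record type by the key that only that type carries."""
    if "vendorCaseId" in record:
        return "vendor_fraud_case"
    if "caseId" in record:
        return "account_takeover_case"
    if "threatId" in record and "messages" in record:
        return "threat"
    raise ValueError(f"unrecognised Abnormal record with keys {sorted(record)}")


def normalize(record: dict) -> dict:
    """Flatten one record into a common shape for routing and searching."""
    kind = classify(record)
    if kind == "threat":
        msgs = record["messages"]
        # A threat still needs attention if any recipient copy is not remediated.
        return {
            "kind": kind, "id": record["threatId"],
            "needs_action": any(m.get("remediationStatus") != "Remediated" for m in msgs),
            "labels": sorted({m.get("attackType", "") for m in msgs}),
            "affected": sorted({m.get("recipientAddress", "") for m in msgs}),
            "indicators": sorted({u for m in msgs for u in m.get("urls", [])}
                                 | {m["senderIpAddress"] for m in msgs if m.get("senderIpAddress")}),
            "related_threat_ids": [],
        }
    if kind == "account_takeover_case":
        return {
            "kind": kind, "id": str(record["caseId"]),
            "needs_action": record.get("case_status") == "Action Required"
            or record.get("remediation_status") == "Not remediated",
            "labels": [record.get("severity", ""), record.get("severity_level", "")],
            "affected": [record.get("affectedEmployee", "")],
            "indicators": [],
            "related_threat_ids": list(record.get("threatIds", [])),
        }
    malicious = [e for e in record.get("timeline", []) if e.get("markedAs") == "Malicious"]
    return {
        "kind": kind, "id": str(record["vendorCaseId"]),
        "needs_action": bool(malicious),
        "labels": [i["highlight"] for i in record.get("insights", [])],
        "affected": sorted({e.get("recipientAddress", "") for e in malicious}),
        "indicators": [record.get("vendorDomain", "")],
        "related_threat_ids": [e["threatId"] for e in malicious if "threatId" in e],
    }


def triage(raw_lines) -> list:
    """Parse raw log lines and return normalized alerts, action-required first."""
    alerts = [normalize(json.loads(line)) for line in raw_lines]
    return sorted(alerts, key=lambda a: (not a["needs_action"], a["kind"], a["id"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

The `related_threat_ids` field is the join key between the case types and the threat records: a vendor fraud case's timeline and an account takeover case's `threatIds` both point at `threatId` values that arrive as separate threat events in the same log set.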