Abnormal Security
Abnormal Security is a behavioral AI-based email security platform that learns the behavior of every identity in a cloud email environment and analyzes the risk of every event to block the most sophisticated attacks.
The Abnormal Security integration uses the Abnormal Security API to ingest the threat data and case data recorded in the Abnormal threat log and cases.

Important Limitation: Abnormal AI only allows one API key per Integration tile. If you are already using the REST API Integration tile key for another integration, you will need to reuse the same key.
Ingest Method
This source is a polling source and will download new logs from the Abnormal Security API approximately every 60 seconds (1 minute). When first added, RunReveal will backfill available data from the last 14 days.
Data Collected
The integration collects the following data types:
- Audit Logs: User actions and administrative activities from the Abnormal Security platform, including API calls, message actions, and platform usage events
- Threat Logs: Detailed information about detected email threats including attack types, strategies, sender details, remediation status, attachments, URLs, and threat metadata
- Case Logs: Security case data and incident information including case status, severity, affected employees, threat associations, analysis, and remediation details
Setup
Step 1: Get Your Abnormal Security Access Token
To set up the Abnormal Security integration, you need to obtain an access token from your Abnormal Security platform. Follow these steps:
- Sign in to the Abnormal Security platform
- In the Manage section, click on Settings
- In the Settings section, click on Integrations
- Scroll down to the Additional Integrations section
- Click + Connect on the Abnormal REST API card to display an integration page for your organization
- Copy and save the Access token - you’ll need this for the RunReveal configuration
Important: Copy the access token immediately as it may not be shown again. Store it securely for use in RunReveal configuration.
Step 2: Configure RunReveal
- In the RunReveal dashboard, navigate to Sources → Add Source
- Search for and select Abnormal Security
- Enter a descriptive Name for your source
- Paste the Access Token you copied from Abnormal Security
- Click Save to create the source
RunReveal will begin collecting your Abnormal Security logs immediately and will poll the API every 60 seconds for new data.
Verify It’s Working
Once added, the source logs should begin flowing within a few minutes.
You can check the abnormal_logs table in the Log Explorer to verify that logs are being ingested. You can also validate that we are receiving your logs by running the following SQL query:
SELECT * FROM abnormal_logs LIMIT 10