# Threats

## Overview

A coordinated, continuous series of malicious messages or actions that share common characteristics is called an Abuse Campaign.

Abnormal Security's behavioral AI detects and groups these related incidents so that they can be handled as a single threat, rather than dozens of individual alerts.

## Configuration

### Parameters

No parameters needed.

### Secrets

* Authorization (`abnormalToken`)

Open the **Secret** fields and click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:

{% tabs %}
{% tab title="Config as YAML" %}
Toggle this **ON** to enable a free text field where you can paste your YAML.

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: true
enumerationPhase:
  paginationType: "page"
  pageSize: 100
  isZeroIndex: false
  request:
    responseType: json
    method: GET
    url: https://api.abnormalplatform.com/v1/abusecampaigns
    headers:
      - name: authorization
        value: Bearer ${secrets.abnormalToken}
    queryParams:
      - name: pageNumber
        value: "${pagination.pageNumber}"
      - name: pageSize
        value: "${pagination.pageSize}"
      - name: filter
        value: receivedTime gte ${temporalWindow.from} lte ${temporalWindow.to}
  output:
    select: "[.campaigns[].campaignId]"
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: campaignId
      expression: "."
      format: ""
  paginationType: none
  request:
    method: GET
    url: https://api.abnormalplatform.com/v1/abusecampaigns/${inputs.campaignId}
    headers:
      - name: authorization
        value: Bearer ${secrets.abnormalToken}
  output:
    select: "."
    map: "."
    outputMode: element
```

{% endtab %}

{% tab title="Manually configure" %}
**Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

* **Duration -** 5 minutes (`5m`) by default; adjust to your needs.
* **Offset -** the initial offset should be `5m`.
* **Format** - `RFC3339`

**Enumeration Phase**

Toggle **ON** to configure the enumeration phase. This API endpoint requires an initial request that returns a list of alert IDs; the details of each alert then require an additional request per ID.

* **Pagination Type**<mark style="color:red;">**\***</mark> - `page`
* **Page Size**<mark style="color:red;">**\***</mark> - `100`
* **Zero index**<mark style="color:red;">**\***</mark> - `false`
* **Limit**<mark style="color:red;">**\***</mark> - `100`
* **Request**
  * **Response Type**<mark style="color:red;">**\***</mark> - `JSON`
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `https://api.abnormalplatform.com/v1/threats`
  * **Headers**
    * **Name** - `authorization`
    * **Value** - `Bearer ${secrets.abnormalToken}`
  * **Query Params**
    * **Name** - `pageNumber`
    * **Value** - `${pagination.pageNumber}`
    * **Name** - `pageSize`
    * **Value** - `${pagination.pageSize}`
    * **Name** - `filter`
    * **Value** - `receivedTime gte ${temporalWindow.from} lte ${temporalWindow.to}`

**Output**

* **Select -** `[.threats[].threatId]`
* **Map -** `.`
* **Output Mode** - `element`

**Collection Phase**

* **Variables**
  * **source -** `input`
  * **name -** `threatId`
  * **expression -** `.`
  * **format -** `""`
* **Pagination Type**<mark style="color:red;">**\***</mark> - `none`
* **Request**
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `https://api.abnormalplatform.com/v1/threats/${inputs.threatId}`
  * **Headers**
    * **Name** - `Authorization`
    * **Value -** `Bearer ${secrets.abnormalToken}`
* **Output**
  * **Select -** `.`
  * **Map -** `.`
  * **Output Mode** - `element`
{% endtab %}
{% endtabs %}
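To make the two-phase pull concrete, here is an added Python sketch (not Onum's or Abnormal Security's code) that follows the YAML tab: it computes the temporal window, builds the paginated enumeration request with the `filter` query parameter, extracts ids the way `select: "[.campaigns[].campaignId]"` does, and builds one collection request per id. The exact meaning of `offset` in Onum is assumed here (the window ends `offset` before now and spans `duration`); the manual tab's `threats`/`threatId` variant differs only in those names.

```python
"""Added example (not Onum's or Abnormal's code): a minimal re-implementation
of the enumeration -> collection pull configured above, run offline against a
constructed response. Window semantics are an assumption (see comments)."""
import json
from datetime import timedelta, timezone

DURATION, OFFSET, PAGE_SIZE = timedelta(minutes=5), timedelta(minutes=5), 100
BASE = "https://api.abnormalplatform.com/v1/abusecampaigns"


def rfc3339(d):
    # format: RFC3339, tz: UTC
    return d.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def temporal_window(now):
    """Assumed semantics: the window ends OFFSET before now and spans DURATION."""
    to = (now - OFFSET).replace(microsecond=0)
    return rfc3339(to - DURATION), rfc3339(to)


def enumeration_request(token, page, window):
    """Enumeration-phase request; pageNumber is 1-based (isZeroIndex: false)."""
    frm, to = window
    return {"method": "GET", "url": BASE,
            "headers": {"authorization": f"Bearer {token}"},
            "params": {"pageNumber": str(page), "pageSize": str(PAGE_SIZE),
                       "filter": f"receivedTime gte {frm} lte {to}"}}


def select_ids(body):
    """Equivalent of select "[.campaigns[].campaignId]" with outputMode element."""
    return [c["campaignId"] for c in json.loads(body).get("campaigns", [])]


def collection_request(token, campaign_id):
    """Collection phase: one detail request per enumerated id."""
    return {"method": "GET", "url": f"{BASE}/{campaign_id}",
            "headers": {"authorization": f"Bearer {token}"}}


def enumerate_all(fetch, token, window):
    """Page through the list until a short page; fetch(req) returns a JSON body."""
    ids, page = [], 1
    while True:
        got = select_ids(fetch(enumeration_request(token, page, window)))
        ids.extend(got)
        if len(got) < PAGE_SIZE:
            return ids
        page += 1


# Constructed sample: a single short page with two campaign ids.
SAMPLE_BODY = json.dumps({"campaigns": [{"campaignId": "CAMPAIGN-0001"},
                                        {"campaignId": "CAMPAIGN-0002"}]})
```

Wire `fetch` to a real HTTP client to run it against the API; the secret token is never placed in the URL, only in the `authorization` header, matching the listener configuration.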

This HTTP Pull Listener now uses the data export API to extract alert events.

Click **Create labels** to move on to the next step and define the required [Labels](https://docs.onum.com/the-workspace/listeners/labels) if needed.
