Threats
Overview
Coordinated, continuous series of malicious messages or actions that share common characteristics is called an Abuse Campaign.
Abnormal Security's behavioral AI detects and groups these related incidents so that they can be handled as a single threat, rather than dozens of individual alerts.
Configuration
Parameters
No parameters needed.
Secrets
Authorization (
abnormalToken)
Open the Secret fields and click New secret to create a new one:
Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.
You can now select the secret you just created in the corresponding fields.
After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your YAML.
Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset - initial offset should be
5mFormat -
RFC3339
Enumeration Phase
Toggle ON to configure the enumeration phase. This API endpoint requires an initial request that will provide a list of alert ids. In order to get the details about that information, it will require an additional request for those details.
Pagination Type* -
pagePage Size* -
100Zero index* -
falseLimit* - 100
Request
Response Type* -
JSONMethod* -
GETURL* -
https://api.abnormalplatform.com/v1/threatsHeaders
Name -
authorizationValue -
Bearer ${secrets.abnormalToken}
Query Params
- name: value:
Name - pageNumber
Value -
${pagination.pageNumber}Name - pageSize
Value -
${pagination.pageSize}Name - Filter
Value -
receivedTime gte ${temporalWindow.from} lte ${temporalWindow.to}
Output
Select -
[.threats[].threatId]Map -
.Output Mode -
element
Collection Phase
Variables
source -
inputname -
threatIdexpression -
.format -
""
Pagination Type* -
noneRequest
Method* -
GETURL* -
https://api.abnormalplatform.com/v1/threats/${inputs.threatId}Headers -
Name -
AuthorizationValue -
Bearer ${secrets.abnormalToken}
Output
Select -
.Map -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract alert events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?