Details
Content
Dependencies
Version History

Abnormal Security detects and protects against the whole spectrum of email attacks

Abnormal Security

Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies. The integration of Abnormal Security's SOAR API with Cortex XSOAR empowers security teams to respond to incidents with speed and helps to dramatically reduce mean time to respond.

What does this pack do?

The integration pack allows:
• Retrieving email threat campaign data using Cortex XSOAR
• Retrieving email anomaly cases using Cortex XSOAR

For more information on Abnormal Security, please visit www.abnormalsecurity.com

Pack Contributors:

Sumit Badsara
Neelanjan Manna

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Abnormal Security

Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies. The integration of Abnormal Security's SOAR API with Cortex empowers security teams to respond to incidents with speed and helps to dramatically reduce mean time to respond.

What does this pack do?

The integration pack allows:
• Retrieving email threat campaign data using Cortex
• Retrieving email anomaly cases using Cortex

For more information on Abnormal Security, please visit www.abnormalsecurity.com

Pack Contributors:

Sumit Badsara
Neelanjan Manna

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Abnormal Security - Incoming Mapper

Incident Fields

Name	Description
Abnormal Security Case ID
Abnormal Security Abuse Campaign From Name
Abnormal Security From Address
Abnormal Security Message ID
Abnormal Security Abuse Campaign Overall Status
Abnormal Security Campaign ID
Abnormal Security Abuse Campaign Subject
Abnormal Security Attachment Names
Abnormal Security From Name
Abnormal Security Abuse Campaign Attack Type
Abnormal Security Auto Remediated
Abnormal Security Judgement Status
Abnormal Security Abuse Campaign From Address
Abnormal Security Affected Employee
Abnormal Security Abuse Campaign Recipient Name
Abnormal Security Sent Time
Abnormal Security Impersonated Party
Abnormal Security Abuse Campaign Message ID
Abnormal Security Url Count
Abnormal Security Severity
Abnormal Security Attack Vector
Abnormal Security Abuse Campaign Last Reported
Abnormal Security Recipient Name
Abnormal Security Attacked Party
Abnormal Security CC Emails
Abnormal Security Sender IP Address
Abnormal Security Summary Insights
Abnormal Security Internet Message ID
Abnormal Security Abuse Campaign Judgement Status
Abnormal Security Recipient Address
Abnormal Security To Addresses
Abnormal Security Severity Level
Abnormal Security Remediation Timestamp
Abnormal Security Case Status
Abnormal Security Abuse Campaign First Reported
Abnormal Security Is Read
Abnormal Security Portal URL
Abnormal Security First Observed Time
Abnormal Security First Reported
Abnormal Security Sender Domain
Abnormal Security Subject
Abnormal Security Attack Strategy
Abnormal Security Return Path
Abnormal Security Abuse Campaign Recipient Address
Abnormal Security Abuse Campaign ID
Abnormal Security Analysis
Abnormal Security Overall Status
Abnormal Security Attachment Count
Abnormal Security Post Remediated
Abnormal Security Reply To Emails
Abnormal Security Customer Visible Time
Abnormal Security Case GenAI Summary
Abnormal Security Last Reported
Abnormal Security Threat ID
Abnormal Security Attack Type
Abnormal Security Threat IDs
Abnormal Security Remediation Status
Abnormal Security Received Time

Incident Types

Name	Description
AbnormalSecurity

Integrations

Name	Description
Abnormal Security (Partner Contribution)	Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies.

Classifiers

Name	Description
Abnormal Security - Incoming Mapper

Incident Fields

Name	Description
Abnormal Security Attacked Party
Abnormal Security Post Remediated
Abnormal Security Subject
Abnormal Security Analysis
Abnormal Security Summary Insights
Abnormal Security Recipient Address
Abnormal Security Reply To Emails
Abnormal Security Attachment Names
Abnormal Security Case ID
Abnormal Security Attack Strategy
Abnormal Security Abuse Campaign Recipient Name
Abnormal Security Abuse Campaign Message ID
Abnormal Security Attachment Count
Abnormal Security Abuse Campaign First Reported
Abnormal Security Url Count
Abnormal Security Abuse Campaign From Address
Abnormal Security Sender Domain
Abnormal Security Attack Type
Abnormal Security Threat IDs
Abnormal Security Abuse Campaign Attack Type
Abnormal Security From Name
Abnormal Security Affected Employee
Abnormal Security Impersonated Party
Abnormal Security Case GenAI Summary
Abnormal Security Abuse Campaign Recipient Address
Abnormal Security Case Status
Abnormal Security Abuse Campaign Overall Status
Abnormal Security Judgement Status
Abnormal Security First Reported
Abnormal Security Remediation Timestamp
Abnormal Security To Addresses
Abnormal Security Abuse Campaign Judgement Status
Abnormal Security Internet Message ID
Abnormal Security Attack Vector
Abnormal Security CC Emails
Abnormal Security First Observed Time
Abnormal Security Abuse Campaign ID
Abnormal Security Customer Visible Time
Abnormal Security Recipient Name
Abnormal Security Is Read
Abnormal Security Portal URL
Abnormal Security Threat ID
Abnormal Security Received Time
Abnormal Security From Address
Abnormal Security Sent Time
Abnormal Security Overall Status
Abnormal Security Return Path
Abnormal Security Abuse Campaign Last Reported
Abnormal Security Severity
Abnormal Security Remediation Status
Abnormal Security Sender IP Address
Abnormal Security Campaign ID
Abnormal Security Last Reported
Abnormal Security Severity Level
Abnormal Security Message ID
Abnormal Security Abuse Campaign From Name
Abnormal Security Auto Remediated
Abnormal Security Abuse Campaign Subject

Incident Types

Name	Description
AbnormalSecurity

Integrations

Name	Description
Abnormal Security Event Collector	Abnormal Security Event Collector integration for XSIAM.
Abnormal Security (Partner Contribution)	Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies.

Modeling Rules

Name	Description
Abnormal Security Modeling Rule

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

2.4.1 - 6893600 (January 27, 2026)

Integrations

Abnormal Security

Added support for abnormal-security-list-activities command that get a list of activity logs for message search and remediation operations.
Added support for abnormal-security-download-message-eml command that download a message in rfc822 eml format for forensic analysis. for quarantine messages, both quarantine_identity and recipient_mailbox parameters are required.
Added support for abnormal-security-search-messages command that search for messages using filters across abnormal or quarantine sources.
Added support for abnormal-security-remediate-messages command that remediate messages by performing actions like delete, move, or submit to detection360.
Added support for abnormal-security-get-activity-status command that get the status and details of a specific activity log entry.
Added support for abnormal-security-download-message-attachment command that download an attachment from a message found in search results. all required parameters can be obtained from the abnormalsecuritysearchmessages command output.

Related pull requests:
- 42821
- 41995

Download

2.4.0 - 6802612 (January 20, 2026)

Incident Fields

Abnormal Security Affected Employee
Updated the Abnormal Security Affected Employee incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Strategy
Updated the Abnormal Security Attack Strategy incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Type
Updated the Abnormal Security Attack Type incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Vector
Updated the Abnormal Security Attack Vector incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attacked Party

- Updated the Abnormal Security Attacked Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Abnormal Security Auto Remediated
Updated the Abnormal Security Auto Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Case Status
Updated the Abnormal Security Case Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security First Observed Time
Updated the Abnormal Security First Observed Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Address
Updated the Abnormal Security From Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Name
Updated the Abnormal Security From Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Impersonated Party
Updated the Abnormal Security Impersonated Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Judgement Status
Updated the Abnormal Security Judgement Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Overall Status
Updated the Abnormal Security Overall Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Post Remediated
Updated the Abnormal Security Post Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Received Time
Updated the Abnormal Security Received Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Address
Updated the Abnormal Security Recipient Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Name
Updated the Abnormal Security Recipient Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Remediation Status
Updated the Abnormal Security Remediation Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender Domain
Updated the Abnormal Security Sender Domain incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender IP Address
Updated the Abnormal Security Sender IP Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sent Time
Updated the Abnormal Security Sent Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity
Updated the Abnormal Security Severity incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity Level
Updated the Abnormal Security Severity Level incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Subject
Updated the Abnormal Security Subject incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Related pull requests:
- 42696
- 42249

Download

2.3.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.3.6 - R5469292 (October 20, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40515

Download

2.3.5 - 3980324 (June 26, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40328

Download

2.3.4 - 3570731 (May 28, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to use lte operator in filters instead of lt (API only supports lte and gte operators)
Updated the Abnormal Security integration to poll non-overlapping times by adding a millisecond to start_time of script

Related pull requests:
- 40049
- 40104

Download

2.3.3 - R3526238 (May 25, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 39591

Download

2.3.2 - 3318350 (May 6, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to default polling lag to 2 minutes (instead of 5 minutes).
Updated filtering logic to include filter with windowed timestamps to fetch incidents in a range to support polling lag.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39791
- 39810

Download

2.3.1 - 3079234 (April 7, 2025)

Incident Fields

Abnormal Security Abuse Campaign ID
Updated the Abnormal Security Abuse Campaign ID incident field to be searchable.
Abnormal Security Case ID
Updated the Abnormal Security Case ID incident field to be searchable.
Abnormal Security Threat ID
Updated the Abnormal Security Threat ID incident field to be searchable.

Related pull requests:
- 39406
- 39360

Download

2.3.0 - 3062885 (April 6, 2025)

Incident Fields

New: Abnormal Security Case GenAI Summary
New: Added the Abnormal Security Case GenAI Summary incident field.

Integrations

Abnormal Security

Added support for the following parameters:
- Maximum incidents pages to fetch that limits the number of incidents fetched in a single fetch_incidents call.
- Polling Lag Time (in minutes) that adds a custom lag while polling incidents.
Added support for the following arguments in abnormal-security-get-threat command, to enable pagination:
- page_number
- page_size
Fixed pagination issue in fetch-incidents to handle max_fetch below 100 properly.
Enhanced pagination support in fetch-incidents to reliably fetch more than 100 incidents across multiple pages, enabling comprehensive data retrieval for large-scale incident analysis.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Mappers

Abnormal Security - Incoming Mapper

Updated the Abnormal Security - Incoming Mapper to include genai_summary field in case details.

Related pull requests:
- 39104
- 39425

Download

2.2.12 - 3042633 (April 2, 2025)

Integrations

Abnormal Security

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

2.2.11 - R2988287 (March 26, 2025)

Integrations

Abnormal Security

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

2.4.1 - 6893600 (January 27, 2026)

Integrations

Abnormal Security

Added support for abnormal-security-list-activities command that get a list of activity logs for message search and remediation operations.
Added support for abnormal-security-download-message-eml command that download a message in rfc822 eml format for forensic analysis. for quarantine messages, both quarantine_identity and recipient_mailbox parameters are required.
Added support for abnormal-security-search-messages command that search for messages using filters across abnormal or quarantine sources.
Added support for abnormal-security-remediate-messages command that remediate messages by performing actions like delete, move, or submit to detection360.
Added support for abnormal-security-get-activity-status command that get the status and details of a specific activity log entry.
Added support for abnormal-security-download-message-attachment command that download an attachment from a message found in search results. all required parameters can be obtained from the abnormalsecuritysearchmessages command output.

Related pull requests:
- 42821
- 41995

Download

2.4.0 - 6802612 (January 20, 2026)

Incident Fields

Abnormal Security Affected Employee
Updated the Abnormal Security Affected Employee incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Strategy
Updated the Abnormal Security Attack Strategy incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Type
Updated the Abnormal Security Attack Type incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Vector
Updated the Abnormal Security Attack Vector incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attacked Party

- Updated the Abnormal Security Attacked Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Abnormal Security Auto Remediated
Updated the Abnormal Security Auto Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Case Status
Updated the Abnormal Security Case Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security First Observed Time
Updated the Abnormal Security First Observed Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Address
Updated the Abnormal Security From Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Name
Updated the Abnormal Security From Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Impersonated Party
Updated the Abnormal Security Impersonated Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Judgement Status
Updated the Abnormal Security Judgement Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Overall Status
Updated the Abnormal Security Overall Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Post Remediated
Updated the Abnormal Security Post Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Received Time
Updated the Abnormal Security Received Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Address
Updated the Abnormal Security Recipient Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Name
Updated the Abnormal Security Recipient Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Remediation Status
Updated the Abnormal Security Remediation Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender Domain
Updated the Abnormal Security Sender Domain incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender IP Address
Updated the Abnormal Security Sender IP Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sent Time
Updated the Abnormal Security Sent Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity
Updated the Abnormal Security Severity incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity Level
Updated the Abnormal Security Severity Level incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Subject
Updated the Abnormal Security Subject incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Related pull requests:
- 42696
- 42249

Download

2.3.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.3.6 - R5469292 (October 20, 2025)

Integrations

Abnormal Security Event Collector

Resolved an issue that caused first fetch events to fail due to a missing default next page number.

Related pull requests:
- 40515

Download

2.3.5 - 3980324 (June 26, 2025)

Modeling Rules

Abnormal Security Modeling Rule

Updated the Abnormal Security Event Collector Modeling Rule due to backend compatibility issues.

Related pull requests:
- 40328

Download

2.3.4 - 3570731 (May 28, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to use lte operator in filters instead of lt (API only supports lte and gte operators)
Updated the Abnormal Security integration to poll non-overlapping times by adding a millisecond to start_time of script

Related pull requests:
- 40049
- 40104

Download

2.3.3 - R3526238 (May 25, 2025)

Integrations

Abnormal Security Event Collector

Fixed an issue where fetch-events failed due to exceeding the fetching limit threshold.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39591

Download

2.3.2 - 3324525 (May 6, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to default polling lag to 2 minutes (instead of 5 minutes).
Updated filtering logic to include filter with windowed timestamps to fetch incidents in a range to support polling lag.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39791
- 39810

Download

2.3.1 - 3079234 (April 7, 2025)

Incident Fields

Abnormal Security Abuse Campaign ID
Updated the Abnormal Security Abuse Campaign ID incident field to be searchable.
Abnormal Security Case ID
Updated the Abnormal Security Case ID incident field to be searchable.
Abnormal Security Threat ID
Updated the Abnormal Security Threat ID incident field to be searchable.

Related pull requests:
- 39406
- 39360

Download

2.3.0 - 3062885 (April 6, 2025)

Incident Fields

New: Abnormal Security Case GenAI Summary
New: Added the Abnormal Security Case GenAI Summary incident field.

Integrations

Abnormal Security

Added support for the following parameters:
- Maximum incidents pages to fetch that limits the number of incidents fetched in a single fetch_incidents call.
- Polling Lag Time (in minutes) that adds a custom lag while polling incidents.
Added support for the following arguments in abnormal-security-get-threat command, to enable pagination:
- page_number
- page_size
Fixed pagination issue in fetch-incidents to handle max_fetch below 100 properly.
Enhanced pagination support in fetch-incidents to reliably fetch more than 100 incidents across multiple pages, enabling comprehensive data retrieval for large-scale incident analysis.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Mappers

Abnormal Security - Incoming Mapper

Updated the Abnormal Security - Incoming Mapper to include genai_summary field in case details.

Related pull requests:
- 39104
- 39425

Download

2.2.12 - 3042633 (April 2, 2025)

Integrations

Abnormal Security Event Collector

Metadata and documentation improvements.

Abnormal Security

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

2.2.11 - R2988287 (March 26, 2025)

Integrations

Abnormal Security Event Collector

Updated the Docker image to: demisto/python3:3.11.10.115186.

Abnormal Security

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	July 13, 2021
Last Release	January 27, 2026

Phishing

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.