Abnormal Security

Details
Content
Dependencies
Version History

Abnormal Security detects and protects against the whole spectrum of email attacks

Overview

Abnormal Security provides comprehensive defense against the entire landscape of messaging threats, ranging from high-sophistication Vendor Email Compromise (VEC) and targeted spear-phishing to lower-priority graymail and unsolicited spam.

To mitigate these advanced risks, the platform utilizes Behavioral Data Science to establish an identity-based baseline of legitimate communication patterns. By analyzing these established norms, Abnormal can identify and neutralize anomalous deviations and novel attack vectors that bypass traditional, signature-based security infrastructures.

The integration of Abnormal Security with Cortex XSIAM empowers security teams to respond to email threats with speed and dramatically reduces mean time to respond (MTTR). Threat data is ingested via the Abnormal Security REST API, enabling continuous visibility into detected threats, remediation status, and attack metadata directly within XSIAM.

This pack includes

Modeling rules for Cortex XSIAM Abnormal Security email threat logs.
Abnormal Security REST API into Cortex XSIAM.
Retrieving email threat campaign data using Cortex XSOAR / XSIAM.
Retrieving email anomaly cases using Cortex XSOAR / XSIAM.

Pack Contributors:

Sumit Badsara
Neelanjan Manna
Divesh Kumar

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Overview

This pack includes

Modeling rules for Cortex XSIAM Abnormal Security email threat logs.
Abnormal Security REST API into Cortex XSIAM.
Retrieving email threat campaign data using Cortex / XSIAM.
Retrieving email anomaly cases using Cortex / XSIAM.

Supported log categories

Category	Category Display Name
Email Threats	Abnormal Security Email Threat Detections

Data Collection

Abnormal Security side

Step 1: Generate an Authentication Token

Log in to the Abnormal Security Portal.
Navigate to Settings → Integrations and click on Abnormal REST API.
Click Generate Token to create your authentication token.
Copy and securely store the token — it grants access to sensitive threat data related to your organization.

Security Note: Keep the token safe. Store it in a secure location such as an encrypted password vault. Do not share it unless absolutely necessary. If you believe the token has been compromised, contact your Abnormal Security Account Manager immediately.

For more information, refer to the Abnormal Security REST API documentation.

Cortex XSIAM side

To configure Cortex XSIAM to collect data from the Abnormal Security REST API:

Navigate to Settings → Automation & Feed Integration.
Search for Abnormal Security and select Add instance.
Set the following parameters:

Parameter Value

Name Abnormal Security Email Protection

Token Enter the authentication token generated in Step 1 above ({your_api_token})
Click Test to Verify the connection.
Click Save & Exit to save the configuration.

Parameter	Value
`Name`	Abnormal Security Email Protection
`Token`	Enter the authentication token generated in Step 1 above (`{your_api_token}`)

For more information on configuring data sources in Cortex XSIAM, see the Cortex XSIAM Data Sources documentation.

Pack Contributors:

Sumit Badsara
Neelanjan Manna
Divesh Kumar

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Abnormal Security - Incoming Mapper

Incident Fields

Name	Description
Abnormal Security Abuse Campaign First Reported
Abnormal Security Customer Visible Time
Abnormal Security Sender Domain
Abnormal Security Remediation Timestamp
Abnormal Security Attacked Party
Abnormal Security Attachment Count
Abnormal Security Attack Type
Abnormal Security Severity Level
Abnormal Security Attachment Names
Abnormal Security Judgement Status
Abnormal Security Case Status
Abnormal Security Attack Vector
Abnormal Security Message ID
Abnormal Security Last Reported
Abnormal Security Url Count
Abnormal Security Sender IP Address
Abnormal Security From Name
Abnormal Security Abuse Campaign Attack Type
Abnormal Security Severity
Abnormal Security Recipient Name
Abnormal Security Affected Employee
Abnormal Security Abuse Campaign Recipient Name
Abnormal Security Is Read
Abnormal Security CC Emails
Abnormal Security First Observed Time
Abnormal Security Remediation Status
Abnormal Security Campaign ID
Abnormal Security Auto Remediated
Abnormal Security Portal URL
Abnormal Security Abuse Campaign From Name
Abnormal Security Overall Status
Abnormal Security Post Remediated
Abnormal Security Impersonated Party
Abnormal Security Abuse Campaign Message ID
Abnormal Security Threat ID
Abnormal Security Subject
Abnormal Security Abuse Campaign Recipient Address
Abnormal Security Summary Insights
Abnormal Security Attack Strategy
Abnormal Security Abuse Campaign ID
Abnormal Security Reply To Emails
Abnormal Security Analysis
Abnormal Security Case ID
Abnormal Security Received Time
Abnormal Security Abuse Campaign From Address
Abnormal Security From Address
Abnormal Security Abuse Campaign Last Reported
Abnormal Security First Reported
Abnormal Security Internet Message ID
Abnormal Security Abuse Campaign Overall Status
Abnormal Security To Addresses
Abnormal Security Abuse Campaign Subject
Abnormal Security Sent Time
Abnormal Security Threat IDs
Abnormal Security Case GenAI Summary
Abnormal Security Recipient Address
Abnormal Security Abuse Campaign Judgement Status
Abnormal Security Return Path

Incident Types

Name	Description
AbnormalSecurity

Integrations

Name	Description
Abnormal Security (Partner Contribution)	Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies.

Classifiers

Name	Description
Abnormal Security - Incoming Mapper

Incident Fields

Name	Description
Abnormal Security Abuse Campaign Message ID
Abnormal Security Recipient Name
Abnormal Security Sender IP Address
Abnormal Security Case GenAI Summary
Abnormal Security Abuse Campaign First Reported
Abnormal Security To Addresses
Abnormal Security Remediation Status
Abnormal Security Abuse Campaign Overall Status
Abnormal Security Judgement Status
Abnormal Security Case ID
Abnormal Security Attachment Count
Abnormal Security Impersonated Party
Abnormal Security Received Time
Abnormal Security Attack Strategy
Abnormal Security Remediation Timestamp
Abnormal Security Attachment Names
Abnormal Security Attack Type
Abnormal Security Reply To Emails
Abnormal Security Attacked Party
Abnormal Security CC Emails
Abnormal Security Abuse Campaign Recipient Address
Abnormal Security Internet Message ID
Abnormal Security Auto Remediated
Abnormal Security Recipient Address
Abnormal Security Portal URL
Abnormal Security First Observed Time
Abnormal Security Subject
Abnormal Security Abuse Campaign From Name
Abnormal Security Return Path
Abnormal Security Threat ID
Abnormal Security Severity
Abnormal Security Threat IDs
Abnormal Security Sent Time
Abnormal Security Abuse Campaign Recipient Name
Abnormal Security Post Remediated
Abnormal Security Abuse Campaign From Address
Abnormal Security Severity Level
Abnormal Security Abuse Campaign Attack Type
Abnormal Security Last Reported
Abnormal Security Url Count
Abnormal Security Overall Status
Abnormal Security First Reported
Abnormal Security Campaign ID
Abnormal Security Message ID
Abnormal Security Abuse Campaign Judgement Status
Abnormal Security Sender Domain
Abnormal Security Analysis
Abnormal Security Summary Insights
Abnormal Security Customer Visible Time
Abnormal Security Abuse Campaign Last Reported
Abnormal Security Attack Vector
Abnormal Security Abuse Campaign Subject
Abnormal Security Abuse Campaign ID
Abnormal Security From Name
Abnormal Security Affected Employee
Abnormal Security From Address
Abnormal Security Case Status
Abnormal Security Is Read

Incident Types

Name	Description
AbnormalSecurity

Integrations

Name	Description
Abnormal Security Event Collector	Abnormal Security Event Collector integration for XSIAM.
Abnormal Security (Partner Contribution)	Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies.

Modeling Rules

Name	Description
Abnormal Security Modeling Rule

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

2.4.6 - 8564799 (April 29, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43949

Download

2.4.5 - 8515806 (April 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43940
- 43949

Download

2.4.4 - 8210013 (April 13, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43748

Download

2.4.3 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

2.4.2 - 7318727 (February 25, 2026)

Integrations

Fixed an issue where the integration would abort incident fetching when encountering an API error for a single entity (threat, abuse campaign, or account takeover case). Skippable 4xx errors (e.g., 404 Not Found, 410 Gone) are now logged and the entity is skipped, allowing remaining incidents to be fetched. Systemic errors (401, 403, 429) are still raised immediately.
Updated the Docker image to: demisto/python3:3.12.12.7090913.

Related pull requests:
- 43268
- 43187

Download

2.4.1 - 6893600 (January 27, 2026)

Integrations

Abnormal Security

Added support for abnormal-security-list-activities command that get a list of activity logs for message search and remediation operations.
Added support for abnormal-security-download-message-eml command that download a message in rfc822 eml format for forensic analysis. for quarantine messages, both quarantine_identity and recipient_mailbox parameters are required.
Added support for abnormal-security-search-messages command that search for messages using filters across abnormal or quarantine sources.
Added support for abnormal-security-remediate-messages command that remediate messages by performing actions like delete, move, or submit to detection360.
Added support for abnormal-security-get-activity-status command that get the status and details of a specific activity log entry.
Added support for abnormal-security-download-message-attachment command that download an attachment from a message found in search results. all required parameters can be obtained from the abnormalsecuritysearchmessages command output.

Related pull requests:
- 42821
- 41995

Download

2.4.0 - 6802612 (January 20, 2026)

Incident Fields

Abnormal Security Affected Employee
Updated the Abnormal Security Affected Employee incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Strategy
Updated the Abnormal Security Attack Strategy incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Type
Updated the Abnormal Security Attack Type incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Vector
Updated the Abnormal Security Attack Vector incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attacked Party

- Updated the Abnormal Security Attacked Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Abnormal Security Auto Remediated
Updated the Abnormal Security Auto Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Case Status
Updated the Abnormal Security Case Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security First Observed Time
Updated the Abnormal Security First Observed Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Address
Updated the Abnormal Security From Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Name
Updated the Abnormal Security From Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Impersonated Party
Updated the Abnormal Security Impersonated Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Judgement Status
Updated the Abnormal Security Judgement Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Overall Status
Updated the Abnormal Security Overall Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Post Remediated
Updated the Abnormal Security Post Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Received Time
Updated the Abnormal Security Received Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Address
Updated the Abnormal Security Recipient Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Name
Updated the Abnormal Security Recipient Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Remediation Status
Updated the Abnormal Security Remediation Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender Domain
Updated the Abnormal Security Sender Domain incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender IP Address
Updated the Abnormal Security Sender IP Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sent Time
Updated the Abnormal Security Sent Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity
Updated the Abnormal Security Severity incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity Level
Updated the Abnormal Security Severity Level incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Subject
Updated the Abnormal Security Subject incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Related pull requests:
- 42696
- 42249

Download

2.3.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.3.6 - R5469292 (October 20, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40515

Download

2.3.5 - 3980324 (June 26, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40328

Download

2.3.4 - 3570731 (May 28, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to use lte operator in filters instead of lt (API only supports lte and gte operators)
Updated the Abnormal Security integration to poll non-overlapping times by adding a millisecond to start_time of script

Related pull requests:
- 40049
- 40104

Download

2.3.3 - R3526238 (May 25, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 39591

Download

2.3.2 - 3318350 (May 6, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to default polling lag to 2 minutes (instead of 5 minutes).
Updated filtering logic to include filter with windowed timestamps to fetch incidents in a range to support polling lag.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39791
- 39810

Download

2.4.6 - 8564799 (April 29, 2026)

Modeling Rules

Abnormal Security Modeling Rule

Updated the xdm fields supported in the Abnormal Security mapping.

Related pull requests:
- 43949

Download

2.4.5 - 8542515 (April 28, 2026)

Modeling Rules

Abnormal Security Modeling Rule

Documentation and metadata improvements.

Abnormal Security Event Collector

Documentation and metadata improvements.

Related pull requests:
- 43940
- 43949

Download

2.4.4 - 8210013 (April 13, 2026)

Integrations

Abnormal Security Event Collector

Documentation and metadata improvements.

Related pull requests:
- 43748

Download

2.4.3 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

2.4.2 - 7318727 (February 25, 2026)

Integrations

Abnormal Security

Fixed an issue where the integration would abort incident fetching when encountering an API error for a single entity (threat, abuse campaign, or account takeover case). Skippable 4xx errors (e.g., 404 Not Found, 410 Gone) are now logged and the entity is skipped, allowing remaining incidents to be fetched. Systemic errors (401, 403, 429) are still raised immediately.
Updated the Docker image to: demisto/python3:3.12.12.7090913.

Related pull requests:
- 43268
- 43187

Download

2.4.1 - 6893600 (January 27, 2026)

Integrations

Abnormal Security

Added support for abnormal-security-list-activities command that get a list of activity logs for message search and remediation operations.
Added support for abnormal-security-download-message-eml command that download a message in rfc822 eml format for forensic analysis. for quarantine messages, both quarantine_identity and recipient_mailbox parameters are required.
Added support for abnormal-security-search-messages command that search for messages using filters across abnormal or quarantine sources.
Added support for abnormal-security-remediate-messages command that remediate messages by performing actions like delete, move, or submit to detection360.
Added support for abnormal-security-get-activity-status command that get the status and details of a specific activity log entry.
Added support for abnormal-security-download-message-attachment command that download an attachment from a message found in search results. all required parameters can be obtained from the abnormalsecuritysearchmessages command output.

Related pull requests:
- 42821
- 41995

Download

2.4.0 - 6802612 (January 20, 2026)

Incident Fields

Abnormal Security Affected Employee
Updated the Abnormal Security Affected Employee incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Strategy
Updated the Abnormal Security Attack Strategy incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Type
Updated the Abnormal Security Attack Type incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attack Vector
Updated the Abnormal Security Attack Vector incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Attacked Party

- Updated the Abnormal Security Attacked Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Abnormal Security Auto Remediated
Updated the Abnormal Security Auto Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Case Status
Updated the Abnormal Security Case Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security First Observed Time
Updated the Abnormal Security First Observed Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Address
Updated the Abnormal Security From Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security From Name
Updated the Abnormal Security From Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Impersonated Party
Updated the Abnormal Security Impersonated Party incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Judgement Status
Updated the Abnormal Security Judgement Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Overall Status
Updated the Abnormal Security Overall Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Post Remediated
Updated the Abnormal Security Post Remediated incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Received Time
Updated the Abnormal Security Received Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Address
Updated the Abnormal Security Recipient Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Recipient Name
Updated the Abnormal Security Recipient Name incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Remediation Status
Updated the Abnormal Security Remediation Status incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender Domain
Updated the Abnormal Security Sender Domain incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sender IP Address
Updated the Abnormal Security Sender IP Address incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Sent Time
Updated the Abnormal Security Sent Time incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity
Updated the Abnormal Security Severity incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Severity Level
Updated the Abnormal Security Severity Level incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.
Abnormal Security Subject
Updated the Abnormal Security Subject incident field to be searchable to enable comprehensive dashboard creation and reporting capabilities in XSOAR.

Related pull requests:
- 42696
- 42249

Download

2.3.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.3.6 - R5469292 (October 20, 2025)

Integrations

Abnormal Security Event Collector

Resolved an issue that caused first fetch events to fail due to a missing default next page number.

Related pull requests:
- 40515

Download

2.3.5 - 3980324 (June 26, 2025)

Modeling Rules

Abnormal Security Modeling Rule

Updated the Abnormal Security Event Collector Modeling Rule due to backend compatibility issues.

Related pull requests:
- 40328

Download

2.3.4 - 3570731 (May 28, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to use lte operator in filters instead of lt (API only supports lte and gte operators)
Updated the Abnormal Security integration to poll non-overlapping times by adding a millisecond to start_time of script

Related pull requests:
- 40049
- 40104

Download

2.3.3 - R3526238 (May 25, 2025)

Integrations

Abnormal Security Event Collector

Fixed an issue where fetch-events failed due to exceeding the fetching limit threshold.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39591

Download

2.3.2 - 3324525 (May 6, 2025)

Integrations

Abnormal Security

Updated the Abnormal Security integration to default polling lag to 2 minutes (instead of 5 minutes).
Updated filtering logic to include filter with windowed timestamps to fetch incidents in a range to support polling lag.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39791
- 39810

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	July 13, 2021
Last Release	April 29, 2026

Phishing

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.