Abnormal Security
The Abnormal Security connector enables automated interaction with the Abnormal Security platform, facilitating threat detection, case management, and incident analysis.

Abnormal Security offers a cutting-edge email security platform that leverages behavioral data science to identify and block modern email attacks. This connector enables Swimlane Turbine users to automate the retrieval and management of threat intelligence, case details, and email security incidents directly within the Swimlane ecosystem. By integrating with Abnormal Security, users can streamline their security operations, enhance incident response, and leverage detailed threat insights to protect against sophisticated email-based threats.

## Limitations

None to date.

## Supported versions

This Abnormal Security connector uses the latest version API.

## Additional docs

- https://app.swaggerhub.com/apis/abnormal-security/abx/1.4.0#/threats/get_threats

## Prerequisites

Before utilizing the Abnormal Security connector for Swimlane Turbine, ensure you have the following prerequisites:

- HTTP bearer authentication with the following parameters:
  - URL: endpoint for the Abnormal Security API.
  - Authentication token: secure token used for authenticating API requests.

## Authentication methods

The Abnormal Security HTTP bearer authentication connector uses the HTTP bearer authentication method to connect to the Abnormal Security API. The following are required to set up the asset:

- Token: the token generated from Abnormal Security HTTP bearer authentication.
- URL: the URL endpoint for the Abnormal Security HTTP bearer authentication API.

## Capabilities

- Abuse campaigns list
- Campaign details
- Case action status
- Case analysis
- Case details
- Case management
- Detection 360 reports
- Download a message in EML format
- Download the attachment in an email as a file
- Employee genome analysis
- Employee information
- Get attachment
- Get details of the remediation history
- List vendors
- Non analyzed messages

and so on.

## Action setup

### Get threats

Note: the input parameter filter is an OData-based filter which only supports two values: attacktype and attackedparty.

- To filter threats to only those with extortion intent, use `attacktype+eq+'extortion'`.
- To filter threats to only those received by VIPs in your organization, use `attackedparty+eq+'vip'`.

See the following for more information:

- https://www.odata.org/documentation/
- https://app.swaggerhub.com/apis/abnormal-security/abx/1.4.0#/threats/get_threats

## Notes

- Product version tested against: 1.10.0

## Configurations

### Abnormal Security HTTP bearer authentication

Authenticates using bearer token.

Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| token | The API token | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Download a message in EML format

Retrieve an email message in EML format from Abnormal Security using the specified message ID.

Endpoint URL: `/messages/{{message_id}}/download`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.message_id | number | Required | The ABX message ID of a message |

Input example

```json
{"path_parameters": {"message_id": 123}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Attachments |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example

```json
{"file": {"file": "string", "file_name": "example name"}}
```

### Download the attachment in an email as a file

Downloads a specified attachment from an email in Abnormal Security using the message ID and attachment name.

Endpoint URL: `/messages/{{message_id}}/attachment/{{attachment_name}}/download`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.message_id | number | Required | The ABX message ID of a message |
| path_parameters.attachment_name | string | Required | The attachment name of an attachment belonging to an email message |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | string | Optional | Returns test data if set to true |

Input example

```json
{"path_parameters": {"message_id": 123, "attachment_name": "example name"}, "headers": {"Mock-Data": "string"}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Attachments |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example

```json
{"file": {"file": "string", "file_name": "example name"}}
```

### Campaign details

Retrieve detailed information about an abuse mailbox campaign by its unique ID in Abnormal Security.

Endpoint URL: `/v1/abusecampaigns/{{id}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the campaign details action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"id": "id"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| campaignid | string | Unique identifier |
| firstreported | string | Output field firstreported |
| lastreported | string | Output field lastreported |
| messageid | string | Unique identifier |
| subject | string | Output field subject |
| fromname | string | Name of the resource |
| fromaddress | string | Output field fromaddress |
| recipientname | string | Name of the resource |
| recipientaddress | string | Output field recipientaddress |
| judgementstatus | string | Status value |
| overallstatus | string | Status value |
| attacktype | string | Type of the resource |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"campaignid": "fff51768-c446-34e1-97a8-9802c29c3ebd", "firstreported": "2020-11-11T13:11:40-08:00", "lastr
```

### Abuse campaigns list

Retrieve a list of reported campaigns from the abuse mailbox in Abnormal Security.

Endpoint URL: `/v1/abusecampaigns`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | Optional | Parameters for the abuse campaigns list action |
| parameters.sender | string | Optional | Parameters for the abuse campaigns list action |
| parameters.recipient | string | Optional | Parameters for the abuse campaigns list action |
| parameters.subject | string | Optional | Parameters for the abuse campaigns list action |
| parameters.reporter | string | Optional | Parameters for the abuse campaigns list action |
| parameters.attacktype | string | Optional | Parameters for the abuse campaigns list action |
| parameters.threattype | string | Optional | Parameters for the abuse campaigns list action |
| parameters.pagesize | number | Optional | Parameters for the abuse campaigns list action |
| parameters.pagenumber | number | Optional | Parameters for the abuse campaigns list action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"parameters": {"filter": "lastreportedtime gte 2020-01-01T00:00:00Z lte 2021-12-01T00:00:00Z", "sender": "sender", "recipient": "recipient", "subject": "subject", "reporter": "reporter", "attacktype": "attacktype", "threattype": "threattype", "pagesize": 100, "pagenumber": 1}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| campaigns | array | Output field campaigns |
| campaigns.campaignid | string | Unique identifier |
| pagenumber | number | Output field pagenumber |
| nextpagenumber | number | Output field nextpagenumber |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"campaigns": [{}], "pagenumber": 1, "nextpagenumber": 2}}
```

### Get attachment in an email message

Retrieves the details of a specified attachment from an email message in Abnormal Security using the message ID and attachment name.

Endpoint URL: `/messages/{{message_id}}/attachment/{{attachment_name}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.message_id | number | Required | The ABX message ID of a message |
| path_parameters.attachment_name | string | Required | The attachment name of an attachment belonging to an email message |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | string | Optional | Returns test data if set to true |

Input example

```json
{"path_parameters": {"message_id": 123, "attachment_name": "example name"}, "headers": {"Mock-Data": "string"}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attachmentname | string | Name of the resource |
| type | string | Type of the resource |
| details | array | Output field details |
| md5 | string | Output field md5 |
| sha1 | string | Output field sha1 |
| sha256 | string | Output field sha256 |
| size | string | Output field size |
| createdon | string | Output field createdon |
| lastupdated | string | Output field lastupdated |
| url | array | URL endpoint for the request |
| keyphrases | array | Output field keyphrases |

Output example

```json
{"attachmentname": "example name", "type": "string", "details": ["string"], "md5": "string", "sha1": "string", "sha256": "string", "size": "string", "createdon": "string", "lastupdated": "string", "url": ["string"], "keyphrases": ["string"]}
```

### Case details

Retrieve detailed case information from Abnormal Security using a specific case ID.

Endpoint URL: `/v1/cases/{{caseid}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseid | string | Required | Parameters for the case details action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"caseid": "caseid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| caseid | string | Unique identifier |
| severity | string | Output field severity |
| affectedemployee | string | Output field affectedemployee |
| firstobserved | string | Output field firstobserved |
| threatids | array | Unique identifier |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"caseid": "1234", "severity": "potential account takeover", "affectedemployee": "firstname lastname", "first
```

### Case action status

Check the status of a specific action on a case using the case ID and action ID in Abnormal Security.

Endpoint URL: `/v1/cases/{{caseid}}/actions/{{actionid}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseid | string | Required | Parameters for the case action status action |
| path_parameters.actionid | string | Required | Parameters for the case action status action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"caseid": "caseid", "actionid": "actionid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| description | string | Output field description |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"status": "acknowledged", "description": "the request was completed successfully"}}
```

### Case analysis

Retrieve a detailed analysis and timeline for a specific case in Abnormal Security using the unique case ID.

Endpoint URL: `/v1/cases/{{caseid}}/analysis`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseid | string | Required | Parameters for the case analysis action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"caseid": "caseid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| insights | array | Output field insights |
| insights.signal | string | Output field insights.signal |
| insights.description | string | Output field insights.description |
| eventtimeline | array | Output field eventtimeline |
| eventtimeline.event_timestamp | string | Output field eventtimeline.event_timestamp |
| eventtimeline.category | string | Output field eventtimeline.category |
| eventtimeline.title | string | Output field eventtimeline.title |
| eventtimeline.field_labels | object | Output field eventtimeline.field_labels |
| eventtimeline.ip_address | string | Output field eventtimeline.ip_address |
| eventtimeline.location | object | Output field eventtimeline.location |
| eventtimeline.location.city | string | Output field eventtimeline.location.city |
| eventtimeline.location.state | string | Output field eventtimeline.location.state |
| eventtimeline.location.country | string | Output field eventtimeline.location.country |
| eventtimeline.prev_location | object | Output field eventtimeline.prev_location |
| eventtimeline.prev_location.city | string | Output field eventtimeline.prev_location.city |
| eventtimeline.prev_location.state | string | Output field eventtimeline.prev_location.state |
| eventtimeline.prev_location.country | string | Output field eventtimeline.prev_location.country |
| eventtimeline.description | string | Output field eventtimeline.description |
| eventtimeline.isp | string | Output field eventtimeline.isp |
| eventtimeline.browser | string | Output field eventtimeline.browser |
| eventtimeline.operating_system | string | Output field eventtimeline.operating_system |
| eventtimeline.device_trust_type | string | Type of the resource |
| eventtimeline.protocol | string | Output field eventtimeline.protocol |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"insights": [{}], "eventtimeline": [{"event_timestamp": "2020-05-19T17:47:30Z", "category": "risk event", "ti
```

### Retrieve cases

Obtain an overview of detected security incidents by listing cases identified by Abnormal Security.

Endpoint URL: `/v1/cases`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | Optional | Parameters for the retrieve cases action |
| parameters.pagesize | number | Optional | Parameters for the retrieve cases action |
| parameters.pagenumber | number | Optional | Parameters for the retrieve cases action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"parameters": {"filter": "lastmodifiedtime gte 2020-01-01T01:01:01Z lte 2021-12-01T01:01:01Z", "pagesize": 100, "pagenumber": 1}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cases | array | Output field cases |
| cases.caseid | string | Unique identifier |
| cases.severity | string | Output field cases.severity |
| pagenumber | number | Output field pagenumber |
| nextpagenumber | number | Output field nextpagenumber |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"cases": [{}], "pagenumber": 1, "nextpagenumber": 2}}
```

### Get details of the remediation history

Retrieve the remediation history details for a specific threat log message using its message ID in Abnormal Security.

Endpoint URL: `/messages/{{message_id}}/remediation_history`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.message_id | number | Required | The ABX message ID of a message |

Input example

```json
{"path_parameters": {"message_id": 123}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| remediation_history | string | Output field remediation_history |
| folder_locations | array | Output field folder_locations |

Output example

```json
{"status_code": 200, "reason": "OK", "json_body": {"remediation_history": "\"auto remediated\" \"2023-04-11T20:54:56.244716+00:00\"", "folder_locations": ["junk"]}}
```

### Detection 360 reports

Retrieve missed attack or false positive reports from Abnormal Security's Detection 360° by specifying the inquiry type.

Endpoint URL: `/v1/detection360/reports`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.inquiry_type | string | Required | Specifies the type of inquiry for the report. Available values are missed attack and false positive |
| parameters.start | string | Optional | Parameters for the detection 360 reports action |
| parameters.end | string | Optional | Parameters for the detection 360 reports action |
| parameters.status | string | Optional | Defines the current status of the detection report. Available values are unreviewed, containing attack, improving platform, resolved, and correcting judgement |

Input example

```json
{"parameters": {"inquiry_type": "missed attack", "start": "2022-01-01T00:00:00Z", "end": "2022-01-07T23:59:59Z", "status": "unreviewed", "reporter": "reporter", "attacktype": "attacktype", "threattype": "threattype", "pagesize": 100, "pagenumber": 1}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": [{"id": 0, "inquiry_type": "missed attack", "messages": {}, "report": {}, "status": "unreviewed", "submission_dat
```

### Employee information

Retrieve detailed information for an employee by using their email address as a unique identifier in Abnormal Security.

Endpoint URL: `/v1/employee/{{emailaddress}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.emailaddress | string | Required | Parameters for the employee information action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"emailaddress": "emailaddress"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| email | string | Output field email |
| title | string | Output field title |
| manager | string | Output field manager |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"name": "tom", "email": "example@example.com", "title": "general manager", "manager": "manager email@example
```

### Employee genome analysis

Retrieve identity analysis data for a specified employee from Abnormal Security using their email address.

Endpoint URL: `/v1/employee/{{emailaddress}}/identity`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.emailaddress | string | Required | Parameters for the employee genome analysis action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"emailaddress": "emailaddress"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.key | string | Response data |
| data.name | string | Response data |
| data.description | string | Response data |
| data.values | array | Response data |
| data.values.value | string | Response data |
| data.values.percentage | number | Response data |
| data.values.total_count | number | Response data |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"data": [{}]}}
```

### Non analyzed messages

Retrieve messages from the abuse mailbox in Abnormal Security that are pending analysis.

Endpoint URL: `/v1/abuse_mailbox/not_analyzed`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start | string | Optional | Parameters for the non analyzed messages action |
| parameters.end | string | Optional | Parameters for the non analyzed messages action |

Input example

```json
{"parameters": {"start": "2022-01-01T00:00:00Z", "end": "2022-01-01T00:00:00Z"}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | object | Result of the operation |
| results.abx_message_id | number | Unique identifier |
| results.recipient | object | Result of the operation |
| results.recipient.name | string | Name of the resource |
| results.recipient.email | string | Result of the operation |
| results.reported_datetime | string | Result of the operation |
| results.reporter | object | Result of the operation |
| results.reporter.name | string | Name of the resource |
| results.reporter.email | string | Result of the operation |
| results.subject | string | Result of the operation |
| results.not_analyzed_reason | string | Response reason phrase |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"results": {"abx_message_id": 0, "recipient": {}, "reported_datetime": "2024-05-17T06:19:57.145Z", "reporter"
```

### Threat details

Retrieve detailed information for a specified threat in Abnormal Security using the unique threat ID provided.

Endpoint URL: `/v1/threats/{{threatid}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.pagesize | number | Optional | Parameters for the threat details action |
| parameters.pagenumber | number | Optional | Parameters for the threat details action |
| path_parameters.threatid | string | Required | Parameters for the threat details action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"parameters": {"pagesize": 100, "pagenumber": 1}, "path_parameters": {"threatid": "threatid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threatid | string | Unique identifier |
| messages | array | Response message |
| messages.threatid | string | Unique identifier |
| messages.abxmessageid | number | Unique identifier |
| messages.abxportalurl | string | URL endpoint for the request |
| messages.subject | string | Response message |
| messages.fromaddress | string | Response message |
| messages.fromname | string | Name of the resource |
| messages.senderdomain | string | Response message |
| messages.toaddresses | string | Response message |
| messages.recipientaddress | string | Response message |
| messages.receivedtime | string | Response message |
| messages.senttime | string | Response message |
| messages.internetmessageid | string | Unique identifier |
| messages.remediationstatus | string | Status value |
| messages.attacktype | string | Type of the resource |
| messages.attackstrategy | string | Response message |
| messages.returnpath | string | Response message |
| messages.replytoemails | array | Response message |
| messages.ccemails | array | Response message |
| messages.senderipaddress | string | Response message |
| messages.impersonatedparty | string | Response message |
| messages.attackvector | string | Response message |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"threatid": "184712ab-6d8b-47b3-89d3-a314efef79e2", "messages": [{}], "pagenumber": 1, "nextpagenumber": 2}}
```

### Threat action status

Check the status of a requested action on a threat within Abnormal Security using threatid and actionid.

Endpoint URL: `/v1/threats/{{threatid}}/actions/{{actionid}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threatid | string | Required | Parameters for the threat action status action |
| path_parameters.actionid | string | Required | Parameters for the threat action status action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"threatid": "threatid", "actionid": "actionid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| description | string | Output field description |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"status": "acknowledged", "description": "the request was completed successfully"}}
```

### Threat attachment details

Retrieve detailed attachment information for a given threat ID in Abnormal Security.

Endpoint URL: `/v1/threats/{{threatid}}/attachments`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threatid | string | Required | Parameters for the threat attachment details action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"threatid": "threatid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threats | array | Output field threats |
| threats.abxmessageid | number | Unique identifier |
| threats.attachmentname | string | Name of the resource |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"threats": [{}]}}
```

### Threat link info

Retrieve detailed link information for a given threat ID from Abnormal Security, requiring the threatid as a path parameter.

Endpoint URL: `/v1/threats/{{threatid}}/links`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threatid | string | Required | Parameters for the threat link info action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"threatid": "threatid"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threats | array | Output field threats |
| threats.abxmessageid | number | Unique identifier |
| threats.domainlink | string | Output field threats.domainlink |
| threats.linktype | string | Type of the resource |
| threats.source | string | Output field threats.source |
| threats.displaytext | string | Output field threats.displaytext |
| threats.linkurl | string | URL endpoint for the request |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"threats": [{}]}}
```

### Threat retrieval

Obtain a detailed list of threats identified by Abnormal Security, providing insights into potential security incidents.

Endpoint URL: `/v1/threats`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | Optional | Parameters for the threat retrieval action |
| parameters.sender | string | Optional | Parameters for the threat retrieval action |
| parameters.source | string | Optional | Parameters for the threat retrieval action |
| parameters.recipient | string | Optional | Parameters for the threat retrieval action |
| parameters.subject | string | Optional | Parameters for the threat retrieval action |
| parameters.topic | string | Optional | Parameters for the threat retrieval action |
| parameters.attackstrategy | string | Optional | Parameters for the threat retrieval action |
| parameters.impersonatedparty | string | Optional | Parameters for the threat retrieval action |
| parameters.attacktype | string | Optional | Parameters for the threat retrieval action |
| parameters.threattype | string | Optional | Parameters for the threat retrieval action |
| parameters.pagesize | number | Optional | Parameters for the threat retrieval action |
| parameters.pagenumber | number | Optional | Parameters for the threat retrieval action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"parameters": {"filter": "receivedtime gte 2020-01-01T01:01:01Z lte 2021-12-01T01:01:01Z", "sender": "sender", "source": "source", "recipient": "recipient", "subject": "subject", "topic": "topic", "attackstrategy": "attackstrategy", "impersonatedparty": "impersonatedparty", "attacktype": "attacktype", "threattype": "threattype", "pagesize": 100, "pagenumber": 1}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| threats | array | Output field threats |
| threats.threatid | string | Unique identifier |
| pagenumber | number | Output field pagenumber |
| nextpagenumber | number | Output field nextpagenumber |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"threats": [{}], "pagenumber": 1, "nextpagenumber": 2}}
```

### Vendor details

Retrieve details for a specified vendor domain from Abnormal Security, requiring the vendordomain as a path parameter.

Endpoint URL: `/v1/vendors/{{vendordomain}}/details`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.vendordomain | string | Required | Parameters for the vendor details action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"vendordomain": "vendordomain"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| vendordomain | string | Output field vendordomain |
| risklevel | string | Output field risklevel |
| vendorcontacts | array | Output field vendorcontacts |
| companycontacts | array | Output field companycontacts |
| vendorcountries | array | Output field vendorcountries |
| analysis | array | Output field analysis |
| vendoripaddress | array | Output field vendoripaddress |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"vendordomain": "vendor.com", "risklevel": "high", "vendorcontacts": ["alice@vendor.com"], "companycontacts"
```

### Vendor activity

Retrieve interaction activity for a specified vendor domain in Abnormal Security, requiring the vendordomain path parameter.

Endpoint URL: `/v1/vendors/{{vendordomain}}/activity`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.vendordomain | string | Required | Parameters for the vendor activity action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"vendordomain": "vendordomain"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| eventtimeline | array | Output field eventtimeline |
| eventtimeline.eventtimestamp | string | Output field eventtimeline.eventtimestamp |
| eventtimeline.eventtype | string | Type of the resource |
| eventtimeline.suspiciousdomain | string | Output field eventtimeline.suspiciousdomain |
| eventtimeline.domainip | string | Output field eventtimeline.domainip |
| eventtimeline.ipgeolocation | string | Output field eventtimeline.ipgeolocation |
| eventtimeline.attackgoal | string | Output field eventtimeline.attackgoal |
| eventtimeline.actiontaken | string | Output field eventtimeline.actiontaken |
| eventtimeline.hasengagement | boolean | Output field eventtimeline.hasengagement |
| eventtimeline.recipient | string | Output field eventtimeline.recipient |
| eventtimeline.threatid | string | Unique identifier |

Output example

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 06 May 2024 20:11:44 GMT", "Content-Type": "application/json", "Content-Length": "144", "Connection": "keep-alive", "Server": "nginx", "Vary": "Accept", "Allow": "GET, OPTIONS", "X-Abnormal-Trace-Id": "b1667e55-51de-4e6c-9a36-85ba4184dea3", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin"}, "reason": "OK", "json_body": {"eventtimeline": [{}]}}
```

### Vendor case details

Retrieve detailed information for a specific vendor case in Abnormal Security using the unique case ID.

Endpoint URL: `/v1/vendor-cases/{{id}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the vendor case details action |
| headers | object | Optional | HTTP headers for the request |
| headers.Mock-Data | boolean | Optional | Response data |

Input example

```json
{"path_parameters": {"id": "id"}, "headers": {"Mock-Data": false}}
```

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| vendorcaseid | number | Unique
identifier firstobservedtime string time value lastmodifiedtime string time value vendordomain string output field vendordomain insights array output field insights insights highlight string output field insights highlight insights description string output field insights description timeline array output field timeline timeline eventtimestamp string output field timeline eventtimestamp timeline senderaddress string output field timeline senderaddress timeline recipientaddress string output field timeline recipientaddress timeline subject string output field timeline subject timeline markedas string output field timeline markedas timeline threatid string unique identifier output example {"status code" 200,"response headers" {"date" "mon, 06 may 2024 22 40 36 gmt","content type" "application/json","content length" "1757","connection" "keep alive","server" "nginx","vary" "accept","allow" "get, options","x abnormal trace id" "3aa7103c 84d3 474a 97dd 64b9870d59d6","x frame options" "deny","x content type options" "nosniff","referrer policy" "same origin"},"reason" "ok","json body" {"vendorcaseid" 0,"firstobservedtime" "2020 06 09t17 42 59z","lastmodifiedtime" "2020 06 09t17 42 59z" vendor cases list retrieve an overview of potential security incidents by listing vendor cases from abnormal security endpoint url /v1/vendor cases method get input argument name type required description parameters filter string optional parameters for the vendor cases list action parameters pagesize number optional parameters for the vendor cases list action parameters pagenumber number optional parameters for the vendor cases list action headers object optional http headers for the request headers mock data boolean optional response data input example {"parameters" {"filter" "firstobservedtime gte 2020 01 01t01 01 01z lte 2021 12 01t01 01 01z","pagesize" 100,"pagenumber" 1},"headers" {"mock data"\ false}} output parameter type description status code number http status code of the 
response reason string response reason phrase vendorcases array output field vendorcases vendorcases vendorcaseid number unique identifier pagenumber number output field pagenumber nextpagenumber number output field nextpagenumber output example {"status code" 200,"response headers" {"date" "mon, 06 may 2024 22 40 35 gmt","content type" "application/json","content length" "109","connection" "keep alive","server" "nginx","vary" "accept","allow" "get, options","x abnormal trace id" "9c0e0956 c50b 4c78 bd66 cb4b522d5fd6","x frame options" "deny","x content type options" "nosniff","referrer policy" "same origin"},"reason" "ok","json body" {"vendorcases" \[{}],"pagenumber" 1,"nextpagenumber" 2}} list vendors retrieve a list of vendors your organization has interacted with via abnormal security endpoint url /v1/vendors method get input argument name type required description parameters pagesize number optional parameters for the list vendors action parameters pagenumber number optional parameters for the list vendors action headers object optional http headers for the request headers mock data boolean optional response data input example {"parameters" {"pagesize" 100,"pagenumber" 1},"headers" {"mock data"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase vendors array output field vendors vendors vendordomain string output field vendors vendordomain pagenumber number output field pagenumber nextpagenumber number output field nextpagenumber output example {"status code" 200,"response headers" {"date" "mon, 06 may 2024 20 11 44 gmt","content type" "application/json","content length" "144","connection" "keep alive","server" "nginx","vary" "accept","allow" "get, options","x abnormal trace id" "b1667e55 51de 4e6c 9a36 85ba4184dea3","x frame options" "deny","x content type options" "nosniff","referrer policy" "same origin"},"reason" "ok","json body" {"vendors" \[{}],"pagenumber" 
1,"nextpagenumber" 2}} case management update or retrieve details for a specific abnormal security case using the provided case id endpoint url /v1/cases/{{caseid}} method post input argument name type required description path parameters caseid string required parameters for the case management action headers object optional http headers for the request headers mock data boolean optional response data action string optional parameter for case management input example {"json body" {"action" "action required"},"path parameters" {"caseid" "caseid"},"headers" {"mock data"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase action string output field action output example {"status code" 200,"response headers" {"date" "mon, 06 may 2024 20 11 44 gmt","content type" "application/json","content length" "144","connection" "keep alive","server" "nginx","vary" "accept","allow" "get, options","x abnormal trace id" "b1667e55 51de 4e6c 9a36 85ba4184dea3","x frame options" "deny","x content type options" "nosniff","referrer policy" "same origin"},"reason" "ok","json body" {"action" "action required"}} threat management manage a specific threat in abnormal security by utilizing the provided threatid endpoint url /v1/threats/{{threatid}} method post input argument name type required description path parameters threatid string required parameters for the threat management action headers object optional http headers for the request headers mock data boolean optional response data action string optional parameter for threat management input example {"json body" {"action" "remediate"},"path parameters" {"threatid" "threatid"},"headers" {"mock data"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase actionid string unique identifier statusurl string url endpoint for the request output example {"status code" 200,"response 
headers" {"date" "mon, 06 may 2024 20 11 44 gmt","content type" "application/json","content length" "144","connection" "keep alive","server" "nginx","vary" "accept","allow" "get, options","x abnormal trace id" "b1667e55 51de 4e6c 9a36 85ba4184dea3","x frame options" "deny","x content type options" "nosniff","referrer policy" "same origin"},"reason" "ok","json body" {"actionid" "a33a212a 89ff 461f be34 ea52aff44a73","statusurl" "https //api abnormalplatform com/v1/thr report misjudgement report a missed attack or false positive to abnormal security, enhancing future detection accuracy a json body input is required endpoint url /v1/detection360/reports method post input argument name type required description report type string optional type of the resource received date string optional date value description string optional parameter for report misjudgement portal link string optional parameter for report misjudgement input example {"json body" {"report type" "false positive","received date" "2020/02/01","description" "alice reported this email was missing from their inbox ","portal link" "https //portal abnormalsecurity com/home/threat center/remediation history/1234567890"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "mon, 06 may 2024 20 11 44 gmt","content type" "application/json","content length" "144","connection" "keep alive","server" "nginx","vary" "accept","allow" "get, options","x abnormal trace id" "b1667e55 51de 4e6c 9a36 85ba4184dea3","x frame options" "deny","x content type options" "nosniff","referrer policy" "same origin"},"reason" "ok","json body" {}} response headers header description example allow http response header allow get, options connection http response header connection keep alive content length the length of the response body in bytes 144 content type the media type of the resource application/json 
date the date and time at which the message was originated mon, 06 may 2024 22 40 36 gmt referrer policy http response header referrer policy same origin server information about the software used by the origin server nginx vary http response header vary accept x abnormal trace id http response header x abnormal trace id 3aa7103c 84d3 474a 97dd 64b9870d59d6 x content type options http response header x content type options nosniff x frame options http response header x frame options deny
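The list actions on this page (get threats, vendor cases list, list vendors) return a page number and a next page number alongside the result array. The following is an added example, not code from Swimlane or Abnormal Security, of walking those pages defensively from a playbook script. It assumes the field names are spelled in camelCase (`pageNumber`, `nextPageNumber`), that the last page omits `nextPageNumber`, and it uses a hypothetical `fetch_page` callable plus constructed sample pages in place of the real connector action.

```python
from typing import Callable, Dict, Iterator, List

# Constructed sample data: page number -> (vendor case ids, next page or None).
_SAMPLE_PAGES = {1: ([101, 102], 2), 2: ([102, 103, 104], 3), 3: ([105], None)}


def fake_vendor_cases(page_number: int, page_size: int) -> Dict:
    """Hypothetical stand-in for the 'vendor cases list' action output."""
    ids, nxt = _SAMPLE_PAGES[page_number]
    body = {"vendorCases": [{"vendorCaseId": i} for i in ids],
            "pageNumber": page_number}
    if nxt is not None:  # assumption: the last page omits nextPageNumber
        body["nextPageNumber"] = nxt
    return {"status_code": 200, "reason": "OK", "json_body": body}


def iter_pages(fetch_page: Callable[[int, int], Dict],
               page_size: int = 100, max_pages: int = 50) -> Iterator[Dict]:
    """Yield each json_body, following nextPageNumber with loop guards."""
    page, visited = 1, set()
    while page is not None:
        if page in visited:
            raise RuntimeError(f"pagination loop: page {page} returned twice")
        if len(visited) >= max_pages:
            raise RuntimeError(f"stopped after {max_pages} pages")
        visited.add(page)
        result = fetch_page(page, page_size)
        if result.get("status_code") != 200:
            raise RuntimeError(f"page {page}: HTTP {result.get('status_code')}")
        body = result.get("json_body") or {}
        yield body
        nxt = body.get("nextPageNumber")
        page = nxt if isinstance(nxt, int) else None


def collect_ids(fetch_page: Callable[[int, int], Dict], list_key: str,
                id_key: str, **kwargs) -> List:
    """Collect unique identifiers across all pages, preserving order."""
    seen, ordered = set(), []
    for body in iter_pages(fetch_page, **kwargs):
        for item in body.get(list_key, []):
            value = item.get(id_key)
            if value is not None and value not in seen:
                seen.add(value)
                ordered.append(value)
    return ordered


if __name__ == "__main__":
    print(collect_ids(fake_vendor_cases, "vendorCases", "vendorCaseId"))
```

The same helper applies to the other list actions by passing `"threats"`/`"threatId"` or `"vendors"`/`"vendorDomain"` as the list and identifier keys.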