# Cases Ingests Abnormal Security cases — investigation groupings that bundle related threats, affected employees, and remediation actions for a security event. **Sync Type: Incremental** ## Prerequisites Before connecting Monad to Abnormal Security, you need: 1. An active Abnormal Security tenant with permission to manage API integrations 2. An Abnormal Security REST API key 3. Monad's egress IP addresses added to the Abnormal IP allowlist ## Setup Instructions ### 1. Generate an Abnormal Security API Key 1. **Log in to the Abnormal portal**: - Sign in at your tenant's Abnormal Security portal URL 2. **Navigate to the Integrations area**: - Go to **Settings** → **Integrations** - Open the **REST API** integration tile 3. **Create an API Key**: - Click **Generate API Key** (or **Create Token**) - Provide a descriptive name (e.g., "Monad Cases Connector") - Copy the generated token immediately — it cannot be retrieved later - **Important**: Store the API key securely. Never commit it to version control. ### 2. Identify Your Tenant's API Base URL The Abnormal API base URL is region-specific. 1. In the Abnormal portal, go to **Settings** → **Integrations** → **REST API** 2. Note the base URL listed for your tenant (for example, `https://api.abnormalplatform.com`) ### 3. Allowlist Monad Egress IPs Abnormal requires API clients to be on an allowlist. Provide the following IPs to your Abnormal administrator or Abnormal support: - **Monad SaaS**: `35.81.245.33`, `35.83.26.83`, `35.84.110.88` - **Monad on-premises**: your Monad instance's egress IP address Confirm the allowlist update has been applied before running the connector. ## Configuration The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below. ### Settings | Setting | Type | Required | Description | | ------- | ---- | -------- | ----------- | | Base URL | string | Yes | API base URL for your Abnormal Security tenant (e.g. `https://api.abnormalplatform.com`). Region-specific. | | API Key | string (secret) | Yes | Abnormal Security REST API key from the portal integration tile. Sent as a Bearer token in the Authorization header. | | Backfill Start Time | string | No | The date to start fetching data from (ISO 8601 format, e.g., `2024-01-15T00:00:00Z`). If not specified, no past records will be fetched. | ## Troubleshooting ### Common Issues 1. **Authentication Failures (401 Unauthorized)** - Verify the API key is correct and has not been revoked - Confirm the Monad egress IPs are on the Abnormal allowlist - Regenerate the API key if you suspect it may have been compromised 2. **Wrong Base URL (404 / connection errors)** - The base URL is region-specific — confirm it matches the value shown in the Abnormal portal under Settings → Integrations → REST API - Ensure you have not included `/v1` in the configured Base URL 3. **Missing Cases** - The connector filters cases by `lastModifiedTime` — set Backfill Start Time appropriately to retrieve historical cases - Cases purged from Abnormal between the list and detail fetches will be logged and skipped; this is expected behavior 4. **Rate Limiting** - The connector enforces an internal request rate limit of 1 request/second - If you encounter rate limit errors, check whether other processes are using the same API key - Case detail fetches are issued sequentially to keep memory and request rate bounded ## Related Articles - [Abnormal Security REST API Spec](https://app.swaggerhub.com/apis-docs/abnormal-security/abx) - [Abnormal Security REST API Overview](https://abnormalsecurity.my.site.com/knowledgebase/s/article/Abnormal-REST-API-Integration) ## Sample Record ```json { "caseId": "1234", "severity": "HIGH", "severityScore": 8.5, "affectedEmployees": [ { "name": "Jane Smith", "email": "jane.smith@acme.com" } ], "firstObservedTime": "2024-11-10T08:00:00Z", "lastModifiedTime": "2024-11-14T12:30:00Z", "customerVisibleTime": "2024-11-10T08:05:00Z", "threatIds": [ "184712ab-6d8b-47b3-89d3-a314efef79e2" ], "description": "Potential account takeover detected across multiple threat vectors.", "actions": [ { "actionType": "QUARANTINE", "timestamp": "2024-11-14T12:30:00Z" } ] } ```