Threats
Collects and ingests email threat campaigns detected by Abnormal Security. Each campaign is expanded into one record per message — including BEC, phishing, malware, and extortion attacks — with full sender, recipient, attack-type, and remediation context.
Sync Type: Incremental
Prerequisites
Before connecting Monad to Abnormal Security, you need:
- An active Abnormal Security tenant with permission to manage API integrations
- An Abnormal Security REST API key
- Monad's egress IP addresses added to the Abnormal IP allowlist
Setup Instructions
1. Generate an Abnormal Security API Key
-
Log in to the Abnormal portal:
- Sign in at your tenant's Abnormal Security portal URL
-
Navigate to the Integrations area:
- Go to Settings → Integrations
- Open the REST API integration tile
-
Create an API Key:
- Click Generate API Key (or Create Token)
- Provide a descriptive name (e.g., "Monad Threats Connector")
- Copy the generated token immediately — it cannot be retrieved later
- Important: Store the API key securely. Never commit it to version control.
2. Identify Your Tenant's API Base URL
The Abnormal API base URL is region-specific.
- In the Abnormal portal, go to Settings → Integrations → REST API
- Note the base URL listed for your tenant (for example,
https://api.abnormalplatform.com)
3. Allowlist Monad Egress IPs
Abnormal requires API clients to be on an allowlist. Provide the following IPs to your Abnormal administrator or Abnormal support:
- Monad SaaS: see Monad egress IP addresses
- Monad on-premises: your Monad instance's egress IP address
Confirm the allowlist update has been applied before running the connector.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Base URL | string | Yes | API base URL for your Abnormal Security tenant (e.g. https://api.abnormalplatform.com). Region-specific. |
| API Key | string (secret) | Yes | Abnormal Security REST API key from the portal integration tile. Sent as a Bearer token in the Authorization header. |
| Backfill Start Time | string | No | The date to start fetching data from (ISO 8601 format, e.g., 2024-01-15T00:00:00Z). If not specified, no past records will be fetched. |
Troubleshooting
Common Issues
-
Authentication Failures (401 Unauthorized)
- Verify the API key is correct and has not been revoked
- Confirm the Monad egress IPs are on the Abnormal allowlist
- Regenerate the API key if you suspect it may have been compromised
-
Wrong Base URL (404 / connection errors)
- The base URL is region-specific — confirm it matches the value shown in the Abnormal portal under Settings → Integrations → REST API
- Ensure you have not included
/v1in the configured Base URL
-
Missing Threats or Messages
- The connector filters threats by
receivedTime— set Backfill Start Time appropriately to retrieve historical campaigns - Threats purged from Abnormal between the list and detail fetches will be logged and skipped; this is expected behavior
- The connector filters threats by
-
Rate Limiting
- The connector enforces an internal request rate limit
- If you encounter rate limit errors, check whether other processes are using the same API key
- Threat detail fetches are issued sequentially to keep memory and request rate bounded
Related Articles
Sample Record
Code