Abnormal Inbound Email Security Integration Guide🔗

The following instructions are for configuring an Abnormal Inbound Email Security integration to facilitate log ingestion into Secureworks® Taegis™ XDR.

Data Provided from Integration🔗

The following Abnormal event types are supported by XDR:

  • Threats
  • Abuse Campaigns

    Note

    You must subscribe to Abnormal's AI Security Mailbox product for Abuse Campaigns to work.

Detection360 logs will be normalized to the Generic schema.

| Data Source | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| Abnormal Inbound Email Security | Email | | |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.

Configure Abnormal Inbound Email Security🔗

  1. Refer to the vendor's documentation to configure the Abnormal API.

    Important

    The Read Sensitive access level is required for the integration.

  2. For new integrations, enter the IP address range for your Taegis region, from the Taegis IP Address Ranges section below, in the IP Safelist field. If you previously configured the IP Safelist with the older values from this Knowledge Base article, add the new range for your region now and remove the old addresses 30 days after the date noted below, unless informed otherwise.

    Note

    Abnormal disallows a wildcard IP, such as 0.0.0.0/0 (all IPv4 addresses), as a valid value for the IP Safelist.

    If you have an existing IP allow list configured for this integration, or plan to configure one, use the IP address ranges in the Taegis IP Address Ranges section below.

  3. Copy the API Access Token. This value is required to complete the integration in XDR.

Taegis IP Address Ranges🔗

If you have an existing firewall or API gateway IP allow list configured for this integration, or plan to configure one, add the following XDR IP address ranges for your Taegis region.

| Taegis Region | IP Address Range |
|---|---|
| Charlie | 216.9.204.0/24 |
| Delta | 216.9.204.0/24 |
| Echo | 216.9.205.0/24 |
| Foxtrot | 216.9.206.0/24 |
| Golf | 216.9.207.0/24 |
| Hotel | 208.89.40.0/24 |
| India | 208.89.42.0/24 |
| Juliet | 208.89.41.0/24 |
| Kilo | 208.89.43.0/24 |
| Quebec | 208.89.44.0/24 |

Note

As of June 8, 2026, these are the only IP ranges required for XDR integrations. If you previously configured older IP addresses, we recommend removing them after 30 days from this date, unless informed otherwise.
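The safelist step above has two ways to go wrong that Abnormal will not catch for you: leaving the old Taegis ranges in place indefinitely, and safelisting something broader than the single /24 your region needs (Abnormal rejects 0.0.0.0/0 outright, but a stray /8 would be accepted). The following is an added example, not Secureworks or Abnormal code: it takes the region table from this guide and checks a proposed IP Safelist for those problems. The region name and the safelist entries passed in are assumptions you would replace with your own.

```python
"""Check a proposed Abnormal IP Safelist against the Taegis egress ranges.

Added example, not part of the Secureworks or Abnormal documentation.
The region-to-range table is copied from the guide above; the safelist
entries used in the usage call are constructed for illustration.
"""
import ipaddress

# Taegis XDR egress ranges per region, as listed in the guide.
TAEGIS_RANGES = {
    "Charlie": "216.9.204.0/24",
    "Delta": "216.9.204.0/24",
    "Echo": "216.9.205.0/24",
    "Foxtrot": "216.9.206.0/24",
    "Golf": "216.9.207.0/24",
    "Hotel": "208.89.40.0/24",
    "India": "208.89.42.0/24",
    "Juliet": "208.89.41.0/24",
    "Kilo": "208.89.43.0/24",
    "Quebec": "208.89.44.0/24",
}


def check_safelist(region, entries):
    """Return findings for a proposed Abnormal IP Safelist.

    invalid        entries that are not an IPv4 address or CIDR
    wildcard       entries covering all of IPv4 (Abnormal rejects these)
    covers_region  True if the region's Taegis range is fully safelisted
    unexpected     entries that are not one of the current Taegis ranges:
                   old ranges to remove after the 30-day overlap, or
                   over-broad blocks that grant more than the one /24
    """
    if region not in TAEGIS_RANGES:
        raise ValueError(f"unknown Taegis region: {region}")
    required = ipaddress.ip_network(TAEGIS_RANGES[region])
    current = {ipaddress.ip_network(r) for r in TAEGIS_RANGES.values()}

    findings = {"invalid": [], "wildcard": [], "unexpected": [],
                "covers_region": False}
    parsed = []
    for raw in entries:
        try:
            # strict=False normalises host bits, e.g. 216.9.204.5/24
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings["invalid"].append(raw)
            continue
        if net.version != 4:
            findings["invalid"].append(raw)
            continue
        if net.prefixlen == 0:
            findings["wildcard"].append(raw)
            continue
        parsed.append(net)

    # Coverage: one entry that contains the whole required /24 is enough.
    findings["covers_region"] = any(required.subnet_of(net) for net in parsed)

    # Anything that is not exactly a current Taegis range is flagged, whether
    # it is a stale address or a block wider than the region needs.
    for net in parsed:
        if net not in current:
            findings["unexpected"].append(str(net))
    return findings


if __name__ == "__main__":
    # Constructed safelist: the right range, an old address, a wildcard, junk.
    proposed = ["216.9.205.0/24", "203.0.113.0/24", "0.0.0.0/0", "not-an-ip"]
    for key, value in check_safelist("Echo", proposed).items():
        print(f"{key}: {value}")
```

Run it against the entries currently in the Abnormal IP Safelist field: `covers_region` should be true for your region before you save, and anything under `unexpected` is what to remove once the 30-day overlap in the note above has passed.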

Complete the Integration in XDR🔗

  1. From the Taegis Menu, select Integrations → Cloud APIs.
  2. Select Add an Integration from the top of the page.

  3. From the Optimized tab, select the Abnormal Email Security card.

  4. Enter the following fields:

    • Integration Name — Any unique string
    • Access Token — The API Access Token copied in the Configure Abnormal Inbound Email Security section above

  5. Select Done. The Manage Integrations page displays with the successfully added Abnormal Email Security integration listed under Cloud API Integrations.

Tip

You can use the Integration Name defined in Step 4 above to identify the integration within the Cloud API Integrations table.

Sample Logs🔗

Abnormal Inbound Email Security Event🔗

{
  "messages": [
    {
      "abxMessageId": 0651365477966049289,
      "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/0651365477966049289",
      "attachmentCount": 0,
      "attachmentNames": [],
      "attackStrategy": "Unknown Sender",
      "attackType": "Spam",
      "attackVector": "Text",
      "attackedParty": "Employee (Other)",
      "autoRemediated": true,
      "ccEmails": [],
      "fromAddress": "user@email.com",
      "fromName": "john doe",
      "impersonatedParty": "None / Others",
      "internetMessageId": "<CAN=ZKYOYKLUBWRTCZXMOAIZEPMECVD79+-=8WYR3B6JL0YDT7BPWL@mail.email.com>",
      "isRead": false,
      "postRemediated": false,
      "receivedTime": "2024-08-07T14:30:14Z",
      "recipientAddress": "user@email.com",
      "remediationStatus": "Auto-Remediated",
      "remediationTimestamp": "2024-08-07T14:30:36.641996Z",
      "replyToEmails": [],
      "returnPath": "example@email.com",
      "senderDomain": "gmail.com",
      "senderIpAddress": null,
      "sentTime": "2024-08-07T14:29:59Z",
      "subject": "re: Conference registrants 2021",
      "summaryInsights": [
        "Unusual Sender"
      ],
      "threatId": "c1c926fc-555d-ecdc-f948-a2266c3e719b",
      "toAddresses": [
        "example@email.com"
      ],
      "urlCount": 0,
      "urls": []
    }
  ],
  "threatId": "c1c926fc-555d-ecdc-f948-a2266c3e719b"
}
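Once these events are in XDR they land in the Email schema, and the note earlier on this page points out that you may need Custom Detection Rules on top of the normalized data. The following added example (not Secureworks or Abnormal code) shows the kind of logic such a rule encodes, run directly over a payload shaped like the sample above: it flattens each message into a generic email record and flags the ones Abnormal saw but did not auto-remediate. The two-message payload is constructed, the output field names are this example's own rather than Taegis Email schema columns, and the review policy is an assumption. One caveat about the sample itself: `abxMessageId` is printed with a leading zero, which is not valid JSON, so the constructed payload uses a plain integer.

```python
"""Triage an Abnormal Inbound Email Security threat payload.

Added example, not Secureworks or Abnormal code. Field names follow the
sample log above; the payload below is constructed and the needs_review
policy is an assumption, not an XDR detector.
"""
import json
from datetime import datetime

# Constructed payload in the shape of the sample above. abxMessageId is a
# plain integer here: a leading zero is not valid JSON.
SAMPLE_THREAT = json.dumps({
    "threatId": "c1c926fc-555d-ecdc-f948-a2266c3e719b",
    "messages": [
        {
            "abxMessageId": 651365477966049289,
            "attackType": "Spam",
            "attackVector": "Text",
            "autoRemediated": True,
            "fromAddress": "user@email.com",
            "recipientAddress": "user@email.com",
            "senderDomain": "gmail.com",
            "senderIpAddress": None,
            "subject": "re: Conference registrants 2021",
            "receivedTime": "2024-08-07T14:30:14Z",
            "remediationTimestamp": "2024-08-07T14:30:36.641996Z",
            "urls": [],
            "attachmentNames": [],
        },
        {
            "abxMessageId": 651365477966049290,
            "attackType": "Phishing: Credential",
            "attackVector": "Link",
            "autoRemediated": False,
            "fromAddress": "it-support@examp1e.com",
            "recipientAddress": "finance@example.com",
            "senderDomain": "examp1e.com",
            "senderIpAddress": "203.0.113.7",
            "subject": "Password expires today",
            "receivedTime": "2024-08-07T15:02:11Z",
            "remediationTimestamp": None,
            "urls": ["https://examp1e.com/login"],
            "attachmentNames": [],
        },
    ],
})


def parse_time(value):
    """Parse Abnormal's ISO-8601 UTC timestamps, with or without microseconds.
    The 'Z' suffix is rewritten because fromisoformat() rejects it before 3.11."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(message, threat_id):
    """Flatten one Abnormal message into a generic email-event record.
    Output keys are this example's own, not Taegis Email schema columns."""
    received = parse_time(message.get("receivedTime"))
    remediated = parse_time(message.get("remediationTimestamp"))
    return {
        "threat_id": threat_id,
        "message_id": message.get("abxMessageId"),
        "sender": message.get("fromAddress"),
        "sender_domain": message.get("senderDomain"),
        "sender_ip": message.get("senderIpAddress"),
        "recipient": message.get("recipientAddress"),
        "subject": message.get("subject"),
        "attack_type": message.get("attackType"),
        "attack_vector": message.get("attackVector"),
        "auto_remediated": bool(message.get("autoRemediated")),
        "url_count": len(message.get("urls") or []),
        "attachment_count": len(message.get("attachmentNames") or []),
        "received_time": received,
        # Time Abnormal took to pull the message, None if it never did.
        "seconds_to_remediate": (
            (remediated - received).total_seconds()
            if received and remediated else None
        ),
    }


def needs_review(event):
    """Assumed policy: surface messages Abnormal did not remove on its own
    when they carry a link or attachment, or are anything other than spam."""
    if event["auto_remediated"]:
        return False
    return (event["url_count"] > 0 or event["attachment_count"] > 0
            or event["attack_type"] != "Spam")


def triage(raw_json):
    """Return (all normalized events, the subset needing analyst review)."""
    payload = json.loads(raw_json)
    threat_id = payload.get("threatId")
    events = [normalize(m, threat_id) for m in payload.get("messages", [])]
    return events, [e for e in events if needs_review(e)]


if __name__ == "__main__":
    events, review = triage(SAMPLE_THREAT)
    for e in events:
        print(e["message_id"], e["attack_type"], e["auto_remediated"],
              e["seconds_to_remediate"])
    print("needs review:", [e["message_id"] for e in review])
```

The `seconds_to_remediate` field is worth keeping in any normalization you build: a remediation timestamp far from the receive time, or missing entirely on a non-spam verdict, is exactly what a custom rule on this data source should alert on, since the out-of-the-box detections column for this integration is empty.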

Example Query Language Searches🔗

To search for email events from the last 24 hours:

`FROM email WHERE sensor_type = 'AbnormalSecurity' and EARLIEST=-24h`