Configure Abnormal Cloud Email Security for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform email-based response actions in your network using Abnormal Cloud Email Security®.

Abnormal Security supports these response actions:

  • Delete a malicious email

For more information, see Response action descriptions.

Note: The Abnormal Security response action cannot be reliably tested because of a limitation in the integration: the Abnormal Security platform must assign a valid threat ID to an email before the response action can be triggered, and there is currently no supported method to simulate such an alert. Arctic Wolf recommends monitoring the integration in a live environment and observing Active Response behavior during genuine threat detections.

These resources are required:

  • Administrator access to the Abnormal Portal

These actions are required:

  • Complete Configure Abnormal Cloud Email Security for Arctic Wolf monitoring.
  • Verify that your Abnormal Security tenant is in Active Mode — In the Abnormal Portal, click Threat Log, select a recent entry, and check the Remediation Actions section for the note "This tenant was in Passive Mode at this time. If it were in Active Mode, here is a preview of an action taken." If the note is present, the tenant is in Passive Mode and response actions are only previewed, not performed. If the note is absent, the tenant is in Active Mode.

Obtain access token

  1. Sign in to the Abnormal Portal.
  2. Click Settings > Integrations.
  3. Find the Abnormal REST API integration and click Connected.
  4. Copy the Access Token value to a safe, encrypted location to provide to Arctic Wolf later.

Provide Abnormal Security Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Abnormal Security.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration.
    • Base URL — Select the appropriate option for your region:
      • US — api.abnormalplatform.com
      • EU — eu.rest.abnormalsecurity.com
    • Access Token — Enter the API access token value from Obtain access token.
    • Action Timeout (Hours) — Enter the number of hours that Arctic Wolf should continue checking for a command response from Abnormal Security. We recommend 1.
  6. Click Save Integration.
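Because the integration cannot be exercised with a simulated alert, it is worth confirming that the access token authenticates against the regional base URL before pasting it into the Arctic Wolf Unified Portal. The following pre-flight check is an added example and is not Arctic Wolf or Abnormal Security code. The regional hosts are the ones listed above; everything else is an assumption not stated on this page: that the Abnormal REST API accepts an `Authorization: Bearer <token>` header and serves `GET /v1/threats`. Confirm both against Abnormal's API documentation before relying on the verdict.

```python
"""Pre-flight check for an Abnormal REST API access token.

Added example; not Arctic Wolf or Abnormal Security code. ASSUMPTIONS (not
on the integration page): the Abnormal REST API authenticates with an
"Authorization: Bearer <token>" header and exposes GET /v1/threats.
"""
import sys
import urllib.error
import urllib.request

# Regional API hosts, exactly as listed on the integration page (US / EU).
BASE_URLS = {
    "us": "https://api.abnormalplatform.com",
    "eu": "https://eu.rest.abnormalsecurity.com",
}


def base_url_for_region(region: str) -> str:
    """Return the base URL for a region; reject anything the page does not list."""
    key = region.strip().lower()
    if key not in BASE_URLS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(BASE_URLS)}")
    return BASE_URLS[key]


def mask_token(token: str) -> str:
    """Show only the last four characters so the token never lands in logs or tickets."""
    if len(token) < 8:
        return "****"
    return "****" + token[-4:]


def build_request(base_url: str, token: str) -> urllib.request.Request:
    """Authenticated GET against the (assumed) /v1/threats endpoint."""
    return urllib.request.Request(
        f"{base_url}/v1/threats",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def classify_response(status: int) -> str:
    """Map an HTTP status to a verdict; kept pure so it can be unit-tested offline."""
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "bad_token"           # token rejected: wrong value, revoked, or wrong tenant
    if status == 404:
        return "wrong_base_url_or_endpoint"  # e.g. US token sent to the EU host
    return "unexpected"


def verify_token(region: str, token: str, timeout: float = 10.0) -> str:
    """Live check: one authenticated request to the chosen regional host."""
    req = build_request(base_url_for_region(region), token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status)
    except urllib.error.HTTPError as exc:
        return classify_response(exc.code)
    except urllib.error.URLError as exc:
        return f"network_error: {exc.reason}"


if __name__ == "__main__":
    # The token is read from stdin rather than argv so it stays out of shell
    # history and the process list: echo "$TOKEN" | python3 check_abnormal_token.py us
    if len(sys.argv) != 2 or sys.argv[1].lower() not in BASE_URLS:
        sys.exit("usage: python3 check_abnormal_token.py us|eu   (token on stdin)")
    tok = sys.stdin.readline().strip()
    verdict = verify_token(sys.argv[1], tok)
    print(f"token {mask_token(tok)} against {base_url_for_region(sys.argv[1])}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

A `bad_token` verdict means the value copied from Settings > Integrations will also fail once Arctic Wolf uses it; a `wrong_base_url_or_endpoint` verdict usually means the token belongs to the other region, which is the mistake the Base URL setting above exists to prevent. A passing check confirms authentication only; it does not confirm that the tenant is in Active Mode, which still has to be verified in the Threat Log as described earlier.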