Configure Abnormal Cloud Email Security for Arctic Wolf monitoring

You can configure Abnormal Cloud Email Security® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • Administrator access to the Abnormal Portal
  • (Optional) Account Takeover (ATO) Protection license, to receive ATO alerts

Obtain API credentials and allowlist IP address ranges

  1. Sign in to the Abnormal Portal.
  2. Click Settings > Integrations.
  3. Find the Abnormal REST API integration and click + Connect.
  4. Copy the Access Token value to a safe, encrypted location to provide to Arctic Wolf later.
  5. In the IP Safelist field, add the Arctic Wolf Cloud Sensors IP address ranges in CIDR format.
    Note: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
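Before pasting ranges into the IP Safelist field in step 5, the entries can be checked offline. The following is an added example, not code from Abnormal or Arctic Wolf; the prefix thresholds, the internal-range list and the sample entries are assumptions made for illustration, and the real ranges come from the Allowlist Requirements page in the Arctic Wolf Unified Portal.

```python
import ipaddress

# Assumptions (not from the Abnormal or Arctic Wolf documentation): the
# thresholds below and the sample entries are constructed for illustration.
MIN_PREFIX = {4: 16, 6: 32}  # anything broader is suspicious for a vendor safelist
INTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def check_safelist(entries):
    """Return (accepted CIDR strings, problem messages) for safelist entries."""
    accepted, problems = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.20/28
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: invalid CIDR ({exc})")
        else:
            if "/" not in text:
                problems.append(f"{text}: missing prefix length, expected {net}")
            elif net.prefixlen < MIN_PREFIX[net.version]:
                problems.append(f"{text}: /{net.prefixlen} is too broad")
            elif net.version == 4 and any(net.overlaps(i) for i in INTERNAL_V4):
                problems.append(f"{text}: internal or non-routable range")
            elif any(net.overlaps(a) for a in accepted):
                problems.append(f"{text}: overlaps an entry already accepted")
            else:
                accepted.append(net)
    return [str(n) for n in accepted], problems

# Constructed sample input using documentation address ranges (RFC 5737).
SAMPLE = [
    "198.51.100.0/24",
    "203.0.113.16/28",
    "203.0.113.20/28",    # host bits set
    "192.0.2.7",          # no prefix length
    "0.0.0.0/0",          # would allow any source
    "192.168.1.0/24",     # internal range
    "198.51.100.128/25",  # already covered by the first entry
]

if __name__ == "__main__":
    ok, bad = check_safelist(SAMPLE)
    print("Paste into IP Safelist:", ", ".join(ok))
    for msg in bad:
        print("Fix before saving:", msg)
```

An over-broad or mistyped range in the safelist widens the set of sources that can use the access token, so resolve every reported problem before saving the integration.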

Provide Abnormal Security credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Abnormal Security.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Access Token — Enter the API access token value from Obtain API credentials and allowlist IP address ranges.
    • Host — Select the appropriate option for your region:
      • US — api.abnormalplatform.com
      • EU — eu.rest.abnormalsecurity.com
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.