Configure Abnormal Cloud Email Security for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform email-based response actions in your network using Abnormal Cloud Email Security®.

Abnormal Security supports these response actions:

  • Delete a malicious email

For more information, see Response action descriptions.

Note: The Abnormal Security response action cannot be reliably tested due to a key limitation in the integration. Specifically, the Abnormal Security platform must assign a valid threat ID to an email for the response action to activate. Currently, there is no supported method to simulate an alert. Arctic Wolf recommends monitoring the integration in a live environment to observe active response behavior during genuine threat detections.

These resources are required:

  • Administrator access to the Abnormal Portal

These actions are required:

  • Complete Configure Abnormal Cloud Email Security for Arctic Wolf monitoring.
  • Verify that your Abnormal Security tenant is in Active Mode — In the Abnormal Portal, click Threat Log, select a recent entry, and review the Remediation Actions section for this note: This tenant was in Passive Mode at this time. If it were in Active Mode, here is a preview of an action taken. Absence of the note indicates that your tenant is in Active Mode.

Create API token

  1. Sign in to the Abnormal Portal.
  2. Click Settings > Integrations.
  3. In the API Token Management section, click + Create New Token.
  4. For the integration type, select REST API, and then click Next.
  5. For the token scope, select Tenant (Single Tenant), set the tenant to Arctic Wolf Networks, and then click Next.
  6. For token access, select these options:
    • Access type — Custom Access
    • API endpoints — Threats — Read Access and Threats — Write Access
  7. Set the token name.

    For example, Arctic Wolf monitoring token or Arctic Wolf AR token, as appropriate.

  8. For the token expiration period, select the value that meets your organizational security requirements.
  9. In the IP Safelist field, add the Arctic Wolf Cloud Sensors IP address ranges.
  10. Click Create Token.
  11. Copy the token value to a safe, encrypted location to provide to Arctic Wolf later.
  12. Click Done.

Provide Abnormal Security Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Abnormal Security.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration.
    • Base URL — Select the appropriate option for your region:
      • US — api.abnormalplatform.com
      • EU — eu.rest.abnormalsecurity.com
    • Access Token — Enter the API token value from Create API token.
    • Action Timeout (Hours) — Enter the number of hours that Arctic Wolf should continue checking for a command response from Abnormal Security. We recommend 1.
  6. Click Save Integration.
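Before pasting the token from Create API token into the Active Response integration, it is worth confirming that it is valid and carries the Threats read scope against the correct regional base URL. The following pre-flight check is an added example, not Arctic Wolf or Abnormal code; it assumes that Abnormal's REST API accepts an `Authorization: Bearer <token>` header and exposes a read-only `GET /v1/threats` endpoint (neither is stated on this page), while the base URLs are the ones listed above.

```python
"""Pre-flight check of an Abnormal REST API token (added example, not vendor code).

Assumed, not from the page: Bearer-token auth and a read-only GET /v1/threats endpoint.
The base URLs per region are the ones the integration settings list.
"""
import urllib.error
import urllib.request

# Region -> base URL, as listed in the Active Response integration settings.
BASE_URLS = {
    "US": "https://api.abnormalplatform.com",
    "EU": "https://eu.rest.abnormalsecurity.com",
}


def build_request(region: str, token: str) -> urllib.request.Request:
    """Build a read-only threats request; rejects unknown regions and empty tokens."""
    if region not in BASE_URLS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(BASE_URLS)}")
    if not token.strip():
        raise ValueError("empty API token")
    # Assumed endpoint. Only the Threats read scope is exercised; nothing is modified.
    return urllib.request.Request(
        f"{BASE_URLS[region]}/v1/threats",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def interpret(status: int) -> str:
    """Map an HTTP status to what it means for the token-creation steps above."""
    if status == 200:
        return "ok: token accepted and Threats read scope works"
    if status == 401:
        return "token rejected: check the copied value, its scope, or its expiration"
    if status == 403:
        # The IP Safelist admits only Arctic Wolf Cloud Sensors ranges, so a 403 from an
        # admin workstation is expected and is not by itself a misconfiguration.
        return "forbidden: IP Safelist (expected outside Arctic Wolf ranges) or missing scope"
    return f"unexpected HTTP {status}"


def check_token(region: str, token: str, timeout: float = 10.0) -> str:
    """Run the read-only check and return a human-readable verdict."""
    req = build_request(region, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status)
    except urllib.error.HTTPError as err:
        return interpret(err.code)
```

Run `check_token("US", token)` from a host inside the safelisted ranges for a meaningful 200; from anywhere else a 403 only confirms that the IP Safelist is enforced.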