From abnormal-security
Searches Abnormal Security for email threats by sender, recipient, attack type, keywords, status, and date range. Returns threat list with details and AI-generated insights.
```
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-security
```

# Search Threats

Search and filter email threats detected by Abnormal Security using various criteria.

## Prerequisites

- Valid Abnormal Security API token configured (ABNORMAL_API_TOKEN)
- API token must have threat detection read permissions

## Steps

1. **Build search filter**
   - Parse all provided arguments
   - Construct OData filter expression
   - Validate date range
2. **Execute search query**

   ```
   GET /v1/threats?filter=...&pageSize=...
   Authorization: Bearer <token>
   ```
3. **Format and return results**
   - Display threat list with key details
   - Include AI-generated insights for each threat

## Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| query | string | No | - | Free text search |
| type | string | No | - | bec/phishing/malware/extortion/scam/spam/supply-chain |
| sender | string | No | - | Sender email address or domain |
| recipient | string | No | - | Target recipient address |
| status | string | No | all | remediated/not-remediated/post-remediated/all |
| start-date | string | No | 7d ago | ISO 8601 date |
| end-date | string | No | now | ISO 8601 date |
| limit | int | No | 25 | Max results (1-100) |
## Examples

```
/search-threats --type bec
/search-threats --sender "suspicious@attacker-domain.com"
/search-threats --recipient "finance@company.com"
/search-threats --type bec --start-date "2026-03-01" --limit 50
/search-threats --query "wire transfer"
/search-threats --type supply-chain --start-date "2026-03-01"
```
## Example Output

```
Found 3 threats matching criteria (last 7 days)
+-----------+-----------+----------+---------------------+-----------------------------------+-------------------+-----------+
| Threat ID | Type      | Severity | Sender              | Subject                           | Received          | Status    |
+-----------+-----------+----------+---------------------+-----------------------------------+-------------------+-----------+
| 184def76  | BEC       | Critical | ceo@c0mpany.com     | Urgent: Wire Transfer Request     | 2026-03-27 09:15  | Not Remed |
| 29abc134  | BEC       | High     | cfo@c0mpany.com     | Confidential: Payment Update      | 2026-03-25 14:20  | Remediated|
| 3f4e5d6c  | BEC       | High     | hr@c0mpany.com      | Employee Direct Deposit Change    | 2026-03-23 11:05  | Remediated|
+-----------+-----------+----------+---------------------+-----------------------------------+-------------------+-----------+

Summary:
- Critical: 1 | High: 2
- Unremediated: 1 | Remediated: 2

AI Insights (threat 184def76):
- Display name matches internal CEO but email domain is typosquat
- Reply-to address differs from sender address
- Financial request with urgency language detected
- First-time sender from this domain

Quick Actions:
- View threat details: Use abnormal_threats_get with the threat ID
- Triage all threats: /threat-triage
- Check vendor risk: /vendor-risk --vendor "c0mpany.com"
```
## Type Mapping

| Text | API Filter Value |
|---|---|
| bec | BEC |
| phishing | Phishing: Credential |
| malware | Malware |
| extortion | Extortion |
| scam | Scam |
| spam | Spam |
| supply-chain | Supply Chain Compromise |
## Status Mapping

| Text | Filter Behavior |
|---|---|
| remediated | Auto-Remediated |
| not-remediated | Not Remediated |
| post-remediated | Post-Remediated (delivered then removed) |
| all | All threats regardless of status |
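Steps 1 and 2 above describe turning the command arguments into an OData filter expression that is sent as the `filter` query parameter, and the two mapping tables give the values the human-readable `type` and `status` words translate to. The following Python is an added example of that step, not code from the plugin or from Abnormal Security. It copies the mapping tables, applies the defaults from the parameter table (start 7 days ago, end now, limit 25 within 1-100), rejects an inverted date range, and quotes every user-supplied string as an OData literal so an embedded quote cannot terminate the literal and alter the expression. The OData field names `attackType`, `remediationStatus`, `fromAddress`, `toAddress`, `receivedTime` and `subject` are hypothetical placeholders, not confirmed by the page; check the vendor API reference before relying on them.

```python
"""Build the /v1/threats query from /search-threats arguments.

Added example, not code from the plugin page or from Abnormal Security.
The OData field names below (attackType, remediationStatus, fromAddress,
toAddress, receivedTime, subject) are hypothetical placeholders; only the
mapped filter values come from the page's Type and Status mapping tables.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# "Text -> API Filter Value" table from the page.
TYPE_MAP = {
    "bec": "BEC",
    "phishing": "Phishing: Credential",
    "malware": "Malware",
    "extortion": "Extortion",
    "scam": "Scam",
    "spam": "Spam",
    "supply-chain": "Supply Chain Compromise",
}

# "Text -> Filter Behavior" table from the page; "all" adds no status clause.
STATUS_MAP = {
    "remediated": "Auto-Remediated",
    "not-remediated": "Not Remediated",
    "post-remediated": "Post-Remediated",
}

DEFAULT_LIMIT = 25
MAX_LIMIT = 100


def odata_literal(value: str) -> str:
    """Quote a user-supplied string as an OData string literal.

    Embedded single quotes are doubled so the value cannot close the literal
    early and smuggle extra operators into the filter expression.
    """
    return "'" + value.replace("'", "''") + "'"


def parse_date(value, default):
    """Parse an ISO 8601 date or datetime; naive values are treated as UTC."""
    if value is None:
        return default
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def build_filter(args, now=None):
    """Return {'filter': <OData expression>, 'pageSize': <int>}.

    `args` keys follow the parameter table: query, type, sender, recipient,
    status, start-date, end-date, limit. `now` is an optional ISO 8601 string
    so the 7-day default window can be pinned in tests.
    """
    now_dt = parse_date(now, datetime.now(timezone.utc))
    start = parse_date(args.get("start-date"), now_dt - timedelta(days=7))
    end = parse_date(args.get("end-date"), now_dt)
    if start > end:
        raise ValueError("start-date must not be after end-date")

    clauses = [
        f"receivedTime ge {start.isoformat()}",
        f"receivedTime le {end.isoformat()}",
    ]

    attack_type = args.get("type")
    if attack_type is not None:
        if attack_type not in TYPE_MAP:
            raise ValueError(f"unknown type {attack_type!r}; expected one of {sorted(TYPE_MAP)}")
        clauses.append(f"attackType eq {odata_literal(TYPE_MAP[attack_type])}")

    status = args.get("status", "all")
    if status != "all":
        if status not in STATUS_MAP:
            raise ValueError(f"unknown status {status!r}; expected one of {sorted(STATUS_MAP)} or 'all'")
        clauses.append(f"remediationStatus eq {odata_literal(STATUS_MAP[status])}")

    sender = args.get("sender")
    if sender:
        # A full address matches exactly; a bare domain matches every sender in it.
        if "@" in sender:
            clauses.append(f"fromAddress eq {odata_literal(sender.lower())}")
        else:
            clauses.append(f"endswith(fromAddress, {odata_literal('@' + sender.lower())})")

    recipient = args.get("recipient")
    if recipient:
        clauses.append(f"toAddress eq {odata_literal(recipient.lower())}")

    query = args.get("query")
    if query:
        clauses.append(f"contains(subject, {odata_literal(query)})")

    limit = int(args.get("limit", DEFAULT_LIMIT))
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")

    return {"filter": " and ".join(clauses), "pageSize": limit}


def build_request_path(args, now=None):
    """Render the GET path and URL-encoded query from the request sketch in Step 2."""
    return "/v1/threats?" + urlencode(build_filter(args, now))


if __name__ == "__main__":
    # Mirrors the page's `/search-threats --type bec --start-date "2026-03-01" --limit 50`.
    print(build_request_path({"type": "bec", "start-date": "2026-03-01", "limit": 50},
                             now="2026-03-28T12:00:00+00:00"))
```

The `Authorization: Bearer <token>` header from Step 2 is added by whatever HTTP client sends the request; the value should be read from `ABNORMAL_API_TOKEN` at call time rather than embedded in the expression or logged alongside it.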
## Error Handling

No results:

```
No threats found matching criteria.
Suggestions:
- Broaden your search (remove type/sender filters)
- Expand the date range (default is last 7 days)
- Try --status all to include remediated threats
- Check spelling of sender/recipient addresses
```

Rate limited:

```
Rate limited by Abnormal Security API.
Retrying in 60 seconds...
```
## Related Commands

- /threat-triage - Triage recent threats by severity
- /case-review - Review abuse mailbox cases
- /vendor-risk - Check vendor risk scores
- /account-audit - Audit for account takeover