From abnormal-security
Searches Abnormal Security for email threats by sender, recipient, attack type, keywords, status, and date range. Returns threat list with details and AI-generated insights.
Install: `npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-security`

Triggered as a slash command: `/abnormal-security:search-threats`

# Search Threats

Search and filter email threats detected by Abnormal Security using various criteria.

## Prerequisites

- Valid Abnormal Security API token configured (ABNORMAL_API_TOKEN)
- API token must have threat detection read permissions

## Steps

1. **Build search filter**
   - Parse all provided arguments
   - Construct OData filter expression
   - Validate date range
2. **Execute search query**
   ```
   GET /v1/threats?filter=...&pageSize=...
   Authorization: Bearer <token>
   ```
3. **Format and return results**
   - Display threat list with key details
   - Include AI-generated insights for each threat

## Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| query | string | No | - | Free text search |
| type | string | No | - | bec/phishing/malware/extortion/scam/spam/supply-chain |
| sender | string | No | - | Sender email address or domain |
| recipient | string | No | - | Target recipient address |
| status | string | No | all | remediated/not-remediated/post-remediated/all |
| start-date | string | No | 7d ago | ISO 8601 date |
| end-date | string | No | now | ISO 8601 date |
| limit | int | No | 25 | Max results (1-100) |
## Examples

```
/search-threats --type bec
/search-threats --sender "suspicious@attacker-domain.com"
/search-threats --recipient "finance@company.com"
/search-threats --type bec --start-date "2026-03-01" --limit 50
/search-threats --query "wire transfer"
/search-threats --type supply-chain --start-date "2026-03-01"
```
## Output Format

```
Found 3 threats matching criteria (last 7 days)

+-----------+-----------+----------+---------------------+-----------------------------------+-------------------+-----------+
| Threat ID | Type      | Severity | Sender              | Subject                           | Received          | Status    |
+-----------+-----------+----------+---------------------+-----------------------------------+-------------------+-----------+
| 184def76  | BEC       | Critical | ceo@c0mpany.com     | Urgent: Wire Transfer Request     | 2026-03-27 09:15  | Not Remed |
| 29abc134  | BEC       | High     | cfo@c0mpany.com     | Confidential: Payment Update      | 2026-03-25 14:20  | Remediated|
| 3f4e5d6c  | BEC       | High     | hr@c0mpany.com      | Employee Direct Deposit Change    | 2026-03-23 11:05  | Remediated|
+-----------+-----------+----------+---------------------+-----------------------------------+-------------------+-----------+

Summary:
- Critical: 1 | High: 2
- Unremediated: 1 | Remediated: 2

AI Insights (threat 184def76):
- Display name matches internal CEO but email domain is typosquat
- Reply-to address differs from sender address
- Financial request with urgency language detected
- First-time sender from this domain

Quick Actions:
- View threat details: Use abnormal_threats_get with the threat ID
- Triage all threats: /threat-triage
- Check vendor risk: /vendor-risk --vendor "c0mpany.com"
```
## Type Mapping

| Text | API Filter Value |
|---|---|
| bec | BEC |
| phishing | Phishing: Credential |
| malware | Malware |
| extortion | Extortion |
| scam | Scam |
| spam | Spam |
| supply-chain | Supply Chain Compromise |

## Status Mapping

| Text | Filter Behavior |
|---|---|
| remediated | Auto-Remediated |
| not-remediated | Not Remediated |
| post-remediated | Post-Remediated (delivered then removed) |
| all | All threats regardless of status |
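As an added illustration (not the plugin's own code), the following Python carries out steps 1 and 2 using the parameter defaults and the two mapping tables above: it validates the date range and limit, maps the user-facing type and status values, and quotes user input so it stays inside its literal. The OData field names (receivedTime, attackType, fromAddress, toAddress, remediationStatus, subject) and the contains() call are assumptions for illustration, not taken from the Abnormal Security API reference.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Value mappings copied from the command's Type Mapping and Status Mapping tables.
TYPE_MAP = {"bec": "BEC", "phishing": "Phishing: Credential", "malware": "Malware",
            "extortion": "Extortion", "scam": "Scam", "spam": "Spam",
            "supply-chain": "Supply Chain Compromise"}
STATUS_MAP = {"remediated": "Auto-Remediated", "not-remediated": "Not Remediated",
              "post-remediated": "Post-Remediated"}  # "all" adds no status clause

def _when(value, default):
    """Parse an ISO 8601 date or date-time into an aware UTC datetime (None -> default)."""
    if value is None:
        return default
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def _lit(value):
    # Quote a user-supplied value as an OData string literal; doubling ' keeps it inside the literal.
    return "'" + value.replace("'", "''") + "'"

def build_threat_filter(query=None, attack_type=None, sender=None, recipient=None,
                        status="all", start_date=None, end_date=None, now=None):
    """Step 1: parse arguments, validate the date range and build the filter expression.
    Field names (receivedTime, attackType, fromAddress, toAddress, remediationStatus, subject)
    are illustrative assumptions, not taken from the Abnormal Security API reference."""
    now = _when(now, datetime.now(timezone.utc))        # injectable for deterministic tests
    start = _when(start_date, now - timedelta(days=7))  # default: 7d ago
    end = _when(end_date, now)                          # default: now
    if start > end:
        raise ValueError("start-date must not be after end-date")
    if attack_type is not None and attack_type not in TYPE_MAP:
        raise ValueError(f"unknown type {attack_type!r}; expected one of {sorted(TYPE_MAP)}")
    if status != "all" and status not in STATUS_MAP:
        raise ValueError(f"unknown status {status!r}")
    clauses = [f"receivedTime ge {start.isoformat()}", f"receivedTime le {end.isoformat()}"]
    for field, value in (("attackType", TYPE_MAP.get(attack_type)), ("fromAddress", sender),
                         ("toAddress", recipient), ("remediationStatus", STATUS_MAP.get(status))):
        if value:
            clauses.append(f"{field} eq {_lit(value)}")
    if query:
        clauses.append(f"contains(subject, {_lit(query)})")
    return " and ".join(clauses)

def build_request(token, limit=25, **filters):
    """Step 2: path+query and headers for GET /v1/threats (limit must be 1-100)."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    path = "/v1/threats?" + urlencode({"filter": build_threat_filter(**filters), "pageSize": limit})
    return path, {"Authorization": f"Bearer {token}"}
```

Pass the token from ABNORMAL_API_TOKEN into build_request rather than embedding it, and treat a ValueError as a user-input error to report before any request is sent.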
## Error Handling

No results:

```
No threats found matching criteria.

Suggestions:
- Broaden your search (remove type/sender filters)
- Expand the date range (default is last 7 days)
- Try --status all to include remediated threats
- Check spelling of sender/recipient addresses
```

Rate limited:

```
Rate limited by Abnormal Security API.
Retrying in 60 seconds...
```
## Related Commands

- /threat-triage - Triage recent threats by severity
- /case-review - Review abuse mailbox cases
- /vendor-risk - Check vendor risk scores
- /account-audit - Audit for account takeover