From abnormal-security
Covers Abnormal Security REST API patterns: Bearer token auth, base URLs, rate limiting, pagination, OData filtering, error handling, and integration best practices. For developers and MSP administrators.
How this skill is triggered — by the user, by Claude, or both
Slash command
/abnormal-security:api-patternsWhen to use
When working with bearer token authentication, base URLs, rate limiting, pagination, OData filtering, error handling, and common API patterns in the Abnormal Security REST API. Use when: abnormal api, abnormal authentication, abnormal rest api, abnormal rate limit, abnormal pagination, abnormal api error, abnormal api token, abnormal odata filter, or abnormal security api.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The Abnormal Security REST API provides programmatic access to threat detection, abuse mailbox cases, account takeover protection, vendor risk assessment, and message analysis. This skill covers authentication, request patterns, pagination, filtering, rate limiting, error handling, and performance optimization.
The Abnormal Security REST API provides programmatic access to threat detection, abuse mailbox cases, account takeover protection, vendor risk assessment, and message analysis. This skill covers authentication, request patterns, pagination, filtering, rate limiting, error handling, and performance optimization.
Abnormal Security uses a static Bearer token for API authentication:
GET https://api.abnormalplatform.com/v1/threats
Authorization: Bearer YOUR_API_TOKEN
Accept: application/json
| Field | Description |
|---|---|
| Type | Static API token (no expiry rotation required) |
| Format | Long alphanumeric string |
| Header | Authorization: Bearer <token> |
| Scope | Full API access (determined at token creation) |
export ABNORMAL_API_TOKEN="your-api-token"
export ABNORMAL_MCP_URL="https://mcp.wyre.ai/v1/abnormal-security/mcp"
When used through the MCP Gateway, credentials are passed via the Authorization header:
{
"headers": {
"Authorization": "Bearer ${ABNORMAL_API_TOKEN}"
}
}
The gateway forwards this header to the Abnormal Security MCP server, which uses it to authenticate with the Abnormal API.
| Environment | Base URL |
|---|---|
| Production | https://api.abnormalplatform.com |
| Service | Path | Description |
|---|---|---|
| Threats | /v1/threats | Threat detection data |
| Threat Details | /v1/threats/{threatId} | Individual threat details |
| Cases | /v1/cases | Abuse mailbox cases |
| Case Details | /v1/cases/{caseId} | Individual case details |
| Account Takeover | /v1/account-takeover/cases | ATO cases |
| Vendors | /v1/vendors | VendorBase vendor risk |
| Messages | /v1/threats/{threatId}/messages | Messages for a threat |
GET /v1/threats?pageSize=25&pageNumber=1
Authorization: Bearer <token>
Accept: application/json
GET /v1/threats?filter=attackType eq 'BEC'&pageSize=25
Authorization: Bearer <token>
Accept: application/json
{
"threats": [
{
"threatId": "184def76-3c28-4e1b-9ef0-a5abc123def4",
"attackType": "BEC",
"attackStrategy": "Invoice/Payment Fraud",
"sentTime": "2026-03-25T14:30:00Z"
}
],
"pageNumber": 1,
"total": 142,
"nextPageNumber": 2
}
Abnormal Security uses page-number-based pagination:
GET /v1/threats?pageSize=25&pageNumber=1
Response:
{
"threats": [...],
"pageNumber": 1,
"total": 142,
"nextPageNumber": 2
}
| Parameter | Type | Description | Default | Maximum |
|---|---|---|---|---|
pageSize | int | Results per page | 25 | 100 |
pageNumber | int | Page number (1-based) | 1 | - |
async function fetchAllPages(endpoint, params = {}) {
const allItems = [];
let pageNumber = 1;
const pageSize = 100;
let hasMore = true;
while (hasMore) {
const url = new URL(endpoint, 'https://api.abnormalplatform.com');
url.searchParams.set('pageSize', pageSize.toString());
url.searchParams.set('pageNumber', pageNumber.toString());
Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
const response = await fetch(url, {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});
const data = await response.json();
const items = data.threats || data.cases || [];
allItems.push(...items);
hasMore = data.nextPageNumber != null;
pageNumber = data.nextPageNumber || pageNumber + 1;
}
return allItems;
}
Abnormal Security supports OData-style filter expressions on list endpoints:
filter=<field> <operator> '<value>'
| Operator | Description | Example |
|---|---|---|
eq | Equals | attackType eq 'BEC' |
ne | Not equals | status ne 'Closed' |
gt | Greater than | riskScore gt 70 |
lt | Less than | riskScore lt 30 |
ge | Greater than or equal | sentTime ge '2026-03-01T00:00:00Z' |
le | Less than or equal | sentTime le '2026-03-27T00:00:00Z' |
and | Logical AND | attackType eq 'BEC' and severity eq 'Critical' |
or | Logical OR | attackType eq 'BEC' or attackType eq 'Phishing' |
GET /v1/threats?filter=sentTime ge '2026-03-20T00:00:00Z' and sentTime le '2026-03-27T00:00:00Z'
GET /v1/threats?filter=attackType eq 'BEC' and remediationStatus eq 'Not Remediated'&pageSize=50
| Limit Type | Value | Scope |
|---|---|---|
| Requests per minute | 60 | Per API token |
| Requests per hour | 1,000 | Per API token |
When rate limited, the API returns HTTP 429:
HTTP/1.1 429 Too Many Requests
Retry-After: 60
{
"error": "Rate limit exceeded. Please retry after 60 seconds."
}
async function requestWithRetry(url, options, maxRetries = 5) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status === 429) {
const retryAfter = parseInt(response.headers.get('Retry-After') || '60');
const jitter = Math.random() * 5000;
await sleep(retryAfter * 1000 + jitter);
continue;
}
if (response.status === 401) {
throw new Error('Invalid API token. Regenerate at Settings > Integrations > API.');
}
return response;
}
throw new Error('Max retries exceeded');
}
| Code | Meaning | Action |
|---|---|---|
| 200 | Success | Process response |
| 400 | Bad Request | Check request format, filter syntax |
| 401 | Unauthorized | Check API token |
| 403 | Forbidden | Token lacks required permissions |
| 404 | Not Found | Entity does not exist |
| 429 | Rate Limited | Wait per Retry-After header |
| 500 | Server Error | Retry with exponential backoff |
| 503 | Service Unavailable | Temporary outage, retry later |
{
"error": "Invalid filter expression",
"message": "The field 'attackType' does not support the operator 'contains'.",
"statusCode": 400
}
| Error | Scenario | Resolution |
|---|---|---|
| Invalid token | Token revoked or miscopied | Regenerate at Settings > Integrations > API |
| Invalid filter | Unsupported OData expression | Check filter syntax and supported operators |
| Entity not found | Threat/case ID does not exist | Verify the ID via list endpoint |
| Permission denied | Token scope insufficient | Generate new token with required permissions |
| Date range error | Dates in wrong format | Use ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ |
// Good: Use filters to narrow results server-side
const threats = await client.threats.list({
filter: "attackType eq 'BEC' and sentTime ge '2026-03-20T00:00:00Z'",
pageSize: 100
});
// Avoid: Fetching all threats and filtering client-side
const allThreats = await client.threats.list({ pageSize: 100 });
const becThreats = allThreats.filter(t => t.attackType === 'BEC');
// Good: Independent endpoints in parallel
const [threats, cases, atoCases] = await Promise.all([
client.threats.list({ pageSize: 25 }),
client.cases.list({ pageSize: 25 }),
client.ato.list({ pageSize: 25 })
]);
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-securityDetects and analyzes email-borne threats (BEC, phishing, malware) using Abnormal Security's behavioral AI. Activates on keywords like 'abnormal threat', 'phishing detection', 'credential theft'.
Handles OAuth2 authentication, request/response patterns, pagination, rate limiting, and error handling for the Checkpoint Harmony Email (Avanan) API.
Authenticates and integrates with Proofpoint APIs (TAP SIEM, quarantine, people, URL Defense) using HTTP Basic Auth. Covers base URLs, rate limits, pagination, and error codes.