From abnormal-security
Provides patterns for Abnormal Security REST API integration: Bearer token authentication, base URLs, rate limiting, pagination, OData filtering, error handling, token management, and request formats.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-securityThis skill uses the workspace's default tool permissions.
The Abnormal Security REST API provides programmatic access to threat detection, abuse mailbox cases, account takeover protection, vendor risk assessment, and message analysis. This skill covers authentication, request patterns, pagination, filtering, rate limiting, error handling, and performance optimization.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.
The Abnormal Security REST API provides programmatic access to threat detection, abuse mailbox cases, account takeover protection, vendor risk assessment, and message analysis. This skill covers authentication, request patterns, pagination, filtering, rate limiting, error handling, and performance optimization.
Abnormal Security uses a static Bearer token for API authentication:
GET https://api.abnormalplatform.com/v1/threats
Authorization: Bearer YOUR_API_TOKEN
Accept: application/json
| Field | Description |
|---|---|
| Type | Static API token (no expiry rotation required) |
| Format | Long alphanumeric string |
| Header | Authorization: Bearer <token> |
| Scope | Full API access (determined at token creation) |
export ABNORMAL_API_TOKEN="your-api-token"
export ABNORMAL_MCP_URL="https://mcp.wyretechnology.com/v1/abnormal-security/mcp"
When used through the MCP Gateway, credentials are passed via the Authorization header:
{
"headers": {
"Authorization": "Bearer ${ABNORMAL_API_TOKEN}"
}
}
The gateway forwards this header to the Abnormal Security MCP server, which uses it to authenticate with the Abnormal API.
| Environment | Base URL |
|---|---|
| Production | https://api.abnormalplatform.com |
| Service | Path | Description |
|---|---|---|
| Threats | /v1/threats | Threat detection data |
| Threat Details | /v1/threats/{threatId} | Individual threat details |
| Cases | /v1/cases | Abuse mailbox cases |
| Case Details | /v1/cases/{caseId} | Individual case details |
| Account Takeover | /v1/account-takeover/cases | ATO cases |
| Vendors | /v1/vendors | VendorBase vendor risk |
| Messages | /v1/threats/{threatId}/messages | Messages for a threat |
GET /v1/threats?pageSize=25&pageNumber=1
Authorization: Bearer <token>
Accept: application/json
GET /v1/threats?filter=attackType eq 'BEC'&pageSize=25
Authorization: Bearer <token>
Accept: application/json
{
"threats": [
{
"threatId": "184def76-3c28-4e1b-9ef0-a5abc123def4",
"attackType": "BEC",
"attackStrategy": "Invoice/Payment Fraud",
"sentTime": "2026-03-25T14:30:00Z"
}
],
"pageNumber": 1,
"total": 142,
"nextPageNumber": 2
}
Abnormal Security uses page-number-based pagination:
GET /v1/threats?pageSize=25&pageNumber=1
Response:
{
"threats": [...],
"pageNumber": 1,
"total": 142,
"nextPageNumber": 2
}
| Parameter | Type | Description | Default | Maximum |
|---|---|---|---|---|
pageSize | int | Results per page | 25 | 100 |
pageNumber | int | Page number (1-based) | 1 | - |
async function fetchAllPages(endpoint, params = {}) {
const allItems = [];
let pageNumber = 1;
const pageSize = 100;
let hasMore = true;
while (hasMore) {
const url = new URL(endpoint, 'https://api.abnormalplatform.com');
url.searchParams.set('pageSize', pageSize.toString());
url.searchParams.set('pageNumber', pageNumber.toString());
Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
const response = await fetch(url, {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});
const data = await response.json();
const items = data.threats || data.cases || [];
allItems.push(...items);
hasMore = data.nextPageNumber != null;
pageNumber = data.nextPageNumber || pageNumber + 1;
}
return allItems;
}
Abnormal Security supports OData-style filter expressions on list endpoints:
filter=<field> <operator> '<value>'
| Operator | Description | Example |
|---|---|---|
eq | Equals | attackType eq 'BEC' |
ne | Not equals | status ne 'Closed' |
gt | Greater than | riskScore gt 70 |
lt | Less than | riskScore lt 30 |
ge | Greater than or equal | sentTime ge '2026-03-01T00:00:00Z' |
le | Less than or equal | sentTime le '2026-03-27T00:00:00Z' |
and | Logical AND | attackType eq 'BEC' and severity eq 'Critical' |
or | Logical OR | attackType eq 'BEC' or attackType eq 'Phishing' |
GET /v1/threats?filter=sentTime ge '2026-03-20T00:00:00Z' and sentTime le '2026-03-27T00:00:00Z'
GET /v1/threats?filter=attackType eq 'BEC' and remediationStatus eq 'Not Remediated'&pageSize=50
| Limit Type | Value | Scope |
|---|---|---|
| Requests per minute | 60 | Per API token |
| Requests per hour | 1,000 | Per API token |
When rate limited, the API returns HTTP 429:
HTTP/1.1 429 Too Many Requests
Retry-After: 60
{
"error": "Rate limit exceeded. Please retry after 60 seconds."
}
async function requestWithRetry(url, options, maxRetries = 5) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status === 429) {
const retryAfter = parseInt(response.headers.get('Retry-After') || '60');
const jitter = Math.random() * 5000;
await sleep(retryAfter * 1000 + jitter);
continue;
}
if (response.status === 401) {
throw new Error('Invalid API token. Regenerate at Settings > Integrations > API.');
}
return response;
}
throw new Error('Max retries exceeded');
}
| Code | Meaning | Action |
|---|---|---|
| 200 | Success | Process response |
| 400 | Bad Request | Check request format, filter syntax |
| 401 | Unauthorized | Check API token |
| 403 | Forbidden | Token lacks required permissions |
| 404 | Not Found | Entity does not exist |
| 429 | Rate Limited | Wait per Retry-After header |
| 500 | Server Error | Retry with exponential backoff |
| 503 | Service Unavailable | Temporary outage, retry later |
{
"error": "Invalid filter expression",
"message": "The field 'attackType' does not support the operator 'contains'.",
"statusCode": 400
}
| Error | Scenario | Resolution |
|---|---|---|
| Invalid token | Token revoked or miscopied | Regenerate at Settings > Integrations > API |
| Invalid filter | Unsupported OData expression | Check filter syntax and supported operators |
| Entity not found | Threat/case ID does not exist | Verify the ID via list endpoint |
| Permission denied | Token scope insufficient | Generate new token with required permissions |
| Date range error | Dates in wrong format | Use ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ |
// Good: Use filters to narrow results server-side
const threats = await client.threats.list({
filter: "attackType eq 'BEC' and sentTime ge '2026-03-20T00:00:00Z'",
pageSize: 100
});
// Avoid: Fetching all threats and filtering client-side
const allThreats = await client.threats.list({ pageSize: 100 });
const becThreats = allThreats.filter(t => t.attackType === 'BEC');
// Good: Independent endpoints in parallel
const [threats, cases, atoCases] = await Promise.all([
client.threats.list({ pageSize: 25 }),
client.cases.list({ pageSize: 25 }),
client.ato.list({ pageSize: 25 })
]);