Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From abnormal-security
Provides patterns for Abnormal Security REST API integration: Bearer token authentication, base URLs, rate limiting, pagination, OData filtering, error handling, token management, and request formats.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-securityHow this skill is triggered — by the user, by Claude, or both
Slash command
/abnormal-security:api-patternsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
The Abnormal Security REST API provides programmatic access to threat detection, abuse mailbox cases, account takeover protection, vendor risk assessment, and message analysis. This skill covers authentication, request patterns, pagination, filtering, rate limiting, error handling, and performance optimization.
Analyzes Abnormal Security email threats like BEC, phishing, malware, social engineering, spam, graymail, and credential theft. Covers threat types, attack vectors, severity assessment, remediation, and investigation workflows.
Guides Huntress MCP tools for threat detection platform: HTTP Basic Auth, API structure, pagination with page tokens, 60 req/min rate limits, error handling, and tools for agents, incidents, organizations.
Provides Proofpoint API integration patterns: HTTP Basic Auth with service principal/secret, base URLs, rate limits, pagination, errors for TAP SIEM, quarantine, people, URL Defense.
Share bugs, ideas, or general feedback.
The Abnormal Security REST API provides programmatic access to threat detection, abuse mailbox cases, account takeover protection, vendor risk assessment, and message analysis. This skill covers authentication, request patterns, pagination, filtering, rate limiting, error handling, and performance optimization.
Abnormal Security uses a static Bearer token for API authentication:
GET https://api.abnormalplatform.com/v1/threats
Authorization: Bearer YOUR_API_TOKEN
Accept: application/json
| Field | Description |
|---|---|
| Type | Static API token (no expiry rotation required) |
| Format | Long alphanumeric string |
| Header | Authorization: Bearer <token> |
| Scope | Full API access (determined at token creation) |
export ABNORMAL_API_TOKEN="your-api-token"
export ABNORMAL_MCP_URL="https://mcp.wyretechnology.com/v1/abnormal-security/mcp"
When used through the MCP Gateway, credentials are passed via the Authorization header:
{
"headers": {
"Authorization": "Bearer ${ABNORMAL_API_TOKEN}"
}
}
The gateway forwards this header to the Abnormal Security MCP server, which uses it to authenticate with the Abnormal API.
| Environment | Base URL |
|---|---|
| Production | https://api.abnormalplatform.com |
| Service | Path | Description |
|---|---|---|
| Threats | /v1/threats | Threat detection data |
| Threat Details | /v1/threats/{threatId} | Individual threat details |
| Cases | /v1/cases | Abuse mailbox cases |
| Case Details | /v1/cases/{caseId} | Individual case details |
| Account Takeover | /v1/account-takeover/cases | ATO cases |
| Vendors | /v1/vendors | VendorBase vendor risk |
| Messages | /v1/threats/{threatId}/messages | Messages for a threat |
GET /v1/threats?pageSize=25&pageNumber=1
Authorization: Bearer <token>
Accept: application/json
GET /v1/threats?filter=attackType eq 'BEC'&pageSize=25
Authorization: Bearer <token>
Accept: application/json
{
"threats": [
{
"threatId": "184def76-3c28-4e1b-9ef0-a5abc123def4",
"attackType": "BEC",
"attackStrategy": "Invoice/Payment Fraud",
"sentTime": "2026-03-25T14:30:00Z"
}
],
"pageNumber": 1,
"total": 142,
"nextPageNumber": 2
}
Abnormal Security uses page-number-based pagination:
GET /v1/threats?pageSize=25&pageNumber=1
Response:
{
"threats": [...],
"pageNumber": 1,
"total": 142,
"nextPageNumber": 2
}
| Parameter | Type | Description | Default | Maximum |
|---|---|---|---|---|
pageSize | int | Results per page | 25 | 100 |
pageNumber | int | Page number (1-based) | 1 | - |
async function fetchAllPages(endpoint, params = {}) {
const allItems = [];
let pageNumber = 1;
const pageSize = 100;
let hasMore = true;
while (hasMore) {
const url = new URL(endpoint, 'https://api.abnormalplatform.com');
url.searchParams.set('pageSize', pageSize.toString());
url.searchParams.set('pageNumber', pageNumber.toString());
Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
const response = await fetch(url, {
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});
const data = await response.json();
const items = data.threats || data.cases || [];
allItems.push(...items);
hasMore = data.nextPageNumber != null;
pageNumber = data.nextPageNumber || pageNumber + 1;
}
return allItems;
}
Abnormal Security supports OData-style filter expressions on list endpoints:
filter=<field> <operator> '<value>'
| Operator | Description | Example |
|---|---|---|
eq | Equals | attackType eq 'BEC' |
ne | Not equals | status ne 'Closed' |
gt | Greater than | riskScore gt 70 |
lt | Less than | riskScore lt 30 |
ge | Greater than or equal | sentTime ge '2026-03-01T00:00:00Z' |
le | Less than or equal | sentTime le '2026-03-27T00:00:00Z' |
and | Logical AND | attackType eq 'BEC' and severity eq 'Critical' |
or | Logical OR | attackType eq 'BEC' or attackType eq 'Phishing' |
GET /v1/threats?filter=sentTime ge '2026-03-20T00:00:00Z' and sentTime le '2026-03-27T00:00:00Z'
GET /v1/threats?filter=attackType eq 'BEC' and remediationStatus eq 'Not Remediated'&pageSize=50
| Limit Type | Value | Scope |
|---|---|---|
| Requests per minute | 60 | Per API token |
| Requests per hour | 1,000 | Per API token |
When rate limited, the API returns HTTP 429:
HTTP/1.1 429 Too Many Requests
Retry-After: 60
{
"error": "Rate limit exceeded. Please retry after 60 seconds."
}
async function requestWithRetry(url, options, maxRetries = 5) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status === 429) {
const retryAfter = parseInt(response.headers.get('Retry-After') || '60');
const jitter = Math.random() * 5000;
await sleep(retryAfter * 1000 + jitter);
continue;
}
if (response.status === 401) {
throw new Error('Invalid API token. Regenerate at Settings > Integrations > API.');
}
return response;
}
throw new Error('Max retries exceeded');
}
| Code | Meaning | Action |
|---|---|---|
| 200 | Success | Process response |
| 400 | Bad Request | Check request format, filter syntax |
| 401 | Unauthorized | Check API token |
| 403 | Forbidden | Token lacks required permissions |
| 404 | Not Found | Entity does not exist |
| 429 | Rate Limited | Wait per Retry-After header |
| 500 | Server Error | Retry with exponential backoff |
| 503 | Service Unavailable | Temporary outage, retry later |
{
"error": "Invalid filter expression",
"message": "The field 'attackType' does not support the operator 'contains'.",
"statusCode": 400
}
| Error | Scenario | Resolution |
|---|---|---|
| Invalid token | Token revoked or miscopied | Regenerate at Settings > Integrations > API |
| Invalid filter | Unsupported OData expression | Check filter syntax and supported operators |
| Entity not found | Threat/case ID does not exist | Verify the ID via list endpoint |
| Permission denied | Token scope insufficient | Generate new token with required permissions |
| Date range error | Dates in wrong format | Use ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ |
// Good: Use filters to narrow results server-side
const threats = await client.threats.list({
filter: "attackType eq 'BEC' and sentTime ge '2026-03-20T00:00:00Z'",
pageSize: 100
});
// Avoid: Fetching all threats and filtering client-side
const allThreats = await client.threats.list({ pageSize: 100 });
const becThreats = allThreats.filter(t => t.attackType === 'BEC');
// Good: Independent endpoints in parallel
const [threats, cases, atoCases] = await Promise.all([
client.threats.list({ pageSize: 25 }),
client.cases.list({ pageSize: 25 }),
client.ato.list({ pageSize: 25 })
]);