From abnormal-security
Triages and manages Abnormal Security abuse mailbox cases: user-reported emails, AI judgments, remediation actions, case lifecycle, and phishing simulation workflows for MSP security analysts.
How this skill is triggered — by the user, by Claude, or both
Slash command
/abnormal-security:casesWhen to use
When working with user-reported emails, case triage, remediation actions, case lifecycle, and phishing simulation management in Abnormal Security abuse mailbox cases. Use when: abnormal case, abuse mailbox, user reported email, reported phishing, case triage, case review, abnormal cases, abuse case management, phishing report, user submission, case remediation, or case judgment.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Abnormal Security's Abuse Mailbox automatically processes user-reported suspicious emails. When users forward or report emails to a designated abuse mailbox address, Abnormal analyzes the reported message and creates a case with an AI-generated judgment. This skill covers case lifecycle, triage workflows, remediation actions, and bulk operations.
Abnormal Security's Abuse Mailbox automatically processes user-reported suspicious emails. When users forward or report emails to a designated abuse mailbox address, Abnormal analyzes the reported message and creates a case with an AI-generated judgment. This skill covers case lifecycle, triage workflows, remediation actions, and bulk operations.
User Reports Email
|
v
Case Created (status: Open)
|
v
AI Analysis (judgment generated)
|
+---> Malicious ---> Auto-Remediate (if configured)
|
+---> Suspicious ---> Analyst Review Required
|
+---> Spam ---> Auto-Dismiss (if configured)
|
+---> Safe ---> Auto-Dismiss (if configured)
|
v
Analyst Action
|
+---> Remediate (quarantine/delete across org)
|
+---> Mark Not Spam (release to inbox)
|
+---> Dismiss (close case, no action)
|
v
Case Closed (status: Done)
| Field | Type | Description |
|---|---|---|
caseId | string | Unique case identifier |
severity | string | Severity level of the case |
affectedEmployee | string | Email address of the user who reported |
firstReported | datetime | When the case was first reported |
| Field | Type | Description |
|---|---|---|
overallStatus | string | Case status: Open, Acknowledged, Done |
judgmentStatus | string | AI judgment: Malicious, Spam, Safe, No Action Needed |
customerVisibleTime | datetime | When the case became visible in portal |
| Field | Type | Description |
|---|---|---|
reportedMessage.subject | string | Subject of the reported email |
reportedMessage.senderAddress | string | Sender of the reported email |
reportedMessage.senderName | string | Display name of the sender |
reportedMessage.recipientAddress | string | Recipient of the reported email |
reportedMessage.receivedTime | datetime | When the reported email was received |
reportedMessage.attackType | string | Detected attack type (if malicious) |
| Judgment | Description | Recommended Action |
|---|---|---|
| Malicious | Confirmed threat (BEC, phishing, malware) | Remediate across organization |
| Spam | Unsolicited bulk email, marketing | Dismiss or move to junk |
| Safe | Legitimate email, no threat detected | Dismiss, notify user it is safe |
| No Action Needed | Phishing simulation or already remediated | Dismiss |
| Tool | Description | Key Parameters |
|---|---|---|
abnormal_cases_list | List abuse mailbox cases | pageSize, pageNumber, filter, fromDate, toDate |
abnormal_cases_get | Get detailed case by ID | caseId |
abnormal_cases_actions | Get available actions for a case | caseId |
abnormal_cases_action | Take action on a case | caseId, action |
List open cases:
{
"tool": "abnormal_cases_list",
"parameters": {
"filter": "overallStatus eq 'Open'",
"pageSize": 25
}
}
Get case details:
{
"tool": "abnormal_cases_get",
"parameters": {
"caseId": "12345"
}
}
Remediate a case:
{
"tool": "abnormal_cases_action",
"parameters": {
"caseId": "12345",
"action": "REMEDIATE"
}
}
overallStatus eq 'Open'Escalate a case when:
| Action | Description | When to Use |
|---|---|---|
REMEDIATE | Remove the email from all recipients' inboxes | Confirmed malicious email |
MARK_NOT_SPAM | Release email back to inbox | False positive, legitimate email |
DISMISS | Close case without action | Safe email, phishing simulation, spam |
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid filter | Check OData filter syntax |
| 401 | Unauthorized | Check API token |
| 403 | Insufficient permissions | Token needs abuse mailbox scope |
| 404 | Case not found | Verify case ID |
| 409 | Case already actioned | Case was already remediated/dismissed |
| 429 | Rate limited | Wait and retry |
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-securityDetects and analyzes email-borne threats (BEC, phishing, malware) using Abnormal Security's behavioral AI. Activates on keywords like 'abnormal threat', 'phishing detection', 'credential theft'.
Guides incident lifecycle management for Checkpoint Harmony Email security events: status transitions, triage, investigation, evidence collection, remediation, and closure workflows.
Investigates email-borne threats in Proofpoint, covering auto-pull, search and destroy, message trace, evidence collection, and remediation workflows.