Abnormal Knowledge Bases: Behaviorally-Derived Intelligence Surfaced In ThreatIntelBase

Discover how Abnormal provides greater visibility into cross-customer and cross-platform threat intelligence to support SOC investigations.
May 7, 2024

Security analysts struggle with a core part of their role: they must investigate every security event, but they have limited visibility into, and context around, indicators of compromise scattered across tools. With security teams running anywhere from 50 to 130 tools, collecting, correlating, and analyzing threat intelligence across platforms is not easy.

ThreatIntelBase, Abnormal’s newest Knowledge Base, is designed to help solve this problem. It surfaces and aggregates behaviorally-derived threat intelligence to support threat hunting and incident response, giving investigations of email-based attacks and compromised accounts a starting point built on cross-customer and cross-platform insight and context.

The Challenge: Limited Visibility and Context Around Indicators of Compromise

Making sense of IoCs across tools and platforms is critical if an analyst is to remediate attacks and reduce future risk, and two obstacles stand in the way:

  • Inadequate Cross-Platform Threat Intelligence Utilization. Security teams cannot easily check their environments for known threats sourced from intelligence feeds. It is hard to determine whether a compromised user account led to lateral or downstream malicious activity within that employee’s cloud account, and equally hard to quickly establish whether a known threat actor group accessed the IT ecosystem.

  • Manual Collection of IP-based Intelligence. Correlating intelligence between security tools takes time and effort, and analysts can end up with only a partial picture of an attack.

The nature of indicators of compromise and indicators of attack is changing: attackers increasingly log in with valid credentials or hijack legitimate application sessions to gain access to an organization, rather than relying solely on exploiting software vulnerabilities.

Identifying and understanding IoCs today requires a new approach.

The Solution: Threat Intelligence Derived From User Behavior

Rather than relying only on known IoCs from threat intel feeds, Abnormal models what is normal for every user and flags deviations from that baseline. Using behavioral AI, Abnormal detects zero-day attacks across the cloud-based email platform, including cloud and SaaS applications that are accessed through users’ cloud-based email identities, whether or not you have admin rights to those apps.

The Abnormal AI platform uses these unique, behaviorally-derived IoCs to improve detection efficacy for each customer. The same threat intelligence, produced by the human behavior AI that drives autonomous, accurate detection decisions, can now be used directly by customers to understand attacks.

Let’s dig into how ThreatIntelBase improves an analyst's understanding of an email-based attack, particularly compromised accounts.

1. Initiate Investigations with Key Insights: Analysts can see and search critical insights about unexpected or known-bad IP addresses as a starting point for investigations.

Querying ThreatIntelBase for an IP address returns an Abnormal threat report that includes IoC metadata, associated APTs, common attacks, behavioral patterns, and any malicious activity involving that IP within the customer’s environment or across Abnormal’s federated network.

2. Access Annotated Threat Intelligence: IP addresses associated with an account takeover are tagged with the threat actor groups or attack campaigns known to use that IP, together with the specific attack type used to compromise the account from it, such as credential stuffing.

3. Contextualize IP Intelligence in Case Timelines: When investigating an account takeover, IP-based intelligence now appears in the Case timeline. Clicking an IP address links the ATO case to ThreatIntelBase, giving contextual understanding of the attributes associated with that address.

This detailed view also includes metadata and aggregate information about what is normal and abnormal for each logged IP, and gives analysts access to some of the underlying data sets that Abnormal AI uses when making autonomous decisions.
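To make the baseline idea concrete, here is an added example (not Abnormal’s code and not its data model) that builds a per-user baseline of sign-in IPs, ASNs, and countries from constructed sample events, scores a new sign-in against that user’s own history, flags an IP that fails against several accounts in quick succession, and assembles an IP report of the shape described above: metadata, tags, and what is normal and abnormal for that address. The sample events, the tag store, and every function name are assumptions made for this example; the IPs are RFC 5737 documentation addresses and the ASNs are from the documentation range.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    """One sign-in event; this field set is an assumption for the example."""
    ts: datetime
    user: str
    ip: str
    asn: str       # owning network; AS64496-AS64511 are reserved for documentation
    country: str
    success: bool


# Constructed sample events (not real telemetry); IPs are RFC 5737 documentation addresses.
BASE = datetime(2024, 5, 1)
CUTOFF = BASE + timedelta(days=21)   # the baseline is built from everything before this point
LOGINS = (
    [Login(BASE + timedelta(days=d), "alice", "192.0.2.10", "AS64496", "US", True) for d in range(0, 20, 2)]
    + [Login(BASE + timedelta(days=d), "bob", "192.0.2.20", "AS64496", "US", True) for d in range(0, 20, 3)]
    # Failures against four accounts from one IP within minutes, then a success: a stuffing shape.
    + [Login(CUTOFF + timedelta(minutes=m), u, "203.0.113.45", "AS64500", "NL", False)
       for m, u in enumerate(["alice", "bob", "carol", "dave"])]
    + [Login(CUTOFF + timedelta(minutes=5), "alice", "203.0.113.45", "AS64500", "NL", True)]
)

# Hypothetical annotation store standing in for the tags a threat report would carry.
IP_TAGS = {"203.0.113.45": {"attack_type": "credential stuffing", "campaign": "constructed-campaign-1"}}


def build_baseline(events, before):
    """Per-user sets of IPs, ASNs and countries seen on successful sign-ins before `before`."""
    base = defaultdict(lambda: {"ip": set(), "asn": set(), "country": set()})
    for e in events:
        if e.success and e.ts < before:
            for attr in ("ip", "asn", "country"):
                base[e.user][attr].add(getattr(e, attr))
    return base


def assess_login(login, baseline):
    """List how one sign-in deviates from that user's own baseline (empty list = nothing new)."""
    known = baseline.get(login.user)
    if known is None:
        return ["no_baseline"]
    return [f"new_{attr}" for attr in ("ip", "asn", "country") if getattr(login, attr) not in known[attr]]


def failures_by_ip(events, window=timedelta(minutes=10), min_users=3):
    """IPs with failed sign-ins against at least `min_users` distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if not e.success:
            by_ip[e.ip].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e.ts)
        for i, first in enumerate(fails):
            users = {f.user for f in fails[i:] if f.ts - first.ts <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def ip_report(ip, events, baseline, tags):
    """Report for one IP: metadata, tags, and what is normal/abnormal about it. None if never seen."""
    seen = sorted((e for e in events if e.ip == ip), key=lambda e: e.ts)
    if not seen:
        return None
    new_for = sorted({e.user for e in seen if e.success and "new_ip" in assess_login(e, baseline)})
    return {
        "ip": ip,
        "asn": sorted({e.asn for e in seen}),
        "countries": sorted({e.country for e in seen}),
        "first_seen": seen[0].ts.isoformat(),
        "last_seen": seen[-1].ts.isoformat(),
        "users_seen": sorted({e.user for e in seen}),
        "failed": sum(not e.success for e in seen),
        "succeeded": sum(e.success for e in seen),
        "tags": dict(tags.get(ip, {})),
        "abnormal": {
            "multi_user_failures": failures_by_ip(events).get(ip, []),
            "new_ip_for_users": new_for,
        },
    }


if __name__ == "__main__":
    baseline = build_baseline(LOGINS, CUTOFF)
    print(json.dumps(ip_report("203.0.113.45", LOGINS, baseline, IP_TAGS), indent=2))
    print(assess_login(LOGINS[-1], baseline))
```

The report for 203.0.113.45 shows four failures across four accounts inside ten minutes followed by one success, that success being from an IP, ASN and country alice had never used, with the constructed tag attached; the report for 192.0.2.10 shows nothing abnormal because every sign-in from it sits inside the baseline. The per-user baseline is what makes the IP interesting before any feed has listed it.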

Knowledge Bases are the foundation of Abnormal’s Human Behavior AI Platform. Abnormal builds a deep understanding of each customer’s users, vendors, tenants, applications, and threat intelligence, and surfaces any deviation from the established behavior baselines in the Knowledge Bases. Analysts can use this list of potentially high-risk items to understand their cloud email attack surface and better protect their organization.


Benefits of Jump Starting Attack Investigations with ThreatIntelBase

Security analysts are faced with a barrage of alerts, logs, and feeds across many tools.

ThreatIntelBase provides a starting point for making sense of the noise, whether you are investigating an account takeover from a detected bad IP address or browsing the Knowledge Base for the latest suspicious indicators in your cloud-based email ecosystem.

Analysts benefit from:

  • Faster incident response and investigation, with instant cross-product and cross-platform search results for cloud account activity and threats associated with a malicious IP. Analysts can use this information to restore compromised accounts, block malicious IPs, and hunt for related activity.

  • Consolidated Threat Visibility, with malicious IoCs and the insights Abnormal AI derives from them in a single place.

  • Improved Efficacy, through access to novel, behaviorally-derived threat intelligence that enhances protection across Abnormal products.

Future Capabilities and Availability

The initial focus is on IP addresses; analysts will soon be able to query other IoCs, including arbitrary files, text, and images. Later this year, ThreatIntelBase will also export intelligence in STIX format over TAXII so that customers can automate its integration into other products.
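As an added example of what that automated integration could look like once the export ships (this is not Abnormal’s exporter, and the indicator values, campaign names, and function names are constructed for the example), the following packages tagged IP indicators as STIX 2.1 indicator objects inside a bundle and shows the consuming side parsing the address and labels back out. It handles IPv6 as well as IPv4 and refuses to turn a non-address into a pattern, which is the check a receiving product would want before loading the indicators into a blocklist.

```python
import json
import re
import uuid
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample intelligence: RFC 5737 / RFC 3849 documentation addresses, hypothetical tags.
SAMPLE_IOCS = [
    {"ip": "203.0.113.45", "attack_type": "credential stuffing",
     "campaign": "constructed-campaign-1", "first_seen": "2024-05-22T00:00:00Z"},
    {"ip": "2001:db8::1", "attack_type": "session hijacking",
     "campaign": "constructed-campaign-2", "first_seen": "2024-05-20T12:30:00Z"},
]

STIX_TIME = "%Y-%m-%dT%H:%M:%SZ"
# Only the two address pattern shapes this exporter emits; anything else is ignored on ingest.
PATTERN_RE = re.compile(r"^\[(ipv[46]-addr):value = '([^']+)'\]$")


def deterministic_id(kind, key):
    """Stable STIX id so a re-export updates an indicator instead of duplicating it.
    STIX 2.1 recommends UUIDv4 for SDOs but accepts any RFC 4122 UUID; v5 keeps ids reproducible."""
    return f"{kind}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{kind}:{key}')}"


def ip_pattern(ip):
    """STIX pattern for one address; ValueError for junk, so bad input never becomes an indicator."""
    addr = ip_address(ip)
    return f"[ipv{addr.version}-addr:value = '{addr.compressed}']"


def to_indicator(ioc, now):
    ts = now.strftime(STIX_TIME)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": deterministic_id("indicator", ioc["ip"]),
        "created": ts,
        "modified": ts,
        "name": f"{ioc['attack_type']} source {ioc['ip']}",
        "indicator_types": ["malicious-activity"],
        "pattern": ip_pattern(ioc["ip"]),
        "pattern_type": "stix",
        "valid_from": ioc["first_seen"],
        # Labels carry the annotations the post describes: attack type and campaign.
        "labels": [f"attack-type:{ioc['attack_type']}", f"campaign:{ioc['campaign']}"],
    }


def to_bundle(iocs, now=None):
    """A STIX 2.1 bundle (no spec_version on the bundle itself in 2.1) holding one indicator per IP."""
    now = now or datetime.now(timezone.utc)
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [to_indicator(i, now) for i in iocs],
    }


def ips_from_bundle(bundle_json):
    """Consumer side: map address -> labels from a bundle, skipping anything that is not an IP indicator."""
    out = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        out[m.group(2)] = list(obj.get("labels", []))
    return out


if __name__ == "__main__":
    bundle = to_bundle(SAMPLE_IOCS, datetime(2024, 5, 22, tzinfo=timezone.utc))
    serialized = json.dumps(bundle, indent=2)
    print(serialized)
    print(ips_from_bundle(serialized))
```

A real TAXII client would fetch the bundle from a collection endpoint instead of building it locally; the parsing side is the part worth keeping, since a feed consumer should accept only the pattern shapes it understands and drop the rest rather than guessing.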

ThreatIntelBase will be available to customers beginning May 12 and, like all Knowledge Bases, is free for customers.
