Release Notes

We're constantly working to make the Abnormal product a world-class experience. See what's changed this month.

April 2021


  • Palo Alto Networks Cortex XSOAR Integration: Abnormal has made our integration with Palo Alto Networks Cortex XSOAR, previously Demisto, generally available. Customers can now send threats and other information generated by Abnormal to Cortex XSOAR where they may have custom orchestration and automation workflows that simplify security operations or tie into other products, including EDR tools. To set up the Cortex XSOAR integration, go to the Settings link in the upper right corner of the portal. Next, navigate to the Integrations tab within the Abnormal Security Settings Page. From there, you can download the Cortex XSOAR Integration Guide that provides a brief set of steps to follow for setup.
  • Recipient Engagements Threat Log Functionality: We've introduced a new feature called Recipient Engagements, which gives customers visibility into risk from employees opening, forwarding, and replying to malicious messages. Located in the Threat Log, customers can click and see information about each engagement, including what time messages were opened, who they were forwarded to, and the exact reply email sent back.
  • New Abnormal Security Trust Center: Abnormal has introduced a new Trust Center that outlines our principles and practices with respect to data privacy, security, and compliance—topics we take seriously and continue to invest heavily in. The Trust Center contains content such as our Information Security Program (ISP), SOC 2, and compliance policy frameworks, which are meant to be accessible to everyone in your organization—not just lawyers or privacy experts. We plan to enhance visibility into our best practices with additional updates in the next few months. The Trust Center is located here.
  • New Developer Tools and Mock Data: We've introduced the ability for developers to get mock data from all REST API endpoints. This functionality will make it easier for developers to test and verify workflows before building them out. The “mock data” string-type header parameter can be specified as True or False with a default of False for any API call. If the mock data parameter is set to True, Abnormal returns a JSON object with synthetic data in the same format as expected for the given endpoint’s response. This ability to easily access test data will enhance the developer experience by making it simpler to test workflows and debug in a lightweight way. For more information, please visit our Abnormal Security Client API documentation.


  • Expanded Link Crawling Policy for Uncommon Domains: Abnormal has expanded our link crawling policies to better protect against hard-to-detect attacks. We are now crawling uncommon domains from rare senders. If a link is found to be uncommon in an email sent from someone rarely seen in a customer's environment, we intend to crawl this link and perform in-depth analysis on the result. The two signals we'll use are defined as such:
    • Uncommon Domains: We utilize several open source intelligence tools (e.g. Alexa’s Top 1M Domains) that track the most common domains seen across the Internet. We consider domains not included in these lists as uncommon and a signal that the domain can be leveraged for malicious use.
    • Rare Senders: Using our behavioral signals, we determine if the sender is someone who is rarely seen within your environment.
  • Expanded Link Crawling Policy for File Extensions: We are also expanding our link crawling policy to crawl links that have file extensions within its path (e.g. [url pattern].[file extension]). As Abnormal has improved our phishing and malware detection capabilities, we have observed an increasing number of advanced malware and phishing attacks obfuscating malicious content behind links leading to unknown websites. In order for us to detect these attacks and detect malicious intent, we have to crawl these links to analyze the landing page or malicious file. As we increase this link crawling policy, we have also increased safeguards to prevent our systems from crawling one-time click links, such as event and calendar invites, or subscription links, in customers’ environments.