Abnormal Security
Abnormal Security provides email threat monitoring, account takeover activity, audit log events, and more via a direct-to-Chronicle integration.
Recommendation: Leverage the Google SecOps Feed for Abnormal Security Logs
Cyderes recommends enabling the Google SecOps feed to collect Abnormal Security logs as a complementary data source alongside our existing custom integrations. The SecOps feed provides a self-service, out-of-the-box ingestion path that allows teams to quickly onboard Abnormal Security telemetry without engineering overhead, reducing time-to-value while maintaining consistency and reliability in log collection.
This approach enhances operational agility by enabling security teams to independently manage and adjust log ingestion as needs evolve, without impacting or replacing our tailored integrations.
Please follow the instructions for enabling this feed in the corresponding article on the Google Cloud doc site.
For more general information on SecOps feeds, see Google's doc site article on feed management and adding a new feed. It covers critical details such as IP allowlisting, configuration, and other feed management features.
Chronicle Data Types
- ABNORMAL_SECURITY
Configuration Prerequisites
You must obtain the following information before proceeding with setting up this integration:
- Google Chronicle customer ID: To access the ID, navigate to Google Chronicle Settings => Profile => Organization Details => Customer ID.
- Service Account Credentials: These credentials are provided by Google support and may require you or your Customer Success Manager to open a Chronicle support case to obtain them.
- Google Chronicle URL: The Chronicle URL depends on your region. See Google's regional endpoint documentation to find your specific endpoint.
Configuration
Note
Completion of this portion of the setup requires access to the Abnormal Portal.
- Log into the Abnormal Portal.
- Click Settings => Integrations.
- Find the Google Chronicle icon and click the Connect button.
- Enter the information gathered above.
- Click Save and, if prompted with a confirmation box, click Confirm.