The Abnormal AI integration allows Expel to apply our detection strategy to your Abnormal AI alerts and pull them into the Workbench queue for investigation and remediation.

Prerequisites

  1. You must have the Organization Admin role in Workbench to set up this integration.
  2. You must have admin access in Abnormal AI to create an API token.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Create an Access Token
  2. Add Abnormal AI as a Security Device in Workbench

Step 1: Create an Access Token

  1. Log in to Abnormal AI using an account with admin access.
  2. In the side menu, select Settings.
  3. Select Integrations.
  4. Scroll down to the Additional Integrations section and select +Connect on the Abnormal REST API card.
  5. An integration page for your organization displays, showing a unique API access token. Copy the token to a safe place, as you will need to enter it into Workbench later.
  6. In the IP Safelist field, enter, as a comma-separated list, the IP addresses provided in Configure an IP Allow List.
  7. Select Save.
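Before handing the token over to Workbench, it is worth confirming that it is accepted by the endpoint you intend to use (US or EU, as listed in Step 2). The following script is an added example and is not part of Expel's or Abnormal AI's documentation. It assumes the two base URLs given on this page, Bearer-token authentication, and a `/v1/threats` collection endpoint on the Abnormal REST API (an assumption about Abnormal's API; verify against your Abnormal API reference). The `abnormal_base_url`, `abnormal_diagnose` and `abnormal_check` function names are the author's own.

```shell
#!/bin/sh
# Added example, not from Expel or Abnormal AI: sanity-check an Abnormal REST API
# token against the tenant's endpoint before entering it in Workbench.

# Map the tenant region to the base URL listed in Step 2 of the setup guide.
abnormal_base_url() {
    case "$1" in
        eu|EU) echo "https://eu.rest.abnormalsecurity.com" ;;
        *)     echo "https://api.abnormalplatform.com" ;;
    esac
}

# Turn the HTTP status into a diagnosis tied to the setup steps. The 401/403
# meanings are an assumption about Abnormal's API behaviour.
abnormal_diagnose() {
    case "$1" in
        200) echo "ok: token accepted by the endpoint" ;;
        401) echo "token rejected: re-check the token copied in Step 1" ;;
        403) echo "forbidden: the calling IP is probably not in the IP Safelist (Step 1, item 6)" ;;
        000) echo "no connection: check DNS/egress to the endpoint" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}

# Issue one authenticated request and report the diagnosis. The /v1/threats
# path is assumed; -w prints only the status code, and 000 means no connection.
abnormal_check() {
    region="$1"
    token="$2"
    base="$(abnormal_base_url "$region")"
    status="$(curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $token" \
        "$base/v1/threats" || true)"
    abnormal_diagnose "$status"
}

# Usage: read the token from the environment so it never lands in shell history.
#   ABNORMAL_TOKEN='<token from Step 1>' sh abnormal_check.sh us
#   ABNORMAL_TOKEN='<token from Step 1>' sh abnormal_check.sh eu
if [ -n "${ABNORMAL_TOKEN:-}" ]; then
    abnormal_check "${1:-us}" "$ABNORMAL_TOKEN"
fi
```

Note that the IP Safelist you fill in during Step 1 restricts where the token may be used from, so once it contains only Expel's addresses a request from your own workstation is expected to be refused; run the check from an address on the list, or treat a 403 from elsewhere as the safelist doing its job rather than as a broken token.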

Step 2: Add Abnormal AI as a Security Device in Workbench

Now that you have an access token, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Abnormal” and then select the Abnormal AI integration.
  5. A configuration pane displays. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Abnormal AI”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Abnormal Security API endpoint URL - enter "https://api.abnormalplatform.com". For EU-based tenants, enter "https://eu.rest.abnormalsecurity.com".
    • Abnormal Security API authentication token - enter the API token you saved in Step 1.
  6. Select Save.
  7. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected. Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.