Integration Notes

Revelstoke + Abnormal Integration

How It Works 

Revelstoke can create an alert for each new Abnormal case along with its associated threat data. Revelstoke provides both case management and automation of Abnormal tasks using a workflow. Revelstoke supports Abnormal actions, such as searching, retrieving, and updating cases and threats, submitting reports, and retrieving user data.


The Abnormal Security integration requires an admin role in order to authorize the account. If you are not an admin, please reach out to an admin or account owner within your organization to configure the integration for you.


If you need any help getting the Abnormal Security integration up and running, please do not hesitate to reach out to us via email at [email protected]

Integration Walkthrough

In Abnormal, complete these integration steps to get your API access token that you need to safelist your organization’s IP addresses:

1. Log in to the Abnormal Portal.

2. Click Settings in the left navigation menu.

3. Click Integrations in the settings menu.

4. Scroll down to the Additional Integrations section and click + Connect on the Abnormal REST API card to display an integration page for your organization.

The integration page displays a unique API access token that is required with your API calls. For more information on calling the Abnormal REST API, see REST API Endpoints

IMPORTANT: The API access token grants access to sensitive threat data related to your organization. Store it in a secure place, such as an encrypted password vault, and do not share it unless necessary. If you believe that the token has been compromised, contact Abnormal Support immediately at [email protected].

  1. In the IP Safelist field, enter a specific IPv4 / IPv6 address for your organization, or enter a range of addresses using a CIDR (Classless Inter-Domain Routing) block.

REST API Endpoints

Once you complete the integration steps, you can use the API access token to send requests to the Abnormal API from any HTTP client. For example, the following cURL command issues a GET request (GET is the default request method with cURL) to retrieve a list of threats:

curl -H “Authorization: Bearer << ACCESS_TOKEN >>”

For details on all the Abnormal REST API endpoints, see the Abnormal API documentation in SwaggarHub. SwaggarHub lists and describes all the available Abnormal API endpoints, and also lets you try out API calls to each endpoint. 

Integration Walkthrough

  1. In your Revelstoke account, navigate to the integrations page
  1. Select Add Integration Instance
  2. Select the Abnormal integration
  1. Enter the following required fields:
    • Name
    • Abnormal Security Base URL
    • Abnormal Security Access Token
    • Result Limit
  2. Enter the following optional fields if desired:
    • Default Alert Category
  1. Put a check mark in Enabled
  2. Click Save

How to Disable

To stop the Revelstoke project from ingesting alerts from Abnormal, you will need to disable the Abnormal integration in Revelstoke.

  1. Select the Revelstoke project that is configured to ingest Abnormal alerts.
  2. Navigate to the Integrations page.
  3. Under the Abnormal section click the Pencil icon.
  4. Uncheck Execute On A Schedule and then Save to stop creating alerts.

How to Remove

  1. In your Revelstoke account, navigate to the Integrations page.
  2. Select the Trash icon.
  3. Select Yes, delete to remove Abnormal instance from Revelstoke.