
Abnormal Security Integration

Send Abnormal Security Threat Logs to Realm

This guide walks you through connecting Abnormal Security to Realm. The integration uses a polling-based approach — Realm Cloud periodically queries the Abnormal Security API to retrieve threat and case data, then forwards it through your data pipeline to your configured destination.

[Figure: Abnormal Security Architecture]

Prerequisites

  • An active Abnormal Security account with administrator access
  • Access to the Realm Security console
  • Realm IP addresses added to your Abnormal Security allow list (contact Realm support for the list of IPs to add)

Generate an API Token in Abnormal Security

  1. Log in to the Abnormal Security Portal.
  2. Navigate to Settings > Integrations.
  3. Select REST API from the list of available integrations.
  4. Click Generate Token to create a new API token.

Important: Copy and save the API token immediately — you will not be able to view it again. You will need to enter this token in the Realm Security console.

  5. Note the Base URL displayed on the integrations page. This is the URL of the Abnormal Security API (e.g., https://api.abnormalsecurity.com). You will need this when configuring the integration in Realm.

Note: For more details on the Abnormal Security API, refer to the Abnormal Security API documentation.

Configure the Integration in Realm

  1. Create a new Source.

    Name: Abnormal Security
    Format: Abnormal Security

  2. Add a new Input feed.

    Type: Abnormal Security
    API Token: <your Abnormal Security API token>
    Base URL: <your Abnormal Security API URL>
    Desired Resources: <the API resources to collect>

Once saved, the Realm poller will begin retrieving threat and case event data from the Abnormal Security API at regular intervals. The data is converted to JSON and forwarded through your data pipeline to your configured destination (e.g., SIEM).
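
The polling pattern described above, as an added illustration rather than Realm's implementation or Abnormal Security's API: a collector keeps a per-resource checkpoint, re-reads a short overlap window so late-arriving events are not missed, de-duplicates by id, and emits JSON lines. The resource names `threats` and `cases`, the `id` and `receivedTime` fields, `fake_fetch`, and the sample records are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records standing in for API responses (not real data).
SAMPLE = {
    "threats": [
        {"id": "t-1", "receivedTime": "2024-01-01T00:00:30+00:00"},
        {"id": "t-2", "receivedTime": "2024-01-01T00:04:50+00:00"},
        {"id": "t-3", "receivedTime": "2024-01-01T00:07:10+00:00"},
    ],
    "cases": [{"id": "c-1", "receivedTime": "2024-01-01T00:06:00+00:00"}],
}

def fake_fetch(resource, start, end):
    """Hypothetical stand-in for the HTTP query: records with start <= time < end."""
    return [r for r in SAMPLE[resource]
            if start <= datetime.fromisoformat(r["receivedTime"]) < end]

class Poller:
    def __init__(self, resources, fetch, start, overlap=timedelta(seconds=60)):
        self.fetch, self.overlap = fetch, overlap
        self.checkpoint = {r: start for r in resources}  # per-resource high-water mark
        self.seen = {r: set() for r in resources}        # ids already forwarded

    def poll_once(self, now):
        """Query each resource from (checkpoint - overlap) to now; return new JSON lines."""
        out = []
        for res, since in list(self.checkpoint.items()):
            try:
                records = self.fetch(res, since - self.overlap, now)
            except OSError:
                continue  # checkpoint untouched, so the next poll retries this window
            for rec in records:
                if rec["id"] not in self.seen[res]:      # skip re-reads from the overlap
                    self.seen[res].add(rec["id"])
                    out.append(json.dumps({"resource": res, **rec}, sort_keys=True))
            self.checkpoint[res] = now                   # advance only after a successful fetch
        return out
```

A long-running collector would also prune `seen` of ids older than the overlap window so the set does not grow without bound.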