# Abnormal Security

Integrating **Abnormal Security** with **ThreatDefence** allows you to ingest advanced email security telemetry—including phishing detections, business email compromise (BEC) alerts, and behavioral anomaly signals—directly into ThreatDefence. This ensures that identity and email-based threats are correlated with other security data for end-to-end monitoring and incident response.

***

## Step 1. Obtain API Credentials and Configure IP Safelist

1. Sign in to the **Abnormal Portal**.
2. Navigate to **Settings → Integrations**.
3. Locate the **Abnormal REST API integration** and click **+ Connect**.
4. Copy and save the **Access Token** securely (e.g., in a password vault). You will provide this to ThreatDefence later.
5. In the **IP Safelist** field, add the ThreatDefence SOC collector IP address ranges.

> **Note:** Your ThreatDefence representative will provide the correct IP addresses to safelist.

***

## Step 2. Provide Credentials to ThreatDefence

Send the following details to your ThreatDefence representative at [**support@threatdefence.com**](mailto:support@threatdefence.com):

* **Access Token** (from Step 1)
* **Host** — based on your region:
  * **US:** `api.abnormalplatform.com`
  * **EU:** `eu.rest.abnormalsecurity.com`
* **Credential Expiry** — (optional) if your token has an expiration date.

ThreatDefence will configure ingestion so Abnormal Security event data is collected and correlated within the ThreatDefence SecOps platform.
