Get Case Analysis
Provides the analysis and timeline details of a case.
External Documentation
To learn more, visit the Abnormal documentation.
Parameters
| Parameter | Description |
|---|---|
| Case ID | The ID representing the case. Can be retrieved from the 'List Cases' action. |
Example Output
```json
{
  "insights": [
    {
      "signal": "Impossible Travel",
      "description": "There were signins from distant locations within an impossible-to-travel time interval"
    }
  ],
  "eventTimeline": [
    {
      "event_timestamp": "2020-05-19T17:47:30Z",
      "category": "Risk Event",
      "title": "Impossible Travel",
      "field_labels": {},
      "ip_address": "123.456.78.900",
      "location": {
        "city": "Aldie",
        "state": "Virginia",
        "country": "US"
      },
      "prev_location": {
        "city": "Aldie",
        "state": "Virginia",
        "country": "US"
      }
    },
    {
      "event_timestamp": "2020-05-19T17:47:30Z",
      "category": "Sign In Event",
      "title": "Suspicious Failed Sign In Attempt",
      "field_labels": {},
      "description": "Suspicious Failed Sign In Attempt for foo@bar.com",
      "ip_address": "123.456.78.900",
      "isp": "NGCOM",
      "browser": "Chrome",
      "operating_system": "Windows 10",
      "device_trust_type": "string",
      "protocol": "Browser",
      "application": "GSuite",
      "location": {
        "city": "Aldie",
        "state": "Virginia",
        "country": "US"
      }
    },
    {
      "event_timestamp": "2020-05-19T17:47:30Z",
      "category": "Mail Rule",
      "title": "Mail Rule Change",
      "rule_name": "Delete all messages rule",
      "condition": "hasNoCondition",
      "flagging_detectors": "DELETE_ALL"
    },
    {
      "event_timestamp": "2020-05-19T17:47:30Z",
      "category": "Mail Sent",
      "title": "Unusual Correspondence",
      "subject": "Transaction Sent",
      "sender": "john.doe@lamronba.com",
      "recipient": "Jane Eyre"
    },
    {
      "event_timestamp": "2020-05-19T17:47:30Z",
      "category": "Failed MFA Attempt",
      "title": "Failed MFA Attempt",
      "field_labels": {},
      "ip_address": "123.456.78.900",
      "browser": "Chrome",
      "operating_system": "Windows 10",
      "protocol": "Browser",
      "application": "GSuite",
      "location": {
        "city": "Aldie",
        "state": "Virginia",
        "country": "US"
      }
    },
    {
      "event_timestamp": "2020-05-19T17:47:30Z",
      "category": "Authentication Events",
      "title": "Different Authentication Factor Locations",
      "field_labels": {},
      "description": "Mismatch between session location and second factor authentication location",
      "session_ip": "123.456.78.900 / Indianapolis, IN, US",
      "second_factor_ip": "123.456.78.900 / Indianapolis, IN, US",
      "used_second_factors": "MOBILE_APP_NOTIFICATION",
      "familiarity_statistics": {},
      "location": {
        "city": "Aldie",
        "state": "Virginia",
        "country": "US"
      }
    }
  ]
}
```
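The timeline mixes event types with different fields, so a downstream step has to read it defensively. The following is an added example, not part of the original documentation or of Abnormal's own code: it reduces a response of the shape shown above to the points a responder checks first. The function name `summarize_case` is hypothetical, and the sample is constructed from a trimmed copy of the example output.

```python
import json
from collections import Counter

# Constructed sample: trimmed copy of the example output (same field names).
SAMPLE = json.loads("""
{"insights": [{"signal": "Impossible Travel"}],
 "eventTimeline": [
  {"event_timestamp": "2020-05-19T17:47:30Z", "category": "Risk Event",
   "title": "Impossible Travel", "ip_address": "123.456.78.900"},
  {"event_timestamp": "2020-05-19T17:47:30Z", "category": "Mail Rule",
   "title": "Mail Rule Change", "rule_name": "Delete all messages rule",
   "condition": "hasNoCondition", "flagging_detectors": "DELETE_ALL"},
  {"event_timestamp": "2020-05-19T17:47:30Z", "category": "Authentication Events",
   "title": "Different Authentication Factor Locations",
   "session_ip": "123.456.78.900 / Indianapolis, IN, US",
   "second_factor_ip": "123.456.78.900 / Indianapolis, IN, US"}
 ]}
""")

# Fields in the example output that carry a source address.
IP_FIELDS = ("ip_address", "session_ip", "second_factor_ip")

def summarize_case(analysis):
    """Reduce a case analysis (hypothetical helper) to triage essentials."""
    events = analysis.get("eventTimeline") or []
    ips, mail_rules = set(), []
    for ev in events:
        for field in IP_FIELDS:
            value = ev.get(field)
            if value:
                # session_ip / second_factor_ip hold "IP / location"; keep the IP.
                ips.add(value.split("/")[0].strip())
        if ev.get("category") == "Mail Rule":
            mail_rules.append({"rule_name": ev.get("rule_name"),
                               "condition": ev.get("condition"),
                               "detectors": ev.get("flagging_detectors")})
    # Timestamps share one UTC ISO 8601 format, so string order is time order.
    stamps = [ev["event_timestamp"] for ev in events if ev.get("event_timestamp")]
    return {
        "signals": [i.get("signal") for i in analysis.get("insights") or []],
        "events_by_category": dict(Counter(ev.get("category", "unknown") for ev in events)),
        "source_ips": sorted(ips),
        "mail_rule_changes": mail_rules,
        "first_event": min(stamps, default=None),
    }

if __name__ == "__main__":
    print(json.dumps(summarize_case(SAMPLE), indent=2))
```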
Workflow Library Example
Get Case Analysis with Abnormal and Send Results Via Email