Expel

Version: 2.0.8

Expel is a SOC-as-a-service platform that provides security monitoring and response for cloud, hybrid, and on-premises environments.

Connect Expel with Logichub

  1. Navigate to Automations > Integrations.
  2. Search for Expel.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Api Token: Api Token to access Expel.
  4. After you've entered all the details, click Connect.

Actions for Expel

List Open Investigations

List open investigations in Workbench.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired

Output

JSON containing following items:

{
	"result": [{
		"id": "abcd"
	}, {
		"id": "abcde"
	}],
	"error": null,
	"has_error": false
}

List All Investigations

Retrieve all the investigations. If user provides the ID then only return that investigation, but default return all investigations.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation IdJinja-templated text containing the Investigation Id to look up for.Optional
Output TypeJinja-templated text, enter '1' for one JSON per input row or '2' for JSON per investigation found (Default is 1)Optional

Output

JSON containing following items:

{
	"result": [{
    "id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
    "status": "TESTING",
    "short_link": "ENVEST-43341",
    "expel_alerts": [
      {
        "id": "20asdffc-079f-437d-87c9-f03asdf1a7",
        "alert_type": "CLOUD",
        "expel_name": "Potential mining",
        "expel_severity": "HIGH",
        "status": "CLOSED"
      }
    ]
	}],
	"error": null,
	"has_error": false
}

Close Investigations

Update an investigation’s state by closing it. Note that setting an investigation’s decision to anything other than None will close it.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation IdJinja-templated text containing the Investigation Id to look up for.Required
DecisionJinja-templated text containing the Decision of the investigation.Required
CommentJinja-templated text containing the comment for the investigation. (Default is None)Optional

Output

JSON containing following items:

{
	"Result": "Investigation closed successfully",
	"error": null,
	"has_error": false
}

List Investigations Comments

List all comments, displaying when they were created and its id. If user provides the ID then only return that investigation, but default return all investigations.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation IdJinja-templated text containing the Investigation Id to look up for.Optional

Output

JSON containing following items:

{
	"result": [{
		"timestamp": "2021-09-16T19:29:41.097Z",
		"comment": "Test",
		"id": "abcd"
	}],
	"error": null,
	"has_error": false
}

Create Investigation Comments

Create a comment and associate it with an investigation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation IdJinja-templated text containing the Investigation Id to look up for.Required
CommentJinja-templated text containing the Comment for the Investigation.Required

Output

JSON containing following items:

{
	"Result": "Investigation comment created successfully",
	"error": null,
	"has_error": false
}

Create Findings For Incident

Create new investigative findings for an incident.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation IdJinja-templated text containing the Investigation Id to look up for.Required
Finding TitleJinja-templated text containing the Finding Title of incident.Required
Finding RankJinja-templated number containing the Rank of incident. (Default is 1)Optional
FindingJinja-templated text containing the Finding of incident.Required

Output

JSON containing following items:

{
	"Result": "Finding for incident created successfully",
	"error": null,
	"has_error": false
}

Get Expel Alert

Get expel alert by its id.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Expel Alert IdJinja-templated text containing the Expel Alert Id to look up for.Required

Output

JSON containing following items:

{
  "disposition_alerts_in_investigations_count": null,
  "cust_disp_alerts_in_critical_incidents_count": null,
  "activity_last_at": "2021-09-28T20:09:24.963Z",
  "expel_alert_time": "2021-09-28T20:12:28.918Z",
  "tuning_requested": false,
  "vendor_disp_alerts_in_investigations_count": null,
  "is_auto_add": false,
  "investigative_action_count": 4,
  "disposition_closed_alerts_count": null,
  "cust_disp_closed_alerts_count": null,
  "alert_type": "CLOUD",
  "disposition_alerts_in_critical_incidents_count": null,
  "activity_first_at": "2021-09-28T20:09:24.963Z",
  "vendor_disp_disposed_alerts_count": null,
  "expel_message": null,
  "vendor_disp_alerts_in_incidents_count": null,
  "expel_signature_id": "execution_bitcoinmining",
  "close_comment": "This activity was generated as a result of authorized testing. Envestnet has verified this activity. This is internal testing activity. This was confirmed via comments within the assigned remediation actions. ",
  "status_updated_at": "2021-09-28T20:12:29.069Z",
  "relationships": {
    "vendor": {
      "meta": {
        "relation": "primary",
        "readOnly": false
      },
      "links": {
        "self": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7/relationships/vendor",
        "related": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7/vendor"
      },
      "data": {
        "type": "vendors",
        "id": "742fc1a2-a400-40e5-9b8e-113fd2a97d8f"
      }
    },
  },
  "cust_disp_disposed_alerts_count": null,
  "links": {
    "self": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7"
  },
  "expel_alias_name": null,
  "has_error": false,
  "vendor_alerts": [
    {
      "id": "bf9250cc-cfc0-4f75-ad8e-0e4caff86af8",
      "status": "NORMAL",
      "vendor_severity": "HIGH"
    }
  ],
  "id": "20d4e12c-079f-437d-87c9-f030e7f061a7",
  "vendor_disp_closed_alerts_count": null,
  "git_rule_url": "https://github.com/expel-io/expel-eye/edit/main/rules/vendor/AWS/bitcoinmining.yml",
  "properties": null,
  "vendor_disp_alerts_in_critical_incidents_count": null,
  "error": null,
  "vendor_alert_count": 1,
  "status": "CLOSED",
  "cust_disp_alerts_in_incidents_count": null,
  "disposition_disposed_alerts_count": null,
  "created_at": "2021-09-28T20:12:29.069Z",
  "expel_severity": "HIGH",
  "expel_name": "Potential bitcoin mining",
  "type": "expel_alerts",
  "updated_at": "2021-09-28T20:14:17.614Z",
  "ref_event_id": null,
  "cust_disp_alerts_in_investigations_count": null,
  "close_reason": "TESTING",
  "disposition_alerts_in_incidents_count": null,
  "expel_version": "f12457aa70250901805623a30972c22b571702b6"
}

Get Vendor Alert

Get vendor alert by its id.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Vendor Alert IdJinja-templated text containing the Vendor Alert Id to look up for.Required

Output

JSON containing following items:

{
  "evidence_summary": [
    {
      "process_evidence": {
        "src_process_v1": {
          "started_at": "2022-03-16T11:53:09",
          "process_name": "msedg.exe",
          "process_user": {
            "username": "aman.Keramagi",
            "username_norm": "aman.keramagi",
            "sid": "S-1-5-21-2043237595-5324247304-483988704-76616"
          },
          "process_args": "--type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2088,i,11427051102919855135,10905934713271070491,131072 /prefetch:3",
          "process_args_norm": "--type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2088,i,11427051102919855135,10905934713271070491,131072 /prefetch:3",
          "process_path": {
            "file_hash": [
              {
                "type": "SHA256",
                "value": "91e3dd07e4e8f44asdfsadfdae18b05865d5ea2f48a01b9aa"
              }
            ],
            "file_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\msedge.exe",
            "file_path_norm": "c:/program files (x86)/microsoft/application/msedge.exe",
            "filename": "msedge.exe",
            "filename_norm": "msedge.exe"
          },
          "asset": {
            "asset_name": "IN-L2426",
            "asset_name_norm": "in-l22346",
            "asset_types": [
              "ENDPOINT"
            ],
            "agents": [
              {
                "identifier": "3c8c3c7392e2asdf8d34c4521f981209",
                "version": "6.33.14.0"
              }
            ],
            "domain": "corp.yodl33.com",
            "os": {
              "name": "Windows 10",
              "os_type": "WINDOWS",
              "major_version": "10",
              "minor_version": "0"
            },
            "manufacturer": "LENOVO",
            "model": "20Vdf05U00",
            "nics": [
              {
                "ip_addr": {
                  "ip": "192.1.29.103"
                },
                "mac_addr": {
                  "mac_addr": "7c-35-ad-1b-6b-29"
                }
              }
            ],
            "external_ip": {
              "ip": "121.2.1.1"
            },
            "first_seen": "2022-01-19T10:21:40Z",
            "last_seen": "2022-03-16T11:44:02Z"
          }
        },
        "alert_action": "ACTION_ALERT"
      }
    }
  ],
  "has_error": false,
  "id": "6b7500f3-6975-4525-9731-a0b4basdf0d9",
  "original_alert_id": "sadfkjnsof-wefnwfn234re-ru23r23",
  "error": null,
  "status": "NORMAL"
}

Get Investigation

Get investigation by its short link.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation Short LinkJinja-templated text containing the Short link of Investigation to look up for.Required

Output

JSON containing following items:

{
	"result": {
    "id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
    "status": "TESTING",
    "short_link": "ENVEST-43341",
    "expel_alerts": [
      {
        "id": "20asdffc-079f-437d-87c9-f03asdf1a7",
        "alert_type": "CLOUD",
        "expel_name": "Potential mining",
        "expel_severity": "HIGH",
        "status": "CLOSED"
      }
    ]
	},
	"error": null,
	"has_error": false
}

Get Investigative Actions

Get the investigative actions for given investigation id.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Investigation IdJinja-templated text containing the Investigation Id for which actions has to be retrieved.Required

Output

JSON containing following items:

{
  "jsonapi": {
    "version": "1.0"
  },
  "meta": {
    "reqId": "03918aca-7e2-e0907df40b8a",
    "page": {
      "offset": 0,
      "limit": 50,
      "total": 27
    }
  },
  "links": {
    "self": "/api/v2/investigative_actions?filter%5Binvestigation%5D%5Bid%5D=:e6c40f86-4c18-4d5a-9963238e4b"
  },
  "data": [
    {
      "type": "investigative_actions",
      "id": "063315be-1bf5-4da4-9de3-45db08dbede7",
      "attributes": {
        "status": "COMPLETED",
        "title": "PDNS Do.pool.minergate.com",
        "instructions": "",
        "created_at": "2021-09-28T20:12:31.879Z",
        "updated_at": "2021-09-28T20:14:17.614Z",
        "status_updated_at": "2021-09-28T20:12:31.935Z",
        "reason": "Robotic Action",
        "results": "| DNS Resolution | Count | First Seen | Last Seen | Record Type\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| **176.9.2.145** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |\n| **176.9.147.78** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |\n| **176.9.147.178** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |",
        "close_reason": null,
        "input_args": null,
        "capability_name": null,
        "taskability_action_id": null,
        "result_task_id": null,
        "deleted_at": null,
        "action_type": "MANUAL",
        "tasking_error": null,
        "robot_action": true,
        "activity_authorized": null,
        "activity_verified_by": null,
        "downgrade_reason": null,
        "files_count": 0,
        "workflow_name": "Domain Info",
        "workflow_job_id": null,
        "result_byte_size": 0,
        "content_driven_results": null,
        "rank": 0
      },
      "links": {
        "self": "/api/v2/investigative_actions/06335db08dbede7"
      },
      "relationships": {
        "assigned_to_actor": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/0633155db08dbede7/relationships/assigned_to_actor",
            "related": "/api/v2/investigative_actions/063315e3-45db08dbede7/assigned_to_actor"
          },
          "data": {
            "type": "actors",
            "id": "ab5aed32--aaeff8c22fc3"
          }
        },
        "investigation": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/0633153-45db08dbede7/relationships/investigation",
            "related": "/api/v2/investigative_actions/063315bb08dbede7/investigation"
          },
          "data": {
            "type": "investigations",
            "id": "e6c40f86-b63238e4b"
          }
        },
        "depends_on_investigative_action": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315be-45db08dbede7/relationships/depends_on_investigative_action",
            "related": "/api/v2/investigative_actions/063315bedb08dbede7/depends_on_investigative_action"
          },
          "data": null
        },
        "dependent_investigative_actions": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063313-45db08dbede7/relationships/dependent_investigative_actions",
            "related": "/api/v2/investigative_actions/0633155db08dbede7/dependent_investigative_actions"
          }
        },
        "expel_alert": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315b45db08dbede7/relationships/expel_alert",
            "related": "/api/v2/investigative_actions/063315be5db08dbede7/expel_alert"
          },
          "data": {
            "type": "expel_alerts",
            "id": "20d4e130e7f061a7"
          }
        },
        "analysis_assigned_to_actor": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315be-1db08dbede7/relationships/analysis_assigned_to_actor",
            "related": "/api/v2/investigative_actions/063315be-15db08dbede7/analysis_assigned_to_actor"
          },
          "data": {
            "type": "actors",
            "id": "ab5aed32-ff8c22fc3"
          }
        },
        "security_device": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/06331bede7/relationships/security_device",
            "related": "/api/v2/investigative_actions/063315bdb08dbede7/security_device"
          },
          "data": null
        },
        "organization": {
          "meta": {
            "relation": "primary",
            "readOnly": true
          },
          "links": {
            "self": "/api/v2/investigative_actions/0633-45db08dbede7/relationships/organization",
            "related": "/api/v2/investigative_actions/06331-45db08dbede7/organization"
          },
          "data": {
            "type": "organizations",
            "id": "8cc558f1-56f4f44dcc"
          }
        },
        "result_file": {
          "meta": {
            "relation": "primary",
            "readOnly": true
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315bede3-45db08dbede7/relationships/result_file",
            "related": "/api/v2/investigative_actions/063315b-45db08dbede7/result_file"
          },
          "data": null
        },
        "created_by": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315bede7/relationships/created_by",
            "related": "/api/v2/investigative_actions/063315b3-45db08dbede7/created_by"
          },
          "data": {
            "type": "actors",
            "id": "ab5aed32-061f-5d75-86b2-aaeff8c22fc3"
          }
        },
        "updated_by": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/0633db08dbede7/relationships/updated_by",
            "related": "/api/v2/investigative_actions/06331545db08dbede7/updated_by"
          },
          "data": {
            "type": "actors",
            "id": "ae4298a3af8935"
          }
        },
        "files": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315be-18dbede7/relationships/files",
            "related": "/api/v2/investigative_actions/063315b08dbede7/files"
          }
        },
        "investigative_action_histories": {
          "meta": {
            "relation": "primary",
            "readOnly": false
          },
          "links": {
            "self": "/api/v2/investigative_actions/063315b08dbede7/relationships/investigative_action_histories",
            "related": "/api/v2/investigative_actions/06338dbede7/investigative_action_histories"
          }
        }
      }
    }
  ],
  "included": [],
  "error": null,
  "has_error": false
}

Get All Expel Alerts (CSV)

Download Expel Alert CSV Data.

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

{
  "result":{
  	"file_id":"3i24uhro324uhrp9r3fpiuh3"
  },
  "error": null,
  "has_error": false
}

Release Notes

  • v2.0.8 - Validation Bug fix for Get Expel Alert
  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.5.0 - Added new Get All Expel Alerts (CSV) action.
  • v1.4.1 - Added multiple fields in Get Expel Alert action's response.
  • v1.4.0 - Added 'original_alert_id' field in Get Vendor Alert action's response.
  • v1.3.0 - Added new 'Get Investigative Actions' action.
  • v1.2.3 - Added 'output type' optional field to the List All Investigations action.
  • v1.2.2 - Added 1 action Get Investigation which retrieves investigation using their short link.
  • v1.1.0 - Modified list all Investigations action: added new fields to the response and added two more actions: Get Expel Alert and Get Vendor Alert
  • v1.0.2 - Added 6 actions to perform investigation operations.