Expel
Version: 2.0.8
Expel is a SOC-as-a-service platform that provides security monitoring and response for cloud, hybrid, and on-premises environments.
Connect Expel with Logichub
- Navigate to Automations > Integrations.
- Search for Expel.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select whether to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
- Api Token: API token used to authenticate to Expel.
- After you've entered all the details, click Connect.
Actions for Expel
List Open Investigations
List open investigations in Workbench.
Input Field
Choose a connection that you have previously created. This action takes no additional input fields.
Output
JSON containing following items:
{
"result": [{
"id": "abcd"
}, {
"id": "abcde"
}],
"error": null,
"has_error": false
}
List All Investigations
Retrieve all investigations. If an Investigation Id is provided, only that investigation is returned; by default, all investigations are returned.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up. | Optional |
Output Type | Jinja-templated text; enter '1' for one JSON per input row or '2' for one JSON per investigation found (Default is 1). | Optional |
Output
JSON containing following items:
{
"result": [{
"id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
"status": "TESTING",
"short_link": "ENVEST-43341",
"expel_alerts": [
{
"id": "20asdffc-079f-437d-87c9-f03asdf1a7",
"alert_type": "CLOUD",
"expel_name": "Potential mining",
"expel_severity": "HIGH",
"status": "CLOSED"
}
]
}],
"error": null,
"has_error": false
}
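As an added example (not LogicHub's or Expel's own code), a Python helper that unwraps the result/error/has_error envelope shown above, flattens each investigation to one row per Expel alert, and picks out the investigations that still carry an unclosed alert at or above a severity floor. The sample data is constructed, the severity ranking is assumed, and the handling of Output Type 2 (one investigation object per row instead of a list) is an assumption.

```python
from __future__ import annotations
import json
from typing import Any

# Constructed sample in the shape of the List All Investigations output above;
# ids, short links and the OPEN status are placeholders, not real Expel values.
SAMPLE_OUTPUT = json.loads('''{
  "result": [
    {"id": "inv-0001", "status": "OPEN", "short_link": "EXAMPLE-1",
     "expel_alerts": [{"id": "al-1", "alert_type": "CLOUD", "expel_name": "Potential mining",
                       "expel_severity": "HIGH", "status": "OPEN"}]},
    {"id": "inv-0002", "status": "TESTING", "short_link": "EXAMPLE-2",
     "expel_alerts": [{"id": "al-2", "alert_type": "CLOUD", "expel_name": "Test alert",
                       "expel_severity": "LOW", "status": "CLOSED"}]}
  ],
  "error": null,
  "has_error": false
}''')

# Assumed ranking of Expel severity labels; adjust if your tenant uses others.
SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def investigations(envelope: dict[str, Any]) -> list[dict[str, Any]]:
    """Unwrap the result/error/has_error envelope, failing loudly instead of yielding nothing."""
    if envelope.get("has_error"):
        raise RuntimeError(f"Expel action failed: {envelope.get('error')}")
    result = envelope.get("result")
    if result is None:
        return []
    # Assumed: with Output Type 2 each row carries one investigation object, not a list.
    return result if isinstance(result, list) else [result]


def flatten(envelope: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per (investigation, Expel alert) pair for downstream playbook steps."""
    rows = []
    for inv in investigations(envelope):
        for alert in inv.get("expel_alerts", []):
            rows.append({
                "investigation_id": inv["id"], "short_link": inv["short_link"],
                "investigation_status": inv["status"], "alert_id": alert["id"],
                "alert_name": alert["expel_name"], "severity": alert["expel_severity"],
                "alert_status": alert["status"]})
    return rows


def needs_attention(envelope: dict[str, Any], min_severity: str = "HIGH") -> list[str]:
    """Short links of investigations still holding an unclosed alert at or above min_severity."""
    floor = SEVERITY_ORDER[min_severity]
    return sorted({r["short_link"] for r in flatten(envelope)
                   if r["alert_status"] != "CLOSED"
                   and SEVERITY_ORDER.get(r["severity"], -1) >= floor})
```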
Close Investigations
Update an investigation’s state by closing it. Note that setting an investigation’s decision to anything other than None will close it.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up. | Required |
Decision | Jinja-templated text containing the Decision of the investigation. | Required |
Comment | Jinja-templated text containing the comment for the investigation. (Default is None) | Optional |
Output
JSON containing following items:
{
"Result": "Investigation closed successfully",
"error": null,
"has_error": false
}
List Investigations Comments
List all comments, showing when each was created and its id. If an Investigation Id is provided, only that investigation is returned; by default, all investigations are returned.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up. | Optional |
Output
JSON containing following items:
{
"result": [{
"timestamp": "2021-09-16T19:29:41.097Z",
"comment": "Test",
"id": "abcd"
}],
"error": null,
"has_error": false
}
Create Investigation Comments
Create a comment and associate it with an investigation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up. | Required |
Comment | Jinja-templated text containing the Comment for the Investigation. | Required |
Output
JSON containing following items:
{
"Result": "Investigation comment created successfully",
"error": null,
"has_error": false
}
Create Findings For Incident
Create new investigative findings for an incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up. | Required |
Finding Title | Jinja-templated text containing the Finding Title of the incident. | Required |
Finding Rank | Jinja-templated number containing the Rank of the incident. (Default is 1) | Optional |
Finding | Jinja-templated text containing the Finding of the incident. | Required |
Output
JSON containing following items:
{
"Result": "Finding for incident created successfully",
"error": null,
"has_error": false
}
Get Expel Alert
Get an Expel alert by its id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Expel Alert Id | Jinja-templated text containing the Expel Alert Id to look up. | Required |
Output
JSON containing following items:
{
"disposition_alerts_in_investigations_count": null,
"cust_disp_alerts_in_critical_incidents_count": null,
"activity_last_at": "2021-09-28T20:09:24.963Z",
"expel_alert_time": "2021-09-28T20:12:28.918Z",
"tuning_requested": false,
"vendor_disp_alerts_in_investigations_count": null,
"is_auto_add": false,
"investigative_action_count": 4,
"disposition_closed_alerts_count": null,
"cust_disp_closed_alerts_count": null,
"alert_type": "CLOUD",
"disposition_alerts_in_critical_incidents_count": null,
"activity_first_at": "2021-09-28T20:09:24.963Z",
"vendor_disp_disposed_alerts_count": null,
"expel_message": null,
"vendor_disp_alerts_in_incidents_count": null,
"expel_signature_id": "execution_bitcoinmining",
"close_comment": "This activity was generated as a result of authorized testing. Envestnet has verified this activity. This is internal testing activity. This was confirmed via comments within the assigned remediation actions. ",
"status_updated_at": "2021-09-28T20:12:29.069Z",
"relationships": {
"vendor": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7/relationships/vendor",
"related": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7/vendor"
},
"data": {
"type": "vendors",
"id": "742fc1a2-a400-40e5-9b8e-113fd2a97d8f"
}
}
},
"cust_disp_disposed_alerts_count": null,
"links": {
"self": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7"
},
"expel_alias_name": null,
"has_error": false,
"vendor_alerts": [
{
"id": "bf9250cc-cfc0-4f75-ad8e-0e4caff86af8",
"status": "NORMAL",
"vendor_severity": "HIGH"
}
],
"id": "20d4e12c-079f-437d-87c9-f030e7f061a7",
"vendor_disp_closed_alerts_count": null,
"git_rule_url": "https://github.com/expel-io/expel-eye/edit/main/rules/vendor/AWS/bitcoinmining.yml",
"properties": null,
"vendor_disp_alerts_in_critical_incidents_count": null,
"error": null,
"vendor_alert_count": 1,
"status": "CLOSED",
"cust_disp_alerts_in_incidents_count": null,
"disposition_disposed_alerts_count": null,
"created_at": "2021-09-28T20:12:29.069Z",
"expel_severity": "HIGH",
"expel_name": "Potential bitcoin mining",
"type": "expel_alerts",
"updated_at": "2021-09-28T20:14:17.614Z",
"ref_event_id": null,
"cust_disp_alerts_in_investigations_count": null,
"close_reason": "TESTING",
"disposition_alerts_in_incidents_count": null,
"expel_version": "f12457aa70250901805623a30972c22b571702b6"
}
Get Vendor Alert
Get a vendor alert by its id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Vendor Alert Id | Jinja-templated text containing the Vendor Alert Id to look up. | Required |
Output
JSON containing following items:
{
"evidence_summary": [
{
"process_evidence": {
"src_process_v1": {
"started_at": "2022-03-16T11:53:09",
"process_name": "msedg.exe",
"process_user": {
"username": "aman.Keramagi",
"username_norm": "aman.keramagi",
"sid": "S-1-5-21-2043237595-5324247304-483988704-76616"
},
"process_args": "--type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2088,i,11427051102919855135,10905934713271070491,131072 /prefetch:3",
"process_args_norm": "--type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2088,i,11427051102919855135,10905934713271070491,131072 /prefetch:3",
"process_path": {
"file_hash": [
{
"type": "SHA256",
"value": "91e3dd07e4e8f44asdfsadfdae18b05865d5ea2f48a01b9aa"
}
],
"file_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\msedge.exe",
"file_path_norm": "c:/program files (x86)/microsoft/application/msedge.exe",
"filename": "msedge.exe",
"filename_norm": "msedge.exe"
},
"asset": {
"asset_name": "IN-L2426",
"asset_name_norm": "in-l22346",
"asset_types": [
"ENDPOINT"
],
"agents": [
{
"identifier": "3c8c3c7392e2asdf8d34c4521f981209",
"version": "6.33.14.0"
}
],
"domain": "corp.yodl33.com",
"os": {
"name": "Windows 10",
"os_type": "WINDOWS",
"major_version": "10",
"minor_version": "0"
},
"manufacturer": "LENOVO",
"model": "20Vdf05U00",
"nics": [
{
"ip_addr": {
"ip": "192.1.29.103"
},
"mac_addr": {
"mac_addr": "7c-35-ad-1b-6b-29"
}
}
],
"external_ip": {
"ip": "121.2.1.1"
},
"first_seen": "2022-01-19T10:21:40Z",
"last_seen": "2022-03-16T11:44:02Z"
}
},
"alert_action": "ACTION_ALERT"
}
}
],
"has_error": false,
"id": "6b7500f3-6975-4525-9731-a0b4basdf0d9",
"original_alert_id": "sadfkjnsof-wefnwfn234re-ru23r23",
"error": null,
"status": "NORMAL"
}
Get Investigation
Get an investigation by its short link.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Short Link | Jinja-templated text containing the Short link of the Investigation to look up. | Required |
Output
JSON containing following items:
{
"result": {
"id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
"status": "TESTING",
"short_link": "ENVEST-43341",
"expel_alerts": [
{
"id": "20asdffc-079f-437d-87c9-f03asdf1a7",
"alert_type": "CLOUD",
"expel_name": "Potential mining",
"expel_severity": "HIGH",
"status": "CLOSED"
}
]
},
"error": null,
"has_error": false
}
Get Investigative Actions
Get the investigative actions for a given investigation id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id whose actions are to be retrieved. | Required |
Output
JSON containing following items:
{
"jsonapi": {
"version": "1.0"
},
"meta": {
"reqId": "03918aca-7e2-e0907df40b8a",
"page": {
"offset": 0,
"limit": 50,
"total": 27
}
},
"links": {
"self": "/api/v2/investigative_actions?filter%5Binvestigation%5D%5Bid%5D=:e6c40f86-4c18-4d5a-9963238e4b"
},
"data": [
{
"type": "investigative_actions",
"id": "063315be-1bf5-4da4-9de3-45db08dbede7",
"attributes": {
"status": "COMPLETED",
"title": "PDNS Do.pool.minergate.com",
"instructions": "",
"created_at": "2021-09-28T20:12:31.879Z",
"updated_at": "2021-09-28T20:14:17.614Z",
"status_updated_at": "2021-09-28T20:12:31.935Z",
"reason": "Robotic Action",
"results": "| DNS Resolution | Count | First Seen | Last Seen | Record Type\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| **176.9.2.145** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |\n| **176.9.147.78** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |\n| **176.9.147.178** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |",
"close_reason": null,
"input_args": null,
"capability_name": null,
"taskability_action_id": null,
"result_task_id": null,
"deleted_at": null,
"action_type": "MANUAL",
"tasking_error": null,
"robot_action": true,
"activity_authorized": null,
"activity_verified_by": null,
"downgrade_reason": null,
"files_count": 0,
"workflow_name": "Domain Info",
"workflow_job_id": null,
"result_byte_size": 0,
"content_driven_results": null,
"rank": 0
},
"links": {
"self": "/api/v2/investigative_actions/06335db08dbede7"
},
"relationships": {
"assigned_to_actor": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/0633155db08dbede7/relationships/assigned_to_actor",
"related": "/api/v2/investigative_actions/063315e3-45db08dbede7/assigned_to_actor"
},
"data": {
"type": "actors",
"id": "ab5aed32--aaeff8c22fc3"
}
},
"investigation": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/0633153-45db08dbede7/relationships/investigation",
"related": "/api/v2/investigative_actions/063315bb08dbede7/investigation"
},
"data": {
"type": "investigations",
"id": "e6c40f86-b63238e4b"
}
},
"depends_on_investigative_action": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063315be-45db08dbede7/relationships/depends_on_investigative_action",
"related": "/api/v2/investigative_actions/063315bedb08dbede7/depends_on_investigative_action"
},
"data": null
},
"dependent_investigative_actions": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063313-45db08dbede7/relationships/dependent_investigative_actions",
"related": "/api/v2/investigative_actions/0633155db08dbede7/dependent_investigative_actions"
}
},
"expel_alert": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063315b45db08dbede7/relationships/expel_alert",
"related": "/api/v2/investigative_actions/063315be5db08dbede7/expel_alert"
},
"data": {
"type": "expel_alerts",
"id": "20d4e130e7f061a7"
}
},
"analysis_assigned_to_actor": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063315be-1db08dbede7/relationships/analysis_assigned_to_actor",
"related": "/api/v2/investigative_actions/063315be-15db08dbede7/analysis_assigned_to_actor"
},
"data": {
"type": "actors",
"id": "ab5aed32-ff8c22fc3"
}
},
"security_device": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/06331bede7/relationships/security_device",
"related": "/api/v2/investigative_actions/063315bdb08dbede7/security_device"
},
"data": null
},
"organization": {
"meta": {
"relation": "primary",
"readOnly": true
},
"links": {
"self": "/api/v2/investigative_actions/0633-45db08dbede7/relationships/organization",
"related": "/api/v2/investigative_actions/06331-45db08dbede7/organization"
},
"data": {
"type": "organizations",
"id": "8cc558f1-56f4f44dcc"
}
},
"result_file": {
"meta": {
"relation": "primary",
"readOnly": true
},
"links": {
"self": "/api/v2/investigative_actions/063315bede3-45db08dbede7/relationships/result_file",
"related": "/api/v2/investigative_actions/063315b-45db08dbede7/result_file"
},
"data": null
},
"created_by": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063315bede7/relationships/created_by",
"related": "/api/v2/investigative_actions/063315b3-45db08dbede7/created_by"
},
"data": {
"type": "actors",
"id": "ab5aed32-061f-5d75-86b2-aaeff8c22fc3"
}
},
"updated_by": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/0633db08dbede7/relationships/updated_by",
"related": "/api/v2/investigative_actions/06331545db08dbede7/updated_by"
},
"data": {
"type": "actors",
"id": "ae4298a3af8935"
}
},
"files": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063315be-18dbede7/relationships/files",
"related": "/api/v2/investigative_actions/063315b08dbede7/files"
}
},
"investigative_action_histories": {
"meta": {
"relation": "primary",
"readOnly": false
},
"links": {
"self": "/api/v2/investigative_actions/063315b08dbede7/relationships/investigative_action_histories",
"related": "/api/v2/investigative_actions/06338dbede7/investigative_action_histories"
}
}
}
}
],
"included": [],
"error": null,
"has_error": false
}
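As an added example (not LogicHub's or Expel's own code), a Python helper that walks the JSON:API structure returned above: it resolves each relationship's `data` to an id (tolerating `null` and relationships such as `files` that carry no `data` key), parses the markdown table Expel writes into `results` into rows keyed by header, and flattens each investigative action to the fields an analyst triages on. The sample data is constructed; the PENDING status and the ids are placeholders.

```python
from __future__ import annotations
import json
import re
# Constructed sample in the shape of the Get Investigative Actions output above;
# ids, titles and the PENDING status are placeholders, not real Expel values.
SAMPLE = json.loads(r'''{
  "data": [
    {"type": "investigative_actions", "id": "ia-1",
     "attributes": {"status": "COMPLETED", "title": "PDNS pool.example.invalid", "robot_action": true,
       "results": "| DNS Resolution | Count | First Seen | Last Seen | Record Type\n| --- | --- | --- | --- | --- |\n| **198.51.100.7** | **12** | **2021-09-01T00:00:00Z** | **2021-09-27T00:00:00Z** | **A** |"},
     "relationships": {"expel_alert": {"data": {"type": "expel_alerts", "id": "ea-1"}},
       "depends_on_investigative_action": {"data": null}, "files": {}}},
    {"type": "investigative_actions", "id": "ia-2",
     "attributes": {"status": "PENDING", "title": "Review host", "robot_action": false, "results": ""},
     "relationships": {"expel_alert": {"data": null},
       "depends_on_investigative_action": {"data": {"type": "investigative_actions", "id": "ia-1"}}}}
  ],
  "included": [], "error": null, "has_error": false
}''')

def related_id(action: dict, rel: str) -> str | None:
    """Id behind a JSON:API relationship; None when data is null or absent (as for 'files')."""
    data = action.get("relationships", {}).get(rel, {}).get("data")
    return data.get("id") if isinstance(data, dict) else None

def _cells(line: str) -> list[str]:
    """Cells of one pipe-table line, without edge pipes or the ** bold markers Expel adds."""
    return [c.strip().strip("*").strip() for c in line.strip().strip("|").split("|")]

def parse_results_table(markdown: str | None) -> list[dict[str, str]]:
    """Rows keyed by header from the markdown table Expel writes into `results`."""
    lines = [ln for ln in (markdown or "").splitlines() if "|" in ln]
    if not lines:
        return []
    header, rows = _cells(lines[0]), []
    for ln in lines[1:]:
        cells = _cells(ln)
        if all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue  # markdown alignment row
        rows.append(dict(zip(header, cells)))
    return rows

def summarize(envelope: dict) -> list[dict]:
    """Flatten each investigative action to the fields an analyst triages on."""
    if envelope.get("has_error"):
        raise RuntimeError(f"Expel action failed: {envelope.get('error')}")
    return [{
        "id": a["id"], "title": a["attributes"]["title"], "status": a["attributes"]["status"],
        "robot_action": a["attributes"].get("robot_action", False),
        "expel_alert_id": related_id(a, "expel_alert"),
        "depends_on": related_id(a, "depends_on_investigative_action"),
        "rows": parse_results_table(a["attributes"].get("results")),
    } for a in envelope.get("data", [])]
```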
Get All Expel Alerts (CSV)
Download Expel Alert CSV Data.
Input Field
Choose a connection that you have previously created.
Output
JSON containing the following items:
{
"result":{
"file_id":"3i24uhro324uhrp9r3fpiuh3"
},
"error": null,
"has_error": false
}
Release Notes
v2.0.8
- Validation bug fix for Get Expel Alert
v2.0.0
- Updated architecture to support IO via filesystem
v1.5.0
- Added new Get All Expel Alerts (CSV) action.
v1.4.1
- Added multiple fields in Get Expel Alert action's response.
v1.4.0
- Added 'original_alert_id' field in Get Vendor Alert action's response.
v1.3.0
- Added new 'Get Investigative Actions' action.
v1.2.3
- Added 'output type' optional field to the List All Investigations action.
v1.2.2
- Added 1 action, Get Investigation, which retrieves an investigation using its short link.
v1.1.0
- Modified List All Investigations action: added new fields to the response and added two more actions: Get Expel Alert and Get Vendor Alert
v1.0.2
- Added 6 actions to perform investigation operations.