...
Expel is a SOC-as-a-service platform that provides security monitoring and response for cloud, hybrid, and on-premises environments.
Connect Expel with Devo SOAR
Navigate to Automations > Integrations.
Search for Expel.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate). Leave it enabled outside of troubleshooting: with verification off, the API token is sent to whichever server answers for the hostname.
Api Token: The API token used to authenticate to Expel.
After you've entered all the details, click Connect.
Actions for Expel
List Open Investigations
List open investigations in Workbench.
Input Field
Choose a connection that you have previously created. This action has no additional input fields.
Output
JSON containing the following items:
...
List All Investigations
Retrieve all investigations. If an Investigation Id is provided, only that investigation is returned; by default all investigations are returned.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up for. | Optional |
Output Type | Jinja-templated text, enter '1' for one JSON per input row or '2' for one JSON per investigation found (Default is 1). | Optional |
Output
JSON containing the following items:
```json
{
  "result": [
    {
      "id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
      "status": "TESTING",
      "short_link": "ENVEST-43341",
      "expel_alerts": [
        {
          "id": "20asdffc-079f-437d-87c9-f03asdf1a7",
          "alert_type": "CLOUD",
          "expel_name": "Potential mining",
          "expel_severity": "HIGH",
          "status": "CLOSED"
        }
      ]
    }
  ],
  "error": null,
  "has_error": false
}
```
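The Output Type option decides how many rows the next playbook step receives, which matters when that step (Close Investigations, Create Investigation Comments) expects exactly one Investigation Id per row. The Python below is an added example, not Devo SOAR or Expel code: the lookup and shape_output helpers, the sample investigations, and the assumption that an output-type-2 row carries a single investigation object under "result" are all mine.

```python
# Added example (not Devo SOAR or Expel code): how the Output Type option of
# List All Investigations shapes the rows handed to the next step.
# lookup(), shape_output() and the sample data are assumptions.

# Constructed sample, in the shape of the action's "result" items.
INVESTIGATIONS = [
    {"id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b", "status": "TESTING",
     "short_link": "ENVEST-43341",
     "expel_alerts": [{"id": "20asdffc-079f-437d-87c9-f03asdf1a7", "alert_type": "CLOUD",
                       "expel_name": "Potential mining", "expel_severity": "HIGH",
                       "status": "CLOSED"}]},
    {"id": "11111111-2222-3333-4444-555555555555", "status": "OPEN",
     "short_link": "ENVEST-43342", "expel_alerts": []},
]


def lookup(investigation_id=None):
    """Mimic the action's filter: one investigation when an Id is given, else all."""
    if investigation_id:
        return [i for i in INVESTIGATIONS if i["id"] == investigation_id]
    return list(INVESTIGATIONS)


def shape_output(input_rows, output_type="1"):
    """Apply the Output Type rule to a batch of input rows.

    "1": one JSON per input row, its "result" holding every match (possibly []).
    "2": one JSON per investigation found, so a row whose lookup matches nothing
         produces no output at all; downstream steps must tolerate that.
    Any other value falls back to "1", the action's default.
    """
    output_type = str(output_type) if str(output_type) in ("1", "2") else "1"
    out = []
    for row in input_rows:
        found = lookup(row.get("investigation_id"))
        if output_type == "1":
            out.append({"result": found, "error": None, "has_error": False})
        else:
            for inv in found:
                # Assumed shape for per-investigation rows: a single object under "result".
                out.append({"result": inv, "error": None, "has_error": False})
    return out
```

With type 2, a row whose Investigation Id matches nothing silently disappears from the output; with type 1 it survives as a row with an empty result list, which is easier to catch in a playbook condition.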
Close Investigations
Update an investigation’s state by closing it. Note that setting an investigation’s decision to anything other than None will close it.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up for. | Required |
Decision | Jinja-templated text containing the Decision of the investigation. | Required |
Comment | Jinja-templated text containing the comment for the investigation. (Default is None) | Optional |
Output
JSON containing the following items:
...
List Investigations Comments
List all comments, showing when each was created and its id. If an Investigation Id is provided, only the comments of that investigation are returned; by default comments for all investigations are returned.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up for. | Optional |
Output
JSON containing the following items:
```json
{
  "result": [
    {
      "timestamp": "2021-09-16T19:29:41.097Z",
      "comment": "Test",
      "id": "abcd"
    }
  ],
  "error": null,
  "has_error": false
}
```
Create Investigation Comments
Create a comment and associate it with an investigation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up for. | Required |
Comment | Jinja-templated text containing the Comment for the Investigation. | Required |
Output
JSON containing the following items:
...
Create Findings For Incident
Create new investigative findings for an incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id to look up for. | Required |
Finding Title | Jinja-templated text containing the Finding Title of the incident. | Required |
Finding Rank | Jinja-templated number containing the Rank of the incident (Default is 1). | Optional |
Finding | Jinja-templated text containing the Finding of the incident. | Required |
Output
JSON containing the following items:
```json
{
  "Result": "Finding for incident created successfully",
  "error": null,
  "has_error": false
}
```
Get Expel Alert
Get an Expel alert by its id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Expel Alert Id | Jinja-templated text containing the Expel Alert Id to look up for. | Required |
Output
JSON containing the following items:
...
Get Vendor Alert
Get a vendor alert by its id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Vendor Alert Id | Jinja-templated text containing the Vendor Alert Id to look up for. | Required |
Output
JSON containing the following items:
```json
{
  "evidence_summary": [
    {
      "process_evidence": {
        "src_process_v1": {
          "started_at": "2022-03-16T11:53:09",
          "process_name": "msedg.exe",
          "process_user": {
            "username": "aman.Keramagi",
            "username_norm": "aman.keramagi",
            "sid": "S-1-5-21-2043237595-5324247304-483988704-76616"
          },
          "process_args": "--type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2088,i,11427051102919855135,10905934713271070491,131072 /prefetch:3",
          "process_args_norm": "--type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=2088,i,11427051102919855135,10905934713271070491,131072 /prefetch:3",
          "process_path": {
            "file_hash": [
              {
                "type": "SHA256",
                "value": "91e3dd07e4e8f44asdfsadfdae18b05865d5ea2f48a01b9aa"
              }
            ],
            "file_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\msedge.exe",
            "file_path_norm": "c:/program files (x86)/microsoft/application/msedge.exe",
            "filename": "msedge.exe",
            "filename_norm": "msedge.exe"
          },
          "asset": {
            "asset_name": "IN-L2426",
            "asset_name_norm": "in-l22346",
            "asset_types": ["ENDPOINT"],
            "agents": [
              {
                "identifier": "3c8c3c7392e2asdf8d34c4521f981209",
                "version": "6.33.14.0"
              }
            ],
            "domain": "corp.yodl33.com",
            "os": {
              "name": "Windows 10",
              "os_type": "WINDOWS",
              "major_version": "10",
              "minor_version": "0"
            },
            "manufacturer": "LENOVO",
            "model": "20Vdf05U00",
            "nics": [
              {
                "ip_addr": { "ip": "192.1.29.103" },
                "mac_addr": { "mac_addr": "7c-35-ad-1b-6b-29" }
              }
            ],
            "external_ip": { "ip": "121.2.1.1" },
            "first_seen": "2022-01-19T10:21:40Z",
            "last_seen": "2022-03-16T11:44:02Z"
          }
        },
        "alert_action": "ACTION_ALERT"
      }
    }
  ],
  "has_error": false,
  "id": "6b7500f3-6975-4525-9731-a0b4basdf0d9",
  "original_alert_id": "sadfkjnsof-wefnwfn234re-ru23r23",
  "error": null,
  "status": "NORMAL"
}
```
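The vendor alert output nests the indicators an analyst actually pivots on (image hash, image path, user SID, asset IPs) several levels deep, and not every alert carries every field. The Python below is an added example, not Expel or Devo SOAR code: triage_indicators and its helpers are mine, the sample is constructed from the shape shown above, and the derived name_matches_image flag is my own check, not a field Expel returns.

```python
# Added example, not Expel or Devo SOAR code: flattens the nested
# evidence_summary that Get Vendor Alert returns into the indicators an
# analyst pivots on. The helper names and the derived "name_matches_image"
# flag are my additions; the sample is constructed from the shape above.

# Constructed sample, trimmed to the fields this code reads.
VENDOR_ALERT = {
    "id": "6b7500f3-6975-4525-9731-a0b4basdf0d9",
    "status": "NORMAL",
    "evidence_summary": [{
        "process_evidence": {
            "alert_action": "ACTION_ALERT",
            "src_process_v1": {
                "process_name": "msedg.exe",
                "process_user": {"username_norm": "aman.keramagi",
                                 "sid": "S-1-5-21-2043237595-5324247304-483988704-76616"},
                "process_path": {
                    "file_hash": [{"type": "SHA256",
                                   "value": "91e3dd07e4e8f44asdfsadfdae18b05865d5ea2f48a01b9aa"}],
                    "file_path_norm": "c:/program files (x86)/microsoft/application/msedge.exe",
                    "filename_norm": "msedge.exe",
                },
                "asset": {
                    "asset_name_norm": "in-l22346",
                    "nics": [{"ip_addr": {"ip": "192.1.29.103"},
                              "mac_addr": {"mac_addr": "7c-35-ad-1b-6b-29"}}],
                    "external_ip": {"ip": "121.2.1.1"},
                },
            },
        }
    }],
    "error": None,
    "has_error": False,
}


def _hashes(process_path, algo="SHA256"):
    """All hashes of one algorithm for the process image, sorted for stable output."""
    return sorted(h["value"] for h in process_path.get("file_hash", []) if h.get("type") == algo)


def _internal_ips(asset):
    """IPs of every NIC that reports one; NICs without an ip_addr are skipped."""
    return [n["ip_addr"]["ip"] for n in asset.get("nics", []) if (n.get("ip_addr") or {}).get("ip")]


def triage_indicators(alert):
    """One flat record per process evidence entry in the alert.

    Every nested key is read with .get() so a sparsely populated alert
    (no hashes, no NICs, no external IP) gives empty values rather than a
    KeyError that would fail the playbook step.
    """
    if alert.get("has_error"):
        raise ValueError(f"vendor alert {alert.get('id')} returned error: {alert.get('error')}")
    records = []
    for entry in alert.get("evidence_summary", []):
        pe = entry.get("process_evidence") or {}
        proc = pe.get("src_process_v1") or {}
        path = proc.get("process_path") or {}
        asset = proc.get("asset") or {}
        user = proc.get("process_user") or {}
        pname = (proc.get("process_name") or "").lower()
        image = path.get("filename_norm") or ""
        records.append({
            "alert_id": alert.get("id"),
            "alert_action": pe.get("alert_action"),
            "process_name": pname,
            "image_path": path.get("file_path_norm"),
            "sha256": _hashes(path),
            # True/False when both names are known, None otherwise. A reported
            # process name that differs from the on-disk image name (as in the
            # sample: msedg.exe vs msedge.exe) deserves a second look.
            "name_matches_image": (pname == image) if pname and image else None,
            "user": user.get("username_norm"),
            "sid": user.get("sid"),
            "asset": asset.get("asset_name_norm"),
            "internal_ips": _internal_ips(asset),
            "external_ip": (asset.get("external_ip") or {}).get("ip"),
        })
    return records
```

The records are flat on purpose: each value is a single string or list that can be dropped straight into a Devo search or a Create Findings For Incident step, and the error check at the top stops the playbook from enriching on an alert the action failed to fetch.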
Get Investigation
Get an investigation by its short link.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Short Link | Jinja-templated text containing the Short link of Investigation to look up for. | Required |
Output
JSON containing the following items:
...
Get Investigative Actions
Get the investigative actions for a given investigation id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Investigation Id | Jinja-templated text containing the Investigation Id whose actions have to be retrieved. | Required |
Output
JSON containing the following items:
```json
{
  "jsonapi": { "version": "1.0" },
  "meta": {
    "reqId": "03918aca-7e2-e0907df40b8a",
    "page": { "offset": 0, "limit": 50, "total": 27 }
  },
  "links": {
    "self": "/api/v2/investigative_actions?filter%5Binvestigation%5D%5Bid%5D=:e6c40f86-4c18-4d5a-9963238e4b"
  },
  "data": [
    {
      "type": "investigative_actions",
      "id": "063315be-1bf5-4da4-9de3-45db08dbede7",
      "attributes": {
        "status": "COMPLETED",
        "title": "PDNS Do.pool.minergate.com",
        "instructions": "",
        "created_at": "2021-09-28T20:12:31.879Z",
        "updated_at": "2021-09-28T20:14:17.614Z",
        "status_updated_at": "2021-09-28T20:12:31.935Z",
        "reason": "Robotic Action",
        "results": "| DNS Resolution | Count | First Seen | Last Seen | Record Type\n| ------------- | ------------- | ------------- | ------------- | ------------- |\n| **176.9.2.145** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |\n| **176.9.147.78** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |\n| **176.9.147.178** | **28035** | **2018-04-06T02:21:35-07:00** | **2019-08-05T06:07:02-07:00** | **A** |",
        "close_reason": null,
        "input_args": null,
        "capability_name": null,
        "taskability_action_id": null,
        "result_task_id": null,
        "deleted_at": null,
        "action_type": "MANUAL",
        "tasking_error": null,
        "robot_action": true,
        "activity_authorized": null,
        "activity_verified_by": null,
        "downgrade_reason": null,
        "files_count": 0,
        "workflow_name": "Domain Info",
        "workflow_job_id": null,
        "result_byte_size": 0,
        "content_driven_results": null,
        "rank": 0
      },
      "links": { "self": "/api/v2/investigative_actions/06335db08dbede7" },
      "relationships": {
        "assigned_to_actor": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/0633155db08dbede7/relationships/assigned_to_actor",
            "related": "/api/v2/investigative_actions/063315e3-45db08dbede7/assigned_to_actor"
          },
          "data": { "type": "actors", "id": "ab5aed32--aaeff8c22fc3" }
        },
        "investigation": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/0633153-45db08dbede7/relationships/investigation",
            "related": "/api/v2/investigative_actions/063315bb08dbede7/investigation"
          },
          "data": { "type": "investigations", "id": "e6c40f86-b63238e4b" }
        },
        "depends_on_investigative_action": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063315be-45db08dbede7/relationships/depends_on_investigative_action",
            "related": "/api/v2/investigative_actions/063315bedb08dbede7/depends_on_investigative_action"
          },
          "data": null
        },
        "dependent_investigative_actions": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063313-45db08dbede7/relationships/dependent_investigative_actions",
            "related": "/api/v2/investigative_actions/0633155db08dbede7/dependent_investigative_actions"
          }
        },
        "expel_alert": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063315b45db08dbede7/relationships/expel_alert",
            "related": "/api/v2/investigative_actions/063315be5db08dbede7/expel_alert"
          },
          "data": { "type": "expel_alerts", "id": "20d4e130e7f061a7" }
        },
        "analysis_assigned_to_actor": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063315be-1db08dbede7/relationships/analysis_assigned_to_actor",
            "related": "/api/v2/investigative_actions/063315be-15db08dbede7/analysis_assigned_to_actor"
          },
          "data": { "type": "actors", "id": "ab5aed32-ff8c22fc3" }
        },
        "security_device": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/06331bede7/relationships/security_device",
            "related": "/api/v2/investigative_actions/063315bdb08dbede7/security_device"
          },
          "data": null
        },
        "organization": {
          "meta": { "relation": "primary", "readOnly": true },
          "links": {
            "self": "/api/v2/investigative_actions/0633-45db08dbede7/relationships/organization",
            "related": "/api/v2/investigative_actions/06331-45db08dbede7/organization"
          },
          "data": { "type": "organizations", "id": "8cc558f1-56f4f44dcc" }
        },
        "result_file": {
          "meta": { "relation": "primary", "readOnly": true },
          "links": {
            "self": "/api/v2/investigative_actions/063315bede3-45db08dbede7/relationships/result_file",
            "related": "/api/v2/investigative_actions/063315b-45db08dbede7/result_file"
          },
          "data": null
        },
        "created_by": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063315bede7/relationships/created_by",
            "related": "/api/v2/investigative_actions/063315b3-45db08dbede7/created_by"
          },
          "data": { "type": "actors", "id": "ab5aed32-061f-5d75-86b2-aaeff8c22fc3" }
        },
        "updated_by": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/0633db08dbede7/relationships/updated_by",
            "related": "/api/v2/investigative_actions/06331545db08dbede7/updated_by"
          },
          "data": { "type": "actors", "id": "ae4298a3af8935" }
        },
        "files": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063315be-18dbede7/relationships/files",
            "related": "/api/v2/investigative_actions/063315b08dbede7/files"
          }
        },
        "investigative_action_histories": {
          "meta": { "relation": "primary", "readOnly": false },
          "links": {
            "self": "/api/v2/investigative_actions/063315b08dbede7/relationships/investigative_action_histories",
            "related": "/api/v2/investigative_actions/06338dbede7/investigative_action_histories"
          }
        }
      }
    }
  ],
  "included": [],
  "error": null,
  "has_error": false
}
```
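Two things in this response trip up playbooks: the action results come back as a Markdown table inside the "results" string, not as structured data, and the "meta.page" block means a busy investigation can span more than one page. The Python below is an added example, not Expel or Devo SOAR code; the function names and the constructed sample document are mine, and it assumes the JSON:API layout shown above.

```python
# Added example, not Expel or Devo SOAR code: reads the JSON:API document that
# Get Investigative Actions returns, decodes the Markdown table a robotic
# action leaves in "results", and decides whether another page must be
# fetched. The function names and the sample document are assumptions.
import re

# Constructed sample in the shape of the response above (one robotic PDNS action).
RESPONSE = {
    "jsonapi": {"version": "1.0"},
    "meta": {"reqId": "03918aca-7e2-e0907df40b8a",
             "page": {"offset": 0, "limit": 50, "total": 27}},
    "data": [{
        "type": "investigative_actions",
        "id": "063315be-1bf5-4da4-9de3-45db08dbede7",
        "attributes": {
            "status": "COMPLETED",
            "title": "PDNS Do.pool.minergate.com",
            "reason": "Robotic Action",
            "robot_action": True,
            "results": (
                "| DNS Resolution | Count | First Seen | Last Seen | Record Type\n"
                "| ------------- | ------------- | ------------- | ------------- | ------------- |\n"
                "| **176.9.2.145** | **28035** | **2018-04-06T02:21:35-07:00** "
                "| **2019-08-05T06:07:02-07:00** | **A** |"
            ),
        },
        "relationships": {
            "expel_alert": {"data": {"type": "expel_alerts", "id": "20d4e130e7f061a7"}},
            "security_device": {"data": None},
        },
    }],
    "included": [], "error": None, "has_error": False,
}

_BOLD = re.compile(r"^\*\*(.*)\*\*$")


def parse_markdown_table(text):
    """Turn a pipe-delimited Markdown table into a list of dicts.

    Copes with what the sample shows: a header row without a trailing pipe,
    a dash-only separator row, and bold (**...**) cell values. Anything that
    is not a table (empty string, free text) yields [].
    """
    lines = [l.strip() for l in (text or "").splitlines() if l.strip().startswith("|")]
    if len(lines) < 2:
        return []

    def cells(line):
        return [_BOLD.sub(r"\1", c.strip()) for c in line.strip("|").split("|")]

    header = cells(lines[0])
    rows = []
    for line in lines[1:]:
        row = cells(line)
        if all(set(c) <= set("-: ") for c in row):  # separator row
            continue
        rows.append(dict(zip(header, row)))
    return rows


def relation_id(action, name):
    """Id of a to-one relationship, or None when "data" is null or absent."""
    data = (action.get("relationships", {}).get(name) or {}).get("data")
    return data.get("id") if data else None


def summarize_actions(doc):
    """Flatten each investigative action and decode its results table."""
    if doc.get("has_error"):
        raise ValueError(f"request {doc.get('meta', {}).get('reqId')} failed: {doc.get('error')}")
    out = []
    for action in doc.get("data", []):
        attrs = action.get("attributes", {})
        out.append({
            "id": action.get("id"),
            "title": attrs.get("title"),
            "status": attrs.get("status"),
            "robot_action": bool(attrs.get("robot_action")),
            "expel_alert_id": relation_id(action, "expel_alert"),
            "security_device_id": relation_id(action, "security_device"),
            "rows": parse_markdown_table(attrs.get("results")),
        })
    return out


def next_offset(doc):
    """Offset of the next page, or None when this page was the last.

    The sample reports offset 0, limit 50, total 27: a single page. Looping
    on the page limit alone, or on a limit of 0, would never terminate.
    """
    page = doc.get("meta", {}).get("page", {})
    limit = page.get("limit", 0)
    if limit <= 0:
        return None
    nxt = page.get("offset", 0) + limit
    return nxt if nxt < page.get("total", 0) else None
```

The decoded rows (resolution, count, first/last seen, record type) are what you would feed into a Devo lookup or into a Create Findings For Incident step, and next_offset gives the playbook a loop condition that stops on the last page instead of on an arbitrary page count.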
Get All Expel Alerts (CSV)
Download Expel Alert CSV Data.
Input Field
Choose a connection that you have previously created.
Output
JSON containing the following items:
```json
{
  "result": {
    "file_id": "3i24uhro324uhrp9r3fpiuh3"
  },
  "error": null,
  "has_error": false
}
```
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem.
v1.5.0
- Added new Get All Expel Alerts (CSV) action.
v1.4.1
- Added multiple fields in the Get Expel Alert action's response.
v1.4.0
- Added 'original_alert_id' field in the Get Vendor Alert action's response.
v1.3.0
- Added new 'Get Investigative Actions' action.
v1.2.3
- Added 'Output Type' optional field to the List All Investigations action.
v1.2.2
- Added the Get Investigation action, which retrieves an investigation using its short link.
v1.1.0
- Modified the List All Investigations action: added new fields to the response, and added two more actions: Get Expel Alert and Get Vendor Alert.
v1.0.2
- Added 6 actions to perform investigation operations.
...