# Expel
Expel is a SOC-as-a-service platform that provides security monitoring and response for cloud, hybrid, and on-premises environments.
## Connect Expel with Devo SOAR

1. Navigate to Automations > Integrations.
2. Search for Expel.
3. Click Details, then the + icon. Enter the required information in the following fields.
   - Label: Connection name.
   - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
   - Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
   - Api Token: API token used to access Expel.
4. After you've entered all the details, click Connect.
## Actions for Expel

## List Open Investigations
List open investigations in Workbench.
### Input Field
Choose a connection that you have previously created. This action takes no additional input fields.
### Output
JSON containing the following items:
```json
{ "result": [{ "id": "abcd" }, { "id": "abcde" }], "error": null, "has_error": false }
```
## List All Investigations
Retrieve all investigations. If an Investigation Id is provided, only that investigation is returned; by default all investigations are returned.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------- | :-------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Investigation Id | [Jinja-templated](doc:jinja-template) text containing the Investigation Id to look up. | Optional |
| Output Type | [Jinja-templated](doc:jinja-template) text; enter '1' for one JSON per input row or '2' for one JSON per investigation found (default is 1). | Optional |
### Output
JSON containing the following items:
```json
{
  "result": [{
    "id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
    "status": "TESTING",
    "short_link": "ENVEST-43341",
    "expel_alerts": [
      {
        "id": "20asdffc-079f-437d-87c9-f03asdf1a7",
        "alert_type": "CLOUD",
        "expel_name": "Potential mining",
        "expel_severity": "HIGH",
        "status": "CLOSED"
      }
    ]
  }],
  "error": null,
  "has_error": false
}
```
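An added example, not part of the Devo SOAR Expel integration, showing how playbook logic might consume the List All Investigations output documented above: it checks the `result`/`error`/`has_error` envelope that every action on this page returns, applies the Output Type '1' vs '2' fan-out, and selects investigations that carry an Expel alert of a given severity. The sample payload is constructed to match the shape above (the second record is made up) and the function names are assumptions.

```python
# Added example (not Devo SOAR or Expel code): consume the documented
# "List All Investigations" output from playbook logic.
from typing import Any, Dict, List, Optional

# Constructed sample shaped like the output above (second record is made up).
SAMPLE_OUTPUT: Dict[str, Any] = {
    "result": [
        {"id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b", "status": "TESTING",
         "short_link": "ENVEST-43341",
         "expel_alerts": [{"id": "alert-1", "alert_type": "CLOUD",
                           "expel_name": "Potential mining",
                           "expel_severity": "HIGH", "status": "CLOSED"}]},
        {"id": "00000000-0000-0000-0000-000000000002", "status": "OPEN",
         "short_link": "ENVEST-43342",
         "expel_alerts": [{"id": "alert-2", "alert_type": "CLOUD",
                           "expel_name": "Unusual API call",
                           "expel_severity": "LOW", "status": "OPEN"}]},
    ],
    "error": None,
    "has_error": False,
}

def envelope_error(payload: Dict[str, Any]) -> Optional[str]:
    """Every action here returns {result, error, has_error}; report a failure or None."""
    if payload.get("has_error") or payload.get("error") is not None:
        return str(payload.get("error") or "unknown error")
    return None

def fan_out(payload: Dict[str, Any], output_type: str = "1") -> List[List[Dict[str, Any]]]:
    """Output Type '1': one row with all investigations; '2': one row per investigation."""
    err = envelope_error(payload)
    if err is not None:
        raise RuntimeError(f"Expel action failed: {err}")
    investigations = payload.get("result") or []
    if str(output_type) == "1":
        return [investigations]
    if str(output_type) == "2":
        return [[inv] for inv in investigations]
    raise ValueError(f"Output Type must be '1' or '2', got {output_type!r}")

def short_links_with_severity(payload: Dict[str, Any], severity: str = "HIGH") -> List[str]:
    """Short links of investigations with at least one alert at the given expel_severity."""
    return [inv["short_link"] for inv in fan_out(payload, "1")[0]
            if any(a.get("expel_severity") == severity for a in inv.get("expel_alerts", []))]
```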
## Close Investigations
Update an investigation's state by closing it. Note that setting an investigation's decision to anything other than None will close it.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------- | :------------------------------------------------------------------------------------ | :------- |
| Investigation Id | [Jinja-templated](doc:jinja-template) text containing the Investigation Id to look up. | Required |
| Decision | [Jinja-templated](doc:jinja-template) text containing the Decision of the investigation. | Required |
| Comment | [Jinja-templated](doc:jinja-template) text containing the comment for the investigation (default is None). | Optional |
### Output
JSON containing the following items:
```json
{ "Result": "Investigation closed successfully", "error": null, "has_error": false }
```
## List Investigations Comments
List all comments with their creation timestamps and ids. If an Investigation Id is provided, only the comments for that investigation are returned; by default comments for all investigations are returned.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------- | :----------------------------------------------------------------------------------------- | :------- |
| Investigation Id | [Jinja-templated](doc:jinja-template) text containing the Investigation Id to look up. | Optional |
### Output
JSON containing the following items:
```json
{
  "result": [{
    "timestamp": "2021-09-16T19:29:41.097Z",
    "comment": "Test",
    "id": "abcd"
  }],
  "error": null,
  "has_error": false
}
```
## Create Investigation Comments
Create a comment and associate it with an investigation.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------- | :------------------------------------------------------------------------------------ | :------- |
| Investigation Id | [Jinja-templated](doc:jinja-template) text containing the Investigation Id to look up. | Required |
| Comment | [Jinja-templated](doc:jinja-template) text containing the Comment for the Investigation. | Required |
### Output
JSON containing the following items:
```json
{ "Result": "Investigation comment created successfully", "error": null, "has_error": false }
```
## Create Findings For Incident
Create new investigative findings for an incident.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------- | :------------------------------------------------------------------------------------------- | :------- |
| Investigation Id | [Jinja-templated](doc:jinja-template) text containing the Investigation Id to look up. | Required |
| Finding Title | [Jinja-templated](doc:jinja-template) text containing the Finding Title of the incident. | Required |
| Finding Rank | [Jinja-templated](doc:jinja-template) number containing the Rank of the incident (default is 1). | Optional |
| Finding | [Jinja-templated](doc:jinja-template) text containing the Finding of the incident. | Required |
### Output
JSON containing the following items:
```json
{
  "Result": "Finding for incident created successfully",
  "error": null,
  "has_error": false
}
```
## Get Expel Alert
Get an Expel alert by its id.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------- | :---------------------------------------------------------------------------------- | :------- |
| Expel Alert Id | [Jinja-templated](doc:jinja-template) text containing the Expel Alert Id to look up. | Required |
### Output
JSON containing the following items:
```json
{
  "disposition_alerts_in_investigations_count": null,
  "cust_disp_alerts_in_critical_incidents_count": null,
  "activity_last_at": "2021-09-28T20:09:24.963Z",
  "expel_alert_time": "2021-09-28T20:12:28.918Z",
  "tuning_requested": false,
  "vendor_disp_alerts_in_investigations_count": null,
  "is_auto_add": false,
  "investigative_action_count": 4,
  "disposition_closed_alerts_count": null,
  "cust_disp_closed_alerts_count": null,
  "alert_type": "CLOUD",
  "disposition_alerts_in_critical_incidents_count": null,
  "activity_first_at": "2021-09-28T20:09:24.963Z",
  "vendor_disp_disposed_alerts_count": null,
  "expel_message": null,
  "vendor_disp_alerts_in_incidents_count": null,
  "expel_signature_id": "execution_bitcoinmining",
  "close_comment": "This activity was generated as a result of authorized testing. Envestnet has verified this activity. This is internal testing activity. This was confirmed via comments within the assigned remediation actions. ",
  "status_updated_at": "2021-09-28T20:12:29.069Z",
  "relationships": {
    "vendor": {
      "meta": { "relation": "primary", "readOnly": false },
      "links": {
        "self": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7/relationships/vendor",
        "related": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7/vendor"
      },
      "data": { "type": "vendors", "id": "742fc1a2-a400-40e5-9b8e-113fd2a97d8f" }
    }
  },
  "cust_disp_disposed_alerts_count": null,
  "links": { "self": "/api/v2/expel_alerts/20d4e12c-079f-437d-87c9-f030e7f061a7" },
  "expel_alias_name": null,
  "has_error": false,
  "vendor_alerts": [
    { "id": "bf9250cc-cfc0-4f75-ad8e-0e4caff86af8", "status": "NORMAL", "vendor_severity": "HIGH" }
  ],
  "id": "20d4e12c-079f-437d-87c9-f030e7f061a7",
  "vendor_disp_closed_alerts_count": null,
  "git_rule_url": "https://github.com/expel-io/expel-eye/edit/main/rules/vendor/AWS/bitcoinmining.yml",
  "properties": null,
  "vendor_disp_alerts_in_critical_incidents_count": null,
  "error": null,
  "vendor_alert_count": 1,
  "status": "CLOSED",
  "cust_disp_alerts_in_incidents_count": null,
  "disposition_disposed_alerts_count": null,
  "created_at": "2021-09-28T20:12:29.069Z",
  "expel_severity": "HIGH",
  "expel_name": "Potential bitcoin mining",
  "type": "expel_alerts",
  "updated_at": "2021-09-28T20:14:17.614Z",
  "ref_event_id": null,
  "cust_disp_alerts_in_investigations_count": null,
  "close_reason": "TESTING",
  "disposition_alerts_in_incidents_count": null,
  "expel_version": "f12457aa70250901805623a30972c22b571702b6"
}
```
## Get Investigation
Get an investigation by its short link.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :----------------------- | :----------------------------------------------------------------------------------------------- | :------- |
| Investigation Short Link | [Jinja-templated](doc:jinja-template) text containing the Short link of the Investigation to look up. | Required |
### Output
JSON containing the following items:
```json
{
  "result": {
    "id": "e6c40f86-4c18-4d5a-999f-c10b63238e4b",
    "status": "TESTING",
    "short_link": "ENVEST-43341",
    "expel_alerts": [
      {
        "id": "20asdffc-079f-437d-87c9-f03asdf1a7",
        "alert_type": "CLOUD",
        "expel_name": "Potential mining",
        "expel_severity": "HIGH",
        "status": "CLOSED"
      }
    ]
  },
  "error": null,
  "has_error": false
}
```
## Get All Expel Alerts (CSV)
Download Expel Alert CSV Data.
### Input Field
Choose a connection that you have previously created.
### Output
JSON containing the following items:
```json
{
  "result": {
    "file_id": "3i24uhro324uhrp9r3fpiuh3"
  },
  "error": null,
  "has_error": false
}
```
## Release Notes

v2.0.0
- Updated architecture to support IO via filesystem.

v1.5.0
- Added new Get All Expel Alerts (CSV) action.

v1.4.1
- Added multiple fields in Get Expel Alert action's response.

v1.4.0
- Added 'original_alert_id' field in Get Vendor Alert action's response.

v1.3.0
- Added new 'Get Investigative Actions' action.

v1.2.3
- Added 'output type' optional field to the List All Investigations action.

v1.2.2
- Added 1 action, Get Investigation, which retrieves an investigation using its short link.

v1.1.0
- Modified List All Investigations action: added new fields to the response and added two more actions: Get Expel Alert and Get Vendor Alert.

v1.0.2
- Added 6 actions to perform investigation operations.