Workbench API Reference

class pyexclient.workbench.ActivityMetrics(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io activity_metric records

Resource type name is activity_metrics.

Example JSON record:

    {'activity': 'string',
     'created_at': '2019-01-15T15:35:00-05:00',
     'data': {},
     'ended_at': '2019-01-15T15:35:00-05:00',
     'referring_url': 'https://company.com/',
     'started_at': '2019-01-15T15:35:00-05:00',
     'updated_at': '2019-01-15T15:35:00-05:00',
     'url': 'https://company.com/'}

Below are valid filter by parameters:

Field Name       Field Type       Attribute  Relationship  Field Description
---------------  ---------------  ---------  ------------  -----------------
activity         string           Y          N             Activity Allows: “”, null
created_at       string           Y          N             Created timestamp: readonly
data             object           Y          N             Additional data about the activity Allows: null: no-sort
ended_at         string           Y          N             Date/Time of when the activity concluded
referring_url    string           Y          N             Referring url Allows: “”, null
started_at       string           Y          N             Date/Time of when the activity started
updated_at       string           Y          N             Last Updated timestamp: readonly
url              string           Y          N             Url Allows: “”, null
created_by       Actors           N          Y             Defines/retrieves expel.io actor records
expel_alert      ExpelAlerts      N          Y             Expel alerts
investigation    Investigations   N          Y             Investigations
security_device  SecurityDevices  N          Y             Security devices
updated_by       Actors           N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.Actors(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io actor records

Resource type name is actors.

Example JSON record:

    {'actor_type': 'system',
     'created_at': '2019-01-15T15:35:00-05:00',
     'display_name': 'string',
     'is_expel': True,
     'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name                                             Field Type                     Attribute  Relationship  Field Description
-----------------------------------------------------  -----------------------------  ---------  ------------  -----------------
actor_type                                             any                            Y          N             Actor type Restricted to: “system”, “user”, “organization”, “api”, “service”: immutable
created_at                                             string                         Y          N             Created timestamp: readonly
display_name                                           string                         Y          N             Display name Allows: “”, null
is_expel                                               boolean                        Y          N             Meta: readonly, no-sort, no-filter
updated_at                                             string                         Y          N             Last Updated timestamp: readonly
analysis_assigned_investigative_actions                InvestigativeActions           N          Y             investigative actions
assigned_expel_alerts                                  ExpelAlerts                    N          Y             Expel alerts
assigned_investigations                                Investigations                 N          Y             Investigations
assigned_investigative_actions                         InvestigativeActions           N          Y             investigative actions
assigned_organization_resilience_actions               OrganizationResilienceActions  N          Y             Organization to resilience actions
assigned_organization_resilience_actions_list          OrganizationResilienceActions  N          Y             Organization to resilience actions
assigned_remediation_actions                           RemediationActions             N          Y             Remediation actions
automate_opt_in_for_remediation_action_setting         RemediationActionSettings      N          Y             Defines/retrieves expel.io remediation_action_setting records
child_actors                                           Actors                         N          Y             Defines/retrieves expel.io actor records
child_organizations                                    Organizations                  N          Y             Defines/retrieves expel.io organization records
created_by                                             Actors                         N          Y             Defines/retrieves expel.io actor records
current_assigned_investigative_actions_classification  InvestigativeActions           N          Y             investigative actions
notification_preferences                               NotificationPreferences        N          Y             User Notification Preferences
organization                                           Organizations                  N          Y             Defines/retrieves expel.io organization records
parent_actor                                           Actors                         N          Y             Defines/retrieves expel.io actor records
updated_by                                             Actors                         N          Y             Defines/retrieves expel.io actor records
user_account                                           UserAccounts                   N          Y             User accounts

class pyexclient.workbench.ApiKeys(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io api_key records. These can only be created by a user and require an OTP token.

Resource type name is api_keys.

Example JSON record:

    {'access_token': 'string',
     'active': True,
     'assignable': True,
     'created_at': '2019-01-15T15:35:00-05:00',
     'display_name': 'string',
     'name': 'string',
     'realm': 'public',
     'restrictions': [],
     'role': 'expel_admin',
     'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name    Field Type     Attribute  Relationship  Field Description
------------  -------------  ---------  ------------  -----------------
access_token  string         Y          N             Only upon initial api key creation (POST), contains the bearer api key token required for api access.: readonly, no-sort, no-filter
active        boolean        Y          N             Active Allows: null
assignable    boolean        Y          N             Can Api key be assigned items (e.g. investigations, etc)
created_at    string         Y          N             Created timestamp: readonly
display_name  string         Y          N             Display name Allows: null
name          string         Y          N             Missing Description
realm         any            Y          N             Realm in which the api key can be used. Restricted to: “public”, “internal”
restrictions  array          Y          N             Special authorization restrictions for this api key
role          any            Y          N             Role Restricted to: “expel_admin”, “expel_analyst”, “organization_admin”, “organization_analyst”, “system”, “anonymous”, “restricted”
updated_at    string         Y          N             Last Updated timestamp: readonly
created_by    Actors         N          Y             Defines/retrieves expel.io actor records
organization  Organizations  N          Y             Defines/retrieves expel.io organization records
updated_by    Actors         N          Y             Defines/retrieves expel.io actor records
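Two things in this table matter operationally: access_token is returned only in the response to the creating POST, so it has to be captured and stored in a secret manager at that moment (a later GET will not return it), and role, realm, restrictions and created_at are all filterable, which makes a periodic least-privilege audit of api_keys cheap. The following is an added example, not pyexclient code and not part of the Workbench API: it audits api_keys records in the JSON shape shown above. Which roles count as privileged, the rotation age, and the sample records (including the placeholder restriction entry, since this page does not document the array's format) are assumptions; in practice the records would be iterated from xc.api_keys.

```python
"""API-key hygiene audit over api_keys records.

Added example, not part of pyexclient or the Workbench API. It consumes
api_keys records in the JSON shape documented above (role, realm, active,
assignable, restrictions, created_at). In practice the records come from
``xc.api_keys`` in pyexclient; here they are constructed inline so the
audit runs offline. Which roles count as privileged and the rotation age
are policy assumptions, not values defined by the API.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Assumed policy: these documented 'role' values get privileged-key scrutiny.
PRIVILEGED_ROLES = {"expel_admin", "organization_admin", "system"}
# Assumed policy: keys older than this should have been rotated.
MAX_KEY_AGE = timedelta(days=365)


def parse_ts(value: str) -> datetime:
    """Parse the API's ISO 8601 timestamps, e.g. '2019-01-15T15:35:00-05:00'."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def audit_api_key(key: dict, now: datetime) -> list[str]:
    """Return the findings for one api_keys record (empty list if clean)."""
    findings: list[str] = []
    role = key.get("role")
    if role in PRIVILEGED_ROLES:
        findings.append(f"privileged role {role}")
    if key.get("realm") == "internal":
        findings.append("internal realm")
    if not key.get("restrictions"):
        findings.append("no authorization restrictions")
    if key.get("active") is False:
        findings.append("inactive key still present (delete it)")
    if key.get("assignable") and role in PRIVILEGED_ROLES:
        findings.append("privileged key can be assigned work items")
    age = now - parse_ts(key["created_at"])
    if age > MAX_KEY_AGE:
        findings.append(f"older than rotation window ({age.days} days)")
    return findings


def audit_api_keys(keys, now: datetime | None = None) -> dict[str, list[str]]:
    """Map key name -> findings for every record that has at least one finding."""
    now = now or datetime.now(timezone.utc)
    report: dict[str, list[str]] = {}
    for key in keys:
        findings = audit_api_key(key, now)
        if findings:
            report[key.get("name") or key.get("display_name") or "<unnamed>"] = findings
    return report


# Constructed sample records in the documented shape; the restriction entry
# is a placeholder because this page does not document the array's format.
SAMPLE_KEYS = [
    {"name": "ci-readonly", "role": "organization_analyst", "realm": "public",
     "active": True, "assignable": False, "restrictions": ["placeholder-restriction"],
     "created_at": "2024-01-15T15:35:00-05:00"},
    {"name": "legacy-admin", "role": "organization_admin", "realm": "public",
     "active": True, "assignable": True, "restrictions": [],
     "created_at": "2019-01-15T15:35:00-05:00"},
    {"name": "old-disabled", "role": "organization_analyst", "realm": "public",
     "active": False, "assignable": False, "restrictions": ["placeholder-restriction"],
     "created_at": "2024-06-01T00:00:00+00:00"},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def sample_report() -> dict[str, list[str]]:
    """Run the audit over the constructed records at a fixed 'now'."""
    return audit_api_keys(SAMPLE_KEYS, SAMPLE_NOW)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(f"{name}: {'; '.join(findings)}")
```

Timestamps are normalised to UTC before the age comparison because the API emits offsets such as -05:00; comparing naive datetimes against an aware "now" would raise. The inactive-key check exists because an active=False key is still a record an attacker can try to reactivate; deleting it is the cleaner state.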

class pyexclient.workbench.AssemblerImages(data, conn, included=None)

Bases: ResourceInstance

Assembler Images

Resource type name is assembler_images.

Example JSON record:

    {'created_at': '2019-01-15T15:35:00-05:00',
     'hash_md5': 'string',
     'hash_sha1': 'string',
     'hash_sha256': 'string',
     'platform': 'VMWARE',
     'release_date': '2019-01-15T15:35:00-05:00',
     'size': 100,
     'updated_at': '2019-01-15T15:35:00-05:00',
     'version': 'string'}

Below are valid filter by parameters:

Field Name    Field Type  Attribute  Relationship  Field Description
------------  ----------  ---------  ------------  -----------------
created_at    string      Y          N             Created timestamp: readonly
hash_md5      string      Y          N             Assembler image md5 hash Allows: null
hash_sha1     string      Y          N             Assembler image sha1 hash Allows: null
hash_sha256   string      Y          N             Assembler image sha256 hash Allows: null
platform      any         Y          N             Platform Restricted to: “VMWARE”, “HYPERV”, “AZURE”, “AMAZON”
release_date  string      Y          N             Assembler image release date Allows: null
size          number      Y          N             Assembler image size Allows: null
updated_at    string      Y          N             Last Updated timestamp: readonly
version       string      Y          N             Assembler image version Allows: “”, null
created_by    Actors      N          Y             Defines/retrieves expel.io actor records
updated_by    Actors      N          Y             Defines/retrieves expel.io actor records
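The record carries three digests and a size, all nullable. Before an assembler image is imported into a hypervisor or cloud account it should be checked against the record, and SHA-256 should be the gate: MD5 and SHA-1 are both collision-prone and should only be cross-checked, never accepted alone. The following is an added example, not pyexclient code: a verifier that takes the bytes of a downloaded image and an assembler_images record in the shape above. The demo image bytes and record are constructed here so the check runs offline; a real record would come from xc.assembler_images.

```python
"""Verify a downloaded assembler image against its assembler_images record.

Added example, not pyexclient code. Given the documented record fields
(hash_sha256, hash_md5, hash_sha1, size) and the bytes of a downloaded
image, it checks size and SHA-256 and refuses to fall back to MD5 or SHA-1
alone. The image bytes and record below are constructed for the demo.
"""
import hashlib
import hmac


class ImageVerificationError(Exception):
    """Raised when the image does not match the record or the record is unusable."""


def verify_assembler_image(image: bytes, record: dict) -> dict:
    """Check image bytes against an assembler_images record.

    Returns the computed digests on success and raises ImageVerificationError
    otherwise. SHA-256 is required; MD5/SHA-1 are only cross-checked when the
    record has them, so an inconsistent record is also rejected.
    """
    expected_sha256 = record.get("hash_sha256")
    if not expected_sha256:
        raise ImageVerificationError("record has no hash_sha256; refusing to trust md5/sha1 alone")

    size = record.get("size")
    if size is not None and size != len(image):
        raise ImageVerificationError(f"size mismatch: record says {size}, got {len(image)}")

    digests = {
        "sha256": hashlib.sha256(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
        "md5": hashlib.md5(image).hexdigest(),
    }
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(digests["sha256"], expected_sha256.lower()):
        raise ImageVerificationError("sha256 mismatch")
    for algo, field in (("sha1", "hash_sha1"), ("md5", "hash_md5")):
        expected = record.get(field)
        if expected and not hmac.compare_digest(digests[algo], expected.lower()):
            raise ImageVerificationError(f"{algo} mismatch (record inconsistent)")
    return digests


def image_is_trusted(image: bytes, record: dict) -> bool:
    """Boolean wrapper for callers that only need a go/no-go answer."""
    try:
        verify_assembler_image(image, record)
        return True
    except ImageVerificationError:
        return False


# Constructed demo image and a matching record (not a real assembler image).
DEMO_IMAGE = b"expel-assembler-demo-image\n" * 64
DEMO_RECORD = {
    "platform": "VMWARE",
    "version": "demo",
    "size": len(DEMO_IMAGE),
    "hash_sha256": hashlib.sha256(DEMO_IMAGE).hexdigest(),
    "hash_sha1": hashlib.sha1(DEMO_IMAGE).hexdigest(),
    "hash_md5": hashlib.md5(DEMO_IMAGE).hexdigest(),
}

if __name__ == "__main__":
    print("demo image trusted:", image_is_trusted(DEMO_IMAGE, DEMO_RECORD))
    print("tampered image trusted:", image_is_trusted(DEMO_IMAGE + b"\x00", DEMO_RECORD))
```

For a multi-gigabyte image, feed the file to the hash objects in chunks rather than reading it whole; the comparison logic is unchanged.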

class pyexclient.workbench.Assemblers(data, conn, included=None)

Bases: ResourceInstance

Assemblers

Resource type name is assemblers.

Example JSON record:

    {'connection_status': 'Never Connected',
     'connection_status_updated_at': '2019-01-15T15:35:00-05:00',
     'created_at': '2019-01-15T15:35:00-05:00',
     'deleted_at': '2019-01-15T15:35:00-05:00',
     'install_code': 'string',
     'lifecycle_status': 'New',
     'lifecycle_status_updated_at': '2019-01-15T15:35:00-05:00',
     'location': 'string',
     'name': 'string',
     'status': 'string',
     'status_updated_at': '2019-01-15T15:35:00-05:00',
     'updated_at': '2019-01-15T15:35:00-05:00',
     'vpn_ip': 'string'}

Below are valid filter by parameters:

Field Name                    Field Type       Attribute  Relationship  Field Description
----------------------------  ---------------  ---------  ------------  -----------------
connection_status             any              Y          N             Assembler connection status Restricted to: “Never Connected”, “Connection Lost”, “Connected to Provisioning”, “Connected to Service” Allows: null
connection_status_updated_at  string           Y          N             Assembler connection status update timestamp: readonly
created_at                    string           Y          N             Created timestamp: readonly
deleted_at                    string           Y          N             Deleted At timestamp Allows: null
install_code                  string           Y          N             Assembler install code Allows: null
lifecycle_status              any              Y          N             Assembler life cycle status Restricted to: “New”, “Authorized”, “Transitioning”, “Transitioned”, “Transition Failed”, “Configuring”, “Configuration Failed”, “Active”, “Inactive”, “Deleted” Allows: null
lifecycle_status_updated_at   string           Y          N             Assembler lifecycle status update timestamp: readonly
location                      string           Y          N             Location of assembler Allows: “”, null
name                          string           Y          N             Name of assembler Allows: “”, null
status                        string           Y          N             Assembler status Restricted to: “not_yet_connected”, “connection_lost”, “connected”, “error”, “configuring”, “transition_failed”, “configuration_failed”, “active”, “inactive”, “deleted” Allows: “”, null: readonly
status_updated_at             string           Y          N             Assembler last status update timestamp: readonly
updated_at                    string           Y          N             Last Updated timestamp: readonly
vpn_ip                        string           Y          N             Assembler VPN ip address Allows: null
created_by                    Actors           N          Y             Defines/retrieves expel.io actor records
organization                  Organizations    N          Y             Defines/retrieves expel.io organization records
security_devices              SecurityDevices  N          Y             Security devices
updated_by                    Actors           N          Y             Defines/retrieves expel.io actor records
vendor_alerts                 VendorAlerts     N          Y             Vendor alerts
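An assembler that silently drops to "Connection Lost" means the security devices behind it stop feeding vendor_alerts, which is a detection gap rather than a mere infrastructure fault. The connection_status and lifecycle_status enums plus their *_updated_at timestamps are enough to watch for that. The following is an added example, not pyexclient code: a health check over assemblers records in the shape above. The grace period, the choice of which lifecycle values count as failures, and the sample records are assumptions for the demo; live records would be iterated from xc.assemblers.

```python
"""Health check over assemblers records.

Added example, not part of pyexclient. It walks records in the shape
documented above (name, lifecycle_status, connection_status,
connection_status_updated_at, deleted_at) and reports assemblers that need
attention: a lost connection older than a grace period, a failed lifecycle
state, or an Active assembler not connected to the service. The grace
period and the sample records are assumptions for the demo; live records
would come from ``xc.assemblers`` in pyexclient.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Documented lifecycle_status values that mean provisioning did not complete.
FAILED_LIFECYCLE = {"Transition Failed", "Configuration Failed"}
# Assumed policy: how long a lost connection may persist before we alert.
LOST_CONNECTION_GRACE = timedelta(hours=1)


def parse_ts(value: str) -> datetime:
    """Parse the API's ISO 8601 timestamps, e.g. '2019-01-15T15:35:00-05:00'."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_assembler(rec: dict, now: datetime) -> list[str]:
    """Return findings for one assemblers record (empty if healthy)."""
    findings: list[str] = []
    if rec.get("deleted_at"):
        return findings  # a deleted assembler is expected to be disconnected
    conn = rec.get("connection_status")
    life = rec.get("lifecycle_status")
    if conn == "Connection Lost":
        lost_for = now - parse_ts(rec["connection_status_updated_at"])
        if lost_for > LOST_CONNECTION_GRACE:
            findings.append(f"connection lost for {int(lost_for.total_seconds() // 3600)}h")
    if life in FAILED_LIFECYCLE:
        findings.append(f"lifecycle {life}")
    if life == "Active" and conn != "Connected to Service":
        findings.append(f"Active but connection_status is {conn!r}")
    return findings


def unhealthy_assemblers(records, now: datetime | None = None) -> dict[str, list[str]]:
    """Map assembler name -> findings for records with at least one finding."""
    now = now or datetime.now(timezone.utc)
    report: dict[str, list[str]] = {}
    for rec in records:
        findings = check_assembler(rec, now)
        if findings:
            report[rec.get("name") or "<unnamed>"] = findings
    return report


# Constructed sample records (not real assemblers) and a fixed 'now'.
SAMPLE_NOW = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSEMBLERS = [
    {"name": "dc1-assembler", "lifecycle_status": "Active",
     "connection_status": "Connected to Service",
     "connection_status_updated_at": "2025-01-02T06:00:00+00:00", "deleted_at": None},
    {"name": "branch-assembler", "lifecycle_status": "Active",
     "connection_status": "Connection Lost",
     "connection_status_updated_at": "2025-01-01T20:00:00-05:00", "deleted_at": None},
    {"name": "lab-assembler", "lifecycle_status": "Configuration Failed",
     "connection_status": "Connected to Provisioning",
     "connection_status_updated_at": "2025-01-02T11:30:00+00:00", "deleted_at": None},
    {"name": "retired-assembler", "lifecycle_status": "Deleted",
     "connection_status": "Connection Lost",
     "connection_status_updated_at": "2024-12-01T00:00:00+00:00",
     "deleted_at": "2024-12-01T00:00:00+00:00"},
]


def sample_health_report() -> dict[str, list[str]]:
    """Run the check over the constructed records at the fixed 'now'."""
    return unhealthy_assemblers(SAMPLE_ASSEMBLERS, SAMPLE_NOW)


if __name__ == "__main__":
    for name, findings in sample_health_report().items():
        print(f"{name}: {'; '.join(findings)}")
```

The branch assembler's timestamp carries a -05:00 offset, which is why everything is converted to UTC before subtracting; a naive parse would report the outage as five hours shorter than it is.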

class pyexclient.workbench.BaseResourceObject(cls, content=None, api_type=None, conn=None)

Bases: object

count()

Return the number of records in a JSON API response. You can get the count of the entries returned by a filter, or request the count of the total number of resource instances of the type; the total count does not require paginating over all entries.

Returns:

The number of records in a JSON API response

Return type:

int

Examples:
>>> from pyexclient.workbench import WorkbenchClient
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> print("Investigation Count: ", xc.investigations.filter_by(customer_id='1').count())
>>> print("Investigation Count: ", xc.investigations.count())

create(**kwargs)

Create a ResourceInstance object that represents some JSON API resource. The example below calls save() on the returned instance to persist it.

Parameters:

kwargs (dict) – Attributes to set on the new JSON API resource.

Returns:

A ResourceInstance object that represents the requested JSON API resource type.

Return type:

ResourceInstance

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=CUSTOMER_GUID, relationship_assigned_to_actor=PETER_S)
>>> i.save()

filter_by(**kwargs)

Issue a JSON API call requesting that a JSON API resource be filtered by some set of attributes, id, limit, etc.

Parameters:

kwargs (dict) – Field names and values to filter on (attributes, id, limit, etc.)

Returns:

A BaseResourceObject object

Return type:

BaseResourceObject

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> for inv in xc.investigations.filter_by(customer_id='1'):
...     print(inv.title)

get(**kwargs)

Request a JSON API resource by id.

Parameters:

id (str) – The GUID of the resource

Returns:

A BaseResourceObject object

Return type:

BaseResourceObject

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> inv = xc.investigations.get(id=investigation_guid)
>>> print(inv.title)

one_or_none()

Return one record from a JSON API response, or None if there were no records. Check for None before using the result.

Returns:

A BaseResourceObject object

Return type:

BaseResourceObject

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> inv = xc.investigations.filter_by(customer_id=CUSTOMER_GUID).one_or_none()
>>> print(inv.title if inv is not None else "no investigation found")

search(*args, **kwargs)

Search based on a set of criteria made up of operators and attributes. Operators (relationship, limit, include, sort) are passed as positional arguments and must precede the keyword field filters.

Parameters:
  • args (tuple) – Operators of relationship|limit|include|sort

  • kwargs (dict) – Fields and values to search on

Returns:

A BaseResourceObject object

Return type:

BaseResourceObject

Examples:
>>> from pyexclient.workbench import gt, relationship
>>> # field filter
>>> for inv in xc.investigations.search(customer_id=CUSTOMER_GUID):
...     print(inv.title)
>>> # operator field filter
>>> for inv in xc.investigations.search(customer_id=CUSTOMER_GUID, created_at=gt("2020-01-01")):
...     print(inv.title)
>>> # relationship field filter (the operator is positional, so it goes before the keyword filter)
>>> for inv in xc.investigations.search(relationship("investigative_actions.created_at", gt("2020-01-01")), customer_id=CUSTOMER_GUID):
...     print(inv.title)
class pyexclient.workbench.CommentHistories(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io comment_history records

Resource type name is comment_histories.

Example JSON record:

    {'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name     Field Type      Attribute  Relationship  Field Description
-------------  --------------  ---------  ------------  -----------------
action         any             Y          N             Comment history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null
created_at     string          Y          N             Created timestamp: readonly
value          object          Y          N             Comment history details Allows: null: no-sort
comment        Comments        N          Y             Defines/retrieves expel.io comment records
created_by     Actors          N          Y             Defines/retrieves expel.io actor records
investigation  Investigations  N          Y             Investigations

class pyexclient.workbench.Comments(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io comment records

Resource type name is comments.

Example JSON record:

    {'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name         Field Type        Attribute  Relationship  Field Description
-----------------  ----------------  ---------  ------------  -----------------
comment            string            Y          N             Comment: markdown
created_at         string            Y          N             Created timestamp: readonly
updated_at         string            Y          N             Last Updated timestamp: readonly
comment_histories  CommentHistories  N          Y             Defines/retrieves expel.io comment_history records
created_by         Actors            N          Y             Defines/retrieves expel.io actor records
investigation      Investigations    N          Y             Investigations
organization       Organizations     N          Y             Defines/retrieves expel.io organization records
updated_by         Actors            N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.Configurations(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io configuration records

Resource type name is configurations.

Example JSON record:

    {'created_at': '2019-01-15T15:35:00-05:00',
     'default_value': 'object',
     'description': 'string',
     'is_override': True,
     'key': 'string',
     'metadata': {},
     'title': 'string',
     'updated_at': '2019-01-15T15:35:00-05:00',
     'validation': {},
     'value': 'object',
     'visibility': 'EXPEL',
     'write_permission_level': 'EXPEL'}

Below are valid filter by parameters:

Field Name              Field Type     Attribute  Relationship  Field Description
----------------------  -------------  ---------  ------------  -----------------
created_at              string         Y          N             Created timestamp: readonly
default_value           any            Y          N             Default configuration value Allows: null: readonly, no-sort
description             string         Y          N             Description of configuration value Allows: “”, null: readonly, markdown
is_override             boolean        Y          N             Configuration value is an override: readonly
key                     string         Y          N             Configuration key: readonly
metadata                object         Y          N             Configuration metadata Allows: null: readonly, no-sort
title                   string         Y          N             Title of configuration value Allows: “”, null: readonly
updated_at              string         Y          N             Last Updated timestamp: readonly
validation              object         Y          N             Configuration value validation Allows: null: readonly, no-sort
value                   any            Y          N             Configuration value Allows: null: no-sort
visibility              any            Y          N             Configuration visibility Restricted to: “EXPEL”, “ORGANIZATION”, “SYSTEM”
write_permission_level  any            Y          N             Write permission required Restricted to: “EXPEL”, “ORGANIZATION”, “SYSTEM”
created_by              Actors         N          Y             Defines/retrieves expel.io actor records
organization            Organizations  N          Y             Defines/retrieves expel.io organization records
updated_by              Actors         N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextCategories(data, conn, included=None)

Bases: ResourceInstance

Groups for organizing context variables outside of any specific use case

Resource type name is context_categories.

Example JSON record:

    {'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'image': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name         Field Type        Attribute  Relationship  Field Description
-----------------  ----------------  ---------  ------------  -----------------
created_at         string            Y          N             Created timestamp: readonly
description        string            Y          N             A description for this context category Allows: null
image              string            Y          N             Filename for the image used in the context category card in Workbench: immutable
name               string            Y          N             Unique name of this context category
updated_at         string            Y          N             Last Updated timestamp: readonly
context_variables  ContextVariables  N          Y             Reusable strongly typed context variables which can be referenced by other features
created_by         Actors            N          Y             Defines/retrieves expel.io actor records
organization       Organizations     N          Y             Defines/retrieves expel.io organization records
updated_by         Actors            N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextCategoryDefaults(data, conn, included=None)

Bases: ResourceInstance

A set of global seed categories which will be added for each new organization

Resource type name is context_category_defaults.

Example JSON record:

    {'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'image': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name   Field Type  Attribute  Relationship  Field Description
-----------  ----------  ---------  ------------  -----------------
created_at   string      Y          N             Created timestamp: readonly
description  string      Y          N             A description for this context category Allows: null
image        string      Y          N             Filename for the image used in the context category card in Workbench
name         string      Y          N             Unique name of this context category
updated_at   string      Y          N             Last Updated timestamp: readonly
created_by   Actors      N          Y             Defines/retrieves expel.io actor records
updated_by   Actors      N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextLabelActionHistories(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io context_label_action_history records

Resource type name is context_label_action_histories.

Example JSON record:

    {'action': 'CREATED', 'action_type': 'ALERT_ON', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name            Field Type           Attribute  Relationship  Field Description
--------------------  -------------------  ---------  ------------  -----------------
action                any                  Y          N             Context label action history Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null
action_type           any                  Y          N             Action type of source parent remediation action Restricted to: “ALERT_ON”, “ADD_TO”, “SUPPRESS”
created_at            string               Y          N             Created timestamp: readonly
value                 object               Y          N             Context label action history details (contains important fields that changed) Allows: null: no-sort
context_label         ContextLabels        N          Y             Defines/retrieves expel.io context_label records
context_label_action  ContextLabelActions  N          Y             Defines/retrieves expel.io context_label_action records
created_by            Actors               N          Y             Defines/retrieves expel.io actor records
investigation         Investigations       N          Y             Investigations

class pyexclient.workbench.ContextLabelActions(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io context_label_action records

Resource type name is context_label_actions.

Example JSON record:

    {'action_type': 'ALERT_ON',
     'created_at': '2019-01-15T15:35:00-05:00',
     'expel_severity_threshold': 'CRITICAL',
     'expel_signature_id': 'string',
     'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name                     Field Type                   Attribute  Relationship  Field Description
-----------------------------  ---------------------------  ---------  ------------  -----------------
action_type                    any                          Y          N             What action to take Restricted to: “ALERT_ON”, “ADD_TO”, “SUPPRESS”
created_at                     string                       Y          N             Created timestamp: readonly
expel_severity_threshold       any                          Y          N             Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” Allows: null
expel_signature_id             string                       Y          N             Expel alert signature Allows: “”, null
updated_at                     string                       Y          N             Last Updated timestamp: readonly
context_label                  ContextLabels                N          Y             Defines/retrieves expel.io context_label records
context_label_action_histories  ContextLabelActionHistories  N          Y             Defines/retrieves expel.io context_label_action_history records
created_by                     Actors                       N          Y             Defines/retrieves expel.io actor records
investigation                  Investigations               N          Y             Investigations
timeline_entries               TimelineEntries              N          Y             Timeline Entries
updated_by                     Actors                       N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextLabelHistories(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io context_label_history records

Resource type name is context_label_histories.

Example JSON record:

    {'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name     Field Type     Attribute  Relationship  Field Description
-------------  -------------  ---------  ------------  -----------------
action         any            Y          N             Context label history action Restricted to: “CREATED”, “UPDATED”, “DELETED”, “ASSIGNED_TAG_CREATED”, “ASSIGNED_TAG_DELETED” Allows: null
created_at     string         Y          N             Created timestamp: readonly
value          object         Y          N             Context label history details (contains important fields that changed) Allows: null: no-sort
context_label  ContextLabels  N          Y             Defines/retrieves expel.io context_label records
created_by     Actors         N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextLabelTags(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io context_label_tag records

Resource type name is context_label_tags.

Example JSON record:

    {'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'metadata': {}, 'tag': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name                 Field Type               Attribute  Relationship  Field Description
-------------------------  -----------------------  ---------  ------------  -----------------
created_at                 string                   Y          N             Created timestamp: readonly
description                string                   Y          N             Description Allows: null, “”
metadata                   object                   Y          N             Metadata about the context label tag Allows: null: no-sort
tag                        string                   Y          N             Tag
updated_at                 string                   Y          N             Last Updated timestamp: readonly
context_labels             ContextLabels            N          Y             Defines/retrieves expel.io context_label records
created_by                 Actors                   N          Y             Defines/retrieves expel.io actor records
organization               Organizations            N          Y             Defines/retrieves expel.io organization records
remediation_action_assets  RemediationActionAssets  N          Y             Remediation action assets
updated_by                 Actors                   N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextLabels(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io context_label records

Resource type name is context_labels.

Example JSON record:

    {'created_at': '2019-01-15T15:35:00-05:00',
     'definition': {},
     'description': 'string',
     'ends_at': '2019-01-15T15:35:00-05:00',
     'initial_edit_at': '2019-01-15T15:35:00-05:00',
     'metadata': {},
     'resolved_definition': {},
     'review_status': 'APPROVED',
     'starts_at': '2019-01-15T15:35:00-05:00',
     'title': 'string',
     'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name                                        Field Type                                   Attribute  Relationship  Field Description
------------------------------------------------  -------------------------------------------  ---------  ------------  -----------------
created_at                                        string                                       Y          N             Created timestamp: readonly
definition                                        object                                       Y          N             Definition: no-sort
description                                       string                                       Y          N             Description Allows: null, “”
ends_at                                           string                                       Y          N             Date/Time of when the context_label should end being tested Allows: null
initial_edit_at                                   string                                       Y          N             Date/Time of when the drawer was first opened to create the context label Allows: null
metadata                                          object                                       Y          N             Metadata about the context label Allows: null: no-sort
resolved_definition                               object                                       Y          N             Definition where all variables are replaced with their current values Allows: null: readonly, no-sort
review_status                                     any                                          Y          N             Current status of the review process Restricted to: “APPROVED”, “REVIEW_REQUESTED”, “CHANGES_REQUESTED”, “DECLINED” Allows: null
starts_at                                         string                                       Y          N             Date/Time of when the context_label should start being tested
title                                             string                                       Y          N             Title Allows: null, “”
updated_at                                        string                                       Y          N             Last Updated timestamp: readonly
add_to_actions                                    ContextLabelActions                          N          Y             Defines/retrieves expel.io context_label_action records
alert_on_actions                                  ContextLabelActions                          N          Y             Defines/retrieves expel.io context_label_action records
approval_histories                                ContextLabelHistories                        N          Y             Defines/retrieves expel.io context_label_history records
context_label_action_histories                    ContextLabelActionHistories                  N          Y             Defines/retrieves expel.io context_label_action_history records
context_label_actions                             ContextLabelActions                          N          Y             Defines/retrieves expel.io context_label_action records
context_label_histories                           ContextLabelHistories                        N          Y             Defines/retrieves expel.io context_label_history records
context_label_tags                                ContextLabelTags                             N          Y             Defines/retrieves expel.io context_label_tag records
context_variables                                 ContextVariables                             N          Y             Reusable strongly typed context variables which can be referenced by other features
created_by                                        Actors                                       N          Y             Defines/retrieves expel.io actor records
expel_alerts                                      ExpelAlerts                                  N          Y             Expel alerts
investigations                                    Investigations                               N          Y             Investigations
organization                                      Organizations                                N          Y             Defines/retrieves expel.io organization records
originating_expel_alerts                          ExpelAlerts                                  N          Y             Expel alerts
remediation_action_setting_list_source_histories  RemediationActionSettingListSourceHistories  N          Y             Defines/retrieves expel.io remediation_action_setting_list_source_history records
remediation_action_setting_list_sources           RemediationActionSettingListSources          N          Y             Defines/retrieves expel.io remediation_action_setting_list_source records
remediation_action_settings                       RemediationActionSettings                    N          Y             Defines/retrieves expel.io remediation_action_setting records
suppress_actions                                  ContextLabelActions                          N          Y             Defines/retrieves expel.io context_label_action records
timeline_entries                                  TimelineEntries                              N          Y             Timeline Entries
updated_by                                        Actors                                       N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.ContextVariableHistories(data, conn, included=None)

Bases: ResourceInstance

Defines/retrieves expel.io context_variable_history records

Resource type name is context_variable_histories.

Example JSON record:

    {'action': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name        Field Type        Attribute  Relationship  Field Description
----------------  ----------------  ---------  ------------  -----------------
action            string            Y          N             Context variable history action Restricted to: “CREATED”, “UPDATED”, “DELETED”
created_at        string            Y          N             Created timestamp: readonly
value             object            Y          N             Context variable history details Allows: null: no-sort
context_variable  ContextVariables  N          Y             Reusable strongly typed context variables which can be referenced by other features
created_by        Actors            N          Y             Defines/retrieves expel.io actor records
organization      Organizations     N          Y             Defines/retrieves expel.io organization records

class pyexclient.workbench.ContextVariables(data, conn, included=None)

Bases: ResourceInstance

Reusable strongly typed context variables which can be referenced by other features

Resource type name is context_variables.

Example JSON record:

    {'context_type': 'string',
     'created_at': '2019-01-15T15:35:00-05:00',
     'description': 'string',
     'is_array': True,
     'name': 'string',
     'surface_context': True,
     'updated_at': '2019-01-15T15:35:00-05:00',
     'value': 'object',
     'value_type': 'cidr_block'}

Below are valid filter by parameters:

Field Name                  Field Type                Attribute  Relationship  Field Description
--------------------------  ------------------------  ---------  ------------  -----------------
context_type                string                    Y          N             One of a few common types for context variables or other Restricted to: “cidr_block”, “domain”, “email_address”, “file_hash”, “hostname”, “ip_address”, “other”, “port”, “url”, “username”: immutable
created_at                  string                    Y          N             Created timestamp: readonly
description                 string                    Y          N             Optional description of this context variable Allows: null
is_array                    boolean                   Y          N             Whether or not the value of this context variable is an array: immutable
name                        string                    Y          N             Name of this context variable
surface_context             boolean                   Y          N             Whether or not to surface this context variable in Workbench
updated_at                  string                    Y          N             Last Updated timestamp: readonly
value                       any                       Y          N             Value of this context variable: allowStringOperators, no-sort
value_type                  any                       Y          N             Value type of this context variable Restricted to: “cidr_block”, “integer”, “ip_address”, “regex”, “string”: immutable
context_categories          ContextCategories         N          Y             Groups for organizing context variables outside of any specific use case
context_labels              ContextLabels             N          Y             Defines/retrieves expel.io context_label records
context_variable_histories  ContextVariableHistories  N          Y             Defines/retrieves expel.io context_variable_history records
created_by                  Actors                    N          Y             Defines/retrieves expel.io actor records
note_histories              Organizations             N          Y             Historical event log for each note model
notes                       Notes                     N          Y             A model for tying a message to a specific context variable or term for a specified period of time
organization                Organizations             N          Y             Defines/retrieves expel.io organization records
updated_by                  Actors                    N          Y             Defines/retrieves expel.io actor records

class pyexclient.workbench.Detections(data, conn, included=None)

Bases: ResourceInstance

How we determine security-relevant data for analyst review

Resource type name is detections.

Example JSON record:

    {'author_type': 'string',
     'configuration_slugs': [],
     'created_at': '2019-01-15T15:35:00-05:00',
     'customer_context_tags': [],
     'description': 'string',
     'engine': 'string',
     'logic_blob': 'string',
     'name': 'string',
     'priority': 100,
     'severity': 'string',
     'status': 'string',
     'supported_tech': [],
     'tags': [],
     'test_blob': 'string',
     'unique_on': [],
     'unique_within': 'string',
     'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name                 Field Type                Attribute  Relationship  Field Description
-------------------------  ------------------------  ---------  ------------  -----------------
author_type                string                    Y          N             The author of this detection Allows: “”, null
configuration_slugs        array                     Y          N             A list of configuration tags used in the logic of this detection: no-filter, no-sort
created_at                 string                    Y          N             The time this detection was created Allows: null
customer_context_tags      array                     Y          N             A list of customer context tags used in the logic of this detection: no-filter, no-sort
description                string                    Y          N             What this detection is looking for Allows: “”, null
engine                     string                    Y          N             The parent detection engine Allows: “”, null
logic_blob                 string                    Y          N             A JSON formatted blob of Josie detection logic Allows: “”, null
name                       string                    Y          N             The name of the detection Allows: “”, null
priority                   number                    Y          N             The order in which Josie applies this detection to security alerts, 0 being a higher priority Allows: null
severity                   string                    Y          N             The potential impact of detected incidents Allows: “”, null
status                     string                    Y          N             The production status of this detection Allows: “”, null
supported_tech             array                     Y          N             The technology that this detection supports
tags                       array                     Y          N             A list of tags which may affect upstream behavior: no-filter, no-sort
test_blob                  string                    Y          N             A JSON formatted list of conditions (vendor alerts) that trigger this detection, in turn creating an Expel alert Allows: “”, null
unique_on                  array                     Y          N             A list of Josie expressions that make this alert unique: no-filter, no-sort
unique_within              string                    Y          N             The time period in which this alert is unique Allows: “”, null
updated_at                 string                    Y          N             The last time this detection was updated Allows: null
expel_alert_categories     ExpelDetectionCategories  N          Y             Detection categories
expel_response_categories  ExpelDetectionCategories  N          Y             Detection categories
expel_triage_categories    ExpelDetectionCategories  N          Y             Detection categories
mitre_tactics              MitreTactics              N          Y             Mitre Tactics
organizations              Organizations             N          Y             Defines/retrieves expel.io organization records

class pyexclient.workbench.Digests(data, conn, included=None)[source]

Bases: ResourceInstance

Digests

Resource type name is digests.

Example JSON record:

{'email': 'name@company.com', 'schedule': 'string'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Email of the user, overwritten by the API during creation Allows: null, “” | email | string | Y | N
Missing Description | schedule | string | Y | N
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
User accounts | user_account | UserAccounts | N | Y

class pyexclient.workbench.EngagementManagers(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io engagement_manager records

Resource type name is engagement_managers.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'display_name': 'string', 'email': 'name@company.com', 'pagerduty_id': 'string', 'phone_number': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Display name Allows: “”, null | display_name | string | Y | N
Email Allows: null | email | string | Y | N
Pagerduty ID Allows: null | pagerduty_id | string | Y | N
Phone number Allows: null | phone_number | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io organization records | organizations | Organizations | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.Entitlements(data, conn, included=None)[source]

Bases: ResourceInstance

path to entitlements service

Resource type name is entitlements.

Example JSON record:

{'entitlement': {'enabled_plugin_slugs': [],
                 'investigative_tech_enabled_plugin_slugs': [],
                 'organization_id': 'string',
                 'service_offerings': [],
                 'service_offerings_for_hunting': [],
                 'service_types': []},
 'skus': []}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Allows: null: readonly | entitlement | object | Y | N
Missing Description | skus | array | Y | N
Defines/retrieves expel.io organization records | organization | Organizations | N | Y

class pyexclient.workbench.ExpelAlertHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Expel alert histories

Resource type name is expel_alert_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Expel alert history action Restricted to: “CREATED”, “ASSIGNED”, “STATUS_CHANGED”, “INVESTIGATING”, “TUNING_CHANGED”, “DELETED”, “VIEWED”, “RAPID_TRIAGE_PRIORITY_CHANGED” Allows: null | action | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Expel alert history details Allows: null: no-sort | value | object | Y | N
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Expel alerts | expel_alert | ExpelAlerts | N | Y
Investigations | investigation | Investigations | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y

class pyexclient.workbench.ExpelAlertThresholdHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io expel_alert_threshold_history records

Resource type name is expel_alert_threshold_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Expel alert threshold history action Restricted to: “CREATED”, “BREACHED”, “ACKNOWLEDGED”, “RECOVERED”, “DELETED” | action | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Expel alert threshold history details Allows: null: no-sort | value | object | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io expel_alert_threshold records | expel_alert_threshold | ExpelAlertThresholds | N | Y

class pyexclient.workbench.ExpelAlertThresholds(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io expel_alert_threshold records

Resource type name is expel_alert_thresholds.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'name': 'string', 'threshold': 100, 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Name | name | string | Y | N
Threshold value | threshold | number | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io expel_alert_threshold_history records | expel_alert_threshold_histories | ExpelAlertThresholdHistories | N | Y
Defines/retrieves expel.io expel_alert_threshold records | suppressed_by | ExpelAlertThresholds | N | Y
Defines/retrieves expel.io expel_alert_threshold records | suppresses | ExpelAlertThresholds | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.ExpelAlerts(data, conn, included=None)[source]

Bases: ResourceInstance

Expel alerts

Resource type name is expel_alerts.

Example JSON record:

{'activity_first_at': '2019-01-15T15:35:00-05:00',
 'activity_last_at': '2019-01-15T15:35:00-05:00',
 'alert_type': 'ENDPOINT',
 'close_comment': 'string',
 'close_reason': 'FALSE_POSITIVE',
 'created_at': '2019-01-15T15:35:00-05:00',
 'cust_disp_alerts_in_critical_incidents_count': 100,
 'cust_disp_alerts_in_incidents_count': 100,
 'cust_disp_alerts_in_investigations_count': 100,
 'cust_disp_closed_alerts_count': 100,
 'cust_disp_disposed_alerts_count': 100,
 'disposition_alerts_in_critical_incidents_count': 100,
 'disposition_alerts_in_incidents_count': 100,
 'disposition_alerts_in_investigations_count': 100,
 'disposition_closed_alerts_count': 100,
 'disposition_disposed_alerts_count': 100,
 'expel_alert_time': '2019-01-15T15:35:00-05:00',
 'expel_alias_name': 'string',
 'expel_message': 'string',
 'expel_name': 'string',
 'expel_severity': 'CRITICAL',
 'expel_signature_id': 'string',
 'expel_version': 'string',
 'git_rule_url': 'https://company.com/',
 'investigative_action_count': 100,
 'is_auto_add': True,
 'is_viewed_by_assignable_expel_user': True,
 'rapid_triage_priority': 'string',
 'ref_event_id': 'string',
 'status': 'string',
 'status_updated_at': '2019-01-15T15:35:00-05:00',
 'tuning_requested': True,
 'updated_at': '2019-01-15T15:35:00-05:00',
 'vendor_alert_count': 100,
 'vendor_disp_alerts_in_critical_incidents_count': 100,
 'vendor_disp_alerts_in_incidents_count': 100,
 'vendor_disp_alerts_in_investigations_count': 100,
 'vendor_disp_closed_alerts_count': 100,
 'vendor_disp_disposed_alerts_count': 100}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Allows: null: readonly, no-sort, no-filter | activity_first_at | string | Y | N
Allows: null: readonly, no-sort, no-filter | activity_last_at | string | Y | N
Expel alert type Restricted to: “ENDPOINT”, “NETWORK”, “SIEM”, “RULE_ENGINE”, “EXTERNAL”, “OTHER”, “CLOUD”, “PHISHING_SUBMISSION”, “PHISHING_SUBMISSION_SIMILAR” Allows: null | alert_type | any | Y | N
Expel alert close comment Allows: “”, null | close_comment | string | Y | N
Expel alert close reason Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “OTHER”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “INCONCLUSIVE”, “SUPPRESSED”, “PHISHING_SIMULATION”, “SUPPRESSED_NEW_DEVICE”, “SUPPRESSED_THRESHOLD_EXCEEDED” Allows: null | close_reason | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Allows: null | cust_disp_alerts_in_critical_incidents_count | number | Y | N
Allows: null | cust_disp_alerts_in_incidents_count | number | Y | N
Allows: null | cust_disp_alerts_in_investigations_count | number | Y | N
Allows: null | cust_disp_closed_alerts_count | number | Y | N
Allows: null | cust_disp_disposed_alerts_count | number | Y | N
Allows: null | disposition_alerts_in_critical_incidents_count | number | Y | N
Allows: null | disposition_alerts_in_incidents_count | number | Y | N
Allows: null | disposition_alerts_in_investigations_count | number | Y | N
Allows: null | disposition_closed_alerts_count | number | Y | N
Allows: null | disposition_disposed_alerts_count | number | Y | N
Expel Alert Time first seen time: immutable | expel_alert_time | string | Y | N
Expel alert alias Allows: “”, null | expel_alias_name | string | Y | N
Expel alert message Allows: “”, null | expel_message | string | Y | N
Expel alert name Allows: “”, null | expel_name | string | Y | N
Expel alert severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” | expel_severity | any | Y | N
Expel alert signature Allows: “”, null | expel_signature_id | string | Y | N
Expel alert version Allows: “”, null | expel_version | string | Y | N
URL to rule definition for alert Allows: “”, null | git_rule_url | string | Y | N
Allows: null: readonly, no-sort, no-filter | investigative_action_count | number | Y | N
Was this expel_alert added to an investigation by one of the robots (i.e. an automated process)?: readonly | is_auto_add | boolean | Y | N
Was this expel_alert viewed by an expel assignable user at-least once?: readonly | is_viewed_by_assignable_expel_user | boolean | Y | N
Expel alert rapid triage priority Restricted to: “UNKNOWN”, “HIGH”, “LOW” | rapid_triage_priority | string | Y | N
Referring event id Allows: null | ref_event_id | string | Y | N
Expel alert status Restricted to: “OPEN”, “IN_PROGRESS”, “CLOSED” Allows: null | status | string | Y | N
Status Updated At Allows: null: readonly | status_updated_at | string | Y | N
tuning requested | tuning_requested | boolean | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Allows: null: readonly, no-sort, no-filter | vendor_alert_count | number | Y | N
Allows: null | vendor_disp_alerts_in_critical_incidents_count | number | Y | N
Allows: null | vendor_disp_alerts_in_incidents_count | number | Y | N
Allows: null | vendor_disp_alerts_in_investigations_count | number | Y | N
Allows: null | vendor_disp_closed_alerts_count | number | Y | N
Allows: null | vendor_disp_disposed_alerts_count | number | Y | N
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | close_comment_last_updated_by | Actors | N | Y
Defines/retrieves expel.io context_label records | context_labels | ContextLabels | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
IP addresses | destination_ip_addresses | IpAddresses | N | Y
Vendor alert evidences are extracted from a vendor alert’s evidence summary | evidence | VendorAlertEvidences | N | Y
Expel alert histories | expel_alert_assignable_expel_user_view_histories | ExpelAlertHistories | N | Y
Expel alert histories | expel_alert_histories | ExpelAlertHistories | N | Y
Expel alert histories | expel_alert_rapid_triage_priority_histories | ExpelAlertHistories | N | Y
Expel alert histories | expel_alert_view_histories | ExpelAlertHistories | N | Y
Investigations | investigation | Investigations | N | Y
Investigative action histories | investigative_action_histories | InvestigativeActionHistories | N | Y
investigative actions | investigative_actions | InvestigativeActions | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Defines/retrieves expel.io context_label records | originated_context_labels | ContextLabels | N | Y
Phishing submissions | phishing_submissions | PhishingSubmissions | N | Y
Investigations | related_investigations | Investigations | N | Y
Investigations | related_investigations_via_involved_host_ips | Investigations | N | Y
Expel alerts | similar_alerts | ExpelAlerts | N | Y
IP addresses | source_ip_addresses | IpAddresses | N | Y
Defines/retrieves expel.io actor records | status_last_updated_by | Actors | N | Y
Defines/retrieves expel.io suggestions | suggestions | Suggestions | N | Y
Expel alert histories | suppression_histories | ExpelAlertHistories | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y
Defines/retrieves expel.io user task records | user_tasks | UserTasks | N | Y
Vendors | vendor | Vendors | N | Y
Vendor alerts | vendor_alerts | VendorAlerts | N | Y

class pyexclient.workbench.ExpelDetectionCategories(data, conn, included=None)[source]

Bases: ResourceInstance

Detection categories

Resource type name is expel_detection_categories.

Example JSON record:

{'category_type': 'string', 'customer_context_tags': [], 'description': 'string', 'investigative_questions': [], 'name': 'string', 'number_of_detections': 100}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Which part of the detection & response process this category takes effect in Allows: “”, null: no-sort | category_type | string | Y | N
Customer context tags used in this category’s detections | customer_context_tags | array | Y | N
The category description Allows: “”, null | description | string | Y | N
The questions analysts ask when responding to Expel alerts | investigative_questions | array | Y | N
The name of the category Allows: “”, null | name | string | Y | N
The number of detections in this category, based on the plugin_slugs filter | number_of_detections | number | Y | N

class pyexclient.workbench.Files(data, conn, included=None)[source]

Bases: FilesResourceInstance

File

Resource type name is files.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'expel_file_type': 'string',
 'file_meta': {'investigative_action': {'file_type': 'string'}, 'rich_result': {}},
 'filename': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Expel file type Allows: null, “” | expel_file_type | string | Y | N
Metadata about the file Allows: null: no-sort | file_meta | object | Y | N
Filename | filename | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Investigations | investigations | Investigations | N | Y
investigative actions | investigative_actions | InvestigativeActions | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Phishing submissions | phishing_submission | PhishingSubmissions | N | Y
Phishing submission attachments | phishing_submission_attachment | PhishingSubmissionAttachments | N | Y
investigative actions | result_investigative_actions | InvestigativeActions | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.FilesResourceInstance(data, conn, included=None)[source]

Bases: ResourceInstance

download(fd, fmt='json')[source]

Download data from an investigative action. This can only be called on InvestigativeAction or Files objects.

Parameters:
  • fd (File bytes object) – Buffer to write the response to.

  • fmt (str) – The format to request the data be returned in.

Examples:
>>> import json
>>> import pprint
>>> import tempfile
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> with xc.investigative_actions.get(id=inv_act_id) as ia:
...     # Stream the action's result into a temporary file, then flush so the
...     # bytes are on disk before the file is reopened by name.
...     fd = tempfile.NamedTemporaryFile(delete=False)
...     ia.download(fd)
...     fd.flush()
...     with open(fd.name, 'r') as result:
...         pprint.pprint(json.loads(result.read()))

class pyexclient.workbench.Findings(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io finding records

Resource type name is findings.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'rank': 100, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Seed Rank | rank | number | Y | N
Title Allows: “”, null | title | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.Integrations(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io integration records

Resource type name is integrations.

Example JSON record:

{'account': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'integration_meta': {},
 'integration_type': 'pagerduty',
 'last_tested_at': '2019-01-15T15:35:00-05:00',
 'service_name': 'string',
 'status': 'UNTESTED',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Service account identifier | account | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Needed information for integration type Allows: null: allowStringOperators, no-sort | integration_meta | object | Y | N
Type of integration Restricted to: “pagerduty”, “slack”, “ticketing”, “service_now”, “teams”, “ops_genie”, “o365_reporting”, “palo_alto_networks_cxdr”, “webhook”: immutable | integration_type | any | Y | N
Last Successful Test Allows: null: readonly | last_tested_at | string | Y | N
Service display name | service_name | string | Y | N
Integration status Restricted to: “UNTESTED”, “TEST_SUCCESS”, “TEST_FAIL”: readonly | status | any | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Organization secrets. Note - these requests must be in the format of /secrets/security_device-<guid> | secret | Secrets | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.InvestigationFindingHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io investigation_finding_history records

Resource type name is investigation_finding_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Investigation finding history action Restricted to: “CREATED”, “CHANGED”, “DELETED” Allows: null | action | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Investigation finding history details Allows: null: no-sort | value | object | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Investigations | investigation | Investigations | N | Y
Investigation findings | investigation_finding | InvestigationFindings | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.InvestigationFindings(data, conn, included=None)[source]

Bases: ResourceInstance

Investigation findings

Resource type name is investigation_findings.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'finding': 'string', 'rank': 100, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Deleted At timestamp Allows: null | deleted_at | string | Y | N
Finding Allows: “”, null: markdown | finding | string | Y | N
Visualization Rank | rank | number | Y | N
Title Allows: “”, null | title | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Investigations | investigation | Investigations | N | Y
Defines/retrieves expel.io investigation_finding_history records | investigation_finding_histories | InvestigationFindingHistories | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.InvestigationHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Investigation histories

Resource type name is investigation_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'is_incident': True, 'value': {}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Investigation history action Restricted to: “CREATED”, “ASSIGNED”, “CHANGED”, “CLOSED”, “SUMMARY”, “REOPENED”, “PUBLISHED” Allows: null | action | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Is Incidence | is_incident | boolean | Y | N
Investigation history details Allows: null: no-sort | value | object | Y | N
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Investigations | investigation | Investigations | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y

class pyexclient.workbench.InvestigationResilienceActionHints(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io investigation_organization_resilience_action_hint records

Resource type name is investigation_resilience_action_hints.

Example JSON record:

{}

Below are valid filter by parameters:

class pyexclient.workbench.InvestigationResilienceActions(data, conn, included=None)[source]

Bases: ResourceInstance

Investigation to resilience actions

Resource type name is investigation_resilience_actions.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Investigations | investigation | Investigations | N | Y
Organization to resilience actions | organization_resilience_action | OrganizationResilienceActions | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.Investigations(data, conn, included=None)[source]

Bases: ResourceInstance

Investigations

Resource type name is investigations.

Example JSON record:

{'analyst_severity': 'CRITICAL',
 'attack_lifecycle': 'INITIAL_RECON',
 'attack_timing': 'HISTORICAL',
 'attack_vector': 'DRIVE_BY',
 'close_comment': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'critical_comment': 'string',
 'decision': 'FALSE_POSITIVE',
 'deleted_at': '2019-01-15T15:35:00-05:00',
 'detection_type': 'UNKNOWN',
 'has_hunting_status': True,
 'initial_attack_vector': 'string',
 'is_downgrade': True,
 'is_incident': True,
 'is_incident_status_updated_at': '2019-01-15T15:35:00-05:00',
 'is_soc_support_required': True,
 'is_surge': True,
 'last_published_at': '2019-01-15T15:35:00-05:00',
 'last_published_value': 'string',
 'lead_description': 'string',
 'malware_family': 'string',
 'next_steps': 'string',
 'open_reason': 'ACCESS_KEYS',
 'open_summary': 'string',
 'review_requested_at': '2019-01-15T15:35:00-05:00',
 'short_link': 'string',
 'source_reason': 'HUNTING',
 'status_updated_at': '2019-01-15T15:35:00-05:00',
 'threat_type': 'TARGETED',
 'title': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Analyst Severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “INFO” Allows: null | analyst_severity | any | Y | N
Attack Lifecycle Restricted to: “INITIAL_RECON”, “DELIVERY”, “EXPLOITATION”, “INSTALLATION”, “COMMAND_CONTROL”, “LATERAL_MOVEMENT”, “ACTION_TARGETS”, “UNKNOWN” Allows: null | attack_lifecycle | any | Y | N
Attack Timing Restricted to: “HISTORICAL”, “PRESENT” Allows: null | attack_timing | any | Y | N
Attack Vector Restricted to: “DRIVE_BY”, “PHISHING”, “PHISHING_LINK”, “PHISHING_ATTACHMENT”, “REV_MEDIA”, “SPEAR_PHISHING”, “SPEAR_PHISHING_LINK”, “SPEAR_PHISHING_ATTACHMENT”, “STRAG_WEB_COMP”, “SERVER_SIDE_VULN”, “CRED_THEFT”, “MISCONFIG”, “UNKNOWN” Allows: null | attack_vector | any | Y | N
Close Comment Allows: “”, null: markdown | close_comment | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Critical Comment Allows: “”, null | critical_comment | string | Y | N
Decision Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “CLOSED”, “OTHER”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “INCONCLUSIVE”, “PHISHING_SIMULATION” Allows: null | decision | any | Y | N
Deleted At timestamp Allows: null | deleted_at | string | Y | N
Detection Type Restricted to: “UNKNOWN”, “ENDPOINT”, “SIEM”, “NETWORK”, “EXPEL”, “HUNTING”, “CLOUD”, “PHISHING” Allows: null | detection_type | any | Y | N
Meta: readonly, no-sort, no-filter | has_hunting_status | boolean | Y | N
Initial attack vector Allows: “”, null | initial_attack_vector | string | Y | N
Is downgrade | is_downgrade | boolean | Y | N
Is Incident | is_incident | boolean | Y | N
Incident Status timestamp Allows: null: readonly | is_incident_status_updated_at | string | Y | N
Is Expel SOC support required for this investigation?: immutable | is_soc_support_required | boolean | Y | N
Is surge | is_surge | boolean | Y | N
Last Published At Allows: null | last_published_at | string | Y | N
Last Published Value Allows: “”, null | last_published_value | string | Y | N
Lead Description Allows: null: markdown | lead_description | string | Y | N
Malware family Allows: “”, null | malware_family | string | Y | N
Recommended next steps for starting this investigation or handling this incident Allows: “”, null | next_steps | string | Y | N
Open Reason Restricted to: “ACCESS_KEYS”, “EC2”, “S3_BUCKETS”, “OTHER” Allows: null | open_reason | any | Y | N
Reason the investigation/incident was opened Allows: “”, null | open_summary | string | Y | N
Review Requested At Allows: null | review_requested_at | string | Y | N
Investigation short link: readonly | short_link | string | Y | N
Source Reason Restricted to: “HUNTING”, “ORGANIZATION_REPORTED”, “DISCOVERY”, “PHISHING”, “SURRE”, “VULNERABILITY” Allows: null | source_reason | any | Y | N
Status Updated At Allows: null: readonly | status_updated_at | string | Y | N
Threat Type Restricted to: “TARGETED”, “TARGETED_APT”, “TARGETED_RANSOMWARE”, “BUSINESS_EMAIL_COMPROMISE”, “NON_TARGETED”, “NON_TARGETED_MALWARE”, “POLICY_VIOLATION”, “UNKNOWN”, “RED_TEAM” Allows: null | threat_type | any | Y | N
Title Allows: “”, null | title | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io comment_history records | comment_histories | CommentHistories | N | Y
Defines/retrieves expel.io comment records | comments | Comments | N | Y
Defines/retrieves expel.io context_label_action_history records | context_label_action_histories | ContextLabelActionHistories | N | Y
Defines/retrieves expel.io context_label_action records | context_label_actions | ContextLabelActions | N | Y
Defines/retrieves expel.io context_label records | context_labels | ContextLabels | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
IP addresses | destination_ip_addresses | IpAddresses | N | Y
Vendor alert evidences are extracted from a vendor alert’s evidence summary | evidence | VendorAlertEvidences | N | Y
Expel alert histories | expel_alert_histories | ExpelAlertHistories | N | Y
Expel alerts | expel_alerts | ExpelAlerts | N | Y
File | files | Files | N | Y
Defines/retrieves expel.io finding records | findings | InvestigationFindings | N | Y
Defines/retrieves expel.io investigation_finding_history records | investigation_finding_histories | InvestigationFindingHistories | N | Y
Investigation histories | investigation_histories | InvestigationHistories | N | Y
Investigation to resilience actions | investigation_resilience_actions | InvestigationResilienceActions | N | Y
Investigative action histories | investigative_action_histories | InvestigativeActionHistories | N | Y
investigative actions | investigative_actions | InvestigativeActions | N | Y
IP addresses | ip_addresses | IpAddresses | N | Y
Defines/retrieves expel.io actor records | last_published_by | Actors | N | Y
Expel alerts | lead_expel_alert | ExpelAlerts | N | Y
investigative actions | most_recent_investigative_action | InvestigativeActions | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Organization to resilience actions | organization_resilience_action_hints | OrganizationResilienceActions | N | Y
Organization to resilience actions | organization_resilience_actions | OrganizationResilienceActions | N | Y
Investigations | related_investigations_via_involved_host_ips | Investigations | N | Y
Remediation action asset histories | remediation_action_asset_histories | RemediationActionAssetHistories | N | Y
Remediation action assets | remediation_action_assets | RemediationActionAssets | N | Y
Remediation action histories | remediation_action_histories | RemediationActionHistories | N | Y
Remediation actions | remediation_actions | RemediationActions | N | Y
Defines/retrieves expel.io actor records | review_requested_by | Actors | N | Y
IP addresses | source_ip_addresses | IpAddresses | N | Y
Defines/retrieves expel.io actor records | status_last_updated_by | Actors | N | Y
Timeline Entries | timeline_entries | TimelineEntries | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y
Defines/retrieves expel.io user task records | user_tasks | UserTasks | N | Y

class pyexclient.workbench.InvestigativeActionHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Investigative action histories

Resource type name is investigative_action_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Investigative action history action Restricted to: “CREATED”, “ASSIGNED”, “CLOSED”, “ACKNOWLEDGED”, “CLASSIFIED” Allows: null | action | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Deleted At timestamp Allows: null | deleted_at | string | Y | N
Investigative action history details Allows: null: no-sort | value | object | Y | N
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Expel alerts | expel_alert | ExpelAlerts | N | Y
Investigations | investigation | Investigations | N | Y
investigative actions | investigative_action | InvestigativeActions | N | Y

class pyexclient.workbench.InvestigativeActions(data, conn, included=None)[source]

Bases: InvestigativeActionsResourceInstance

investigative actions

Resource type name is investigative_actions.

Example JSON record:

{           'action_type': 'TASKABILITY',
    'activity_acknowledged_at': '2019-01-15T15:35:00-05:00',
    'activity_acknowledged_by': 'string',
    'activity_authorized': True,
    'activity_verified_by': 'string',
    'capability_name': 'string',
    'classification': 'MALICIOUS',
    'close_reason': 'string',
    'content_driven_results': {},
    'created_at': '2019-01-15T15:35:00-05:00',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'downgrade_reason': 'FALSE_POSITIVE',
    'files_count': 100,
    'input_args': {},
    'instructions': 'string',
    'rank': 100,
    'reason': 'string',
    'result_byte_size': 100,
    'result_task_id': 'object',
    'results': 'string',
    'robot_action': True,
    'status': 'RUNNING',
    'status_updated_at': '2019-01-15T15:35:00-05:00',
    'taskability_action_id': 'string',
    'tasking_error': {},
    'title': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'workflow_job_id': 'string',
    'workflow_name': 'string'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Investigative Action Type Restricted to: “TASKABILITY”, “HUNTING”, “MANUAL”, “RESEARCH”, “PIVOT”, “QUICK_UPLOAD”, “VERIFY”, “DOWNGRADE”, “WORKFLOW”, “NOTIFY” | action_type | any | Y | N
Verify investigative action acknowledged at Allows: null | activity_acknowledged_at | string | Y | N
Verify investigative action acknowledged by Allows: null | activity_acknowledged_by | string | Y | N
Verify Investigative action is authorized Allows: null | activity_authorized | boolean | Y | N
Verify Investigative action verified by Allows: null | activity_verified_by | string | Y | N
Capability name Allows: “”, null | capability_name | string | Y | N
Investigative action classification Restricted to: “MALICIOUS”, “SUSPICIOUS”, “NOT_SUSPICIOUS” Allows: null | classification | any | Y | N
Close Reason Allows: null: markdown | close_reason | string | Y | N
Content driven results Allows: “”, null: no-sort | content_driven_results | object | Y | N
Created timestamp: readonly | created_at | string | Y | N
Deleted At timestamp Allows: null | deleted_at | string | Y | N
Downgrade reason Restricted to: “FALSE_POSITIVE”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “OTHER” Allows: null | downgrade_reason | any | Y | N
Downgrade reason: readonly | files_count | number | Y | N
Task input arguments Allows: null: no-sort | input_args | object | Y | N
Instructions Allows: “”, null: markdown | instructions | string | Y | N
Visualization Rank | rank | number | Y | N
Reason: markdown | reason | string | Y | N
Result byte size: readonly | result_byte_size | number | Y | N
Result task id Allows: null: readonly | result_task_id | any | Y | N
Results/Analysis Allows: “”, null | results | string | Y | N
Investigative action created by robot action: readonly | robot_action | boolean | Y | N
Status Restricted to: “RUNNING”, “FAILED”, “READY_FOR_ANALYSIS”, “CLOSED”, “COMPLETED” | status | any | Y | N
Status Updated At Allows: null: readonly | status_updated_at | string | Y | N
Taskability action id Allows: “”, null | taskability_action_id | string | Y | N
Taskabilities error Allows: “”, null: no-sort | tasking_error | object | Y | N
Title: markdown | title | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Workflow job id Allows: “”, null | workflow_job_id | string | Y | N
Workflow name Allows: “”, null | workflow_name | string | Y | N
Defines/retrieves expel.io actor records | analysis_assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | classified_by_actor | Actors | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
investigative actions | dependent_investigative_actions | InvestigativeActions | N | Y
investigative actions | depends_on_investigative_action | InvestigativeActions | N | Y
Expel alerts | expel_alert | ExpelAlerts | N | Y
File | files | Files | N | Y
Investigations | investigation | Investigations | N | Y
Investigative action histories | investigative_action_histories | InvestigativeActionHistories | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
File | result_file | Files | N | Y
Security devices | security_device | SecurityDevices | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.InvestigativeActionsResourceInstance(data, conn, included=None)[source]

Bases: FilesResourceInstance

upload(filename, fbytes, expel_file_type=None, file_meta=None)[source]

Upload data associated with an investigative action. Can only be called on InvestigativeAction objects.

Parameters:
  • filename (str) – Filename, this shows up in Workbench.

  • fbytes (bytes) – A bytes string representing raw bytes to upload

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> with xc.investigative_actions.get(id=inv_act_id) as ia:
...     ia.upload('test.txt', b'hello world')

class pyexclient.workbench.IpAddresses(data, conn, included=None)[source]

Bases: ResourceInstance

IP addresses

Resource type name is ip_addresses.

Example JSON record:

{'address': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
IP Address: readonly | address | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Expel alerts | destination_expel_alerts | ExpelAlerts | N | Y
Investigations | destination_investigations | Investigations | N | Y
Investigations | investigations | Investigations | N | Y
Expel alerts | source_expel_alerts | ExpelAlerts | N | Y
Investigations | source_investigations | Investigations | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y
Vendor alerts | vendor_alerts | VendorAlerts | N | Y

class pyexclient.workbench.JsonApiRelationship(relationships: dict | None = None)[source]

Bases: object

The object acts as a helper for handling JSON API relationships. It is a plain container that allows setting and getting attributes extracted from the relationship part of a JSON API response. Additionally, it can convert itself into a JSON API compliant relationship block for inclusion in a request.

to_relationship()[source]

Generate a JSON API compliant relationship section.

Returns:

A dict that is JSON API compliant relationship section.

Return type:

dict
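
The relationship block that to_relationship() is documented to produce follows the JSON:API resource-object format. The following is an added illustration of that shape, not pyexclient's own code: it builds a relationships section from plain dicts and reads one back, so it runs offline. The resource ids and the request body are constructed for the example; only the type and field names (investigative_actions, investigations, organizations, title, action_type) come from this page.

```python
"""Added illustration of the JSON:API relationship block that
JsonApiRelationship.to_relationship() is documented to generate.
Not pyexclient's code: it uses the standard JSON:API shape
(https://jsonapi.org/format/#document-resource-object-relationships)."""

from typing import Dict, List, Optional, Tuple, Union


def build_relationship_block(links: Dict[str, Optional[Tuple[str, str]]]) -> dict:
    """Turn {name: (type, id)} into a JSON:API 'relationships' section.

    A value of None yields an empty to-one relationship ({'data': None}),
    which is how JSON:API expresses 'not linked'.
    """
    block = {}
    for name, ref in links.items():
        if ref is None:
            block[name] = {"data": None}
        else:
            rtype, rid = ref
            block[name] = {"data": {"type": rtype, "id": rid}}
    return block


def extract_relationship_ids(resource: dict) -> Dict[str, Union[None, str, List[str]]]:
    """Read the relationship part of a JSON:API resource object back into
    {name: id}; None for an empty to-one, a list of ids for a to-many."""
    out: Dict[str, Union[None, str, List[str]]] = {}
    for name, rel in resource.get("relationships", {}).items():
        data = rel.get("data")
        if data is None:
            out[name] = None
        elif isinstance(data, list):
            out[name] = [item["id"] for item in data]
        else:
            out[name] = data["id"]
    return out


# Constructed sample: a request body for a new investigative action linked
# to an investigation and an organization.  The ids are placeholders.
SAMPLE_LINKS = {
    "investigation": ("investigations", "11111111-1111-1111-1111-111111111111"),
    "organization": ("organizations", "22222222-2222-2222-2222-222222222222"),
    "assigned_to_actor": None,  # not yet assigned to anyone
}

SAMPLE_REQUEST = {
    "data": {
        "type": "investigative_actions",
        "attributes": {"title": "Collect process listing", "action_type": "MANUAL"},
        "relationships": build_relationship_block(SAMPLE_LINKS),
    }
}
```

On the client this is the section that ends up under `data.relationships` of a create or update request; in a response the same shape is what the relationship attributes of a ResourceInstance are populated from.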

class pyexclient.workbench.MitreTactics(data, conn, included=None)[source]

Bases: ResourceInstance

Mitre Tactics

Resource type name is mitre_tactics.

Example JSON record:

{'description': 'string', 'name': 'string', 'number_of_expel_detections': 100, 'number_of_vendor_detections': 100}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
The tactic description Allows: “”, null | description | string | Y | N
The name of the tactic Allows: “”, null | name | string | Y | N
The number of Expel-based detections in this category, based on the plugin_slugs filter | number_of_expel_detections | number | Y | N
The number of vendor-based detections in this category, based on the plugin_slugs filter | number_of_vendor_detections | number | Y | N

class pyexclient.workbench.NistCategories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io nist_category records

Resource type name is nist_categories.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'function_type': 'IDENTIFY', 'identifier': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Actor type Restricted to: “IDENTIFY”, “PROTECT”, “DETECT”, “RECOVER”, “RESPOND” | function_type | any | Y | N
Nist category abbreviated identifier | identifier | string | Y | N
Nist category name | name | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io nist_subcategory records | nist_subcategories | NistSubcategories | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.NistSubcategories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io nist_subcategory records

Resource type name is nist_subcategories.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'identifier': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
Nist subcategory abbreviated identifier | identifier | string | Y | N
Nist subcategory title Allows: “”, null | name | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io nist_category records | nist_category | NistCategories | N | Y
Latest NIST subcategory scores | nist_subcategory_scores | NistSubcategoryScores | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.NistSubcategoryScoreHistories(data, conn, included=None)[source]

Bases: ResourceInstance

NIST Subcategory Score History

Resource type name is nist_subcategory_score_histories.

Example JSON record:

{'action': 'SCORE_UPDATED', 'actual_score': 100, 'assessment_date': '2019-01-15T15:35:00-05:00', 'created_at': '2019-01-15T15:35:00-05:00', 'target_score': 100}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
NIST subcategory score history action Restricted to: “SCORE_UPDATED”, “COMMENT_UPDATED”, “PRIORITY_UPDATED”, “IMPORT” | action | any | Y | N
Organization actual score for this nist subcategory | actual_score | number | Y | N
Recorded date of the score assessment (Note: Dates with times will be truncated to the day. Warning: Dates, times and timezones will be converted to UTC before they are truncated. Providing non-UTC timezones is not recommended.): immutable | assessment_date | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Organization target score for this nist subcategory | target_score | number | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Latest NIST subcategory scores | nist_subcategory_score | NistSubcategoryScores | N | Y

class pyexclient.workbench.NistSubcategoryScores(data, conn, included=None)[source]

Bases: ResourceInstance

Latest NIST subcategory scores

Resource type name is nist_subcategory_scores.

Example JSON record:

{           'actual_score': 100,
    'assessment_date': '2019-01-15T15:35:00-05:00',
    'category_identifier': 'string',
    'category_name': 'string',
    'comment': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'function_type': 'string',
    'is_priority': True,
    'subcategory_identifier': 'string',
    'subcategory_name': 'string',
    'target_score': 100,
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Organization actual score for this nist subcategory Allows: null | actual_score | number | Y | N
Recorded date of the score assessment (Note: Dates with times will be truncated to the day. Warning: Dates, times and timezones will be converted to UTC before they are truncated. Providing non-UTC timezones is not recommended.) Allows: null: immutable | assessment_date | string | Y | N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | category_identifier | string | Y | N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | category_name | string | Y | N
Organization comment for this nist subcategory Allows: “”, null | comment | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | function_type | string | Y | N
Organization nist subcategory is a priority | is_priority | boolean | Y | N
Allows: “”, null: immutable, no-sort, no-filter | subcategory_identifier | string | Y | N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | subcategory_name | string | Y | N
Organization target score for this nist subcategory Allows: null | target_score | number | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io nist_subcategory records | nist_subcategory | NistSubcategories | N | Y
NIST Subcategory Score History | nist_subcategory_score_histories | NistSubcategoryScoreHistories | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y
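
The assessment_date caveat (stated for both NistSubcategoryScores and NistSubcategoryScoreHistories) matters because a local-time timestamp near midnight can land on a different calendar day once converted to UTC and truncated. The following added example, not pyexclient's or Workbench's own code, models that documented behaviour to show when the shift happens and how to submit a date that cannot move. The truncation model (convert to UTC, then drop the time) is this example's reading of the note; naive timestamps being treated as UTC is an assumption.

```python
"""Added illustration of the assessment_date truncation caveat.  Not the
server's or pyexclient's code: it models the documented rule (convert to
UTC, then truncate to the day) so the edge case can be seen offline."""

from datetime import date, datetime, timezone


def server_side_assessment_day(value: str) -> date:
    """Model of the documented behaviour: parse an ISO-8601 timestamp,
    convert it to UTC, drop the time part.  A naive timestamp (no offset)
    is treated as already UTC here; that is an assumption of this example."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).date()


def local_day(value: str) -> date:
    """The day the caller most likely meant: the date in the offset they wrote."""
    return datetime.fromisoformat(value).date()


def assessment_day_shifts(value: str) -> bool:
    """True when UTC truncation stores a different calendar day than the one
    written in the caller's own timezone, i.e. the case the docs warn about."""
    return server_side_assessment_day(value) != local_day(value)


def safe_assessment_date(d: date) -> str:
    """Express the intended day as a UTC midnight timestamp, so that the
    conversion-then-truncation cannot move it to a neighbouring day."""
    return datetime(d.year, d.month, d.day, tzinfo=timezone.utc).isoformat()


# Constructed inputs: the page's sample timestamp, and the same offset late
# in the evening, which crosses midnight once converted to UTC.
SAFE_SAMPLE = "2019-01-15T15:35:00-05:00"   # 20:35 UTC, same day
SHIFTING_SAMPLE = "2019-01-15T23:30:00-05:00"  # 04:30 UTC on the 16th
```

Submitting `safe_assessment_date(date(2019, 1, 15))` yields `2019-01-15T00:00:00+00:00`, which truncates to 2019-01-15 regardless of the server's conversion step.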

class pyexclient.workbench.NoteHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Historical event log for each note model

Resource type name is note_histories.

Example JSON record:

{'action': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Whether this is a create, update, or delete event Restricted to: “CREATED”, “UPDATED”, “DELETED” | action | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Complete state at the time of a create or delete event or the state changes for an update event: no-sort | value | object | Y | N
Reusable strongly typed context variables which can be referenced by other features | context_variable | ContextVariables | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
A model for tying a message to a specific context variable or term for a specified period of time | note | Notes | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y

class pyexclient.workbench.Notes(data, conn, included=None)[source]

Bases: ResourceInstance

A model for tying a message to a specific context variable or term for a specified period of time

Resource type name is notes.

Example JSON record:

{           'created_at': '2019-01-15T15:35:00-05:00',
    'ends_at': '2019-01-15T15:35:00-05:00',
    'message': 'string',
    'starts_at': '2019-01-15T15:35:00-05:00',
    'term': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
When the note should stop showing up as associated with context or global terms Allows: null | ends_at | string | Y | N
The message to display when a matching term or variable is highlighted | message | string | Y | N
When the note should begin showing up as associated with context or global terms | starts_at | string | Y | N
The term to match if and only if this is a global note Allows: null | term | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Reusable strongly typed context variables which can be referenced by other features | context_variable | ContextVariables | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Historical event log for each note model | note_histories | Organizations | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.NotificationEvents(data, conn, included=None)[source]

Bases: ResourceInstance

Notification events

Resource type name is notification_events.

Example JSON record:

{           'event_at': '2019-01-15T15:35:00-05:00',
    'event_name': 'string',
    'sent_notifications': [],
    'subject': {'display_name': 'string', 'meta': {}, 'model_id': 'string', 'model_type': 'string', 'parent_model_id': 'string', 'parent_model_type': 'string'}}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Timestamp of the event triggering the notification | event_at | string | Y | N
Name of the event triggering the notification | event_name | string | Y | N
Missing Description | sent_notifications | array | Y | N
Missing Description | subject | object | Y | N

class pyexclient.workbench.NotificationPreferences(data, conn, included=None)[source]

Bases: ResourceInstance

User Notification Preferences

Resource type name is notification_preferences.

Example JSON record:

{'preferences': []}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Missing Description | preferences | array | Y | N
Defines/retrieves expel.io actor records | actor | Actors | N | Y

class pyexclient.workbench.NotificationRules(data, conn, included=None)[source]

Bases: ResourceInstance

Notification rules

Resource type name is notification_rules.

Example JSON record:

{'condition_operator': 'string', 'conditionals': [], 'created_at': '2019-01-15T15:35:00-05:00', 'created_by': 'string', 'destinations': [], 'short_name': 'string'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
The logical operator applied to the conditions Restricted to: “UNSPECIFIED”, “ALL_OF”, “ANY_OF” | condition_operator | string | Y | N
Rule conditions that must be met Allows: null: no-filter | conditionals | array | Y | N
The time this rule was created at Allows: null: readonly | created_at | string | Y | N
The actor who created this rule Allows: null, “”: readonly | created_by | string | Y | N
Rule destinations: no-filter | destinations | array | Y | N
The short name of the associated organization Allows: null, “” | short_name | string | Y | N
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Notification rule definitions | rule_definition | RuleDefinitions | N | Y
User accounts | user_account | UserAccounts | N | Y

class pyexclient.workbench.OrganizationContacts(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io organization_contact records

Resource type name is organization_contacts.

Example JSON record:

{'contact_type': 'ORGANIZATION_CONTACT', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Contact Type Restricted to: “ORGANIZATION_CONTACT”, “SECURITY_DEVICE_CONTACT” | contact_type | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
User accounts | contact_user | UserAccounts | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Security devices | security_device | SecurityDevices | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.OrganizationResilienceActionGroups(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io organization_resilience_action_group records

Resource type name is organization_resilience_action_groups.

Example JSON record:

{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'visible': True}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Organization Resilience Group Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” | category | any | Y | N
Created timestamp: readonly | created_at | string | Y | N
Group title | title | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Visible | visible | boolean | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Organization to resilience actions | organization_resilience_action_group_actions | OrganizationResilienceActions | N | Y
Defines/retrieves expel.io resilience_action_group records | source_resilience_action_group | ResilienceActionGroups | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.OrganizationResilienceActions(data, conn, included=None)[source]

Bases: ResourceInstance

Organization to resilience actions

Resource type name is organization_resilience_actions.

Example JSON record:

{           'category': 'DISRUPT_ATTACKERS',
    'comment': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'details': 'string',
    'impact': 'LOW',
    'status': 'TOP_PRIORITY',
    'title': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'visible': True}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” Allows: null | category | any | Y | N
Comment Allows: “”, null | comment | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Details: markdown | details | string | Y | N
Impact Restricted to: “LOW”, “MEDIUM”, “HIGH” | impact | any | Y | N
Status Restricted to: “TOP_PRIORITY”, “IN_PROGRESS”, “WONT_DO”, “COMPLETED” | status | any | Y | N
Title | title | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Visible | visible | boolean | Y | N
Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Investigations | investigation_hints | Investigations | N | Y
Investigation to resilience actions | investigation_resilience_actions | InvestigationResilienceActions | N | Y
Investigations | investigations | Investigations | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Defines/retrieves expel.io organization_resilience_action_group records | organization_resilience_action_group | OrganizationResilienceActionGroups | N | Y
Resilience actions | source_resilience_action | ResilienceActions | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.OrganizationStatuses(data, conn, included=None)[source]

Bases: ResourceInstance

Organization status

Resource type name is organization_statuses.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'enabled_login_types': [], 'restrictions': [], 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Meta: readonly | created_at | string | Y | N
Missing Description | enabled_login_types | array | Y | N
Missing Description | restrictions | array | Y | N
Meta: readonly | updated_at | string | Y | N
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Defines/retrieves expel.io organization records | organization | Organizations | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y

class pyexclient.workbench.Organizations(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io organization records

Resource type name is organizations.

Example JSON record:

{           'address_1': 'string',
    'address_2': 'string',
    'city': 'string',
    'country_code': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'hq_city': 'string',
    'hq_utc_offset': 'string',
    'industry': 'string',
    'is_surge': True,
    'is_testing_organization': True,
    'name': 'string',
    'nodes_count': 100,
    'o365_tos_id': 'string',
    'onboarding_preferences': {},
    'organization_type': 'standard',
    'postal_code': 'string',
    'region': 'string',
    'service_end_at': '2019-01-15T15:35:00-05:00',
    'service_renewal_at': '2019-01-15T15:35:00-05:00',
    'service_start_at': '2019-01-15T15:35:00-05:00',
    'short_name': 'EXP',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'users_count': 100}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Address 1 Allows: “”, null | address_1 | string | Y | N
Address 2 Allows: “”, null | address_2 | string | Y | N
City Allows: “”, null | city | string | Y | N
Country Code Allows: null | country_code | string | Y | N
Created timestamp: readonly | created_at | string | Y | N
Deleted At timestamp Allows: null | deleted_at | string | Y | N
The city where the organization’s headquarters is located Allows: “”, null | hq_city | string | Y | N
Allows: “”, null | hq_utc_offset | string | Y | N
The organization’s primary industry Allows: “”, null | industry | string | Y | N
Is surge | is_surge | boolean | Y | N
Whether or not this organization is a testing organization or a real organization | is_testing_organization | boolean | Y | N
The organization’s operating name | name | string | Y | N
Number of nodes covered for this organization Allows: null | nodes_count | number | Y | N
o365 Terms of Service identifier (e.g. hubspot id, etc.) Allows: null | o365_tos_id | string | Y | N
Organization onboarding preferences: no-sort | onboarding_preferences | object | Y | N
Organization type Restricted to: “standard”, “prospect”, “free_trial”, “demo”, “partner”, “test_temp”, “test_perm” Allows: null | organization_type | any | Y | N
Postal Code Allows: null | postal_code | string | Y | N
State/Province/Region Allows: “”, null | region | string | Y | N
Organization service end date Allows: null | service_end_at | string | Y | N
Organization service renewal date Allows: null | service_renewal_at | string | Y | N
Organization service start date Allows: null | service_start_at | string | Y | N
Organization short name Allows: null | short_name | string | Y | N
Last Updated timestamp: readonly | updated_at | string | Y | N
Number of users covered for this organization Allows: null | users_count | number | Y | N
Defines/retrieves expel.io actor records | actor | Actors | N | Y
investigative actions | analysis_assigned_investigative_actions | InvestigativeActions | N | Y
Defines/retrieves expel.io api_key records. These can only be created by a user and require an OTP token. | api_keys | ApiKeys | N | Y
Assemblers | assemblers | Assemblers | N | Y
Defines/retrieves expel.io actor records | assignables | Actors | N | Y
Expel alerts | assigned_expel_alerts | ExpelAlerts | N | Y
Investigations | assigned_investigations | Investigations | N | Y
investigative actions | assigned_investigative_actions | InvestigativeActions | N | Y
Organization to resilience actions | assigned_organization_resilience_actions | OrganizationResilienceActions | N | Y
Organization to resilience actions | assigned_organization_resilience_actions_list | OrganizationResilienceActions | N | Y
Remediation actions | assigned_remediation_actions | RemediationActions | N | Y
Defines/retrieves expel.io remediation_action_setting records | automate_opt_in_for_remediation_action_setting | RemediationActionSettings | N | Y
Defines/retrieves expel.io comment records | comments | Comments | N | Y
Defines/retrieves expel.io configuration records | configurations | Configurations | N | Y
Groups for organizing context variables outside of any specific use case | context_categories | ContextCategories | N | Y
Defines/retrieves expel.io context_label_tag records | context_label_tags | ContextLabelTags | N | Y
Defines/retrieves expel.io context_label records | context_labels | ContextLabels | N | Y
Reusable strongly typed context variables which can be referenced by other features | context_variables | ContextVariables | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
investigative actions | current_assigned_investigative_actions_classification | InvestigativeActions | N | Y
Defines/retrieves expel.io engagement_manager records | engagement_manager | EngagementManagers | N | Y
path to entitlements service | entitlement | Entitlements | N | Y
Expel alert histories | expel_alert_histories | ExpelAlertHistories | N | Y
Expel alerts | expel_alerts | ExpelAlerts | N | Y
File | files | Files | N | Y
Defines/retrieves expel.io integration records | integrations | Integrations | N | Y
Investigation histories | investigation_histories | InvestigationHistories | N | Y
Investigations | investigations | Investigations | N | Y
investigative actions | investigative_actions | InvestigativeActions | N | Y
Latest NIST subcategory scores | nist_subcategory_scores | NistSubcategoryScores | N | Y
Historical event log for each note model | note_histories | Organizations | N | Y
A model for tying a message to a specific context variable or term for a specified period of time | notes | Notes | N | Y
User Notification Preferences | notification_preferences | NotificationPreferences | N | Y
Defines/retrieves expel.io organization_contact records | organization_contacts | OrganizationContacts | N | Y
Defines/retrieves expel.io organization_resilience_action_group records | organization_resilience_action_groups | OrganizationResilienceActionGroups | N | Y
Organization to resilience actions | organization_resilience_actions | OrganizationResilienceActions | N | Y
Organization status | organization_status | OrganizationStatuses | N | Y
Defines/retrieves expel.io user_account_role records | organization_user_account_roles | UserAccountRoles | N | Y
Defines/retrieves expel.io actor records | parent_organization_actor | Actors | N | Y
Defines/retrieves expel.io remediation_action_setting_history records | remediation_action_setting_histories | RemediationActionSettingHistories | N | Y
Defines/retrieves expel.io remediation_action_setting records | remediation_action_settings | RemediationActionSettings | N | Y
Defines/retrieves expel.io review summary records | review_summaries | ReviewSummaries | N | Y
SAML Identity Providers | saml_identity_provider | SamlIdentityProviders | N | Y
Defines/retrieves expel.io security_device_count records | security_device_counts | SecurityDeviceCounts | N | Y
Security Device histories | security_device_histories | SecurityDeviceHistories | N | Y
Security devices | security_devices | SecurityDevices | N | Y
Service Skus | skus | Skus | N | Y
Defines/retrieves expel.io suggestions | suggestions | Suggestions | N | Y
Defines/retrieves expel.io actor records | tacs_confirmed_actor | Actors | N | Y
Defines/retrieves expel.io actor records | updated_by | Actors | N | Y
User accounts | user_accounts | UserAccounts | N | Y
User accounts | user_accounts_with_roles | UserAccounts | N | Y
Defines/retrieves expel.io user task records | user_tasks | UserTasks | N | Y
Vendor alerts | vendor_alerts | VendorAlerts | N | Y

class pyexclient.workbench.PhishingSubmissionAttachments(data, conn, included=None)[source]

Bases: ResourceInstance

Phishing submission attachments

Resource type name is phishing_submission_attachments.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'file_md5': 'string', 'file_mime': 'string', 'file_name': 'string', 'file_sha1': 'string', 'file_sha256': 'string'}

Below are valid filter by parameters:

Field Description | Field Name | Field Type | Attribute | Relationship
Created timestamp: readonly | created_at | string | Y | N
File md5 hash Allows: null | file_md5 | string | Y | N
File mime type Allows: null | file_mime | string | Y | N
File name Allows: null | file_name | string | Y | N
File sha1 hash Allows: null | file_sha1 | string | Y | N
File sha256 hash Allows: null | file_sha256 | string | Y | N
File | attachment_file | Files | N | Y
Defines/retrieves expel.io actor records | created_by | Actors | N | Y
Phishing submissions | phishing_submission | PhishingSubmissions | N | Y

class pyexclient.workbench.PhishingSubmissionDomains(data, conn, included=None)[source]

Bases: ResourceInstance

Phishing submission domains

Resource type name is phishing_submission_domains.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'value': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
value | string | Y | N | Value
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
phishing_submission | PhishingSubmissions | N | Y | Phishing submissions

class pyexclient.workbench.PhishingSubmissionHeaders(data, conn, included=None)[source]

Bases: ResourceInstance

Phishing submission headers

Resource type name is phishing_submission_headers.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'email_order_index': 'name@company.com', 'name': 'string', 'value': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
email_order_index | string | Y | N | Email Order Index Allows: null
name | string | Y | N | Name
value | string | Y | N | Value
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
phishing_submission | PhishingSubmissions | N | Y | Phishing submissions

class pyexclient.workbench.PhishingSubmissionUrls(data, conn, included=None)[source]

Bases: ResourceInstance

Phishing submission URLs

Resource type name is phishing_submission_urls.

Example JSON record:

{'contains_sub_elements': True,
 'created_at': '2019-01-15T15:35:00-05:00',
 'link_text': 'string',
 'rewritten_url': 'https://company.com/',
 'tags': 'https://company.com/',
 'url_type': 'https://company.com/',
 'value': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
contains_sub_elements | boolean | Y | N | Was sonar prediction correct
created_at | string | Y | N | Created timestamp: readonly
link_text | string | Y | N | Link text value
rewritten_url | string | Y | N | The new url, if it was rewritten by assorted security products Allows: null
tags | string | Y | N | Interesting URL tags: no-sort
url_type | string | Y | N | URL type
value | string | Y | N | Value
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
phishing_submission | PhishingSubmissions | N | Y | Phishing submissions

class pyexclient.workbench.PhishingSubmissions(data, conn, included=None)[source]

Bases: ResourceInstance

Phishing submissions

Resource type name is phishing_submissions.

Example JSON record:

{'add_to_at': '2019-01-15T15:35:00-05:00',
 'arthurai_inference_id': 'string',
 'automated_action_type': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'email_msg_id': 'name@company.com',
 'email_type': 'name@company.com',
 'external_case_number': 'string',
 'full_sender': 'string',
 'ingest_source': 'string',
 'msg_id': 'string',
 'organization_id': 'string',
 'properties': {},
 'received_at': '2019-01-15T15:35:00-05:00',
 'reported_at': '2019-01-15T15:35:00-05:00',
 'return_path': 'string',
 'sender': 'string',
 'sender_domain': 'string',
 'source_object_type': 'string',
 'subject': 'string',
 'submitted_by': 'string',
 'triaged_at': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'was_sonar_correct': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
add_to_at | string | Y | N | Added at Allows: null
arthurai_inference_id | string | Y | N | ArthurAI Inference ID Allows: null
automated_action_type | string | Y | N | Automated action type Allows: “”, null
created_at | string | Y | N | Created timestamp: readonly
email_msg_id | string | Y | N | Internal email message id Allows: “”, null
email_type | string | Y | N | Email type Allows: “”, null
external_case_number | string | Y | N | Case number for external ticketing systems Allows: “”, null
full_sender | string | Y | N | Full sender value, which may contain both a display address and a true address Allows: “”, null
ingest_source | string | Y | N | Ingest source Allows: “”
msg_id | string | Y | N | Message ID
organization_id | string | Y | N | Organization ID Allows: null
properties | object | Y | N | Generic properties json blob: no-sort
received_at | string | Y | N | Received at
reported_at | string | Y | N | Reported at
return_path | string | Y | N | Return path Allows: “”
sender | string | Y | N | Sender
sender_domain | string | Y | N | Sender domain
source_object_type | string | Y | N | Submission source object type Allows: “”, null
subject | string | Y | N | Subject Allows: “”
submitted_by | string | Y | N | Submitted by
triaged_at | string | Y | N | Triaged at Allows: null
updated_at | string | Y | N | Last Updated timestamp: readonly
was_sonar_correct | object | Y | N | Was sonar prediction correct: no-sort
analysis_email_file | Files | N | Y | File
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
expel_alert | ExpelAlerts | N | Y | Expel alerts
initial_email_file | Files | N | Y | File
modified_email_file | Files | N | Y | File
phishing_submission_attachments | PhishingSubmissionAttachments | N | Y | Phishing submission attachments
phishing_submission_domains | PhishingSubmissionDomains | N | Y | Phishing submission domains
phishing_submission_headers | PhishingSubmissionHeaders | N | Y | Phishing submission headers
phishing_submission_urls | PhishingSubmissionUrls | N | Y | Phishing submission URLs
raw_body_file | Files | N | Y | File
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.Plugins(data, conn, included=None)[source]

Bases: ResourceInstance

Plugins

Resource type name is plugins.

Example JSON record:

{'active': True,
 'assembler_dependency': 'string',
 'assembler_for_console_only': True,
 'company_name': 'string',
 'current_status': 100,
 'depends_on': [],
 'description': 'string',
 'device_spec_json': {},
 'display_name': 'string',
 'extra': {},
 'hide_console_login': True,
 'internal_only': True,
 'is_investigative_tech': True,
 'logo': 'string',
 'logo_image_url': 'string',
 'onboarding_doc_url': 'string',
 'organization_id': 'string',
 'plugin_slug': 'string',
 'service_offerings': [],
 'sfa_integration_slug': 'string',
 'show_display_name_with_logo': True,
 'tasks': [],
 'vendor_name': 'string',
 'vendor_type': 'string',
 'version': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
active | boolean | Y | N | Missing Description
assembler_dependency | string | Y | N | Missing Description
assembler_for_console_only | boolean | Y | N | Missing Description
company_name | string | Y | N | Missing Description
current_status | number | Y | N | Missing Description
depends_on | array | Y | N | Missing Description
description | string | Y | N | Missing Description
device_spec_json | object | Y | N | Missing Description
display_name | string | Y | N | Missing Description
extra | object | Y | N | Missing Description
hide_console_login | boolean | Y | N | Missing Description
internal_only | boolean | Y | N | Missing Description
is_investigative_tech | boolean | Y | N | Missing Description
logo | string | Y | N | Missing Description
logo_image_url | string | Y | N | Missing Description
onboarding_doc_url | string | Y | N | Missing Description
organization_id | string | Y | N | Allows: null
plugin_slug | string | Y | N | Missing Description
service_offerings | array | Y | N | Missing Description
sfa_integration_slug | string | Y | N | Missing Description
show_display_name_with_logo | boolean | Y | N | Missing Description
tasks | array | Y | N | Missing Description
vendor_name | string | Y | N | Missing Description
vendor_type | string | Y | N | Missing Description
version | string | Y | N | Missing Description

class pyexclient.workbench.RemediationActionAssetHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Remediation action asset histories

Resource type name is remediation_action_asset_histories.

Example JSON record:

{'action': 'CREATED',
 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS',
 'asset_type': 'ACCOUNT',
 'automate_revert': True,
 'automate_status': 'NEW',
 'created_at': '2019-01-15T15:35:00-05:00',
 'status': 'OPEN',
 'value': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Remediation action asset history action Restricted to: “CREATED”, “COMPLETED”, “REOPENED”, “UPDATED”, “DELETED” Allows: null
action_type | any | Y | N | Action type of associated parent remediation action Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null
asset_type | any | Y | N | Remediation asset type history Restricted to: “ACCOUNT”, “ACCESS_KEY”, “DESCRIPTION”, “DEVICE”, “DOMAIN_NAME”, “EMAIL”, “FILE”, “HASH”, “HOST”, “INBOX_RULE_NAME”, “IP_ADDRESS” Allows: null
automate_revert | boolean | Y | N | Automated remediation asset revert history Allows: null
automate_status | any | Y | N | Automated remediation asset status history Restricted to: “NEW”, “CREATED”, “STARTING”, “VERIFYING”, “COMPLETED”, “FAILED”, “AWAITING_CHECKS” Allows: null
created_at | string | Y | N | Created timestamp: readonly
status | any | Y | N | Remediation asset status history Restricted to: “OPEN”, “COMPLETED” Allows: null
value | object | Y | N | Remediation action asset history details Allows: null: no-sort
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
investigation | Investigations | N | Y | Investigations
remediation_action_asset | RemediationActionAssets | N | Y | Remediation action assets
security_device | SecurityDevices | N | Y | Security devices

class pyexclient.workbench.RemediationActionAssets(data, conn, included=None)[source]

Bases: ResourceInstance

Remediation action assets

Resource type name is remediation_action_assets.

Example JSON record:

{'asset_type': 'ACCOUNT',
 'automate_revert': True,
 'automate_status': 'NEW',
 'automate_status_updated_at': '2019-01-15T15:35:00-05:00',
 'automate_task_error': {},
 'automate_task_id': 'string',
 'automate_task_result_id': 'object',
 'automate_task_results': {},
 'cannot_automate_reason': 'DEVICE_ID_MISSING',
 'category': 'AFFECTED_ACCOUNT',
 'created_at': '2019-01-15T15:35:00-05:00',
 'status': 'OPEN',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'value': 'object'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
asset_type | any | Y | N | Remediation asset type Restricted to: “ACCOUNT”, “ACCESS_KEY”, “DESCRIPTION”, “DEVICE”, “DOMAIN_NAME”, “EMAIL”, “FILE”, “HASH”, “HOST”, “INBOX_RULE_NAME”, “IP_ADDRESS”
automate_revert | boolean | Y | N | Start automated remediation revert process
automate_status | any | Y | N | Automated remediation status for this asset Restricted to: “NEW”, “CREATED”, “STARTING”, “VERIFYING”, “COMPLETED”, “FAILED”, “AWAITING_CHECKS” Allows: null: readonly
automate_status_updated_at | string | Y | N | Automated remediation status last updated at Allows: null: readonly
automate_task_error | object | Y | N | Automated remediation task error Allows: “”, null: readonly, no-sort
automate_task_id | string | Y | N | Automated remediation task id Allows: “”, null: readonly
automate_task_result_id | any | Y | N | Automated remediation task result id Allows: null: readonly
automate_task_results | object | Y | N | Automated remediation task results Allows: “”, null: no-sort
cannot_automate_reason | any | Y | N | Reason this asset cannot be automated Restricted to: “DEVICE_ID_MISSING”, “ACTION_NOT_SUPPORTED”, “DEVICE_NOT_SUPPORTED”, “FEATURE_FLAG_ACTION_DISABLED”, “FEATURE_FLAG_VENDOR_NOT_ALLOWED”, “CUSTOMER_CONFIG_DISABLED”, “ALLOWED_ASSETS_EMPTY”, “ASSETS_NOT_ALLOWED”, “RED_TEAM_INVESTIGATION”, “ASSET_NOT_APPLICABLE” Allows: null: readonly
category | any | Y | N | Remediation asset category Restricted to: “AFFECTED_ACCOUNT”, “COMPROMISED_ACCOUNT”, “FORWARDING_ADDRESS” Allows: null
created_at | string | Y | N | Created timestamp: readonly
status | any | Y | N | Asset status Restricted to: “OPEN”, “COMPLETED”
updated_at | string | Y | N | Last Updated timestamp: readonly
value | alternatives | Y | N | Remediation asset value: allowStringOperators, no-sort
context_label_tags | ContextLabelTags | N | Y | Defines/retrieves expel.io context_label_tag records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
remediation_action | RemediationActions | N | Y | Remediation actions
remediation_action_asset_histories | RemediationActionAssetHistories | N | Y | Remediation action asset histories
security_device | SecurityDevices | N | Y | Security devices
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.RemediationActionHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Remediation action histories

Resource type name is remediation_action_histories.

Example JSON record:

{'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'can_automate': True, 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Remediation action history action Restricted to: “CREATED”, “ASSIGNED”, “COMPLETED”, “CLOSED”, “UPDATED”, “DELETED” Allows: null
action_type | any | Y | N | Action type of source parent remediation action Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null
can_automate | boolean | Y | N | Remediation action can be automated history
created_at | string | Y | N | Created timestamp: readonly
value | object | Y | N | Remediation action history details Allows: null: no-sort
assigned_to_actor | Actors | N | Y | Defines/retrieves expel.io actor records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
investigation | Investigations | N | Y | Investigations
remediation_action | RemediationActions | N | Y | Remediation actions
security_device | SecurityDevices | N | Y | Security devices

class pyexclient.workbench.RemediationActionSettingHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io remediation_action_setting_history records

Resource type name is remediation_action_setting_histories.

Example JSON record:

{'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Remediation action setting history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null
action_type | any | Y | N | Action type of source parent remediation action setting Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null
created_at | string | Y | N | Created timestamp: readonly
value | object | Y | N | Remediation action setting history details Allows: null: no-sort
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
remediation_action_setting | RemediationActionSettings | N | Y | Defines/retrieves expel.io remediation_action_setting records

class pyexclient.workbench.RemediationActionSettingListSourceHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io remediation_action_setting_list_source_history records

Resource type name is remediation_action_setting_list_source_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'source_type': 'CONTEXT_LABEL', 'value': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Remediation action setting list source history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null
created_at | string | Y | N | Created timestamp: readonly
source_type | any | Y | N | Source type Restricted to: “CONTEXT_LABEL”, “EXTERNAL_TASKABILITIES”
value | object | Y | N | Remediation action setting list source history details Allows: null: no-sort
context_label | ContextLabels | N | Y | Defines/retrieves expel.io context_label records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
remediation_action_setting | RemediationActionSettings | N | Y | Defines/retrieves expel.io remediation_action_setting records
remediation_action_setting_list_source | RemediationActionSettingListSources | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source records
security_device | SecurityDevices | N | Y | Security devices

class pyexclient.workbench.RemediationActionSettingListSources(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io remediation_action_setting_list_source records

Resource type name is remediation_action_setting_list_sources.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'external_value': {}, 'source_type': 'CONTEXT_LABEL', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
external_value | object | Y | N | External value Allows: null: allowStringOperators, no-sort
source_type | any | Y | N | Source type Restricted to: “CONTEXT_LABEL”, “EXTERNAL_TASKABILITIES”
updated_at | string | Y | N | Last Updated timestamp: readonly
context_label | ContextLabels | N | Y | Defines/retrieves expel.io context_label records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
remediation_action_setting | RemediationActionSettings | N | Y | Defines/retrieves expel.io remediation_action_setting records
remediation_action_setting_list_source_histories | RemediationActionSettingListSourceHistories | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source_history records
security_device | SecurityDevices | N | Y | Security devices
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.RemediationActionSettings(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io remediation_action_setting records

Resource type name is remediation_action_settings.

Example JSON record:

{'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS',
 'automate_list_type': 'DENY',
 'automate_opt_in': True,
 'automate_opt_in_agreement_version': 'V1',
 'automate_opt_in_at': '2019-01-15T15:35:00-05:00',
 'created_at': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action_type | any | Y | N | Setting’s remediation action type Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP”
automate_list_type | any | Y | N | Automated remediation setting list type Restricted to: “DENY”, “ALLOW” Allows: null
automate_opt_in | boolean | Y | N | Opted in to automated remediations
automate_opt_in_agreement_version | any | Y | N | Automated remediations opt in agreement version Restricted to: “V1” Allows: null
automate_opt_in_at | string | Y | N | Last opted in to automated remediations time Allows: null: readonly
created_at | string | Y | N | Created timestamp: readonly
updated_at | string | Y | N | Last Updated timestamp: readonly
automate_opt_in_actor | Actors | N | Y | Defines/retrieves expel.io actor records
context_label_list_sources | RemediationActionSettingListSources | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source records
context_labels | ContextLabels | N | Y | Defines/retrieves expel.io context_label records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
external_list_sources | RemediationActionSettingListSources | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source records
opt_in_histories | RemediationActionSettingHistories | N | Y | Defines/retrieves expel.io remediation_action_setting_history records
opt_out_histories | RemediationActionSettingHistories | N | Y | Defines/retrieves expel.io remediation_action_setting_history records
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
remediation_action_setting_histories | RemediationActionSettingHistories | N | Y | Defines/retrieves expel.io remediation_action_setting_history records
remediation_action_setting_list_source_histories | RemediationActionSettingListSourceHistories | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source_history records
remediation_action_setting_list_sources | RemediationActionSettingListSources | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source records
security_devices | SecurityDevices | N | Y | Security devices
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.RemediationActions(data, conn, included=None)[source]

Bases: ResourceInstance

Remediation actions

Resource type name is remediation_actions.

Example JSON record:

{'action': 'string',
 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS',
 'asset_state_counts': {},
 'can_automate': True,
 'can_automate_completely': True,
 'cannot_automate_reason': 'DEVICE_ID_MISSING',
 'close_reason': 'string',
 'comment': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'deleted_at': '2019-01-15T15:35:00-05:00',
 'status': 'IN_PROGRESS',
 'status_updated_at': '2019-01-15T15:35:00-05:00',
 'template_name': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'version': 'V1'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | string | Y | N | Action Allows: “”, null
action_type | any | Y | N | Action type Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null
asset_state_counts | object | Y | N | Asset state counts Allows: null: no-sort
can_automate | boolean | Y | N | Remediation action can be automated: readonly
can_automate_completely | boolean | Y | N | Remediation action can be completely automated: readonly
cannot_automate_reason | any | Y | N | Reason this action cannot be automated Restricted to: “DEVICE_ID_MISSING”, “ACTION_NOT_SUPPORTED”, “DEVICE_NOT_SUPPORTED”, “FEATURE_FLAG_ACTION_DISABLED”, “FEATURE_FLAG_VENDOR_NOT_ALLOWED”, “CUSTOMER_CONFIG_DISABLED”, “ALLOWED_ASSETS_EMPTY”, “ASSETS_NOT_ALLOWED”, “RED_TEAM_INVESTIGATION”, “ASSET_NOT_APPLICABLE” Allows: null: readonly
close_reason | string | Y | N | Close Reason Allows: null: markdown
comment | string | Y | N | Comment Allows: “”, null: markdown
created_at | string | Y | N | Created timestamp: readonly
deleted_at | string | Y | N | Deleted At timestamp Allows: null
status | any | Y | N | Status Restricted to: “IN_PROGRESS”, “COMPLETED”, “CLOSED”
status_updated_at | string | Y | N | Status Updated At Allows: null: readonly
template_name | string | Y | N | Remediation Action Template Name Allows: “”, null
updated_at | string | Y | N | Last Updated timestamp: readonly
version | any | Y | N | Version Restricted to: “V1”, “V2”, “V3”
assigned_to_actor | Actors | N | Y | Defines/retrieves expel.io actor records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
investigation | Investigations | N | Y | Investigations
remediation_action_assets | RemediationActionAssets | N | Y | Remediation action assets
remediation_action_histories | RemediationActionHistories | N | Y | Remediation action histories
security_device | SecurityDevices | N | Y | Security devices
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.ResilienceActionGroups(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io resilience_action_group records

Resource type name is resilience_action_groups.

Example JSON record:

{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
category | any | Y | N | Global Resilience Group Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS”
created_at | string | Y | N | Created timestamp: readonly
title | string | Y | N | Group title
updated_at | string | Y | N | Last Updated timestamp: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
resilience_actions | ResilienceActions | N | Y | Resilience actions
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.ResilienceActions(data, conn, included=None)[source]

Bases: ResourceInstance

Resilience actions

Resource type name is resilience_actions.

Example JSON record:

{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'details': 'string', 'impact': 'LOW', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
category | any | Y | N | Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” Allows: null
created_at | string | Y | N | Created timestamp: readonly
details | string | Y | N | Details: markdown
impact | any | Y | N | Impact Restricted to: “LOW”, “MEDIUM”, “HIGH”
title | string | Y | N | Title
updated_at | string | Y | N | Last Updated timestamp: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
resilience_action_group | ResilienceActionGroups | N | Y | Defines/retrieves expel.io resilience_action_group records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.ResourceInstance(data, conn, included=None)[source]

Bases: object

Represents an instance of a base resource.

classmethod create(conn, **kwargs)[source]

Create a new resource instance. Users need to call save() after create to write changes to the server.

Returns:

The updated resource instance

Return type:

ResourceInstance

Examples:
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=ORGANIZATION_ID, relationship_assigned_to_actor=ACTOR_ID)
>>> i.save()
delete(prompt_on_delete=True)[source]

Delete a resource instance.

Parameters:

prompt_on_delete (bool, optional) – True if the user wants to be prompted when a delete is issued, False otherwise; defaults to True.

Examples:
>>> inv = xc.investigations.get(id='a8bf9750-6a79-4415-9558-a56253606b9f')
>>> inv.delete()
property id

Retrieve the identifier for the resource instance.

Returns:

A GUID representing the unique instance

Return type:

str

Examples:
>>> for inv in xc.investigations.filter_by(status='OPEN'):
...     print("Investigation ID is %s" % inv.id)
save()[source]

Write changes made to a resource instance back to the server.

Returns:

The updated resource instance

Return type:

ResourceInstance

Examples:
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=ORGANIZATION_ID, relationship_assigned_to_actor=ACTOR_ID)
>>> i.save()
class pyexclient.workbench.ReviewSummaries(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io review summary records

Resource type name is review_summaries.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'data': {},
 'process_name': 'SOC_QC_REVIEW',
 'reporting_at': '2019-01-15T15:35:00-05:00',
 'task_type': 'ALERT_REVIEW',
 'total': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
data | object | Y | N | data for the specific review summary Allows: null: no-sort
process_name | any | Y | N | Process name Restricted to: “SOC_QC_REVIEW”, “PHISHING_AUDIT”, “SIMILARITY_REVIEW”
reporting_at | string | Y | N | Date used to report the counts Allows: null
task_type | any | Y | N | Task type Restricted to: “ALERT_REVIEW”, “INCIDENT_REVIEW”, “INVESTIGATION_REVIEW”
total | string | Y | N | Total number of errors for this date Allows: null
updated_at | string | Y | N | Last Updated timestamp: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.RuleDefinitions(data, conn, included=None)[source]

Bases: ResourceInstance

Notification rule definitions

Resource type name is rule_definitions.

Example JSON record:

{'conditions': [], 'event_definitions': [], 'owner_id': 'string', 'rule_action': 'string', 'rule_definition_type': 'UNSPECIFIED', 'rule_model': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
conditions | array | Y | N | Allows: null: readonly, no-filter
event_definitions | array | Y | N | Allows: null: readonly, no-filter
owner_id | string | Y | N | The rule definition’s owner id Allows: null, “”
rule_action | string | Y | N | The rule definition’s action description
rule_definition_type | any | Y | N | The type of rule definition (required) Restricted to: “UNSPECIFIED”, “ORG”, “OPS”, “INFRA”, “EM”, “USER”
rule_model | string | Y | N | The name of the model being acted on

class pyexclient.workbench.SamlIdentityProviders(data, conn, included=None)[source]

Bases: ResourceInstance

SAML Identity Providers

Resource type name is saml_identity_providers.

Example JSON record:

{'callback_uri': 'string', 'cert': 'string', 'entity_id': 'string', 'status': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
callback_uri | string | Y | N | Allows: “”
cert | string | Y | N | Allows: “”, null
entity_id | string | Y | N | Allows: “”
status | string | Y | N | Restricted to: “not_configured”, “configured”
organization | Organizations | N | Y | Defines/retrieves expel.io organization records

class pyexclient.workbench.Secrets(data, conn, included=None)[source]

Bases: ResourceInstance

Organization secrets. Note: requests for this resource must use the path format /secrets/security_device-<guid>.

Resource type name is secrets.

Example JSON record:

{'secret': {'device_info': {'access_id': '7b0a343c-860e-442e-ab0b-d6f349d364d9', 'access_key': 'secret-access-key', 'source_category': 'alpha'},
            'device_secret': {'console_url': 'https://console-access-point.com', 'password': 'password', 'username': 'admin@company.com'},
            'two_factor_secret': 'GNFXSU2OKNJXUPTGJVQUMNDHM4YVEKRJ'}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
secret | object | Y | N | Allows: null
organization | Organizations | N | Y | Defines/retrieves expel.io organization records

class pyexclient.workbench.SecurityDeviceCounts(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io security_device_count records

Resource type name is security_device_counts.

Example JSON record:

{'counts': {}, 'created_at': '2019-01-15T15:35:00-05:00', 'error_message': 'string', 'missing_permissions_detail': {}, 'organization_id': 'string', 'security_device_id': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
counts | object | Y | N | The security device counts: readonly, no-sort
created_at | string | Y | N | Created timestamp: readonly
error_message | string | Y | N | Error message when retrieving counts: readonly
missing_permissions_detail | object | Y | N | Missing permissions details: no-sort
organization_id | string | Y | N | Organization ID the security device belongs to: readonly
security_device_id | string | Y | N | Security Device ID: readonly
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
security_device | SecurityDevices | N | Y | Security devices

class pyexclient.workbench.SecurityDeviceHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Security Device histories

Resource type name is security_device_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Security device history action Restricted to: “CREATED”, “UPDATED”, “UPDATED_SECRETS”, “DELETED”
created_at | string | Y | N | Created timestamp: readonly
value | object | Y | N | Security device history details Allows: null: no-sort
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
security_device | SecurityDevices | N | Y | Security devices

class pyexclient.workbench.SecurityDevices(data, conn, included=None)[source]

Bases: ResourceInstance

Security devices

Resource type name is security_devices.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'deleted_at': '2019-01-15T15:35:00-05:00',
 'device_spec': {},
 'device_type': 'ENDPOINT',
 'has_console_credentials': True,
 'has_two_factor_secret': True,
 'is_verifying_status': True,
 'location': 'string',
 'name': 'string',
 'no_alert_threshold_hours': 100,
 'plugin_slug': 'string',
 'properties': {},
 'status': 'healthy',
 'status_details': {},
 'status_updated_at': '2019-01-15T15:35:00-05:00',
 'task_source': 'CUSTOMER_PREMISE',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
deleted_at | string | Y | N | Deleted At timestamp Allows: null
device_spec | object | Y | N | Device Spec Allows: null: no-sort
device_type | any | Y | N | Device Type Restricted to: “ENDPOINT”, “NETWORK”, “SIEM”, “OTHER”, “CLOUD”
has_console_credentials | boolean | Y | N | Has console credentials stored in vault: readonly
has_two_factor_secret | boolean | Y | N | Has 2fa secret stored in vault: readonly
is_verifying_status | boolean | Y | N | A health check is in progress for device
location | string | Y | N | Location Allows: “”, null
name | string | Y | N | Name
no_alert_threshold_hours | number | Y | N | Number of hours to wait before sending an alert for a device that has not checked in Allows: null
plugin_slug | string | Y | N | Allows: “”, null
properties | object | Y | N | Properties about the security device: no-sort
status | any | Y | N | Status. Note: By default if the security device has an assembler, and that assembler is unhealthy, the status will return that information rather than the raw status of the security device. To disable this behavior, add the query parameter flag[raw_status]=true. Restricted to: “healthy”, “unhealthy”, “health_checks_not_supported” Allows: null
status_details | object | Y | N | Status Details. Note: By default if the security device has an assembler, and that assembler is unhealthy, the status details will return that information rather than the raw status of the security device. To disable this behavior, add the query parameter flag[raw_status]=true. Allows: null: no-sort
status_updated_at | string | Y | N | Status Updated At Allows: null: readonly
task_source | any | Y | N | Location where tasks are run Restricted to: “CUSTOMER_PREMISE”, “EXPEL_TASKPOOL”
updated_at | string | Y | N | Last Updated timestamp: readonly
assembler | Assemblers | N | Y | Assemblers
child_security_devices | SecurityDevices | N | Y | Security devices
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
investigative_actions | InvestigativeActions | N | Y | investigative actions
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
organization_contacts | OrganizationContacts | N | Y | Defines/retrieves expel.io organization_contact records
parent_security_device | SecurityDevices | N | Y | Security devices
remediation_action_asset_histories | RemediationActionAssetHistories | N | Y | Remediation action asset histories
remediation_action_assets | RemediationActionAssets | N | Y | Remediation action assets
remediation_action_histories | RemediationActionHistories | N | Y | Remediation action histories
remediation_action_setting_list_source_histories | RemediationActionSettingListSourceHistories | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source_history records
remediation_action_setting_list_sources | RemediationActionSettingListSources | N | Y | Defines/retrieves expel.io remediation_action_setting_list_source records
remediation_action_settings | RemediationActionSettings | N | Y | Defines/retrieves expel.io remediation_action_setting records
remediation_actions | RemediationActions | N | Y | Remediation actions
security_device_counts | SecurityDeviceCounts | N | Y | Defines/retrieves expel.io security_device_count records
security_device_histories | SecurityDeviceHistories | N | Y | Security Device histories
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records
vendor | Vendors | N | Y | Vendors
vendor_alerts | VendorAlerts | N | Y | Vendor alerts
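As an added example (not pyexclient code), the check below turns the status, is_verifying_status, no_alert_threshold_hours and status_updated_at attributes documented above into a monitoring-gap audit over plain dicts shaped like the security_devices record; the sample devices are constructed, and the timestamp format assumed is the ISO-8601 form shown in the example record. Keep in mind that unless flag[raw_status]=true was passed, status reflects an unhealthy assembler rather than the device itself.

```python
"""Audit Workbench security_devices records for monitoring gaps.

Added example, not part of pyexclient. Works on plain dicts shaped like the
security_devices record so it runs offline; SAMPLE_DEVICES is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Enum values documented for the status attribute.
HEALTHY = "healthy"
UNHEALTHY = "unhealthy"
NO_HEALTH_CHECKS = "health_checks_not_supported"


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse the ISO-8601 timestamps Workbench returns (e.g. 2019-01-15T15:35:00-05:00)."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_device(device: dict, now: datetime) -> List[str]:
    """Return findings for one device (empty list means it looks fine).

    Rules, all derived from the documented attributes:
      * soft-deleted devices (deleted_at set) are skipped;
      * status null or unhealthy is a finding unless a health check is in flight
        (is_verifying_status), since the value is transient then;
      * health_checks_not_supported with no no_alert_threshold_hours means nobody
        is ever told the device went silent;
      * status_updated_at older than no_alert_threshold_hours means the device has
        exceeded its own check-in threshold.
    """
    findings: List[str] = []
    if device.get("deleted_at"):
        return findings
    name = device.get("name") or "<unnamed>"
    status = device.get("status")
    threshold = device.get("no_alert_threshold_hours")
    verifying = bool(device.get("is_verifying_status"))

    if status in (None, UNHEALTHY) and not verifying:
        detail = (device.get("status_details") or {}).get("message", "")
        findings.append(f"{name}: status={status!r} {detail}".rstrip())
    if status == NO_HEALTH_CHECKS and threshold is None:
        findings.append(f"{name}: no health checks and no check-in threshold")

    last = _parse_ts(device.get("status_updated_at"))
    if threshold is not None and last is not None:
        age = now - last
        if age > timedelta(hours=threshold):
            hours = int(age.total_seconds() // 3600)
            findings.append(f"{name}: last status update {hours}h ago exceeds {threshold}h threshold")
    return findings


def audit_devices(devices: Iterable[dict], now: datetime) -> List[str]:
    """Run audit_device over every record and flatten the findings."""
    findings: List[str] = []
    for device in devices:
        findings.extend(audit_device(device, now))
    return findings


# Constructed sample records (not real devices), shaped like the record above.
SAMPLE_DEVICES = [
    {"name": "edr-east", "device_type": "ENDPOINT", "status": HEALTHY,
     "status_updated_at": "2024-03-01T11:00:00+00:00", "no_alert_threshold_hours": 24},
    {"name": "fw-dmz", "device_type": "NETWORK", "status": UNHEALTHY,
     "status_details": {"message": "auth failure"}, "is_verifying_status": False,
     "status_updated_at": "2024-03-01T10:00:00+00:00", "no_alert_threshold_hours": 24},
    {"name": "siem-main", "device_type": "SIEM", "status": HEALTHY,
     "status_updated_at": "2024-02-20T10:00:00+00:00", "no_alert_threshold_hours": 48},
    {"name": "legacy-proxy", "device_type": "OTHER", "status": NO_HEALTH_CHECKS,
     "status_updated_at": None, "no_alert_threshold_hours": None},
    {"name": "old-sensor", "status": UNHEALTHY, "deleted_at": "2024-01-01T00:00:00+00:00"},
    {"name": "cloud-trail", "device_type": "CLOUD", "status": None, "is_verifying_status": True,
     "status_updated_at": "2024-03-01T11:30:00+00:00", "no_alert_threshold_hours": 6},
]
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in audit_devices(SAMPLE_DEVICES, NOW):
        print(line)
```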

class pyexclient.workbench.Skus(data, conn, included=None)[source]

Bases: ResourceInstance

Service Skus

Resource type name is skus.

Example JSON record:

{'allows_integrations': True,
 'attack_surfaces': [],
 'display_name': 'string',
 'hunting_attack_surfaces': [],
 'investigative_tech_attack_surfaces': [],
 'is_single_license': True,
 'name': 'string',
 'service_type': 'string',
 'version': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
allows_integrations | boolean | Y | N | Meta: readonly, no-filter, no-sort
attack_surfaces | array | Y | N | Meta: no-filter, no-sort
display_name | string | Y | N | Missing Description
hunting_attack_surfaces | array | Y | N | Meta: no-filter, no-sort
investigative_tech_attack_surfaces | array | Y | N | Meta: no-filter, no-sort
is_single_license | boolean | Y | N | Missing Description
name | string | Y | N | Missing Description
service_type | string | Y | N | Missing Description
version | string | Y | N | Missing Description

class pyexclient.workbench.SuggestionHistories(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io suggestion_history records

Resource type name is suggestion_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'suggestion_action': 'ADD_TO', 'value': {}}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Suggestion history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null
created_at | string | Y | N | Created timestamp: readonly
suggestion_action | any | Y | N | Suggestion action Restricted to: “ADD_TO”, “CLOSE”, “SUPPRESS”, “INVESTIGATE”
value | object | Y | N | Suggestion history details Allows: null: no-sort
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
suggestion | Suggestions | N | Y | Defines/retrieves expel.io suggestions

class pyexclient.workbench.Suggestions(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io suggestions

Resource type name is suggestions.

Example JSON record:

{'action': 'ADD_TO', 'created_at': '2019-01-15T15:35:00-05:00', 'metadata': {}, 'rank': 100, 'suggestion': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
action | any | Y | N | Action Restricted to: “ADD_TO”, “CLOSE”, “SUPPRESS”, “INVESTIGATE”
created_at | string | Y | N | Created timestamp: readonly
metadata | object | Y | N | Metadata for the suggestion Allows: null: no-sort
rank | number | Y | N | Visualization rank
suggestion | string | Y | N | Body of the suggestion Allows: “”, null: markdown
updated_at | string | Y | N | Last Updated timestamp: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
expel_alerts | ExpelAlerts | N | Y | Expel alerts
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
suggestion_histories | SuggestionHistories | N | Y | Defines/retrieves expel.io suggestion_history records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.TimelineEntries(data, conn, included=None)[source]

Bases: ResourceInstance

Timeline Entries

Resource type name is timeline_entries.

Example JSON record:

{'attack_phase': 'string',
 'comment': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'deleted_at': '2019-01-15T15:35:00-05:00',
 'dest_host': 'string',
 'event': 'string',
 'event_date': '2019-01-15T15:35:00-05:00',
 'event_type': 'string',
 'is_selected': True,
 'src_host': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
attack_phase | string | Y | N | Attack phase of the Timeline Entry Allows: “”, null
comment | string | Y | N | Comment on this Timeline Entry Allows: “”, null
created_at | string | Y | N | Created timestamp: readonly
deleted_at | string | Y | N | Deleted At timestamp Allows: null
dest_host | string | Y | N | Destination Host (IP or Hostname) Allows: “”, null
event | string | Y | N | The event, such as Powershell Attack Allows: “”, null
event_date | string | Y | N | Date/Time of when the event occurred
event_type | string | Y | N | The type of the event, such as Carbon Black Alert Allows: “”, null
is_selected | boolean | Y | N | Has been selected for final report.
src_host | string | Y | N | Source Host (IP or Hostname) Allows: “”, null
updated_at | string | Y | N | Last Updated timestamp: readonly
context_label_actions | ContextLabelActions | N | Y | Defines/retrieves expel.io context_label_action records
context_labels | ContextLabels | N | Y | Defines/retrieves expel.io context_label records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
expel_alert | ExpelAlerts | N | Y | Expel alerts
investigation | Investigations | N | Y | Investigations
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.UserAccountRoles(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io user_account_role records

Resource type name is user_account_roles.

Example JSON record:

{'active': True, 'assignable': True, 'created_at': '2019-01-15T15:35:00-05:00', 'role': 'expel_admin', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
active | boolean | Y | N | If this role is active
assignable | boolean | Y | N | Can user be assigned items (e.g. investigations, etc)
created_at | string | Y | N | Created timestamp: readonly
role | any | Y | N | User account role for this organization Restricted to: “expel_admin”, “expel_analyst”, “organization_admin”, “organization_analyst”, “system”, “anonymous”, “restricted”
updated_at | string | Y | N | Last Updated timestamp: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records
user_account | UserAccounts | N | Y | User accounts

class pyexclient.workbench.UserAccountStatuses(data, conn, included=None)[source]

Bases: ResourceInstance

User account status

Resource type name is user_account_statuses.

Example JSON record:

{'active': True,
 'active_status': 'ACTIVE',
 'created_at': '2019-01-15T15:35:00-05:00',
 'invite_token_expires_at': '2019-01-15T15:35:00-05:00',
 'password_reset_token_expires_at': '2019-01-15T15:35:00-05:00',
 'restrictions': [],
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
active | boolean | Y | N | Missing Description
active_status | any | Y | N | Restricted to: “ACTIVE”, “LOCKED”, “LOCKED_INVITED”, “LOCKED_EXPIRED”, “ACTIVE_INVITED”, “ACTIVE_EXPIRED”: readonly
created_at | string | Y | N | Meta: readonly
invite_token_expires_at | string | Y | N | Allows: null: readonly
password_reset_token_expires_at | string | Y | N | Allows: null: readonly
restrictions | array | Y | N | Missing Description
updated_at | string | Y | N | Meta: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
primary_organization | Organizations | N | Y | Defines/retrieves expel.io organization records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records
user_account | UserAccounts | N | Y | User accounts

class pyexclient.workbench.UserAccounts(data, conn, included=None)[source]

Bases: ResourceInstance

User accounts

Resource type name is user_accounts.

Example JSON record:

{'active': True,
 'active_status': 'ACTIVE',
 'assignable': True,
 'created_at': '2019-01-15T15:35:00-05:00',
 'default_filter': 'ALL',
 'display_name': 'string',
 'email': 'name@company.com',
 'engagement_manager': True,
 'first_name': 'string',
 'homepage_preferences': {},
 'language': 'string',
 'last_name': 'string',
 'locale': 'string',
 'pagerduty_id': 'string',
 'phone_number': 'string',
 'show_highlighting': True,
 'show_new_nav': True,
 'timezone': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
active | boolean | Y | N | Active Allows: null
active_status | any | Y | N | Restricted to: “ACTIVE”, “LOCKED”, “LOCKED_INVITED”, “LOCKED_EXPIRED”, “ACTIVE_INVITED”, “ACTIVE_EXPIRED”: readonly, no-sort, no-filter
assignable | boolean | Y | N | Can user be assigned items (e.g. investigations, etc)
created_at | string | Y | N | Created timestamp: readonly
default_filter | any | Y | N | User account default filter Restricted to: “ALL”, “MDR”, “PHISHING”
display_name | string | Y | N | Display name Allows: “”, null
email | string | Y | N | Email
engagement_manager | boolean | Y | N | Is an engagement manager
first_name | string | Y | N | First Name
homepage_preferences | object | Y | N | Homepage preferences Allows: null: no-sort
language | string | Y | N | Language Allows: “”, null
last_name | string | Y | N | Last Name
locale | string | Y | N | Locale Allows: “”, null
pagerduty_id | string | Y | N | Pagerduty ID Allows: null
phone_number | string | Y | N | Phone number Allows: null
show_highlighting | boolean | Y | N | Whether or not highlighting is enabled
show_new_nav | boolean | Y | N | Whether or not the new navigation UI is displayed: readonly
timezone | string | Y | N | Timezone Allows: “”, null
updated_at | string | Y | N | Last Updated timestamp: readonly
actor | Actors | N | Y | Defines/retrieves expel.io actor records
analysis_assigned_investigative_actions | InvestigativeActions | N | Y | investigative actions
assigned_expel_alerts | ExpelAlerts | N | Y | Expel alerts
assigned_investigations | Investigations | N | Y | Investigations
assigned_investigative_actions | InvestigativeActions | N | Y | investigative actions
assigned_organization_resilience_actions | OrganizationResilienceActions | N | Y | Organization to resilience actions
assigned_organization_resilience_actions_list | OrganizationResilienceActions | N | Y | Organization to resilience actions
assigned_remediation_actions | RemediationActions | N | Y | Remediation actions
automate_opt_in_for_remediation_action_setting | RemediationActionSettings | N | Y | Defines/retrieves expel.io remediation_action_setting records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
current_assigned_investigative_actions_classification | InvestigativeActions | N | Y | investigative actions
notification_preferences | NotificationPreferences | N | Y | User Notification Preferences
organizations | Organizations | N | Y | Defines/retrieves expel.io organization records
primary_organization | Organizations | N | Y | Defines/retrieves expel.io organization records
primary_user_account_role | UserAccountRoles | N | Y | Defines/retrieves expel.io user_account_role records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records
user_account_roles | UserAccountRoles | N | Y | Defines/retrieves expel.io user_account_role records
user_account_status | UserAccountStatuses | N | Y | User account status
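As an added example (not pyexclient code), the check below audits privileged access over user_accounts records using the role values documented for user_account_roles and the active_status values documented above; it assumes the user_account_roles and user_account_status relationships have been materialised as nested dicts on each account (how you fetch them is up to the caller), and the sample accounts are constructed.

```python
"""Privileged-account hygiene check over Workbench user_accounts records.

Added example, not part of pyexclient. Each account is a plain dict shaped
like the user_accounts record, with the documented relationships
user_account_roles (list of role dicts) and user_account_status (dict)
embedded as nested records; that nesting is an assumption of this example.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Admin roles from the user_account_roles.role enum.
PRIVILEGED_ROLES = {"expel_admin", "organization_admin"}
# active_status values that mean the account is not in a normal, established state.
NOT_ESTABLISHED = {"ACTIVE_INVITED", "ACTIVE_EXPIRED", "LOCKED", "LOCKED_INVITED", "LOCKED_EXPIRED"}


def privileged_findings(account: dict, now: datetime) -> List[str]:
    """Return findings for one account; empty list when nothing needs review.

    Checks, in order:
      * an active admin role on an account whose active flag is false or null;
      * an admin role on an account whose active_status is not plain ACTIVE
        (an invite or lock that was never resolved still carries the grant);
      * more than one active admin role on the same account (one per organization);
      * a password reset token on an admin account that has not yet expired.
    Accounts without an active admin role produce no findings at all.
    """
    findings: List[str] = []
    email = account.get("email", "<no email>")
    admin_roles = [r for r in account.get("user_account_roles", [])
                   if r.get("role") in PRIVILEGED_ROLES and r.get("active")]
    if not admin_roles:
        return findings

    if not account.get("active"):
        findings.append(f"{email}: active admin role on inactive account")
    status = account.get("active_status")
    if status in NOT_ESTABLISHED:
        findings.append(f"{email}: admin role while active_status={status}")
    if len(admin_roles) > 1:
        findings.append(f"{email}: {len(admin_roles)} active admin roles")

    uas = account.get("user_account_status") or {}
    reset_expires = uas.get("password_reset_token_expires_at")
    if reset_expires and datetime.fromisoformat(reset_expires) > now:
        findings.append(f"{email}: live password reset token on admin account")
    return findings


def audit_accounts(accounts: Iterable[dict], now: datetime) -> Dict[str, List[str]]:
    """Map email -> findings, keeping only accounts that have at least one."""
    report: Dict[str, List[str]] = {}
    for account in accounts:
        found = privileged_findings(account, now)
        if found:
            report[account.get("email", "<no email>")] = found
    return report


# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS = [
    {"email": "alice@company.com", "active": True, "active_status": "ACTIVE",
     "user_account_roles": [{"role": "organization_admin", "active": True}],
     "user_account_status": {"password_reset_token_expires_at": None}},
    {"email": "bob@company.com", "active": True, "active_status": "ACTIVE_INVITED",
     "user_account_roles": [{"role": "organization_admin", "active": True}],
     "user_account_status": {"invite_token_expires_at": "2024-03-10T00:00:00+00:00"}},
    {"email": "carol@company.com", "active": False, "active_status": "LOCKED",
     "user_account_roles": [{"role": "expel_admin", "active": True},
                            {"role": "organization_analyst", "active": True}]},
    {"email": "dave@company.com", "active": True, "active_status": "ACTIVE",
     "user_account_roles": [{"role": "organization_analyst", "active": True}],
     "user_account_status": {"password_reset_token_expires_at": "2024-03-02T00:00:00+00:00"}},
    {"email": "erin@company.com", "active": True, "active_status": "ACTIVE",
     "user_account_roles": [{"role": "organization_admin", "active": True},
                            {"role": "organization_admin", "active": True}],
     "user_account_status": {"password_reset_token_expires_at": "2024-02-01T00:00:00+00:00"}},
]
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for email, found in audit_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(email, found)
```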

class pyexclient.workbench.UserTasks(data, conn, included=None)[source]

Bases: ResourceInstance

Defines/retrieves expel.io user task records

Resource type name is user_tasks.

Example JSON record:

{'assigned_to_id': {},
 'created_at': '2019-01-15T15:35:00-05:00',
 'data': {},
 'process_name': 'SOC_QC_REVIEW',
 'reporting_at': '2019-01-15T15:35:00-05:00',
 'task_status': 'NEW',
 'task_type': 'ALERT_REVIEW',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
assigned_to_id | object | Y | N | Actor to whom the task is assigned Allows: null
created_at | string | Y | N | Created timestamp: readonly
data | object | Y | N | data for the specific user task Allows: null: no-sort
process_name | any | Y | N | Process name Restricted to: “SOC_QC_REVIEW”, “PHISHING_AUDIT”, “SIMILARITY_REVIEW”
reporting_at | string | Y | N | Date used to report the item status Allows: null
task_status | any | Y | N | Task status Restricted to: “NEW”, “ASSIGNED”, “COMPLETED”
task_type | any | Y | N | Task type Restricted to: “ALERT_REVIEW”, “INCIDENT_REVIEW”, “INVESTIGATION_REVIEW”
updated_at | string | Y | N | Last Updated timestamp: readonly
assigned_to | Actors | N | Y | Defines/retrieves expel.io actor records
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
expel_alert | ExpelAlerts | N | Y | Expel alerts
investigation | Investigations | N | Y | Investigations
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records

class pyexclient.workbench.VendorAlertEvidences(data, conn, included=None)[source]

Bases: ResourceInstance

Vendor alert evidences are extracted from a vendor alert’s evidence summary

Resource type name is vendor_alert_evidences.

Example JSON record:

{'evidence': 'string', 'evidence_type': 'HOSTNAME'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
evidence | string | Y | N | Evidence
evidence_type | any | Y | N | Type Restricted to: “HOSTNAME”, “URL”, “PROCESS_ARGUMENTS”, “PROCESS_PATH”, “PROCESS_MD5”, “USERNAME”, “SRC_IP”, “DST_IP”, “PARENT_ARGUMENTS”, “PARENT_PATH”, “PARENT_MD5”, “SRC_USERNAME”, “DST_USERNAME”, “ALERT_ACTION”, “ALERT_DESCRIPTION”, “ALERT_MESSAGE”, “ALERT_NAME”, “SRC_PORT”, “DST_PORT”, “USER_AGENT”, “VENDOR_NAME”, “DOMAIN”, “FILE_HASH”, “FILE_PATH”
evidenced_expel_alerts | ExpelAlerts | N | Y | Expel alerts
vendor_alert | VendorAlerts | N | Y | Vendor alerts

class pyexclient.workbench.VendorAlerts(data, conn, included=None)[source]

Bases: ResourceInstance

Vendor alerts

Resource type name is vendor_alerts.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'description': 'string',
 'evidence_activity_end_at': '2019-01-15T15:35:00-05:00',
 'evidence_activity_start_at': '2019-01-15T15:35:00-05:00',
 'evidence_summary': [],
 'first_seen': '2019-01-15T15:35:00-05:00',
 'original_alert_id': 'string',
 'original_source_id': 'string',
 'signals': [],
 'signature_id': 'string',
 'status': 'NORMAL',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'vendor_message': 'string',
 'vendor_severity': 'CRITICAL',
 'vendor_sig_name': 'string'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
description | string | Y | N | Description Allows: “”, null
evidence_activity_end_at | string | Y | N | Evidence activity end datetime Allows: null: immutable
evidence_activity_start_at | string | Y | N | Evidence activity start datetime Allows: null: immutable
evidence_summary | array | Y | N | Evidence summary Allows: null: no-sort
first_seen | string | Y | N | First Seen
original_alert_id | string | Y | N | Allows: null: immutable
original_source_id | string | Y | N | Allows: null: immutable
signals | array | Y | N | Signal evidence: no-sort
signature_id | string | Y | N | Signature ID Allows: “”, null
status | any | Y | N | Status Restricted to: “NORMAL”, “PROVISIONAL” Allows: null: readonly
updated_at | string | Y | N | Last Updated timestamp: readonly
vendor_message | string | Y | N | Vendor Message Allows: “”, null
vendor_severity | any | Y | N | Vendor alert severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” Allows: null
vendor_sig_name | string | Y | N | Vendor Sig Name Allows: “”, null
assembler | Assemblers | N | Y | Assemblers
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
evidences | VendorAlertEvidences | N | Y | Vendor alert evidences are extracted from a vendor alert’s evidence summary
expel_alerts | ExpelAlerts | N | Y | Expel alerts
ip_addresses | IpAddresses | N | Y | IP addresses
organization | Organizations | N | Y | Defines/retrieves expel.io organization records
security_device | SecurityDevices | N | Y | Security devices
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records
vendor | Vendors | N | Y | Vendors

class pyexclient.workbench.Vendors(data, conn, included=None)[source]

Bases: ResourceInstance

Vendors

Resource type name is vendors.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'icon': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Name | Field Type | Attribute | Relationship | Field Description
created_at | string | Y | N | Created timestamp: readonly
icon | string | Y | N | Icon Allows: “”, null
name | string | Y | N | Name Allows: “”, null
updated_at | string | Y | N | Last Updated timestamp: readonly
created_by | Actors | N | Y | Defines/retrieves expel.io actor records
expel_alerts | ExpelAlerts | N | Y | Expel alerts
security_devices | SecurityDevices | N | Y | Security devices
updated_by | Actors | N | Y | Defines/retrieves expel.io actor records
vendor_alerts | VendorAlerts | N | Y | Vendor alerts

class pyexclient.workbench.WorkbenchClient(base_url, username=None, password=None, mfa_code=None, token=None, prompt_on_delete=True)[source]

Bases: WorkbenchCoreClient

Instantiate a client that interacts with Workbench’s API server.

If the developer specifies a username, then password and mfa_code are required inputs. If the developer has a token then username, password and mfa_code parameters are ignored.

Parameters:
  • cls (WorkbenchClient) – A Workbench class reference.

  • username (str or None) – The username

  • password (str or None) – The username’s password

  • mfa_code (int or None) – The multi-factor authentication code generated by Google Authenticator.

  • token (str or None) – The bearer token of an authorized session. Can be used instead of username/password combo.

Returns:

An initialized and authorized Workbench client.

Return type:

WorkbenchClient

capabilities(customer_id: str)[source]

Get a list of capabilities for a given customer.

Parameters:

customer_id (str) – The customer ID

Examples:
>>> xc.capabilities("my-customer-guid-123")
create_auto_inv_action(customer_id: str, security_device_id: str, created_by_id: str, capability_name: str, input_args: dict, title: str, reason: str, investigation_id: str | None = None, expel_alert_id: str | None = None)[source]

Create an automatic investigative action.

Parameters:
  • customer_id (str) – The customer ID

  • investigation_id (str) – The investigation ID to associate the action with.

  • expel_alert_id (str) – The expel alert id

  • security_device_id (str) – The security device ID, to dispatch the task against.

  • created_by_id (str) – The user ID that created the action

  • capability_name (str) – The name of the capability we are running. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.

  • input_args (dict) – The input arguments to the capability to run. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.

  • title (str) – The title of the investigative action, shows up in Workbench.

  • reason (str) – The reason for running the investigative action, shows up in Workbench.

Returns:

Investigative action response

Return type:

InvestigativeActions

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> input_args = {"user_name": 'willy.wonka@expel.io', 'time_range_start': '2019-01-30T14:00:40Z', 'time_range_end': '2019-01-30T14:45:40Z'}
>>> o = xc.create_auto_inv_action(customer_guid, device_guid, user_guid, 'query_user', input_args, 'Query User', 'Getting user login activity to determine if login is normal', investigation_id=inv_guid)
>>> print("Investigative Action ID: ", o.id)
create_manual_inv_action(title: str, reason: str, instructions: str, investigation_id: str | None = None, expel_alert_id: str | None = None, security_device_id: str | None = None, action_type: str = 'MANUAL')[source]

Create a manual investigative action.

Parameters:
  • title (str) – The title of the investigative action, shows up in Workbench.

  • reason (str) – The reason for running the investigative action, shows up in Workbench.

  • instructions (str) – The instructions for running the investigative action.

  • investigation_id (str) – The investigation ID to associate the action with.

  • expel_alert_id (str) – The expel alert id

  • security_device_id (str) – The security device ID, to dispatch the task against.

  • action_type (str) – The type of action that will be run.

Returns:

Investigative action response

Return type:

InvestigativeActions

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> o = xc.create_manual_inv_action('title foo', 'reason bar', 'instructions blah')
>>> print("Investigative Action ID: ", o.id)
fetch_plugins()[source]

Get a list of plugins.

Examples:
>>> xc.fetch_plugins()
class pyexclient.workbench.WorkbenchCoreClient(base_url, username=None, password=None, mfa_code=None, token=None, retries=3, prompt_on_delete=True)[source]

Bases: object

Instantiate a Workbench core client that provides just authentication and request capabilities to Workbench.

If the developer specifies a username, then password and mfa_code are required inputs. If the developer has a token then username, password and mfa_code parameters are ignored.

Parameters:
  • cls (WorkbenchClient) – A Workbench class reference.

  • username (str or None) – The username

  • password (str or None) – The username’s password

  • mfa_code (int or None) – The multi-factor authentication code generated by Google Authenticator.

  • token (str or None) – The bearer token of an authorized session. Can be used instead of username/password combo.

Returns:

An initialized and authorized Workbench client.

Return type:

WorkbenchClient

login(username, password, code)[source]

Authenticate as a human user; this requires providing the 2FA code.

Parameters:
  • username (str) – The user’s e-mail address.

  • password (str) – The user’s password.

  • code (str) – The 2FA code

Returns:

The bearer token that allows users to call Workbench APIs.

Return type:

str

make_session()[source]

Create a session with Workbench

class pyexclient.workbench.base_filter(filter_value)[source]

Bases: operator

Base class for operators which take the form filter[field]. Can be used to create a basic one field filter, or subclassed by special operators for more complicated logic

class pyexclient.workbench.contains(*args)[source]

Bases: base_filter

The contains operator is used to search for fields that contain a substring.

Parameters:

value (str) – A substring to be checked against the value of a field.

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=contains("foo")):
>>>     print("%s contains foo in the close comment" % ea.expel_name)
class pyexclient.workbench.flag(filter_value)[source]

Bases: operator

Base class for operators which take the form flag[field]. Can be used to create a basic one field flag, or subclassed by special operators for more complicated logic

class pyexclient.workbench.gt(value)[source]

Bases: base_filter

The gt (greater than) operator is used to search a specific field for values greater than X.

Parameters:

value (str) – The greater than value to be used in comparison during a search.

Examples:
>>> for ea in xc.expel_alerts.search(created_at=gt("2020-01-01")):
>>>     print("%s was created after 2020-01-01" % ea.expel_name)
class pyexclient.workbench.include(include)[source]

Bases: operator

The include operator requests base resource names in a search. Cannot be used with sort or filtering. Passed as arg to search. TODO: enforce this constraint with asserts.

Parameters:

include (str) – Include specific base resource names in request

Examples:
>>> for ea in xc.expel_alerts.search(include('organization,created_by,updated_by')):
>>>     print(ea.organization)

pyexclient.workbench.is_operator(value)[source]

Determine if a value implements an operator.

Parameters:

value (object) – The value to check

Returns:

True if value is an operator False otherwise.

Return type:

bool

class pyexclient.workbench.isnull(filter_value=True)[source]

Bases: base_filter

The isnull operator is used to search for fields that are null.

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=isnull()):
>>>     print("%s has no close comment" % ea.expel_name)
class pyexclient.workbench.limit(limit)[source]

Bases: operator

The limit operator adds a limit to a search. Passed as arg to search

Parameters:

limit (int) – Limit the number of results returned.

class pyexclient.workbench.lt(value)[source]

Bases: base_filter

The lt (less than) operator is used to search a specific field for values less than X.

Parameters:

value (str) – The less than value to be used in comparison during a search.

Examples:
>>> for ea in xc.expel_alerts.search(created_at=lt("2020-01-01")):
>>>     print("%s was created before 2020-01-01" % ea.expel_name)
class pyexclient.workbench.neq(*args)[source]

Bases: base_filter

The neq operator is used to search for fields that are not equal to a specified value.

Parameters:

value (str) – The value to assert the field is not equal to

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=neq("foo")):
>>>     print("%s has a close comment that is not equal to 'foo'" % ea.expel_name)
class pyexclient.workbench.notnull(filter_value=True)[source]

Bases: base_filter

The notnull operator is used to search for fields that are not null.

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=notnull()):
>>>     print("%s has a close comment of %s" % (ea.expel_name, ea.close_comment))
class pyexclient.workbench.operator(filter_value)[source]

Bases: object

Base class for all operators. This should not be used directly.

class pyexclient.workbench.relationship(rel_path, value)[source]

Bases: operator

relationship operator allows for searching of resource objects based on their relationship to other resource objects. Passed as arg to search

Parameters:
  • rel_path (str) – A dot notation of the relationship path to a resource object.

  • value (object) – The value the rel_path be compared to. This can be an operator, or a primitive value.

Examples:
>>> for inv_action in xc.investigative_actions.search(relationship("investigation.close_comment", notnull())):
>>>     print("Found investigative action associated with an investigation that has no close comment.")
class pyexclient.workbench.sort(sort, order='asc')[source]

Bases: operator

The sort operator passes a sort request to a search. Multiple sort operators can be added to a single search. If no sort is provided, the default of sorting by created_at (asc) -> id (asc) will be used. Passed as arg to search. TODO: enforce this with asserts.

Parameters:

  • sort (str) – The column to sort on.

  • order (str) – Expects asc or desc. The database will translate asc->+ and desc->-

class pyexclient.workbench.startswith(swith)[source]

Bases: base_filter

The startswith operator is used to search for values that start with a specified string.

Parameters:

value (str) – The startswith string

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=startswith("foo")):
>>>     print("%s starts with foo in the close comment" % ea.expel_name)
class pyexclient.workbench.window(start, end)[source]

Bases: base_filter

The window operator is used to search a specific field that is within a window (range) of values

Parameters:
  • start (Union[str, int, datetime.datetime]) – The beginning of the window range

  • end (str) – The end of the window range

Examples:
>>> for ea in xc.expel_alerts.search(created_at=window("2020-01-01", "2020-05-01")):
>>>     print("%s was created after 2020-01-01 and before 2020-05-01" % ea.expel_name)
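The operators documented above (base_filter subclasses bound to a field as keyword arguments, and include/limit/relationship/sort passed positionally) are easiest to understand as a small query builder. The block below is an added example, not pyexclient's own implementation: the class names mirror the reference entries, but the wire encoding it produces (filter[field]=value with assumed prefix/suffix markers for contains, startswith, gt, lt, neq and null checks, page[limit] for limit, +/- column names for sort) is an assumption chosen for the illustration and is not a description of the real Workbench API format. It does enforce the two constraints the docstrings only state in prose: field-bound filters cannot be passed positionally, and include cannot be combined with sort or filtering.

```python
from datetime import datetime
from urllib.parse import urlencode


def _render(value):
    """Render a primitive filter value; datetimes become ISO 8601 strings."""
    return value.isoformat() if isinstance(value, datetime) else str(value)


class operator:
    """Base class for all operators. Not used directly (mirrors the reference)."""

    def __init__(self, filter_value):
        self.filter_value = filter_value

    def params(self, field=None):
        raise NotImplementedError


class base_filter(operator):
    """Operators of the form filter[field]=<prefix><value><suffix> (assumed encoding)."""
    prefix = ""
    suffix = ""

    def _require_field(self, field):
        if field is None:
            raise ValueError("%s must be bound to a field (field=%s(...))"
                             % (type(self).__name__, type(self).__name__))

    def params(self, field=None):
        self._require_field(field)
        return [("filter[%s]" % field, self.prefix + _render(self.filter_value) + self.suffix)]


class contains(base_filter):
    prefix = suffix = ":"      # assumed marker for "substring match"


class startswith(base_filter):
    prefix = "^"               # assumed marker for "starts with"


class gt(base_filter):
    prefix = ">"


class lt(base_filter):
    prefix = "<"


class neq(base_filter):
    prefix = "!"


class isnull(base_filter):
    """isnull() renders 'null'; isnull(False) renders '!null' (assumed encoding)."""
    def __init__(self, filter_value=True):
        super().__init__("null" if filter_value else "!null")


class notnull(isnull):
    def __init__(self, filter_value=True):
        super().__init__(not filter_value)


class window(base_filter):
    """Range search: expands to a gt(start) and an lt(end) filter on the same field."""
    def __init__(self, start, end):
        super().__init__((start, end))

    def params(self, field=None):
        self._require_field(field)
        start, end = self.filter_value
        return gt(start).params(field) + lt(end).params(field)


class include(operator):
    def params(self, field=None):
        return [("include", self.filter_value)]


class limit(operator):
    def params(self, field=None):
        return [("page[limit]", str(int(self.filter_value)))]   # assumed parameter name


class sort(operator):
    def __init__(self, sort, order="asc"):
        if order not in ("asc", "desc"):
            raise ValueError("order must be 'asc' or 'desc'")
        super().__init__(sort)
        self.order = order

    def params(self, field=None):
        return [("sort", ("+" if self.order == "asc" else "-") + self.filter_value)]


class relationship(operator):
    """Filter on a dotted relationship path; value may be an operator or a primitive."""
    def __init__(self, rel_path, value):
        super().__init__(value)
        self.rel_path = rel_path

    def params(self, field=None):
        if is_operator(self.filter_value):
            return self.filter_value.params(self.rel_path)
        return [("filter[%s]" % self.rel_path, _render(self.filter_value))]


def is_operator(value):
    """True if value is an operator, False otherwise."""
    return isinstance(value, operator)


def build_query(*args, **kwargs):
    """Mirror search(*args, **kwargs): positional operators plus field=value
    or field=operator keyword filters. Returns an ordered list of (name, value)."""
    params = []
    for arg in args:
        if not is_operator(arg) or isinstance(arg, base_filter):
            raise TypeError("positional arguments must be include/limit/relationship/sort")
        params.extend(arg.params())
    for field, value in kwargs.items():
        if is_operator(value):
            params.extend(value.params(field))
        else:
            params.append(("filter[%s]" % field, _render(value)))   # plain equality
    names = [n for n, _ in params]
    if "include" in names and any(n == "sort" or n.startswith("filter[") for n in names):
        raise ValueError("include cannot be combined with sort or filtering")
    return params


def query_string(*args, **kwargs):
    """URL-encode the built parameters, e.g. for appending to a search endpoint."""
    return urlencode(build_query(*args, **kwargs))
```

Keyword filters bind an operator to a field name exactly as in the reference examples (close_comment=contains("foo")), while relationship, sort, limit and include travel positionally; passing a base_filter positionally, or include alongside any filter, raises immediately instead of producing a query the server would reject or silently misinterpret.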