Workbench API Reference

class pyexclient.workbench.ActivityMetrics(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io activity_metric records

Resource type name is activity_metrics.

Example JSON record:

{'activity': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'data': {},
 'ended_at': '2019-01-15T15:35:00-05:00',
 'referring_url': 'https://company.com/',
 'started_at': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'url': 'https://company.com/'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Activity. Allows: "", null | activity | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Additional data about the activity. Allows: null; no-sort | data | object | Y | N |
| Date/Time of when the activity concluded | ended_at | string | Y | N |
| Referring url. Allows: "", null | referring_url | string | Y | N |
| Date/Time of when the activity started | started_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Url. Allows: "", null | url | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Expel alerts | expel_alert | ExpelAlerts | N | Y |
| Investigations | investigation | Investigations | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
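Every class on this page is constructed as ResourceInstance(data, conn, included=None), but the page never shows what data and included look like on the wire. The following is an added example, not pyexclient's own code: a minimal decoder for the JSON:API document shape (a primary data resource carrying attributes and relationships, plus an included array holding related resources in full) that resolves relationship linkage against included and keeps unresolved linkage as (type, id) stubs. The activity_metrics record, the actor, the ids and the Record class are constructed for illustration and are not real Workbench data.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed JSON:API document standing in for a Workbench response. It is
# not a real record: the ids, the actor and the activity are made up. The
# shape is the JSON:API one the records on this page are presented in: a
# primary `data` resource with `attributes` and `relationships`, and an
# `included` array carrying related resources in full.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "type": "activity_metrics",
        "id": "00000000-0000-4000-8000-000000000001",
        "attributes": {
            "activity": "search",
            "created_at": "2019-01-15T15:35:00-05:00",
            "url": "https://company.com/",
        },
        "relationships": {
            "created_by": {"data": {"type": "actors",
                                    "id": "00000000-0000-4000-8000-0000000000aa"}},
            "investigation": {"data": None},
            # Linkage whose resource the server did not send in `included`.
            "security_device": {"data": {"type": "security_devices",
                                         "id": "00000000-0000-4000-8000-0000000000bb"}},
        },
    },
    "included": [
        {"type": "actors", "id": "00000000-0000-4000-8000-0000000000aa",
         "attributes": {"actor_type": "user", "display_name": "analyst", "is_expel": False}},
    ],
})


class Record:
    """A flattened JSON:API resource (a stand-in for ResourceInstance, not
    pyexclient's class). Attributes are reachable as Python attributes;
    relationships are resolved against `included` where the server sent the
    related resource and kept as (type, id) stubs otherwise."""

    def __init__(self, data: Dict[str, Any], included: Optional[List[Dict[str, Any]]] = None):
        self.type = data["type"]
        self.id = data["id"]
        self.is_stub = "attributes" not in data  # only type and id are known
        self.attributes: Dict[str, Any] = dict(data.get("attributes", {}))
        # Index included resources by (type, id) so linkage resolution is O(1).
        index = {(r["type"], r["id"]): r for r in (included or [])}
        self.relationships: Dict[str, Any] = {}
        for name, rel in data.get("relationships", {}).items():
            linkage = rel.get("data")
            if linkage is None:
                self.relationships[name] = None  # empty to-one relationship
            elif isinstance(linkage, list):
                self.relationships[name] = [self._resolve(item, index) for item in linkage]
            else:
                self.relationships[name] = self._resolve(linkage, index)

    @staticmethod
    def _resolve(linkage: Dict[str, str], index: Dict[Any, Dict[str, Any]]) -> "Record":
        full = index.get((linkage["type"], linkage["id"]))
        # Related resources are resolved one level deep (no `included` passed
        # down), which also rules out loops between mutually linked resources.
        return Record(full) if full else Record(linkage)

    def __getattr__(self, name: str) -> Any:
        # Reached only when normal lookup fails; this is what lets callers
        # write record.activity or actor.display_name, in the style of the
        # page's inv.title examples.
        attrs = self.__dict__.get("attributes", {})
        if name in attrs:
            return attrs[name]
        raise AttributeError(name)


def parse_document(raw: str) -> List[Record]:
    """Decode a JSON:API document; `data` may be one resource or a list."""
    doc = json.loads(raw)
    data = doc.get("data")
    included = doc.get("included", [])
    resources = data if isinstance(data, list) else ([data] if data else [])
    return [Record(r, included) for r in resources]
```

parse_document(SAMPLE_RESPONSE) yields one activity_metrics record whose created_by resolves to the included actor, whose investigation is None, and whose security_device is a stub because the server sent only its linkage; checking is_stub before reading attributes is the caveat to remember when a relationship was not requested via include.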
class pyexclient.workbench.Actors(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io actor records

Resource type name is actors.

Example JSON record:

{'actor_type': 'system', 'created_at': '2019-01-15T15:35:00-05:00', 'display_name': 'string', 'is_expel': True, 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Actor type. Restricted to: "system", "user", "organization", "api", "service"; immutable | actor_type | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Display name. Allows: "", null | display_name | string | Y | N |
| Meta: readonly, no-sort, no-filter | is_expel | boolean | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Investigative actions | analysis_assigned_investigative_actions | InvestigativeActions | N | Y |
| Expel alerts | assigned_expel_alerts | ExpelAlerts | N | Y |
| Investigations | assigned_investigations | Investigations | N | Y |
| Investigative actions | assigned_investigative_actions | InvestigativeActions | N | Y |
| Organization to resilience actions | assigned_organization_resilience_actions | OrganizationResilienceActions | N | Y |
| Organization to resilience actions | assigned_organization_resilience_actions_list | OrganizationResilienceActions | N | Y |
| Remediation actions | assigned_remediation_actions | RemediationActions | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | automate_opt_in_for_remediation_action_setting | RemediationActionSettings | N | Y |
| Defines/retrieves expel.io actor records | child_actors | Actors | N | Y |
| Defines/retrieves expel.io organization records | child_organizations | Organizations | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigative actions | current_assigned_investigative_actions_classification | InvestigativeActions | N | Y |
| User Notification Preferences | notification_preferences | NotificationPreferences | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | parent_actor | Actors | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
| User accounts | user_account | UserAccounts | N | Y |
class pyexclient.workbench.ApiKeys(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io api_key records. These can only be created by a user and require an OTP token.

Resource type name is api_keys.

Example JSON record:

{'access_token': 'string',
 'active': True,
 'assignable': True,
 'created_at': '2019-01-15T15:35:00-05:00',
 'display_name': 'string',
 'name': 'string',
 'realm': 'public',
 'restrictions': [],
 'role': 'expel_admin',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Only upon initial api key creation (POST), contains the bearer api key token required for api access: readonly, no-sort, no-filter | access_token | string | Y | N |
| Active. Allows: null | active | boolean | Y | N |
| Can Api key be assigned items (e.g. investigations, etc) | assignable | boolean | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Display name. Allows: null | display_name | string | Y | N |
| Missing Description | name | string | Y | N |
| Realm in which the api key can be used. Restricted to: "public", "internal" | realm | any | Y | N |
| Special authorization restrictions for this api key | restrictions | array | Y | N |
| Role. Restricted to: "expel_admin", "expel_analyst", "organization_admin", "organization_analyst", "system", "anonymous", "restricted" | role | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.AssemblerImages(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Assembler Images

Resource type name is assembler_images.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'hash_md5': 'string',
 'hash_sha1': 'string',
 'hash_sha256': 'string',
 'platform': 'VMWARE',
 'release_date': '2019-01-15T15:35:00-05:00',
 'size': 100,
 'updated_at': '2019-01-15T15:35:00-05:00',
 'version': 'string'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Assembler image md5 hash. Allows: null | hash_md5 | string | Y | N |
| Assembler image sha1 hash. Allows: null | hash_sha1 | string | Y | N |
| Assembler image sha256 hash. Allows: null | hash_sha256 | string | Y | N |
| Platform. Restricted to: "VMWARE", "HYPERV", "AZURE", "AMAZON" | platform | any | Y | N |
| Assembler image release date. Allows: null | release_date | string | Y | N |
| Assembler image size. Allows: null | size | number | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Assembler image version. Allows: "", null | version | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
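The assembler_images record publishes md5, sha1 and sha256 digests and the size of each image. As an added example (not part of pyexclient or the Expel API), the following verifies a downloaded image against such a record, anchoring on hash_sha256 only and refusing to fall back to the nullable, collision-prone hash_md5/hash_sha1 fields when the sha256 is absent. The image bytes and the record are constructed here so the check runs offline; verify_image, sha256_of_file and ImageVerificationError are names assumed for the example.

```python
import hashlib
import hmac
from typing import Any, Mapping

# Constructed image bytes and a matching assembler_images-shaped record. Neither
# is a real Expel image or release; the digests are computed over the bytes
# here so the record is internally consistent.
SAMPLE_IMAGE = b"constructed assembler image bytes, not a real OVA\n" * 1024
SAMPLE_RECORD = {
    "platform": "VMWARE",
    "version": "constructed-1.0",
    "size": len(SAMPLE_IMAGE),
    "hash_md5": hashlib.md5(SAMPLE_IMAGE).hexdigest(),
    "hash_sha1": hashlib.sha1(SAMPLE_IMAGE).hexdigest(),
    "hash_sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}


class ImageVerificationError(Exception):
    pass


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a (multi-GB) image from disk instead of reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(record: Mapping[str, Any], image: bytes) -> str:
    """Check downloaded image bytes against an assembler_images record.

    hash_sha256 is the only digest accepted as the integrity anchor: hash_md5
    and hash_sha1 are nullable in the record and both are collision-prone, so
    a record without a sha256 is reported as unverifiable rather than being
    silently checked against a weaker digest. Returns the verified sha256.
    """
    expected = record.get("hash_sha256")
    if not expected:
        raise ImageVerificationError(
            "record has no hash_sha256; refusing to fall back to md5/sha1")
    size = record.get("size")
    if size is not None and size != len(image):
        raise ImageVerificationError(
            f"size mismatch: record says {size} bytes, downloaded {len(image)}")
    actual = hashlib.sha256(image).hexdigest()
    # Constant-time comparison; it costs nothing here and keeps the check uniform.
    if not hmac.compare_digest(actual, str(expected).lower()):
        raise ImageVerificationError(
            f"sha256 mismatch: expected {expected}, got {actual}")
    return actual
```

The size check is cheap and catches truncated downloads before hashing; the digest check is what actually binds the file to the record, so a record whose hash_sha256 is null should be treated as a reason to stop the rollout, not as permission to use the md5.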
class pyexclient.workbench.Assemblers(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Assemblers

Resource type name is assemblers.

Example JSON record:

{'connection_status': 'Never Connected',
 'connection_status_updated_at': '2019-01-15T15:35:00-05:00',
 'created_at': '2019-01-15T15:35:00-05:00',
 'deleted_at': '2019-01-15T15:35:00-05:00',
 'install_code': 'string',
 'lifecycle_status': 'New',
 'lifecycle_status_updated_at': '2019-01-15T15:35:00-05:00',
 'location': 'string',
 'name': 'string',
 'status': 'string',
 'status_updated_at': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'vpn_ip': 'string'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Assembler connection status. Restricted to: "Never Connected", "Connection Lost", "Connected to Provisioning", "Connected to Service". Allows: null | connection_status | any | Y | N |
| Assembler connection status update timestamp: readonly | connection_status_updated_at | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp. Allows: null | deleted_at | string | Y | N |
| Assembler install code. Allows: null | install_code | string | Y | N |
| Assembler life cycle status. Restricted to: "New", "Authorized", "Transitioning", "Transitioned", "Transition Failed", "Configuring", "Configuration Failed", "Active", "Inactive", "Deleted". Allows: null | lifecycle_status | any | Y | N |
| Assembler lifecycle status update timestamp: readonly | lifecycle_status_updated_at | string | Y | N |
| Location of assembler. Allows: "", null | location | string | Y | N |
| Name of assembler. Allows: "", null | name | string | Y | N |
| Assembler status. Restricted to: "not_yet_connected", "connection_lost", "connected", "error", "configuring", "transition_failed", "configuration_failed", "active", "inactive", "deleted". Allows: "", null; readonly | status | string | Y | N |
| Assembler last status update timestamp: readonly | status_updated_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Assembler VPN ip address. Allows: null | vpn_ip | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Security devices | security_devices | SecurityDevices | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
| Vendor alerts | vendor_alerts | VendorAlerts | N | Y |
class pyexclient.workbench.BaseResourceObject(cls, content=None, api_type=None, conn=None)[source]

Bases: object

count()[source]

Return the number of records in a JSON API response. You can get the count of the entries matched by a filter, or the count of all instances of the resource type; the latter does not require paginating over all entries.

Returns:The number of records in a JSON API response
Return type:int
Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> print("Investigation Count: ", xc.investigations.filter_by(customer_id='1').count())
>>> print("Investigation Count: ", xc.investigations.count())
create(**kwargs)[source]

Create a ResourceInstance object that represents a JSON API resource. The object is built locally from the supplied attributes; the record is written to the API by the subsequent save() call, as in the example.

Parameters:kwargs (dict) – Attributes to set on the new JSON API resource. Relationships are passed with a relationship_ prefix, as in the example.
Returns:A ResourceInstance object that represents the requested JSON API resource type.
Return type:ResourceInstance
Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=CUSTOMER_GUID, relationship_assigned_to_actor=PETER_S)
>>> i.save()
filter_by(**kwargs)[source]

Issue a JSON API call requesting that a resource type be filtered by some set of attributes, id, limit, etc. The result can be iterated, counted with count(), or reduced to a single record with one_or_none().

Parameters:kwargs (dict) – Attribute names and the values to filter on (for example customer_id, id, limit)
Returns:A BaseResourceObject object
Return type:BaseResourceObject
Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> for inv in xc.investigations.filter_by(customer_id='1'):
...     print(inv.title)
get(**kwargs)[source]

Request a JSON API resource by id.

Parameters:id (str) – The GUID of the resource
Returns:The ResourceInstance for the requested record (the example reads inv.title from it)
Return type:ResourceInstance
Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> inv = xc.investigations.get(id=investigation_guid)
>>> print(inv.title)
one_or_none()[source]

Return one record from a JSON API response, or None if there were no records.

Returns:A ResourceInstance for the first record, or None when the response was empty
Return type:ResourceInstance or None
Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> inv = xc.investigations.filter_by(customer_id=CUSTOMER_GUID).one_or_none()
>>> if inv is not None:
...     print(inv.title)
search(*args, **kwargs)[source]

Search based on a set of criteria made up of operators and attributes. Operators (relationship, limit, include, sort) are passed positionally and must precede the keyword field filters; a field filter value may be a plain value or a comparison operator such as gt.

Parameters:
  • args (tuple) – Operators: relationship, limit, include, sort
  • kwargs (dict) – Fields and values to search on
Returns:A BaseResourceObject object
Return type:BaseResourceObject
Examples:
>>> from pyexclient.workbench import WorkbenchClient, gt, relationship
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> # field filter
>>> for inv in xc.investigations.search(customer_id=CUSTOMER_GUID):
...     print(inv.title)
>>> # operator field filter
>>> for inv in xc.investigations.search(customer_id=CUSTOMER_GUID, created_at=gt("2020-01-01")):
...     print(inv.title)
>>> # relationship field filter (positional operator before keyword filters)
>>> for inv in xc.investigations.search(relationship("investigative_actions.created_at", gt("2020-01-01")), customer_id=CUSTOMER_GUID):
...     print(inv.title)
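Putting the ApiKeys fields from the table above together with the filter_by and count API of BaseResourceObject: an added example (not pyexclient code) that audits API keys for high-privilege roles, use of the internal realm, missing authorization restrictions and age. The flagging logic runs over plain dicts constructed here, so it can be exercised offline; audit_live shows how the same function would be fed from a WorkbenchClient, assuming the api_keys collection is reachable as xc.api_keys by analogy with xc.investigations in the examples above. HIGH_PRIVILEGE_ROLES, the 90-day rotation window, the key names and the restriction string are assumptions for the example.

```python
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# Policy assumptions for this example: which `role` values (from the ApiKeys
# table) count as high-privilege, and how old a key may be before it is due
# for rotation. Adjust to your tenant's policy.
HIGH_PRIVILEGE_ROLES = {"expel_admin", "organization_admin", "system"}
MAX_KEY_AGE_DAYS = 90

# Constructed sample records shaped like the ApiKeys attributes on this page.
# Names, timestamps and the restriction string are made up for the example.
SAMPLE_KEYS = [
    {"name": "ci-reader", "active": True, "role": "organization_analyst",
     "realm": "public", "restrictions": ["constructed-restriction"],
     "created_at": "2024-05-01T09:00:00-05:00"},
    {"name": "legacy-admin", "active": True, "role": "organization_admin",
     "realm": "public", "restrictions": [],
     "created_at": "2019-01-15T15:35:00-05:00"},
    {"name": "retired", "active": False, "role": "expel_admin",
     "realm": "internal", "restrictions": [],
     "created_at": "2019-01-15T15:35:00-05:00"},
]
# Fixed "now" so the sample audit is reproducible.
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _attr(rec: Any, name: str) -> Any:
    # Accept plain dicts (the constructed samples) as well as objects that
    # expose record attributes as Python attributes, the way the page's
    # examples read inv.title.
    return rec.get(name) if isinstance(rec, dict) else getattr(rec, name, None)


def flag_api_keys(records: Iterable[Any], now: Optional[datetime] = None,
                  max_age_days: int = MAX_KEY_AGE_DAYS) -> List[Dict[str, Any]]:
    """Return one finding per active key that violates the policy above."""
    now = now or datetime.now(timezone.utc)
    findings: List[Dict[str, Any]] = []
    for rec in records:
        if _attr(rec, "active") is False:
            continue  # inactive keys cannot authenticate; nothing to report
        reasons: List[str] = []
        role = _attr(rec, "role")
        if role in HIGH_PRIVILEGE_ROLES:
            reasons.append(f"high-privilege role {role}")
        if _attr(rec, "realm") == "internal":
            reasons.append("internal realm")
        if not _attr(rec, "restrictions"):
            reasons.append("no authorization restrictions")
        created = _attr(rec, "created_at")
        if created:
            # created_at is ISO 8601 with a UTC offset, e.g. 2019-01-15T15:35:00-05:00.
            age = (now - datetime.fromisoformat(created)).days
            if age > max_age_days:
                reasons.append(f"created {age} days ago, older than {max_age_days}")
        if reasons:
            findings.append({"name": _attr(rec, "name"), "role": role, "reasons": reasons})
    return findings


def audit_live(xc: Any, max_age_days: int = MAX_KEY_AGE_DAYS) -> List[Dict[str, Any]]:
    """Feed flag_api_keys from a WorkbenchClient.

    `xc` is a WorkbenchClient as constructed in the examples above; the
    api_keys collection is assumed to be reachable as xc.api_keys, by analogy
    with xc.investigations. Only active keys are requested server-side.
    """
    print("active API keys:", xc.api_keys.filter_by(active=True).count())
    return flag_api_keys(xc.api_keys.filter_by(active=True), max_age_days=max_age_days)


if __name__ == "__main__":
    for finding in flag_api_keys(SAMPLE_KEYS, now=AUDIT_TIME):
        print(f"{finding['name']} ({finding['role']}): {'; '.join(finding['reasons'])}")
```

On the constructed sample only legacy-admin is reported, with three reasons (high-privilege role, no restrictions, older than 90 days); ci-reader is clean and the inactive retired key is skipped. Because access_token is returned only on the POST that creates a key, a rotation triggered by this audit means creating a new key (which the page notes requires a user and an OTP token), moving the consumer over, and then deactivating the old one.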
class pyexclient.workbench.CommentHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io comment_history records

Resource type name is comment_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Comment history action. Restricted to: "CREATED", "UPDATED", "DELETED". Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Comment history details. Allows: null; no-sort | value | object | Y | N |
| Defines/retrieves expel.io comment records | comment | Comments | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
class pyexclient.workbench.Comments(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io comment records

Resource type name is comments.

Example JSON record:

{'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Comment: markdown | comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io comment_history records | comment_histories | CommentHistories | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.Configurations(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io configuration records

Resource type name is configurations.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'default_value': 'object',
 'description': 'string',
 'is_override': True,
 'key': 'string',
 'metadata': {},
 'title': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'validation': {},
 'value': 'object',
 'visibility': 'EXPEL',
 'write_permission_level': 'EXPEL'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Default configuration value. Allows: null; readonly, no-sort | default_value | any | Y | N |
| Description of configuration value. Allows: "", null; readonly, markdown | description | string | Y | N |
| Configuration value is an override: readonly | is_override | boolean | Y | N |
| Configuration key: readonly | key | string | Y | N |
| Configuration metadata. Allows: null; readonly, no-sort | metadata | object | Y | N |
| Title of configuration value. Allows: "", null; readonly | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Configuration value validation. Allows: null; readonly, no-sort | validation | object | Y | N |
| Configuration value. Allows: null; no-sort | value | any | Y | N |
| Configuration visibility. Restricted to: "EXPEL", "ORGANIZATION", "SYSTEM" | visibility | any | Y | N |
| Write permission required. Restricted to: "EXPEL", "ORGANIZATION", "SYSTEM" | write_permission_level | any | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.ContextCategories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Groups for organizing context variables outside of any specific use case

Resource type name is context_categories.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'image': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| A description for this context category. Allows: null | description | string | Y | N |
| Filename for the image used in the context category card in Workbench: immutable | image | string | Y | N |
| Unique name of this context category | name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Reusable strongly typed context variables which can be referenced by other features | context_variables | ContextVariables | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.ContextCategoryDefaults(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

A set of global seed categories which will be added for each new organization

Resource type name is context_category_defaults.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'image': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| A description for this context category. Allows: null | description | string | Y | N |
| Filename for the image used in the context category card in Workbench | image | string | Y | N |
| Unique name of this context category | name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.ContextLabelActionHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io context_label_action_history records

Resource type name is context_label_action_histories.

Example JSON record:

{'action': 'CREATED', 'action_type': 'ALERT_ON', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Context label action history. Restricted to: "CREATED", "UPDATED", "DELETED". Allows: null | action | any | Y | N |
| Action type of source parent remediation action. Restricted to: "ALERT_ON", "ADD_TO", "SUPPRESS" | action_type | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Context label action history details (contains important fields that changed). Allows: null; no-sort | value | object | Y | N |
| Defines/retrieves expel.io context_label records | context_label | ContextLabels | N | Y |
| Defines/retrieves expel.io context_label_action records | context_label_action | ContextLabelActions | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
class pyexclient.workbench.ContextLabelActions(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io context_label_action records

Resource type name is context_label_actions.

Example JSON record:

{'action_type': 'ALERT_ON', 'created_at': '2019-01-15T15:35:00-05:00', 'expel_severity_threshold': 'CRITICAL', 'expel_signature_id': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| What action to take. Restricted to: "ALERT_ON", "ADD_TO", "SUPPRESS" | action_type | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Restricted to: "CRITICAL", "HIGH", "MEDIUM", "LOW", "TESTING", "TUNING". Allows: null | expel_severity_threshold | any | Y | N |
| Expel alert signature. Allows: "", null | expel_signature_id | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io context_label records | context_label | ContextLabels | N | Y |
| Defines/retrieves expel.io context_label_action_history records | context_label_action_histories | ContextLabelActionHistories | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
| Timeline Entries | timeline_entries | TimelineEntries | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.ContextLabelHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io context_label_history records

Resource type name is context_label_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Context label history action. Restricted to: "CREATED", "UPDATED", "DELETED", "ASSIGNED_TAG_CREATED", "ASSIGNED_TAG_DELETED". Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Context label history details (contains important fields that changed). Allows: null; no-sort | value | object | Y | N |
| Defines/retrieves expel.io context_label records | context_label | ContextLabels | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
class pyexclient.workbench.ContextLabelTags(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io context_label_tag records

Resource type name is context_label_tags.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'metadata': {}, 'tag': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Description. Allows: null, "" | description | string | Y | N |
| Metadata about the context label tag. Allows: null; no-sort | metadata | object | Y | N |
| Tag | tag | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io context_label records | context_labels | ContextLabels | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Remediation action assets | remediation_action_assets | RemediationActionAssets | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.ContextLabels(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io context_label records

Resource type name is context_labels.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'definition': {},
 'description': 'string',
 'ends_at': '2019-01-15T15:35:00-05:00',
 'initial_edit_at': '2019-01-15T15:35:00-05:00',
 'metadata': {},
 'resolved_definition': {},
 'review_status': 'APPROVED',
 'starts_at': '2019-01-15T15:35:00-05:00',
 'title': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Definition: no-sort | definition | object | Y | N |
| Description. Allows: null, "" | description | string | Y | N |
| Date/Time of when the context_label should end being tested. Allows: null | ends_at | string | Y | N |
| Date/Time of when the drawer was first opened to create the context label. Allows: null | initial_edit_at | string | Y | N |
| Metadata about the context label. Allows: null; no-sort | metadata | object | Y | N |
| Definition where all variables are replaced with their current values. Allows: null; readonly, no-sort | resolved_definition | object | Y | N |
| Current status of the review process. Restricted to: "APPROVED", "REVIEW_REQUESTED", "CHANGES_REQUESTED", "DECLINED". Allows: null | review_status | any | Y | N |
| Date/Time of when the context_label should start being tested | starts_at | string | Y | N |
| Title. Allows: null, "" | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io context_label_action records | add_to_actions | ContextLabelActions | N | Y |
| Defines/retrieves expel.io context_label_action records | alert_on_actions | ContextLabelActions | N | Y |
| Defines/retrieves expel.io context_label_history records | approval_histories | ContextLabelHistories | N | Y |
| Defines/retrieves expel.io context_label_action_history records | context_label_action_histories | ContextLabelActionHistories | N | Y |
| Defines/retrieves expel.io context_label_action records | context_label_actions | ContextLabelActions | N | Y |
| Defines/retrieves expel.io context_label_history records | context_label_histories | ContextLabelHistories | N | Y |
| Defines/retrieves expel.io context_label_tag records | context_label_tags | ContextLabelTags | N | Y |
| Reusable strongly typed context variables which can be referenced by other features | context_variables | ContextVariables | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Expel alerts | expel_alerts | ExpelAlerts | N | Y |
| Investigations | investigations | Investigations | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Expel alerts | originating_expel_alerts | ExpelAlerts | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source_history records | remediation_action_setting_list_source_histories | RemediationActionSettingListSourceHistories | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | remediation_action_setting_list_sources | RemediationActionSettingListSources | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_settings | RemediationActionSettings | N | Y |
| Defines/retrieves expel.io context_label_action records | suppress_actions | ContextLabelActions | N | Y |
| Timeline Entries | timeline_entries | TimelineEntries | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.ContextVariableHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io context_variable_history records

Resource type name is context_variable_histories.

Example JSON record:

{'action': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Context variable history action. Restricted to: "CREATED", "UPDATED", "DELETED" | action | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Context variable history details. Allows: null; no-sort | value | object | Y | N |
| Reusable strongly typed context variables which can be referenced by other features | context_variable | ContextVariables | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
class pyexclient.workbench.ContextVariables(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Reusable strongly typed context variables which can be referenced by other features

Resource type name is context_variables.

Example JSON record:

{'context_type': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'description': 'string',
 'is_array': True,
 'name': 'string',
 'surface_context': True,
 'updated_at': '2019-01-15T15:35:00-05:00',
 'value': 'object',
 'value_type': 'cidr_block'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| One of a few common types for context variables, or other. Restricted to: "cidr_block", "domain", "email_address", "file_hash", "hostname", "ip_address", "other", "port", "url", "username"; immutable | context_type | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Optional description of this context variable. Allows: null | description | string | Y | N |
| Whether or not the value of this context variable is an array: immutable | is_array | boolean | Y | N |
| Name of this context variable | name | string | Y | N |
| Whether or not to surface this context variable in Workbench | surface_context | boolean | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Value of this context variable: allowStringOperators, no-sort | value | any | Y | N |
| Value type of this context variable. Restricted to: "cidr_block", "integer", "ip_address", "regex", "string"; immutable | value_type | any | Y | N |
| Groups for organizing context variables outside of any specific use case | context_categories | ContextCategories | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | ContextLabels | N | Y |
| Defines/retrieves expel.io context_variable_history records | context_variable_histories | ContextVariableHistories | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Historical event log for each note model | note_histories | Organizations | N | Y |
| A model for tying a message to a specific context variable or term for a specified period of time | notes | Notes | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
class pyexclient.workbench.Detections(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

How we determine security-relevant data for analyst review

Resource type name is detections.

Example JSON record:

{'author_type': 'string',
 'configuration_slugs': [],
 'created_at': '2019-01-15T15:35:00-05:00',
 'customer_context_tags': [],
 'description': 'string',
 'engine': 'string',
 'logic_blob': 'string',
 'name': 'string',
 'priority': 100,
 'severity': 'string',
 'status': 'string',
 'supported_tech': [],
 'tags': [],
 'test_blob': 'string',
 'unique_on': [],
 'unique_within': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| The author of this detection. Allows: "", null | author_type | string | Y | N |
| A list of configuration tags used in the logic of this detection: no-filter, no-sort | configuration_slugs | array | Y | N |
| The time this detection was created. Allows: null | created_at | string | Y | N |
| A list of customer context tags used in the logic of this detection: no-filter, no-sort | customer_context_tags | array | Y | N |
| What this detection is looking for. Allows: "", null | description | string | Y | N |
| The parent detection engine. Allows: "", null | engine | string | Y | N |
| A JSON formatted blob of Josie detection logic. Allows: "", null | logic_blob | string | Y | N |
| The name of the detection. Allows: "", null | name | string | Y | N |
| The order in which Josie applies this detection to security alerts, 0 being a higher priority. Allows: null | priority | number | Y | N |
| The potential impact of detected incidents. Allows: "", null | severity | string | Y | N |
| The production status of this detection. Allows: "", null | status | string | Y | N |
| The technology that this detection supports | supported_tech | array | Y | N |
| A list of tags which may affect upstream behavior: no-filter, no-sort | tags | array | Y | N |
| A JSON formatted list of conditions (vendor alerts) that trigger this detection, in turn creating an Expel alert. Allows: "", null | test_blob | string | Y | N |
| A list of Josie expressions that make this alert unique: no-filter, no-sort | unique_on | array | Y | N |
| The time period in which this alert is unique. Allows: "", null | unique_within | string | Y | N |
| The last time this detection was updated. Allows: null | updated_at | string | Y | N |
| Detection categories | expel_alert_categories | ExpelDetectionCategories | N | Y |
| Detection categories | expel_response_categories | ExpelDetectionCategories | N | Y |
| Detection categories | expel_triage_categories | ExpelDetectionCategories | N | Y |
| Mitre Tactics | mitre_tactics | MitreTactics | N | Y |
| Defines/retrieves expel.io organization records | organizations | Organizations | N | Y |
class pyexclient.workbench.Digests(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Digests

Resource type name is digests.

Example JSON record:

{'email': 'name@company.com', 'schedule': 'string'}

Below are valid filter_by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Email of the user, overwritten by the API during creation. Allows: null, "" | email | string | Y | N |
| Missing Description | schedule | string | Y | N |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| User accounts | user_account | UserAccounts | N | Y |
class pyexclient.workbench.EngagementManagers(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io engagement_manager records

Resource type name is engagement_managers.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'display_name': 'string', 'email': 'name@company.com', 'pagerduty_id': 'string', 'phone_number': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Display name Allows: “”, null display_name string Y N
Email Allows: null email string Y N
Pagerduty ID Allows: null pagerduty_id string Y N
Phone number Allows: null phone_number string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organizations Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.Entitlements(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

path to entitlements service

Resource type name is entitlements.

Example JSON record:

{           'entitlement': {           'enabled_plugin_slugs': [],
                               'investigative_tech_enabled_plugin_slugs': [],
                               'organization_id': 'string',
                               'service_offerings': [],
                               'service_offerings_for_hunting': [],
                               'service_types': []},
    'skus': []}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Allows: null: readonly entitlement object Y N
Missing Description skus array Y N
Defines/retrieves expel.io organization records organization Organizations N Y
class pyexclient.workbench.ExpelAlertHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Expel alert histories

Resource type name is expel_alert_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Expel alert history action Restricted to: “CREATED”, “ASSIGNED”, “STATUS_CHANGED”, “INVESTIGATING”, “TUNING_CHANGED”, “DELETED”, “VIEWED”, “RAPID_TRIAGE_PRIORITY_CHANGED” Allows: null action any Y N
Created timestamp: readonly created_at string Y N
Expel alert history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts expel_alert ExpelAlerts N Y
Investigations investigation Investigations N Y
Defines/retrieves expel.io organization records organization Organizations N Y
class pyexclient.workbench.ExpelAlertThresholdHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io expel_alert_threshold_history records

Resource type name is expel_alert_threshold_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Expel alert threshold history action Restricted to: “CREATED”, “BREACHED”, “ACKNOWLEDGED”, “RECOVERED”, “DELETED” action any Y N
Created timestamp: readonly created_at string Y N
Expel alert threshold history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io expel_alert_threshold records expel_alert_threshold ExpelAlertThresholds N Y
class pyexclient.workbench.ExpelAlertThresholds(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io expel_alert_threshold records

Resource type name is expel_alert_thresholds.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'name': 'string', 'threshold': 100, 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Name name string Y N
Threshold value threshold number Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io expel_alert_threshold_history records expel_alert_threshold_histories ExpelAlertThresholdHistories N Y
Defines/retrieves expel.io expel_alert_threshold records suppressed_by ExpelAlertThresholds N Y
Defines/retrieves expel.io expel_alert_threshold records suppresses ExpelAlertThresholds N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.ExpelAlerts(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Expel alerts

Resource type name is expel_alerts.

Example JSON record:

{           'activity_first_at': '2019-01-15T15:35:00-05:00',
    'activity_last_at': '2019-01-15T15:35:00-05:00',
    'alert_type': 'ENDPOINT',
    'close_comment': 'string',
    'close_reason': 'FALSE_POSITIVE',
    'created_at': '2019-01-15T15:35:00-05:00',
    'cust_disp_alerts_in_critical_incidents_count': 100,
    'cust_disp_alerts_in_incidents_count': 100,
    'cust_disp_alerts_in_investigations_count': 100,
    'cust_disp_closed_alerts_count': 100,
    'cust_disp_disposed_alerts_count': 100,
    'disposition_alerts_in_critical_incidents_count': 100,
    'disposition_alerts_in_incidents_count': 100,
    'disposition_alerts_in_investigations_count': 100,
    'disposition_closed_alerts_count': 100,
    'disposition_disposed_alerts_count': 100,
    'expel_alert_time': '2019-01-15T15:35:00-05:00',
    'expel_alias_name': 'string',
    'expel_message': 'string',
    'expel_name': 'string',
    'expel_severity': 'CRITICAL',
    'expel_signature_id': 'string',
    'expel_version': 'string',
    'git_rule_url': 'https://company.com/',
    'investigative_action_count': 100,
    'is_auto_add': True,
    'is_viewed_by_assignable_expel_user': True,
    'rapid_triage_priority': 'string',
    'ref_event_id': 'string',
    'status': 'string',
    'status_updated_at': '2019-01-15T15:35:00-05:00',
    'tuning_requested': True,
    'updated_at': '2019-01-15T15:35:00-05:00',
    'vendor_alert_count': 100,
    'vendor_disp_alerts_in_critical_incidents_count': 100,
    'vendor_disp_alerts_in_incidents_count': 100,
    'vendor_disp_alerts_in_investigations_count': 100,
    'vendor_disp_closed_alerts_count': 100,
    'vendor_disp_disposed_alerts_count': 100}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Allows: null: readonly, no-sort, no-filter activity_first_at string Y N
Allows: null: readonly, no-sort, no-filter activity_last_at string Y N
Expel alert type Restricted to: “ENDPOINT”, “NETWORK”, “SIEM”, “RULE_ENGINE”, “EXTERNAL”, “OTHER”, “CLOUD”, “PHISHING_SUBMISSION”, “PHISHING_SUBMISSION_SIMILAR” Allows: null alert_type any Y N
Expel alert close comment Allows: “”, null close_comment string Y N
Expel alert close reason Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “OTHER”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “INCONCLUSIVE”, “SUPPRESSED”, “PHISHING_SIMULATION”, “SUPPRESSED_NEW_DEVICE”, “SUPPRESSED_THRESHOLD_EXCEEDED” Allows: null close_reason any Y N
Created timestamp: readonly created_at string Y N
Allows: null cust_disp_alerts_in_critical_incidents_count number Y N
Allows: null cust_disp_alerts_in_incidents_count number Y N
Allows: null cust_disp_alerts_in_investigations_count number Y N
Allows: null cust_disp_closed_alerts_count number Y N
Allows: null cust_disp_disposed_alerts_count number Y N
Allows: null disposition_alerts_in_critical_incidents_count number Y N
Allows: null disposition_alerts_in_incidents_count number Y N
Allows: null disposition_alerts_in_investigations_count number Y N
Allows: null disposition_closed_alerts_count number Y N
Allows: null disposition_disposed_alerts_count number Y N
Expel Alert Time first seen time: immutable expel_alert_time string Y N
Expel alert alias Allows: “”, null expel_alias_name string Y N
Expel alert message Allows: “”, null expel_message string Y N
Expel alert name Allows: “”, null expel_name string Y N
Expel alert severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” expel_severity any Y N
Expel alert signature Allows: “”, null expel_signature_id string Y N
Expel alert version Allows: “”, null expel_version string Y N
URL to rule definition for alert Allows: “”, null git_rule_url string Y N
Allows: null: readonly, no-sort, no-filter investigative_action_count number Y N
Was this expel_alert added to an investigation by one of the robots (i.e. an automated process)?: readonly is_auto_add boolean Y N
Was this expel_alert viewed by an expel assignable user at-least once?: readonly is_viewed_by_assignable_expel_user boolean Y N
Expel alert rapid triage priority Restricted to: “UNKNOWN”, “HIGH”, “LOW” rapid_triage_priority string Y N
Referring event id Allows: null ref_event_id string Y N
Expel alert status Restricted to: “OPEN”, “IN_PROGRESS”, “CLOSED” Allows: null status string Y N
Status Updated At Allows: null: readonly status_updated_at string Y N
tuning requested tuning_requested boolean Y N
Last Updated timestamp: readonly updated_at string Y N
Allows: null: readonly, no-sort, no-filter vendor_alert_count number Y N
Allows: null vendor_disp_alerts_in_critical_incidents_count number Y N
Allows: null vendor_disp_alerts_in_incidents_count number Y N
Allows: null vendor_disp_alerts_in_investigations_count number Y N
Allows: null vendor_disp_closed_alerts_count number Y N
Allows: null vendor_disp_disposed_alerts_count number Y N
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records close_comment_last_updated_by Actors N Y
Defines/retrieves expel.io context_label records context_labels ContextLabels N Y
Defines/retrieves expel.io actor records created_by Actors N Y
IP addresses destination_ip_addresses IpAddresses N Y
Vendor alert evidences are extracted from a vendor alert’s evidence summary evidence VendorAlertEvidences N Y
Expel alert histories expel_alert_assignable_expel_user_view_histories ExpelAlertHistories N Y
Expel alert histories expel_alert_histories ExpelAlertHistories N Y
Expel alert histories expel_alert_rapid_triage_priority_histories ExpelAlertHistories N Y
Expel alert histories expel_alert_view_histories ExpelAlertHistories N Y
Investigations investigation Investigations N Y
Investigative action histories investigative_action_histories InvestigativeActionHistories N Y
investigative actions investigative_actions InvestigativeActions N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io context_label records originated_context_labels ContextLabels N Y
Phishing submissions phishing_submissions PhishingSubmissions N Y
Investigations related_investigations Investigations N Y
Investigations related_investigations_via_involved_host_ips Investigations N Y
Expel alerts similar_alerts ExpelAlerts N Y
IP addresses source_ip_addresses IpAddresses N Y
Defines/retrieves expel.io actor records status_last_updated_by Actors N Y
Defines/retrieves expel.io suggestions suggestions Suggestions N Y
Expel alert histories suppression_histories ExpelAlertHistories N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Defines/retrieves expel.io user task records user_tasks UserTasks N Y
Vendors vendor Vendors N Y
Vendor alerts vendor_alerts VendorAlerts N Y
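ExpelAlertHistories and ExpelAlerts together carry what is needed for response-time metrics: each history row records an action (CREATED, VIEWED, ASSIGNED, STATUS_CHANGED, ...) and when it happened, and the alert itself carries status, severity, close_reason and is_viewed_by_assignable_expel_user. The following added example, which is not part of pyexclient, computes time-to-assignment and time-to-close from constructed records shaped like the example JSON above, keeps the automated SUPPRESSED_* closes out of the analyst metric, and flags open alerts that no assignable user has looked at. Records are flat dicts in which `id` and `expel_alert_id` stand in for the resource id and the `expel_alert` relationship (a simplification); fetching them through the client is left out, and the undocumented `value` blob is not relied on.

```python
"""Triage metrics from expel_alerts and expel_alert_histories records.

Added example, not pyexclient code. All records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

# "id" and "expel_alert_id" stand in for the resource id and the `expel_alert` relationship,
# which the attribute tables above do not list.
ALERTS = [
    {"id": "a1", "expel_name": "Suspicious PowerShell download cradle", "expel_severity": "HIGH",
     "status": "CLOSED", "close_reason": "TRUE_POSITIVE",
     "expel_alert_time": "2019-01-15T15:35:00-05:00", "is_viewed_by_assignable_expel_user": True},
    {"id": "a2", "expel_name": "Credential dumping via LSASS access", "expel_severity": "CRITICAL",
     "status": "IN_PROGRESS", "close_reason": None,
     "expel_alert_time": "2019-01-15T15:50:00-05:00", "is_viewed_by_assignable_expel_user": True},
    {"id": "a3", "expel_name": "New external RDP connection", "expel_severity": "MEDIUM",
     "status": "OPEN", "close_reason": None,
     "expel_alert_time": "2019-01-15T15:00:00-05:00", "is_viewed_by_assignable_expel_user": False},
    {"id": "a4", "expel_name": "Known-benign scanner", "expel_severity": "LOW",
     "status": "CLOSED", "close_reason": "SUPPRESSED_THRESHOLD_EXCEEDED",
     "expel_alert_time": "2019-01-15T15:55:00-05:00", "is_viewed_by_assignable_expel_user": False},
]
HISTORIES = [
    {"expel_alert_id": "a1", "action": "CREATED",        "created_at": "2019-01-15T15:35:00-05:00"},
    {"expel_alert_id": "a1", "action": "VIEWED",         "created_at": "2019-01-15T15:40:00-05:00"},
    {"expel_alert_id": "a1", "action": "ASSIGNED",       "created_at": "2019-01-15T15:45:00-05:00"},
    {"expel_alert_id": "a1", "action": "STATUS_CHANGED", "created_at": "2019-01-15T16:35:00-05:00"},
    {"expel_alert_id": "a2", "action": "CREATED",        "created_at": "2019-01-15T15:50:00-05:00"},
    {"expel_alert_id": "a2", "action": "ASSIGNED",       "created_at": "2019-01-15T16:20:00-05:00"},
    {"expel_alert_id": "a2", "action": "STATUS_CHANGED", "created_at": "2019-01-15T16:22:00-05:00"},
    {"expel_alert_id": "a3", "action": "CREATED",        "created_at": "2019-01-15T15:00:00-05:00"},
    {"expel_alert_id": "a4", "action": "CREATED",        "created_at": "2019-01-15T15:55:00-05:00"},
    {"expel_alert_id": "a4", "action": "STATUS_CHANGED", "created_at": "2019-01-15T15:55:30-05:00"},
]


def _ts(value: str) -> datetime:
    # The API's timestamps carry a UTC offset; fromisoformat keeps it, so subtraction is safe.
    return datetime.fromisoformat(value)


def _first(events: List[dict], action: str) -> Optional[datetime]:
    times = [_ts(e["created_at"]) for e in events if e["action"] == action]
    return min(times) if times else None


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def triage_metrics(alerts, histories, now: datetime, stale_after: timedelta = timedelta(hours=1)) -> dict:
    by_alert = defaultdict(list)
    for h in histories:
        by_alert[h["expel_alert_id"]].append(h)
    assign_minutes, close_minutes, stale = [], [], []
    open_by_severity, closed_by_reason = Counter(), Counter()
    for a in alerts:
        events = by_alert.get(a["id"], [])
        # expel_alert_time (first seen, immutable) is the fallback if history is missing
        created = _first(events, "CREATED") or _ts(a["expel_alert_time"])
        assigned = _first(events, "ASSIGNED")
        if assigned is not None:
            assign_minutes.append(_minutes(created, assigned))
        if a["status"] == "CLOSED":
            closed_by_reason[a["close_reason"]] += 1
            # SUPPRESSED_* closes are automated, not analyst work: keep them out of the metric
            if not (a["close_reason"] or "").startswith("SUPPRESSED"):
                changes = [_ts(e["created_at"]) for e in events if e["action"] == "STATUS_CHANGED"]
                if changes:  # the latest status change is taken as the close
                    close_minutes.append(_minutes(created, max(changes)))
            continue
        open_by_severity[a["expel_severity"]] += 1
        if not a["is_viewed_by_assignable_expel_user"] and now - created >= stale_after:
            stale.append(a["id"])
    return {
        "median_minutes_to_assign": median(assign_minutes) if assign_minutes else None,
        "median_minutes_to_close": median(close_minutes) if close_minutes else None,
        "open_by_severity": dict(open_by_severity),
        "closed_by_reason": dict(closed_by_reason),
        "stale_unviewed": stale,
    }


def run_sample() -> dict:
    return triage_metrics(ALERTS, HISTORIES, now=_ts("2019-01-15T17:00:00-05:00"))


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Filtering out the SUPPRESSED_* close reasons matters more than it looks: threshold and new-device suppression close alerts within seconds, and leaving them in drags the median down until it says nothing about how fast people actually respond.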
class pyexclient.workbench.ExpelDetectionCategories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Detection categories

Resource type name is expel_detection_categories.

Example JSON record:

{'category_type': 'string', 'customer_context_tags': [], 'description': 'string', 'investigative_questions': [], 'name': 'string', 'number_of_detections': 100}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Which part of the detection & response process this category takes effect in Allows: “”, null: no-sort category_type string Y N
Customer context tags used in this category’s detections customer_context_tags array Y N
The category description Allows: “”, null description string Y N
The questions analysts ask when responding to Expel alerts investigative_questions array Y N
The name of the category Allows: “”, null name string Y N
The number of detections in this category, based on the plugin_slugs filter number_of_detections number Y N
class pyexclient.workbench.Files(data, conn, included=None)[source]

Bases: pyexclient.workbench.FilesResourceInstance

File

Resource type name is files.

Example JSON record:

{           'created_at': '2019-01-15T15:35:00-05:00',
    'expel_file_type': 'string',
    'file_meta': {'investigative_action': {'file_type': 'string'}, 'rich_result': {}},
    'filename': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Expel file type Allows: null, “” expel_file_type string Y N
Metadata about the file Allows: null: no-sort file_meta object Y N
Filename filename string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Investigations investigations Investigations N Y
investigative actions investigative_actions InvestigativeActions N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Phishing submissions phishing_submission PhishingSubmissions N Y
Phishing submission attachments phishing_submission_attachment PhishingSubmissionAttachments N Y
investigative actions result_investigative_actions InvestigativeActions N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.FilesResourceInstance(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

download(fd, fmt='json')[source]

Download data from an investigative action. This can only be called on InvestigativeAction or Files objects.

Parameters:
  • fd (File bytes object) – Buffer to write the response to.
  • fmt (str) – The format to request the data be returned in.
Examples:
>>> import json
>>> import pprint
>>> import tempfile
>>> from pyexclient import WorkbenchClient
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> with xc.investigative_actions.get(id=inv_act_id) as ia:
>>>     fd = tempfile.NamedTemporaryFile(delete=False)
>>>     ia.download(fd)
>>>     fd.close()  # flush and close before re-opening by name, or the read may see a partial file
>>>     with open(fd.name, 'r') as result:
>>>         pprint.pprint(json.loads(result.read()))
class pyexclient.workbench.Findings(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io finding records

Resource type name is findings.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'rank': 100, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Seed Rank rank number Y N
Title Allows: “”, null title string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.Integrations(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io integration records

Resource type name is integrations.

Example JSON record:

{           'account': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'integration_meta': {},
    'integration_type': 'pagerduty',
    'last_tested_at': '2019-01-15T15:35:00-05:00',
    'service_name': 'string',
    'status': 'UNTESTED',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Service account identifier account string Y N
Created timestamp: readonly created_at string Y N
Needed information for integration type Allows: null: allowStringOperators, no-sort integration_meta object Y N
Type of integration Restricted to: “pagerduty”, “slack”, “ticketing”, “service_now”, “teams”, “ops_genie”, “o365_reporting”, “palo_alto_networks_cxdr”, “webhook”: immutable integration_type any Y N
Last Successful Test Allows: null: readonly last_tested_at string Y N
Service display name service_name string Y N
Integration status Restricted to: “UNTESTED”, “TEST_SUCCESS”, “TEST_FAIL”: readonly status any Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Organization secrets. Note - these requests must be in the format of /secrets/security_device-<guid> secret Secrets N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.InvestigationFindingHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io investigation_finding_history records

Resource type name is investigation_finding_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Investigation finding history action Restricted to: “CREATED”, “CHANGED”, “DELETED” Allows: null action any Y N
Created timestamp: readonly created_at string Y N
Last Updated timestamp: readonly updated_at string Y N
Investigation finding history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Investigations investigation Investigations N Y
Investigation findings investigation_finding InvestigationFindings N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.InvestigationFindings(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Investigation findings

Resource type name is investigation_findings.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'finding': 'string', 'rank': 100, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Deleted At timestamp Allows: null deleted_at string Y N
Finding Allows: “”, null: markdown finding string Y N
Visualization Rank rank number Y N
Title Allows: “”, null title string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Investigations investigation Investigations N Y
Defines/retrieves expel.io investigation_finding_history records investigation_finding_histories InvestigationFindingHistories N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.InvestigationHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Investigation histories

Resource type name is investigation_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'is_incident': True, 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Investigation history action Restricted to: “CREATED”, “ASSIGNED”, “CHANGED”, “CLOSED”, “SUMMARY”, “REOPENED”, “PUBLISHED” Allows: null action any Y N
Created timestamp: readonly created_at string Y N
Is Incident is_incident boolean Y N
Investigation history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Investigations investigation Investigations N Y
Defines/retrieves expel.io organization records organization Organizations N Y
class pyexclient.workbench.InvestigationResilienceActionHints(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io investigation_organization_resilience_action_hint records

Resource type name is investigation_resilience_action_hints.

Example JSON record:

{}

Below are valid filter by parameters:

class pyexclient.workbench.InvestigationResilienceActions(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Investigation to resilience actions

Resource type name is investigation_resilience_actions.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Investigations investigation Investigations N Y
Organization to resilience actions organization_resilience_action OrganizationResilienceActions N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.Investigations(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Investigations

Resource type name is investigations.

Example JSON record:

{           'analyst_severity': 'CRITICAL',
    'attack_lifecycle': 'INITIAL_RECON',
    'attack_timing': 'HISTORICAL',
    'attack_vector': 'DRIVE_BY',
    'close_comment': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'critical_comment': 'string',
    'decision': 'FALSE_POSITIVE',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'detection_type': 'UNKNOWN',
    'has_hunting_status': True,
    'initial_attack_vector': 'string',
    'is_downgrade': True,
    'is_incident': True,
    'is_incident_status_updated_at': '2019-01-15T15:35:00-05:00',
    'is_soc_support_required': True,
    'is_surge': True,
    'last_published_at': '2019-01-15T15:35:00-05:00',
    'last_published_value': 'string',
    'lead_description': 'string',
    'malware_family': 'string',
    'next_steps': 'string',
    'open_reason': 'ACCESS_KEYS',
    'open_summary': 'string',
    'review_requested_at': '2019-01-15T15:35:00-05:00',
    'short_link': 'string',
    'source_reason': 'HUNTING',
    'status_updated_at': '2019-01-15T15:35:00-05:00',
    'threat_type': 'TARGETED',
    'title': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Analyst Severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “INFO” Allows: null analyst_severity any Y N
Attack Lifecycle Restricted to: “INITIAL_RECON”, “DELIVERY”, “EXPLOITATION”, “INSTALLATION”, “COMMAND_CONTROL”, “LATERAL_MOVEMENT”, “ACTION_TARGETS”, “UNKNOWN” Allows: null attack_lifecycle any Y N
Attack Timing Restricted to: “HISTORICAL”, “PRESENT” Allows: null attack_timing any Y N
Attack Vector Restricted to: “DRIVE_BY”, “PHISHING”, “PHISHING_LINK”, “PHISHING_ATTACHMENT”, “REV_MEDIA”, “SPEAR_PHISHING”, “SPEAR_PHISHING_LINK”, “SPEAR_PHISHING_ATTACHMENT”, “STRAG_WEB_COMP”, “SERVER_SIDE_VULN”, “CRED_THEFT”, “MISCONFIG”, “UNKNOWN” Allows: null attack_vector any Y N
Close Comment Allows: “”, null: markdown close_comment string Y N
Created timestamp: readonly created_at string Y N
Critical Comment Allows: “”, null critical_comment string Y N
Decision Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “CLOSED”, “OTHER”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “INCONCLUSIVE”, “PHISHING_SIMULATION” Allows: null decision any Y N
Deleted At timestamp Allows: null deleted_at string Y N
Detection Type Restricted to: “UNKNOWN”, “ENDPOINT”, “SIEM”, “NETWORK”, “EXPEL”, “HUNTING”, “CLOUD”, “PHISHING” Allows: null detection_type any Y N
Meta: readonly, no-sort, no-filter has_hunting_status boolean Y N
Initial attack vector Allows: “”, null initial_attack_vector string Y N
Is downgrade is_downgrade boolean Y N
Is Incident is_incident boolean Y N
Incident Status timestamp Allows: null: readonly is_incident_status_updated_at string Y N
Is Expel SOC support required for this investigation?: immutable is_soc_support_required boolean Y N
Is surge is_surge boolean Y N
Last Published At Allows: null last_published_at string Y N
Last Published Value Allows: “”, null last_published_value string Y N
Lead Description Allows: null: markdown lead_description string Y N
Malware family Allows: “”, null malware_family string Y N
Recommended next steps for starting this investigation or handling this incident Allows: “”, null next_steps string Y N
Open Reason Restricted to: “ACCESS_KEYS”, “EC2”, “S3_BUCKETS”, “OTHER” Allows: null open_reason any Y N
Reason the investigation/incident was opened Allows: “”, null open_summary string Y N
Review Requested At Allows: null review_requested_at string Y N
Investigation short link: readonly short_link string Y N
Source Reason Restricted to: “HUNTING”, “ORGANIZATION_REPORTED”, “DISCOVERY”, “PHISHING”, “SURRE”, “VULNERABILITY” Allows: null source_reason any Y N
Status Updated At Allows: null: readonly status_updated_at string Y N
Threat Type Restricted to: “TARGETED”, “TARGETED_APT”, “TARGETED_RANSOMWARE”, “BUSINESS_EMAIL_COMPROMISE”, “NON_TARGETED”, “NON_TARGETED_MALWARE”, “POLICY_VIOLATION”, “UNKNOWN”, “RED_TEAM” Allows: null threat_type any Y N
Title Allows: “”, null title string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io comment_history records comment_histories CommentHistories N Y
Defines/retrieves expel.io comment records comments Comments N Y
Defines/retrieves expel.io context_label_action_history records context_label_action_histories ContextLabelActionHistories N Y
Defines/retrieves expel.io context_label_action records context_label_actions ContextLabelActions N Y
Defines/retrieves expel.io context_label records context_labels ContextLabels N Y
Defines/retrieves expel.io actor records created_by Actors N Y
IP addresses destination_ip_addresses IpAddresses N Y
Vendor alert evidences are extracted from a vendor alert’s evidence summary evidence VendorAlertEvidences N Y
Expel alert histories expel_alert_histories ExpelAlertHistories N Y
Expel alerts expel_alerts ExpelAlerts N Y
File files Files N Y
Defines/retrieves expel.io finding records findings InvestigationFindings N Y
Defines/retrieves expel.io investigation_finding_history records investigation_finding_histories InvestigationFindingHistories N Y
Investigation histories investigation_histories InvestigationHistories N Y
Investigation to resilience actions investigation_resilience_actions InvestigationResilienceActions N Y
Investigative action histories investigative_action_histories InvestigativeActionHistories N Y
investigative actions investigative_actions InvestigativeActions N Y
IP addresses ip_addresses IpAddresses N Y
Defines/retrieves expel.io actor records last_published_by Actors N Y
Expel alerts lead_expel_alert ExpelAlerts N Y
investigative actions most_recent_investigative_action InvestigativeActions N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Organization to resilience actions organization_resilience_action_hints OrganizationResilienceActions N Y
Organization to resilience actions organization_resilience_actions OrganizationResilienceActions N Y
Investigations related_investigations_via_involved_host_ips Investigations N Y
Remediation action asset histories remediation_action_asset_histories RemediationActionAssetHistories N Y
Remediation action assets remediation_action_assets RemediationActionAssets N Y
Remediation action histories remediation_action_histories RemediationActionHistories N Y
Remediation actions remediation_actions RemediationActions N Y
Defines/retrieves expel.io actor records review_requested_by Actors N Y
IP addresses source_ip_addresses IpAddresses N Y
Defines/retrieves expel.io actor records status_last_updated_by Actors N Y
Timeline Entries timeline_entries TimelineEntries N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Defines/retrieves expel.io user task records user_tasks UserTasks N Y
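Every attribute table on this page uses the same constraint notation: "Restricted to:" lists the only accepted values, "Allows:" says whether null or the empty string may be sent, and a trailing ": readonly" or ": immutable" flag marks fields the API will reject or ignore on write. A value outside those sets (a misspelt decision, a created_at in a PATCH body, an immutable is_soc_support_required changed after creation) fails at the API; checking the payload locally first is cheaper and keeps rejected writes out of the audit trail. The following added example, which is not pyexclient code, parses that notation from description cells copied from the Investigations and ExpelAlerts tables above and validates constructed write payloads against it. Field names and constraint strings are the documented ones; the payloads and the creating/updating distinction applied to immutable fields are assumptions.

```python
"""Validate write payloads against the "Restricted to / Allows / flags" notation used above.

Added example, not pyexclient code. Constraint strings are copied from this page's
attribute tables; the payloads being validated are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class FieldConstraint:
    name: str
    allowed: Optional[FrozenSet[str]]   # None means the value is free-form
    allows_null: bool
    allows_empty: bool
    readonly: bool
    immutable: bool


_QUOTED = r'[“"]([^”"]*)[”"]'          # the page uses curly quotes; plain quotes also accepted


def parse_constraint(name: str, description: str) -> FieldConstraint:
    """Parse one description cell, e.g. 'Expel alert status Restricted to: “OPEN”, “IN_PROGRESS”, “CLOSED” Allows: null'."""
    allowed = None
    m = re.search(r'Restricted to:\s*((?:[“"][^”"]*[”"]\s*,?\s*)+)', description)
    if m:
        allowed = frozenset(re.findall(_QUOTED, m.group(1)))
    allows = re.search(r'Allows:\s*((?:(?:null|[“"][”"])\s*,?\s*)+)', description)
    allows_text = allows.group(1) if allows else ""
    flags = set(re.findall(r'\b(readonly|immutable)\b', description))
    return FieldConstraint(
        name=name,
        allowed=allowed,
        allows_null="null" in allows_text,
        allows_empty=re.search(r'[“"][”"]', allows_text) is not None,
        readonly="readonly" in flags,
        immutable="immutable" in flags,
    )


def validate(record: Dict, constraints: List[FieldConstraint], *, creating: bool) -> List[str]:
    """Return the problems that would make the API reject or ignore the payload; [] means clean."""
    by_name = {c.name: c for c in constraints}
    problems = []
    for key, value in record.items():
        c = by_name.get(key)
        if c is None:
            problems.append(f"{key}: not a documented attribute")
        elif c.readonly:
            problems.append(f"{key}: readonly, remove it from the payload")
        elif c.immutable and not creating:
            problems.append(f"{key}: immutable, cannot be changed after creation")
        elif value is None:
            if not c.allows_null:
                problems.append(f"{key}: null not allowed")
        elif value == "":
            if not c.allows_empty:
                problems.append(f"{key}: empty string not allowed")
        elif c.allowed is not None and value not in c.allowed:
            problems.append(f"{key}: {value!r} not one of {sorted(c.allowed)}")
    return problems


# (field name, description cell) pairs copied from the Investigations table above
INVESTIGATION_ROWS = [
    ("analyst_severity", "Analyst Severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “INFO” Allows: null"),
    ("close_comment", "Close Comment Allows: “”, null: markdown"),
    ("created_at", "Created timestamp: readonly"),
    ("decision", "Decision Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “CLOSED”, “OTHER”, “ATTACK_FAILED”, "
                 "“POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, "
                 "“INCONCLUSIVE”, “PHISHING_SIMULATION” Allows: null"),
    ("is_soc_support_required", "Is Expel SOC support required for this investigation?: immutable"),
    ("title", "Title Allows: “”, null"),
]
# ... and from the ExpelAlerts table
EXPEL_ALERT_ROWS = [
    ("close_reason", "Expel alert close reason Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “OTHER”, “ATTACK_FAILED”, "
                     "“POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, "
                     "“INCONCLUSIVE”, “SUPPRESSED”, “PHISHING_SIMULATION”, “SUPPRESSED_NEW_DEVICE”, "
                     "“SUPPRESSED_THRESHOLD_EXCEEDED” Allows: null"),
    ("status", "Expel alert status Restricted to: “OPEN”, “IN_PROGRESS”, “CLOSED” Allows: null"),
    ("expel_alert_time", "Expel Alert Time first seen time: immutable"),
]

# Constructed payloads for closing an investigation (PATCH, so creating=False) and an alert.
CLOSE_PAYLOAD_BAD = {"decision": "FALSE POSITIVE", "analyst_severity": None, "close_comment": "",
                     "created_at": "2019-01-15T15:35:00-05:00", "is_soc_support_required": False}
CLOSE_PAYLOAD_GOOD = {"decision": "BENIGN", "analyst_severity": "LOW",
                      "close_comment": "Authorised admin activity; change ticket referenced in timeline."}
ALERT_PAYLOAD = {"status": "CLOSED", "close_reason": "INCONCLUSIVE"}


def check_samples() -> Dict[str, List[str]]:
    inv = [parse_constraint(n, d) for n, d in INVESTIGATION_ROWS]
    alerts = [parse_constraint(n, d) for n, d in EXPEL_ALERT_ROWS]
    return {
        "bad": validate(CLOSE_PAYLOAD_BAD, inv, creating=False),
        "good": validate(CLOSE_PAYLOAD_GOOD, inv, creating=False),
        "alert": validate(ALERT_PAYLOAD, alerts, creating=False),
    }


if __name__ == "__main__":
    for label, problems in check_samples().items():
        print(label, "->", problems or "ok")
```

Note that null and the empty string are handled separately on purpose: analyst_severity accepts null but not "", while close_comment accepts both, and the tables distinguish the two cases consistently.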
class pyexclient.workbench.InvestigativeActionHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Investigative action histories

Resource type name is investigative_action_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Investigative action history action Restricted to: “CREATED”, “ASSIGNED”, “CLOSED”, “ACKNOWLEDGED”, “CLASSIFIED” Allows: null action any Y N
Created timestamp: readonly created_at string Y N
Deleted At timestamp Allows: null deleted_at string Y N
Investigative action history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts expel_alert ExpelAlerts N Y
Investigations investigation Investigations N Y
investigative actions investigative_action InvestigativeActions N Y
class pyexclient.workbench.InvestigativeActions(data, conn, included=None)[source]

Bases: pyexclient.workbench.InvestigativeActionsResourceInstance

investigative actions

Resource type name is investigative_actions.

Example JSON record:

{           'action_type': 'TASKABILITY',
    'activity_acknowledged_at': '2019-01-15T15:35:00-05:00',
    'activity_acknowledged_by': 'string',
    'activity_authorized': True,
    'activity_verified_by': 'string',
    'capability_name': 'string',
    'classification': 'MALICIOUS',
    'close_reason': 'string',
    'content_driven_results': {},
    'created_at': '2019-01-15T15:35:00-05:00',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'downgrade_reason': 'FALSE_POSITIVE',
    'files_count': 100,
    'input_args': {},
    'instructions': 'string',
    'rank': 100,
    'reason': 'string',
    'result_byte_size': 100,
    'result_task_id': 'object',
    'results': 'string',
    'robot_action': True,
    'status': 'RUNNING',
    'status_updated_at': '2019-01-15T15:35:00-05:00',
    'taskability_action_id': 'string',
    'tasking_error': {},
    'title': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'workflow_job_id': 'string',
    'workflow_name': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Investigative Action Type Restricted to: “TASKABILITY”, “HUNTING”, “MANUAL”, “RESEARCH”, “PIVOT”, “QUICK_UPLOAD”, “VERIFY”, “DOWNGRADE”, “WORKFLOW”, “NOTIFY” action_type any Y N
Verify investigative action acknowledged at Allows: null activity_acknowledged_at string Y N
Verify investigative action acknowledged by Allows: null activity_acknowledged_by string Y N
Verify Investigative action is authorized Allows: null activity_authorized boolean Y N
Verify Investigative action verified by Allows: null activity_verified_by string Y N
Capability name Allows: “”, null capability_name string Y N
Investigative action classification Restricted to: “MALICIOUS”, “SUSPICIOUS”, “NOT_SUSPICIOUS” Allows: null classification any Y N
Close Reason Allows: null: markdown close_reason string Y N
Content driven results Allows: “”, null: no-sort content_driven_results object Y N
Created timestamp: readonly created_at string Y N
Deleted At timestamp Allows: null deleted_at string Y N
Downgrade reason Restricted to: “FALSE_POSITIVE”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “OTHER” Allows: null downgrade_reason any Y N
Number of files attached to the action: readonly files_count number Y N
Task input arguments Allows: null: no-sort input_args object Y N
Instructions Allows: “”, null: markdown instructions string Y N
Visualization Rank rank number Y N
Reason: markdown reason string Y N
Result byte size: readonly result_byte_size number Y N
Result task id Allows: null: readonly result_task_id any Y N
Results/Analysis Allows: “”, null results string Y N
Investigative action created by robot action: readonly robot_action boolean Y N
Status Restricted to: “RUNNING”, “FAILED”, “READY_FOR_ANALYSIS”, “CLOSED”, “COMPLETED” status any Y N
Status Updated At Allows: null: readonly status_updated_at string Y N
Taskability action id Allows: “”, null taskability_action_id string Y N
Taskabilities error Allows: “”, null: no-sort tasking_error object Y N
Title: markdown title string Y N
Last Updated timestamp: readonly updated_at string Y N
Workflow job id Allows: “”, null workflow_job_id string Y N
Workflow name Allows: “”, null workflow_name string Y N
Defines/retrieves expel.io actor records analysis_assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records classified_by_actor Actors N Y
Defines/retrieves expel.io actor records created_by Actors N Y
investigative actions dependent_investigative_actions InvestigativeActions N Y
investigative actions depends_on_investigative_action InvestigativeActions N Y
Expel alerts expel_alert ExpelAlerts N Y
File files Files N Y
Investigations investigation Investigations N Y
Investigative action histories investigative_action_histories InvestigativeActionHistories N Y
Defines/retrieves expel.io organization records organization Organizations N Y
File result_file Files N Y
Security devices security_device SecurityDevices N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.InvestigativeActionsResourceInstance(data, conn, included=None)[source]

Bases: pyexclient.workbench.FilesResourceInstance

upload(filename, fbytes, expel_file_type=None, file_meta=None)[source]

Upload data associated with an investigative action. Can only be called on InvestigativeAction objects.

Parameters:
  • filename (str) – Filename, this shows up in Workbench.
  • fbytes (bytes) – A bytes string representing raw bytes to upload
Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> with xc.investigative_actions.get(id=inv_act_id) as ia:
...     ia.upload('test.txt', b'hello world')
class pyexclient.workbench.IpAddresses(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

IP addresses

Resource type name is ip_addresses.

Example JSON record:

{'address': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
IP Address: readonly address string Y N
Created timestamp: readonly created_at string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts destination_expel_alerts ExpelAlerts N Y
Investigations destination_investigations Investigations N Y
Investigations investigations Investigations N Y
Expel alerts source_expel_alerts ExpelAlerts N Y
Investigations source_investigations Investigations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Vendor alerts vendor_alerts VendorAlerts N Y
class pyexclient.workbench.JsonApiRelationship(relationships: dict = None)[source]

Bases: object

This object acts as a helper for handling JSON API relationships. It is a plain container that allows setting and getting attributes extracted from the relationships part of a JSON API response. Additionally, it can be converted into a JSON API compliant relationship block for inclusion in a request.

to_relationship()[source]

Generate a JSON API compliant relationship section.

Returns: A dict that is a JSON API compliant relationship section.
Return type:dict
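The relationship rows in the tables above name the target resource class for each relationship, and each class's "Resource type name" line gives the type string the server expects. The following is an added illustration, not pyexclient's own code: it shows the JSON API shapes that to_relationship() and the included argument of each class constructor refer to, using the InvestigativeActions resource as the worked case. The enum and readonly sets are copied from the InvestigativeActions filter table, the relationship-to-type mapping comes from its relationship rows, the payload shape follows the JSON API specification rather than whatever dict pyexclient emits internally, and all record IDs are made up.

```python
"""Build and check a JSON API create request for an investigative_action (added example)."""
from typing import Any, Dict, Optional

# Value constraints copied from the InvestigativeActions filter table.
INV_ACTION_ENUMS = {
    "action_type": {"TASKABILITY", "HUNTING", "MANUAL", "RESEARCH", "PIVOT",
                    "QUICK_UPLOAD", "VERIFY", "DOWNGRADE", "WORKFLOW", "NOTIFY"},
    "classification": {"MALICIOUS", "SUSPICIOUS", "NOT_SUSPICIOUS"},
    "downgrade_reason": {"FALSE_POSITIVE", "ATTACK_FAILED", "POLICY_VIOLATION", "ACTIVITY_BLOCKED",
                         "PUP_PUA", "BENIGN", "IT_MISCONFIGURATION", "OTHER"},
    "status": {"RUNNING", "FAILED", "READY_FOR_ANALYSIS", "CLOSED", "COMPLETED"},
}
# Attributes the table marks "readonly": the server owns them, so a request must not carry them.
INV_ACTION_READONLY = {"created_at", "files_count", "result_byte_size", "result_task_id",
                       "robot_action", "status_updated_at", "updated_at"}
# Relationship name -> JSON API type string, taken from the relationship rows and each target
# class's "Resource type name" line (Investigations -> investigations, Actors -> actors, ...).
INV_ACTION_REL_TYPES = {
    "investigation": "investigations",
    "expel_alert": "expel_alerts",
    "assigned_to_actor": "actors",
    "security_device": "security_devices",
    "depends_on_investigative_action": "investigative_actions",
}


def relationship_block(rel_name: str, target_id: Optional[str], rel_types: Dict[str, str]) -> Dict[str, Any]:
    """One JSON API to-one relationship: {"data": {"type", "id"}}, or {"data": None} to clear it."""
    if rel_name not in rel_types:
        raise KeyError(f"unknown relationship {rel_name!r}")
    if target_id is None:
        return {"data": None}
    return {"data": {"type": rel_types[rel_name], "id": str(target_id)}}


def build_create_request(resource_type, attributes, relationships, enums, readonly, rel_types):
    """Validate attributes against the table's markers, then wrap them in a JSON API document."""
    bad = sorted(set(attributes) & readonly)
    if bad:
        raise ValueError(f"readonly attributes cannot be sent: {bad}")
    for field, allowed in enums.items():
        value = attributes.get(field)
        if value is not None and value not in allowed:
            raise ValueError(f"{field}={value!r} is not one of {sorted(allowed)}")
    return {"data": {
        "type": resource_type,
        "attributes": dict(attributes),
        "relationships": {name: relationship_block(name, rid, rel_types)
                          for name, rid in relationships.items()},
    }}


def resolve_relationship(record, rel_name, included):
    """Follow a relationship's resource linkage into the response's `included` array."""
    index = {(r["type"], r["id"]): r for r in included}
    linkage = record.get("relationships", {}).get(rel_name, {}).get("data")
    if linkage is None:
        return None
    if isinstance(linkage, list):  # to-many relationship
        return [index.get((item["type"], item["id"])) for item in linkage]
    return index.get((linkage["type"], linkage["id"]))


# Constructed sample: one investigative_action with its assigned actor side-loaded. IDs are made up.
SAMPLE_RESPONSE = {
    "data": {
        "type": "investigative_actions",
        "id": "ia-0001",
        "attributes": {"title": "Pull process tree", "status": "READY_FOR_ANALYSIS"},
        "relationships": {
            "assigned_to_actor": {"data": {"type": "actors", "id": "actor-42"}},
            "investigation": {"data": {"type": "investigations", "id": "inv-7"}},
        },
    },
    "included": [
        {"type": "actors", "id": "actor-42",
         "attributes": {"display_name": "Analyst One", "actor_type": "user"}},
    ],
}


def example_request():
    """A MANUAL investigative action attached to investigation inv-7, with no assignee yet."""
    return build_create_request(
        "investigative_actions",
        {"action_type": "MANUAL", "title": "Review sign-in from new ASN",
         "reason": "Follow-up on impossible-travel alert",
         "instructions": "Pull the last 24h of sign-in logs for the user"},
        {"investigation": "inv-7", "assigned_to_actor": None},
        INV_ACTION_ENUMS, INV_ACTION_READONLY, INV_ACTION_REL_TYPES,
    )
```

Note that resolve_relationship() returns None for the investigation in the sample because the server only side-loads what the request's include parameter asked for; a missing entry in included means another round trip, not a missing relationship.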
class pyexclient.workbench.MitreTactics(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Mitre Tactics

Resource type name is mitre_tactics.

Example JSON record:

{'description': 'string', 'name': 'string', 'number_of_expel_detections': 100, 'number_of_vendor_detections': 100}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
The tactic description Allows: “”, null description string Y N
The name of the tactic Allows: “”, null name string Y N
The number of Expel-based detections in this category, based on the plugin_slugs filter number_of_expel_detections number Y N
The number of vendor-based detections in this category, based on the plugin_slugs filter number_of_vendor_detections number Y N
class pyexclient.workbench.NistCategories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io nist_category records

Resource type name is nist_categories.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'function_type': 'IDENTIFY', 'identifier': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
NIST function type Restricted to: “IDENTIFY”, “PROTECT”, “DETECT”, “RECOVER”, “RESPOND” function_type any Y N
Nist category abbreviated identifier identifier string Y N
Nist category name name string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io nist_subcategory records nist_subcategories NistSubcategories N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.NistSubcategories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io nist_subcategory records

Resource type name is nist_subcategories.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'identifier': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Nist subcategory abbreviated identifier identifier string Y N
Nist subcategory title Allows: “”, null name string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io nist_category records nist_category NistCategories N Y
Latest NIST subcategory scores nist_subcategory_scores NistSubcategoryScores N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.NistSubcategoryScoreHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

NIST Subcategory Score History

Resource type name is nist_subcategory_score_histories.

Example JSON record:

{'action': 'SCORE_UPDATED', 'actual_score': 100, 'assessment_date': '2019-01-15T15:35:00-05:00', 'created_at': '2019-01-15T15:35:00-05:00', 'target_score': 100}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
NIST subcategory score history action Restricted to: “SCORE_UPDATED”, “COMMENT_UPDATED”, “PRIORITY_UPDATED”, “IMPORT” action any Y N
Organization actual score for this nist subcategory actual_score number Y N
Recorded date of the score assessment (Note: Dates with times will be truncated to the day. Warning: Dates, times and timezones will be converted to UTC before they are truncated. Providing non-UTC timezones is not recommended.): immutable assessment_date string Y N
Created timestamp: readonly created_at string Y N
Organization target score for this nist subcategory target_score number Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Latest NIST subcategory scores nist_subcategory_score NistSubcategoryScores N Y
class pyexclient.workbench.NistSubcategoryScores(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Latest NIST subcategory scores

Resource type name is nist_subcategory_scores.

Example JSON record:

{           'actual_score': 100,
    'assessment_date': '2019-01-15T15:35:00-05:00',
    'category_identifier': 'string',
    'category_name': 'string',
    'comment': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'function_type': 'string',
    'is_priority': True,
    'subcategory_identifier': 'string',
    'subcategory_name': 'string',
    'target_score': 100,
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Organization actual score for this nist subcategory Allows: null actual_score number Y N
Recorded date of the score assessment (Note: Dates with times will be truncated to the day. Warning: Dates, times and timezones will be converted to UTC before they are truncated. Providing non-UTC timezones is not recommended.) Allows: null: immutable assessment_date string Y N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter category_identifier string Y N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter category_name string Y N
Organization comment for this nist subcategory Allows: “”, null comment string Y N
Created timestamp: readonly created_at string Y N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter function_type string Y N
Organization nist subcategory is a priority is_priority boolean Y N
Allows: “”, null: immutable, no-sort, no-filter subcategory_identifier string Y N
Allows: “”, null: readonly, csv_ignore, no-sort, no-filter subcategory_name string Y N
Organization target score for this nist subcategory Allows: null target_score number Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io nist_subcategory records nist_subcategory NistSubcategories N Y
NIST Subcategory Score History nist_subcategory_score_histories NistSubcategoryScoreHistories N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
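Both NistSubcategoryScoreHistories and NistSubcategoryScores warn that assessment_date is converted to UTC and then truncated to the day, and that non-UTC offsets are not recommended. The practical consequence is that an evening timestamp in a western offset, or an early-morning one in an eastern offset, lands on a different calendar day than the one the assessor meant. The code below is an added example, not part of pyexclient: it reproduces the documented rule so the shift can be seen, emits the safe form (midnight UTC for the intended day), and ranks subcategories by target-minus-actual gap, skipping records where either score is null as the table allows. It assumes the server reads RFC 3339 timestamps like the ones in the example records; the score records are constructed and the scores are made up.

```python
"""assessment_date pitfalls and score gaps for NIST subcategory scores (added example)."""
from datetime import datetime, timezone


def server_assessment_day(value: str) -> str:
    """Reproduce the documented server rule: convert to UTC, then truncate to the calendar day.
    Assumes the server reads RFC 3339 timestamps like those in the example records."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("assessment_date needs an explicit UTC offset")
    return dt.astimezone(timezone.utc).date().isoformat()


def utc_midnight(year: int, month: int, day: int) -> str:
    """The safe way to say 'this calendar day': midnight UTC survives the UTC conversion intact."""
    return datetime(year, month, day, tzinfo=timezone.utc).isoformat()


def score_gaps(records):
    """(subcategory_identifier, target_score - actual_score) for records where both scores are set,
    priority subcategories first, then largest gap first. Both score fields Allow null per the table."""
    rows = []
    for r in records:
        actual, target = r.get("actual_score"), r.get("target_score")
        if actual is None or target is None:
            continue
        rows.append((r["subcategory_identifier"], target - actual, bool(r.get("is_priority"))))
    rows.sort(key=lambda row: (not row[2], -row[1]))
    return [(sid, gap) for sid, gap, _ in rows]


# Constructed nist_subcategory_scores records (CSF-style identifiers, made-up scores).
SAMPLE_SCORES = [
    {"subcategory_identifier": "PR.AC-1", "actual_score": 2, "target_score": 4, "is_priority": True},
    {"subcategory_identifier": "DE.CM-1", "actual_score": 3, "target_score": 4, "is_priority": False},
    {"subcategory_identifier": "RS.AN-1", "actual_score": None, "target_score": 3, "is_priority": False},
    {"subcategory_identifier": "ID.AM-1", "actual_score": 1, "target_score": 4, "is_priority": False},
]


if __name__ == "__main__":
    # 23:00 on 15 Jan in UTC-5 is 04:00 UTC on 16 Jan, so the recorded day moves forward;
    # 01:00 on 15 Jan in UTC+9 is 16:00 UTC on 14 Jan, so it moves backward.
    for ts in ("2019-01-15T23:00:00-05:00", "2019-01-15T01:00:00+09:00", utc_midnight(2019, 1, 15)):
        print(ts, "->", server_assessment_day(ts))
    for sid, gap in score_gaps(SAMPLE_SCORES):
        print(sid, "gap", gap)
```

When writing scores through the client, build assessment_date with utc_midnight() rather than passing a local timestamp; the field is immutable, so a day that lands wrong cannot be corrected in place.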
class pyexclient.workbench.NoteHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Historical event log for each note model

Resource type name is note_histories.

Example JSON record:

{'action': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Whether this is a create, update, or delete event Restricted to: “CREATED”, “UPDATED”, “DELETED” action string Y N
Created timestamp: readonly created_at string Y N
Complete state at the time of a create or delete event or the state changes for an update event: no-sort value object Y N
Reusable strongly typed context variables which can be referenced by other features context_variable ContextVariables N Y
Defines/retrieves expel.io actor records created_by Actors N Y
A model for tying a message to a specific context variable or term for a specified period of time note Notes N Y
Defines/retrieves expel.io organization records organization Organizations N Y
class pyexclient.workbench.Notes(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

A model for tying a message to a specific context variable or term for a specified period of time

Resource type name is notes.

Example JSON record:

{           'created_at': '2019-01-15T15:35:00-05:00',
    'ends_at': '2019-01-15T15:35:00-05:00',
    'message': 'string',
    'starts_at': '2019-01-15T15:35:00-05:00',
    'term': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
When the note should stop showing up as associated with context or global terms Allows: null ends_at string Y N
The message to display when a matching term or variable is highlighted message string Y N
When the note should begin showing up as associated with context or global terms starts_at string Y N
The term to match if and only if this is a global note Allows: null term string Y N
Last Updated timestamp: readonly updated_at string Y N
Reusable strongly typed context variables which can be referenced by other features context_variable ContextVariables N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Historical event log for each note model note_histories NoteHistories N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.NotificationEvents(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Notification events

Resource type name is notification_events.

Example JSON record:

{           'event_at': '2019-01-15T15:35:00-05:00',
    'event_name': 'string',
    'sent_notifications': [],
    'subject': {'display_name': 'string', 'meta': {}, 'model_id': 'string', 'model_type': 'string', 'parent_model_id': 'string', 'parent_model_type': 'string'}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Timestamp of the event triggering the notification event_at string Y N
Name of the event triggering the notification event_name string Y N
Missing Description sent_notifications array Y N
Missing Description subject object Y N
class pyexclient.workbench.NotificationPreferences(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

User Notification Preferences

Resource type name is notification_preferences.

Example JSON record:

{'preferences': []}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Missing Description preferences array Y N
Defines/retrieves expel.io actor records actor Actors N Y
class pyexclient.workbench.NotificationRules(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Notification rules

Resource type name is notification_rules.

Example JSON record:

{'condition_operator': 'string', 'conditionals': [], 'created_at': '2019-01-15T15:35:00-05:00', 'created_by': 'string', 'destinations': [], 'short_name': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
The logical operator applied to the conditions Restricted to: “UNSPECIFIED”, “ALL_OF”, “ANY_OF” condition_operator string Y N
Rule conditions that must be met Allows: null: no-filter conditionals array Y N
The time this rule was created at Allows: null: readonly created_at string Y N
The actor who created this rule Allows: null, “”: readonly created_by string Y N
Rule destinations: no-filter destinations array Y N
The short name of the associated organization Allows: null, “” short_name string Y N
Defines/retrieves expel.io organization records organization Organizations N Y
Notification rule definitions rule_definition RuleDefinitions N Y
User accounts user_account UserAccounts N Y
class pyexclient.workbench.OrganizationContacts(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io organization_contact records

Resource type name is organization_contacts.

Example JSON record:

{'contact_type': 'ORGANIZATION_CONTACT', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Contact Type Restricted to: “ORGANIZATION_CONTACT”, “SECURITY_DEVICE_CONTACT” contact_type any Y N
Created timestamp: readonly created_at string Y N
Last Updated timestamp: readonly updated_at string Y N
User accounts contact_user UserAccounts N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Security devices security_device SecurityDevices N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.OrganizationResilienceActionGroups(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io organization_resilience_action_group records

Resource type name is organization_resilience_action_groups.

Example JSON record:

{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'visible': True}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Organization Resilience Group Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” category any Y N
Created timestamp: readonly created_at string Y N
Group title title string Y N
Last Updated timestamp: readonly updated_at string Y N
Visible visible boolean Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Organization to resilience actions organization_resilience_action_group_actions OrganizationResilienceActions N Y
Defines/retrieves expel.io resilience_action_group records source_resilience_action_group ResilienceActionGroups N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.OrganizationResilienceActions(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Organization to resilience actions

Resource type name is organization_resilience_actions.

Example JSON record:

{           'category': 'DISRUPT_ATTACKERS',
    'comment': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'details': 'string',
    'impact': 'LOW',
    'status': 'TOP_PRIORITY',
    'title': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'visible': True}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” Allows: null category any Y N
Comment Allows: “”, null comment string Y N
Created timestamp: readonly created_at string Y N
Details: markdown details string Y N
Impact Restricted to: “LOW”, “MEDIUM”, “HIGH” impact any Y N
Status Restricted to: “TOP_PRIORITY”, “IN_PROGRESS”, “WONT_DO”, “COMPLETED” status any Y N
Title title string Y N
Last Updated timestamp: readonly updated_at string Y N
Visible visible boolean Y N
Defines/retrieves expel.io actor records assigned_to_actor Actors N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Investigations investigation_hints Investigations N Y
Investigation to resilience actions investigation_resilience_actions InvestigationResilienceActions N Y
Investigations investigations Investigations N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io organization_resilience_action_group records organization_resilience_action_group OrganizationResilienceActionGroups N Y
Resilience actions source_resilience_action ResilienceActions N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.OrganizationStatuses(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Organization status

Resource type name is organization_statuses.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'enabled_login_types': [], 'restrictions': [], 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Meta: readonly created_at string Y N
Missing Description enabled_login_types array Y N
Missing Description restrictions array Y N
Meta: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.Organizations(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io organization records

Resource type name is organizations.

Example JSON record:

{           'address_1': 'string',
    'address_2': 'string',
    'city': 'string',
    'country_code': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'hq_city': 'string',
    'hq_utc_offset': 'string',
    'industry': 'string',
    'is_surge': True,
    'is_testing_organization': True,
    'name': 'string',
    'nodes_count': 100,
    'o365_tos_id': 'string',
    'onboarding_preferences': {},
    'organization_type': 'standard',
    'postal_code': 'string',
    'region': 'string',
    'service_end_at': '2019-01-15T15:35:00-05:00',
    'service_renewal_at': '2019-01-15T15:35:00-05:00',
    'service_start_at': '2019-01-15T15:35:00-05:00',
    'short_name': 'EXP',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'users_count': 100}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Address 1 Allows: “”, null address_1 string Y N
Address 2 Allows: “”, null address_2 string Y N
City Allows: “”, null city string Y N
Country Code Allows: null country_code string Y N
Created timestamp: readonly created_at string Y N
Deleted At timestamp Allows: null deleted_at string Y N
The city where the organization’s headquarters is located Allows: “”, null hq_city string Y N
Allows: “”, null hq_utc_offset string Y N
The organization’s primary industry Allows: “”, null industry string Y N
Is surge is_surge boolean Y N
Whether or not this organization is a testing organization or a real organization is_testing_organization boolean Y N
The organization’s operating name name string Y N
Number of nodes covered for this organization Allows: null nodes_count number Y N
o365 Terms of Service identifier (e.g. hubspot id, etc.) Allows: null o365_tos_id string Y N
Organization onboarding preferences: no-sort onboarding_preferences object Y N
Organization type Restricted to: “standard”, “prospect”, “free_trial”, “demo”, “partner”, “test_temp”, “test_perm” Allows: null organization_type any Y N
Postal Code Allows: null postal_code string Y N
State/Province/Region Allows: “”, null region string Y N
Organization service end date Allows: null service_end_at string Y N
Organization service renewal date Allows: null service_renewal_at string Y N
Organization service start date Allows: null service_start_at string Y N
Organization short name Allows: null short_name string Y N
Last Updated timestamp: readonly updated_at string Y N
Number of users covered for this organization Allows: null users_count number Y N
Defines/retrieves expel.io actor records actor Actors N Y
investigative actions analysis_assigned_investigative_actions InvestigativeActions N Y
Defines/retrieves expel.io api_key records. These can only be created by a user and require an OTP token. api_keys ApiKeys N Y
Assemblers assemblers Assemblers N Y
Defines/retrieves expel.io actor records assignables Actors N Y
Expel alerts assigned_expel_alerts ExpelAlerts N Y
Investigations assigned_investigations Investigations N Y
investigative actions assigned_investigative_actions InvestigativeActions N Y
Organization to resilience actions assigned_organization_resilience_actions OrganizationResilienceActions N Y
Organization to resilience actions assigned_organization_resilience_actions_list OrganizationResilienceActions N Y
Remediation actions assigned_remediation_actions RemediationActions N Y
Defines/retrieves expel.io remediation_action_setting records automate_opt_in_for_remediation_action_setting RemediationActionSettings N Y
Defines/retrieves expel.io comment records comments Comments N Y
Defines/retrieves expel.io configuration records configurations Configurations N Y
Groups for organizing context variables outside of any specific use case context_categories ContextCategories N Y
Defines/retrieves expel.io context_label_tag records context_label_tags ContextLabelTags N Y
Defines/retrieves expel.io context_label records context_labels ContextLabels N Y
Reusable strongly typed context variables which can be referenced by other features context_variables ContextVariables N Y
Defines/retrieves expel.io actor records created_by Actors N Y
investigative actions current_assigned_investigative_actions_classification InvestigativeActions N Y
Defines/retrieves expel.io engagement_manager records engagement_manager EngagementManagers N Y
path to entitlements service entitlement Entitlements N Y
Expel alert histories expel_alert_histories ExpelAlertHistories N Y
Expel alerts expel_alerts ExpelAlerts N Y
File files Files N Y
Defines/retrieves expel.io integration records integrations Integrations N Y
Investigation histories investigation_histories InvestigationHistories N Y
Investigations investigations Investigations N Y
investigative actions investigative_actions InvestigativeActions N Y
Latest NIST subcategory scores nist_subcategory_scores NistSubcategoryScores N Y
Historical event log for each note model note_histories NoteHistories N Y
A model for tying a message to a specific context variable or term for a specified period of time notes Notes N Y
User Notification Preferences notification_preferences NotificationPreferences N Y
Defines/retrieves expel.io organization_contact records organization_contacts OrganizationContacts N Y
Defines/retrieves expel.io organization_resilience_action_group records organization_resilience_action_groups OrganizationResilienceActionGroups N Y
Organization to resilience actions organization_resilience_actions OrganizationResilienceActions N Y
Organization status organization_status OrganizationStatuses N Y
Defines/retrieves expel.io user_account_role records organization_user_account_roles UserAccountRoles N Y
Defines/retrieves expel.io actor records parent_organization_actor Actors N Y
Defines/retrieves expel.io remediation_action_setting_history records remediation_action_setting_histories RemediationActionSettingHistories N Y
Defines/retrieves expel.io remediation_action_setting records remediation_action_settings RemediationActionSettings N Y
Defines/retrieves expel.io review summary records review_summaries ReviewSummaries N Y
SAML Identity Providers saml_identity_provider SamlIdentityProviders N Y
Defines/retrieves expel.io security_device_count records security_device_counts SecurityDeviceCounts N Y
Security Device histories security_device_histories SecurityDeviceHistories N Y
Security devices security_devices SecurityDevices N Y
Service Skus skus Skus N Y
Defines/retrieves expel.io suggestions suggestions Suggestions N Y
Defines/retrieves expel.io actor records tacs_confirmed_actor Actors N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
User accounts user_accounts UserAccounts N Y
User accounts user_accounts_with_roles UserAccounts N Y
Defines/retrieves expel.io user task records user_tasks UserTasks N Y
Vendor alerts vendor_alerts VendorAlerts N Y
class pyexclient.workbench.PhishingSubmissionAttachments(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Phishing submission attachments

Resource type name is phishing_submission_attachments.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'file_md5': 'string', 'file_mime': 'string', 'file_name': 'string', 'file_sha1': 'string', 'file_sha256': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
File md5 hash Allows: null file_md5 string Y N
File mime type Allows: null file_mime string Y N
File name Allows: null file_name string Y N
File sha1 hash Allows: null file_sha1 string Y N
File sha256 hash Allows: null file_sha256 string Y N
File attachment_file Files N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Phishing submissions phishing_submission PhishingSubmissions N Y
class pyexclient.workbench.PhishingSubmissionDomains(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Phishing submission domains

Resource type name is phishing_submission_domains.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'value': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Value value string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Phishing submissions phishing_submission PhishingSubmissions N Y
class pyexclient.workbench.PhishingSubmissionHeaders(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Phishing submission headers

Resource type name is phishing_submission_headers.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'email_order_index': 'name@company.com', 'name': 'string', 'value': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Email Order Index Allows: null email_order_index string Y N
Name name string Y N
Value value string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Phishing submissions phishing_submission PhishingSubmissions N Y
class pyexclient.workbench.PhishingSubmissionUrls(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Phishing submission URLs

Resource type name is phishing_submission_urls.

Example JSON record:

{           'contains_sub_elements': True,
    'created_at': '2019-01-15T15:35:00-05:00',
    'link_text': 'string',
    'rewritten_url': 'https://company.com/',
    'tags': 'https://company.com/',
    'url_type': 'https://company.com/',
    'value': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
URL contains sub-elements contains_sub_elements boolean Y N
Created timestamp: readonly created_at string Y N
Link text value link_text string Y N
The new url, if it was rewritten by assorted security products Allows: null rewritten_url string Y N
Interesting URL tags: no-sort tags string Y N
URL type url_type string Y N
Value value string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Phishing submissions phishing_submission PhishingSubmissions N Y
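The PhishingSubmissionHeaders records (name/value pairs) and PhishingSubmissionUrls records (value, link_text, rewritten_url) carry exactly the raw material an analyst uses to triage a reported message. The following is an added example, not pyexclient code: it runs a few standard checks over records in those shapes, namely a display name that is itself an address on another domain, a Return-Path domain that differs from the From domain, non-pass SPF/DKIM/DMARC verdicts, and a link whose visible text names one host while value (the original href) goes to another. It assumes submissions carry the usual From, Return-Path and Authentication-Results headers, which this page does not enumerate; all header and URL records below are constructed. Note the rewritten_url caveat: when a security product has rewritten a link, value is the URL to analyse, not rewritten_url.

```python
"""Triage checks over phishing_submission_headers / phishing_submission_urls records (added example)."""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit


def header_value(headers, name):
    """First header record whose name matches (case-insensitive), or None."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def addr_domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname of a URL; bare 'www.example' text is treated as http://www.example."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header (RFC 8601)."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I)}


def triage(headers, urls):
    """Return human-readable findings; an empty list means none of these checks fired."""
    findings = []
    display, from_addr = parseaddr(header_value(headers, "From") or "")
    from_dom = addr_domain(from_addr)

    # Display-name spoofing: the display name itself contains an address on another domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append(f"display name shows @{shown.group(1).lower()} but From is @{from_dom}")

    # Envelope sender on a different domain than the From header. Legitimate bulk mailers
    # do this too, so on its own it is a weak signal.
    rp_dom = addr_domain(parseaddr(header_value(headers, "Return-Path") or "")[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # Receiving-MTA authentication verdicts; anything but pass deserves a look.
    for mech, verdict in sorted(auth_results(header_value(headers, "Authentication-Results")).items()):
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    # Link lures: the visible text is a URL on one host, the real href (value) goes elsewhere.
    for u in urls:
        text = u.get("link_text") or ""
        if "://" in text or text.lower().startswith("www."):
            shown_host, real_host = host_of(text), host_of(u["value"])
            if shown_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but href goes to {real_host}")
    return findings


# Constructed records in the shape of the phishing_submission_headers / _urls tables.
SUSPICIOUS_HEADERS = [
    {"name": "From", "value": '"payroll@acme-corp.example" <noreply@mail-acme-login.example>'},
    {"name": "Return-Path", "value": "<b-1234@bounces.mktsend.example>"},
    {"name": "Authentication-Results", "value": "mx.example.net; spf=pass smtp.mailfrom=bounces.mktsend.example; "
                                               "dkim=none; dmarc=fail header.from=mail-acme-login.example"},
]
SUSPICIOUS_URLS = [
    {"value": "https://acme-login-verify.example/session?id=1",
     "link_text": "https://portal.acme-corp.example/login", "rewritten_url": None},
    {"value": "https://acme-corp.example/privacy", "link_text": "Privacy policy", "rewritten_url": None},
]
BENIGN_HEADERS = [
    {"name": "From", "value": "IT Helpdesk <helpdesk@acme-corp.example>"},
    {"name": "Return-Path", "value": "<helpdesk@acme-corp.example>"},
    {"name": "Authentication-Results", "value": "mx.example.net; spf=pass; dkim=pass; dmarc=pass"},
]
BENIGN_URLS = [{"value": "https://acme-corp.example/reset", "link_text": "Reset your password", "rewritten_url": None}]


if __name__ == "__main__":
    for line in triage(SUSPICIOUS_HEADERS, SUSPICIOUS_URLS):
        print("-", line)
    print("benign findings:", triage(BENIGN_HEADERS, BENIGN_URLS))
```

In practice the header and URL records come from the phishing_submission relationship of a PhishingSubmissions record fetched through the client; the checks themselves do not depend on where the records came from.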
class pyexclient.workbench.PhishingSubmissions(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Phishing submissions

Resource type name is phishing_submissions.

Example JSON record:

{'add_to_at': '2019-01-15T15:35:00-05:00',
 'arthurai_inference_id': 'string',
 'automated_action_type': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'email_msg_id': 'name@company.com',
 'email_type': 'name@company.com',
 'external_case_number': 'string',
 'full_sender': 'string',
 'ingest_source': 'string',
 'msg_id': 'string',
 'organization_id': 'string',
 'properties': {},
 'received_at': '2019-01-15T15:35:00-05:00',
 'reported_at': '2019-01-15T15:35:00-05:00',
 'return_path': 'string',
 'sender': 'string',
 'sender_domain': 'string',
 'source_object_type': 'string',
 'subject': 'string',
 'submitted_by': 'string',
 'triaged_at': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'was_sonar_correct': {}}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Added at Allows: null | add_to_at | string | Y | N |
| ArthurAI Inference ID Allows: null | arthurai_inference_id | string | Y | N |
| Automated action type Allows: “”, null | automated_action_type | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Internal email message id Allows: “”, null | email_msg_id | string | Y | N |
| Email type Allows: “”, null | email_type | string | Y | N |
| Case number for external ticketing systems Allows: “”, null | external_case_number | string | Y | N |
| Full sender value, which may contain both a display address and a true address Allows: “”, null | full_sender | string | Y | N |
| Ingest source Allows: “” | ingest_source | string | Y | N |
| Message ID | msg_id | string | Y | N |
| Organization ID Allows: null | organization_id | string | Y | N |
| Generic properties json blob: no-sort | properties | object | Y | N |
| Received at | received_at | string | Y | N |
| Reported at | reported_at | string | Y | N |
| Return path Allows: “” | return_path | string | Y | N |
| Sender | sender | string | Y | N |
| Sender domain | sender_domain | string | Y | N |
| Submission source object type Allows: “”, null | source_object_type | string | Y | N |
| Subject Allows: “” | subject | string | Y | N |
| Submitted by | submitted_by | string | Y | N |
| Triaged at Allows: null | triaged_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Was sonar prediction correct: no-sort | was_sonar_correct | object | Y | N |
| File | analysis_email_file | Files | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Expel alerts | expel_alert | ExpelAlerts | N | Y |
| File | initial_email_file | Files | N | Y |
| File | modified_email_file | Files | N | Y |
| Phishing submission attachments | phishing_submission_attachments | PhishingSubmissionAttachments | N | Y |
| Phishing submission domains | phishing_submission_domains | PhishingSubmissionDomains | N | Y |
| Phishing submission headers | phishing_submission_headers | PhishingSubmissionHeaders | N | Y |
| Phishing submission URLs | phishing_submission_urls | PhishingSubmissionUrls | N | Y |
| File | raw_body_file | Files | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.Plugins(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Plugins

Resource type name is plugins.

Example JSON record:

{'active': True,
 'assembler_dependency': 'string',
 'assembler_for_console_only': True,
 'company_name': 'string',
 'current_status': 100,
 'depends_on': [],
 'description': 'string',
 'device_spec_json': {},
 'display_name': 'string',
 'extra': {},
 'hide_console_login': True,
 'internal_only': True,
 'is_investigative_tech': True,
 'logo': 'string',
 'logo_image_url': 'string',
 'onboarding_doc_url': 'string',
 'organization_id': 'string',
 'plugin_slug': 'string',
 'service_offerings': [],
 'sfa_integration_slug': 'string',
 'show_display_name_with_logo': True,
 'tasks': [],
 'vendor_name': 'string',
 'vendor_type': 'string',
 'version': 'string'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Missing Description | active | boolean | Y | N |
| Missing Description | assembler_dependency | string | Y | N |
| Missing Description | assembler_for_console_only | boolean | Y | N |
| Missing Description | company_name | string | Y | N |
| Missing Description | current_status | number | Y | N |
| Missing Description | depends_on | array | Y | N |
| Missing Description | description | string | Y | N |
| Missing Description | device_spec_json | object | Y | N |
| Missing Description | display_name | string | Y | N |
| Missing Description | extra | object | Y | N |
| Missing Description | hide_console_login | boolean | Y | N |
| Missing Description | internal_only | boolean | Y | N |
| Missing Description | is_investigative_tech | boolean | Y | N |
| Missing Description | logo | string | Y | N |
| Missing Description | logo_image_url | string | Y | N |
| Missing Description | onboarding_doc_url | string | Y | N |
| Allows: null | organization_id | string | Y | N |
| Missing Description | plugin_slug | string | Y | N |
| Missing Description | service_offerings | array | Y | N |
| Missing Description | sfa_integration_slug | string | Y | N |
| Missing Description | show_display_name_with_logo | boolean | Y | N |
| Missing Description | tasks | array | Y | N |
| Missing Description | vendor_name | string | Y | N |
| Missing Description | vendor_type | string | Y | N |
| Missing Description | version | string | Y | N |

class pyexclient.workbench.RemediationActionAssetHistories(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Remediation action asset histories

Resource type name is remediation_action_asset_histories.

Example JSON record:

{'action': 'CREATED',
 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS',
 'asset_type': 'ACCOUNT',
 'automate_revert': True,
 'automate_status': 'NEW',
 'created_at': '2019-01-15T15:35:00-05:00',
 'status': 'OPEN',
 'value': {}}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action asset history action Restricted to: “CREATED”, “COMPLETED”, “REOPENED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Action type of associated parent remediation action Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Remediation asset type history Restricted to: “ACCOUNT”, “ACCESS_KEY”, “DESCRIPTION”, “DEVICE”, “DOMAIN_NAME”, “EMAIL”, “FILE”, “HASH”, “HOST”, “INBOX_RULE_NAME”, “IP_ADDRESS” Allows: null | asset_type | any | Y | N |
| Automated remediation asset revert history Allows: null | automate_revert | boolean | Y | N |
| Automated remediation asset status history Restricted to: “NEW”, “CREATED”, “STARTING”, “VERIFYING”, “COMPLETED”, “FAILED”, “AWAITING_CHECKS” Allows: null | automate_status | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Remediation asset status history Restricted to: “OPEN”, “COMPLETED” Allows: null | status | any | Y | N |
| Remediation action asset history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
| Remediation action assets | remediation_action_asset | RemediationActionAssets | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |

class pyexclient.workbench.RemediationActionAssets(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Remediation action assets

Resource type name is remediation_action_assets.

Example JSON record:

{'asset_type': 'ACCOUNT',
 'automate_revert': True,
 'automate_status': 'NEW',
 'automate_status_updated_at': '2019-01-15T15:35:00-05:00',
 'automate_task_error': {},
 'automate_task_id': 'string',
 'automate_task_result_id': 'object',
 'automate_task_results': {},
 'cannot_automate_reason': 'DEVICE_ID_MISSING',
 'category': 'AFFECTED_ACCOUNT',
 'created_at': '2019-01-15T15:35:00-05:00',
 'status': 'OPEN',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'value': 'object'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation asset type Restricted to: “ACCOUNT”, “ACCESS_KEY”, “DESCRIPTION”, “DEVICE”, “DOMAIN_NAME”, “EMAIL”, “FILE”, “HASH”, “HOST”, “INBOX_RULE_NAME”, “IP_ADDRESS” | asset_type | any | Y | N |
| Start automated remediation revert process | automate_revert | boolean | Y | N |
| Automated remediation status for this asset Restricted to: “NEW”, “CREATED”, “STARTING”, “VERIFYING”, “COMPLETED”, “FAILED”, “AWAITING_CHECKS” Allows: null: readonly | automate_status | any | Y | N |
| Automated remediation status last updated at Allows: null: readonly | automate_status_updated_at | string | Y | N |
| Automated remediation task error Allows: “”, null: readonly, no-sort | automate_task_error | object | Y | N |
| Automated remediation task id Allows: “”, null: readonly | automate_task_id | string | Y | N |
| Automated remediation task result id Allows: null: readonly | automate_task_result_id | any | Y | N |
| Automated remediation task results Allows: “”, null: no-sort | automate_task_results | object | Y | N |
| Reason this asset cannot be automated Restricted to: “DEVICE_ID_MISSING”, “ACTION_NOT_SUPPORTED”, “DEVICE_NOT_SUPPORTED”, “FEATURE_FLAG_ACTION_DISABLED”, “FEATURE_FLAG_VENDOR_NOT_ALLOWED”, “CUSTOMER_CONFIG_DISABLED”, “ALLOWED_ASSETS_EMPTY”, “ASSETS_NOT_ALLOWED”, “RED_TEAM_INVESTIGATION”, “ASSET_NOT_APPLICABLE” Allows: null: readonly | cannot_automate_reason | any | Y | N |
| Remediation asset category Restricted to: “AFFECTED_ACCOUNT”, “COMPROMISED_ACCOUNT”, “FORWARDING_ADDRESS” Allows: null | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Asset status Restricted to: “OPEN”, “COMPLETED” | status | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Remediation asset value: allowStringOperators, no-sort | value | alternatives | Y | N |
| Defines/retrieves expel.io context_label_tag records | context_label_tags | ContextLabelTags | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Remediation actions | remediation_action | RemediationActions | N | Y |
| Remediation action asset histories | remediation_action_asset_histories | RemediationActionAssetHistories | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.RemediationActionHistories(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Remediation action histories

Resource type name is remediation_action_histories.

Example JSON record:

{'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'can_automate': True, 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action history action Restricted to: “CREATED”, “ASSIGNED”, “COMPLETED”, “CLOSED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Action type of source parent remediation action Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Remediation action can be automated history | can_automate | boolean | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Remediation action history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
| Remediation actions | remediation_action | RemediationActions | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |

class pyexclient.workbench.RemediationActionSettingHistories(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io remediation_action_setting_history records

Resource type name is remediation_action_setting_histories.

Example JSON record:

{'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action setting history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Action type of source parent remediation action setting Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Remediation action setting history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_setting | RemediationActionSettings | N | Y |

class pyexclient.workbench.RemediationActionSettingListSourceHistories(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io remediation_action_setting_list_source_history records

Resource type name is remediation_action_setting_list_source_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'source_type': 'CONTEXT_LABEL', 'value': {}}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action setting list source history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Source type Restricted to: “CONTEXT_LABEL”, “EXTERNAL_TASKABILITIES” | source_type | any | Y | N |
| Remediation action setting list source history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io context_label records | context_label | ContextLabels | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_setting | RemediationActionSettings | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | remediation_action_setting_list_source | RemediationActionSettingListSources | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |

class pyexclient.workbench.RemediationActionSettingListSources(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io remediation_action_setting_list_source records

Resource type name is remediation_action_setting_list_sources.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'external_value': {}, 'source_type': 'CONTEXT_LABEL', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| External value Allows: null: allowStringOperators, no-sort | external_value | object | Y | N |
| Source type Restricted to: “CONTEXT_LABEL”, “EXTERNAL_TASKABILITIES” | source_type | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io context_label records | context_label | ContextLabels | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_setting | RemediationActionSettings | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source_history records | remediation_action_setting_list_source_histories | RemediationActionSettingListSourceHistories | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.RemediationActionSettings(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io remediation_action_setting records

Resource type name is remediation_action_settings.

Example JSON record:

{'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS',
 'automate_list_type': 'DENY',
 'automate_opt_in': True,
 'automate_opt_in_agreement_version': 'V1',
 'automate_opt_in_at': '2019-01-15T15:35:00-05:00',
 'created_at': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Setting’s remediation action type Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” | action_type | any | Y | N |
| Automated remediation setting list type Restricted to: “DENY”, “ALLOW” Allows: null | automate_list_type | any | Y | N |
| Opted in to automated remediations | automate_opt_in | boolean | Y | N |
| Automated remediations opt in agreement version Restricted to: “V1” Allows: null | automate_opt_in_agreement_version | any | Y | N |
| Last opted in to automated remediations time Allows: null: readonly | automate_opt_in_at | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | automate_opt_in_actor | Actors | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | context_label_list_sources | RemediationActionSettingListSources | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | ContextLabels | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | external_list_sources | RemediationActionSettingListSources | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | opt_in_histories | RemediationActionSettingHistories | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | opt_out_histories | RemediationActionSettingHistories | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | remediation_action_setting_histories | RemediationActionSettingHistories | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source_history records | remediation_action_setting_list_source_histories | RemediationActionSettingListSourceHistories | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | remediation_action_setting_list_sources | RemediationActionSettingListSources | N | Y |
| Security devices | security_devices | SecurityDevices | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.RemediationActions(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Remediation actions

Resource type name is remediation_actions.

Example JSON record:

{'action': 'string',
 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS',
 'asset_state_counts': {},
 'can_automate': True,
 'can_automate_completely': True,
 'cannot_automate_reason': 'DEVICE_ID_MISSING',
 'close_reason': 'string',
 'comment': 'string',
 'created_at': '2019-01-15T15:35:00-05:00',
 'deleted_at': '2019-01-15T15:35:00-05:00',
 'status': 'IN_PROGRESS',
 'status_updated_at': '2019-01-15T15:35:00-05:00',
 'template_name': 'string',
 'updated_at': '2019-01-15T15:35:00-05:00',
 'version': 'V1'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Action Allows: “”, null | action | string | Y | N |
| Action type Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Asset state counts Allows: null: no-sort | asset_state_counts | object | Y | N |
| Remediation action can be automated: readonly | can_automate | boolean | Y | N |
| Remediation action can be completely automated: readonly | can_automate_completely | boolean | Y | N |
| Reason this action cannot be automated Restricted to: “DEVICE_ID_MISSING”, “ACTION_NOT_SUPPORTED”, “DEVICE_NOT_SUPPORTED”, “FEATURE_FLAG_ACTION_DISABLED”, “FEATURE_FLAG_VENDOR_NOT_ALLOWED”, “CUSTOMER_CONFIG_DISABLED”, “ALLOWED_ASSETS_EMPTY”, “ASSETS_NOT_ALLOWED”, “RED_TEAM_INVESTIGATION”, “ASSET_NOT_APPLICABLE” Allows: null: readonly | cannot_automate_reason | any | Y | N |
| Close Reason Allows: null: markdown | close_reason | string | Y | N |
| Comment Allows: “”, null: markdown | comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Status Restricted to: “IN_PROGRESS”, “COMPLETED”, “CLOSED” | status | any | Y | N |
| Status Updated At Allows: null: readonly | status_updated_at | string | Y | N |
| Remediation Action Template Name Allows: “”, null | template_name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Version Restricted to: “V1”, “V2”, “V3” | version | any | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | Actors | N | Y |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Investigations | investigation | Investigations | N | Y |
| Remediation action assets | remediation_action_assets | RemediationActionAssets | N | Y |
| Remediation action histories | remediation_action_histories | RemediationActionHistories | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |
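The restricted value sets and "Allows: null" markers in the table above are worth checking client-side before a triage script acts on them. The following is an added example, not pyexclient's own code: it validates remediation_actions records (plain dicts in the shape of the Example JSON record above) against those enumerations and groups the IN_PROGRESS actions that cannot be automated by cannot_automate_reason, which is the quickest way to see which configuration gap is holding each action type back. The sample records are constructed.

```python
# Added example, not pyexclient's own code: validate remediation_actions records
# against the enumerations in the table above and report IN_PROGRESS actions that
# cannot be automated, grouped by cannot_automate_reason. Sample data is constructed.
from collections import defaultdict
from typing import Dict, List

# "Status Restricted to" and "Version Restricted to" in the table above.
STATUSES = {"IN_PROGRESS", "COMPLETED", "CLOSED"}
VERSIONS = {"V1", "V2", "V3"}

# "Reason this action cannot be automated Restricted to" (Allows: null).
CANNOT_AUTOMATE_REASONS = {
    "DEVICE_ID_MISSING", "ACTION_NOT_SUPPORTED", "DEVICE_NOT_SUPPORTED",
    "FEATURE_FLAG_ACTION_DISABLED", "FEATURE_FLAG_VENDOR_NOT_ALLOWED",
    "CUSTOMER_CONFIG_DISABLED", "ALLOWED_ASSETS_EMPTY", "ASSETS_NOT_ALLOWED",
    "RED_TEAM_INVESTIGATION", "ASSET_NOT_APPLICABLE",
}

# "Action type Restricted to" (Allows: null).
ACTION_TYPES = {
    "BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS", "BLOCK_KNOWN_BAD_HASHES",
    "CONTAIN_HOSTS", "CONTAIN_INFECTED_REMOVABLE_MEDIA", "DELETE_MALICIOUS_FILES",
    "DISABLE_AND_MODIFY_AWS_ACCESS_KEYS", "MITIGATE_VULNERABILITY", "OTHER_REMEDIATION",
    "REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS",
    "REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER",
    "REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS",
    "REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS", "RESET_CREDENTIALS_OTHER",
    "RESET_CREDENTIALS_AWS", "RESET_CREDENTIALS_O365", "BLOCK_MALICIOUS_DOMAINS_AND_IPS",
    "BLOCK_SENDER_ADDRESS", "BLOCK_SENDER_DOMAIN", "REMOVE_MALICIOUS_EMAIL",
    "RESET_CREDENTIALS_GSUITE", "DISABLE_USER_ACCOUNT", "RESET_CREDENTIALS_OKTA",
    "REMOVE_TAP_THREAT_ID", "RESET_CREDENTIALS_AZURE", "RESET_CREDENTIALS_SALESFORCE",
    "RESET_CREDENTIALS_GCP",
}


def validate_remediation_action(rec: dict) -> List[str]:
    """Return the constraint violations in one record (empty list = consistent
    with the table). Fields marked "Allows: null" may be None; the rest must
    carry one of the restricted values."""
    problems = []
    if rec.get("status") not in STATUSES:
        problems.append("status: %r not in %s" % (rec.get("status"), sorted(STATUSES)))
    if rec.get("version") not in VERSIONS:
        problems.append("version: %r not in %s" % (rec.get("version"), sorted(VERSIONS)))
    action_type = rec.get("action_type")
    if action_type is not None and action_type not in ACTION_TYPES:
        problems.append("action_type: %r is not a documented action type" % action_type)
    reason = rec.get("cannot_automate_reason")
    if reason is not None and reason not in CANNOT_AUTOMATE_REASONS:
        problems.append("cannot_automate_reason: %r is not documented" % reason)
    if not isinstance(rec.get("can_automate"), bool):
        problems.append("can_automate: expected a boolean, got %r" % rec.get("can_automate"))
    return problems


def blocked_automations(records) -> Dict[str, List[str]]:
    """Group IN_PROGRESS actions that cannot be automated by cannot_automate_reason
    (reason -> action types), so the configuration gap holding each action type
    back is visible. Records that fail validation are skipped, not mis-bucketed."""
    grouped = defaultdict(list)
    for rec in records:
        if validate_remediation_action(rec):
            continue
        if rec["status"] == "IN_PROGRESS" and not rec["can_automate"]:
            # "Allows: null": the reason may be absent even when automation is off.
            grouped[rec["cannot_automate_reason"] or "NO_REASON_GIVEN"].append(rec["action_type"])
    return dict(grouped)


# Constructed sample records (illustrative values, not real Workbench data).
SAMPLE_ACTIONS = [
    {"action_type": "RESET_CREDENTIALS_O365", "status": "IN_PROGRESS", "version": "V2",
     "can_automate": False, "cannot_automate_reason": "CUSTOMER_CONFIG_DISABLED"},
    {"action_type": "BLOCK_SENDER_DOMAIN", "status": "IN_PROGRESS", "version": "V3",
     "can_automate": True, "cannot_automate_reason": None},
    {"action_type": "CONTAIN_HOSTS", "status": "COMPLETED", "version": "V1",
     "can_automate": False, "cannot_automate_reason": "DEVICE_ID_MISSING"},
    {"action_type": "REMOVE_MALICIOUS_EMAIL", "status": "IN_PROGRESS", "version": "V3",
     "can_automate": False, "cannot_automate_reason": "ASSETS_NOT_ALLOWED"},
    # Malformed: "DONE" is not a documented status, so this record is skipped.
    {"action_type": "CONTAIN_HOSTS", "status": "DONE", "version": "V1",
     "can_automate": False, "cannot_automate_reason": "DEVICE_ID_MISSING"},
]

if __name__ == "__main__":
    for reason, action_types in sorted(blocked_automations(SAMPLE_ACTIONS).items()):
        print("%-26s %s" % (reason, ", ".join(action_types)))
```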

class pyexclient.workbench.ResilienceActionGroups(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io resilience_action_group records

Resource type name is resilience_action_groups.

Example JSON record:

{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Global Resilience Group Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Group title | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Resilience actions | resilience_actions | ResilienceActions | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.ResilienceActions(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Resilience actions

Resource type name is resilience_actions.

Example JSON record:

{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'details': 'string', 'impact': 'LOW', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” Allows: null | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Details: markdown | details | string | Y | N |
| Impact Restricted to: “LOW”, “MEDIUM”, “HIGH” | impact | any | Y | N |
| Title | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io resilience_action_group records | resilience_action_group | ResilienceActionGroups | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.ResourceInstance(data, conn, included=None)

Bases: object

Represents an instance of a base resource.

classmethod create(conn, **kwargs)

Create a new resource instance. Users need to call save() after create to write changes to the server.

Returns: The updated resource instance
Return type: ResourceInstance
Examples:
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=ORGANIZATION_ID, relationship_assigned_to_actor=ACTOR_ID)
>>> i.save()
delete(prompt_on_delete=True)

Delete a resource instance.

Parameters: prompt_on_delete (bool, optional) – True if the user wants to be prompted when a delete is issued, False otherwise; defaults to True.
Examples:
>>> inv = xc.investigations.get(id='a8bf9750-6a79-4415-9558-a56253606b9f')
>>> inv.delete()
id

Retrieve the identifier for the resource instance.

Returns: A GUID representing the unique instance
Return type: str
Examples:
>>> for inv in xc.investigations.filter_by(status='OPEN'):
...     print("Investigation ID is %s" % inv.id)
save()

Write changes made to a resource instance back to the server.

Returns: The updated resource instance
Return type: ResourceInstance
Examples:
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=ORGANIZATION_ID, relationship_assigned_to_actor=ACTOR_ID)
>>> i.save()

class pyexclient.workbench.ReviewSummaries(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io review summary records

Resource type name is review_summaries.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00',
 'data': {},
 'process_name': 'SOC_QC_REVIEW',
 'reporting_at': '2019-01-15T15:35:00-05:00',
 'task_type': 'ALERT_REVIEW',
 'total': '2019-01-15T15:35:00-05:00',
 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| data for the specific review summary Allows: null: no-sort | data | object | Y | N |
| Process name Restricted to: “SOC_QC_REVIEW”, “PHISHING_AUDIT”, “SIMILARITY_REVIEW” | process_name | any | Y | N |
| Date used to report the counts Allows: null | reporting_at | string | Y | N |
| Task type Restricted to: “ALERT_REVIEW”, “INCIDENT_REVIEW”, “INVESTIGATION_REVIEW” | task_type | any | Y | N |
| Total number of errors for this date Allows: null | total | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | Actors | N | Y |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Defines/retrieves expel.io actor records | updated_by | Actors | N | Y |

class pyexclient.workbench.RuleDefinitions(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Notification rule definitions

Resource type name is rule_definitions.

Example JSON record:

{'conditions': [], 'event_definitions': [], 'owner_id': 'string', 'rule_action': 'string', 'rule_definition_type': 'UNSPECIFIED', 'rule_model': 'string'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: null: readonly, no-filter | conditions | array | Y | N |
| Allows: null: readonly, no-filter | event_definitions | array | Y | N |
| The rule definition’s owner id Allows: null, “” | owner_id | string | Y | N |
| The rule definition’s action description | rule_action | string | Y | N |
| The type of rule definition (required) Restricted to: “UNSPECIFIED”, “ORG”, “OPS”, “INFRA”, “EM”, “USER” | rule_definition_type | any | Y | N |
| The name of the model being acted on | rule_model | string | Y | N |

class pyexclient.workbench.SamlIdentityProviders(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

SAML Identity Providers

Resource type name is saml_identity_providers.

Example JSON record:

{'callback_uri': 'string', 'cert': 'string', 'entity_id': 'string', 'status': 'string'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: “” | callback_uri | string | Y | N |
| Allows: “”, null | cert | string | Y | N |
| Allows: “” | entity_id | string | Y | N |
| Restricted to: “not_configured”, “configured” | status | string | Y | N |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |

class pyexclient.workbench.Secrets(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Organization secrets. Note: these requests must be in the format /secrets/security_device-<guid>.

Resource type name is secrets.

Example JSON record:

{'secret': {'device_info': {'access_id': '7b0a343c-860e-442e-ab0b-d6f349d364d9',
                            'access_key': 'secret-access-key',
                            'source_category': 'alpha'},
            'device_secret': {'console_url': 'https://console-access-point.com',
                              'password': 'password',
                              'username': 'admin@company.com'},
            'two_factor_secret': 'GNFXSU2OKNJXUPTGJVQUMNDHM4YVEKRJ'}}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: null | secret | object | Y | N |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |

class pyexclient.workbench.SecurityDeviceCounts(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io security_device_count records

Resource type name is security_device_counts.

Example JSON record:

{'counts': {}, 'created_at': '2019-01-15T15:35:00-05:00', 'error_message': 'string', 'missing_permissions_detail': {}, 'organization_id': 'string', 'security_device_id': 'string'}

Below are valid filter by parameters:

| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| The security device counts: readonly, no-sort | counts | object | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Error message when retrieving counts: readonly | error_message | string | Y | N |
| Missing permissions details: no-sort | missing_permissions_detail | object | Y | N |
| Organization ID the security device belongs to: readonly | organization_id | string | Y | N |
| Security Device ID: readonly | security_device_id | string | Y | N |
| Defines/retrieves expel.io organization records | organization | Organizations | N | Y |
| Security devices | security_device | SecurityDevices | N | Y |

class pyexclient.workbench.SecurityDeviceHistories(data, conn, included=None)

Bases: pyexclient.workbench.ResourceInstance

Security Device histories

Resource type name is security_device_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Security device history action Restricted to: “CREATED”, “UPDATED”, “UPDATED_SECRETS”, “DELETED” action any Y N
Created timestamp: readonly created_at string Y N
Security device history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Security devices security_device SecurityDevices N Y
class pyexclient.workbench.SecurityDevices(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Security devices

Resource type name is security_devices.

Example JSON record:

{           'created_at': '2019-01-15T15:35:00-05:00',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'device_spec': {},
    'device_type': 'ENDPOINT',
    'has_console_credentials': True,
    'has_two_factor_secret': True,
    'is_verifying_status': True,
    'location': 'string',
    'name': 'string',
    'no_alert_threshold_hours': 100,
    'plugin_slug': 'string',
    'properties': {},
    'status': 'healthy',
    'status_details': {},
    'status_updated_at': '2019-01-15T15:35:00-05:00',
    'task_source': 'CUSTOMER_PREMISE',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Deleted At timestamp Allows: null deleted_at string Y N
Device Spec Allows: null: no-sort device_spec object Y N
Device Type Restricted to: “ENDPOINT”, “NETWORK”, “SIEM”, “OTHER”, “CLOUD” device_type any Y N
Has console credentials stored in vault: readonly has_console_credentials boolean Y N
Has 2fa secret stored in vault: readonly has_two_factor_secret boolean Y N
A health check is in progress for device is_verifying_status boolean Y N
Location Allows: “”, null location string Y N
Name name string Y N
Number of hours to wait before sending an alert for a device that has not checked in Allows: null no_alert_threshold_hours number Y N
Allows: “”, null plugin_slug string Y N
Properties about the security device: no-sort properties object Y N
Status. Note: By default if the security device has an assembler, and that assembler is unhealthy, the status will return that information rather than the raw status of the security device. To disable this behavior, add the query parameter flag[raw_status]=true. Restricted to: “healthy”, “unhealthy”, “health_checks_not_supported” Allows: null status any Y N
Status Details. Note: By default if the security device has an assembler, and that assembler is unhealthy, the status details will return that information rather than the raw status of the security device. To disable this behavior, add the query parameter flag[raw_status]=true. Allows: null: no-sort status_details object Y N
Status Updated At Allows: null: readonly status_updated_at string Y N
Location where tasks are run Restricted to: “CUSTOMER_PREMISE”, “EXPEL_TASKPOOL” task_source any Y N
Last Updated timestamp: readonly updated_at string Y N
Assemblers assembler Assemblers N Y
Security devices child_security_devices SecurityDevices N Y
Defines/retrieves expel.io actor records created_by Actors N Y
investigative actions investigative_actions InvestigativeActions N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io organization_contact records organization_contacts OrganizationContacts N Y
Security devices parent_security_device SecurityDevices N Y
Remediation action asset histories remediation_action_asset_histories RemediationActionAssetHistories N Y
Remediation action assets remediation_action_assets RemediationActionAssets N Y
Remediation action histories remediation_action_histories RemediationActionHistories N Y
Defines/retrieves expel.io remediation_action_setting_list_source_history records remediation_action_setting_list_source_histories RemediationActionSettingListSourceHistories N Y
Defines/retrieves expel.io remediation_action_setting_list_source records remediation_action_setting_list_sources RemediationActionSettingListSources N Y
Defines/retrieves expel.io remediation_action_setting records remediation_action_settings RemediationActionSettings N Y
Remediation actions remediation_actions RemediationActions N Y
Defines/retrieves expel.io security_device_count records security_device_counts SecurityDeviceCounts N Y
Security Device histories security_device_histories SecurityDeviceHistories N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Vendors vendor Vendors N Y
Vendor alerts vendor_alerts VendorAlerts N Y
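Added example (not pyexclient code): a small triage routine over SecurityDevices records in the JSON shape documented above, flagging the conditions a defender would act on (unhealthy or null status, a device silent longer than its no_alert_threshold_hours, missing vaulted credentials or 2FA secret). The records and the fixed "now" are constructed so the example runs offline; note that the status fields reflect an unhealthy assembler unless flag[raw_status]=true was requested.

```python
"""Triage SecurityDevices records (constructed sample data, standard library only)."""
from datetime import datetime, timedelta, timezone

# Constructed sample records, keyed like the documented example JSON (not real devices).
SAMPLE_DEVICES = [
    {"name": "edr-prod", "device_type": "ENDPOINT", "status": "healthy",
     "status_updated_at": "2019-01-15T15:35:00-05:00", "no_alert_threshold_hours": 24,
     "has_console_credentials": True, "has_two_factor_secret": True, "is_verifying_status": False},
    {"name": "fw-edge", "device_type": "NETWORK", "status": "unhealthy",
     "status_updated_at": "2019-01-15T15:35:00-05:00", "no_alert_threshold_hours": 24,
     "has_console_credentials": False, "has_two_factor_secret": False, "is_verifying_status": False},
    {"name": "siem-main", "device_type": "SIEM", "status": "health_checks_not_supported",
     "status_updated_at": None, "no_alert_threshold_hours": None,
     "has_console_credentials": True, "has_two_factor_secret": False, "is_verifying_status": True},
    {"name": "cloud-trail", "device_type": "CLOUD", "status": None,
     "status_updated_at": "2019-01-13T15:35:00-05:00", "no_alert_threshold_hours": 12,
     "has_console_credentials": True, "has_two_factor_secret": True, "is_verifying_status": False},
]

# Fixed reference time so the findings are deterministic (an assumption for the example).
NOW = datetime(2019, 1, 16, 12, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the API's ISO-8601 timestamps (e.g. '2019-01-15T15:35:00-05:00'); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value)


def triage_device(device, now=NOW):
    """Return the list of findings for one device; an empty list means nothing to act on."""
    findings = []
    status = device.get("status")

    if device.get("is_verifying_status"):
        # A health check is in progress, so the status may be transient: note it, do not page on it.
        findings.append("health check in progress")

    if status == "unhealthy":
        findings.append("status unhealthy")
    elif status is None:
        findings.append("status unknown (null)")
    # "health_checks_not_supported" carries no actionable signal on its own.

    threshold = device.get("no_alert_threshold_hours")
    last = parse_ts(device.get("status_updated_at"))
    if threshold is not None and last is not None:
        age = now - last
        if age > timedelta(hours=threshold):
            hours = age.total_seconds() / 3600
            findings.append(f"no status update for {hours:.1f}h (threshold {threshold}h)")
    elif threshold is not None and last is None:
        findings.append("never reported status but a silence threshold is set")

    # The readonly vault flags tell us whether Expel can actually reach the console.
    if not device.get("has_console_credentials"):
        findings.append("no console credentials in vault")
    if not device.get("has_two_factor_secret"):
        findings.append("no 2FA secret in vault")
    return findings


def triage(devices, now=NOW):
    """Map device name -> findings, keeping only devices with at least one finding."""
    report = {}
    for device in devices:
        findings = triage_device(device, now)
        if findings:
            report[device["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_DEVICES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```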
class pyexclient.workbench.Skus(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Service Skus

Resource type name is skus.

Example JSON record:

{           'allows_integrations': True,
    'attack_surfaces': [],
    'display_name': 'string',
    'hunting_attack_surfaces': [],
    'investigative_tech_attack_surfaces': [],
    'is_single_license': True,
    'name': 'string',
    'service_type': 'string',
    'version': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Meta: readonly, no-filter, no-sort allows_integrations boolean Y N
Meta: no-filter, no-sort attack_surfaces array Y N
Missing Description display_name string Y N
Meta: no-filter, no-sort hunting_attack_surfaces array Y N
Meta: no-filter, no-sort investigative_tech_attack_surfaces array Y N
Missing Description is_single_license boolean Y N
Missing Description name string Y N
Missing Description service_type string Y N
Missing Description version string Y N
class pyexclient.workbench.SuggestionHistories(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io suggestion_history records

Resource type name is suggestion_histories.

Example JSON record:

{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'suggestion_action': 'ADD_TO', 'value': {}}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Suggestion history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null action any Y N
Created timestamp: readonly created_at string Y N
Suggestion action Restricted to: “ADD_TO”, “CLOSE”, “SUPPRESS”, “INVESTIGATE” suggestion_action any Y N
Suggestion history details Allows: null: no-sort value object Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io suggestions suggestion Suggestions N Y
class pyexclient.workbench.Suggestions(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io suggestions

Resource type name is suggestions.

Example JSON record:

{'action': 'ADD_TO', 'created_at': '2019-01-15T15:35:00-05:00', 'metadata': {}, 'rank': 100, 'suggestion': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Action Restricted to: “ADD_TO”, “CLOSE”, “SUPPRESS”, “INVESTIGATE” action any Y N
Created timestamp: readonly created_at string Y N
Metadata for the suggestion Allows: null: no-sort metadata object Y N
Visualization rank rank number Y N
Body of the suggestion Allows: “”, null: markdown suggestion string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts expel_alerts ExpelAlerts N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io suggestion_history records suggestion_histories SuggestionHistories N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.TimelineEntries(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Timeline Entries

Resource type name is timeline_entries.

Example JSON record:

{           'attack_phase': 'string',
    'comment': 'string',
    'created_at': '2019-01-15T15:35:00-05:00',
    'deleted_at': '2019-01-15T15:35:00-05:00',
    'dest_host': 'string',
    'event': 'string',
    'event_date': '2019-01-15T15:35:00-05:00',
    'event_type': 'string',
    'is_selected': True,
    'src_host': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Attack phase of the Timeline Entry Allows: “”, null attack_phase string Y N
Comment on this Timeline Entry Allows: “”, null comment string Y N
Created timestamp: readonly created_at string Y N
Deleted At timestamp Allows: null deleted_at string Y N
Destination Host (IP or Hostname) Allows: “”, null dest_host string Y N
The event, such as Powershell Attack Allows: “”, null event string Y N
Date/Time of when the event occurred event_date string Y N
The type of the event, such as Carbon Black Alert Allows: “”, null event_type string Y N
Has been selected for final report. is_selected boolean Y N
Source Host (IP or Hostname) Allows: “”, null src_host string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io context_label_action records context_label_actions ContextLabelActions N Y
Defines/retrieves expel.io context_label records context_labels ContextLabels N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts expel_alert ExpelAlerts N Y
Investigations investigation Investigations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.UserAccountRoles(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io user_account_role records

Resource type name is user_account_roles.

Example JSON record:

{'active': True, 'assignable': True, 'created_at': '2019-01-15T15:35:00-05:00', 'role': 'expel_admin', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
If this role is active active boolean Y N
Can user be assigned items (e.g. investigations, etc) assignable boolean Y N
Created timestamp: readonly created_at string Y N
User account role for this organization Restricted to: “expel_admin”, “expel_analyst”, “organization_admin”, “organization_analyst”, “system”, “anonymous”, “restricted” role any Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
User accounts user_account UserAccounts N Y
class pyexclient.workbench.UserAccountStatuses(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

User account status

Resource type name is user_account_statuses.

Example JSON record:

{           'active': True,
    'active_status': 'ACTIVE',
    'created_at': '2019-01-15T15:35:00-05:00',
    'invite_token_expires_at': '2019-01-15T15:35:00-05:00',
    'password_reset_token_expires_at': '2019-01-15T15:35:00-05:00',
    'restrictions': [],
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Missing Description active boolean Y N
Restricted to: “ACTIVE”, “LOCKED”, “LOCKED_INVITED”, “LOCKED_EXPIRED”, “ACTIVE_INVITED”, “ACTIVE_EXPIRED”: readonly active_status any Y N
Meta: readonly created_at string Y N
Allows: null: readonly invite_token_expires_at string Y N
Allows: null: readonly password_reset_token_expires_at string Y N
Missing Description restrictions array Y N
Meta: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Defines/retrieves expel.io organization records primary_organization Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
User accounts user_account UserAccounts N Y
class pyexclient.workbench.UserAccounts(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

User accounts

Resource type name is user_accounts.

Example JSON record:

{           'active': True,
    'active_status': 'ACTIVE',
    'assignable': True,
    'created_at': '2019-01-15T15:35:00-05:00',
    'default_filter': 'ALL',
    'display_name': 'string',
    'email': 'name@company.com',
    'engagement_manager': True,
    'first_name': 'string',
    'homepage_preferences': {},
    'language': 'string',
    'last_name': 'string',
    'locale': 'string',
    'pagerduty_id': 'string',
    'phone_number': 'string',
    'show_highlighting': True,
    'show_new_nav': True,
    'timezone': 'string',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Active Allows: null active boolean Y N
Restricted to: “ACTIVE”, “LOCKED”, “LOCKED_INVITED”, “LOCKED_EXPIRED”, “ACTIVE_INVITED”, “ACTIVE_EXPIRED”: readonly, no-sort, no-filter active_status any Y N
Can user be assigned items (e.g. investigations, etc) assignable boolean Y N
Created timestamp: readonly created_at string Y N
User account default filter Restricted to: “ALL”, “MDR”, “PHISHING” default_filter any Y N
Display name Allows: “”, null display_name string Y N
Email email string Y N
Is an engagement manager engagement_manager boolean Y N
First Name first_name string Y N
Homepage preferences Allows: null: no-sort homepage_preferences object Y N
Language Allows: “”, null language string Y N
Last Name last_name string Y N
Locale Allows: “”, null locale string Y N
Pagerduty ID Allows: null pagerduty_id string Y N
Phone number Allows: null phone_number string Y N
Whether or not highlighting is enabled show_highlighting boolean Y N
Whether or not the new navigation UI is displayed: readonly show_new_nav boolean Y N
Timezone Allows: “”, null timezone string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records actor Actors N Y
investigative actions analysis_assigned_investigative_actions InvestigativeActions N Y
Expel alerts assigned_expel_alerts ExpelAlerts N Y
Investigations assigned_investigations Investigations N Y
investigative actions assigned_investigative_actions InvestigativeActions N Y
Organization to resilience actions assigned_organization_resilience_actions OrganizationResilienceActions N Y
Organization to resilience actions assigned_organization_resilience_actions_list OrganizationResilienceActions N Y
Remediation actions assigned_remediation_actions RemediationActions N Y
Defines/retrieves expel.io remediation_action_setting records automate_opt_in_for_remediation_action_setting RemediationActionSettings N Y
Defines/retrieves expel.io actor records created_by Actors N Y
investigative actions current_assigned_investigative_actions_classification InvestigativeActions N Y
User Notification Preferences notification_preferences NotificationPreferences N Y
Defines/retrieves expel.io organization records organizations Organizations N Y
Defines/retrieves expel.io organization records primary_organization Organizations N Y
Defines/retrieves expel.io user_account_role records primary_user_account_role UserAccountRoles N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Defines/retrieves expel.io user_account_role records user_account_roles UserAccountRoles N Y
User account status user_account_status UserAccountStatuses N Y
class pyexclient.workbench.UserTasks(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Defines/retrieves expel.io user task records

Resource type name is user_tasks.

Example JSON record:

{           'assigned_to_id': {},
    'created_at': '2019-01-15T15:35:00-05:00',
    'data': {},
    'process_name': 'SOC_QC_REVIEW',
    'reporting_at': '2019-01-15T15:35:00-05:00',
    'task_status': 'NEW',
    'task_type': 'ALERT_REVIEW',
    'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Actor to whom the task is assigned Allows: null assigned_to_id object Y N
Created timestamp: readonly created_at string Y N
data for the specific user task Allows: null: no-sort data object Y N
Process name Restricted to: “SOC_QC_REVIEW”, “PHISHING_AUDIT”, “SIMILARITY_REVIEW” process_name any Y N
Date used to report the item status Allows: null reporting_at string Y N
Task status Restricted to: “NEW”, “ASSIGNED”, “COMPLETED” task_status any Y N
Task type Restricted to: “ALERT_REVIEW”, “INCIDENT_REVIEW”, “INVESTIGATION_REVIEW” task_type any Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records assigned_to Actors N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts expel_alert ExpelAlerts N Y
Investigations investigation Investigations N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
class pyexclient.workbench.VendorAlertEvidences(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Vendor alert evidences are extracted from a vendor alert’s evidence summary

Resource type name is vendor_alert_evidences.

Example JSON record:

{'evidence': 'string', 'evidence_type': 'HOSTNAME'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Evidence evidence string Y N
Type Restricted to: “HOSTNAME”, “URL”, “PROCESS_ARGUMENTS”, “PROCESS_PATH”, “PROCESS_MD5”, “USERNAME”, “SRC_IP”, “DST_IP”, “PARENT_ARGUMENTS”, “PARENT_PATH”, “PARENT_MD5”, “SRC_USERNAME”, “DST_USERNAME”, “ALERT_ACTION”, “ALERT_DESCRIPTION”, “ALERT_MESSAGE”, “ALERT_NAME”, “SRC_PORT”, “DST_PORT”, “USER_AGENT”, “VENDOR_NAME”, “DOMAIN”, “FILE_HASH”, “FILE_PATH” evidence_type any Y N
Expel alerts evidenced_expel_alerts ExpelAlerts N Y
Vendor alerts vendor_alert VendorAlerts N Y
class pyexclient.workbench.VendorAlerts(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Vendor alerts

Resource type name is vendor_alerts.

Example JSON record:

{           'created_at': '2019-01-15T15:35:00-05:00',
    'description': 'string',
    'evidence_activity_end_at': '2019-01-15T15:35:00-05:00',
    'evidence_activity_start_at': '2019-01-15T15:35:00-05:00',
    'evidence_summary': [],
    'first_seen': '2019-01-15T15:35:00-05:00',
    'original_alert_id': 'string',
    'original_source_id': 'string',
    'signals': [],
    'signature_id': 'string',
    'status': 'NORMAL',
    'updated_at': '2019-01-15T15:35:00-05:00',
    'vendor_message': 'string',
    'vendor_severity': 'CRITICAL',
    'vendor_sig_name': 'string'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Description Allows: “”, null description string Y N
Evidence activity end datetime Allows: null: immutable evidence_activity_end_at string Y N
Evidence activity start datetime Allows: null: immutable evidence_activity_start_at string Y N
Evidence summary Allows: null: no-sort evidence_summary array Y N
First Seen first_seen string Y N
Allows: null: immutable original_alert_id string Y N
Allows: null: immutable original_source_id string Y N
Signal evidence: no-sort signals array Y N
Signature ID Allows: “”, null signature_id string Y N
Status Restricted to: “NORMAL”, “PROVISIONAL” Allows: null: readonly status any Y N
Last Updated timestamp: readonly updated_at string Y N
Vendor Message Allows: “”, null vendor_message string Y N
Vendor alert severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” Allows: null vendor_severity any Y N
Vendor Sig Name Allows: “”, null vendor_sig_name string Y N
Assemblers assembler Assemblers N Y
Defines/retrieves expel.io actor records created_by Actors N Y
Vendor alert evidences are extracted from a vendor alert’s evidence summary evidences VendorAlertEvidences N Y
Expel alerts expel_alerts ExpelAlerts N Y
IP addresses ip_addresses IpAddresses N Y
Defines/retrieves expel.io organization records organization Organizations N Y
Security devices security_device SecurityDevices N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Vendors vendor Vendors N Y
class pyexclient.workbench.Vendors(data, conn, included=None)[source]

Bases: pyexclient.workbench.ResourceInstance

Vendors

Resource type name is vendors.

Example JSON record:

{'created_at': '2019-01-15T15:35:00-05:00', 'icon': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}

Below are valid filter by parameters:

Field Description Field Name Field Type Attribute Relationship
Created timestamp: readonly created_at string Y N
Icon Allows: “”, null icon string Y N
Name Allows: “”, null name string Y N
Last Updated timestamp: readonly updated_at string Y N
Defines/retrieves expel.io actor records created_by Actors N Y
Expel alerts expel_alerts ExpelAlerts N Y
Security devices security_devices SecurityDevices N Y
Defines/retrieves expel.io actor records updated_by Actors N Y
Vendor alerts vendor_alerts VendorAlerts N Y
class pyexclient.workbench.WorkbenchClient(base_url, username=None, password=None, mfa_code=None, token=None, prompt_on_delete=True)[source]

Bases: pyexclient.workbench.WorkbenchCoreClient

Instantiate a client that interacts with Workbench’s API server.

If the developer specifies a username, then password and mfa_code are required inputs. If the developer has a token then username, password and mfa_code parameters are ignored.

Parameters:
  • cls (WorkbenchClient) – A Workbench class reference.
  • username (str or None) – The username
  • password (str or None) – The username’s password
  • mfa_code (int or None) – The multi-factor authentication code generated by Google Authenticator.
  • token (str or None) – The bearer token of an authorized session. Can be used instead of username/password combo.
Returns:

An initialized and authorized Workbench client.

Return type:

WorkbenchClient

capabilities(customer_id: str)[source]

Get a list of capabilities for a given customer.

Parameters:customer_id (str) – The customer ID
Examples:
>>> xc.capabilities("my-customer-guid-123")
create_auto_inv_action(customer_id: str, security_device_id: str, created_by_id: str, capability_name: str, input_args: dict, title: str, reason: str, investigation_id: str = None, expel_alert_id: str = None)[source]

Create an automatic investigative action.

Parameters:
  • customer_id (str) – The customer ID
  • investigation_id (str) – The investigation ID to associate the action with.
  • expel_alert_id (str) – The expel alert id
  • security_device_id (str) – The security device ID, to dispatch the task against.
  • created_by_id (str) – The user ID that created the action
  • capability_name (str) – The name of the capability we are running. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
  • input_args (dict) – The input arguments to the capability to run. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
  • title (str) – The title of the investigative action, shows up in Workbench.
  • reason (str) – The reason for running the investigative action, shows up in Workbench.
Returns:

Investigative action response

Return type:

InvestigativeActions

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> input_args = {"user_name": "willy.wonka@expel.io", "time_range_start": "2019-01-30T14:00:40Z", "time_range_end": "2019-01-30T14:45:40Z"}
>>> o = xc.create_auto_inv_action(customer_guid, device_guid, user_guid, 'query_user', input_args, 'Query User', 'Getting user login activity to determine if login is normal', investigation_id=inv_guid)
>>> print("Investigative Action ID: ", o.id)
create_manual_inv_action(title: str, reason: str, instructions: str, investigation_id: str = None, expel_alert_id: str = None, security_device_id: str = None, action_type: str = 'MANUAL')[source]

Create a manual investigative action.

Parameters:
  • title (str) – The title of the investigative action, shows up in Workbench.
  • reason (str) – The reason for running the investigative action, shows up in Workbench.
  • instructions (str) – The instructions for running the investigative action.
  • investigation_id (str) – The investigation ID to associate the action with.
  • expel_alert_id (str) – The expel alert id
  • security_device_id (str) – The security device ID, to dispatch the task against.
  • action_type (str) – The type of action that will be run.
Returns:

Investigative action response

Return type:

InvestigativeActions

Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> o = xc.create_manual_inv_action('title foo', 'reason bar', 'instructions blah')
>>> print("Investigative Action ID: ", o.id)
fetch_plugins()[source]

Get a list of plugins.

Examples:
>>> xc.fetch_plugins()
class pyexclient.workbench.WorkbenchCoreClient(base_url, username=None, password=None, mfa_code=None, token=None, retries=3, prompt_on_delete=True)[source]

Bases: object

Instantiate a Workbench core client that provides just authentication and request capabilities to Workbench

If the developer specifies a username, then password and mfa_code are required inputs. If the developer has a token then username, password and mfa_code parameters are ignored.

Parameters:
  • cls (WorkbenchClient) – A Workbench class reference.
  • username (str or None) – The username
  • password (str or None) – The username’s password
  • mfa_code (int or None) – The multi-factor authentication code generated by Google Authenticator.
  • token (str or None) – The bearer token of an authorized session. Can be used instead of username/password combo.
Returns:

An initialized and authorized Workbench client.

Return type:

WorkbenchClient

login(username, password, code)[source]

Authenticate as a human user; this requires providing the 2FA code.

Parameters:
  • username (str) – The user’s e-mail address.
  • password (str) – The user’s password.
  • code (str) – The 2FA code
Returns:

The bearer token that allows users to call Workbench APIs.

Return type:

str

make_session()[source]

Create a session with Workbench

class pyexclient.workbench.base_filter(filter_value)[source]

Bases: pyexclient.workbench.operator

Base class for operators which take the form filter[field]. Can be used to create a basic one field filter, or subclassed by special operators for more complicated logic

class pyexclient.workbench.contains(*args)[source]

Bases: pyexclient.workbench.base_filter

The contains operator is used to search for fields that contain a substring.

Parameters:value (str) – A substring to be checked against the value of a field.
Examples:
>>> for ea in xc.expel_alerts.search(close_comment=contains("foo")):
>>>     print("%s contains foo in the close comment" % ea.expel_name)
class pyexclient.workbench.flag(filter_value)[source]

Bases: pyexclient.workbench.operator

Base class for operators which take the form flag[field]. Can be used to create a basic one field flag, or subclassed by special operators for more complicated logic

class pyexclient.workbench.gt(value)[source]

Bases: pyexclient.workbench.base_filter

The gt (greater than) operator is used to search a specific field for values greater than X.

Parameters:value (str) – The greater than value to be used in comparison during a search.
Examples:
>>> for ea in xc.expel_alerts.search(created_at=gt("2020-01-01")):
>>>     print("%s was created after 2020-01-01" % ea.expel_name)
class pyexclient.workbench.include(include)[source]

Bases: pyexclient.workbench.operator

The include operator requests base resource names in a search. Cannot be used with sort or filtering. Passed as arg to search TODO enforce this constraint with asserts

Parameters:include (str) – Include specific base resource names in request

Examples:
>>> for ea in xc.expel_alerts.search(include('organization,created_by,updated_by')):
>>>     print(ea.organization)

pyexclient.workbench.is_operator(value)[source]

Determine if a value implements an operator.

Parameters:value (object) – The value to check
Returns:True if value is an operator, False otherwise.
Return type:bool
class pyexclient.workbench.isnull(filter_value=True)[source]

Bases: pyexclient.workbench.base_filter

The isnull operator is used to search for fields that are null.

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=isnull()):
>>>     print("%s has no close comment" % ea.expel_name)
class pyexclient.workbench.limit(limit)[source]

Bases: pyexclient.workbench.operator

The limit operator adds a limit to a search. Passed as arg to search

Parameters:limit (int) – Limit the number of results returned.
class pyexclient.workbench.lt(value)[source]

Bases: pyexclient.workbench.base_filter

The lt (less than) operator is used to search a specific field for values less than X.

Parameters:value (str) – The less than value to be used in comparison during a search.
Examples:
>>> for ea in xc.expel_alerts.search(created_at=lt("2020-01-01")):
>>>     print("%s was created before 2020-01-01" % ea.expel_name)
class pyexclient.workbench.neq(*args)[source]

Bases: pyexclient.workbench.base_filter

The neq operator is used to search for fields that are not equal to a specified value.

Parameters:value (str) – The value to assert the field is not equal to
Examples:
>>> for ea in xc.expel_alerts.search(close_comment=neq("foo")):
>>>     print("%s has a close comment that is not equal to 'foo'" % ea.expel_name)
class pyexclient.workbench.notnull(filter_value=True)[source]

Bases: pyexclient.workbench.base_filter

The notnull operator is used to search for fields that are not null.

Examples:
>>> for ea in xc.expel_alerts.search(close_comment=notnull()):
>>>     print("%s has a close comment of %s" % (ea.expel_name, ea.close_comment))
class pyexclient.workbench.operator(filter_value)[source]

Bases: object

Base class for all operators. This should not be used directly.

class pyexclient.workbench.relationship(rel_path, value)[source]

Bases: pyexclient.workbench.operator

The relationship operator allows searching for resource objects based on their relationship to other resource objects. Passed as arg to search

Parameters:
  • rel_path (str) – A dot notation of the relationship path to a resource object.
  • value (object) – The value the rel_path is compared to. This can be an operator, or a primitive value.
Examples:
>>> for inv_action in xc.investigative_actions.search(relationship("investigation.close_comment", notnull())):
>>>     print("Found investigative action associated with an investigation that has no close comment.")
class pyexclient.workbench.sort(sort, order='asc')[source]

Bases: pyexclient.workbench.operator

The sort operator passes a sort request to a search. Can add multiple sort operators to a single search. If no sort is provided the default of sorting by created_at (asc) -> id (asc) will be used. Passed as arg to search TODO enforce this with asserts

Parameters:
  • sort (str) – The column to sort on.
  • order (str) – Expects asc or desc. The database will translate asc->+ and desc->-
class pyexclient.workbench.startswith(swith)[source]

Bases: pyexclient.workbench.base_filter

The startswith operator is used to search for values that start with a specified string.

Parameters:value (str) – The startswith string
Examples:
>>> for ea in xc.expel_alerts.search(close_comment=startswith("foo")):
>>>     print("%s starts with foo in the close comment" % ea.expel_name)
class pyexclient.workbench.window(start, end)[source]

Bases: pyexclient.workbench.base_filter

The window operator is used to search a specific field for values within a window (range) of values.

Parameters:
  • start (Union[str, int, datetime.datetime]) – The beginning of the window range
  • end (str) – The end of the window range
Examples:
>>> for ea in xc.expel_alerts.search(created_at=window("2020-01-01", "2020-05-01")):
>>>     print("%s was created after 2020-01-01 and before 2020-05-01" % ea.expel_name)