Workbench API Reference
- class pyexclient.workbench.ActivityMetrics(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io activity_metric records
Resource type name is activity_metrics.
Example JSON record:
{'activity': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'data': {}, 'ended_at': '2019-01-15T15:35:00-05:00', 'referring_url': 'https://company.com/', 'started_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00', 'url': 'https://company.com/'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- activity (string): Activity. Allows: “”, null
- created_at (string): Created timestamp [readonly]
- data (object): Additional data about the activity. Allows: null [no-sort]
- ended_at (string): Date/Time of when the activity concluded
- referring_url (string): Referring url. Allows: “”, null
- started_at (string): Date/Time of when the activity started
- updated_at (string): Last Updated timestamp [readonly]
- url (string): Url. Allows: “”, null
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- expel_alert: Expel alerts
- investigation: Investigations
- security_device: Security devices
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.Actors(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io actor records
Resource type name is actors.
Example JSON record:
{'actor_type': 'system', 'created_at': '2019-01-15T15:35:00-05:00', 'display_name': 'string', 'is_expel': True, 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- actor_type (any): Actor type. Restricted to: “system”, “user”, “organization”, “api”, “service” [immutable]
- created_at (string): Created timestamp [readonly]
- display_name (string): Display name. Allows: “”, null
- is_expel (boolean): Meta [readonly, no-sort, no-filter]
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- analysis_assigned_investigative_actions: investigative actions
- assigned_expel_alerts: Expel alerts
- assigned_investigations: Investigations
- assigned_investigative_actions: investigative actions
- assigned_organization_resilience_actions: Organization to resilience actions
- assigned_organization_resilience_actions_list: Organization to resilience actions
- assigned_remediation_actions: Remediation actions
- automate_opt_in_for_remediation_action_setting: Defines/retrieves expel.io remediation_action_setting records
- child_actors: Defines/retrieves expel.io actor records
- child_organizations: Defines/retrieves expel.io organization records
- created_by: Defines/retrieves expel.io actor records
- current_assigned_investigative_actions_classification: investigative actions
- notification_preferences: User Notification Preferences
- organization: Defines/retrieves expel.io organization records
- parent_actor: Defines/retrieves expel.io actor records
- updated_by: Defines/retrieves expel.io actor records
- user_account: User accounts
- class pyexclient.workbench.ApiKeys(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io api_key records. These can only be created by a user and require an OTP token.
Resource type name is api_keys.
Example JSON record:
{'access_token': 'string', 'active': True, 'assignable': True, 'created_at': '2019-01-15T15:35:00-05:00', 'display_name': 'string', 'name': 'string', 'realm': 'public', 'restrictions': [], 'role': 'expel_admin', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- access_token (string): Only upon initial api key creation (POST), contains the bearer api key token required for api access [readonly, no-sort, no-filter]
- active (boolean): Active. Allows: null
- assignable (boolean): Can Api key be assigned items (e.g. investigations, etc)
- created_at (string): Created timestamp [readonly]
- display_name (string): Display name. Allows: null
- name (string): Missing Description
- realm (any): Realm in which the api key can be used. Restricted to: “public”, “internal”
- restrictions (array): Special authorization restrictions for this api key
- role (any): Role. Restricted to: “expel_admin”, “expel_analyst”, “organization_admin”, “organization_analyst”, “system”, “anonymous”, “restricted”
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- organization: Defines/retrieves expel.io organization records
- updated_by: Defines/retrieves expel.io actor records
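The api_keys fields above (role, realm, active, restrictions, and an access_token that is only ever returned by the creating POST) are what a periodic least-privilege review of API keys needs. The following is an added example, not pyexclient's own code: it audits a list of api_key records in the JSON:API shape the page documents and flags active keys that hold a privileged role, live in the internal realm, carry no restrictions, or still have an access_token sitting in a stored copy of the record. The privilege policy, the reading of an empty restrictions array as "unrestricted", the sample records and the `xc.api_keys` accessor mentioned in the comments are all assumptions of this example.

```python
from dataclasses import dataclass

# Roles from the api_keys.role enumeration above that carry admin or Expel-wide rights.
# Treating these as "privileged" is this example's policy, not something the API defines.
PRIVILEGED_ROLES = {"expel_admin", "expel_analyst", "organization_admin"}


@dataclass
class Finding:
    key_id: str
    name: str
    reasons: list


def audit_api_keys(records):
    """Return a Finding for every active api_key record that breaks the policy below.

    `records` is a list of dicts in the JSON:API shape {"id": ..., "attributes": {...}},
    where the attributes are the api_keys fields documented on this page.
    """
    findings = []
    for rec in records:
        attrs = rec["attributes"]
        if not attrs.get("active"):
            continue  # inactive keys cannot authenticate, so they are not a live exposure
        reasons = []
        if attrs.get("role") in PRIVILEGED_ROLES:
            reasons.append(f"privileged role {attrs['role']!r}")
        if attrs.get("realm") == "internal":
            reasons.append("internal realm")
        # `restrictions` is documented only as "special authorization restrictions";
        # this example assumes an empty array means the key is unrestricted.
        if not attrs.get("restrictions"):
            reasons.append("no authorization restrictions")
        # access_token is documented as returned only on creation (POST). If it shows up
        # in a record you persisted or exported, the bearer token was stored in the clear.
        if attrs.get("access_token"):
            reasons.append("access_token retained in stored record")
        if reasons:
            findings.append(Finding(rec["id"], attrs.get("name") or "", reasons))
    return findings


# Constructed sample records (ids, names and the token are invented for this example).
# With a live client the same list could be built from the documented iteration style,
# e.g. `for k in xc.api_keys.filter_by(active=True)` (assumed accessor; needs network).
SAMPLE_RECORDS = [
    {"id": "key-1", "attributes": {"name": "siem-export", "active": True, "realm": "public",
                                   "restrictions": [{"note": "constructed"}],
                                   "role": "organization_analyst"}},
    {"id": "key-2", "attributes": {"name": "legacy-admin", "active": True, "realm": "public",
                                   "restrictions": [], "role": "organization_admin"}},
    {"id": "key-3", "attributes": {"name": "old-ci", "active": False, "realm": "internal",
                                   "restrictions": [], "role": "expel_admin"}},
    {"id": "key-4", "attributes": {"name": "exported-with-token", "active": True,
                                   "realm": "public", "restrictions": [{"note": "constructed"}],
                                   "role": "restricted", "access_token": "REDACTED-IN-PRACTICE"}},
]

if __name__ == "__main__":
    for f in audit_api_keys(SAMPLE_RECORDS):
        print(f.key_id, f.name, "; ".join(f.reasons))
```

Because access_token is documented as readonly and no-filter, you cannot ask the API for it again; the only copy is the one returned at creation, so the check for a retained token is aimed at your own exports and backups, not at the API.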
- class pyexclient.workbench.AssemblerImages(data, conn, included=None)
Bases: ResourceInstance
Assembler Images
Resource type name is assembler_images.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'hash_md5': 'string', 'hash_sha1': 'string', 'hash_sha256': 'string', 'platform': 'VMWARE', 'release_date': '2019-01-15T15:35:00-05:00', 'size': 100, 'updated_at': '2019-01-15T15:35:00-05:00', 'version': 'string'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- hash_md5 (string): Assembler image md5 hash. Allows: null
- hash_sha1 (string): Assembler image sha1 hash. Allows: null
- hash_sha256 (string): Assembler image sha256 hash. Allows: null
- platform (any): Platform. Restricted to: “VMWARE”, “HYPERV”, “AZURE”, “AMAZON”
- release_date (string): Assembler image release date. Allows: null
- size (number): Assembler image size. Allows: null
- updated_at (string): Last Updated timestamp [readonly]
- version (string): Assembler image version. Allows: “”, null
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- updated_by: Defines/retrieves expel.io actor records
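An assembler_images record publishes md5, sha1 and sha256 hashes plus a size for each image, which is exactly what you need to verify a downloaded image before deploying it into your network. The following is an added example, not pyexclient's own code: it streams the image once, computes all three digests, and compares them against a record's attributes using constant-time comparison. Only the sha256 match counts as proof of integrity; md5 and sha1 are reported but never trusted on their own, and a record whose hash_sha256 is null (the field allows it) fails closed. The image bytes and the record are constructed here so the example runs offline; in practice the record comes from the API and the bytes from your download.

```python
import hashlib
import hmac
import io

DIGEST_FIELDS = ("hash_md5", "hash_sha1", "hash_sha256")


def digests(stream, chunk_size=1 << 20):
    """Stream a file-like object once and return ({field: hexdigest}, byte_count),
    keyed by the assembler_images attribute names."""
    hashers = {"hash_md5": hashlib.md5(), "hash_sha1": hashlib.sha1(),
               "hash_sha256": hashlib.sha256()}
    size = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        size += len(block)
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def verify_image(stream, record_attrs):
    """Compare a downloaded image against the hashes published in its record.

    Returns (ok, details). ok is True only when hash_sha256 matches and nothing else
    (md5, sha1, size) contradicts it; a record without a sha256 fails closed.
    """
    actual, size = digests(stream)
    details = {}
    for name in DIGEST_FIELDS:
        expected = record_attrs.get(name)
        if not expected:
            details[name] = "not published"
        elif hmac.compare_digest(expected.lower(), actual[name]):
            details[name] = "match"
        else:
            details[name] = "MISMATCH"
    if record_attrs.get("size") is not None:
        details["size"] = "match" if record_attrs["size"] == size else "MISMATCH"
    ok = details["hash_sha256"] == "match" and "MISMATCH" not in details.values()
    return ok, details


def verify_bytes(data, record_attrs):
    """Convenience wrapper for in-memory data; real images should go through verify_image."""
    return verify_image(io.BytesIO(data), record_attrs)


# Constructed stand-in for an image download. The record's hashes are derived from it so
# the example is self-contained; a real record's hashes come from the API, never from the file.
SAMPLE_IMAGE = b"constructed assembler image bytes\n" * 1000
_sample_digests, _sample_size = digests(io.BytesIO(SAMPLE_IMAGE))
SAMPLE_RECORD = {"platform": "VMWARE", "version": "example", "size": _sample_size,
                 **_sample_digests}

if __name__ == "__main__":
    print(verify_bytes(SAMPLE_IMAGE, SAMPLE_RECORD))
```

Compare against the record as served by the API at verification time rather than a copy saved alongside the download; a hash that travelled with the artifact offers no independent check.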
- class pyexclient.workbench.Assemblers(data, conn, included=None)
Bases: ResourceInstance
Assemblers
Resource type name is assemblers.
Example JSON record:
{'connection_status': 'Never Connected', 'connection_status_updated_at': '2019-01-15T15:35:00-05:00', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'install_code': 'string', 'lifecycle_status': 'New', 'lifecycle_status_updated_at': '2019-01-15T15:35:00-05:00', 'location': 'string', 'name': 'string', 'status': 'string', 'status_updated_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00', 'vpn_ip': 'string'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- connection_status (any): Assembler connection status. Restricted to: “Never Connected”, “Connection Lost”, “Connected to Provisioning”, “Connected to Service”. Allows: null
- connection_status_updated_at (string): Assembler connection status update timestamp [readonly]
- created_at (string): Created timestamp [readonly]
- deleted_at (string): Deleted At timestamp. Allows: null
- install_code (string): Assembler install code. Allows: null
- lifecycle_status (any): Assembler life cycle status. Restricted to: “New”, “Authorized”, “Transitioning”, “Transitioned”, “Transition Failed”, “Configuring”, “Configuration Failed”, “Active”, “Inactive”, “Deleted”. Allows: null
- lifecycle_status_updated_at (string): Assembler lifecycle status update timestamp [readonly]
- location (string): Location of assembler. Allows: “”, null
- name (string): Name of assembler. Allows: “”, null
- status (string): Assembler status. Restricted to: “not_yet_connected”, “connection_lost”, “connected”, “error”, “configuring”, “transition_failed”, “configuration_failed”, “active”, “inactive”, “deleted”. Allows: “”, null [readonly]
- status_updated_at (string): Assembler last status update timestamp [readonly]
- updated_at (string): Last Updated timestamp [readonly]
- vpn_ip (string): Assembler VPN ip address. Allows: null
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- organization: Defines/retrieves expel.io organization records
- security_devices: Security devices
- updated_by: Defines/retrieves expel.io actor records
- vendor_alerts: Vendor alerts
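An assembler that is lifecycle Active but not "Connected to Service" is a blind spot: the security devices and vendor alerts behind it stop arriving. The connection_status and lifecycle_status enumerations above, with their *_updated_at timestamps, are enough to build a health check. The following is an added example, not pyexclient's own code: it takes assembler attribute dicts in the documented shape and a reference clock, skips decommissioned and still-provisioning assemblers, and reports failed lifecycle states and lost connections together with how long they have been in that state. The records and the reference time are constructed; the timestamp offsets are parsed as the API formats them (e.g. 2019-01-15T15:35:00-05:00).

```python
from datetime import datetime, timezone

FAILED_LIFECYCLE = {"Transition Failed", "Configuration Failed"}
HEALTHY_CONNECTION = "Connected to Service"


def parse_ts(value):
    """Parse the offset-aware timestamps the API returns into UTC so ages can be
    compared regardless of the offset each record carries."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def unhealthy_assemblers(records, now):
    """Return [{"name", "reason", "since"}] for assemblers that should be forwarding
    telemetry but are not.

    records: list of attribute dicts in the assemblers shape documented above.
    now: aware datetime used as the reference clock (injected so the check is reproducible).
    """
    problems = []
    for a in records:
        name = a.get("name") or "<unnamed>"
        life = a.get("lifecycle_status")
        if a.get("deleted_at") or life in (None, "Deleted", "Inactive"):
            continue  # decommissioned: no visibility is expected from it
        if life in FAILED_LIFECYCLE:
            since = now - parse_ts(a["lifecycle_status_updated_at"])
            problems.append({"name": name, "reason": f"lifecycle_status {life!r}",
                             "since": since})
            continue
        if life != "Active":
            continue  # New/Authorized/Transitioning/Configuring: still being provisioned
        conn = a.get("connection_status")
        if conn != HEALTHY_CONNECTION:
            updated = a.get("connection_status_updated_at")
            since = now - parse_ts(updated) if updated else None
            problems.append({"name": name, "reason": f"connection_status {conn!r}",
                             "since": since})
    return problems


# Constructed reference clock and sample assemblers (names and times are invented).
NOW = datetime(2024, 3, 1, 16, 0, tzinfo=timezone.utc)
SAMPLE_ASSEMBLERS = [
    {"name": "dc1-assembler", "lifecycle_status": "Active",
     "connection_status": "Connected to Service",
     "connection_status_updated_at": "2024-03-01T10:55:00+00:00", "deleted_at": None},
    {"name": "branch-assembler", "lifecycle_status": "Active",
     "connection_status": "Connection Lost",
     "connection_status_updated_at": "2024-03-01T08:00:00-05:00", "deleted_at": None},
    {"name": "retired-assembler", "lifecycle_status": "Deleted",
     "connection_status": "Connection Lost",
     "connection_status_updated_at": "2023-12-01T00:00:00+00:00",
     "deleted_at": "2023-12-01T00:00:00+00:00"},
    {"name": "new-assembler", "lifecycle_status": "Configuration Failed",
     "connection_status": "Connected to Provisioning",
     "lifecycle_status_updated_at": "2024-03-01T15:30:00+00:00", "deleted_at": None},
]

if __name__ == "__main__":
    for p in unhealthy_assemblers(SAMPLE_ASSEMBLERS, NOW):
        print(p["name"], p["reason"], p["since"])
```

The check keys on connection_status rather than the readonly status string because the page documents connection_status as the enumeration that distinguishes "Connected to Provisioning" from "Connected to Service"; only the latter means alerts are flowing.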
- class pyexclient.workbench.BaseResourceObject(cls, content=None, api_type=None, conn=None)
Bases: object
- count()
Return the number of records in a JSON API response. You can get the count for entries returned by filtering, or you can request the count of the total number of resource instances. Getting the total number of resource instances does not require paginating over all entries.
- Returns:
The number of records in a JSON API response
- Return type:
int
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> print("Investigation Count: ", xc.investigations.filter_by(customer_id='1').count())
>>> print("Investigation Count: ", xc.investigations.count())
- create(**kwargs)
Create a ResourceInstance object that represents some JSON API resource. As in the example, call save() on the returned object to persist it.
- Parameters:
kwargs (dict) – Attributes to set on the new JSON API resource.
- Returns:
A ResourceInstance object that represents the JSON API resource type requested by the dev.
- Return type:
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=CUSTOMER_GUID, relationship_assigned_to_actor=PETER_S)
>>> i.save()
- filter_by(**kwargs)
Issue a JSON API call requesting that a JSON API resource be filtered by some set of attributes, id, limit, etc.
- Parameters:
kwargs (dict) – The attributes (and id, limit, etc.) of the JSON API resource type to filter on
- Returns:
A BaseResourceObject object
- Return type:
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> for inv in xc.investigations.filter_by(customer_id='1'):
...     print(inv.title)
- get(**kwargs)
Request a JSON API resource by id.
- Parameters:
id (str) – The GUID of the resource
- Returns:
A BaseResourceObject object
- Return type:
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> inv = xc.investigations.get(id=investigation_guid)
>>> print(inv.title)
- one_or_none()
Return one record from a JSON API response, or None if there were no records. Check the result for None before using it.
- Returns:
A BaseResourceObject object
- Return type:
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> inv = xc.investigations.filter_by(customer_id=CUSTOMER_GUID).one_or_none()
>>> print(inv.title if inv is not None else "no matching investigation")
- search(*args, **kwargs)
Search based on a set of criteria made up of operators and attributes. Operators (relationship, limit, include, sort) are passed positionally and must come before the keyword field filters, as Python requires.
- Parameters:
args (tuple) – Operators of relationship|limit|include|sort
kwargs (dict) – Fields and values to search on
- Returns:
A BaseResourceObject object
- Return type:
- Examples:
>>> # field filter
>>> for inv in xc.investigations.search(customer_id=CUSTOMER_GUID):
...     print(inv.title)
>>> # operator field filter
>>> for inv in xc.investigations.search(customer_id=CUSTOMER_GUID, created_at=gt("2020-01-01")):
...     print(inv.title)
>>> # relationship field filter (the positional operator precedes the keyword filter)
>>> for inv in xc.investigations.search(relationship("investigative_actions.created_at", gt("2020-01-01")), customer_id=CUSTOMER_GUID):
...     print(inv.title)
- class pyexclient.workbench.CommentHistories(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io comment_history records
Resource type name is comment_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- action (any): Comment history action. Restricted to: “CREATED”, “UPDATED”, “DELETED”. Allows: null
- created_at (string): Created timestamp [readonly]
- value (object): Comment history details. Allows: null [no-sort]
Relationships (field name: related resource):
- comment: Defines/retrieves expel.io comment records
- created_by: Defines/retrieves expel.io actor records
- investigation: Investigations
- class pyexclient.workbench.Comments(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io comment records
Resource type name is comments.
Example JSON record:
{'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- comment (string): Comment [markdown]
- created_at (string): Created timestamp [readonly]
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- comment_histories: Defines/retrieves expel.io comment_history records
- created_by: Defines/retrieves expel.io actor records
- investigation: Investigations
- organization: Defines/retrieves expel.io organization records
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.Configurations(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io configuration records
Resource type name is configurations.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'default_value': 'object', 'description': 'string', 'is_override': True, 'key': 'string', 'metadata': {}, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'validation': {}, 'value': 'object', 'visibility': 'EXPEL', 'write_permission_level': 'EXPEL'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- default_value (any): Default configuration value. Allows: null [readonly, no-sort]
- description (string): Description of configuration value. Allows: “”, null [readonly, markdown]
- is_override (boolean): Configuration value is an override [readonly]
- key (string): Configuration key [readonly]
- metadata (object): Configuration metadata. Allows: null [readonly, no-sort]
- title (string): Title of configuration value. Allows: “”, null [readonly]
- updated_at (string): Last Updated timestamp [readonly]
- validation (object): Configuration value validation. Allows: null [readonly, no-sort]
- value (any): Configuration value. Allows: null [no-sort]
- visibility (any): Configuration visibility. Restricted to: “EXPEL”, “ORGANIZATION”, “SYSTEM”
- write_permission_level (any): Write permission required. Restricted to: “EXPEL”, “ORGANIZATION”, “SYSTEM”
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- organization: Defines/retrieves expel.io organization records
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextCategories(data, conn, included=None)
Bases: ResourceInstance
Groups for organizing context variables outside of any specific use case
Resource type name is context_categories.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'image': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- description (string): A description for this context category. Allows: null
- image (string): Filename for the image used in the context category card in Workbench [immutable]
- name (string): Unique name of this context category
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- context_variables: Reusable strongly typed context variables which can be referenced by other features
- created_by: Defines/retrieves expel.io actor records
- organization: Defines/retrieves expel.io organization records
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextCategoryDefaults(data, conn, included=None)
Bases: ResourceInstance
A set of global seed categories which will be added for each new organization
Resource type name is context_category_defaults.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'image': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- description (string): A description for this context category. Allows: null
- image (string): Filename for the image used in the context category card in Workbench
- name (string): Unique name of this context category
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextLabelActionHistories(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io context_label_action_history records
Resource type name is context_label_action_histories.
Example JSON record:
{'action': 'CREATED', 'action_type': 'ALERT_ON', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- action (any): Context label action history. Restricted to: “CREATED”, “UPDATED”, “DELETED”. Allows: null
- action_type (any): Action type of source parent remediation action. Restricted to: “ALERT_ON”, “ADD_TO”, “SUPPRESS”
- created_at (string): Created timestamp [readonly]
- value (object): Context label action history details (contains important fields that changed). Allows: null [no-sort]
Relationships (field name: related resource):
- context_label: Defines/retrieves expel.io context_label records
- context_label_action: Defines/retrieves expel.io context_label_action records
- created_by: Defines/retrieves expel.io actor records
- investigation: Investigations
- class pyexclient.workbench.ContextLabelActions(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io context_label_action records
Resource type name is context_label_actions.
Example JSON record:
{'action_type': 'ALERT_ON', 'created_at': '2019-01-15T15:35:00-05:00', 'expel_severity_threshold': 'CRITICAL', 'expel_signature_id': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- action_type (any): What action to take. Restricted to: “ALERT_ON”, “ADD_TO”, “SUPPRESS”
- created_at (string): Created timestamp [readonly]
- expel_severity_threshold (any): Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING”. Allows: null
- expel_signature_id (string): Expel alert signature. Allows: “”, null
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- context_label: Defines/retrieves expel.io context_label records
- context_label_action_histories: Defines/retrieves expel.io context_label_action_history records
- created_by: Defines/retrieves expel.io actor records
- investigation: Investigations
- timeline_entries: Timeline Entries
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextLabelHistories(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io context_label_history records
Resource type name is context_label_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- action (any): Context label history action. Restricted to: “CREATED”, “UPDATED”, “DELETED”, “ASSIGNED_TAG_CREATED”, “ASSIGNED_TAG_DELETED”. Allows: null
- created_at (string): Created timestamp [readonly]
- value (object): Context label history details (contains important fields that changed). Allows: null [no-sort]
Relationships (field name: related resource):
- context_label: Defines/retrieves expel.io context_label records
- created_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextLabelTags(data, conn, included=None)
Bases: ResourceInstance
Resource type name is context_label_tags.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'metadata': {}, 'tag': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- description (string): Description. Allows: null, “”
- metadata (object): Metadata about the context label tag. Allows: null [no-sort]
- tag (string): Tag
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- context_labels: Defines/retrieves expel.io context_label records
- created_by: Defines/retrieves expel.io actor records
- organization: Defines/retrieves expel.io organization records
- remediation_action_assets: Remediation action assets
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextLabels(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io context_label records
Resource type name is context_labels.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'definition': {}, 'description': 'string', 'ends_at': '2019-01-15T15:35:00-05:00', 'initial_edit_at': '2019-01-15T15:35:00-05:00', 'metadata': {}, 'resolved_definition': {}, 'review_status': 'APPROVED', 'starts_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- definition (object): Definition [no-sort]
- description (string): Description. Allows: null, “”
- ends_at (string): Date/Time of when the context_label should end being tested. Allows: null
- initial_edit_at (string): Date/Time of when the drawer was first opened to create the context label. Allows: null
- metadata (object): Metadata about the context label. Allows: null [no-sort]
- resolved_definition (object): Definition where all variables are replaced with their current values. Allows: null [readonly, no-sort]
- review_status (any): Current status of the review process. Restricted to: “APPROVED”, “REVIEW_REQUESTED”, “CHANGES_REQUESTED”, “DECLINED”. Allows: null
- starts_at (string): Date/Time of when the context_label should start being tested
- title (string): Title. Allows: null, “”
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- add_to_actions: Defines/retrieves expel.io context_label_action records
- alert_on_actions: Defines/retrieves expel.io context_label_action records
- approval_histories: Defines/retrieves expel.io context_label_history records
- context_label_action_histories: Defines/retrieves expel.io context_label_action_history records
- context_label_actions: Defines/retrieves expel.io context_label_action records
- context_label_histories: Defines/retrieves expel.io context_label_history records
- context_label_tags: Defines/retrieves expel.io context_label_tag records
- context_variables: Reusable strongly typed context variables which can be referenced by other features
- created_by: Defines/retrieves expel.io actor records
- expel_alerts: Expel alerts
- investigations: Investigations
- organization: Defines/retrieves expel.io organization records
- originating_expel_alerts: Expel alerts
- remediation_action_setting_list_source_histories: Defines/retrieves expel.io remediation_action_setting_list_source_history records
- remediation_action_setting_list_sources: Defines/retrieves expel.io remediation_action_setting_list_source records
- remediation_action_settings: Defines/retrieves expel.io remediation_action_setting records
- suppress_actions: Defines/retrieves expel.io context_label_action records
- timeline_entries: Timeline Entries
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.ContextVariableHistories(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io context_variable_history records
Resource type name is context_variable_histories.
Example JSON record:
{'action': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- action (string): Context variable history action. Restricted to: “CREATED”, “UPDATED”, “DELETED”
- created_at (string): Created timestamp [readonly]
- value (object): Context variable history details. Allows: null [no-sort]
Relationships (field name: related resource):
- context_variable: Reusable strongly typed context variables which can be referenced by other features
- created_by: Defines/retrieves expel.io actor records
- organization: Defines/retrieves expel.io organization records
- class pyexclient.workbench.ContextVariables(data, conn, included=None)
Bases: ResourceInstance
Reusable strongly typed context variables which can be referenced by other features
Resource type name is context_variables.
Example JSON record:
{'context_type': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'is_array': True, 'name': 'string', 'surface_context': True, 'updated_at': '2019-01-15T15:35:00-05:00', 'value': 'object', 'value_type': 'cidr_block'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- context_type (string): One of a few common types for context variables or other. Restricted to: “cidr_block”, “domain”, “email_address”, “file_hash”, “hostname”, “ip_address”, “other”, “port”, “url”, “username” [immutable]
- created_at (string): Created timestamp [readonly]
- description (string): Optional description of this context variable. Allows: null
- is_array (boolean): Whether or not the value of this context variable is an array [immutable]
- name (string): Name of this context variable
- surface_context (boolean): Whether or not to surface this context variable in Workbench
- updated_at (string): Last Updated timestamp [readonly]
- value (any): Value of this context variable [allowStringOperators, no-sort]
- value_type (any): Value type of this context variable. Restricted to: “cidr_block”, “integer”, “ip_address”, “regex”, “string” [immutable]
Relationships (field name: related resource):
- context_categories: Groups for organizing context variables outside of any specific use case
- context_labels: Defines/retrieves expel.io context_label records
- context_variable_histories: Defines/retrieves expel.io context_variable_history records
- created_by: Defines/retrieves expel.io actor records
- note_histories: Historical event log for each note model
- notes: A model for tying a message to a specific context variable or term for a specified period of time
- organization: Defines/retrieves expel.io organization records
- updated_by: Defines/retrieves expel.io actor records
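Context variables are referenced by context labels, and a label with a SUPPRESS action silences whatever its variables match, so a malformed or over-broad value (a CIDR with host bits set, a 0.0.0.0/0 block, an unanchored catch-all regex) is a tuning mistake with security consequences. The value_type enumeration above (cidr_block, integer, ip_address, regex, string) and is_array are enough to validate values client-side before you save them. The following is an added example, not pyexclient's own validation: it checks a context_variables attribute dict element-wise against its declared value_type and reports the offending index. The sample variables and the list of catch-all patterns it rejects are this example's assumptions.

```python
import ipaddress
import re

VALUE_TYPES = ("cidr_block", "integer", "ip_address", "regex", "string")
CATCH_ALL_PATTERNS = ("", ".*", ".+", "^.*$")  # assumed list of patterns that match anything


def _check_scalar(value, value_type):
    """Raise ValueError if `value` is not a well-formed, safely scoped `value_type`."""
    if value_type in ("cidr_block", "ip_address", "regex", "string") and not isinstance(value, str):
        raise ValueError(f"{value!r} is not a string")
    if value_type == "cidr_block":
        # strict=True rejects host bits set ("10.30.5.1/24"), which usually means a typo
        net = ipaddress.ip_network(value, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{value} covers every address")
    elif value_type == "ip_address":
        ipaddress.ip_address(value)
    elif value_type == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{value!r} is not an integer")
    elif value_type == "regex":
        try:
            re.compile(value)
        except re.error as exc:
            raise ValueError(f"invalid regex: {exc}") from None
        if value in CATCH_ALL_PATTERNS:
            raise ValueError("regex matches everything")
    elif value_type == "string":
        if value == "":
            raise ValueError("empty string")
    else:
        raise ValueError(f"unknown value_type {value_type!r}")


def validate_context_variable(attrs):
    """Return a list of problems (empty when the variable is acceptable).

    attrs: a context_variables attribute dict (name, value, value_type, is_array).
    Array variables are checked element-wise so the offending index is reported.
    """
    name, value = attrs.get("name"), attrs.get("value")
    value_type, is_array = attrs.get("value_type"), bool(attrs.get("is_array"))
    if is_array and not isinstance(value, list):
        return [f"{name}: is_array is set but value is {type(value).__name__}"]
    if not is_array and isinstance(value, list):
        return [f"{name}: value is a list but is_array is not set"]
    problems = []
    for i, item in enumerate(value if is_array else [value]):
        try:
            _check_scalar(item, value_type)
        except ValueError as exc:
            problems.append(f"{name}[{i}]: {exc}")
    return problems


# Constructed sample variables (names and values are invented for this example).
SAMPLE_VARIABLES = [
    {"name": "corp_vpn_ranges", "value_type": "cidr_block", "is_array": True,
     "value": ["10.20.0.0/16", "10.30.5.1/24", "0.0.0.0/0"]},
    {"name": "scanner_ip", "value_type": "ip_address", "is_array": False,
     "value": "192.0.2.10"},
    {"name": "admin_tool_paths", "value_type": "regex", "is_array": False,
     "value": "(unclosed"},
]

if __name__ == "__main__":
    for v in SAMPLE_VARIABLES:
        print(v["name"], validate_context_variable(v) or "ok")
```

Since value_type and is_array are documented as immutable, run this before the first save: a variable created with the wrong type cannot be corrected in place and has to be recreated.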
- class pyexclient.workbench.Detections(data, conn, included=None)
Bases: ResourceInstance
How we determine security-relevant data for analyst review
Resource type name is detections.
Example JSON record:
{'author_type': 'string', 'configuration_slugs': [], 'created_at': '2019-01-15T15:35:00-05:00', 'customer_context_tags': [], 'description': 'string', 'engine': 'string', 'logic_blob': 'string', 'name': 'string', 'priority': 100, 'severity': 'string', 'status': 'string', 'supported_tech': [], 'tags': [], 'test_blob': 'string', 'unique_on': [], 'unique_within': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- author_type (string): The author of this detection. Allows: “”, null
- configuration_slugs (array): A list of configuration tags used in the logic of this detection [no-filter, no-sort]
- created_at (string): The time this detection was created. Allows: null
- customer_context_tags (array): A list of customer context tags used in the logic of this detection [no-filter, no-sort]
- description (string): What this detection is looking for. Allows: “”, null
- engine (string): The parent detection engine. Allows: “”, null
- logic_blob (string): A JSON formatted blob of Josie detection logic. Allows: “”, null
- name (string): The name of the detection. Allows: “”, null
- priority (number): The order in which Josie applies this detection to security alerts, 0 being a higher priority. Allows: null
- severity (string): The potential impact of detected incidents. Allows: “”, null
- status (string): The production status of this detection. Allows: “”, null
- supported_tech (array): The technology that this detection supports
- tags (array): A list of tags which may affect upstream behavior [no-filter, no-sort]
- test_blob (string): A JSON formatted list of conditions (vendor alerts) that trigger this detection, in turn creating an Expel alert. Allows: “”, null
- unique_on (array): A list of Josie expressions that make this alert unique [no-filter, no-sort]
- unique_within (string): The time period in which this alert is unique. Allows: “”, null
- updated_at (string): The last time this detection was updated. Allows: null
Relationships (field name: related resource):
- expel_alert_categories: Detection categories
- expel_response_categories: Detection categories
- expel_triage_categories: Detection categories
- mitre_tactics: Mitre Tactics
- organizations: Defines/retrieves expel.io organization records
- class pyexclient.workbench.Digests(data, conn, included=None)
Bases: ResourceInstance
Digests
Resource type name is digests.
Example JSON record:
{'email': 'name@company.com', 'schedule': 'string'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- email (string): Email of the user, overwritten by the API during creation. Allows: null, “”
- schedule (string): Missing Description
Relationships (field name: related resource):
- organization: Defines/retrieves expel.io organization records
- user_account: User accounts
- class pyexclient.workbench.EngagementManagers(data, conn, included=None)
Bases: ResourceInstance
Defines/retrieves expel.io engagement_manager records
Resource type name is engagement_managers.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'display_name': 'string', 'email': 'name@company.com', 'pagerduty_id': 'string', 'phone_number': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- created_at (string): Created timestamp [readonly]
- display_name (string): Display name. Allows: “”, null
- email (string): Email. Allows: null
- pagerduty_id (string): Pagerduty ID. Allows: null
- phone_number (string): Phone number. Allows: null
- updated_at (string): Last Updated timestamp [readonly]
Relationships (field name: related resource):
- created_by: Defines/retrieves expel.io actor records
- organizations: Defines/retrieves expel.io organization records
- updated_by: Defines/retrieves expel.io actor records
- class pyexclient.workbench.Entitlements(data, conn, included=None)
Bases: ResourceInstance
path to entitlements service
Resource type name is entitlements.
Example JSON record:
{'entitlement': {'enabled_plugin_slugs': [], 'investigative_tech_enabled_plugin_slugs': [], 'organization_id': 'string', 'service_offerings': [], 'service_offerings_for_hunting': [], 'service_types': []}, 'skus': []}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- entitlement (object): Allows: null [readonly]
- skus (array): Missing Description
Relationships (field name: related resource):
- organization: Defines/retrieves expel.io organization records
- class pyexclient.workbench.ExpelAlertHistories(data, conn, included=None)
Bases: ResourceInstance
Expel alert histories
Resource type name is expel_alert_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
Attributes (field name (type): description; flags in brackets):
- action (any): Expel alert history action. Restricted to: “CREATED”, “ASSIGNED”, “STATUS_CHANGED”, “INVESTIGATING”, “TUNING_CHANGED”, “DELETED”, “VIEWED”, “RAPID_TRIAGE_PRIORITY_CHANGED”. Allows: null
- created_at (string): Created timestamp [readonly]
- value (object): Expel alert history details. Allows: null [no-sort]
Relationships (field name: related resource):
- assigned_to_actor: Defines/retrieves expel.io actor records
- created_by: Defines/retrieves expel.io actor records
- expel_alert: Expel alerts
- investigation: Investigations
- organization: Defines/retrieves expel.io organization records
- class pyexclient.workbench.ExpelAlertThresholdHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io expel_alert_threshold_history records
Resource type name is expel_alert_threshold_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Expel alert threshold history action Restricted to: “CREATED”, “BREACHED”, “ACKNOWLEDGED”, “RECOVERED”, “DELETED” | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Expel alert threshold history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io expel_alert_threshold records | expel_alert_threshold | | N | Y |
- class pyexclient.workbench.ExpelAlertThresholds(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io expel_alert_threshold records
Resource type name is expel_alert_thresholds.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'name': 'string', 'threshold': 100, 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Name | name | string | Y | N |
| Threshold value | threshold | number | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io expel_alert_threshold_history records | expel_alert_threshold_histories | | N | Y |
| Defines/retrieves expel.io expel_alert_threshold records | suppressed_by | | N | Y |
| Defines/retrieves expel.io expel_alert_threshold records | suppresses | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.ExpelAlerts(data, conn, included=None)[source]
Bases:
ResourceInstance
Expel alerts
Resource type name is expel_alerts.
Example JSON record:
{ 'activity_first_at': '2019-01-15T15:35:00-05:00', 'activity_last_at': '2019-01-15T15:35:00-05:00', 'alert_type': 'ENDPOINT', 'close_comment': 'string', 'close_reason': 'FALSE_POSITIVE', 'created_at': '2019-01-15T15:35:00-05:00', 'cust_disp_alerts_in_critical_incidents_count': 100, 'cust_disp_alerts_in_incidents_count': 100, 'cust_disp_alerts_in_investigations_count': 100, 'cust_disp_closed_alerts_count': 100, 'cust_disp_disposed_alerts_count': 100, 'disposition_alerts_in_critical_incidents_count': 100, 'disposition_alerts_in_incidents_count': 100, 'disposition_alerts_in_investigations_count': 100, 'disposition_closed_alerts_count': 100, 'disposition_disposed_alerts_count': 100, 'expel_alert_time': '2019-01-15T15:35:00-05:00', 'expel_alias_name': 'string', 'expel_message': 'string', 'expel_name': 'string', 'expel_severity': 'CRITICAL', 'expel_signature_id': 'string', 'expel_version': 'string', 'git_rule_url': 'https://company.com/', 'investigative_action_count': 100, 'is_auto_add': True, 'is_viewed_by_assignable_expel_user': True, 'rapid_triage_priority': 'string', 'ref_event_id': 'string', 'status': 'string', 'status_updated_at': '2019-01-15T15:35:00-05:00', 'tuning_requested': True, 'updated_at': '2019-01-15T15:35:00-05:00', 'vendor_alert_count': 100, 'vendor_disp_alerts_in_critical_incidents_count': 100, 'vendor_disp_alerts_in_incidents_count': 100, 'vendor_disp_alerts_in_investigations_count': 100, 'vendor_disp_closed_alerts_count': 100, 'vendor_disp_disposed_alerts_count': 100}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: null: readonly, no-sort, no-filter | activity_first_at | string | Y | N |
| Allows: null: readonly, no-sort, no-filter | activity_last_at | string | Y | N |
| Expel alert type Restricted to: “ENDPOINT”, “NETWORK”, “SIEM”, “RULE_ENGINE”, “EXTERNAL”, “OTHER”, “CLOUD”, “PHISHING_SUBMISSION”, “PHISHING_SUBMISSION_SIMILAR” Allows: null | alert_type | any | Y | N |
| Expel alert close comment Allows: “”, null | close_comment | string | Y | N |
| Expel alert close reason Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “OTHER”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “INCONCLUSIVE”, “SUPPRESSED”, “PHISHING_SIMULATION”, “SUPPRESSED_NEW_DEVICE”, “SUPPRESSED_THRESHOLD_EXCEEDED” Allows: null | close_reason | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Allows: null | cust_disp_alerts_in_critical_incidents_count | number | Y | N |
| Allows: null | cust_disp_alerts_in_incidents_count | number | Y | N |
| Allows: null | cust_disp_alerts_in_investigations_count | number | Y | N |
| Allows: null | cust_disp_closed_alerts_count | number | Y | N |
| Allows: null | cust_disp_disposed_alerts_count | number | Y | N |
| Allows: null | disposition_alerts_in_critical_incidents_count | number | Y | N |
| Allows: null | disposition_alerts_in_incidents_count | number | Y | N |
| Allows: null | disposition_alerts_in_investigations_count | number | Y | N |
| Allows: null | disposition_closed_alerts_count | number | Y | N |
| Allows: null | disposition_disposed_alerts_count | number | Y | N |
| Expel Alert Time first seen time: immutable | expel_alert_time | string | Y | N |
| Expel alert alias Allows: “”, null | expel_alias_name | string | Y | N |
| Expel alert message Allows: “”, null | expel_message | string | Y | N |
| Expel alert name Allows: “”, null | expel_name | string | Y | N |
| Expel alert severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” | expel_severity | any | Y | N |
| Expel alert signature Allows: “”, null | expel_signature_id | string | Y | N |
| Expel alert version Allows: “”, null | expel_version | string | Y | N |
| URL to rule definition for alert Allows: “”, null | git_rule_url | string | Y | N |
| Allows: null: readonly, no-sort, no-filter | investigative_action_count | number | Y | N |
| Was this expel_alert added to an investigation by one of the robots (i.e. an automated process)?: readonly | is_auto_add | boolean | Y | N |
| Was this expel_alert viewed by an expel assignable user at least once?: readonly | is_viewed_by_assignable_expel_user | boolean | Y | N |
| Expel alert rapid triage priority Restricted to: “UNKNOWN”, “HIGH”, “LOW” | rapid_triage_priority | string | Y | N |
| Referring event id Allows: null | ref_event_id | string | Y | N |
| Expel alert status Restricted to: “OPEN”, “IN_PROGRESS”, “CLOSED” Allows: null | status | string | Y | N |
| Status Updated At Allows: null: readonly | status_updated_at | string | Y | N |
| Tuning requested | tuning_requested | boolean | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Allows: null: readonly, no-sort, no-filter | vendor_alert_count | number | Y | N |
| Allows: null | vendor_disp_alerts_in_critical_incidents_count | number | Y | N |
| Allows: null | vendor_disp_alerts_in_incidents_count | number | Y | N |
| Allows: null | vendor_disp_alerts_in_investigations_count | number | Y | N |
| Allows: null | vendor_disp_closed_alerts_count | number | Y | N |
| Allows: null | vendor_disp_disposed_alerts_count | number | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | close_comment_last_updated_by | | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| IP addresses | destination_ip_addresses | | N | Y |
| Vendor alert evidences are extracted from a vendor alert’s evidence summary | evidence | | N | Y |
| Expel alert histories | expel_alert_assignable_expel_user_view_histories | | N | Y |
| Expel alert histories | expel_alert_histories | | N | Y |
| Expel alert histories | expel_alert_rapid_triage_priority_histories | | N | Y |
| Expel alert histories | expel_alert_view_histories | | N | Y |
| Investigations | investigation | | N | Y |
| Investigative action histories | investigative_action_histories | | N | Y |
| Investigative actions | investigative_actions | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io context_label records | originated_context_labels | | N | Y |
| Phishing submissions | phishing_submissions | | N | Y |
| Investigations | related_investigations | | N | Y |
| Investigations | related_investigations_via_involved_host_ips | | N | Y |
| Expel alerts | similar_alerts | | N | Y |
| IP addresses | source_ip_addresses | | N | Y |
| Defines/retrieves expel.io actor records | status_last_updated_by | | N | Y |
| Defines/retrieves expel.io suggestions | suggestions | | N | Y |
| Expel alert histories | suppression_histories | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Defines/retrieves expel.io user task records | user_tasks | | N | Y |
| Vendors | vendor | | N | Y |
| Vendor alerts | vendor_alerts | | N | Y |
- class pyexclient.workbench.ExpelDetectionCategories(data, conn, included=None)[source]
Bases:
ResourceInstance
Detection categories
Resource type name is expel_detection_categories.
Example JSON record:
{'category_type': 'string', 'customer_context_tags': [], 'description': 'string', 'investigative_questions': [], 'name': 'string', 'number_of_detections': 100}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Which part of the detection & response process this category takes effect in Allows: “”, null: no-sort | category_type | string | Y | N |
| Customer context tags used in this category’s detections | customer_context_tags | array | Y | N |
| The category description Allows: “”, null | description | string | Y | N |
| The questions analysts ask when responding to Expel alerts | investigative_questions | array | Y | N |
| The name of the category Allows: “”, null | name | string | Y | N |
| The number of detections in this category, based on the plugin_slugs filter | number_of_detections | number | Y | N |
- class pyexclient.workbench.Files(data, conn, included=None)[source]
Bases:
FilesResourceInstance
File
Resource type name is files.
Example JSON record:
{ 'created_at': '2019-01-15T15:35:00-05:00', 'expel_file_type': 'string', 'file_meta': {'investigative_action': {'file_type': 'string'}, 'rich_result': {}}, 'filename': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Expel file type Allows: null, “” | expel_file_type | string | Y | N |
| Metadata about the file Allows: null: no-sort | file_meta | object | Y | N |
| Filename | filename | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigations | | N | Y |
| Investigative actions | investigative_actions | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Phishing submissions | phishing_submission | | N | Y |
| Phishing submission attachments | phishing_submission_attachment | | N | Y |
| Investigative actions | result_investigative_actions | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.FilesResourceInstance(data, conn, included=None)[source]
Bases:
ResourceInstance
- download(fd, fmt='json')[source]
Download data from an investigative action. This can only be called on InvestigativeAction or Files objects.
- Parameters:
fd (File bytes object) – Buffer to write the response to.
fmt (str) – The format to request the data be returned in.
- Examples:
>>> import json
>>> import pprint
>>> import tempfile
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> with xc.investigative_actions.get(id=inv_act_id) as ia:
...     # Download into a temporary file, then close it so the bytes are
...     # flushed to disk before the file is reopened for reading.
...     tmp = tempfile.NamedTemporaryFile(delete=False)
...     ia.download(tmp)
...     tmp.close()
...     with open(tmp.name, 'r') as fd:
...         pprint.pprint(json.loads(fd.read()))
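The pattern above writes a result into a file and reads it back; the two things that go wrong in practice are reading before the buffer is flushed and parsing an arbitrarily large or empty response without checking it. The helper below is an added example, not pyexclient code: `fetch_result_json` works with any object that exposes `download(fd, fmt=...)` as documented above, `FakeInvestigativeAction` is a constructed stand-in so the example runs offline, and `MAX_RESULT_BYTES` is an assumed cap.

```python
"""Added example: read an investigative-action result defensively.

Not pyexclient code. `FakeInvestigativeAction` and `MAX_RESULT_BYTES` are
constructed for this example; only the download(fd, fmt=...) signature
follows the documented method.
"""
import json
import tempfile
from typing import Any, Dict

# Assumed cap on a single result; a runaway result should fail, not fill /tmp.
MAX_RESULT_BYTES = 50 * 1024 * 1024


class FakeInvestigativeAction:
    """Constructed stand-in that writes a canned payload instead of calling Workbench."""

    def __init__(self, payload: bytes) -> None:
        self._payload = payload

    def download(self, fd, fmt: str = "json") -> None:
        # Mirrors the documented signature: write the response bytes into fd.
        fd.write(self._payload)


def fetch_result_json(action: Any, fmt: str = "json") -> Dict[str, Any]:
    """Download into an anonymous temp file, flush, rewind, size-check, then parse.

    Using a TemporaryFile avoids leaving result data on disk, and seeking back
    to 0 on the same handle avoids the reopen-before-flush mistake.
    """
    with tempfile.TemporaryFile() as fd:
        action.download(fd, fmt=fmt)
        fd.flush()
        size = fd.tell()          # bytes written so far
        if size > MAX_RESULT_BYTES:
            raise ValueError(f"result of {size} bytes exceeds cap of {MAX_RESULT_BYTES}")
        fd.seek(0)
        raw = fd.read()
    if not raw:
        raise ValueError("download produced no data")
    return json.loads(raw.decode("utf-8"))


if __name__ == "__main__":
    # Constructed payload in the shape of a small JSON result.
    sample = FakeInvestigativeAction(b'{"results": [{"host": "host-1", "hits": 3}]}')
    print(json.dumps(fetch_result_json(sample), indent=2))
```

Swap `FakeInvestigativeAction` for the `ia` object from `xc.investigative_actions.get(...)` and the helper works unchanged.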
- class pyexclient.workbench.Findings(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io finding records
Resource type name is findings.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'rank': 100, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Seed Rank | rank | number | Y | N |
| Title Allows: “”, null | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.Integrations(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io integration records
Resource type name is integrations.
Example JSON record:
{ 'account': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'integration_meta': {}, 'integration_type': 'pagerduty', 'last_tested_at': '2019-01-15T15:35:00-05:00', 'service_name': 'string', 'status': 'UNTESTED', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Service account identifier | account | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Needed information for integration type Allows: null: allowStringOperators, no-sort | integration_meta | object | Y | N |
| Type of integration Restricted to: “pagerduty”, “slack”, “ticketing”, “service_now”, “teams”, “ops_genie”, “o365_reporting”, “palo_alto_networks_cxdr”, “webhook”: immutable | integration_type | any | Y | N |
| Last Successful Test Allows: null: readonly | last_tested_at | string | Y | N |
| Service display name | service_name | string | Y | N |
| Integration status Restricted to: “UNTESTED”, “TEST_SUCCESS”, “TEST_FAIL”: readonly | status | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Organization secrets. Note - these requests must be in the format of /secrets/security_device-<guid> | secret | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.InvestigationFindingHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io investigation_finding_history records
Resource type name is investigation_finding_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Investigation finding history action Restricted to: “CREATED”, “CHANGED”, “DELETED” Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Investigation finding history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Investigation findings | investigation_finding | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.InvestigationFindings(data, conn, included=None)[source]
Bases:
ResourceInstance
Investigation findings
Resource type name is investigation_findings.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'finding': 'string', 'rank': 100, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Finding Allows: “”, null: markdown | finding | string | Y | N |
| Visualization Rank | rank | number | Y | N |
| Title Allows: “”, null | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Defines/retrieves expel.io investigation_finding_history records | investigation_finding_histories | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.InvestigationHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Investigation histories
Resource type name is investigation_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'is_incident': True, 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Investigation history action Restricted to: “CREATED”, “ASSIGNED”, “CHANGED”, “CLOSED”, “SUMMARY”, “REOPENED”, “PUBLISHED” Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Is Incident | is_incident | boolean | Y | N |
| Investigation history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
- class pyexclient.workbench.InvestigationResilienceActionHints(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io investigation_organization_resilience_action_hint records
Resource type name is investigation_resilience_action_hints.
Example JSON record:
{}
Below are valid filter by parameters:
- class pyexclient.workbench.InvestigationResilienceActions(data, conn, included=None)[source]
Bases:
ResourceInstance
Investigation to resilience actions
Resource type name is investigation_resilience_actions.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Organization to resilience actions | organization_resilience_action | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.Investigations(data, conn, included=None)[source]
Bases:
ResourceInstance
Investigations
Resource type name is investigations.
Example JSON record:
{ 'analyst_severity': 'CRITICAL', 'attack_lifecycle': 'INITIAL_RECON', 'attack_timing': 'HISTORICAL', 'attack_vector': 'DRIVE_BY', 'close_comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'critical_comment': 'string', 'decision': 'FALSE_POSITIVE', 'deleted_at': '2019-01-15T15:35:00-05:00', 'detection_type': 'UNKNOWN', 'has_hunting_status': True, 'initial_attack_vector': 'string', 'is_downgrade': True, 'is_incident': True, 'is_incident_status_updated_at': '2019-01-15T15:35:00-05:00', 'is_soc_support_required': True, 'is_surge': True, 'last_published_at': '2019-01-15T15:35:00-05:00', 'last_published_value': 'string', 'lead_description': 'string', 'malware_family': 'string', 'next_steps': 'string', 'open_reason': 'ACCESS_KEYS', 'open_summary': 'string', 'review_requested_at': '2019-01-15T15:35:00-05:00', 'short_link': 'string', 'source_reason': 'HUNTING', 'status_updated_at': '2019-01-15T15:35:00-05:00', 'threat_type': 'TARGETED', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Analyst Severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “INFO” Allows: null | analyst_severity | any | Y | N |
| Attack Lifecycle Restricted to: “INITIAL_RECON”, “DELIVERY”, “EXPLOITATION”, “INSTALLATION”, “COMMAND_CONTROL”, “LATERAL_MOVEMENT”, “ACTION_TARGETS”, “UNKNOWN” Allows: null | attack_lifecycle | any | Y | N |
| Attack Timing Restricted to: “HISTORICAL”, “PRESENT” Allows: null | attack_timing | any | Y | N |
| Attack Vector Restricted to: “DRIVE_BY”, “PHISHING”, “PHISHING_LINK”, “PHISHING_ATTACHMENT”, “REV_MEDIA”, “SPEAR_PHISHING”, “SPEAR_PHISHING_LINK”, “SPEAR_PHISHING_ATTACHMENT”, “STRAG_WEB_COMP”, “SERVER_SIDE_VULN”, “CRED_THEFT”, “MISCONFIG”, “UNKNOWN” Allows: null | attack_vector | any | Y | N |
| Close Comment Allows: “”, null: markdown | close_comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Critical Comment Allows: “”, null | critical_comment | string | Y | N |
| Decision Restricted to: “FALSE_POSITIVE”, “TRUE_POSITIVE”, “CLOSED”, “OTHER”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “TESTING”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “INCONCLUSIVE”, “PHISHING_SIMULATION” Allows: null | decision | any | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Detection Type Restricted to: “UNKNOWN”, “ENDPOINT”, “SIEM”, “NETWORK”, “EXPEL”, “HUNTING”, “CLOUD”, “PHISHING” Allows: null | detection_type | any | Y | N |
| Meta: readonly, no-sort, no-filter | has_hunting_status | boolean | Y | N |
| Initial attack vector Allows: “”, null | initial_attack_vector | string | Y | N |
| Is downgrade | is_downgrade | boolean | Y | N |
| Is Incident | is_incident | boolean | Y | N |
| Incident Status timestamp Allows: null: readonly | is_incident_status_updated_at | string | Y | N |
| Is Expel SOC support required for this investigation?: immutable | is_soc_support_required | boolean | Y | N |
| Is surge | is_surge | boolean | Y | N |
| Last Published At Allows: null | last_published_at | string | Y | N |
| Last Published Value Allows: “”, null | last_published_value | string | Y | N |
| Lead Description Allows: null: markdown | lead_description | string | Y | N |
| Malware family Allows: “”, null | malware_family | string | Y | N |
| Recommended next steps for starting this investigation or handling this incident Allows: “”, null | next_steps | string | Y | N |
| Open Reason Restricted to: “ACCESS_KEYS”, “EC2”, “S3_BUCKETS”, “OTHER” Allows: null | open_reason | any | Y | N |
| Reason the investigation/incident was opened Allows: “”, null | open_summary | string | Y | N |
| Review Requested At Allows: null | review_requested_at | string | Y | N |
| Investigation short link: readonly | short_link | string | Y | N |
| Source Reason Restricted to: “HUNTING”, “ORGANIZATION_REPORTED”, “DISCOVERY”, “PHISHING”, “SURRE”, “VULNERABILITY” Allows: null | source_reason | any | Y | N |
| Status Updated At Allows: null: readonly | status_updated_at | string | Y | N |
| Threat Type Restricted to: “TARGETED”, “TARGETED_APT”, “TARGETED_RANSOMWARE”, “BUSINESS_EMAIL_COMPROMISE”, “NON_TARGETED”, “NON_TARGETED_MALWARE”, “POLICY_VIOLATION”, “UNKNOWN”, “RED_TEAM” Allows: null | threat_type | any | Y | N |
| Title Allows: “”, null | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io comment_history records | comment_histories | | N | Y |
| Defines/retrieves expel.io comment records | comments | | N | Y |
| Defines/retrieves expel.io context_label_action_history records | context_label_action_histories | | N | Y |
| Defines/retrieves expel.io context_label_action records | context_label_actions | | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| IP addresses | destination_ip_addresses | | N | Y |
| Vendor alert evidences are extracted from a vendor alert’s evidence summary | evidence | | N | Y |
| Expel alert histories | expel_alert_histories | | N | Y |
| Expel alerts | expel_alerts | | N | Y |
| File | files | | N | Y |
| Defines/retrieves expel.io finding records | findings | | N | Y |
| Defines/retrieves expel.io investigation_finding_history records | investigation_finding_histories | | N | Y |
| Investigation histories | investigation_histories | | N | Y |
| Investigation to resilience actions | investigation_resilience_actions | | N | Y |
| Investigative action histories | investigative_action_histories | | N | Y |
| Investigative actions | investigative_actions | | N | Y |
| IP addresses | ip_addresses | | N | Y |
| Defines/retrieves expel.io actor records | last_published_by | | N | Y |
| Expel alerts | lead_expel_alert | | N | Y |
| Investigative actions | most_recent_investigative_action | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Organization to resilience actions | organization_resilience_action_hints | | N | Y |
| Organization to resilience actions | organization_resilience_actions | | N | Y |
| Investigations | related_investigations_via_involved_host_ips | | N | Y |
| Remediation action asset histories | remediation_action_asset_histories | | N | Y |
| Remediation action assets | remediation_action_assets | | N | Y |
| Remediation action histories | remediation_action_histories | | N | Y |
| Remediation actions | remediation_actions | | N | Y |
| Defines/retrieves expel.io actor records | review_requested_by | | N | Y |
| IP addresses | source_ip_addresses | | N | Y |
| Defines/retrieves expel.io actor records | status_last_updated_by | | N | Y |
| Timeline Entries | timeline_entries | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Defines/retrieves expel.io user task records | user_tasks | | N | Y |
- class pyexclient.workbench.InvestigativeActionHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Investigative action histories
Resource type name is investigative_action_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Investigative action history action Restricted to: “CREATED”, “ASSIGNED”, “CLOSED”, “ACKNOWLEDGED”, “CLASSIFIED” Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Investigative action history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | expel_alert | | N | Y |
| Investigations | investigation | | N | Y |
| Investigative actions | investigative_action | | N | Y |
- class pyexclient.workbench.InvestigativeActions(data, conn, included=None)[source]
Bases:
InvestigativeActionsResourceInstance
investigative actions
Resource type name is investigative_actions.
Example JSON record:
{ 'action_type': 'TASKABILITY', 'activity_acknowledged_at': '2019-01-15T15:35:00-05:00', 'activity_acknowledged_by': 'string', 'activity_authorized': True, 'activity_verified_by': 'string', 'capability_name': 'string', 'classification': 'MALICIOUS', 'close_reason': 'string', 'content_driven_results': {}, 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'downgrade_reason': 'FALSE_POSITIVE', 'files_count': 100, 'input_args': {}, 'instructions': 'string', 'rank': 100, 'reason': 'string', 'result_byte_size': 100, 'result_task_id': 'object', 'results': 'string', 'robot_action': True, 'status': 'RUNNING', 'status_updated_at': '2019-01-15T15:35:00-05:00', 'taskability_action_id': 'string', 'tasking_error': {}, 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'workflow_job_id': 'string', 'workflow_name': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Investigative Action Type Restricted to: “TASKABILITY”, “HUNTING”, “MANUAL”, “RESEARCH”, “PIVOT”, “QUICK_UPLOAD”, “VERIFY”, “DOWNGRADE”, “WORKFLOW”, “NOTIFY” | action_type | any | Y | N |
| Verify investigative action acknowledged at Allows: null | activity_acknowledged_at | string | Y | N |
| Verify investigative action acknowledged by Allows: null | activity_acknowledged_by | string | Y | N |
| Verify Investigative action is authorized Allows: null | activity_authorized | boolean | Y | N |
| Verify Investigative action verified by Allows: null | activity_verified_by | string | Y | N |
| Capability name Allows: “”, null | capability_name | string | Y | N |
| Investigative action classification Restricted to: “MALICIOUS”, “SUSPICIOUS”, “NOT_SUSPICIOUS” Allows: null | classification | any | Y | N |
| Close Reason Allows: null: markdown | close_reason | string | Y | N |
| Content driven results Allows: “”, null: no-sort | content_driven_results | object | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Downgrade reason Restricted to: “FALSE_POSITIVE”, “ATTACK_FAILED”, “POLICY_VIOLATION”, “ACTIVITY_BLOCKED”, “PUP_PUA”, “BENIGN”, “IT_MISCONFIGURATION”, “OTHER” Allows: null | downgrade_reason | any | Y | N |
| Downgrade reason: readonly | files_count | number | Y | N |
| Task input arguments Allows: null: no-sort | input_args | object | Y | N |
| Instructions Allows: “”, null: markdown | instructions | string | Y | N |
| Visualization Rank | rank | number | Y | N |
| Reason: markdown | reason | string | Y | N |
| Result byte size: readonly | result_byte_size | number | Y | N |
| Result task id Allows: null: readonly | result_task_id | any | Y | N |
| Results/Analysis Allows: “”, null | results | string | Y | N |
| Investigative action created by robot action: readonly | robot_action | boolean | Y | N |
| Status Restricted to: “RUNNING”, “FAILED”, “READY_FOR_ANALYSIS”, “CLOSED”, “COMPLETED” | status | any | Y | N |
| Status Updated At Allows: null: readonly | status_updated_at | string | Y | N |
| Taskability action id Allows: “”, null | taskability_action_id | string | Y | N |
| Taskabilities error Allows: “”, null: no-sort | tasking_error | object | Y | N |
| Title: markdown | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Workflow job id Allows: “”, null | workflow_job_id | string | Y | N |
| Workflow name Allows: “”, null | workflow_name | string | Y | N |
| Defines/retrieves expel.io actor records | analysis_assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | classified_by_actor | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigative actions | dependent_investigative_actions | | N | Y |
| Investigative actions | depends_on_investigative_action | | N | Y |
| Expel alerts | expel_alert | | N | Y |
| File | files | | N | Y |
| Investigations | investigation | | N | Y |
| Investigative action histories | investigative_action_histories | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| File | result_file | | N | Y |
| Security devices | security_device | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.InvestigativeActionsResourceInstance(data, conn, included=None)[source]
Bases:
FilesResourceInstance
- upload(filename, fbytes, expel_file_type=None, file_meta=None)[source]
Upload data associated with an investigative action. Can only be called on InvestigativeAction objects.
- Parameters:
filename (str) – Filename, this shows up in Workbench.
fbytes (bytes) – A bytes string representing raw bytes to upload
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> with xc.investigative_actions.get(id=inv_act_id) as ia:
...     ia.upload('test.txt', b'hello world')
- class pyexclient.workbench.IpAddresses(data, conn, included=None)[source]
Bases:
ResourceInstance
IP addresses
Resource type name is ip_addresses.
Example JSON record:
{'address': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| IP Address: readonly | address | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | destination_expel_alerts | | N | Y |
| Investigations | destination_investigations | | N | Y |
| Investigations | investigations | | N | Y |
| Expel alerts | source_expel_alerts | | N | Y |
| Investigations | source_investigations | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Vendor alerts | vendor_alerts | | N | Y |
- class pyexclient.workbench.JsonApiRelationship(relationships: dict | None = None)[source]
Bases:
object
This object acts as a helper for handling JSON API relationships. It is a simple container that allows setting and getting attributes extracted from the relationship part of a JSON API response. It can also be converted back into a JSON API compliant relationship block for inclusion in a request.
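To make the idea concrete, here is an added example of such a helper; it is not pyexclient's JsonApiRelationship and the names `RelationshipHelper`, `build_patch_document` and the sample relationship block are constructed for this illustration. The point worth seeing is where a helper like this should be strict: it accepts only proper resource identifier objects (`{"type": ..., "id": ...}`, `null`, or a list of identifiers) on the way in and on the way out, so a malformed relationship from a response, or a bare id string assigned by a caller, fails early instead of being serialized into a request.

```python
"""Added example of a JSON:API relationship helper.

Not pyexclient code. RelationshipHelper, build_patch_document and
SAMPLE_RELATIONSHIPS are constructed for this example; the shapes follow the
JSON:API relationship object (a "data" member holding resource linkage).
"""
from typing import Any, Dict, List, Optional, Union

# Resource linkage is null, one resource identifier object, or a list of them.
Identifier = Dict[str, str]
Linkage = Union[None, Identifier, List[Identifier]]


def _check_identifier(value: Any) -> Identifier:
    """Accept only a resource identifier object: a dict with non-empty string 'type' and 'id'."""
    if not isinstance(value, dict):
        raise ValueError(f"resource identifier must be an object, got {value!r}")
    for key in ("type", "id"):
        if not isinstance(value.get(key), str) or not value[key]:
            raise ValueError(f"resource identifier needs a string {key!r}: {value!r}")
    return {"type": value["type"], "id": value["id"]}


def _check_linkage(value: Any) -> Linkage:
    """Normalise resource linkage, rejecting anything that is not identifier-shaped."""
    if value is None:
        return None
    if isinstance(value, list):
        return [_check_identifier(item) for item in value]
    return _check_identifier(value)


class RelationshipHelper:
    """Exposes each relationship of a JSON:API resource as an attribute.

    Build it from the "relationships" member of a response, read or assign
    attributes named after the relationships, then call
    to_relationship_block() to get the dict that goes into a request body.
    """

    def __init__(self, relationships: Optional[Dict[str, Any]] = None) -> None:
        object.__setattr__(self, "_linkage", {})
        for name, block in (relationships or {}).items():
            if not isinstance(block, dict):
                raise ValueError(f"relationship {name!r} is not a relationship object")
            # "links" and "meta" members are dropped; only the linkage is kept.
            self._linkage[name] = _check_linkage(block.get("data"))

    def __getattr__(self, name: str) -> Linkage:
        # Only reached when normal attribute lookup fails.
        if name.startswith("_"):
            raise AttributeError(name)
        try:
            return self._linkage[name]
        except KeyError:
            raise AttributeError(f"no relationship named {name!r}") from None

    def __setattr__(self, name: str, value: Any) -> None:
        self._linkage[name] = _check_linkage(value)

    def names(self) -> List[str]:
        return sorted(self._linkage)

    def to_relationship_block(self) -> Dict[str, Dict[str, Linkage]]:
        """Return a JSON:API compliant "relationships" member for a request."""
        return {name: {"data": linkage} for name, linkage in self._linkage.items()}


def build_patch_document(resource_type: str, resource_id: str,
                         rel: RelationshipHelper) -> Dict[str, Any]:
    """Wrap the relationship block in a resource object, as a PATCH body would."""
    return {"data": {"type": resource_type, "id": resource_id,
                     "relationships": rel.to_relationship_block()}}


# Constructed sample: the relationships member of an expel_alerts response.
SAMPLE_RELATIONSHIPS = {
    "organization": {"data": {"type": "organizations", "id": "org-1"},
                     "links": {"related": "/api/v2/organizations/org-1"}},
    "assigned_to_actor": {"data": None},
    "vendor_alerts": {"data": [{"type": "vendor_alerts", "id": "va-1"},
                               {"type": "vendor_alerts", "id": "va-2"}]},
}


def demo() -> Dict[str, Any]:
    """Parse the sample, assign the empty to-one relationship, build the request body."""
    rel = RelationshipHelper(SAMPLE_RELATIONSHIPS)
    rel.assigned_to_actor = {"type": "actors", "id": "actor-7"}
    return build_patch_document("expel_alerts", "alert-1", rel)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The round trip is the property to check: parsing the block that `to_relationship_block()` produces and serializing it again yields the same block, and the `links` member present in the response never reaches the request.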
- class pyexclient.workbench.MitreTactics(data, conn, included=None)[source]
Bases:
ResourceInstance
Mitre Tactics
Resource type name is mitre_tactics.
Example JSON record:
{'description': 'string', 'name': 'string', 'number_of_expel_detections': 100, 'number_of_vendor_detections': 100}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| The tactic description Allows: “”, null | description | string | Y | N |
| The name of the tactic Allows: “”, null | name | string | Y | N |
| The number of Expel-based detections in this category, based on the plugin_slugs filter | number_of_expel_detections | number | Y | N |
| The number of vendor-based detections in this category, based on the plugin_slugs filter | number_of_vendor_detections | number | Y | N |
- class pyexclient.workbench.NistCategories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io nist_category records
Resource type name is nist_categories.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'function_type': 'IDENTIFY', 'identifier': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Actor type Restricted to: “IDENTIFY”, “PROTECT”, “DETECT”, “RECOVER”, “RESPOND” | function_type | any | Y | N |
| Nist category abbreviated identifier | identifier | string | Y | N |
| Nist category name | name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io nist_subcategory records | nist_subcategories | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.NistSubcategories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io nist_subcategory records
Resource type name is nist_subcategories.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'identifier': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Nist subcategory abbreviated identifier | identifier | string | Y | N |
| Nist subcategory title Allows: “”, null | name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io nist_category records | nist_category | | N | Y |
| Latest NIST subcategory scores | nist_subcategory_scores | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.NistSubcategoryScoreHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
NIST Subcategory Score History
Resource type name is nist_subcategory_score_histories.
Example JSON record:
{'action': 'SCORE_UPDATED', 'actual_score': 100, 'assessment_date': '2019-01-15T15:35:00-05:00', 'created_at': '2019-01-15T15:35:00-05:00', 'target_score': 100}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| NIST subcategory score history action Restricted to: “SCORE_UPDATED”, “COMMENT_UPDATED”, “PRIORITY_UPDATED”, “IMPORT” | action | any | Y | N |
| Organization actual score for this nist subcategory | actual_score | number | Y | N |
| Recorded date of the score assessment (Note: Dates with times will be truncated to the day. Warning: Dates, times and timezones will be converted to UTC before they are truncated. Providing non-UTC timezones is not recommended.): immutable | assessment_date | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Organization target score for this nist subcategory | target_score | number | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Latest NIST subcategory scores | nist_subcategory_score | | N | Y |
- class pyexclient.workbench.NistSubcategoryScores(data, conn, included=None)[source]
Bases:
ResourceInstance
Latest NIST subcategory scores
Resource type name is nist_subcategory_scores.
Example JSON record:
{ 'actual_score': 100, 'assessment_date': '2019-01-15T15:35:00-05:00', 'category_identifier': 'string', 'category_name': 'string', 'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'function_type': 'string', 'is_priority': True, 'subcategory_identifier': 'string', 'subcategory_name': 'string', 'target_score': 100, 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Organization actual score for this nist subcategory Allows: null | actual_score | number | Y | N |
| Recorded date of the score assessment (Note: Dates with times will be truncated to the day. Warning: Dates, times and timezones will be converted to UTC before they are truncated. Providing non-UTC timezones is not recommended.) Allows: null: immutable | assessment_date | string | Y | N |
| Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | category_identifier | string | Y | N |
| Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | category_name | string | Y | N |
| Organization comment for this nist subcategory Allows: “”, null | comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | function_type | string | Y | N |
| Organization nist subcategory is a priority | is_priority | boolean | Y | N |
| Allows: “”, null: immutable, no-sort, no-filter | subcategory_identifier | string | Y | N |
| Allows: “”, null: readonly, csv_ignore, no-sort, no-filter | subcategory_name | string | Y | N |
| Organization target score for this nist subcategory Allows: null | target_score | number | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io nist_subcategory records | nist_subcategory | | N | Y |
| NIST Subcategory Score History | nist_subcategory_score_histories | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
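The assessment_date note on both the nist_subcategory_score_histories and nist_subcategory_scores tables describes a server-side normalisation (convert to UTC, then truncate to the day) that can silently move a score onto a different calendar day when a non-UTC offset is supplied. The following added example, which is not pyexclient code, mirrors that rule client-side so the stored day can be predicted before a record is sent; the function names and the rejection of naive timestamps are this example's own choices.

```python
"""Client-side mirror of the documented assessment_date handling:
the API converts the supplied date-time to UTC first and truncates it
to the day second.  Added example; helper names are not part of pyexclient."""
from datetime import datetime, timezone

# Documented "Restricted to" values for the history record's action field.
SCORE_HISTORY_ACTIONS = frozenset(
    {"SCORE_UPDATED", "COMMENT_UPDATED", "PRIORITY_UPDATED", "IMPORT"}
)


def normalize_assessment_date(value: str) -> str:
    """Return the calendar day (YYYY-MM-DD) the API will store for `value`.

    Order matters: convert to UTC, then drop the time.  Naive timestamps
    (no offset) are rejected rather than guessed, because the page only
    defines the behaviour for values that carry a timezone (assumption of
    this example).
    """
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None or parsed.utcoffset() is None:
        raise ValueError("assessment_date must carry an explicit UTC offset")
    return parsed.astimezone(timezone.utc).date().isoformat()


def assessment_day_shifted(value: str) -> bool:
    """True when the stored UTC day differs from the local calendar day in
    `value`; this is exactly the case the page warns about."""
    local_day = datetime.fromisoformat(value).date().isoformat()
    return normalize_assessment_date(value) != local_day


def score_history_attributes(action: str, actual_score: int,
                             target_score: int, assessment_date: str) -> dict:
    """Build the attribute block for a nist_subcategory_score_histories
    record with the date already pinned to the UTC day, so the client never
    submits a value the server would move to another day."""
    if action not in SCORE_HISTORY_ACTIONS:
        raise ValueError(f"action must be one of {sorted(SCORE_HISTORY_ACTIONS)}")
    if assessment_day_shifted(assessment_date):
        raise ValueError(
            "assessment_date would land on a different UTC day; "
            "supply a UTC timestamp instead"
        )
    return {
        "action": action,
        "actual_score": actual_score,
        "target_score": target_score,
        # UTC midnight of the stored day truncates to itself, so the record
        # is predictable regardless of the caller's local offset.
        "assessment_date": normalize_assessment_date(assessment_date)
        + "T00:00:00+00:00",
    }


if __name__ == "__main__":
    # Constructed sample values in the same shape as the page's example record.
    print(normalize_assessment_date("2019-01-15T15:35:00-05:00"))  # 2019-01-15
    print(normalize_assessment_date("2019-01-15T20:00:00-05:00"))  # 2019-01-16
    print(assessment_day_shifted("2019-01-15T20:00:00-05:00"))     # True
```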
- class pyexclient.workbench.NoteHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Historical event log for each note model
Resource type name is note_histories.
Example JSON record:
{'action': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Whether this is a create, update, or delete event Restricted to: “CREATED”, “UPDATED”, “DELETED” | action | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Complete state at the time of a create or delete event or the state changes for an update event: no-sort | value | object | Y | N |
| Reusable strongly typed context variables which can be referenced by other features | context_variable | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| A model for tying a message to a specific context variable or term for a specified period of time | note | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
- class pyexclient.workbench.Notes(data, conn, included=None)[source]
Bases:
ResourceInstance
A model for tying a message to a specific context variable or term for a specified period of time
Resource type name is notes.
Example JSON record:
{ 'created_at': '2019-01-15T15:35:00-05:00', 'ends_at': '2019-01-15T15:35:00-05:00', 'message': 'string', 'starts_at': '2019-01-15T15:35:00-05:00', 'term': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| When the note should stop showing up as associated with context or global terms Allows: null | ends_at | string | Y | N |
| The message to display when a matching term or variable is highlighted | message | string | Y | N |
| When the note should begin showing up as associated with context or global terms | starts_at | string | Y | N |
| The term to match if and only if this is a global note Allows: null | term | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Reusable strongly typed context variables which can be referenced by other features | context_variable | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Historical event log for each note model | note_histories | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.NotificationEvents(data, conn, included=None)[source]
Bases:
ResourceInstance
Notification events
Resource type name is notification_events.
Example JSON record:
{ 'event_at': '2019-01-15T15:35:00-05:00', 'event_name': 'string', 'sent_notifications': [], 'subject': {'display_name': 'string', 'meta': {}, 'model_id': 'string', 'model_type': 'string', 'parent_model_id': 'string', 'parent_model_type': 'string'}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Timestamp of the event triggering the notification | event_at | string | Y | N |
| Name of the event triggering the notification | event_name | string | Y | N |
| Missing Description | sent_notifications | array | Y | N |
| Missing Description | subject | object | Y | N |
- class pyexclient.workbench.NotificationPreferences(data, conn, included=None)[source]
Bases:
ResourceInstance
User Notification Preferences
Resource type name is notification_preferences.
Example JSON record:
{'preferences': []}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Missing Description | preferences | array | Y | N |
| Defines/retrieves expel.io actor records | actor | | N | Y |
- class pyexclient.workbench.NotificationRules(data, conn, included=None)[source]
Bases:
ResourceInstance
Notification rules
Resource type name is notification_rules.
Example JSON record:
{'condition_operator': 'string', 'conditionals': [], 'created_at': '2019-01-15T15:35:00-05:00', 'created_by': 'string', 'destinations': [], 'short_name': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| The logical operator applied to the conditions Restricted to: “UNSPECIFIED”, “ALL_OF”, “ANY_OF” | condition_operator | string | Y | N |
| Rule conditions that must be met Allows: null: no-filter | conditionals | array | Y | N |
| The time this rule was created at Allows: null: readonly | created_at | string | Y | N |
| The actor who created this rule Allows: null, “”: readonly | created_by | string | Y | N |
| Rule destinations: no-filter | destinations | array | Y | N |
| The short name of the associated organization Allows: null, “” | short_name | string | Y | N |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Notification rule definitions | rule_definition | | N | Y |
| User accounts | user_account | | N | Y |
- class pyexclient.workbench.OrganizationContacts(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io organization_contact records
Resource type name is organization_contacts.
Example JSON record:
{'contact_type': 'ORGANIZATION_CONTACT', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Contact Type Restricted to: “ORGANIZATION_CONTACT”, “SECURITY_DEVICE_CONTACT” | contact_type | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| User accounts | contact_user | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Security devices | security_device | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.OrganizationResilienceActionGroups(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io organization_resilience_action_group records
Resource type name is organization_resilience_action_groups.
Example JSON record:
{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'visible': True}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Organization Resilience Group Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Group title | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Visible | visible | boolean | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Organization to resilience actions | organization_resilience_action_group_actions | | N | Y |
| Defines/retrieves expel.io resilience_action_group records | source_resilience_action_group | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.OrganizationResilienceActions(data, conn, included=None)[source]
Bases:
ResourceInstance
Organization to resilience actions
Resource type name is organization_resilience_actions.
Example JSON record:
{ 'category': 'DISRUPT_ATTACKERS', 'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'details': 'string', 'impact': 'LOW', 'status': 'TOP_PRIORITY', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'visible': True}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” Allows: null | category | any | Y | N |
| Comment Allows: “”, null | comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Details: markdown | details | string | Y | N |
| Impact Restricted to: “LOW”, “MEDIUM”, “HIGH” | impact | any | Y | N |
| Status Restricted to: “TOP_PRIORITY”, “IN_PROGRESS”, “WONT_DO”, “COMPLETED” | status | any | Y | N |
| Title | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Visible | visible | boolean | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation_hints | | N | Y |
| Investigation to resilience actions | investigation_resilience_actions | | N | Y |
| Investigations | investigations | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io organization_resilience_action_group records | organization_resilience_action_group | | N | Y |
| Resilience actions | source_resilience_action | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.OrganizationStatuses(data, conn, included=None)[source]
Bases:
ResourceInstance
Organization status
Resource type name is organization_statuses.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'enabled_login_types': [], 'restrictions': [], 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Meta: readonly | created_at | string | Y | N |
| Missing Description | enabled_login_types | array | Y | N |
| Missing Description | restrictions | array | Y | N |
| Meta: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.Organizations(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io organization records
Resource type name is organizations.
Example JSON record:
{ 'address_1': 'string', 'address_2': 'string', 'city': 'string', 'country_code': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'hq_city': 'string', 'hq_utc_offset': 'string', 'industry': 'string', 'is_surge': True, 'is_testing_organization': True, 'name': 'string', 'nodes_count': 100, 'o365_tos_id': 'string', 'onboarding_preferences': {}, 'organization_type': 'standard', 'postal_code': 'string', 'region': 'string', 'service_end_at': '2019-01-15T15:35:00-05:00', 'service_renewal_at': '2019-01-15T15:35:00-05:00', 'service_start_at': '2019-01-15T15:35:00-05:00', 'short_name': 'EXP', 'updated_at': '2019-01-15T15:35:00-05:00', 'users_count': 100}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Address 1 Allows: “”, null | address_1 | string | Y | N |
| Address 2 Allows: “”, null | address_2 | string | Y | N |
| City Allows: “”, null | city | string | Y | N |
| Country Code Allows: null | country_code | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| The city where the organization’s headquarters is located Allows: “”, null | hq_city | string | Y | N |
| Allows: “”, null | hq_utc_offset | string | Y | N |
| The organization’s primary industry Allows: “”, null | industry | string | Y | N |
| Is surge | is_surge | boolean | Y | N |
| Whether or not this organization is a testing organization or a real organization | is_testing_organization | boolean | Y | N |
| The organization’s operating name | name | string | Y | N |
| Number of nodes covered for this organization Allows: null | nodes_count | number | Y | N |
| o365 Terms of Service identifier (e.g. hubspot id, etc.) Allows: null | o365_tos_id | string | Y | N |
| Organization onboarding preferences: no-sort | onboarding_preferences | object | Y | N |
| Organization type Restricted to: “standard”, “prospect”, “free_trial”, “demo”, “partner”, “test_temp”, “test_perm” Allows: null | organization_type | any | Y | N |
| Postal Code Allows: null | postal_code | string | Y | N |
| State/Province/Region Allows: “”, null | region | string | Y | N |
| Organization service end date Allows: null | service_end_at | string | Y | N |
| Organization service renewal date Allows: null | service_renewal_at | string | Y | N |
| Organization service start date Allows: null | service_start_at | string | Y | N |
| Organization short name Allows: null | short_name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Number of users covered for this organization Allows: null | users_count | number | Y | N |
| Defines/retrieves expel.io actor records | actor | | N | Y |
| investigative actions | analysis_assigned_investigative_actions | | N | Y |
| Defines/retrieves expel.io api_key records. These can only be created by a user and require an OTP token. | api_keys | | N | Y |
| Assemblers | assemblers | | N | Y |
| Defines/retrieves expel.io actor records | assignables | | N | Y |
| Expel alerts | assigned_expel_alerts | | N | Y |
| Investigations | assigned_investigations | | N | Y |
| investigative actions | assigned_investigative_actions | | N | Y |
| Organization to resilience actions | assigned_organization_resilience_actions | | N | Y |
| Organization to resilience actions | assigned_organization_resilience_actions_list | | N | Y |
| Remediation actions | assigned_remediation_actions | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | automate_opt_in_for_remediation_action_setting | | N | Y |
| Defines/retrieves expel.io comment records | comments | | N | Y |
| Defines/retrieves expel.io configuration records | configurations | | N | Y |
| Groups for organizing context variables outside of any specific use case | context_categories | | N | Y |
| Defines/retrieves expel.io context_label_tag records | context_label_tags | | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | | N | Y |
| Reusable strongly typed context variables which can be referenced by other features | context_variables | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| investigative actions | current_assigned_investigative_actions_classification | | N | Y |
| Defines/retrieves expel.io engagement_manager records | engagement_manager | | N | Y |
| path to entitlements service | entitlement | | N | Y |
| Expel alert histories | expel_alert_histories | | N | Y |
| Expel alerts | expel_alerts | | N | Y |
| File | files | | N | Y |
| Defines/retrieves expel.io integration records | integrations | | N | Y |
| Investigation histories | investigation_histories | | N | Y |
| Investigations | investigations | | N | Y |
| investigative actions | investigative_actions | | N | Y |
| Latest NIST subcategory scores | nist_subcategory_scores | | N | Y |
| Historical event log for each note model | note_histories | | N | Y |
| A model for tying a message to a specific context variable or term for a specified period of time | notes | | N | Y |
| User Notification Preferences | notification_preferences | | N | Y |
| Defines/retrieves expel.io organization_contact records | organization_contacts | | N | Y |
| Defines/retrieves expel.io organization_resilience_action_group records | organization_resilience_action_groups | | N | Y |
| Organization to resilience actions | organization_resilience_actions | | N | Y |
| Organization status | organization_status | | N | Y |
| Defines/retrieves expel.io user_account_role records | organization_user_account_roles | | N | Y |
| Defines/retrieves expel.io actor records | parent_organization_actor | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | remediation_action_setting_histories | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_settings | | N | Y |
| Defines/retrieves expel.io review summary records | review_summaries | | N | Y |
| SAML Identity Providers | saml_identity_provider | | N | Y |
| Defines/retrieves expel.io security_device_count records | security_device_counts | | N | Y |
| Security Device histories | security_device_histories | | N | Y |
| Security devices | security_devices | | N | Y |
| Service Skus | skus | | N | Y |
| Defines/retrieves expel.io suggestions | suggestions | | N | Y |
| Defines/retrieves expel.io actor records | tacs_confirmed_actor | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| User accounts | user_accounts | | N | Y |
| User accounts | user_accounts_with_roles | | N | Y |
| Defines/retrieves expel.io user task records | user_tasks | | N | Y |
| Vendor alerts | vendor_alerts | | N | Y |
- class pyexclient.workbench.PhishingSubmissionAttachments(data, conn, included=None)[source]
Bases:
ResourceInstance
Phishing submission attachments
Resource type name is phishing_submission_attachments.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'file_md5': 'string', 'file_mime': 'string', 'file_name': 'string', 'file_sha1': 'string', 'file_sha256': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| File md5 hash Allows: null | file_md5 | string | Y | N |
| File mime type Allows: null | file_mime | string | Y | N |
| File name Allows: null | file_name | string | Y | N |
| File sha1 hash Allows: null | file_sha1 | string | Y | N |
| File sha256 hash Allows: null | file_sha256 | string | Y | N |
| File | attachment_file | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Phishing submissions | phishing_submission | | N | Y |
- class pyexclient.workbench.PhishingSubmissionDomains(data, conn, included=None)[source]
Bases:
ResourceInstance
Phishing submission domains
Resource type name is phishing_submission_domains.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'value': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Value | value | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Phishing submissions | phishing_submission | | N | Y |
- class pyexclient.workbench.PhishingSubmissionHeaders(data, conn, included=None)[source]
Bases:
ResourceInstance
Phishing submission headers
Resource type name is phishing_submission_headers.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'email_order_index': 'name@company.com', 'name': 'string', 'value': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Email Order Index Allows: null | email_order_index | string | Y | N |
| Name | name | string | Y | N |
| Value | value | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Phishing submissions | phishing_submission | | N | Y |
- class pyexclient.workbench.PhishingSubmissionUrls(data, conn, included=None)[source]
Bases:
ResourceInstance
Phishing submission URLs
Resource type name is phishing_submission_urls.
Example JSON record:
{ 'contains_sub_elements': True, 'created_at': '2019-01-15T15:35:00-05:00', 'link_text': 'string', 'rewritten_url': 'https://company.com/', 'tags': 'https://company.com/', 'url_type': 'https://company.com/', 'value': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Was sonar prediction correct | contains_sub_elements | boolean | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Link text value | link_text | string | Y | N |
| The new url, if it was rewritten by assorted security products Allows: null | rewritten_url | string | Y | N |
| Interesting URL tags: no-sort | tags | string | Y | N |
| URL type | url_type | string | Y | N |
| Value | value | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Phishing submissions | phishing_submission | | N | Y |
- class pyexclient.workbench.PhishingSubmissions(data, conn, included=None)[source]
Bases:
ResourceInstance
Phishing submissions
Resource type name is phishing_submissions.
Example JSON record:
{ 'add_to_at': '2019-01-15T15:35:00-05:00', 'arthurai_inference_id': 'string', 'automated_action_type': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'email_msg_id': 'name@company.com', 'email_type': 'name@company.com', 'external_case_number': 'string', 'full_sender': 'string', 'ingest_source': 'string', 'msg_id': 'string', 'organization_id': 'string', 'properties': {}, 'received_at': '2019-01-15T15:35:00-05:00', 'reported_at': '2019-01-15T15:35:00-05:00', 'return_path': 'string', 'sender': 'string', 'sender_domain': 'string', 'source_object_type': 'string', 'subject': 'string', 'submitted_by': 'string', 'triaged_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00', 'was_sonar_correct': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Added at Allows: null | add_to_at | string | Y | N |
| ArthurAI Inference ID Allows: null | arthurai_inference_id | string | Y | N |
| Automated action type Allows: “”, null | automated_action_type | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Internal email message id Allows: “”, null | email_msg_id | string | Y | N |
| Email type Allows: “”, null | email_type | string | Y | N |
| Case number for external ticketing systems Allows: “”, null | external_case_number | string | Y | N |
| Full sender value, which may contain both a display address and a true address Allows: “”, null | full_sender | string | Y | N |
| Ingest source Allows: “” | ingest_source | string | Y | N |
| Message ID | msg_id | string | Y | N |
| Organization ID Allows: null | organization_id | string | Y | N |
| Generic properties json blob: no-sort | properties | object | Y | N |
| Received at | received_at | string | Y | N |
| Reported at | reported_at | string | Y | N |
| Return path Allows: “” | return_path | string | Y | N |
| Sender | sender | string | Y | N |
| Sender domain | sender_domain | string | Y | N |
| Submission source object type Allows: “”, null | source_object_type | string | Y | N |
| Subject Allows: “” | subject | string | Y | N |
| Submitted by | submitted_by | string | Y | N |
| Triaged at Allows: null | triaged_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Was sonar prediction correct: no-sort | was_sonar_correct | object | Y | N |
| File | analysis_email_file | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | expel_alert | | N | Y |
| File | initial_email_file | | N | Y |
| File | modified_email_file | | N | Y |
| Phishing submission attachments | phishing_submission_attachments | | N | Y |
| Phishing submission domains | phishing_submission_domains | | N | Y |
| Phishing submission headers | phishing_submission_headers | | N | Y |
| Phishing submission URLs | phishing_submission_urls | | N | Y |
| File | raw_body_file | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.Plugins(data, conn, included=None)[source]
Bases:
ResourceInstance
Plugins
Resource type name is plugins.
Example JSON record:
{ 'active': True, 'assembler_dependency': 'string', 'assembler_for_console_only': True, 'company_name': 'string', 'current_status': 100, 'depends_on': [], 'description': 'string', 'device_spec_json': {}, 'display_name': 'string', 'extra': {}, 'hide_console_login': True, 'internal_only': True, 'is_investigative_tech': True, 'logo': 'string', 'logo_image_url': 'string', 'onboarding_doc_url': 'string', 'organization_id': 'string', 'plugin_slug': 'string', 'service_offerings': [], 'sfa_integration_slug': 'string', 'show_display_name_with_logo': True, 'tasks': [], 'vendor_name': 'string', 'vendor_type': 'string', 'version': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Missing Description | active | boolean | Y | N |
| Missing Description | assembler_dependency | string | Y | N |
| Missing Description | assembler_for_console_only | boolean | Y | N |
| Missing Description | company_name | string | Y | N |
| Missing Description | current_status | number | Y | N |
| Missing Description | depends_on | array | Y | N |
| Missing Description | description | string | Y | N |
| Missing Description | device_spec_json | object | Y | N |
| Missing Description | display_name | string | Y | N |
| Missing Description | extra | object | Y | N |
| Missing Description | hide_console_login | boolean | Y | N |
| Missing Description | internal_only | boolean | Y | N |
| Missing Description | is_investigative_tech | boolean | Y | N |
| Missing Description | logo | string | Y | N |
| Missing Description | logo_image_url | string | Y | N |
| Missing Description | onboarding_doc_url | string | Y | N |
| Allows: null | organization_id | string | Y | N |
| Missing Description | plugin_slug | string | Y | N |
| Missing Description | service_offerings | array | Y | N |
| Missing Description | sfa_integration_slug | string | Y | N |
| Missing Description | show_display_name_with_logo | boolean | Y | N |
| Missing Description | tasks | array | Y | N |
| Missing Description | vendor_name | string | Y | N |
| Missing Description | vendor_type | string | Y | N |
| Missing Description | version | string | Y | N |
- class pyexclient.workbench.RemediationActionAssetHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Remediation action asset histories
Resource type name is remediation_action_asset_histories.
Example JSON record:
{ 'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'asset_type': 'ACCOUNT', 'automate_revert': True, 'automate_status': 'NEW', 'created_at': '2019-01-15T15:35:00-05:00', 'status': 'OPEN', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action asset history action Restricted to: “CREATED”, “COMPLETED”, “REOPENED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Action type of associated parent remediation action Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Remediation asset type history Restricted to: “ACCOUNT”, “ACCESS_KEY”, “DESCRIPTION”, “DEVICE”, “DOMAIN_NAME”, “EMAIL”, “FILE”, “HASH”, “HOST”, “INBOX_RULE_NAME”, “IP_ADDRESS” Allows: null | asset_type | any | Y | N |
| Automated remediation asset revert history Allows: null | automate_revert | boolean | Y | N |
| Automated remediation asset status history Restricted to: “NEW”, “CREATED”, “STARTING”, “VERIFYING”, “COMPLETED”, “FAILED”, “AWAITING_CHECKS” Allows: null | automate_status | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Remediation asset status history Restricted to: “OPEN”, “COMPLETED” Allows: null | status | any | Y | N |
| Remediation action asset history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Remediation action assets | remediation_action_asset | | N | Y |
| Security devices | security_device | | N | Y |
- class pyexclient.workbench.RemediationActionAssets(data, conn, included=None)[source]
Bases:
ResourceInstance
Remediation action assets
Resource type name is remediation_action_assets.
Example JSON record:
{ 'asset_type': 'ACCOUNT', 'automate_revert': True, 'automate_status': 'NEW', 'automate_status_updated_at': '2019-01-15T15:35:00-05:00', 'automate_task_error': {}, 'automate_task_id': 'string', 'automate_task_result_id': 'object', 'automate_task_results': {}, 'cannot_automate_reason': 'DEVICE_ID_MISSING', 'category': 'AFFECTED_ACCOUNT', 'created_at': '2019-01-15T15:35:00-05:00', 'status': 'OPEN', 'updated_at': '2019-01-15T15:35:00-05:00', 'value': 'object'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation asset type Restricted to: “ACCOUNT”, “ACCESS_KEY”, “DESCRIPTION”, “DEVICE”, “DOMAIN_NAME”, “EMAIL”, “FILE”, “HASH”, “HOST”, “INBOX_RULE_NAME”, “IP_ADDRESS” | asset_type | any | Y | N |
| Start automated remediation revert process | automate_revert | boolean | Y | N |
| Automated remediation status for this asset Restricted to: “NEW”, “CREATED”, “STARTING”, “VERIFYING”, “COMPLETED”, “FAILED”, “AWAITING_CHECKS” Allows: null: readonly | automate_status | any | Y | N |
| Automated remediation status last updated at Allows: null: readonly | automate_status_updated_at | string | Y | N |
| Automated remediation task error Allows: “”, null: readonly, no-sort | automate_task_error | object | Y | N |
| Automated remediation task id Allows: “”, null: readonly | automate_task_id | string | Y | N |
| Automated remediation task result id Allows: null: readonly | automate_task_result_id | any | Y | N |
| Automated remediation task results Allows: “”, null: no-sort | automate_task_results | object | Y | N |
| Reason this asset cannot be automated Restricted to: “DEVICE_ID_MISSING”, “ACTION_NOT_SUPPORTED”, “DEVICE_NOT_SUPPORTED”, “FEATURE_FLAG_ACTION_DISABLED”, “FEATURE_FLAG_VENDOR_NOT_ALLOWED”, “CUSTOMER_CONFIG_DISABLED”, “ALLOWED_ASSETS_EMPTY”, “ASSETS_NOT_ALLOWED”, “RED_TEAM_INVESTIGATION”, “ASSET_NOT_APPLICABLE” Allows: null: readonly | cannot_automate_reason | any | Y | N |
| Remediation asset category Restricted to: “AFFECTED_ACCOUNT”, “COMPROMISED_ACCOUNT”, “FORWARDING_ADDRESS” Allows: null | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Asset status Restricted to: “OPEN”, “COMPLETED” | status | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Remediation asset value: allowStringOperators, no-sort | value | alternatives | Y | N |
| Defines/retrieves expel.io context_label_tag records | context_label_tags | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Remediation actions | remediation_action | | N | Y |
| Remediation action asset histories | remediation_action_asset_histories | | N | Y |
| Security devices | security_device | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.RemediationActionHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Remediation action histories
Resource type name is remediation_action_histories.
Example JSON record:
{'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'can_automate': True, 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action history action Restricted to: “CREATED”, “ASSIGNED”, “COMPLETED”, “CLOSED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Action type of source parent remediation action Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Remediation action can be automated history | can_automate | boolean | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Remediation action history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Remediation actions | remediation_action | | N | Y |
| Security devices | security_device | | N | Y |
- class pyexclient.workbench.RemediationActionSettingHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io remediation_action_setting_history records
Resource type name is remediation_action_setting_histories.
Example JSON record:
{'action': 'CREATED', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action setting history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Action type of source parent remediation action setting Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Remediation action setting history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_setting | | N | Y |
- class pyexclient.workbench.RemediationActionSettingListSourceHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io remediation_action_setting_list_source_history records
Resource type name is remediation_action_setting_list_source_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'source_type': 'CONTEXT_LABEL', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Remediation action setting list source history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Source type Restricted to: “CONTEXT_LABEL”, “EXTERNAL_TASKABILITIES” | source_type | any | Y | N |
| Remediation action setting list source history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io context_label records | context_label | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_setting | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | remediation_action_setting_list_source | | N | Y |
| Security devices | security_device | | N | Y |
- class pyexclient.workbench.RemediationActionSettingListSources(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io remediation_action_setting_list_source records
Resource type name is remediation_action_setting_list_sources.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'external_value': {}, 'source_type': 'CONTEXT_LABEL', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| External value Allows: null: allowStringOperators, no-sort | external_value | object | Y | N |
| Source type Restricted to: “CONTEXT_LABEL”, “EXTERNAL_TASKABILITIES” | source_type | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io context_label records | context_label | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_setting | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source_history records | remediation_action_setting_list_source_histories | | N | Y |
| Security devices | security_device | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.RemediationActionSettings(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io remediation_action_setting records
Resource type name is remediation_action_settings.
Example JSON record:
{ 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'automate_list_type': 'DENY', 'automate_opt_in': True, 'automate_opt_in_agreement_version': 'V1', 'automate_opt_in_at': '2019-01-15T15:35:00-05:00', 'created_at': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Setting’s remediation action type Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” | action_type | any | Y | N |
| Automated remediation setting list type Restricted to: “DENY”, “ALLOW” Allows: null | automate_list_type | any | Y | N |
| Opted in to automated remediations | automate_opt_in | boolean | Y | N |
| Automated remediations opt in agreement version Restricted to: “V1” Allows: null | automate_opt_in_agreement_version | any | Y | N |
| Last opted in to automated remediations time Allows: null: readonly | automate_opt_in_at | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | automate_opt_in_actor | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | context_label_list_sources | | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | external_list_sources | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | opt_in_histories | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | opt_out_histories | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_history records | remediation_action_setting_histories | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source_history records | remediation_action_setting_list_source_histories | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | remediation_action_setting_list_sources | | N | Y |
| Security devices | security_devices | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.RemediationActions(data, conn, included=None)[source]
Bases:
ResourceInstance
Remediation actions
Resource type name is remediation_actions.
Example JSON record:
{ 'action': 'string', 'action_type': 'BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS', 'asset_state_counts': {}, 'can_automate': True, 'can_automate_completely': True, 'cannot_automate_reason': 'DEVICE_ID_MISSING', 'close_reason': 'string', 'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'status': 'IN_PROGRESS', 'status_updated_at': '2019-01-15T15:35:00-05:00', 'template_name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00', 'version': 'V1'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Action Allows: “”, null | action | string | Y | N |
| Action type Restricted to: “BLOCK_COMMAND_AND_CONTROL_COMMUNICATIONS”, “BLOCK_KNOWN_BAD_HASHES”, “CONTAIN_HOSTS”, “CONTAIN_INFECTED_REMOVABLE_MEDIA”, “DELETE_MALICIOUS_FILES”, “DISABLE_AND_MODIFY_AWS_ACCESS_KEYS”, “MITIGATE_VULNERABILITY”, “OTHER_REMEDIATION”, “REMOVE_AND_BLOCK_EMAIL_FORWARDING_ADDRESS”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_OTHER”, “REMOVE_COMPROMISED_SYSTEMS_FROM_NETWORK_AWS”, “REMOVE_INBOX_RULES_FOR_KNOWN_COMPROMISED_ACCOUNTS”, “RESET_CREDENTIALS_OTHER”, “RESET_CREDENTIALS_AWS”, “RESET_CREDENTIALS_O365”, “BLOCK_MALICIOUS_DOMAINS_AND_IPS”, “BLOCK_SENDER_ADDRESS”, “BLOCK_SENDER_DOMAIN”, “REMOVE_MALICIOUS_EMAIL”, “RESET_CREDENTIALS_GSUITE”, “DISABLE_USER_ACCOUNT”, “RESET_CREDENTIALS_OKTA”, “REMOVE_TAP_THREAT_ID”, “RESET_CREDENTIALS_AZURE”, “RESET_CREDENTIALS_SALESFORCE”, “RESET_CREDENTIALS_GCP” Allows: null | action_type | any | Y | N |
| Asset state counts Allows: null: no-sort | asset_state_counts | object | Y | N |
| Remediation action can be automated: readonly | can_automate | boolean | Y | N |
| Remediation action can be completely automated: readonly | can_automate_completely | boolean | Y | N |
| Reason this action cannot be automated Restricted to: “DEVICE_ID_MISSING”, “ACTION_NOT_SUPPORTED”, “DEVICE_NOT_SUPPORTED”, “FEATURE_FLAG_ACTION_DISABLED”, “FEATURE_FLAG_VENDOR_NOT_ALLOWED”, “CUSTOMER_CONFIG_DISABLED”, “ALLOWED_ASSETS_EMPTY”, “ASSETS_NOT_ALLOWED”, “RED_TEAM_INVESTIGATION”, “ASSET_NOT_APPLICABLE” Allows: null: readonly | cannot_automate_reason | any | Y | N |
| Close Reason Allows: null: markdown | close_reason | string | Y | N |
| Comment Allows: “”, null: markdown | comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Status Restricted to: “IN_PROGRESS”, “COMPLETED”, “CLOSED” | status | any | Y | N |
| Status Updated At Allows: null: readonly | status_updated_at | string | Y | N |
| Remediation Action Template Name Allows: “”, null | template_name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Version Restricted to: “V1”, “V2”, “V3” | version | any | Y | N |
| Defines/retrieves expel.io actor records | assigned_to_actor | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigations | investigation | | N | Y |
| Remediation action assets | remediation_action_assets | | N | Y |
| Remediation action histories | remediation_action_histories | | N | Y |
| Security devices | security_device | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.ResilienceActionGroups(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io resilience_action_group records
Resource type name is resilience_action_groups.
Example JSON record:
{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Global Resilience Group Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Group title | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Resilience actions | resilience_actions | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.ResilienceActions(data, conn, included=None)[source]
Bases:
ResourceInstance
Resilience actions
Resource type name is resilience_actions.
Example JSON record:
{'category': 'DISRUPT_ATTACKERS', 'created_at': '2019-01-15T15:35:00-05:00', 'details': 'string', 'impact': 'LOW', 'title': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Category Restricted to: “DISRUPT_ATTACKERS”, “ENABLE_DEFENDERS” Allows: null | category | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Details: markdown | details | string | Y | N |
| Impact Restricted to: “LOW”, “MEDIUM”, “HIGH” | impact | any | Y | N |
| Title | title | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io resilience_action_group records | resilience_action_group | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.ResourceInstance(data, conn, included=None)[source]
Bases:
object
Represents an instance of a base resource.
- classmethod create(conn, **kwargs)[source]
Create a new resource instance. Users need to call save() after create to write changes to the server.
- Returns:
The updated resource instance
- Return type:
- Examples:
>>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=ORGANIZATION_ID, relationship_assigned_to_actor=ACTOR_ID)
>>> i.save()
- delete(prompt_on_delete=True)[source]
Delete a resource instance.
- Parameters:
prompt_on_delete (bool, optional) – True if the user wants to be prompted when the delete is issued, False otherwise. Defaults to True.
- Examples:
>>> inv = xc.investigations.get(id='a8bf9750-6a79-4415-9558-a56253606b9f')
>>> inv.delete()
- property id
Retrieve the identifier for the resource instance.
- Returns:
A GUID representing the unique instance
- Return type:
str
- Examples:
>>> for inv in xc.investigations.filter_by(status='OPEN'):
...     print("Investigation ID is %s" % inv.id)
- class pyexclient.workbench.ReviewSummaries(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io review summary records
Resource type name is review_summaries.
Example JSON record:
{ 'created_at': '2019-01-15T15:35:00-05:00', 'data': {}, 'process_name': 'SOC_QC_REVIEW', 'reporting_at': '2019-01-15T15:35:00-05:00', 'task_type': 'ALERT_REVIEW', 'total': '2019-01-15T15:35:00-05:00', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Data for the specific review summary Allows: null: no-sort | data | object | Y | N |
| Process name Restricted to: “SOC_QC_REVIEW”, “PHISHING_AUDIT”, “SIMILARITY_REVIEW” | process_name | any | Y | N |
| Date used to report the counts Allows: null | reporting_at | string | Y | N |
| Task type Restricted to: “ALERT_REVIEW”, “INCIDENT_REVIEW”, “INVESTIGATION_REVIEW” | task_type | any | Y | N |
| Total number of errors for this date Allows: null | total | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.RuleDefinitions(data, conn, included=None)[source]
Bases:
ResourceInstance
Notification rule definitions
Resource type name is rule_definitions.
Example JSON record:
{'conditions': [], 'event_definitions': [], 'owner_id': 'string', 'rule_action': 'string', 'rule_definition_type': 'UNSPECIFIED', 'rule_model': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: null: readonly, no-filter | conditions | array | Y | N |
| Allows: null: readonly, no-filter | event_definitions | array | Y | N |
| The rule definition’s owner id Allows: null, “” | owner_id | string | Y | N |
| The rule definition’s action description | rule_action | string | Y | N |
| The type of rule definition (required) Restricted to: “UNSPECIFIED”, “ORG”, “OPS”, “INFRA”, “EM”, “USER” | rule_definition_type | any | Y | N |
| The name of the model being acted on | rule_model | string | Y | N |
- class pyexclient.workbench.SamlIdentityProviders(data, conn, included=None)[source]
Bases:
ResourceInstance
SAML Identity Providers
Resource type name is saml_identity_providers.
Example JSON record:
{'callback_uri': 'string', 'cert': 'string', 'entity_id': 'string', 'status': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: “” | callback_uri | string | Y | N |
| Allows: “”, null | cert | string | Y | N |
| Allows: “” | entity_id | string | Y | N |
| Restricted to: “not_configured”, “configured” | status | string | Y | N |
| Defines/retrieves expel.io organization records | organization | | N | Y |
- class pyexclient.workbench.Secrets(data, conn, included=None)[source]
Bases:
ResourceInstance
Organization secrets. Note - these requests must be in the format of /secrets/security_device-<guid>
Resource type name is secrets.
Example JSON record:
{ 'secret': { 'device_info': {'access_id': '7b0a343c-860e-442e-ab0b-d6f349d364d9', 'access_key': 'secret-access-key', 'source_category': 'alpha'}, 'device_secret': {'console_url': 'https://console-access-point.com', 'password': 'password', 'username': 'admin@company.com'}, 'two_factor_secret': 'GNFXSU2OKNJXUPTGJVQUMNDHM4YVEKRJ'}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Allows: null | secret | object | Y | N |
| Defines/retrieves expel.io organization records | organization | | N | Y |
- class pyexclient.workbench.SecurityDeviceCounts(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io security_device_count records
Resource type name is security_device_counts.
Example JSON record:
{'counts': {}, 'created_at': '2019-01-15T15:35:00-05:00', 'error_message': 'string', 'missing_permissions_detail': {}, 'organization_id': 'string', 'security_device_id': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| The security device counts: readonly, no-sort | counts | object | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Error message when retrieving counts: readonly | error_message | string | Y | N |
| Missing permissions details: no-sort | missing_permissions_detail | object | Y | N |
| Organization ID the security device belongs to: readonly | organization_id | string | Y | N |
| Security Device ID: readonly | security_device_id | string | Y | N |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Security devices | security_device | | N | Y |
- class pyexclient.workbench.SecurityDeviceHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Security Device histories
Resource type name is security_device_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Security device history action Restricted to: “CREATED”, “UPDATED”, “UPDATED_SECRETS”, “DELETED” | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Security device history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Security devices | security_device | | N | Y |
- class pyexclient.workbench.SecurityDevices(data, conn, included=None)[source]
Bases:
ResourceInstance
Security devices
Resource type name is security_devices.
Example JSON record:
{ 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'device_spec': {}, 'device_type': 'ENDPOINT', 'has_console_credentials': True, 'has_two_factor_secret': True, 'is_verifying_status': True, 'location': 'string', 'name': 'string', 'no_alert_threshold_hours': 100, 'plugin_slug': 'string', 'properties': {}, 'status': 'healthy', 'status_details': {}, 'status_updated_at': '2019-01-15T15:35:00-05:00', 'task_source': 'CUSTOMER_PREMISE', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Device Spec Allows: null: no-sort | device_spec | object | Y | N |
| Device Type Restricted to: “ENDPOINT”, “NETWORK”, “SIEM”, “OTHER”, “CLOUD” | device_type | any | Y | N |
| Has console credentials stored in vault: readonly | has_console_credentials | boolean | Y | N |
| Has 2fa secret stored in vault: readonly | has_two_factor_secret | boolean | Y | N |
| A health check is in progress for device | is_verifying_status | boolean | Y | N |
| Location Allows: “”, null | location | string | Y | N |
| Name | name | string | Y | N |
| Number of hours to wait before sending an alert for a device that has not checked in Allows: null | no_alert_threshold_hours | number | Y | N |
| Allows: “”, null | plugin_slug | string | Y | N |
| Properties about the security device: no-sort | properties | object | Y | N |
| Status. Note: By default, if the security device has an assembler and that assembler is unhealthy, the status will return that information rather than the raw status of the security device. To disable this behavior, add the query parameter flag[raw_status]=true. Restricted to: “healthy”, “unhealthy”, “health_checks_not_supported” Allows: null | status | any | Y | N |
| Status Details. Note: By default, if the security device has an assembler and that assembler is unhealthy, the status details will return that information rather than the raw status of the security device. To disable this behavior, add the query parameter flag[raw_status]=true. Allows: null: no-sort | status_details | object | Y | N |
| Status Updated At Allows: null: readonly | status_updated_at | string | Y | N |
| Location where tasks are run Restricted to: “CUSTOMER_PREMISE”, “EXPEL_TASKPOOL” | task_source | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Assemblers | assembler | | N | Y |
| Security devices | child_security_devices | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Investigative actions | investigative_actions | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io organization_contact records | organization_contacts | | N | Y |
| Security devices | parent_security_device | | N | Y |
| Remediation action asset histories | remediation_action_asset_histories | | N | Y |
| Remediation action assets | remediation_action_assets | | N | Y |
| Remediation action histories | remediation_action_histories | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source_history records | remediation_action_setting_list_source_histories | | N | Y |
| Defines/retrieves expel.io remediation_action_setting_list_source records | remediation_action_setting_list_sources | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | remediation_action_settings | | N | Y |
| Remediation actions | remediation_actions | | N | Y |
| Defines/retrieves expel.io security_device_count records | security_device_counts | | N | Y |
| Security Device histories | security_device_histories | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Vendors | vendor | | N | Y |
| Vendor alerts | vendor_alerts | | N | Y |
- class pyexclient.workbench.Skus(data, conn, included=None)[source]
Bases:
ResourceInstance
Service Skus
Resource type name is skus.
Example JSON record:
{ 'allows_integrations': True, 'attack_surfaces': [], 'display_name': 'string', 'hunting_attack_surfaces': [], 'investigative_tech_attack_surfaces': [], 'is_single_license': True, 'name': 'string', 'service_type': 'string', 'version': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Meta: readonly, no-filter, no-sort | allows_integrations | boolean | Y | N |
| Meta: no-filter, no-sort | attack_surfaces | array | Y | N |
| Missing Description | display_name | string | Y | N |
| Meta: no-filter, no-sort | hunting_attack_surfaces | array | Y | N |
| Meta: no-filter, no-sort | investigative_tech_attack_surfaces | array | Y | N |
| Missing Description | is_single_license | boolean | Y | N |
| Missing Description | name | string | Y | N |
| Missing Description | service_type | string | Y | N |
| Missing Description | version | string | Y | N |
- class pyexclient.workbench.SuggestionHistories(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io suggestion_history records
Resource type name is suggestion_histories.
Example JSON record:
{'action': 'CREATED', 'created_at': '2019-01-15T15:35:00-05:00', 'suggestion_action': 'ADD_TO', 'value': {}}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Suggestion history action Restricted to: “CREATED”, “UPDATED”, “DELETED” Allows: null | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Suggestion action Restricted to: “ADD_TO”, “CLOSE”, “SUPPRESS”, “INVESTIGATE” | suggestion_action | any | Y | N |
| Suggestion history details Allows: null: no-sort | value | object | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io suggestions | suggestion | | N | Y |
- class pyexclient.workbench.Suggestions(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io suggestions
Resource type name is suggestions.
Example JSON record:
{'action': 'ADD_TO', 'created_at': '2019-01-15T15:35:00-05:00', 'metadata': {}, 'rank': 100, 'suggestion': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Action Restricted to: “ADD_TO”, “CLOSE”, “SUPPRESS”, “INVESTIGATE” | action | any | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Metadata for the suggestion Allows: null: no-sort | metadata | object | Y | N |
| Visualization rank | rank | number | Y | N |
| Body of the suggestion Allows: “”, null: markdown | suggestion | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | expel_alerts | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io suggestion_history records | suggestion_histories | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.TimelineEntries(data, conn, included=None)[source]
Bases:
ResourceInstance
Timeline Entries
Resource type name is timeline_entries.
Example JSON record:
{ 'attack_phase': 'string', 'comment': 'string', 'created_at': '2019-01-15T15:35:00-05:00', 'deleted_at': '2019-01-15T15:35:00-05:00', 'dest_host': 'string', 'event': 'string', 'event_date': '2019-01-15T15:35:00-05:00', 'event_type': 'string', 'is_selected': True, 'src_host': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Attack phase of the Timeline Entry Allows: “”, null | attack_phase | string | Y | N |
| Comment on this Timeline Entry Allows: “”, null | comment | string | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Deleted At timestamp Allows: null | deleted_at | string | Y | N |
| Destination Host (IP or Hostname) Allows: “”, null | dest_host | string | Y | N |
| The event, such as Powershell Attack Allows: “”, null | event | string | Y | N |
| Date/Time of when the event occurred | event_date | string | Y | N |
| The type of the event, such as Carbon Black Alert Allows: “”, null | event_type | string | Y | N |
| Has been selected for final report | is_selected | boolean | Y | N |
| Source Host (IP or Hostname) Allows: “”, null | src_host | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io context_label_action records | context_label_actions | | N | Y |
| Defines/retrieves expel.io context_label records | context_labels | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | expel_alert | | N | Y |
| Investigations | investigation | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.UserAccountRoles(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io user_account_role records
Resource type name is user_account_roles.
Example JSON record:
{'active': True, 'assignable': True, 'created_at': '2019-01-15T15:35:00-05:00', 'role': 'expel_admin', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| If this role is active | active | boolean | Y | N |
| Can user be assigned items (e.g. investigations, etc) | assignable | boolean | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| User account role for this organization Restricted to: “expel_admin”, “expel_analyst”, “organization_admin”, “organization_analyst”, “system”, “anonymous”, “restricted” | role | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| User accounts | user_account | | N | Y |
- class pyexclient.workbench.UserAccountStatuses(data, conn, included=None)[source]
Bases:
ResourceInstance
User account status
Resource type name is user_account_statuses.
Example JSON record:
{ 'active': True, 'active_status': 'ACTIVE', 'created_at': '2019-01-15T15:35:00-05:00', 'invite_token_expires_at': '2019-01-15T15:35:00-05:00', 'password_reset_token_expires_at': '2019-01-15T15:35:00-05:00', 'restrictions': [], 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Missing Description | active | boolean | Y | N |
| Restricted to: “ACTIVE”, “LOCKED”, “LOCKED_INVITED”, “LOCKED_EXPIRED”, “ACTIVE_INVITED”, “ACTIVE_EXPIRED”: readonly | active_status | any | Y | N |
| Meta: readonly | created_at | string | Y | N |
| Allows: null: readonly | invite_token_expires_at | string | Y | N |
| Allows: null: readonly | password_reset_token_expires_at | string | Y | N |
| Missing Description | restrictions | array | Y | N |
| Meta: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Defines/retrieves expel.io organization records | primary_organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| User accounts | user_account | | N | Y |
- class pyexclient.workbench.UserAccounts(data, conn, included=None)[source]
Bases:
ResourceInstance
User accounts
Resource type name is user_accounts.
Example JSON record:
{ 'active': True, 'active_status': 'ACTIVE', 'assignable': True, 'created_at': '2019-01-15T15:35:00-05:00', 'default_filter': 'ALL', 'display_name': 'string', 'email': 'name@company.com', 'engagement_manager': True, 'first_name': 'string', 'homepage_preferences': {}, 'language': 'string', 'last_name': 'string', 'locale': 'string', 'pagerduty_id': 'string', 'phone_number': 'string', 'show_highlighting': True, 'show_new_nav': True, 'timezone': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Active Allows: null | active | boolean | Y | N |
| Restricted to: “ACTIVE”, “LOCKED”, “LOCKED_INVITED”, “LOCKED_EXPIRED”, “ACTIVE_INVITED”, “ACTIVE_EXPIRED”: readonly, no-sort, no-filter | active_status | any | Y | N |
| Can user be assigned items (e.g. investigations, etc) | assignable | boolean | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| User account default filter Restricted to: “ALL”, “MDR”, “PHISHING” | default_filter | any | Y | N |
| Display name Allows: “”, null | display_name | string | Y | N |
| Email | email | string | Y | N |
| Is an engagement manager | engagement_manager | boolean | Y | N |
| First Name | first_name | string | Y | N |
| Homepage preferences Allows: null: no-sort | homepage_preferences | object | Y | N |
| Language Allows: “”, null | language | string | Y | N |
| Last Name | last_name | string | Y | N |
| Locale Allows: “”, null | locale | string | Y | N |
| Pagerduty ID Allows: null | pagerduty_id | string | Y | N |
| Phone number Allows: null | phone_number | string | Y | N |
| Whether or not highlighting is enabled | show_highlighting | boolean | Y | N |
| Whether or not the new navigation UI is displayed: readonly | show_new_nav | boolean | Y | N |
| Timezone Allows: “”, null | timezone | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | actor | | N | Y |
| investigative actions | analysis_assigned_investigative_actions | | N | Y |
| Expel alerts | assigned_expel_alerts | | N | Y |
| Investigations | assigned_investigations | | N | Y |
| investigative actions | assigned_investigative_actions | | N | Y |
| Organization to resilience actions | assigned_organization_resilience_actions | | N | Y |
| Organization to resilience actions | assigned_organization_resilience_actions_list | | N | Y |
| Remediation actions | assigned_remediation_actions | | N | Y |
| Defines/retrieves expel.io remediation_action_setting records | automate_opt_in_for_remediation_action_setting | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| investigative actions | current_assigned_investigative_actions_classification | | N | Y |
| User Notification Preferences | notification_preferences | | N | Y |
| Defines/retrieves expel.io organization records | organizations | | N | Y |
| Defines/retrieves expel.io organization records | primary_organization | | N | Y |
| Defines/retrieves expel.io user_account_role records | primary_user_account_role | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Defines/retrieves expel.io user_account_role records | user_account_roles | | N | Y |
| User account status | user_account_status | | N | Y |
- class pyexclient.workbench.UserTasks(data, conn, included=None)[source]
Bases:
ResourceInstance
Defines/retrieves expel.io user task records
Resource type name is user_tasks.
Example JSON record:
{ 'assigned_to_id': {}, 'created_at': '2019-01-15T15:35:00-05:00', 'data': {}, 'process_name': 'SOC_QC_REVIEW', 'reporting_at': '2019-01-15T15:35:00-05:00', 'task_status': 'NEW', 'task_type': 'ALERT_REVIEW', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Actor to whom the task is assigned Allows: null | assigned_to_id | object | Y | N |
| Created timestamp: readonly | created_at | string | Y | N |
| Data for the specific user task Allows: null: no-sort | data | object | Y | N |
| Process name Restricted to: “SOC_QC_REVIEW”, “PHISHING_AUDIT”, “SIMILARITY_REVIEW” | process_name | any | Y | N |
| Date used to report the item status Allows: null | reporting_at | string | Y | N |
| Task status Restricted to: “NEW”, “ASSIGNED”, “COMPLETED” | task_status | any | Y | N |
| Task type Restricted to: “ALERT_REVIEW”, “INCIDENT_REVIEW”, “INVESTIGATION_REVIEW” | task_type | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | assigned_to | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | expel_alert | | N | Y |
| Investigations | investigation | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
- class pyexclient.workbench.VendorAlertEvidences(data, conn, included=None)[source]
Bases:
ResourceInstance
Vendor alert evidences are extracted from a vendor alert’s evidence summary
Resource type name is vendor_alert_evidences.
Example JSON record:
{'evidence': 'string', 'evidence_type': 'HOSTNAME'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Evidence | evidence | string | Y | N |
| Type Restricted to: “HOSTNAME”, “URL”, “PROCESS_ARGUMENTS”, “PROCESS_PATH”, “PROCESS_MD5”, “USERNAME”, “SRC_IP”, “DST_IP”, “PARENT_ARGUMENTS”, “PARENT_PATH”, “PARENT_MD5”, “SRC_USERNAME”, “DST_USERNAME”, “ALERT_ACTION”, “ALERT_DESCRIPTION”, “ALERT_MESSAGE”, “ALERT_NAME”, “SRC_PORT”, “DST_PORT”, “USER_AGENT”, “VENDOR_NAME”, “DOMAIN”, “FILE_HASH”, “FILE_PATH” | evidence_type | any | Y | N |
| Expel alerts | evidenced_expel_alerts | | N | Y |
| Vendor alerts | vendor_alert | | N | Y |
- class pyexclient.workbench.VendorAlerts(data, conn, included=None)[source]
Bases:
ResourceInstance
Vendor alerts
Resource type name is vendor_alerts.
Example JSON record:
{ 'created_at': '2019-01-15T15:35:00-05:00', 'description': 'string', 'evidence_activity_end_at': '2019-01-15T15:35:00-05:00', 'evidence_activity_start_at': '2019-01-15T15:35:00-05:00', 'evidence_summary': [], 'first_seen': '2019-01-15T15:35:00-05:00', 'original_alert_id': 'string', 'original_source_id': 'string', 'signals': [], 'signature_id': 'string', 'status': 'NORMAL', 'updated_at': '2019-01-15T15:35:00-05:00', 'vendor_message': 'string', 'vendor_severity': 'CRITICAL', 'vendor_sig_name': 'string'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Description Allows: “”, null | description | string | Y | N |
| Evidence activity end datetime Allows: null: immutable | evidence_activity_end_at | string | Y | N |
| Evidence activity start datetime Allows: null: immutable | evidence_activity_start_at | string | Y | N |
| Evidence summary Allows: null: no-sort | evidence_summary | array | Y | N |
| First Seen | first_seen | string | Y | N |
| Allows: null: immutable | original_alert_id | string | Y | N |
| Allows: null: immutable | original_source_id | string | Y | N |
| Signal evidence: no-sort | signals | array | Y | N |
| Signature ID Allows: “”, null | signature_id | string | Y | N |
| Status Restricted to: “NORMAL”, “PROVISIONAL” Allows: null: readonly | status | any | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Vendor Message Allows: “”, null | vendor_message | string | Y | N |
| Vendor alert severity Restricted to: “CRITICAL”, “HIGH”, “MEDIUM”, “LOW”, “TESTING”, “TUNING” Allows: null | vendor_severity | any | Y | N |
| Vendor Sig Name Allows: “”, null | vendor_sig_name | string | Y | N |
| Assemblers | assembler | | N | Y |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Vendor alert evidences are extracted from a vendor alert’s evidence summary | evidences | | N | Y |
| Expel alerts | expel_alerts | | N | Y |
| IP addresses | ip_addresses | | N | Y |
| Defines/retrieves expel.io organization records | organization | | N | Y |
| Security devices | security_device | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Vendors | vendor | | N | Y |
- class pyexclient.workbench.Vendors(data, conn, included=None)[source]
Bases:
ResourceInstance
Vendors
Resource type name is vendors.
Example JSON record:
{'created_at': '2019-01-15T15:35:00-05:00', 'icon': 'string', 'name': 'string', 'updated_at': '2019-01-15T15:35:00-05:00'}
Below are valid filter by parameters:
| Field Description | Field Name | Field Type | Attribute | Relationship |
|---|---|---|---|---|
| Created timestamp: readonly | created_at | string | Y | N |
| Icon Allows: “”, null | icon | string | Y | N |
| Name Allows: “”, null | name | string | Y | N |
| Last Updated timestamp: readonly | updated_at | string | Y | N |
| Defines/retrieves expel.io actor records | created_by | | N | Y |
| Expel alerts | expel_alerts | | N | Y |
| Security devices | security_devices | | N | Y |
| Defines/retrieves expel.io actor records | updated_by | | N | Y |
| Vendor alerts | vendor_alerts | | N | Y |
- class pyexclient.workbench.WorkbenchClient(base_url, username=None, password=None, mfa_code=None, token=None, prompt_on_delete=True)[source]
Bases:
WorkbenchCoreClient
Instantiate a client that interacts with Workbench’s API server.
If the developer specifies a username, then password and mfa_code are required inputs. If the developer has a token, then the username, password and mfa_code parameters are ignored.
- Parameters:
cls (WorkbenchClient) – A Workbench class reference.
username (str or None) – The username
password (str or None) – The username’s password
mfa_code (int or None) – The multi-factor authentication code generated by Google Authenticator.
token (str or None) – The bearer token of an authorized session. Can be used instead of the username/password combo.
- Returns:
An initialized, and authorized Workbench client.
- Return type:
- capabilities(customer_id: str)[source]
Get a list of capabilities for a given customer.
- Parameters:
customer_id (str) – The customer ID
- Examples:
>>> xc.workbench.capabilities("my-customer-guid-123")
- create_auto_inv_action(customer_id: str, security_device_id: str, created_by_id: str, capability_name: str, input_args: dict, title: str, reason: str, investigation_id: str | None = None, expel_alert_id: str | None = None)[source]
Create an automatic investigative action.
- Parameters:
customer_id (str) – The customer ID
investigation_id (str) – The investigation ID to associate the action with.
expel_alert_id (str) – The expel alert id
security_device_id (str) – The security device ID, to dispatch the task against.
created_by_id (str) – The user ID that created the action
capability_name (str) – The name of the capability we are running. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
input_args (dict) – The input arguments to the capability to run. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
title (str) – The title of the investigative action, shows up in Workbench.
reason (str) – The reason for running the investigative action, shows up in Workbench.
- Returns:
Investigative action response
- Return type:
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> input_args = {'user_name': 'willy.wonka@expel.io', 'time_range_start': '2019-01-30T14:00:40Z', 'time_range_end': '2019-01-30T14:45:40Z'}
>>> o = xc.create_auto_inv_action(customer_guid, device_guid, user_guid, 'query_user', input_args, 'Query User', 'Getting user login activity to determine if login is normal', investigation_id=inv_guid)
>>> print("Investigative Action ID: ", o.id)
- create_manual_inv_action(title: str, reason: str, instructions: str, investigation_id: str | None = None, expel_alert_id: str | None = None, security_device_id: str | None = None, action_type: str = 'MANUAL')[source]
Create a manual investigative action.
- Parameters:
title (str) – The title of the investigative action, shows up in Workbench.
reason (str) – The reason for running the investigative action, shows up in Workbench.
instructions (str) – The instructions for running the investigative action.
investigation_id (str) – The investigation ID to associate the action with.
expel_alert_id (str) – The expel alert id
security_device_id (str) – The security device ID, to dispatch the task against.
action_type (str) – The type of action that will be run.
- Returns:
Investigative action response
- Return type:
- Examples:
>>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
>>> o = xc.create_manual_inv_action('title foo', 'reason bar', 'instructions blah')
>>> print("Investigative Action ID: ", o.id)
- class pyexclient.workbench.WorkbenchCoreClient(base_url, username=None, password=None, mfa_code=None, token=None, retries=3, prompt_on_delete=True)[source]
Bases:
object
Instantiate a Workbench core client that provides just authentication and request capabilities to Workbench
If the developer specifies a username, then password and mfa_code are required inputs. If the developer has a token, then the username, password and mfa_code parameters are ignored.
- Parameters:
cls (WorkbenchClient) – A Workbench class reference.
username (str or None) – The username
password (str or None) – The username’s password
mfa_code (int or None) – The multi-factor authentication code generated by Google Authenticator.
token (str or None) – The bearer token of an authorized session. Can be used instead of the username/password combo.
- Returns:
An initialized, and authorized Workbench client.
- Return type:
- login(username, password, code)[source]
Authenticate as a human; this requires providing the 2FA code.
- Parameters:
username (str) – The user’s e-mail address.
password (str) – The user’s password.
code (str) – The 2FA code
- Returns:
The bearer token that allows users to call Workbench APIs.
- Return type:
str
- class pyexclient.workbench.base_filter(filter_value)[source]
Bases:
operator
Base class for operators which take the form filter[field]. Can be used to create a basic one field filter, or subclassed by special operators for more complicated logic
- class pyexclient.workbench.contains(*args)[source]
Bases:
base_filter
The contains operator is used to search for fields that contain a substring.
- Parameters:
value (str) – A substring to be checked against the value of a field.
- Examples:
>>> for ea in xc.expel_alerts.search(close_comment=contains("foo")):
...     print("%s contains foo in the close comment" % ea.expel_name)
- class pyexclient.workbench.flag(filter_value)[source]
Bases:
operator
Base class for operators which take the form flag[field]. Can be used to create a basic one field flag, or subclassed by special operators for more complicated logic
- class pyexclient.workbench.gt(value)[source]
Bases:
base_filter
The gt (greater than) operator is used to search a specific field for values greater than X.
- Parameters:
value (str) – The greater than value to be used in comparison during a search.
- Examples:
>>> for ea in xc.expel_alerts.search(created_at=gt("2020-01-01")):
...     print("%s was created after 2020-01-01" % ea.expel_name)
- class pyexclient.workbench.include(include)[source]
Bases:
operator
The include operator requests base resource names in a search. Cannot be used with sort or filtering. Passed as arg to search TODO enforce this constraint with asserts
- Parameters:
include (str) – Include specific base resource names in request
- Examples:
>>> for ea in xc.expel_alerts.search(include('organization,created_by,updated_by')):
...     print(ea.organization)
- pyexclient.workbench.is_operator(value)[source]
Determine if a value implements an operator.
- Parameters:
value (object) – The value to check
- Returns:
True if value is an operator False otherwise.
- Return type:
bool
- class pyexclient.workbench.isnull(filter_value=True)[source]
Bases:
base_filter
The isnull operator is used to search for fields that are null.
- Examples:
>>> for ea in xc.expel_alerts.search(close_comment=isnull()):
...     print("%s has no close comment" % ea.expel_name)
- class pyexclient.workbench.limit(limit)[source]
Bases:
operator
The limit operator adds a limit to a search. Passed as arg to search
- Parameters:
limit (int) – Limit the number of results returned.
- class pyexclient.workbench.lt(value)[source]
Bases:
base_filter
The lt (less than) operator is used to search a specific field for values less than X.
- Parameters:
value (str) – The less than value to be used in comparison during a search.
- Examples:
>>> for ea in xc.expel_alerts.search(created_at=lt("2020-01-01")):
...     print("%s was created before 2020-01-01" % ea.expel_name)
- class pyexclient.workbench.neq(*args)[source]
Bases:
base_filter
The neq operator is used to search for fields that are not equal to a specified value.
- Parameters:
value (str) – The value to assert the field is not equal to
- Examples:
>>> for ea in xc.expel_alerts.search(close_comment=neq("foo")):
...     print("%s has a close comment that is not equal to 'foo'" % ea.expel_name)
- class pyexclient.workbench.notnull(filter_value=True)[source]
Bases:
base_filter
The notnull operator is used to search for fields that are not null.
- Examples:
>>> for ea in xc.expel_alerts.search(close_comment=notnull()):
...     print("%s has a close comment of %s" % (ea.expel_name, ea.close_comment))
- class pyexclient.workbench.operator(filter_value)[source]
Bases:
object
Base class for all operators. This should not be used directly.
- class pyexclient.workbench.relationship(rel_path, value)[source]
Bases:
operator
relationship operator allows for searching of resource objects based on their relationship to other resource objects. Passed as arg to search
- Parameters:
rel_path (str) – A dot notation of the relationship path to a resource object.
value (object) – The value the rel_path be compared to. This can be an operator, or a primitive value.
- Examples:
>>> for inv_action in xc.investigative_actions.search(relationship("investigation.close_comment", notnull())):
...     print("Found investigative action associated with an investigation that has no close comment.")
- class pyexclient.workbench.sort(sort, order='asc')[source]
Bases:
operator
The sort operator passes a sort request to a search. Can add multiple sort operators to a single search. If no sort is provided the default of sorting by created_at (asc) -> id (asc) will be used. Passed as arg to search TODO enforce this with asserts
- Parameters:
sort (str) – The column to sort on. Expects asc or desc. The database will translate asc->+ and desc->-
- class pyexclient.workbench.startswith(swith)[source]
Bases:
base_filter
The startswith operator is used to search for values that start with a specified string.
- Parameters:
value (str) – The startswith string
- Examples:
>>> for ea in xc.expel_alerts.search(close_comment=startswith("foo")):
...     print("%s starts with foo in the close comment" % ea.expel_name)
- class pyexclient.workbench.window(start, end)[source]
Bases:
base_filter
The window operator is used to search a specific field that is within a window (range) of values
- Parameters:
start (Union[str, int, datetime.datetime]) – The beginning of the window range
end (str) – The end of the window range
- Examples:
>>> for ea in xc.expel_alerts.search(created_at=window("2020-01-01", "2020-05-01")):
...     print("%s was created after 2020-01-01 and before 2020-05-01" % ea.expel_name)
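As an added example that is not code from pyexclient or its documentation, building on the WorkbenchClient and search-operator sections above: it composes the documented relationship, include, sort, limit and window operators into a vendor-alert triage query scoped to one organization and a recent time window, validates the severity against the documented Restricted-to set, and summarizes evidence records of the vendor_alert_evidences shape offline. Assumed, by analogy with the examples above: that xc.vendor_alerts exposes search() like xc.expel_alerts, the relationship path organization.id, and the import path pyexclient.workbench for the operators; only the evidence summary runs without credentials.

```python
"""Added example, not from pyexclient or its docs: compose the documented search
operators into a vendor-alert triage query and summarize the evidence it returns."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Allowed values copied from the vendor_severity and evidence_type field tables above.
VENDOR_SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "TESTING", "TUNING"}
NETWORK_EVIDENCE_TYPES = {"HOSTNAME", "SRC_IP", "DST_IP", "DOMAIN", "URL"}
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"  # same form as the time_range_* values in the input_args example


def recent_window(hours, now=None):
    """Return (start, end) ISO-8601 strings suitable for the window() operator."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    return start.strftime(TIMESTAMP_FMT), end.strftime(TIMESTAMP_FMT)


def search_vendor_alerts(xc, org_id, severities=("CRITICAL", "HIGH"), hours=24, max_results=200):
    """Run one vendor_alerts search per requested severity (no OR operator is documented,
    so severities are queried separately) and return the combined results.
    xc is an authenticated WorkbenchClient; xc.vendor_alerts.search() and the
    organization.id relationship path are assumed by analogy with the examples above."""
    unknown = set(severities) - VENDOR_SEVERITIES
    if unknown:  # validate against the documented Restricted-to set before calling the API
        raise ValueError(f"vendor_severity not in documented set: {sorted(unknown)}")
    from pyexclient.workbench import include, limit, relationship, sort, window  # assumed import path
    start, end = recent_window(hours)
    found = []
    for severity in severities:
        found.extend(xc.vendor_alerts.search(
            relationship("organization.id", org_id),   # scope to one organization
            include("evidences,security_device"),      # sideload related records
            sort("created_at", "desc"),
            limit(max_results),
            vendor_severity=severity,
            created_at=window(start, end),
        ))
    return found


def summarize_evidence(evidence_records):
    """Count evidence_type values and collect network-style indicators from records
    shaped like the vendor_alert_evidences JSON record above (dicts with
    'evidence' and 'evidence_type'). Empty evidence strings are skipped."""
    counts = Counter()
    indicators = set()
    for rec in evidence_records:
        etype = rec.get("evidence_type") or "MISSING_TYPE"
        counts[etype] += 1
        if etype in NETWORK_EVIDENCE_TYPES and rec.get("evidence"):
            indicators.add((etype, rec["evidence"]))
    return counts, sorted(indicators)


# Constructed sample records (not real data) in the documented vendor_alert_evidences shape.
SAMPLE_EVIDENCE = [
    {"evidence": "wks-0420.corp.example", "evidence_type": "HOSTNAME"},
    {"evidence": "10.0.12.7", "evidence_type": "SRC_IP"},
    {"evidence": "C:\\Windows\\System32\\svchost.exe", "evidence_type": "PROCESS_PATH"},
    {"evidence": "10.0.12.7", "evidence_type": "SRC_IP"},
    {"evidence": "", "evidence_type": "DST_IP"},
]
```

Calling summarize_evidence(SAMPLE_EVIDENCE) returns the per-type counts and the two unique (type, value) network indicators; the duplicate SRC_IP is counted twice but listed once, and the empty DST_IP is counted but not listed.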