Expel Demisto
#!/usr/bin/env python | |
import copy | |
import io | |
import json | |
import os | |
import pprint | |
import sys | |
import time | |
from collections import OrderedDict | |
from urllib.parse import urlencode | |
from urllib.parse import urljoin | |
from datetime import datetime, timedelta | |
import requests | |
from requests.adapters import HTTPAdapter | |
from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
from urllib3.util.retry import Retry | |
# Silence urllib3's InsecureRequestWarning process-wide. This only hides the warning that urllib3
# emits when a request is sent with certificate verification turned off; it does not itself change
# whether verification happens (that is decided wherever verify=False is passed, which is not in
# this part of the file). Anyone debugging a TLS problem should know the warning is suppressed here.
# NOTE(review): urllib3 is imported both as requests.packages.urllib3 (above) and as the top-level
# urllib3 package (Retry); presumably they resolve to the same module -- confirm for the pinned
# requests version.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# __version__ = (0,0,42)
# Timestamp layout for API date values: ISO-8601 with a literal trailing 'Z'. strftime/strptime
# treat the 'Z' as a plain character, so no timezone conversion happens through this format.
DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
# Author's note, kept verbatim.
''' REMOVE the following '''
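class JsonResp(object):
    '''
    This class wraps the all HTTP request responses that meet the JSON API spec. It transparently
    handles the following situations:
    * Automatically paginate if you iterate over the response object
    * If an error is detected raise the descriptive error handed back by the API server
    * Handle creation of new objects, filtering (querying out objects), and retrevial of results

    ``cls`` is the ``BaseEntry`` subclass being queried; its ``_api_type``, ``_def_attributes`` and
    ``_def_relationships`` class attributes drive URL construction. ``conn`` is the connection
    object whose ``request(method, url)`` returns a requests-style response. Iteration relies on the
    module-level ``RELATIONSHIP_TO_CLASS`` table (defined elsewhere in this file) to map a JSON API
    ``type`` onto the class that wraps it.
    '''

    def __init__(self, cls, content=None, api_type=None, conn=None):
        '''
        :param cls: The BaseEntry subclass whose resources this response holds
        :param content: An already-decoded JSON API document, or None to fetch on first iteration
        :param api_type: Accepted for signature compatibility but ignored; ``cls._api_type`` is used
        :param conn: Connection object used for pagination, ``get`` and ``filter_by`` requests
        '''
        self.cls = cls
        self.content = content
        # Always derive the resource type from the wrapped class so the two cannot disagree.
        self.api_type = cls._api_type
        self.conn = conn

    def make_url(self, api_type, relation=None, valu=None, relationship=False, include=None):
        '''
        Construct a JSON API compliant URL that handles requesting relationships, filtering, and including resources.

        :param api_type: The base JSON API resource type
        :type api_type: str
        :param relation: A JSON API resource type relationship to filter by
        :type relation: str or None
        :param valu: The ID for the ``api_type``
        :type valu: GUID or None
        :param relationship: A flag indicating the relationships suffix should be used when constructing the JSON API URL
        :type relationship: bool or None
        :param include: Accepted but not used here; ``build_url`` turns it into an ``include`` query parameter
        :type include: str or None
        :return: A JSON API compliant URL path (no query string)
        :rtype: str

        Examples:
            >>> url = self.make_url('actors', valu='d5f17397-aab2-4c0d-ae1e-b3cd3b95501e')
            >>> url = self.make_url('customers', valu='90e00eb7-b942-4ddf-bea0-4a733e68908a', relation='investigations')
        '''
        url = '/api/v2/%s' % api_type
        if valu is not None:
            url += '/%s' % valu
        # A relation equal to the resource itself is a no-op (``/actors/<id>/actors`` is never wanted).
        if relation and relation != api_type:
            if relationship:
                url += '/relationships'
                # NOTE:
                # The route `GET /:resource/:id/:relation` returns related data (and allows sorting, filtering, etc of that data).
                # the routes `GET|POST|PATCH|DELETE /:resource/:id/relationships/:relation` Are used to view and manipulate the *relationships* themselves (i.e. they are not designed for viewing the actual data of the related records).
            url += '/%s' % relation
        return url

    def build_url(self, id=None, relation=None, limit=None, include=None, **kwargs):
        '''
        Given some JSON API retrieval inputs such as id, limit, or other filters. Build the URI that is JSON API compliant.

        :param id: The ID of the resource
        :type id: str or None
        :param relation: A relation that will return related data
        :type relation: str or None
        :param limit: limit the number of resources returned
        :type limit: int or None
        :param include: Related resource to include in the response (``?include=<name>``)
        :type include: str or None
        :param kwargs: This kwargs dict is any attribute that the JSON resource has that a developer wants to filter on.
            ``flag_<name>`` becomes ``flag[<name>]``; ``<field>_gt`` / ``<field>_lt`` become ``filter[<field>]=><v>`` /
            ``<<v>``; a declared attribute becomes ``filter[<attr>]``; a declared relationship, optionally followed by
            ``__<sub>`` segments and/or an ``_id`` suffix, becomes ``filter[<rel>][<sub>][id]``.
        :type kwargs: dict or None
        :return: A JSON API compliant URL
        :rtype: str
        :raises Exception: if a keyword argument matches none of the forms above

        Examples:
            >>> url = xc.investigations.build_url(id=some_guid)
            >>> url = xc.investigations.build_url(customer_id=CUSTOMER_GUID, limit=10)
        '''
        # ``flag_<name>=<value>`` becomes ``flag[<name>]=<value>``, e.g. ?flag[scope]=exclude_expired.
        # Flags are emitted first so the query string keeps the historical ordering.
        query = [('flag[%s]' % name[len('flag_'):], value)
                 for name, value in kwargs.items() if name.startswith('flag_')]
        # ``<field>_gt=<v>`` / ``<field>_lt=<v>`` become ``filter[<field>]=><v>`` / ``<<v>``.
        # Only gt/lt are supported; there is no gte/lte spelling.
        op_look_up = {'_gt': '>', '_lt': '<'}
        unrecognized = []
        for orig_name, orig_value in kwargs.items():
            if orig_name.startswith('flag_'):
                continue
            name, value = orig_name, orig_value
            for op_name, op in op_look_up.items():
                if name.endswith(op_name):
                    name = name[:-len(op_name)]
                    value = '%s%s' % (op, value)
            matched = False
            # Plain attribute filter: ?filter[<attr>]=<value>
            if name in self.cls._def_attributes:
                query.append(('filter[%s]' % name, value))
                matched = True
            # Relationship filter. Only a *trailing* ``_id`` means "filter on the related id"
            # (a substring match would mangle names that merely contain ``_id``), and ``__``
            # descends one relationship further. For example
            # investigative_actions.filter_by(action_type='MANUAL', investigation__customer_id='<guid>')
            # produces ?filter[action_type]=MANUAL&filter[investigation][customer][id]=<guid>
            has_id = name.endswith('_id')
            rname = name[:-len('_id')] if has_id else name
            parts = rname.split('__')
            if parts[0] in self.cls._def_relationships:
                qstr = 'filter' + ''.join('[%s]' % part for part in parts)
                if has_id:
                    qstr += '[id]'
                query.append((qstr, value))
                matched = True
            # NOTE(review): a name that is both a declared attribute and a relationship path emits
            # both filters, exactly as the original code did; confirm that is intended.
            if not matched:
                unrecognized.append('%s=%s' % (orig_name, orig_value))
        if unrecognized:
            raise Exception("Unrecognized parameters %s!" % ','.join(unrecognized))
        # NOTE: This is how you can do multilple filter bys.. We aren't going to leave this code enabled..
        # if type(id) == list:
        #     for val in id:
        #         query.append(('filter[id][]', val))
        #     id = None
        url = self.make_url(self.api_type, valu=id, relation=relation, include=include)
        if limit is not None:
            query.append(('page[limit]', limit))
        if include is not None:
            query.append(('include', include))
        if query:
            url = url + '?' + urlencode(query)
        return url

    def filter_by(self, **kwargs):
        '''
        Issue a JSON API call requesting a JSON API resource is filtered by some set
        of attributes, id, limit, etc.

        :param kwargs: Filter arguments; forwarded unchanged to ``build_url``
        :type kwargs: dict
        :return: This object, with ``content`` replaced by the first page of results
        :rtype: JsonResp

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> for inv in xc.investigations.filter_by(customer_id=CUSTOMER_GUID):
            >>>     print(inv.title)
        '''
        url = self.build_url(**kwargs)
        self.content = self.conn.request('get', url).json()
        return self

    def count(self):
        '''
        Return the number of records in a JSON API response.

        The value is ``meta.page.total`` as reported by the server, i.e. the total across all
        pages, not the number of entries held in the current page.

        :return: The number of records in a JSON API response (0 if the server sent no total)
        :rtype: int
        :raises Exception: if no response content has been loaded yet

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> print("Investigation Count: ", xc.investigations.filter_by(customer_id=CUSTOMER_GUID).count())
        '''
        if not self.content:
            raise Exception('No data to count!')
        return self.content.get('meta', {}).get('page', {}).get('total', 0)

    def one_or_none(self):
        '''
        Return one record from a JSON API response or None if there were no records.

        :return: The first entry produced by iterating this response, or None
        :rtype: BaseEntry or None

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> inv = xc.investigations.filter_by(customer_id=CUSTOMER_GUID).one_or_none()
            >>> print(inv.title)
        '''
        return next(iter(self), None)

    def get(self, **kwargs):
        '''
        Request a JSON api resource by id.

        :param kwargs: Exactly one keyword argument, ``id``, the GUID of the resource
        :return: The wrapped resource
        :rtype: BaseEntry
        :raises ValueError: if the keyword arguments are not exactly ``id=...`` or the server
            returns something other than a single resource object

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> inv = xc.investigations.get(id=investigation_guid)
            >>> print(inv.title)
        '''
        # Explicit checks rather than ``assert``: assertions vanish under ``python -O``.
        if set(kwargs) != {'id'}:
            raise ValueError('get() takes exactly one keyword argument, id; got %s' % ','.join(sorted(kwargs)))
        url = self.build_url(**kwargs)
        content = self.conn.request('get', url).json()
        data = content['data']
        if not isinstance(data, dict):
            raise ValueError('Expected a single resource for id %s, got %s' % (kwargs['id'], type(data).__name__))
        return self.cls(data, self.conn)

    def _iter_page(self, content):
        '''
        Yield a wrapped object for every primary and included resource on one page.

        :param content: One decoded JSON API document
        :type content: dict
        '''
        entries = content.get('data', [])
        if entries is None:
            entries = []
        elif not isinstance(entries, list):
            entries = [entries]
        # ``included`` is optional in a JSON API document; treat a missing/null block as empty
        # instead of failing on ``for entry in None``.
        for entry in entries + (content.get('included') or []):
            yield RELATIONSHIP_TO_CLASS[entry['type']](entry, self.conn)

    def __iter__(self):
        '''
        Iterate over the JSON response. This iterator will paginate the response to traverse all records return by
        the JSON API request. Included resources are yielded after each page's primary data.

        Only the first page is cached on ``self.content``; later pages are fetched via ``links.next``
        every time the object is iterated.

        :return: An iterator of wrapped resources
        :rtype: Iterator[BaseEntry]
        '''
        if self.content is None:
            url = self.make_url(self.api_type)
            self.content = self.conn.request('get', url).json()
        content = self.content
        # TODO: need unit tests to test paginations
        while True:
            for entry in self._iter_page(content):
                yield entry
            next_uri = (content.get('links') or {}).get('next')
            if not next_uri:
                break
            content = self.conn.request('get', next_uri).json()

    def create(self, **kwargs):
        '''
        Create a BaseEntry object that represents some Json API resource.

        Nothing is sent to the server until ``save()`` is called on the returned object.

        :param kwargs: Attributes to set on the new JSON API resource.
        :type kwargs: dict
        :return: A BaseEntry object that represents the JSON API resource type requested by the dev.
        :rtype: BaseEntry

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=CUSTOMER_GUID, relationship_assigned_to_actor=PETER_S)
            >>> i.save()
        '''
        return self.cls.create(self.conn, **kwargs)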
# AUTO GENERATE FIELD TO TYPE
# Relationship / field name -> JSON API resource type. Consulted by Relationship.to_relationship
# and BaseEntry.create (to pick the ``type`` of a relationship entry) and by BaseEntry._rel_to_class
# (as a fallback key into RELATIONSHIP_TO_CLASS). Names absent here fall back to the name itself.
MACGYVER_FIELD_TO_TYPE = dict(
    actor='actors',
    analysis_assigned_investigative_actions='investigative_actions',
    analysis_assigned_to_actor='actors',
    api_keys='api_keys',
    assembler='assemblers',
    assemblers='assemblers',
    asset_groups='asset_groups',
    assets='assets',
    assignables='actors',
    assigned_customer_resilience_actions='customer_resilience_actions',
    assigned_customer_resilience_actions_list='customer_resilience_actions',
    assigned_expel_alerts='expel_alerts',
    assigned_investigations='investigations',
    assigned_investigative_actions='investigative_actions',
    assigned_organization_resilience_actions='organization_resilience_actions',
    assigned_organization_resilience_actions_list='organization_resilience_actions',
    assigned_remediation_actions='remediation_actions',
    assigned_to_actor='actors',
    assigned_to_org='actors',
    child_actors='actors',
    child_security_devices='security_devices',
    child_vendor_devices='vendor_devices',
    coincident_vendor_alerts='vendor_alerts',
    comment='comments',
    comment_histories='comment_histories',
    comments='comments',
    configuration_default='configuration_defaults',
    configuration_defaults='configuration_defaults',
    configurations='configurations',
    context_label='context_labels',
    context_label_actions='context_label_actions',
    context_label_tags='context_label_tags',
    context_labels='context_labels',
    created_by='actors',
    customer='customers',
    customer_device='customer_devices',
    customer_devices='customer_devices',
    customer_em_meta='customer_em_meta',
    customer_resilience_action='customer_resilience_actions',
    customer_resilience_action_group='customer_resilience_action_groups',
    customer_resilience_action_groups='customer_resilience_action_groups',
    customer_resilience_actions='customer_resilience_actions',
    customers='customers',
    dependent_investigative_actions='investigative_actions',
    depends_on_investigative_action='investigative_actions',
    destination_expel_alerts='expel_alerts',
    destination_investigations='investigations',
    destination_ip_addresses='ip_addresses',
    engagement_manager='engagement_managers',
    evidence='vendor_alert_evidences',
    evidenced_expel_alerts='expel_alerts',
    evidences='vendor_alert_evidences',
    expel_alert='expel_alerts',
    expel_alert_histories='expel_alert_histories',
    expel_alert_threshold='expel_alert_thresholds',
    expel_alert_threshold_histories='expel_alert_threshold_histories',
    expel_alerts='expel_alerts',
    expel_user='user_accounts',
    expel_users='expel_users',
    features='features',
    files='files',
    findings='investigation_findings',
    hunting_statuses='hunting_statuses',
    integrations='integrations',
    investigation='investigations',
    investigation_histories='investigation_histories',
    investigation_resilience_actions='investigation_resilience_actions',
    investigations='investigations',
    investigative_action='investigative_actions',
    investigative_action_histories='investigative_action_histories',
    investigative_actions='investigative_actions',
    ip_addresses='ip_addresses',
    labels='configuration_labels',
    lead_expel_alert='expel_alerts',
    nist_category='nist_categories',
    nist_subcategories='nist_subcategories',
    nist_subcategory='nist_subcategories',
    nist_subcategory_score='nist_subcategory_scores',
    nist_subcategory_score_histories='nist_subcategory_score_histories',
    nist_subcategory_scores='nist_subcategory_scores',
    notification_preferences='notification_preferences',
    organization='organizations',
    organization_em_meta='organization_em_meta',
    organization_resilience_action='organization_resilience_actions',
    organization_resilience_action_group='organization_resilience_action_groups',
    organization_resilience_action_group_actions='organization_resilience_actions',
    organization_resilience_action_groups='organization_resilience_action_groups',
    organization_resilience_actions='organization_resilience_actions',
    organization_status='organization_statuses',
    organization_user_account_roles='user_account_roles',
    organizations='organizations',
    parent_actor='actors',
    parent_security_device='security_devices',
    parent_vendor_device='vendor_devices',
    primary_organization='organizations',
    products='products',
    related_investigations='investigations',
    related_investigations_via_involved_host_ips='investigations',
    remediation_action='remediation_actions',
    remediation_action_histories='remediation_action_histories',
    remediation_action_type='remediation_action_types',
    remediation_actions='remediation_actions',
    resilience_action_group='resilience_action_groups',
    resilience_actions='resilience_actions',
    review_requested_by='actors',
    saml_identity_provider='saml_identity_providers',
    secret='secrets',
    security_device='security_devices',
    security_devices='security_devices',
    similar_alerts='expel_alerts',
    source_expel_alerts='expel_alerts',
    source_investigations='investigations',
    source_ip_addresses='ip_addresses',
    source_resilience_action='resilience_actions',
    source_resilience_action_group='resilience_action_groups',
    status_last_updated_by='actors',
    suppressed_by='expel_alert_thresholds',
    suppresses='expel_alert_thresholds',
    timeline_entries='timeline_entries',
    ui_discoveries='ui_discoveries',
    updated_by='actors',
    user_account='user_accounts',
    user_account_roles='user_account_roles',
    user_account_status='user_account_statuses',
    user_accounts='user_accounts',
    user_accounts_with_roles='user_accounts',
    vendor='vendors',
    vendor_alert='vendor_alerts',
    vendor_alerts='vendor_alerts',
    vendor_device='vendor_devices',
    vendor_devices='vendor_devices',
)
# END AUTO GENERATE FIELD TO TYPE
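class Relationship(object):
    '''
    The object acts a helper to handle JSON API relationships. The object is just a dummy that
    allows for setting / getting attributes that are extracted from the relationship part of the
    JSON API response. Additionally, the object will allow for conversion to a JSON API compliant
    relationship block to include in a request.

    Public attribute names are relationship names; their values are either a ``RelEntry`` (as
    loaded from a response) or a raw id / list of ids (as assigned by callers). Names beginning
    with ``_`` are ordinary instance attributes (``_rels``, ``_modified``).
    '''

    def __init__(self):
        self._rels = {}
        self._modified = False

    def __getattr__(self, key):
        '''
        Resolve a relationship name that is not already in the instance dict.

        :raises AttributeError: if ``key`` is unknown. AttributeError (rather than the KeyError the
            ``_rels`` lookup would produce) keeps ``hasattr`` and ``getattr(obj, name, default)`` working.
        '''
        if key.startswith('_'):
            # Private names live in the instance dict; reaching here means they are absent.
            raise AttributeError(key)
        try:
            return self._rels[key]
        except KeyError:
            raise AttributeError(key) from None

    def __setattr__(self, key, valu):
        # Public names are recorded in ``_rels`` (and marked modified) as well as being stored on
        # the instance, so both ``obj.name`` and ``to_relationship`` see the same value.
        if not key.startswith('_'):
            self._rels[key] = valu
            super().__setattr__('_modified', True)
        super().__setattr__(key, valu)

    def to_relationship(self):
        '''
        Generate a JSON API compliant relationship section.

        Entries are skipped when the ``RelEntry`` has no type, when the id is None, and for the two
        relationship names listed in the TODO below. Plural relationship names produce a list under
        ``data`` (a single id is wrapped into a one-element list); singular names produce an object.

        :return: A dict that is JSON API compliant relationship section.
        :rtype: dict
        '''
        relationships = {}
        for relname, relid in self._rels.items():
            reltype = MACGYVER_FIELD_TO_TYPE.get(relname, relname)
            if not reltype.endswith('s'):
                # NOTE(review): this pluralises ``relname`` rather than ``reltype``; for a mapped
                # type that does not end in 's' the two differ. Kept as-is pending confirmation.
                reltype = '%ss' % relname
            if isinstance(relid, RelEntry):
                if relid.type is None:
                    continue
                reltype = relid.type
                relid = relid.id
            if relid is None:
                continue
            # TODO: Remove this when MacGyver issues fix .. I think..
            if relname in ('notification_preferences', 'organization_status'):
                continue
            if relname.endswith('s'):
                ids = relid if isinstance(relid, list) else [relid]
                relationships[relname] = {'data': [{'id': rid, 'type': reltype} for rid in ids]}
            else:
                relationships[relname] = {'data': {'id': relid, 'type': reltype}}
        return relationships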
class RelEntry(object):
    '''
    The id/type pair found in one ``relationships.<name>.data`` block of a JSON API resource.

    Both ``id`` and ``type`` stay None when the block is absent (``None``) or is a list (a to-many
    relationship); in the list case a diagnostic line is printed and the entry is left empty.
    '''

    def __init__(self, relentry):
        self.id = None
        self.type = None
        entry = {} if relentry is None else relentry
        if isinstance(entry, list):
            print("HIT A RELATIONSHIP ENTRY THAT IS A LIST!")
            return
        self.id = entry.get('id')
        self.type = entry.get('type')
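class BaseEntry(object):
    '''
    Base class for every JSON API resource type. An instance wraps one resource object: fields in
    ``attributes`` are exposed as plain attributes, relationships are fetched lazily on attribute
    access (via the relationship's ``related`` link, cached in ``_relobjs``), and the raw id/type
    entries are available under ``obj.relationship.<name>``.

    Used as a context manager, ``__exit__`` calls ``save()`` only when the object is new or an
    attribute / relationship was modified, so read-only use issues no PATCH.

    Subclasses set ``_api_type`` (the JSON API type and ``/api/v2/<type>`` path segment) plus
    ``_def_attributes`` / ``_def_relationships`` (consumed by ``JsonResp.build_url``). Module-level
    ``RELATIONSHIP_TO_CLASS``, ``RELATIONSHIP_TO_CLASS_EXT`` and ``MACGYVER_FIELD_TO_TYPE`` are
    looked up at call time.
    '''
    _api_type = None

    def __init__(self, data, conn):
        '''
        :param data: One JSON API resource object (``id``, ``attributes``, ``relationships``)
        :type data: dict
        :param conn: Connection object; ``request(method, url, ...)`` returns a requests-style response
        '''
        self._data = data
        self._id = data.get('id')
        # ``setdefault`` keeps ``_attrs`` aliased to ``data['attributes']`` (so edits flow back into
        # ``_data``) while tolerating a resource with no attributes block at all.
        self._attrs = data.setdefault('attributes', {})
        self._create_id = self._attrs.get('id')
        # No server-side id means the object was built locally and must be POSTed by ``save``.
        self._create = self._id is None
        self._conn = conn
        self._modified_fields = set()
        self._relationship = Relationship()
        self._relobjs = {}
        self._deleted = False
        for relname, relinfo in self._data.get('relationships', {}).items():
            # NOTE(review): for a list-valued (to-many) relationship RelEntry leaves id/type None,
            # so only to-one relationships carry an id here.
            setattr(self._relationship, relname, RelEntry(relinfo.get('data')))
        # Modified flag gets flipped to true when we build the relationships .. So we set it to False
        # once we are done.. This is pretty hacky..
        setattr(self._relationship, '_modified', False)

    def __enter__(self):
        return self

    def __exit__(self, type, value, traceback):
        if self._deleted:
            return
        # If we aren't creating a new resource, we haven't modified any attributes, and we have no modified relationships
        # then all we've done is grab fields out the object.. THere is no need to issue a patch.
        if not self._create and not self._modified_fields and not self._relationship._modified:
            return
        self.save()
        return

    def _rel_to_class(self, key):
        '''
        Map a relationship name or JSON API type to the class that wraps it.

        Tries ``RELATIONSHIP_TO_CLASS``, then ``RELATIONSHIP_TO_CLASS_EXT``, then translates the name
        through ``MACGYVER_FIELD_TO_TYPE`` and looks that type up in ``RELATIONSHIP_TO_CLASS``.

        :raises KeyError: if none of the tables know ``key``
        '''
        if key in RELATIONSHIP_TO_CLASS:
            return RELATIONSHIP_TO_CLASS[key]
        if key in RELATIONSHIP_TO_CLASS_EXT:
            return RELATIONSHIP_TO_CLASS_EXT[key]
        return RELATIONSHIP_TO_CLASS[MACGYVER_FIELD_TO_TYPE[key]]

    def __getattr__(self, key):
        '''
        Resolve ``obj.<name>`` for names that are not real instance attributes.

        Lookup order: a relationship (fetched from its ``related`` link on first access and cached),
        a field from the ``attributes`` block, then the literal name ``relationship``.

        :raises AttributeError: for ``_``-prefixed names, which are genuinely absent if we get here
        :raises ValueError: for any other unknown public name (kept for backward compatibility;
            note this means ``hasattr(obj, name)`` raises instead of returning False)
        '''
        if key.startswith('_'):
            # ``object`` has no ``__getattr__`` to defer to; raise the conventional error directly.
            raise AttributeError(key)
        # Same default as ``__init__``: a resource without a relationships block is valid.
        relationships = self._data.get('relationships', {})
        if key in relationships:
            if key not in self._relobjs:
                # Look up the relationship information
                url = relationships[key]['links']['related']
                resp_data = self._conn.request('get', url).json()['data']
                if resp_data is None:
                    return None
                cls = self._rel_to_class(key)
                if isinstance(resp_data, dict):
                    self._relobjs[key] = cls(resp_data, self._conn)
                else:
                    # Sometimes we get data as a list, for example an investigation_findings response
                    self._relobjs[key] = [cls(entry, self._conn) for entry in resp_data]
            return self._relobjs[key]
        if key in self._attrs:
            # Get a field in the attributes
            return self._attrs[key]
        if key == 'relationship':
            return self._relationship
        raise ValueError('Looking up %s, relationship doesnt exist!' % key)

    def __setattr__(self, key, valu):
        '''
        Assign to a known attribute field and record it as modified; private names go straight
        onto the instance.

        :raises ValueError: if a public name is not a field of this resource
        '''
        if not key.startswith('_'):
            if key not in self._attrs:
                raise ValueError('%s is an unrecognized attribute!' % key)
            self._attrs[key] = valu
            self._modified_fields.add(key)
            return
        super().__setattr__(key, valu)

    @classmethod
    def from_resp(cls, data, conn=None):
        '''
        Wrap a resource object taken from a response.

        :param data: One JSON API resource object
        :param conn: Connection object (the original signature omitted it, which made the call fail)
        '''
        return cls(data, conn)

    def __repr__(self):
        # A shallow copy is enough: pformat only reads, and ``id`` must not leak into ``_attrs``.
        attrs = dict(self._attrs)
        attrs['id'] = self._id
        return pprint.pformat(attrs)

    @property
    def id(self):
        return self._id

    def save(self):
        '''
        Persist the object: POST for a locally created resource, otherwise PATCH with only the
        modified attributes. The relationship block is always sent.

        :return: A fresh wrapper built from the resource the server returned
        :rtype: BaseEntry
        '''
        relationships = self._relationship.to_relationship()
        if self._create:
            body = {'data': {'type': self._api_type, 'attributes': self._attrs, 'relationships': relationships}}
            if self._create_id:
                body['id'] = self._create_id
            resp = self._conn.request('post', '/api/v2/{}'.format(self._api_type), data=json.dumps(body))
        else:
            attrs = {field: self._attrs[field] for field in self._modified_fields}
            body = {'data': {'type': self._api_type, 'attributes': attrs, 'relationships': relationships}}
            # NOTE(review): ``id`` is sent at the top level rather than inside ``data``; the server
            # has evidently accepted this so it is left unchanged -- confirm against the API.
            body['id'] = self._id
            resp = self._conn.request('patch', '/api/v2/{}/{}'.format(self._api_type, self._id), data=json.dumps(body))
        data = resp.json()['data']
        self._id = data['id']
        self._create = False
        return self._rel_to_class(self._api_type)(data, self._conn)

    @classmethod
    def create(cls, conn, **kwargs):
        '''
        Build an unsaved resource from keyword arguments.

        ``relationship_<name>=<id>`` arguments become relationship entries (typed via
        ``MACGYVER_FIELD_TO_TYPE``, falling back to ``<name>s``); everything else with a non-None
        value becomes an attribute. Nothing is sent until ``save()``.
        '''
        attrs = {k: v for k, v in kwargs.items() if not k.startswith('relationship_') and v is not None}
        rels = {}
        for k, v in kwargs.items():
            if k.startswith('relationship_'):
                name = k[len('relationship_'):]
                rels[name] = {'data': {'id': v, 'type': MACGYVER_FIELD_TO_TYPE.get(name, '%ss' % name)}}
        return cls({'attributes': attrs, 'relationships': rels}, conn)

    def delete(self):
        '''
        DELETE this resource on the server and mark the object so ``__exit__`` will not save it.
        '''
        body = {'data': {'type': self._api_type, 'attributes': self._attrs}}
        body['id'] = self._id
        self._conn.request('delete', '/api/v2/{}/{}'.format(self._api_type, self._id), data=json.dumps(body))
        self._deleted = True

    # TODO: Depreciate this in favor of download, need to update Jager's use of this first
    def download_csv(self, fn):
        '''
        Download a ``files`` resource as CSV to the path ``fn``. Returns None (without downloading)
        for any other resource type. Thin wrapper over ``download``.
        '''
        if self._api_type != 'files':
            return None
        with open(fn, 'wb') as fd:
            self.download(fd, fmt='csv')

    def download(self, fd, fmt='json'):
        '''
        Download data from an investigative action. This can only be called on InvestigativeAction or Files objects.

        :param fd: Buffer to write the response to.
        :type fd: File bytes object
        :param fmt: The format to request the data be returned in. This is handled by MacGyver.
        :type fmt: str
        :raises Exception: if called on any other resource type

        Examples:
            >>> import json
            >>> import pprint
            >>> import tempfile
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> with xc.investigative_actions.get(id=inv_act_id) as ia:
            >>>     fd = tempfile.NamedTemporaryFile(delete=False)
            >>>     ia.download(fd)
            >>>     with open(fd.name, 'r') as fd:
            >>>         pprint.pprint(json.loads(fd.read()))
        '''
        if self._api_type == 'files':
            resp = self._conn.request('get', '/api/v2/{}/{}/download?format={}'.format(self._api_type, self._id, fmt))
        elif self._api_type == 'investigative_actions':
            # Investigative action results are served via the task that produced them.
            resp = self._conn.request('get', '/api/v2/tasks/{}/download?format={}'.format(self.result_task_id, fmt))
        else:
            raise Exception("Can not download from api type: %s!" % self._api_type)
        for chunk in resp.iter_content(chunk_size=1024):
            if chunk:
                fd.write(chunk)

    def upload(self, filename, fbytes, expel_file_type=None, file_meta=None):
        '''
        Upload data associated with an investigative action. Can only be called on InvestigativeAction objects.

        Creates a ``files`` resource linked to this action's customer, posts the bytes to it, then
        marks this action READY_FOR_ANALYSIS with the file attached.

        :param filename: Filename, this shows up in Workbench.
        :type filename: str
        :param fbytes: A bytes string representing raw bytes to upload
        :type fbytes: bytes
        :param expel_file_type: Passed through to the files resource
        :param file_meta: File metadata; defaults to an investigative_action ``results`` file
        :return: The id of the created files resource
        :rtype: str
        :raises Exception: if called on another resource type or the customer cannot be determined

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> with xc.investigative_actions.get(id=inv_act_id) as ia:
            >>>     ia.upload('test.txt', b'hello world')
        '''
        if self._api_type != 'investigative_actions':
            raise Exception("Can not upload for api type: %s!" % self._api_type)
        # set file_meta to a default..
        if file_meta is None:
            file_meta = {'investigative_action': {'file_type': 'results'}}
        # Get the customer id from the inv or expel alert relationship
        if self.relationship.investigation.id:
            customer_id = self._conn.investigations.get(id=self.relationship.investigation.id).customer.id
        elif self.relationship.expel_alert.id:
            customer_id = self._conn.expel_alerts.get(id=self.relationship.expel_alert.id).customer.id
        else:
            raise Exception("Could not determine customer id")
        # Create a files object
        f = self._conn.files.create(filename=filename, file_meta=file_meta, expel_file_type=expel_file_type)
        f.relationship.customer = customer_id
        # This gets pluralized ..
        f.relationship.investigative_actions = self.id
        fid = f.save().id
        # Upload the data
        files = {'file': io.BytesIO(fbytes)}
        self._conn.request('post', '/api/v2/files/{}/upload'.format(fid), files=files)
        # Set it ready for analysis.
        with self._conn.investigative_actions.get(id=self.id) as ia:
            ia.status = 'READY_FOR_ANALYSIS'
            ia.relationship.files = fid
        return fid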
# AUTO GENERATE JSONAPI CLASSES
class EngagementManagers(BaseEntry):
    '''
    Defines/retrieves expel.io engagement_manager records

    Below are valid filter by parameters:

        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Field Description                             | Field Name        | Field Type     | Attribute     | Relationship     |
        +===============================================+===================+================+===============+==================+
        | Phone number<br/>Allows: null                 | phone_number      | string         | Y             | N                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Created timestamp<br/>Meta: readonly          | created_at        | string         | Y             | N                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Last Updated timestamp<br/>Meta: readonly     | updated_at        | string         | Y             | N                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Active<br/>Allows: null                       | active            | boolean        | Y             | N                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Email<br/>Allows: null                        | email             | string         | Y             | N                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Display name<br/>Allows: "", null             | display_name      | string         | Y             | N                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Missing Description                           | created_by        | object         | N             | Y                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Missing Description                           | updated_by        | object         | N             | Y                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Missing Description                           | organizations     | object         | N             | Y                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+
        | Missing Description                           | customers         | object         | N             | Y                |
        +-----------------------------------------------+-------------------+----------------+---------------+------------------+

    Generated class: the three class attributes below are the only hand-relevant part. They are
    read by ``JsonResp.build_url`` to decide which keyword arguments are accepted as filters.
    '''
    # JSON API resource type; also the path segment used for /api/v2/<type>[/<id>] requests.
    _api_type = 'engagement_managers'
    # Names accepted by JsonResp.build_url as ``filter[<name>]`` parameters.
    _def_attributes = ["phone_number", "created_at", "updated_at", "active", "email", "display_name"]
    # Names accepted by JsonResp.build_url as the first segment of a ``filter[<rel>]...`` path.
    _def_relationships = ["created_by", "updated_by", "organizations", "customers"]
class VendorAlertEvidences(BaseEntry):
    '''
    Vendor alert evidences are extracted from a vendor alert's evidence summary

    Below are valid filter by parameters:

        +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
        | Field Description                                                                                                                                                                  | Field Name                 | Field Type     | Attribute     | Relationship     |
        +====================================================================================================================================================================================+============================+================+===============+==================+
        | Evidence                                                                                                                                                                           | evidence                   | string         | Y             | N                |
        +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
        | Type<br/>Restricted to: "HOSTNAME", "URL", "PROCESS_ARGUMENTS", "PROCESS_PATH", "PROCESS_MD5", "USERNAME", "SRC_IP", "DST_IP", "PARENT_ARGUMENTS", "PARENT_PATH", "PARENT_MD5"   | evidence_type              | any            | Y             | N                |
        +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
        | Missing Description                                                                                                                                                                | evidenced_expel_alerts     | object         | N             | Y                |
        +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
        | Missing Description                                                                                                                                                                | vendor_alert               | object         | N             | Y                |
        +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+

    Generated class: the three class attributes below are the only hand-relevant part. They are
    read by ``JsonResp.build_url`` to decide which keyword arguments are accepted as filters.
    '''
    # JSON API resource type; also the path segment used for /api/v2/<type>[/<id>] requests.
    _api_type = 'vendor_alert_evidences'
    # Names accepted by JsonResp.build_url as ``filter[<name>]`` parameters.
    _def_attributes = ["evidence", "evidence_type"]
    # Names accepted by JsonResp.build_url as the first segment of a ``filter[<rel>]...`` path.
    _def_relationships = ["evidenced_expel_alerts", "vendor_alert"]
class RemediationActionHistories(BaseEntry):
    '''
    Remediation action histories (``remediation_action_histories`` resource).

    A data-only subclass: it carries no methods, just the class-level
    descriptors that the JSON:API base class reads to build requests.

    Below are valid filter by parameters:

    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Field Description                                                                               | Field Name             | Field Type     | Attribute     | Relationship     |
    +=================================================================================================+========================+================+===============+==================+
    | Remediation action history action<br/>Restricted to: "CREATED", "ASSIGNED"<br/>Allows: null    | action                 | any            | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Remediation action history details<br/>Allows: null<br/>Meta: no-sort                          | value                  | object         | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                                            | created_at             | string         | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | created_by             | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | investigation          | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | assigned_to_actor      | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | remediation_action     | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    '''

    # JSON:API resource type; JsonResp copies it as ``cls._api_type`` and
    # feeds it to make_url() when constructing the resource URL.
    _api_type = 'remediation_action_histories'

    # Names of the rows marked "Attribute = Y" above (presumably consumed by
    # BaseEntry, which is defined elsewhere in this file).
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]

    # Names of the rows marked "Relationship = Y" above.
    _def_relationships = [
        "created_by",
        "investigation",
        "assigned_to_actor",
        "remediation_action",
    ]
class ExpelUsers(BaseEntry):
    '''
    Expel users (``expel_users`` resource).

    A data-only subclass: it carries no methods, just the class-level
    descriptors that the JSON:API base class reads to build requests.

    Below are valid filter by parameters:

    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Field Description                                                                                                                                                                                 | Field Name                                        | Field Type     | Attribute     | Relationship     |
    +===================================================================================================================================================================================================+===================================================+================+===============+==================+
    | Language<br/>Allows: "", null                                                                                                                                                                     | language                                          | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Locale<br/>Allows: "", null                                                                                                                                                                       | locale                                            | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Is an engagement manager                                                                                                                                                                          | engagement_manager                                | boolean        | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Can user be assigned items (e.g. investigations, etc)                                                                                                                                             | assignable                                        | boolean        | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                                                                                                                                              | created_at                                        | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Password reset token<br/>Allows: null<br/>Meta: readonly, private                                                                                                                                 | password_reset_token                              | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Invite token expiry<br/>Allows: null<br/>Meta: readonly, private                                                                                                                                  | invite_token_expires_at                           | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Email<br/>Allows: null                                                                                                                                                                            | email                                             | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Last Name<br/>Allows: "", null                                                                                                                                                                    | last_name                                         | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Phone number<br/>Allows: null                                                                                                                                                                     | phone_number                                      | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | User account primary role<br/>Restricted to: "expel_admin", "expel_analyst", "organization_admin", "organization_analyst", "system", "anonymous"<br/>Allows: null<br/>Meta: readonly, no-sort    | role                                              | any            | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Restricted to: "ACTIVE", "LOCKED", "LOCKED_INVITED", "LOCKED_EXPIRED", "ACTIVE_INVITED", "ACTIVE_EXPIRED"<br/>Meta: readonly, no-sort                                                             | active_status                                     | any            | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Timezone<br/>Allows: "", null                                                                                                                                                                     | timezone                                          | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Password reset token expiry<br/>Allows: null<br/>Meta: readonly, private                                                                                                                          | password_reset_token_expires_at                   | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly                                                                                                                                                         | updated_at                                        | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Active<br/>Allows: null                                                                                                                                                                           | active                                            | boolean        | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Invite token<br/>Allows: null<br/>Meta: readonly, private                                                                                                                                         | invite_token                                      | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | First Name<br/>Allows: "", null                                                                                                                                                                   | first_name                                        | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Display name<br/>Allows: "", null                                                                                                                                                                 | display_name                                      | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Homepage preferences<br/>Allows: null<br/>Meta: no-sort                                                                                                                                           | homepage_preferences                              | object         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | user_account_roles                                | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_investigative_actions                    | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_investigations                           | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_remediation_actions                      | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | organization                                      | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_organization_resilience_actions_list     | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_customer_resilience_actions_list         | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_customer_resilience_actions              | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | updated_by                                        | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | notification_preferences                          | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | analysis_assigned_investigative_actions           | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | created_by                                        | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_expel_alerts                             | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | assigned_organization_resilience_actions          | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                               | customer                                          | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    '''

    # JSON:API resource type; JsonResp copies it as ``cls._api_type`` and
    # feeds it to make_url() when constructing the resource URL.
    _api_type = 'expel_users'

    # Names of the rows marked "Attribute = Y" above (presumably consumed by
    # BaseEntry, which is defined elsewhere in this file).
    #
    # NOTE(review): password_reset_token, invite_token and both *_expires_at
    # fields are tagged "readonly, private" in the API table. They are listed
    # here so the client can address them, but any value the server does hand
    # back is credential material: keep user records out of logs, debug dumps
    # and long-lived caches, or redact these four keys first.
    _def_attributes = [
        "language",
        "locale",
        "engagement_manager",
        "assignable",
        "created_at",
        "password_reset_token",
        "invite_token_expires_at",
        "email",
        "last_name",
        "phone_number",
        "role",
        "active_status",
        "timezone",
        "password_reset_token_expires_at",
        "updated_at",
        "active",
        "invite_token",
        "first_name",
        "display_name",
        "homepage_preferences",
    ]

    # Names of the rows marked "Relationship = Y" above.
    _def_relationships = [
        "user_account_roles",
        "assigned_investigative_actions",
        "assigned_investigations",
        "assigned_remediation_actions",
        "organization",
        "assigned_organization_resilience_actions_list",
        "assigned_customer_resilience_actions_list",
        "assigned_customer_resilience_actions",
        "updated_by",
        "notification_preferences",
        "analysis_assigned_investigative_actions",
        "created_by",
        "assigned_expel_alerts",
        "assigned_organization_resilience_actions",
        "customer",
    ]
class ResilienceActionGroups(BaseEntry):
    '''
    Defines/retrieves expel.io resilience_action_group records
    (``resilience_action_groups`` resource).

    A data-only subclass: it carries no methods, just the class-level
    descriptors that the JSON:API base class reads to build requests.

    Below are valid filter by parameters:

    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Field Description                                                                               | Field Name             | Field Type     | Attribute     | Relationship     |
    +=================================================================================================+========================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly                                                       | updated_at             | string         | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Group title                                                                                     | title                  | string         | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Global Resilience Group Category<br/>Restricted to: "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"     | category               | any            | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                                            | created_at             | string         | Y             | N                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | created_by             | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | updated_by             | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    | Missing Description                                                                             | resilience_actions     | object         | N             | Y                |
    +-------------------------------------------------------------------------------------------------+------------------------+----------------+---------------+------------------+
    '''

    # JSON:API resource type; JsonResp copies it as ``cls._api_type`` and
    # feeds it to make_url() when constructing the resource URL.
    _api_type = 'resilience_action_groups'

    # Names of the rows marked "Attribute = Y" above (presumably consumed by
    # BaseEntry, which is defined elsewhere in this file).
    _def_attributes = [
        "updated_at",
        "title",
        "category",
        "created_at",
    ]

    # Names of the rows marked "Relationship = Y" above.
    _def_relationships = [
        "created_by",
        "updated_by",
        "resilience_actions",
    ]
class CustomerResilienceActionList(BaseEntry):
    '''
    Organization to resilience action list
    (``customer_resilience_action_list`` resource).

    A data-only subclass: it carries no methods, just the class-level
    descriptors that the JSON:API base class reads to build requests.

    Below are valid filter by parameters:

    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Field Description                                                                                    | Field Name                           | Field Type     | Attribute     | Relationship     |
    +======================================================================================================+======================================+================+===============+==================+
    | Visible<br/>Allows: null                                                                             | visible                              | boolean        | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Impact<br/>Restricted to: "LOW", "MEDIUM", "HIGH"<br/>Allows: null                                   | impact                               | any            | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Incident count<br/>Allows: null                                                                      | incident_count                       | number         | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Comment<br/>Allows: "", null                                                                         | comment                              | string         | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Title<br/>Allows: "", null                                                                           | title                                | string         | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Category<br/>Restricted to: "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"<br/>Allows: null                 | category                             | any            | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Status<br/>Restricted to: "TOP_PRIORITY", "IN_PROGRESS", "WONT_DO", "COMPLETED"<br/>Allows: null     | status                               | any            | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Details<br/>Allows: "", null                                                                         | details                              | string         | Y             | N                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                  | customer_resilience_action           | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                  | organization                         | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                  | customer                             | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                  | customer_resilience_action_group     | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                  | assigned_to_actor                    | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    '''

    # JSON:API resource type; JsonResp copies it as ``cls._api_type`` and
    # feeds it to make_url() when constructing the resource URL.
    _api_type = 'customer_resilience_action_list'

    # Names of the rows marked "Attribute = Y" above (presumably consumed by
    # BaseEntry, which is defined elsewhere in this file).
    _def_attributes = [
        "visible",
        "impact",
        "incident_count",
        "comment",
        "title",
        "category",
        "status",
        "details",
    ]

    # Names of the rows marked "Relationship = Y" above.
    _def_relationships = [
        "customer_resilience_action",
        "organization",
        "customer",
        "customer_resilience_action_group",
        "assigned_to_actor",
    ]
class Assets(BaseEntry):
    '''
    Organization assets (``assets`` resource).

    A data-only subclass: it carries no methods, just the class-level
    descriptors that the JSON:API base class reads to build requests.

    Below are valid filter by parameters:

    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Field Description                                                                                                                | Field Name       | Field Type     | Attribute     | Relationship     |
    +==================================================================================================================================+==================+================+===============+==================+
    | Restricted to: "IP", "CIDR", "MACADDR", "USERNAME", "USERNAME_REGEX", "HOSTNAME", "HOSTNAME_REGEX", "AGENT"<br/>Allows: null     | asset_type       | any            | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Allows: null                                                                                                                     | asset_value      | string         | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Allows: null, ""                                                                                                                 | desc             | string         | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | asset_groups     | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | organization     | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | customer         | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    '''

    # JSON:API resource type; JsonResp copies it as ``cls._api_type`` and
    # feeds it to make_url() when constructing the resource URL.
    _api_type = 'assets'

    # Names of the rows marked "Attribute = Y" above (presumably consumed by
    # BaseEntry, which is defined elsewhere in this file).
    # NOTE(review): asset_value is free-form per the table (its shape depends on
    # asset_type, e.g. CIDR vs USERNAME_REGEX); validation, if any, happens
    # server-side -- nothing here checks it.
    _def_attributes = [
        "asset_type",
        "asset_value",
        "desc",
    ]

    # Names of the rows marked "Relationship = Y" above.
    _def_relationships = [
        "asset_groups",
        "organization",
        "customer",
    ]
class UserAccountStatuses(BaseEntry):
    '''
    User account status (``user_account_statuses`` resource).

    A data-only subclass: it carries no methods, just the class-level
    descriptors that the JSON:API base class reads to build requests.

    Below are valid filter by parameters:

    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Field Description                                                                                                                | Field Name                          | Field Type     | Attribute     | Relationship     |
    +==================================================================================================================================+=====================================+================+===============+==================+
    | Allows: null<br/>Meta: readonly                                                                                                  | password_reset_token_expires_at     | string         | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Restricted to: "ACTIVE", "LOCKED", "LOCKED_INVITED", "LOCKED_EXPIRED", "ACTIVE_INVITED", "ACTIVE_EXPIRED"<br/>Meta: readonly     | active_status                       | any            | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Meta: readonly                                                                                                                   | created_at                          | string         | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Meta: readonly                                                                                                                   | updated_at                          | string         | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | active                              | boolean        | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Allows: null<br/>Meta: readonly                                                                                                  | invite_token_expires_at             | string         | Y             | N                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | created_by                          | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | user_account                        | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | updated_by                          | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                              | primary_organization                | object         | N             | Y                |
    +----------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    '''

    # JSON:API resource type; JsonResp copies it as ``cls._api_type`` and
    # feeds it to make_url() when constructing the resource URL.
    _api_type = 'user_account_statuses'

    # Names of the rows marked "Attribute = Y" above (presumably consumed by
    # BaseEntry, which is defined elsewhere in this file). Every timestamp and
    # the status enum are "Meta: readonly" per the table; only ``active`` is
    # listed without that flag.
    _def_attributes = [
        "password_reset_token_expires_at",
        "active_status",
        "created_at",
        "updated_at",
        "active",
        "invite_token_expires_at",
    ]

    # Names of the rows marked "Relationship = Y" above.
    _def_relationships = [
        "created_by",
        "user_account",
        "updated_by",
        "primary_organization",
    ]
class Actors(BaseEntry):
    """
    Defines/retrieves expel.io actor records.

    The class carries only declarative metadata; the request/pagination
    behaviour comes from ``BaseEntry``.

    Filterable attributes (``_def_attributes``):

    * ``updated_at``   -- Last Updated timestamp (readonly)
    * ``is_expel``     -- boolean (readonly, no-sort)
    * ``actor_type``   -- Actor type; restricted to "system", "user",
      "organization", "api"
    * ``display_name`` -- Display name; allows "" and null
    * ``created_at``   -- Created timestamp (readonly)

    Filterable relationships (``_def_relationships``) are the related
    resources listed below; each is an object, not an attribute.
    """

    # JSON API resource type for this entry; presumably the path segment used
    # when URLs for this resource are built elsewhere in the module.
    _api_type = 'actors'

    # Attribute names the API accepts as filter parameters (order preserved
    # from the API reference).
    _def_attributes = [
        "updated_at",
        "is_expel",
        "actor_type",
        "display_name",
        "created_at",
    ]

    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "child_actors",
        "assigned_investigative_actions",
        "assigned_investigations",
        "assigned_remediation_actions",
        "organization",
        "assigned_organization_resilience_actions_list",
        "assigned_customer_resilience_actions_list",
        "assigned_customer_resilience_actions",
        "user_account",
        "updated_by",
        "notification_preferences",
        "analysis_assigned_investigative_actions",
        "created_by",
        "assigned_expel_alerts",
        "assigned_organization_resilience_actions",
        "parent_actor",
        "customer",
    ]
class SecurityDevices(BaseEntry):
    """
    Security devices.

    Declarative metadata only; request handling is inherited from
    ``BaseEntry``.

    Filterable attributes (``_def_attributes``):

    * ``plugin_slug``           -- string; allows "" and null
    * ``location``              -- Location; allows "" and null
    * ``created_at``            -- Created timestamp (readonly)
    * ``status_updated_at``     -- Status Updated At; allows null (readonly)
    * ``device_spec``           -- Device Spec, object; allows null (no-sort)
    * ``deleted_at``            -- Deleted At timestamp; allows null
    * ``name``                  -- Name, string
    * ``has_two_factor_secret`` -- readonly boolean; only reports whether a
      2fa secret is stored in vault, the secret itself is not an attribute
      of this resource
    * ``status``                -- restricted to "healthy", "unhealthy",
      "health_checks_not_supported"; allows null
    * ``device_type``           -- restricted to "ENDPOINT", "NETWORK",
      "SIEM", "OTHER", "CLOUD"
    * ``updated_at``            -- Last Updated timestamp (readonly)
    * ``task_source``           -- location where tasks are run; restricted
      to "CUSTOMER_PREMISE", "EXPEL_TASKPOOL"
    * ``status_details``        -- Status Details, object; allows null
      (no-sort)

    Filterable relationships (``_def_relationships``) are listed below; each
    is a related object rather than a plain attribute.
    """

    # JSON API resource type for this entry.
    _api_type = 'security_devices'

    # Attribute names accepted as filter parameters (API reference order).
    _def_attributes = [
        "plugin_slug",
        "location",
        "created_at",
        "status_updated_at",
        "device_spec",
        "deleted_at",
        "name",
        "has_two_factor_secret",
        "status",
        "device_type",
        "updated_at",
        "task_source",
        "status_details",
    ]

    # Relationship names accepted as filter parameters.
    _def_relationships = [
        "parent_security_device",
        "assembler",
        "investigative_actions",
        "updated_by",
        "created_by",
        "vendor_alerts",
        "organization",
        "customer",
        "vendor",
        "child_security_devices",
    ]
class ExpelAlertHistories(BaseEntry):
    """
    Expel alert histories.

    Declarative metadata only; request handling is inherited from
    ``BaseEntry``.

    Filterable attributes (``_def_attributes``):

    * ``action``     -- Expel alert history action; restricted to "CREATED",
      "ASSIGNED", "STATUS_CHANGED", "INVESTIGATING", "TUNING_CHANGED";
      allows null
    * ``value``      -- Expel alert history details, object; allows null
      (no-sort)
    * ``created_at`` -- Created timestamp (readonly)

    Filterable relationships (``_def_relationships``): investigation,
    expel_alert, created_by, organization, customer, assigned_to_actor.
    """

    # JSON API resource type for this entry.
    _api_type = 'expel_alert_histories'

    # Attribute names accepted as filter parameters (API reference order).
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]

    # Relationship names accepted as filter parameters.
    _def_relationships = [
        "investigation",
        "expel_alert",
        "created_by",
        "organization",
        "customer",
        "assigned_to_actor",
    ]
class Organizations(BaseEntry): | |
''' | |
Defines/retrieves expel.io organization records | |
Below are valid filter by parameters: | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Field Description | Field Name | Field Type | Attribute | Relationship | | |
+====================================================================================+===================================================+================+===============+==================+ | |
| The organization's primary industry<br/>Allows: "", null | industry | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| City<br/>Allows: "", null | city | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Number of nodes covered for this organization<br/>Allows: null | nodes_count | number | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| State/Province/Region<br/>Allows: "", null | region | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Number of users covered for this organization<br/>Allows: null | users_count | number | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Vault Token<br/>Allows: null<br/>Meta: private | vault_token | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Address 2<br/>Allows: "", null | address_2 | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| o365 Terms of Service identifier (e.g. hubspot id, etc.)<br/>Allows: null | o365_tos_id | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Allows: "", null | hq_utc_offset | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Address 1<br/>Allows: "", null | address_1 | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Organization short name<br/>Allows: null | short_name | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Organization service renewal date<br/>Allows: null | service_renewal_at | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Postal Code<br/>Allows: null | postal_code | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Is surge | is_surge | boolean | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Is Prospective/Demo Organization<br/>Meta: private | prospect | boolean | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Country Code<br/>Allows: null | country_code | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Created timestamp<br/>Meta: readonly | created_at | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Organization service start date<br/>Allows: null | service_start_at | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| o365 Microsoft tenant id<br/>Allows: null<br/>Meta: private | o365_tenant_id | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Deleted At timestamp<br/>Allows: null | deleted_at | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| The organization's operating name | name | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| The city where the organization's headquarters is located<br/>Allows: "", null | hq_city | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Allows: null<br/>Meta: private | vault_token_expires | string | Y | N | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | configurations | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | vendor_alerts | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | updated_by | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | expel_users | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | vendor_devices | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | user_accounts | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_organization_resilience_actions_list | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | security_devices | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_customer_resilience_actions_list | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | context_label_tags | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization_resilience_action_groups | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | features | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | user_accounts_with_roles | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | files | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | expel_alert_histories | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assignables | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | notification_preferences | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | comments | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_expel_alerts | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_organization_resilience_actions | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | expel_alerts | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | saml_identity_provider | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization_em_meta | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | api_keys | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | nist_subcategory_scores | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_investigative_actions | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_investigations | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | investigation_histories | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization_status | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | investigations | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_remediation_actions | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | engagement_manager | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | products | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization_resilience_actions | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_customer_resilience_actions | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization_user_account_roles | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | context_labels | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assemblers | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | customer_devices | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | created_by | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | analysis_assigned_investigative_actions | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | actor | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | integrations | object | N | Y | | |
+------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+ | |
''' | |
_api_type = 'organizations'
# Attribute names the API exposes for this resource type.
# NOTE(review): the names vault_token / vault_token_expires suggest credential
# material and o365_tenant_id is a tenant identifier; avoid dumping whole
# organization records (all attributes) into logs or debug output.
_def_attributes = ["industry", "city", "nodes_count", "region", "users_count", "vault_token", "address_2",
                   "o365_tos_id", "hq_utc_offset", "address_1", "short_name", "service_renewal_at", "postal_code",
                   "is_surge", "prospect", "country_code", "created_at", "service_start_at", "o365_tenant_id",
                   "deleted_at", "name", "hq_city", "updated_at", "vault_token_expires"]
# Relationship names the API exposes for this resource type.
_def_relationships = ["configurations", "vendor_alerts", "updated_by", "expel_users", "vendor_devices",
                      "user_accounts", "assigned_organization_resilience_actions_list", "security_devices",
                      "assigned_customer_resilience_actions_list", "context_label_tags",
                      "organization_resilience_action_groups", "features", "user_accounts_with_roles", "files",
                      "expel_alert_histories", "assignables", "notification_preferences", "comments",
                      "assigned_expel_alerts", "assigned_organization_resilience_actions", "expel_alerts",
                      "saml_identity_provider", "organization_em_meta", "api_keys", "nist_subcategory_scores",
                      "assigned_investigative_actions", "assigned_investigations", "investigation_histories",
                      "organization_status", "investigations", "assigned_remediation_actions", "engagement_manager",
                      "products", "organization_resilience_actions", "assigned_customer_resilience_actions",
                      "organization_user_account_roles", "context_labels", "assemblers", "customer_devices",
                      "created_by", "analysis_assigned_investigative_actions", "actor", "integrations"]
class NotificationPreferences(BaseEntry):
    """User notification preferences (JSON API type ``notification_preferences``).

    Filterable attributes (name: type -- description):
        preferences: array -- no description in the API schema.

    Filterable relationships:
        actor
    """
    _api_type = "notification_preferences"
    _def_attributes = ['preferences']
    _def_relationships = ['actor']
class TimelineEntries(BaseEntry):
    """Investigation timeline entries (JSON API type ``timeline_entries``).

    Filterable attributes (name: type -- description):
        event_type: string -- type of the event, e.g. a Carbon Black alert; allows "", null.
        updated_at: string -- last-updated timestamp; readonly.
        deleted_at: string -- deleted-at timestamp; allows null.
        is_selected: boolean -- whether the entry was selected for the final report.
        event_date: string -- date/time at which the event occurred.
        comment: string -- comment on this timeline entry; allows "", null.
        dest_host: string -- destination host (IP or hostname); allows "", null.
        attack_phase: string -- attack phase of the entry; allows "", null.
        event: string -- the event itself, e.g. a PowerShell attack; allows "", null.
        src_host: string -- source host (IP or hostname); allows "", null.
        created_at: string -- creation timestamp; readonly.

    Filterable relationships:
        investigation, expel_alert, updated_by, created_by, context_labels,
        context_label_actions
    """
    _api_type = "timeline_entries"
    _def_attributes = [
        'event_type',
        'updated_at',
        'deleted_at',
        'is_selected',
        'event_date',
        'comment',
        'dest_host',
        'attack_phase',
        'event',
        'src_host',
        'created_at',
    ]
    _def_relationships = [
        'investigation',
        'expel_alert',
        'updated_by',
        'created_by',
        'context_labels',
        'context_label_actions',
    ]
class NistSubcategories(BaseEntry):
    """expel.io NIST subcategory records (JSON API type ``nist_subcategories``).

    Filterable attributes (name: type -- description):
        updated_at: string -- last-updated timestamp; readonly.
        name: string -- NIST subcategory title; allows "", null.
        identifier: string -- NIST subcategory abbreviated identifier.
        created_at: string -- creation timestamp; readonly.

    Filterable relationships:
        created_by, nist_subcategory_scores, updated_by, nist_category
    """
    _api_type = "nist_subcategories"
    _def_attributes = ['updated_at', 'name', 'identifier', 'created_at']
    _def_relationships = ['created_by', 'nist_subcategory_scores', 'updated_by', 'nist_category']
class IpAddresses(BaseEntry):
    """IP address records (JSON API type ``ip_addresses``).

    Filterable attributes (name: type -- description):
        updated_at: string -- last-updated timestamp; readonly.
        created_at: string -- creation timestamp; readonly.
        address: string -- the IP address; readonly.

    Filterable relationships:
        investigations, source_investigations, updated_by, created_by,
        vendor_alerts, destination_expel_alerts, source_expel_alerts,
        destination_investigations
    """
    _api_type = "ip_addresses"
    _def_attributes = ['updated_at', 'created_at', 'address']
    _def_relationships = [
        'investigations',
        'source_investigations',
        'updated_by',
        'created_by',
        'vendor_alerts',
        'destination_expel_alerts',
        'source_expel_alerts',
        'destination_investigations',
    ]
class Secrets(BaseEntry):
    """Organization secrets (JSON API type ``secrets``).

    Requests for this type must use the path form ``/secrets/security_device-<guid>``.
    The ``secret`` attribute is the credential payload itself: treat records of this
    type as sensitive and keep them out of logs, debug dumps and error messages.

    Filterable attributes (name: type -- description):
        secret: object -- allows null.

    Filterable relationships:
        organization, customer
    """
    _api_type = "secrets"
    _def_attributes = ['secret']
    _def_relationships = ['organization', 'customer']
class OrganizationResilienceActionList(BaseEntry):
    """Organization-to-resilience-action list (JSON API type ``organization_resilience_action_list``).

    Filterable attributes (name: type -- description):
        visible: boolean -- visible flag; allows null.
        impact: any -- restricted to "LOW", "MEDIUM", "HIGH"; allows null.
        incident_count: number -- incident count; allows null.
        comment: string -- comment; allows "", null.
        title: string -- title; allows "", null.
        category: any -- restricted to "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"; allows null.
        status: any -- restricted to "TOP_PRIORITY", "IN_PROGRESS", "WONT_DO", "COMPLETED"; allows null.
        details: string -- details; allows "", null.

    Filterable relationships:
        organization_resilience_action, organization,
        organization_resilience_action_group, assigned_to_actor
    """
    _api_type = "organization_resilience_action_list"
    _def_attributes = [
        'visible',
        'impact',
        'incident_count',
        'comment',
        'title',
        'category',
        'status',
        'details',
    ]
    _def_relationships = [
        'organization_resilience_action',
        'organization',
        'organization_resilience_action_group',
        'assigned_to_actor',
    ]
class UiDiscoveries(BaseEntry):
    """UI discovery records (JSON API type ``ui_discoveries``).

    Filterable attributes (name: type -- description):
        updated_at: string -- last-updated timestamp; readonly.
        name: string -- no description in the API schema.
        created_at: string -- creation timestamp; readonly.

    Filterable relationships:
        created_by, user_accounts, updated_by
    """
    _api_type = "ui_discoveries"
    _def_attributes = ['updated_at', 'name', 'created_at']
    _def_relationships = ['created_by', 'user_accounts', 'updated_by']
class HuntingStatuses(BaseEntry):
    """Investigation hunting statuses (JSON API type ``hunting_statuses``).

    Filterable attributes (name: type -- description):
        log_offset: string -- allows null.
        log_start: string -- allows null.
        log_end: string -- allows null.

    Filterable relationships:
        investigation, organization, customer
    """
    _api_type = "hunting_statuses"
    _def_attributes = ['log_offset', 'log_start', 'log_end']
    _def_relationships = ['investigation', 'organization', 'customer']
class Configurations(BaseEntry):
    """expel.io configuration records (JSON API type ``configurations``).

    Filterable attributes (name: type -- description):
        validation: object -- configuration value validation; allows null; readonly, no-sort.
        title: string -- title of the configuration value; allows "", null; readonly.
        visibility: any -- restricted to "EXPEL", "ORGANIZATION", "SYSTEM".
        created_at: string -- creation timestamp; readonly.
        metadata: object -- configuration metadata; allows null; readonly, no-sort.
        is_override: boolean -- whether the value is an override; readonly.
        default_value: any -- default configuration value; allows null; readonly, no-sort.
        key: string -- configuration key; readonly.
        value: any -- configuration value; allows null; no-sort.
        description: string -- description of the value; allows "", null; readonly.
        updated_at: string -- last-updated timestamp; readonly.
        write_permission_level: any -- write permission required; restricted to
            "EXPEL", "ORGANIZATION", "SYSTEM".

    Filterable relationships:
        created_by, organization, customer, updated_by, configuration_default
    """
    _api_type = "configurations"
    _def_attributes = [
        'validation',
        'title',
        'visibility',
        'created_at',
        'metadata',
        'is_override',
        'default_value',
        'key',
        'value',
        'description',
        'updated_at',
        'write_permission_level',
    ]
    _def_relationships = [
        'created_by',
        'organization',
        'customer',
        'updated_by',
        'configuration_default',
    ]
class InvestigativeActions(BaseEntry):
    '''
    Entry type for the Expel ``investigative_actions`` JSON API resource.

    The table below lists the fields the API exposes for this resource; names with
    Attribute == Y populate ``_def_attributes`` and names with Relationship == Y
    populate ``_def_relationships``.

    investigative actions
    Below are valid filter by parameters:
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=========================================================================================================================================================================================+=====================================+================+===============+==================+
    | Title | title | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Verify Investigative action verified by<br/>Allows: null | activity_verified_by | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Result task id<br/>Allows: null<br/>Meta: readonly | result_task_id | any | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Taskabilities error<br/>Allows: "", null<br/>Meta: no-sort | tasking_error | object | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Close Reason<br/>Allows: null | close_reason | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Task input arguments<br/>Allows: null<br/>Meta: no-sort | input_args | object | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Investigative action created by robot action<br/>Meta: readonly | robot_action | boolean | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Capability name<br/>Allows: "", null | capability_name | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Status Updated At<br/>Allows: null<br/>Meta: readonly | status_updated_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Deleted At timestamp<br/>Allows: null | deleted_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Reason | reason | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Taskability action id<br/>Allows: "", null | taskability_action_id | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Instructions<br/>Allows: "", null | instructions | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Investigative Action Type<br/>Restricted to: "TASKABILITY", "HUNTING", "MANUAL", "RESEARCH", "PIVOT", "QUICK_UPLOAD", "VERIFY", "DOWNGRADE" | action_type | any | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Results/Analysis<br/>Allows: "", null | results | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Verify Investigative action is authorized<br/>Allows: null | activity_authorized | boolean | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Status<br/>Restricted to: "RUNNING", "FAILED", "READY_FOR_ANALYSIS", "CLOSED", "COMPLETED" | status | any | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Downgrade reason<br/>Restricted to: "FALSE_POSITIVE", "ATTACK_FAILED", "POLICY_VIOLATION", "ACTIVITY_BLOCKED", "PUP_PUA", "BENIGN", "IT_MISCONFIGURATION", "OTHER"<br/>Allows: null | downgrade_reason | any | Y | N |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | analysis_assigned_to_actor | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | vendor_device | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | depends_on_investigative_action | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | files | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | expel_alert | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | security_device | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | dependent_investigative_actions | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_to_actor | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description | investigative_action_histories | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    '''
    _api_type = 'investigative_actions'  # JSON API resource type; JsonResp reads cls._api_type to build request URLs
    # Attribute names (Attribute == Y rows above), in the API's order.
    # NOTE(review): 'results', 'instructions', 'reason' and 'close_reason' are free-form strings and
    # 'input_args' / 'tasking_error' are arbitrary objects returned by the server; treat them as untrusted
    # text if they are rendered into another UI (e.g. a SOAR war room) rather than trusting their content.
    # 'activity_authorized' / 'activity_verified_by' are the API's own authorization-tracking fields for an
    # action; authorization should be read from them, not inferred from 'status'.
    _def_attributes = ["title", "activity_verified_by", "created_at", "result_task_id", "tasking_error", "close_reason",
                       "input_args", "robot_action", "capability_name", "status_updated_at", "deleted_at", "reason",
                       "taskability_action_id", "instructions", "updated_at", "action_type", "results",
                       "activity_authorized", "status", "downgrade_reason"]
    # Relationship names (Relationship == Y rows above); presumably consumed by BaseEntry, which is not
    # visible here — verify there before relying on the order.
    _def_relationships = ["analysis_assigned_to_actor", "vendor_device", "updated_by",
                          "depends_on_investigative_action", "created_by", "files", "expel_alert", "security_device",
                          "investigation", "dependent_investigative_actions", "assigned_to_actor",
                          "investigative_action_histories"]
class Vendors(BaseEntry):
    '''
    Entry type for the Expel ``vendors`` JSON API resource.

    The table below lists the fields the API exposes for this resource; names with
    Attribute == Y populate ``_def_attributes`` and names with Relationship == Y
    populate ``_def_relationships``.

    Vendors
    Below are valid filter by parameters:
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+======================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Name<br/>Allows: "", null | name | string | Y | N |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Icon<br/>Allows: "", null | icon | string | Y | N |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | vendor_devices | object | N | Y |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | vendor_alerts | object | N | Y |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | expel_alerts | object | N | Y |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | security_devices | object | N | Y |
    +-----------------------------------------------+----------------------+----------------+---------------+------------------+
    '''
    _api_type = 'vendors'  # JSON API resource type; JsonResp reads cls._api_type to build request URLs
    # Attribute names (Attribute == Y rows above), in the API's order. 'name' and 'icon' may be "" or null
    # per the table; the format of 'icon' is not documented here — presumably a reference to an image, verify.
    _def_attributes = ["updated_at", "name", "icon", "created_at"]
    # Relationship names (Relationship == Y rows above); presumably consumed by BaseEntry, which is not
    # visible here — verify there before relying on the order.
    _def_relationships = ["vendor_devices", "updated_by", "created_by", "vendor_alerts", "expel_alerts",
                          "security_devices"]
class ConfigurationLabels(BaseEntry):
    '''
    Entry type for the Expel ``configuration_labels`` JSON API resource.

    The table below lists the fields the API exposes for this resource; names with
    Attribute == Y populate ``_def_attributes`` and names with Relationship == Y
    populate ``_def_relationships``.

    Configuration labels
    Below are valid filter by parameters:
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=============================================================+============================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Description of configuration label<br/>Allows: "", null | description | string | Y | N |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Title of configuration label<br/>Allows: "", null | title | string | Y | N |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | configuration_defaults | object | N | Y |
    +-------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    '''
    _api_type = 'configuration_labels'  # JSON API resource type; JsonResp reads cls._api_type to build request URLs
    # Attribute names (Attribute == Y rows above), in the API's order; 'description' and 'title'
    # may be "" or null per the table.
    _def_attributes = ["updated_at", "description", "title", "created_at"]
    # Relationship names (Relationship == Y rows above); presumably consumed by BaseEntry, which is not
    # visible here — verify there before relying on the order.
    _def_relationships = ["created_by", "updated_by", "configuration_defaults"]
class CpeImages(BaseEntry):
    '''
    Entry type for the Expel ``cpe_images`` JSON API resource.

    The table below lists the fields the API exposes for this resource; names with
    Attribute == Y populate ``_def_attributes`` and names with Relationship == Y
    populate ``_def_relationships``.

    CPE Images
    Below are valid filter by parameters:
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=======================================================================+==================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | CPE image image size<br/>Allows: null | size | number | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | CPE image image md5 hash<br/>Allows: null | hash_md5 | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | CPE image image sha256 hash<br/>Allows: null | hash_sha256 | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | CPE image image sh1 hash<br/>Allows: null | hash_sha1 | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | CPE image image release date<br/>Allows: null | release_date | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | CPE image image version<br/>Allows: "", null | version | string | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Platform<br/>Restricted to: "VMWARE", "HYPERV", "AZURE", "AMAZON" | platform | any | Y | N |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------------------------------+------------------+----------------+---------------+------------------+
    '''
    _api_type = 'cpe_images'  # JSON API resource type; JsonResp reads cls._api_type to build request URLs
    # Attribute names (Attribute == Y rows above), in the API's order.
    # NOTE(review): three digests are exposed for an image; when a downloaded image is verified against
    # these values, compare 'hash_sha256' — MD5 and SHA-1 are collision-prone and should only be used
    # for lookup/correlation, not as the integrity check. All three may be null per the table.
    _def_attributes = ["updated_at", "size", "hash_md5", "hash_sha256", "hash_sha1", "created_at", "release_date",
                       "version", "platform"]
    # Relationship names (Relationship == Y rows above); presumably consumed by BaseEntry, which is not
    # visible here — verify there before relying on the order.
    _def_relationships = ["created_by", "updated_by"]
class Products(BaseEntry):
    '''
    Entry type for the Expel ``products`` JSON API resource.

    The table below lists the fields the API exposes for this resource; names with
    Attribute == Y populate ``_def_attributes`` and names with Relationship == Y
    populate ``_def_relationships``.

    Products
    Below are valid filter by parameters:
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+===================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | name | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | description | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | features | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | organizations | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | customers | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    '''
    _api_type = 'products'  # JSON API resource type; JsonResp reads cls._api_type to build request URLs
    # Attribute names (Attribute == Y rows above), in the API's order. The table gives no "Allows"
    # note for 'name' / 'description', so whether they can be null is not documented here.
    _def_attributes = ["updated_at", "name", "description", "created_at"]
    # Relationship names (Relationship == Y rows above); presumably consumed by BaseEntry, which is not
    # visible here — verify there before relying on the order.
    _def_relationships = ["created_by", "features", "updated_by", "organizations", "customers"]
class RemediationActions(BaseEntry):
    '''
    Entry type for the Expel ``remediation_actions`` JSON API resource.

    The table below lists the fields the API exposes for this resource; names with
    Attribute == Y populate ``_def_attributes`` and names with Relationship == Y
    populate ``_def_relationships``.

    Remediation actions
    Below are valid filter by parameters:
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=================================================================================+==================================+================+===============+==================+
    | Remediation action details markdown<br/>Allows: "", null<br/>Meta: readonly | detail_markdown | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Status Updated At<br/>Allows: null<br/>Meta: readonly | status_updated_at | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Deleted At timestamp<br/>Allows: null | deleted_at | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Remediation Action Values<br/>Meta: no-sort | values | object | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Action<br/>Allows: "", null | action | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Remediation Action Template and Values<br/>Meta: no-sort | template_values | object | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Remediation Action Template Name<br/>Allows: "", null | template_name | string | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Status<br/>Restricted to: "IN_PROGRESS", "COMPLETED", "CLOSED" | status | any | Y | N |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Missing Description | remediation_action_type | object | N | Y |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_to_actor | object | N | Y |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    | Missing Description | remediation_action_histories | object | N | Y |
    +---------------------------------------------------------------------------------+----------------------------------+----------------+---------------+------------------+
    '''
    _api_type = 'remediation_actions'  # JSON API resource type; JsonResp reads cls._api_type to build request URLs
    # Attribute names (Attribute == Y rows above), in the API's order.
    # NOTE(review): 'detail_markdown' is server-rendered markdown (readonly per the table) and
    # 'values' / 'template_values' are arbitrary objects; if any of them is displayed in another UI,
    # render through a sanitising markdown renderer rather than as raw HTML.
    _def_attributes = ["detail_markdown", "status_updated_at", "deleted_at", "values", "created_at", "action",
                       "template_values", "updated_at", "template_name", "status"]
    # Relationship names (Relationship == Y rows above); presumably consumed by BaseEntry, which is not
    # visible here — verify there before relying on the order.
    _def_relationships = ["investigation", "updated_by", "remediation_action_type", "created_by", "assigned_to_actor",
                          "remediation_action_histories"]
class ExpelAlerts(BaseEntry):
    '''
    Expel alerts.

    Valid filter-by parameters are listed below. Rows with ``Attribute == Y``
    are plain fields; rows with ``Relationship == Y`` are related resources.
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Field Description                                                                                                                                                                                                           | Field Name                                         | Field Type     | Attribute     | Relationship     |
    +=============================================================================================================================================================================================================================+====================================================+================+===============+==================+
    | Allows: null<br/>Meta: readonly, no-sort                                                                                                                                                                                    | vendor_alert_count                                 | number         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel Alert Time first seen time<br/>Meta: immutable                                                                                                                                                                        | expel_alert_time                                   | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | URL to rule definition for alert<br/>Allows: "", null                                                                                                                                                                       | git_rule_url                                       | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null                                                                                                                                                                                                                | disposition_alerts_in_incidents_count              | number         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert alias<br/>Allows: "", null                                                                                                                                                                                      | expel_alias_name                                   | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null                                                                                                                                                                                                                | disposition_closed_alerts_count                    | number         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert name<br/>Allows: "", null                                                                                                                                                                                       | expel_name                                         | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert type<br/>Restricted to: "ENDPOINT", "NETWORK", "SIEM", "RULE_ENGINE", "EXTERNAL", "OTHER", "CLOUD"<br/>Allows: null                                                                                             | alert_type                                         | any            | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert version<br/>Allows: "", null                                                                                                                                                                                    | expel_version                                      | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Referring event id<br/>Allows: null                                                                                                                                                                                         | ref_event_id                                       | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null                                                                                                                                                                                                                | disposition_alerts_in_investigations_count         | number         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null                                                                                                                                                                                                                | disposition_disposed_alerts_count                  | number         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Status Updated At<br/>Allows: null<br/>Meta: readonly                                                                                                                                                                       | status_updated_at                                  | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                                                                                                                                                                        | created_at                                         | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | tuning requested                                                                                                                                                                                                            | tuning_requested                                   | boolean        | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert message<br/>Allows: "", null                                                                                                                                                                                    | expel_message                                      | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert close reason<br/>Restricted to: "FALSE_POSITIVE", "TRUE_POSITIVE", "OTHER", "ATTACK_FAILED", "POLICY_VIOLATION", "ACTIVITY_BLOCKED", "TESTING", "PUP_PUA", "BENIGN", "IT_MISCONFIGURATION"<br/>Allows: null   | close_reason                                       | any            | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null                                                                                                                                                                                                                | disposition_alerts_in_critical_incidents_count     | number         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null<br/>Meta: readonly, no-sort                                                                                                                                                                                    | activity_last_at                                   | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert signature<br/>Allows: "", null                                                                                                                                                                                  | expel_signature_id                                 | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: null<br/>Meta: readonly, no-sort                                                                                                                                                                                    | activity_first_at                                  | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert severity<br/>Restricted to: "CRITICAL", "HIGH", "MEDIUM", "LOW", "TESTING", "TUNING"<br/>Allows: null                                                                                                           | expel_severity                                     | any            | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly                                                                                                                                                                                   | updated_at                                         | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert close comment<br/>Allows: "", null                                                                                                                                                                              | close_comment                                      | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Expel alert status<br/>Restricted to: "OPEN", "IN_PROGRESS", "CLOSED"<br/>Allows: null                                                                                                                                      | status                                             | string         | Y             | N                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | similar_alerts                                     | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | investigative_actions                              | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | updated_by                                         | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | status_last_updated_by                             | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | organization                                       | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | expel_alert_histories                              | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | coincident_vendor_alerts                           | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | source_ip_addresses                                | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | vendor                                             | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | vendor_alerts                                      | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | created_by                                         | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | related_investigations                             | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | context_labels                                     | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | assigned_to_actor                                  | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | investigation                                      | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | evidence                                           | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | related_investigations_via_involved_host_ips       | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | destination_ip_addresses                           | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | customer                                           | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                                                                                                                         | investigative_action_histories                     | object         | N             | Y                |
    +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type of this entry; the response wrapper reads it as cls._api_type.
    _api_type = 'expel_alerts'

    # Attribute fields, in the order the API lists them. The enumerations given as
    # "Restricted to" in the table (alert_type, close_reason, expel_severity, status)
    # are the only values the API documents for those fields; when filtering on
    # them, use those exact strings.
    _def_attributes = [
        "vendor_alert_count", "expel_alert_time", "git_rule_url",
        "disposition_alerts_in_incidents_count", "expel_alias_name",
        "disposition_closed_alerts_count", "expel_name", "alert_type",
        "expel_version", "ref_event_id",
        "disposition_alerts_in_investigations_count",
        "disposition_disposed_alerts_count", "status_updated_at", "created_at",
        "tuning_requested", "expel_message", "close_reason",
        "disposition_alerts_in_critical_incidents_count", "activity_last_at",
        "expel_signature_id", "activity_first_at", "expel_severity",
        "updated_at", "close_comment", "status",
    ]

    # Related resources (table rows with Relationship == Y), in API order.
    _def_relationships = [
        "similar_alerts", "investigative_actions", "updated_by",
        "status_last_updated_by", "organization", "expel_alert_histories",
        "coincident_vendor_alerts", "source_ip_addresses", "vendor",
        "vendor_alerts", "created_by", "related_investigations",
        "context_labels", "assigned_to_actor", "investigation", "evidence",
        "related_investigations_via_involved_host_ips",
        "destination_ip_addresses", "customer",
        "investigative_action_histories",
    ]
class NistSubcategoryScoreHistories(BaseEntry):
    '''
    NIST Subcategory Score History.

    Valid filter-by parameters are listed below. Rows with ``Attribute == Y``
    are plain fields; rows with ``Relationship == Y`` are related resources.
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Field Description                                                                                                   | Field Name                 | Field Type     | Attribute     | Relationship     |
    +=====================================================================================================================+============================+================+===============+==================+
    | NIST subcategory score history action<br/>Restricted to: "SCORE_UPDATED", "COMMENT_UPDATED", "PRIORITY_UPDATED"   | action                     | any            | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Organization actual score for this nist subcategory                                                                 | actual_score               | number         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Organization target score for this nist subcategory                                                                 | target_score               | number         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                                                                | created_at                 | string         | Y             | N                |
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                 | created_by                 | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description                                                                                                 | nist_subcategory_score     | object         | N             | Y                |
    +---------------------------------------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type of this entry; the response wrapper reads it as cls._api_type.
    _api_type = 'nist_subcategory_score_histories'

    # Attribute fields in API order. `action` is limited to the three
    # "Restricted to" values in the table; `created_at` is read-only.
    _def_attributes = [
        "action",
        "actual_score",
        "target_score",
        "created_at",
    ]

    # Related resources (table rows with Relationship == Y).
    _def_relationships = [
        "created_by",
        "nist_subcategory_score",
    ]
class CustomerEmMeta(BaseEntry):
    '''
    Defines/retrieves expel.io customer_em_meta records.

    Valid filter-by parameters are listed below. Rows with ``Attribute == Y``
    are plain fields; rows with ``Relationship == Y`` are related resources.
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    | Field Description                                                                                          | Field Name         | Field Type     | Attribute     | Relationship     |
    +============================================================================================================+====================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly                                                                  | updated_at         | string         | Y             | N                |
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    | Renewal Status<br/>Restricted to: "WONT_RENEW", "AT_RISK", "WILL_RENEW", "WILL_REFER"<br/>Allows: null    | renewal_status     | any            | Y             | N                |
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                                                       | created_at         | string         | Y             | N                |
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    | Missing Description                                                                                        | created_by         | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    | Missing Description                                                                                        | customer           | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    | Missing Description                                                                                        | updated_by         | object         | N             | Y                |
    +------------------------------------------------------------------------------------------------------------+--------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type of this entry; the response wrapper reads it as cls._api_type.
    _api_type = 'customer_em_meta'

    # Attribute fields in API order; `renewal_status` is limited to the
    # "Restricted to" values in the table (or null), the timestamps are read-only.
    _def_attributes = [
        "updated_at",
        "renewal_status",
        "created_at",
    ]

    # Related resources (table rows with Relationship == Y).
    _def_relationships = [
        "created_by",
        "customer",
        "updated_by",
    ]
class ContextLabels(BaseEntry):
    '''
    Defines/retrieves expel.io context_label records.

    Valid filter-by parameters are listed below. Rows with ``Attribute == Y``
    are plain fields; rows with ``Relationship == Y`` are related resources.
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Field Description                                                                | Field Name                | Field Type     | Attribute     | Relationship     |
    +==================================================================================+===========================+================+===============+==================+
    | Definition<br/>Meta: no-sort                                                     | definition                | object         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Title<br/>Allows: null, ""                                                       | title                     | string         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly                                             | created_at                | string         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly                                        | updated_at                | string         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Metadata about the context label<br/>Allows: null<br/>Meta: no-sort              | metadata                  | object         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Description<br/>Allows: null, ""                                                 | description               | string         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Date/Time of when the context_label should start being tested                    | starts_at                 | string         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Date/Time of when the context_label should end being tested<br/>Allows: null     | ends_at                   | string         | Y             | N                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | investigations            | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | updated_by                | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | timeline_entries          | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | created_by                | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | organization              | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | expel_alerts              | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | context_label_actions     | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    | Missing Description                                                              | context_label_tags        | object         | N             | Y                |
    +----------------------------------------------------------------------------------+---------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type of this entry; the response wrapper reads it as cls._api_type.
    _api_type = 'context_labels'

    # Attribute fields in API order. `definition` and `metadata` are JSON objects
    # flagged no-sort in the table; `starts_at`/`ends_at` bound the window in
    # which the label is tested (`ends_at` may be null, i.e. open-ended).
    _def_attributes = [
        "definition",
        "title",
        "created_at",
        "updated_at",
        "metadata",
        "description",
        "starts_at",
        "ends_at",
    ]

    # Related resources (table rows with Relationship == Y), in API order.
    _def_relationships = [
        "investigations",
        "updated_by",
        "timeline_entries",
        "created_by",
        "organization",
        "expel_alerts",
        "context_label_actions",
        "context_label_tags",
    ]
class ExpelAlertThresholds(BaseEntry):
    '''
    Defines/retrieves expel.io expel_alert_threshold records.

    Valid filter-by parameters are listed below. Rows with ``Attribute == Y``
    are plain fields; rows with ``Relationship == Y`` are related resources.
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Field Description                             | Field Name                          | Field Type     | Attribute     | Relationship     |
    +===============================================+=====================================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly     | updated_at                          | string         | Y             | N                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Name                                          | name                                | string         | Y             | N                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Threshold value                               | threshold                           | number         | Y             | N                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly          | created_at                          | string         | Y             | N                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                           | created_by                          | object         | N             | Y                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                           | suppressed_by                       | object         | N             | Y                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                           | suppresses                          | object         | N             | Y                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                           | updated_by                          | object         | N             | Y                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    | Missing Description                           | expel_alert_threshold_histories     | object         | N             | Y                |
    +-----------------------------------------------+-------------------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type of this entry; the response wrapper reads it as cls._api_type.
    _api_type = 'expel_alert_thresholds'

    # Attribute fields in API order; `threshold` is the numeric threshold value,
    # the two timestamps are read-only.
    _def_attributes = [
        "updated_at",
        "name",
        "threshold",
        "created_at",
    ]

    # Related resources (table rows with Relationship == Y). `suppressed_by` and
    # `suppresses` link thresholds to each other; the history relationship
    # records changes to a threshold, which is what an auditor would review
    # to see when alert suppression thresholds were changed and by whom.
    _def_relationships = [
        "created_by",
        "suppressed_by",
        "suppresses",
        "updated_by",
        "expel_alert_threshold_histories",
    ]
class UserAccountRoles(BaseEntry):
    '''
    Defines/retrieves expel.io ``user_account_role`` records.

    Records of this type can be filtered on the fields below. Attributes are
    plain values carried on the record; relationships are links to other
    resource objects.

    Attributes (filterable):
        updated_at (string): Last Updated timestamp. Meta: readonly.
        active (boolean): If this role is active.
        assignable (boolean): Can user be assigned items (e.g. investigations, etc).
        role (any): User account role for this organization. Restricted to:
            "expel_admin", "expel_analyst", "organization_admin",
            "organization_analyst", "system", "anonymous".
        created_at (string): Created timestamp. Meta: readonly.

    Relationships (filterable; the API schema provides no description for them):
        created_by (object)
        organization (object)
        user_account (object)
        updated_by (object)

    NOTE(review): ``role`` looks like the authorization level a user holds in
    an organization; writes to it should be treated as privileged -- confirm
    the server enforces who may change it rather than relying on this client.
    '''

    # JSON API resource type for this entry (used when building request URLs).
    _api_type = 'user_account_roles'

    # Attribute names the API exposes for this resource, as documented above.
    _def_attributes = [
        "updated_at",
        "active",
        "assignable",
        "role",
        "created_at",
    ]

    # Relationship names the API exposes for this resource, as documented above.
    _def_relationships = [
        "created_by",
        "organization",
        "user_account",
        "updated_by",
    ]
class CustomerDevices(BaseEntry):
    '''
    Organization devices.

    Records of this type can be filtered on the fields below. Attributes are
    plain values carried on the record; relationships are links to other
    resource objects.

    Attributes (filterable):
        location (string): Location of organization device. Allows: "", null.
        vpn_ip (string): Organization device VPN ip address. Allows: null.
        created_at (string): Created timestamp. Meta: readonly.
        lifecycle_status (any): Organization device life cycle status.
            Restricted to: "New", "Authorized", "Transitioning", "Transitioned",
            "Transition Failed", "Configuring", "Configuration Failed", "Active",
            "Inactive", "Deleted". Allows: null.
        status_updated_at (string): Organization device last status update
            timestamp. Meta: readonly.
        install_code (string): Organization device install code. Allows: null.
        deleted_at (string): Deleted At timestamp. Allows: null.
        name (string): Name of organization device. Allows: "", null.
        updated_at (string): Last Updated timestamp. Meta: readonly.
        connection_status (any): Organization device connection status.
            Restricted to: "Never Connected", "Connection Lost",
            "Connected to Provisioning", "Connected to Service". Allows: null.
        connection_status_updated_at (string): Organization device connection
            status update timestamp. Meta: readonly.
        status (string): Organization device status. Allows: "", null.
            Meta: readonly, no-sort.
        lifecycle_status_updated_at (string): Organization device lifecycle
            status update timestamp. Meta: readonly.

    Relationships (filterable; the API schema provides no description for them):
        vendor_devices (object)
        vendor_alerts (object)
        updated_by (object)
        created_by (object)
        organization (object)
        customer (object)

    NOTE(review): ``install_code`` and ``vpn_ip`` look like device enrollment
    and network details; confirm they are kept out of logs and exports before
    printing or persisting records of this type.
    '''

    # JSON API resource type for this entry (used when building request URLs).
    _api_type = 'customer_devices'

    # Attribute names the API exposes for this resource, as documented above.
    _def_attributes = [
        "location",
        "vpn_ip",
        "created_at",
        "lifecycle_status",
        "status_updated_at",
        "install_code",
        "deleted_at",
        "name",
        "updated_at",
        "connection_status",
        "connection_status_updated_at",
        "status",
        "lifecycle_status_updated_at",
    ]

    # Relationship names the API exposes for this resource, as documented above.
    _def_relationships = [
        "vendor_devices",
        "vendor_alerts",
        "updated_by",
        "created_by",
        "organization",
        "customer",
    ]
class Investigations(BaseEntry): | |
''' | |
Investigations | |
Below are valid filter by parameters: | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Field Description | Field Name | Field Type | Attribute | Relationship | | |
+=====================================================================================================================================================================================================================================================================================+==================================================+================+===============+==================+ | |
| Analyst Severity<br/>Restricted to: "CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"<br/>Allows: null | analyst_severity | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Is Incident | is_incident | boolean | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Threat Type<br/>Restricted to: "TARGETED", "NON_TARGETED", "POLICY_VIOLATION", "UNKNOWN"<br/>Allows: null | threat_type | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Title<br/>Allows: "", null | title | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Incident Status timestamp<br/>Allows: null<br/>Meta: readonly | is_incident_status_updated_at | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Critical Comment<br/>Allows: "", null | critical_comment | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Investigation short link<br/>Meta: readonly | short_link | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Lead Description<br/>Allows: null | lead_description | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Detection Type<br/>Restricted to: "UNKNOWN", "ENDPOINT", "SIEM", "NETWORK", "EXPEL", "HUNTING", "CLOUD"<br/>Allows: null | detection_type | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Close Comment<br/>Allows: "", null | close_comment | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Attack Timing<br/>Restricted to: "HISTORICAL", "PRESENT"<br/>Allows: null | attack_timing | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Attack Vector<br/>Restricted to: "DRIVE_BY", "PHISHING", "PHISHING_LINK", "PHISHING_ATTACHMENT", "REV_MEDIA", "SPEAR_PHISHING", "SPEAR_PHISHING_LINK", "SPEAR_PHISHING_ATTACHMENT", "STRAG_WEB_COMP", "SERVER_SIDE_VULN", "CRED_THEFT", "MISCONFIG", "UNKNOWN"<br/>Allows: null | attack_vector | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Is surge | is_surge | boolean | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Created timestamp<br/>Meta: readonly | created_at | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Threat Nature<br/>Restricted to: "MASS_MALWARE", "APT"<br/>Allows: null | threat_nature | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Source Reason<br/>Restricted to: "HUNTING", "ORGANIZATION_REPORTED", "DISCOVERY"<br/>Allows: null | source_reason | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Decision<br/>Restricted to: "FALSE_POSITIVE", "TRUE_POSITIVE", "CLOSED", "OTHER", "ATTACK_FAILED", "POLICY_VIOLATION", "ACTIVITY_BLOCKED", "TESTING", "PUP_PUA", "BENIGN", "IT_MISCONFIGURATION"<br/>Allows: null | decision | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Status Updated At<br/>Allows: null<br/>Meta: readonly | status_updated_at | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Deleted At timestamp<br/>Allows: null | deleted_at | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Review Requested At<br/>Allows: null | review_requested_at | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Attack Lifecycle<br/>Restricted to: "INITIAL_RECON", "DELIVERY", "EXPLOITATION", "INSTALLATION", "COMMAND_CONTROL", "LATERAL_MOVEMENT", "ACTION_TARGETS", "UNKNOWN"<br/>Allows: null | attack_lifecycle | any | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Meta: readonly, no-sort | has_hunting_status | boolean | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Is downgrade | is_downgrade | boolean | Y | N | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | timeline_entries | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | status_last_updated_by | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | related_investigations_via_involved_host_ips | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | customer | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | source_ip_addresses | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | review_requested_by | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | comment_histories | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | lead_expel_alert | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | expel_alert_histories | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization_resilience_actions | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | comments | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | hunting_statuses | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | expel_alerts | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | destination_ip_addresses | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | customer_resilience_actions | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | investigative_action_histories | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | investigative_actions | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | updated_by | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | investigation_histories | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | investigation_resilience_actions | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | organization | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | context_label_actions | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | remediation_actions | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | files | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | context_labels | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | assigned_to_actor | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | created_by | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | evidence | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | findings | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | ip_addresses | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
| Missing Description | remediation_action_histories | object | N | Y | | |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+ | |
''' | |
# Resource type under which investigations are addressed by the JSON API
# client (JsonResp reads it as ``cls._api_type``).
_api_type = 'investigations'

# Attributes the API exposes on an investigation record (``Attribute = Y``
# rows of the schema table above); kept as a list, as BaseEntry consumers
# expect.
_def_attributes = [
    "analyst_severity",
    "is_incident",
    "threat_type",
    "title",
    "is_incident_status_updated_at",
    "critical_comment",
    "short_link",
    "lead_description",
    "detection_type",
    "close_comment",
    "attack_timing",
    "attack_vector",
    "is_surge",
    "created_at",
    "threat_nature",
    "source_reason",
    "decision",
    "status_updated_at",
    "deleted_at",
    "review_requested_at",
    "attack_lifecycle",
    "has_hunting_status",
    "updated_at",
    "is_downgrade",
]

# Relationships an investigation can be linked through (``Relationship = Y``
# rows of the schema table above).
_def_relationships = [
    "timeline_entries",
    "status_last_updated_by",
    "related_investigations_via_involved_host_ips",
    "customer",
    "source_ip_addresses",
    "review_requested_by",
    "comment_histories",
    "lead_expel_alert",
    "expel_alert_histories",
    "organization_resilience_actions",
    "comments",
    "hunting_statuses",
    "expel_alerts",
    "destination_ip_addresses",
    "customer_resilience_actions",
    "investigative_action_histories",
    "investigative_actions",
    "updated_by",
    "investigation_histories",
    "investigation_resilience_actions",
    "organization",
    "context_label_actions",
    "remediation_actions",
    "files",
    "context_labels",
    "assigned_to_actor",
    "created_by",
    "evidence",
    "findings",
    "ip_addresses",
    "remediation_action_histories",
]
class OrganizationEmMeta(BaseEntry):
    '''
    Defines/retrieves expel.io ``organization_em_meta`` records.

    Fields usable in ``filter_by`` calls:

    Attributes (``Attribute = Y``, ``Relationship = N``):
      * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
      * ``renewal_status`` (any) -- Renewal Status. Restricted to:
        "WONT_RENEW", "AT_RISK", "WILL_RENEW", "WILL_REFER". Allows: null.
      * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Relationships (``Attribute = N``, ``Relationship = Y``, type object):
      * ``created_by``
      * ``organization``
      * ``updated_by``
    '''

    # JSON API resource type; JsonResp reads it as ``cls._api_type``.
    _api_type = 'organization_em_meta'

    # Attribute names exposed by the API for this resource.
    _def_attributes = [
        "updated_at",
        "renewal_status",
        "created_at",
    ]

    # Relationship names exposed by the API for this resource.
    _def_relationships = [
        "created_by",
        "organization",
        "updated_by",
    ]
class NistCategories(BaseEntry):
    '''
    Defines/retrieves expel.io ``nist_category`` records.

    Fields usable in ``filter_by`` calls:

    Attributes (``Attribute = Y``, ``Relationship = N``):
      * ``identifier`` (string) -- Nist category abbreviated identifier.
      * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
      * ``name`` (string) -- Nist category name.
      * ``function_type`` (any) -- Actor type. Restricted to:
        "IDENTIFY", "PROTECT", "DETECT", "RECOVER", "RESPOND".
      * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Relationships (``Attribute = N``, ``Relationship = Y``, type object):
      * ``created_by``
      * ``nist_subcategories``
      * ``updated_by``
    '''

    # JSON API resource type; JsonResp reads it as ``cls._api_type``.
    _api_type = 'nist_categories'

    # Attribute names exposed by the API for this resource.
    _def_attributes = [
        "identifier",
        "updated_at",
        "name",
        "function_type",
        "created_at",
    ]

    # Relationship names exposed by the API for this resource.
    _def_relationships = [
        "created_by",
        "nist_subcategories",
        "updated_by",
    ]
class Assemblers(BaseEntry):
    '''
    Assemblers.

    Fields usable in ``filter_by`` calls:

    Attributes (``Attribute = Y``, ``Relationship = N``):
      * ``location`` (string) -- Location of assembler. Allows: "", null.
      * ``vpn_ip`` (string) -- Assembler VPN ip address. Allows: null.
      * ``created_at`` (string) -- Created timestamp. Meta: readonly.
      * ``lifecycle_status`` (any) -- Assembler life cycle status.
        Restricted to: "New", "Authorized", "Transitioning", "Transitioned",
        "Transition Failed", "Configuring", "Configuration Failed", "Active",
        "Inactive", "Deleted". Allows: null.
      * ``status_updated_at`` (string) -- Assembler last status update
        timestamp. Meta: readonly.
      * ``install_code`` (string) -- Assembler install code. Allows: null.
        NOTE(review): this reads like an enrollment credential; keep it out
        of logs and exported records -- confirm against the API docs.
      * ``deleted_at`` (string) -- Deleted At timestamp. Allows: null.
      * ``name`` (string) -- Name of assembler. Allows: "", null.
      * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
      * ``connection_status`` (any) -- Assembler connection status.
        Restricted to: "Never Connected", "Connection Lost",
        "Connected to Provisioning", "Connected to Service". Allows: null.
      * ``connection_status_updated_at`` (string) -- Assembler connection
        status update timestamp. Meta: readonly.
      * ``status`` (string) -- Assembler status. Allows: "", null.
        Meta: readonly, no-sort.
      * ``lifecycle_status_updated_at`` (string) -- Assembler lifecycle
        status update timestamp. Meta: readonly.

    Relationships (``Attribute = N``, ``Relationship = Y``, type object):
      * ``vendor_devices``
      * ``vendor_alerts``
      * ``updated_by``
      * ``created_by``
      * ``organization``
      * ``customer``
      * ``security_devices``
    '''

    # JSON API resource type; JsonResp reads it as ``cls._api_type``.
    _api_type = 'assemblers'

    # Attribute names exposed by the API for this resource.
    _def_attributes = [
        "location",
        "vpn_ip",
        "created_at",
        "lifecycle_status",
        "status_updated_at",
        "install_code",
        "deleted_at",
        "name",
        "updated_at",
        "connection_status",
        "connection_status_updated_at",
        "status",
        "lifecycle_status_updated_at",
    ]

    # Relationship names exposed by the API for this resource.
    _def_relationships = [
        "vendor_devices",
        "vendor_alerts",
        "updated_by",
        "created_by",
        "organization",
        "customer",
        "security_devices",
    ]
class AssetGroups(BaseEntry):
    '''
    Organization asset groups.

    Fields usable in ``filter_by`` calls:

    Attributes (``Attribute = Y``, ``Relationship = N``):
      * ``group_type`` (any) -- Restricted to: "DOMAIN_CONTROLLER",
        "EXCHANGE_SERVER", "MAIL_SERVER", "FILE_SERVER", "DNS_SERVER",
        "DHCP_SERVER", "DB_SERVER", "POINT_OF_SALE", "DMZ", "VPN",
        "SERVICE_ACCOUNT", "ADMINISTRATOR_ACCOUNT", "ENGINEERS",
        "HUMAN_RESOURCES", "SECURITY_STAFF", "SCANNER", "PEN_TEST",
        "OTHER_HIGH_VALUE".
      * ``start_at`` (string) -- Allows: null.
      * ``group_name`` (string) -- no description provided by the schema.
      * ``end_at`` (string) -- Allows: null.

    Relationships (``Attribute = N``, ``Relationship = Y``, type object):
      * ``organization``
      * ``customer``
      * ``assets``
    '''

    # JSON API resource type; JsonResp reads it as ``cls._api_type``.
    _api_type = 'asset_groups'

    # Attribute names exposed by the API for this resource.
    _def_attributes = [
        "group_type",
        "start_at",
        "group_name",
        "end_at",
    ]

    # Relationship names exposed by the API for this resource.
    _def_relationships = [
        "organization",
        "customer",
        "assets",
    ]
class ApiKeys(BaseEntry):
    '''
    Defines/retrieves expel.io ``api_key`` records. These can only be
    created by a user and require an OTP token.

    Fields usable in ``filter_by`` calls:

    Attributes (``Attribute = Y``, ``Relationship = N``):
      * ``role`` (any) -- Role. Restricted to: "expel_admin",
        "expel_analyst", "organization_admin", "organization_analyst",
        "system", "anonymous".
      * ``name`` (string) -- no description provided by the schema.
      * ``assignable`` (boolean) -- Can Api key be assigned items
        (e.g. investigations, etc).
      * ``created_at`` (string) -- Created timestamp. Meta: readonly.
      * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
      * ``realm`` (any) -- Realm in which the api key can be used.
        Restricted to: "public", "internal".
      * ``active`` (boolean) -- Active. Allows: null.
      * ``access_token`` (string) -- Only upon initial api key creation
        (POST), contains the bearer api key token required for api access.
        Meta: readonly, no-sort. Because it is a bearer credential, do not
        log, print or persist the creation response beyond handing the
        token to its owner; later reads do not return it.
      * ``display_name`` (string) -- Display name. Allows: null.

    Relationships (``Attribute = N``, ``Relationship = Y``, type object):
      * ``created_by``
      * ``organization``
      * ``customer``
      * ``updated_by``
    '''

    # JSON API resource type; JsonResp reads it as ``cls._api_type``.
    _api_type = 'api_keys'

    # Attribute names exposed by the API for this resource. ``access_token``
    # is listed so the creation response can be read; see the docstring.
    _def_attributes = [
        "role",
        "name",
        "assignable",
        "created_at",
        "updated_at",
        "realm",
        "active",
        "access_token",
        "display_name",
    ]

    # Relationship names exposed by the API for this resource.
    _def_relationships = [
        "created_by",
        "organization",
        "customer",
        "updated_by",
    ]
class UserAccounts(BaseEntry):
    '''
    JSON API resource wrapper for the ``user_accounts`` endpoint.

    The field table below is the server's own schema listing and is kept as the
    reference for which names are accepted in filter-by queries. Several of the
    attributes enumerated in ``_def_attributes`` -- ``password_reset_token``,
    ``password_reset_token_expires_at``, ``invite_token`` and
    ``invite_token_expires_at`` -- are flagged ``Meta: readonly, private`` in that
    table, i.e. they are credential material. Whether the base class redacts them
    when a record is printed or serialised is not established here, so callers
    should avoid logging, pretty-printing or persisting whole user records without
    stripping those fields first.

    Below are valid filter by parameters:
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===========================================================================================================================================+===================================================+================+===============+==================+
    | Language<br/>Allows: "", null | language | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Locale<br/>Allows: "", null | locale | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Is an engagement manager | engagement_manager | boolean | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Can user be assigned items (e.g. investigations, etc) | assignable | boolean | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Password reset token<br/>Allows: null<br/>Meta: readonly, private | password_reset_token | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Invite token expiry<br/>Allows: null<br/>Meta: readonly, private | invite_token_expires_at | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Email | email | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Last Name | last_name | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Phone number<br/>Allows: null | phone_number | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Restricted to: "ACTIVE", "LOCKED", "LOCKED_INVITED", "LOCKED_EXPIRED", "ACTIVE_INVITED", "ACTIVE_EXPIRED"<br/>Meta: readonly, no-sort | active_status | any | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Timezone<br/>Allows: "", null | timezone | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Password reset token expiry<br/>Allows: null<br/>Meta: readonly, private | password_reset_token_expires_at | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Active<br/>Allows: null | active | boolean | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Invite token<br/>Allows: null<br/>Meta: readonly, private | invite_token | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | First Name | first_name | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Display name<br/>Allows: "", null | display_name | string | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Homepage preferences<br/>Allows: null<br/>Meta: no-sort | homepage_preferences | object | Y | N |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | actor | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_organization_resilience_actions | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_investigations | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | user_account_roles | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_remediation_actions | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_organization_resilience_actions_list | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_customer_resilience_actions_list | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_customer_resilience_actions | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | user_account_status | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | organizations | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | notification_preferences | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | analysis_assigned_investigative_actions | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_expel_alerts | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_investigative_actions | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | ui_discoveries | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | primary_organization | object | N | Y |
    +-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    '''
    # Resource type segment for this entry; used by the base class when addressing the API.
    _api_type = 'user_accounts'
    # Attribute names the server exposes for this resource, kept in the server's order.
    # The four *_token / *_expires_at entries are "readonly, private" per the schema table.
    _def_attributes = [
        "language",
        "locale",
        "engagement_manager",
        "assignable",
        "created_at",
        "password_reset_token",
        "invite_token_expires_at",
        "email",
        "last_name",
        "phone_number",
        "active_status",
        "timezone",
        "password_reset_token_expires_at",
        "updated_at",
        "active",
        "invite_token",
        "first_name",
        "display_name",
        "homepage_preferences",
    ]
    # Relationship names the server exposes for this resource, kept in the server's order.
    _def_relationships = [
        "updated_by",
        "actor",
        "assigned_organization_resilience_actions",
        "assigned_investigations",
        "user_account_roles",
        "assigned_remediation_actions",
        "assigned_organization_resilience_actions_list",
        "assigned_customer_resilience_actions_list",
        "assigned_customer_resilience_actions",
        "user_account_status",
        "organizations",
        "notification_preferences",
        "analysis_assigned_investigative_actions",
        "created_by",
        "assigned_expel_alerts",
        "assigned_investigative_actions",
        "ui_discoveries",
        "customer",
        "primary_organization",
    ]
class Customers(BaseEntry):
    '''
    JSON API resource wrapper for the ``customers`` endpoint (expel.io customer records).

    The field table below is the server's own schema listing and is kept as the
    reference for which names are accepted in filter-by queries. Note that
    ``vault_token``, ``vault_token_expires``, ``o365_tenant_id`` and ``prospect``
    are flagged ``Meta: private`` in that table yet appear in ``_def_attributes``;
    ``vault_token`` in particular is secret material. Whether the base class
    redacts these when a record is printed or serialised is not established here,
    so callers should strip them before logging or persisting whole customer
    records.

    Below are valid filter by parameters:
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +====================================================================================+===================================================+================+===============+==================+
    | The customer's primary industry<br/>Allows: "", null | industry | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | City<br/>Allows: "", null | city | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Number of nodes covered for this customer<br/>Allows: null | nodes_count | number | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | State/Province/Region<br/>Allows: "", null | region | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Number of users covered for this customer<br/>Allows: null | users_count | number | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Vault Token<br/>Allows: null<br/>Meta: private | vault_token | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Address 2<br/>Allows: "", null | address_2 | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | o365 Terms of Service identifier (e.g. hubspot id, etc.)<br/>Allows: null | o365_tos_id | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Allows: "", null | hq_utc_offset | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Address 1<br/>Allows: "", null | address_1 | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Customer short name<br/>Allows: null | short_name | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Customer service renewal date<br/>Allows: null | service_renewal_at | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Postal Code<br/>Allows: null | postal_code | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Is surge | is_surge | boolean | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Is Prospective/Demo Customer<br/>Meta: private | prospect | boolean | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Country Code<br/>Allows: null | country_code | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Customer service start date<br/>Allows: null | service_start_at | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | o365 Microsoft tenant id<br/>Allows: null<br/>Meta: private | o365_tenant_id | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Deleted At timestamp<br/>Allows: null | deleted_at | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | The customer's operating name | name | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | The city where the organization's headquarters is located<br/>Allows: "", null | hq_city | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Allows: null<br/>Meta: private | vault_token_expires | string | Y | N |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | configurations | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | vendor_alerts | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | expel_users | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | user_accounts | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_organization_resilience_actions_list | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | security_devices | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_customer_resilience_actions_list | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | features | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | files | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | expel_alert_histories | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assignables | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | notification_preferences | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_expel_alerts | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_organization_resilience_actions | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_resilience_action_groups | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_resilience_actions | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | vendor_devices | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | api_keys | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_investigative_actions | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_investigations | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | investigation_histories | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | investigations | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_remediation_actions | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | expel_alerts | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | engagement_manager | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | products | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assigned_customer_resilience_actions | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_em_meta | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | assemblers | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_devices | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | analysis_assigned_investigative_actions | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | actor | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | integrations | object | N | Y |
    +------------------------------------------------------------------------------------+---------------------------------------------------+----------------+---------------+------------------+
    '''
    # Resource type segment for this entry; used by the base class when addressing the API.
    _api_type = 'customers'
    # Attribute names the server exposes for this resource, kept in the server's order.
    # vault_token, prospect, o365_tenant_id and vault_token_expires are "private" per the schema table.
    _def_attributes = [
        "industry",
        "city",
        "nodes_count",
        "region",
        "users_count",
        "vault_token",
        "address_2",
        "o365_tos_id",
        "hq_utc_offset",
        "address_1",
        "short_name",
        "service_renewal_at",
        "postal_code",
        "is_surge",
        "prospect",
        "country_code",
        "created_at",
        "service_start_at",
        "o365_tenant_id",
        "deleted_at",
        "name",
        "hq_city",
        "updated_at",
        "vault_token_expires",
    ]
    # Relationship names the server exposes for this resource, kept in the server's order.
    _def_relationships = [
        "configurations",
        "vendor_alerts",
        "updated_by",
        "expel_users",
        "user_accounts",
        "assigned_organization_resilience_actions_list",
        "security_devices",
        "assigned_customer_resilience_actions_list",
        "features",
        "files",
        "expel_alert_histories",
        "assignables",
        "notification_preferences",
        "assigned_expel_alerts",
        "assigned_organization_resilience_actions",
        "customer_resilience_action_groups",
        "customer_resilience_actions",
        "vendor_devices",
        "api_keys",
        "assigned_investigative_actions",
        "assigned_investigations",
        "investigation_histories",
        "investigations",
        "assigned_remediation_actions",
        "expel_alerts",
        "engagement_manager",
        "products",
        "assigned_customer_resilience_actions",
        "customer_em_meta",
        "assemblers",
        "customer_devices",
        "created_by",
        "analysis_assigned_investigative_actions",
        "actor",
        "integrations",
    ]
class ExpelAlertThresholdHistories(BaseEntry):
    '''
    Resource wrapper for expel.io ``expel_alert_threshold_history`` records.

    The class carries no behaviour of its own; ``BaseEntry`` reads the three
    class-level declarations below to know the JSON API resource type and which
    fields may be used as filter parameters.

    Filterable attributes:
        action (any)        Expel alert threshold history action.
                            Restricted to: "CREATED", "BREACHED", "ACKNOWLEDGED",
                            "RECOVERED", "DELETED"
        value (object)      Expel alert threshold history details.
                            Allows: null. Meta: no-sort
        created_at (string) Created timestamp. Meta: readonly

    Filterable relationships:
        created_by (object)
        expel_alert_threshold (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'expel_alert_threshold_histories'
    # Attribute names the API accepts as filter parameters.
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "created_by",
        "expel_alert_threshold",
    ]
class CustomerList(BaseEntry):
    '''
    Resource wrapper for the expel.io organization view (``customer_list``).

    Read-only summary rows for the organization listing; ``BaseEntry`` uses the
    class-level declarations below for URL construction and filter validation.

    Filterable attributes:
        service_renewal_at (string)
            Organization service renewal date. Allows: null
        industry (string)
            The organization's primary industry. Allows: "", null
        engagement_manager_name (string)
            Engagement manager name. Allows: "", null
        nodes_count (number)
            Number of nodes covered for this organization. Allows: null
        investigative_actions_assigned_to_customer (number)
            Number of investigative actions assigned to the organization, or
            any of that organization's analysts. Allows: null
        name (string)
            The organization's operating name. Allows: "", null
        vendor_device_health (string)
            Overall security device health. Allows: "", null
        open_investigation_count (number)
            Number of open investigations. Allows: null
        resilience_actions_ratio (number)
            Percent of resilience actions completed. Allows: null
        short_name (string)
            Organization short name. Allows: null
        tech_stack (string)
            Comma delimited list of organization's vendors. Allows: "", null
        service_start_at (string)
            Organization service start date. Allows: null
        resilience_actions_completed (number)
            Number of resilience actions completed by the organization.
            Allows: null
        open_incident_count (number)
            Number of open incidents. Allows: null
        remediation_actions_assigned_to_customer (number)
            Number of remediation actions assigned to the organization, or any
            of that organization's analysts. Allows: null
        users_count (number)
            Number of users covered for this organization. Allows: null
        investigative_actions_assigned_to_expel (number)
            Number of investigative actions assigned to Expel, or any Expel
            analyst. Allows: null
        resilience_actions_assigned (number)
            Number of resilience actions assigned to the organization.
            Allows: null

    Filterable relationships:
        customer (object)
        expel_user (object)
        products (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'customer_list'
    # Attribute names the API accepts as filter parameters (order preserved).
    _def_attributes = [
        "service_renewal_at",
        "industry",
        "engagement_manager_name",
        "nodes_count",
        "investigative_actions_assigned_to_customer",
        "name",
        "vendor_device_health",
        "open_investigation_count",
        "resilience_actions_ratio",
        "short_name",
        "tech_stack",
        "service_start_at",
        "resilience_actions_completed",
        "open_incident_count",
        "remediation_actions_assigned_to_customer",
        "users_count",
        "investigative_actions_assigned_to_expel",
        "resilience_actions_assigned",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "customer",
        "expel_user",
        "products",
    ]
class RemediationActionTypes(BaseEntry):
    '''
    Resource wrapper for expel.io ``remediation_action_type`` records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        updated_at (string)  Last Updated timestamp. Meta: readonly
        name (string)        Name
        template (object)    Remediation Action Template. Meta: no-sort
        created_at (string)  Created timestamp. Meta: readonly

    Filterable relationships:
        created_by (object)
        updated_by (object)
        remediation_actions (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'remediation_action_types'
    # Attribute names the API accepts as filter parameters.
    _def_attributes = [
        "updated_at",
        "name",
        "template",
        "created_at",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "created_by",
        "updated_by",
        "remediation_actions",
    ]
class ContextLabelTags(BaseEntry):
    '''
    Resource wrapper for expel.io ``context_label_tag`` records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        updated_at (string)   Last Updated timestamp. Meta: readonly
        metadata (object)     Metadata about the context label tag.
                              Allows: null. Meta: no-sort
        description (string)  Description. Allows: null, ""
        tag (string)          Tag
        created_at (string)   Created timestamp. Meta: readonly

    Filterable relationships:
        created_by (object)
        updated_by (object)
        organization (object)
        context_labels (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'context_label_tags'
    # Attribute names the API accepts as filter parameters.
    _def_attributes = [
        "updated_at",
        "metadata",
        "description",
        "tag",
        "created_at",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "created_by",
        "updated_by",
        "organization",
        "context_labels",
    ]
class CommentHistories(BaseEntry):
    '''
    Resource wrapper for expel.io ``comment_history`` records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        action (any)         Comment history action.
                             Restricted to: "CREATED", "UPDATED", "DELETED".
                             Allows: null
        value (object)       Comment history details. Allows: null.
                             Meta: no-sort
        created_at (string)  Created timestamp. Meta: readonly

    Filterable relationships:
        created_by (object)
        investigation (object)
        comment (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'comment_histories'
    # Attribute names the API accepts as filter parameters.
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "created_by",
        "investigation",
        "comment",
    ]
class Files(BaseEntry):
    '''
    Resource wrapper for expel.io ``files`` records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        updated_at (string)       Last Updated timestamp. Meta: readonly
        expel_file_type (string)  Expel file type. Allows: null, ""
        file_meta (object)        Metadata about the file. Allows: null.
                                  Meta: no-sort
        filename (string)         Filename
        created_at (string)       Created timestamp. Meta: readonly

    Filterable relationships:
        investigations (object)
        investigative_actions (object)
        updated_by (object)
        created_by (object)
        organization (object)
        customer (object)

    NOTE(review): ``filename`` arrives in the API payload and is presumably
    chosen by whoever uploaded the file; if a caller ever uses it to name a
    local path, strip directory components first rather than trusting it as-is.
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'files'
    # Attribute names the API accepts as filter parameters.
    _def_attributes = [
        "updated_at",
        "expel_file_type",
        "file_meta",
        "filename",
        "created_at",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "investigations",
        "investigative_actions",
        "updated_by",
        "created_by",
        "organization",
        "customer",
    ]
class OrganizationResilienceActions(BaseEntry):
    '''
    Resource wrapper for expel.io organization resilience action records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        visible (boolean)    Visible
        impact (any)         Impact. Restricted to: "LOW", "MEDIUM", "HIGH"
        title (string)       Title
        comment (string)     Comment. Allows: "", null
        created_at (string)  Created timestamp. Meta: readonly
        updated_at (string)  Last Updated timestamp. Meta: readonly
        category (any)       Category. Restricted to: "DISRUPT_ATTACKERS",
                             "ENABLE_DEFENDERS". Allows: null
        status (any)         Status. Restricted to: "TOP_PRIORITY",
                             "IN_PROGRESS", "WONT_DO", "COMPLETED"
        details (string)     Details

    Filterable relationships:
        source_resilience_action (object)
        investigation_resilience_actions (object)
        updated_by (object)
        investigations (object)
        created_by (object)
        organization (object)
        organization_resilience_action_group (object)
        assigned_to_actor (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'organization_resilience_actions'
    # Attribute names the API accepts as filter parameters (order preserved).
    _def_attributes = [
        "visible",
        "impact",
        "title",
        "comment",
        "created_at",
        "updated_at",
        "category",
        "status",
        "details",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "source_resilience_action",
        "investigation_resilience_actions",
        "updated_by",
        "investigations",
        "created_by",
        "organization",
        "organization_resilience_action_group",
        "assigned_to_actor",
    ]
class Comments(BaseEntry):
    '''
    Resource wrapper for expel.io ``comment`` records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        updated_at (string)  Last Updated timestamp. Meta: readonly
        comment (string)     Comment
        created_at (string)  Created timestamp. Meta: readonly

    Filterable relationships:
        created_by (object)
        investigation (object)
        comment_histories (object)
        updated_by (object)
        organization (object)
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'comments'
    # Attribute names the API accepts as filter parameters.
    _def_attributes = [
        "updated_at",
        "comment",
        "created_at",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "created_by",
        "investigation",
        "comment_histories",
        "updated_by",
        "organization",
    ]
class AssemblerImages(BaseEntry):
    '''
    Resource wrapper for expel.io assembler image records.

    Declarative only: ``BaseEntry`` consumes the class attributes below to
    build URLs and validate filter parameters.

    Filterable attributes:
        updated_at (string)    Last Updated timestamp. Meta: readonly
        size (number)          Assembler image size. Allows: null
        hash_md5 (string)      Assembler image md5 hash. Allows: null
        hash_sha256 (string)   Assembler image sha256 hash. Allows: null
        hash_sha1 (string)     Assembler image sha1 hash. Allows: null
        created_at (string)    Created timestamp. Meta: readonly
        release_date (string)  Assembler image release date. Allows: null
        version (string)       Assembler image version. Allows: "", null
        platform (any)         Platform. Restricted to: "VMWARE", "HYPERV",
                               "AZURE", "AMAZON"

    Filterable relationships:
        created_by (object)
        updated_by (object)

    NOTE(review): three digests are exposed; when a caller verifies a
    downloaded image against these values it should compare ``hash_sha256``
    (MD5 and SHA-1 are not collision-resistant) and be prepared for any of the
    three to be null.
    '''
    # JSON API resource type used when building request URLs.
    _api_type = 'assembler_images'
    # Attribute names the API accepts as filter parameters (order preserved).
    _def_attributes = [
        "updated_at",
        "size",
        "hash_md5",
        "hash_sha256",
        "hash_sha1",
        "created_at",
        "release_date",
        "version",
        "platform",
    ]
    # Relationship names the API accepts as filter parameters.
    _def_relationships = [
        "created_by",
        "updated_by",
    ]
class CustomerResilienceActionGroups(BaseEntry):
    '''
    Defines/retrieves expel.io customer_resilience_action_group records.

    Filterable attributes (field name -- field type -- description):

    * updated_at -- string -- Last Updated timestamp (Meta: readonly)
    * title -- string -- Group title
    * category -- any -- Organization Resilience Group Category;
      restricted to "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"
    * visible -- boolean -- Visible
    * created_at -- string -- Created timestamp (Meta: readonly)

    Filterable relationships (the API supplies no description for these):

    * created_by
    * customer
    * updated_by
    * source_resilience_action_group
    * customer_resilience_actions
    '''

    # JSON API resource type that identifies this kind of record.
    _api_type = 'customer_resilience_action_groups'
    # Attribute field names listed in the docstring above (order preserved).
    _def_attributes = [
        "updated_at",
        "title",
        "category",
        "visible",
        "created_at",
    ]
    # Relationship field names listed in the docstring above (order preserved).
    _def_relationships = [
        "created_by",
        "customer",
        "updated_by",
        "source_resilience_action_group",
        "customer_resilience_actions",
    ]
class CustomerResilienceActions(BaseEntry):
    '''
    Organization to resilience actions.

    Filterable attributes (field name -- field type -- description):

    * visible -- boolean -- Visible
    * impact -- any -- Impact; restricted to "LOW", "MEDIUM", "HIGH"
    * title -- string -- Title
    * comment -- string -- Comment; allows "", null
    * created_at -- string -- Created timestamp (Meta: readonly)
    * updated_at -- string -- Last Updated timestamp (Meta: readonly)
    * category -- any -- Category; restricted to "DISRUPT_ATTACKERS",
      "ENABLE_DEFENDERS"; allows null
    * status -- any -- Status; restricted to "TOP_PRIORITY", "IN_PROGRESS",
      "WONT_DO", "COMPLETED"
    * details -- string -- Details

    Filterable relationships (the API supplies no description for these):

    * source_resilience_action
    * investigation_resilience_actions
    * customer_resilience_action_group
    * updated_by
    * investigations
    * created_by
    * customer
    * assigned_to_actor
    '''

    # JSON API resource type that identifies this kind of record.
    _api_type = 'customer_resilience_actions'
    # Attribute field names listed in the docstring above (order preserved).
    _def_attributes = [
        "visible",
        "impact",
        "title",
        "comment",
        "created_at",
        "updated_at",
        "category",
        "status",
        "details",
    ]
    # Relationship field names listed in the docstring above (order preserved).
    _def_relationships = [
        "source_resilience_action",
        "investigation_resilience_actions",
        "customer_resilience_action_group",
        "updated_by",
        "investigations",
        "created_by",
        "customer",
        "assigned_to_actor",
    ]
class InvestigativeActionHistories(BaseEntry):
    '''
    Investigative action histories.

    Filterable attributes (field name -- field type -- description):

    * action -- any -- Investigative action history action; restricted to
      "CREATED", "ASSIGNED", "CLOSED"; allows null
    * value -- object -- Investigative action history details; allows null
      (Meta: no-sort)
    * created_at -- string -- Created timestamp (Meta: readonly)

    Filterable relationships (the API supplies no description for these):

    * created_by
    * investigation
    * expel_alert
    * assigned_to_actor
    * investigative_action
    '''

    # JSON API resource type that identifies this kind of record.
    _api_type = 'investigative_action_histories'
    # Attribute field names listed in the docstring above (order preserved).
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]
    # Relationship field names listed in the docstring above (order preserved).
    _def_relationships = [
        "created_by",
        "investigation",
        "expel_alert",
        "assigned_to_actor",
        "investigative_action",
    ]
class ExpelAlertGridV2(BaseEntry):
    '''
    Elastic search backed Alert Grid.

    Filterable attributes, grouped by how the API describes them.

    Date fields (type string; "May be a date or an ISO 8601 date";
    Meta: allowStringOperators):

    * alert_at
    * activity_last_at
    * activity_first_at
    * updated_at

    Nullable scalar fields ("Allows: null"):

    * vendor_alert_count -- number
    * tuning_requested -- boolean

    Fields that "May be a string or an array of strings"
    (Meta: allowStringOperators). All are of type alternatives except
    ``urls``, which the API types as string:

    * vendor_name
    * urls
    * process_arguments
    * source_ip_addresses
    * vendor_sig_name
    * expel_name
    * alert_type
    * destination_ip_addresses
    * process_path
    * assignee_name
    * expel_guid
    * parent_md5
    * process_md5
    * vendor_device_guid
    * usernames
    * parent_path
    * close_comment
    * expel_severity
    * parent_arguments
    * organization_name
    * hostnames
    * status

    Filterable relationships (the API supplies no description for these):

    * expel_alert
    * vendor
    * investigation
    * assigned_to_org
    * vendor_alerts
    * organization
    * assigned_to_actor
    * security_devices
    '''

    # JSON API resource type that identifies this kind of record.
    _api_type = 'expel_alert_grid_v2'
    # Attribute field names listed in the docstring above (order preserved).
    _def_attributes = [
        "alert_at",
        "vendor_alert_count",
        "vendor_name",
        "urls",
        "process_arguments",
        "source_ip_addresses",
        "vendor_sig_name",
        "expel_name",
        "alert_type",
        "destination_ip_addresses",
        "process_path",
        "assignee_name",
        "expel_guid",
        "parent_md5",
        "process_md5",
        "tuning_requested",
        "vendor_device_guid",
        "usernames",
        "parent_path",
        "activity_last_at",
        "activity_first_at",
        "close_comment",
        "expel_severity",
        "parent_arguments",
        "updated_at",
        "organization_name",
        "hostnames",
        "status",
    ]
    # Relationship field names listed in the docstring above (order preserved).
    _def_relationships = [
        "expel_alert",
        "vendor",
        "investigation",
        "assigned_to_org",
        "vendor_alerts",
        "organization",
        "assigned_to_actor",
        "security_devices",
    ]
class NistSubcategoryScores(BaseEntry):
    '''
    Latest NIST subcategory scores.

    Filterable attributes (field name -- field type -- description):

    * subcategory_name -- string -- allows "", null (Meta: readonly, no-sort)
    * target_score -- number -- Organization target score for this nist
      subcategory; allows null
    * is_priority -- boolean -- Organization nist subcategory is a priority
    * actual_score -- number -- Organization actual score for this nist
      subcategory; allows null
    * comment -- string -- Organization comment for this nist subcategory;
      allows "", null
    * created_at -- string -- Created timestamp (Meta: readonly)
    * updated_at -- string -- Last Updated timestamp (Meta: readonly)
    * category_identifier -- string -- allows "", null
      (Meta: readonly, no-sort)
    * function_type -- string -- allows "", null (Meta: readonly, no-sort)
    * category_name -- string -- allows "", null (Meta: readonly, no-sort)
    * subcategory_identifier -- string -- allows "", null
      (Meta: readonly, no-sort)

    Filterable relationships (the API supplies no description for these):

    * created_by
    * nist_subcategory_score_histories
    * nist_subcategory
    * updated_by
    * organization
    '''

    # JSON API resource type that identifies this kind of record.
    _api_type = 'nist_subcategory_scores'
    # Attribute field names listed in the docstring above (order preserved).
    _def_attributes = [
        "subcategory_name",
        "target_score",
        "is_priority",
        "actual_score",
        "comment",
        "created_at",
        "updated_at",
        "category_identifier",
        "function_type",
        "category_name",
        "subcategory_identifier",
    ]
    # Relationship field names listed in the docstring above (order preserved).
    _def_relationships = [
        "created_by",
        "nist_subcategory_score_histories",
        "nist_subcategory",
        "updated_by",
        "organization",
    ]
class OrganizationResilienceActionGroups(BaseEntry):
    '''
    Defines/retrieves expel.io organization_resilience_action_group records.

    Filterable attributes (field name -- field type -- description):

    * updated_at -- string -- Last Updated timestamp (Meta: readonly)
    * title -- string -- Group title
    * category -- any -- Organization Resilience Group Category;
      restricted to "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"
    * visible -- boolean -- Visible
    * created_at -- string -- Created timestamp (Meta: readonly)

    Filterable relationships (the API supplies no description for these):

    * created_by
    * organization_resilience_action_group_actions
    * organization
    * updated_by
    * source_resilience_action_group
    '''

    # JSON API resource type that identifies this kind of record.
    _api_type = 'organization_resilience_action_groups'
    # Attribute field names listed in the docstring above (order preserved).
    _def_attributes = [
        "updated_at",
        "title",
        "category",
        "visible",
        "created_at",
    ]
    # Relationship field names listed in the docstring above (order preserved).
    _def_relationships = [
        "created_by",
        "organization_resilience_action_group_actions",
        "organization",
        "updated_by",
        "source_resilience_action_group",
    ]
class InvestigationHistories(BaseEntry):
    '''
    Investigation histories
    Below are valid filter by parameters:
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +========================================================================================================================================+=======================+================+===============+==================+
    | Investigation history action<br/>Restricted to: "CREATED", "ASSIGNED", "CHANGED", "CLOSED", "SUMMARY", "REOPENED"<br/>Allows: null | action | any | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Investigation history details<br/>Allows: null<br/>Meta: no-sort | value | object | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Is Incidence | is_incident | boolean | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | customer | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | assigned_to_actor | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type for this entry; JsonResp reads it as cls._api_type
    # when it builds request URLs.
    _api_type = 'investigation_histories'
    # Filterable attribute names (rows with Attribute = Y above). `action` is an
    # audit-style enum (CREATED/ASSIGNED/.../REOPENED) and `value` is marked
    # no-sort in the table, so avoid sorting on it.
    _def_attributes = ["action", "value", "is_incident", "created_at"]
    # Relationship names (rows with Relationship = Y above). How BaseEntry consumes
    # these two lists is not visible in this chunk.
    _def_relationships = ["created_by", "investigation", "organization", "customer", "assigned_to_actor"]
class ResilienceActions(BaseEntry):
    '''
    Resilience actions
    Below are valid filter by parameters:
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +==========================================================================================+=============================+================+===============+==================+
    | Title | title | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Impact<br/>Restricted to: "LOW", "MEDIUM", "HIGH" | impact | any | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Category<br/>Restricted to: "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"<br/>Allows: null | category | any | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Details | details | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Missing Description | resilience_action_group | object | N | Y |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'resilience_actions'
    # Filterable attribute names (Attribute = Y above). `impact` is restricted to
    # LOW/MEDIUM/HIGH and `category` to DISRUPT_ATTACKERS/ENABLE_DEFENDERS (or null);
    # created_at/updated_at are server-managed (Meta: readonly).
    _def_attributes = ["title", "created_at", "updated_at", "impact", "category", "details"]
    # Relationship names (Relationship = Y above). How BaseEntry consumes these
    # two lists is not visible in this chunk.
    _def_relationships = ["created_by", "resilience_action_group", "updated_by"]
class Features(BaseEntry):
    '''
    Product features
    Below are valid filter by parameters:
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+===================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | name | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | organizations | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | customers | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | products | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'features'
    # Filterable attribute names (Attribute = Y above); only `name` is writable,
    # the timestamps are Meta: readonly.
    _def_attributes = ["updated_at", "name", "created_at"]
    # Relationship names (Relationship = Y above). How BaseEntry consumes these
    # two lists is not visible in this chunk.
    _def_relationships = ["created_by", "updated_by", "organizations", "customers", "products"]
class InvestigationResilienceActions(BaseEntry):
    '''
    Investigation to resilience actions
    Below are valid filter by parameters:
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+====================================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_resilience_action | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | organization_resilience_action | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'investigation_resilience_actions'
    # Filterable attribute names (Attribute = Y above). This is a link resource:
    # both attributes are server-managed timestamps (Meta: readonly), the real
    # content lives in the relationships below.
    _def_attributes = ["updated_at", "created_at"]
    # Relationship names (Relationship = Y above). Both a customer_ and an
    # organization_ variant of the resilience action are listed; which one a
    # given record populates is not determinable from this chunk.
    _def_relationships = ["created_by", "investigation", "customer_resilience_action", "updated_by",
                          "organization_resilience_action"]
class OrganizationList(BaseEntry):
    '''
    Retrieves expel.io organization records for the organization view
    Below are valid filter by parameters:
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===========================================================================================================================+====================================================+================+===============+==================+
    | Organization service renewal date<br/>Allows: null | service_renewal_at | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | The organization's primary industry<br/>Allows: "", null | industry | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Engagement manager name<br/>Allows: "", null | engagement_manager_name | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of users covered for this organization<br/>Allows: null | users_count | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of nodes covered for this organization<br/>Allows: null | nodes_count | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Overall security device health<br/>Allows: "", null | security_device_health | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Organization service start date<br/>Allows: null | service_start_at | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | The organization's operating name<br/>Allows: "", null | name | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of investigative actions assigned to Expel, or any Expel analyst<br/>Allows: null | investigative_actions_assigned_to_expel | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Percent of resilience actions completed<br/>Allows: null | resilience_actions_ratio | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Organization short name<br/>Allows: null | short_name | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Allows: "", null | hq_utc_offset | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of resilience actions completed by the organization<br/>Allows: null | resilience_actions_completed | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of open incidents<br/>Allows: null | open_incident_count | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of resilience actions assigned to the organization<br/>Allows: null | resilience_actions_assigned | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | The city where the organization's headquarters is located<br/>Allows: "", null | hq_city | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of open investigations<br/>Allows: null | open_investigation_count | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Comma delimited list of organization's vendors<br/>Allows: "", null | tech_stack | string | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of remediation actions assigned to the organization, or any of that organization's analysts<br/>Allows: null | remediation_actions_assigned_to_organization | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Number of investigative actions assigned to the organization, or any of that organization's analysts<br/>Allows: null | investigative_actions_assigned_to_organization | number | Y | N |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | user_account | object | N | Y |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | products | object | N | Y |
    +---------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'organization_list'
    # Filterable attribute names (Attribute = Y above). This is a read-model for
    # the organization view: every attribute is declared "Allows: null" (several
    # also allow ""), so consumers must tolerate None/empty on each field. Counts
    # such as open_incident_count are "number" typed; tech_stack is a single
    # comma-delimited string, not a list.
    _def_attributes = ["service_renewal_at", "industry", "engagement_manager_name", "users_count", "nodes_count",
                       "security_device_health", "service_start_at", "name", "investigative_actions_assigned_to_expel",
                       "resilience_actions_ratio", "short_name", "hq_utc_offset", "resilience_actions_completed",
                       "open_incident_count", "resilience_actions_assigned", "hq_city", "open_investigation_count",
                       "tech_stack", "remediation_actions_assigned_to_organization",
                       "investigative_actions_assigned_to_organization"]
    # Relationship names (Relationship = Y above). How BaseEntry consumes these
    # two lists is not visible in this chunk.
    _def_relationships = ["organization", "user_account", "products"]
class VendorAlerts(BaseEntry):
    '''
    Vendor alerts
    Below are valid filter by parameters:
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +========================================================================================================================+================================+================+===============+==================+
    | Signature ID<br/>Allows: "", null | signature_id | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Evidence summary<br/>Allows: null<br/>Meta: no-sort | evidence_summary | array | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Evidence activity start datetime<br/>Allows: null<br/>Meta: immutable | evidence_activity_start_at | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Allows: null<br/>Meta: immutable | original_alert_id | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Description<br/>Allows: "", null | description | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Vendor Sig Name<br/>Allows: "", null | vendor_sig_name | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Vendor Message<br/>Allows: "", null | vendor_message | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Evidence activity end datetime<br/>Allows: null<br/>Meta: immutable | evidence_activity_end_at | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Vendor alert severity<br/>Restricted to: "CRITICAL", "HIGH", "MEDIUM", "LOW", "TESTING", "TUNING"<br/>Allows: null | vendor_severity | any | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Status<br/>Restricted to: "NORMAL", "PROVISIONAL"<br/>Allows: null<br/>Meta: readonly | status | any | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | First Seen | first_seen | string | Y | N |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | vendor_device | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | customer | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | vendor | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | assembler | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | evidences | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_device | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | security_device | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | expel_alerts | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    | Missing Description | ip_addresses | object | N | Y |
    +------------------------------------------------------------------------------------------------------------------------+--------------------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'vendor_alerts'
    # Filterable attribute names (Attribute = Y above). Notes for consumers that
    # triage on these fields:
    #  * vendor_severity includes the non-production values "TESTING" and
    #    "TUNING" alongside CRITICAL..LOW, and may be null - filters that key on
    #    severity should decide explicitly how to treat those.
    #  * status is readonly and restricted to NORMAL / PROVISIONAL (or null).
    #  * evidence_summary is an array marked no-sort; the evidence_activity_*
    #    timestamps and original_alert_id are immutable once set.
    #  * vendor_sig_name / vendor_message / description are free-form vendor
    #    supplied strings (Allows: "", null) - treat them as untrusted text when
    #    rendering or templating them.
    _def_attributes = ["signature_id", "evidence_summary", "created_at", "evidence_activity_start_at",
                       "original_alert_id", "description", "vendor_sig_name", "vendor_message", "updated_at",
                       "evidence_activity_end_at", "vendor_severity", "status", "first_seen"]
    # Relationship names (Relationship = Y above). Both customer_device and
    # security_device (and customer / organization) are listed; which pair a
    # record populates is not determinable from this chunk.
    _def_relationships = ["vendor_device", "updated_by", "organization", "customer", "vendor", "assembler", "evidences",
                          "customer_device", "created_by", "security_device", "expel_alerts", "ip_addresses"]
class ContextLabelActions(BaseEntry):
    '''
    Defines/retrieves expel.io context_label_action records
    Below are valid filter by parameters:
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=================================================================+======================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | What action to take<br/>Restricted to: "ALERT_ON", "ADD_TO" | action_type | any | Y | N |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | context_label | object | N | Y |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | timeline_entries | object | N | Y |
    +-----------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'context_label_actions'
    # Filterable attribute names (Attribute = Y above). action_type is the only
    # writable one and is restricted to "ALERT_ON" / "ADD_TO"; the table gives
    # no further semantics, so presumably ALERT_ON raises an alert when the
    # linked context_label matches and ADD_TO attaches the match to the linked
    # investigation - confirm against the API docs before relying on that.
    # Because these records can change what gets alerted on, writes to this
    # resource are worth auditing via created_by / updated_by.
    _def_attributes = ["updated_at", "action_type", "created_at"]
    # Relationship names (Relationship = Y above). How BaseEntry consumes these
    # two lists is not visible in this chunk.
    _def_relationships = ["created_by", "investigation", "context_label", "updated_by", "timeline_entries"]
class SamlIdentityProviders(BaseEntry):
    '''
    SAML Identity Providers
    Below are valid filter by parameters:
    +---------------------------------------------------+------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===================================================+==================+================+===============+==================+
    | Allows: "", null | cert | string | Y | N |
    +---------------------------------------------------+------------------+----------------+---------------+------------------+
    | Allows: "" | callback_uri | string | Y | N |
    +---------------------------------------------------+------------------+----------------+---------------+------------------+
    | Restricted to: "not_configured", "configured" | status | string | Y | N |
    +---------------------------------------------------+------------------+----------------+---------------+------------------+
    | Allows: "" | entity_id | string | Y | N |
    +---------------------------------------------------+------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +---------------------------------------------------+------------------+----------------+---------------+------------------+
    '''
    # JSON API resource type; JsonResp reads it as cls._api_type when building URLs.
    _api_type = 'saml_identity_providers'
    # Filterable attribute names (Attribute = Y above). The table gives no
    # descriptions: `cert` is a string that allows "" / null, `callback_uri` and
    # `entity_id` allow "", and `status` is restricted to
    # "not_configured" / "configured". NOTE(review): these are presumably the
    # IdP signing certificate, the SP callback (ACS) URL and the IdP entity id,
    # i.e. the trust anchor for SSO into the organization - confirm against the
    # API docs. Updates to this resource change who can authenticate, so callers
    # that write it should validate the certificate they are about to set and
    # log the change; reads of `cert` may return "" or None and must handle both.
    _def_attributes = ["cert", "callback_uri", "status", "entity_id"]
    # Relationship names (Relationship = Y above): the provider is scoped to one
    # organization.
    _def_relationships = ["organization"]
class InvestigationFindings(BaseEntry):
    '''
    Investigation finding records (JSON API resource type ``investigation_findings``).

    Valid filter-by parameters, as attributes:

    * ``deleted_at`` (string) -- Deleted At timestamp; allows null.
    * ``rank`` (number) -- Visualization Rank.
    * ``created_at`` (string) -- Created timestamp; readonly.
    * ``updated_at`` (string) -- Last Updated timestamp; readonly.
    * ``finding`` (string) -- Finding; allows "", null.
    * ``title`` (string) -- Title; allows "", null.

    And as relationships:

    * ``created_by`` (object)
    * ``investigation`` (object)
    * ``updated_by`` (object)
    '''
    _api_type = 'investigation_findings'
    _def_attributes = [
        "deleted_at",
        "rank",
        "created_at",
        "updated_at",
        "finding",
        "title",
    ]
    _def_relationships = [
        "created_by",
        "investigation",
        "updated_by",
    ]
class VendorDevices(BaseEntry):
    '''
    Vendor device records (JSON API resource type ``vendor_devices``).

    Valid filter-by parameters, as attributes:

    * ``plugin_slug`` (string) -- allows "", null.
    * ``location`` (string) -- Location; allows "", null.
    * ``created_at`` (string) -- Created timestamp; readonly.
    * ``status_updated_at`` (string) -- Status Updated At; allows null; readonly.
    * ``device_spec`` (object) -- Device Spec; allows null; no-sort.
    * ``deleted_at`` (string) -- Deleted At timestamp; allows null.
    * ``name`` (string) -- Name.
    * ``has_two_factor_secret`` (boolean) -- Has 2fa secret stored in vault; readonly.
      Only this presence flag is listed here; the secret value itself is not an
      attribute of this resource.
    * ``status`` (any) -- Status; restricted to "healthy", "unhealthy",
      "health_checks_not_supported"; allows null.
    * ``device_type`` (any) -- Device Type; restricted to "ENDPOINT", "NETWORK",
      "SIEM", "OTHER", "CLOUD".
    * ``updated_at`` (string) -- Last Updated timestamp; readonly.
    * ``task_source`` (any) -- Location where tasks are run; restricted to
      "CUSTOMER_PREMISE", "EXPEL_TASKPOOL".
    * ``status_details`` (object) -- Status Details; allows null; no-sort.

    And as relationships (all objects): ``vendor_alerts``, ``assembler``,
    ``investigative_actions``, ``child_vendor_devices``, ``customer_device``,
    ``created_by``, ``updated_by``, ``organization``, ``customer``, ``vendor``,
    ``parent_vendor_device``.
    '''
    _api_type = 'vendor_devices'
    _def_attributes = [
        "plugin_slug",
        "location",
        "created_at",
        "status_updated_at",
        "device_spec",
        "deleted_at",
        "name",
        "has_two_factor_secret",
        "status",
        "device_type",
        "updated_at",
        "task_source",
        "status_details",
    ]
    _def_relationships = [
        "vendor_alerts",
        "assembler",
        "investigative_actions",
        "child_vendor_devices",
        "customer_device",
        "created_by",
        "updated_by",
        "organization",
        "customer",
        "vendor",
        "parent_vendor_device",
    ]
class ConfigurationDefaults(BaseEntry):
    '''
    Configuration default records (JSON API resource type ``configuration_defaults``).

    Valid filter-by parameters, as attributes:

    * ``validation`` (object) -- Configuration value validation; no-sort.
    * ``title`` (string) -- Title of configuration value; allows "", null.
    * ``visibility`` (any) -- Configuration visibility; restricted to "EXPEL",
      "ORGANIZATION", "SYSTEM".
    * ``created_at`` (string) -- Created timestamp; readonly.
    * ``updated_at`` (string) -- Last Updated timestamp; readonly.
    * ``metadata`` (object) -- Configuration metadata; allows null; no-sort.
    * ``description`` (string) -- Description of configuration value; allows "", null.
    * ``value`` (any) -- Configuration value; allows null; no-sort.
    * ``write_permission_level`` (any) -- Write permission required; restricted to
      "EXPEL", "ORGANIZATION", "SYSTEM".

    And as relationships (all objects): ``configurations``, ``created_by``,
    ``updated_by``, ``labels``.
    '''
    _api_type = 'configuration_defaults'
    _def_attributes = [
        "validation",
        "title",
        "visibility",
        "created_at",
        "updated_at",
        "metadata",
        "description",
        "value",
        "write_permission_level",
    ]
    _def_relationships = [
        "configurations",
        "created_by",
        "updated_by",
        "labels",
    ]
class Findings(BaseEntry):
    '''
    Defines/retrieves expel.io finding records (JSON API resource type ``findings``).

    Valid filter-by parameters, as attributes:

    * ``updated_at`` (string) -- Last Updated timestamp; readonly.
    * ``rank`` (number) -- Seed Rank.
    * ``title`` (string) -- Title; allows "", null.
    * ``created_at`` (string) -- Created timestamp; readonly.

    And as relationships:

    * ``created_by`` (object)
    * ``updated_by`` (object)
    '''
    _api_type = 'findings'
    _def_attributes = [
        "updated_at",
        "rank",
        "title",
        "created_at",
    ]
    _def_relationships = [
        "created_by",
        "updated_by",
    ]
class ActivityMetrics(BaseEntry):
    '''
    Defines/retrieves expel.io activity_metric records (JSON API resource type
    ``activity_metrics``).

    Valid filter-by parameters, as attributes:

    * ``ended_at`` (string) -- Date/Time of when the activity concluded.
    * ``url`` (string) -- Url; allows "", null.
    * ``referring_url`` (string) -- Referring url; allows "", null.
    * ``data`` (object) -- Additional data about the activity; allows null; no-sort.
    * ``started_at`` (string) -- Date/Time of when the activity started.
    * ``created_at`` (string) -- Created timestamp; readonly.
    * ``activity`` (string) -- Activity; allows "", null.
    * ``updated_at`` (string) -- Last Updated timestamp; readonly.

    And as relationships (all objects): ``created_by``, ``investigation``,
    ``expel_alert``, ``updated_by``, ``security_device``.
    '''
    _api_type = 'activity_metrics'
    _def_attributes = [
        "ended_at",
        "url",
        "referring_url",
        "data",
        "started_at",
        "created_at",
        "activity",
        "updated_at",
    ]
    _def_relationships = [
        "created_by",
        "investigation",
        "expel_alert",
        "updated_by",
        "security_device",
    ]
class OrganizationStatuses(BaseEntry):
    '''
    Organization status records (JSON API resource type ``organization_statuses``).

    Valid filter-by parameters, as attributes:

    * ``updated_at`` (string) -- readonly.
    * ``enabled_login_types`` (array) -- no description provided by the API.
    * ``created_at`` (string) -- readonly.

    And as relationships:

    * ``created_by`` (object)
    * ``organization`` (object)
    * ``updated_by`` (object)
    '''
    _api_type = 'organization_statuses'
    _def_attributes = [
        "updated_at",
        "enabled_login_types",
        "created_at",
    ]
    _def_relationships = [
        "created_by",
        "organization",
        "updated_by",
    ]
class ExpelAlertGrid(BaseEntry):
    '''
    Elastic search backed Alert Grid (JSON API resource type ``expel_alert_grid``).

    Valid filter-by parameters, as attributes. Unless noted otherwise each field
    "May be a string or an array of strings" and carries Meta: allowStringOperators:

    * ``vendor_name``, ``process_arguments``, ``source_ip_addresses``,
      ``vendor_sig_name``, ``expel_name``, ``alert_type``,
      ``destination_ip_addresses``, ``process_path``, ``assignee_name``,
      ``expel_guid``, ``parent_md5``, ``process_md5``, ``vendor_device_guid``,
      ``usernames``, ``parent_path``, ``close_comment``, ``expel_severity``,
      ``parent_arguments``, ``organization_name``, ``hostnames``, ``status``
      (type: alternatives).
    * ``urls`` (string) -- string or array of strings; allowStringOperators.
    * ``alert_at``, ``activity_last_at``, ``activity_first_at``, ``updated_at``
      (string) -- May be a date or an ISO 8601 date; allowStringOperators.
    * ``vendor_alert_count`` (number) -- allows null.
    * ``tuning_requested`` (boolean) -- allows null.

    And as relationships (all objects): ``expel_alert``, ``vendor``,
    ``investigation``, ``assigned_to_org``, ``vendor_alerts``, ``organization``,
    ``assigned_to_actor``, ``security_devices``.
    '''
    _api_type = 'expel_alert_grid'
    _def_attributes = [
        "alert_at",
        "vendor_alert_count",
        "vendor_name",
        "urls",
        "process_arguments",
        "source_ip_addresses",
        "vendor_sig_name",
        "expel_name",
        "alert_type",
        "destination_ip_addresses",
        "process_path",
        "assignee_name",
        "expel_guid",
        "parent_md5",
        "process_md5",
        "tuning_requested",
        "vendor_device_guid",
        "usernames",
        "parent_path",
        "activity_last_at",
        "activity_first_at",
        "close_comment",
        "expel_severity",
        "parent_arguments",
        "updated_at",
        "organization_name",
        "hostnames",
        "status",
    ]
    _def_relationships = [
        "expel_alert",
        "vendor",
        "investigation",
        "assigned_to_org",
        "vendor_alerts",
        "organization",
        "assigned_to_actor",
        "security_devices",
    ]
class Integrations(BaseEntry):
    '''
    Defines/retrieves expel.io integration records.

    Valid filter-by parameters. Attributes (filterable as attributes, not relationships):

    * ``service_name`` (string) - Service display name
    * ``integration_type`` (any) - Type of integration; restricted to "pagerduty", "slack",
      "ticketing", "service_now"; immutable
    * ``last_tested_at`` (string) - Last Successful Test; allows null; readonly
    * ``updated_at`` (string) - Last Updated timestamp; readonly
    * ``integration_meta`` (object) - Needed information for integration type; allows null; no-sort
    * ``created_at`` (string) - Created timestamp; readonly
    * ``status`` (any) - Integration status; restricted to "UNTESTED", "TEST_SUCCESS", "TEST_FAIL"; readonly
    * ``account`` (string) - Service account identifier

    Relationships (filterable as relationships, not attributes; the API publishes no description
    for them): ``created_by``, ``secret``, ``organization``, ``customer``, ``updated_by``.
    '''
    _api_type = 'integrations'
    _def_attributes = [
        "service_name",
        "integration_type",
        "last_tested_at",
        "updated_at",
        "integration_meta",
        "created_at",
        "status",
        "account",
    ]
    _def_relationships = [
        "created_by",
        "secret",
        "organization",
        "customer",
        "updated_by",
    ]
# END AUTO GENERATE JSONAPI CLASSES | |
# Extension hook for relationship-name -> class overrides; empty in this file.
# NOTE(review): nothing visible here reads this mapping - confirm against callers before relying on it.
RELATIONSHIP_TO_CLASS_EXT = dict()
# AUTO GENERATE RELATIONSHIP TO CLASS LOOKUP | |
# Maps a JSON API relationship name to the entry class that models the related resource.
# Several names intentionally resolve to the same class: the singular and plural forms of a
# relationship ("comment"/"comments", "vendor"/"vendors", "customer"/"customers", ...) and
# role-specific aliases such as "created_by" -> Actors, "evidence" -> VendorAlertEvidences,
# "labels" -> ConfigurationLabels and "source_ip_addresses" -> IpAddresses.
# Generated block: edit the generator, not these entries, or the mapping will drift from the API.
RELATIONSHIP_TO_CLASS = {
    "engagement_managers": EngagementManagers,
    "expel_users": ExpelUsers,
    "source_resilience_action_group": ResilienceActionGroups,
    "notification_preferences": NotificationPreferences,
    "nist_subcategories": NistSubcategories,
    "security_device": SecurityDevices,
    "vendors": Vendors,
    "nist_categories": NistCategories,
    "expel_alerts": ExpelAlerts,
    "customer_devices": CustomerDevices,
    "investigations": Investigations,
    "security_devices": SecurityDevices,
    "expel_alert": ExpelAlerts,
    "hunting_statuses": HuntingStatuses,
    "customer_resilience_action_groups": CustomerResilienceActionGroups,
    "expel_alert_thresholds": ExpelAlertThresholds,
    "resilience_action_groups": ResilienceActionGroups,
    "investigative_actions": InvestigativeActions,
    "resilience_actions": ResilienceActions,
    "organization_statuses": OrganizationStatuses,
    "integrations": Integrations,
    "user_account_roles": UserAccountRoles,
    "comment": Comments,
    "customer_resilience_action_list": CustomerResilienceActionList,
    "features": Features,
    "vendor_alert_evidences": VendorAlertEvidences,
    "organizations": Organizations,
    "secrets": Secrets,
    "ui_discoveries": UiDiscoveries,
    "configuration_labels": ConfigurationLabels,
    "cpe_images": CpeImages,
    "context_label": ContextLabels,
    "assemblers": Assemblers,
    "remediation_action_histories": RemediationActionHistories,
    "customers": Customers,
    "source_ip_addresses": IpAddresses,
    "context_label_tags": ContextLabelTags,
    "comment_histories": CommentHistories,
    "comments": Comments,
    "assigned_investigative_actions": InvestigativeActions,
    "customer_resilience_actions": CustomerResilienceActions,
    "investigative_action_histories": InvestigativeActionHistories,
    "organization_list": OrganizationList,
    "organization": Organizations,
    "context_label_actions": ContextLabelActions,
    "saml_identity_providers": SamlIdentityProviders,
    "saml_identity_provider": SamlIdentityProviders,
    "assets": Assets,
    "assigned_customer_resilience_actions_list": CustomerResilienceActions,
    "actors": Actors,
    "timeline_entries": TimelineEntries,
    "organization_resilience_action_list": OrganizationResilienceActionList,
    "api_keys": ApiKeys,
    "engagement_manager": EngagementManagers,
    "remediation_actions": RemediationActions,
    "labels": ConfigurationLabels,
    "expel_alert_grid_v2": ExpelAlertGridV2,
    "user_accounts": UserAccounts,
    "customer_list": CustomerList,
    "vendor": Vendors,
    "assembler_images": AssemblerImages,
    "user_account": UserAccounts,
    "investigation_histories": InvestigationHistories,
    "investigation_resilience_actions": InvestigationResilienceActions,
    "assigned_remediation_actions": RemediationActions,
    "investigation_findings": InvestigationFindings,
    "investigation": Investigations,
    "evidence": VendorAlertEvidences,
    "expel_alert_grid": ExpelAlertGrid,
    "source_resilience_action": ResilienceActions,
    "asset_groups": AssetGroups,
    "assigned_organization_resilience_actions_list": OrganizationResilienceActions,
    "expel_alert_histories": ExpelAlertHistories,
    "configurations": Configurations,
    "user_account_statuses": UserAccountStatuses,
    "products": Products,
    "nist_subcategory_score_histories": NistSubcategoryScoreHistories,
    "customer_em_meta": CustomerEmMeta,
    "context_labels": ContextLabels,
    "remediation_action_types": RemediationActionTypes,
    "created_by": Actors,
    "activity_metrics": ActivityMetrics,
    "expel_alert_threshold_histories": ExpelAlertThresholdHistories,
    "customer": Customers,
    "files": Files,
    "organization_em_meta": OrganizationEmMeta,
    "nist_subcategory_scores": NistSubcategoryScores,
    "expel_alert_threshold": ExpelAlertThresholds,
    "secret": Secrets,
    "vendor_alerts": VendorAlerts,
    "ip_addresses": IpAddresses,
    "vendor_devices": VendorDevices,
    "organization_resilience_actions": OrganizationResilienceActions,
    "findings": Findings,
    "organization_resilience_action_groups": OrganizationResilienceActionGroups,
    "configuration_defaults": ConfigurationDefaults
}
# END AUTO GENERATE RELATIONSHIP TO CLASS LOOKUP | |
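class WorkbenchCoreClient(object):
    '''
    Instantiate a Workbench core client that provides just authentication and request capabilities to Workbench.

    Exactly one credential source is used, in this order of precedence: ``apikey`` (service login),
    then ``username``/``password``/``mfa_code`` (human login), then a ready-made ``token``. If the developer
    has an ``apikey`` then ``username``, ``password`` and ``mfa_code`` parameters are ignored.

    :param base_url: Base URL of the Workbench API server; request paths are joined onto it.
    :type base_url: str
    :param apikey: An apikey to use for authentication/authorization.
    :type apikey: str or None
    :param username: The username
    :type username: str or None
    :param password: The username's password
    :type password: str or None
    :param mfa_code: The multi factor authenticate code generated by google authenticator.
    :type mfa_code: int or None
    :param token: The bearer token of an authorized session. Can be used instead of ``apikey`` and ``username``/``password`` combo.
    :type token: str or None
    :param verify: TLS certificate verification passed to ``requests`` (``True``, ``False`` or a CA bundle path).
        Defaults to ``True``; this client previously hard-coded ``False``, so pass ``verify=False`` explicitly
        to talk to an endpoint whose certificate cannot be validated.
    :type verify: bool or str
    :return: An initialized, and authorized Workbench client.
    :rtype: WorkbenchCoreClient
    '''

    # Request paths whose body or response carries a password, API key or bearer token.
    # Debug tracing never echoes these.
    _SENSITIVE_PATHS = ('/auth/v0/login', '/api/v2/service_login')
    # Statuses worth a backoff-and-retry: rate limiting and transient server-side failures.
    _RETRYABLE_STATUS_CODES = (429, 500, 504)

    def __init__(self, base_url, apikey=None, username=None, password=None, mfa_code=None, token=None,
                 verify=True):
        self.base_url = base_url
        self.apikey = apikey
        self.token = token
        self.mfa_code = mfa_code
        self.username = username
        self.password = password
        # Debug tracing is off by default; see ``_should_trace`` for how the two filters below apply.
        self.debug = False
        self.debug_method = []
        self.debug_url_contains = None
        self.default_request_kwargs = {
            'timeout': 300,
            'verify': verify,
        }
        self.session = requests.Session()
        # The adapter must be mounted or the retry policy is never applied to session requests.
        adapter = HTTPAdapter(max_retries=self._make_retry())
        self.session.mount('https://', adapter)
        self.session.mount('http://', adapter)
        self.session.headers = {'content-type': 'application/json'}
        # ``elif`` keeps the documented precedence: an apikey login is not overwritten by a human login.
        if self.apikey:
            self.token = self.service_login(self.apikey)
        elif self.mfa_code:
            self.token = self.login(self.username, self.password, self.mfa_code)
        # No credentials at all is allowed here; the server rejects unauthenticated calls on first use.
        if self.token and not self.token.startswith('Bearer'):
            self.token = 'Bearer %s' % self.token
        self.session.headers.update({'Authorization': self.token})

    @classmethod
    def _make_retry(cls):
        '''
        Build the urllib3 ``Retry`` policy for the session adapter.

        Retries connection, read and status failures three times each with exponential backoff,
        so rate limiting (429) is absorbed rather than surfaced to the caller.
        See https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html#urllib3.util.retry.Retry
        '''
        return Retry(connect=3, read=3, status=3, status_forcelist=list(cls._RETRYABLE_STATUS_CODES),
                     backoff_factor=2)

    def _is_sensitive(self, url):
        '''Return True when ``url`` is a credential exchange whose request/response must not be traced.'''
        return any(url.endswith(path) for path in self._SENSITIVE_PATHS)

    def _should_trace(self, method, url):
        '''
        Decide whether a request is echoed to stdout while ``self.debug`` is set.

        With neither ``debug_method`` nor ``debug_url_contains`` configured every request is traced;
        otherwise a request is traced when its method is listed or its URL contains the configured
        substring (case-insensitive).
        '''
        if not self.debug_method and not self.debug_url_contains:
            return True
        if self.debug_method and method in self.debug_method:
            return True
        if self.debug_url_contains and self.debug_url_contains.lower() in url.lower():
            return True
        return False

    def login(self, username, password, code):
        '''
        Authenticate as a human, this requires providing the 2FA code.

        :param username: The user's e-mail address.
        :type username: str
        :param password: The user's password.
        :type password: str
        :param code: The 2FA code
        :type code: str
        :return: The bearer token that allows users to call Workbench APIs, or ``None`` when the
            first (password-only) phase does not answer with the 401 that requests the 2FA code.
        :rtype: str or None
        '''
        headers = {'content-type': 'application/x-www-form-urlencoded'}
        data = urlencode({'grant_type': 'password', 'username': username, 'password': password})
        resp = self.request('post', '/auth/v0/login', data=data, headers=headers, skip_raise=True)
        # Note the login route returns 401 even when password is valid as a way to
        # move to the second phase which is posting the 2fa code..
        if resp.status_code != 401:
            return None
        headers['x-expelinc-otp'] = str(code)
        resp = self.request('post', '/auth/v0/login', data=data, headers=headers)
        return resp.json()['access_token']

    def service_login(self, apikey):
        '''
        Authenticate as a service

        :param apikey: The API key to use to authenticate
        :type apikey: str
        :return: The bearer token that allows users to call Workbench APIs.
        :rtype: str
        '''
        resp = self.request('post', '/api/v2/service_login', data=json.dumps({'id': apikey}))
        return resp.json()['access_token']

    @staticmethod
    def _error_message(resp):
        '''
        Extract the most descriptive message an error response body offers.

        Understands JSON API ``errors`` entries (``detail``, ``status``, ``title``), a
        ``message``/``validation`` pair, and OAuth-style ``error_description``/``error`` fields.

        :param resp: A ``requests.Response`` with an HTTP error status.
        :return: The message, or ``None`` when the body is HTML or not a recognised JSON object.
        :rtype: str or None
        '''
        # It's HTML code.. (proxy / load balancer error page) - nothing structured to parse.
        if resp.text.startswith('<'):
            return None
        try:
            err = resp.json()
        except ValueError:
            return None
        if not isinstance(err, dict):
            return None
        errors = err.get('errors')
        first = errors[0] if errors and isinstance(errors[0], dict) else None
        if first is not None:
            if 'detail' in first:
                return first['detail']
            if 'status' in first:
                return "Got status code: %s" % first['status']
            if 'title' in first:
                return first['title']
        if err.get('message'):
            return '%s: %s' % (err['message'], str(err.get('validation')))
        if err.get('error_description'):
            return err['error_description']
        if err.get('error'):
            return err['error']
        return None

    def request(self, method, url, data=None, skip_raise=False, files=None, **kwargs):
        '''
        Issue an HTTP request against the Workbench API.

        :param method: HTTP method name, e.g. ``'get'`` or ``'post'``.
        :type method: str
        :param url: Path (or absolute URL) joined onto ``base_url``.
        :type url: str
        :param data: Request body, passed through to ``requests`` unchanged.
        :param skip_raise: When True the response is returned regardless of status and no error is raised.
        :type skip_raise: bool
        :param files: Multipart files; when given the upload is sent with ``requests.post`` outside the session.
        :param kwargs: Extra ``requests`` keyword arguments; ``headers`` is merged per request, the rest
            override ``default_request_kwargs``.
        :return: The ``requests.Response``.
        :raises requests.exceptions.HTTPError: On a 4xx/5xx status unless ``skip_raise`` is set. The message
            is the API's own description when the body is a recognised JSON error, otherwise the original
            ``raise_for_status`` error.
        '''
        url = urljoin(self.base_url, url)
        headers = kwargs.pop('headers', {})
        request_kwargs = dict(self.default_request_kwargs)
        request_kwargs.update(kwargs)
        do_print = bool(self.debug) and self._should_trace(method, url)
        sensitive = self._is_sensitive(url)
        if do_print:
            print(method, " ", url)
            if data:
                if sensitive:
                    print('<request body redacted: credential exchange>')
                else:
                    pprint.pprint(data)
        if files:
            # Multipart uploads go around the session so its fixed 'application/json' content-type does not
            # clobber the multipart boundary header; the Authorization header is carried over by hand.
            # This path therefore does not get the session's retry adapter.
            headers['Authorization'] = self.session.headers['Authorization']
            resp = requests.post(url, headers=headers, data=data, files=files, **request_kwargs)
        else:
            resp = self.session.request(
                method=method,
                url=url,
                headers=headers,
                data=data,
                **request_kwargs
            )
        if do_print:
            if sensitive:
                print('<response body redacted: contains bearer token>')
            else:
                try:
                    pprint.pprint(resp.json())
                except ValueError:
                    print(resp.text)
        if skip_raise:
            return resp
        try:
            resp.raise_for_status()
        except requests.exceptions.HTTPError as e:
            message = self._error_message(resp)
            if message is None:
                # Unrecognised or HTML body: surface the HTTP error instead of returning a failed
                # response as if it had succeeded.
                raise
            raise requests.exceptions.HTTPError(message, response=resp) from e
        return resp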
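class WorkbenchClient(WorkbenchCoreClient):
    '''
    Instantiate a client that interacts with Workbench's API server.

    If the developer specifies a ``username``, then ``password`` and ``mfa_code`` are required inputs. If the developer
    has an ``apikey`` then ``username``, ``password`` and ``mfa_code`` parameters are ignored.

    Every resource type the API exposes is reachable as a property (``xc.investigations``,
    ``xc.expel_alerts``, ...) returning a ``JsonResp`` bound to this connection.

    :param base_url: Base URL of the Workbench API server.
    :type base_url: str
    :param apikey: An apikey to use for authentication/authorization.
    :type apikey: str or None
    :param username: The username
    :type username: str or None
    :param password: The username's password
    :type password: str or None
    :param mfa_code: The multi factor authenticate code generated by google authenticator.
    :type mfa_code: int or None
    :param token: The bearer token of an authorized session. Can be used instead of ``apikey`` and ``username``/``password`` combo.
    :type token: str or None
    :return: An initialized, and authorized Workbench client.
    :rtype: WorkbenchClient
    '''

    def __init__(self, base_url, apikey=None, username=None, password=None, mfa_code=None, token=None):
        super().__init__(base_url, apikey=apikey, username=username, password=password, mfa_code=mfa_code, token=token)

    def create_manual_inv_action(self, title: str, reason: str, instructions: str, investigation_id: str = None,
                                 expel_alert_id: str = None):
        '''
        Create a manual investigative action via MacGyver.

        The action is attached to the investigation when ``investigation_id`` is given, otherwise to
        the expel alert; one of the two is required.

        :param title: The title of the investigative action, shows up in Workbench.
        :type title: str
        :param reason: The reason for running the investigative action, shows up in Workbench.
        :type reason: str
        :param instructions: Free-text instructions for the analyst performing the action.
        :type instructions: str
        :param investigation_id: The investigation ID to associate the action with.
        :type investigation_id: str or None
        :param expel_alert_id: The expel alert id to associate the action with when no investigation is given.
        :type expel_alert_id: str or None
        :return: Investigative action response
        :rtype: InvestigativeActions
        :raises ValueError: When neither ``investigation_id`` nor ``expel_alert_id`` is supplied.

        Examples:
            >>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> o = xc.create_manual_inv_action('title foo', 'reason bar', 'instructions blah', investigation_id=inv_guid)
            >>> print("Investigative Action ID: ", o.id)
        '''
        if not expel_alert_id and not investigation_id:
            raise ValueError("Must specify an expel_alert_id or an investigation_id")
        # Create the manual investigative action in WB via MacGyver
        ia = self.investigative_actions.create(
            title=title, status='READY_FOR_ANALYSIS', reason=reason, action_type='MANUAL', instructions=instructions)
        if investigation_id:
            ia.relationship.investigation = investigation_id
        else:
            ia.relationship.expel_alert = expel_alert_id
        return ia.save()

    def create_auto_inv_action(self, customer_id: str, vendor_device_id: str, created_by_id: str, capability_name: str,
                               input_args: dict, title: str, reason: str, investigation_id: str = None,
                               expel_alert_id: str = None):
        '''
        Create an automatic investigative action via MacGyver.

        The action is attached to the investigation when ``investigation_id`` is given, otherwise to
        the expel alert; one of the two is required.

        :param customer_id: The customer ID. Accepted for signature compatibility; not sent by this method.
        :type customer_id: str
        :param vendor_device_id: The vendor device ID, to dispatch the task against.
        :type vendor_device_id: str
        :param created_by_id: The user ID that created the action. Accepted for signature compatibility; not sent
            by this method (the server attributes the action to the authenticated principal).
        :type created_by_id: str
        :param capability_name: The name of the capability we are running. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
        :type capability_name: str
        :param input_args: The input arguments to the capability to run. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
        :type input_args: dict
        :param title: The title of the investigative action, shows up in Workbench.
        :type title: str
        :param reason: The reason for running the investigative action, shows up in Workbench.
        :type reason: str
        :param investigation_id: The investigation ID to associate the action with.
        :type investigation_id: str or None
        :param expel_alert_id: The expel alert id to associate the action with when no investigation is given.
        :type expel_alert_id: str or None
        :return: Investigative action response
        :rtype: InvestigativeActions
        :raises ValueError: When neither ``investigation_id`` nor ``expel_alert_id`` is supplied.

        Examples:
            >>> xc = WorkbenchClient('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> input_args = {"user_name": '[email protected]', 'time_range_start':'2019-01-30T14:00:40Z', 'time_range_end':'2019-01-30T14:45:40Z'}
            >>> o = xc.create_auto_inv_action(customer_guid, device_guid, user_guid, 'query_user', input_args, 'Query User', 'Getting user login activity to determine if login is normal', investigation_id=inv_guid)
            >>> print("Investigative Action ID: ", o.id)
        '''
        if not expel_alert_id and not investigation_id:
            raise ValueError("Must specify an expel_alert_id or an investigation_id")
        # Get the plugin slug for the vendor device
        with self.vendor_devices.get(id=vendor_device_id) as d:
            plugin_slug = d.plugin_slug
        # Create the investigative action in WB via MacGyver
        ia = self.investigative_actions.create(title=title, status='RUNNING', reason=reason, action_type='TASKABILITY',
                                               capability_name=capability_name, input_args=input_args)
        ia.relationship.vendor_device = vendor_device_id
        if investigation_id:
            ia.relationship.investigation = investigation_id
        else:
            ia.relationship.expel_alert = expel_alert_id
        return ia.save()

    def capabilities(self, customer_id: str):
        '''
        Get a list of capabilities for a given customer.

        :param customer_id: The customer ID
        :type customer_id: str
        :return: The decoded JSON body of the capabilities endpoint.

        Examples:
            >>> xc.workbench.capabilities("my-customer-guid-123")
        '''
        from urllib.parse import quote
        # Encode the id as a single path segment so a malformed value cannot introduce extra
        # path components or a query string into the request URL.
        resp = self.request('get', '/api/v2/capabilities/%s' % quote(str(customer_id), safe=''))
        return resp.json()

    def plugins(self):
        '''
        Get a list of plugins.

        :return: The decoded JSON body of the plugins endpoint.

        Examples:
            >>> xc.workbench.plugins()
        '''
        resp = self.request('get', '/api/v2/plugins')
        return resp.json()

    # AUTO GENERATE PROPERTIES
    # Each property is a collection handle: a JsonResp bound to the entry class and this connection.
    @property
    def engagement_managers(self):
        return JsonResp(EngagementManagers, conn=self)

    @property
    def vendor_alert_evidences(self):
        return JsonResp(VendorAlertEvidences, conn=self)

    @property
    def remediation_action_histories(self):
        return JsonResp(RemediationActionHistories, conn=self)

    @property
    def expel_users(self):
        return JsonResp(ExpelUsers, conn=self)

    @property
    def resilience_action_groups(self):
        return JsonResp(ResilienceActionGroups, conn=self)

    @property
    def customer_resilience_action_list(self):
        return JsonResp(CustomerResilienceActionList, conn=self)

    @property
    def assets(self):
        return JsonResp(Assets, conn=self)

    @property
    def user_account_statuses(self):
        return JsonResp(UserAccountStatuses, conn=self)

    @property
    def actors(self):
        return JsonResp(Actors, conn=self)

    @property
    def security_devices(self):
        return JsonResp(SecurityDevices, conn=self)

    @property
    def expel_alert_histories(self):
        return JsonResp(ExpelAlertHistories, conn=self)

    @property
    def organizations(self):
        return JsonResp(Organizations, conn=self)

    @property
    def notification_preferences(self):
        return JsonResp(NotificationPreferences, conn=self)

    @property
    def timeline_entries(self):
        return JsonResp(TimelineEntries, conn=self)

    @property
    def nist_subcategories(self):
        return JsonResp(NistSubcategories, conn=self)

    @property
    def ip_addresses(self):
        return JsonResp(IpAddresses, conn=self)

    @property
    def secrets(self):
        return JsonResp(Secrets, conn=self)

    @property
    def organization_resilience_action_list(self):
        return JsonResp(OrganizationResilienceActionList, conn=self)

    @property
    def ui_discoveries(self):
        return JsonResp(UiDiscoveries, conn=self)

    @property
    def hunting_statuses(self):
        return JsonResp(HuntingStatuses, conn=self)

    @property
    def configurations(self):
        return JsonResp(Configurations, conn=self)

    @property
    def investigative_actions(self):
        return JsonResp(InvestigativeActions, conn=self)

    @property
    def vendors(self):
        return JsonResp(Vendors, conn=self)

    @property
    def configuration_labels(self):
        return JsonResp(ConfigurationLabels, conn=self)

    @property
    def cpe_images(self):
        return JsonResp(CpeImages, conn=self)

    @property
    def products(self):
        return JsonResp(Products, conn=self)

    @property
    def remediation_actions(self):
        return JsonResp(RemediationActions, conn=self)

    @property
    def expel_alerts(self):
        return JsonResp(ExpelAlerts, conn=self)

    @property
    def nist_subcategory_score_histories(self):
        return JsonResp(NistSubcategoryScoreHistories, conn=self)

    @property
    def customer_em_meta(self):
        return JsonResp(CustomerEmMeta, conn=self)

    @property
    def context_labels(self):
        return JsonResp(ContextLabels, conn=self)

    @property
    def expel_alert_thresholds(self):
        return JsonResp(ExpelAlertThresholds, conn=self)

    @property
    def user_account_roles(self):
        return JsonResp(UserAccountRoles, conn=self)

    @property
    def customer_devices(self):
        return JsonResp(CustomerDevices, conn=self)

    @property
    def investigations(self):
        return JsonResp(Investigations, conn=self)

    @property
    def organization_em_meta(self):
        return JsonResp(OrganizationEmMeta, conn=self)

    @property
    def nist_categories(self):
        return JsonResp(NistCategories, conn=self)

    @property
    def assemblers(self):
        return JsonResp(Assemblers, conn=self)

    @property
    def asset_groups(self):
        return JsonResp(AssetGroups, conn=self)

    @property
    def api_keys(self):
        return JsonResp(ApiKeys, conn=self)

    @property
    def user_accounts(self):
        return JsonResp(UserAccounts, conn=self)

    @property
    def customers(self):
        return JsonResp(Customers, conn=self)

    @property
    def expel_alert_threshold_histories(self):
        return JsonResp(ExpelAlertThresholdHistories, conn=self)

    @property
    def customer_list(self):
        return JsonResp(CustomerList, conn=self)

    @property
    def remediation_action_types(self):
        return JsonResp(RemediationActionTypes, conn=self)

    @property
    def context_label_tags(self):
        return JsonResp(ContextLabelTags, conn=self)

    @property
    def comment_histories(self):
        return JsonResp(CommentHistories, conn=self)

    @property
    def files(self):
        return JsonResp(Files, conn=self)

    @property
    def organization_resilience_actions(self):
        return JsonResp(OrganizationResilienceActions, conn=self)

    @property
    def comments(self):
        return JsonResp(Comments, conn=self)

    @property
    def assembler_images(self):
        return JsonResp(AssemblerImages, conn=self)

    @property
    def customer_resilience_action_groups(self):
        return JsonResp(CustomerResilienceActionGroups, conn=self)

    @property
    def customer_resilience_actions(self):
        return JsonResp(CustomerResilienceActions, conn=self)

    @property
    def investigative_action_histories(self):
        return JsonResp(InvestigativeActionHistories, conn=self)

    @property
    def expel_alert_grid_v2(self):
        return JsonResp(ExpelAlertGridV2, conn=self)

    @property
    def nist_subcategory_scores(self):
        return JsonResp(NistSubcategoryScores, conn=self)

    @property
    def organization_resilience_action_groups(self):
        return JsonResp(OrganizationResilienceActionGroups, conn=self)

    @property
    def investigation_histories(self):
        return JsonResp(InvestigationHistories, conn=self)

    @property
    def resilience_actions(self):
        return JsonResp(ResilienceActions, conn=self)

    @property
    def features(self):
        return JsonResp(Features, conn=self)

    @property
    def investigation_resilience_actions(self):
        return JsonResp(InvestigationResilienceActions, conn=self)

    @property
    def organization_list(self):
        return JsonResp(OrganizationList, conn=self)

    @property
    def vendor_alerts(self):
        return JsonResp(VendorAlerts, conn=self)

    @property
    def context_label_actions(self):
        return JsonResp(ContextLabelActions, conn=self)

    @property
    def saml_identity_providers(self):
        return JsonResp(SamlIdentityProviders, conn=self)

    @property
    def investigation_findings(self):
        return JsonResp(InvestigationFindings, conn=self)

    @property
    def vendor_devices(self):
        return JsonResp(VendorDevices, conn=self)

    @property
    def configuration_defaults(self):
        return JsonResp(ConfigurationDefaults, conn=self)

    @property
    def findings(self):
        return JsonResp(Findings, conn=self)

    @property
    def activity_metrics(self):
        return JsonResp(ActivityMetrics, conn=self)

    @property
    def organization_statuses(self):
        return JsonResp(OrganizationStatuses, conn=self)

    @property
    def expel_alert_grid(self):
        return JsonResp(ExpelAlertGrid, conn=self)

    @property
    def integrations(self):
        return JsonResp(Integrations, conn=self)
    # END AUTO GENERATE PROPERTIES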
# Section marker only: the bare string below is not assigned and has no runtime effect.
'''
ABOVE - workbench.py
BELOW - XSOAR integration
'''
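def get_results(xc, filter):
    '''
    Fetch investigations matching ``filter`` and flatten each one into a plain dict.

    Each record is the investigation's own attributes plus, when present, ``lead_expel_alert``
    (its attributes with the related vendor alerts under ``vendor_alerts``), ``expel_alerts``
    (a list in the same shape) and the attributes of the related resources listed in
    ``relationships`` below. The entry objects' own ``_attrs`` dicts are copied, never mutated.

    :param xc: An authenticated WorkbenchClient.
    :param filter: Keyword filters forwarded unchanged to ``xc.investigations.filter_by``.
    :type filter: dict
    :return: One flattened dict per matching investigation, in API order.
    :rtype: list[dict]
    '''
    # Relationships pulled into each record. Excluded on purpose:
    # 'related_investigations_via_involved_host_ips', 'investigation_histories',
    # 'investigative_action_histories', 'files', 'remediation_action_histories', 'ip_addresses'.
    relationships = [
        'evidence',  # when escalated to incident
        'findings',  # on the fly during investigation or incident status
        'investigative_actions',
        'remediation_actions',
        'timeline_entries',
        'comments',
    ]
    results = []
    for inv in xc.investigations.filter_by(**filter):
        # Main attributes for investigation (copied so the extra keys do not leak into the entry object)
        result = dict(inv._attrs)
        # Add lead alert and associated vendor alert
        if inv.lead_expel_alert:
            result['lead_expel_alert'] = _flatten_alert(inv.lead_expel_alert)
        # Add other alerts
        if inv.expel_alerts:
            result['expel_alerts'] = [_flatten_alert(ea) for ea in inv.expel_alerts]
        # Pull data from relationships by attribute name; getattr replaces eval() on a built string.
        for entry in relationships:
            related = getattr(inv, entry)
            if isinstance(related, list):
                result[entry] = [item._attrs for item in related]
            elif related is None:
                result[entry] = None
            else:
                result[entry] = related._attrs
        results.append(result)
    return results


def _flatten_alert(alert):
    '''Return a copy of ``alert._attrs`` with the related vendor alerts' attributes under ``'vendor_alerts'``.'''
    flat = dict(alert._attrs)
    flat['vendor_alerts'] = [va._attrs for va in alert.vendor_alerts]
    return flat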
def test_module_command(xc): | |
if xc.investigations.filter_by(limit=0): | |
return 'ok' | |
def get_investigations_command(xc, args):
    '''
    XSOAR command handler: return flattened investigations matching the non-empty command arguments.

    :param xc: An authenticated WorkbenchClient.
    :param args: Command arguments; entries with a falsy value are dropped before filtering.
    :type args: dict
    :return: The list produced by ``get_results``.
    '''
    active_filters = {name: value for name, value in args.items() if value}
    return get_results(xc, active_filters)
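def fetch_incidents_command(xc, args):
    '''
    Build XSOAR incident records for investigations created after ``args['created_at_gt']``.

    :param xc: An authenticated WorkbenchClient.
    :param args: Command arguments; must carry a ``created_at_gt`` cursor or nothing is fetched.
    :type args: dict
    :return: Incident dicts with ``name``, ``occurred`` and the full record as ``rawJSON``.
    :rtype: list[dict]
    '''
    incidents = []
    # .get() rather than [] so a missing cursor means "nothing to fetch" instead of a KeyError.
    if not args.get('created_at_gt'):
        return incidents
    for investigation in get_investigations_command(xc, args) or []:
        # %s formatting tolerates a None short_link/title instead of failing on str concatenation.
        name = '%s - %s' % (investigation.get('short_link'), investigation.get('title'))
        incidents.append({
            'name': name,
            'occurred': investigation.get('created_at'),
            'rawJSON': json.dumps(investigation),
        })
    return incidents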
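def main():
    '''
    XSOAR entry point: read integration params and dispatch the requested command.

    Handles ``test-module``, ``fetch-incidents`` (cursor kept in ``demisto.getLastRun()['start_time']``)
    and the commands listed in ``commands``. Any exception is reported through ``return_error``.
    '''
    params = demisto.params()
    args = demisto.args()
    # Remove trailing slash to prevent wrong URL path to service
    url = params['url']
    server_url = url.rstrip('/') if url else url
    token = params.get('token')
    first_fetch_time = params.get('first_fetch_time')
    command = demisto.command()
    demisto.info(f'Command being called is {command}')
    try:
        xc = WorkbenchClient(server_url, token=token)
        commands = {
            'expel-get-investigations': get_investigations_command,
        }
        if command == 'test-module':
            return_results(test_module_command(xc))
        elif command == 'fetch-incidents':
            last_run = demisto.getLastRun().get('start_time')
            if last_run:
                args['created_at_gt'] = last_run
            else:
                if not first_fetch_time:
                    raise ValueError('first_fetch_time is required for the first fetch')
                # UTC, because DATE_FORMAT stamps the cursor with a trailing 'Z'.
                args['created_at_gt'] = datetime.utcnow() - timedelta(days=int(first_fetch_time))
            # Cursor is taken before the fetch so nothing created during the fetch is skipped next run.
            start_time = datetime.utcnow().strftime(DATE_FORMAT)
            incidents = fetch_incidents_command(xc, args)
            demisto.setLastRun({'start_time': start_time})
            demisto.incidents(incidents)
        elif command in commands:
            # NOTE(review): the result list is star-unpacked into return_results(); confirm that is the
            # intended call shape, as a multi-element list becomes several positional arguments.
            return_results(*commands[command](xc, args))
    except Exception as e:
        return_error(str(e))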
# XSOAR runs integration code with __name__ set to 'builtins'/'__builtin__' rather than '__main__',
# so the guard accepts all three to work both in the platform and as a plain script.
if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()