Expel Demisto
#!/usr/bin/env python
import copy
import io
import json
import os
import pprint
import sys
import time
from collections import OrderedDict
from urllib.parse import urlencode
from urllib.parse import urljoin
from datetime import datetime, timedelta
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from urllib3.util.retry import Retry
# Silences urllib3's InsecureRequestWarning, which is emitted for every request
# sent with certificate verification turned off (requests' verify=False). Nothing
# in this chunk is seen to disable verification -- presumably the connection class
# that builds `conn` does. Since this warning is the only visible signal of an
# unverified TLS session, confirm the suppression is intended before relying on it.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# __version__ = (0,0,42)
# ISO-8601-style timestamp format with a literal 'Z' suffix; where it is applied
# is not visible in this chunk.
DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
# Author's marker: the JsonResp class that follows was slated for removal.
''' REMOVE the following '''
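class JsonResp(object):
    '''
    Wraps an HTTP response body that follows the JSON API spec and exposes it as a
    lazily fetched, auto-paginating collection of ``BaseEntry`` objects. It
    transparently handles:

    * Pagination: iterating over the object follows ``links.next`` until exhausted
    * Creation of new objects, filtering (querying out objects) and retrieval of
      a single result by id

    Errors reported by the API server are not inspected here; presumably
    ``conn.request`` (not visible in this file) raises them -- confirm against the
    connection class.

    :param cls: The ``BaseEntry`` subclass the response holds. Its ``_api_type``,
        ``_def_attributes`` and ``_def_relationships`` drive URL construction.
    :type cls: type
    :param content: An already decoded JSON API response body, or None to fetch
        the whole collection lazily on first iteration
    :type content: dict or None
    :param api_type: Accepted for call-site compatibility only; the resource type
        is always taken from ``cls._api_type``
    :type api_type: str or None
    :param conn: The connection object whose ``request(method, url)`` issues the
        HTTP calls and returns an object with a ``json()`` method
    '''

    def __init__(self, cls, content=None, api_type=None, conn=None):
        self.cls = cls
        self.content = content
        # The api_type argument has never been honoured; keep that behaviour so
        # existing call sites are unaffected.
        self.api_type = cls._api_type
        self.conn = conn

    def make_url(self, api_type, relation=None, valu=None, relationship=False, include=None):
        '''
        Construct the path part of a JSON API compliant URL for a resource type,
        an optional resource id and an optional relation.

        :param api_type: The base JSON API resource type
        :type api_type: str
        :param relation: A related resource type to append to the path
        :type relation: str or None
        :param valu: The ID for the ``api_type`` resource
        :type valu: GUID or None
        :param relationship: Use the ``/relationships/`` form of the route
        :type relationship: bool
        :param include: Accepted for compatibility; ``include`` is a query
            parameter and is emitted by :meth:`build_url`, not here
        :type include: str or None
        :return: A JSON API compliant URL path, without a query string
        :rtype: str

        Examples:
            >>> url = self.make_url('actors', valu='d5f17397-aab2-4c0d-ae1e-b3cd3b95501e', relation='assigned_investigations')
            >>> url = self.make_url('customers', valu='90e00eb7-b942-4ddf-bea0-4a733e68908a', relation='investigations', relationship=True)
        '''
        url = '/api/v2/%s' % api_type
        if valu is not None:
            url += '/%s' % valu
        # A relation equal to the base type would produce /x/id/x; treat it as none.
        if relation and relation != api_type:
            if relationship:
                # `GET /:resource/:id/:relation` returns the related records themselves
                # (sortable, filterable); `/:resource/:id/relationships/:relation` views
                # and manipulates the linkage only, not the related records' data.
                url += '/relationships'
            url += '/%s' % relation
        return url

    def build_url(self, id=None, relation=None, limit=None, include=None, **kwargs):
        '''
        Build a JSON API compliant URL from retrieval inputs such as id, limit,
        include and attribute/relationship filters.

        :param id: The ID of the resource
        :type id: str or None
        :param relation: A relation that will return related data
        :type relation: str or None
        :param limit: Limit the number of resources returned (``page[limit]``)
        :type limit: int or None
        :param include: A resource to include (``include``)
        :type include: str or None
        :param kwargs: Filters. ``flag_<name>`` becomes ``flag[<name>]``; a name in
            ``cls._def_attributes`` becomes ``filter[<name>]``; a name whose first
            ``__``-separated part is in ``cls._def_relationships`` becomes
            ``filter[<part>][<part>]...`` with ``[id]`` appended when the name ends
            in ``_id``. A ``_gt``/``_lt`` suffix prefixes the value with ``>``/``<``.
        :type kwargs: dict
        :return: A JSON API compliant URL
        :rtype: str
        :raises Exception: when a keyword matches neither an attribute nor a
            relationship of ``cls``

        Examples:
            >>> url = xc.investigations.build_url(id=some_guid)
            >>> url = xc.investigations.build_url(customer_id=CUSTOMER_GUID, limit=10)
        '''
        query = []
        if kwargs:
            # flag_<name>=value becomes ?flag[<name>]=value, e.g. ?flag[scope]=exclude_expired
            for name in list(kwargs):
                if name.startswith('flag_'):
                    _, flag_name = name.split('_', 1)
                    query.append(('flag[%s]' % flag_name, kwargs.pop(name)))
            # Comparison suffixes on a filter name: created_at_gt=X -> filter[created_at]=>X
            op_look_up = {'_gt': '>', '_lt': '<'}
            for name, value in list(kwargs.items()):
                orig_name = name
                for op_suffix, op in op_look_up.items():
                    if name.endswith(op_suffix):
                        name = name[:-len(op_suffix)]
                        value = '%s%s' % (op, value)
                if name in self.cls._def_attributes:
                    query.append(('filter[%s]' % name, value))
                    kwargs.pop(orig_name)
                # Relationship filters: `__` descends into a related resource, so
                # investigative_actions.filter_by(action_type='MANUAL', investigation__customer_id=guid)
                # filters manual actions whose investigation belongs to that customer:
                #   filter[action_type]=MANUAL&filter[investigation][customer][id]=guid
                rname = name
                has_id = False
                if name.endswith('_id'):
                    # Historical behaviour: strips every '_id' occurrence, not only the suffix.
                    rname = name.replace('_id', '')
                    has_id = True
                parts = rname.split('__')
                if parts[0] in self.cls._def_relationships:
                    qstr = 'filter' + ''.join('[%s]' % part for part in parts)
                    if has_id:
                        qstr += '[id]'
                    query.append((qstr, value))
                    kwargs.pop(orig_name, None)
                if not kwargs:
                    break
            if kwargs:
                raise Exception("Unrecognized parameters %s!" % ','.join(["%s=%s" % (k, v) for k, v in kwargs.items()]))
        url = self.make_url(self.api_type, valu=id, relation=relation, include=include)
        if limit is not None:
            query.append(('page[limit]', limit))
        if include is not None:
            query.append(('include', include))
        if query:
            url = url + '?' + urlencode(query)
        return url

    def filter_by(self, **kwargs):
        '''
        Issue a JSON API call requesting the resource filtered by some set of
        attributes, id, limit, etc. (see :meth:`build_url` for the accepted keywords).

        :param kwargs: Filters, id, limit and include as accepted by :meth:`build_url`
        :type kwargs: dict
        :return: This object, now holding the first page of the response
        :rtype: JsonResp

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> for inv in xc.investigations.filter_by(customer_id=CUSTOMER_GUID):
            >>>     print(inv.title)
        '''
        url = self.build_url(**kwargs)
        self.content = self.conn.request('get', url).json()
        return self

    def count(self):
        '''
        Return the total number of records reported by the JSON API response
        (``meta.page.total``), or 0 when the response carries no such count.

        :return: The number of records in a JSON API response
        :rtype: int
        :raises Exception: when no response content has been loaded yet

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> print("Investigation Count: ", xc.investigations.filter_by(customer_id=CUSTOMER_GUID).count())
        '''
        if not self.content:
            raise Exception('No data to count!')
        return self.content.get('meta', {}).get('page', {}).get('total', 0)

    def one_or_none(self):
        '''
        Return the first record of the JSON API response, or None if there are none.

        :return: The first entry object, or None
        :rtype: BaseEntry or None

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> inv = xc.investigations.filter_by(customer_id=CUSTOMER_GUID).one_or_none()
            >>> print(inv.title)
        '''
        return next(iter(self), None)

    def get(self, **kwargs):
        '''
        Request a single JSON API resource by id.

        :param id: The GUID of the resource (the only keyword accepted)
        :type id: str
        :return: The resource wrapped in ``cls``
        :rtype: BaseEntry
        :raises ValueError: if anything other than exactly ``id`` is passed, or the
            server returns something other than a single resource object

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> inv = xc.investigations.get(id=investigation_guid)
            >>> print(inv.title)
        '''
        # Validate explicitly rather than with assert, which disappears under -O.
        if set(kwargs) != {'id'}:
            raise ValueError("get() takes exactly one keyword argument, id; got: %s"
                             % (', '.join(sorted(kwargs)) or 'nothing'))
        url = self.build_url(**kwargs)
        content = self.conn.request('get', url).json()
        data = content['data']
        if not isinstance(data, dict):
            raise ValueError('Expected a single resource object from %s, got %s'
                             % (url, type(data).__name__))
        return self.cls(data, self.conn)

    @staticmethod
    def _page_entries(content):
        '''
        Yield the raw resource objects of one response page: the primary ``data``
        entries first (a single object is treated as a one-element list), then any
        ``included`` entries. A missing or null ``included`` contributes nothing.
        '''
        entries = content.get('data', [])
        if entries is None:
            entries = []
        if not isinstance(entries, list):
            entries = [entries]
        yield from entries
        yield from content.get('included') or []

    def __iter__(self):
        '''
        Iterate over the JSON response, following ``links.next`` so that every
        record returned by the JSON API request is visited across all pages.
        Each raw entry is wrapped in the class registered for its ``type`` in
        ``RELATIONSHIP_TO_CLASS``.

        :return: An iterator of entry objects
        :rtype: iterator of BaseEntry
        '''
        if self.content is None:
            url = self.make_url(self.api_type)
            self.content = self.conn.request('get', url).json()
        content = self.content
        # TODO: need unit tests to test pagination
        while True:
            for entry in self._page_entries(content):
                yield RELATIONSHIP_TO_CLASS[entry['type']](entry, self.conn)
            next_uri = content.get('links', {}).get('next')
            if not next_uri:
                return
            content = self.conn.request('get', next_uri).json()

    def create(self, **kwargs):
        '''
        Create a BaseEntry object that represents some JSON API resource. Nothing is
        sent to the server until the returned object is saved.

        :param kwargs: Attributes to set on the new JSON API resource; ``relationship_<name>``
            keywords set relationships.
        :type kwargs: dict
        :return: A BaseEntry object of the resource type this response wraps
        :rtype: BaseEntry

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> i = xc.investigations.create(title='Peter: new investigation 1', relationship_customer=CUSTOMER_GUID, relationship_assigned_to_actor=PETER_S)
            >>> i.save()
        '''
        return self.cls.create(self.conn, **kwargs)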
# AUTO GENERATE FIELD TO TYPE
# Maps a relationship field name, as it appears in a JSON API resource, to the
# JSON API resource type it points at. Used by Relationship.to_relationship()
# and BaseEntry.create() to fill in the `type` of a relationship linkage, and by
# BaseEntry._rel_to_class() as a fallback when resolving a field to a class.
# Generated from the API schema; edit the generator, not this table.
MACGYVER_FIELD_TO_TYPE = {'actor': 'actors',
    'analysis_assigned_investigative_actions': 'investigative_actions',
    'analysis_assigned_to_actor': 'actors',
    'api_keys': 'api_keys',
    'assembler': 'assemblers',
    'assemblers': 'assemblers',
    'asset_groups': 'asset_groups',
    'assets': 'assets',
    'assignables': 'actors',
    'assigned_customer_resilience_actions': 'customer_resilience_actions',
    'assigned_customer_resilience_actions_list': 'customer_resilience_actions',
    'assigned_expel_alerts': 'expel_alerts',
    'assigned_investigations': 'investigations',
    'assigned_investigative_actions': 'investigative_actions',
    'assigned_organization_resilience_actions': 'organization_resilience_actions',
    'assigned_organization_resilience_actions_list': 'organization_resilience_actions',
    'assigned_remediation_actions': 'remediation_actions',
    'assigned_to_actor': 'actors',
    'assigned_to_org': 'actors',
    'child_actors': 'actors',
    'child_security_devices': 'security_devices',
    'child_vendor_devices': 'vendor_devices',
    'coincident_vendor_alerts': 'vendor_alerts',
    'comment': 'comments',
    'comment_histories': 'comment_histories',
    'comments': 'comments',
    'configuration_default': 'configuration_defaults',
    'configuration_defaults': 'configuration_defaults',
    'configurations': 'configurations',
    'context_label': 'context_labels',
    'context_label_actions': 'context_label_actions',
    'context_label_tags': 'context_label_tags',
    'context_labels': 'context_labels',
    'created_by': 'actors',
    'customer': 'customers',
    'customer_device': 'customer_devices',
    'customer_devices': 'customer_devices',
    'customer_em_meta': 'customer_em_meta',
    'customer_resilience_action': 'customer_resilience_actions',
    'customer_resilience_action_group': 'customer_resilience_action_groups',
    'customer_resilience_action_groups': 'customer_resilience_action_groups',
    'customer_resilience_actions': 'customer_resilience_actions',
    'customers': 'customers',
    'dependent_investigative_actions': 'investigative_actions',
    'depends_on_investigative_action': 'investigative_actions',
    'destination_expel_alerts': 'expel_alerts',
    'destination_investigations': 'investigations',
    'destination_ip_addresses': 'ip_addresses',
    'engagement_manager': 'engagement_managers',
    'evidence': 'vendor_alert_evidences',
    'evidenced_expel_alerts': 'expel_alerts',
    'evidences': 'vendor_alert_evidences',
    'expel_alert': 'expel_alerts',
    'expel_alert_histories': 'expel_alert_histories',
    'expel_alert_threshold': 'expel_alert_thresholds',
    'expel_alert_threshold_histories': 'expel_alert_threshold_histories',
    'expel_alerts': 'expel_alerts',
    'expel_user': 'user_accounts',
    'expel_users': 'expel_users',
    'features': 'features',
    'files': 'files',
    'findings': 'investigation_findings',
    'hunting_statuses': 'hunting_statuses',
    'integrations': 'integrations',
    'investigation': 'investigations',
    'investigation_histories': 'investigation_histories',
    'investigation_resilience_actions': 'investigation_resilience_actions',
    'investigations': 'investigations',
    'investigative_action': 'investigative_actions',
    'investigative_action_histories': 'investigative_action_histories',
    'investigative_actions': 'investigative_actions',
    'ip_addresses': 'ip_addresses',
    'labels': 'configuration_labels',
    'lead_expel_alert': 'expel_alerts',
    'nist_category': 'nist_categories',
    'nist_subcategories': 'nist_subcategories',
    'nist_subcategory': 'nist_subcategories',
    'nist_subcategory_score': 'nist_subcategory_scores',
    'nist_subcategory_score_histories': 'nist_subcategory_score_histories',
    'nist_subcategory_scores': 'nist_subcategory_scores',
    'notification_preferences': 'notification_preferences',
    'organization': 'organizations',
    'organization_em_meta': 'organization_em_meta',
    'organization_resilience_action': 'organization_resilience_actions',
    'organization_resilience_action_group': 'organization_resilience_action_groups',
    'organization_resilience_action_group_actions': 'organization_resilience_actions',
    'organization_resilience_action_groups': 'organization_resilience_action_groups',
    'organization_resilience_actions': 'organization_resilience_actions',
    'organization_status': 'organization_statuses',
    'organization_user_account_roles': 'user_account_roles',
    'organizations': 'organizations',
    'parent_actor': 'actors',
    'parent_security_device': 'security_devices',
    'parent_vendor_device': 'vendor_devices',
    'primary_organization': 'organizations',
    'products': 'products',
    'related_investigations': 'investigations',
    'related_investigations_via_involved_host_ips': 'investigations',
    'remediation_action': 'remediation_actions',
    'remediation_action_histories': 'remediation_action_histories',
    'remediation_action_type': 'remediation_action_types',
    'remediation_actions': 'remediation_actions',
    'resilience_action_group': 'resilience_action_groups',
    'resilience_actions': 'resilience_actions',
    'review_requested_by': 'actors',
    'saml_identity_provider': 'saml_identity_providers',
    'secret': 'secrets',
    'security_device': 'security_devices',
    'security_devices': 'security_devices',
    'similar_alerts': 'expel_alerts',
    'source_expel_alerts': 'expel_alerts',
    'source_investigations': 'investigations',
    'source_ip_addresses': 'ip_addresses',
    'source_resilience_action': 'resilience_actions',
    'source_resilience_action_group': 'resilience_action_groups',
    'status_last_updated_by': 'actors',
    'suppressed_by': 'expel_alert_thresholds',
    'suppresses': 'expel_alert_thresholds',
    'timeline_entries': 'timeline_entries',
    'ui_discoveries': 'ui_discoveries',
    'updated_by': 'actors',
    'user_account': 'user_accounts',
    'user_account_roles': 'user_account_roles',
    'user_account_status': 'user_account_statuses',
    'user_accounts': 'user_accounts',
    'user_accounts_with_roles': 'user_accounts',
    'vendor': 'vendors',
    'vendor_alert': 'vendor_alerts',
    'vendor_alerts': 'vendor_alerts',
    'vendor_device': 'vendor_devices',
    'vendor_devices': 'vendor_devices'}
# END AUTO GENERATE FIELD TO TYPE
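class Relationship(object):
    '''
    Helper that holds the relationships of a JSON API resource as plain
    attributes. Public names (no leading underscore) are stored in an internal
    table and flag the object as modified when assigned; the object can then be
    converted into a JSON API compliant ``relationships`` block for a request.

    Values may be raw ids, lists of ids (for plural relationship names) or
    ``RelEntry`` objects built from a response.
    '''

    def __init__(self):
        # Both names start with '_' and so bypass the public-name handling below.
        self._rels = {}
        self._modified = False

    def __getattr__(self, key):
        # Only reached for names that normal lookup could not find. Public names
        # are served from the relationship table (KeyError when absent, which is
        # what callers have historically seen); private names are simply missing.
        if not key.startswith('_'):
            return self._rels[key]
        # object has no __getattr__ to defer to; raise the proper error directly.
        raise AttributeError(key)

    def __setattr__(self, key, valu):
        if not key.startswith('_'):
            self._rels[key] = valu
            # Bypass this override so the flag assignment is not recorded as a relationship.
            super().__setattr__('_modified', True)
        super().__setattr__(key, valu)

    def to_relationship(self):
        '''
        Generate a JSON API compliant relationship section.

        Plural relationship names produce a list of linkages (a scalar id is
        wrapped in a one-element list); singular names produce a single linkage.
        Entries with no id, ``RelEntry`` objects without a type, and the fields
        listed in the MacGyver workaround below are omitted.

        :return: A dict that is a JSON API compliant relationship section.
        :rtype: dict
        '''
        relationships = {}
        for relname, relid in self._rels.items():
            # TODO: Remove this when MacGyver issues fix .. I think..
            if relname in ('notification_preferences', 'organization_status'):
                continue
            reltype = MACGYVER_FIELD_TO_TYPE.get(relname, relname)
            if not reltype.endswith('s'):
                # Pluralise the type that is actually sent (the original pluralised relname).
                reltype = '%ss' % reltype
            if isinstance(relid, RelEntry):
                if relid.type is None:
                    continue
                # A response-built entry carries the authoritative type.
                reltype = relid.type
                relid = relid.id
            if relid is None:
                continue
            if relname.endswith('s'):
                ids = relid if isinstance(relid, list) else [relid]
                relationships[relname] = {'data': [{'id': rid, 'type': reltype} for rid in ids]}
            else:
                relationships[relname] = {'data': {'id': relid, 'type': reltype}}
        return relationships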
class RelEntry(object):
    '''
    The ``id`` and ``type`` of one JSON API relationship linkage.

    :param relentry: The ``data`` member of a relationship, i.e. a dict with
        ``id`` and ``type``, or None. A list is not a single linkage; it is
        reported on stdout and leaves both fields as None.
    :type relentry: dict or list or None
    '''

    def __init__(self, relentry):
        linkage = dict() if relentry is None else relentry
        if type(linkage) == list:
            print("HIT A RELATIONSHIP ENTRY THAT IS A LIST!")
            self.id = None
            self.type = None
            return
        self.id = linkage.get('id')
        self.type = linkage.get('type')
class BaseEntry(object):
    '''
    Base class for every JSON API resource type. Holds the decoded resource
    document, exposes its ``attributes`` and ``relationships`` as Python
    attributes, and knows how to save, delete, download and upload through the
    connection it was created with.

    Attribute access is overridden: a public name is looked up among the
    relationships (the related records are fetched over HTTP on first access),
    then among the attributes; assigning a public name updates the attribute and
    marks it modified. Private names (leading underscore) are ordinary instance
    attributes.

    Used as a context manager, leaving the ``with`` block saves the resource when
    it is new or was modified (see ``__exit__``).
    '''
    # Overridden by each generated subclass with its JSON API resource type name.
    _api_type = None

    def __init__(self, data, conn):
        '''
        :param data: A JSON API resource object (``id``, ``attributes``,
            ``relationships``). An object without ``id`` is treated as a resource
            still to be created; ``create()`` builds such an object.
        :type data: dict
        :param conn: The connection object used for all HTTP calls
        '''
        # Private names bypass the __setattr__ override; they must be assigned
        # before any public lookup, since __getattr__ reads self._data / self._attrs.
        self._data = data
        self._id = data.get('id')
        # Lets a caller choose the id of a resource it is about to create.
        self._create_id = data['attributes'].get('id')
        self._create = False
        if self._id is None:
            self._create = True
        self._attrs = data['attributes']
        self._conn = conn
        self._modified_fields = set()
        self._relationship = Relationship()
        # Cache of related objects fetched on demand by __getattr__.
        self._relobjs = {}
        self._deleted = False
        for relname, relinfo in self._data.get('relationships', {}).items():
            reldata = relinfo.get('data')
            if type(reldata) == list:
                for d in reldata:
                    setattr(self._relationship, relname, RelEntry(d))
            # NOTE(review): this runs for list data too, so the entries set in the
            # loop above are overwritten by RelEntry(<list>), which carries no id.
            setattr(self._relationship, relname, RelEntry(reldata))
        # Modified flag gets flipped to true when we build the relationships .. So we set it to False
        # once we are done.. This is pretty hacky..
        setattr(self._relationship, '_modified', False)

    def __enter__(self):
        return self

    def __exit__(self, type, value, traceback):
        '''Persist the resource on leaving the block unless it was deleted or left untouched.'''
        if self._deleted:
            return
        # If we aren't creating a new resource, we haven't modified any attributes, and we have no modified relationships
        # then all we've done is grab fields out the object.. THere is no need to issue a patch.
        elif not self._create and not self._modified_fields and not self._relationship._modified:
            return
        # The exception arguments are not consulted, so a block left by an
        # exception still saves whatever was modified before it was raised.
        self.save()
        return

    def _rel_to_class(self, key):
        '''
        Resolve a relationship name or resource type to its entry class, via the
        module-level tables RELATIONSHIP_TO_CLASS / RELATIONSHIP_TO_CLASS_EXT
        (defined elsewhere in this file) and, failing both, the field-to-type map.
        '''
        if key in RELATIONSHIP_TO_CLASS:
            return RELATIONSHIP_TO_CLASS[key]
        if key in RELATIONSHIP_TO_CLASS_EXT:
            return RELATIONSHIP_TO_CLASS_EXT[key]
        return RELATIONSHIP_TO_CLASS[MACGYVER_FIELD_TO_TYPE[key]]

    def __getattr__(self, key):
        '''
        Resolve a public name as, in order: a relationship (fetched from the
        resource's ``links.related`` URL on first access and cached), an
        attribute value, or the special name ``relationship``.

        Note that a relationship lookup issues an HTTP GET, so any generic
        attribute probe of an entry can trigger a network call. Unknown public
        names raise ValueError rather than AttributeError, which means
        ``hasattr()`` / ``getattr(obj, name, default)`` do not work for them.
        '''
        if key[0] != '_':
            # The accessed member is in the relationships definition
            if key in self._data['relationships']:
                if key not in self._relobjs:
                    # Look up the relationship information
                    url = self._data['relationships'][key]['links']['related']
                    resp_data = self._conn.request('get', url).json()['data']
                    # A null linkage is returned uncached, so it is re-fetched next time.
                    if resp_data is None:
                        return None
                    if type(resp_data) == dict:
                        self._relobjs[key] = self._rel_to_class(key)(resp_data, self._conn)
                    else:
                        # Soemtimes we get data as a list, example if investigation_findings response
                        self._relobjs[key] = [self._rel_to_class(key)(entry, self._conn) for entry in resp_data]
                return self._relobjs[key]
            elif key in self._attrs:
                # Get a field in the attributes
                return self._attrs[key]
            elif key == 'relationship':
                return self._relationship
            raise ValueError('Looking up %s, relationship doesnt exist!' % key)
        # object defines no __getattr__, so this raises AttributeError (with a
        # misleading message about 'super'), which is the correct outcome for a
        # missing private name.
        return super().__getattr__(key)

    def __setattr__(self, key, valu):
        '''
        Assign a public name as an attribute update (recorded in
        ``_modified_fields`` for the next save); names that are not attributes of
        this resource are rejected. Private names are set normally.
        '''
        if key[0] != '_':
            if key in self._attrs:
                self._attrs[key] = valu
                self._modified_fields.add(key)
            else:
                raise ValueError('%s is an unrecognized attribute!' % key)
            return
        super().__setattr__(key, valu)

    @classmethod
    def from_resp(cls, data):
        # NOTE(review): __init__ also requires `conn`, so this call raises
        # TypeError as written; no caller is visible in this file.
        return cls(data)

    def __repr__(self):
        # Pretty-print a copy of the attributes with the id added, leaving the
        # live attribute dict untouched.
        attrs = copy.deepcopy(self._attrs)
        attrs['id'] = self._id
        return pprint.pformat(attrs)

    @property
    def id(self):
        '''The resource id, or None for a resource that has not been created yet.'''
        return self._id

    def save(self):
        '''
        Persist the resource: PATCH only the modified attributes of an existing
        resource, or POST all attributes of a new one (after which this object
        holds the server-assigned id). Relationships are sent in both cases.

        :return: A fresh entry object built from the server's response document
        :rtype: BaseEntry
        '''
        if not self._create:
            attrs = {field: self._attrs[field] for field in self._modified_fields}
            body = {'data': {'type': self._api_type, 'attributes': attrs}}
            body['data']['relationships'] = self._relationship.to_relationship()
            # NOTE(review): JSON API carries the id inside `data`; this top-level
            # 'id' may be ignored by the server -- confirm against the API.
            body['id'] = self._id
            resp = self._conn.request('patch', '/api/v2/{}/{}'.format(self._api_type, self._id), data=json.dumps(body))
        else:
            body = {'data': {'type': self._api_type, 'attributes': self._attrs}}
            body['data']['relationships'] = self._relationship.to_relationship()
            if self._create_id:
                body['id'] = self._create_id
            resp = self._conn.request('post', '/api/v2/{}'.format(self._api_type), data=json.dumps(body))
            self._id = resp.json()['data']['id']
            self._create = False
        return self._rel_to_class(self._api_type)(resp.json()['data'], self._conn)

    @classmethod
    def create(cls, conn, **kwargs):
        '''
        Build an unsaved entry from keyword arguments. ``relationship_<name>=id``
        keywords become relationship linkages whose type comes from
        MACGYVER_FIELD_TO_TYPE (or ``<name>s`` when unmapped); every other
        keyword with a non-None value becomes an attribute. Nothing is sent to
        the server until ``save()`` is called.
        '''
        attrs = {k: v for k, v in kwargs.items() if not k.startswith('relationship_') and v is not None}
        rels = {}
        for k, v in kwargs.items():
            if k.startswith('relationship_'):
                _, name = k.split('_', 1)
                rels[name] = {'data': {'id': v, 'type': MACGYVER_FIELD_TO_TYPE.get(name, '%ss' % name)}}
        body = {'attributes': attrs, 'relationships': rels}
        c = cls(body, conn)
        return c

    def delete(self):
        '''
        DELETE the resource on the server (the current attributes are sent as the
        request body) and mark this object deleted so ``__exit__`` will not save it.
        '''
        body = {'data': {'type': self._api_type, 'attributes': self._attrs}}
        body['id'] = self._id
        resp = self._conn.request('delete', '/api/v2/{}/{}'.format(self._api_type, self._id), data=json.dumps(body))
        self._deleted = True

    # TODO: Depreciate this in favor of download, need to update Jager's use of this first
    def download_csv(self, fn):
        '''
        Download a ``files`` resource as CSV into the file at path ``fn`` (created
        or truncated; the caller is responsible for choosing a safe location).
        Returns None without doing anything for other resource types.
        '''
        if self._api_type != 'files':
            return None
        resp = self._conn.request('get', '/api/v2/{}/{}/download?format=csv'.format(self._api_type, self._id))
        with open(fn, 'wb') as fd:
            for chunk in resp.iter_content(chunk_size=1024):
                if chunk:
                    fd.write(chunk)

    def download(self, fd, fmt='json'):
        '''
        Download data from an investigative action or a file. This can only be
        called on InvestigativeAction or Files objects.

        :param fd: Buffer to write the response to.
        :type fd: File-like object opened for bytes
        :param fmt: The format to request the data be returned in. This is handled
            by MacGyver; the value is placed in the URL as given.
        :type fmt: str
        :raises Exception: for any other resource type

        Examples:
            >>> import json
            >>> import pprint
            >>> import tempfile
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> with xc.investigative_actions.get(id=inv_act_id) as ia:
            >>>     fd = tempfile.NamedTemporaryFile(delete=False)
            >>>     ia.download(fd)
            >>>     with open(fd.name, 'r') as fd:
            >>>         pprint.pprint(json.loads(fd.read()))
        '''
        if self._api_type == 'files':
            resp = self._conn.request('get', '/api/v2/{}/{}/download?format={}'.format(self._api_type, self._id, fmt))
        elif self._api_type == 'investigative_actions':
            # result_task_id is an attribute of the action, served by __getattr__.
            resp = self._conn.request('get', '/api/v2/tasks/{}/download?format={}'.format(self.result_task_id, fmt))
        else:
            raise Exception("Can not download from api type: %s!" % self._api_type)
        for chunk in resp.iter_content(chunk_size=1024):
            if chunk:
                fd.write(chunk)

    def upload(self, filename, fbytes, expel_file_type=None, file_meta=None):
        '''
        Upload data associated with an investigative action. Can only be called
        on InvestigativeAction objects. Creates a ``files`` resource linked to the
        action's customer, uploads the bytes to it, then marks the action
        READY_FOR_ANALYSIS with the file attached.

        :param filename: Filename, this shows up in Workbench.
        :type filename: str
        :param fbytes: A bytes string representing raw bytes to upload
        :type fbytes: bytes
        :param expel_file_type: Passed through to the files resource
        :param file_meta: Metadata for the files resource; defaults to an
            investigative-action "results" file
        :type file_meta: dict or None
        :return: The id of the created files resource
        :raises Exception: for other resource types, or when neither an
            investigation nor an expel alert relationship yields a customer id

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> with xc.investigative_actions.get(id=inv_act_id) as ia:
            >>>     ia.upload('test.txt', b'hello world')
        '''
        if self._api_type != 'investigative_actions':
            raise Exception("Can not upload for api type: %s!" % self._api_type)
        # set file_meta to a default..
        if file_meta is None:
            file_meta = {'investigative_action': {'file_type': 'results'}}
        # Get the customer id from the inv or expel alert relationship
        # (each .get() here is an HTTP round trip through the connection).
        customer_id = None
        if self.relationship.investigation.id:
            customer_id = self._conn.investigations.get(id=self.relationship.investigation.id).customer.id
        elif self.relationship.expel_alert.id:
            customer_id = self._conn.expel_alerts.get(id=self.relationship.expel_alert.id).customer.id
        else:
            raise Exception("Could not determine customer id")
        # Create a files object
        f = self._conn.files.create(filename=filename, file_meta=file_meta, expel_file_type=expel_file_type)
        f.relationship.customer = customer_id
        # This gets pluralized .. (Relationship.to_relationship emits a list for plural names)
        f.relationship.investigative_actions = self.id
        resp = f.save()
        fid = resp.id
        # Upload the data
        files = {'file': io.BytesIO(fbytes)}
        resp = self._conn.request('post', '/api/v2/files/{}/upload'.format(fid), files=files)
        # Set it ready for analysis.
        with self._conn.investigative_actions.get(id=self.id) as ia:
            ia.status = 'READY_FOR_ANALYSIS'
            ia.relationship.files = fid
        return fid
# AUTO GENERATE JSONAPI CLASSES
class EngagementManagers(BaseEntry):
    '''
    Defines/retrieves expel.io engagement_manager records.

    Valid filter-by parameters, as name (type): description. Entries marked
    "relationship" are filtered through the related resource; the others are
    attributes of the record itself.

    * ``phone_number`` (string): Phone number. Allows: null
    * ``created_at`` (string): Created timestamp. Meta: readonly
    * ``updated_at`` (string): Last Updated timestamp. Meta: readonly
    * ``active`` (boolean): Active. Allows: null
    * ``email`` (string): Email. Allows: null
    * ``display_name`` (string): Display name. Allows: "", null
    * ``created_by`` (object, relationship): no description in the schema
    * ``updated_by`` (object, relationship): no description in the schema
    * ``organizations`` (object, relationship): no description in the schema
    * ``customers`` (object, relationship): no description in the schema
    '''
    _api_type = 'engagement_managers'
    _def_attributes = [
        'phone_number',
        'created_at',
        'updated_at',
        'active',
        'email',
        'display_name',
    ]
    _def_relationships = [
        'created_by',
        'updated_by',
        'organizations',
        'customers',
    ]
class VendorAlertEvidences(BaseEntry):
    '''
    Vendor alert evidences are extracted from a vendor alert's evidence summary.

    Valid filter-by parameters, as name (type): description. Entries marked
    "relationship" are filtered through the related resource; the others are
    attributes of the record itself.

    * ``evidence`` (string): Evidence
    * ``evidence_type`` (any): Type. Restricted to: "HOSTNAME", "URL",
      "PROCESS_ARGUMENTS", "PROCESS_PATH", "PROCESS_MD5", "USERNAME", "SRC_IP",
      "DST_IP", "PARENT_ARGUMENTS", "PARENT_PATH", "PARENT_MD5"
    * ``evidenced_expel_alerts`` (object, relationship): no description in the schema
    * ``vendor_alert`` (object, relationship): no description in the schema
    '''
    _api_type = 'vendor_alert_evidences'
    _def_attributes = [
        'evidence',
        'evidence_type',
    ]
    _def_relationships = [
        'evidenced_expel_alerts',
        'vendor_alert',
    ]
class RemediationActionHistories(BaseEntry):
    '''
    Remediation action histories.

    Valid filter-by parameters, as name (type): description. Entries marked
    "relationship" are filtered through the related resource; the others are
    attributes of the record itself.

    * ``action`` (any): Remediation action history action. Restricted to:
      "CREATED", "ASSIGNED". Allows: null
    * ``value`` (object): Remediation action history details. Allows: null.
      Meta: no-sort
    * ``created_at`` (string): Created timestamp. Meta: readonly
    * ``created_by`` (object, relationship): no description in the schema
    * ``investigation`` (object, relationship): no description in the schema
    * ``assigned_to_actor`` (object, relationship): no description in the schema
    * ``remediation_action`` (object, relationship): no description in the schema
    '''
    _api_type = 'remediation_action_histories'
    _def_attributes = [
        'action',
        'value',
        'created_at',
    ]
    _def_relationships = [
        'created_by',
        'investigation',
        'assigned_to_actor',
        'remediation_action',
    ]
class ExpelUsers(BaseEntry):
    '''
    Expel user records (JSON API resource type ``expel_users``).

    Filterable attributes (Attribute = Y, Relationship = N):

    - ``language`` (string) -- Language. Allows: "", null
    - ``locale`` (string) -- Locale. Allows: "", null
    - ``engagement_manager`` (boolean) -- Is an engagement manager
    - ``assignable`` (boolean) -- Can user be assigned items (e.g. investigations, etc)
    - ``created_at`` (string) -- Created timestamp. Meta: readonly
    - ``password_reset_token`` (string) -- Password reset token. Allows: null. Meta: readonly, private
    - ``invite_token_expires_at`` (string) -- Invite token expiry. Allows: null. Meta: readonly, private
    - ``email`` (string) -- Email. Allows: null
    - ``last_name`` (string) -- Last Name. Allows: "", null
    - ``phone_number`` (string) -- Phone number. Allows: null
    - ``role`` (any) -- User account primary role. Restricted to: "expel_admin",
      "expel_analyst", "organization_admin", "organization_analyst", "system",
      "anonymous". Allows: null. Meta: readonly, no-sort
    - ``active_status`` (any) -- Restricted to: "ACTIVE", "LOCKED", "LOCKED_INVITED",
      "LOCKED_EXPIRED", "ACTIVE_INVITED", "ACTIVE_EXPIRED". Meta: readonly, no-sort
    - ``timezone`` (string) -- Timezone. Allows: "", null
    - ``password_reset_token_expires_at`` (string) -- Password reset token expiry. Allows: null. Meta: readonly, private
    - ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    - ``active`` (boolean) -- Active. Allows: null
    - ``invite_token`` (string) -- Invite token. Allows: null. Meta: readonly, private
    - ``first_name`` (string) -- First Name. Allows: "", null
    - ``display_name`` (string) -- Display name. Allows: "", null
    - ``homepage_preferences`` (object) -- Homepage preferences. Allows: null. Meta: no-sort

    Filterable relationships (Attribute = N, Relationship = Y, all of type object;
    the API provides no description for them): ``user_account_roles``,
    ``assigned_investigative_actions``, ``assigned_investigations``,
    ``assigned_remediation_actions``, ``organization``,
    ``assigned_organization_resilience_actions_list``,
    ``assigned_customer_resilience_actions_list``,
    ``assigned_customer_resilience_actions``, ``updated_by``,
    ``notification_preferences``, ``analysis_assigned_investigative_actions``,
    ``created_by``, ``assigned_expel_alerts``,
    ``assigned_organization_resilience_actions``, ``customer``.

    NOTE: ``password_reset_token``, ``invite_token`` and their ``*_expires_at``
    companions are flagged ``private`` by the API. Treat the token values as
    credentials: do not log them or copy them into integration output.
    '''
    _api_type = 'expel_users'
    _def_attributes = [
        "language",
        "locale",
        "engagement_manager",
        "assignable",
        "created_at",
        "password_reset_token",
        "invite_token_expires_at",
        "email",
        "last_name",
        "phone_number",
        "role",
        "active_status",
        "timezone",
        "password_reset_token_expires_at",
        "updated_at",
        "active",
        "invite_token",
        "first_name",
        "display_name",
        "homepage_preferences",
    ]
    _def_relationships = [
        "user_account_roles",
        "assigned_investigative_actions",
        "assigned_investigations",
        "assigned_remediation_actions",
        "organization",
        "assigned_organization_resilience_actions_list",
        "assigned_customer_resilience_actions_list",
        "assigned_customer_resilience_actions",
        "updated_by",
        "notification_preferences",
        "analysis_assigned_investigative_actions",
        "created_by",
        "assigned_expel_alerts",
        "assigned_organization_resilience_actions",
        "customer",
    ]
class ResilienceActionGroups(BaseEntry):
    '''
    Defines/retrieves expel.io resilience_action_group records
    (JSON API resource type ``resilience_action_groups``).

    Filterable attributes (Attribute = Y, Relationship = N):

    - ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    - ``title`` (string) -- Group title
    - ``category`` (any) -- Global Resilience Group Category.
      Restricted to: "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"
    - ``created_at`` (string) -- Created timestamp. Meta: readonly

    Filterable relationships (Attribute = N, Relationship = Y, all of type object;
    the API provides no description for them): ``created_by``, ``updated_by``,
    ``resilience_actions``.
    '''
    _api_type = 'resilience_action_groups'
    _def_attributes = [
        "updated_at",
        "title",
        "category",
        "created_at",
    ]
    _def_relationships = [
        "created_by",
        "updated_by",
        "resilience_actions",
    ]
class CustomerResilienceActionList(BaseEntry):
    '''
    Organization to resilience action list
    (JSON API resource type ``customer_resilience_action_list``).

    Filterable attributes (Attribute = Y, Relationship = N):

    - ``visible`` (boolean) -- Visible. Allows: null
    - ``impact`` (any) -- Impact. Restricted to: "LOW", "MEDIUM", "HIGH". Allows: null
    - ``incident_count`` (number) -- Incident count. Allows: null
    - ``comment`` (string) -- Comment. Allows: "", null
    - ``title`` (string) -- Title. Allows: "", null
    - ``category`` (any) -- Category. Restricted to: "DISRUPT_ATTACKERS",
      "ENABLE_DEFENDERS". Allows: null
    - ``status`` (any) -- Status. Restricted to: "TOP_PRIORITY", "IN_PROGRESS",
      "WONT_DO", "COMPLETED". Allows: null
    - ``details`` (string) -- Details. Allows: "", null

    Filterable relationships (Attribute = N, Relationship = Y, all of type object;
    the API provides no description for them): ``customer_resilience_action``,
    ``organization``, ``customer``, ``customer_resilience_action_group``,
    ``assigned_to_actor``.
    '''
    _api_type = 'customer_resilience_action_list'
    _def_attributes = [
        "visible",
        "impact",
        "incident_count",
        "comment",
        "title",
        "category",
        "status",
        "details",
    ]
    _def_relationships = [
        "customer_resilience_action",
        "organization",
        "customer",
        "customer_resilience_action_group",
        "assigned_to_actor",
    ]
class Assets(BaseEntry):
    '''
    Organization assets (JSON API resource type ``assets``).

    Filterable attributes (Attribute = Y, Relationship = N):

    - ``asset_type`` (any) -- Restricted to: "IP", "CIDR", "MACADDR", "USERNAME",
      "USERNAME_REGEX", "HOSTNAME", "HOSTNAME_REGEX", "AGENT". Allows: null
    - ``asset_value`` (string) -- Allows: null
    - ``desc`` (string) -- Allows: null, ""

    Filterable relationships (Attribute = N, Relationship = Y, all of type object;
    the API provides no description for them): ``asset_groups``, ``organization``,
    ``customer``.
    '''
    _api_type = 'assets'
    _def_attributes = [
        "asset_type",
        "asset_value",
        "desc",
    ]
    _def_relationships = [
        "asset_groups",
        "organization",
        "customer",
    ]
class UserAccountStatuses(BaseEntry):
    '''
    User account status (JSON API resource type ``user_account_statuses``).

    Filterable attributes (Attribute = Y, Relationship = N):

    - ``password_reset_token_expires_at`` (string) -- Allows: null. Meta: readonly
    - ``active_status`` (any) -- Restricted to: "ACTIVE", "LOCKED", "LOCKED_INVITED",
      "LOCKED_EXPIRED", "ACTIVE_INVITED", "ACTIVE_EXPIRED". Meta: readonly
    - ``created_at`` (string) -- Meta: readonly
    - ``updated_at`` (string) -- Meta: readonly
    - ``active`` (boolean) -- no description provided by the API
    - ``invite_token_expires_at`` (string) -- Allows: null. Meta: readonly

    Filterable relationships (Attribute = N, Relationship = Y, all of type object;
    the API provides no description for them): ``created_by``, ``user_account``,
    ``updated_by``, ``primary_organization``.
    '''
    _api_type = 'user_account_statuses'
    _def_attributes = [
        "password_reset_token_expires_at",
        "active_status",
        "created_at",
        "updated_at",
        "active",
        "invite_token_expires_at",
    ]
    _def_relationships = [
        "created_by",
        "user_account",
        "updated_by",
        "primary_organization",
    ]
class Actors(BaseEntry):
    '''
    Defines/retrieves expel.io actor records (JSON API resource type ``actors``).

    Filterable attributes (Attribute = Y, Relationship = N):

    - ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    - ``is_expel`` (boolean) -- Meta: readonly, no-sort
    - ``actor_type`` (any) -- Actor type. Restricted to: "system", "user",
      "organization", "api"
    - ``display_name`` (string) -- Display name. Allows: "", null
    - ``created_at`` (string) -- Created timestamp. Meta: readonly

    Filterable relationships (Attribute = N, Relationship = Y, all of type object;
    the API provides no description for them): ``child_actors``,
    ``assigned_investigative_actions``, ``assigned_investigations``,
    ``assigned_remediation_actions``, ``organization``,
    ``assigned_organization_resilience_actions_list``,
    ``assigned_customer_resilience_actions_list``,
    ``assigned_customer_resilience_actions``, ``user_account``, ``updated_by``,
    ``notification_preferences``, ``analysis_assigned_investigative_actions``,
    ``created_by``, ``assigned_expel_alerts``,
    ``assigned_organization_resilience_actions``, ``parent_actor``, ``customer``.
    '''
    _api_type = 'actors'
    _def_attributes = [
        "updated_at",
        "is_expel",
        "actor_type",
        "display_name",
        "created_at",
    ]
    _def_relationships = [
        "child_actors",
        "assigned_investigative_actions",
        "assigned_investigations",
        "assigned_remediation_actions",
        "organization",
        "assigned_organization_resilience_actions_list",
        "assigned_customer_resilience_actions_list",
        "assigned_customer_resilience_actions",
        "user_account",
        "updated_by",
        "notification_preferences",
        "analysis_assigned_investigative_actions",
        "created_by",
        "assigned_expel_alerts",
        "assigned_organization_resilience_actions",
        "parent_actor",
        "customer",
    ]
class SecurityDevices(BaseEntry):
    '''
    Security devices.

    Valid filter-by parameters, as listed by the API schema.

    Attributes (``Attribute = Y``, ``Relationship = N``):

    * ``plugin_slug`` (string) -- allows "", null
    * ``location`` (string) -- Location; allows "", null
    * ``created_at`` (string) -- Created timestamp; readonly
    * ``status_updated_at`` (string) -- Status Updated At; allows null; readonly
    * ``device_spec`` (object) -- Device Spec; allows null; no-sort
    * ``deleted_at`` (string) -- Deleted At timestamp; allows null
    * ``name`` (string) -- Name
    * ``has_two_factor_secret`` (boolean) -- Has 2fa secret stored in vault; readonly
    * ``status`` (any) -- Status; restricted to "healthy", "unhealthy",
      "health_checks_not_supported"; allows null
    * ``device_type`` (any) -- Device Type; restricted to "ENDPOINT", "NETWORK",
      "SIEM", "OTHER", "CLOUD"
    * ``updated_at`` (string) -- Last Updated timestamp; readonly
    * ``task_source`` (any) -- Location where tasks are run; restricted to
      "CUSTOMER_PREMISE", "EXPEL_TASKPOOL"
    * ``status_details`` (object) -- Status Details; allows null; no-sort

    Relationships (``Attribute = N``, ``Relationship = Y``; all of type object,
    no description given by the schema):

    ``parent_security_device``, ``assembler``, ``investigative_actions``,
    ``updated_by``, ``created_by``, ``vendor_alerts``, ``organization``,
    ``customer``, ``vendor``, ``child_security_devices``
    '''

    # JSON API resource type for this entry; JsonResp reads it as ``api_type``.
    _api_type = 'security_devices'

    # Attribute names, in the same order as the schema table above.
    _def_attributes = [
        'plugin_slug',
        'location',
        'created_at',
        'status_updated_at',
        'device_spec',
        'deleted_at',
        'name',
        'has_two_factor_secret',
        'status',
        'device_type',
        'updated_at',
        'task_source',
        'status_details',
    ]

    # Relationship names, in the same order as the schema table above.
    _def_relationships = [
        'parent_security_device',
        'assembler',
        'investigative_actions',
        'updated_by',
        'created_by',
        'vendor_alerts',
        'organization',
        'customer',
        'vendor',
        'child_security_devices',
    ]
class ExpelAlertHistories(BaseEntry):
    '''
    Expel alert histories.

    Valid filter-by parameters, as listed by the API schema.

    Attributes (``Attribute = Y``, ``Relationship = N``):

    * ``action`` (any) -- Expel alert history action; restricted to "CREATED",
      "ASSIGNED", "STATUS_CHANGED", "INVESTIGATING", "TUNING_CHANGED"; allows null
    * ``value`` (object) -- Expel alert history details; allows null; no-sort
    * ``created_at`` (string) -- Created timestamp; readonly

    Relationships (``Attribute = N``, ``Relationship = Y``; all of type object,
    no description given by the schema):

    ``investigation``, ``expel_alert``, ``created_by``, ``organization``,
    ``customer``, ``assigned_to_actor``
    '''

    # JSON API resource type for this entry; JsonResp reads it as ``api_type``.
    _api_type = 'expel_alert_histories'

    # Attribute names, in the same order as the schema table above.
    _def_attributes = [
        'action',
        'value',
        'created_at',
    ]

    # Relationship names, in the same order as the schema table above.
    _def_relationships = [
        'investigation',
        'expel_alert',
        'created_by',
        'organization',
        'customer',
        'assigned_to_actor',
    ]
class Organizations(BaseEntry):
    '''
    Defines/retrieves expel.io organization records.

    Valid filter-by parameters, as listed by the API schema.

    Attributes (``Attribute = Y``, ``Relationship = N``):

    * ``industry`` (string) -- The organization's primary industry; allows "", null
    * ``city`` (string) -- City; allows "", null
    * ``nodes_count`` (number) -- Number of nodes covered for this organization; allows null
    * ``region`` (string) -- State/Province/Region; allows "", null
    * ``users_count`` (number) -- Number of users covered for this organization; allows null
    * ``vault_token`` (string) -- Vault Token; allows null; private
    * ``address_2`` (string) -- Address 2; allows "", null
    * ``o365_tos_id`` (string) -- o365 Terms of Service identifier (e.g. hubspot id, etc.);
      allows null
    * ``hq_utc_offset`` (string) -- allows "", null
    * ``address_1`` (string) -- Address 1; allows "", null
    * ``short_name`` (string) -- Organization short name; allows null
    * ``service_renewal_at`` (string) -- Organization service renewal date; allows null
    * ``postal_code`` (string) -- Postal Code; allows null
    * ``is_surge`` (boolean) -- Is surge
    * ``prospect`` (boolean) -- Is Prospective/Demo Organization; private
    * ``country_code`` (string) -- Country Code; allows null
    * ``created_at`` (string) -- Created timestamp; readonly
    * ``service_start_at`` (string) -- Organization service start date; allows null
    * ``o365_tenant_id`` (string) -- o365 Microsoft tenant id; allows null; private
    * ``deleted_at`` (string) -- Deleted At timestamp; allows null
    * ``name`` (string) -- The organization's operating name
    * ``hq_city`` (string) -- The city where the organization's headquarters is located;
      allows "", null
    * ``updated_at`` (string) -- Last Updated timestamp; readonly
    * ``vault_token_expires`` (string) -- allows null; private

    Relationships (``Attribute = N``, ``Relationship = Y``; all of type object,
    no description given by the schema):

    ``configurations``, ``vendor_alerts``, ``updated_by``, ``expel_users``,
    ``vendor_devices``, ``user_accounts``, ``assigned_organization_resilience_actions_list``,
    ``security_devices``, ``assigned_customer_resilience_actions_list``,
    ``context_label_tags``, ``organization_resilience_action_groups``, ``features``,
    ``user_accounts_with_roles``, ``files``, ``expel_alert_histories``, ``assignables``,
    ``notification_preferences``, ``comments``, ``assigned_expel_alerts``,
    ``assigned_organization_resilience_actions``, ``expel_alerts``,
    ``saml_identity_provider``, ``organization_em_meta``, ``api_keys``,
    ``nist_subcategory_scores``, ``assigned_investigative_actions``,
    ``assigned_investigations``, ``investigation_histories``, ``organization_status``,
    ``investigations``, ``assigned_remediation_actions``, ``engagement_manager``,
    ``products``, ``organization_resilience_actions``,
    ``assigned_customer_resilience_actions``, ``organization_user_account_roles``,
    ``context_labels``, ``assemblers``, ``customer_devices``, ``created_by``,
    ``analysis_assigned_investigative_actions``, ``actor``, ``integrations``

    The schema marks ``vault_token``, ``prospect``, ``o365_tenant_id`` and
    ``vault_token_expires`` as ``Meta: private``. They stay in the default
    attribute list so the client's attribute set matches the schema, but
    ``vault_token`` names a credential: code that logs, exports or persists
    organization records should redact these fields.
    '''

    # JSON API resource type for this entry; JsonResp reads it as ``api_type``.
    _api_type = 'organizations'

    # Attribute names, in the same order as the schema table above.
    _def_attributes = [
        'industry',
        'city',
        'nodes_count',
        'region',
        'users_count',
        'vault_token',           # Meta: private in the schema
        'address_2',
        'o365_tos_id',
        'hq_utc_offset',
        'address_1',
        'short_name',
        'service_renewal_at',
        'postal_code',
        'is_surge',
        'prospect',              # Meta: private in the schema
        'country_code',
        'created_at',
        'service_start_at',
        'o365_tenant_id',        # Meta: private in the schema
        'deleted_at',
        'name',
        'hq_city',
        'updated_at',
        'vault_token_expires',   # Meta: private in the schema
    ]

    # Relationship names, in the same order as the schema table above.
    _def_relationships = [
        'configurations',
        'vendor_alerts',
        'updated_by',
        'expel_users',
        'vendor_devices',
        'user_accounts',
        'assigned_organization_resilience_actions_list',
        'security_devices',
        'assigned_customer_resilience_actions_list',
        'context_label_tags',
        'organization_resilience_action_groups',
        'features',
        'user_accounts_with_roles',
        'files',
        'expel_alert_histories',
        'assignables',
        'notification_preferences',
        'comments',
        'assigned_expel_alerts',
        'assigned_organization_resilience_actions',
        'expel_alerts',
        'saml_identity_provider',
        'organization_em_meta',
        'api_keys',
        'nist_subcategory_scores',
        'assigned_investigative_actions',
        'assigned_investigations',
        'investigation_histories',
        'organization_status',
        'investigations',
        'assigned_remediation_actions',
        'engagement_manager',
        'products',
        'organization_resilience_actions',
        'assigned_customer_resilience_actions',
        'organization_user_account_roles',
        'context_labels',
        'assemblers',
        'customer_devices',
        'created_by',
        'analysis_assigned_investigative_actions',
        'actor',
        'integrations',
    ]
class NotificationPreferences(BaseEntry):
    '''
    User Notification Preferences.

    Valid filter-by parameters, as listed by the API schema.

    Attributes (``Attribute = Y``, ``Relationship = N``):

    * ``preferences`` (array) -- no description given by the schema

    Relationships (``Attribute = N``, ``Relationship = Y``; type object,
    no description given by the schema):

    ``actor``
    '''

    # JSON API resource type for this entry; JsonResp reads it as ``api_type``.
    _api_type = 'notification_preferences'

    # Attribute names, in the same order as the schema table above.
    _def_attributes = [
        'preferences',
    ]

    # Relationship names, in the same order as the schema table above.
    _def_relationships = [
        'actor',
    ]
class TimelineEntries(BaseEntry):
    '''
    Timeline Entries.

    JSON API resource type ``timeline_entries``. The fields below are the ones
    the API accepts as filter-by parameters (attribute vs. relationship).

    Attributes:
        event_type (string): The type of the event, such as Carbon Black Alert.
            Allows "" and null.
        updated_at (string): Last Updated timestamp. Meta: readonly.
        deleted_at (string): Deleted At timestamp. Allows null.
        is_selected (boolean): Has been selected for final report.
        event_date (string): Date/Time of when the event occurred.
        comment (string): Comment on this Timeline Entry. Allows "" and null.
        dest_host (string): Destination Host (IP or Hostname). Allows "" and null.
        attack_phase (string): Attack phase of the Timeline Entry. Allows "" and null.
        event (string): The event, such as Powershell Attack. Allows "" and null.
        src_host (string): Source Host (IP or Hostname). Allows "" and null.
        created_at (string): Created timestamp. Meta: readonly.

    Relationships (no description provided by the API schema):
        investigation, expel_alert, updated_by, created_by, context_labels,
        context_label_actions (all object).
    '''
    _api_type = 'timeline_entries'
    _def_attributes = [
        'event_type',
        'updated_at',
        'deleted_at',
        'is_selected',
        'event_date',
        'comment',
        'dest_host',
        'attack_phase',
        'event',
        'src_host',
        'created_at',
    ]
    _def_relationships = [
        'investigation',
        'expel_alert',
        'updated_by',
        'created_by',
        'context_labels',
        'context_label_actions',
    ]
class NistSubcategories(BaseEntry):
    '''
    Defines/retrieves expel.io nist_subcategory records.

    JSON API resource type ``nist_subcategories``. The fields below are the ones
    the API accepts as filter-by parameters (attribute vs. relationship).

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        name (string): Nist subcategory title. Allows "" and null.
        identifier (string): Nist subcategory abbreviated identifier.
        created_at (string): Created timestamp. Meta: readonly.

    Relationships (no description provided by the API schema):
        created_by, nist_subcategory_scores, updated_by, nist_category (all object).
    '''
    _api_type = 'nist_subcategories'
    _def_attributes = ['updated_at', 'name', 'identifier', 'created_at']
    _def_relationships = [
        'created_by',
        'nist_subcategory_scores',
        'updated_by',
        'nist_category',
    ]
class IpAddresses(BaseEntry):
    '''
    IP addresses.

    JSON API resource type ``ip_addresses``. The fields below are the ones the
    API accepts as filter-by parameters (attribute vs. relationship).

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        created_at (string): Created timestamp. Meta: readonly.
        address (string): IP Address. Meta: readonly.

    Relationships (no description provided by the API schema):
        investigations, source_investigations, updated_by, created_by,
        vendor_alerts, destination_expel_alerts, source_expel_alerts,
        destination_investigations (all object).
    '''
    _api_type = 'ip_addresses'
    _def_attributes = ['updated_at', 'created_at', 'address']
    _def_relationships = [
        'investigations',
        'source_investigations',
        'updated_by',
        'created_by',
        'vendor_alerts',
        'destination_expel_alerts',
        'source_expel_alerts',
        'destination_investigations',
    ]
class Secrets(BaseEntry):
    '''
    Organization secrets.

    Note: these requests must be in the format of ``/secrets/security_device-<guid>``.

    JSON API resource type ``secrets``. The fields below are the ones the API
    accepts as filter-by parameters (attribute vs. relationship).

    NOTE(review): the ``secret`` attribute is, by this resource's own description,
    secret material. Treat instances as sensitive — keep them out of logs,
    ``pprint`` dumps and exception messages.

    Attributes:
        secret (object): Allows null.

    Relationships (no description provided by the API schema):
        organization, customer (both object).
    '''
    _api_type = 'secrets'
    _def_attributes = ['secret']
    _def_relationships = ['organization', 'customer']
class OrganizationResilienceActionList(BaseEntry):
    '''
    Organization to resilience action list.

    JSON API resource type ``organization_resilience_action_list``. The fields
    below are the ones the API accepts as filter-by parameters (attribute vs.
    relationship).

    Attributes:
        visible (boolean): Visible. Allows null.
        impact (any): Impact. Restricted to "LOW", "MEDIUM", "HIGH". Allows null.
        incident_count (number): Incident count. Allows null.
        comment (string): Comment. Allows "" and null.
        title (string): Title. Allows "" and null.
        category (any): Category. Restricted to "DISRUPT_ATTACKERS",
            "ENABLE_DEFENDERS". Allows null.
        status (any): Status. Restricted to "TOP_PRIORITY", "IN_PROGRESS",
            "WONT_DO", "COMPLETED". Allows null.
        details (string): Details. Allows "" and null.

    Relationships (no description provided by the API schema):
        organization_resilience_action, organization,
        organization_resilience_action_group, assigned_to_actor (all object).
    '''
    _api_type = 'organization_resilience_action_list'
    _def_attributes = [
        'visible',
        'impact',
        'incident_count',
        'comment',
        'title',
        'category',
        'status',
        'details',
    ]
    _def_relationships = [
        'organization_resilience_action',
        'organization',
        'organization_resilience_action_group',
        'assigned_to_actor',
    ]
class UiDiscoveries(BaseEntry):
    '''
    Defines/retrieves UI discovery records.

    JSON API resource type ``ui_discoveries``. The fields below are the ones the
    API accepts as filter-by parameters (attribute vs. relationship).

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        name (string): no description provided by the API schema.
        created_at (string): Created timestamp. Meta: readonly.

    Relationships (no description provided by the API schema):
        created_by, user_accounts, updated_by (all object).
    '''
    _api_type = 'ui_discoveries'
    _def_attributes = ['updated_at', 'name', 'created_at']
    _def_relationships = ['created_by', 'user_accounts', 'updated_by']
class HuntingStatuses(BaseEntry):
    '''
    Investigation hunting statuses.

    JSON API resource type ``hunting_statuses``. The fields below are the ones
    the API accepts as filter-by parameters (attribute vs. relationship).

    Attributes:
        log_offset (string): Allows null.
        log_start (string): Allows null.
        log_end (string): Allows null.

    Relationships (no description provided by the API schema):
        investigation, organization, customer (all object).
    '''
    _api_type = 'hunting_statuses'
    _def_attributes = ['log_offset', 'log_start', 'log_end']
    _def_relationships = ['investigation', 'organization', 'customer']
class Configurations(BaseEntry):
    '''
    Defines/retrieves expel.io configuration records.

    JSON API resource type ``configurations``. The fields below are the ones the
    API accepts as filter-by parameters (attribute vs. relationship). Fields
    marked readonly are server-managed; ``write_permission_level`` states which
    level is required to write the value.

    Attributes:
        validation (object): Configuration value validation. Allows null.
            Meta: readonly, no-sort.
        title (string): Title of configuration value. Allows "" and null.
            Meta: readonly.
        visibility (any): Configuration visibility. Restricted to "EXPEL",
            "ORGANIZATION", "SYSTEM".
        created_at (string): Created timestamp. Meta: readonly.
        metadata (object): Configuration metadata. Allows null.
            Meta: readonly, no-sort.
        is_override (boolean): Configuration value is an override. Meta: readonly.
        default_value (any): Default configuration value. Allows null.
            Meta: readonly, no-sort.
        key (string): Configuration key. Meta: readonly.
        value (any): Configuration value. Allows null. Meta: no-sort.
        description (string): Description of configuration value. Allows "" and
            null. Meta: readonly.
        updated_at (string): Last Updated timestamp. Meta: readonly.
        write_permission_level (any): Write permission required. Restricted to
            "EXPEL", "ORGANIZATION", "SYSTEM".

    Relationships (no description provided by the API schema):
        created_by, organization, customer, updated_by, configuration_default
        (all object).
    '''
    _api_type = 'configurations'
    _def_attributes = [
        'validation',
        'title',
        'visibility',
        'created_at',
        'metadata',
        'is_override',
        'default_value',
        'key',
        'value',
        'description',
        'updated_at',
        'write_permission_level',
    ]
    _def_relationships = [
        'created_by',
        'organization',
        'customer',
        'updated_by',
        'configuration_default',
    ]
class InvestigativeActions(BaseEntry):
'''
investigative actions
Below are valid filter by parameters:
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Field Description | Field Name | Field Type | Attribute | Relationship |
+=========================================================================================================================================================================================+=====================================+================+===============+==================+
| Title | title | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Verify Investigative action verified by<br/>Allows: null | activity_verified_by | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Result task id<br/>Allows: null<br/>Meta: readonly | result_task_id | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Taskabilities error<br/>Allows: "", null<br/>Meta: no-sort | tasking_error | object | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Close Reason<br/>Allows: null | close_reason | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Task input arguments<br/>Allows: null<br/>Meta: no-sort | input_args | object | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Investigative action created by robot action<br/>Meta: readonly | robot_action | boolean | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Capability name<br/>Allows: "", null | capability_name | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Status Updated At<br/>Allows: null<br/>Meta: readonly | status_updated_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Deleted At timestamp<br/>Allows: null | deleted_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Reason | reason | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Taskability action id<br/>Allows: "", null | taskability_action_id | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Instructions<br/>Allows: "", null | instructions | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Investigative Action Type<br/>Restricted to: "TASKABILITY", "HUNTING", "MANUAL", "RESEARCH", "PIVOT", "QUICK_UPLOAD", "VERIFY", "DOWNGRADE" | action_type | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Results/Analysis<br/>Allows: "", null | results | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Verify Investigative action is authorized<br/>Allows: null | activity_authorized | boolean | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Status<br/>Restricted to: "RUNNING", "FAILED", "READY_FOR_ANALYSIS", "CLOSED", "COMPLETED" | status | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Downgrade reason<br/>Restricted to: "FALSE_POSITIVE", "ATTACK_FAILED", "POLICY_VIOLATION", "ACTIVITY_BLOCKED", "PUP_PUA", "BENIGN", "IT_MISCONFIGURATION", "OTHER"<br/>Allows: null | downgrade_reason | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | analysis_assigned_to_actor | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | vendor_device | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | updated_by | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | depends_on_investigative_action | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | created_by | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | files | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | expel_alert | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | security_device | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | investigation | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | dependent_investigative_actions | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | assigned_to_actor | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
| Missing Description | investigative_action_histories | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+----------------+---------------+------------------+
'''
_api_type = 'investigative_actions'
_def_attributes = ["title", "activity_verified_by", "created_at", "result_task_id", "tasking_error", "close_reason",
"input_args", "robot_action", "capability_name", "status_updated_at", "deleted_at", "reason",
"taskability_action_id", "instructions", "updated_at", "action_type", "results",
"activity_authorized", "status", "downgrade_reason"]
_def_relationships = ["analysis_assigned_to_actor", "vendor_device", "updated_by",
"depends_on_investigative_action", "created_by", "files", "expel_alert", "security_device",
"investigation", "dependent_investigative_actions", "assigned_to_actor",
"investigative_action_histories"]
class Vendors(BaseEntry):
    '''
    Vendors

    JSON API resource type ``vendors``. The fields below are the valid
    filter-by parameters; "Attribute" fields carry plain values, "Relationship"
    fields link to other resource types.

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        name (string): Name. Allows: "", null.
        icon (string): Icon. Allows: "", null.
        created_at (string): Created timestamp. Meta: readonly.

    Relationships:
        vendor_devices, updated_by, created_by, vendor_alerts, expel_alerts,
        security_devices
    '''

    # Resource type string; JsonResp reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'vendors'

    # Attribute field names of this resource, in API order. How BaseEntry
    # consumes this list is defined outside this class.
    _def_attributes = [
        "updated_at",
        "name",
        "icon",
        "created_at",
    ]

    # Relationship field names of this resource, in API order.
    _def_relationships = [
        "vendor_devices",
        "updated_by",
        "created_by",
        "vendor_alerts",
        "expel_alerts",
        "security_devices",
    ]
class ConfigurationLabels(BaseEntry):
    '''
    Configuration labels

    JSON API resource type ``configuration_labels``. The fields below are the
    valid filter-by parameters; "Attribute" fields carry plain values,
    "Relationship" fields link to other resource types.

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        description (string): Description of configuration label.
            Allows: "", null.
        title (string): Title of configuration label. Allows: "", null.
        created_at (string): Created timestamp. Meta: readonly.

    Relationships:
        created_by, updated_by, configuration_defaults
    '''

    # Resource type string; JsonResp reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'configuration_labels'

    # Attribute field names of this resource, in API order. How BaseEntry
    # consumes this list is defined outside this class.
    _def_attributes = [
        "updated_at",
        "description",
        "title",
        "created_at",
    ]

    # Relationship field names of this resource, in API order.
    _def_relationships = [
        "created_by",
        "updated_by",
        "configuration_defaults",
    ]
class CpeImages(BaseEntry):
    '''
    CPE Images

    JSON API resource type ``cpe_images``. The fields below are the valid
    filter-by parameters; "Attribute" fields carry plain values, "Relationship"
    fields link to other resource types.

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        size (number): CPE image size. Allows: null.
        hash_md5 (string): CPE image md5 hash. Allows: null.
        hash_sha256 (string): CPE image sha256 hash. Allows: null.
        hash_sha1 (string): CPE image sha1 hash. Allows: null.
        created_at (string): Created timestamp. Meta: readonly.
        release_date (string): CPE image release date. Allows: null.
        version (string): CPE image version. Allows: "", null.
        platform (any): Platform. Restricted to: "VMWARE", "HYPERV",
            "AZURE", "AMAZON".

    Relationships:
        created_by, updated_by

    Note: when an image downloaded from elsewhere is checked against these
    fields, compare ``hash_sha256``; ``hash_md5`` and ``hash_sha1`` are
    collision-prone and should not be relied on for integrity on their own.
    '''

    # Resource type string; JsonResp reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'cpe_images'

    # Attribute field names of this resource, in API order. How BaseEntry
    # consumes this list is defined outside this class.
    _def_attributes = [
        "updated_at",
        "size",
        "hash_md5",
        "hash_sha256",
        "hash_sha1",
        "created_at",
        "release_date",
        "version",
        "platform",
    ]

    # Relationship field names of this resource, in API order.
    _def_relationships = [
        "created_by",
        "updated_by",
    ]
class Products(BaseEntry):
    '''
    Products

    JSON API resource type ``products``. The fields below are the valid
    filter-by parameters; "Attribute" fields carry plain values, "Relationship"
    fields link to other resource types.

    Attributes:
        updated_at (string): Last Updated timestamp. Meta: readonly.
        name (string): No description provided by the API.
        description (string): No description provided by the API.
        created_at (string): Created timestamp. Meta: readonly.

    Relationships:
        created_by, features, updated_by, organizations, customers
    '''

    # Resource type string; JsonResp reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'products'

    # Attribute field names of this resource, in API order. How BaseEntry
    # consumes this list is defined outside this class.
    _def_attributes = [
        "updated_at",
        "name",
        "description",
        "created_at",
    ]

    # Relationship field names of this resource, in API order.
    _def_relationships = [
        "created_by",
        "features",
        "updated_by",
        "organizations",
        "customers",
    ]
class RemediationActions(BaseEntry):
    '''
    Remediation actions

    JSON API resource type ``remediation_actions``. The fields below are the
    valid filter-by parameters; "Attribute" fields carry plain values,
    "Relationship" fields link to other resource types.

    Attributes:
        detail_markdown (string): Remediation action details markdown.
            Allows: "", null. Meta: readonly.
        status_updated_at (string): Status Updated At. Allows: null.
            Meta: readonly.
        deleted_at (string): Deleted At timestamp. Allows: null.
        values (object): Remediation Action Values. Meta: no-sort.
        created_at (string): Created timestamp. Meta: readonly.
        action (string): Action. Allows: "", null.
        template_values (object): Remediation Action Template and Values.
            Meta: no-sort.
        updated_at (string): Last Updated timestamp. Meta: readonly.
        template_name (string): Remediation Action Template Name.
            Allows: "", null.
        status (any): Status. Restricted to: "IN_PROGRESS", "COMPLETED",
            "CLOSED".

    Relationships:
        investigation, updated_by, remediation_action_type, created_by,
        assigned_to_actor, remediation_action_histories

    Note: ``detail_markdown`` is server-supplied markup; if it is ever rendered
    in a UI, treat it as untrusted content and sanitize it first.
    '''

    # Resource type string; JsonResp reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'remediation_actions'

    # Attribute field names of this resource, in API order. How BaseEntry
    # consumes this list is defined outside this class.
    _def_attributes = [
        "detail_markdown",
        "status_updated_at",
        "deleted_at",
        "values",
        "created_at",
        "action",
        "template_values",
        "updated_at",
        "template_name",
        "status",
    ]

    # Relationship field names of this resource, in API order.
    _def_relationships = [
        "investigation",
        "updated_by",
        "remediation_action_type",
        "created_by",
        "assigned_to_actor",
        "remediation_action_histories",
    ]
class ExpelAlerts(BaseEntry):
'''
Expel alerts
Below are valid filter by parameters:
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Field Description | Field Name | Field Type | Attribute | Relationship |
+=============================================================================================================================================================================================================================+====================================================+================+===============+==================+
| Allows: null<br/>Meta: readonly, no-sort | vendor_alert_count | number | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel Alert Time first seen time<br/>Meta: immutable | expel_alert_time | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| URL to rule definition for alert<br/>Allows: "", null | git_rule_url | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null | disposition_alerts_in_incidents_count | number | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert alias<br/>Allows: "", null | expel_alias_name | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null | disposition_closed_alerts_count | number | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert name<br/>Allows: "", null | expel_name | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert type<br/>Restricted to: "ENDPOINT", "NETWORK", "SIEM", "RULE_ENGINE", "EXTERNAL", "OTHER", "CLOUD"<br/>Allows: null | alert_type | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert version<br/>Allows: "", null | expel_version | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Referring event id<br/>Allows: null | ref_event_id | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null | disposition_alerts_in_investigations_count | number | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null | disposition_disposed_alerts_count | number | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Status Updated At<br/>Allows: null<br/>Meta: readonly | status_updated_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| tuning requested | tuning_requested | boolean | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert message<br/>Allows: "", null | expel_message | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert close reason<br/>Restricted to: "FALSE_POSITIVE", "TRUE_POSITIVE", "OTHER", "ATTACK_FAILED", "POLICY_VIOLATION", "ACTIVITY_BLOCKED", "TESTING", "PUP_PUA", "BENIGN", "IT_MISCONFIGURATION"<br/>Allows: null | close_reason | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null | disposition_alerts_in_critical_incidents_count | number | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null<br/>Meta: readonly, no-sort | activity_last_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert signature<br/>Allows: "", null | expel_signature_id | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Allows: null<br/>Meta: readonly, no-sort | activity_first_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert severity<br/>Restricted to: "CRITICAL", "HIGH", "MEDIUM", "LOW", "TESTING", "TUNING"<br/>Allows: null | expel_severity | any | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert close comment<br/>Allows: "", null | close_comment | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Expel alert status<br/>Restricted to: "OPEN", "IN_PROGRESS", "CLOSED"<br/>Allows: null | status | string | Y | N |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | similar_alerts | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | investigative_actions | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | updated_by | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | status_last_updated_by | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | organization | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | expel_alert_histories | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | coincident_vendor_alerts | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | source_ip_addresses | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | vendor | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | vendor_alerts | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | created_by | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | related_investigations | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | context_labels | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | assigned_to_actor | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | investigation | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | evidence | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | related_investigations_via_involved_host_ips | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | destination_ip_addresses | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | customer | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
| Missing Description | investigative_action_histories | object | N | Y |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+----------------+---------------+------------------+
'''
_api_type = 'expel_alerts'
_def_attributes = ["vendor_alert_count", "expel_alert_time", "git_rule_url",
"disposition_alerts_in_incidents_count", "expel_alias_name", "disposition_closed_alerts_count",
"expel_name", "alert_type", "expel_version", "ref_event_id",
"disposition_alerts_in_investigations_count", "disposition_disposed_alerts_count",
"status_updated_at", "created_at", "tuning_requested", "expel_message", "close_reason",
"disposition_alerts_in_critical_incidents_count", "activity_last_at", "expel_signature_id",
"activity_first_at", "expel_severity", "updated_at", "close_comment", "status"]
_def_relationships = ["similar_alerts", "investigative_actions", "updated_by", "status_last_updated_by",
"organization", "expel_alert_histories", "coincident_vendor_alerts", "source_ip_addresses",
"vendor", "vendor_alerts", "created_by", "related_investigations", "context_labels",
"assigned_to_actor", "investigation", "evidence",
"related_investigations_via_involved_host_ips", "destination_ip_addresses", "customer",
"investigative_action_histories"]
class NistSubcategoryScoreHistories(BaseEntry):
    '''
    NIST Subcategory Score History (JSON API type ``nist_subcategory_score_histories``).

    The fields listed here are the valid filter-by parameters for this resource.

    Attributes (filterable, ``Attribute = Y``):

    * ``action`` (any) -- NIST subcategory score history action.
      Restricted to: "SCORE_UPDATED", "COMMENT_UPDATED", "PRIORITY_UPDATED"
    * ``actual_score`` (number) -- Organization actual score for this nist subcategory
    * ``target_score`` (number) -- Organization target score for this nist subcategory
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (filterable, ``Relationship = Y``):

    * ``created_by`` (object)
    * ``nist_subcategory_score`` (object)
    '''
    # JSON API resource type name for this entry.
    _api_type = 'nist_subcategory_score_histories'

    # Attribute names that may be used as filter parameters (order preserved).
    _def_attributes = [
        "action",
        "actual_score",
        "target_score",
        "created_at",
    ]

    # Relationship names that may be used as filter parameters (order preserved).
    _def_relationships = [
        "created_by",
        "nist_subcategory_score",
    ]
class CustomerEmMeta(BaseEntry):
    '''
    Defines/retrieves expel.io customer_em_meta records (JSON API type ``customer_em_meta``).

    The fields listed here are the valid filter-by parameters for this resource.

    Attributes (filterable, ``Attribute = Y``):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``renewal_status`` (any) -- Renewal Status.
      Restricted to: "WONT_RENEW", "AT_RISK", "WILL_RENEW", "WILL_REFER". Allows: null
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (filterable, ``Relationship = Y``):

    * ``created_by`` (object)
    * ``customer`` (object)
    * ``updated_by`` (object)
    '''
    # JSON API resource type name for this entry.
    _api_type = 'customer_em_meta'

    # Attribute names that may be used as filter parameters (order preserved).
    _def_attributes = [
        "updated_at",
        "renewal_status",
        "created_at",
    ]

    # Relationship names that may be used as filter parameters (order preserved).
    _def_relationships = [
        "created_by",
        "customer",
        "updated_by",
    ]
class ContextLabels(BaseEntry):
    '''
    Defines/retrieves expel.io context_label records (JSON API type ``context_labels``).

    The fields listed here are the valid filter-by parameters for this resource.

    Attributes (filterable, ``Attribute = Y``):

    * ``definition`` (object) -- Definition. Meta: no-sort
    * ``title`` (string) -- Title. Allows: null, ""
    * ``created_at`` (string) -- Created timestamp. Meta: readonly
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``metadata`` (object) -- Metadata about the context label. Allows: null. Meta: no-sort
    * ``description`` (string) -- Description. Allows: null, ""
    * ``starts_at`` (string) -- Date/Time of when the context_label should start being tested
    * ``ends_at`` (string) -- Date/Time of when the context_label should end being tested. Allows: null

    Relationships (filterable, ``Relationship = Y``):

    * ``investigations`` (object)
    * ``updated_by`` (object)
    * ``timeline_entries`` (object)
    * ``created_by`` (object)
    * ``organization`` (object)
    * ``expel_alerts`` (object)
    * ``context_label_actions`` (object)
    * ``context_label_tags`` (object)
    '''
    # JSON API resource type name for this entry.
    _api_type = 'context_labels'

    # Attribute names that may be used as filter parameters (order preserved).
    _def_attributes = [
        "definition",
        "title",
        "created_at",
        "updated_at",
        "metadata",
        "description",
        "starts_at",
        "ends_at",
    ]

    # Relationship names that may be used as filter parameters (order preserved).
    _def_relationships = [
        "investigations",
        "updated_by",
        "timeline_entries",
        "created_by",
        "organization",
        "expel_alerts",
        "context_label_actions",
        "context_label_tags",
    ]
class ExpelAlertThresholds(BaseEntry):
    '''
    Defines/retrieves expel.io expel_alert_threshold records (JSON API type ``expel_alert_thresholds``).

    The fields listed here are the valid filter-by parameters for this resource.

    Attributes (filterable, ``Attribute = Y``):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``name`` (string) -- Name
    * ``threshold`` (number) -- Threshold value
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (filterable, ``Relationship = Y``):

    * ``created_by`` (object)
    * ``suppressed_by`` (object)
    * ``suppresses`` (object)
    * ``updated_by`` (object)
    * ``expel_alert_threshold_histories`` (object)
    '''
    # JSON API resource type name for this entry.
    _api_type = 'expel_alert_thresholds'

    # Attribute names that may be used as filter parameters (order preserved).
    _def_attributes = [
        "updated_at",
        "name",
        "threshold",
        "created_at",
    ]

    # Relationship names that may be used as filter parameters (order preserved).
    _def_relationships = [
        "created_by",
        "suppressed_by",
        "suppresses",
        "updated_by",
        "expel_alert_threshold_histories",
    ]
class UserAccountRoles(BaseEntry):
    '''
    Defines/retrieves expel.io user_account_role records (JSON API type ``user_account_roles``).

    The fields listed here are the valid filter-by parameters for this resource.

    Attributes (filterable, ``Attribute = Y``):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``active`` (boolean) -- If this role is active
    * ``assignable`` (boolean) -- Can user be assigned items (e.g. investigations, etc)
    * ``role`` (any) -- User account role for this organization.
      Restricted to: "expel_admin", "expel_analyst", "organization_admin",
      "organization_analyst", "system", "anonymous"
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (filterable, ``Relationship = Y``):

    * ``created_by`` (object)
    * ``organization`` (object)
    * ``user_account`` (object)
    * ``updated_by`` (object)
    '''
    # JSON API resource type name for this entry.
    _api_type = 'user_account_roles'

    # Attribute names that may be used as filter parameters (order preserved).
    # ``role`` carries the authorization level of the account within an
    # organization; the closed set of accepted values is listed in the docstring.
    _def_attributes = [
        "updated_at",
        "active",
        "assignable",
        "role",
        "created_at",
    ]

    # Relationship names that may be used as filter parameters (order preserved).
    _def_relationships = [
        "created_by",
        "organization",
        "user_account",
        "updated_by",
    ]
class CustomerDevices(BaseEntry):
    '''
    Organization devices (JSON API type ``customer_devices``).

    The fields listed here are the valid filter-by parameters for this resource.

    Attributes (filterable, ``Attribute = Y``):

    * ``location`` (string) -- Location of organization device. Allows: "", null
    * ``vpn_ip`` (string) -- Organization device VPN ip address. Allows: null
    * ``created_at`` (string) -- Created timestamp. Meta: readonly
    * ``lifecycle_status`` (any) -- Organization device life cycle status.
      Restricted to: "New", "Authorized", "Transitioning", "Transitioned",
      "Transition Failed", "Configuring", "Configuration Failed", "Active",
      "Inactive", "Deleted". Allows: null
    * ``status_updated_at`` (string) -- Organization device last status update timestamp. Meta: readonly
    * ``install_code`` (string) -- Organization device install code. Allows: null
    * ``deleted_at`` (string) -- Deleted At timestamp. Allows: null
    * ``name`` (string) -- Name of organization device. Allows: "", null
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``connection_status`` (any) -- Organization device connection status.
      Restricted to: "Never Connected", "Connection Lost", "Connected to Provisioning",
      "Connected to Service". Allows: null
    * ``connection_status_updated_at`` (string) -- Organization device connection status update timestamp. Meta: readonly
    * ``status`` (string) -- Organization device status. Allows: "", null. Meta: readonly, no-sort
    * ``lifecycle_status_updated_at`` (string) -- Organization device lifecycle status update timestamp. Meta: readonly

    Relationships (filterable, ``Relationship = Y``):

    * ``vendor_devices`` (object)
    * ``vendor_alerts`` (object)
    * ``updated_by`` (object)
    * ``created_by`` (object)
    * ``organization`` (object)
    * ``customer`` (object)
    '''
    # JSON API resource type name for this entry.
    _api_type = 'customer_devices'

    # Attribute names that may be used as filter parameters (order preserved).
    # NOTE(review): ``install_code`` and ``vpn_ip`` look like device enrollment /
    # network details rather than ordinary metadata; callers that dump or log whole
    # records should confirm with the API docs whether these need redaction.
    _def_attributes = [
        "location",
        "vpn_ip",
        "created_at",
        "lifecycle_status",
        "status_updated_at",
        "install_code",
        "deleted_at",
        "name",
        "updated_at",
        "connection_status",
        "connection_status_updated_at",
        "status",
        "lifecycle_status_updated_at",
    ]

    # Relationship names that may be used as filter parameters (order preserved).
    _def_relationships = [
        "vendor_devices",
        "vendor_alerts",
        "updated_by",
        "created_by",
        "organization",
        "customer",
    ]
class Investigations(BaseEntry):
    '''
    Investigations.

    Filterable attributes (column "Attribute" = Y in the API reference).
    Values tagged *readonly* are server-managed and cannot be set by the client;
    "any" means the API does not fix a JSON type beyond the listed restriction.

    - ``analyst_severity`` (any): Analyst Severity. Restricted to "CRITICAL",
      "HIGH", "MEDIUM", "LOW", "INFO". Allows null.
    - ``is_incident`` (boolean): Is Incident.
    - ``threat_type`` (any): Threat Type. Restricted to "TARGETED",
      "NON_TARGETED", "POLICY_VIOLATION", "UNKNOWN". Allows null.
    - ``title`` (string): Title. Allows "", null.
    - ``is_incident_status_updated_at`` (string): Incident Status timestamp.
      Allows null. readonly.
    - ``critical_comment`` (string): Critical Comment. Allows "", null.
    - ``short_link`` (string): Investigation short link. readonly.
    - ``lead_description`` (string): Lead Description. Allows null.
    - ``detection_type`` (any): Detection Type. Restricted to "UNKNOWN",
      "ENDPOINT", "SIEM", "NETWORK", "EXPEL", "HUNTING", "CLOUD". Allows null.
    - ``close_comment`` (string): Close Comment. Allows "", null.
    - ``attack_timing`` (any): Attack Timing. Restricted to "HISTORICAL",
      "PRESENT". Allows null.
    - ``attack_vector`` (any): Attack Vector. Restricted to "DRIVE_BY",
      "PHISHING", "PHISHING_LINK", "PHISHING_ATTACHMENT", "REV_MEDIA",
      "SPEAR_PHISHING", "SPEAR_PHISHING_LINK", "SPEAR_PHISHING_ATTACHMENT",
      "STRAG_WEB_COMP", "SERVER_SIDE_VULN", "CRED_THEFT", "MISCONFIG",
      "UNKNOWN". Allows null.
    - ``is_surge`` (boolean): Is surge.
    - ``created_at`` (string): Created timestamp. readonly.
    - ``threat_nature`` (any): Threat Nature. Restricted to "MASS_MALWARE",
      "APT". Allows null.
    - ``source_reason`` (any): Source Reason. Restricted to "HUNTING",
      "ORGANIZATION_REPORTED", "DISCOVERY". Allows null.
    - ``decision`` (any): Decision. Restricted to "FALSE_POSITIVE",
      "TRUE_POSITIVE", "CLOSED", "OTHER", "ATTACK_FAILED", "POLICY_VIOLATION",
      "ACTIVITY_BLOCKED", "TESTING", "PUP_PUA", "BENIGN",
      "IT_MISCONFIGURATION". Allows null.
    - ``status_updated_at`` (string): Status Updated At. Allows null. readonly.
    - ``deleted_at`` (string): Deleted At timestamp. Allows null.
    - ``review_requested_at`` (string): Review Requested At. Allows null.
    - ``attack_lifecycle`` (any): Attack Lifecycle. Restricted to
      "INITIAL_RECON", "DELIVERY", "EXPLOITATION", "INSTALLATION",
      "COMMAND_CONTROL", "LATERAL_MOVEMENT", "ACTION_TARGETS", "UNKNOWN".
      Allows null.
    - ``has_hunting_status`` (boolean): readonly, no-sort.
    - ``updated_at`` (string): Last Updated timestamp. readonly.
    - ``is_downgrade`` (boolean): Is downgrade.

    Filterable relationships (column "Relationship" = Y; all of type object,
    no description is published for them): ``timeline_entries``,
    ``status_last_updated_by``, ``related_investigations_via_involved_host_ips``,
    ``customer``, ``source_ip_addresses``, ``review_requested_by``,
    ``comment_histories``, ``lead_expel_alert``, ``expel_alert_histories``,
    ``organization_resilience_actions``, ``comments``, ``hunting_statuses``,
    ``expel_alerts``, ``destination_ip_addresses``,
    ``customer_resilience_actions``, ``investigative_action_histories``,
    ``investigative_actions``, ``updated_by``, ``investigation_histories``,
    ``investigation_resilience_actions``, ``organization``,
    ``context_label_actions``, ``remediation_actions``, ``files``,
    ``context_labels``, ``assigned_to_actor``, ``created_by``, ``evidence``,
    ``findings``, ``ip_addresses``, ``remediation_action_histories``.
    '''

    # JSON API resource type; consumed by BaseEntry (defined elsewhere).
    _api_type = 'investigations'

    # Attribute names, in the same order as the reference table above.
    # NOTE(review): keep this list and the docstring in lock-step — the
    # docstring is the only place the allowed values are recorded here.
    _def_attributes = [
        "analyst_severity",
        "is_incident",
        "threat_type",
        "title",
        "is_incident_status_updated_at",
        "critical_comment",
        "short_link",
        "lead_description",
        "detection_type",
        "close_comment",
        "attack_timing",
        "attack_vector",
        "is_surge",
        "created_at",
        "threat_nature",
        "source_reason",
        "decision",
        "status_updated_at",
        "deleted_at",
        "review_requested_at",
        "attack_lifecycle",
        "has_hunting_status",
        "updated_at",
        "is_downgrade",
    ]

    # Relationship names, in the same order as the reference table above.
    _def_relationships = [
        "timeline_entries",
        "status_last_updated_by",
        "related_investigations_via_involved_host_ips",
        "customer",
        "source_ip_addresses",
        "review_requested_by",
        "comment_histories",
        "lead_expel_alert",
        "expel_alert_histories",
        "organization_resilience_actions",
        "comments",
        "hunting_statuses",
        "expel_alerts",
        "destination_ip_addresses",
        "customer_resilience_actions",
        "investigative_action_histories",
        "investigative_actions",
        "updated_by",
        "investigation_histories",
        "investigation_resilience_actions",
        "organization",
        "context_label_actions",
        "remediation_actions",
        "files",
        "context_labels",
        "assigned_to_actor",
        "created_by",
        "evidence",
        "findings",
        "ip_addresses",
        "remediation_action_histories",
    ]
class OrganizationEmMeta(BaseEntry):
    '''
    Defines/retrieves expel.io organization_em_meta records.

    Filterable attributes (column "Attribute" = Y in the API reference).
    Values tagged *readonly* are server-managed and cannot be set by the client.

    - ``updated_at`` (string): Last Updated timestamp. readonly.
    - ``renewal_status`` (any): Renewal Status. Restricted to "WONT_RENEW",
      "AT_RISK", "WILL_RENEW", "WILL_REFER". Allows null.
    - ``created_at`` (string): Created timestamp. readonly.

    Filterable relationships (column "Relationship" = Y; all of type object,
    no description is published for them): ``created_by``, ``organization``,
    ``updated_by``.
    '''

    # JSON API resource type; consumed by BaseEntry (defined elsewhere).
    _api_type = 'organization_em_meta'

    # Attribute names, in the same order as the reference table above.
    _def_attributes = [
        "updated_at",
        "renewal_status",
        "created_at",
    ]

    # Relationship names, in the same order as the reference table above.
    _def_relationships = [
        "created_by",
        "organization",
        "updated_by",
    ]
class NistCategories(BaseEntry):
    '''
    Defines/retrieves expel.io nist_category records.

    Filterable attributes (column "Attribute" = Y in the API reference).
    Values tagged *readonly* are server-managed and cannot be set by the client.

    - ``identifier`` (string): Nist category abbreviated identifier.
    - ``updated_at`` (string): Last Updated timestamp. readonly.
    - ``name`` (string): Nist category name.
    - ``function_type`` (any): Actor type. Restricted to "IDENTIFY",
      "PROTECT", "DETECT", "RECOVER", "RESPOND".
    - ``created_at`` (string): Created timestamp. readonly.

    Filterable relationships (column "Relationship" = Y; all of type object,
    no description is published for them): ``created_by``,
    ``nist_subcategories``, ``updated_by``.
    '''

    # JSON API resource type; consumed by BaseEntry (defined elsewhere).
    _api_type = 'nist_categories'

    # Attribute names, in the same order as the reference table above.
    _def_attributes = [
        "identifier",
        "updated_at",
        "name",
        "function_type",
        "created_at",
    ]

    # Relationship names, in the same order as the reference table above.
    _def_relationships = [
        "created_by",
        "nist_subcategories",
        "updated_by",
    ]
class Assemblers(BaseEntry):
    '''
    Expel assembler appliance records (JSON API resource type ``assemblers``).

    Valid filter-by parameters, as published by the API:

    Attributes:

    * ``location`` (string) -- Location of assembler. Allows "", null.
    * ``vpn_ip`` (string) -- Assembler VPN ip address. Allows null.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.
    * ``lifecycle_status`` (any) -- Assembler life cycle status. Restricted to:
      "New", "Authorized", "Transitioning", "Transitioned", "Transition Failed",
      "Configuring", "Configuration Failed", "Active", "Inactive", "Deleted".
      Allows null.
    * ``status_updated_at`` (string) -- Assembler last status update timestamp.
      Meta: readonly.
    * ``install_code`` (string) -- Assembler install code. Allows null.
    * ``deleted_at`` (string) -- Deleted At timestamp. Allows null.
    * ``name`` (string) -- Name of assembler. Allows "", null.
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``connection_status`` (any) -- Assembler connection status. Restricted to:
      "Never Connected", "Connection Lost", "Connected to Provisioning",
      "Connected to Service". Allows null.
    * ``connection_status_updated_at`` (string) -- Assembler connection status
      update timestamp. Meta: readonly.
    * ``status`` (string) -- Assembler status. Allows "", null.
      Meta: readonly, no-sort.
    * ``lifecycle_status_updated_at`` (string) -- Assembler lifecycle status
      update timestamp. Meta: readonly.

    Relationships (object-valued; the API publishes no description for them):
    ``vendor_devices``, ``vendor_alerts``, ``updated_by``, ``created_by``,
    ``organization``, ``customer``, ``security_devices``.
    '''
    # JSON API resource type; used when the base class builds request URLs.
    _api_type = 'assemblers'
    # Attribute names accepted as filters (order kept as published).
    # NOTE(review): install_code reads like an enrollment credential -- avoid
    # echoing it into logs or tickets; confirm its sensitivity with the API owner.
    _def_attributes = [
        "location",
        "vpn_ip",
        "created_at",
        "lifecycle_status",
        "status_updated_at",
        "install_code",
        "deleted_at",
        "name",
        "updated_at",
        "connection_status",
        "connection_status_updated_at",
        "status",
        "lifecycle_status_updated_at",
    ]
    # Relationship names accepted as filters / includes (order kept as published).
    _def_relationships = [
        "vendor_devices",
        "vendor_alerts",
        "updated_by",
        "created_by",
        "organization",
        "customer",
        "security_devices",
    ]
class AssetGroups(BaseEntry):
    '''
    Organization asset groups (JSON API resource type ``asset_groups``).

    Valid filter-by parameters, as published by the API:

    Attributes:

    * ``group_type`` (any) -- Restricted to: "DOMAIN_CONTROLLER",
      "EXCHANGE_SERVER", "MAIL_SERVER", "FILE_SERVER", "DNS_SERVER",
      "DHCP_SERVER", "DB_SERVER", "POINT_OF_SALE", "DMZ", "VPN",
      "SERVICE_ACCOUNT", "ADMINISTRATOR_ACCOUNT", "ENGINEERS",
      "HUMAN_RESOURCES", "SECURITY_STAFF", "SCANNER", "PEN_TEST",
      "OTHER_HIGH_VALUE".
    * ``start_at`` (string) -- Allows null.
    * ``group_name`` (string) -- No description published.
    * ``end_at`` (string) -- Allows null.

    Relationships (object-valued; the API publishes no description for them):
    ``organization``, ``customer``, ``assets``.
    '''
    # JSON API resource type; used when the base class builds request URLs.
    _api_type = 'asset_groups'
    # Attribute names accepted as filters (order kept as published).
    _def_attributes = [
        "group_type",
        "start_at",
        "group_name",
        "end_at",
    ]
    # Relationship names accepted as filters / includes (order kept as published).
    _def_relationships = [
        "organization",
        "customer",
        "assets",
    ]
class ApiKeys(BaseEntry):
    '''
    Defines/retrieves expel.io api_key records (JSON API resource type
    ``api_keys``). These can only be created by a user and require an OTP token.

    Valid filter-by parameters, as published by the API:

    Attributes:

    * ``role`` (any) -- Role. Restricted to: "expel_admin", "expel_analyst",
      "organization_admin", "organization_analyst", "system", "anonymous".
    * ``name`` (string) -- No description published.
    * ``assignable`` (boolean) -- Can Api key be assigned items
      (e.g. investigations, etc).
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``realm`` (any) -- Realm in which the api key can be used.
      Restricted to: "public", "internal".
    * ``active`` (boolean) -- Active. Allows null.
    * ``access_token`` (string) -- Only upon initial api key creation (POST),
      contains the bearer api key token required for api access.
      Meta: readonly, no-sort.
    * ``display_name`` (string) -- Display name. Allows null.

    Relationships (object-valued; the API publishes no description for them):
    ``created_by``, ``organization``, ``customer``, ``updated_by``.
    '''
    # JSON API resource type; used when the base class builds request URLs.
    _api_type = 'api_keys'
    # Attribute names accepted as filters (order kept as published).
    # access_token is a bearer secret that the API returns only once, on the
    # creating POST: callers that print or persist whole records should redact it.
    _def_attributes = [
        "role",
        "name",
        "assignable",
        "created_at",
        "updated_at",
        "realm",
        "active",
        "access_token",
        "display_name",
    ]
    # Relationship names accepted as filters / includes (order kept as published).
    _def_relationships = [
        "created_by",
        "organization",
        "customer",
        "updated_by",
    ]
class UserAccounts(BaseEntry):
    '''
    User accounts (JSON API resource type ``user_accounts``).

    Valid filter-by parameters, as published by the API:

    Attributes:

    * ``language`` (string) -- Language. Allows "", null.
    * ``locale`` (string) -- Locale. Allows "", null.
    * ``engagement_manager`` (boolean) -- Is an engagement manager.
    * ``assignable`` (boolean) -- Can user be assigned items
      (e.g. investigations, etc).
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.
    * ``password_reset_token`` (string) -- Password reset token. Allows null.
      Meta: readonly, private.
    * ``invite_token_expires_at`` (string) -- Invite token expiry. Allows null.
      Meta: readonly, private.
    * ``email`` (string) -- Email.
    * ``last_name`` (string) -- Last Name.
    * ``phone_number`` (string) -- Phone number. Allows null.
    * ``active_status`` (any) -- Restricted to: "ACTIVE", "LOCKED",
      "LOCKED_INVITED", "LOCKED_EXPIRED", "ACTIVE_INVITED", "ACTIVE_EXPIRED".
      Meta: readonly, no-sort.
    * ``timezone`` (string) -- Timezone. Allows "", null.
    * ``password_reset_token_expires_at`` (string) -- Password reset token
      expiry. Allows null. Meta: readonly, private.
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``active`` (boolean) -- Active. Allows null.
    * ``invite_token`` (string) -- Invite token. Allows null.
      Meta: readonly, private.
    * ``first_name`` (string) -- First Name.
    * ``display_name`` (string) -- Display name. Allows "", null.
    * ``homepage_preferences`` (object) -- Homepage preferences. Allows null.
      Meta: no-sort.

    Relationships (object-valued; the API publishes no description for them):
    ``updated_by``, ``actor``, ``assigned_organization_resilience_actions``,
    ``assigned_investigations``, ``user_account_roles``,
    ``assigned_remediation_actions``,
    ``assigned_organization_resilience_actions_list``,
    ``assigned_customer_resilience_actions_list``,
    ``assigned_customer_resilience_actions``, ``user_account_status``,
    ``organizations``, ``notification_preferences``,
    ``analysis_assigned_investigative_actions``, ``created_by``,
    ``assigned_expel_alerts``, ``assigned_investigative_actions``,
    ``ui_discoveries``, ``customer``, ``primary_organization``.
    '''
    # JSON API resource type; used when the base class builds request URLs.
    _api_type = 'user_accounts'
    # Attribute names accepted as filters (order kept as published).
    # The API marks password_reset_token, invite_token and their *_expires_at
    # fields as private: account-takeover material if leaked, so keep them out
    # of logs, exports and ticket attachments even when the API returns them.
    _def_attributes = [
        "language",
        "locale",
        "engagement_manager",
        "assignable",
        "created_at",
        "password_reset_token",
        "invite_token_expires_at",
        "email",
        "last_name",
        "phone_number",
        "active_status",
        "timezone",
        "password_reset_token_expires_at",
        "updated_at",
        "active",
        "invite_token",
        "first_name",
        "display_name",
        "homepage_preferences",
    ]
    # Relationship names accepted as filters / includes (order kept as published).
    _def_relationships = [
        "updated_by",
        "actor",
        "assigned_organization_resilience_actions",
        "assigned_investigations",
        "user_account_roles",
        "assigned_remediation_actions",
        "assigned_organization_resilience_actions_list",
        "assigned_customer_resilience_actions_list",
        "assigned_customer_resilience_actions",
        "user_account_status",
        "organizations",
        "notification_preferences",
        "analysis_assigned_investigative_actions",
        "created_by",
        "assigned_expel_alerts",
        "assigned_investigative_actions",
        "ui_discoveries",
        "customer",
        "primary_organization",
    ]
class Customers(BaseEntry):
    '''
    Defines/retrieves expel.io customer records.

    ``_api_type`` is the JSON API resource type; ``_def_attributes`` and
    ``_def_relationships`` enumerate the valid filter-by parameters as the API
    publishes them (attributes carry ``Attribute = Y``, relationships carry
    ``Relationship = Y``).

    Attributes:

    * ``industry`` (string) -- The customer's primary industry. Allows: "", null
    * ``city`` (string) -- City. Allows: "", null
    * ``nodes_count`` (number) -- Number of nodes covered for this customer. Allows: null
    * ``region`` (string) -- State/Province/Region. Allows: "", null
    * ``users_count`` (number) -- Number of users covered for this customer. Allows: null
    * ``vault_token`` (string) -- Vault Token. Allows: null. Meta: private
    * ``address_2`` (string) -- Address 2. Allows: "", null
    * ``o365_tos_id`` (string) -- o365 Terms of Service identifier (e.g. hubspot id, etc.). Allows: null
    * ``hq_utc_offset`` (string) -- Allows: "", null
    * ``address_1`` (string) -- Address 1. Allows: "", null
    * ``short_name`` (string) -- Customer short name. Allows: null
    * ``service_renewal_at`` (string) -- Customer service renewal date. Allows: null
    * ``postal_code`` (string) -- Postal Code. Allows: null
    * ``is_surge`` (boolean) -- Is surge
    * ``prospect`` (boolean) -- Is Prospective/Demo Customer. Meta: private
    * ``country_code`` (string) -- Country Code. Allows: null
    * ``created_at`` (string) -- Created timestamp. Meta: readonly
    * ``service_start_at`` (string) -- Customer service start date. Allows: null
    * ``o365_tenant_id`` (string) -- o365 Microsoft tenant id. Allows: null. Meta: private
    * ``deleted_at`` (string) -- Deleted At timestamp. Allows: null
    * ``name`` (string) -- The customer's operating name
    * ``hq_city`` (string) -- The city where the organization's headquarters is located. Allows: "", null
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``vault_token_expires`` (string) -- Allows: null. Meta: private

    Relationships (all of type ``object``; the API publishes no description
    for them): configurations, vendor_alerts, updated_by, expel_users,
    user_accounts, assigned_organization_resilience_actions_list,
    security_devices, assigned_customer_resilience_actions_list, features,
    files, expel_alert_histories, assignables, notification_preferences,
    assigned_expel_alerts, assigned_organization_resilience_actions,
    customer_resilience_action_groups, customer_resilience_actions,
    vendor_devices, api_keys, assigned_investigative_actions,
    assigned_investigations, investigation_histories, investigations,
    assigned_remediation_actions, expel_alerts, engagement_manager, products,
    assigned_customer_resilience_actions, customer_em_meta, assemblers,
    customer_devices, created_by, analysis_assigned_investigative_actions,
    actor, integrations.

    Note: the API marks ``vault_token``, ``vault_token_expires``,
    ``o365_tenant_id`` and ``prospect`` as ``Meta: private``; treat
    ``vault_token`` as a secret and keep it out of logs, tickets and exported
    records. ``created_at`` and ``updated_at`` are ``Meta: readonly`` and are
    set server-side.
    '''
    _api_type = 'customers'
    # Filterable attribute names, in the order the API publishes them.
    _def_attributes = [
        "industry",
        "city",
        "nodes_count",
        "region",
        "users_count",
        "vault_token",
        "address_2",
        "o365_tos_id",
        "hq_utc_offset",
        "address_1",
        "short_name",
        "service_renewal_at",
        "postal_code",
        "is_surge",
        "prospect",
        "country_code",
        "created_at",
        "service_start_at",
        "o365_tenant_id",
        "deleted_at",
        "name",
        "hq_city",
        "updated_at",
        "vault_token_expires",
    ]
    # Filterable relationship names, in the order the API publishes them.
    _def_relationships = [
        "configurations",
        "vendor_alerts",
        "updated_by",
        "expel_users",
        "user_accounts",
        "assigned_organization_resilience_actions_list",
        "security_devices",
        "assigned_customer_resilience_actions_list",
        "features",
        "files",
        "expel_alert_histories",
        "assignables",
        "notification_preferences",
        "assigned_expel_alerts",
        "assigned_organization_resilience_actions",
        "customer_resilience_action_groups",
        "customer_resilience_actions",
        "vendor_devices",
        "api_keys",
        "assigned_investigative_actions",
        "assigned_investigations",
        "investigation_histories",
        "investigations",
        "assigned_remediation_actions",
        "expel_alerts",
        "engagement_manager",
        "products",
        "assigned_customer_resilience_actions",
        "customer_em_meta",
        "assemblers",
        "customer_devices",
        "created_by",
        "analysis_assigned_investigative_actions",
        "actor",
        "integrations",
    ]
class ExpelAlertThresholdHistories(BaseEntry):
    '''
    Defines/retrieves expel.io expel_alert_threshold_history records.

    ``_def_attributes`` and ``_def_relationships`` enumerate the valid
    filter-by parameters for the ``expel_alert_threshold_histories`` resource
    type, as the API publishes them.

    Attributes:

    * ``action`` (any) -- Expel alert threshold history action. Restricted to:
      "CREATED", "BREACHED", "ACKNOWLEDGED", "RECOVERED", "DELETED"
    * ``value`` (object) -- Expel alert threshold history details. Allows: null. Meta: no-sort
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (type ``object``, no description published): created_by,
    expel_alert_threshold.

    Note: ``created_at`` is ``Meta: readonly`` (server-set) and ``value`` is
    ``Meta: no-sort``, so neither is a usable sort key.
    '''
    _api_type = 'expel_alert_threshold_histories'
    # Filterable attribute names, in the order the API publishes them.
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]
    # Filterable relationship names, in the order the API publishes them.
    _def_relationships = [
        "created_by",
        "expel_alert_threshold",
    ]
class CustomerList(BaseEntry):
    '''
    Retrieves expel.io organization records for the organization view.

    ``_def_attributes`` and ``_def_relationships`` enumerate the valid
    filter-by parameters for the ``customer_list`` resource type, as the API
    publishes them.

    Attributes:

    * ``service_renewal_at`` (string) -- Organization service renewal date. Allows: null
    * ``industry`` (string) -- The organization's primary industry. Allows: "", null
    * ``engagement_manager_name`` (string) -- Engagement manager name. Allows: "", null
    * ``nodes_count`` (number) -- Number of nodes covered for this organization. Allows: null
    * ``investigative_actions_assigned_to_customer`` (number) -- Number of
      investigative actions assigned to the organization, or any of that
      organization's analysts. Allows: null
    * ``name`` (string) -- The organization's operating name. Allows: "", null
    * ``vendor_device_health`` (string) -- Overall security device health. Allows: "", null
    * ``open_investigation_count`` (number) -- Number of open investigations. Allows: null
    * ``resilience_actions_ratio`` (number) -- Percent of resilience actions completed. Allows: null
    * ``short_name`` (string) -- Organization short name. Allows: null
    * ``tech_stack`` (string) -- Comma delimited list of organization's vendors. Allows: "", null
    * ``service_start_at`` (string) -- Organization service start date. Allows: null
    * ``resilience_actions_completed`` (number) -- Number of resilience actions
      completed by the organization. Allows: null
    * ``open_incident_count`` (number) -- Number of open incidents. Allows: null
    * ``remediation_actions_assigned_to_customer`` (number) -- Number of
      remediation actions assigned to the organization, or any of that
      organization's analysts. Allows: null
    * ``users_count`` (number) -- Number of users covered for this organization. Allows: null
    * ``investigative_actions_assigned_to_expel`` (number) -- Number of
      investigative actions assigned to Expel, or any Expel analyst. Allows: null
    * ``resilience_actions_assigned`` (number) -- Number of resilience actions
      assigned to the organization. Allows: null

    Relationships (type ``object``, no description published): customer,
    expel_user, products.
    '''
    _api_type = 'customer_list'
    # Filterable attribute names, in the order the API publishes them.
    _def_attributes = [
        "service_renewal_at",
        "industry",
        "engagement_manager_name",
        "nodes_count",
        "investigative_actions_assigned_to_customer",
        "name",
        "vendor_device_health",
        "open_investigation_count",
        "resilience_actions_ratio",
        "short_name",
        "tech_stack",
        "service_start_at",
        "resilience_actions_completed",
        "open_incident_count",
        "remediation_actions_assigned_to_customer",
        "users_count",
        "investigative_actions_assigned_to_expel",
        "resilience_actions_assigned",
    ]
    # Filterable relationship names, in the order the API publishes them.
    _def_relationships = [
        "customer",
        "expel_user",
        "products",
    ]
class RemediationActionTypes(BaseEntry):
    '''
    Defines/retrieves expel.io remediation_action_type records.

    ``_def_attributes`` and ``_def_relationships`` enumerate the valid
    filter-by parameters for the ``remediation_action_types`` resource type,
    as the API publishes them.

    Attributes:

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``name`` (string) -- Name
    * ``template`` (object) -- Remediation Action Template. Meta: no-sort
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (type ``object``, no description published): created_by,
    updated_by, remediation_actions.

    Note: ``created_at``/``updated_at`` are ``Meta: readonly`` (server-set);
    ``template`` is ``Meta: no-sort`` and cannot be used as a sort key.
    '''
    _api_type = 'remediation_action_types'
    # Filterable attribute names, in the order the API publishes them.
    _def_attributes = [
        "updated_at",
        "name",
        "template",
        "created_at",
    ]
    # Filterable relationship names, in the order the API publishes them.
    _def_relationships = [
        "created_by",
        "updated_by",
        "remediation_actions",
    ]
class ContextLabelTags(BaseEntry):
    '''
    Defines/retrieves expel.io context_label_tag records.

    ``_def_attributes`` and ``_def_relationships`` enumerate the valid
    filter-by parameters for the ``context_label_tags`` resource type, as the
    API publishes them.

    Attributes:

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly
    * ``metadata`` (object) -- Metadata about the context label tag. Allows: null. Meta: no-sort
    * ``description`` (string) -- Description. Allows: null, ""
    * ``tag`` (string) -- Tag
    * ``created_at`` (string) -- Created timestamp. Meta: readonly

    Relationships (type ``object``, no description published): created_by,
    updated_by, organization, context_labels.

    Note: ``created_at``/``updated_at`` are ``Meta: readonly`` (server-set);
    ``metadata`` is ``Meta: no-sort`` and cannot be used as a sort key.
    '''
    _api_type = 'context_label_tags'
    # Filterable attribute names, in the order the API publishes them.
    _def_attributes = [
        "updated_at",
        "metadata",
        "description",
        "tag",
        "created_at",
    ]
    # Filterable relationship names, in the order the API publishes them.
    _def_relationships = [
        "created_by",
        "updated_by",
        "organization",
        "context_labels",
    ]
class CommentHistories(BaseEntry):
    '''
    Defines/retrieves expel.io comment_history records.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``action`` (any) -- Comment history action. Restricted to
      "CREATED", "UPDATED", "DELETED"; allows null.
    * ``value`` (object) -- Comment history details. Allows null;
      meta: no-sort.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``created_by``, ``investigation``,
    ``comment``.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'comment_histories'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "created_by",
        "investigation",
        "comment",
    ]
class Files(BaseEntry):
    '''
    File records.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``expel_file_type`` (string) -- Expel file type. Allows null, "".
    * ``file_meta`` (object) -- Metadata about the file. Allows null;
      meta: no-sort.
    * ``filename`` (string) -- Filename.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``investigations``,
    ``investigative_actions``, ``updated_by``, ``created_by``,
    ``organization``, ``customer``.

    NOTE(review): ``filename`` is supplied by the API response, so a
    caller that writes the file to local disk should not use it
    directly as a path component without sanitizing it.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'files'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "updated_at",
        "expel_file_type",
        "file_meta",
        "filename",
        "created_at",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "investigations",
        "investigative_actions",
        "updated_by",
        "created_by",
        "organization",
        "customer",
    ]
class OrganizationResilienceActions(BaseEntry):
    '''
    Organization to resilience actions.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``visible`` (boolean) -- Visible.
    * ``impact`` (any) -- Impact. Restricted to "LOW", "MEDIUM", "HIGH".
    * ``title`` (string) -- Title.
    * ``comment`` (string) -- Comment. Allows "", null.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``category`` (any) -- Category. Restricted to "DISRUPT_ATTACKERS",
      "ENABLE_DEFENDERS"; allows null.
    * ``status`` (any) -- Status. Restricted to "TOP_PRIORITY",
      "IN_PROGRESS", "WONT_DO", "COMPLETED".
    * ``details`` (string) -- Details.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``source_resilience_action``,
    ``investigation_resilience_actions``, ``updated_by``,
    ``investigations``, ``created_by``, ``organization``,
    ``organization_resilience_action_group``, ``assigned_to_actor``.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'organization_resilience_actions'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "visible",
        "impact",
        "title",
        "comment",
        "created_at",
        "updated_at",
        "category",
        "status",
        "details",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "source_resilience_action",
        "investigation_resilience_actions",
        "updated_by",
        "investigations",
        "created_by",
        "organization",
        "organization_resilience_action_group",
        "assigned_to_actor",
    ]
class Comments(BaseEntry):
    '''
    Defines/retrieves expel.io comment records.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``comment`` (string) -- Comment.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``created_by``, ``investigation``,
    ``comment_histories``, ``updated_by``, ``organization``.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'comments'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "updated_at",
        "comment",
        "created_at",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "created_by",
        "investigation",
        "comment_histories",
        "updated_by",
        "organization",
    ]
class AssemblerImages(BaseEntry):
    '''
    Assembler Images.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``size`` (number) -- Assembler image size. Allows null.
    * ``hash_md5`` (string) -- Assembler image md5 hash. Allows null.
    * ``hash_sha256`` (string) -- Assembler image sha256 hash. Allows null.
    * ``hash_sha1`` (string) -- Assembler image sha1 hash. Allows null.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.
    * ``release_date`` (string) -- Assembler image release date.
      Allows null.
    * ``version`` (string) -- Assembler image version. Allows "", null.
    * ``platform`` (any) -- Platform. Restricted to "VMWARE", "HYPERV",
      "AZURE", "AMAZON".

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``created_by``, ``updated_by``.

    NOTE(review): when checking a downloaded image against these
    values, compare ``hash_sha256``; MD5 and SHA-1 are not
    collision-resistant and should be treated as informational only.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'assembler_images'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "updated_at",
        "size",
        "hash_md5",
        "hash_sha256",
        "hash_sha1",
        "created_at",
        "release_date",
        "version",
        "platform",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "created_by",
        "updated_by",
    ]
class CustomerResilienceActionGroups(BaseEntry):
    '''
    Defines/retrieves expel.io customer_resilience_action_group records.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``title`` (string) -- Group title.
    * ``category`` (any) -- Organization Resilience Group Category.
      Restricted to "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS".
    * ``visible`` (boolean) -- Visible.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``created_by``, ``customer``,
    ``updated_by``, ``source_resilience_action_group``,
    ``customer_resilience_actions``.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'customer_resilience_action_groups'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "updated_at",
        "title",
        "category",
        "visible",
        "created_at",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "created_by",
        "customer",
        "updated_by",
        "source_resilience_action_group",
        "customer_resilience_actions",
    ]
class CustomerResilienceActions(BaseEntry):
    '''
    Organization to resilience actions (customer-scoped variant).

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``visible`` (boolean) -- Visible.
    * ``impact`` (any) -- Impact. Restricted to "LOW", "MEDIUM", "HIGH".
    * ``title`` (string) -- Title.
    * ``comment`` (string) -- Comment. Allows "", null.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.
    * ``updated_at`` (string) -- Last Updated timestamp. Meta: readonly.
    * ``category`` (any) -- Category. Restricted to "DISRUPT_ATTACKERS",
      "ENABLE_DEFENDERS"; allows null.
    * ``status`` (any) -- Status. Restricted to "TOP_PRIORITY",
      "IN_PROGRESS", "WONT_DO", "COMPLETED".
    * ``details`` (string) -- Details.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``source_resilience_action``,
    ``investigation_resilience_actions``,
    ``customer_resilience_action_group``, ``updated_by``,
    ``investigations``, ``created_by``, ``customer``,
    ``assigned_to_actor``.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'customer_resilience_actions'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "visible",
        "impact",
        "title",
        "comment",
        "created_at",
        "updated_at",
        "category",
        "status",
        "details",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "source_resilience_action",
        "investigation_resilience_actions",
        "customer_resilience_action_group",
        "updated_by",
        "investigations",
        "created_by",
        "customer",
        "assigned_to_actor",
    ]
class InvestigativeActionHistories(BaseEntry):
    '''
    Investigative action histories.

    Filterable attributes (``Attribute`` = Y in the API schema):

    * ``action`` (any) -- Investigative action history action.
      Restricted to "CREATED", "ASSIGNED", "CLOSED"; allows null.
    * ``value`` (object) -- Investigative action history details.
      Allows null; meta: no-sort.
    * ``created_at`` (string) -- Created timestamp. Meta: readonly.

    Filterable relationships (``Relationship`` = Y; the schema gives
    no description for them): ``created_by``, ``investigation``,
    ``expel_alert``, ``assigned_to_actor``, ``investigative_action``.
    '''

    # JSON API resource type name for this entry.
    _api_type = 'investigative_action_histories'
    # Attribute names exposed on the resource, in the order listed above.
    _def_attributes = [
        "action",
        "value",
        "created_at",
    ]
    # Relationship names exposed on the resource, in the order listed above.
    _def_relationships = [
        "created_by",
        "investigation",
        "expel_alert",
        "assigned_to_actor",
        "investigative_action",
    ]
class ExpelAlertGridV2(BaseEntry):
    """Elastic search backed Alert Grid.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources. The grid exposes the host, process, hash, IP, URL and
    user fields that an analyst typically pivots on while triaging an alert.

    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===========================================================================+==============================+==================+===============+==================+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | alert_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Allows: null | vendor_alert_count | number | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | vendor_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | urls | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | process_arguments | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | source_ip_addresses | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | vendor_sig_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | expel_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | alert_type | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | destination_ip_addresses | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | process_path | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | assignee_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | expel_guid | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | parent_md5 | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | process_md5 | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Allows: null | tuning_requested | boolean | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | vendor_device_guid | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | usernames | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | parent_path | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | activity_last_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | activity_first_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | close_comment | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | expel_severity | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | parent_arguments | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | updated_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | organization_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | hostnames | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | status | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | expel_alert | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | vendor | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | assigned_to_org | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | vendor_alerts | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | assigned_to_actor | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | security_devices | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'expel_alert_grid_v2'

    # Filterable attributes, in the order the API documents them. Most are
    # "alternatives" (a string or an array of strings), so a filter value may
    # be a single indicator or a list of them.
    _def_attributes = [
        "alert_at",
        "vendor_alert_count",
        "vendor_name",
        "urls",
        "process_arguments",
        "source_ip_addresses",
        "vendor_sig_name",
        "expel_name",
        "alert_type",
        "destination_ip_addresses",
        "process_path",
        "assignee_name",
        "expel_guid",
        "parent_md5",
        "process_md5",
        "tuning_requested",
        "vendor_device_guid",
        "usernames",
        "parent_path",
        "activity_last_at",
        "activity_first_at",
        "close_comment",
        "expel_severity",
        "parent_arguments",
        "updated_at",
        "organization_name",
        "hostnames",
        "status",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "expel_alert",
        "vendor",
        "investigation",
        "assigned_to_org",
        "vendor_alerts",
        "organization",
        "assigned_to_actor",
        "security_devices",
    ]
class NistSubcategoryScores(BaseEntry):
    """Latest NIST subcategory scores.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources. The ``Meta`` column records fields the API marks
    read-only or not sortable.

    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +==========================================================================+======================================+================+===============+==================+
    | Allows: "", null<br/>Meta: readonly, no-sort | subcategory_name | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Organization target score for this nist subcategory<br/>Allows: null | target_score | number | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Organization nist subcategory is a priority | is_priority | boolean | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Organization actual score for this nist subcategory<br/>Allows: null | actual_score | number | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Organization comment for this nist subcategory<br/>Allows: "", null | comment | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Allows: "", null<br/>Meta: readonly, no-sort | category_identifier | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Allows: "", null<br/>Meta: readonly, no-sort | function_type | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Allows: "", null<br/>Meta: readonly, no-sort | category_name | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Allows: "", null<br/>Meta: readonly, no-sort | subcategory_identifier | string | Y | N |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description | nist_subcategory_score_histories | object | N | Y |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description | nist_subcategory | object | N | Y |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +--------------------------------------------------------------------------+--------------------------------------+----------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'nist_subcategory_scores'

    # Filterable attributes, in the order the API documents them.
    _def_attributes = [
        "subcategory_name",
        "target_score",
        "is_priority",
        "actual_score",
        "comment",
        "created_at",
        "updated_at",
        "category_identifier",
        "function_type",
        "category_name",
        "subcategory_identifier",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "created_by",
        "nist_subcategory_score_histories",
        "nist_subcategory",
        "updated_by",
        "organization",
    ]
class OrganizationResilienceActionGroups(BaseEntry):
    """Defines/retrieves expel.io organization_resilience_action_group records.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources. ``category`` is restricted to the two values the API
    lists in the table.

    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=======================================================================================================+==================================================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Group title | title | string | Y | N |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Organization Resilience Group Category<br/>Restricted to: "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS" | category | any | Y | N |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Visible | visible | boolean | Y | N |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | organization_resilience_action_group_actions | object | N | Y |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    | Missing Description | source_resilience_action_group | object | N | Y |
    +-------------------------------------------------------------------------------------------------------+--------------------------------------------------+----------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'organization_resilience_action_groups'

    # Filterable attributes, in the order the API documents them.
    _def_attributes = [
        "updated_at",
        "title",
        "category",
        "visible",
        "created_at",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "created_by",
        "organization_resilience_action_group_actions",
        "organization",
        "updated_by",
        "source_resilience_action_group",
    ]
class InvestigationHistories(BaseEntry):
    """Investigation histories.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources. ``action`` is restricted to the lifecycle values the
    API lists in the table; ``value`` holds the per-action details and is
    not sortable.

    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +========================================================================================================================================+=======================+================+===============+==================+
    | Investigation history action<br/>Restricted to: "CREATED", "ASSIGNED", "CHANGED", "CLOSED", "SUMMARY", "REOPENED"<br/>Allows: null | action | any | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Investigation history details<br/>Allows: null<br/>Meta: no-sort | value | object | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Is Incidence | is_incident | boolean | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | customer | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    | Missing Description | assigned_to_actor | object | N | Y |
    +----------------------------------------------------------------------------------------------------------------------------------------+-----------------------+----------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'investigation_histories'

    # Filterable attributes, in the order the API documents them.
    _def_attributes = [
        "action",
        "value",
        "is_incident",
        "created_at",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "created_by",
        "investigation",
        "organization",
        "customer",
        "assigned_to_actor",
    ]
class ResilienceActions(BaseEntry):
    """Resilience actions.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources. ``impact`` and ``category`` are restricted to the
    values the API lists in the table.

    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +==========================================================================================+=============================+================+===============+==================+
    | Title | title | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Impact<br/>Restricted to: "LOW", "MEDIUM", "HIGH" | impact | any | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Category<br/>Restricted to: "DISRUPT_ATTACKERS", "ENABLE_DEFENDERS"<br/>Allows: null | category | any | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Details | details | string | Y | N |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Missing Description | resilience_action_group | object | N | Y |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +------------------------------------------------------------------------------------------+-----------------------------+----------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'resilience_actions'

    # Filterable attributes, in the order the API documents them.
    _def_attributes = [
        "title",
        "created_at",
        "updated_at",
        "impact",
        "category",
        "details",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "created_by",
        "resilience_action_group",
        "updated_by",
    ]
class Features(BaseEntry):
    """Product features.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources.

    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+===================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | name | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | organizations | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | customers | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    | Missing Description | products | object | N | Y |
    +-----------------------------------------------+-------------------+----------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'features'

    # Filterable attributes, in the order the API documents them.
    _def_attributes = [
        "updated_at",
        "name",
        "created_at",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "created_by",
        "updated_by",
        "organizations",
        "customers",
        "products",
    ]
class InvestigationResilienceActions(BaseEntry):
    """Investigation to resilience actions.

    Valid filter-by parameters are listed below. Rows with ``Attribute`` = Y
    are scalar fields of the resource; rows with ``Relationship`` = Y are
    linked resources. This is a link record: its only attributes are the
    read-only timestamps, the substance lives in the relationships.

    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+====================================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | customer_resilience_action | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    | Missing Description | organization_resilience_action | object | N | Y |
    +-----------------------------------------------+------------------------------------+----------------+---------------+------------------+
    """

    # JSON API resource type; the client reads it as ``cls._api_type`` when
    # building request URLs.
    _api_type = 'investigation_resilience_actions'

    # Filterable attributes, in the order the API documents them.
    _def_attributes = [
        "updated_at",
        "created_at",
    ]

    # Linked resources that can be included or filtered through.
    _def_relationships = [
        "created_by",
        "investigation",
        "customer_resilience_action",
        "updated_by",
        "organization_resilience_action",
    ]
class OrganizationList(BaseEntry):
    '''
    Retrieves expel.io organization records for the organization view.

    JSON API resource type: ``organization_list``.

    Valid filter-by attributes (name -- type -- description / constraints):

    * service_renewal_at -- string -- Organization service renewal date. Allows: null
    * industry -- string -- The organization's primary industry. Allows: "", null
    * engagement_manager_name -- string -- Engagement manager name. Allows: "", null
    * users_count -- number -- Number of users covered for this organization. Allows: null
    * nodes_count -- number -- Number of nodes covered for this organization. Allows: null
    * security_device_health -- string -- Overall security device health. Allows: "", null
    * service_start_at -- string -- Organization service start date. Allows: null
    * name -- string -- The organization's operating name. Allows: "", null
    * investigative_actions_assigned_to_expel -- number -- Number of investigative actions
      assigned to Expel, or any Expel analyst. Allows: null
    * resilience_actions_ratio -- number -- Percent of resilience actions completed. Allows: null
    * short_name -- string -- Organization short name. Allows: null
    * hq_utc_offset -- string -- (no description in the API schema). Allows: "", null
    * resilience_actions_completed -- number -- Number of resilience actions completed by the
      organization. Allows: null
    * open_incident_count -- number -- Number of open incidents. Allows: null
    * resilience_actions_assigned -- number -- Number of resilience actions assigned to the
      organization. Allows: null
    * hq_city -- string -- The city where the organization's headquarters is located. Allows: "", null
    * open_investigation_count -- number -- Number of open investigations. Allows: null
    * tech_stack -- string -- Comma delimited list of organization's vendors. Allows: "", null
    * remediation_actions_assigned_to_organization -- number -- Number of remediation actions
      assigned to the organization, or any of that organization's analysts. Allows: null
    * investigative_actions_assigned_to_organization -- number -- Number of investigative actions
      assigned to the organization, or any of that organization's analysts. Allows: null

    Valid filter-by relationships (object-valued; the API schema gives no description):
    organization, user_account, products.

    NOTE(review): this view aggregates organization-wide business and security-posture
    data (vendor tech stack, open incident/investigation counts, HQ location, renewal
    dates). Treat records fetched through it as sensitive customer data when exporting,
    logging or forwarding them to another system.
    '''

    # JSON API resource type used when building request URLs for this entry.
    _api_type = 'organization_list'

    # Attribute names that are valid filter-by parameters, in API-schema order.
    _def_attributes = [
        "service_renewal_at",
        "industry",
        "engagement_manager_name",
        "users_count",
        "nodes_count",
        "security_device_health",
        "service_start_at",
        "name",
        "investigative_actions_assigned_to_expel",
        "resilience_actions_ratio",
        "short_name",
        "hq_utc_offset",
        "resilience_actions_completed",
        "open_incident_count",
        "resilience_actions_assigned",
        "hq_city",
        "open_investigation_count",
        "tech_stack",
        "remediation_actions_assigned_to_organization",
        "investigative_actions_assigned_to_organization",
    ]

    # Related resource names that are valid relationship filters.
    _def_relationships = [
        "organization",
        "user_account",
        "products",
    ]
class VendorAlerts(BaseEntry):
    '''
    Vendor alerts.

    JSON API resource type: ``vendor_alerts``.

    Valid filter-by attributes (name -- type -- description / constraints):

    * signature_id -- string -- Signature ID. Allows: "", null
    * evidence_summary -- array -- Evidence summary. Allows: null. Meta: no-sort
    * created_at -- string -- Created timestamp. Meta: readonly
    * evidence_activity_start_at -- string -- Evidence activity start datetime. Allows: null.
      Meta: immutable
    * original_alert_id -- string -- (no description in the API schema). Allows: null.
      Meta: immutable
    * description -- string -- Description. Allows: "", null
    * vendor_sig_name -- string -- Vendor Sig Name. Allows: "", null
    * vendor_message -- string -- Vendor Message. Allows: "", null
    * updated_at -- string -- Last Updated timestamp. Meta: readonly
    * evidence_activity_end_at -- string -- Evidence activity end datetime. Allows: null.
      Meta: immutable
    * vendor_severity -- any -- Vendor alert severity. Restricted to: "CRITICAL", "HIGH",
      "MEDIUM", "LOW", "TESTING", "TUNING". Allows: null
    * status -- any -- Status. Restricted to: "NORMAL", "PROVISIONAL". Allows: null.
      Meta: readonly
    * first_seen -- string -- First Seen

    Valid filter-by relationships (object-valued; the API schema gives no description):
    vendor_device, updated_by, organization, customer, vendor, assembler, evidences,
    customer_device, created_by, security_device, expel_alerts, ip_addresses.

    NOTE(review): description, vendor_sig_name, vendor_message and evidence_summary are
    text/arrays originating from the vendor product that raised the alert. Treat them as
    untrusted content when rendering them in a UI or when building downstream queries or
    commands from them; do not assume they are sanitized.
    '''

    # JSON API resource type used when building request URLs for this entry.
    _api_type = 'vendor_alerts'

    # Attribute names that are valid filter-by parameters, in API-schema order.
    _def_attributes = [
        "signature_id",
        "evidence_summary",
        "created_at",
        "evidence_activity_start_at",
        "original_alert_id",
        "description",
        "vendor_sig_name",
        "vendor_message",
        "updated_at",
        "evidence_activity_end_at",
        "vendor_severity",
        "status",
        "first_seen",
    ]

    # Related resource names that are valid relationship filters.
    _def_relationships = [
        "vendor_device",
        "updated_by",
        "organization",
        "customer",
        "vendor",
        "assembler",
        "evidences",
        "customer_device",
        "created_by",
        "security_device",
        "expel_alerts",
        "ip_addresses",
    ]
class ContextLabelActions(BaseEntry):
    '''
    Defines/retrieves expel.io context_label_action records.

    JSON API resource type: ``context_label_actions``.

    Valid filter-by attributes (name -- type -- description / constraints):

    * updated_at -- string -- Last Updated timestamp. Meta: readonly
    * action_type -- any -- What action to take. Restricted to: "ALERT_ON", "ADD_TO"
    * created_at -- string -- Created timestamp. Meta: readonly

    Valid filter-by relationships (object-valued; the API schema gives no description):
    created_by, investigation, context_label, updated_by, timeline_entries.

    NOTE(review): action_type is a closed set ("ALERT_ON" / "ADD_TO"); anything else
    sent in a create/update is expected to be rejected by the API, so validate it
    client-side before building a request rather than relying on the error path.
    '''

    # JSON API resource type used when building request URLs for this entry.
    _api_type = 'context_label_actions'

    # Attribute names that are valid filter-by parameters, in API-schema order.
    _def_attributes = [
        "updated_at",
        "action_type",
        "created_at",
    ]

    # Related resource names that are valid relationship filters.
    _def_relationships = [
        "created_by",
        "investigation",
        "context_label",
        "updated_by",
        "timeline_entries",
    ]
class SamlIdentityProviders(BaseEntry):
    '''
    SAML Identity Providers.

    JSON API resource type: ``saml_identity_providers``.

    Valid filter-by attributes (name -- type -- description / constraints):

    * cert -- string -- (no description in the API schema). Allows: "", null
    * callback_uri -- string -- (no description in the API schema). Allows: ""
    * status -- string -- Restricted to: "not_configured", "configured"
    * entity_id -- string -- (no description in the API schema). Allows: ""

    Valid filter-by relationships (object-valued; the API schema gives no description):
    organization.

    NOTE(review): this resource is an organization's SAML trust configuration. ``cert``
    is presumably the IdP signing certificate and ``entity_id`` the trusted issuer --
    confirm against the API docs. A principal that can write to this resource can change
    which IdP is trusted for the organization's logins, so API credentials used with
    this client should be scoped read-only unless SAML administration is actually
    required, and writes here should be audited.
    '''

    # JSON API resource type used when building request URLs for this entry.
    _api_type = 'saml_identity_providers'

    # Attribute names that are valid filter-by parameters, in API-schema order.
    _def_attributes = [
        "cert",
        "callback_uri",
        "status",
        "entity_id",
    ]

    # Related resource names that are valid relationship filters.
    _def_relationships = [
        "organization",
    ]
class InvestigationFindings(BaseEntry):
    '''
    Investigation findings.

    JSON API resource type: ``investigation_findings``.

    Valid filter-by attributes (name -- type -- description / constraints):

    * deleted_at -- string -- Deleted At timestamp. Allows: null
    * rank -- number -- Visualization Rank
    * created_at -- string -- Created timestamp. Meta: readonly
    * updated_at -- string -- Last Updated timestamp. Meta: readonly
    * finding -- string -- Finding. Allows: "", null
    * title -- string -- Title. Allows: "", null

    Valid filter-by relationships (object-valued; the API schema gives no description):
    created_by, investigation, updated_by.

    NOTE(review): ``finding`` and ``title`` are analyst-authored free text and
    ``deleted_at`` is nullable, so soft-deleted findings may still be returned unless
    a filter excludes them -- presumably filter on deleted_at when only live findings
    are wanted; confirm against the API docs.
    '''

    # JSON API resource type used when building request URLs for this entry.
    _api_type = 'investigation_findings'

    # Attribute names that are valid filter-by parameters, in API-schema order.
    _def_attributes = [
        "deleted_at",
        "rank",
        "created_at",
        "updated_at",
        "finding",
        "title",
    ]

    # Related resource names that are valid relationship filters.
    _def_relationships = [
        "created_by",
        "investigation",
        "updated_by",
    ]
class VendorDevices(BaseEntry):
    '''
    Vendor devices.

    JSON API resource type: ``vendor_devices``.

    Valid filter-by attributes (name -- type -- description / constraints):

    * plugin_slug -- string -- (no description in the API schema). Allows: "", null
    * location -- string -- Location. Allows: "", null
    * created_at -- string -- Created timestamp. Meta: readonly
    * status_updated_at -- string -- Status Updated At. Allows: null. Meta: readonly
    * device_spec -- object -- Device Spec. Allows: null. Meta: no-sort
    * deleted_at -- string -- Deleted At timestamp. Allows: null
    * name -- string -- Name
    * has_two_factor_secret -- boolean -- Has 2fa secret stored in vault. Meta: readonly
    * status -- any -- Status. Restricted to: "healthy", "unhealthy",
      "health_checks_not_supported". Allows: null
    * device_type -- any -- Device Type. Restricted to: "ENDPOINT", "NETWORK", "SIEM",
      "OTHER", "CLOUD"
    * updated_at -- string -- Last Updated timestamp. Meta: readonly
    * task_source -- any -- Location where tasks are run. Restricted to:
      "CUSTOMER_PREMISE", "EXPEL_TASKPOOL"
    * status_details -- object -- Status Details. Allows: null. Meta: no-sort

    Valid filter-by relationships (object-valued; the API schema gives no description):
    vendor_alerts, assembler, investigative_actions, child_vendor_devices,
    customer_device, created_by, updated_by, organization, customer, vendor,
    parent_vendor_device.

    NOTE(review): only the read-only boolean ``has_two_factor_secret`` is exposed here;
    the 2FA secret itself is not an attribute of this resource. ``device_spec`` and
    ``status_details`` are free-form objects whose contents the schema does not
    describe -- do not assume they are free of connection details (hosts, accounts)
    before logging or exporting them; verify with a real response first.
    '''

    # JSON API resource type used when building request URLs for this entry.
    _api_type = 'vendor_devices'

    # Attribute names that are valid filter-by parameters, in API-schema order.
    _def_attributes = [
        "plugin_slug",
        "location",
        "created_at",
        "status_updated_at",
        "device_spec",
        "deleted_at",
        "name",
        "has_two_factor_secret",
        "status",
        "device_type",
        "updated_at",
        "task_source",
        "status_details",
    ]

    # Related resource names that are valid relationship filters.
    _def_relationships = [
        "vendor_alerts",
        "assembler",
        "investigative_actions",
        "child_vendor_devices",
        "customer_device",
        "created_by",
        "updated_by",
        "organization",
        "customer",
        "vendor",
        "parent_vendor_device",
    ]
class ConfigurationDefaults(BaseEntry):
    '''
    Configuration defaults
    Below are valid filter by parameters:
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +====================================================================================+============================+================+===============+==================+
    | Configuration value validation<br/>Meta: no-sort | validation | object | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Title of configuration value<br/>Allows: "", null | title | string | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Configuration visibility<br/>Restricted to: "EXPEL", "ORGANIZATION", "SYSTEM" | visibility | any | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Configuration metadata<br/>Allows: null<br/>Meta: no-sort | metadata | object | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Description of configuration value<br/>Allows: "", null | description | string | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Configuration value<br/>Allows: null<br/>Meta: no-sort | value | any | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Write permission required<br/>Restricted to: "EXPEL", "ORGANIZATION", "SYSTEM" | write_permission_level | any | Y | N |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | configurations | object | N | Y |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    | Missing Description | labels | object | N | Y |
    +------------------------------------------------------------------------------------+----------------------------+----------------+---------------+------------------+
    '''
    # Generated JSON:API resource descriptor (see the END AUTO GENERATE marker below); regenerate, don't hand-edit.
    # 'visibility' and 'write_permission_level' are both restricted to EXPEL/ORGANIZATION/SYSTEM; the latter names the
    # permission tier needed to change 'value'. NOTE(review): enforcement is presumably server-side - this client
    # only exposes them as filterable attributes, so do not treat them as a client-side access check.
    _api_type = 'configuration_defaults'
    _def_attributes = ["validation", "title", "visibility", "created_at", "updated_at", "metadata", "description",
                       "value", "write_permission_level"]
    _def_relationships = ["configurations", "created_by", "updated_by", "labels"]
class Findings(BaseEntry):
    '''
    Defines/retrieves expel.io finding records
    Below are valid filter by parameters:
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===============================================+================+================+===============+==================+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    | Seed Rank | rank | number | Y | N |
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    | Title<br/>Allows: "", null | title | string | Y | N |
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------+----------------+----------------+---------------+------------------+
    '''
    # Generated JSON:API resource descriptor for 'findings' (see the END AUTO GENERATE marker below).
    # Only 'rank' and 'title' are writable per the table; the timestamps are readonly.
    _api_type = 'findings'
    _def_attributes = ["updated_at", "rank", "title", "created_at"]
    _def_relationships = ["created_by", "updated_by"]
class ActivityMetrics(BaseEntry):
    '''
    Defines/retrieves expel.io activity_metric records
    Below are valid filter by parameters:
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===========================================================================+=====================+================+===============+==================+
    | Date/Time of when the activity concluded | ended_at | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Url<br/>Allows: "", null | url | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Referring url<br/>Allows: "", null | referring_url | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Additional data about the activity<br/>Allows: null<br/>Meta: no-sort | data | object | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Date/Time of when the activity started | started_at | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Activity<br/>Allows: "", null | activity | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Missing Description | expel_alert | object | N | Y |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    | Missing Description | security_device | object | N | Y |
    +---------------------------------------------------------------------------+---------------------+----------------+---------------+------------------+
    '''
    # Generated JSON:API resource descriptor for 'activity_metrics' (see the END AUTO GENERATE marker below).
    # 'url', 'referring_url' and the free-form 'data' object are caller-supplied telemetry; nothing here
    # validates or sanitises them, so do not render them into UIs or logs as trusted content.
    _api_type = 'activity_metrics'
    _def_attributes = ["ended_at", "url", "referring_url", "data", "started_at", "created_at", "activity", "updated_at"]
    _def_relationships = ["created_by", "investigation", "expel_alert", "updated_by", "security_device"]
class OrganizationStatuses(BaseEntry):
    '''
    Organization status
    Below are valid filter by parameters:
    +-------------------------+-------------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=========================+=========================+================+===============+==================+
    | Meta: readonly | updated_at | string | Y | N |
    +-------------------------+-------------------------+----------------+---------------+------------------+
    | Missing Description | enabled_login_types | array | Y | N |
    +-------------------------+-------------------------+----------------+---------------+------------------+
    | Meta: readonly | created_at | string | Y | N |
    +-------------------------+-------------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-------------------------+-------------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +-------------------------+-------------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-------------------------+-------------------------+----------------+---------------+------------------+
    '''
    # Generated JSON:API resource descriptor for 'organization_statuses' (see the END AUTO GENERATE marker below).
    # 'enabled_login_types' is the only non-readonly attribute and is an array with no documented values here;
    # NOTE(review): it presumably controls which authentication methods an organization accepts - treat writes
    # to it as a security-sensitive change and confirm the accepted values against the server schema.
    _api_type = 'organization_statuses'
    _def_attributes = ["updated_at", "enabled_login_types", "created_at"]
    _def_relationships = ["created_by", "organization", "updated_by"]
class ExpelAlertGrid(BaseEntry):
    '''
    Elastic search backed Alert Grid
    Below are valid filter by parameters:
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +===========================================================================+==============================+==================+===============+==================+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | alert_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Allows: null | vendor_alert_count | number | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | vendor_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | urls | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | process_arguments | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | source_ip_addresses | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | vendor_sig_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | expel_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | alert_type | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | destination_ip_addresses | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | process_path | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | assignee_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | expel_guid | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | parent_md5 | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | process_md5 | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Allows: null | tuning_requested | boolean | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | vendor_device_guid | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | usernames | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | parent_path | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | activity_last_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | activity_first_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | close_comment | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | expel_severity | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | parent_arguments | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a date or an ISO 8601 date<br/>Meta: allowStringOperators | updated_at | string | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | organization_name | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | hostnames | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | May be a string or an array of strings<br/>Meta: allowStringOperators | status | alternatives | Y | N |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | expel_alert | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | vendor | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | investigation | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | assigned_to_org | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | vendor_alerts | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | assigned_to_actor | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    | Missing Description | security_devices | object | N | Y |
    +---------------------------------------------------------------------------+------------------------------+------------------+---------------+------------------+
    '''
    # Generated JSON:API resource descriptor for the Elasticsearch-backed alert grid (see the END AUTO GENERATE
    # marker below). Most attributes carry 'Meta: allowStringOperators', i.e. filter values are passed to the
    # server as search expressions; build them from trusted input only, since this client does not validate them.
    # NOTE(review): 'urls' is typed 'string' while its description promises string-or-array and every sibling is
    # typed 'alternatives' - probably a schema quirk; confirm before passing a list for it.
    _api_type = 'expel_alert_grid'
    _def_attributes = ["alert_at", "vendor_alert_count", "vendor_name", "urls", "process_arguments",
                       "source_ip_addresses", "vendor_sig_name", "expel_name", "alert_type", "destination_ip_addresses",
                       "process_path", "assignee_name", "expel_guid", "parent_md5", "process_md5", "tuning_requested",
                       "vendor_device_guid", "usernames", "parent_path", "activity_last_at", "activity_first_at",
                       "close_comment", "expel_severity", "parent_arguments", "updated_at", "organization_name",
                       "hostnames", "status"]
    _def_relationships = ["expel_alert", "vendor", "investigation", "assigned_to_org", "vendor_alerts", "organization",
                          "assigned_to_actor", "security_devices"]
class Integrations(BaseEntry):
    '''
    Defines/retrieves expel.io integration records
    Below are valid filter by parameters:
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Field Description | Field Name | Field Type | Attribute | Relationship |
    +=================================================================================================================+======================+================+===============+==================+
    | Service display name | service_name | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Type of integration<br/>Restricted to: "pagerduty", "slack", "ticketing", "service_now"<br/>Meta: immutable | integration_type | any | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Last Successful Test<br/>Allows: null<br/>Meta: readonly | last_tested_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Last Updated timestamp<br/>Meta: readonly | updated_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Needed information for integration type<br/>Allows: null<br/>Meta: no-sort | integration_meta | object | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Created timestamp<br/>Meta: readonly | created_at | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Integration status<br/>Restricted to: "UNTESTED", "TEST_SUCCESS", "TEST_FAIL"<br/>Meta: readonly | status | any | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Service account identifier | account | string | Y | N |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | created_by | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | secret | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | organization | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | customer | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    | Missing Description | updated_by | object | N | Y |
    +-----------------------------------------------------------------------------------------------------------------+----------------------+----------------+---------------+------------------+
    '''
    # Generated JSON:API resource descriptor for third-party integrations (see the END AUTO GENERATE marker below).
    # 'integration_type' is immutable once created; credentials live behind the 'secret' relationship rather than
    # in the attributes. NOTE(review): 'integration_meta' is an undocumented object ("needed information for the
    # integration type") and may still carry sensitive material such as webhook URLs - redact it in logs/debug output.
    _api_type = 'integrations'
    _def_attributes = ["service_name", "integration_type", "last_tested_at", "updated_at", "integration_meta",
                       "created_at", "status", "account"]
    _def_relationships = ["created_by", "secret", "organization", "customer", "updated_by"]
# END AUTO GENERATE JSONAPI CLASSES
# Sits outside the AUTO GENERATE markers, so presumably a hand-maintained set of relationship-name overrides or
# additions to the generated RELATIONSHIP_TO_CLASS table below; empty in this revision.
# NOTE(review): whether and how it is merged with the generated table is not visible here - confirm before relying on it.
RELATIONSHIP_TO_CLASS_EXT = {
}
# AUTO GENERATE RELATIONSHIP TO CLASS LOOKUP
# Lookup from a JSON:API relationship name (as it appears in a resource's 'relationships' block) to the client class
# that wraps the related resource type. Several names share one class (e.g. 'created_by'/'updated_by' -> Actors,
# 'security_device'/'security_devices' -> SecurityDevices). This is a plain dict: indexing it with an unknown
# relationship name raises KeyError, so callers that handle arbitrary server responses should use .get().
RELATIONSHIP_TO_CLASS = {
    "engagement_managers": EngagementManagers,
    "expel_users": ExpelUsers,
    "source_resilience_action_group": ResilienceActionGroups,
    "notification_preferences": NotificationPreferences,
    "nist_subcategories": NistSubcategories,
    "security_device": SecurityDevices,
    "vendors": Vendors,
    "nist_categories": NistCategories,
    "expel_alerts": ExpelAlerts,
    "customer_devices": CustomerDevices,
    "investigations": Investigations,
    "security_devices": SecurityDevices,
    "expel_alert": ExpelAlerts,
    "hunting_statuses": HuntingStatuses,
    "customer_resilience_action_groups": CustomerResilienceActionGroups,
    "expel_alert_thresholds": ExpelAlertThresholds,
    "resilience_action_groups": ResilienceActionGroups,
    "investigative_actions": InvestigativeActions,
    "resilience_actions": ResilienceActions,
    "organization_statuses": OrganizationStatuses,
    "integrations": Integrations,
    "user_account_roles": UserAccountRoles,
    "comment": Comments,
    "customer_resilience_action_list": CustomerResilienceActionList,
    "features": Features,
    "vendor_alert_evidences": VendorAlertEvidences,
    "organizations": Organizations,
    "secrets": Secrets,
    "ui_discoveries": UiDiscoveries,
    "configuration_labels": ConfigurationLabels,
    "cpe_images": CpeImages,
    "context_label": ContextLabels,
    "assemblers": Assemblers,
    "remediation_action_histories": RemediationActionHistories,
    "customers": Customers,
    "source_ip_addresses": IpAddresses,
    "context_label_tags": ContextLabelTags,
    "comment_histories": CommentHistories,
    "comments": Comments,
    "assigned_investigative_actions": InvestigativeActions,
    "customer_resilience_actions": CustomerResilienceActions,
    "investigative_action_histories": InvestigativeActionHistories,
    "organization_list": OrganizationList,
    "organization": Organizations,
    "context_label_actions": ContextLabelActions,
    "saml_identity_providers": SamlIdentityProviders,
    "saml_identity_provider": SamlIdentityProviders,
    "assets": Assets,
    "assigned_customer_resilience_actions_list": CustomerResilienceActions,
    "actors": Actors,
    "timeline_entries": TimelineEntries,
    "organization_resilience_action_list": OrganizationResilienceActionList,
    "api_keys": ApiKeys,
    "engagement_manager": EngagementManagers,
    "remediation_actions": RemediationActions,
    "labels": ConfigurationLabels,
    "expel_alert_grid_v2": ExpelAlertGridV2,
    "user_accounts": UserAccounts,
    "customer_list": CustomerList,
    "vendor": Vendors,
    "assembler_images": AssemblerImages,
    "user_account": UserAccounts,
    "investigation_histories": InvestigationHistories,
    "investigation_resilience_actions": InvestigationResilienceActions,
    "assigned_remediation_actions": RemediationActions,
    "investigation_findings": InvestigationFindings,
    "investigation": Investigations,
    "evidence": VendorAlertEvidences,
    "expel_alert_grid": ExpelAlertGrid,
    "source_resilience_action": ResilienceActions,
    "asset_groups": AssetGroups,
    "assigned_organization_resilience_actions_list": OrganizationResilienceActions,
    "expel_alert_histories": ExpelAlertHistories,
    "configurations": Configurations,
    "user_account_statuses": UserAccountStatuses,
    "products": Products,
    "nist_subcategory_score_histories": NistSubcategoryScoreHistories,
    "customer_em_meta": CustomerEmMeta,
    "context_labels": ContextLabels,
    "remediation_action_types": RemediationActionTypes,
    "created_by": Actors,
    "activity_metrics": ActivityMetrics,
    "expel_alert_threshold_histories": ExpelAlertThresholdHistories,
    "customer": Customers,
    "files": Files,
    "organization_em_meta": OrganizationEmMeta,
    "nist_subcategory_scores": NistSubcategoryScores,
    "expel_alert_threshold": ExpelAlertThresholds,
    "secret": Secrets,
    "vendor_alerts": VendorAlerts,
    "ip_addresses": IpAddresses,
    "vendor_devices": VendorDevices,
    "organization_resilience_actions": OrganizationResilienceActions,
    "findings": Findings,
    "organization_resilience_action_groups": OrganizationResilienceActionGroups,
    "configuration_defaults": ConfigurationDefaults
}
# END AUTO GENERATE RELATIONSHIP TO CLASS LOOKUP
class WorkbenchCoreClient(object):
'''
Instantiate a Workbench core client that provides just authentication and request capabilities to Workbench
If the developer specifies a ``username``, then ``password`` and ``mfa_code`` are required inputs. If the developer
has an ``apikey`` then ``username``, ``password`` and ``mfa_code`` parameters are ignored.
:param cls: A Workbench class reference.
:type cls: WorkbenchClient
:param apikey: An apikey to use for authentication/authorization.
:type apikey: str or None
:param username: The username
:type username: str or None
:param password: The username's password
:type password: str or None
:param mfa_code: The multi factor authenticate code generated by google authenticator.
:type mfa_code: int or None
:param token: The bearer token of an authorized session. Can be used instead of ``apikey`` and ``username``/``password`` combo.
:type token: str or None
:return: An initialized, and authorized Workbench client.
:rtype: WorkbenchClient
'''
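    def __init__(self, base_url, apikey=None, username=None, password=None, mfa_code=None, token=None, verify=True):
        '''
        Build the HTTP session and, when credentials are supplied, obtain a bearer token for it.

        One credential style is expected: ``apikey`` (service login), ``username``/``password``/``mfa_code``
        (human login), or an already-issued ``token``. If both ``apikey`` and ``mfa_code`` are given the MFA
        login runs last and its token wins (same precedence as before).

        :param base_url: Workbench base URL that every relative request path is joined onto.
        :type base_url: str
        :param apikey: Service API key, exchanged for a bearer token via :meth:`service_login`.
        :type apikey: str or None
        :param username: The user's e-mail address (used only together with ``password`` and ``mfa_code``).
        :type username: str or None
        :param password: The user's password. It stays on the instance for the client's lifetime.
        :type password: str or None
        :param mfa_code: One-time 2FA code; its presence is what triggers the human login flow.
        :type mfa_code: int or str or None
        :param token: A bearer token to use as-is (a ``Bearer `` prefix is added when missing).
        :type token: str or None
        :param verify: TLS certificate verification, handed straight to ``requests`` on every call: ``True``
            (default) verifies against the default CA bundle, a ``str`` is the path to a CA bundle, ``False``
            disables verification. Previously this was hard-wired to ``False``. Disable it only deliberately:
            this session carries the API key, password, OTP and bearer token, and an unverified connection
            hands all of them to anyone on the network path.
        :type verify: bool or str
        '''
        self.base_url = base_url
        self.apikey = apikey
        self.token = token
        self.mfa_code = mfa_code
        self.username = username
        self.password = password
        # Debug knobs read by request(): print every call, only the listed HTTP methods, or only URLs that
        # contain the substring. Note that debug output includes request bodies, credentials included.
        self.debug = False
        self.debug_method = []
        self.debug_url_contains = None
        # Applied to every request unless the caller overrides a key through **kwargs.
        self.default_request_kwargs = {
            'timeout': 300,
            'verify': verify,
        }

        def _make_retry():
            # Back off and retry on API rate limiting (429) and transient server errors, plus connect/read failures.
            # See docs: https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html#urllib3.util.retry.Retry
            # NOTE(review): urllib3's default method allow-list still applies, so non-idempotent POSTs may not be
            # retried on status - confirm if POST retries are expected.
            retryable_status_codes = [429, 500, 504]
            return Retry(connect=3, read=3, status=3, status_forcelist=retryable_status_codes, backoff_factor=2)

        self.session = requests.Session()
        # The adapter only takes effect once mounted; previously it was built and then dropped, so the retry
        # policy above never applied.
        retry_adapter = HTTPAdapter(max_retries=_make_retry())
        self.session.mount('https://', retry_adapter)
        self.session.mount('http://', retry_adapter)
        self.session.headers = {'content-type': 'application/json'}

        if self.apikey:
            self.token = self.service_login(self.apikey)
        if self.mfa_code:
            self.token = self.login(self.username, self.password, self.mfa_code)
        # Having no credentials at all is tolerated (a caller may attach a token later); the Authorization key
        # is still written so request() can read it.
        if self.token and not self.token.startswith('Bearer'):
            self.token = 'Bearer %s' % self.token
        self.session.headers.update({'Authorization': self.token})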
def login(self, username, password, code):
    '''
    Authenticate as a human user; this is a two-step flow that requires the 2FA code.

    The first POST (username/password only) is expected to come back 401: that is
    how the server signals it now wants the OTP. Any other status ends the flow
    with ``None``. The second POST repeats the form with the OTP header and yields
    the bearer token.

    :param username: The user's e-mail address.
    :type username: str
    :param password: The user's password.
    :type password: str
    :param code: The 2FA code; converted to ``str`` for the header.
    :type code: str
    :return: The bearer token that allows users to call Workbench APIs, or None.
    :rtype: str
    '''
    form_headers = {'content-type': 'application/x-www-form-urlencoded'}
    form_body = urlencode({'grant_type': 'password', 'username': username, 'password': password})
    first_step = self.request('post', '/auth/v0/login', data=form_body, headers=form_headers, skip_raise=True)
    # 401 here means "password accepted, now send the OTP" rather than a failure.
    if first_step.status_code != 401:
        return None
    otp_headers = {**form_headers, 'x-expelinc-otp': str(code)}
    second_step = self.request('post', '/auth/v0/login', data=form_body, headers=otp_headers)
    return second_step.json()['access_token']
def service_login(self, apikey):
    '''
    Authenticate as a service using an API key.

    :param apikey: The API key to use to authenticate; sent as the JSON ``id`` field.
    :type apikey: str
    :return: The bearer token that allows users to call Workbench APIs.
    :rtype: str
    '''
    body = json.dumps({'id': apikey})
    login_resp = self.request('post', '/api/v2/service_login', data=body)
    return login_resp.json()['access_token']
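def request(self, method, url, data=None, skip_raise=False, files=None, **kwargs):
    '''
    Issue an HTTP request against the Workbench API and translate API error bodies
    into a descriptive ``HTTPError``.

    :param method: HTTP method name. Ignored when ``files`` is given: uploads are always POSTed.
    :type method: str
    :param url: Path joined onto ``base_url`` with ``urljoin`` (an absolute URL replaces it).
    :type url: str
    :param data: Request body passed straight to requests.
    :param skip_raise: Return the response unchecked regardless of status.
    :type skip_raise: bool
    :param files: Multipart files. When present the call bypasses the session (so the
        session's JSON content-type is not applied) and only copies its Authorization header.
    :param kwargs: Extra requests arguments; ``headers`` is popped and merged explicitly,
        the rest override ``default_request_kwargs`` (timeout, verify).
    :return: The response.
    :rtype: requests.Response
    :raises requests.exceptions.HTTPError: on a non-success status unless ``skip_raise`` is set.
        The message carries the API's own detail/status/title/message when the body is JSON;
        otherwise the original HTTPError is raised unchanged.
    '''
    url = urljoin(self.base_url, url)
    headers = kwargs.pop('headers', {})
    request_kwargs = dict(self.default_request_kwargs)
    request_kwargs.update(kwargs)

    do_print = False
    if self.debug:
        if not self.debug_method and not self.debug_url_contains:
            do_print = True
        elif self.debug_method and method in self.debug_method:
            do_print = True
        elif self.debug_url_contains and self.debug_url_contains.lower() in url.lower():
            do_print = True
    if do_print:
        print(method, " ", url)
        if data:
            # NOTE(security): this is the raw body; for login() it includes the password.
            pprint.pprint(data)

    if files:
        headers['Authorization'] = self.session.headers['Authorization']
        resp = requests.post(url, headers=headers, data=data, files=files, **request_kwargs)
    else:
        resp = self.session.request(
            method=method,
            url=url,
            headers=headers,
            data=data,
            **request_kwargs
        )

    if do_print:
        try:
            pprint.pprint(resp.json())
        except ValueError:
            # Non-JSON body (e.g. an HTML error page): show it rather than crash the trace.
            pprint.pprint(resp.text)

    if skip_raise:
        return resp

    def _error_detail(err):
        # Map the known API error shapes to a message, in the order the API is
        # expected to populate them. None means the shape is not recognised.
        if not isinstance(err, dict):
            return None
        errors = err.get('errors') or []
        first = errors[0] if errors else {}
        if 'detail' in first:
            return first['detail']
        if 'status' in first:
            return "Got status code: %s" % first['status']
        if 'title' in first:
            return first['title']
        if err.get('message'):
            return '%s: %s' % (err['message'], str(err.get('validation')))
        if err.get('error_description'):
            return err['error_description']
        if err.get('error'):
            return err['error']
        return None

    try:
        resp.raise_for_status()
    except requests.exceptions.HTTPError as e:
        # It's HTML code.. no structured detail to extract.
        if resp.text.startswith('<'):
            raise
        try:
            err = resp.json()
        except ValueError:
            # Body is neither HTML nor JSON (e.g. empty 502): keep the original error
            # instead of masking it with a JSON decode error.
            raise e from None
        detail = _error_detail(err)
        if detail is None:
            # Unrecognised error shape. Previously this fell through and returned the
            # failing response as if it had succeeded; surface the error instead.
            raise
        raise requests.exceptions.HTTPError(detail, response=resp) from e
    return resp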
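class WorkbenchClient(WorkbenchCoreClient):
    '''
    Instantiate a client that interacts with Workbench's API server.

    If the developer specifies a ``username``, then ``password`` and ``mfa_code`` are required inputs. If the developer
    has an ``apikey`` then ``username``, ``password`` and ``mfa_code`` parameters are ignored.

    :param base_url: Base URL of the Workbench API server.
    :type base_url: str
    :param apikey: An apikey to use for authentication/authorization.
    :type apikey: str or None
    :param username: The username
    :type username: str or None
    :param password: The username's password
    :type password: str or None
    :param mfa_code: The multi factor authenticate code generated by google authenticator.
    :type mfa_code: int or None
    :param token: The bearer token of an authorized session. Can be used instead of ``apikey`` and ``username``/``password`` combo.
    :type token: str or None
    :return: An initialized, and authorized Workbench client.
    :rtype: WorkbenchClient
    '''

    def __init__(self, base_url, apikey=None, username=None, password=None, mfa_code=None, token=None):
        super().__init__(base_url, apikey=apikey, username=username, password=password, mfa_code=mfa_code, token=token)

    def create_manual_inv_action(self, title: str, reason: str, instructions: str, investigation_id: str = None,
                                 expel_alert_id: str = None):
        '''
        Create a manual investigative action via MacGyver.

        The action is created with status ``READY_FOR_ANALYSIS`` and attached to the
        investigation when ``investigation_id`` is given, otherwise to the Expel alert.

        :param title: The title of the investigative action, shows up in Workbench.
        :type title: str
        :param reason: The reason for running the investigative action, shows up in Workbench.
        :type reason: str
        :param instructions: Free-form instructions for the analyst performing the action.
        :type instructions: str
        :param investigation_id: The investigation ID to associate the action with.
        :type investigation_id: str
        :param expel_alert_id: The expel alert id, used when no investigation ID is given.
        :type expel_alert_id: str
        :return: Investigative action response
        :rtype: InvestigativeActions
        :raises ValueError: if neither ``investigation_id`` nor ``expel_alert_id`` is given.

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> o = xc.create_manual_inv_action('title foo', 'reason bar', 'instructions blah', investigation_id=inv_guid)
            >>> print("Investigative Action ID: ", o.id)
        '''
        if not expel_alert_id and not investigation_id:
            # ValueError is an Exception subclass, so existing `except Exception` handlers still match.
            raise ValueError("Must specify an expel_alert_id or an investigation_id")

        # Create the manual investigative action in WB via MacGyver
        ia = self.investigative_actions.create(
            title=title, status='READY_FOR_ANALYSIS', reason=reason, action_type='MANUAL', instructions=instructions)
        if investigation_id:
            ia.relationship.investigation = investigation_id
        else:
            ia.relationship.expel_alert = expel_alert_id
        return ia.save()

    def create_auto_inv_action(self, customer_id: str, vendor_device_id: str, created_by_id: str, capability_name: str,
                               input_args: dict, title: str, reason: str, investigation_id: str = None,
                               expel_alert_id: str = None):
        '''
        Create an automatic investigative action via MacGyver.

        The action is created with status ``RUNNING`` and action type ``TASKABILITY``, linked
        to the vendor device, and attached to the investigation when ``investigation_id`` is
        given, otherwise to the Expel alert.

        :param customer_id: The customer ID. Accepted for backward compatibility; not sent with the request.
        :type customer_id: str
        :param vendor_device_id: The vendor device ID, to dispatch the task against.
        :type vendor_device_id: str
        :param created_by_id: The user ID that created the action. Accepted for backward compatibility; not sent with the request.
        :type created_by_id: str
        :param capability_name: The name of the capability we are running. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
        :type capability_name: str
        :param input_args: The input arguments to the capability to run. Defined in classes https://github.com/expel-io/taskabilities/tree/master/py/taskabilities/cpe/capabilities, look at name class variable.
        :type input_args: dict
        :param title: The title of the investigative action, shows up in Workbench.
        :type title: str
        :param reason: The reason for running the investigative action, shows up in Workbench.
        :type reason: str
        :param investigation_id: The investigation ID to associate the action with.
        :type investigation_id: str
        :param expel_alert_id: The expel alert id, used when no investigation ID is given.
        :type expel_alert_id: str
        :return: Investigative action response
        :rtype: InvestigativeActions
        :raises ValueError: if neither ``investigation_id`` nor ``expel_alert_id`` is given.

        Examples:
            >>> xc = XClient.workbench('https://workbench.expel.io', username=username, password=password, mfa_code=mfa_code)
            >>> input_args = {"user_name": 'matt.peters@expel.io', 'time_range_start':'2019-01-30T14:00:40Z', 'time_range_end':'2019-01-30T14:45:40Z'}
            >>> o = xc.create_auto_inv_action(customer_guid, device_guid, user_guid, 'query_user', input_args, 'Query User', 'Getting user login activity to determine if login is normal', investigation_id=inv_guid)
            >>> print("Investigative Action ID: ", o.id)
        '''
        if not expel_alert_id and not investigation_id:
            # ValueError is an Exception subclass, so existing `except Exception` handlers still match.
            raise ValueError("Must specify an expel_alert_id or an investigation_id")

        # Get the plugin slug for the vendor device (also confirms the device exists
        # before an action is created against it).
        with self.vendor_devices.get(id=vendor_device_id) as d:
            plugin_slug = d.plugin_slug

        # Create the investigative action in WB via MacGyver
        ia = self.investigative_actions.create(title=title, status='RUNNING', reason=reason, action_type='TASKABILITY',
                                               capability_name=capability_name, input_args=input_args)
        ia.relationship.vendor_device = vendor_device_id
        if investigation_id:
            ia.relationship.investigation = investigation_id
        else:
            ia.relationship.expel_alert = expel_alert_id
        return ia.save()

    def capabilities(self, customer_id: str):
        '''
        Get a list of capabilities for a given customer.

        :param customer_id: The customer ID
        :type customer_id: str
        :return: The decoded JSON response.

        Examples:
            >>> xc.workbench.capabilities("my-customer-guid-123")
        '''
        from urllib.parse import quote
        # Percent-encode the id so a value containing '/' or '?' cannot alter the request path.
        resp = self.request('get', '/api/v2/capabilities/%s' % quote(str(customer_id), safe=''))
        return resp.json()

    def plugins(self):
        '''
        Get a list of plugins.

        :return: The decoded JSON response.

        Examples:
            >>> xc.workbench.plugins()
        '''
        resp = self.request('get', '/api/v2/plugins')
        return resp.json()

    # AUTO GENERATE PROPERTIES
    # Each property returns a fresh JsonResp bound to this client for the named
    # resource class; the resource classes are defined elsewhere in this file.
    @property
    def engagement_managers(self):
        return JsonResp(EngagementManagers, conn=self)

    @property
    def vendor_alert_evidences(self):
        return JsonResp(VendorAlertEvidences, conn=self)

    @property
    def remediation_action_histories(self):
        return JsonResp(RemediationActionHistories, conn=self)

    @property
    def expel_users(self):
        return JsonResp(ExpelUsers, conn=self)

    @property
    def resilience_action_groups(self):
        return JsonResp(ResilienceActionGroups, conn=self)

    @property
    def customer_resilience_action_list(self):
        return JsonResp(CustomerResilienceActionList, conn=self)

    @property
    def assets(self):
        return JsonResp(Assets, conn=self)

    @property
    def user_account_statuses(self):
        return JsonResp(UserAccountStatuses, conn=self)

    @property
    def actors(self):
        return JsonResp(Actors, conn=self)

    @property
    def security_devices(self):
        return JsonResp(SecurityDevices, conn=self)

    @property
    def expel_alert_histories(self):
        return JsonResp(ExpelAlertHistories, conn=self)

    @property
    def organizations(self):
        return JsonResp(Organizations, conn=self)

    @property
    def notification_preferences(self):
        return JsonResp(NotificationPreferences, conn=self)

    @property
    def timeline_entries(self):
        return JsonResp(TimelineEntries, conn=self)

    @property
    def nist_subcategories(self):
        return JsonResp(NistSubcategories, conn=self)

    @property
    def ip_addresses(self):
        return JsonResp(IpAddresses, conn=self)

    @property
    def secrets(self):
        return JsonResp(Secrets, conn=self)

    @property
    def organization_resilience_action_list(self):
        return JsonResp(OrganizationResilienceActionList, conn=self)

    @property
    def ui_discoveries(self):
        return JsonResp(UiDiscoveries, conn=self)

    @property
    def hunting_statuses(self):
        return JsonResp(HuntingStatuses, conn=self)

    @property
    def configurations(self):
        return JsonResp(Configurations, conn=self)

    @property
    def investigative_actions(self):
        return JsonResp(InvestigativeActions, conn=self)

    @property
    def vendors(self):
        return JsonResp(Vendors, conn=self)

    @property
    def configuration_labels(self):
        return JsonResp(ConfigurationLabels, conn=self)

    @property
    def cpe_images(self):
        return JsonResp(CpeImages, conn=self)

    @property
    def products(self):
        return JsonResp(Products, conn=self)

    @property
    def remediation_actions(self):
        return JsonResp(RemediationActions, conn=self)

    @property
    def expel_alerts(self):
        return JsonResp(ExpelAlerts, conn=self)

    @property
    def nist_subcategory_score_histories(self):
        return JsonResp(NistSubcategoryScoreHistories, conn=self)

    @property
    def customer_em_meta(self):
        return JsonResp(CustomerEmMeta, conn=self)

    @property
    def context_labels(self):
        return JsonResp(ContextLabels, conn=self)

    @property
    def expel_alert_thresholds(self):
        return JsonResp(ExpelAlertThresholds, conn=self)

    @property
    def user_account_roles(self):
        return JsonResp(UserAccountRoles, conn=self)

    @property
    def customer_devices(self):
        return JsonResp(CustomerDevices, conn=self)

    @property
    def investigations(self):
        return JsonResp(Investigations, conn=self)

    @property
    def organization_em_meta(self):
        return JsonResp(OrganizationEmMeta, conn=self)

    @property
    def nist_categories(self):
        return JsonResp(NistCategories, conn=self)

    @property
    def assemblers(self):
        return JsonResp(Assemblers, conn=self)

    @property
    def asset_groups(self):
        return JsonResp(AssetGroups, conn=self)

    @property
    def api_keys(self):
        return JsonResp(ApiKeys, conn=self)

    @property
    def user_accounts(self):
        return JsonResp(UserAccounts, conn=self)

    @property
    def customers(self):
        return JsonResp(Customers, conn=self)

    @property
    def expel_alert_threshold_histories(self):
        return JsonResp(ExpelAlertThresholdHistories, conn=self)

    @property
    def customer_list(self):
        return JsonResp(CustomerList, conn=self)

    @property
    def remediation_action_types(self):
        return JsonResp(RemediationActionTypes, conn=self)

    @property
    def context_label_tags(self):
        return JsonResp(ContextLabelTags, conn=self)

    @property
    def comment_histories(self):
        return JsonResp(CommentHistories, conn=self)

    @property
    def files(self):
        return JsonResp(Files, conn=self)

    @property
    def organization_resilience_actions(self):
        return JsonResp(OrganizationResilienceActions, conn=self)

    @property
    def comments(self):
        return JsonResp(Comments, conn=self)

    @property
    def assembler_images(self):
        return JsonResp(AssemblerImages, conn=self)

    @property
    def customer_resilience_action_groups(self):
        return JsonResp(CustomerResilienceActionGroups, conn=self)

    @property
    def customer_resilience_actions(self):
        return JsonResp(CustomerResilienceActions, conn=self)

    @property
    def investigative_action_histories(self):
        return JsonResp(InvestigativeActionHistories, conn=self)

    @property
    def expel_alert_grid_v2(self):
        return JsonResp(ExpelAlertGridV2, conn=self)

    @property
    def nist_subcategory_scores(self):
        return JsonResp(NistSubcategoryScores, conn=self)

    @property
    def organization_resilience_action_groups(self):
        return JsonResp(OrganizationResilienceActionGroups, conn=self)

    @property
    def investigation_histories(self):
        return JsonResp(InvestigationHistories, conn=self)

    @property
    def resilience_actions(self):
        return JsonResp(ResilienceActions, conn=self)

    @property
    def features(self):
        return JsonResp(Features, conn=self)

    @property
    def investigation_resilience_actions(self):
        return JsonResp(InvestigationResilienceActions, conn=self)

    @property
    def organization_list(self):
        return JsonResp(OrganizationList, conn=self)

    @property
    def vendor_alerts(self):
        return JsonResp(VendorAlerts, conn=self)

    @property
    def context_label_actions(self):
        return JsonResp(ContextLabelActions, conn=self)

    @property
    def saml_identity_providers(self):
        return JsonResp(SamlIdentityProviders, conn=self)

    @property
    def investigation_findings(self):
        return JsonResp(InvestigationFindings, conn=self)

    @property
    def vendor_devices(self):
        return JsonResp(VendorDevices, conn=self)

    @property
    def configuration_defaults(self):
        return JsonResp(ConfigurationDefaults, conn=self)

    @property
    def findings(self):
        return JsonResp(Findings, conn=self)

    @property
    def activity_metrics(self):
        return JsonResp(ActivityMetrics, conn=self)

    @property
    def organization_statuses(self):
        return JsonResp(OrganizationStatuses, conn=self)

    @property
    def expel_alert_grid(self):
        return JsonResp(ExpelAlertGrid, conn=self)

    @property
    def integrations(self):
        return JsonResp(Integrations, conn=self)
    # END AUTO GENERATE PROPERTIES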
'''
ABOVE - workbench.py
BELOW - XSOAR integration
'''
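def get_results(xc, filter):
    '''
    Collect the investigations matching ``filter`` as plain dicts.

    Each investigation's attribute dict is copied and enriched with its lead Expel
    alert (plus that alert's vendor alerts), every associated Expel alert (plus
    vendor alerts), and the attribute dicts of a fixed set of related resources.

    :param xc: An authenticated WorkbenchClient.
    :param filter: Keyword filters forwarded to ``xc.investigations.filter_by``.
    :type filter: dict
    :return: One dict per matching investigation.
    :rtype: list[dict]
    '''
    # Relationships pulled into each result. Deliberately excluded:
    # related_investigations_via_involved_host_ips, investigation_histories,
    # investigative_action_histories, files, remediation_action_histories, ip_addresses.
    relationships = (
        'evidence',  # when escalated to incident
        'findings',  # on the fly during investigation or incident status
        'investigative_actions',
        'remediation_actions',
        'timeline_entries',
        'comments',
    )

    def _alert_with_vendor_alerts(alert_obj):
        # Copy so the API object's own attribute dict is not mutated (the lead alert
        # can also appear in expel_alerts, and would otherwise be enriched twice).
        alert = dict(alert_obj._attrs)
        alert['vendor_alerts'] = [va._attrs for va in alert_obj.vendor_alerts]
        return alert

    results = []
    for inv in xc.investigations.filter_by(**filter):
        # Main attributes for investigation (copied, see above)
        result = dict(inv._attrs)
        # Add lead alert and associated vendor alerts
        if inv.lead_expel_alert:
            result['lead_expel_alert'] = _alert_with_vendor_alerts(inv.lead_expel_alert)
        # Add other alerts
        if inv.expel_alerts:
            result['expel_alerts'] = [_alert_with_vendor_alerts(ea) for ea in inv.expel_alerts]
        for entry in relationships:
            # getattr replaces eval('inv.' + entry): same attribute lookup, no code evaluation.
            related = getattr(inv, entry)
            if isinstance(related, list):
                result[entry] = [item._attrs for item in related]
            elif related is None:
                # Absent relationship; previously this path read a stale loop variable.
                result[entry] = None
            else:
                result[entry] = related._attrs
        results.append(result)
    return results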
def test_module_command(xc):
if xc.investigations.filter_by(limit=0):
return 'ok'
def get_investigations_command(xc, args):
    '''
    XSOAR command handler: fetch investigations using every non-empty argument as a filter.

    :param xc: An authenticated WorkbenchClient.
    :param args: Command arguments; keys whose value is falsy are dropped.
    :type args: dict
    :return: The list of investigation dicts from ``get_results``.
    '''
    active_filters = {name: value for name, value in args.items() if value}
    return get_results(xc, active_filters)
def fetch_incidents_command(xc, args):
    '''
    XSOAR fetch-incidents handler: turn investigations created after
    ``args['created_at_gt']`` into incident dicts.

    :param xc: An authenticated WorkbenchClient.
    :param args: Filter arguments; ``created_at_gt`` must be present, and nothing is
        fetched when it is falsy.
    :type args: dict
    :return: Incident dicts with ``name``, ``occurred`` and ``rawJSON`` keys.
    :rtype: list[dict]
    '''
    if not args['created_at_gt']:
        return []
    found = get_investigations_command(xc, args) or []
    return [
        {
            'name': investigation['short_link'] + ' - ' + investigation['title'],
            'occurred': investigation['created_at'],
            'rawJSON': json.dumps(investigation),
        }
        for investigation in found
    ]
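def main():
    '''
    XSOAR integration entry point: read params/args, build the Workbench client and
    dispatch ``test-module``, ``fetch-incidents`` or one of the named commands.
    Failures are reported through ``return_error`` instead of an unhandled traceback.
    '''
    params = demisto.params()
    args = demisto.args()
    # Remove trailing slash to prevent wrong URL path to service
    server_url = params['url'][:-1] if (params['url'] and params['url'].endswith('/')) else params['url']
    token = params.get('token')
    first_fetch_time = params.get('first_fetch_time')
    command = demisto.command()
    demisto.info(f'Command being called is {command}')
    commands = {
        'expel-get-investigations': get_investigations_command,
    }
    try:
        xc = WorkbenchClient(server_url, token=token)
        if command == 'test-module':
            return_results(test_module_command(xc))
        elif command == 'fetch-incidents':
            last_run = demisto.getLastRun().get('start_time')
            if last_run:
                args['created_at_gt'] = last_run
            else:
                # First run: look back first_fetch_time days. Rendered with DATE_FORMAT so the
                # filter value has the same shape as the stored last_run string.
                lookback = datetime.utcnow() - timedelta(days=int(first_fetch_time))
                args['created_at_gt'] = lookback.strftime(DATE_FORMAT)
            # DATE_FORMAT ends in 'Z' (UTC), so the timestamp must be taken in UTC; local
            # time labelled as UTC would shift the next fetch window by the zone offset.
            # Taken before the fetch so a slow fetch cannot open a gap.
            start_time = datetime.utcnow().strftime(DATE_FORMAT)
            incidents = fetch_incidents_command(xc, args)
            demisto.setLastRun({'start_time': start_time})
            demisto.incidents(incidents)
        elif command in commands:
            # return_results takes one argument and handles a list itself; star-unpacking
            # the result list only worked when exactly one investigation came back.
            return_results(commands[command](xc, args))
    except Exception as e:
        return_error(f'Failed to execute {command} command. Error: {e}')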
# XSOAR executes integration code under a builtins module name, hence the extra names.
if __name__ in {'__main__', '__builtin__', 'builtins'}:
    main()