Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the FireEye HX console.
- Navigate to Admin > Appliance Settings.
- Click User Accounts on the left.
- For Username add Expel.
- Ensure the Role is set to Admin.
- Enter a Password.
Step 2: Generate API credentials
To integrate the technology with Expel, we need to create secure credentials for the API. Depending on the permissions allowed in Step 1, Expel may be able to generate API credentials. If you're unsure, reach out to your Expel Customer Success Engineer, or email email@example.com.
This procedure creates an authentication token that allows the Expel Assembler to access the FireEye HX API.
- Go to the User Accounts section.
- For Username add expelapi.
- Make sure the Role is set to API Admin.
- Type a Password.
- Click Add User.
Step 3: Configure the technology in Workbench
Now that we have configured the correct access and noted the credentials, we can integrate FireEye HX with Expel.
Register device in Expel Workbench
- In a new browser tab, log into https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, select Add Security Device.
- Search for and select FireEye HX.
- Select an Assembler from the list with network connectivity to the FireEye HX device. Select the assembler you set up in Step 2 of the Getting Started with Expel guide.
- For Name type the hostname of the FireEye HX device.
- For Location type the geographic location of the appliance.
- For Server address type the FireEye HX device IP and communications port in the following format: https://<serverip>:3000. Find the Device IP in the FireEye console > Admin > Appliance Settings > Network.
- For API Password and API Username type the API Admin credentials previously created in the FireEye console in Step 2.
- In the optional Console Login section, for Username and Password, type the Admin credentials created in the FireEye console in Step 1.
- Click Save.
After a few minutes, refresh the Security Devices page. The device status should report as Healthy; if there is an issue, the page shows details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.
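If the device does not report as Healthy, the Server address format from Step 3 and the API account from Step 2 can be checked from a host on the same network path as the Assembler. The script below is an added example, not Expel or FireEye code. It assumes the HX REST API v3 token endpoint `/hx/api/v3/token` and its `X-FeApi-Token` response header, neither of which is stated on this page, and its function names are hypothetical.

```python
import base64
import ipaddress
import urllib.request
from urllib.parse import urlsplit

TOKEN_PATH = "/hx/api/v3/token"  # assumption: HX REST API v3 token endpoint


def normalize_server_address(addr: str) -> str:
    """Accept only the https://<serverip>:<port> form the guide asks for."""
    parts = urlsplit(addr.strip())
    if parts.scheme != "https":
        raise ValueError("server address must start with https://")
    if parts.port is None:
        raise ValueError("server address must include the port, e.g. :3000")
    if parts.username or parts.password or parts.path not in ("", "/") or parts.query:
        raise ValueError("server address must be only https://<serverip>:<port>")
    ip = ipaddress.ip_address(parts.hostname or "")  # ValueError if not an IP
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"https://{host}:{parts.port}"


def build_token_request(base: str, user: str, password: str) -> urllib.request.Request:
    """GET with HTTP Basic auth; credentials travel in a header, never in the URL."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(base + TOKEN_PATH, method="GET",
                                  headers={"Authorization": f"Basic {cred}"})


def api_login_works(base: str, user: str, password: str, timeout: float = 10) -> bool:
    """True if the appliance issues a session token; the token is released again."""
    # TLS verification stays on: the appliance certificate must chain to a trusted CA.
    with urllib.request.urlopen(build_token_request(base, user, password), timeout=timeout) as resp:
        token = resp.headers.get("X-FeApi-Token")  # assumption: token header name
    if not token:
        return False
    # Release the session so the check leaves no live token behind.
    logout = urllib.request.Request(base + TOKEN_PATH, method="DELETE",
                                    headers={"X-FeApi-Token": token})
    urllib.request.urlopen(logout, timeout=timeout).close()
    return True


if __name__ == "__main__":
    import getpass, sys  # usage: script.py https://<serverip>:3000 expelapi
    base = normalize_server_address(sys.argv[1])
    ok = api_login_works(base, sys.argv[2], getpass.getpass("API password: "))
    print("API login OK" if ok else "no token returned")
```

A rejected password surfaces as `urllib.error.HTTPError`, and an unreachable port as `urllib.error.URLError`, which separates a credential problem from a connectivity problem.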