Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
- Navigate to Corp Manage and click Corp Users.
- Click Add user.
- Type the email address listed below, then select the User role and the site memberships Expel should watch.
- Email: soc+<company_name>@expel.io
- Role: User
- Click Invite User.
- After the user is invited, notify your Expel Engagement Manager to expect an email for account activation and password setup.
Step 2: Enable API Access for Expel
To integrate the technology with Expel, we need to create API credentials. Depending on the permissions granted in Step 1, Expel may be able to generate the API credentials itself. If you're unsure, reach out to your Expel Customer Success Engineer, or email firstname.lastname@example.org.
- Go to My Profile and select API Access Tokens.
- Click Add API access token.
- Type Expel API as the name and click Create API access token.
- Copy the Token value and save it for later.
- Click Continue to finish creating the access token.
Step 3: Configure the technology in Workbench
Now that we have all the correct access configured, we can integrate Signal Sciences with Expel Workbench.
Register device in Expel Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select Signal Sciences.
- For Name type Signal Sciences, and for Location type Cloud.
- For Username type the user created in Step 1.
- For API key enter the access token generated in Step 2.
- For Server address enter the hostname of the Signal Sciences dashboard.
- In the optional Console Login section, the Username and Password fields can be filled in with the username and password created in Step 1.
- Click Save.
After a few minutes, refresh the Security Devices page; your device status should report as Healthy, or, if there is an issue, the details of that issue are shown.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.
Step 4: Deployment of Expel Custom Rules
Expel maintains a set of custom rules focused on detecting post-exploitation web activity. These rules are not configured to block traffic. They are not automatically deployed when the Signal Sciences application is onboarded in Workbench. To deploy the Expel custom rules to your Signal Sciences instance, complete the following steps:
- Send an email to the Signal Sciences TAM team (email@example.com) giving written approval to deploy the Expel custom rules to your instance. See the email template below.
Hi Signal Sciences TAM team,
This email is our written approval for you to deploy the Expel custom WAF rules. Please clone the advanced rule named "Send POST body and Query Values" from the Expel WAF deployment to our WAF deployment in the enabled state for all sites.
- After advanced logging is enabled, Expel creates the items listed below on all sites. Creation of the items requires at least “User” level access to the Signal Sciences application. If the Expel user has “Observer” level access, then schedule a time with your engagement manager to temporarily increase the Expel account’s privileges to “User” level. The Expel Detection & Response Engineering team will deploy the content.
- A new Site Signal named “expel-alert”.
- A new Site Alert named “Expel Webshell Alert”.
- New Site Rules that make up the Expel custom ruleset.
More details on our ruleset can be found here: https://expel.io/blog/better-web-shell-detections-with-signal-sciences-waf/
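As an added pre-flight check (not part of this guide or of either vendor's tooling), the script below confirms that the Step 1 user and Step 2 token are accepted by the API before you enter them in Workbench, and applies the "User" vs "Observer" role caveat from Step 4 to a corp-user lookup. It assumes the Signal Sciences API base URL, the x-api-user/x-api-token headers, the role names and the "role" JSON field named in the comments; the function names and sample responses are ours.

```shell
#!/bin/sh
# Added pre-flight check (not Expel's or Signal Sciences' own tooling).
# ASSUMPTIONS: the Signal Sciences REST API lives at
# https://dashboard.signalsciences.net/api/v0 and authenticates with the
# x-api-user / x-api-token headers; corp roles are owner/admin/user/observer
# and a corp-user object carries a "role" field. Override SIGSCI_API if your
# dashboard hostname (Step 3, Server address) differs.
SIGSCI_API="${SIGSCI_API:-https://dashboard.signalsciences.net/api/v0}"

# classify_status: turn the HTTP status of a test call into a verdict that
# points back at the onboarding step most likely to be wrong.
classify_status() {
  case "$1" in
    200) echo "ok: token accepted" ;;
    401) echo "fail: credentials rejected (re-check the Step 2 token and the Step 1 email)" ;;
    *)   echo "fail: unexpected HTTP status $1" ;;
  esac
}

# check_token: call the API with the Step 1 user and Step 2 token before
# entering them in Workbench. Only the status code is inspected; the token
# itself is never printed.
check_token() {
  user="$1"; token="$2"
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "x-api-user: $user" -H "x-api-token: $token" "$SIGSCI_API/corps")
  classify_status "$status"
}

# role_allows_deploy: given the JSON of a corp-user lookup, succeed only if
# the role can create Site Signals, Site Alerts and Site Rules (Step 4 needs
# at least "User"; "Observer" is read-only).
role_allows_deploy() {
  role=$(printf '%s\n' "$1" | sed -n 's/.*"role" *: *"\([^"]*\)".*/\1/p' | head -n 1)
  case "$role" in
    owner|admin|user) return 0 ;;
    *)                return 1 ;;
  esac
}

# Constructed sample responses (not real API output) for an offline dry run.
SAMPLE_USER='{"email":"soc+example@expel.io","role":"user"}'
SAMPLE_OBSERVER='{"email":"soc+example@expel.io","role":"observer"}'

# Usage: sh sigsci_preflight.sh <x-api-user email> <api token>
if [ "$#" -eq 2 ]; then
  check_token "$1" "$2"
fi
```

Run it with the Step 1 email and the Step 2 token as arguments; a 401 before Workbench is configured is cheaper to debug than an Unhealthy device afterwards.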