Step 1: Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the CB Defense console.

Create an analyst account

1. Navigate to gear icon on left side and click Users. Then click Add User on the top right of the screen.
   
2. For First name type Expel.
   
   
   • For Last name type SOC.
   • For Email type soc+<client name>@expel.io.
   • For Role select Level 2 Analyst.
   • Click Save.

Step 2: Generate API credentials and SIEM access

To integrate the technology with Expel, we need to create secure credentials to the API. Depending on the permissions allowed in Step 1, Expel may be able to generate API credentials. If you're unsure, reach out to your Expel Customer Success Engineer, or email customerhealth@expel.io.

This procedure creates an authentication token that allows the Expel Assembler to access the CB Defense API and SIEM.

Obtain the API and SIEM key for the Expel account

1. Navigate to gear icon on the left side and click API Keys then click ADD API Keys.
   
2. For Name type Expel. 
   
   
   • • For Access Level select API.
     • For Authorized IP address, type the IP address of the externally facing IP of the Expel Assembler. If you're unsure, the following code can be run on the Assembler to list the current IP: curl -s http://ipchicken.com | egrep -o ‘([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}’
     • Click Save.
3. For SIEM access, follow the same steps above and select SIEM for Access level.
4. Make note of the API, SIEM API, and API IDs for each which is used in Step 3 for registration within Expel Workbench.

Subscribe to notifications

1. Navigate to the gear icon on the left side, click Notifications, then click ADD NOTIFICATION.  
2. For Name type Expel Threat.
   
3. For Notify when select Threat and select Alert priority 3.
4. For Policy select All Policies.
5. Click in Search for API field and search for the SIEM API Key created for Expel in Obtain the API and SIEM key for the Expel account.
6. Click Save.

Step 3: Configure the technology in Workbench

Now that we have all the correct access configured and noted the credentials, we can integrate CB Defense with Expel.  

Register device in Expel Workbench

1. In a new browser tab, login to https://workbench.expel.io. 
2. On the console page, navigate to Settings and click Security Devices.
3. At the upper right of the page, select Add Security Device.
4. Search for and select CB Defense.
   
5. Complete all fields using the credentials and information you collected in Step 1 and Step 2.
   
6. Select an Assembler from the list. Select the assembler you set up in Step 2 of the Getting  Started with Expel guide.
7. Enter Assembler Name and Location. For example: CB Defense and Expel Lab.
   
   
   • • For Server address enter the URL for the Cb Defense server, including the port.
     • For SIEM key, enter the SIEM API Key generated in Step 2.
     • For API connect, enter API ID generated in Step 2.
     • For SIEM connect, enter SIEM’s API ID generated in Step 2.
     • For API key enter the API generated in Step 2.
     • Username and Password fields are optional and can be left blank.
8. Click Save.

After a few minutes, refresh the Security Devices page and you see your device status reporting as Healthy, or if there is an issue, you see details of what the issue may be.

To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.