This article helps you set up Auto Host Containment inside Expel Workbench™.
Expel provides remediation actions when we’re investigating an incident in your environment. Some actions are automated and others require you to take action. This article outlines how it works and how to set up automated host containment.
Remediation actions in Expel Workbench
When the Expel SOC creates a remediation action in Workbench, Workbench carries out that action inside your vendor technology, provided the integration meets the setup requirements described in Workbench. If Workbench can't complete the remediation, the action is assigned to you for completion. For any of this to work, Expel needs the appropriate permissions to perform the actions in your tool.
How to set up host containment
Step 1: Allow appropriate permissions in your EDR console
- Ensure all API permissions from the Getting Started guide are set up.
- Enable both read and write permissions for Hosts for the Expel API client (write access is what allows Workbench to contain a host).
Step 2: Provide one of the following lists (not both) to Expel as a .csv file
- Host names you want Expel to automatically contain.
- Host names you don't want Expel to automatically contain.
We'll take this list of hosts and upload it to Workbench as context for you to select from.
Step 3: Add your hosts to the only/never contain list and enable the feature
Only Organization Admins can configure Auto Host Containment for your organization in Expel Workbench and enable the feature. This includes setting up the never-contain or only-contain list that Expel works from.
Step 4: Verify notification settings
Ensure you enable notifications for Remediation Actions assigned to your organization and Automated Remediation Actions in your Workbench settings.
How it works
During an investigation, our SOC analysts identify hosts to contain and create a remediation action in Workbench. If the host is eligible for automatic containment under your list (it is on your only-contain list, or it is absent from your never-contain list), Workbench completes the action automatically. If the host isn't eligible, we assign the action to your team and notify you based on your notification preferences.
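The following Python script is an added example, not Expel's code, that models the decision described above: it parses the one-column .csv from Step 2 and shows how the outcome inverts between an only-contain list and a never-contain list, and that a disabled feature always assigns the action to your team. Hostname normalisation (case-insensitive, trailing dot and surrounding whitespace ignored) and the `hostname` header row are assumptions; this page does not document how Workbench matches names.

```python
"""Model of the Auto Host Containment decision (added example, not Expel's code)."""
import csv
import io
from dataclasses import dataclass
from typing import FrozenSet, Literal

ListMode = Literal["only", "never"]


def normalize_host(name: str) -> str:
    # Assumption: matching ignores case, surrounding whitespace and a trailing dot.
    # Workbench's real matching rule is not documented on this page.
    return name.strip().rstrip(".").lower()


def load_host_list(csv_text: str) -> FrozenSet[str]:
    """Parse the one-column .csv handed to Expel in Step 2.

    Blank lines are skipped, an optional 'hostname'/'host' header row is
    dropped (assumed convention), and duplicates collapse into one entry.
    """
    hosts = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue  # blank line
        cell = row[0].strip()
        if cell.lower() in ("hostname", "host"):
            continue  # header row
        hosts.add(normalize_host(cell))
    return frozenset(hosts)


@dataclass(frozen=True)
class ContainmentPolicy:
    mode: ListMode           # "only" = only-contain list, "never" = never-contain list
    hosts: FrozenSet[str]    # the uploaded list, already normalised
    enabled: bool = True     # the feature toggle set by an Organization Admin

    def decide(self, host: str) -> str:
        """Return 'auto' if Workbench would contain the host itself,
        or 'assign' if the action would be assigned to the customer's team."""
        if not self.enabled:
            return "assign"
        listed = normalize_host(host) in self.hosts
        if self.mode == "only":
            # only-contain: listed hosts are automated, everything else is assigned
            return "auto" if listed else "assign"
        # never-contain: listed hosts are assigned, everything else is automated
        return "assign" if listed else "auto"


# Constructed sample .csv (hostnames are made up; includes a header, a blank
# line, mixed case and a trailing dot to exercise the normalisation).
SAMPLE_CSV = """hostname
WS-FIN-01.corp.example
ws-fin-02.corp.example

dc01.corp.example.
"""


def demo() -> dict:
    hosts = load_host_list(SAMPLE_CSV)
    only = ContainmentPolicy("only", hosts)
    never = ContainmentPolicy("never", hosts)
    disabled = ContainmentPolicy("only", hosts, enabled=False)
    return {
        "parsed": sorted(hosts),
        "only_listed": only.decide("ws-fin-01.corp.example"),
        "only_unlisted": only.decide("laptop-77.corp.example"),
        "never_listed": never.decide("DC01.corp.example"),
        "never_unlisted": never.decide("laptop-77.corp.example"),
        "disabled": disabled.decide("ws-fin-01.corp.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is the inverted meaning of "not on the list": with an only-contain list, an unlisted host is safe from automation, while with a never-contain list an unlisted host is contained automatically. Review which mode you chose before enabling the feature, since a never-contain list that omits a domain controller or other critical server leaves it eligible for automatic isolation.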