Cybereason REST APIs use an auth token to make authorized calls to the API. Expel uses Cybereason REST APIs to access resources through URI paths. You need to generate an API key and an Application key.

Step 1: Generate user credentials


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In the Cybereason UI, navigate to the User screen.

  2. Click Create New User. The Create New User screen appears.

  3. Type the required details.

    • Username: an email address. Make note of this for later use.

    • Password: a password. Make note of this for later use.

    • Change password on next login: don't select this.

    • Enable Two Factor Authentication (TFA): don't select this.

    • Custom roles: select Analyst and L3.

    • Predefined roles: select API User.

Step 2: Configure the technology in Workbench

  1. In a new browser tab, log into

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click Add Security Device.

  4. Search for and select your technology, Cybereason.

  5. Complete all fields using the credentials and information you collected in Step 1.

    • For Name, type the host name of the device.

    • For Location, type the geographic location of the appliance.

    • For Username, type the username generated in Step 1.

    • For Password, type the password generated in Step 1.

    • For Server URL, type the Cybereason device address.

  6. You can provide console access now or set it up later. Use the instructions below to set it up later.

