This guide supports an optional feature as part of the larger setup process in Enable an Auto Remediation in Workbench.

If you opt to enable manual fallback, in the event that an automated action fails and Expel has console access, our SOC will attempt to manually perform hands-on remediation on your behalf. 

The manual fallback option is available to customers who have purchased Expel's Pro Support or MDR Premium Pro tier and have enabled a supported auto remediation. If you don't have access to certain auto remediation components and would like to, contact your Customer Success Manager (CSM) or Support. Manual fallback is supported for one security device per auto remediation.

This option is available for the following auto remediations:

To enable manual fallback:

  1. Select the device on which you'd like to configure manual fallback.
  2. In the Recommended actions field, provide specific instructions for any unique workflows or setup that SOC analysts may need to perform remediation actions in your environment. This text will be sent to the SOC analyst when manual fallback is required to help them successfully perform the response in your console.

    Note
    If you have "Auto-Remediation Failed" notifications enabled on a device configured for manual fallback, the notifications will include contextual text indicating if a manual fallback is underway for that specific failed remediation.

Required Permissions

Depending on the technology, Expel may require more than console access to support manual fallback. Please review the requirements below to ensure Expel has access to perform remediation when needed.


Cortex XDR: Contain Hosts

The Palo Alto Networks Cortex XDR Pro setup guide provides the necessary permissions within the console access section (Privileged Security Admin role). Ensure your configuration includes this role.


CrowdStrike: Contain Hosts

Expel requires permissions beyond those included in the CrowdStrike Falcon Insight XDR setup guide. To enable manual fallback, log into your CrowdStrike Falcon console and update the API client so that the API scopes for Hosts and Real Time Response are set to Read/Write. These scopes allow Expel to view hosts and perform critical actions such as Network Containment and Remove from Containment.


Microsoft Defender for Endpoint: Contain Hosts

If you chose Option 1: Basic AAD Permissions during setup, ensure you have granted full access, which Expel requires to complete manual fallback.

If you chose Option 2: RBAC Permissions during setup, ensure that you have granted the following permissions depending on your technology:

Microsoft Defender for Endpoint
  1. Active remediation actions (all)
Microsoft Defender XDR
  1. Security operations \ Security data \ Response (manage)
  2. Security operations \ Advanced live response (manage)

After you have completed the above, refer back to Step 2.7 of Enable an Auto Remediation in Workbench to finish configuring the auto remediation.