Org Context refers to stored reference information about your environment that you are able to manage. You can add or edit this information on the Org Context page (Organization Settings > Context).
Prerequisites
- You must be an organization admin in Workbench to add Org Context.
Quick Links
- Why Add Org Context
- Types of Org Context
- Which Org Context is Most Helpful to the SOC?
- Add Org Context
- Edit Org Context
- Delete Org Context
- CSV Troubleshooting
Why Add Org Context
When an Investigation becomes flagged as an incident, Expel must do some work on your behalf to contain or resolve the issue. To do this, we perform a number of Investigative Actions that sometimes result in us asking you to complete a manual verification of some kind (received by you as a Verify Action).
Adding reference information as Org Context can eliminate some of these Verify Actions, because we can refer to it during all of our investigative activities to see if the answer to a manual verification question has already been provided. The more Org Context you add, the fewer Verify Actions will be needed from you, and the more efficiently our SOC analysts can act when an incident occurs.
We encourage you to add as much reference information for each type of Org Context as you can during your onboarding, and to actively maintain it over time. However, some types of Org Context are more useful to our SOC than others, so you should focus on those types if your ability to perform this task is limited.
Types of Org Context
We currently support all of the following types of Org Context:
| Context Type (select it from the dropdown menu in Workbench) | Examples (enter this type of reference information) |
|---|---|
| cidr_block | |
| domain | |
| email_address | |
| file_hash | |
| hostname | |
| ip_address | |
| port | |
| url | |
| username | |
| other (string) | |
| other (integer) | |
The Type column in your CSV file (if doing a batch upload) must contain only one of these types, and it must match exactly. Example: a type entered as email address will fail upon upload; it must be entered as email_address (with an underscore). If you need to upload batches of multiple types of context, you must upload separate CSV files for each type.
Which Org Context is Most Helpful to the SOC?
Adding as much Org Context as possible when you onboard is the most helpful option, but if you have limited time, focus on adding the following:
| Context | Explanation |
|---|---|
| Executives at your organization | Helps our SOC understand which users are of highest risk at your organization. |
| Approved applications | Helps our SOC understand which applications are approved and normal in your environment. |
| Network IP ranges | Helps our SOC understand normal network behavior. |
| Approved security tools | Helps our SOC understand which security tools are approved and normal in your environment. |
Add Org Context
Org Context can be added by you or it may be added proactively by our SOC analysts. Here are our recommendations for how to choose your method:
- If you have a single piece of Org Context to add:
  - Follow the Wizard instructions.
  - Choose the Simple form in step 8.
- If you have multiple pieces of Org Context to add and you want a single unique name to reference the full list:
  - Follow the Wizard instructions.
  - Choose the Advanced form in step 8.
  - You must complete the Wizard for each type of context, as each list and unique name can only reference one context type.
- If you have only a few pieces of Org Context to add and you want a unique name for each one:
  - Follow the Wizard instructions.
  - Choose the Simple form in step 8.
  - You must complete the Wizard for each piece of context, and choose a unique name for each one.
- If you have extensive Org Context to add and you want each piece of context to have its own unique name:
  - Follow the Batch Upload instructions.
  - Make sure to download the CSV template file and use it for your data.
  - You must use separate CSV files for each type of context.
Note
You are also able to add some Org Context during your initial onboarding through the Welcome screen.
Wizard
The wizard option lets you add one or more pieces of context, either with a 1:1 relationship to a name (Simple form) or a 1:many relationship where a single name references a list of context values (Advanced form).
1. Log in to Workbench.
2. In the side menu, navigate to Organization Settings > Context.
   - If you have multiple organizations, be sure to also select the organization using the top dropdown menu.
3. Select the All context hyperlink.
4. Select Add Context.
5. Decide whether or not you would like to add detection tag(s) for this piece of context.
   - Detection tags are solely used by the detection engine to give it additional information that helps it act more quickly on the associated context.
   - Detection tags that are added here cannot be changed later.
   - Select Do not add detection tags if you do not want to add any tags for the detection engine.
   - Select Add detection tags to add tags for the detection engine, and then select one or more tags from the dropdown list (the available tags are managed by our SOC and cannot be edited by you).
6. Select Next.
7. Enter a unique name for your context.
8. Decide whether to continue with the Simple form or select the Advanced form.
   - The Simple form is appropriate for a single piece of reference information of a single type that you wish to add in a 1:1 relationship with a single unique name (specified in step 7).
   - The Advanced form is appropriate for multiple pieces of reference information of a single type that you wish to add in a many:1 relationship to a single unique name (specified in step 7).
9. Select a context type from the dropdown list.
10. Enter or copy/paste in your context value(s). If using the Advanced form, you will have the option to paste in a list (make sure to use a line break between values).
11. Select a category (optional).
    - Context categories are tags that are used in Workbench for grouping purposes, and do not impact the detection engine.
    - You can add new categories from this page by selecting the Manage categories link.
12. Add a description (optional) that helps you quickly understand what the context is (example: "This is the CEO's email.").
13. Select Save.
14. Repeat this process if you have additional context types to add.
Batch Upload (CSV)
The batch upload option lets you quickly add multiple pieces of Org Context of the same type, each with a unique name. You must use a separate CSV file for each type of context.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Context.
  - If you have multiple organizations, be sure to also select the organization using the top dropdown menu.
- Select the All context hyperlink.
- Select Add Context.
- Select the Upload a CSV hyperlink.
- First, download a template file. Choose the CSV option if you are using a non-Microsoft program like Google Sheets.
- Next, create your CSV file using the template and save it locally (if using Excel, the file format must be saved as .csv). Make sure you only have one type of Org Context in your CSV file.
- Then, select Attach File and locate your CSV file.
- Select Save.
- Repeat this process if you have additional context types to add.
- If you experience any issues with your file upload, refer to the CSV Troubleshooting section for help.
Edit Org Context
You must edit each piece of Org Context individually through Workbench; you cannot perform edits via a CSV file.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Context.
  - If you have multiple organizations, be sure to also select the organization using the top dropdown menu.
- Select the All context hyperlink.
- Locate the piece of context you wish to edit. If you have a long list, you can filter in any column (some columns will allow filtering by a string, some will allow filtering by other criteria).
- Use the dropdown menu to select Edit.
- Make your edits, then select Save to save the changes.
Delete Org Context
You can only delete Org Context if it is not currently in use by Expel. If it is currently in use, you will be alerted during the deletion process and will not be able to complete the action.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Context.
  - If you have multiple organizations, be sure to also select the organization using the top dropdown menu.
- Select the All context hyperlink.
- Locate the piece of context you wish to delete. If you have a long list, you can filter in any column (some columns will allow filtering by a string, some will allow filtering by other criteria).
- Use the dropdown menu to select Delete.
- If you receive a message that the context is in use and you still wish to delete it, contact support for assistance.
CSV Troubleshooting
If you are having trouble uploading your Org Context via a CSV file, it is almost always due to a formatting issue. Here are some things to check:
- Make sure each entry in the Name column is unique - both to the CSV file and to any other context you have already added to Workbench.
- Make sure you have used a supported type, and that the type is entered correctly in the Type column (for example, a type entered as "email address" will fail upon upload; it must be entered as "email_address"); refer to the list of types for help with formatting.
- Make sure you have only chosen one type per CSV file, as you must use separate CSV files for different types of Org Context.
- Make sure you do not have any leading zeros in your IP address or CIDR block values (e.g. 1.2.03.4 or 01.2.3.4).
- Make sure you have entered a supported value for your chosen type. Accepted values for each type are as follows (do not use quotes in the CSV file):
  - cidr_block: cidr
  - domain: string
  - email_address: string
  - file_hash: string
  - hostname: string
  - ip_address: ip_address
  - other: integer or string
  - port: integer
  - url: string
  - username: string
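A local pre-upload check covering the troubleshooting items above, as an added example that is not Expel's code and not Workbench's own validation. The `Value` column header, the function names and the sample rows are assumptions; use the headers from the template file you downloaded.

```python
import csv
import io
import ipaddress

# Type -> accepted value kinds, copied from the troubleshooting list on this page.
ACCEPTED = {t: {"string"} for t in
            ("domain", "email_address", "file_hash", "hostname", "url", "username")}
ACCEPTED.update(cidr_block={"cidr"}, ip_address={"ip_address"},
                port={"integer"}, other={"integer", "string"})
PARSERS = {"cidr": lambda v: ipaddress.ip_network(v, strict=False),
           "ip_address": ipaddress.ip_address, "integer": int, "string": str}
# Constructed sample file (documentation IP ranges), not real Org Context.
SAMPLE = """Name,Type,Value
hq-egress,ip_address,203.0.113.10
branch-egress,ip_address,198.51.100.07
hq-egress,ip_address,192.0.2.44
ceo-mailbox,email address,ceo@example.com"""

def has_leading_zero(value):
    # True if any dotted IPv4 octet is written with a leading zero (01, 03, ...).
    octets = value.split("/")[0].split(".")
    return any(len(o) > 1 and o.startswith("0") for o in octets)

def value_ok(kind, value):
    try:
        PARSERS[kind](value)
        return True
    except ValueError:
        return False

def check_csv(text, existing_names=()):
    """Return problems found in an Org Context CSV ("Value" header is assumed)."""
    problems, seen, types = [], set(existing_names), set()
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name, ctype, value = (row.get(c) or "" for c in ("Name", "Type", "Value"))
        types.add(ctype)
        if name in seen:  # unique within the file and against names already added
            problems.append(f"line {n}: name {name!r} is not unique")
        seen.add(name)
        if ctype not in ACCEPTED:  # must match exactly, e.g. email_address
            problems.append(f"line {n}: unsupported type {ctype!r}")
            continue
        if ctype in ("ip_address", "cidr_block") and has_leading_zero(value):
            problems.append(f"line {n}: leading zero in {value!r}")
        elif not any(value_ok(k, value) for k in ACCEPTED[ctype]):
            problems.append(f"line {n}: {value!r} is not a valid {ctype}")
    if len(types) > 1:  # one context type per CSV file
        problems.append(f"file mixes types: {sorted(types)}")
    return problems
```

Pass the names already present in Workbench as `existing_names` to catch collisions with context added earlier; an empty list returned by `check_csv` means none of these checks failed.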