Expel Destination (Beta)
Configuring Expel as an alert destination in your Panther Console
Overview
Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring Expel as the destination where you will receive alerts.
How to set up an Expel alert destination in Panther
Prerequisite
In Expel Workbench, your user must have organization admin permissions.
Step 1: Create a service user account in Panther
You'll create a service account in Panther and provide its credentials to Expel in a later step. When needed, Expel analysts will use this service account to log in to your Panther Console to investigate alerts.
Follow the Inviting a user to Panther instructions, using the following values:
Email address: enter soc+<your_company_name>@expel.io
First Name: enter Expel
Last Name: enter SOC analysts
Role: select AnalystReadOnly
Step 2: Create an API token in Panther
You'll create an API token in Panther, which you'll provide to Expel in a later step. The API token allows Expel to query additional context after receiving an alert.
Follow the How to create a Panther API token instructions, being sure to select the following permissions:
Read Alerts
View Rules
View Policies
Query Data Lake
View Cloud Security Sources
View Log Sources
Read User Info
Copy the API token and store it in a secure location, as you will need it in the next step.
Step 3: Create a security device in Expel Workbench
In Expel Workbench, you'll create a security device for Panther. This both provides Expel with the Panther service user credentials and API token you created above and generates a webhook URL and credentials, which you'll provide to Panther in the next step.
Log in to https://workbench.expel.io.
Navigate to Settings, then click Security Devices.
At the top of the page, click Add Security Device.
Search for "Panther," then select it.
Fill in the form:
Name: enter a descriptive name, e.g., Panther alerts.
Location: enter a descriptive location, e.g., Expel Lab.
Server: enter your Panther GraphQL API URL.
This value can be found in your Panther Console at the top of the API Tokens page—see Identify your Panther GraphQL API URL for more details.
API Key: enter the API token you created in Step 2.
Console Login: enter the user credentials you used in Step 1.
Click Save.
Locate the newly created Panther security device, and click Edit.
Copy the following values and store them in a secure location, as you will need them in the next step:
Webhook URL
Webhook Username
Webhook Password
Step 4: Configure the Expel alert destination in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Alert Destinations.
Click +Add your first Destination.
If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.
Click Expel.
Fill out the form to configure the Destination:
Display Name: enter a name for your Expel alert destination.
Webhook URL: enter the Webhook URL value you copied from Expel Workbench in Step 3.
Webhook Username: enter the Webhook Username value you copied from Expel Workbench in Step 3.
Webhook Password: enter the Webhook Password value you copied from Expel Workbench in Step 3.
Severity: select the severity level of alerts to send to Expel.
Alert Types: select the alert types to send to Expel.
Log Types: by default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.

Click Add Destination.
On the final page, optionally click Send Test Alert to test the integration. When you are finished, click Finish Setup.
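Before submitting the Step 2 and Step 4 forms, it is worth checking the values you are about to enter: the token should carry exactly the permissions listed in Step 2 (anything extra widens what a leaked token could do), and the webhook URL must be HTTPS and must not carry credentials in the URL itself. The script below is an added example, not Panther or Expel code; the permission names and form fields are the ones from this page, while the dictionary keys, the sample webhook URL and the sample credentials are placeholders constructed for the example.

```python
from urllib.parse import urlparse

# Permissions Step 2 tells you to select for the API token.
REQUIRED_TOKEN_PERMISSIONS = frozenset({
    "Read Alerts",
    "View Rules",
    "View Policies",
    "Query Data Lake",
    "View Cloud Security Sources",
    "View Log Sources",
    "Read User Info",
})

# Severity levels a Panther alert can carry.
PANTHER_SEVERITIES = frozenset({"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"})

# Required fields on the Step 4 form; the snake_case keys are this script's own naming.
REQUIRED_FORM_FIELDS = ("display_name", "webhook_url", "webhook_username", "webhook_password")


def check_token_permissions(granted):
    """Compare a token's granted permissions against the Step 2 list.

    Anything missing breaks Expel's context lookups after an alert;
    anything extra is more than the integration needs.
    """
    granted = set(granted)
    findings = [f"missing permission: {p}" for p in sorted(REQUIRED_TOKEN_PERMISSIONS - granted)]
    findings += [f"extra permission not listed in Step 2: {p}"
                 for p in sorted(granted - REQUIRED_TOKEN_PERMISSIONS)]
    return findings


def check_destination_form(form):
    """Validate the values about to be entered into the Step 4 form."""
    findings = []
    for field in REQUIRED_FORM_FIELDS:
        if not form.get(field):
            findings.append(f"{field} is empty")

    url = urlparse(form.get("webhook_url") or "")
    if url.scheme != "https":
        # The webhook username and password travel with every alert,
        # so the transport has to be TLS.
        findings.append("webhook_url must use https")
    if not url.hostname:
        findings.append("webhook_url has no host")
    if url.username or url.password:
        findings.append("webhook_url embeds credentials; put them in the "
                        "Webhook Username/Password fields instead")

    severities = form.get("severities") or ()
    for sev in sorted(set(severities) - PANTHER_SEVERITIES):
        findings.append(f"unknown severity: {sev}")
    if not severities:
        findings.append("no severity selected; no alerts would be sent")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace them with the ones from Expel Workbench.
    sample_form = {
        "display_name": "Expel SOC",
        "webhook_url": "https://webhook.example.invalid/panther",  # placeholder URL
        "webhook_username": "panther-webhook",                     # placeholder
        "webhook_password": "placeholder-secret",                  # placeholder
        "severities": ["HIGH", "CRITICAL"],
    }
    for finding in check_destination_form(sample_form) + check_token_permissions(REQUIRED_TOKEN_PERMISSIONS):
        print(finding)
```

Run it with the values you intend to paste into the forms; an empty output means the token permissions match Step 2 and the destination form values are usable. Each finding names the field or permission to fix.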
Additional Information on Destinations
For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: Destinations.