Skip to main content

This procedure helps you to connect your Active Directory via SIEM to the Expel Workbench. The procedure is to port in logs by creating a new Syslog source, configuring that source in Workbench, then your Active Directory via SIEM device in Workbench.


Some steps in this procedure vary greatly depending upon the SIEM-based technology you use.

Step 1: Logging Active Directory to a desired SIEM

Refer to your SIEM documentation or work with your SIEM representative to port in Active Directory logs. You can also refer to the following web references for creating a new Syslog source:

Step 2: Configure the SIEM in Workbench

This link opens the Expel Knowledge Base section for connecting SIEM-based technology to Workbench. Follow the applicable article to configure your SIEM-based tech and confirm that Active Directory logs are flowing through and available.

Step 3: Configure Active Directory via SIEM in Workbench

  1. In a new browser tab, go to

  2. Fill in the device fields like this:

    • For SIEM, select the SIEM that was onboarded in step 2.

    • For Name, type the name you want to assign to the security device.

    • For Location, type the location of the logs (Cloud or On Prem).

  3. Fill in the Connection Settings fields based on the SIEM you selected:

    • For Source Category, type the Sumo Logic source category for this device.

    • For Source type, type the Splunk source type for this device.

    • For Server address, type the server address of the vendor's server.

    • For Index, type in the Splunk index where the logs are located. By default this is filled in with a wildcard (*).