Skip to main content


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Darktrace is an Intrusion Detection Device (IDS) that leverages machine learning to detect emerging threats, including insider threats, low-and-slow attacks, and automated viruses.

Step 1: Enable console access

Expel requires a Darktrace user account to review Alerts and Models within the console.

  1. From the menu located at the top left, select Add New User.

  2. Username: Expel.

  3. Password: set a temporary password — this is changed on initial login.

  4. Account Permissions: select all available permissions, except User Admin or Group Admin. These can be left cleared.

Step 2: Generate API credentials

  1. Log into the Darktrace console.

  2. Navigate to Admin > System Config.

    Screen Shot 2021-03-05 at 10.29.52 AM.png
  3. Near the bottom of the page, under API Token, click New.

    Screen Shot 2021-03-05 at 10.30.40 AM.png
  4. The Darktrace system generates a Token and a Private Token. The Private Token can only be seen 1 time after the token pair is initially generated. Make note of the tokens for onboarding in Workbench. The system can only have 1 token pair, so if one already exists and you don't have a record of this, you must generate another token pair.


If a replacement Token pair is generated, other clients using the API must be reconfigured with the new credentials.

Step 3: Configure the technology in Workbench

  1. In a new browser tab, login to

  2. On the console page, click Settings and click Security Devices.

  3. At the top of the page, click Add Security Device.

    Screen Shot 2021-03-05 at 10.31.18 AM.png
  4. Search for and select your technology.

    Screen Shot 2021-03-05 at 10.31.45 AM.png
  5. Select an Assembler from the list. Select the assembler you set up in Getting Connected to Expel Workbench.

    Screen Shot 2021-07-16 at 5.29.17 PM.png
    • Type Name and Location.

    • For Private key, type the private token used to authenticate to the device from Step 2.

    • For Public key, type the API token used to authenticate to the device from Step 2.

    • For Server address, type the server address of the vendor’s server, which must include the port. For example: or