Expel has out-of-the-box integrations with many cloud, endpoint, SaaS, network, and SIEM technologies. This article lists direct and indirect integrations currently in progress, as well as completed integrations. Those not listed as direct require either sending logs to one of our supported SIEMs or network technologies. We also include a list of technologies we can use for hunting.
The integrations available specifically for your organization depend on what your organization purchased. For more information about what your organization purchased, talk to the decision makers at your organization.
Note on Limited Availability: new integrations go through a period of Limited Availability before being made generally available.
Cloud Infrastructure

| Vendor technology | Security signal |
|---|---|
| Amazon Web Services (AWS) | |
| Microsoft Azure | |
| Google Cloud Platform | |
| Lacework (Limited availability) | ✓ |
| Prisma Cloud Compute | ✓ |
Endpoint

| Vendor Technology | Direct | Via SIEM |
|---|---|---|
| Cisco AMP | ✓ | — |
| CrowdStrike Falcon | ✓ | — |
| CyberArk (Limited availability) | — | ✓ |
| Cybereason (Limited availability) | ✓ | — |
| CylancePROTECT AV | ✓ | — |
| Endgame | ✓ | — |
| FireEye HX | ✓ | — |
| Microsoft Defender for Endpoint | ✓ | — |
| Palo Alto Networks Cortex XDR Pro | ✓ | — |
| SentinelOne | ✓ | — |
| Symantec Endpoint Protection | — | ✓ |
| Tanium Core | ✓ | — |
| VMware Carbon Black EDR | ✓ | — |
| VMware Carbon Black Cloud | ✓ | — |
| Wazuh (Limited availability) | ✓ | — |
Network

| Vendor Technology | Direct | Via SIEM |
|---|---|---|
| Active Directory (Limited availability) | — | ✓ |
| Attivo BOTSink | — | ✓ |
| Check Point - AV, Anti-Bot, and IPS (Limited availability) | — | |
| Cisco ASA (Limited availability) | — | |
| Cisco Firepower | — | ✓ |
| Cisco Meraki | — | ✓ |
| Cisco Umbrella | ✓ | — |
| Darktrace | ✓ | — |
| Forcepoint W Filter | — | ✓ |
| Fortinet FortiGate | — | |
| Guardicore (Limited availability) | ✓ | — |
| iBoss (Limited availability) | — | ✓ |
| McAfee IDS (Limited availability) | — | ✓ |
| Netskope SWG | ✓ | — |
| Palo Alto Firewall | ✓ | — |
| Palo Alto Networks Prisma Access | ✓ | — |
| ProtectWise | ✓ | — |
| Signal Sciences WAF | ✓ | — |
| Zscaler¹ | — | |

¹ Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer’s Zscaler instance to a SIEM.
SIEM

| Vendor Technology | Investigative source* | Detection source** |
|---|---|---|
| Azure Log Analytics | ✓ | — |
| Datadog (Limited availability) | ✓ | ✓ |
| DEVO | ✓ | — |
| Elastic (Limited availability) | ✓ | ✓ |
| Exabeam Fusion XDR | ✓ | ✓ |
| Exabeam Fusion SIEM | ✓ | — |
| IBM QRadar | ✓ | ✓ |
| IBM QRadar on Cloud (QRoC) | ✓ | ✓ |
| Microsoft Azure Sentinel | ✓ | ✓ |
| Securonix (Limited availability) | ✓ | ✓ |
| Sumo Logic Cloud SIEM Enterprise | ✓ | ✓ |
| Sumo Logic Enterprise | ✓ | — |
| Splunk Core | ✓ | — |
| Splunk Enterprise Security | ✓ | ✓ |
| Wazuh | ✓ | ✓ |

\* Expel can query this SIEM to get more information to support the investigation of alerts coming from other sources.

\*\* This SIEM generates alerts that Expel can use to add detection value.
UEBA

| Vendor Technology | Direct | Via SIEM |
|---|---|---|
| Netskope CASB (Limited availability) | ✓ | — |
| Proofpoint Insider Threat Management (Limited availability) | — | ✓ |
| Varonis | ✓ | — |
SaaS apps

| Vendor Technology | Direct | Via SIEM |
|---|---|---|
| Box | ✓ | — |
| CyberArk Identity, formerly Centrify (Limited availability) | ✓ | — |
| Dropbox | ✓ | — |
| Duo | ✓ | — |
| GitHub | ✓ | — |
| Google Workspace | ✓ | — |
| Microsoft Azure AD | ✓ | — |
| Microsoft Defender for Cloud Apps - formerly MCAS (includes Defender for Identity) | ✓ | — |
| Microsoft Office 365 (includes Azure AD) | ✓ | — |
| Okta | ✓ | — |
| OneLogin | ✓ | — |
| Ping Identity via Exabeam | — | ✓ |
| SaaS Security formerly Prisma SaaS | ✓ | — |
Hunting

On-prem infrastructure

| Vendor Technology | Yes | Via SIEM |
|---|---|---|
| CrowdStrike Falcon | | |
| Endgame | | |
| Microsoft Defender for Endpoint | ✓ | |
| Palo Alto Networks (Firewall) | | |
| SentinelOne | ✓ | |
| VMware Carbon Black EDR | ✓ | |
| VMware Carbon Black Cloud | ✓ | |

Cloud Infrastructure

| Vendor Technology | Yes | Via SIEM |
|---|---|---|
| Amazon Web Services (AWS) | ✓ | |
| Azure | ✓ | |

SaaS apps

| Vendor Technology | Yes | Via SIEM |
|---|---|---|
| Duo | ✓ | |
| Google Workspace | ✓ | |
| Microsoft Office 365 | ✓ | |
| Okta | ✓ | |
| OneLogin | ✓ | |