Expel has out-of-the-box integrations with many cloud, endpoint, SaaS, network, and SIEM technologies. This article lists direct and indirect integrations currently in progress, as well as completed integrations. Integrations not listed as direct require sending logs through one of our supported SIEMs or network technologies. We also include a list of technologies we can use for hunting.

The integrations available specifically for your organization depend on what your organization purchased. For more information about what your organization purchased, talk to the decision makers at your organization.

Note on Limited Availability: new integrations go through a period of Limited Availability before being made generally available.

Cloud Infrastructure

Vendor technology                 Security signal
Amazon Web Services (AWS)         CloudTrail
                                  CloudWatch
                                  GuardDuty
Microsoft Azure                   Defender for Cloud (formerly Security Center)
                                  Activity Log
                                  Azure AD Sign-ins
                                  Azure AD Identity Protection
Google Cloud Platform             Admin Activity
                                  Event Threat Detection (ETD)
Lacework (Limited availability)   AWS Workload Events
Prisma Cloud Compute              Audit Events

Endpoint

Integration type
Vendor technology                                 Direct   Via SIEM
Cisco AMP                                         Yes
CrowdStrike Falcon                                Yes
CyberArk (Limited availability)                            Splunk
Cybereason (Limited availability)                 Yes
CylancePROTECT AV                                 Yes
Endgame                                           Yes
FireEye HX                                        Yes
Microsoft Defender for Endpoint                   Yes
Palo Alto Networks Cortex XDR Pro                 Yes
SentinelOne                                       Yes
Symantec Endpoint Protection                               Exabeam Fusion SIEM, Splunk, Sumo Logic
Tanium Core                                       Yes
VMware Carbon Black EDR                           Yes
VMware Carbon Black Cloud                         Yes
Wazuh (Limited availability)                      Yes

Network

Integration type
Vendor technology                                           Direct   Via SIEM
Active Directory (Limited availability)                              Splunk, Sumo Logic
Attivo BOTSink                                                       Splunk, Sumo Logic
Check Point - AV, Anti-Bot, and IPS (Limited availability)           Sumo Logic
Cisco ASA (Limited availability)                                     Splunk, Sumo Logic
Cisco Firepower                                                      Splunk, Sumo Logic
Cisco Meraki                                                         Splunk, Sumo Logic
Cisco Umbrella                                              Yes
Darktrace                                                   Yes
Forcepoint W Filter                                                  Exabeam
Fortinet FortiGate                                                   Azure Sentinel, Exabeam Fusion SIEM, Splunk, Sumo Logic, Securonix
Guardicore (Limited availability)                           Yes
iBoss (Limited availability)                                         Splunk
McAfee IDS (Limited availability)                                    Exabeam Fusion SIEM
Netskope SWG                                                Yes
Palo Alto Firewall                                          Yes
Palo Alto Networks Prisma Access                            Yes
ProtectWise                                                 Yes
Signal Sciences WAF                                         Yes
Zscaler [1]                                                          Azure Sentinel, Splunk, Sumo Logic

[1] Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer's Zscaler instance to a SIEM.

SIEM

Type of support
Vendor technology                                         Investigative source*   Detection source**
Azure Log Analytics                                       Yes
Datadog (Limited availability)                            Yes                     Yes
DEVO                                                      Yes
Elastic (Limited availability)                            Yes                     Yes
Exabeam Fusion XDR                                        Yes                     Yes
Exabeam Fusion SIEM                                       Yes
IBM QRadar                                                Yes                     Yes
IBM QRadar on Cloud (QRoC)                                Yes                     Yes
Microsoft Azure Sentinel                                  Yes                     Yes
Securonix (Limited availability)                          Yes                     Yes
Sumo Logic Cloud SIEM Enterprise (Limited availability)   Yes                     Yes
Sumo Logic Enterprise                                     Yes
Splunk Core                                               Yes
Splunk Enterprise Security                                Yes                     Yes
Wazuh                                                     Yes                     Yes

* Expel can query this SIEM to get more information to support the investigation of alerts coming from other sources.

** This SIEM generates alerts that Expel can use to add detection value.

UEBA

Integration type
Vendor technology                                           Direct   Via SIEM
Netskope CASB (Limited availability)                        Yes
Proofpoint Insider Threat Management (Limited availability)          Sumo Logic
Varonis                                                     Yes

SaaS apps

Integration type
Vendor technology                                           Direct   Via SIEM
Box                                                         Yes
CyberArk Identity, formerly Centrify (Limited availability) Yes
Dropbox                                                     Yes
Duo                                                         Yes
GitHub                                                      Yes
Google Workspace                                            Yes
Microsoft Azure AD                                          Yes
Microsoft Defender for Cloud Apps (formerly MCAS)           Yes
  (includes Defender for Identity)
Microsoft Office 365 (includes Azure AD)                    Yes
Okta                                                        Yes
OneLogin                                                    Yes
Ping Identity                                                        Exabeam
SaaS Security (formerly Prisma SaaS)                        Yes

Hunting

Availability

On-prem infrastructure
Vendor technology                       Yes   Via SIEM
CrowdStrike Falcon                            Sumo Logic
Endgame                                 Yes
Microsoft Defender for Endpoint         Yes
Palo Alto Networks (Firewall)                 Azure Log Analytics (ALA), Exabeam Fusion SIEM, Splunk, Sumo Logic
SentinelOne                             Yes
VMware Carbon Black EDR                 Yes
VMware Carbon Black Cloud               Yes

Cloud Infrastructure
Vendor technology                       Yes   Via SIEM
Amazon Web Services (AWS)               Yes
Azure                                   Yes

SaaS apps
Vendor technology                       Yes   Via SIEM
Duo                                     Yes
Google Workspace                        Yes
Microsoft Office 365                    Yes
Okta                                    Yes
OneLogin                                Yes