1. Expel Support Center
  2. Connect your technology
  3. About integrations

Expel integrations guide

Scott Dewbre
  • Updated

Expel has out-of-the-box integrations with many cloud, endpoint, SaaS, network, and SIEM technologies. This article lists direct and indirect integrations currently in progress, as well as completed integrations. Those not listed as direct require either sending logs to one of our supported SIEMs or network technologies. We also include a list of technologies we can use for hunting.

The integrations available specifically for your organization depend on what your organization purchased. For more information about what your organization purchased, talk to the decision makers at your organization.

Note on Early Access: New integrations and features go through a period of Early Access before being made Generally Available.  During Early Access, Integrations and Features are exposed to a wide range of customers, and refinements and fixes are made.

 

Kubernetes

 

Vendor technology Security signal
Amazon Elastic Kubernetes Service (EKS)

YesIcon.png Audit Logs
Google Kubernetes Engine (GKE)

YesIcon.png Audit Logs

 

Cloud Infrastructure

 

Vendor technology Security signal
Amazon Web Services (AWS)

YesIcon.png CloudTrail
YesIcon.png Guard Duty
Microsoft Azure

YesIcon.png Defender for Cloud Apps
YesIcon.png Activity Log
YesIcon.png Azure AD Sign-ins
YesIcon.png Azure AD Identity Protect
Google Cloud Platform

YesIcon.png Admin Activity
YesIcon.png Event Thread Detection (ETD)
Lacework (Early Access) YesIcon.png AWS Workload Events
Prisma Cloud Compute  YesIcon.png Audit Events

 

Endpoint

Integration type

Vendor Technology Direct via SIEM

Cisco AMP

 YesIcon.png

CrowdStrike Falcon

 YesIcon.png

CyberArk PAM

 YesIcon.png Splunk

Cybereason 

 YesIcon.png

CylancePROTECT AV

 YesIcon.png

Endgame

 YesIcon.png

Microsoft Defender for Endpoint

 YesIcon.png

Palo Alto Networks Cortex XDR Pro

 YesIcon.png

SentinelOne

 YesIcon.png

Symantec Endpoint Protection

 YesIcon.png Exabeam Fusion SIEM
YesIcon.png Splunk
YesIcon.png Sumo Logic

Tanium Core

 YesIcon.png

Trellix HX (formerly FireEye HX)

 YesIcon.png
VMware Carbon Black EDR YesIcon.png
VMware Carbon Black Cloud YesIcon.png

Wazuh 

 YesIcon.png

 

Network

Integration type
Vendor Technology Direct via SIEM

Attivo BOTSink

 YesIcon.png Splunk
YesIcon.png Sumo Logic

Check Point - AV, Anti-Bot, and IPS (Early Access)

YesIcon.png Sumo Logic

Cisco ASA (Early Access)

YesIcon.png Splunk
YesIcon.png Sumo Logic

Cisco Firepower

 YesIcon.png Splunk
YesIcon.png Sumo Logic

Cisco Meraki 

 YesIcon.png Splunk
YesIcon.png Sumo Logic

Cisco Umbrella

 YesIcon.png

Darktrace

 YesIcon.png

ExtraHop (Early Access)

 YesIcon.png

Forcepoint W Filter

 YesIcon.png Exabeam

Fortinet FortiGate 

YesIcon.png Azure Sentinel

YesIcon.png Exabeam Fusion SIEM

YesIcon.png Splunk

YesIcon.png Sumo Logic

YesIcon.png Securonix

Guardicore (Early Access)

 YesIcon.png

iBoss (Early Access)

 YesIcon.png Splunk

McAfee IDS (Early Access)

 YesIcon.png Exabeam Fusion SIEM

Netskope SWG

 YesIcon.png

Palo Alto Firewall

 YesIcon.png

Palo Alto Networks Prisma Access

 YesIcon.png

ProtectWise

 YesIcon.png

Signal Sciences WAF

 YesIcon.png

Zscaler1

YesIcon.png Azure Sentinel

YesIcon.png Splunk
YesIcon.png Sumo Logic

1 Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer’s Zscaler instance to a SIEM.

 

SIEM

Type of support
Vendor Technology Investigative source* Detection source**

Azure Log Analytics

 YesIcon.png

Datadog (Early Access)

 YesIcon.png YesIcon.png

DEVO

 YesIcon.png

Elastic 

 YesIcon.png YesIcon.png

Exabeam Fusion XDR

 YesIcon.png YesIcon.png

Exabeam Fusion SIEM

 YesIcon.png

IBM QRadar

 YesIcon.png YesIcon.png

IBM QRadar on Cloud (QRoC)

 YesIcon.png YesIcon.png

Microsoft Azure Sentinel

 YesIcon.png YesIcon.png

Securonix (Early Access)

 YesIcon.png YesIcon.png

Sumo Logic Cloud SIEM Enterprise
(Early Access)

 YesIcon.png YesIcon.png

Sumo Logic Enterprise

 YesIcon.png

Splunk Core

 YesIcon.png

Splunk Enterprise Security

 YesIcon.png YesIcon.png

Wazuh 

 YesIcon.png YesIcon.png

* Expel can query this SIEM to get more information to support the investigations of alerts coming from other sources.

** This SIEM generates alerts that Expel can use to add detection value.

 

UEBA

Integration type
Vendor Technology Direct via SIEM

Proofpoint Insider Threat Management (Early Access)

 YesIcon.png Sumo Logic

S

SaaS apps

Integration type

Vendor Technology Direct via SIEM

Box 

 YesIcon.png
CyberArk Identity (Early Access) YesIcon.png

Dropbox

 YesIcon.png

Duo

 YesIcon.png

GitHub

 YesIcon.png

GitLab (Early Access)

 YesIcon.png

Google Workspace

 YesIcon.png
Microsoft Azure AD YesIcon.png
Microsoft Defender for Cloud Apps - formerly MCAS 
(includes Defender for Identity)  		YesIcon.png
Microsoft Intune (Early Access) YesIcon.png
Microsoft Office 365 (includes Azure AD) YesIcon.png
Netskope CASB YesIcon.png

Okta

 YesIcon.png

OneLogin

 YesIcon.png
Ping Identity via Exabeam YesIcon.png
SaaS Security, formerly Prisma SaaS  YesIcon.png
Salesforce (Early Access) YesIcon.png
Slack (Early Access) YesIcon.png

Varonis  

 YesIcon.png
Workday (Early Access) YesIcon.png

 

Ticketing and notifications systems
Vendor Technology Notifications Ticketing system

Asana

   YesIcon.png

Jira

   YesIcon.png

OpsGenie

 YesIcon.png  

PagerDuty

 YesIcon.png  

Request Tracker for Incident Response

   YesIcon.png

Slack

 YesIcon.png  

ServiceNow

   YesIcon.png

Splunk On-Call

   YesIcon.png

Striven

   YesIcon.png

Teams

 YesIcon.png  

 

Hunting

Availability

On-prem infrastructure

Vendor Technology

Yes

via SIEM

CrowdStrike Falcon (Falcon Data Replicator subscription required)

 

YesIcon.png Sumo Logic

Endgame

YesIcon.png

 
Microsoft Defender for Endpoint YesIcon.png  

Palo Alto Networks (Firewall)

  

YesIcon.png Azure Log Analytics (ALA)
YesIcon.png Exabeam Fusion SIEM
YesIcon.png Splunk  
YesIcon.png Sumo Logic
SentinelOne YesIcon.png  

VMware Carbon Black EDR

 YesIcon.png  

VMware Carbon Black Cloud

 YesIcon.png  

Cloud Infrastructure

Vendor Technology

Yes

Via SIEM

Amazon Web Services (AWS)

 YesIcon.png  
Azure YesIcon.png  

SaaS apps

Vendor Technology

Yes

Via SIEM

Duo

 YesIcon.png  

Google Workspace

 YesIcon.png  

Microsoft Office 365

 YesIcon.png  

Okta

 YesIcon.png  

OneLogin

 YesIcon.png  

 

  • Was this article helpful?

  • 18 out of 18 found this helpful

Related articles