Expel has out-of-the-box integrations with many cloud, endpoint, SaaS, network, and SIEM technologies. This article lists direct and indirect integrations currently in progress, as well as completed integrations. Integrations not listed as direct require sending logs to one of our supported SIEM or network technologies. We also include a list of technologies we can use for hunting.

The integrations available specifically for your organization depend on what your organization purchased. For more information about what your organization purchased, talk to the decision makers at your organization.

Note on Early Access: New integrations and features go through a period of Early Access before being made Generally Available. During Early Access, integrations and features are exposed to a wide range of customers, and refinements and fixes are made.

 

Kubernetes

| Vendor technology | Security signal |
| --- | --- |
| Amazon Elastic Kubernetes Service (EKS) | Audit Logs |
| Google Kubernetes Engine (GKE) | Audit Logs |


Cloud Infrastructure

| Vendor technology | Security signal |
| --- | --- |
| Amazon Web Services (AWS) | CloudTrail; GuardDuty |
| Microsoft Azure | Defender for Cloud Apps; Activity Log; Azure AD Sign-ins; Azure AD Identity Protect |
| Google Cloud Platform | Admin Activity; Event Threat Detection (ETD) |
| Lacework (Early Access) | AWS Workload Events |
| Prisma Cloud Compute | Audit Events |


Endpoint

Integration type

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| Cisco AMP | Yes | |
| CrowdStrike Falcon | Yes | |
| CyberArk PAM | | Splunk |
| Cybereason | Yes | |
| CylancePROTECT AV | Yes | |
| Endgame | Yes | |
| Microsoft Defender for Endpoint | Yes | |
| Palo Alto Networks Cortex XDR Pro | Yes | |
| SentinelOne | Yes | |
| Symantec Endpoint Protection | | Exabeam Fusion SIEM; Splunk; Sumo Logic |
| Tanium Core | Yes | |
| Trellix HX (formerly FireEye HX) | Yes | |
| VMware Carbon Black EDR | Yes | |
| VMware Carbon Black Cloud | Yes | |
| Wazuh | Yes | |


Network

Integration type

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| Attivo BOTSink | | Splunk; Sumo Logic |
| Check Point - AV, Anti-Bot, and IPS (Early Access) | | Sumo Logic |
| Cisco ASA (Early Access) | | Splunk; Sumo Logic |
| Cisco Firepower | | Splunk; Sumo Logic |
| Cisco Meraki | | Splunk; Sumo Logic |
| Cisco Umbrella | Yes | |
| Darktrace | Yes | |
| ExtraHop (Early Access) | Yes | |
| Forcepoint W Filter | | Exabeam |
| Fortinet FortiGate | | Azure Sentinel; Exabeam Fusion SIEM; Splunk; Sumo Logic; Securonix |
| Guardicore (Early Access) | Yes | |
| iBoss (Early Access) | | Splunk |
| McAfee IDS (Early Access) | | Exabeam Fusion SIEM |
| Netskope SWG | Yes | |
| Palo Alto Firewall | Yes | |
| Palo Alto Networks Prisma Access | Yes | |
| ProtectWise | Yes | |
| Signal Sciences WAF | Yes | |
| Zscaler [1] | | Azure Sentinel; Splunk; Sumo Logic |

[1] Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer's Zscaler instance to a SIEM.


SIEM

Type of support

| Vendor technology | Investigative source* | Detection source** |
| --- | --- | --- |
| Azure Log Analytics | Yes | |
| Datadog (Early Access) | Yes | Yes |
| DEVO | Yes | |
| Elastic | Yes | Yes |
| Exabeam Fusion XDR | Yes | Yes |
| Exabeam Fusion SIEM | Yes | |
| IBM QRadar | Yes | Yes |
| IBM QRadar on Cloud (QRoC) | Yes | Yes |
| Microsoft Azure Sentinel | Yes | Yes |
| Securonix (Early Access) | Yes | Yes |
| Sumo Logic Cloud SIEM Enterprise (Early Access) | Yes | Yes |
| Sumo Logic Enterprise | Yes | |
| Splunk Core | Yes | |
| Splunk Enterprise Security | Yes | Yes |
| Wazuh | Yes | Yes |

* Expel can query this SIEM to get more information to support the investigation of alerts coming from other sources.

** This SIEM generates alerts that Expel can use to add detection value.


UEBA

Integration type

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| Proofpoint Insider Threat Management (Early Access) | | Sumo Logic |

SaaS apps

Integration type

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| Box | Yes | |
| CyberArk Identity (Early Access) | Yes | |
| Dropbox | Yes | |
| Duo | Yes | |
| GitHub | Yes | |
| GitLab (Early Access) | Yes | |
| Google Workspace | Yes | |
| Microsoft Azure AD | Yes | |
| Microsoft Defender for Cloud Apps (formerly MCAS; includes Defender for Identity) | Yes | |
| Microsoft Intune (Early Access) | Yes | |
| Microsoft Office 365 (includes Azure AD) | Yes | |
| Netskope CASB | Yes | |
| Okta | Yes | |
| OneLogin | Yes | |
| Ping Identity | | Exabeam |
| SaaS Security (formerly Prisma SaaS) | Yes | |
| Salesforce (Early Access) | Yes | |
| Slack (Early Access) | Yes | |
| Varonis | Yes | |
| Workday (Early Access) | Yes | |


Ticketing and notification systems

| Vendor technology | Notifications | Ticketing system |
| --- | --- | --- |
| Asana | | Yes |
| Jira | | Yes |
| OpsGenie | Yes | |
| PagerDuty | Yes | |
| Request Tracker for Incident Response | | Yes |
| Slack | Yes | |
| ServiceNow | | Yes |
| Splunk On-Call | | Yes |
| Striven | | Yes |
| Teams | Yes | |


Hunting

Availability

On-prem infrastructure

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| CrowdStrike Falcon (Falcon Data Replicator subscription required) | | Sumo Logic |
| Endgame | Yes | |
| Microsoft Defender for Endpoint | Yes | |
| Palo Alto Networks (Firewall) | | Azure Log Analytics (ALA); Exabeam Fusion SIEM; Splunk; Sumo Logic |
| SentinelOne | Yes | |
| VMware Carbon Black EDR | Yes | |
| VMware Carbon Black Cloud | Yes | |

Cloud Infrastructure

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| Amazon Web Services (AWS) | Yes | |
| Azure | Yes | |

SaaS apps

| Vendor technology | Direct | via SIEM |
| --- | --- | --- |
| Duo | Yes | |
| Google Workspace | Yes | |
| Microsoft Office 365 | Yes | |
| Okta | Yes | |
| OneLogin | Yes | |