This page contains a full list of our supported integrations. We connect to these integrations in one of the following ways:

  • Direct (via API)
  • Direct (via a collector)
  • Via a SIEM connection

In cases where the integration is only available via a SIEM connection, all supported SIEMs are listed in the chart. For more information about each integration's detection strategy (including supported versions, platforms, event log sources, detection rules, etc.) refer to the detection strategy guides.

Security Device Integrations

To access an integration's setup guide, select the integration name. Integrations with an asterisk (*) are investigative-only.


Supported Integration | Supported Connection(s)
1Password | Direct (via API)
Abnormal AI | Direct (via API)
Akamai Guardicore Segmentation (formerly Guardicore Centra) | Direct (via API)
Amazon Elastic Kubernetes Service | Direct (via API)
Arista NDR (via Webhook) | Direct (via API)
Aurora Endpoint Security (formerly Cylance PROTECT AV) | Direct (via API)
AWS CloudTrail | Direct (via API)
AWS GuardDuty | Direct (via API)
Box | Direct (via API)
Broadcom Carbon Black Cloud (formerly CB ThreatHunter and CB Defense) | Direct (via API)
Broadcom Carbon Black EDR (formerly CB Response) | Direct (via API)
Broadcom Symantec Endpoint Protection (via SIEM) | Exabeam Fusion New-Scale SIEM, Splunk, Sumo Logic
CatoSASE | Direct (via API)
Check Point AV, Anti-Bot, and IPS (via SIEM) | Sumo Logic
Check Point Quantum Network Security | Direct (via API)
Cisco ASA (via SIEM) | Exabeam Fusion New-Scale SIEM, Splunk, Sumo Logic
Cisco Duo | Direct (via API)
Cisco Firepower (via SIEM) | Exabeam Fusion New-Scale SIEM, Microsoft Sentinel, Splunk, Sumo Logic
Cisco Meraki | Direct (via API)
Cisco Meraki (via SIEM) | Splunk, Sumo Logic
Cisco Secure Endpoint (formerly AMP) | Direct (via API)
Cisco Umbrella | Direct (via API)
Cloudflare WAF* | Direct (via API)
Corelight Open NDR (via Collector) | Direct (via the Splunk Collector)
CrowdStrike Falcon Identity Protection | Direct (via API)
CrowdStrike Falcon Insight XDR | Direct (via API)
CrowdStrike Logscale | Direct (via API)
Cyberark Identity | Direct (via API)
Cyberark Privileged Access Management (PAM) (via SIEM) | Splunk
Cybereason Endpoint Detection and Response (EDR) | Direct (via API)
Darktrace | Direct (via API)
Datadog Observability & Analytics Platform | Direct (via API)
Devo* | Direct (via API)
Dropbox | Direct (via API)
Elastic Elasticsearch | Direct (via API)
Elastic Security | Direct (via API)
Exabeam Fusion New-Scale SIEM Collector | Direct (via API)
Exabeam Fusion SIEM* | Direct (via API)
Exabeam Fusion XDR* | Direct (via API)
Exabeam Threat Center | Direct (via API)
ExtraHop Reveal(x) 360 | Direct (via API)
ExtraHop Reveal(x) Enterprise | Direct (via API)
Fastly Next-Gen WAF (formerly Signal Sciences WAF)* | Direct (via API)
Forcepoint Web Filter (via SIEM) | Exabeam Fusion New-Scale SIEM
Fortinet FortiAnalyzer | Direct (via API)
Fortinet FortiCNAPP (formerly Lacework) | Direct (via API)
Fortinet FortiGate (via SIEM) | Microsoft Sentinel, Securonix, Splunk, Sumo Logic
GitHub | Direct (via API)
GitLab | Direct (via API)
Google Cloud Platform | Direct (via API)
Google Kubernetes Engine | Direct (via API)
Google Security Operations (SecOps) | Direct (via API)
Google Workspace (formerly G Suite) | Direct (via API)
Google Workspace Alert Center | Direct (via API)
LastPass | Direct (via API)
Logz.io* | Direct (via API)
Microsoft 365 | Direct (via API)
Microsoft Azure | Direct (via API)
Microsoft Azure Kubernetes Service | Direct (via API)
Microsoft Azure Log Analytics Collector | Direct (via API)
Microsoft Azure Monitor (formerly Azure Activity logs)* | Direct (via API)
Microsoft Defender for Cloud Apps | Direct (via API)
Microsoft Defender for Endpoint | Direct (via API)
Microsoft Defender for Identity | Direct (via API)
Microsoft Defender XDR | Direct (via API)
Microsoft Entra ID Protection | Direct (via API)
Microsoft Intune | Direct (via API)
Microsoft Sentinel | Direct (via API)
Netskope CASB and Next Gen SWG | Direct (via API)
Okta Auth0 | Direct (via API)
Okta Workforce Identity | Direct (via API)
OneLogin | Direct (via API)
Oracle Cloud Infrastructure | Direct (via API)
Orca Security | Direct (via API)
Palo Alto Networks Cortex XDR Pro | Direct (via API)
Palo Alto Networks Cortex XSIAM | Direct (via API)
Palo Alto Networks Next Gen Firewall | Direct (via API)
Palo Alto Networks SaaS Security (formerly Prisma SaaS) | Direct (via API)
Palo Alto Prisma Cloud Compute (formerly Twistlock) | Direct (via API)
Palo Alto Strata | Direct (via API)
Panther Cloud SIEM | Direct (via API)
PingOne Platform (via Collector) | Direct (via the Splunk Collector or Exabeam Fusion New-Scale SIEM Collector)
Proofpoint Insider Threat Management (via SIEM) | Sumo Logic
Proofpoint TAP for MDR | Direct (via API)
QRadar | Direct (via API)
Qualys VMDR | Direct (via API)
Rapid7 InsightVM | Direct (via API)
Salesforce | Direct (via API)
Securonix Next-Gen SIEM* | Direct (via API)
SentinelOne Singularity Data Lake* | Direct (via API)
SentinelOne Singularity Endpoint | Direct (via API)
SentinelOne Singularity Hologram (formerly Attivo) (via SIEM) | Splunk, Sumo Logic
ServiceNow | Direct (via API)
Slack | Direct (via API)
Snowflake | Direct (via API)
Splunk | Direct (via API)
Splunk Collector | Direct (via API)
Splunk Core Alerts (via Collector) | Direct (via the Splunk Collector)
Sublime Security | Direct (via API)
Sumo Logic Cloud Infrastructure Security* | Direct (via API)
Sumo Logic Cloud SIEM Enterprise | Direct (via API)
Sumo Logic Collector | Direct (via API)
Tanium XEM Core | Direct (via API)
Tenable Vulnerability Management | Direct (via API)
Thales Imperva Cloud Web Application Firewall (formerly Imperva Cloud)* | Direct (via API)
Thales Imperva Web Application Firewall (formerly Imperva SecureSphere)* | Direct (via API)
Trellix Endpoint Security (HX) (formerly FireEye HX) | Direct (via API)
Trend Micro Apex One | Direct (via API)
Varonis SaaS | Direct (via API)
Vectra AI (NDR) | Direct (via API)
Verizon Network Detection and Response (formerly ProtectWise) | Direct (via API)
Wazuh* | Direct (via API)
Wiz | Direct (via API)
Workday | Direct (via API)
Zscaler Internet Access (ZIA) (via SIEM) | Microsoft Sentinel, Splunk, Sumo Logic
Zscaler Internet Access (ZIA) (via Webhook) | Direct (via API)

*Investigative-only

Other Integrations

You can also integrate with certain supported systems or notification methods in Workbench via your Organization Settings.

Method | Usage
Microsoft Teams | To receive messages from Expel, including notifications
Opsgenie | To be notified of incidents in Workbench at a specific Opsgenie destination
PagerDuty | To be notified of important events at a specific PagerDuty destination
Single Sign-On | To log into Workbench using your SSO provider
Slack | To receive messages from Expel, including notifications
Ticketing Systems | To receive a plain text email of your organization's assigned actions in a ticketing destination
Webhooks | To be notified of important events at a specific webhook destination
Wiz | To sync Expel Alerts with the originating Wiz issues