This page includes a complete list of integrations supported by Workbench. More are being added each month (please contact your sales person or Engagement Manager if you do not see what you are looking for). 

Unless otherwise indicated:

  • Expel integrations are direct via API.
    • In the cases where the integration is via SIEM only, all supported SIEMs are listed in the chart. 
  • Expel integrations support both detection (alert ingestion) and investigation (querying for supporting evidence).
    • In the few cases where alerting isn't supported, we can still use the integration to gather investigative evidence.

Cloud

  Vendor Technology (Security Signal):

  • Amazon Elastic Kubernetes Service (EKS): Audit Logs
  • Amazon Web Services (AWS): CloudTrail; GuardDuty; GovCloud CloudTrail (by request only); GovCloud GuardDuty (by request only)
  • Azure Kubernetes Engine (AKS): AuditLogs
  • Cloudflare WAF (for investigative support only)
  • Google Cloud Platform: Admin Activity; Event Threat Detection (ETD)
  • Google Kubernetes Engine (GKE): Audit Logs
  • Lacework: AWS Workload Events
  • Microsoft: Defender for Cloud Apps; Activity Log; Microsoft Entra ID Sign-ins; Microsoft Entra ID Protection
  • Orca Security: Query Alerts Endpoint
  • Palo Alto Networks Prisma Cloud Compute (formerly Twistlock): Audit Events
  • Thales Imperva WAF (for investigative support only)
  • Wiz

Endpoint

  Vendor technology (Integration Type: Direct / via SIEM; supported SIEMs are listed where the integration is via SIEM):

  • Blackberry CylanceENDPOINT (formerly CylancePROTECT AV)
  • Cisco Secure Endpoint (formerly Cisco AMP)
  • CrowdStrike Falcon Elite, Enterprise, and Premium
  • CrowdStrike Falcon Identity Protection (Early Access)
  • CyberArk PAM: via SIEM: Splunk
  • Cybereason
  • Elastic Security (formerly Endgame)
  • Microsoft Defender for Endpoint
  • Palo Alto Networks Cortex XDR Pro
  • SentinelOne
  • Symantec Endpoint Protection: via SIEM: Exabeam Fusion New-Scale SIEM; Splunk; Sumo Logic
  • Tanium XEM Core
  • Trellix Endpoint Security (HX) (formerly FireEye HX)
  • Trend Micro Apex One (Early Access)
  • VMware Carbon Black EDR (formerly CB Response)
  • VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense)
  • Wazuh

Network Integrations

  Vendor Technology (Integration Type: Direct / via SIEM; supported SIEMs are listed where the integration is via SIEM):

  • Akamai Guardicore Segmentation (Early Access)
  • Check Point - AV, Anti-Bot, and IPS (Early Access): via SIEM: Sumo Logic
  • Cisco ASA: via SIEM: Splunk; Sumo Logic; Exabeam Fusion New-Scale SIEM
  • Cisco Firepower: via SIEM: Splunk; Sumo Logic; Exabeam Fusion New-Scale SIEM
  • Cisco Meraki: via SIEM: Splunk; Sumo Logic
  • Cisco Umbrella
  • Darktrace
  • ExtraHop Reveal(x) Enterprise (Early Access); Reveal(x) 360 is not supported
  • Fastly Next-Gen WAF (formerly Signal Sciences WAF)
  • Forcepoint Web Filter: via SIEM: Exabeam
  • Fortinet FortiAnalyzer
  • Fortinet FortiGate: via SIEM: Microsoft Sentinel; Exabeam Fusion New-Scale SIEM; Splunk; Sumo Logic; Securonix
  • iboss Secure Access Service Edge (SASE) (Early Access): via SIEM: Splunk
  • McAfee IDS (Early Access): via SIEM: Exabeam Fusion New-Scale SIEM
  • Netskope Next Gen SWG
  • Palo Alto Networks Next Gen Firewall
  • Palo Alto Networks Panorama
  • SentinelOne Singularity Hologram (formerly Attivo BOTSink): via SIEM: Splunk; Sumo Logic
  • Verizon Network Detection and Response (formerly ProtectWise)
  • Zscaler Secure Internet Access (ZIA)[a]: via SIEM: Microsoft Sentinel; Splunk; Sumo Logic

[a] Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer's Zscaler instance to a SIEM.

SIEM Integrations

Expel can query SIEMs to improve the investigations of alerts coming from other sources. Expel also supports some SIEMs as a detection source, and can use the alerts from these SIEMs to improve detection.

  Vendor Technology (supported as Investigative Source and/or Detection Source):

  • Azure Log Analytics
  • Datadog
  • DEVO
  • Elastic Elasticsearch
  • Exabeam Fusion SIEM (by request only; Exabeam Fusion XDR is supported by request only)
  • Exabeam Fusion New-Scale SIEM
  • IBM QRadar
  • IBM QRadar on Cloud (QRoC)
  • Microsoft Sentinel
  • Securonix (Early Access)
  • Sumo Logic Cloud SIEM Enterprise (Early Access)
  • Sumo Logic Enterprise
  • Splunk Core
  • Splunk Enterprise Security
  • Wazuh

UEBA

  Vendor technology (Integration Type: Direct / via SIEM; supported SIEMs are listed where the integration is via SIEM):

  • Exabeam Fusion XDR
  • Proofpoint Insider Threat Management (Early Access): via SIEM: Sumo Logic

SaaS and Identity

  Vendor technology (Integration Type: Direct / via SIEM; supported SIEMs are listed where the integration is via SIEM):

  • 1Password
  • Auth0
  • Box
  • CyberArk Identity (Early Access)
  • Dropbox
  • Duo
  • GitHub
  • GitLab (Early Access)
  • Google Workspace
  • LastPass (Early Access)
  • Microsoft Entra ID Protection
  • Microsoft Defender for Cloud Apps - formerly MCAS (includes Defender for Identity)
  • Microsoft Intune
  • Microsoft 365 (includes Microsoft Entra ID)
  • Netskope CASB
  • Okta Workforce Identity Cloud
  • One Identity OneLogin
  • Ping Identity via Exabeam
  • SaaS Security, formerly Prisma SaaS
  • Salesforce
  • Slack
  • Snowflake (Early Access)
  • Varonis
  • Workday

Ticketing and Notifications Systems

  Vendor Technology (used for Notifications and/or as a Ticketing System):

  • Asana
  • Jira
  • OpsGenie
  • PagerDuty
  • Request Tracker for Incident Response
  • Slack
  • Splunk On-Call
  • Striven
  • Teams

Vulnerability Prioritization

  Vendor Technology (Availability):

  • Rapid7 InsightVM
  • Tenable Vulnerability Management (previously called Tenable.io)

Hunting

  Vendor Technology (Availability: Yes / via SIEM; supported SIEMs are listed where hunting is available via SIEM):

  On-prem (Endpoint and Network)

  • CrowdStrike Falcon Elite, Enterprise, and Premium (Falcon Data Replicator subscription required): via SIEM: Sumo Logic
  • Elastic Security (formerly Endgame)
  • Microsoft Defender for Endpoint
  • Palo Alto Networks Next Gen Firewall: via SIEM: DEVO
  • SentinelOne
  • VMware Carbon Black EDR (formerly CB Response)
  • VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense)

  Cloud

  • Amazon Web Services (AWS)
  • Azure

  SaaS and Identity

  • Duo
  • Google Workspace
  • Microsoft 365
  • Okta Workforce Identity Cloud
  • One Identity OneLogin