This page includes a complete list of integrations supported by Workbench. More are being added each month (please contact support if you do not see what you are looking for). 

Unless otherwise indicated:

  • Expel integrations are direct via API.
    • In the cases where the integration is via SIEM only, all supported SIEMs are listed in the chart. 
  • Expel integrations support both detection (alert ingestion) and investigation (querying for supporting evidence).
    • In the few cases where alerting isn't supported, we can still use the integration to gather investigative evidence.

Cloud

| Vendor Technology | Security Signal |
|---|---|
| Amazon Elastic Kubernetes Service (EKS) | Audit Logs |
| Amazon Web Services (AWS) | CloudTrail; GuardDuty; GovCloud CloudTrail (by request only); GovCloud GuardDuty (by request only) |
| Azure Kubernetes Engine (AKS) | AuditLogs |
| Cloudflare WAF | ✅ (for investigative support only) |
| Google Cloud Platform | Admin Activity; Event Threat Detection (ETD) |
| Google Kubernetes Engine (GKE) | Audit Logs |
| Lacework | AWS Workload Events |
| Microsoft | Defender for Cloud Apps Activity Log; Microsoft Entra ID Sign-ins; Microsoft Entra ID Protection |
| Orca Security | Query Alerts Endpoint |
| Palo Alto Networks Prisma Cloud Compute (formerly Twistlock) | Audit Events |
| Thales Imperva WAF | ✅ (for investigative support only) |
| Wiz | Wiz Issues |

Endpoint

| Vendor Technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
| Blackberry CylanceENDPOINT (formerly CylancePROTECT AV) | ✅ | |
| Cisco Secure Endpoint (formerly Cisco AMP) | ✅ | |
| CrowdStrike Falcon Elite, Enterprise, and Premium | ✅ | |
| CrowdStrike Falcon Identity Protection | ✅ | |
| CyberArk PAM | ✅ | Splunk |
| Cybereason | ✅ | |
| Elastic Security (formerly Endgame) | ✅ | |
| Microsoft Defender for Endpoint | ✅ | |
| Palo Alto Networks Cortex XDR Pro | ✅ | |
| SentinelOne | ✅ | |
| Symantec Endpoint Protection | ✅ | Exabeam Fusion New-Scale SIEM; Splunk; Sumo Logic |
| Tanium XEM Core | ✅ | |
| Trellix Endpoint Security (HX) (formerly FireEye HX) | ✅ | |
| Trend Micro Apex One | ✅ | |
| VMware Carbon Black EDR (formerly CB Response) | ✅ | |
| VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense) | ✅ | |
| Wazuh | ✅ | |

Network Integrations

| Vendor Technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
| Akamai Guardicore Segmentation | ✅ | |
| Check Point - AV, Anti-Bot, and IPS | ✅ | Sumo Logic |
| Cisco ASA | ✅ | Exabeam Fusion New-Scale SIEM; Splunk; Sumo Logic |
| Cisco Firepower | ✅ | Exabeam Fusion New-Scale SIEM; Microsoft Sentinel; Splunk; Sumo Logic |
| Cisco Meraki | | Splunk; Sumo Logic |
| Cisco Umbrella | ✅ | |
| Darktrace | ✅ | |
| ExtraHop Reveal(x) Enterprise | ✅ | |
| ExtraHop Reveal(x) 360 | ✅ | |
| Fastly Next-Gen WAF (formerly Signal Sciences WAF) | ✅ | |
| Forcepoint Web Filter | ✅ | Exabeam |
| Fortinet FortiAnalyzer | ✅ | |
| Fortinet FortiGate | ✅ | Exabeam Fusion New-Scale SIEM; Microsoft Sentinel; Splunk; Sumo Logic; Securonix |
| iboss Secure Access Service Edge (SASE) | ✅ | Splunk |
| McAfee IDS | ✅ | Exabeam Fusion New-Scale SIEM |
| Netskope Next Gen SWG | ✅ | |
| Palo Alto Networks Next Gen Firewall | | Devo; Splunk Enterprise Security; Sumo Logic |
| Palo Alto Networks Panorama | ✅ | |
| SentinelOne Singularity Hologram (formerly Attivo BOTSink) | ✅ | Splunk; Sumo Logic |
| Verizon Network Detection and Response (formerly ProtectWise) | ✅ | |
| Zscaler Secure Internet Access (ZIA)[a] | ✅ | Microsoft Sentinel; Splunk; Sumo Logic |

[a] Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer’s Zscaler instance to a SIEM.

SIEM Integrations

Expel can query SIEMs to improve the investigations of alerts coming from other sources. Expel also supports some SIEMs as a detection source, and can use the alerts from these SIEMs to improve detection.

| Vendor Technology | Investigative Source | Detection Source |
|---|---|---|
| Azure Log Analytics | | |
| Datadog | | |
| DEVO | | |
| Elastic Elasticsearch | | |
| Exabeam Fusion SIEM | (by request only) | (Exabeam Fusion XDR is supported by request only) |
| Exabeam Fusion New-Scale SIEM | | |
| IBM QRadar | | |
| IBM QRadar on Cloud (QRoC) | | |
| Microsoft Sentinel | | |
| Securonix | | |
| Sumo Logic Cloud SIEM Enterprise | | |
| Sumo Logic Enterprise | | |
| Splunk Core | | |
| Splunk Enterprise Security | | |
| Wazuh | | |

UEBA

| Vendor Technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
| Exabeam Fusion XDR | ✅ | |
| Proofpoint Insider Threat Management | ✅ | Sumo Logic |

SaaS and Identity

| Vendor Technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
| 1Password | ✅ | |
| Auth0 | ✅ | |
| Box | ✅ | |
| CyberArk Identity | ✅ | |
| Dropbox | ✅ | |
| Duo | ✅ | |
| GitHub | ✅ | |
| GitLab | ✅ | |
| Google Workspace | ✅ | |
| LastPass | ✅ | |
| Microsoft Entra ID Protection | ✅ | |
| Microsoft Defender for Cloud Apps - formerly MCAS (includes Defender for Identity) | ✅ | |
| Microsoft Intune | ✅ | |
| Microsoft 365 (includes Microsoft Entra ID) | ✅ | |
| Netskope CASB | ✅ | |
| Okta Workforce Identity Cloud | ✅ | |
| One Identity OneLogin | ✅ | |
| Ping Identity via Exabeam | ✅ | |
| SaaS Security, formerly Prisma SaaS | ✅ | |
| Salesforce | ✅ | |
| Slack | ✅ | |
| Snowflake | ✅ | |
| Varonis | ✅ | |
| Workday | ✅ | |

Ticketing and Notifications Systems

| Vendor Technology | Notifications | Ticketing System |
|---|---|---|
| Asana | | |
| Jira | | |
| OpsGenie | | |
| PagerDuty | | |
| Request Tracker for Incident Response | | |
| Slack | | |
| Splunk On-Call | | |
| Striven | | |
| Teams | | |

Vulnerability Prioritization

| Vendor Technology | Availability |
|---|---|
| Rapid7 InsightVM | |
| Tenable Vulnerability Management (previously called Tenable.io) | |

Hunting

On-prem (Endpoint and Network)

| Vendor Technology | Availability: Yes | Availability: via SIEM |
|---|---|---|
| CrowdStrike Falcon Elite, Enterprise, and Premium (Falcon Data Replicator subscription required) | ✅ | Sumo Logic |
| Elastic Security (formerly Endgame) | ✅ | |
| Microsoft Defender for Endpoint | ✅ | |
| Palo Alto Networks Next Gen Firewall | ✅ | DEVO |
| SentinelOne | ✅ | |
| VMware Carbon Black EDR (formerly CB Response) | ✅ | |
| VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense) | ✅ | |

Cloud

| Vendor Technology | Availability: Yes | Availability: via SIEM |
|---|---|---|
| Amazon Web Services (AWS) | ✅ | |
| Azure | ✅ | |

SaaS and Identity

| Vendor Technology | Availability: Yes | Availability: via SIEM |
|---|---|---|
| Duo | ✅ | |
| Google Workspace | ✅ | |
| Microsoft 365 | ✅ | |
| Okta Workforce Identity Cloud | ✅ | |
| One Identity OneLogin | | |