This page includes a complete list of integrations supported by Workbench. More are being added each month (please contact support if you do not see what you are looking for).
Unless otherwise indicated:
- Expel integrations are direct via API.
- In the cases where the integration is via SIEM only, all supported SIEMs are listed in the chart.
- Expel integrations support both detection (alert ingestion) and investigation (querying for supporting evidence).
- In the few cases where alerting isn't supported, we can still use the integration to gather investigative evidence.
Cloud
| Vendor Technology | Security Signal |
|---|---|
|  | ✅ Audit Logs |
|  | ✅ CloudTrail ✅ GuardDuty ✅ GovCloud CloudTrail (by request only) ✅ GovCloud GuardDuty (by request only) |
|  | ✅ AuditLogs |
|  | ✅ (for investigative support only) |
|  | ✅ Admin Activity ✅ Event Threat Detection (ETD) |
|  | ✅ Audit Logs |
|  | ✅ AWS Workload Events |
| Microsoft | ✅ Defender for Cloud Apps ✅ Activity Log ✅ Microsoft Entra ID Sign-ins ✅ Microsoft Entra ID Protection |
|  | ✅ Query Alerts Endpoint |
| Palo Alto Networks Prisma Cloud Compute (formerly Twistlock) | ✅ Audit Events |
|  | ✅ (for investigative support only) |
|  | ✅ Wiz Issues |
Endpoint
| Vendor technology | Integration Type: Direct | Integration Type: Via SIEM |
|---|---|---|
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  |  | ✅ Splunk |
|  | ✅ |  |
| Elastic Security (formerly Endgame) | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  |  | ✅ Exabeam Fusion New-Scale SIEM ✅ Splunk ✅ Sumo Logic |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
| VMware Carbon Black EDR (formerly CB Response) | ✅ |  |
| VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense) | ✅ |  |
|  | ✅ |  |
Network Integrations
| Vendor Technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
|  | ✅ |  |
|  |  | ✅ Sumo Logic |
|  |  | ✅ Exabeam Fusion New-Scale SIEM ✅ Splunk ✅ Sumo Logic |
|  |  | ✅ Exabeam Fusion New-Scale SIEM ✅ Microsoft Sentinel ✅ Splunk ✅ Sumo Logic |
|  | ✅ | ✅ Splunk ✅ Sumo Logic |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  |  | ✅ Exabeam |
|  | ✅ |  |
| Fortinet FortiGate |  | ✅ Exabeam Fusion New-Scale SIEM ✅ Microsoft Sentinel ✅ Splunk ✅ Sumo Logic ✅ Securonix |
| iboss Secure Access Service Edge (SASE) |  | ✅ Splunk |
| McAfee IDS |  | ✅ Exabeam Fusion New-Scale SIEM |
|  | ✅ |  |
| Palo Alto Networks Next Gen Firewall | ✅ | ✅ Devo ✅ Splunk Enterprise Security ✅ Sumo Logic |
|  | ✅ |  |
|  |  | ✅ Splunk ✅ Sumo Logic |
| Verizon Network Detection and Response (formerly ProtectWise) | ✅ |  |
|  |  | ✅ Microsoft Sentinel ✅ Splunk ✅ Sumo Logic |

[a] Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer’s Zscaler instance to a SIEM.
SIEM Integrations
Expel can query SIEMs to improve the investigation of alerts coming from other sources. Expel also supports some SIEMs as a detection source and uses the alerts from those SIEMs to improve detection.
| Vendor Technology | Investigative Source | Detection Source |
|---|---|---|
|  | ✅ |  |
|  | ✅ | ✅ |
|  | ✅ |  |
|  | ✅ | ✅ |
|  | ✅ (by request only) | (Exabeam Fusion XDR is supported by request only) |
|  | ✅ |  |
|  | ✅ | ✅ |
| IBM QRadar on Cloud (QRoC) | ✅ | ✅ |
|  | ✅ | ✅ |
|  | ✅ |  |
|  | ✅ | ✅ |
| Sumo Logic Enterprise | ✅ |  |
|  | ✅ |  |
| Splunk Enterprise Security | ✅ | ✅ |
|  | ✅ | ✅ |
UEBA
| Vendor technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
| Exabeam Fusion XDR | ✅ |  |
| Proofpoint Insider Threat Management |  | ✅ Sumo Logic |
SaaS and Identity
| Vendor technology | Integration Type: Direct | Integration Type: via SIEM |
|---|---|---|
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
| LastPass | ✅ |  |
| Microsoft Entra ID Protection | ✅ |  |
| Microsoft Defender for Cloud Apps - formerly MCAS (includes Defender for Identity) | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
| Netskope CASB | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
| Ping Identity via Exabeam | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
Ticketing and Notification Systems
| Vendor Technology | Notifications | Ticketing System |
|---|---|---|
| Asana |  | ✅ |
| Jira |  | ✅ |
| OpsGenie | ✅ |  |
| PagerDuty | ✅ |  |
| Request Tracker for Incident Response |  | ✅ |
| Slack | ✅ |  |
| Splunk On-Call | ✅ |  |
| Striven |  | ✅ |
| Teams | ✅ |  |
Vulnerability Prioritization
| Vendor Technology | Availability |
|---|---|
| Rapid7 InsightVM | ✅ |
| Tenable Vulnerability Management (previously called Tenable.io) | ✅ |
Hunting
| Vendor Technology | Availability: Yes | Availability: via SIEM |
|---|---|---|
| On-prem (Endpoint and Network) |  |  |
| CrowdStrike Falcon Elite, Enterprise, and Premium (Falcon Data Replicator subscription required) |  | ✅ Sumo Logic |
| Elastic Security (formerly Endgame) | ✅ |  |
|  | ✅ |  |
|  |  | ✅ DEVO |
|  | ✅ |  |
| VMware Carbon Black EDR (formerly CB Response) | ✅ |  |
| VMware Carbon Black Cloud (formerly CB ThreatHunter and CB Defense) | ✅ |  |
| Cloud |  |  |
|  | ✅ |  |
|  | ✅ |  |
| SaaS and Identity |  |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |
|  | ✅ |  |