Expel has out-of-the-box integrations with many cloud, endpoint, SaaS, network, and SIEM technologies. This article lists direct and indirect integrations currently in progress, as well as completed integrations. Those not listed as direct require either sending logs to one of our supported SIEMs or network technologies. We also include a list of technologies we can use for hunting.

The integrations available specifically for your organization depend on what your organization purchased. For more information about what your organization purchased, talk to the decision makers at your organization.

Note

New integrations and features go through a period of Early Access before being made Generally Available. During Early Access, integrations and features are exposed to a wide range of customers, and refinements and fixes are made.

Kubernetes

Vendor technology	Security signal
Amazon Elastic Kubernetes Service (EKS)	Audit Logs
Azure Kubernetes Engine (AKS)	Audit Logs
Google Kubernetes Engine (GKE)	Audit Logs

Cloud Infrastructure

Vendor technology	Security signal
Amazon Web Services (AWS)	CloudTrail Guard Duty
Cloudflare WAF
Google Cloud Platform	Admin Activity Event Thread Detection (ETD)
Imperva WAF
Lacework (Early Access)	AWS Workload Events
Lastpass (Early Access)
Microsoft Azure	Defender for Cloud Apps Activity Log Azure AD Sign-ins Azure AD Identity Protect
Orca Security	Query Alerts Endpoint
Prisma Cloud Compute	Audit Events

Endpoint

Vendor technology	Integration type Direct	Integration type via SIEM
Cisco AMP
CrowdStrike Falcon Elite, Enterprise, and Premium
CrowdStrike Falcon Identity Protection (Early Access)
CyberArk PAM		Splunk
Cybereason
CylancePROTECT AV
Endgame
Microsoft Defender for Endpoint
Palo Alto Networks Cortex XDR Pro
SentinelOne
Symantec Endpoint Protection		Exabeam Fusion SIEM Splunk Sumo Logic
Tanium Core
Trellix HX (formerly FireEye HX)
Trend Micro Apex One (Early Access)
VMware Carbon Black EDR
VMware Carbon Black Cloud
Wazuh

Network integrations

Vendor technology	Integration type Direct	Integration type via SIEM
Attivo BOTSink		Splunk Sumo Logic
Check Point - AV, Anti-Bot, and IPS (Early Access)		Sumo Logic
Cisco ASA		Splunk Sumo Logic
Cisco Firepower		Splunk Sumo Logic
Cisco Meraki		Splunk Sumo Logic
Cisco Umbrella
Darktrace
ExtraHop Reveal(x) Enterprise (Early Access) 360 is not supported
Forcepoint W Filter		Exabeam
Fortinet FortiGate		Microsoft Sentinel Exabeam Fusion SIEM Splunk Sumo Logic Securonix
Guardicore (Early Access)
iBoss (Early Access)		Splunk
McAfee IDS (Early Access)		Exabeam Fusion SIEM
Netskope SWG
Palo Alto Firewall
Palo Alto Networks Prisma Access
ProtectWise
Signal Sciences WAF
Zscaler^[a]		Microsoft Sentinel Splunk Sumo Logic
^[a] Requires the Nanolog Streaming Service (NSS), a virtual machine that must be hosted by the customer. Zscaler requires customers to use NSS to transport data from the customer’s Zscaler instance to a SIEM.

SIEM integrations

Vendor technology	Type of support^[a] Investigative source	Type of support^[b] Detection source
Azure Log Analytics
Datadog
DEVO
Elastic
Exabeam Fusion SIEM
IBM QRadar
IBM QRadar on Cloud (QRoC)
Microsoft Sentinel
Securonix (Early Access)
Sumo Logic Cloud SIEM Enterprise (Early Access)
Sumo Logic Enterprise
Splunk Core
Splunk Enterprise Security
Wazuh
^[a]Expel can query this SIEM to get more information to support the investigations of alerts coming from other sources. ^[b] This SIEM generates alerts that Expel can use to add detection value.

UEBA

Vendor technology

Integration type

Direct

Integration type

via SIEM

Exabeam Fusion XDR

Proofpoint Insider Threat Management (Early Access)

Sumo Logic

SaaS apps

Vendor technology	Integration type Direct	Integration type via SIEM
1Password (Early Access)
Auth0 (Early Access)
Box
CyberArk Identity (Early Access)
Dropbox
Duo
GitHub
GitLab (Early Access)
Google Workspace
Microsoft Azure AD
Microsoft Defender for Cloud Apps - formerly MCAS (includes Defender for Identity)
Microsoft Intune (Early Access)
Microsoft 365 (includes Azure AD)
Netskope CASB
Okta
OneLogin
Ping Identity via Exabeam
SaaS Security, formerly Prisma SaaS
Salesforce (Early Access)
Slack (Early Access)
Snowflake (Early Access)
Varonis
Workday

Ticketing and notifications systems

Vendor technology	Notifications	Ticketing system
Asana
Jira
OpsGenie
PagerDuty
Request Tracker for Incident Response
Slack
ServiceNow
Splunk On-Call
Striven
Teams

Hunting

Vendor technology	Availability Yes	Availability via SIEM
On-prem infrastructure
CrowdStrike Falcon Elite, Enterprise, and Premium (Falcon Data Replicator subscription required)		Sumo Logic
Endgame
Microsoft Defender for Endpoint
Palo Alto Networks (Firewall)		Azure Log Analytics (ALA) Exabeam Fusion SIEM Splunk Sumo Logic
SentinelOne
VMware Carbon Black EDR
VMware Carbon Black Cloud
Cloud Infrastructure
Amazon Web Services (AWS)
Azure
SaaS apps
Duo
Google Workspace
Microsoft 365
Okta
OneLogin

Expel integrations

Note

Kubernetes

Cloud Infrastructure

Endpoint

Network integrations

SIEM integrations

UEBA

SaaS apps

Ticketing and notifications systems

Hunting

Comments

Get a free trial!

Expel integrations

Note

Kubernetes

Cloud Infrastructure

Endpoint

Network integrations

SIEM integrations

UEBA

SaaS apps

Ticketing and notifications systems

Hunting

Related articles

Promoted articles

Get a free trial!