This onboarding guide takes you through how to connect your Corelight Open Network Detection and Response (NDR) to Expel Workbench via Collector.


Prerequisites

  • You must have a Splunk Collector available as a Security Device in Expel Workbench before onboarding Corelight.
  • Also ensure you have your Collector query string, as you will need to enter it in Workbench. If you don't have it yet, please contact Expel Support to request it.

Add Corelight as a Security Device in Workbench

Please ensure you have met the prerequisites before proceeding with this step.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Corelight” and then select the Corelight (via Collector) integration.
  5. A configuration pane displays. Complete the fields as follows:
    • SIEM - select Splunk Collector from the dropdown.
    • Name - enter a name that helps you identify this integration, such as “CompanyName Corelight.” This name displays in Workbench under the Name column and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Collector query - enter the query string provided by Expel Support.
  6. Select Save.
  7. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin receiving data.
    • To check on the status, click on the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our Support team for help.


Please ensure you have onboarded and selected the correct Splunk integration for the SIEM field. It should be the one that reads "Splunk Collector."

Splunk integration list in Workbench