This onboarding guide covers how to set up a Splunk Collector with Workbench.


To ensure Expel will be able to connect, contact Splunk and ask them to allow traffic from the IP addresses listed in this topic.

Quick Start

Setup includes the following steps (select any step for detailed instructions):

  1. Add Splunk as a Security Device in Workbench
  2. Enable Console Access

Step 1: Add Splunk as a Security Device in Workbench

Make sure you have met the prerequisites before proceeding with this step.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Splunk” and then select the Splunk Collector integration.
  5. A configuration pane displays. Complete the fields as follows:
    1. Where is your device? - select the location of your device.
    2. Name - enter a name that might help you more easily identify this integration, such as “CompanyName Splunk Collector”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    3. Location - enter the location of your integration, for example, “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    4. Connection Settings - provide the appropriate information:
      • Username - enter the username used to authenticate with this device.
      • Password - enter the password used to authenticate with this device.
      • Server address - Splunk Cloud: enter the Splunk server address and port. Splunk On-Premises: enter the console IP address and port.
      • API token - enter the Splunk API token used to authenticate the device. If none is provided, username and password will be used.
  6. Select Save.
  7. Your device should be created successfully within a few seconds.
    • Note: Collector integrations don't support health checks and appearing to have little or no activity is expected. The (via Collector) integrations are what‌ present data – the Collector itself just facilitates passing the query to the integration receiving the information.

Step 2: Enable Console Access

To provide effective triage and analysis, we ask that customers enable Expel with console access. Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn about the IP addresses Expel traffic comes from.

  1. Log in to Splunk.
  2. Navigate to Settings > Access Controls > Users.
  3. Select Add new.
  4. Enter the following information:
    1. Name - enter "Expel".
    2. Full name - enter "Expel SOC".
    3. Email address - enter "".
    4. Password - set the Password.
    5. Time Zone - select GMT (or UTC).
    6. Assign roles - select User.
    7. Require password change on first login - set this to unchecked.
  5. Select Save.
  6. Now that you have enabled console access in Splunk, you may choose to enable console access in Workbench on your own, or you may contact Expel Support to do it for you. If you would like to do it yourself, continue with the following steps. If not, connect with your Engagement Manager to finish this process.
  7. Log in to Workbench.
  8. In the side menu, navigate to Organization Settings > Security Devices.
  9. Locate the Splunk Collector you added in Step 1. Select the dropdown arrow in the first column and select Edit.
  10. Enter your credentials into the Console Login (Optional) section.
  11. Select Save.