Some security devices are SIEM-based technology (Splunk, for example) that you integrate through a direct API connection; for other supported vendor technology, you can connect through your SIEM instead, which we call a via SIEM connection. A via SIEM connection can be set up in lieu of a direct API connection, or it can be used to onboard vendor technology that we currently support only through a SIEM. This topic explains both options and when to use each one.
About SIEM Integrations
Ingestion and Triage Process
For SIEM-based technology that is set up in Workbench as a direct API connection, we use your SIEM's out-of-the-box detection rules and/or your custom detection rules, mapping the SIEM alerts to our own ingestion criteria. This lets our Josie bot follow the normal event triage process and create an Expel Alert that is sent to our SOC analysts for analysis. We also run queries against your SIEM logs to search for additional types of data, which may likewise result in an Expel Alert.
Console Access
A SIEM alert does not typically include all of the contextual timeline activity surrounding an event of interest, and sometimes we cannot get all necessary data via API. In those cases, we will ask you for a certain level of console access during onboarding. Granting it is optional, but we strongly recommend you provide it.
The level of access that we require is meant to support essential triage and research activities, and to help us determine the vector and extent of attacker activity for an identified threat. At minimum, we will ask for visibility into alert data, timeline events recorded, and live response/real time response shell (if applicable).
For more information about console access, see Why Expel Asks for Console Access.
Setup Process
Setting up a SIEM device follows the same general process as setting up any direct integration in Workbench. There is, however, an extra step if you want to use custom detection rules:
- Set up the SIEM device in Workbench by locating and following its setup guide.
- If you already have custom detection rules enabled, or want to add some, follow the detection rule submission process described below.
- Once connected, your device shows as "Healthy" in Workbench, but Expel Alerts will not appear until the rule review process is complete.
Note
Setting up your device as a first step (including granting all necessary console access) greatly facilitates the evaluation and approval process for your custom detection rules.
Criteria for Detection Rule Acceptance
Our SIEM-based technology integrations do not necessarily support all of your custom detection rules. We will partner with you to evaluate each rule and tell you whether, and to what extent, we can support it, based on the following criteria:
- Fidelity - the rule's alert volume should indicate high fidelity (for example, an average of 3 or fewer false positives per week suggests the rule has high fidelity)
- Redundancy - the rule name, description, and query should not duplicate (or suggest a duplication of) alerts that would already surface through a direct API integration with a non-SIEM technology
- Evidence - each alert the rule produces must give us enough artifacts to act on (two or fewer artifacts suggests there is not enough information for our SOC analysts to work with)
- Scope - the rule name, description, and query must align with your service and should not be written for a different category of service
If we are unable to support your custom detection rule because it does not meet the criteria above, we will let you know so that you can make modifications and resubmit it to us.
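Before opening a support request, you can run a rough self-check against the two criteria above that have numeric thresholds (fidelity and evidence). The Python script below is an added example and not Expel tooling, and it does not replace Expel's review: it assumes a hypothetical export of the rule's recent alerts, each carrying the disposition your own SOC recorded and a dictionary of the artifacts the alert surfaced, all constructed inline as sample data. Redundancy and scope remain human judgement calls and are deliberately left out.

```python
"""Pre-submission self-check for a custom SIEM detection rule.

Hypothetical local tooling, not part of Expel Workbench: scores a rule against
the fidelity and evidence criteria using a constructed export of the rule's
recent alerts and the dispositions your own SOC recorded for them. Redundancy
and scope are judgement calls and are left to human review.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_WEEKLY_FALSE_POSITIVES = 3.0  # "an average of 3 or fewer weekly false positives"
MIN_ARTIFACTS = 3                 # "two or fewer artifacts suggests insufficient information"


@dataclass
class Alert:
    fired_at: datetime
    false_positive: bool  # disposition recorded by your SOC
    artifacts: dict       # fields an analyst can act on (host, user, src_ip, ...)


@dataclass
class RuleSubmission:
    name: str
    description: str
    query: str
    alerts: list = field(default_factory=list)


def populated_artifacts(alert):
    """Count artifact fields that carry a usable value; empty fields do not help triage."""
    return sum(1 for v in alert.artifacts.values() if v not in (None, "", [], {}))


def average_weekly_false_positives(alerts, window_start, window_end):
    """Average false positives per week over an evaluation window of at least one week."""
    weeks = (window_end - window_start) / timedelta(weeks=1)
    if weeks < 1:
        raise ValueError("evaluation window must cover at least one full week")
    fps = sum(1 for a in alerts
              if a.false_positive and window_start <= a.fired_at < window_end)
    return fps / weeks


def check_rule(rule, window_start, window_end):
    """Return per-criterion findings and whether the rule is ready to submit."""
    result = {"rule": rule.name, "failures": []}
    if not (rule.name and rule.description and rule.query):
        result["failures"].append("submission must include rule name, description and query")
    if not rule.alerts:
        result["failures"].append("no sample alerts: fidelity and evidence cannot be assessed")
        result["ready_to_submit"] = False
        return result
    fp_rate = average_weekly_false_positives(rule.alerts, window_start, window_end)
    result["weekly_false_positives"] = round(fp_rate, 2)
    if fp_rate > MAX_WEEKLY_FALSE_POSITIVES:
        result["failures"].append(
            f"fidelity: {fp_rate:.2f} false positives/week exceeds {MAX_WEEKLY_FALSE_POSITIVES:g}")
    # Judge evidence by the weakest alert: every alert must give analysts enough to act on.
    min_artifacts = min(populated_artifacts(a) for a in rule.alerts)
    result["min_artifacts"] = min_artifacts
    if min_artifacts < MIN_ARTIFACTS:
        result["failures"].append(
            f"evidence: weakest alert carries {min_artifacts} artifact(s), need at least {MIN_ARTIFACTS}")
    result["ready_to_submit"] = not result["failures"]
    return result


# Constructed four-week alert export (sample data, not from a real SIEM).
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = WINDOW_START + timedelta(weeks=4)


def spread_alerts(count, false_positives, artifacts):
    """Spread `count` alerts evenly over the window; the first `false_positives` are FPs."""
    step = (WINDOW_END - WINDOW_START) / count
    return [Alert(WINDOW_START + i * step, i < false_positives, dict(artifacts))
            for i in range(count)]


GOOD_RULE = RuleSubmission(
    name="PowerShell download cradle",
    description="powershell.exe launched with an encoded command that fetches remote content",
    query='index=endpoint process_name="powershell.exe" command_line="*DownloadString*"',
    alerts=spread_alerts(12, 5, {"host": "ws-101", "user": "jdoe", "process_id": 4120,
                                 "command_line": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA"}),
)
NOISY_RULE = RuleSubmission(
    name="Any proxy block",
    description="every blocked web request",
    query="index=proxy action=blocked",
    alerts=spread_alerts(40, 20, {"host": "proxy-01", "user": ""}),
)

if __name__ == "__main__":
    for rule in (GOOD_RULE, NOISY_RULE):
        print(check_rule(rule, WINDOW_START, WINDOW_END))
```

The good rule passes with 1.25 false positives per week and four populated artifacts on every alert; the noisy rule fails both checks (5 false positives per week, and its weakest alert carries only a host name). Evidence is scored on the weakest alert rather than the average because a single alert with nothing to pivot on still lands on an analyst's desk.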
How to Submit Your Custom Detection Rule(s)
To submit your new custom detection rule(s), contact Support and be sure to include all details (rule name, description, query) in your request. You may submit multiple custom detection rules in a single support request.
We will then review the submission and create our own custom mapping to determine how each rule should be handled. Please allow 10 to 20 business days for us to complete this process and notify you of a decision. If your custom detection rule did not meet our criteria for acceptance, you may make changes and re-submit it to us through the same process.
Note
If you need expedited processing for a small number of urgently needed custom detection rules, say so in your initial request and we will do our best to meet your timelines.
About via SIEM Connections
A direct API connection is the conventional (and more robust) way to set up your integration if it is available. But in cases where we do not yet support an API connection for the technology, or where you already have some internal SOC tuning in place for your vendor alerts, you can set up a connection via a SIEM instead. You must use a supported SIEM to set up this type of connection, and you must also connect to a supported vendor technology.
Visit the Expel Integrations page to see which integrations allow you to connect via a SIEM, and which SIEMs are supported.
Considerations and Limitations
Our ability to perform follow-up or triage for your data is limited in this type of connection, as we do not have access to the full security data for the source nor do we have access to the console. This is why a direct API connection is the preferred method of integration when available—especially in cases where a vendor alert from a supported (direct API) integration is only passing through a SIEM because of a custom detection rule.
However, if the vendor alert coming into your SIEM has already been tuned by your own SOC, the SIEM alert is likely stronger than the original vendor alert. In these instances, a via SIEM connection may be preferable to a direct API connection. But you must choose one or the other. If you have already set up your integration as a direct API connection, you should not also create a via SIEM connection due to duplication issues.
Ingestion and Triage Process
Expel Alerts are created by ingesting your SIEM alerts and by querying the SIEM's log data. An Expel Alert can result in any of the following triage actions:
- Our SOC analysts creating an Investigation
- Our SOC analysts storing evidence from the SIEM logs that we can use to inform future Investigations
- Our SOC analysts sending a question directly to you about an event's authorization (or lack of authorization) that is referenced in the Expel Alert
Note
We can only ingest SIEM alerts for connected vendor technology that we already support via a direct integration.
Setup Process
Setting up a via SIEM connection takes three steps:
- Make sure your SIEM's data sources are logging properly.
  - You will need to specify which logs the SIEM should ingest, where they should be stored, and any other data quality requirements that apply.
  - If you need help with this step, follow your SIEM's documentation or work with your SIEM vendor's representative.
- Set up the SIEM as a security device in Workbench by locating its setup guide.
- Set up the via SIEM connection as a separate security device in Workbench (the instructions are in the same setup guide).
Custom detection rules cannot be used with a via SIEM connection.
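A quick way to verify the first step before touching Workbench is to pull the event timestamps your SIEM holds for each data source the connection will depend on and look for feeds that are missing, stale, or full of holes. The Python script below is an added example, not Expel or SIEM-vendor tooling: the source names and freshness thresholds are assumptions you would replace with your own, and the event timestamps are constructed inline as sample data rather than fetched from a SIEM.

```python
"""Data-source health check before setting up a via SIEM connection.

Hypothetical local script, not Expel or SIEM vendor tooling. It takes the event
timestamps your SIEM holds for each data source the connection depends on
(constructed sample below) and flags sources that are missing, stale, or have
ingestion gaps, so the connection is not built on top of a broken feed.
"""
from datetime import datetime, timedelta

# Sources the via SIEM connection needs, with the longest silence each one may
# legitimately show. Assumed names and thresholds; tune them per source.
EXPECTED_SOURCES = {
    "vendor_edr:alerts": timedelta(hours=6),
    "vendor_edr:telemetry": timedelta(minutes=30),
    "cloud_audit:events": timedelta(hours=1),
}


def source_health(timestamps, max_gap, now):
    """Classify one source as ok, gappy, stale, or missing from its event timestamps."""
    if not timestamps:
        return {"status": "missing", "last_seen": None, "gaps": []}
    ts = sorted(timestamps)
    gaps = [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]
    if now - ts[-1] > max_gap:
        status = "stale"   # feed has gone quiet; nothing recent to alert on
    elif gaps:
        status = "gappy"   # feed is live but has holes an attacker could hide in
    else:
        status = "ok"
    return {"status": status, "last_seen": ts[-1], "gaps": gaps}


def check_sources(events_by_source, now, expected=EXPECTED_SOURCES):
    """Health report for every expected source, plus any sources that were not expected."""
    report = {src: source_health(events_by_source.get(src, []), max_gap, now)
              for src, max_gap in expected.items()}
    return {
        "sources": report,
        "unexpected_sources": sorted(set(events_by_source) - set(expected)),
        "ready": all(r["status"] == "ok" for r in report.values()),
    }


# Constructed sample: event timestamps as a SIEM search might return them.
NOW = datetime(2024, 3, 1, 12, 0)


def sample_timestamps(minutes, hours, skip_hours=()):
    """One timestamp every `minutes` over the last `hours`, dropping whole hour offsets in `skip_hours`."""
    return [NOW - timedelta(minutes=m) for m in range(0, hours * 60, minutes)
            if m // 60 not in skip_hours]


SAMPLE_EVENTS = {
    "vendor_edr:alerts": sample_timestamps(60, 24),                    # steady, within threshold
    "vendor_edr:telemetry": sample_timestamps(10, 6, skip_hours={3}),  # one hour of telemetry never arrived
    "legacy_av:events": sample_timestamps(60, 24),                     # present, but the connection does not use it
}

if __name__ == "__main__":
    report = check_sources(SAMPLE_EVENTS, now=NOW)
    for src, health in report["sources"].items():
        print(src, health["status"], [f"{a:%H:%M}-{b:%H:%M}" for a, b in health["gaps"]])
    print("unexpected:", report["unexpected_sources"], "ready:", report["ready"])
```

On the sample data the alerts feed is healthy, the telemetry feed is live but reports a 70-minute hole between 08:00 and 09:10, the cloud audit feed is missing entirely, and an extra source the connection does not need shows up as unexpected; the report's ready flag stays false until every expected source is ok. The per-source threshold matters: a six-hour silence is normal for a low-volume alert feed but would be a gap an analyst cannot see through for endpoint telemetry.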
FAQs
Do all SIEM integrations receive the same level of support?
Our SIEM integrations are broken into tiers. See Integration Tiers and Support for more information.
Is there a security device tuning period after setup?
Yes, for about 48 hours. Sometimes we are not able to apply the proper tuning on our end, so we may reach out with tuning suggestions for you to apply within your SIEM. Learn more about device tuning.
Who maintains a custom detection rule after it is implemented?
Our SOC analysts may apply minor suppressions to maintain fidelity but, ultimately, you are responsible for the performance of the rule and its adherence to our criteria.
Why might you adjust the severity of a custom detection rule?
We decide how to surface your custom detection rules according to their projected fidelity and impact. If the alert volume starts to indicate a level of fidelity that no longer matches the assigned severity, we will adjust the severity.
Do you support Windows event logs?
No, we no longer support this type of SIEM log.
Find Your Setup Guide(s)
If you are ready to get started, visit the Expel Integrations page to find your technology and a link to its setup guide.