This article provides instructions for connecting your Salesforce to the Expel Workbench.

Step 1: Create Profile for access control

Salesforce uses profiles to manage user access to data, so the first step is to create a profile for Expel.

  1. In Salesforce, navigate to Profiles.

  2. Clone the Read Only profile and name it Expel. Click Save.

  3. Verify that API Enabled is selected under Administrative Permissions.

  4. Enable Customize Application Permissions under Administrative Permissions. This is required to enable Logout Events.

  5. Enable View Real-Time Event Monitoring Data under General User Permissions.

  6. Click Save Profile.

Step 2: Enable event streaming

To properly ingest logs and process alerts, Expel queries specific endpoints in Salesforce. For Expel to be able to access events in those endpoints, you must enable event streaming.

  1. By using the search box, find and open Event Manager.

  2. In the Events section, enable Streaming Data for the following subscription channels:

    • /event/ApiAnomalyEvent

    • /event/ApiEventStream

    • /event/BulkApiResultEvent

    • /event/ConcurLongRunApexErrEvent

    • /event/CredentialStuffingEvent

    • /event/LightningUriEventStream

    • /event/ListViewEventStream

    • /event/LoginEventStream

    • /event/LoginAsEventStream

    • /event/LogoutEventStream

    • /event/PermissionSetEvent

    • /event/ReportAnomalyEvent

    • /event/ReportEventStream

    • /event/SessionHijackingEvent

    • /event/UriEventStream

Step 3: Create Expel user

Now that the Expel profile is created, the next step is to create a user with that profile.


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Navigate to Users.

  2. Click New User.

  3. Type in the required information:

    • For Last Name type ExpelAPI.

    • For Alias type expelapi.

    • For Email: soc+<Your_Organization_Name>


      Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.

    • For Username and Nickname use the Salesforce default entries.

    • For Role select any role.

    • For User License select Salesforce.

    • For Profile select Expel.

  4. Reset Password for the user.


    The new password is sent to the email address for the Expel Salesforce User.

Step 4: Get security token

  1. From your personal settings, type reset in the Quick Find text box, and then select Reset My Security Token.

  2. Click Reset Security Token.


    The new security token is sent to the email address for the Expel Salesforce User.

Step 5: Create connected app

  1. Login to Salesforce with the same user credentials that you want to collect data in your Salesforce deployment.

  2. From Setup, type App Manager in the Quick Find text box, then select App Manager.

  3. Click New Connected App.

  4. Type the connected app name (Expel), which appears in the App Manager and on its App Launcher tile.

  5. Type the API name.


    The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name.

  6. Type your contact email for Salesforce.

  7. In the API (Enable OAuth Settings) area of the page, select Enable OAuth Settings.

  8. Select Enable for Device Flow.

  9. Select the following OAuth scopes to apply to the connected app:

    • Manage user data via APIs (api)

  10. Note

    It can take about 10 minutes for the changes to take effect.

  11. Retrieve the Consumer Key and Consumer Secret from the app page.


    Save this info for later use.

Step 6. Connect your technology to Workbench

  1. In a new browser tab, log into

  2. On the console page, navigate to Organization Settings and click Security Devices.

  3. At the top of the page, click + Add Security Device.

  4. Type in the required information:

    • For Name create a name.

    • For Location type the physical location of your Salesforce domain.

    • For Salesforce domain type your Salesforce domain info from Before You Begin.

    • For Client ID type the Connected App’s Consumer Key.

    • For Client secret, type the Connected App’s Consumer Secret.

    • For Username type the Expel user’s username.

    • For Password type the Expel user’s password.

    • For Security token, type the Expel user’s security token.


This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.