Skip to main content


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Step 1: Enable console access

  1. In the OneLogin console, select Administration.

  2. Select Users and then New User.

  3. Fill in the following fields:

    • First name: Expel

    • Last name: SOC

    • For Email: soc+<Your_Organization_Name>


      Yes, the "+" sign is part of the email address (as in and it's important. Click here to find out why.

    • Username: same as email

    • Password: set by user

    • Company: Expel

    • Leave the other fields blank.

  4. Click Save User.

  5. Notify your engagement manager that the registration email is sent.

Step 2: Generate API Credentials

  1. Sign into your OneLogin as a user with Admin privileges.

  2. Navigate to Administration.

  3. Navigate to Developers > API Credentials.

  4. Select New Credential.

  5. Give the credential a name (such as Expel API) and select Read All and click Save.

  6. Save a copy of the Client ID and Client Secret.


Step 3: Configure the technology in Workbench

  1. Login to

  2. Navigate to Settings > Security Devices.

  3. At the top of the page, click Add New Device.

  4. Search for and select OneLogin (direct).

  5. Select Expel Cloud Service for the SIEM.

  6. Give the device a Name and Location.

  7. Fill in fields for Client Secret and Client ID with credentials generated in Step 2.

  8. Specify the Region of the OneLogin device (US, EU).