This article helps you connect your Elastic Elasticsearch installation with the Expel Workbench.

Step 1: Enable console and API access


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Open Kibana and use the User Creation Wizard to to create a user for Expel with a role that grants Read privileges to the Indices that host your security logs. For instructions, see:

  2. Make note of the Username and Password for later use.

Step 2: Configure the technology in Workbench

  1. In a new browser tab, login to

  2. For Where is your device? select Cloud or On-prem.

  3. Fill in the other fields like this:

    • For Assembler, select your Assembler from the list. (On-prem only.)

    • For Name and Location, type in a unique name and describe the general physical location of the server.

    • For Username and Password, type in the credentials you created in Step 1.

    • For Server address, copy/paste the Elasticsearch endpoint. Be sure to use the Elasticsearch endpoint and not the Kibana endpoint.

    • For Index, type in where the security logs are hosted on the server.

  4. You can provide console access now or set it up later. Use the instructions below to set it up later.


This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.