This article helps you connect your Elasticsearch installation with the Expel Workbench.

Step 1: Enable console and API access


Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Open Kibana and use the User Creation Wizard to to create a user for Expel with a role that grants Read privileges to the Indices that host your security logs. For instructions, see:

  2. Make note of the Username and Password for later use.

Step 2: Configure the technology in Workbench

  1. In a new browser tab, login to

  2. For Where is your device? select Cloud or On-prem.

  3. Fill in the other fields like this:

    • For Assembler, select your Assembler from the list. (On-prem only.)

    • For Name and Location, type in a unique name and describe the general physical location of the server.

    • For Username and Password, type in the credentials you created in Step 1.

    • For Server address, copy/paste the Elasticsearch endpoint. Be sure to use the Elasticsearch endpoint and not the Kibana endpoint.

    • For Index, type in where the security logs are hosted on the server.

  4. You can provide console access now or set it up later. Use the instructions below to set it up later.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!