EXPEL WORKBENCH™ INTEGRATIONS
Integrations portfolio
You've invested in the right tech for your environment, and we make it work harder. Check out our integrations, and if yours isn't listed, reach out—we're likely adding it!
1Password (1Password)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Amazon GuardDuty (Amazon)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Apex One (Trend Micro)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

ASA (Cisco)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM, Splunk Enterprise Security, Sumo Logic)
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Auth0 (Okta)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

AV, Anti-Bot, and IPS (Check Point)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM, Splunk, Sumo Logic)
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

AWS CloudTrail (Amazon)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Azure Kubernetes Service (AKS) (Microsoft)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Azure Monitor activity log (Microsoft; formerly Activity Log)
Operational capabilities: Data Ingestion
Expel services: MDR, Threat Hunting

Azure Monitor log analytics (Microsoft; formerly Azure Log Analytics)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center
Box (Box)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Cloud Access Security Broker (CASB) (Netskope)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Cloud SIEM (Sumo Logic; formerly Sumo Logic Cloud SIEM Enterprise, JASK)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Cortex XDR (Palo Alto Networks)
Ingestion methods: Direct API
Supported versions: XDR Pro
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

CylanceENDPOINT (BlackBerry; formerly CylancePROTECT AV)
Ingestion methods: Direct API; via SIEM (SIEM sources: Sumo Logic)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Datadog (Datadog)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

DatAlert (Varonis)
Ingestion methods: Direct API; via SIEM
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Defender for Cloud Apps (Microsoft; formerly Microsoft Cloud Application Security)
Ingestion methods: Direct API
Supported versions: Defender for Cloud Apps, Defender for Identity
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Defender for Endpoint (Microsoft)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Dropbox (Dropbox)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Duo (Cisco)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

EDR/XDR (Cybereason)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Elastic Kubernetes Service (EKS) (Amazon)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Elastic Security (Elastic; formerly Endgame)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting

Elasticsearch (Elastic)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Endpoint Security (HX) (Trellix; formerly FireEye HX)
Ingestion methods: Direct API
Supported versions: Trellix HX 3.6+, Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Entra ID Protection (Microsoft; formerly Azure AD Identity Protection)
Ingestion methods: Direct API
Supported versions: Azure AD Identity Protection (through Microsoft Graph API), MCAS Sentinel
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center
Falcon (CrowdStrike)
Ingestion methods: Direct API
Supported versions: Falcon Elite, Falcon Enterprise, Falcon Complete
Operational capabilities: Data Ingestion, Investigative Access, Response Actions
Expel services: MDR
Setup guide: available in the help center

Falcon Data Replicator (CrowdStrike)
Ingestion methods: via SIEM (SIEM sources: Sumo Logic)
Operational capabilities: Data Ingestion
Expel services: Threat Hunting

Falcon Identity Protection (CrowdStrike)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Firepower (Cisco)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM, Microsoft Sentinel, Splunk Enterprise Security, Sumo Logic)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

FortiAnalyzer (Fortinet)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR

FortiGate (Fortinet)
Ingestion methods: via SIEM (SIEM sources: Microsoft Sentinel, Exabeam Fusion New-Scale SIEM, Securonix Unified Defense SIEM, Sumo Logic, Splunk Enterprise Security)
Operational capabilities: Data Ingestion
Expel services: MDR

GitHub (GitHub)
Ingestion methods: Direct API; via SIEM (SIEM sources: AWS S3)
Supported versions: GitHub Enterprise, Cloud, On-prem
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

GitLab (GitLab)
Ingestion methods: Direct API
Supported versions: GitLab SaaS, Cloud, On-prem
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center
Google Cloud Platform (GCP) (Google Cloud)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Google Kubernetes Engine (GKE) (Google Cloud)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Guardicore Segmentation (Akamai; formerly Guardicore)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Identity (CyberArk)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

IDS (McAfee)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR

Imperva WAF (Thales)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Insider Threat Management (Proofpoint)
Ingestion methods: via SIEM
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

InsightVM (Rapid7)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: Vulnerability Prioritization

Intune (Microsoft)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Jira (Atlassian)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization
Setup guide: available in the help center

LastPass (LastPass)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center
Logz.io (Logz.io)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR

Meraki (Cisco)
Ingestion methods: Direct API; via SIEM (SIEM sources: Splunk Enterprise Security, Sumo Logic)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Microsoft 365 (Microsoft; formerly Office 365)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Network Detection and Response (Verizon; formerly ProtectWise)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Next Gen Firewall (Palo Alto Networks)
Ingestion methods: via SIEM (SIEM sources: Devo, Splunk Enterprise Security, Sumo Logic)
Supported versions: Version 6+
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Next Gen SWG (Netskope)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Next-Gen WAF (Fastly; formerly Signal Sciences WAF)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

OneLogin (One Identity)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR, Threat Hunting

OpsGenie (Atlassian)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization
Setup guide: available in the help center

Orca Security (Orca Security)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

PagerDuty (PagerDuty)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization
Setup guide: available in the help center
Panorama (Palo Alto Networks)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Ping One for Workforce (Ping Identity)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR

Polygraph (Lacework)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR

Prevent / Detect (Darktrace)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Prisma Access (Palo Alto Networks)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR

Prisma Cloud Compute (Palo Alto Networks; formerly Twistlock)
Ingestion methods: Direct API
Supported versions: Prisma Cloud Compute (self-hosted), Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Privileged Access (PAM) (CyberArk)
Ingestion methods: via SIEM (SIEM sources: Splunk Enterprise Security)
Operational capabilities: Data Ingestion

QRadar SIEM (IBM)
Ingestion methods: Direct API
Supported versions: QRadar on Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Request Tracker for Incident Response (open source)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization
Setup guide: available in the help center

Reveal(x) 360 (ExtraHop)
Ingestion methods: Direct API
Supported versions: On-prem, Cloud
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center
Reveal(x) Enterprise (ExtraHop)
Ingestion methods: Direct API
Supported versions: On-prem
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

SaaS Security (Palo Alto Networks; formerly Prisma SaaS)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Secure Access Service Edge (SASE) (iboss)
Ingestion methods: via SIEM (SIEM sources: Splunk Enterprise Security)
Operational capabilities: Data Ingestion
Expel services: MDR

Secure Endpoint (Cisco; formerly AMP for Endpoints)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Secure Internet Access (ZIA) (Zscaler)
Ingestion methods: via SIEM (SIEM sources: Microsoft Sentinel, Splunk Enterprise Security, Sumo Logic)
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Security Analytics (Exabeam; formerly Advanced Analytics)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Security Command Center Event Threat Detection (Google Cloud; formerly Event Threat Detection)
Operational capabilities: Data Ingestion
Expel services: MDR

Sentinel (Microsoft)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

SentinelOne (SentinelOne)
Ingestion methods: Direct API
Supported versions: Iguazu and later
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

ServiceNow ITSM (ServiceNow)
Ingestion methods: Direct API
Operational capabilities: Investigative Access, Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization

Shield (Salesforce)
Ingestion methods: Direct API
Supported versions: Salesforce Shield or real-time monitoring
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center
Singularity Hologram (SentinelOne; formerly Attivo BOTSink)
Ingestion methods: via SIEM (SIEM sources: Splunk Enterprise Security, Sumo Logic)
Supported versions: BOTsink
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Slack Enterprise Grid (Slack)
Ingestion methods: Direct API
Supported versions: Slack Enterprise Grid
Operational capabilities: Data Ingestion, Investigative Access, Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization
Setup guide: available in the help center

Snowflake (Snowflake)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Splunk Enterprise (Core) (Splunk)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR

Splunk Enterprise Security (Splunk)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Splunk On-Call (Splunk On-Call)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Vulnerability Prioritization, Threat Hunting
Setup guide: available in the help center

Striven (Striven)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Vulnerability Prioritization, Threat Hunting
Setup guide: available in the help center

Symantec Endpoint Protection (Broadcom; formerly Symantec Endpoint Protection Enterprise)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM, Splunk Enterprise Security, Sumo Logic)
Supported versions: Endpoint Protection versions 11 to 14
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Teams (Microsoft)
Ingestion methods: Direct API
Operational capabilities: Response Actions
Expel services: MDR, Phishing, Threat Hunting, Vulnerability Prioritization
Setup guide: available in the help center
Umbrella (Cisco)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

VMDR (Qualys)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: Vulnerability Prioritization
Setup guide: available in the help center

VMware Carbon Black Cloud (Broadcom; formerly CB ThreatHunter / CB Defense)
Ingestion methods: Direct API
Supported versions: Enterprise Standard, Enterprise EDR
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

VMware Carbon Black Endpoint (Broadcom; formerly CB Response)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Vulnerability Management (Tenable)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Web Filter (Forcepoint)
Ingestion methods: via SIEM (SIEM sources: Exabeam Fusion New-Scale SIEM)
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

Wiz (Wiz)
Ingestion methods: Direct API
Supported versions: Wiz Advanced Tier, CIEM, CNAPP, DSPM, CSPM / Vulnerability
Operational capabilities: Data Ingestion, Investigative Access, Alert Data Sync
Expel services: MDR

Workday (Workday)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center

Workforce Identity Cloud (Okta)
Ingestion methods: Direct API; via SIEM
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Workspace (formerly G Suite)
Ingestion methods: Direct API
Operational capabilities: Data Ingestion
Expel services: MDR, Threat Hunting
Setup guide: available in the help center

Workspace Alert Center (Google Cloud; formerly Admin Activity)
Ingestion methods: Direct API
Supported versions: Cloud Audit Logs OR Security Command Center Sensitive Actions Service
Operational capabilities: Data Ingestion
Expel services: MDR
Setup guide: available in the help center

XEM Core (Tanium)
Ingestion methods: Direct API
Supported versions: Cloud, On-prem
Operational capabilities: Data Ingestion, Investigative Access
Expel services: MDR
Setup guide: available in the help center
Not seeing an integration?
New integrations are added each month; reach out to discuss our capabilities.