Integrations portfolio

You’ve invested in technology that’s right for your environment. We make it work harder. Here are the products we have integrations with and we’re continually adding to the list.

Cloud integrations

We’ve got you covered in the cloud. We ingest signal from your cloud infrastructure and SaaS apps and watch for signs of suspicious activity and unusual user behavior. We’ll also let you know about possible policy violations.

Amazon Web Services

Expel uses API integrations to connect directly to the AWS platform like GuardDuty, Amazon Inspector and CloudTrail. We apply our detection strategy to identify and chase down security risks unique to AWS.

Azure

Expel uses built-in APIs to connect to your Azure environment. We collect to a number of Microsoft services like Security Center, ATP and MCAS to detect and chase down alerts.

Google Cloud Platform

We leverage an API integration to collect data from GCP services like Event Threat Detection and Admin Activity Audit Logs. Applying our detection strategy we connect the dots from suspicious alerts back to the root cause.

Lacework

Expel ingest alert signal from Lacework through it’s direct integration to triage alerts and provide you with answers.

Orca Security

Expel monitors Orca Security alerts, allowing SOC analysts to quickly and efficiently gather data for triage and investigation of alerts.

Prisma Cloud Compute

Endpoint integrations

We’ll ingest the alert signal from your endpoint solution, add context and surface up the alerts that matter so our analysts can quickly chase them down. We also exercise endpoint products’ investigative capabilities so we can give you answers.

Cisco AMP

Expel consumes alerts generated by Cisco AMP to Workbench where our analysts leverage the signal from AMP to triage alerts and provide you with answers.

CrowdStrike Falcon

Expel provides 24×7 monitoring and response with our direct integration of CrowdStrike Falcon endpoint platform. Our analysts leverage CrowdStrike Falcon to investigate and determine what happened … providing you with answers, not alerts.

Crowdstrike Falcon Identity Protection

Expel integrates with CrowdStrike Falcon Identity Protection to detect suspicious account activity from IPs with bad reputation, brute force attacks, escalation of privileges, and more.

CyberArk PAM

Expel ingests your alerts from CyberArk via Splunk into Workbench to detect suspicious activity

Cybereason

CylancePROTECT AV

Expel integrates directly with Cylance Protect AV. We ingest the alerts from Cylance and investigate suspicious activity.

Elastic (formerly Endgame)

Expel analysts monitor your environment 24×7 with our direct integration to Elastic Endpoint Security (formerly Endgame). We ingest your alerts, apply enrichment and investigate suspicious activity.

FireEye HX

Expel direct integration with FireEye HX takes the existing alerts and provides 24×7 monitoring and response. Our analysts leverage FireEye HX to investigate and determine what happened … providing you with answers, not alerts.

Microsoft Defender for Endpoint

Expel directly integrates with Microsoft Defender for Endpoint. Our analysts leverage the signal from Defender to triage alerts and provide you with answers.

Palo Alto Network Cortex XDR Pro

Expel integrates directly with Palo Alto Network Cortex XDR Pro to provide 24×7 monitoring and response. We ingest the alerts from Cortex XDR Pro and investigate suspicious activity … reducing the workload for your security team.

SentinelOne

Expel consumes alerts generated by SentinelOne to Workbench where our analysts leverage the signal from SentinelOne to triage alerts and provide you with answers.

Symantec Endpoint Protection

Expel consumes alerts generated by Symantec Endpoint Protection via your SIEM. Our analysts leverage the signal from SentinelOne to triage alerts and provide you with answers.

Tanium Core

Expel integrates directly with Tanium Core to provide 24×7 monitoring and response. We ingest the alerts from Tanium Core and investigate suspicious activity … reducing the workload for your security team.

Trellix HX

Expel direct integration with Trellix HX takes the existing alerts and provides 24×7 monitoring and response. Our analysts leverage FireEye HX to investigate and determine what happened … providing you with answers, not alerts.

Trend Micro Apex One

vmware Carbon Black

Expel integrates directly with and CB Defense, Carbon Black EDR and Carbon Black Cloud. We ingest the alerts from these products and investigate suspicious activity … reducing the workload for your security team.

Wazuh

Expel consumes alerts generated by Wazuh to Workbench where our analysts leverage the signal from Wazuh to triage alerts and provide you with answers.

Kubernetes integrations

Expel monitors your Kubernetes clusters, enabling you to adopt Kubernetes at scale without security concerns. Our platform generates answers, not alerts, working with your Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) infrastructure.

Amazon Elastic Kubernetes Service (EKS)

Azure Kubernetes Service (AKS)

Google Kubernetes Engine (GKE)

Network integrations

We sift through all of the noise coming from your network devices, find suspicious activity and follow the investigative trail to determine what happened. We’ll provide context about the incident and what actions to take.

Active Directory

Attivo BOTSink

We pull alerts from Attivo BOTSink via Sumo Logic or Splunk to detect suspicious activity in your environment.

Check Point

Expel ingests your alerts from Check Point AV, Anti-bot, IPS and SandBlast via Sumo Logic into Workbench to detect suspicious activity.

Cisco ASA

Expel ingest the alerts from Cisco ASA. Our analysts use Cisco ASA and Umbrella to investigate suspicious activity to determine what happened.

Cisco Firepower

Expel ingest the alerts from Cisco FirePower. Our analysts use Cisco ASA and Umbrella to investigate suspicious activity to determine what happened.

Cisco Meraki

Expel ingest the alerts from Cisco Meraki. Our analysts use Cisco ASA and Umbrella to investigate suspicious activity to determine what happened.

Cisco Umbrella

Expel ingest the alerts from Cisco Umbrella. Our analysts use Cisco ASA and Umbrella to investigate suspicious activity to determine what happened.

Cloudflare WAF

Expel uses the security events in Cloudflare to provide additional context and correlation during alert triage

 

ExtraHop

Expel integrates with ExtraHop via API to identify interesting events such as searching for a specific user in a given time range.

Forcepoint W Filter

Expel integrates with Forcepoint Web Filter via Exabeam. We ingest the alerts and investigate suspicious activity … reducing the workload for your security team.

Fortinet FortiGate

We pull alerts from FortiGate via the SIEM to detect and investigate suspicious activity.

Guardicore

iBoss

Expel ingest your iBoss alerts via Splunk into Workbench to detect suspicious activity.

Imperva WAF

Expel uses the security events in Imperva to provide additional context and correlation during alert triage.

McAfee IDS

We pull alerts from McAfee IDS via Exabeam Data Lake to detect suspicious activity in your environment.

Netskope SWG

We pull alerts from Netskope SWG to detect suspicious activity in your environment.

Palo Alto Firewall

Expel collects data via direct API integrations with Palo Alto SaaS Security to provide you 24×7 detection and response.

Palo Alto Networks Prisma Access

Expel integrates directly with Palo Alto Networks firewall and Prisma Access. We ingest the alerts and investigate suspicious activity … reducing the workload for your security team.

ProtectWise

Expel’s direct integration with Protectwise allows our analyst team to take existing rules that come off of Protectwise and determine what events serve as investigative leads, supporting evidences, and events that should be dropped all together.

Signal Sciences WAF

Via its direct integration with Signal Sciences Web Application Firewall (WAF), our analysts leverage Signal Sciences to investigate and determine what happened … providing you with answers, not alerts.

ZScaler

Expel integrates with Zscaler via Sumo Logic or Splunk. We ingest the alerts and investigate suspicious activity … reducing the workload for your security team.

Other integrations

We work with different ticketing, authentication, and call management products, so we fit seamlessly into your processes. Interested in another type of integration? Let’s talk.

Jira

With our JIRA integration, Expel is able to integrate with your ticketing system, enabling us to automatically create a ticket in your ticketing system when we create a remediation action, making us more of a seamless extension of your security team.

Opsgenie

Our Opsgenie integration provides notifications to your team when we discover an incident in your environment or assign an action.

PagerDuty

Our PagerDuty integration lets you choose how you want to be notified (via phone or text) about incidents we find in your environment.

ServiceNow

Expel integrates bi-drectionally with your ServiceNow integration to simplify life for your analysts through ingesting and resolving ServiceNow tickets. Expel Workbench can also ingest ServiceNow tickets as alerts.

Tenable

Expel integrates with Tenable Vulnerability Management (formerly Tenable.io) importing information from customer vulnerability scans. This data is used as an input into our MDR for On-Prem and Vulnerability Prioritization services.

SaaS integrations

We ingest signal from your SaaS apps and watch for signs of suspicious activity and unusual user behavior. We’ll also let you know about possible policy violations.

1Password

Expel integrates with 1Password to detect successful authentication with suspicious user agent string, changes to sensitive configurations, authentication from suspicious countries and more.

Active Directory

Auth0

Expel integrates with Auth0 to detect successful authentication with suspicious user agent string, changes to sensitive configurations, authentication from suspicious countries and more.

Azure

Expel uses built-in APIs to connect to your Azure environment. We collect to a number of Microsoft services like Security Center, ATP and MCAS to detect and chase down alerts.

Box

Expel uses built-in APIs to connect to your Box environment. We’ll triage alerts and provide you with answers.

CyberArk Identity

Dropbox

Our direct integration to Dropbox enables us to ingest activity events and alerts in order to monitor and secure your environment.

Duo

Expel’s direct integration with Duo enables us to ingest activity events and alerts in order to monitor your environment, provide investigative support and keep your devices secure.

GitHub

Expel directly integrates with GiHub and provides 24×7 monitoring. We apply our detection strategy to identify and chase down suspicious activity.

GitLab

Google Workspace

Our partnership with Google Workspace leverages APIs to consume and querying data from the Admin APIs. We apply our cloud detection methodology to detect and investigate threats in your environment.

LastPass

Expel integrates with LastPass to detect successful authentication with suspicious user agent string, changes to sensitive configurations, authentication from suspicious countries and more.

Microsoft 365

Expel collects data via direct API integrations with the Microsoft 365 platform. We leverage alerts and audit logs from Microsoft to provide you 24×7 detection and response.

Microsoft Defender for Cloud Apps

Microsoft Intune

Expel integrates with Microsoft Intune via API to monitor audit events and alerts.

Netskope CASB

Expel uses built-in APIs to connect to Netskope CASB. We ingest alerts to identify unusual activity.

Okta

Expel uses the admin and user activity data produced by Okta to augment the product during our own detections and gather more context on user authentication activity.

OneLogin

The OneLogin direct integration with Expel enables us to investigate standard activity logs and identify any malicious uses of the OneLogin application.

Ping Identity

Expel’s integration with Ping Identity enables us to ingest events to monitor your environment, provide investigative support and keep your devices secure.

Salesforce

The Salesforce integration identifies suspicious authentication requests including both the user and IP address behind the authentication event, credential stuffing and more.

Slack

Expel integrates with Slack via API to protect against suspicious IP address, time range and location-based authentication requests.

Snowflake

Expel integrates with Snowflake to protect against authentication from suspicious IP addresses, suspicious user agent strings, changes to sensitive configurations, and more.

Varonis

Expel integrates directly with Varonis. Our analysts leverage the signal to triage alerts and provide you with answers.

Workday

The Workday integration monitors suspicious IP addresses, domain names, and user agent strings.

SIEM integrations

We’ll connect directly to your SIEM whether it lives on-prem or in the cloud. We ingest data, and run ad-hoc queries to detect suspicious activity and gather investigative data to uncover attackers’ footprints.

Azure Log Analytics

Our analysts leverage our direct integration with Azure Log Analytics (ALA) to dig deeper when performing investigations.

Azure Sentinel

Expel integrates directly with Azure Sentinel. Our analysts leverage the signal from Sentinel to triage alerts and provide you with answers.

Darktrace

Expel direct integration with DarkTrace takes the existing alerts and provides 24×7 monitoring and response. Our analysts leverage DarkTrace to investigate and determine what happened … providing you with answers, not alerts.

Datadog

DEVO

Expel direct integration with DEVO enables our analysts to query log data when performing investigations.

Elastic

Expel integrates directly with Elastic SIEM. Our analysts leverage the signal from Elastic to triage alerts and provide you with answers.

Exabeam Fusion XDR

Expel’s integration with Exabeam Advanced Analytics (UBA) and Exabeam Data Lake enables our analysts to run automated
and ad-hoc queries against your Exabeam data to detect suspicious activity.

IBM QRadar

Our analysts leverage our direct integration with IBM Qradar and QRadar on the Cloud (QRoc) to detect suspicous activity and dig deeper when performing investigations.

IBM QRadar on Cloud (QRoC)

Logz

Netskope

Expel uses built-in APIs to connect to Netskope CASB. We ingest alerts to identify unusual activity.

Proofpoint Insider Threat Management

Expel consumes alerts generated by Proofpoint Insider Threat Management to Workbench where our analysts leverage the signal to triage alerts and provide you with answers.

Securonix

Expel consumes alerts generated by Securonix to Workbench where our analysts leverage the signal to triage alerts and provide you with answers.

Splunk Core

Expel integration Splunk’s Core and Enterprise Security enables our analysts to gather additional information when performing an investigation, providing you with answers … not alerts.

Sumo Logic Cloud SIEM Enterprise

Expel directly integrates with Sumo Logic. When an alert turns into an investigation, our analysts run automated and ad-hoc queries against your Sumo Logic data to gather additional information, providing you with answers … not alerts.

Wazuh

Expel consumes alerts generated by Wazuh to Workbench where our analysts leverage the signal from Wazuh to triage alerts and provide you with answers.