This procedure helps you to connect your Cisco FirePower via SIEM to the Expel Workbench. The procedure is to port in logs by creating a new Syslog source, configuring that source in Workbench, then configure your Cisco FirePower via SIEM device in Workbench.


Some steps in this procedure vary greatly depending upon the SIEM-based technology you use.

Step 1: Logging Cisco FirePower to a desired SIEM

Refer to your SIEM documentation or work with your SIEM representative to port in Cisco FirePower logs. You can also refer to the following web references for creating a new Syslog source:

Step 2: Configure the SIEM in Workbench

This link opens the Expel Knowledge Base section for connecting SIEM-based technology to Workbench. Follow the applicable article to configure your SIEM-based tech and confirm that Cisco FirePower logs are flowing through and available.

Step 3: Configure Cisco FirePower via SIEM in Workbench


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, go to

  2. Click +Add Security Device.

  3. Find and select Cisco FirePower (via SIEM).

  4. Fill in the device fields like this:

    • For SIEM, select the SIEM that was onboarded in Step 2.

    • For Name, type the host name of the Cisco FirePower device.

    • For Location, type the geographic location of the device.

  5. Fill in the Connection Settings fields based on the SIEM you selected:

    • For Index, type in the SIEM index.

    • For Source type, type the Splunk source type for this device.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!