1. Expel Help Center
  2. Connect Your Technology
  3. Q-Z Integrations
  4. Sumo Logic

Sumo Logic Cloud SIEM Enterprise Setup for Workbench

This guide covers how to connect Sumo Logic Cloud SIEM Enterprise to Expel Workbench.

Quick Links

  1. Create a New Role in Sumo Logic
  2. Create a New User in Sumo Logic

Step 1: Create a New Role in Sumo Logic

This step creates a role that provides permissions to SOC analysts in order to fully triage and research events that result in an Expel Alert. For more information, see Why Expel Asks for Console Access. This step also adds a permission allowing Expel to obtain API credentials and complete the integration.

  1. Log in to the Sumo Logic Cloud Intelligence Platform console.
  2. Navigate to Administration > Users and Roles > Roles and and select the Add Role button at the top right of the page.
    add-role.png
  3. On the Create New Role screen, configure the settings as follows:
    1. Name - enter "View CSE Role".
    2. Description (optional) - enter a description for the role.
    3. Under Capabilities, scroll to the Security section and select Create Access Keys.
    4. Scroll down to the Cloud SIEM Enterprise section and check View Cloud SIEM Enterprise.
    5. Expand the dropdown for Content permissions and select the following:
      • View Rules
      • View Threat Intelligence (recommended, not required)
      • View Match Lists
      • View File Analysis
      • View Custom Insights
      • View Network Blocks
      • View Suppressed Entities
    6. Expand the dropdown for Configuration permissions and select those listed below. The permissions in this section are recommended, but not required.
      • View Mappings
      • View Workflow
      • View Context Actions
      • View Actions
      • View Enrichments
      • View Custom Entity Types
      • View Entity
      • View Entity Normalization
      • View Entity Criticality
      • View Tag Schemas
      • View Entity Groups
      • View Automations
  4. Select Save.

Step 2: Create a New User in Sumo Logic

In this step you will create a new Sumo Logic user and assign it the role you created in Step 1.

  1. Navigate to Administration > Users and Roles > Users and select the Add User button at the top right of the page.
    add_user.png
  2. On the Create New User screen, configure the settings as follows:
    • First Name - enter "Expel".
    • Last Name - enter "SOC Analysts"
    • Email - enter "soc+<your_company_name>@expel.io".
      • For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
    • Assigned Roles - select Analyst and View CSE Role.
      user_config2.png
  3. Select Save.
  4. Verify that "Expel SOC Analysts" now appears on the Users page with the appropriate roles applied. Sumo Logic automatically sends an invitation to the Expel SOC email address, allowing them activate the account and set a new password. 

Using the account and permissions you granted, Expel will generate the required Access Key and complete onboarding your device in Workbench. You will receive a notification that the device is added in Workbench within one business day.

 

Once your device is created, you can monitor it in Workbench. A few reminders:

  • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
  • To check on the status, select the downward arrow for your device in the first column and choose View details.
  • Polling will happen first; data will be received after that. You must refresh the page to see updates.
  • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
  • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Related articles