This article explains how to connect Sumo Logic Cloud Infrastructure Security to Workbench.
Quick Start
- You must have the Enterprise account type of Sumo Logic Cloud Infrastructure Security. Other account types don't allow searches using the API, which is key to how Expel uses Sumo Logic Cloud Infrastructure Security. If you don't have the Enterprise account type, contact your Sumo Logic representative to upgrade.
- The data Expel accesses must be in the Continuous (preferred) or Frequent data tiers. Expel cannot programmatically access data in the Infrequent data tier. Learn more about Sumo Logic data tiers.
Step 1: Enable Console Access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Sumo Logic Cloud Infrastructure Security console.
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
Create a Role
- Log into the Sumo Logic Cloud Infrastructure Security device.
- Navigate to Administration > Users and Roles.
- Select the Roles tab and then select the Add Role button at the top right of the page.
- Complete the information.
  - For Name type Expel.
  - For Description type Expel.
  - For Capabilities check:
    - View Collectors: this gives Expel read-only access to your data.
    - Create access keys: this allows this account to create an API key for programmatic access.
- Select Save at the top to finish creating the role.
Create a User
You have two options for creating a new user.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.
Method | Tasks | Time frame
---|---|---
Self onboard | | Immediate
Expel onboard | | 1 business day
Option 1: Self Onboarding
- Select the Users tab and then select the Add User button at the top right of the page.
- Complete the information.
  - For First Name type Expel.
  - For Last Name type SOC.
  - For Email type: youremailaddress@yourcompanyname.com.
  - For Roles select the Expel role you created in the previous step.
  - Select Add New User.
- Log out of Sumo Logic Cloud Infrastructure Security from your personal account.
- Go to your email and open the "Welcome to Sumo Logic Cloud Infrastructure Security!" email.
- Log in to https://service.sumologic.com with the username and password from the email.
- Set a new password for the account. Make note of this password because you later share it with Expel.
- Go to Step 2 to generate API credentials.
- Go to Step 3 to change the registered email address to an Expel email address.
Option 2: Expel Onboarding
- Select the Users tab and then select the Add User button at the top right of the page.
- Complete the information.
  - For First Name type Expel.
  - For Last Name type SOC.
  - For Email enter: soc+<your_company_name>@expel.io.
    Note
    Yes, the "+" sign is part of the email address, and it's important. Learn more about email address variations.
  - For Roles select the Expel role you created in the previous step.
  - Select Add New User.
- Notify the Expel customer success engineer or your engagement manager that you created the new user account.
- Your Expel team activates the account, generates API credentials, and adds the device to Workbench.
- You will receive a notification that the device is added in Workbench within one business day.
- You can close this article because Expel continues this process for you.
Step 2: Generate API Credentials
The normal interaction with Sumo Logic Cloud Infrastructure Security is through the API. This step creates the Access Key that allows Expel to use the API.
Note
API access keys are associated with the user account that creates them.
- Make sure you're still logged into Sumo Logic Cloud Infrastructure Security as the new user created in the previous step.
- Navigate to Expel SOC > Preference and select Add Access Key at the top right of the page.
- For Name type Expel API, leave Allowlisted CORS Domains blank, and select Create Key.
- Make note of the newly generated Access ID and Access Key, which are used for registration in Workbench in Step 4.
- Select Done.
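Before the Access ID and Access Key are shared, an administrator can confirm that they authenticate and that the role behind them is no broader than the one created in Step 1. The script below is an added example, not part of this article or of Expel's or Sumo Logic's tooling; it assumes the Sumo Logic API host is the "api." counterpart of the "service." console host, that the key is sent as HTTP Basic auth, and that a role holding only View Collectors and Create access keys is denied when listing users.

```python
# Added example (not part of the Expel article or Sumo Logic tooling): sanity-check
# a newly created access key before it is handed to Workbench. Assumptions: the API
# host is the "api." counterpart of the "service." console host (for example
# service.us2.sumologic.com -> api.us2.sumologic.com) and the key is sent as HTTP
# Basic auth accessId:accessKey. Credentials come from environment variables.
import base64
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse


def api_base_from_server(server_url: str) -> str:
    """Map the console 'Server address' from Step 4 to its API base URL."""
    host = urlparse(server_url).hostname or ""
    if not host.startswith("service."):
        raise ValueError(f"unexpected Sumo Logic console host: {host!r}")
    return "https://api." + host[len("service."):] + "/api/v1"


def basic_auth_header(access_id: str, access_key: str) -> str:
    """Access ID and Access Key are used as the Basic auth username/password."""
    return "Basic " + base64.b64encode(f"{access_id}:{access_key}".encode()).decode()


def probe(url: str, auth_header: str, timeout: int = 15) -> int:
    """GET the URL with the key and return the HTTP status (4xx/5xx included)."""
    req = urllib.request.Request(
        url, headers={"Authorization": auth_header, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_key(server_url: str, access_id: str, access_key: str) -> dict:
    """collectors: 200 expected (View Collectors capability, read-only).
    users: 403 expected for the Expel role (assumption: listing users needs a
    capability the role lacks); 200 means the role is broader than this guide needs."""
    base = api_base_from_server(server_url)
    auth = basic_auth_header(access_id, access_key)
    return {"collectors": probe(f"{base}/collectors?limit=1", auth),
            "users": probe(f"{base}/users?limit=1", auth)}


if __name__ == "__main__":
    server = os.environ.get("SUMO_SERVER", "https://service.us2.sumologic.com")
    print(check_key(server, os.environ["SUMO_ACCESS_ID"], os.environ["SUMO_ACCESS_KEY"]))
```

Run it with SUMO_ACCESS_ID and SUMO_ACCESS_KEY set (and SUMO_SERVER if your console is not the us2 deployment); a 401 on both endpoints means the key itself is wrong, and a 200 on users means the role carries more than the read-only access this article calls for.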
Step 3: Change Email Address
Expel access to Sumo Logic emails enables us to rotate the password on the account when necessary.
- Under My Profile, select Change Email Address.
- For Your New Email, type soc+<Your_Organization_Name>@expel.io.
  Note
  Yes, the "+" sign is part of the email address, and it's important. Learn more about email address variations.
- Type your current password to authorize the change.
- Select Submit.
Step 4: Configure the Technology in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.
- In a new browser tab, log into https://workbench.expel.io.
- On the console page, navigate to Settings and select Security Devices.
- At the top of the page, select + Add Security Device.
- Search for and select Sumo Logic Cloud Infrastructure Security.
- Type Name and Location. For example, Sumo Logic Cloud Infrastructure Security and Expel Lab.
- In the Connection Settings area, type the Access ID from Step 2 for the Username.
- In the Connection Settings area, type the Access Key from Step 2 for the Password.
- For Server address type https://service.us2.sumologic.com.
- Select the Data Tier to run queries against within the Sumo Logic Cloud Infrastructure Security instance.
  - Continuous is the preferred data tier and the default selection.
  - Frequent is supported by Expel, but isn't recommended.
  - Infrequent is not supported by Expel.
  Note
  If you need to support multiple data tiers, onboard a device for each tier.
- Select Save.
- You can provide console access now or set it up later. Use the instructions below to set it up later.
You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.
To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and select View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup as we tune your device.
Step 5: Edit the Device to Add Console Access
Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.
- Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, select the down arrow and select Edit.
- In the Console Login area, complete the fields as follows:
  - Console URL - type the console URL from the Server address in the Connection Settings area above. At the end of the URL, type /login.
  - Username - type the user name you created above.
  - Password - type the password you created above.
  - Two-factor secret key (32-character code) - depending on how your organization enforces log-ins, this field may not apply to you. In these cases, you can leave it blank. This field is optional. If you have questions or concerns, reach out to your engagement manager or Expel support.
- Select Save.
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!