This article explains how to connect Sumo Logic Cloud Infrastructure Security to Workbench.

Prerequisites

  • You must have the Enterprise account type of Sumo Logic Cloud Infrastructure Security. Other account types don't allow searches using the API, which is key to how Expel uses Sumo Logic Cloud Infrastructure Security. If you don't have the Enterprise account type, contact your Sumo Logic representative to upgrade.
  • If you are on a traditional Sumo Logic pricing model, the data Expel accesses must be in the Continuous (preferred) or Frequent data tiers. Expel cannot programmatically access data in the Infrequent data tier. Learn more about Sumo Logic data tiers.

Step 1: Enable Console Access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Sumo Logic Cloud Infrastructure Security console.

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.

Create a Role

  1. Log into the Sumo Logic Cloud Infrastructure Security device.

  2. Navigate to Administration > Users and Roles.

  3. Select the Roles tab and then select the Add Role button at the top right of the page.

  4. Complete the information:

    • Name - type "Expel".

    • Description - type "Expel".

    • Capabilities - check:

      • View Collectors - this gives Expel read-only access to your data.

      • Create access keys - this allows this account to create an API key for programmatic access.

  5. Select Save at the top to finish creating the role.

Create a User

You have two options for creating a new user.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.

Method: Self onboard
  Tasks:
    1. Create a user account that you have access to.
    2. Activate the account and generate API credentials to onboard yourself.
    3. Change the registered email address to an Expel email address so that Expel can manage the account and its API keys.
  Time frame: Immediate

Method: Expel onboard
  Tasks:
    1. Create an Expel user account.
    2. Expel generates the API credentials.
    3. Expel adds the device to Workbench.
  Time frame: 1 business day

Option 1: Self Onboarding

  1. Select the Users tab and then select the Add User button at the top right of the page.

  2. Complete the information:

    • First Name - enter "Expel".

    • Last Name - enter "SOC".

    • Email - provide your email address (youremailaddress@yourcompanyname.com).

    • Roles - select the Expel role you created in the previous step.

    • Select Add New User.

  3. Log out of Sumo Logic Cloud Infrastructure Security from your personal account.

  4. Go to your email and open the "Welcome to Sumo Logic Cloud Infrastructure Security!" email.

  5. Log in to https://service.sumologic.com with the username and password from the email.

  6. Set a new password for the account. Make note of this password because you later share it with Expel.

  7. Go to Step 2 to generate API credentials.

  8. Go to Step 3 to change the registered email address to an Expel email address.

Option 2: Expel Onboarding

  1. Select the Users tab and then select the Add User button at the top right of the page.

  2. Complete the information.

    • First Name - type "Expel".

    • Last Name - type "SOC".

    • Email - enter: "soc+<your_company_name>@expel.io".
      Note
      Yes, the "+" sign is part of the email address, and it's important. Learn more about email address variations.

    • For Roles, select the Expel role you created in the previous step.

    • Select Add New User.

  3. Notify your Expel customer success manager or Expel Support that you created the new user account.

    • Your Expel team will activate the account, generate API credentials, and add the device to Workbench.

    • You will receive a notification that the device is added in Workbench within one business day.

    • You can close this guide as Expel will continue this process for you.

Step 2: Generate API Credentials

The normal interaction with Sumo Logic Cloud Infrastructure Security is through the API. This step creates the Access Key that allows Expel to use the API.

Note
API access keys are associated with the user account that creates them.

  1. Make sure you're still logged into Sumo Logic Cloud Infrastructure Security as the new user created in the previous step.

  2. Navigate to Expel SOC > Preference and select Add Access Key at the top right of the page.

  3. For Name type "Expel API," leave Allowlisted CORS Domains blank, and select Create Key.

  4. Make note of the newly generated Access ID and Access Key, which are used for registration in Workbench in Step 4.

  5. Select Done.

Step 3: Change Email Address

Expel access to Sumo Logic emails enables us to rotate the password on the account when necessary.

  1. Under My Profile, select Change Email Address.

  2. For Your New Email, type "soc+<Your_Organization_Name>@expel.io".
    Note
    Yes, the "+" sign is part of the email address, and it's important. Learn more about email address variations.

  3. Type your current password to authorize the change.

  4. Select Submit.

Step 4: Configure the Technology in Workbench

Now that you have the correct access configured and noted the credentials, you can integrate your tech with Workbench.

  1. Log in to Workbench.

  2. In the side menu, navigate to Organization Settings > Security Devices.

  3. In the search box, type “Sumo Logic” and then select the Sumo Logic Cloud Infrastructure Security integration.

  4. A configuration pane displays. Complete the fields as follows:

    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Sumo Logic Cloud Infrastructure Security”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Username - enter the Access ID from Step 2.
    • Password - enter the Access Key from Step 2.
    • Server address - enter "https://service.us2.sumologic.com".
    • Data tier - configure this depending on your Sumo Logic pricing model:
      • Traditional Sumo Logic pricing:
        • Continuous is the preferred data tier and the default selection.
        • Frequent is supported by Expel, but isn't recommended.
        • Infrequent is not supported by Expel.
      • Sumo Logic Flex pricing - select All. Before selecting this option, be sure to configure index filters on all SIEM devices connected to your Sumo instance, so that Expel does not pull more data than you intend.
  5. Select Save.

Your device should be created successfully within a few seconds. A few reminders:

  • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
  • To check on the status, select the downward arrow for your device in the first column and choose View details.
  • Polling will happen first; data will be received after that. You must refresh the page to see updates.
  • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
  • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
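To confirm that the Access ID and Access Key from Step 2 actually permit API searches (the reason the Enterprise account type and the data-tier prerequisites exist) before sharing them with Expel, or when the device never starts polling, the following pre-flight check is an added example; it is not part of the Expel article or Sumo Logic's tooling. It assumes Sumo Logic's Search Job API (POST /api/v1/search/jobs with HTTP Basic auth as accessId:accessKey), that the API host mirrors the Server address from Step 4 (service.us2.sumologic.com becomes api.us2.sumologic.com), and the environment variable names SUMO_SERVER, SUMO_ACCESS_ID and SUMO_ACCESS_KEY are the author's choice.

```python
import base64, json, os, urllib.error, urllib.request
from datetime import datetime, timedelta, timezone

def api_base_from_service_url(service_url: str) -> str:
    # Assumption: the API host mirrors the console Server address from Step 4,
    # e.g. service.us2.sumologic.com -> api.us2.sumologic.com.
    host = service_url.rstrip("/").split("://", 1)[-1].split("/", 1)[0]
    return "https://api." + host.removeprefix("service.")

def basic_auth_header(access_id: str, access_key: str) -> str:
    # The Search Job API authenticates with HTTP Basic as accessId:accessKey.
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return "Basic " + token

def search_job_body(data_tier: str = "", minutes: int = 15) -> dict:
    # Tiny scoped query over the last few minutes; _dataTier=<tier> restricts
    # the search to that tier (empty means the default Continuous tier).
    now = datetime.now(timezone.utc)
    scope = f"_dataTier={data_tier} " if data_tier else ""
    return {"query": scope + "* | count",
            "from": (now - timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%S"),
            "to": now.strftime("%Y-%m-%dT%H:%M:%S"),
            "timeZone": "UTC"}

VERDICTS = {
    202: "OK: search job accepted; the key can run API searches",
    401: "FAIL: Access ID / Access Key rejected; re-check Step 2",
    403: "FAIL: forbidden; the account type or role does not allow API search",
    429: "RETRY: rate limited; try again shortly",
}

def verdict(status: int) -> str:
    return VERDICTS.get(status, f"UNKNOWN: HTTP {status}; inspect the response body")

def check_access_key(service_url, access_id, access_key, data_tier=""):
    url = api_base_from_service_url(service_url) + "/api/v1/search/jobs"
    req = urllib.request.Request(
        url, data=json.dumps(search_job_body(data_tier)).encode(), method="POST",
        headers={"Authorization": basic_auth_header(access_id, access_key),
                 "Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return verdict(resp.status)
    except urllib.error.HTTPError as err:  # a non-2xx status is the signal we want
        return verdict(err.code)

if __name__ == "__main__":  # credentials come from the environment, not argv
    print(check_access_key(os.environ.get("SUMO_SERVER", "https://service.us2.sumologic.com"),
                           os.environ["SUMO_ACCESS_ID"], os.environ["SUMO_ACCESS_KEY"]))
```

Run it with data_tier set to "Frequent" as well if you intend to select Frequent in Step 4, since a key that searches Continuous data may still be scoped away from other tiers.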

Step 5: Edit the Device to Add Console Access

Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.

  1. Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, select the down arrow and select Edit.

  2. In the Console Login area, complete the fields as follows:

    • Console URL - type the console URL from the Server address in the Connection Settings area above. At the end of the URL, type /login.

    • Username - type the user name you created above.

    • Password - type the password you created above.

    • Two-factor secret key (32-character code) - depending on how your organization enforces log-ins, this field may not apply to you. In these cases, you can leave it blank. This field is optional. If you have questions or concerns, reach out to your engagement manager or Expel support.

  3. Select Save.

Note
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!