This guide covers how to connect Sumo Logic Cloud Infrastructure Security to Workbench.
Prerequisites
- You must have the Enterprise account type of Sumo Logic Cloud Infrastructure Security. Other account types don't allow searches using the API, which is key to how Expel uses Sumo Logic Cloud Infrastructure Security. If you don't have the Enterprise account type, contact your Sumo Logic representative to upgrade.
- If you are on a traditional Sumo Logic pricing model, the data Expel accesses must be in the Continuous (preferred) or Frequent data tiers. Expel cannot programmatically access data in the Infrequent data tier. Learn more about Sumo Logic data tiers.
Step 1: Enable Console Access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Sumo Logic Cloud Infrastructure Security console.
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.
Create a Role
- Log into the Sumo Logic Cloud Infrastructure Security device.
- Navigate to Administration > Users and Roles.
- Select the Roles tab and then select the Add Role button at the top right of the page.
- Complete the settings as follows:
  - Name - enter "Expel".
  - Description - enter "Expel".
  - Scroll down to the Capabilities section and select:
    - View Collectors - this gives Expel read-only access to your data.
    - Create Access Keys - this allows this role to create an API key for programmatic access.
- Select Save at the top to finish creating the role.
Create a User
You have two options for creating a new user:

| Method | Tasks | Time frame |
|---|---|---|
| Self onboarding | You activate the account, generate the API credentials and add the device in Workbench yourself (Steps 2 to 5). | Immediate |
| Expel onboarding | Expel activates the account, generates the API credentials and adds the device to Workbench for you. | 1 business day |
Option 1: Self Onboarding
- Select the Users tab and then select Add User at the top right of the page.
- Complete the settings as follows:
  - First Name - enter "Expel".
  - Last Name - enter "SOC".
  - Email - provide your email address (youremailaddress@yourcompanyname.com).
  - Assigned Roles - select the "Expel" role you created in the previous step.
  - Select Save.
- Log out of Sumo Logic Cloud Infrastructure Security from your personal account.
- Go to your email and open the welcome email from Sumo Logic.
- Activate your new user account and set a new password. Make note of this password because you will later share it with Expel.
- Go to Step 2 and proceed from there.
Option 2: Expel Onboarding
- Select the Users tab and then select Add User at the top right of the page.
- Complete the settings as follows:
  - First Name - enter "Expel".
  - Last Name - enter "SOC".
  - Email - enter "soc+<your_company_name>@expel.io". For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
  - Assigned Roles - select the "Expel" role you created in the previous step.
  - Select Add New User.
- Notify your Expel Customer Success Manager (CSM) or Expel Support that you created the new user account.
- Your Expel team will activate the account, generate API credentials, and add the device to Workbench.
- You will receive a notification that the device is added in Workbench within one business day.
- You can close this guide, as Expel will continue this process for you.
Step 2: Generate API Credentials
The normal interaction with Sumo Logic Cloud Infrastructure Security is through the API. This step creates the Access Key that allows Expel to use the API.
Note
API access keys are associated with the user account that creates them.
- Make sure you're logged into Sumo Logic Cloud Infrastructure Security as the new user created in the previous step.
- Select the user profile icon in the top right, and select Personal Access Keys.
- Select Add Access Key.
- Configure the key as follows:
  - Name - enter "Expel API".
  - Leave Allowed CORS Domains blank.
  - Leave Scopes set to Default.
  - Select Save.
- On the next page, make note of the newly generated Access ID and Access Key in a safe place, as they will be used when adding the device in Workbench in Step 4.
- Select Done.
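Before the Access ID and Access Key are handed over, it is worth confirming that the key authenticates and that the Expel role's View Collectors capability is actually in effect, since a key that is accepted but lacks that capability will fail only later, as a device that never polls. The following is an added example, not part of this guide or of Expel's own tooling; it assumes Sumo Logic's Collector Management API endpoint /api/v1/collectors, served from the api.<deployment>.sumologic.com host that pairs with the service.<deployment> console host (the Server address used in Step 4), with HTTP Basic authentication using the Access ID as the username and the Access Key as the password. The fetch parameter lets the logic be exercised offline with a stubbed response.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError

# Server address from Step 4 of the guide.
SERVICE_URL = "https://service.us2.sumologic.com"

def api_base_from_service_url(service_url: str) -> str:
    """Map console host service.<deployment>.sumologic.com to API host
    api.<deployment>.sumologic.com (us1 carries no deployment label)."""
    host = service_url.rstrip("/").split("://", 1)[-1]
    if host == "service.sumologic.com":
        return "https://api.sumologic.com"
    if not host.startswith("service.") or not host.endswith(".sumologic.com"):
        raise ValueError(f"unexpected Sumo Logic host: {host}")
    return "https://api." + host[len("service."):]

def basic_auth_header(access_id: str, access_key: str) -> str:
    """Access keys are sent as HTTP Basic credentials in the form id:key (assumed)."""
    return "Basic " + base64.b64encode(f"{access_id}:{access_key}".encode()).decode()

def _http_get(url: str, headers: dict) -> tuple:
    """Real transport: returns (status, body). Replaced in offline tests via fetch=."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()

def check_view_collectors(service_url, access_id, access_key, fetch=_http_get):
    """Return (ok, detail). ok is True only when the key authenticates AND the
    role can list collectors, i.e. the View Collectors capability is in effect."""
    url = api_base_from_service_url(service_url) + "/api/v1/collectors?limit=1"
    headers = {"Authorization": basic_auth_header(access_id, access_key),
               "Accept": "application/json"}
    status, body = fetch(url, headers)
    if status == 401:
        return False, "401: Access ID/Access Key rejected (typo, or key revoked)"
    if status == 403:
        return False, "403: key accepted but the role lacks View Collectors"
    if status != 200:
        return False, f"unexpected HTTP {status}"
    data = json.loads(body)
    if not isinstance(data.get("collectors"), list):
        return False, "200 but no 'collectors' list in the response"
    return True, f"ok: key can read collectors ({len(data['collectors'])} returned)"
```

Run it against the real deployment with `check_view_collectors(SERVICE_URL, access_id, access_key)`; a 403 here means the role, not the key, needs fixing.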
Step 3: Change Email Address
Email access to the Sumo Logic account enables us to rotate the password on the account when necessary.
- Select the user profile icon in the top right and select Preferences.
- Select Change Email.
- For Your New Email, type "soc+<Your_Organization_Name>@expel.io". For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
- Type your current password to authorize the change.
- Select Submit.
Step 4: Add Sumo Logic Cloud Infrastructure Security as a Security Device in Workbench
Now that you have the correct access configured and noted the credentials, you can integrate your tech with Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- In the search box, type "Sumo Logic" and then select the Sumo Logic Cloud Infrastructure Security integration.
- A configuration pane displays. Complete the fields as follows:
  - Name - enter a name that helps you identify this integration, such as "CompanyName Sumo Logic Cloud Infrastructure Security"; this name will display in Workbench under the Name column, and is a text string that you can filter on.
  - Location - enter the location of your integration, for example "cloud"; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
  - Username - enter the Access ID from Step 2.
  - Password - enter the Access Key from Step 2.
  - Server address - enter "https://service.us2.sumologic.com".
  - Data tier - configure this depending on your Sumo Logic pricing model:
    - If you have Traditional Sumo Logic pricing:
      - Continuous is the preferred data tier and the default selection.
      - Frequent is supported by Expel, but isn't recommended.
      - Infrequent is not supported by Expel.
    - If you have Sumo Logic Flex pricing, select All. Before selecting this option, be sure to configure index filters on all SIEM devices connected to your Sumo Logic instance, so that Expel does not pull more data than you intend.
- Select Save.
Your device should be created successfully within a few seconds. A few reminders:
- After your connection is healthy, it will take some time for your device to begin polling and receiving data.
- To check on the status, select the downward arrow for your device in the first column and choose View details.
- Polling will happen first; data will be received after that. You must refresh the page to see updates.
- If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
- To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
Step 5: Edit the Device to Add Console Access
Expel requires console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion. Learn more in Why Expel Asks for Console Access.
- In Workbench, navigate to Organization Settings > Security Devices. Next to the device you just connected, select the down arrow and select Edit from the dropdown.
- In the Console Login area, complete the fields as follows:
  - Console URL - enter the console URL from the Server address in the Connection Settings area above. At the end of the URL, enter "/login".
  - Username - enter the username for the new user you created in Step 1.
  - Password - enter the password for the new user.
  - Two-factor secret key (32-character code) - this field is optional. Depending on how your organization enforces logins, it may not apply to you; in that case, leave it blank. If you have questions or concerns, reach out to your engagement manager or Expel support.
- Select Save.