This article explains how to connect Sumo Logic Cloud Infrastructure Security to Workbench.

You must have the Enterprise account type of Sumo Logic Cloud Infrastructure Security. Other account types don't allow searches using the API, which is key to how Expel uses Sumo Logic Cloud Infrastructure Security. If you don't have the Enterprise account type, contact your Sumo Logic representative to upgrade.

Step 1: Enable console access

This procedure creates a user account for Expel that keeps the Expel activity separate from other activity happening on the Sumo Logic Cloud Infrastructure Security console.

Create a role

  1. Log into the Sumo Logic Cloud Infrastructure Security console with an account that can manage users and roles.

  2. Navigate to Administration > Users and Roles.

  3. Click the Roles tab and then click the Add Role button at the top right of the page.

  4. Complete the information.

    • For Name type Expel.

    • For Description type Expel.

    • For Capabilities check:

      • View Collectors: this gives the account read-only visibility of your collectors and sources; it grants no ability to change them.

      • Create access keys: this allows this account to create an API key for programmatic access.

  5. Click Save at the top to finish creating the role.

Create a user

You have 2 options for creating a new user.

Note

Expel stores all login information our SOC analysts need for your devices in an MFA-protected password vault, and access to that vault is governed by our internal MFA processes. To learn which IP addresses Expel traffic originates from, see Expel's published list of source IP addresses.

Method: Self onboard (time frame: immediate)

  1. Create a user account that you have access to.

  2. Activate the account and generate API credentials to onboard yourself.

  3. Change the registered email address to an Expel email address so that Expel can manage the account and its API keys.

Method: Expel onboard (time frame: 1 business day)

  1. Create an Expel user account.

  2. Expel generates the API credentials.

  3. Expel adds the device to Workbench.

Option 1: Self onboarding

  1. Click the Users tab and then click the Add User button at the top right of the page.

  2. Complete the information.

    • For First Name type Expel.

    • For Last Name type SOC.

    • For Email type: youremailaddress@yourcompanyname.com.

    • For Roles select the Expel role you created in the previous step.

    • Click Add New User.

  3. Log out of Sumo Logic Cloud Infrastructure Security from your personal account.

  4. Go to your email and open the "Welcome to Sumo Logic Cloud Infrastructure Security!" email.

  5. Log into https://service.sumologic.com with the username and password from the email.

  6. Set a new password for the account. Make note of this password because you later share it with Expel.

  7. Go to step 2 to generate API credentials.

  8. Go to step 3 to change the registered email address to an Expel email address.

Option 2: Expel onboarding

  1. Click the Users tab and then click the Add User button at the top right of the page.

  2. Complete the information.

    • For First Name type Expel.

    • For Last Name type SOC.

    • For Email enter: soc+<your_company_name>@expel.io.

      Tip

      Yes, the "+" sign is part of the email address, and it's important: it is mail sub-addressing, so messages to soc+<your_company_name>@expel.io are delivered to Expel's SOC mailbox with your company name as the tag that identifies which customer the account belongs to.

    • For Roles select the Expel role you created in the previous step.

    • Click Add New User.

  3. Notify the Expel customer success engineer or your engagement manager that you created the new user account.

    • Your Expel team activates the account, generates API credentials, and adds the device to Workbench. You receive a notification that the device is added in Workbench within 1 business day. You can close this article because Expel continues this process for you.

Step 2: Generate API credentials

The normal interaction with Sumo Logic Cloud Infrastructure Security is through the API. This step creates the Access Key that allows Expel to use the API.

Caution

API access keys are associated with the user account that creates them. Create the key while logged in as the Expel user, not as yourself: a key created under your own account carries your permissions and stops working if your account is later disabled or its password is rotated.

  1. Make sure you're still logged into Sumo Logic Cloud Infrastructure Security as the new user created in the previous step.

  2. Open the user menu at the top right (it shows the user's name, Expel SOC), click Preferences, and then click Add Access Key at the top right of the page.

  3. For Name type Expel API, leave Allowlisted CORS Domains blank, and click Create Key.

  4. Make note of the newly generated Access ID and Access Key, which are used for registration in Workbench in step 4. The Access Key is displayed only once; if you lose it, delete the key and create a new one rather than reusing a key you can't verify.

Step 3: Change email address

Having access to the emails from Sumo Logic enables Expel to rotate the password on the account when necessary.

  1. Under My Profile, click Change Email Address.

  2. For Your New Email, type soc+<Your_Organization_Name>@expel.io.

    Tip

    Yes, the "+" sign is part of the email address, and it's important: it is mail sub-addressing, so messages to soc+<Your_Organization_Name>@expel.io are delivered to Expel's SOC mailbox with your organization name as the tag that identifies which customer the account belongs to.

  3. Type your current password to authorize the change.

  4. Click Submit.

Step 4: Configure the technology in Workbench

  1. In a new browser tab, log into https://workbench.expel.io.

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click + Add Security Device.

  4. Search for and select Sumo Logic Cloud Infrastructure Security.

  5. Type Name and Location. For example, Sumo Logic Cloud Infrastructure Security and Expel Lab.

    • In the Connection Settings area, type the Access ID from step 2 for the Username.

    • In the Connection Settings area, type the Access Key from step 2 for the Password.

    • For Server address type https://service.us2.sumologic.com. This is the US2 deployment; if your Sumo Logic instance runs in another deployment, use the service URL you log into instead (for example https://service.sumologic.com for US1), because each deployment has its own endpoint.

  6. Select the Data tier to run queries against within the Sumo Logic Cloud Infrastructure Security instance.

    • Continuous is the preferred data tier and the default selection.

    • Frequent is supported by Expel, but isn't recommended.

    Note

    If you need to support multiple data tiers, onboard a device for each tier.

  7. You can provide console access now or set it up later. Use the instructions below to set it up later.
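Before handing the Access ID and Access Key from step 2 to Workbench, it is worth confirming that the pair is accepted by the API for the deployment and data tier you chose in step 4. The following Python script is an added example, not part of this article and not Expel's or Sumo Logic's tooling. It assumes the Sumo Logic Search Job API layout (https://api.<deployment>.sumologic.com/api/v1/search/jobs), HTTP Basic authentication with the Access ID as username and the Access Key as password (the same mapping Workbench's Username and Password fields use), the `_dataTier=` query prefix for selecting a tier, and environment variable names of its own. It submits a minimal search job and then deletes it.

```python
"""Check an Expel access key against the Sumo Logic API before registering it.

Added example; not from the Expel article and not Sumo Logic's or Expel's tooling.
Assumed (not stated on the page): the Search Job API is served at
https://api.<deployment>.sumologic.com/api/v1/search/jobs, authenticates with
HTTP Basic using Access ID as username and Access Key as password, and a
query prefixed with "_dataTier=<tier>" selects the Continuous or Frequent tier.
"""
import base64
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from http.cookiejar import CookieJar
from urllib.parse import urlparse

VALID_TIERS = ("Continuous", "Frequent")


def api_base_from_service_url(service_url: str) -> str:
    """Map the console URL entered in Workbench to the API base for that deployment.

    https://service.us2.sumologic.com -> https://api.us2.sumologic.com/api/v1
    https://service.sumologic.com     -> https://api.sumologic.com/api/v1
    """
    host = urlparse(service_url).hostname or ""
    if not (host.startswith("service.") and host.endswith("sumologic.com")):
        raise ValueError(f"not a Sumo Logic service URL: {service_url!r}")
    return f"https://api.{host[len('service.'):]}/api/v1"


def basic_auth_header(access_id: str, access_key: str) -> str:
    """Workbench's Username/Password fields become one HTTP Basic credential."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return f"Basic {token}"


def search_job_body(tier: str = "Continuous", query: str = "_sourceCategory=* | count",
                    minutes: int = 5) -> dict:
    """Build a minimal search job over the last few minutes in the chosen tier."""
    if tier not in VALID_TIERS:
        raise ValueError(f"unsupported data tier {tier!r}; expected one of {VALID_TIERS}")
    end = datetime.now(timezone.utc).replace(microsecond=0)
    start = end - timedelta(minutes=minutes)
    fmt = "%Y-%m-%dT%H:%M:%S"
    return {
        "query": f"_dataTier={tier} {query}",
        "from": start.strftime(fmt),
        "to": end.strftime(fmt),
        "timeZone": "UTC",
    }


def verify_access_key(service_url: str, access_id: str, access_key: str,
                      tier: str = "Continuous") -> str:
    """Submit and immediately delete a search job; returns the job id on success.

    HTTP 401 means the Access ID/Key pair was rejected; HTTP 403 means the key
    authenticated but the role behind it is not allowed to run searches.
    """
    base = api_base_from_service_url(service_url)
    headers = {
        "Authorization": basic_auth_header(access_id, access_key),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    # The Search Job API ties a job to a session cookie; keep it for the DELETE.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    body = json.dumps(search_job_body(tier)).encode()
    req = urllib.request.Request(f"{base}/search/jobs", data=body, headers=headers, method="POST")
    try:
        with opener.open(req, timeout=30) as resp:
            job_id = json.load(resp)["id"]
    except urllib.error.HTTPError as err:
        raise SystemExit(f"search job rejected: HTTP {err.code} {err.reason}") from err
    cleanup = urllib.request.Request(f"{base}/search/jobs/{job_id}", headers=headers, method="DELETE")
    opener.open(cleanup, timeout=30).close()
    return job_id


if __name__ == "__main__":
    # Environment variable names below are this example's own convention.
    job = verify_access_key(
        os.environ.get("SUMO_SERVICE_URL", "https://service.us2.sumologic.com"),
        os.environ["SUMO_ACCESS_ID"],
        os.environ["SUMO_ACCESS_KEY"],
        os.environ.get("SUMO_TIER", "Continuous"),
    )
    print(f"credentials accepted; created and removed search job {job}")
```

Run it as the Expel user's key, not your own, so the result reflects what Workbench will actually be able to do. A 401 at this point means the Access ID or Access Key was copied wrong (delete the key and create a new one, since the key is only shown once); a 403 means the key is valid but the role lacks what the operation needs, which is a role problem to fix in step 1 rather than a credential problem.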

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!