If you are onboarding a "via SIEM" integration utilizing Sumo Logic and are subject to Sumo Logic’s new Flex pricing, you will need to use Sumo Logic indexes in your device configuration in Workbench. This will prevent Expel from querying data outside of the indexes you wish us to monitor.
If you are using the traditional Sumo Logic pricing model, no action is needed at this time.
How can I verify my Sumo Logic pricing plan?
If you are unsure of your Sumo Logic plan type, navigate to the Account Overview page in Sumo Logic and confirm your plan type.
Enter Indexes in Workbench
Identify the indexes you wish Expel to query, and make a comma-separated list of them. For example: sumologic_default,sumologic_audit_events,sumologic_system_events
You can reference names you may want to query by navigating to the Partitions page in Sumo Logic.
When configuring the new security device in Workbench, enter the list into the Sumologic query indices field:
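As an added example (not Expel's or Sumo Logic's own code) of how that field value constrains what gets queried: the helper below cleans up the comma-separated list and builds the `_index=` clause Sumo Logic search uses to limit a query to named partitions, checking each name against the partitions you saw on the Partitions page (here a constructed sample set).

```python
# Added example, not Expel's or Sumo Logic's code: normalise the index list
# entered in Workbench and turn it into a Sumo Logic search scope that
# restricts a query to exactly those partitions.

def parse_index_list(field_value: str) -> list[str]:
    """Split the Workbench field value into clean, de-duplicated index names."""
    seen: set[str] = set()
    indexes: list[str] = []
    for raw in field_value.split(","):
        name = raw.strip()
        if not name:
            continue  # tolerate stray commas such as "a,,b" or a trailing comma
        if name in seen:
            continue  # a duplicate would not widen the scope; keep the list tidy
        seen.add(name)
        indexes.append(name)
    if not indexes:
        raise ValueError("no index names supplied; nothing would be in scope")
    return indexes


def unknown_partitions(indexes: list[str], partitions: set[str]) -> list[str]:
    """Return the names that do not appear on the Sumo Logic Partitions page."""
    return [name for name in indexes if name not in partitions]


def build_index_scope(field_value: str, partitions: set[str]) -> str:
    """Build the _index clause that limits a search to the listed partitions."""
    indexes = parse_index_list(field_value)
    unknown = unknown_partitions(indexes, partitions)
    if unknown:
        # Catch a typo before it silently drops a partition from monitoring.
        raise ValueError(f"unknown partition(s): {', '.join(unknown)}")
    return "(" + " OR ".join(f"_index={name}" for name in indexes) + ")"


if __name__ == "__main__":
    # Constructed sample: the page's example list, with whitespace and a
    # duplicate, checked against a constructed set of partition names.
    KNOWN = {"sumologic_default", "sumologic_audit_events", "sumologic_system_events"}
    value = "sumologic_default, sumologic_audit_events,sumologic_system_events,sumologic_default,"
    print(build_index_scope(value, KNOWN))
```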