Arctic Wolf Unified Portal User Guide

Updated Mar 20, 2023

Arctic Wolf Unified Portal

The Arctic Wolf® Unified Portal provides a single point of access to your Concierge Security® Team (CST) and self-service applications for Arctic Wolf solutions, such as Managed Detection and Response (MDR) and Managed Risk (MR).

Tip: If you manage Arctic Wolf services for more than one organization, you can switch profiles by selecting the desired organization from the drop-down menu above the menu bar.

Switch service applications

Each Arctic Wolf solution includes a dashboard that allows security administrators to manage some aspects of the solution and view reports on various security metrics. The Unified Portal allows security administrators to switch between these dashboards, depending on the subscription that their organization has purchased, such as Managed Risk.

Note: The options displayed depend on purchased subscriptions.

  1. In the Unified Portal, click App Launcher, located above the menu bar.

  2. Select the desired dashboard from the list.

    The dashboard opens in a new tab.

Resource Center

View Allowlist Requirements

The Allowlist Requirements page provides a summary of allowlist and third-party integration requirements (for example, DNS hostnames, IP addresses, ports, and stack links) for Arctic Wolf services. Use this information to update your allowlist configurations, so Arctic Wolf appliances can communicate out of your network to Arctic Wolf.

Change display settings

  1. In the Unified Portal, click Settings.
  2. Change one or both of the following:
    • Display Time — Select Local or UTC.
    • Appearance — Select Light Mode or Dark Mode.

My Account resources

View the Organization Profile

Update the Organization Profile

You can submit a support request ticket to your CST when you require changes to your Organization Profile.

  1. In the Unified Portal, click My Account > Organization Profile.
  2. Click Request an Update.

Export the Organization Profile

You can export the contacts from your Organization Profile if you need to share or upload the information elsewhere.

  1. In the Unified Portal, click My Account > Organization Profile.
  2. Click Export Contacts.

Dashboard

The Dashboard summarizes the security posture of an organization across all applicable Arctic Wolf service subscriptions. Dimensions of security posture include:

Other widgets on the Dashboard page provide more information about the current engagement of an organization with Arctic Wolf services.

Risk score

The risk score that appears on the Unified Portal homepage summarizes the extent to which a network environment is at risk. The risk score is a weighted average of the scores of all unmitigated vulnerabilities within a network at a particular point in time.

This score is a number between 1 and 10, with 1 representing the lowest risk level:

Risk score | Risk level
1–3 | Low
4–6 | Medium
7–8 | High
9–10 | Critical

A risk score is only available with the MR and MDR services:

Tip: See NIST compliance for more information about risk score calculations. For more information about EVA and iVA scanning, see Managed Risk Scanner FAQ.

The risk score updates automatically whenever there is a change, such as when a scan identifies a new risk or when someone mitigates a risk.

NIST compliance

Arctic Wolf calculates the risk score of an organization based on the Common Vulnerability Scoring System version 2 (CVSSv2), which provides an open framework for communicating the impacts of network vulnerabilities and an objective metric for prioritizing vulnerabilities so that the highest risk vulnerabilities are remediated first.

Arctic Wolf calculates the risk score as follows:

  1. Each unmitigated vulnerability found in the network is scored independently.

    The CVSSv2 standard includes several metrics to calculate the base score of a vulnerability, such as:

    • Access vector — The accessibility of the exploitable vulnerability, including local access, adjacent access, and network access.
    • Access complexity — The complexity of the attack required to exploit the vulnerability once the targeted system is accessible.
    • Authentication — The number of times the attacker must authenticate for a targeted system to exploit the vulnerability.
    • Confidentiality impact — The impact on data confidentiality once a vulnerability is successfully exploited. Confidentiality refers to how data is accessed and/or disclosed, including preventing access to authorized users and disclosing data to unauthorized users.
    • Integrity impact — The impact on data integrity once a vulnerability is successfully exploited. Integrity refers to the trustworthiness and accuracy of data.
    • Availability impact — The availability of data once a vulnerability is successfully exploited. Availability refers to the accessibility of the data/resource.

    See NIST CVSS Calculator for more information about CVSS base score calculations.

  2. All unmitigated vulnerabilities are categorized, for example, as a patch exploit or a configuration issue.

  3. For each risk category, this weighted-average formula is applied to the vulnerability scores within a category:

    risk score ≔ (avg(Low) × α + avg(Med) × β + avg(High) × γ) ÷ (α + β + γ)

    Where:

    • Low ≔ {δ|0 < δ <= 3.9} 
    • Med ≔ {δ|4 <= δ <= 6.9} 
    • High ≔ {δ|7 <= δ <= 10} 
    • δ ≔ {CVSSv2} 
    • α ≔ 1
    • β ≔ 10
    • γ ≔ 50
  4. The same weighted average formula is applied to all risk category scores to determine a final score for the entire network.
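
The weighted average in steps 3 and 4, worked through in Python as an added example (not Arctic Wolf's code). The handling of empty bands, the placement of category scores that fall between the published bands, and the sample findings are assumptions made here.

```python
from statistics import mean

# Weights from the formula above: alpha (Low), beta (Med), gamma (High).
WEIGHTS = {"low": 1, "med": 10, "high": 50}


def band(score):
    """Map a score in (0, 10] to the Low/Med/High sets defined above."""
    if not 0 < score <= 10:
        raise ValueError(f"score out of range: {score}")
    # Assumption: averaged category scores can land between the published
    # bands (for example 3.95); they are placed in the lower band here.
    if score < 4:
        return "low"
    if score < 7:
        return "med"
    return "high"


def weighted_score(scores):
    """Weighted average of the per-band mean scores (step 3).

    Assumption: a band with no members is left out of both the numerator
    and the denominator, because avg() of an empty set is undefined and
    the page does not say how that case is handled.
    """
    bands = {"low": [], "med": [], "high": []}
    for score in scores:
        bands[band(score)].append(score)
    present = {name: mean(vals) for name, vals in bands.items() if vals}
    if not present:
        raise ValueError("no scores supplied")
    total = sum(avg * WEIGHTS[name] for name, avg in present.items())
    return total / sum(WEIGHTS[name] for name in present)


def network_score(findings):
    """Steps 2 to 4: score each category, then combine the category scores."""
    by_category = {}
    for category, cvss in findings:
        by_category.setdefault(category, []).append(cvss)
    per_category = {c: weighted_score(v) for c, v in by_category.items()}
    return per_category, weighted_score(per_category.values())


# Constructed sample: (category, CVSSv2 base score) for unmitigated findings.
SAMPLE_FINDINGS = [
    ("patch", 9.3), ("patch", 7.5), ("patch", 5.0), ("patch", 2.1),
    ("configuration", 6.8), ("configuration", 4.3), ("configuration", 2.6),
]

if __name__ == "__main__":
    categories, overall = network_score(SAMPLE_FINDINGS)
    for name, value in categories.items():
        print(f"{name:14s} {value:.2f}")
    print(f"{'network':14s} {overall:.2f}")
    # One High finding among twenty Low ones still dominates the result.
    print(f"{'1 high/20 low':14s} {weighted_score([2.0] * 20 + [9.0]):.2f}")
```

Because γ is fifty times α, a single High finding outweighs any number of Low findings in the same category, which is why remediating the highest-scored items moves the result most.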

Tip: The National Institute of Standards and Technology (NIST) provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real time. Each CVE provides details about a known network vulnerability, including a CVSSv2 score.

Telemetry Management

Arctic Wolf security services rely on telemetry sources in a network environment. Telemetry Management dashboards allow you to:

To review the status of one or more appliances:

  1. In the Unified Portal menu bar, click Telemetry Management > Health Overview.
  2. Select the desired telemetry dashboard, such as Sensors, to view information about specific telemetry sources.
  3. (Optional) Use the filter to isolate deployments with a particular status.
  4. Hover over the status of a telemetry appliance to see information about how to resolve health issues.

Scanners

Arctic Wolf scanners provide continuous risk monitoring and vulnerability assessments of your environment. You can view information about the scanners in your environment on the Unified Portal Scanners page.

View scanner health

Scanner filters

You can use the following filters to refine the items that appear in the Scanners table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View scanners

View scanner details

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to view, and then click Expand Row.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

    The following details display for physical or virtual scanners in your network:

    • Scanner UUID — Displays the universally unique identifier (UUID).
    • IP — Displays the IP address.
    • Netmask — Displays the subnet mask.
    • Scanner exclusion list — Displays any exclusion lists that the scanner is included on.
    • Host identification — Indicates whether host identification scanning is Enabled or Disabled.
    • Vulnerability scanning — Indicates whether vulnerability scanning is Enabled or Disabled.
    • Brute force checks — Indicates whether brute force checks are Enabled or Disabled.
    • CGI scanning — Indicates whether Common Gateway Interface (CGI) scanning is Enabled or Disabled.
    • Only ping target — Indicates whether the only ping target setting is Enabled or Disabled.
    • Host identification DNS servers — Displays a list of configured Domain Name System (DNS) resolvers that the scanner uses for host identification scanning.

View scanner configuration

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to view.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

    The following scanner configuration information is provided:

    Configuration detail | Description
    Scanner Profile | Displays the ID of the scanner.
    Scanner Name | Displays the name of the scanner.
    IP | Displays the IP address of the scanner.
    Scanner UUID | Displays the universally unique identifier (UUID).
    Netmask | Displays the subnet mask of the scanner.
    Product Type | Displays the product type: Virtual or Physical.
    Connection Status | Displays the connection status of the scanner, including:
    • Connected — The scanner is online.
    • Disconnected — The scanner is offline.
    Version | Displays the version number of the scanner.
    Status | Displays the scanner status:
    • Connected — The scanner is connected to Arctic Wolf.
    • Scanning — The scanner is actively scanning.
    • Idle — The scanner is waiting for its next scheduled job.
    • Awaiting Activation — The scanner is registered, but not activated.
    • Degraded — The scanner encountered an issue while scanning.
    • Disconnected — The scanner is not visible on the network.
    Host Identification | Displays whether host identification scans are enabled or disabled.

    Note: Vulnerability Scans must also be enabled for host identification scans to work. When Host Identification is disabled, Vulnerability Scanning is also disabled. See Enable or disable host identification for more information.

    Vulnerability Scanning | Displays whether IVA scans are enabled or disabled. See Enable or disable vulnerability scanning for more information.
    CGI Scanning | Displays whether the scanner acts as a Common Gateway Interface (CGI) or not. When turned on, it searches for well-known web vulnerabilities in web servers and similar software. See Enable or disable CGI scanning for more information.
    Brute Force Scanning | Displays whether the scanner checks for brute force attempts in your network or not. See Enable or disable brute force scanning for more information.
    Ping Only Discovery | Displays whether the scanner only scans hosts that respond to pings or not. See Enable or disable ping only discovery for more information.
    Host Identification DNS Servers | Lists the host collection DNS servers that you have configured.

    Note: If this field is blank, we attempt to auto-discover the server name.

    See Add a host identification DNS server for more information.
    Scan Exclusion List | Lists IP addresses or networks that are part of the denylist. These items are not scanned. See Add an IP address to the denylist for more information.

View a scanning schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to view.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

    The Scanning Schedule section displays the scanning schedule for the scanner. The table has the following columns:

    Column | Description
    Targets | Displays the host that the scanner will scan.
    Name | Displays the scan schedule name.
    Description | Displays a description of the scan schedule.
    Next Scan | Displays the date and time that the next scan will start.
    Frequency | Displays the type of schedule for this scan:
    • Continuous — The scan runs continuously.
    • Daily — The scan runs once a day, based on the time that you configure.
    • Weekly — The scan runs once a week, based on the day and time that you configure.
    • Monthly — The scan runs once a month, based on the day and time that you configure.

    Scan Window | Displays the window that the scan can run within, in hours. Options include 1 hour to 24 hours.

    Notes:

    • If you schedule a large scan in a small window, the scan may never complete.
    • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
    Priority | Displays the priority of the scan:
    • Low — The scan runs last, after all other scans are complete.
    • Medium — The scan runs after High priority scans but before Low priority scans.
    • High — The scan completes first before all other scans.
    • Notes:
      • When scan schedules conflict, the priority of a scan determines which scan schedule should start first. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority would go first. If the priority is the same value, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in numerical order based on the IP address listed in the Targets column.
      • If there is a High priority scan that does not complete in the scanning time window, any Low or Medium priority scans will never run.
      • If you start a new High priority scan when a Low priority scan is in progress, the High priority scan will run after the current scan finishes. Any in-progress scan will complete before the new scan starts.
    Scanning | Displays whether the scan is Enabled or Disabled.
    Actions | Provides controls that allow you to modify your scan schedule:

View scans that are queued

If a scan schedule is actively running, you can view the targets that are currently being scanned and that are scheduled to be scanned.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find a scanner with a Status of Scanning that you want to view.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

    The Scanning Queue section displays all of the current and future scans for the selected scanner. The table has the following columns:

    Column | Description
    Target | Displays the host that the scanner will scan.
    Status | Displays the status of the scan:
    • Scanning — The scan is in progress.
    • Scheduled — The scan is scheduled to run at a specified date and time.
    Last Scan | Displays the date and time of the last completed scan.
    Range | Displays the range of IP addresses that the scanner will scan.

Verify scanning health

On a monthly or quarterly basis, review IVA Scanner and Arctic Wolf Agent scanning health:

Check IVA Scanner connectivity

Arctic Wolf alerts you if an IVA Scanner goes offline, but you can also manually check IVA Scanner connectivity at any time.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.
  2. Find the IVA Scanner you want to check, and then look at the value in the Status column:
    • If it is Disconnected — Make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication.

      See the Arctic Wolf Portal IP Addresses page for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

    • If it is Degraded — Restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.

Check the IVA Scanner rate

Make sure assets are scanned at an appropriate interval. In general, a scanner scans ~150-250 assets in an 8-hour period. This number changes based on the type of system and environment. For example, if several large subnets of assets are scanned weekly in an 8-hour scan window, it can take more than a month to complete a full cycle of scanning.

If you are concerned that your environment is not being scanned in a timely manner, consult with your CST to review the scheduling. To optimize scanning without increasing the scan window time, you can deploy additional physical scanners. This would allow you to scan multiple subnets in parallel. Adding resources to virtual scanners would not result in any meaningful increase in scan throughput because they would consume additional resources.

Add a host identification DNS server

To add DNS servers for hostname resolution, you can add a single IP address, IP address range, classless inter-domain routing (CIDR) range, or upload a CSV file that contains IP addresses.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Host Identification DNS Sensors section, do one of the following:

    • Enter an IP address, IP address range, or a CIDR address range in the field.
    • Click Upload, locate your CSV file that contains the IP addresses, IP ranges, or CIDR notation that you want to use for hostname resolution, and then click Open.

    Notes:

    • To specify multiple IP addresses, use a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
    • To specify a CIDR range, use a comma-separated list. You can enter individual hosts without the /32 specification or networks in the same CIDR X.X.X.X/Y.
    • When uploading a Microsoft Excel CSV file, do not use column headings. Only populate the first column. Separate entries by row.
    • Duplicate uploads are ignored. For example, if you create a CSV file with 10 entries, upload the CSV file to the Unified Portal, add 5 more entries to your CSV file, and then upload the same CSV file to the Unified Portal again, only the 5 most recent entries are added as host identification DNS servers.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Add an IP address to the denylist

A denylist is a list of IP addresses that you specifically do not want the scanner to scan. These can be devices with poorly designed or implemented embedded network stacks that behave unexpectedly when scanned. For example, printers or consumer-grade WiFi access points can print unexpected output or reboot when scanned. This can be inconvenient, so you can choose not to scan these devices.

Tip: Work with your CST to reduce the number of devices on your denylist because threat actors can use it to compromise your network.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scan Exclusion List section, do one of the following:

    • Enter an IP address, IP address range, or a CIDR address range in the field.
    • Click Upload, locate your CSV file that contains the IP addresses, IP ranges, or CIDR notation that you want to add to the denylist, and then click Open.

    Notes:

    • To specify multiple IP addresses, use a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
    • To specify a CIDR range, use a comma-separated list. You can enter individual hosts without the /32 specification or networks in the same CIDR X.X.X.X/Y.
    • When uploading a Microsoft Excel CSV file, do not use column headings. Only populate the first column. Separate entries by row.
    • Duplicate uploads are ignored. For example, if you create a CSV file with 10 entries, upload the CSV file to the Unified Portal, add 5 more entries to your CSV file, and then upload the same CSV file to the Unified Portal again, only the 5 most recent entries are added to the denylist.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.
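
A pre-upload check for the CSV format described in the notes of this procedure and of Add a host identification DNS server, as an added Python example (not part of the Arctic Wolf guide or product). The function names, the sample rows, the rejection of a range in more than one octet, and the acceptance of CIDR entries with host bits set are assumptions; the portal's own validation is not documented on this page.

```python
import csv
import io
import ipaddress
import itertools


def parse_entry(entry):
    """Turn one entry into IPv4 networks (a single host becomes a /32)."""
    entry = entry.strip()
    if "/" in entry:
        # CIDR form X.X.X.X/Y. strict=False accepts host bits (assumption).
        return [ipaddress.IPv4Network(entry, strict=False)]
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets")
    # The page documents the - separator in one octet, so reject more.
    if sum("-" in octet for octet in octets) > 1:
        raise ValueError("range separator used in more than one octet")
    spans = []
    for octet in octets:
        low, sep, high = octet.partition("-")
        if not low.isdigit() or (sep and not high.isdigit()):
            raise ValueError("octet is not a number or a low-high range")
        lo = int(low)
        hi = int(high) if sep else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet value out of range")
        spans.append(range(lo, hi + 1))
    return [ipaddress.IPv4Network(".".join(map(str, combo)))
            for combo in itertools.product(*spans)]


def check_csv(text):
    """Validate CSV text; return (merged networks, address count, problems)."""
    networks, problems, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank row
        if any(cell.strip() for cell in row[1:]):
            problems.append((line_no, "data outside the first column"))
            continue
        entry = row[0].strip()
        if entry in seen:
            continue  # exact duplicates add nothing
        seen.add(entry)
        try:
            networks.extend(parse_entry(entry))
        except ValueError as exc:
            problems.append((line_no, f"{entry!r}: {exc}"))
    # Merge overlapping and adjacent entries so each address counts once.
    merged = list(ipaddress.collapse_addresses(networks))
    return merged, sum(net.num_addresses for net in merged), problems


# Constructed sample file: a heading row, a bad octet, a repeated row and a
# second column are included on purpose.
SAMPLE_CSV = """\
10.0.0.1-3
10.0.0.2
192.168.50.0/24
192.168.50.17
Printer IPs
10.0.5.300
10.0.0.1-3
172.16.0.9,lobby printer
"""

if __name__ == "__main__":
    merged, covered, problems = check_csv(SAMPLE_CSV)
    print("networks:", ", ".join(str(net) for net in merged))
    print("addresses excluded from scanning:", covered)
    for line_no, reason in problems:
        print(f"row {line_no}: {reason}")
```

The address count gives a quick view of how much of the network a denylist removes from scanning, which is useful when reviewing the list with your CST.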

Edit a scanning schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to edit.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanning Schedule section, beside the scanning schedule you want to edit, click Edit.

  5. Modify the schedule as needed. For example, to:

    • Raise the priority of an existing scan schedule, edit the Priority.
    • Change the frequency of the scan, edit the Frequency.
  6. Click Update Scan Schedule.

Enable or disable host identification

Host identification is required for normal operation, but you can disable it if you want to temporarily disable a scanner. When you disable host identification, vulnerability scanning stops working, and dashboard reporting errors will occur after 24 hours.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable host identification:

      1. Turn on the Host Identification toggle.
      2. (Optional) Turn on the Vulnerability scanning toggle.
    • To disable host identification, turn off the Host Identification toggle.

  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Enable or disable vulnerability scanning

Vulnerability scanning is required for normal operation, but you can disable it if required. When disabled, no new Internal Vulnerability Assessment (IVA) scans will run until you enable it again, and dashboard reporting errors will occur after 24 hours.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable vulnerability scanning:

      1. Turn on the Vulnerability Scanning toggle.
      2. Turn on the Host Identification toggle.
    • To disable vulnerability scanning, turn off the Vulnerability Scanning toggle.

  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Enable or disable CGI scanning

Note: Disabling Common Gateway Interface (CGI) scanning does not mitigate risks. It prevents lockouts, but it also removes a lot of the Webmin checks that the scanner performs because Webmin applications often use the CGI language. CGI is a legacy feature for web-based Active Directory sign-in pages that consistently experienced false-positive account lockouts.

For example, if a typical Webmin page using CGI has a vulnerability, CGI scanning should discover this vulnerability. If the vulnerability involved threat actors that used known or default credentials to sign in to the system, there is a risk of account lockout. Disabling CGI scanning can limit the negative impact of account lockouts while you complete remediation steps to address the vulnerability.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable CGI scanning, turn on the CGI Scanning toggle.
    • To disable CGI scanning, turn off the CGI Scanning toggle.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Enable or disable brute force scanning

Brute force scanning checks for default, known, or common usernames and passwords for various services and devices.

If you have devices on your network that use the default or known usernames, brute force scanning can lead to Active Directory or standard account lockouts. We recommend that you update the device username from the known or default values to enhance your security posture and avoid account lockouts during scans. If that is not possible, you can disable brute force scanning checks. See Brute force scanning username checks for a non-exhaustive list of brute force scanning username checks.

Notes:

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable brute force scanning, turn on the Brute Force Scanning toggle.
    • To disable brute force scanning, turn off the Brute Force Scanning toggle.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Brute force scanning username checks

When brute force scanning is enabled, the scanner checks for the following non-exhaustive list of usernames:

Note: In addition to these username checks, the scanner uses known default usernames of different devices to validate Common Vulnerabilities and Exposures (CVE).

Enable or disable ping only discovery

You can configure whether the scanner only scans hosts that respond to pings or not. Ping only discovery is less intrusive than host identification, so it can be used when the default NMAP option is not suitable.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable ping only discovery, turn on the Ping Only Discovery toggle.
    • To disable ping only discovery, turn off the Ping Only Discovery toggle.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Remove a host identification DNS server

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Host Identification DNS Sensors section, click the entry field.

  5. In the list, click the DNS server you want to remove.

  6. In the field, click x next to the DNS servers to confirm the removal.

  7. Click Update Configuration.

    This button is not available if the sensor is offline.

Remove an IP address from the denylist

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scan Exclusion List section, click the entry field.

  5. In the list, click the IP addresses, IP ranges, or CIDR notation you want to remove.

  6. In the field, click x next to the IP addresses, IP ranges, or CIDR notation to confirm the removal.

  7. Click Update Configuration.

    This button is not available if the sensor is offline.

Delete a scanning schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to edit.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanning Schedule section, beside the scanning schedule you want to edit, click Delete.

  5. Click Delete Schedule.

Agents

You can view information about the Arctic Wolf Agents in your environment on the Unified Portal Agents page.

View Agent health

Agent filters

You can use the following filters to refine the items that appear in the Agents table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View Agents

View Agent details

  1. In the Unified Portal menu bar, click Telemetry Management > Agents.

  2. Identify the Agent you want to view, and then click Expand to view the Agent details.

    Tip: If desired, use filters to narrow your results. See Agent filters for more information.

    You can view the following details about Arctic Wolf Agents in your network:

    • Agent ID — Displays the identification number of the Agent.
    • Last Reported — Displays the date and time that the Agent last reported.
    • Username — Displays the username of the Agent.
    • Network Interfaces — Displays any network interfaces that connect to the Agent.

Cloud Sensors

You can view information about the cloud sensors in your environment on the Unified Portal Cloud Sensors page.

Cloud sensor health

Cloud sensor filters

You can use the following filters to refine the items that appear in the Cloud Sensors table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View cloud sensors

View cloud sensor details

  1. In the Unified Portal menu bar, click Telemetry Management > Cloud Sensors.

  2. Find the cloud sensor you want to view, and then click Expand Row.

    Tip: If desired, use filters to narrow your results. See Cloud sensor filters for more information.

    Vendor-dependent cloud sensor details display. Some examples include:

    • Application ID
    • Client ID
    • Domain ID
    • Subdomain
    • API Hostname
    • Integration Key
    • Admin username
    • URL

Scan Schedules

You can create and view scan schedules on the Unified Portal Scan Schedules page.

See the following for more information:

Scan schedule filters

You can use the following filters to refine the items that appear in the Scan Schedules table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View scan schedules

View scan schedule information

Note: You cannot view scans in EVA scan schedules.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Find the scan schedule that you want to view.

  3. Click Schedule Details.

    A dialog appears with the scan schedule source, name, description, scan types, schedule frequency, and targets. If the scan Schedule Frequency is:

    • Continuous — A list of scans displays, including when each scan last ran and the targets that scan covers.
    • Daily, Weekly, or Monthly — The date and time that the scans are performed displays.
    • Once — The date when the scan was last run displays.
  4. When you are finished, click Close.

Create a new scan schedule

You can create a new scan schedule for an internal scanner or for an Agent:

Create an IVA scan schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Click Create New Scan Schedule.

  3. In the Source list, select Internal Scanner.

  4. In the Info section, enter a name and description for the schedule.

  5. In the Schedule section, do the following:

    1. In the Priority list, select one of the following:
      • Low — The scan runs last, after all other scans are complete.
      • Medium — The scan runs after High priority scans but before Low priority scans.
      • High — The scan completes first before all other scans.

        Notes:

        • The priority of a scan is used when there are conflicting scan schedules, to determine which scan schedule should be applied. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority would go first. If the priority is the same value, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in alphabetical order.
        • If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.
        • If you start a new High priority scan when a Low priority scan is in progress, the High priority scan will run after the current scan finishes. Any in-progress scan will complete before the new scan starts.
    2. In the Frequency list, select one of the following:
      • Daily — The scan runs once a day.
      • Weekly — The scan runs once a week.
      • Monthly — The scan runs once a month.
    3. In the Scan Time list, select the time that you want the scan to start. The time is set using a 24-hour clock.
    4. In the On list, select the applicable days of the week to run the scan or select the day of the month to run the scan.

      Note: This option is not available if the Frequency is Daily.

    5. In the Scan Window list, select the scan window. The default value is 8.

      Notes:

      • If you schedule a large scan in a small window, the scan may never complete.
      • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
  6. In the Scanner section, select the scanner to run the scan.

  7. In the Targets section, enter IP addresses or networks of the targets you want scanned.

    Hosts that match a scheduled target are only run at the scheduled time. The scanner does not scan them as part of its regular scanning queue.

    Tip: You can add the IP addresses in a comma-separated list or as a range.

    Note: Only entries with the CIDR format X.X.X.X/Y are accepted in this field. If you only want to add a single host, enter the host as X.X.X.X/32. We recommend scanning subnet ranges /24 and smaller, excluding /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue.

  8. Click Create Scan Schedule.
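A pre-flight check for the Targets field and for overlapping schedules, as an added example that is not part of the Arctic Wolf guide or product: it applies the X.X.X.X/Y rule and the /24 recommendation from the note above, and reports which of two overlapping schedules the priority rules put first. The function names, the schedule dictionary layout, and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Priority labels from the Priority list; a lower rank runs first.
RANK = {"High": 0, "Medium": 1, "Low": 2}


def check_targets(field_text):
    """Parse a comma-separated Targets value (hypothetical helper).

    Returns (networks, errors, warnings); errors and warnings hold
    (entry, message) pairs. Only X.X.X.X/Y entries are accepted.
    """
    networks, errors, warnings = [], [], []
    for raw in field_text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        _, slash, plen = entry.partition("/")
        if not slash or not plen.isdigit():
            errors.append((entry, "not X.X.X.X/Y; a single host is X.X.X.X/32"))
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError as exc:
            errors.append((entry, str(exc)))
            continue
        if str(net) != entry:
            warnings.append((entry, f"host bits set; this covers {net}"))
        if net.prefixlen < 24:
            warnings.append((entry, "larger than /24; the scan may time out"))
        networks.append(net)
    return networks, errors, warnings


def find_conflicts(schedules):
    """List schedule pairs whose targets overlap (hypothetical helper).

    schedules maps name -> (priority, [IPv4Network, ...]). Each result is
    (name_a, name_b, first, shared): `first` is the higher-priority
    schedule, or None when the priorities are equal and the order is
    decided at run time (least recently scanned, then alphabetical).
    """
    results = []
    names = sorted(schedules)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (prio_a, nets_a), (prio_b, nets_b) = schedules[a], schedules[b]
            # CIDR blocks either nest or are disjoint, so the overlap of two
            # blocks is the more specific one.
            shared = sorted({str(x if x.prefixlen >= y.prefixlen else y)
                             for x in nets_a for y in nets_b if x.overlaps(y)})
            if not shared:
                continue
            first = None
            if RANK[prio_a] != RANK[prio_b]:
                first = a if RANK[prio_a] < RANK[prio_b] else b
            results.append((a, b, first, shared))
    return results


if __name__ == "__main__":
    # Constructed sample input; the addresses are private-range examples.
    nets, errs, warns = check_targets("10.20.30.0/24, 10.20.31.7, 10.20.32.5/24, 10.16.0.0/16")
    for entry, msg in errs + warns:
        print(f"{entry}: {msg}")
```

Entries reported as errors would not be accepted by the field as the note describes it; warnings mark entries that are valid CIDR but either cover a different range than typed or exceed the recommended size.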

Create an Agent scan schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Click Create New Scan Schedule.

  3. In the Source list, select Agent.

  4. In the Info section, enter a name and description for the schedule.

  5. In the Scan Type section, select one or both scan types:

    • Vulnerability — Perform a complete vulnerability scan on the scan targets.
    • Benchmark — Perform a scan on the scan targets against best practices benchmarks.
  6. In the Schedule section, do the following:

    1. In the Frequency list, select one of the following:

      • Daily — The scan runs once a day.
      • Weekly — The scan runs once a week.
      • Monthly — The scan runs once a month.
    2. In the Scan Time list, select the time that you want the scan to start. The time is set using a 24-hour clock.

    3. In the On list, select the applicable days of the week to run the scan or select the day of the month to run the scan.

      Note: This option is not available if the Frequency is Daily.

    4. In the Scan Window list, select the scan window. The default value is 8.

      Notes:

      • If you schedule a large scan in a small window, the scan may never complete.
      • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
  7. (Optional) If you want new Agents to be added to the schedule as they are deployed, in the Targets section, do the following:

    1. Select the Auto-Enroll newly deployed clients checkbox.

    2. In the Scanner section, select one or more scanners to run the scan.

      Hosts that match a scheduled target are only run at the scheduled time. The scanner does not scan them as part of its regular scanning queue.

  8. Click Create Scan Schedule.

Edit a scan schedule

Note: You cannot edit EVA scan schedules.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Find the scan schedule that you want to edit.

  3. Click Edit.

    You can edit all of the same information that is entered when creating a scan schedule. See Create an IVA scan schedule and Create an Agent scan schedule for more information.

    Note: When editing an Agent schedule, any assets belonging to the target group are automatically selected. Select additional assets to add them to the target group.

  4. Click Update Scan Schedule.

Force a scheduled scan to rescan

When you manually start a scan outside of the scan schedule, the scan resumes its regular schedule after the rescan.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. In the Scan Schedules table, select the checkbox next to each scan schedule you want to rescan.

  3. Click Rescan.

    Note: You cannot rescan EVA scan schedules.

  4. Click Rescan again.

Stop a scheduled scan

When you stop a scheduled scan, the scan stops even if it is currently running. The scan will not start again until the next scheduled time.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
  2. In the Scan Schedules table, select the checkbox next to each scan schedule you want to stop.
  3. Click Stop Scan Schedule.
  4. Click Stop Scan Schedule again.

Disable a scheduled scan

When you disable a scan, you prevent the schedule from running future scans. This does not stop scans that are currently running.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
  2. Do one of the following:
    • To disable one or more scan schedules:

      1. In the Scan Schedules table, select the checkbox next to each scan schedule you want to disable.
      2. Click Disable Scan Schedule.
      3. Click Disable Scan Schedule again.
    • To disable one scan schedule:

      1. In the Scan Schedules table, beside the scanning schedule you want to disable, click Edit.
      2. Clear the Enabled checkbox.
      3. Click Update Scan Schedule.

Delete a scheduled scan

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. In the Scan Schedules table, select the checkbox next to each scan schedule you want to delete.

  3. Click Delete Schedule.

    Note: You cannot delete EVA scan schedules.

  4. Click Delete Schedule again.

Data Exploration

Data Exploration is a licensed MDR add-on feature that lets you query the Arctic Wolf observation pipeline for event logs that Arctic Wolf generates about your network environment for security monitoring purposes. This feature allows you to:

See the following for more information:

View event logs

Data Explorer allows you to view and filter event logs for a single user, IP address, or event code for a specified date range. It provides a consolidated view of all machine-analyzed and parsed logs, across multiple sources, that are related to your search category.

  1. In the Unified Portal menu bar, click Data Exploration > Data Explorer.

  2. In the Category list, select one of the following:

    • User — A specific user.
    • IP Address — A specific IP address as either the source or destination of communication.
    • Event Code — A specific event code.
  3. In the Search field, enter a partial or full search term, and then select an item from the list that auto-populates.

    Note: The search function does not support wildcards, comma-separated lists, or Boolean operators like AND or OR.

  4. (Optional) Modify the date range to limit or expand your search using one of these methods:

    • Click the Calendar to choose from preset time ranges.
    • Click a Date Range field to edit the date and time.
  5. Click Search Related Data to begin your search.

    Search results appear in one or more of these sections:

    • Top Associated Alerts — A list of tickets that include your search term in either the subject or body of the ticket.
    • Influence Graph — A map of relationships between the search term, such as a user, and other network entities.
    • Event Logs — An analysis of event logs associated with the best match for your search term.
  6. Review the Event Logs section, and then:

    1. (Optional) Apply one or more filters to limit your search results.
    2. (Optional) Change the Column Set selection to view data from a different source.
    3. (Optional) For any row in the table, scroll to the right, and then click Complete Log Data to view the details of that event log.
    4. (Optional) Click Export to download the table of event log search results.

View login events

The Login Events page allows you to search for and review login events from the systems that Arctic Wolf monitors as part of the MDR service.

  1. In the Unified Portal menu bar, click Data Exploration > Login Events.

  2. (Optional) Set one or more filters to limit or expand your search results.

    • Click the Calendar to modify the date range.

    • Enter a search term in the Search field.

      Note: The search function does not support wildcards, comma-separated lists, or Boolean operators like AND or OR.

    • Add filters to narrow search results.

  3. If you changed one or more filter settings, click Apply Filters.

  4. (Optional) View login event details.

    1. For any row in the table, click on a link.

      A new Data Explorer search starts.

    2. In the Event Logs section, on an event log detail row, click Complete Log Data to view login event details.

View logins by country

The Logins by Country page allows you to filter data by country, date, and status and presents the results in a map and rows.

  1. In the Unified Portal menu bar, click Data Exploration > Logins by Country.
  2. (Optional) Set one or more filters to limit or expand your search results.
    • Click the Calendar to choose from preset time ranges.
    • Add one or more values to the Login Status field.
    • Add one or more values to the Country field.
  3. If you changed one or more filter settings, click Apply Filters.
  4. (Optional) View country login results.
    • In the map, click on a colored circle to view all login events for that geographic region.
    • For any of the rows below the map, click View Logins.

Raw Log Search is a licensed MDR add-on feature that lets you query the Arctic Wolf platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to build queries for operational and security-related tasks, such as validating a configuration change or investigating a security alert.

For more information, see:

Tip: You can also query the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View event logs for details.

Tickets

A ticket is a record of communication between you and your CST to fulfill a support request or address a security concern. The Tickets page displays current and historical tickets. By default, this page contains tickets from the last 30 days, but you can use filters to display older tickets. For more information about tickets,

See the following for more information:

Ticket filters

You can use the following filters to refine the tickets that appear in the Tickets table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View tickets

Open a new ticket

  1. In the Unified Portal menu bar, click Tickets.
  2. Click Open a New Ticket.
  3. Fill out the form:
    1. In the What is this contact request related to? section, select the appropriate option:
      • General request — Select for non-urgent requests.
      • A security emergency — Select if one or more of your systems or user accounts are breached. For immediate assistance with a security emergency, call us at +1-888-272-8429.
      • Technical support assistance — Select if you require support with: network issues, a service failure, troubleshooting issues, or IP address reconfiguration.
    2. In the Subject field, enter a short description of your request.
    3. (Optional) In the Related ticket field, enter the number of a related ticket.
    4. In the comment box, type your request and provide relevant details.
    5. (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
  4. Click Send Message.

See Reply to a ticket for more information.

View ticket details

You can view additional details and comments related to a ticket. The details differ depending on the ticket type. For example, Incident tickets have detailed incident report information, but Other tickets do not.

  1. In the Unified Portal menu bar, click Tickets.

  2. Identify the ticket that you want to respond to.

    Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.

  3. Click the subject line of the ticket or the ticket number to view ticket details.

Reply to a ticket

  1. In the Unified Portal menu bar, click Tickets.

  2. Identify the ticket that you want to respond to.

    Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.

  3. Click the subject line of the ticket or the ticket number to view ticket details.

  4. Follow the appropriate steps, depending on the ticket status:

    • If the ticket status is Open:

      1. Verify that Ticket Action is set to Reply.
      2. In the Add a Comment section, enter a comment.
      3. (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
      4. Click Add Comment.
    • If the ticket status is Closed:

      1. Click Post Follow-up Ticket.
      2. Fill out the form:
        1. In the What is this contact request related to? section, select the appropriate option:
          • General request — Select for non-urgent requests.
          • A security emergency — Select if one or more of your systems or user accounts are breached. For immediate assistance with a security emergency, call us at +1-888-272-8429.
          • Technical support assistance — Select if you require support with: network issues, a service failure, troubleshooting issues, or IP address reconfiguration.
        2. In the comment box, type your request and provide relevant details.
        3. (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
      3. Click Send Message.

Close a ticket

Note: To close tickets that you did not create or that you are not a recipient of, you must have the required permissions. If you require a higher level of access, check your Organization Profile and ask a primary contact.

  1. In the Unified Portal menu bar, click Tickets.

  2. Identify the ticket that you want to respond to.

    Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.

  3. Click the subject line of the ticket or the ticket number to view ticket details.

  4. In the Ticket Action section, select one of these options from the list:

    • Close and suppress this alert

      Note: This option only appears for alerts.

    • Close with a follow-up request

    • Close

  5. If applicable, in the comment box, type your request and provide relevant details.

  6. Click Close Ticket.

Reports

Arctic Wolf provides you with reports that assess your security posture. Depending on the type of report, they might be delivered daily, weekly, monthly, or quarterly.

See the following for more information:

Report filters

You can use the following filters to refine the items that appear in the report tables:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View past reports

View a report from Arctic Wolf

  1. In the Unified Portal menu bar, click Reports > Past Reports.

  2. Identify the report that you want to view.

    Tip: If desired, use filters to narrow your results. See Report filters for more information.

  3. Click Download or click the report name in the Title column.
    PDF reports typically open in a new browser tab, but this can vary based on your browser settings. CSV files must be manually opened from the directory in which they are saved.

View scheduled reports