Arctic Wolf Unified Portal

Updated Sep 28, 2023

The Arctic Wolf® Unified Portal provides a single point of access to your Concierge Security® Team (CST) and self-service applications for Arctic Wolf solutions, such as Managed Detection and Response (MDR) and Managed Risk (MR).

Tip: If you manage Arctic Wolf services for more than one organization, you can switch profiles by selecting the desired organization from the drop-down menu above the menu bar.

Switch service applications

Each Arctic Wolf solution includes a dashboard that allows security administrators to manage some aspects of the solution and view reports on various security metrics. The Unified Portal allows security administrators to switch between these dashboards, depending on the subscription that their organization has purchased, such as Managed Risk.

Note: The options displayed depend on purchased subscriptions.

  1. In the Unified Portal, click App Launcher, located above the menu bar.

  2. Select the desired dashboard from the list.

    The dashboard opens in a new tab.

Resource Center

View Allowlist Requirements

The Allowlist Requirements page provides a summary of allowlist and third-party integration requirements (for example, DNS hostnames, IP addresses, ports, and stack links) for Arctic Wolf services. Use this information to update your allowlist configurations, so Arctic Wolf appliances can communicate out of your network to Arctic Wolf.

Change display settings

  1. In the Unified Portal, click Settings.
  2. Change one or both of the following:
    • Display Time — Select Local or UTC.
    • Appearance — Select Light Mode or Dark Mode.

My Account resources

View your organization profile

Add a contact

  1. In the Unified Portal, click My Account > Organization Profile.

  2. Click Add a New Contact.

    Note: If you do not see the Add a New Contact option, submit a request to a primary or secondary contact in your organization to add a new contact. Alternatively, click Request an Update.

  3. Fill out the New Contact form:

    1. Select the appropriate contact type.

    2. Enter the name of the contact.

    3. Enter the email address that the contact will use to sign in to the Unified Portal.

    4. (Optional) Click + Add Email to add alternative email addresses.

    5. (Optional) Add a phone number for the contact.

    6. To associate this contact with a site, in the Site Name list, select an option.

      Tip: If the desired site is not listed, you can submit a ticket to request that a new site be added and edit the contact later.

    7. Select a timezone for the new contact.

    8. Select the time range and days of the week that comprise the business hours of the contact.

    9. Select the Arctic Wolf services that this contact should have access to.

  4. Click Add Contact.

    The system creates a ticket with a summary of the changes you made to your organization profile.

Edit a contact

  1. In the Unified Portal, click My Account > Organization Profile.

  2. Find the contact that you want to edit.

  3. Click Edit.

    Note: If you do not see the Edit option, submit a request to a primary or secondary contact in your organization to edit the contact. Alternatively, click Request an Update.

  4. Edit one or more of contact details.

  5. Click Save Changes.

    The system creates a ticket with a summary of the changes you made to your organization profile.

Delete a contact

  1. In the Unified Portal, click My Account > Organization Profile.

  2. Find the contact that you want to delete.

  3. Click Delete.

    When you click Delete, the system checks for items that are assigned to this user.

    Note: If you do not see the Delete option, submit a request to a primary or secondary contact in your organization to delete the contact. Alternatively, click Request an Update.

  4. If items are assigned to this user, in the Message field, indicate which user should be assigned to these items.

  5. Click Request to Delete Contact.

    The system creates a ticket with your request to delete the contact. This contact remains listed until your Concierge Team fulfills your request, but the system automatically edits this contact to remove access to Arctic Wolf services.

    Note: If you are not a primary contact, your Concierge Team will ask a primary contact to approve your request.

Export contact information

You can export the contacts from your organization profile if you need to share or upload the information elsewhere.

  1. In the Unified Portal, click My Account > Organization Profile.
  2. Click Export Contacts.

View log sources

If your organization subscribes to Managed Detection and Response, you can view the log sources that Arctic Wolf monitors:

  1. In the Unified Portal, click My Account > Organization Profile.
  2. In the navigation menu, click Log Sources.

Update your escalation policy

You can view and manage the rules that determine how Arctic Wolf escalates a potential security incident.

  1. In the Unified Portal, click My Account > Organization Profile.

  2. In the navigation menu, click Escalations.

  3. Review this page to see if an escalation rule exists for the security incident that you are planning for.

  4. (Optional) To filter the list of escalations, do one or both of the following:

    • In the Contacts field, enter the name of a contact.
    • In the Escalation Title field, enter a key word for an alert or event.
  5. To update your escalation policy, do one of the following:

    • To modify an existing rule, click Request an Update for the rule you want to edit.

    • To add a new rule, at the top of the page, click Request a new Escalation.

      Either action opens a new ticket.

  6. In the Message field of the ticket, describe the scenario or incident and, for each escalation level, specify who to contact and how to contact them. For example:

    • Scenario: Unusual user activity
      • Level 1: Submit a ticket to Jane Doe (username: janedoe)
      • Level 2: Phone Jane Doe at 555-0103 (work) during business hours
    • Scenario: Compromised system
      • Level 1: Email John Doe at john.doe@example.com (primary) and CC Jane Doe at jane.doe@example.com
      • Level 2: Phone John Doe at 555-0101 (work) or 555-0102 (mobile) at any time
      • Level 3: Phone Jane Doe at 555-0103 (work) or 555-0104 (mobile) at any time
  7. Click Send Message.

Export your escalation policy

The Escalations page shows the rules that determine how Arctic Wolf escalates a potential security incident. You can export the list of rules to a CSV file.

  1. In the Unified Portal, click My Account > Organization Profile.
  2. In the navigation menu, click Escalations.
  3. Click Export.

View an alert configuration rule

  1. In the Unified Portal, click My Account > Organization Profile.
  2. In the navigation menu, click Alert Configuration Rules.
  3. Click View next to an alert configuration rule to view details and a list of related entries.

Request a new alert configuration rule

  1. In the Unified Portal, click My Account > Organization Profile.
  2. In the navigation menu, click Alert Configuration Rules.
  3. Click Alert Configuration Request.
  4. Make sure the General request checkbox is selected, and use the default Subject field.
  5. (Optional) Add a related ticket.
  6. In the Message field, include a detailed description about your alert configuration rule update request. To the best of your ability, include information about the relevant application, server, host device, username, and network or system event. If applicable, specify the dates and times when this rule should be active. For example:
    • Allow cloud service sign-in from Canada.
    • Do not alert if user jane.doe@example.com assigns administrative privileges to another user in Office 365.
    • Do not alert if user john.doe@example.com signs in to a cloud service from New Zealand between August 10, 2023 and October 30, 2023.
  7. (Optional) Attach a file.
  8. Click Send Message.

Request an update to an existing alert configuration rule

  1. In the Unified Portal, click My Account > Organization Profile.
  2. In the navigation menu, click Alert Configuration Rules.
  3. Click View next to the alert configuration rule that you would like updated.
  4. Click Request Updates.
  5. Make sure the General request checkbox is selected, and use the default Subject field.
  6. (Optional) Add a related ticket.
  7. In the Message field, include a detailed description about your alert configuration rule update request. Avoid ambiguous statements and be specific. For example:
    • Remove user jane.doe@example.com.
    • Add Canada to this list.
  8. (Optional) Attach a file.
  9. Click Send Message.

Security posture summary

Review the security posture of your organization across all applicable Arctic Wolf service subscriptions on the Dashboard page.

Note: You cannot create, edit, or customize this page. Visible homepage tiles depend on the service subscriptions that your organization has.

Coverage score

Your Coverage Score refers to the percent of your network environment that Arctic Wolf monitors as part of the MDR service. Factors that affect this score include the configurations that enable accurate alerting and detection, products and services used to monitor the network and cloud environment, routine vulnerability scanning, and incident response metrics.

More information is available on the Coverage Score page, including how your coverage score compares to all other Arctic Wolf customers, as well as others in your industry and organizations similar to your size.

The Coverage Score comprises these components:

Risk score

Your Risk Score refers to the extent to which your network environment is at risk. The risk score is a weighted average of the scores of all unmitigated vulnerabilities within your network at a particular point in time.

This score is a number between 1 and 10, with 1 representing the lowest risk level:

Risk score   Risk level
1–3          Low
4–6          Medium
7–8          High
9–10         Critical

A risk score is only available with the MR and MDR services.

Tip: For more information about risk score calculations, see NIST compliance. For more information about EVA and IVA scanning, see Managed Risk Scanner FAQ.

The risk score updates automatically whenever new risks are found, existing risks are mitigated, or the CVSS score of an existing risk changes.

NIST compliance

Arctic Wolf calculates the risk score of an organization based on the Common Vulnerability Scoring System version 2 (CVSSv2), which provides an open framework for communicating the impacts of network vulnerabilities and an objective metric for prioritizing vulnerabilities so that the highest risk vulnerabilities are remediated first.

Arctic Wolf calculates risk scores like this:

  1. Each unmitigated vulnerability found in the network is scored independently.

    The CVSSv2 standard includes several metrics to calculate the base score of a vulnerability, such as:

    • Access vector — The accessibility of the exploitable vulnerability, including local access, adjacent access, and network access.
    • Access complexity — The complexity of the attack required to exploit the vulnerability once the targeted system is accessible.
    • Authentication — The number of times the attacker must authenticate for a targeted system to exploit the vulnerability.
    • Confidentiality impact — The impact on data confidentiality once a vulnerability is successfully exploited. Confidentiality refers to how data is accessed and/or disclosed, including preventing access to authorized users and disclosing data to unauthorized users.
    • Integrity impact — The impact on data integrity once a vulnerability is successfully exploited. Integrity refers to trustworthiness and the data accuracy.
    • Availability impact — The availability of data once a vulnerability is successfully exploited. Availability refers to the accessibility of the data/resource.

    For more information about CVSS base score calculations, see NIST CVSS Calculator.

  2. All unmitigated vulnerabilities are categorized, for example, as a patch exploit or a configuration issue.

  3. For each risk category, this weighted-average formula is applied to the vulnerability scores within a category:

    risk score ≔ (avg(Low) × α + avg(Med) × β + avg(High) × γ) ÷ (α + β + γ)

    Where:

    • Low ≔ {δ|0 < δ <= 3.9} 
    • Med ≔ {δ|4 <= δ <= 6.9} 
    • High ≔ {δ|7 <= δ <= 10} 
    • δ ≔ {CVSSv2} 
    • α ≔ 1
    • β ≔ 10
    • γ ≔ 50
  4. The same weighted average formula is applied to all risk category scores to determine a final score for the entire network.
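The two-level calculation above, worked through in Python as an added example (this is not Arctic Wolf's implementation): the page's Low, Med and High sets, the weights α, β and γ, and the same weighted average applied first per category and then across categories. The sample findings are constructed. Two points the page leaves open are marked as assumptions in the code: how an empty set contributes (here, an average of 0 with its weight kept in the denominator) and how a fractional score maps onto the integer bands of the risk score table (here, rounding to the nearest integer).

```python
from statistics import mean
from typing import Dict, Iterable, List

# Weights from the page's formula: α for Low, β for Med, γ for High.
ALPHA, BETA, GAMMA = 1, 10, 50


def bucket(delta: float) -> str:
    """Assign a CVSSv2 base score δ to the page's Low, Med or High set."""
    if not 0 < delta <= 10:
        raise ValueError(f"CVSSv2 base score out of range: {delta}")
    if delta <= 3.9:
        return "Low"
    if delta <= 6.9:  # CVSSv2 scores carry one decimal, so 3.9 < δ < 4 does not occur
        return "Med"
    return "High"


def weighted_average(scores: Iterable[float]) -> float:
    """risk score ≔ (avg(Low)·α + avg(Med)·β + avg(High)·γ) ÷ (α + β + γ)"""
    groups: Dict[str, List[float]] = {"Low": [], "Med": [], "High": []}
    for s in scores:
        groups[bucket(s)].append(s)
    # Assumption (the page does not say): an empty set contributes an average
    # of 0 while its weight stays in the denominator.
    avg = lambda xs: mean(xs) if xs else 0.0
    numerator = (avg(groups["Low"]) * ALPHA
                 + avg(groups["Med"]) * BETA
                 + avg(groups["High"]) * GAMMA)
    return numerator / (ALPHA + BETA + GAMMA)


def category_scores(findings: Dict[str, List[float]]) -> Dict[str, float]:
    """Step 3: one weighted average per risk category."""
    return {category: weighted_average(scores) for category, scores in findings.items()}


def network_risk_score(findings: Dict[str, List[float]]) -> float:
    """Step 4: the same formula over the category scores gives the network score."""
    return weighted_average(category_scores(findings).values())


def risk_level(score: float) -> str:
    """Map a score to the Low/Medium/High/Critical bands of the risk score table.

    Assumption: the table uses integer bands, so the score is rounded to the
    nearest integer and clamped to 1..10 before mapping."""
    n = min(10, max(1, round(score)))
    if n <= 3:
        return "Low"
    if n <= 6:
        return "Medium"
    if n <= 8:
        return "High"
    return "Critical"


# Constructed sample: unmitigated findings already categorized (step 2),
# with their CVSSv2 base scores.
FINDINGS = {
    "patch exploit": [2.0, 5.0, 6.0, 9.8],
    "configuration issue": [3.0, 4.0],
}

if __name__ == "__main__":
    for category, score in category_scores(FINDINGS).items():
        print(f"{category}: {score:.2f} ({risk_level(score)})")
    total = network_risk_score(FINDINGS)
    print(f"network: {total:.2f} ({risk_level(total)})")
```

With these weights a single High finding dominates a category: the sample "patch exploit" category scores about 8.97 even though three of its four findings are Low or Med, which is the prioritisation behaviour the page describes.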

Tip: NIST provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real time. Each CVE provides details about a known network vulnerability, including a CVSSv2 score.

Observation pipeline

Review Observation Pipeline data to understand the events that Arctic Wolf collected in the observation pipeline and processed into security-relevant data. The dashboard displays the number of these events at each stage of the pipeline.

Suspicious logins

Use the Suspicious Logins map to review login attempts that Arctic Wolf considers suspicious. Suspicious login attempts consist of:

Your organization typically has a list of countries that are approved for logins. Any login attempt that is not on the list of approved countries appears on this map. If you would like to update this list, contact your CST.

Click View All Logins to view the login attempts in greater detail on the Logins by Country page. For more information on the Logins by Country page, see View logins by country.
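The approved-country check described above, together with the kinds of "do not alert" exceptions that the Alert Configuration Rules examples on this page describe, can be modelled in a few lines. The following Python is an added illustration, not Arctic Wolf code: the log line format, field names, approved-country list and exception rules are all constructed for the example, and the real evaluation happens on Arctic Wolf's side. It shows what a rule such as "do not alert if user X signs in from country Y between two dates" has to express, including the boundary cases (a different user, or a login outside the date window) that still surface on the map.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Set

# Constructed sample login records in a hypothetical key=value log format
# (illustrative lines, not Arctic Wolf log output).
SAMPLE_LOG = """\
2023-08-15T09:12:00Z user=john.doe@example.com country=NZ src=203.0.113.7
2023-11-02T08:00:00Z user=john.doe@example.com country=NZ src=203.0.113.7
2023-08-15T10:00:00Z user=jane.doe@example.com country=NZ src=203.0.113.9
2023-08-16T11:30:00Z user=jane.doe@example.com country=CA src=198.51.100.4
2023-08-16T12:00:00Z user=jane.doe@example.com country=US src=192.0.2.10
2023-08-17T03:00:00Z user=jane.doe@example.com country=BR src=203.0.113.42
"""


@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime
    user: str
    country: str  # ISO 3166-1 alpha-2 code
    source_ip: str


@dataclass(frozen=True)
class AlertException:
    """One 'do not alert' rule of the kind requested through Alert Configuration Rules."""
    country: str
    user: Optional[str] = None    # None: applies to every user ("allow sign-in from Canada")
    start: Optional[date] = None  # inclusive; None: no lower bound
    end: Optional[date] = None    # inclusive; None: no upper bound

    def covers(self, ev: LoginEvent) -> bool:
        if ev.country != self.country:
            return False
        if self.user is not None and ev.user.lower() != self.user.lower():
            return False
        day = ev.timestamp.date()
        if self.start is not None and day < self.start:
            return False
        if self.end is not None and day > self.end:
            return False
        return True


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    # fromisoformat() accepts "+00:00" on every supported Python version ("Z" only from 3.11)
    return LoginEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      kv["user"], kv["country"], kv["src"])


def is_suspicious(ev: LoginEvent, approved: Set[str], exceptions: List[AlertException]) -> bool:
    """A login is suspicious when its country is not approved and no exception covers it."""
    if ev.country in approved:
        return False
    return not any(x.covers(ev) for x in exceptions)


def suspicious_logins(log_text: str, approved: Set[str],
                      exceptions: List[AlertException]) -> List[LoginEvent]:
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return [ev for ev in events if is_suspicious(ev, approved, exceptions)]


# Constructed organization policy: only US logins are approved outright, plus two
# exceptions worded like the alert configuration rule examples on this page.
APPROVED_COUNTRIES = {"US"}
EXCEPTIONS = [
    AlertException(country="CA"),  # "Allow cloud service sign-in from Canada."
    AlertException(country="NZ", user="john.doe@example.com",
                   start=date(2023, 8, 10), end=date(2023, 10, 30)),
]


def report() -> List[LoginEvent]:
    return suspicious_logins(SAMPLE_LOG, APPROVED_COUNTRIES, EXCEPTIONS)


if __name__ == "__main__":
    for ev in report():
        print(f"{ev.timestamp:%Y-%m-%d %H:%M} {ev.user} from {ev.country} ({ev.source_ip})")
```

Of the six constructed logins, three remain suspicious: John's New Zealand login after the exception expired, Jane's New Zealand login (the exception names a different user), and the login from a country with no rule at all. Time-bounded exceptions expire silently, which is why the page suggests stating dates explicitly in the request.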

Telemetry Management

Arctic Wolf security services rely on telemetry sources in a network environment. Telemetry Management dashboards allow you to:

To review the status of one or more appliances:

  1. In the Unified Portal menu bar, click Telemetry Management > Health Overview.
  2. Select the desired telemetry dashboard, such as Sensors, to view information about specific telemetry sources.
  3. (Optional) Use the filter to isolate deployments with a particular status.
  4. Hover over the status of a telemetry appliance to see information about how to resolve health issues.

Scanners

Arctic Wolf scanners provide continuous risk monitoring and vulnerability assessments of your environment. On the Unified Portal Scanners page, you can view information about the scanners in your environment.

For more information, see:

View scanner health

Scanner filters

You can use the following filters to refine the items that appear in the Scanners table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View scanners

View scanner details

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to view, and then click Expand Row.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

    The following details display for physical or virtual scanners in your network:

    • Scanner UUID — Displays the universally unique identifier (UUID).
    • IP — Displays the IP address.
    • Netmask — Displays the subnet mask.
    • Scanner exclusion list — Displays any exclusion lists that the scanner is included on.
    • Host identification — Indicates whether host identification scanning is Enabled or Disabled.
    • Vulnerability scanning — Indicates whether vulnerability scanning is Enabled or Disabled.
    • Brute force checks — Indicates whether brute force checks are Enabled or Disabled.
    • CGI scanning — Indicates whether Common Gateway Interface (CGI) scanning is Enabled or Disabled.
    • Only ping target — Indicates whether the only ping target setting is Enabled or Disabled.
    • Host identification DNS servers — Displays a list of configured Domain Name System (DNS) resolvers that the scanner uses for host identification scanning.

View scanner configuration

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to view.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

    The following scanner configuration information is provided:

    • Scanner Profile — Displays the ID of the scanner.
    • Scanner Name — Displays the name of the scanner.
    • IP — Displays the IP address of the scanner.
    • Scanner UUID — Displays the universally unique identifier (UUID).
    • Netmask — Displays the subnet mask of the scanner.
    • Product Type — Displays the product type: Virtual or Physical.
    • Connection Status — Displays the connection status of the scanner:
      • Connected — The scanner is online.
      • Disconnected — The scanner is offline.
    • Version — Displays the version number of the scanner.
    • Status — Displays the scanner status:
      • Connected — The scanner is connected to Arctic Wolf.
      • Scanning — The scanner is actively scanning.
      • Idle — The scanner is waiting for its next scheduled job.
      • Awaiting Activation — The scanner is registered, but not activated.
      • Degraded — The scanner encountered an issue while scanning.
      • Disconnected — The scanner is not visible on the network.
    • Host Identification — Displays whether host identification scans are enabled or disabled.

      Note: Vulnerability Scans must also be enabled for host identification scans to work. When Host Identification is disabled, Vulnerability Scanning is also disabled. For more information, see Enable or disable host identification.

    • Vulnerability Scanning — Displays whether IVA scans are enabled or disabled. For more information, see Enable or disable vulnerability scanning.
    • CGI Scanning — When turned on, Common Gateway Interface (CGI) scans search for well-known vulnerabilities in web apps and similar software. For more information, see Enable or disable CGI scanning.
    • Brute Force Scanning — Displays whether the scanner checks for brute force attempts in your network. For more information, see Enable or disable brute force scanning.
    • Ping Only Discovery — Displays whether the scanner only scans hosts that respond to pings. For more information, see Enable or disable ping only discovery.
    • Host Identification DNS Servers — Lists the host identification DNS servers that you have configured.

      Note: If this field is blank, Arctic Wolf attempts to auto-discover the server name.

      For more information, see Add a host identification DNS server.

    • Scan Exclusion List — Lists the IP addresses or networks on the denylist. These items are not scanned. For more information, see Add an IP address to the denylist.

View a scanning schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to view.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

    The Scanning Schedule section displays the scanning schedule for the scanner. The table has the following columns:

    • Targets — Displays the host that the scanner will scan.
    • Name — Displays the scan schedule name.
    • Description — Displays a description of the scan schedule.
    • Next Scan — Displays the date and time that the next scan will start.
    • Frequency — Displays the type of schedule for this scan:
      • Continuous — The scan runs continuously.
      • Daily — The scan runs once a day, based on the time that you configure.
      • Weekly — The scan runs once a week, based on the day and time that you configure.
      • Monthly — The scan runs once a month, based on the day and time that you configure.
    • Scan Window — Displays the window, in hours, within which the scan can run. Options range from 1 hour to 24 hours.

      Notes:

      • If you schedule a large scan in a small window, the scan may never complete.
      • If a scan cannot complete within its scheduled window, the next time the schedule runs the scan resumes where the previous run stopped.

    • Priority — Displays the priority of the scan:
      • Low — The scan runs last, after all other scans are complete.
      • Medium — The scan runs after High priority scans but before Low priority scans.
      • High — The scan runs first, before all other scans.

      Notes:

      • When scan schedules conflict, the priority of a scan determines which scan schedule starts first. For example, if a target is covered by both a daily and a weekly scan, the one with the higher priority goes first. If the priority is the same, the least recently scanned target is selected. If both were scanned equally recently, the scans run in numerical order of the IP addresses listed in the Targets column.
      • If a High priority scan does not complete within the scanning window, any Low or Medium priority scans will never run.
      • If you start a new High priority scan while a Low priority scan is in progress, the High priority scan runs after the current scan finishes. Any in-progress scan completes before the new scan starts.

    • Scanning — Displays whether the scan is Enabled or Disabled.
    • Actions — Provides controls that allow you to modify your scan schedule:
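The ordering and window rules from the Priority and Scan Window notes above, as an added Python example that is not Arctic Wolf's scheduler: pending scans are ordered by priority, then by least recently scanned target, then by numerical IP address; a scan that is already in progress always stays first; and a scan that does not fit in its window is started anyway (to be resumed next time) while everything behind it waits. The scan list, names and per-scan duration estimates are constructed, and the assumption that a never-scanned target counts as least recently scanned is marked in the code.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional, Tuple

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class ScheduledScan:
    name: str                          # Name column
    target: str                        # Targets column (one host IP in this example)
    priority: str                      # "High", "Medium" or "Low"
    last_scanned: Optional[datetime]   # Last Scan; None if never scanned
    estimated_hours: float             # constructed estimate of a full scan of the target


def start_order_key(scan: ScheduledScan) -> Tuple[int, datetime, int]:
    # 1. higher priority first; 2. least recently scanned first (assumption: a
    #    never-scanned target counts as least recent); 3. numerical IP order.
    return (PRIORITY_RANK[scan.priority],
            scan.last_scanned or datetime.min,
            int(ip_address(scan.target)))


def start_order(scans: List[ScheduledScan],
                in_progress: Optional[ScheduledScan] = None) -> List[ScheduledScan]:
    """Order scans by the page's rules. An in-progress scan finishes before any
    other scan starts, even if a higher priority scan was just added."""
    pending = sorted((s for s in scans if s is not in_progress), key=start_order_key)
    return ([in_progress] if in_progress is not None else []) + pending


def run_in_window(ordered: List[ScheduledScan],
                  window_hours: float) -> Tuple[List[ScheduledScan], List[ScheduledScan]]:
    """Split ordered scans into those that start within the window and those that
    never start. A scan that starts but does not finish consumes the rest of the
    window and resumes next time; scans behind it do not start at all."""
    remaining = float(window_hours)
    started, not_started = [], []
    for scan in ordered:
        if remaining <= 0:
            not_started.append(scan)
            continue
        started.append(scan)
        remaining -= scan.estimated_hours
    return started, not_started


# Constructed sample schedule for one scanner.
SCANS = [
    ScheduledScan("daily-servers", "10.0.0.20", "Medium", datetime(2023, 9, 20), 2.0),
    ScheduledScan("weekly-dc", "10.0.0.5", "High", datetime(2023, 9, 18), 3.0),
    ScheduledScan("daily-dc", "10.0.0.3", "High", datetime(2023, 9, 18), 1.0),
    ScheduledScan("printers-weekly", "10.0.0.9", "Low", None, 1.0),
]


def demo_order() -> List[str]:
    return [s.name for s in start_order(SCANS)]


if __name__ == "__main__":
    print("start order:", demo_order())
    started, never = run_in_window(start_order(SCANS), 4)
    print("4-hour window starts:", [s.name for s in started])
    print("never start:", [s.name for s in never])
```

The two High scans share a last-scan time, so the lower IP address (10.0.0.3) goes first. In a 4-hour window only those two start; the Medium and Low scans never run, which is the starvation case the second Priority note warns about.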

View scans that are queued

If a scan schedule is actively running, you can view the targets that are currently being scanned and that are scheduled to be scanned.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find a scanner with a Status of Scanning that you want to view.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

    The Scanning Queue section displays all of the current and future scans for the selected scanner. The table has the following columns:

    • Target — Displays the host that the scanner will scan.
    • Status — Displays the status of the scan:
      • Scanning — The scan is in progress.
      • Scheduled — The scan is scheduled to run at a specified date and time.
    • Last Scan — Displays the date and time of the last completed scan.
    • Range — Displays the range of IP addresses that the scanner will scan.

Verify scanning health

On a monthly or quarterly basis, review IVA Scanner and Arctic Wolf Agent scanning health:

Check IVA Scanner connectivity

Arctic Wolf alerts you if an IVA Scanner goes offline, but you can also manually check IVA Scanner connectivity at any time.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.
  2. Find the IVA Scanner you want to check, and then look at the value in the Status column:
    • If it is Disconnected — Make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication.

      See the Arctic Wolf Portal IP Addresses page for a list of IP addresses and ports that Arctic Wolf requires on an allowlist. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

    • If it is Degraded — Restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.

Check the IVA Scanner rate

Make sure assets are scanned at an appropriate interval. In general, a scanner scans approximately 150–250 assets in an 8-hour period, although this number varies with the type of system and environment. For example, if several large subnets are scanned weekly in an 8-hour scan window, a full scanning cycle can take more than a month to complete.

If you are concerned that your environment is not being scanned in a timely manner, consult your CST to review the scheduling. To increase scan throughput without lengthening the scan window, you can deploy additional physical scanners, which allows you to scan multiple subnets in parallel. Adding resources to virtual scanners does not meaningfully increase scan throughput, because the scanner consumes the additional resources without scanning faster.

Add a host identification DNS server

To add DNS servers for hostname resolution, you can enter a single IP address, an IP address range, or a classless inter-domain routing (CIDR) range, or upload a CSV file that contains IP addresses.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Host Identification DNS Servers section, do one of the following:

    • Enter an IP address, IP address range, or a CIDR address range in the field.
    • Click Upload, locate your CSV file that contains the IP addresses, IP ranges, or CIDR notation that you want to use for hostname resolution, and then click Open.

    Notes:

    • To specify multiple IP addresses, use a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
    • To specify CIDR ranges, use a comma-separated list. You can enter individual hosts without the /32 suffix, or networks in CIDR notation X.X.X.X/Y.
    • When uploading a Microsoft Excel CSV file, do not use column headings. Only populate the first column. Separate entries by row.
    • Duplicate uploads are ignored. For example, if you create a CSV file with 10 entries, upload the CSV file to the Unified Portal, add 5 more entries to your CSV file, and then upload the same CSV file to the Unified Portal again, only the 5 most recent entries are added as host identification DNS servers.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Add an IP address to the denylist

A denylist is a list of IP addresses that you specifically do not want the scanner to scan. These are typically devices with poorly designed or implemented embedded network stacks that can behave unexpectedly when scanned. For example, printers or consumer-grade WiFi access points can print unexpected output or reboot when scanned. Because this can be inconvenient, you can choose not to scan these devices.

Tip: Work with your CST to keep the number of devices on your denylist as small as possible, because devices that are never scanned can be used by threat actors to compromise your network.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scan Exclusion List section, do one of the following:

    • Enter an IP address, IP address range, or a CIDR address range in the field.
    • Click Upload, locate your CSV file that contains the IP addresses, IP ranges, or CIDR notation that you want to exclude from scanning, and then click Open.

    Notes:

    • To specify multiple IP addresses, use a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
    • To specify CIDR ranges, use a comma-separated list. You can enter individual hosts without the /32 suffix, or networks in CIDR notation X.X.X.X/Y.
    • When uploading a Microsoft Excel CSV file, do not use column headings. Only populate the first column. Separate entries by row.
    • Duplicate uploads are ignored. For example, if you create a CSV file with 10 entries, upload the CSV file to the Unified Portal, add 5 more entries to your CSV file, and then upload the same CSV file to the Unified Portal again, only the 5 most recent entries are added to the denylist.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.
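The entry format shared by the host identification DNS server list and the scan exclusion list above (a single address, a range in one octet such as 10.0.0.1-3, a CIDR network, comma-separated lists, header-less single-column CSV uploads, and duplicate uploads being ignored), as an added Python parser. It is not Arctic Wolf code and does not reproduce the portal's exact validation; the CSV contents are constructed. One deliberate choice is worth noting: a CIDR entry with host bits set (10.0.0.1/24) is rejected rather than silently normalised, so a typo in an exclusion list cannot quietly exclude an entire network from scanning.

```python
import csv
import io
import ipaddress
import re
from typing import Set, Tuple

Network = ipaddress.IPv4Network
_OCTET_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def expand_entry(entry: str) -> Set[Network]:
    """Expand one entry in the page's input format into IPv4 networks
    (single hosts become /32). Accepted forms: a single address (10.0.0.1),
    a range in exactly one octet (10.0.0.1-3) or a CIDR network (10.0.0.0/24).
    Anything else raises ValueError."""
    entry = entry.strip()
    if "/" in entry:
        # strict=True rejects host bits set in the address part (10.0.0.1/24),
        # so a typo cannot silently widen an entry to a whole network.
        return {ipaddress.IPv4Network(entry, strict=True)}
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address, range or CIDR network: {entry!r}")
    ranged = [i for i, o in enumerate(octets) if "-" in o]
    if not ranged:
        # Validates every octet; raises ValueError (AddressValueError) if malformed.
        return {ipaddress.IPv4Network(entry)}
    if len(ranged) > 1:
        raise ValueError(f"only one octet may contain a range: {entry!r}")
    i = ranged[0]
    m = _OCTET_RANGE.match(octets[i])
    if m is None:
        raise ValueError(f"malformed octet range: {entry!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range must satisfy 0 <= low <= high <= 255: {entry!r}")
    expanded = set()
    for value in range(lo, hi + 1):
        octets[i] = str(value)
        expanded.add(ipaddress.IPv4Network(".".join(octets)))
    return expanded


def parse_field(text: str) -> Set[Network]:
    """Parse the comma-separated form typed into the field."""
    result: Set[Network] = set()
    for part in text.split(","):
        if part.strip():
            result |= expand_entry(part)
    return result


def parse_csv(text: str) -> Set[Network]:
    """Parse an uploaded CSV: no column headings, first column only, one entry per row."""
    result: Set[Network] = set()
    for row_number, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue  # blank rows are skipped
        try:
            result |= expand_entry(row[0])
        except ValueError as exc:
            raise ValueError(f"row {row_number}: {exc} (is there a column heading?)") from exc
    return result


def apply_upload(existing: Set[Network], uploaded: Set[Network]) -> Tuple[Set[Network], Set[Network]]:
    """Merge an upload into the current list; entries already present are ignored.
    Returns (updated list, entries actually added)."""
    added = uploaded - existing
    return existing | added, added


# Constructed sample: a first CSV upload, then the same file re-uploaded with one more row.
CSV_FIRST = "10.0.0.1-3\n192.0.2.0/24\n"
CSV_SECOND = CSV_FIRST + "198.51.100.7\n"

if __name__ == "__main__":
    current, added = apply_upload(set(), parse_csv(CSV_FIRST))
    print(f"first upload added {len(added)} entries")
    current, added = apply_upload(current, parse_csv(CSV_SECOND))
    print(f"second upload added {sorted(map(str, added))}")
```

Re-uploading the extended file adds only the one new row, matching the page's note that duplicate uploads are ignored. Rejected inputs (an octet above 255, a descending range, two ranged octets, or a CIDR with host bits set) raise ValueError with the offending row number when they come from a CSV.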

Edit a scanning schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to edit.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanning Schedule section, beside the scanning schedule you want to edit, click Edit.

  5. Modify the schedule as needed. For example, to:

    • Raise the priority of an existing scan schedule, edit the Priority.
    • Change the frequency of the scan, edit the Frequency.
  6. Click Update Scan Schedule.

Enable or disable host identification

Host identification is required for normal operation, but you can disable it if you want to temporarily disable a scanner. When you disable host identification, vulnerability scanning stops working, and dashboard reporting errors occur after 24 hours.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable host identification:

      1. Turn on the Host Identification toggle.
      2. (Optional) Turn on the Vulnerability scanning toggle.
    • To disable host identification, turn off the Host Identification toggle.

  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Enable or disable vulnerability scanning

Vulnerability scanning is required for normal operation, but you can disable it if required. When disabled, no new Internal Vulnerability Assessment (IVA) scans will run until you enable it again, and dashboard reporting errors will occur after 24 hours.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable vulnerability scanning:

      1. Turn on the Vulnerability Scanning toggle.
      2. Turn on the Host Identification toggle.
    • To disable vulnerability scanning, turn off the Vulnerability Scanning toggle.

  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Enable or disable CGI scanning

Note: Disabling Common Gateway Interface (CGI) scanning does not mitigate risks. It prevents lockouts, but it also removes many of the Webmin checks that the scanner performs, because Webmin applications often use CGI. CGI is a legacy feature for web-based Active Directory sign-in pages that consistently experienced false-positive account lockouts.

For example, if a typical Webmin page using CGI has a vulnerability, CGI scanning should discover this vulnerability. If the vulnerability involved threat actors that used known or default credentials to sign in to the system, there is a risk of account lockout. Disabling CGI scanning can limit the negative impact of account lockouts while you complete remediation steps to address the vulnerability.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable CGI scanning, turn on the CGI Scanning toggle.
    • To disable CGI scanning, turn off the CGI Scanning toggle.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Enable or disable brute force scanning

Brute force scanning checks for default, known, or common usernames and passwords for various services and devices.

If you have devices on your network that use default or known usernames, brute force scanning can lead to Active Directory or standard account lockouts. We recommend that you change the device username from the known or default value to improve your security posture and avoid account lockouts during scans. If that is not possible, you can disable brute force scanning checks. See Brute force scanning username checks for a non-exhaustive list of the usernames that brute force scanning checks.

Notes:

  • Arctic Wolf recommends only using these settings for troubleshooting or emergency situations.
  • Brute force scanning is separate from OpenVAS scanning. OpenVAS is the underlying technology used for IVA scanning, and it performs its regular vulnerability checks, including default username and password checks, regardless of whether brute force scanning is enabled, so turning off brute force scanning does not stop every credential check.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable brute force scanning, turn on the Brute Force Scanning toggle.
    • To disable brute force scanning, turn off the Brute Force Scanning toggle.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Brute force scanning username checks

When brute force scanning is enabled, the scanner checks for the following non-exhaustive list of usernames:

Note: In addition to these username checks, the scanner uses known default usernames of different devices to validate Common Vulnerabilities and Exposures (CVE).

Enable or disable ping only discovery

You can configure whether the scanner scans only hosts that respond to pings. Ping only discovery is less intrusive than host identification, so you can use it when the default Nmap option is not suitable.

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanner Configuration section, do one of the following:

    • To enable ping only discovery, turn on the Ping Only Discovery toggle.
    • To disable ping only discovery, turn off the Ping Only Discovery toggle.
  5. Click Update Configuration.

    This button is not available if the sensor is offline.

Remove a host identification DNS server

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Host Identification DNS Sensors section, click the entry field.

  5. In the list, click the DNS server you want to remove.

  6. In the field, click x next to the DNS server to confirm the removal.

  7. Click Update Configuration.

    This button is not available if the sensor is offline.

Remove an IP address from the denylist

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to configure.

    Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scan Exclusion List section, click the entry field.

  5. In the list, click the IP addresses, IP ranges, or CIDR notation you want to remove.

  6. In the field, click x next to the IP addresses, IP ranges, or CIDR notation to confirm the removal.

  7. Click Update Configuration.

    This button is not available if the sensor is offline.

Delete a scanning schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scanners.

  2. Find the scanner you want to edit.

    Tip: If desired, use filters to narrow your results. See Scanner filters for more information.

  3. Click Configure.

  4. In the Scanning Schedule section, beside the scanning schedule you want to edit, click Delete.

  5. Click Delete Schedule.

Connected Accounts

On the Unified Portal Connected Accounts page, you can view information about the cloud accounts that are connected to Arctic Wolf services.

For more information, see:

Add a connected account

The following onboarding tasks require the registration of one or more cloud service accounts:

When you register a cloud service account in the Unified Portal, it becomes a connected account.

Connected account health

Note: Connected accounts for cloud services that provide host containment sensors do not report a health status and display a status of Not Available. To confirm that credentials are valid and containment is operational, contact your CST to test containment after you provide credentials for the cloud account.

To view information about contained devices, see the console for the relevant third-party application.

Connected account filters

You can use the following filters to refine the items that appear in the Connected Accounts table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View connected accounts

View connected account details

  1. In the Unified Portal menu bar, click Telemetry Management > Connected Accounts.

  2. Find the connected account you want to view, and then click Expand Row.

    Tip: If desired, use filters to narrow your results. For more information, see Connected account filters.

    The row displays vendor-dependent cloud account details. Some examples include:

    • Application ID
    • Client ID
    • Domain ID
    • Subdomain
    • API Hostname
    • Integration Key
    • Admin username
    • URL

Update a connected account

If the credentials for your cloud service account change, you must provide the updated credentials to Arctic Wolf to prevent disruption of an Arctic Wolf service.

  1. In the Unified Portal menu bar, click Telemetry Management > Connected Accounts.

  2. (Optional) To filter the list of connected accounts, do one or both of the following steps:

    • From the Status list, select a health status.

      Tip: To review the definition of each health status, click Connected Account Health.

    • From the Vendor list, select a cloud service vendor.

  3. For the account that you want to update, click View Account.

  4. On the account page, click Edit Information.

  5. Edit field values as desired.

  6. Click Test and Submit Credentials.

Scan Schedules

On the Unified Portal Scan Schedules page, you can create and view scan schedules.

For more information, see:

Scan schedule filters

You can use the following filters to refine the scan schedules that appear in the Scan Schedules table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View scan schedules

View scan schedule information

Note: You cannot view scans in EVA scan schedules.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Find the scan schedule that you want to view.

  3. Click Schedule Details.

    A dialog appears with the scan schedule source, name, description, scan types, schedule frequency, and targets. If the scan Schedule Frequency is:

    • Continuous — A list of scans displays, including when each scan last ran and the targets that scan covers.
    • Daily, Weekly, or Monthly — The date and time that the scans are performed displays.
    • Once — The date when the scan was last run displays.
  4. When you are finished, click Close.

Create a new scan schedule

You can create a new scan schedule for the internal scanner or for the Agent:

Create an IVA scan schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Click Create New Scan Schedule.

  3. In the Source list, select Internal Scanner.

  4. In the Info section, enter a name and description for the schedule.

  5. In the Schedule section, do the following:

    1. In the Priority list, select one of the following:
      • Low — The scan runs last, after all other scans are complete.
      • Medium — The scan runs after High priority scans but before Low priority scans.
      • High — The scan completes first before all other scans.

        Notes:

        • The priority of a scan is used when there are conflicting scan schedules, to determine which scan schedule should be applied. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority would go first. If the priority is the same value, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in alphabetical order.
        • If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.
        • If you start a new High priority scan when a Low priority scan is in progress, the High priority scan will run after the current scan finishes. Any in-progress scan will complete before the new scan starts.
    2. In the Frequency list, select one of the following:
      • Daily — The scan runs once a day.
      • Weekly — The scan runs once a week.
      • Monthly — The scan runs once a month.
    3. In the Scan Time list, select the time that you want the scan to start. The time is set using a 24-hour clock.
    4. In the On list, select the applicable days of the week to run the scan or select the day of the month to run the scan.

      Note: This option is not available if the Frequency is Daily.

    5. In the Scan Window list, select the scan window. The default value is 8.

      Notes:

      • If you schedule a large scan in a small window, the scan may never complete.
      • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
  6. In the Scanner section, select the scanner to run the scan.

  7. In the Targets section, enter IP addresses or networks of the targets you want scanned.

    Hosts that match a scheduled target are only run at the scheduled time. The scanner does not scan them as part of its regular scanning queue.

    Tip: You can add the IP addresses in a comma-separated list or as a range.

    Note: Only entries in the CIDR format X.X.X.X/Y are accepted in this field. To add a single host, enter it as X.X.X.X/32. We recommend scanning subnet ranges of /24 or smaller (that is, /24 through /32). Avoid large ranges such as /8, /16, or /20, because scans of those ranges are likely to time out.

  8. Click Create Scan Schedule.
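The target rules above (CIDR-only targets, /32 for a single host, /24 or smaller recommended) and the Scan Exclusion List entries described earlier (single IP addresses, IP ranges, or CIDR blocks) can be checked before you paste them into the portal. The following Python script is an added example, not Arctic Wolf code; the sample targets and exclusions are constructed, and its strict rejection of entries with host bits set (such as 10.0.3.9/24) is this example's own choice. The portal's validation may behave differently.

```python
"""Pre-check IVA scan-schedule targets against the rules on this page.

Added example, not Arctic Wolf code. Rules applied:
  * a target must be written as CIDR X.X.X.X/Y; a single host is X.X.X.X/32
  * prefixes shorter than /24 are accepted but flagged as likely to time out
  * exclusion entries may be a single IP, a range first-last, or CIDR
The sample TARGETS and EXCLUSIONS below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional

RECOMMENDED_MIN_PREFIX = 24  # /24 and smaller ranges are recommended


def parse_target(entry: str) -> ipaddress.IPv4Network:
    """Accept only IPv4 CIDR; raise ValueError with the reason otherwise.

    strict=True rejects entries with host bits set (e.g. 10.0.3.9/24), which
    this example treats as a typo; the portal's own validation may differ.
    """
    entry = entry.strip()
    if "/" not in entry:
        raise ValueError(f"{entry}: missing prefix; write a single host as {entry}/32")
    net = ipaddress.ip_network(entry, strict=True)
    if net.version != 4:
        raise ValueError(f"{entry}: only IPv4 CIDR targets are accepted")
    return net


def parse_exclusion(entry: str) -> List[ipaddress.IPv4Network]:
    """Exclusion list entries: single IP, first-last range, or CIDR block."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]  # a bare IP becomes /32


def _overlap(a, b) -> Optional[ipaddress.IPv4Network]:
    """Intersection of two networks, or None if they are disjoint."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def check_targets(targets: List[str], exclusions: List[str]) -> Dict[str, object]:
    """Classify each target and count the hosts the exclusion list removes."""
    # collapse_addresses merges overlapping exclusions, so the per-target
    # sum below counts every excluded host exactly once.
    excluded = list(ipaddress.collapse_addresses(
        net for e in exclusions for net in parse_exclusion(e)))
    report = {"accepted": [], "too_large": [], "rejected": {}, "excluded_hosts": {}}
    for entry in targets:
        try:
            net = parse_target(entry)
        except ValueError as exc:
            report["rejected"][entry] = str(exc)
            continue
        bucket = "too_large" if net.prefixlen < RECOMMENDED_MIN_PREFIX else "accepted"
        report[bucket].append(str(net))
        report["excluded_hosts"][str(net)] = sum(
            o.num_addresses for x in excluded if (o := _overlap(net, x)) is not None)
    return report


# Constructed sample input (not from any real environment).
TARGETS = ["10.0.1.0/24", "10.0.2.7", "10.0.3.9/24", "10.0.0.0/16", "192.168.5.1/32"]
EXCLUSIONS = ["10.0.1.10-10.0.1.20", "10.0.1.200", "192.168.5.0/24"]

if __name__ == "__main__":
    for key, value in check_targets(TARGETS, EXCLUSIONS).items():
        print(f"{key}: {value}")
```

Run it before creating the schedule: entries under `rejected` will not be accepted by the field, entries under `too_large` are the ranges the note warns about, and `excluded_hosts` shows how many addresses in each target the exclusion list removes, which is useful when a schedule appears to skip hosts you expected it to scan.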

Create an Agent scan schedule

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Click Create New Scan Schedule.

  3. In the Source list, select Agent.

  4. In the Info section, enter a name and description for the schedule.

  5. In the Scan Type section, select one or both scan types:

    • Vulnerability — Perform a complete vulnerability scan on the scan targets.
    • Benchmark — Perform a scan on the scan targets against best practices benchmarks.
  6. In the Schedule section, do the following:

    1. In the Frequency list, select one of the following:

      • Daily — The scan runs once a day.
      • Weekly — The scan runs once a week.
      • Monthly — The scan runs once a month.
    2. In the Scan Time list, select the time that you want the scan to start. The time is set using a 24-hour clock.

    3. In the On list, select the applicable days of the week to run the scan or select the day of the month to run the scan.

      Note: This option is not available if the Frequency is Daily.

    4. In the Scan Window list, select the scan window. The default value is 8.

      Notes:

      • If you schedule a large scan in a small window, the scan may never complete.
      • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
  7. (Optional) If you want new Agents to be added to the schedule as they are deployed, in the Targets section, do the following:

    1. Select the Auto-Enroll newly deployed clients checkbox.

    2. In the Scanner section, select one or more scanners to run the scan.

      Hosts that match a scheduled target are only run at the scheduled time. The scanner does not scan them as part of its regular scanning queue.

  8. Click Create Scan Schedule.

Edit a scan schedule

Note: You cannot edit EVA scan schedules.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. Find the scan schedule that you want to edit.

  3. Click Edit.

    You can edit all of the same information that is entered when creating a scan schedule. For more information, see Create an IVA scan schedule and Create an Agent scan schedule.

    Note: When editing an Agent schedule, any assets belonging to the target group are automatically selected. Select additional assets to add them to the target group.

  4. Click Update Scan Schedule.

Force a scheduled scan to rescan

When you manually start a scan outside of the scan schedule, the scan resumes its regular schedule after the rescan.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. In the Scan Schedules table, select the checkbox next to each scan schedule you want to rescan.

  3. Click Rescan.

    Note: You cannot rescan EVA scan schedules.

  4. Click Rescan again.

Stop a scheduled scan

When you stop a scheduled scan, the scan stops even if it is currently running. The scan will not start again until the next scheduled time.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
  2. In the Scan Schedules table, select the checkbox next to each scan schedule you want to stop.
  3. Click Stop Scan Schedule.
  4. Click Stop Scan Schedule again.

Disable a scheduled scan

When you disable a scan, you prevent the schedule from running future scans. This does not stop scans that are currently running.

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
  2. Do one of the following:
    • To disable one or more scan schedules:

      1. In the Scan Schedules table, select the checkbox next to each scan schedule you want to disable.
      2. Click Disable Scan Schedule.
      3. Click Disable Scan Schedule again.
    • To disable one scan schedule:

      1. In the Scan Schedules table, beside the scanning schedule you want to disable, click Edit.
      2. Clear the Enabled checkbox.
      3. Click Update Scan Schedule.

Delete a scheduled scan

  1. In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.

  2. In the Scan Schedules table, select the checkbox next to each scan schedule you want to delete.

  3. Click Delete Schedule.

    Note: You cannot delete EVA scan schedules.

  4. Click Delete Schedule again.

Data Exploration

Data Explorer is a licensed MDR add-on feature that lets you search the Arctic Wolf observation pipeline for analyzed event logs. To provide 24x7 security monitoring, the Arctic Wolf observation pipeline ingests logs from all systems that are configured to send log data to Arctic Wolf. You can use Data Explorer to:

Your Data Explorer search results only include enriched and analyzed observations from your security-relevant log sources. Log data that is not considered security-relevant is filtered out of the Arctic Wolf observation pipeline. Logs that are filtered out of Data Explorer can include DHCP logs, wireless access point connection information, or firewall logs that are not parsed and enriched.

For more information about searching analyzed event logs, see:

Tip: To search unparsed, raw log data, see Raw Log Search.

Data Explorer allows you to search analyzed event logs from the Arctic Wolf observation pipeline. You can enter more than one search term, and you can narrow your search to specific database fields. After running a search, Data Explorer provides a consolidated view of all machine analyzed and parsed logs, across multiple log sources, that match your search expression.

  1. In the Unified Portal menu bar, click Data Exploration > Data Explorer.

  2. (Optional) Modify the date range to limit or expand your search. To modify the date range, repeat these steps for the start and end dates:

    1. Click calendar.
    2. In the calendar section, select a date.
    3. Click clock.
    4. In the time section, set the time.
    5. Click Apply.

    Tip: The default range is the past 24 hours. You can search up to 10 days of event log data at a time.

  3. (Optional) In the Add Search Fields section, add a search field:

    1. Click the Search Fields (10 maximum) field.
    2. (Optional) To narrow the list of search fields, enter a partial or complete search term.
    3. Select a search field from the list. There are two types of search fields:
      • Field set — A field set allows you to search a group of related database fields. Field sets are written in title case, for example, Event Code, and are listed before individual database fields.
      • Field — You can limit your search to a specific database field. Fields are written in lower case and include periods and underscores, for example, remote.registered_domain.

    Tips:

    • Repeat these steps to add more search fields.
    • You can have up to 10 search fields.
    • To remove a search field, click Remove Filter beside the search field that you want to remove.
    • For a list of the available fields and field sets, see Data Explorer fields.
  4. Enter a search term:

    1. In any search field, enter a partial or complete search term.

    2. Select an item from the automatically generated list.

    Tips:

    • Repeat these steps to add more search terms.
    • Data Explorer uses this Boolean logic:
      • For multiple values in the same search field, Data Explorer adds the OR operator between each value.
      • For multiple search fields, Data Explorer adds the AND operator between each search field.
    • Data Explorer search fields do not support wildcards. Instead, search for one or more values in a field set to find all event log data that contains your search term.
  5. Click Apply Filters.

    Search results appear in the Event Logs table.

  6. (Optional) For your convenience, complete any of these tasks:

Change columns in the Event Logs table

  1. Run an analyzed event log search.

  2. Click Columns.

  3. Select the checkboxes for the fields that you want to make visible in the Event Logs table.

  4. Click Apply.

    The fields that you selected are added to the Event Logs table.

Create a custom column set

  1. Run an analyzed event log search.
  2. Change columns in the Event Logs table.
  3. Click Save Columns.
  4. Review the column set.
  5. Click Save.

Apply a custom column set

If you previously created a custom column set, you can change the columns in Event Logs table to the custom column set.

  1. Run an analyzed event log search.
  2. Click Load Columns.
  3. Select a custom column set.
  4. Click Load.

Export Data Explorer search results

  1. Run an analyzed event log search.

  2. Click Export to download your search results.

    Note: You can export up to 100,000 analyzed log entries. To export a larger dataset, contact your CST.

View complete data for an event log

  1. Run an analyzed event log search.

  2. For any row in the Event Logs table, in the View Event Log column, click View More.

  3. (Optional) To copy event log data:

    1. In the Format section, make sure that Table is selected.

    2. In the table, select the checkboxes for the field values that you want to copy.

      Event log data is copied in JSON format by default.

    3. (Optional) To copy event log data in raw format, in the Format section, select Raw.

    4. Click Copy event to clipboard.

  4. (Optional) To make columns visible in the Event Logs table:

    1. In the Format section, make sure that Table is selected.

    2. In the table, select the checkboxes for the fields that you want to make visible in the Event Logs table.

    3. Click Apply Columns.

      The fields that you selected are added to the Event Logs table.

Data Explorer fields

In Data Explorer, you can narrow your search to specific database fields. In the Add Search Fields section, you can add one or more database fields or field sets:

Field sets

Tip: For a description of each field, see Fields.

Field set Fields included
Domain
  • client.address
  • client.domain
  • host.domain
  • host.name
  • related.hosts
  • remote.address
  • remote.domain
  • remote.registered_domain
  • server.address
  • server.domain
  • url.domain
Event Code
  • ad.event.code
  • event.code
Hash
  • dll.hash.md5
  • dll.hash.sha1
  • dll.hash.sha256
  • file.hash.md5
  • file.hash.sha1
  • file.hash.sha256
  • process.hash.md5
  • process.hash.sha1
  • process.hash.sha256
  • process.parent.hash.md5
  • process.parent.hash.sha1
  • process.parent.hash.sha256
  • tls.client.hash.md5
  • tls.client.hash.sha1
  • tls.client.hash.sha256
  • tls.server.hash.md5
  • tls.server.hash.sha1
  • tls.server.hash.sha256
  • url.hash.md5
  • url.hash.sha1
  • url.hash.sha256
File Name
  • file.name
  • file.path
IP Address
  • client.address
  • client.domain
  • client.ip
  • client.nat.ip
  • host.domain
  • host.external_ip
  • host.ip
  • host.hostname
  • host.name
  • observer.ip
  • remote.ip
  • server.address
  • server.domain
  • server.ip
  • server.nat.ip
Log Source
  • event.module
  • event.provider
Process Name
  • process.command_line
  • process.executable
User
  • ad.event.origin.username
  • client.user.full_name
  • client.user.id
  • client.user.name
  • client.user.username
  • host.user.full_name
  • host.user.id
  • host.user.name
  • host.user.username
  • server.user.full_name
  • server.user.id
  • server.user.name
  • server.user.username
  • user.full_name
  • user.id
  • user.name
  • user.username
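To make the matching rules concrete, the following Python model applies the Boolean logic described under Enter a search term (OR across values in one search field, AND across search fields, exact matching with no wildcards, at most 10 search fields), with field sets expanding to the fields listed in the table above. It is an added example, not Arctic Wolf code and not Data Explorer's actual implementation; the field set definitions are copied from the table (Domain and Hash omitted), and the events are constructed, flattened to dotted keys.

```python
"""Model of Data Explorer search matching, as described on this page.

Added example, not Arctic Wolf code and not Data Explorer's implementation.
Rules modelled:
  * a field set (title case) expands to the database fields listed in the
    Field sets table; a field (lower case, dotted) is searched on its own
  * several values in one search field are ORed
  * several search fields are ANDed
  * matching is exact; wildcards and partial terms do not match
  * at most 10 search fields per search
Events are constructed, flattened to dotted keys for simplicity.
"""
from typing import Any, Dict, List, Set

MAX_SEARCH_FIELDS = 10

# Copied from the Field sets table (Domain and Hash omitted for brevity).
FIELD_SETS: Dict[str, List[str]] = {
    "Event Code": ["ad.event.code", "event.code"],
    "File Name": ["file.name", "file.path"],
    "IP Address": ["client.address", "client.domain", "client.ip", "client.nat.ip",
                   "host.domain", "host.external_ip", "host.ip", "host.hostname",
                   "host.name", "observer.ip", "remote.ip", "server.address",
                   "server.domain", "server.ip", "server.nat.ip"],
    "Log Source": ["event.module", "event.provider"],
    "Process Name": ["process.command_line", "process.executable"],
    "User": ["ad.event.origin.username", "client.user.full_name", "client.user.id",
             "client.user.name", "client.user.username", "host.user.full_name",
             "host.user.id", "host.user.name", "host.user.username",
             "server.user.full_name", "server.user.id", "server.user.name",
             "server.user.username", "user.full_name", "user.id", "user.name",
             "user.username"],
}


def expand(search_field: str) -> List[str]:
    """A field set name expands to its fields; a plain field maps to itself."""
    return FIELD_SETS.get(search_field, [search_field])


def _field_values(event: Dict[str, Any], field: str) -> Set[str]:
    """Values of one field as strings; array fields (e.g. related.hosts) expand."""
    value = event.get(field)
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return {str(value)}


def matches(event: Dict[str, Any], query: Dict[str, List[str]]) -> bool:
    """AND across search fields; OR across values and across a set's fields."""
    for search_field, values in query.items():
        wanted = {str(v) for v in values}
        hit = any(_field_values(event, f) & wanted for f in expand(search_field))
        if not hit:
            return False
    return True


def search(events: List[Dict[str, Any]], query: Dict[str, List[str]]) -> List[Dict[str, Any]]:
    """Return the events matching the query, preserving input order."""
    if len(query) > MAX_SEARCH_FIELDS:
        raise ValueError(f"at most {MAX_SEARCH_FIELDS} search fields are allowed")
    return [e for e in events if matches(e, query)]


# Constructed events (not real telemetry); keys follow the Fields table.
EVENTS = [
    {"event.uuid": "e1", "event.code": "4625", "user.name": "jdoe",
     "client.ip": "203.0.113.10", "host.name": "WS01"},
    {"event.uuid": "e2", "event.code": "4624", "user.name": "jdoe",
     "client.ip": "10.0.1.15", "host.name": "WS01"},
    {"event.uuid": "e3", "ad.event.code": "4625", "ad.event.origin.username": "svc-backup",
     "client.ip": "198.51.100.7"},
    {"event.uuid": "e4", "event.code": "1", "host.user.name": "admin",
     "process.executable": "C:\\Windows\\System32\\cmd.exe", "host.name": "WS02"},
]

if __name__ == "__main__":
    # Failed logons (4625) from one address: OR inside the Event Code set,
    # then AND with the IP Address set.
    for e in search(EVENTS, {"Event Code": ["4625"], "IP Address": ["203.0.113.10"]}):
        print(e["event.uuid"])
```

Two behaviours worth noticing: a field set matches through any of its fields, so "Event Code" finds event e3, which carries only ad.event.code, and the IP Address set also matches host names because host.name and host.hostname are part of it. A partial term such as "jdo" matches nothing, which is why the tip recommends searching for complete values in a field set rather than relying on wildcards.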

Fields

Field Description
@timestamp The date and time when the event occurred or, if the log data that Arctic Wolf receives does not include a date and time for the event, the date and time when Arctic Wolf received the log data.

The @timestamp field is mandatory for all events.

@type If the event log is unparsed, the type of telemetry used to send event log data to Arctic Wolf. If the event log is a compound event, the type of incident or alert.

Note: A compound event is a single event that contains multiple logical events. Compound events are events that the Arctic Wolf observation pipeline generates when it identifies a group of events as logically related.

ad.event.auth.logon_type The Windows Event logon type.

Tip: For more information, see Audit logon events.

ad.event.code The Windows Event ID.

Tip: For more information, see:

ad.event.origin.username The name of the user or the computer that originated the event.
ad.event.title The event summary associated with the Windows Event ID.

Tip: For more information, see:

auth.type A description of the authentication type.
client.address An IP address, a domain name, or a Unix socket, if available. Some event sources report the client address ambiguously (the same field might hold an IP address, a domain name, or a socket), so this field carries the raw address value as the source reported it.
client.as.number The autonomous system number (ASN) that uniquely identifies each network on the internet.
client.bytes The total number of bytes sent from the client to the server during the event.
client.domain The client domain.
client.geo.city_name The name of the city where the client is located.
client.geo.country_iso_code The ISO code for the country where the client is located.
client.geo.country_name The name of the country where the client is located.
client.ip The IPv4 or IPv6 address of the client.
client.ip_classification The classification of the client IP address as either internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal.
client.packets The total number of packets sent from the client to the server during the event.
client.port The port used on the client.
client.user.email The email address of the user.
client.user.full_name The full name of the user.
client.user.id The user ID.
client.user.name The username that identifies a user login or a short name for the user.
client.user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
client.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
cloud.client.geo.city_name The name of the city where the external IP address is located.
cloud.client.geo.country_name The name of the country where the external IP address is located.
cloud.client.user.name The name of the user that completed the operation. To disambiguate this user name, check the user.id field.
cloud.event.name The name that an Arctic Wolf observation pipeline assigned the event.
cloud.resource.name The name of the resource that was changed or affected in the event. For example, the name of a file or user.
cloud.resource.path The file path of the resource that was changed or affected in the event. For example, the file path of an executable or a configuration file.
dns.answers.class The class of DNS data contained in the resource record.
dns.answers.data The data describing the resource. The meaning of this data depends on the type and class of the resource record.
dns.answers.ttl The number of seconds that a cache can keep the resource record before discarding it. A value of zero means that the record should not be cached.
dns.answers.type The type of data contained in the resource record.
dns.question.class The class of the record being queried.
dns.question.name The name of the record being queried.
dns.question.type The type of record being queried.
dns.question.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
dns.resolved_ip All IP addresses found in the dns.answers.data field. Arctic Wolf extracts the IP addresses from the dns.answers.data field to index them as IP addresses, which makes them easier to search for.
dns.response_code The DNS response code.
event.action The summary of the action described in the event log, according to the event source. For example, group-add, process-started, or file-created. The event.action field usually provides a more detailed summary than the event.category value.
event.category All categories that the event falls under. This value is an array, which enables the categorization of events that belong to more than one category. This field is closely related to event.type: the event.type values are subcategories of event.category values.
event.code The identification code for this event, if one exists. Some event sources use event codes to uniquely and unambiguously identify events, regardless of any wording adjustments in the event message over time or any language translations. Possible event.code field values are Windows Event IDs and Sysmon Event IDs.

Tip: For more information, see:

event.dataset The name of the dataset, according to the event source. If an event source publishes more than one type of log or event, for example, access logs and error logs, you can use the event.dataset value to identify which dataset the event is a part of.
event.duration The duration of the event in nanoseconds. If the event.start and event.end values are available, the event.duration value is the difference between the event.start and event.end values.
event.end The date and time when the event ended or when the event source last observed the activity.
event.kind A high-level summary of the type of information that the event log contains. You can use the value in this field to decide how to handle events of the same kind. Events of the same kind might need a different data retention period or different access controls. This value can also indicate if log data for this kind of event is coming in at a regular interval or not.
event.module The name of the module this data is coming from, if applicable. The Arctic Wolf observation pipeline populates this field if your monitoring agent uses the concept of modules or plugins to process events from a specific source, for example, Apache logs.
event.outcome Whether the event represents a success or a failure from the perspective of the entity that caused the event, if applicable.

Notes:

  • Not all events have an associated outcome.
  • In a set of correlated events, for example, a single transaction that occurs over multiple events, each event can have a different value.
  • In the case of a compound event, that is, a single event that contains multiple logical events, this field is populated with the value that best captures the overall success or failure of the series of events from the perspective of the entity that caused the series of events.
  • A compound event is not the same as a transaction that occurs over multiple events. A Data Explorer search result can include a compound event, whereas you might consider a group of separate events a transaction only after analyzing Data Explorer search results.
event.provider The source of the event log. Event transports such as Syslog or the Windows Event Log usually mention the source of an event. The identified source can be any of these values:
  • The name of the software that generated the event. For example, Sysmon or httpd.
  • The name of a subsystem of the operating system. For example, kernel or Microsoft-Windows-Security-Auditing.
event.reason An explanation of why the event happened. The event can be an action or an outcome. This explanation originates from the event source.
event.severity The severity level of the event, expressed as a number. This severity level originates from the event source. The meaning of this value depends on the event source and the use cases for this type of event classification.

Note: Make sure that the meaning of each severity level is consistent across events from the same log source.

event.start The date and time when the event started or when the event source first observed the activity.
event.type All applicable event types. This value is an array, which enables the categorization of events that have more than one event type. This field is closely related to event.category: the event.type values are subcategories of event.category values.
event.uuid A UUID that the Arctic Wolf observation pipeline assigns to an event log.
file.directory The folder where the file is located. This value includes the drive letter when appropriate.
file.hash.md5 The MD5 hash of the file.
file.hash.sha1 The SHA1 hash of the file.
file.hash.sha256 The SHA256 hash of the file.
file.mime_type The media type or MIME type of the file or stream of bytes, written as an IANA media type where possible. When more than one type is applicable, the most specific type should be used. For more information, see IANA Media Types.
file.name The name of the file, including the extension but without the file path.
file.path The complete path to the file, including the file name. This value includes the drive letter when appropriate.
host.domain The name of the domain that the host is a member of. For example:
  • For a Windows machine, this name could be the Active Directory domain or NetBIOS domain name.
  • For a Linux machine, this name could be the domain of the LDAP provider.
host.external_ip The external IP address of the host.
host.geo.city_name The name of the city where the host is located.
host.geo.country_iso_code The ISO code for the country where the host is located.
host.geo.country_name The name of the country where the host is located.
host.hostname The name of the host. This name is usually the value that the hostname command outputs on a host machine that runs on a Unix-based operating system.
host.ip The IPv4 or IPv6 address of the host.
host.name The name of the host, according to the event source. This name is usually one of these values:
  • The value that the hostname command outputs on a host machine that runs on a Unix-based operating system.
  • The fully qualified domain name.
  • A name specified by the user.
host.os.family The operating system family of the host. For example, redhat, debian, freebsd, or windows.
host.user.email The email address of the user.
host.user.full_name The full name of the user.
host.user.id The user ID.
host.user.name The username that identifies a user login or a short name for the user.
host.user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
http.request.headers The key-value pairs for all headers in the HTTP request.
http.request.method The HTTP request method.
http.request.mime_type The media type or MIME type of the body of the request.
http.response.content_type The value of the HTTP response Content-Type header.
http.response.headers The key-value pairs for all headers in the HTTP response.
http.response.status_code The HTTP response status code.
labels Custom key-value pairs. Examples of custom key-value pairs are docker and k8s.
network.application The name of an application-level protocol. This name can be arbitrarily assigned to microservices or cloud service providers like Skype, ICQ, Facebook, and X (formerly Twitter). This field is populated if the vendor or service can be derived from information like the source or destination IP address owners, port numbers, or wire format.
network.bytes The total number of bytes transferred in both directions during the event.
network.direction The direction of the network traffic.
network.packets The total number of packets transferred in both directions during the event.
network.protocol The layer seven network protocol name. For example, http, lumberjack, or transport protocol.
network.transport The name of the transport layer. For example, udp, tcp, or ipv6-icmp.
observer.geo.city_name The name of the city where the event source is located.
observer.geo.country_iso_code The ISO code for the country where the event source is located.
observer.geo.country_name The name of the country where the event source is located.
observer.type The event source type. For example, forwarder, firewall, ids, ips, proxy, poller, sensor, or APM server.
organization.deployment.id The unique identifier that Arctic Wolf assigns to an Arctic Wolf appliance deployed within the organization.
organization.id The unique identifier that Arctic Wolf assigns to the organization.
organization.uuid An organization UUID that is specific to the Arctic Wolf Managed Risk service. This field is used for legacy data mapping.
process.command_line The complete command line that started the process, including the absolute path to the executable and all command arguments.
process.executable The absolute path to the process executable file.
process.hash.md5 The MD5 hash of the process executable file.
process.hash.sha1 The SHA1 hash of the process executable file.
process.hash.sha256 The SHA256 hash of the process executable file.
process.name The name of the process.
process.parent.command_line The complete command line that started the parent process, including the absolute path to the executable and all command arguments.
process.parent.executable The absolute path to the parent process executable file.
process.parent.hash.md5 The MD5 hash of the parent process executable file.
process.parent.hash.sha1 The SHA1 hash of the parent process executable file.
process.parent.hash.sha256 The SHA256 hash of the parent process executable file.
process.parent.name The name of the parent process.
process.parent.pid The parent process ID.
process.parent.ppid The grandparent process ID.
process.parent.working_directory The working directory of the parent process.
process.pid The process ID.
process.ppid The parent process ID.
process.working_directory The working directory of the process.
related.as.number All autonomous system numbers (ASNs) found in the event log.

Tip: A related field allows you to search all database fields that might contain your search term. Examples of related fields are related.ip and related.user. Search a related field if you don't know the name of the database field that contains your search term.

related.email All user email addresses listed in the event log.
related.groups All the groups related to users that are associated with the event.
related.hash All hashes found in the event log data.
related.hosts All hostnames or other host identifiers observed during the event. Valid values include FQDNs, domain names, workstation names, or aliases.
related.ip All IP addresses found in the event log data.
related.url All URLs found in the event log data.
related.user All usernames or other user identifiers found in the event log data.
related.whois.registrant.name For all the domain names found in the event log data, the persons or organizations who registered the domain names, according to the WHOIS database.
remote.address An IP address, a domain, or a Unix socket, if available. Remote addresses are sometimes ambiguous. Some event logs that originate from ambiguous remote addresses include this information.
remote.domain The domain of the remote system.
remote.ip The IPv4 or IPv6 address of the remote system.
remote.port The port used on the remote system.
remote.registered_domain The highest registered domain of the remote system without the subdomain.
rule.description The name of the schema or set of rules that generates analyzed event logs from raw log data that enters the Arctic Wolf observation pipeline.
rule.events.category How the Arctic Wolf observation pipeline categorized the analyzed event log.
rule.events.description A summary of the analyzed event log.
rule.events.identifier The identifier assigned to the analyzed event log if the event is escalated.
rule.events.tags The tags that the Arctic Wolf observation pipeline attached to the analyzed event log.
server.address An IP address, a domain, or a Unix socket, if available. Server addresses are sometimes ambiguous. Some event logs that originate from ambiguous server addresses include this information.
server.as.number The autonomous system number (ASN) that uniquely identifies each network on the internet.
server.as.organization.name The name of the organization associated with the server.
server.bytes The total number of bytes sent from the server to the client during the event.
server.domain The server domain.
server.geo.city_name The name of the city where the server is located.
server.geo.country_iso_code The ISO code for the country where the server is located.
server.geo.country_name The name of the country where the server is located.
server.ip The IPv4 or IPv6 address of the server.
server.ip_classification The classification of the server IP address as either internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal.
server.packets The total number of packets sent from the server to the client during the event.
server.port The port used on the server.
server.user.email The email address of the user.
server.user.full_name The full name of the user.
server.user.id The user ID.
server.user.name The username that identifies a user login or a short name for the user.
server.user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
server.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
service.name The name of the service that is configured to send log data to Arctic Wolf. A user in your organization usually assigns a name to the service that they configure to forward log data.
tags A list of keywords that the Arctic Wolf observation pipeline associated with the event log source.
threat.severity A CVSS score, which is a number ranging from zero to 10. A score of 10 indicates a risk of the highest severity. For more information, see NIST NVD Vulnerability Metrics.
threat.tactic.name The name of the tactic, according to the MITRE ATT&CK® database, that the identified threat uses.
tls.client.hash.sha256 The fingerprint of the certificate that the client offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate.
tls.server.hash.sha256 The fingerprint of the certificate that the server offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate.
url.domain The domain of the URL, for example, www.arcticwolf.com in https://www.arcticwolf.com. In some cases, a URL might refer to an IP address and port directly, without a domain name.
url.full The complete URL.
url.path The path of the request. For example, /search.
url.whois.registrant.organization The person or organization who registered the domain name, according to the WHOIS database.
user.changes.email What the email address of the user was changed to.
user.changes.full_name What the full name of the user was changed to.
user.changes.id What the user ID was changed to.
user.changes.name What the username or the short name for the user was changed to.
user.changes.username What the username for the user was changed to. This field is an additional field to account for legacy systems.
user.effective.email The email address of the user whose role or privileges an administrator assumed.
user.effective.full_name The full name of the user whose role or privileges an administrator assumed.
user.effective.id The ID of the user whose role or privileges an administrator assumed.
user.effective.name The username or the short name for the user whose role or privileges an administrator assumed.
user.effective.username The username for the user whose role or privileges an administrator assumed. This field is an additional field to account for legacy systems.
user.email The email address of the user.
user.full_name The full name of the user.
user.id The user ID.
user.name The username that identifies a user login or a short name for the user.
user.target.email The email address of the user before an administrator changed it.
user.target.full_name The full name of the user before an administrator changed it.
user.target.id The ID of the user before an administrator changed it.
user.target.name The username or the short name for the user before an administrator changed it.
user.target.username The username for the user before an administrator changed it. This field is an additional field to account for legacy systems.
user.username The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems.
user_agent.description The user agent in human-readable form.
user_agent.original The unparsed user-agent string.
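As an added example (not Arctic Wolf's code), the following Python shows how the related.* search fields and server.ip_classification described in the field reference above could be derived from an event log stored with the dotted field names listed here. The field-to-related mapping, the extra_internal ranges and the sample event are constructed assumptions, not the observation pipeline's actual rules.

```python
"""Derive related.* search fields and server.ip_classification from an
event stored with dotted field names. Added example; the mapping below is an
assumption about which fields feed each related.* field, not Arctic Wolf's."""
import ipaddress
from collections import defaultdict

# A leaf matches a field when the field equals it or ends with "." + leaf,
# so "hash.sha256" covers file.hash.sha256, process.parent.hash.sha256 and
# tls.server.hash.sha256 alike.
RELATED_SOURCES = {
    "related.ip": ("ip", "external_ip"),
    "related.hash": ("hash.md5", "hash.sha1", "hash.sha256"),
    "related.user": ("user.name", "user.username", "user.id",
                     "user.effective.name", "user.target.name"),
    "related.hosts": ("hostname", "host.name", "host.domain",
                      "server.domain", "remote.domain"),
    "related.email": ("email",),
    "related.url": ("url.full",),
}


def _matches(field: str, leaf: str) -> bool:
    return field == leaf or field.endswith("." + leaf)


def derive_related(event: dict) -> dict:
    """Collect every value that should be reachable through a related.*
    search, de-duplicated and sorted so the result is stable."""
    related = defaultdict(set)
    for field, value in event.items():
        if value in (None, ""):
            continue
        for target, leaves in RELATED_SOURCES.items():
            if any(_matches(field, leaf) for leaf in leaves):
                related[target].add(str(value))
    return {target: sorted(values) for target, values in related.items()}


# RFC 1918 and IPv6 unique-local space. Callers pass the non-RFC 1918 ranges
# their network uses internally via extra_internal, as the field allows.
RFC1918_AND_ULA = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_ip(address: str, extra_internal=()) -> str:
    """Return "internal", "external" or "multicast" for an IPv4/IPv6 address."""
    ip = ipaddress.ip_address(address)
    if ip.is_multicast:
        return "multicast"
    internal = RFC1918_AND_ULA + [ipaddress.ip_network(n) for n in extra_internal]
    if any(ip in net for net in internal):  # mixed v4/v6 comparisons are False
        return "internal"
    return "external"


# Constructed sample event: RFC 5737 documentation address for the server,
# SHA-256 digest of an empty file for the process hash.
SAMPLE_EVENT = {
    "event.provider": "Sysmon",
    "host.hostname": "ws-042",
    "host.ip": "10.20.30.40",
    "host.user.name": "jdoe",
    "process.hash.sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "server.ip": "198.51.100.7",
    "server.domain": "updates.example.net",
    "user.email": "jdoe@example.com",
    "url.full": "https://updates.example.net/search",
}

if __name__ == "__main__":
    for field, values in derive_related(SAMPLE_EVENT).items():
        print(field, values)
    print("server.ip_classification", classify_ip(SAMPLE_EVENT["server.ip"]))
```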

View login events

The Login Events page allows you to search for and review login events from the systems that Arctic Wolf monitors as part of the MDR service.

  1. In the Unified Portal menu bar, click Data Exploration > Login Events.

  2. (Optional) Set one or more filters to limit or expand your search results.

    • Click the Calendar to modify the date range.

    • Enter a search term in the Search field.

      Note: The search function does not support wildcards, comma-separated lists, or Boolean operators like AND or OR.

    • Add filters to narrow search results.

  3. If you changed one or more filter settings, click Apply Filters.

  4. (Optional) View login event details.

    1. For any row in the table, click on a link.

      A new Data Explorer search starts.

    2. In the Event Logs section, on an event log detail row, click Complete Log Data to view login event details.

View logins by country

The Logins by Country page allows you to filter data by country, date, and status and presents the results in a map and rows.

  1. In the Unified Portal menu bar, click Data Exploration > Logins by Country.
  2. (Optional) Set one or more filters to limit or expand your search results.
    • Click the Calendar to choose from preset time ranges.
    • Add one or more values to the Login Status field.
    • Add one or more values to the Country field.
  3. If you changed one or more filter settings, click Apply Filters.
  4. (Optional) View country login results.
    • In the map, click on a colored circle to view all login events for that geographic region.
    • For any of the rows below the map, click View Logins.

Raw Log Search

Raw Log Search is a licensed Managed Detection and Response (MDR) add-on feature that lets you search the Arctic Wolf platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to retrieve logs in raw format for operational and security-related tasks, such as validating a configuration change or investigating a security alert.

For more information, see:

Tip: You can also search the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View event logs in the Arctic Wolf Unified Portal User Guide for details.

Tickets

A ticket is a record of communication between you and your CST to fulfill a support request or address a security concern. The Tickets page displays current and historical tickets. By default, this page contains tickets from the last 30 days, but you can use filters to display older tickets. For more information, see:

Ticket filters

You can use the following filters to refine the tickets that appear in the Tickets table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View tickets

Open a new ticket

  1. In the Unified Portal menu bar, click Tickets.
  2. Click Open a New Ticket.
  3. On the Open a New Ticket page, do the following steps:
    1. In the What is this contact request related to? section, select the appropriate option:
      • General request — Select for non-urgent requests.
      • A security emergency — Select if one or more of your systems or user accounts are breached. For immediate assistance with a security emergency, call us at +1-888-272-8429.
      • Technical support assistance — Select if you require support with network issues, a service failure, troubleshooting issues, or IP address reconfiguration.
    2. In the Subject field, enter a short description of your request.
    3. (Optional) In the Related ticket field, enter the number of a related ticket.
    4. In the comment box, type your request and provide relevant details.
    5. (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.

    Notes:

    • If attaching the file fails:
      1. Compress the file and try attaching the file again.
      2. If the file still cannot be attached, generate a ticket and ask your Concierge Team for support.
    • There is a limit of 20 MB for upload size.
  4. Click Send Message.

For more information, see Reply to a ticket.

View ticket details

You can view additional details and comments related to a ticket. The details differ depending on the ticket type. For example, Incident tickets have detailed incident report information, but Other tickets do not.

  1. In the Unified Portal menu bar, click Tickets.

  2. Identify the ticket that you want to view.

    Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.

  3. Click the subject line of the ticket or the ticket number to view ticket details.

Reply to a ticket

  1. In the Unified Portal menu bar, click Tickets.

  2. Identify the ticket that you want to respond to.

    Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.

  3. Click the subject line of the ticket or the ticket number to view ticket details.

  4. Follow the appropriate steps, depending on the ticket status:

    • If the ticket status is Open:
      1. Verify that Ticket Action is set to Reply.
      2. In the Add a Comment section, enter a comment.
      3. (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
      4. Click Add Comment.
    • If the ticket status is Closed:
      1. Click Post Follow-up Ticket.
      2. On the Open a New Ticket page, do the following steps:
        1. In the What is this contact request related to? section, select the appropriate option:
          • General request — Select for non-urgent requests.
          • A security emergency — Select if one or more of your systems or user accounts are breached. For immediate assistance with a security emergency, call us at +1-888-272-8429.
          • Technical support assistance — Select if you require support with network issues, a service failure, troubleshooting issues, or IP address reconfiguration.
        2. In the comment box, type your request and provide relevant details.
        3. (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
      3. Click Send Message.

Close a ticket

Note: To close tickets that you did not create or that you are not a recipient of, you must have the required permissions. If you require a higher level of access, check your Organization Profile and ask a primary contact.

  1. In the Unified Portal menu bar, click Tickets.

  2. Identify the ticket that you want to close.

    Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.

  3. Click the subject line of the ticket or the ticket number to view ticket details.

  4. In the Ticket Action section, select one of these options from the list:

    • Close and suppress this alert

      Note: This option only appears for alerts.

    • Close with a follow-up request

    • Close

  5. If applicable, in the comment box, type your request and provide relevant details.

  6. Click Close Ticket.

Reports

Arctic Wolf provides you with reports that assess your security posture. Depending on the type of report, they might be delivered daily, weekly, monthly, or quarterly.

For more information, see:

Report filters

You can use the following filters to refine the items that appear in the report tables:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View past reports

View a report from Arctic Wolf

  1. In the Unified Portal menu bar, click Reports > Past Reports.
  2. Identify the report that you want to view.

    Tip: If desired, use filters to narrow your results. For more information, see Report filters.

  3. Click Download or click the report name in the Title column.
    PDF reports typically open in a new browser tab, but this can vary based on your browser settings. CSV files must be manually opened from the directory from which they are saved.

View scheduled reports

Send a malicious file to Arctic Wolf for review

If you have a file that you suspect is malicious, you can compress the file with password protection and send it to Arctic Wolf for review.

Note: Do not send Arctic Wolf raw suspicious files. Our email clients, file hosting clients, and ticket clients have security filtering and we will not receive the file.

  1. Compress the potentially malicious file into a zip file.
  2. Apply the password infected to the zip file.

    Tip: Some compression tools include password configuration under encryption settings.

  3. Send the zip file to Arctic Wolf through the Unified Portal or ask Arctic Wolf to provide an Egnyte upload link.