Arctic Wolf Unified Portal
Updated Sep 28, 2023
- Switch service applications
- Resource Center
- View Allowlist Requirements
- Change display settings
- My Account resources
- View your organization profile
- Add a contact
- Edit a contact
- Delete a contact
- Export contact information
- View log sources
- Update your escalation policy
- Export your escalation policy
- View an alert configuration rule
- Request a new alert configuration rule
- Request an update to an existing alert configuration rule
- Security posture summary
- Telemetry Management
- Scanners
- View scanner health
- Scanner filters
- View scanners
- View scanner details
- View scanner configuration
- View a scanning schedule
- View scans that are queued
- Verify scanning health
- Check IVA Scanner connectivity
- Check the IVA Scanner rate
- Add a host identification DNS server
- Add an IP address to the denylist
- Edit a scanning schedule
- Enable or disable host identification
- Enable or disable vulnerability scanning
- Enable or disable CGI scanning
- Enable or disable brute force scanning
- Brute force scanning username checks
- Enable or disable ping only discovery
- Remove a host identification DNS server
- Remove an IP address from the denylist
- Delete a scanning schedule
- Connected Accounts
- Scan Schedules
- Scanners
- Data Exploration
- Raw Log Search
- Tickets
- Reports
- Send a malicious file to Arctic Wolf for review
Arctic Wolf Unified Portal
The Arctic Wolf® Unified Portal provides a single point of access to your Concierge Security® Team (CST) and self-service applications for Arctic Wolf solutions, such as Managed Detection and Response (MDR) and Managed Risk (MR).
Tip: If you manage Arctic Wolf services for more than one organization, you can switch profiles by selecting the desired organization from the drop-down menu above the menu bar.
Switch service applications
Each Arctic Wolf solution includes a dashboard that allows security administrators to manage some aspects of the solution and view reports on various security metrics. The Unified Portal allows security administrators to switch between these dashboards, depending on the subscription that their organization has purchased, such as Managed Risk.
Note: The options displayed depend on purchased subscriptions.
- In the Unified Portal, click App Launcher, located above the menu bar.
- Select the desired dashboard from the list.
The dashboard opens in a new tab.
Resource Center
- In the Unified Portal, click Help to access the Resource Center, which has these menu options:
Menu option | Description |
---|---|
Downloads | Provides access to software downloads for Arctic Wolf products. For example, Active Directory (AD) Sensor, Endpoint Agent, Sysmon Assistant, and virtual network appliances. |
Allowlist Requirements | Displays allowlist and third-party integration requirements for Arctic Wolf services. For example, DNS hostnames, IP addresses, ports, and AWS stack links. For more information, see View Allowlist Requirements. |
Documentation | Provides access to installation and user guides for Arctic Wolf products and configuration guides for third-party integrations. |
Unified Portal User Guide | Opens the user guide for the Unified Portal. |
Open a New Ticket | Opens the form for submitting a support request ticket to your CST. For more information, see Open a new ticket and Reply to a ticket. |
View Allowlist Requirements
The Allowlist Requirements page provides a summary of allowlist and third-party integration requirements (for example, DNS hostnames, IP addresses, ports, and stack links) for Arctic Wolf services. Use this information to update your allowlist configurations, so Arctic Wolf appliances can communicate out of your network to Arctic Wolf.
- In the Unified Portal, click Help > Allowlist Requirements.
Change display settings
- In the Unified Portal, click Settings.
- Change one or both of the following:
- Display Time — Select Local or UTC.
- Appearance — Select Light Mode or Dark Mode.
My Account resources
- In the Unified Portal, click My Account to access the following:
Menu option | Description |
---|---|
Onboarding | Opens the onboarding form in the Arctic Wolf Portal. Note: This is not available if onboarding is complete. |
Organization Profile | Displays contacts within your organization, log sources, escalation paths, and alert configuration rules. For more information, see View your organization profile. |
Sign Out | Signs you out of the Unified Portal. |
View your organization profile
- In the Unified Portal, click My Account > Organization Profile.
Your organization profile has the following pages:
Page | Description |
---|---|
Onboarding | Opens the onboarding form in the Arctic Wolf Portal. Note: This is not available if onboarding is complete. |
Contacts | Displays contacts from your organization that interact with Arctic Wolf. For more information, see: |
Log Sources | If your organization subscribes to Managed Detection and Response, displays the log sources that Arctic Wolf monitors. For more information, see View log sources. |
Escalations | Displays the rules within the escalation policy that Arctic Wolf follows if a security incident is detected. These rules tell Arctic Wolf who to contact. For more information, see: |
Alert Configuration Rules | Displays your active alert configuration rules. These rules tell Arctic Wolf when or when not to alert you about specific security incidents. For more information, see: |
Add a contact
- In the Unified Portal, click My Account > Organization Profile.
- Click Add a New Contact.
Note: If you do not see the Add a New Contact option, submit a request to a primary or secondary contact in your organization to add a new contact. Alternatively, click Request an Update.
- Fill out the New Contact form:
  - Select the appropriate contact type.
  - Enter the name of the contact.
  - Enter the email address that the contact will use to sign in to the Unified Portal.
  - (Optional) Click + Add Email to add alternative email addresses.
  - (Optional) Add a phone number for the contact.
  - To associate this contact with a site, in the Site Name list, select an option.
  Tip: If the desired site is not listed, you can submit a ticket to request that a new site be added and edit the contact later.
  - Select a timezone for the new contact.
  - Select the time range and days of the week that comprise the business hours of the contact.
  - Select the Arctic Wolf services that this contact should have access to.
- Click Add Contact.
The system creates a ticket with a summary of the changes you made to your organization profile.
Edit a contact
- In the Unified Portal, click My Account > Organization Profile.
- Find the contact that you want to edit.
- Click Edit.
Note: If you do not see the Edit option, submit a request to a primary or secondary contact in your organization to edit the contact. Alternatively, click Request an Update.
- Edit one or more of the contact details.
- Click Save Changes.
The system creates a ticket with a summary of the changes you made to your organization profile.
Delete a contact
- In the Unified Portal, click My Account > Organization Profile.
- Find the contact that you want to delete.
- Click Delete.
When you click Delete, the system checks for items that are assigned to this user.
Note: If you do not see the Delete option, submit a request to a primary or secondary contact in your organization to delete the contact. Alternatively, click Request an Update.
- If items are assigned to this user, in the Message field, indicate which user should be assigned to these items.
- Click Request to Delete Contact.
The system creates a ticket with your request to delete the contact. This contact remains listed until your Concierge Team fulfills your request, but the system automatically edits this contact to remove access to Arctic Wolf services.
Note: If you are not a primary contact, your Concierge Team will ask a primary contact to approve your request.
Export contact information
You can export the contacts from your organization profile if you need to share or upload the information elsewhere.
- In the Unified Portal, click My Account > Organization Profile.
- Click Export Contacts .
View log sources
If your organization subscribes to Managed Detection and Response, you can view the log sources that Arctic Wolf monitors:
- In the Unified Portal, click My Account > Organization Profile.
- In the navigation menu, click Log Sources.
Update your escalation policy
You can view and manage the rules that determine how Arctic Wolf escalates a potential security incident.
- In the Unified Portal, click My Account > Organization Profile.
- In the navigation menu, click Escalations.
- Review this page to see if an escalation rule exists for the security incident that you are planning for.
- (Optional) To filter the list of escalations, do one or both of the following:
  - In the Contacts field, enter the name of a contact.
  - In the Escalation Title field, enter a key word for an alert or event.
- To update your escalation policy, do one of the following:
  - To modify an existing rule, click Request an Update for the rule you want to edit.
  - To add a new rule, at the top of the page, click Request a new Escalation.
  Either action opens a new ticket.
- In the Message field of the ticket, describe the scenario or incident and, for each escalation level, specify who to contact and how to contact them. For example:
  - Scenario: Unusual user activity
    - Level 1: Submit a ticket to Jane Doe (username: janedoe)
    - Level 2: Phone Jane Doe at 555-0103 (work) during business hours
  - Scenario: Compromised system
    - Level 1: Email John Doe at john.doe@example.com (primary) and CC Jane Doe at jane.doe@example.com
    - Level 2: Phone John Doe at 555-0101 (work) or 555-0102 (mobile) at any time
    - Level 3: Phone Jane Doe at 555-0103 (work) or 555-0104 (mobile) at any time
- Click Send Message.
Export your escalation policy
The Escalations page shows the rules that determine how Arctic Wolf escalates a potential security incident. You can export the list of rules to a CSV file.
- In the Unified Portal, click My Account > Organization Profile.
- In the navigation menu, click Escalations.
- Click Export .
View an alert configuration rule
- In the Unified Portal, click My Account > Organization Profile.
- In the navigation menu, click Alert Configuration Rules.
- Click View next to an alert configuration rule to view details and a list of related entries.
Request a new alert configuration rule
- In the Unified Portal, click My Account > Organization Profile.
- In the navigation menu, click Alert Configuration Rules.
- Click Alert Configuration Request.
- Make sure the General request checkbox is selected, and use the default Subject field.
- (Optional) Add a related ticket.
- In the Message field, include a detailed description about your alert configuration rule update request. To the best of your ability, include information about the relevant application, server, host device, username, and network or system event. If applicable, specify the dates and times when this rule should be active. For example:
Allow cloud service sign-in from Canada.
Do not alert if user jane.doe@example.com assigns administrative privileges to another user in Office 365.
Do not alert if user john.doe@example.com signs in to a cloud service from New Zealand between August 10, 2023 and October 30, 2023.
- (Optional) Attach a file.
- Click Send Message.
Request an update to an existing alert configuration rule
- In the Unified Portal, click My Account > Organization Profile.
- In the navigation menu, click Alert Configuration Rules.
- Click View next to the alert configuration rule that you would like updated.
- Click Request Updates.
- Make sure the General request checkbox is selected, and use the default Subject field.
- (Optional) Add a related ticket.
- In the Message field, include a detailed description about your alert configuration rule update request. Avoid ambiguous statements and be specific. For example:
Remove user jane.doe@example.com.
Add Canada to this list.
- (Optional) Attach a file.
- Click Send Message.
Security posture summary
Review the security posture of your organization across all applicable Arctic Wolf service subscriptions on the Dashboard page.
Note: You cannot create, edit, or customize this page. Visible homepage tiles depend on the service subscriptions that your organization has.
Coverage score
Your Coverage Score refers to the percent of your network environment that Arctic Wolf monitors as part of the MDR service. Factors that affect this score include the configurations that enable accurate alerting and detection, products and services used to monitor the network and cloud environment, routine vulnerability scanning, and incident response metrics.
More information is available on the Coverage Score page, including how your coverage score compares to all other Arctic Wolf customers, as well as others in your industry and organizations similar to your size.
The Coverage Score comprises these components:
- Configuration — A list of MDR components that are configured.
- Monitoring — Cloud apps and antivirus components that monitor your environment.
- Incidents — The number of security incidents in your environment.
- Ticketing — The number of escalation paths that are defined.
- External Scans — The number of high and critical vulnerabilities in your environment.
Risk score
Your Risk Score refers to the extent to which your network environment is at risk. The risk score is a weighted average of the scores of all unmitigated vulnerabilities within your network at a particular point in time.
This score is a number between 1 and 10, with 1 representing the lowest risk level:
Risk score | Risk level |
---|---|
1–3 | Low |
4–6 | Medium |
7–8 | High |
9–10 | Critical |
A risk score is only available with the MR and MDR services:
- If an organization subscribes to MDR only, the risk score calculation is based on scheduled External Vulnerability Assessment (EVA) scans.
- If an organization has MR, either as a standalone subscription or in addition to other Arctic Wolf services, the risk score calculation is based on EVA scans, Internal Vulnerability Assessment (iVA) scans, and endpoint monitoring.
Tip: For more information about risk score calculations, see NIST compliance. For more information about EVA and iVA scanning, see Managed Risk Scanner FAQ.
The risk score updates automatically whenever new risks are found, existing risks are mitigated, or the CVSS score of an existing risk changes.
NIST compliance
Arctic Wolf calculates the risk score of an organization based on the Common Vulnerability Scoring System version 2 (CVSSv2), which provides an open framework for communicating the impacts of network vulnerabilities and an objective metric for prioritizing vulnerabilities so that the highest risk vulnerabilities are remediated first.
Arctic Wolf calculates risk scores like this:
- Each unmitigated vulnerability found in the network is scored independently.
The CVSSv2 standard includes several metrics to calculate the base score of a vulnerability, such as:
- Access vector — The accessibility of the exploitable vulnerability, including local access, adjacent access, and network access.
- Access complexity — The complexity of the attack required to exploit the vulnerability once the targeted system is accessible.
- Authentication — The number of times the attacker must authenticate for a targeted system to exploit the vulnerability.
- Confidentiality impact — The impact on data confidentiality once a vulnerability is successfully exploited. Confidentiality refers to how data is accessed and/or disclosed, including preventing access to authorized users and disclosing data to unauthorized users.
- Integrity impact — The impact on data integrity once a vulnerability is successfully exploited. Integrity refers to trustworthiness and the data accuracy.
- Availability impact — The availability of data once a vulnerability is successfully exploited. Availability refers to the accessibility of the data/resource.
For more information about CVSS base score calculations, see NIST CVSS Calculator.
- All unmitigated vulnerabilities are categorized, for example, as a patch exploit or a configuration issue.
- For each risk category, this weighted-average formula is applied to the vulnerability scores within the category:
risk score ≔ (avg(Low) × α + avg(Med) × β + avg(High) × γ) ÷ (α + β + γ)
Where:
- Low ≔ {δ | 0 < δ ≤ 3.9}
- Med ≔ {δ | 4 ≤ δ ≤ 6.9}
- High ≔ {δ | 7 ≤ δ ≤ 10}
- δ ≔ the CVSSv2 base score of a vulnerability
- α ≔ 1
- β ≔ 10
- γ ≔ 50
- The same weighted-average formula is applied to all risk category scores to determine a final score for the entire network.
Tip: NIST provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real time. Each CVE provides details about a known network vulnerability, including a CVSSv2 score.
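The weighted-average calculation above, worked through in Python as an added example (this is not Arctic Wolf's own implementation): it buckets CVSSv2 base scores with the page's Low, Med and High boundaries and the weights α = 1, β = 10, γ = 50, scores each risk category, then applies the same formula to the category scores to get the network-wide score, and finally maps that score to the Risk level table. Two details the page leaves open are handled as labelled assumptions: an empty bucket has no average, so it is dropped from both numerator and denominator rather than counted as 0, and the Risk level lookup rounds the score to the nearest whole number. The sample scores are constructed.

```python
from statistics import mean
from typing import Dict, Iterable, List

# Weights from the page: alpha for Low, beta for Med, gamma for High.
ALPHA, BETA, GAMMA = 1, 10, 50
WEIGHTS = {"Low": ALPHA, "Med": BETA, "High": GAMMA}


def bucket(delta: float) -> str:
    """Map a CVSSv2 base score (delta) to the page's Low/Med/High set.
    Values in the gaps (3.9, 4) and (6.9, 7) or outside (0, 10] are rejected:
    CVSSv2 scores carry one decimal, so such a value indicates bad input."""
    if 0 < delta <= 3.9:
        return "Low"
    if 4 <= delta <= 6.9:
        return "Med"
    if 7 <= delta <= 10:
        return "High"
    raise ValueError(f"{delta} is not a CVSSv2 score in (0, 10]")


def weighted_risk_score(scores: Iterable[float]) -> float:
    """Apply the page's formula:
    (avg(Low)*alpha + avg(Med)*beta + avg(High)*gamma) / (alpha + beta + gamma).
    Assumption (not stated on the page): a bucket with no scores has no
    average, so it is left out of both numerator and denominator."""
    groups: Dict[str, List[float]] = {"Low": [], "Med": [], "High": []}
    for score in scores:
        groups[bucket(score)].append(score)
    present = {name: vals for name, vals in groups.items() if vals}
    if not present:
        raise ValueError("no unmitigated vulnerabilities to score")
    numerator = sum(mean(vals) * WEIGHTS[name] for name, vals in present.items())
    denominator = sum(WEIGHTS[name] for name in present)
    return numerator / denominator


def network_risk_score(by_category: Dict[str, List[float]]) -> float:
    """Score each risk category, then apply the same formula to the category
    scores to get the score for the entire network."""
    category_scores = [weighted_risk_score(v) for v in by_category.values() if v]
    return weighted_risk_score(category_scores)


def risk_level(score: float) -> str:
    """Look up the Risk score / Risk level table. Assumption: the score is
    rounded to the nearest whole number first (the table lists whole numbers)."""
    rounded = round(score)
    if rounded <= 3:
        return "Low"
    if rounded <= 6:
        return "Medium"
    if rounded <= 8:
        return "High"
    return "Critical"


# Constructed sample: CVSSv2 base scores of unmitigated findings per category.
SAMPLE = {
    "patch exploit": [2.0, 3.0, 5.0, 9.0, 10.0],
    "configuration issue": [4.5, 6.5],
}

if __name__ == "__main__":
    for name, vals in SAMPLE.items():
        print(f"{name}: {weighted_risk_score(vals):.2f}")
    total = network_risk_score(SAMPLE)
    print(f"network: {total:.2f} ({risk_level(total)})")
```

With the sample, the patch category scores 527.5 / 61 ≈ 8.65 and the configuration category 5.5; the network score is their weighted average, ≈ 8.12, which the table reads as High. Note how heavily γ = 50 pulls the result toward the High bucket: one critical finding dominates any number of low ones.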
Observation pipeline
Review Observation Pipeline data to understand the events that Arctic Wolf collected in the observation pipeline and processed into security-relevant data. The dashboard displays the number of these events at each stage of the pipeline.
- Analyzed Events — All events that were parsed, enriched, and analyzed for security value.
- Interesting Events — The number of events that were machine-analyzed and deemed noteworthy.
- Investigations — Potential security issues that Arctic Wolf verified.
- Escalated Alerts — Events that were escalated for you to action.
Suspicious logins
Use the Suspicious Logins map to review login attempts that Arctic Wolf considers suspicious. Suspicious login attempts consist of:
- Successful logins from a restricted country.
- Failed logins from an approved or restricted country.
Your organization typically has a list of countries that are approved for logins. Any login attempt that is not on the list of approved countries appears on this map. If you would like to update this list, contact your CST.
Click View All Logins to view the login attempts in greater detail on the Logins by Country page. For more information on the Logins by Country page, see View logins by country.
Telemetry Management
Arctic Wolf security services rely on telemetry sources in a network environment. Telemetry Management dashboards allow you to:
- Activate a newly installed telemetry appliance.
- Ensure that deployed agents, sensors, scanners, and log collectors are operational.
- Identify potentially compromised endpoint devices in containment.
To review the status of one or more appliances:
- In the Unified Portal menu bar, click Telemetry Management > Health Overview.
- Select the desired telemetry dashboard, such as Sensors, to view information about specific telemetry sources.
- (Optional) Use the filter to isolate deployments with a particular status.
- Hover over the status of a telemetry appliance to see information about how to resolve health issues.
Scanners
Arctic Wolf scanners provide continuous risk monitoring and vulnerability assessments of your environment. On the Unified Portal Scanners page, you can view information about the scanners in your environment.
For more information, see:
- View scanner health
- Scanner filters
- View scanners
- View scanner details
- View scanner configuration
- View a scanning schedule
- View scans that are queued
- Verify scanning health
- Edit a scanning schedule
- Delete a scanning schedule
View scanner health
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
The scanner health overview provides a summary of how many scanners are healthy, need attention, or are unhealthy. The following table describes the scanner statuses that are associated with each health category:
Health category | Scanner status |
---|---|
Healthy | Connected — The scanner is connected to Arctic Wolf. |
Healthy | Scanning — The scanner is actively scanning your network. |
Healthy | Idle — The scanner is waiting for its next scheduled job. |
Needs Attention | Awaiting Activation — The scanner registration is complete. Open the Managed Detection and Response Dashboard to activate this scanner. |
Unhealthy | Degraded — The scanner is connected but not working as intended. Contact your CST for troubleshooting assistance. |
Unhealthy | Disconnected — The scanner is not communicating with Arctic Wolf. Contact your CST for troubleshooting assistance. |
Scanner filters
You can use the following filters to refine the items that appear in the Scanners table:
- Status — Filters scanners based on the scanner status. Select Disconnected, Degraded, Awaiting Activation, Scanning, Idle, Connected, or Not Available.
- Product Type — Filters the scanners by product type. Select Physical or Virtual.
Click Reset Filters at any time to remove all filters.
Click Hide Filter to hide the filters from the page or Show Filter to display the filters.
View scanners
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
The Scanners table provides information about the scanners in your environment:
Column | Description |
---|---|
Name | Displays the scanner name. |
Status | Displays the scanner status: Disconnected, Degraded, Awaiting Activation, Scanning, Idle, Connected, or Not Available. |
Product type | Displays the type of scanner: Physical or Virtual. |
Version | Displays the version number of the scanner. |
IP Address | Displays the IP address of the scanner. |
Click the arrows next to a column heading to sort the information by that column. A single dark arrow indicates an active sort.
Use the filters to refine the information that displays in the table. For more information, see Scanner filters.
View scanner details
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to view, and then click Expand Row.
Tip: If desired, use filters to narrow your results. See Scanner filters for more information.
The following details display for physical or virtual scanners in your network:
- Scanner UUID — Displays the universally unique identifier (UUID).
- IP — Displays the IP address.
- Netmask — Displays the subnet mask.
- Scanner exclusion list — Displays any exclusion lists that the scanner is included on.
- Host identification — Indicates whether host identification scanning is Enabled or Disabled.
- Vulnerability scanning — Indicates whether vulnerability scanning is Enabled or Disabled.
- Brute force checks — Indicates whether brute force checks are Enabled or Disabled.
- CGI scanning — Indicates whether Common Gateway Interface (CGI) scanning is Enabled or Disabled.
- Only ping target — Indicates whether the only ping target setting is Enabled or Disabled.
- Host identification DNS servers — Displays a list of configured Domain Name System (DNS) resolvers that the scanner uses for host identification scanning.
View scanner configuration
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to view.
Tip: If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
The following scanner configuration information is provided:
Configuration detail | Description |
---|---|
Scanner Profile | Displays the ID of the scanner. |
Scanner Name | Displays the name of the scanner. |
IP | Displays the IP address of the scanner. |
Scanner UUID | Displays the universally unique identifier (UUID). |
Netmask | Displays the subnet mask of the scanner. |
Product Type | Displays the product type: Virtual or Physical. |
Connection Status | Displays the connection status of the scanner: Connected (the scanner is online) or Disconnected (the scanner is offline). |
Version | Displays the version number of the scanner. |
Status | Displays the scanner status: Connected (the scanner is connected to Arctic Wolf), Scanning (the scanner is actively scanning), Idle (the scanner is waiting for its next scheduled job), Awaiting Activation (the scanner is registered but not activated), Degraded (the scanner encountered an issue while scanning), or Disconnected (the scanner is not visible on the network). |
Host Identification | Displays whether host identification scans are enabled or disabled. Note: Vulnerability Scans must also be enabled for host identification scans to work. When Host Identification is disabled, Vulnerability Scanning is also disabled. For more information, see Enable or disable host identification. |
Vulnerability Scanning | Displays whether IVA scans are enabled or disabled. For more information, see Enable or disable vulnerability scanning. |
CGI Scanning | When turned on, Common Gateway Interface (CGI) scans search for well-known vulnerabilities in web apps and similar software. For more information, see Enable or disable CGI scanning. |
Brute Force Scanning | Displays whether the scanner checks for brute force attempts in your network. For more information, see Enable or disable brute force scanning. |
Ping Only Discovery | Displays whether the scanner only scans hosts that respond to pings. For more information, see Enable or disable ping only discovery. |
Host Identification DNS Servers | Lists the host collection DNS servers that you have configured. Note: If this field is blank, Arctic Wolf attempts to auto-discover the server name. For more information, see Add a host identification DNS server. |
Scan Exclusion List | Lists IP addresses or networks that are part of the denylist. These items are not scanned. For more information, see Add an IP address to the denylist. |
View a scanning schedule
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to view.
Tip: If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
The Scanning Schedule section displays the scanning schedule for the scanner. The table has the following columns:
Column | Description |
---|---|
Targets | Displays the host that the scanner will scan. |
Name | Displays the scan schedule name. |
Description | Displays a description of the scan schedule. |
Next Scan | Displays the date and time that the next scan will start. |
Frequency | Displays the type of schedule for this scan: Continuous (the scan runs continuously), Daily (the scan runs once a day, at the time that you configure), Weekly (the scan runs once a week, on the day and time that you configure), or Monthly (the scan runs once a month, on the day and time that you configure). |
Scan Window | Displays the window that the scan can run within, in hours. Options range from 1 hour to 24 hours. See the notes on the scan window below. |
Priority | Displays the priority of the scan: Low (the scan runs last, after all other scans are complete), Medium (the scan runs after High priority scans but before Low priority scans), or High (the scan completes first, before all other scans). See the notes on scan priority below. |
Scanning | Displays whether the scan is Enabled or Disabled. |
Actions | Provides controls that allow you to modify your scan schedule: click Edit to edit a scan schedule (see Edit a scanning schedule), or click Delete to delete a scan schedule (see Delete a scanning schedule). |
Notes on the scan window:
- If you schedule a large scan in a small window, the scan may never complete.
- If a scan cannot complete within its scheduled window, the next time the schedule runs the scan resumes where the previous run stopped.
Notes on scan priority:
- When scan schedules conflict, the priority of a scan determines which scan schedule starts first. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority goes first. If the priority is the same, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in numerical order based on the IP address listed in the Targets column.
- If a High priority scan does not complete in the scanning time window, any Low or Medium priority scans will never run.
- If you start a new High priority scan when a Low priority scan is in progress, the High priority scan runs after the current scan finishes. Any in-progress scan completes before the new scan starts.
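The priority and tie-breaking rules in the notes above, as an added Python example (this is not Arctic Wolf's scheduler): it orders a queue of targets by priority, then by least recent scan, then by numerical IP address, and flags the Low and Medium targets that a High priority scan which never finishes in its window would starve. The queue entries and their dates are constructed, and a target that has never been scanned is assumed to count as least recently scanned, which the page does not state.

```python
import ipaddress
from datetime import datetime
from typing import List, NamedTuple, Optional

# Priority ranks from the page: High runs before Medium, Medium before Low.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


class QueuedTarget(NamedTuple):
    target: str                     # IPv4 address from the Targets column
    schedule: str                   # name of the schedule that covers it
    priority: str                   # "High", "Medium" or "Low"
    last_scan: Optional[datetime]   # None if the target has never been scanned


def order_key(item: QueuedTarget):
    """Ordering rules from the page, applied in this sequence:
    1. higher priority first;
    2. same priority: the least recently scanned target first
       (assumption: a never-scanned target counts as least recent);
    3. still tied: numerical order of the IP address."""
    last = item.last_scan if item.last_scan is not None else datetime.min
    return (PRIORITY_RANK[item.priority], last, int(ipaddress.ip_address(item.target)))


def scan_order(queue: List[QueuedTarget]) -> List[QueuedTarget]:
    """Return the queue in the order the rules say targets are picked."""
    return sorted(queue, key=order_key)


def describe(queue: List[QueuedTarget]) -> List[tuple]:
    """(target, schedule) pairs in scan order, for easy inspection."""
    return [(t.target, t.schedule) for t in scan_order(queue)]


def starved_targets(queue: List[QueuedTarget], high_completes_in_window: bool) -> List[str]:
    """Page note: if a High priority scan never completes within its window,
    Low and Medium priority scans never run. Returns the targets affected."""
    if high_completes_in_window or not any(t.priority == "High" for t in queue):
        return []
    return [t.target for t in queue if t.priority != "High"]


# Constructed sample queue: 10.0.0.20 is covered by a daily (High) and a
# weekly (Medium) schedule; .3 and .5 tie on priority and last scan date.
SAMPLE_QUEUE = [
    QueuedTarget("10.0.0.20", "weekly-servers", "Medium", datetime(2023, 9, 1)),
    QueuedTarget("10.0.0.20", "daily-servers", "High", datetime(2023, 9, 1)),
    QueuedTarget("10.0.0.5", "daily-servers", "High", datetime(2023, 9, 20)),
    QueuedTarget("10.0.0.3", "daily-servers", "High", datetime(2023, 9, 20)),
    QueuedTarget("10.0.0.100", "printers", "Low", None),
]

if __name__ == "__main__":
    for target, schedule in describe(SAMPLE_QUEUE):
        print(f"{target:<12} {schedule}")
    print("starved if the High scan overruns:", starved_targets(SAMPLE_QUEUE, False))
```

In the sample, the daily High entry for 10.0.0.20 goes first because it is the least recently scanned High target; 10.0.0.3 precedes 10.0.0.5 only because of the IP tie-break. The starved list is the practical reason to size the scan window against the High priority target count before adding Low priority schedules.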
View scans that are queued
If a scan schedule is actively running, you can view the targets that are currently being scanned and that are scheduled to be scanned.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find a scanner with a Status of Scanning that you want to view.
Tip: If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
The Scanning Queue section displays all of the current and future scans for the selected scanner. The table has the following columns:
Column | Description |
---|---|
Target | Displays the host that the scanner will scan. |
Status | Displays the status of the scan: Scanning (the scan is in progress) or Scheduled (the scan is scheduled to run at a specified date and time). |
Last Scan | Displays the date and time of the last completed scan. |
Range | Displays the range of IP addresses that the scanner will scan. |
Verify scanning health
On a monthly or quarterly basis, review IVA Scanner and Arctic Wolf Agent scanning health:
Check IVA Scanner connectivity
Arctic Wolf alerts you if an IVA Scanner goes offline, but you can also manually check IVA Scanner connectivity at any time.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the IVA Scanner you want to check, and then look at the value in the Status column:
  - If it is Disconnected, make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication. See the Arctic Wolf Portal IP Addresses page for a list of IP addresses and ports that Arctic Wolf requires on an allowlist. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.
  - If it is Degraded, restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.
Check the IVA Scanner rate
Make sure assets are scanned with an appropriate interval. In general, a scanner scans ~150-250 assets in an 8-hour period. This number changes based on the type of system and environment. For example, if several large subnets of assets are scanned weekly in an 8-hour scan window, it can take more than a month to complete a full cycle of scanning.
If you are concerned that your environment is not being scanned in a timely manner, consult with your CST to review the scheduling. To optimize scanning without increasing the scan window time, you can deploy additional physical scanners, which lets you scan multiple subnets in parallel. Adding resources to virtual scanners does not result in any meaningful increase in scan throughput because they would consume additional resources.
Add a host identification DNS server
To add DNS servers for hostname resolution, you can add a single IP address, IP address range, classless inter-domain routing (CIDR) range, or upload a CSV file that contains IP addresses.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
Tip: The scanner must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Host Identification DNS Servers section, do one of the following:
  - Enter an IP address, IP address range, or a CIDR address range in the field.
  - Click Upload, locate your CSV file that contains the IP addresses, IP ranges, or CIDR notation that you want to use for hostname resolution, and then click Open.
Notes:
- To specify multiple IP addresses, use a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, and 10.0.0.3.
- To specify a CIDR range, use a comma-separated list. You can enter individual hosts without the /32 suffix, or networks in the same X.X.X.X/Y CIDR notation.
- When uploading a Microsoft Excel CSV file, do not use column headings. Only populate the first column. Separate entries by row.
- Duplicate uploads are ignored. For example, if you create a CSV file with 10 entries, upload the CSV file to the Unified Portal, add 5 more entries to your CSV file, and then upload the same CSV file to the Unified Portal again, only the 5 most recent entries are added as host identification DNS servers.
- Click Update Configuration.
This button is not available if the scanner is offline.
Add an IP address to the denylist
A denylist is a list of IP addresses that you specifically do not want the scanner to scan. These are typically devices with poorly designed or implemented embedded network stacks that can behave unexpectedly when scanned. For example, printers or consumer-grade WiFi access points can print unexpected output or reboot when scanned. This can be inconvenient, so you can choose not to scan these devices.
Tip: Work with your CST to keep the number of devices on your denylist small, because devices that are never scanned can carry vulnerabilities that threat actors can use to compromise your network.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scan Exclusion List section, do one of the following:
  - Enter an IP address, IP address range, or a CIDR address range in the field.
  - Click Upload, locate your CSV file that contains the IP addresses, IP ranges, or CIDR notation that you want to add to the denylist, and then click Open.
  Notes:
  - To specify multiple IP addresses, use a - separator in one of the IP octets. For example, `10.0.0.1-3` expands to `10.0.0.1`, `10.0.0.2`, `10.0.0.3`.
  - To specify a CIDR range, use a comma-separated list. You can enter individual hosts without the `/32` specification, or networks in the same `X.X.X.X/Y` CIDR format.
  - When uploading a Microsoft Excel CSV file, do not use column headings. Only populate the first column. Separate entries by row.
  - Duplicate uploads are ignored. For example, if you create a CSV file with 10 entries, upload the CSV file to the Unified Portal, add 5 more entries to your CSV file, and then upload the same CSV file to the Unified Portal again, only the 5 most recent entries are added to the denylist.
- Click Update Configuration.
  This button is not available if the sensor is offline.
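The entry notation used in both the host identification DNS server list and the scan exclusion list above (single hosts, an octet range such as `10.0.0.1-3`, CIDR networks, comma-separated lists, and header-less CSV uploads whose duplicate rows are ignored) is easy to get wrong when preparing a large upload. The following Python is an added example, not Arctic Wolf code, and makes no claim about how the portal parses entries internally: it expands the notation with the standard library `ipaddress` module, merges a re-uploaded CSV so that only new rows are added, and checks whether an address falls inside the resulting denylist. It generalizes the portal's note by accepting a `-` range in any octet, and it rejects a CIDR entry whose host bits are set instead of silently widening it, because a mistyped exclusion would otherwise remove a whole subnet from scanning.

```python
import csv
import io
import ipaddress
import re

# One IPv4 octet, optionally written as a low-high range: "1" or "1-3".
OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def expand_entry(entry):
    """Expand one portal-style entry into a list of IPv4Network objects.

    Hypothetical parser modelled on the portal notes:
      10.0.0.1     -> [10.0.0.1/32]
      10.0.0.1-3   -> [10.0.0.1/32, 10.0.0.2/32, 10.0.0.3/32]
      10.0.1.0/24  -> [10.0.1.0/24]
    A '-' range is accepted in any octet (the portal text shows only one).
    """
    entry = entry.strip()
    if not entry:
        return []
    if "/" in entry:
        # strict=True raises on "10.0.0.1/24" (host bits set) instead of silently
        # turning the entry into the whole /24: a typo must not exclude a subnet.
        return [ipaddress.ip_network(entry, strict=True)]
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address or range: {entry!r}")
    spans = []
    for octet in octets:
        match = OCTET.match(octet)
        if not match:
            raise ValueError(f"bad octet {octet!r} in {entry!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or out of bounds: {octet!r}")
        spans.append(range(lo, hi + 1))
    return [
        ipaddress.ip_network(f"{a}.{b}.{c}.{d}")
        for a in spans[0] for b in spans[1] for c in spans[2] for d in spans[3]
    ]


def parse_field(text):
    """Parse the comma-separated text typed into the portal field."""
    networks = []
    for part in text.split(","):
        networks.extend(expand_entry(part))
    return networks


def parse_csv_upload(csv_text):
    """Parse an uploaded CSV: no header row, first column only, one entry per row."""
    networks = []
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0].strip():
            networks.extend(expand_entry(row[0]))
    return networks


def merge_upload(existing, uploaded):
    """Append uploaded entries, ignoring any that are already present.

    Returns (merged_list, number_added); re-uploading a grown CSV therefore
    adds only the new rows, as the portal notes describe.
    """
    merged = list(existing)
    seen = set(existing)
    added = 0
    for net in uploaded:
        if net not in seen:
            seen.add(net)
            merged.append(net)
            added += 1
    return merged, added


def is_excluded(ip, denylist):
    """True if the address falls inside any denylist entry (host or network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in denylist)


# Constructed sample uploads (not real customer data). The second file is the
# first one with two rows appended, as in the portal's duplicate-upload example.
FIRST_CSV = "10.0.0.1-3\n192.168.5.0/24\n10.0.0.2\n"
SECOND_CSV = FIRST_CSV + "10.0.0.4\n172.16.0.0/16\n"

if __name__ == "__main__":
    denylist, added = merge_upload([], parse_csv_upload(FIRST_CSV))
    print(added, "entries added:", [str(n) for n in denylist])
    denylist, added = merge_upload(denylist, parse_csv_upload(SECOND_CSV))
    print(added, "new entries added on re-upload")
    print("192.168.5.77 excluded?", is_excluded("192.168.5.77", denylist))
```

Running the script on the constructed files adds 4 entries on the first upload (the duplicated `10.0.0.2` is dropped) and only the 2 new rows on the second.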
Edit a scanning schedule
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to edit.
  Tip: If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanning Schedule section, beside the scanning schedule you want to edit, click Edit.
- Modify the schedule as needed. For example, to:
  - Raise the priority of an existing scan schedule, edit the Priority.
  - Change the frequency of the scan, edit the Frequency.
- Click Update Scan Schedule.
Enable or disable host identification
Host identification is required for normal operation, but you can disable it if you want to temporarily disable a scanner. When you disable host identification, vulnerability scanning stops working, and dashboard reporting errors will occur after 24 hours.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanner Configuration section, do one of the following:
  - To enable host identification:
    - Turn on the Host Identification toggle.
    - (Optional) Turn on the Vulnerability Scanning toggle.
  - To disable host identification, turn off the Host Identification toggle.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Enable or disable vulnerability scanning
Vulnerability scanning is required for normal operation, but you can disable it if required. When disabled, no new Internal Vulnerability Assessment (IVA) scans will run until you enable it again, and dashboard reporting errors will occur after 24 hours.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanner Configuration section, do one of the following:
  - To enable vulnerability scanning:
    - Turn on the Vulnerability Scanning toggle.
    - Turn on the Host Identification toggle.
  - To disable vulnerability scanning, turn off the Vulnerability Scanning toggle.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Enable or disable CGI scanning
Note: Disabling Common Gateway Interface (CGI) scanning does not mitigate risks. It prevents lockouts, but it also removes many of the Webmin checks that the scanner performs, because Webmin applications often use CGI. The CGI scanning option is a legacy feature intended for web-based Active Directory sign-in pages, which consistently experienced false-positive account lockouts.
For example, if a typical Webmin page using CGI has a vulnerability, CGI scanning should discover this vulnerability. If the vulnerability involves threat actors using known or default credentials to sign in to the system, there is a risk of account lockout. Disabling CGI scanning can limit the negative impact of account lockouts while you complete remediation steps to address the vulnerability.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanner Configuration section, do one of the following:
  - To enable CGI scanning, turn on the CGI Scanning toggle.
  - To disable CGI scanning, turn off the CGI Scanning toggle.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Enable or disable brute force scanning
Brute force scanning checks for default, known, or common usernames and passwords for various services and devices.
If you have devices on your network that use the default or known usernames, brute force scanning can lead to Active Directory or standard account lockouts. We recommend that you update the device username from the known or default values to enhance your security posture and avoid account lockouts during scans. If that is not possible, you can disable brute force scanning checks. See Brute force scanning username checks for a non-exhaustive list of brute force scanning username checks.
Notes:
- Arctic Wolf recommends only using these settings for troubleshooting or emergency situations.
- Brute force scanning is separate from OpenVAS scanning. OpenVAS scanning is the underlying technology used for IVA scanning. OpenVAS performs regular vulnerability checks, such as default username and password checks, regardless of whether brute force scanning is enabled or not.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanner Configuration section, do one of the following:
  - To enable brute force scanning, turn on the Brute Force Scanning toggle.
  - To disable brute force scanning, turn off the Brute Force Scanning toggle.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Brute force scanning username checks
When brute force scanning is enabled, the scanner checks for the following non-exhaustive list of usernames:
Note: In addition to these username checks, the scanner uses known default usernames of different devices to validate Common Vulnerabilities and Exposures (CVE).
- acc
- adfexc
- adm
- admin
- Admin
- administrator
- Administrator
- adminttd
- ADVMAIL
- alex
- anonymous
- Anonymous
- apc
- asus
- at4400
- backup
- bbsd-client
- boss
- buh
- cellit
- cgadmin
- cisco
- Cisco
- client
- cmaker
- comsco
- craft
- customer
- davox
- debug
- device
- dhs3mt
- dhs3pms
- diag
- D-Link
- DTA
- FIELD
- foo
- ftp
- ftpadmin
- ftpuser
- guest
- Guest
- halt
- HELLO
- hscroot
- install
- intel
- IntraStack
- IntraSwitch
- kermit
- login
- manager
- Manager
- manuf
- MDaemon
- mediator
- MGR
- mobile
- monitor
- msfadmin
- mtch
- mtcl
- nas
- nasadmin
- nasuser
- NETOP
- netrangr
- NETWORK
- NICONEX
- operator
- OPERATOR
- patrol
- PBX
- PCUSER
- PFCUser
- pi
- public
- rdp
- rdpamin
- rdpuser
- readonly
- recovery
- root
- Root
- RSBCMON
- rwa
- sa
- security
- setup
- skyboxview
- SPOOLMAN
- storwatch
- super
- superadmin
- superuser
- supervisor
- support
- sysadm
- SYSDBA
- TANDBERG
- tech
- Test
- user
- User
- user-1
- User1
- volition
- vt100
- work
- WP
Enable or disable ping only discovery
You can configure whether the scanner scans only hosts that respond to pings. Ping only discovery is less intrusive than host identification, so it can be used when the default Nmap option is not suitable.
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanner Configuration section, do one of the following:
  - To enable ping only discovery, turn on the Ping Only Discovery toggle.
  - To disable ping only discovery, turn off the Ping Only Discovery toggle.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Remove a host identification DNS server
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Host Identification DNS Sensors section, click the entry field.
- In the list, click the DNS server you want to remove.
- In the field, click the x next to each DNS server to confirm the removal.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Remove an IP address from the denylist
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to configure.
  Tip: The sensor must be online for configuration changes. If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scan Exclusion List section, click the entry field.
- In the list, click the IP addresses, IP ranges, or CIDR notation you want to remove.
- In the field, click the x next to each IP address, IP range, or CIDR entry to confirm the removal.
- Click Update Configuration.
  This button is not available if the sensor is offline.
Delete a scanning schedule
- In the Unified Portal menu bar, click Telemetry Management > Scanners.
- Find the scanner you want to edit.
  Tip: If desired, use filters to narrow your results. See Scanner filters for more information.
- Click Configure.
- In the Scanning Schedule section, beside the scanning schedule you want to delete, click Delete.
- Click Delete Schedule.
Connected Accounts
On the Unified Portal Connected Accounts page, you can view information about the cloud accounts that are connected to Arctic Wolf services.
For more information, see:
- Add a connected account
- Connected account health
- Connected account filters
- View connected accounts
- View connected account details
- Update a connected account
Add a connected account
The following onboarding tasks require the registration of one or more cloud service accounts:
- Cloud service configurations for Cloud Detection and Response (CDR)
- Cloud service configurations for Cloud Security Posture Management (CSPM)
- Virtual appliance deployment in AWS
- IT service management (ITSM) ticketing integration
When you register a cloud service account in the Unified Portal, it becomes a connected account.
- To add a connected account, see the relevant installation or configuration guide on the Arctic Wolf Documentation website.
Connected account health
- In the Unified Portal menu bar, click Telemetry Management > Connected Accounts.
The connected account health overview provides a summary of how many connected accounts are healthy, need attention, or are unhealthy. The following table describes the connected account statuses that are associated with each health category:
Health category | Connected account status | Description |
---|---|---|
Healthy | Healthy | The account is connected and sending logs to Arctic Wolf. |
Needs Attention | Config Pending | Your credentials are accepted. Your CST will contact you to complete the configuration process. |
Needs Attention | Disconnect Pending | Your request to disconnect this account is being processed. |
Unhealthy | Invalid Credentials | The cloud provider rejected the credentials for this connected account. To resolve this issue, submit updated credentials. For instructions, see Update a connected account. |
Unhealthy | Degraded | Arctic Wolf is not receiving logs from this cloud account. This status could indicate a temporary network connectivity issue or a problem with the cloud service provider. Check again later. If this status does not change, contact your CST to troubleshoot this issue. |
Other | Provisioned | Some applications do not report a health status. This state is expected. |
Other | Not Available | Health data is temporarily unavailable. Check again later. If this status does not change, contact your CST to troubleshoot this issue. |
Note: Connected accounts for cloud services that provide host containment sensors do not report a health status and display a status of Not Available. To confirm that credentials are valid and containment is operational, contact your CST to test containment after you provide credentials for the cloud account.
To view information about contained devices, see the console for the relevant third-party application.
Connected account filters
You can use the following filters to refine the items that appear in the Connected Accounts table:
- Status — Filters your connected accounts based on the sensor status. Select Degraded, Invalid Credentials, Config Pending, Disconnect Pending, Healthy, Provisioned, or Not Available.
- Vendor — Filters your connected accounts by vendor. Select from the list of vendors.
Click Reset Filters at any time to remove all filters.
Click Hide Filter to hide the filters from the page or Show Filter to display the filters.
View connected accounts
- In the Unified Portal menu bar, click Telemetry Management > Connected Accounts.
The Connected Accounts table provides information about the cloud accounts that are connected to Arctic Wolf services:
Column | Description |
---|---|
Vendor | Displays the vendor name. |
Name | Displays the name. |
Status | Displays the status: Healthy, Invalid Credentials, or Not Available. |
Click the arrows next to a column heading to sort the information by that column. A single dark arrow indicates an active sort.
Use the filters to refine the information that displays in the table. For more information, see Connected account filters.
View connected account details
- In the Unified Portal menu bar, click Telemetry Management > Connected Accounts.
- Find the connected account you want to view, and then click Expand Row.
  Tip: If desired, use filters to narrow your results. For more information, see Connected account filters.
The row displays vendor-dependent cloud account details. Some examples include:
- Application ID
- Client ID
- Domain ID
- Subdomain
- API Hostname
- Integration Key
- Admin username
- URL
Update a connected account
If the credentials for your cloud service account change, you must provide the updated credentials to Arctic Wolf to prevent the disruption of an Arctic Wolf service.
- In the Unified Portal menu bar, click Telemetry Management > Connected Accounts.
- (Optional) To filter the list of connected accounts, do one or both of the following:
  - From the Status list, select a health status.
    Tip: To review the definition of each health status, click Connected Account Health.
  - From the Vendor list, select a cloud service vendor.
- For the account that you want to update, click View Account.
- On the account page, click Edit Information.
- Edit field values as desired.
- Click Test and Submit Credentials.
Scan Schedules
On the Unified Portal Scan Schedules page, you can create and view scan schedules.
For more information, see:
- Scan schedule filters
- View scan schedules
- View scan schedule information
- Create a new scan schedule
- Edit a scan schedule
- Force a scheduled scan to rescan
- Stop a scheduled scan
- Disable a scheduled scan
- Delete a scheduled scan
Scan schedule filters
You can use the following filters to refine the scan schedules that appear in the Scan Schedules table:
- Search — Enter a search term to search your scan schedules. Search terms apply to all fields, such as Frequency. For more information about available fields, see View scan schedules.
- Source — Enter `IVA`, `EVA`, or `Agent` to filter by that source.
- Status — Filters by scan schedule status. Select Scanning, Idle, or Degraded.
- Frequency — Filters by scan schedule frequency. Select Once, Continuous, Daily, Weekly, or Monthly.
Click Reset Filters at any time to remove all filters.
Click Hide Filter to hide the filters from the page or Show Filter to display the filters.
View scan schedules
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
The Scan Schedules table provides information about scans that are scheduled to occur:
Column | Description |
---|---|
Source | Displays the source of the scan. Possible values are IVA, EVA, and Agent. |
Name | Displays the name of the scan schedule. |
Description | Displays the description of the scan schedule. |
Scanning | Displays whether the scan schedule is enabled or disabled. |
Status | Displays the status of the scan source. Possible values are Scanning, Idle, or Degraded. |
Frequency | Displays how often the scan is scheduled to run. Possible values are Once, Continuous, Daily, Weekly, or Monthly. |
Last scan | Displays the date and time that the last scan occurred. |
Next scan | Displays the date and time that the next scan is scheduled to occur. |
Targets | Displays the targets that the scanner is configured to scan. |
Actions | Provides controls that allow you to modify your scan schedule. Click Schedule Details to view additional details about a scan schedule, including when each scan is scheduled to run (see View scan schedule information). Click Edit to edit a scan schedule (see Edit a scan schedule). |
Click the arrows next to a column heading to sort the information by that column. A single dark arrow indicates an active sort.
Use the filters to refine the information that displays in the table. For more information, see Scan schedule filters.
View scan schedule information
Note: You cannot view scans in EVA scan schedules.
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- Find the scan schedule that you want to view.
- Click Schedule Details.
  A dialog appears with the scan schedule source, name, description, scan types, schedule frequency, and targets. If the scan Schedule Frequency is:
  - Continuous — A list of scans displays, including when each scan last ran and the targets that scan covers.
  - Daily, Weekly, or Monthly — The date and time that the scans are performed displays.
  - Once — The date when the scan was last run displays.
- When you are finished, click Close.
Create a new scan schedule
You can create a new scan schedule for an internal scanner (IVA) or for Agent:
Create an IVA scan schedule
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- Click Create New Scan Schedule.
- In the Source list, select Internal Scanner.
- In the Info section, enter a name and description for the schedule.
- In the Schedule section, do the following:
  - In the Priority list, select one of the following:
    - Low — The scan runs last, after all other scans are complete.
    - Medium — The scan runs after High priority scans but before Low priority scans.
    - High — The scan completes first, before all other scans.
    Notes:
    - The priority of a scan is used when there are conflicting scan schedules, to determine which scan schedule should be applied. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority goes first. If the priority is the same value, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in alphabetical order.
    - If there is a High priority scan that does not complete in the scanning time window, any Low or Medium scans never run.
    - If you start a new High priority scan when a Low priority scan is in progress, the High priority scan runs after the current scan finishes. Any in-progress scan completes before the new scan starts.
  - In the Frequency list, select one of the following:
    - Daily — The scan runs once a day.
    - Weekly — The scan runs once a week.
    - Monthly — The scan runs once a month.
  - In the Scan Time list, select the time that you want the scan to start. The time is set using a 24-hour clock.
  - In the On list, select the applicable days of the week to run the scan or select the day of the month to run the scan.
    Note: This option is not available if the Frequency is Daily.
  - In the Scan Window list, select the scan window. The default value is `8`.
    Notes:
    - If you schedule a large scan in a small window, the scan may never complete.
    - If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
- In the Scanner section, select the scanner to run the scan.
- In the Targets section, enter the IP addresses or networks of the targets you want scanned.
  Hosts that match a scheduled target are only scanned at the scheduled time. The scanner does not scan them as part of its regular scanning queue.
  Tip: You can add the IP addresses in a comma-separated list or as a range.
  Note: Only entries in the CIDR format `X.X.X.X/Y` are accepted in this field. If you only want to add a single host, enter the host as `X.X.X.X/32`. We recommend scanning subnet ranges of `/24` and smaller, and excluding `/8`, `/16`, or `/20`. Scanning these large subnet ranges would likely cause a timeout issue.
- Click Create Scan Schedule.
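The Priority and Scan Window notes above describe an ordering rule: higher priority first, then the least recently scanned target, then alphabetical order, with Medium and Low schedules starved whenever a High priority schedule cannot finish inside its window. The following Python models that rule on constructed schedules; it is an added illustration, not the scanner's own implementation, and it assumes that a target covered by several schedules is queued once under the winning schedule and that every target costs the same fixed time to scan.

```python
from datetime import datetime

# Lower rank runs first.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Constructed schedules and scan history (not from a real scanner).
NOW = datetime(2023, 9, 28, 20, 0)
SCHEDULES = [
    {"name": "Daily LAN", "priority": "Medium", "targets": ["10.0.0.1", "10.0.0.2"]},
    {"name": "Weekly DMZ", "priority": "High", "targets": ["10.1.0.1", "10.1.0.2", "10.1.0.3"]},
    {"name": "Monthly Printers", "priority": "Low", "targets": ["10.2.0.9"]},
    {"name": "Daily Servers", "priority": "Medium", "targets": ["10.0.0.2", "10.0.0.3"]},
]
LAST_SCANNED = {  # None means the target has never been scanned
    "10.0.0.1": datetime(2023, 9, 26, 20, 0),
    "10.0.0.2": datetime(2023, 9, 27, 20, 0),
    "10.0.0.3": None,
    "10.1.0.1": datetime(2023, 9, 21, 20, 0),
    "10.1.0.2": datetime(2023, 9, 21, 20, 0),
    "10.1.0.3": datetime(2023, 9, 21, 20, 0),
    "10.2.0.9": datetime(2023, 8, 30, 20, 0),
}


def schedule_sort_key(schedule, last_scanned):
    """Ordering from the portal notes: priority, then least recently scanned target, then name."""
    # A never-scanned target is the least recently scanned of all.
    oldest = min(last_scanned.get(t) or datetime.min for t in schedule["targets"])
    return (PRIORITY_RANK[schedule["priority"]], oldest, schedule["name"])


def order_scan_queue(schedules, last_scanned):
    """Return [(target, schedule_name), ...] in the order the scanner would take them.

    Modelling assumption: a target covered by several schedules is queued once,
    under the first schedule in sort order, since the higher-priority schedule
    'goes first' for that target.
    """
    queue, queued = [], set()
    for sched in sorted(schedules, key=lambda s: schedule_sort_key(s, last_scanned)):
        for target in sched["targets"]:
            if target not in queued:
                queued.add(target)
                queue.append((target, sched["name"]))
    return queue


def fit_in_window(queue, window_hours, hours_per_target):
    """Split the queue into what completes inside the scan window and what is deferred.

    Assumes a fixed cost per target; the deferred part resumes next time the
    schedule runs, as the Scan Window note describes.
    """
    budget = window_hours
    run, deferred = [], []
    for item in queue:
        if budget >= hours_per_target:
            budget -= hours_per_target
            run.append(item)
        else:
            deferred.append(item)
    return run, deferred


def starved_schedules(queue, window_hours, hours_per_target):
    """Names of schedules that get no scanning time at all in the window."""
    run, deferred = fit_in_window(queue, window_hours, hours_per_target)
    ran = {name for _, name in run}
    return sorted({name for _, name in deferred} - ran)


if __name__ == "__main__":
    queue = order_scan_queue(SCHEDULES, LAST_SCANNED)
    for target, name in queue:
        print(f"{target:<10} {name}")
    # Shrinking the window below what the High schedule needs starves everything else.
    print("starved in an 8h window:", starved_schedules(queue, 8, 2))
    print("starved in a 4h window:", starved_schedules(queue, 4, 2))
```

With the constructed data, the High priority DMZ schedule is queued first, Daily Servers precedes Daily LAN because one of its targets has never been scanned, and 10.0.0.2 (covered by both daily schedules) is queued only once. In a 4-hour window the DMZ scan does not finish, so the Medium and Low schedules are all reported as starved.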
Create an Agent scan schedule
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- Click Create New Scan Schedule.
- In the Source list, select Agent.
- In the Info section, enter a name and description for the schedule.
- In the Scan Type section, select one or both scan types:
  - Vulnerability — Perform a complete vulnerability scan on the scan targets.
  - Benchmark — Perform a scan on the scan targets against best practices benchmarks.
- In the Schedule section, do the following:
  - In the Frequency list, select one of the following:
    - Daily — The scan runs once a day.
    - Weekly — The scan runs once a week.
    - Monthly — The scan runs once a month.
  - In the Scan Time list, select the time that you want the scan to start. The time is set using a 24-hour clock.
  - In the On list, select the applicable days of the week to run the scan or select the day of the month to run the scan.
    Note: This option is not available if the Frequency is Daily.
  - In the Scan Window list, select the scan window. The default value is `8`.
    Notes:
    - If you schedule a large scan in a small window, the scan may never complete.
    - If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
- (Optional) If you want new Agents to be added to the schedule as they are deployed, in the Targets section, do the following:
  - Select the Auto-Enroll newly deployed clients checkbox.
  - In the Scanner section, select one or more scanners to run the scan.
    Hosts that match a scheduled target are only scanned at the scheduled time. The scanner does not scan them as part of its regular scanning queue.
- Click Create Scan Schedule.
Edit a scan schedule
Note: You cannot edit EVA scan schedules.
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- Find the scan schedule that you want to edit.
- Click Edit.
  You can edit all of the same information that is entered when creating a scan schedule. For more information, see Create an IVA scan schedule and Create an Agent scan schedule.
  Note: When editing an Agent schedule, any assets belonging to the target group are automatically selected. Select additional assets to add them to the target group.
- Click Update Scan Schedule.
Force a scheduled scan to rescan
When you manually start a scan outside of the scan schedule, the scan resumes its regular schedule after the rescan.
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- In the Scan Schedules table, select the checkbox next to each scan schedule you want to rescan.
- Click Rescan.
  Note: You cannot rescan EVA scan schedules.
- Click Rescan again.
Stop a scheduled scan
When you stop a scheduled scan, the scan stops even if it is currently running. The scan will not start again until the next scheduled time.
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- In the Scan Schedules table, select the checkbox next to each scan schedule you want to stop.
- Click Stop Scan Schedule.
- Click Stop Scan Schedule again.
Disable a scheduled scan
When you disable a scan, you prevent the schedule from running future scans. This does not stop scans that are currently running.
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- Do one of the following:
  - To disable one or more scan schedules:
    - In the Scan Schedules table, select the checkbox next to each scan schedule you want to disable.
    - Click Disable Scan Schedule.
    - Click Disable Scan Schedule again.
  - To disable one scan schedule:
    - In the Scan Schedules table, beside the scanning schedule you want to disable, click Edit.
    - Clear the Enabled checkbox.
    - Click Update Scan Schedule.
Delete a scheduled scan
- In the Unified Portal menu bar, click Telemetry Management > Scan Schedules.
- In the Scan Schedules table, select the checkbox next to each scan schedule you want to delete.
- Click Delete Schedule.
  Note: You cannot delete EVA scan schedules.
- Click Delete Schedule again.
Data Exploration
Data Explorer is a licensed MDR add-on feature that lets you search the Arctic Wolf observation pipeline for analyzed event logs. To provide 24x7 security monitoring, the Arctic Wolf observation pipeline ingests logs from all systems that are configured to send log data to Arctic Wolf. You can use Data Explorer to:
- Monitor access to your network and cloud services.
- Gather information about user activity and system events.
Your Data Explorer search results only include enriched and analyzed observations from your security-relevant log sources. Log data that is not considered security-relevant is filtered out of the Arctic Wolf observation pipeline. Logs that are filtered out of Data Explorer can include DHCP logs, wireless access point connection information, or firewall logs that are not parsed and enriched.
For more information about searching analyzed event logs, see:
- Run an analyzed event log search
- Data Explorer fields
Tip: To search unparsed, raw log data, see Raw Log Search.
Run an analyzed event log search
Data Explorer allows you to search analyzed event logs from the Arctic Wolf observation pipeline. You can enter more than one search term, and you can narrow your search to specific database fields. After running a search, Data Explorer provides a consolidated view of all machine analyzed and parsed logs, across multiple log sources, that match your search expression.
-
In the Unified Portal menu bar, click Data Exploration > Data Explorer.
-
(Optional) Modify the date range to limit or expand your search. To modify the date range, repeat these steps for the start and end dates:
- Click calendar.
- In the calendar section, select a date.
- Click clock.
- In the time section, set the time.
- Click Apply.
Tip: The default range is the past 24 hours. You can search up to 10 days of event log data at a time.
-
(Optional) In the Add Search Fields section, add a search field:
- Click the Search Fields (10 maximum) field.
- (Optional) To narrow the list of search fields, enter a partial or complete search term.
- Select a search field from the list. There are two types of search fields:
- Field set — A field set allows you to search a group of related database fields. Field sets are written in title case, for example,
Event Code
, and are listed before individual database fields. - Field — You can limit your search to a specific database field. Fields are written in lower case and include periods and underscores, for example,
remote.registered_domain
.
- Field set — A field set allows you to search a group of related database fields. Field sets are written in title case, for example,
Tips:
- Repeat these steps to add more search fields.
- You can have up to 10 search fields.
- To remove a search field, click Remove Filter beside the search field that you want to remove.
- For a list of the available fields and field sets, see Data Explorer fields.
-
Enter a search term:
-
In any search field, enter a partial or complete search term.
-
Select an item from the automatically generated list.
Tips:
- Repeat these steps to add more search terms.
- Data Explorer uses this Boolean logic:
- For multiple values in the same search field, Data Explorer adds the OR operator between each value.
- For multiple search fields, Data Explorer adds the AND operator between each search field.
- Data Explorer search fields do not support wildcards. Instead, search for one or more values in a field set to find all event log data that contains your search term.
-
-
Click Apply Filters.
Search results appear in the Event Logs table.
-
(Optional) For your convenience, complete any of these tasks:
Change columns in the Event Logs table
-
Click Columns.
-
Select the checkboxes for the fields that you want to make visible in the Event Logs table.
-
Click Apply.
The fields that you selected are added to the Event Logs table.
Create a custom column set
- Run an analyzed event log search.
- Change columns in the Event Logs table.
- Click Save Columns.
- Review the column set.
- Click Save.
Apply a custom column set
If you previously created a custom column set, you can change the columns in Event Logs table to the custom column set.
- Run an analyzed event log search.
- Click Load Columns.
- Select a custom column set.
- Click Load.
Export Data Explorer search results
-
Click Export to download your search results.
Note: You can export up to 100,000 analyzed log entries. To export a larger dataset, contact your CST.
View complete data for an event log
- For any row in the Event Logs table, in the View Event Log column, click View More.
- (Optional) To copy event log data:
  - In the Format section, make sure that Table is selected.
  - In the table, select the checkboxes for the field values that you want to copy.
    Event log data is copied in JSON format by default.
  - (Optional) To copy event log data in raw format, in the Format section, select Raw.
  - Click Copy event to clipboard.
- (Optional) To make columns visible in the Event Logs table:
  - In the Format section, make sure that Table is selected.
  - In the table, select the checkboxes for the fields that you want to make visible in the Event Logs table.
  - Click Apply Columns.
    The fields that you selected are added to the Event Logs table.
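The filter semantics that the search steps above describe (OR between values of one search field, AND between search fields, exact matching with no wildcards) can be reproduced offline against event logs copied or exported in JSON format. The following is an added Python example, not Arctic Wolf code: the field names follow the Fields table, and the sample events and their values are constructed for illustration.

```python
"""Offline model of the Data Explorer filter semantics described on this page:
OR between the values of one search field, AND between search fields, and exact
matching (no wildcards). Added example, not Arctic Wolf code; sample events and
values are constructed for illustration."""
from typing import Any, Dict, Iterable, List

# Constructed sample events in the nested shape that the dotted field names
# (client.ip, event.code, ...) imply. Values are illustrative only.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"host": {"hostname": "ws-01"}, "client": {"ip": "10.1.2.3"},
     "event": {"code": "4688", "action": "process-started", "category": ["process"]},
     "process": {"name": "powershell.exe"}},
    {"host": {"hostname": "ws-02"}, "client": {"ip": "10.1.2.4"},
     "event": {"code": "4624", "action": "user-logon",
               "category": ["authentication", "session"]},
     "user": {"name": "alice"}},
    {"host": {"hostname": "srv-01"}, "client": {"ip": "203.0.113.9"},
     "event": {"code": "4625", "action": "user-logon", "category": ["authentication"]},
     "user": {"name": "bob"}},
    {"host": {"hostname": "ws-01"}, "client": {"ip": "10.1.2.3"},
     "event": {"code": 11, "action": "file-created", "category": ["file"]},
     "file": {"name": "notes.txt"}},
]


def get_field(event: Dict[str, Any], dotted: str) -> List[str]:
    """Resolve a dotted field such as 'client.ip' against nested dicts.

    Every value is returned as a string so that 4624 and "4624" compare equal.
    Array-valued fields (event.category, event.type, related.*) contribute each
    element; a field that is absent from the event yields an empty list.
    """
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    values = node if isinstance(node, list) else [node]
    return [str(v) for v in values]


def matches(event: Dict[str, Any], filters: Dict[str, Iterable[str]]) -> bool:
    """Apply the page's Boolean logic to one event.

    filters maps a search field to the values entered for it. Within a field any
    value may match (OR); every field must match (AND). Comparison is exact, so a
    pattern such as '10.1.2.*' matches nothing; list the addresses instead.
    """
    for field, wanted in filters.items():
        present = get_field(event, field)
        if not any(str(v) in present for v in wanted):
            return False  # none of this field's values matched, so the AND fails
    return True


def search(events: Iterable[Dict[str, Any]],
           filters: Dict[str, Iterable[str]]) -> List[Dict[str, Any]]:
    """Return the events that satisfy all filters, in input order."""
    return [e for e in events if matches(e, filters)]


def hostnames(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Convenience view of a result set: the host.hostname of each hit."""
    return [get_field(e, "host.hostname")[0] for e in events]


if __name__ == "__main__":
    # Two values in one field: OR, so both logon events are returned.
    print(hostnames(search(SAMPLE_EVENTS, {"event.code": ["4624", "4625"]})))
    # Two fields: AND, so only the logon from the internal range remains.
    print(hostnames(search(SAMPLE_EVENTS, {"event.code": ["4624", "4625"],
                                           "client.ip": ["10.1.2.3", "10.1.2.4"]})))
    # No wildcard support: the pattern matches nothing.
    print(hostnames(search(SAMPLE_EVENTS, {"client.ip": ["10.1.2.*"]})))
    # An array-valued field matches if any element equals the search value.
    print(hostnames(search(SAMPLE_EVENTS, {"event.category": ["session"]})))
```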
Data Explorer fields
In Data Explorer, you can narrow your search to specific database fields. In the Add Search Fields section, you can add one or more database fields or field sets:
- Field set — A field set allows you to search a group of related database fields. Field sets are written in title case, for example, Event Code, and are listed before individual database fields.
- Field — You can limit your search to a specific database field. Fields are written in lower case and include periods and underscores, for example, remote.registered_domain.
Field sets
Tip: For a description of each field, see Fields.
Field set | Fields included |
---|---|
Domain | |
Event Code | |
Hash | |
File Name | |
IP Address | |
Log Source | |
Process Name | |
User | |
Fields
Field | Description |
---|---|
@timestamp |
The date and time when the event occurred or, if the log data that Arctic Wolf receives does not include a date and time for the event, the date and time when Arctic Wolf received the log data. The |
@type |
If the event log is unparsed, the type of telemetry used to send event log data to Arctic Wolf. If the event log is a compound event, the type of incident or alert. Note: A compound event is a single event that contains multiple logical events. Compound events are events that the Arctic Wolf observation pipeline generates when it identifies a group of events as logically related. |
ad.event.auth.logon_type |
The Windows Event logon type. Tip: For more information, see Audit logon events. |
ad.event.code |
The Windows Event ID. Tip: For more information, see: |
ad.event.origin.username |
The name of the user or the computer that originated the event. |
ad.event.title |
The event summary associated with the Windows Event ID. Tip: For more information, see: |
auth.type |
A description of the authentication type. |
client.address |
An IP address, a domain, or a Unix socket, if available. Client addresses are sometimes ambiguous. Some event logs that originate from ambiguous client addresses include this information. |
client.as.number |
The autonomous system number (ASN) that uniquely identifies each network on the internet. |
client.bytes |
The total number of bytes sent from the client to the server during the event. |
client.domain |
The client domain. |
client.geo.city_name |
The name of the city where the client is located. |
client.geo.country_iso_code |
The ISO code for the country where the client is located. |
client.geo.country_name |
The name of the country where the client is located. |
client.ip |
The IPv4 or IPv6 address of the client. |
client.ip_classification |
The classification of the client IP address as either internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal. |
client.packets |
The total number of packets sent from the client to the server during the event. |
client.port |
The port used on the client. |
client.user.email |
The email address of the user. |
client.user.full_name |
The full name of the user. |
client.user.id |
The user ID. |
client.user.name |
The username that identifies a user login or a short name for the user. |
client.user.username |
The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems. |
client.whois.registrant.organization |
The person or organization who registered the domain name, according to the WHOIS database. |
cloud.client.geo.city_name |
The name of the city where the external IP address is located. |
cloud.client.geo.country_name |
The ISO code for the country where the external IP address is located. |
cloud.client.user.name |
The name of the user that completed the operation. To disambiguate this user name, check the user.id field. |
cloud.event.name |
The name that an Arctic Wolf observation pipeline assigned the event. |
cloud.resource.name |
The name of the resource that was changed or affected in the event. For example, the name of a file or user. |
cloud.resource.path |
The file path of the resource that was changed or affected in the event. For example, the file path of an executable or a configuration file. |
dns.answers.class |
The class of DNS data contained in the resource record. |
dns.answers.data |
The data describing the resource. The meaning of this data depends on the type and class of the resource record. |
dns.answers.ttl |
The number of seconds that a cache can keep the resource record before the record is discarded. A value of zero means that the data should not be cached. |
dns.answers.type |
The type of data contained in the resource record. |
dns.question.class |
The class of the record being queried. |
dns.question.name |
The name of the record being queried. |
dns.question.type |
The type of record being queried. |
dns.question.whois.registrant.organization |
The person or organization who registered the domain name, according to the WHOIS database. |
dns.resolved_ip |
All IP addresses found in the dns.answers.data field. Arctic Wolf extracts the IP addresses from the dns.answers.data field to index them as IP addresses, which makes them easier to search for. |
dns.response_code |
The DNS response code. |
event.action |
The summary of the action described in the event log, according to the event source. For example, group-add, process-started, or file-created. The event.action field usually provides a more detailed summary than the event.category value. |
event.category |
All categories that the event falls under. This value is an array that enables the categorization of events that appear in more than one category. This field is closely related to event.type. The event.type values are subcategories of event.category values. |
event.code |
The identification code for this event, if one exists. Some event sources use event codes to uniquely and unambiguously identify events, regardless of any wording adjustments in the event message over time or any language translations. Possible event.code field values are Windows Event IDs and Sysmon Event IDs. Tip: For more information, see: |
event.dataset |
The name of the dataset, according to the event source. If an event source publishes more than one type of log or event, for example, access logs and error logs, you can use the event.dataset value to identify which dataset the event is a part of. |
event.duration |
The duration of the event in nanoseconds. If the event.start and event.end values are available, the event.duration value is the difference between the event.start and event.end values. |
event.end |
The date and time when the event ended or when the event source last observed the activity. |
event.kind |
A high-level summary of the type of information that the event log contains. You can use the value in this field to decide how to handle events of the same kind. Events of the same kind might need a different data retention period or different access controls. This value can also indicate if log data for this kind of event is coming in at a regular interval or not. |
event.module |
The name of the module this data is coming from, if applicable. The Arctic Wolf observation pipeline populates this field if your monitoring agent uses the concept of modules or plugins to process events from a specific source, for example, Apache logs. |
event.outcome |
Whether the event represents a success or a failure from the perspective of the entity that caused the event, if applicable. Notes: |
event.provider |
The source of the event log. Event transports such as Syslog or the Windows Event Log usually mention the source of an event. The identified source can be any of these values: |
event.reason |
An explanation of why the event happened. The event can be an action or an outcome. This explanation originates from the event source. |
event.severity |
The severity level of the event, expressed as a number. This severity level originates from the event source. The meaning of this value depends on the event source and the use cases for this type of event classification. Note: Make sure that the meaning of each severity level is consistent across events from the same log source. |
event.start |
The date and time when the event started or when the event source first observed the activity. |
event.type |
All applicable event types. This value is an array that enables the categorization of events that have more than one event type. This field is closely related to event.category. The event.type values are subcategories of event.category values. |
event.uuid |
A UUID that the Arctic Wolf observation pipeline assigns to an event log. |
file.directory |
The folder where the file is located. This value includes the drive letter when appropriate. |
file.hash.md5 |
The MD5 hash of the file. |
file.hash.sha1 |
The SHA1 hash of the file. |
file.hash.sha256 |
The SHA256 hash of the file. |
file.mime_type |
The media type or MIME type of the file or stream of bytes, written as an IANA media type where possible. When more than one type is applicable, the most specific type should be used. For more information, see IANA Media Types. |
file.name |
The name of the file, including the extension but without the file path. |
file.path |
The complete path to the file, including the file name. This value includes the drive letter when appropriate. |
host.domain |
The name of the domain that the host is a member of. For example: |
host.external_ip |
The external IP address of the host. |
host.geo.city_name |
The name of the city where the host is located. |
host.geo.country_iso_code |
The ISO code for the country where the host is located. |
host.geo.country_name |
The name of the country where the host is located. |
host.hostname |
The name of the host. This name is usually the value that the hostname command outputs on a host machine that runs on a Unix-based operating system. |
host.ip |
The IPv4 or IPv6 address of the host. |
host.name |
The name of the host, according to the event source. This name is usually one of these values: |
host.os.family |
The operating system family of the host. For example, redhat, debian, freebsd, or windows. |
host.user.email |
The email address of the user. |
host.user.full_name |
The full name of the user. |
host.user.id |
The user ID. |
host.user.name |
The username that identifies a user login or a short name for the user. |
host.user.username |
The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems. |
http.request.headers |
The key-value pairs for all headers in the HTTP request. |
http.request.method |
The HTTP request method. |
http.request.mime_type |
The media type or MIME type of the body of the request. |
http.response.content_type |
The value of the HTTP response Content-Type header. |
http.response.headers |
The key-value pairs for all headers in the HTTP response. |
http.response.status_code |
The HTTP response status code. |
labels |
Custom key-value pairs. Examples of custom key-value pairs are docker and k8s. |
network.application |
The name of an application-level protocol. This name can be arbitrarily assigned to microservices or cloud service providers like Skype, ICQ, Facebook, and X (formerly Twitter). This field is populated if the vendor or service can be derived from information like the source or destination IP address owners, port numbers, or wire format. |
network.bytes |
The total number of bytes transferred in both directions during the event. |
network.direction |
The direction of the network traffic. |
network.packets |
The total number of packets transferred in both directions during the event. |
network.protocol |
The layer seven network protocol name. For example, http, lumberjack, or transport protocol. |
network.transport |
The name of the transport layer. For example, udp, tcp, or ipv6-icmp. |
observer.geo.city_name |
The name of the city where the event source is located. |
observer.geo.country_iso_code |
The ISO code for the country where the event source is located. |
observer.geo.country_name |
The name of the country where the event source is located. |
observer.type |
The event source type. For example, forwarder, firewall, ids, ips, proxy, poller, sensor, or APM server. |
organization.deployment.id |
The unique identifier that Arctic Wolf assigns to an Arctic Wolf appliance deployed within the organization. |
organization.id |
The unique identifier that Arctic Wolf assigns to the organization. |
organization.uuid |
An organization UUID that is specific to the Arctic Wolf Managed Risk service. This field is used for legacy data mapping. |
process.command_line |
The complete command line that started the process, including the absolute path to the executable and all command arguments. |
process.executable |
The absolute path to the process executable file. |
process.hash.md5 |
The MD5 hash of the process executable file. |
process.hash.sha1 |
The SHA1 hash of the process executable file. |
process.hash.sha256 |
The SHA256 hash of the process executable file. |
process.name |
The name of the process. |
process.parent.command_line |
The complete command line that started the parent process, including the absolute path to the executable and all command arguments. |
process.parent.executable |
The absolute path to the parent process executable file. |
process.parent.hash.md5 |
The MD5 hash of the parent process executable file. |
process.parent.hash.sha1 |
The SHA1 hash of the parent process executable file. |
process.parent.hash.sha256 |
The SHA256 hash of the parent process executable file. |
process.parent.name |
The name of the parent process. |
process.parent.pid |
The parent process ID. |
process.parent.ppid |
The grandparent process ID. |
process.parent.working_directory |
The working directory of the parent process. |
process.pid |
The process ID. |
process.ppid |
The parent process ID. |
process.working_directory |
The working directory of the process. |
related.as.number |
All autonomous system numbers (ASNs) found in the event log. Tip: A |
related.email |
All user email addresses listed in the event log. Tip: A |
related.groups |
All the groups related to users that are associated with the event. Tip: A |
related.hash |
All hashes found in the event log data. Tip: A |
related.hosts |
All hostnames or other host identifiers observed during the event. Valid values include FQDNs, domain names, workstation names, or aliases. Tip: A |
related.ip |
All IP addresses found in the event log data. Tip: A |
related.url |
All URLs found in the event log data. Tip: A |
related.user |
All usernames or other user identifiers found in the event log data. Tip: A |
related.whois.registrant.name |
For all the domain names found in the event log data, the persons or organizations who registered the domain names, according to the WHOIS database. Tip: A |
remote.address |
An IP address, a domain, or a Unix socket, if available. Remote addresses are sometimes ambiguous. Some event logs that originate from ambiguous remote addresses include this information. |
remote.domain |
The domain of the remote system. |
remote.ip |
The IPv4 or IPv6 address of the remote system. |
remote.port |
The port used on the remote system. |
remote.registered_domain |
The highest registered domain of the remote system without the subdomain. |
rule.description |
The name of the schema or set of rules that generates analyzed event logs from raw log data that enters the Arctic Wolf observation pipeline. |
rule.events.category |
How the Arctic Wolf observation pipeline categorized the analyzed event log. |
rule.events.description |
A summary of the analyzed event log. |
rule.events.identifier |
The identifier assigned to the analyzed event log if the event is escalated. |
rule.events.tags |
The tags that the Arctic Wolf observation pipeline attached to the analyzed event log. |
server.address |
An IP address, a domain, or a Unix socket, if available. Server addresses are sometimes ambiguous. Some event logs that originate from ambiguous server addresses include this information. |
server.as.number |
The autonomous system number (ASN) that uniquely identifies each network on the internet. |
server.as.organization.name |
The name of the organization associated with the server. |
server.bytes |
The total number of bytes sent from the server to the client during the event. |
server.domain |
The server domain. |
server.geo.city_name |
The name of the city where the server is located. |
server.geo.country_iso_code |
The ISO code for the country where the server is located. |
server.geo.country_name |
The name of the country where the server is located. |
server.ip |
The IPv4 or IPv6 address of the server. |
server.ip_classification |
The classification of the server IP address as either internal, external, or multicast. The classification includes special network design considerations. For example, an internal network that utilizes non-RFC 1918 IP address space can be classified as internal. |
server.packets |
The total number of packets sent from the server to the client during the event. |
server.port |
The port used on the server. |
server.user.email |
The email address of the user. |
server.user.full_name |
The full name of the user. |
server.user.id |
The user ID. |
server.user.name |
The username that identifies a user login or a short name for the user. |
server.user.username |
The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems. |
server.whois.registrant.organization |
The person or organization who registered the domain name, according to the WHOIS database. |
service.name |
The name of the service that is configured to send log data to Arctic Wolf. A user in your organization usually assigns a name to the service that they configure to forward log data. |
tags |
A list of keywords that the Arctic Wolf observation pipeline associated with the event log source. |
threat.severity |
A CVSS score, which is a number ranging from zero to 10. A score of 10 indicates a risk of the highest severity. For more information, see NIST NVD Vulnerability Metrics. |
threat.tactic.name |
The name of the tactic, according to the MITRE ATT&CK® database, that the identified threat uses. |
tls.client.hash.sha256 |
The fingerprint of the certificate that the client offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate. |
tls.server.hash.sha256 |
The fingerprint of the certificate that the server offers. The fingerprint is derived from the SHA256 digest of the DER-encoded version of the certificate. |
url.domain |
The domain of the URL, for example, https://www.arcticwolf.com. In some cases, a URL might refer to an IP address and port directly, without a domain name. |
url.full |
The complete URL. |
url.path |
The path of the request. For example, /search. |
url.whois.registrant.organization |
The person or organization who registered the domain name, according to the WHOIS database. |
user.changes.email |
What the email address of the user was changed to. |
user.changes.full_name |
What the full name of the user was changed to. |
user.changes.id |
What the user ID was changed to. |
user.changes.name |
What the username or the short name for the user was changed to. |
user.changes.username |
What the username for the user was changed to. This field is an additional field to account for legacy systems. |
user.effective.email |
The email address of the user whose role or privileges an administrator assumed. |
user.effective.full_name |
The full name of the user whose role or privileges an administrator assumed. |
user.effective.id |
The ID of the user whose role or privileges an administrator assumed. |
user.effective.name |
The username or the short name for the user whose role or privileges an administrator assumed. |
user.effective.username |
The username for the user whose role or privileges an administrator assumed. This field is an additional field to account for legacy systems. |
user.email |
The email address of the user. |
user.full_name |
The full name of the user. |
user.id |
The user ID. |
user.name |
The username that identifies a user login or a short name for the user. |
user.target.email |
The email address of the user before an administrator changed it. |
user.target.full_name |
The full name of the user before an administrator changed it. |
user.target.id |
The ID of the user before an administrator changed it. |
user.target.name |
The username or the short name for the user before an administrator changed it. |
user.target.username |
The username for the user before an administrator changed it. This field is an additional field to account for legacy systems. |
user.username |
The username that identifies a user login or a short name for the user. This field is an additional field to account for legacy systems. |
user_agent.description |
The user agent in human-readable form. |
user_agent.original |
The unparsed user-agent string. |
View login events
The Login Events page allows you to search for and review login events from the systems that Arctic Wolf monitors as part of the MDR service.
- In the Unified Portal menu bar, click Data Exploration > Login Events.
- (Optional) Set one or more filters to limit or expand your search results.
  - Click the Calendar to modify the date range.
  - Enter a search term in the Search field.
    Note: The search function does not support wildcards, comma-separated lists, or Boolean operators like AND or OR.
  - Add filters to narrow search results.
- If you changed one or more filter settings, click Apply Filters.
- (Optional) View login event details.
  - For any row in the table, click on a link.
    A new Data Explorer search starts.
  - In the Event Logs section, on an event log detail row, click Complete Log Data to view login event details.
View logins by country
The Logins by Country page allows you to filter data by country, date, and status and presents the results in a map and rows.
- In the Unified Portal menu bar, click Data Exploration > Logins by Country.
- (Optional) Set one or more filters to limit or expand your search results.
  - Click the Calendar to choose from preset time ranges.
  - Add one or more values to the Login Status field.
  - Add one or more values to the Country field.
- If you changed one or more filter settings, click Apply Filters.
- (Optional) View country login results.
  - In the map, click on a colored circle to view all login events for that geographic region.
  - For any of the rows below the map, click View Logins.
Raw Log Search
Raw Log Search is a licensed Managed Detection and Response (MDR) add-on feature that lets you search the Arctic Wolf platform, which stores an aggregation of raw log data from your on-premises systems and cloud services. This feature allows you to retrieve logs in raw format for operational and security-related tasks, such as validating a configuration change or investigating a security alert.
For more information, see:
Tip: You can also search the Arctic Wolf observation pipeline for parsed and analyzed event logs. See View event logs in the Arctic Wolf Unified Portal User Guide for details.
Tickets
A ticket is a record of communication between you and your CST to fulfill a support request or address a security concern. The Tickets page displays current and historical tickets. By default, this page contains tickets from the last 30 days, but you can use filters to display older tickets. For more information, see:
Ticket filters
You can use the following filters to refine the tickets that appear in the Tickets table:
- Search — Filters table rows based on the word or phrase that you enter. Adding asterisks as wildcard characters to maximize your search results is not required. The search function looks for all instances of your search phrase in the Subject, Ticket Type, To, or CC columns, even if it appears in the middle or at the end of a text string. For example, if you search for even, the table would display tickets with “Steven Doe” in the To or CC column and a ticket with the subject line “Action Required - Eleven hacking attempts.”
- Ticket Type — Filters table rows based on ticket type, for example, Onboarding or Incident.
- Status — Filters table rows based on the current ticket state. For example, With Customer indicates that there are actions for you to take.
- Last Updated — Filters table rows based on the date the ticket was last updated. For example, you can select Past 72 hours or Past 7 days.
Click Reset Filters at any time to remove all filters.
Click Hide Filter to hide the filters from the page or Show Filter to display the filters.
View tickets
- In the Unified Portal menu bar, click Tickets.
  The Tickets table displays information about each ticket:

Column | Description |
---|---|
Ticket # | Displays the ticket number. This is the reference number that Arctic Wolf uses to track support requests and alerts. |
Subject | A high-level description of the communication between you and your CST. |
Status | Displays the current ticket state, for example, With Arctic Wolf. |
Ticket Type | Displays the ticket category, for example, Support or Information. |
Description | Provides the ticket details. This information is different depending on the ticket type. For example, Incident tickets have detailed incident report information, but Other tickets do not. |
Evidence Navigator | Provides a preview of any CSV files that are included in the Attachments section of the ticket. If more than one CSV file is attached to the ticket, the section includes a separate table for each. The table columns reflect the columns that Arctic Wolf set up in the CSV file before attaching it to the ticket. To refine the information that displays in a table, enter a search term in the Type to filter field. Results are based on search term matches in any column. |
To | Displays the name of the contact who created the ticket. Unless otherwise requested, this is the primary contact for the ticket. |
CC | Displays the names of contacts who will receive email updates when the ticket changes. This is not a required field. |
Created | Displays the date and time that the ticket was originally created. |
Last Updated | Displays the date and time that the ticket was last updated. |
Attachments | Files that are related to your ticket, if available. For example, if the ticket is an alert about an unexpected event, the ticket may include observations that are related to the event in a CSV file. Note: This is not a required field. Attachments are only available for alert tickets if Arctic Wolf has attached them to your ticket. |

Click Arrows next to the column heading to sort the information by that criterion. A single dark arrow indicates an active sort.
Use the filters to refine the information that displays in the table. For more information, see Ticket filters.
Open a new ticket
- In the Unified Portal menu bar, click Tickets.
- Click Open a New Ticket.
- On the Open a New Ticket page, do the following steps:
  - In the What is this contact request related to? section, select the appropriate option:
    - General request — Select for non-urgent requests.
    - A security emergency — Select if one or more of your systems or user accounts are breached. For immediate assistance with a security emergency, call us at +1-888-272-8429.
    - Technical support assistance — Select if you require support with network issues, a service failure, troubleshooting issues, or IP address reconfiguration.
  - In the Subject field, enter a short description of your request.
  - (Optional) In the Related ticket field, enter the number of a related ticket.
  - In the comment box, type your request and provide relevant details.
  - (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
    Notes:
    - If attaching the file fails:
      - Compress the file and try attaching the file again.
      - If the file still cannot be attached, generate a ticket and ask your Concierge Team for support.
    - There is a limit of 20MB for upload size.
  - Click Send Message.
For more information, see Reply to a ticket.
View ticket details
You can view additional details and comments related to a ticket. The details are different depending on the ticket type. For example, Incident tickets have detailed incident report information, but Other tickets do not.
- In the Unified Portal menu bar, click Tickets.
- Identify the ticket that you want to view.
  Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.
- Click the subject line of the ticket or the ticket number to view ticket details.
Reply to a ticket
- In the Unified Portal menu bar, click Tickets.
- Identify the ticket that you want to respond to.
  Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.
- Click the subject line of the ticket or the ticket number to view ticket details.
- Follow the appropriate steps, depending on the ticket status:

If the ticket status is Open:
- Verify that Ticket Action is set to Reply.
- In the Add a Comment section, enter a comment.
- (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
- Click Add Comment.

If the ticket status is Closed:
- Click Post Follow-up Ticket.
- On the Open a New Ticket page, do the following steps:
  - In the What is this contact request related to? section, select the appropriate option:
    - General request — Select for non-urgent requests.
    - A security emergency — Select if one or more of your systems or user accounts are breached. For immediate assistance with a security emergency, call us at +1-888-272-8429.
    - Technical support assistance — Select if you require support with network issues, a service failure, troubleshooting issues, or IP address reconfiguration.
  - In the comment box, type your request and provide relevant details.
  - (Optional) To add supporting files, click Choose a File or click and drag one or more files to the attachment area.
  - Click Send Message.
Close a ticket
Note: To close tickets that you did not create or that you are not a recipient of, you must have the required permissions. If you require a higher level of access, check your Organization Profile and ask a primary contact.
- In the Unified Portal menu bar, click Tickets.
- Identify the ticket that you want to close.
  Tip: If desired, use filters to narrow your results. See Ticket filters for additional information.
- Click the subject line of the ticket or the ticket number to view ticket details.
- In the Ticket Action section, select one of these options from the list:
  - Close and suppress this alert
    Note: This option only appears for alerts.
  - Close with a follow-up request
  - Close
- If applicable, in the comment box, type your request and provide relevant details.
- Click Close Ticket.
Reports
Arctic Wolf provides you with reports that assess your security posture. Depending on the type of report, they might be delivered daily, weekly, monthly, or quarterly.
For more information, see:
Report filters
You can use the following filters to refine the items that appear in the report tables:
- Title — Filters the reports by title. Enter any text. Asterisks are not required for wildcards. For example, if you enter view, the table displays any reports with view in the title, such as Security Review or EVA view.
- File Format — Filters the reports by file format. Select All, PDF, or CSV.
- Sent Date — Filters the reports by the sent timeframe. Select Anytime, Past 7 days, Past 30 days, Past 3 months, or Past 12 months.
Click Reset Filters at any time to remove all filters.
Click Hide Filter to hide the filters from the page or Show Filter to display the filters.
View past reports
- In the Unified Portal menu bar, click Reports > Past Reports.
The Past Reports table provides information about reports that were previously sent:
- Title — Displays the report name.
- File Format — Displays the file format of the report, for example PDF or CSV.
- Reporting Period — Displays the date range of the data contained in the report.
- Sent Date — Displays when the report was initially sent to you.
- Actions — Provides controls for your reports:
  - Click Request Review to open a new ticket. For more information, see Open a new ticket.
  - Click Download to download the report. See View a report from Arctic Wolf.
Click the arrows next to a column heading to sort the table by that column. A single dark arrow indicates the active sort.
Use the filters to refine the information that displays in the table. For more information, see Report filters.
View a report from Arctic Wolf
- In the Unified Portal menu bar, click Reports > Past Reports.
- Identify the report that you want to view.
Tip: If desired, use filters to narrow your results. For more information, see Report filters.
- Click Download or click the report name in the Title column.
PDF reports typically open in a new browser tab, but this can vary based on your browser settings. CSV files must be manually opened from the directory from which they are saved.
View scheduled reports
- In the Unified Portal menu bar, click Reports > Scheduled Reports.
The Scheduled Reports table provides information about upcoming reports, including how often the report is generated, when it will be sent next, and who it will be sent to.
Send a malicious file to Arctic Wolf for review
If you have a file that you suspect is malicious, you can compress the file with password protection and send it to Arctic Wolf for review.
Note: Do not send raw suspicious files to Arctic Wolf. Our email, file hosting, and ticketing clients apply security filtering, and the file will not reach us.
- Compress the potentially malicious file into a zip file.
- Apply the password infected to the zip file.
Tip: Some compression tools include password configuration under encryption settings.
- Send the zip file to Arctic Wolf through the Unified Portal or ask Arctic Wolf to provide an Egnyte upload link.