Providing Cisco Secure Endpoint credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the credentials needed for Arctic Wolf® to monitor security information using the Cisco Secure Endpoint API.

After you complete this process, you need to provide the following information about your Cisco Secure Endpoint environment to Arctic Wolf on the Arctic Wolf Portal: the Client ID and the API Key.

Before you begin

To complete the steps below, you must be an administrator for the Cisco Secure Endpoint environment that you wish to monitor.

Creating API Client Credentials

To create API client credentials, including the Client ID and API Key:

  1. Sign in to the Cisco Secure Endpoint console as an administrator.

  2. Select Accounts, and then select Business Settings from the menu.

  3. Under Features, select Configure API Credentials to open the API Credentials page.

  4. On the API Credentials page, select New API Credential to open the dialog box.

  5. Create the New API Credential:

    1. Enter a memorable name for the credentials as the Application name.
    2. Set the Scope to Read-only.
    3. Click Create. This opens the API Key Details page.

  6. On the API Key Details page, record the newly generated Client ID and API Key values. You will submit these values to Arctic Wolf.

    Note: Once you dismiss this page, you can no longer retrieve the API Key from the console. Therefore, keep this information safe.

Providing credentials to Arctic Wolf

To provide the API client credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Cisco Secure Endpoint from the list of cloud services, and fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Enter the Client ID and API Key that you created in Creating API Client Credentials.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your cloud account, the status of your cloud credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.
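
To see what the 12-hour replay limit means after a credential failure, the following added example (not Arctic Wolf code) computes the span of Cisco Secure Endpoint activity that the replay would not reach, along with the start of coverage for a new deployment. It assumes the replay window runs backwards from the moment refreshed credentials are provided; the function names and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Figures stated in this guide.
REPLAY_WINDOW = timedelta(hours=12)    # replay after refreshed credentials
INITIAL_LOOKBACK = timedelta(hours=1)  # lookback for a new deployment


def _utc(ts):
    """Normalize to UTC; reject naive timestamps, which hide offset errors."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc)


def initial_coverage_start(configured_at):
    """Earliest activity reviewed for a new deployment."""
    return _utc(configured_at) - INITIAL_LOOKBACK


def unreplayed_gap(last_good_poll, refreshed_at):
    """Return (start, end) of activity the replay does not reach, or None.

    Assumption: the 12-hour replay runs backwards from refreshed_at.
    """
    start, refreshed = _utc(last_good_poll), _utc(refreshed_at)
    if refreshed < start:
        raise ValueError("refreshed_at is earlier than last_good_poll")
    replay_start = refreshed - REPLAY_WINDOW
    return (start, replay_start) if replay_start > start else None


if __name__ == "__main__":
    # Constructed sample: credentials expire Friday evening, replaced Monday.
    failed = datetime(2024, 3, 1, 18, 0, tzinfo=timezone.utc)
    fixed = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    gap = unreplayed_gap(failed, fixed)
    if gap:
        print(f"Review in the Cisco console: {gap[0]:%a %H:%M} to {gap[1]:%a %H:%M} UTC")
    else:
        print("Replay covers the whole outage")
```

A returned span marks activity to review directly in the Cisco Secure Endpoint console; `None` means the outage was short enough for the replay to cover it.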