Cisco Secure Endpoint Monitoring
Updated Sep 6, 2023
Configure Cisco Secure Endpoint monitoring
You can configure Cisco Secure Endpoint® to send the necessary logs to Arctic Wolf® for security monitoring.
Requirements
- Administrator role for the Cisco Secure Endpoint environment that you want to monitor
Steps
Step 1: Create API client credentials
- Sign in to the Cisco Secure Endpoint console as an administrator.
- In the navigation menu, click Admin > API Credentials.
- On the API Credentials page, click New API Credential.
- In the New API Credential dialog:
  - In the Application name field, enter a memorable name for the credentials.
  - Under Scope, select Read-only.
  - Select the Enable Command line checkbox.
  - Select the Allow API access to File Repository download audit logs checkbox.
  - Click Create.
- On the API Key Details page, record the newly generated Client ID and API Key values. You must submit these values to Arctic Wolf.
  Note: Once you dismiss this page, you can no longer retrieve the API Key from the console.
Step 2: Provide credentials to Arctic Wolf
Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.
- Sign in to the Arctic Wolf Unified Portal.
- In the menu bar, click Telemetry Management > Connected Accounts.
- Click Add Account +.
- On the Add Account page, from the Account Type list, select Cloud Detection and Response.
- From the list of cloud services, select Cisco Secure Endpoint.
- On the Add Account page, do the following steps:
  - Account Name — Enter a unique and descriptive name for the account.
  - For each of these fields, paste the appropriate value from Create API client credentials:
    - Client ID
    - API Key
  - API Base URL — Select the appropriate region base URL.
  - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
- Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
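As an added example (not code from the Arctic Wolf or Cisco documentation), the following Python script does from the command line what the Test and Submit Credentials button does in the portal: it picks the region base URL, authenticates with the Client ID and API Key over HTTP Basic auth, and, if you set a credential expiry, tells you the latest time replacement credentials must reach Arctic Wolf so that the 12-hour back-fill described in the note above still covers the gap. The region hostnames, the `/v1/version` endpoint and the `CSE_*` environment variable names are assumptions of this example drawn from the public Cisco Secure Endpoint API, not values from this page.

```python
"""Credential pre-check for the Cisco Secure Endpoint API (added example, not vendor code)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Region base URLs. ASSUMPTION: taken from the public Cisco Secure Endpoint API
# documentation; confirm the region shown in your console before relying on them.
REGION_BASE_URLS = {
    "north_america": "https://api.amp.cisco.com",
    "europe": "https://api.eu.amp.cisco.com",
    "asia_pacific": "https://api.apjc.amp.cisco.com",
}

# Arctic Wolf can back-fill at most 12 hours of data after receiving refreshed credentials.
COVERAGE_WINDOW = timedelta(hours=12)


def base_url_for(region: str) -> str:
    """Map a region key to its API base URL; an unknown region is an error, not a default."""
    if region not in REGION_BASE_URLS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGION_BASE_URLS)}")
    return REGION_BASE_URLS[region]


def basic_auth_header(client_id: str, api_key: str) -> str:
    """HTTP Basic auth as the API expects it: Client ID is the user, API Key is the password."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return f"Basic {token}"


def coverage_gap(expiry: datetime, provided_at: datetime) -> timedelta:
    """Telemetry that cannot be recovered if refreshed credentials arrive at `provided_at`
    after the old ones expired at `expiry`. Zero when replacements arrive within 12 hours."""
    gap = provided_at - COVERAGE_WINDOW - expiry
    return gap if gap > timedelta(0) else timedelta(0)


def coverage_gap_hours(expiry_iso: str, provided_iso: str) -> float:
    """String front-end for coverage_gap (ISO 8601 timestamps), handy for scripting."""
    gap = coverage_gap(datetime.fromisoformat(expiry_iso), datetime.fromisoformat(provided_iso))
    return gap / timedelta(hours=1)


def check_credentials(region: str, client_id: str, api_key: str, timeout: float = 10.0) -> dict:
    """Call a read-only endpoint to prove the credentials authenticate.
    ASSUMPTION: GET /v1/version is the lightweight endpoint from the public API docs."""
    url = f"{base_url_for(region)}/v1/version"
    request = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(client_id, api_key),
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return {"ok": True, "status": response.status, "body": json.load(response)}
    except urllib.error.HTTPError as err:
        # 401 means the Client ID / API Key pair is wrong or revoked; do not retry blindly.
        return {"ok": False, "status": err.code, "body": err.read().decode(errors="replace")}


def main() -> int:
    # Credentials come from the environment so they never land in shell history.
    client_id = os.environ.get("CSE_CLIENT_ID")
    api_key = os.environ.get("CSE_API_KEY")
    region = os.environ.get("CSE_REGION", "north_america")
    if not client_id or not api_key:
        print("set CSE_CLIENT_ID and CSE_API_KEY first", file=sys.stderr)
        return 2

    result = check_credentials(region, client_id, api_key)
    print("credentials OK" if result["ok"] else f"authentication failed: HTTP {result['status']}")

    # Optional: ISO 8601 expiry, e.g. 2024-01-31T00:00:00+00:00, matching the portal's Credential Expiry.
    expiry_text = os.environ.get("CSE_CREDENTIAL_EXPIRY")
    if expiry_text:
        expiry = datetime.fromisoformat(expiry_text)
        hours_left = (expiry - datetime.now(timezone.utc)) / timedelta(hours=1)
        deadline = expiry + COVERAGE_WINDOW
        print(f"credentials expire in {hours_left:.1f} h; provide replacements before {deadline.isoformat()}")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the three variables exported in the shell that configured the credentials; a non-zero exit means the pair will fail the portal's test as well, and the printed deadline is the point after which the integration will have an unrecoverable gap in coverage.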
MDR polling frequency
Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.