Exciting news! We are redesigning the Arctic Wolf Help Documentation site to provide a better user experience. Our new site will launch on May 1, 2024.

Cisco Umbrella Monitoring

Updated Apr 4, 2024

Configure Cisco Umbrella for Arctic Wolf monitoring

You can configure Cisco Umbrella® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: If you use the legacy Cisco Umbrella monitoring setup, which forwards Cisco Umbrella logs to Arctic Wolf from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket:

  • Arctic Wolf recommends completing these configuration steps to initiate your migration to an API-based Cisco Umbrella cloud sensor.
  • Generate new Umbrella Reporting API credentials, after which Arctic Wolf receives no Cisco Umbrella logs from your S3 bucket until you provision these credentials to Arctic Wolf and the status of your new Cisco Umbrella account in the MDR Dashboard changes to Healthy.


  1. Create your Cisco Umbrella credentials.
  2. Provide your Cisco Umbrella credentials to Arctic Wolf.

Step 1: Create your Cisco Umbrella credentials

  1. Sign in to the Cisco Umbrella console with administrator permissions.
  2. If you are:
    • An MSP customer — On the end-customer Cisco Umbrella configuration page, in the navigation menu, click Console Settings > API Keys.
    • Not an MSP customer — In the navigation menu, click Admin > API Keys.
  3. Click API Keys.
  4. Click Add, and then configure these settings:
    • Name — Enter a name for your API key.
    • Key Scope — Select the Reports checkbox.
    • Reports — Select Read-Only from the list.
    • Expiry Date — Select Never expire.
  5. Click Create Key.
  6. Copy the API Key, Key Secret, and Organization ID values and save them in a safe, encrypted location. You will provide them to Arctic Wolf later.


    • The Key Secret value is only displayed one time during API key creation and must be saved at this time.
    • The Organization ID is the integer value in your Cisco Umbrella console URL. For example, if your Cisco Umbrella console URL is https://dashboard.umbrella.com/o/1111111, then your organization ID is 1111111.

Step 2: Provide your Cisco Umbrella credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, click Cisco Umbrella API V2.

  6. On the Add Account page, configure these settings:

  7. Click Test and submit credentials.

Next steps