Providing Cisco Umbrella Credentials to Arctic Wolf

Configuration Guide

Updated Nov 30, 2022

Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor Cisco Umbrella. After you complete this configuration, Arctic Wolf can monitor logs from your Cisco Umbrella environment.

As part of this configuration, you must provide the following information for your Cisco Umbrella environment to Arctic Wolf using the Arctic Wolf Portal:

Before you begin

If you use the legacy Cisco Umbrella monitoring setup, which forwards Cisco Umbrella logs to Arctic Wolf from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket:

Create the Cisco Umbrella credentials

Tip: See Add Umbrella Legacy API Keys in the Cisco Umbrella documentation for more information about this process.

  1. Sign in to the Cisco Umbrella console as an administrator.

  2. In the navigation pane, select Admin > API Keys.

  3. Select Legacy Keys, and then expand Umbrella Reporting.

  4. If you have an existing key for Arctic Wolf monitoring, delete it. You can only create one API key for Arctic Wolf monitoring.

    Note: Deleting an API key means that Arctic Wolf can no longer authenticate to Cisco Umbrella or receive Cisco Umbrella logs until you complete the rest of this configuration and the status of your new Cisco Umbrella account in the Arctic Wolf Portal changes to Connected.

  5. Click Generate token.

  6. Copy the Key and Secret values to a secure location. The Key value is only displayed once during API key creation.

  7. Copy the Organization ID to a secure location. This is the integer value in your Cisco Umbrella console URL. For example, if your Cisco Umbrella console URL is, then your organization ID is 1111111.

  8. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf

To provide your Cisco Umbrella credentials to Arctic Wolf through the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Cisco Umbrella from the list of cloud services.

  6. Enter a descriptive name for the credentials.

  7. Paste the following values that you obtained in Create the Cisco Umbrella credentials into the appropriate text boxes:

    • Organization ID
    • Key
    • Secret

  8. Select Submit to CST.

  9. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  10. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Remove legacy Cisco Umbrella monitoring configurations

If you have a legacy Cisco Umbrella monitoring setup based on S3 log forwarding, proceed to Removing S3 Log Forwarding Configurations for Cisco Umbrella.