Providing Cisco Umbrella Credentials to Arctic Wolf
Overview Direct link to this section
This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor Cisco Umbrella. After you complete this configuration, Arctic Wolf can monitor logs from your Cisco Umbrella environment.
As part of this configuration, you must provide the following information for your Cisco Umbrella environment to Arctic Wolf using the Arctic Wolf Portal:
- Organization ID
- API key
- API secret
Before you begin Direct link to this section
If you use the legacy Cisco Umbrella monitoring setup, which forwards Cisco Umbrella logs to Arctic Wolf from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket:
- Arctic Wolf recommends Removing S3 Log Forwarding Configurations for Cisco Umbrella to initiate your migration to an API-based Cisco Umbrella cloud sensor.
- With the new setup, you must generate new Umbrella Reporting API credentials, after which Arctic Wolf receives no Cisco Umbrella logs from your S3 bucket until you provision these credentials to Arctic Wolf and the status of your new Cisco Umbrella account in the Arctic Wolf Portal changes to Connected.
Create the Cisco Umbrella credentials Direct link to this section
Tip: See Add Umbrella Legacy API Keys in the Cisco Umbrella documentation for more information about this process.
Sign in to the Cisco Umbrella console as an administrator.
In the navigation pane, select Admin > API Keys.
Select Legacy Keys, and then expand Umbrella Reporting.
If you have an existing key for Arctic Wolf monitoring, delete it. You can only create one API key for Arctic Wolf monitoring.
Note: Deleting an API key means that Arctic Wolf can no longer authenticate to Cisco Umbrella or receive Cisco Umbrella logs until you complete the rest of this configuration and the status of your new Cisco Umbrella account in the Arctic Wolf Portal changes to Connected.
Click Generate token.
Copy the Key and Secret values to a secure location. The Key value is only displayed once during API key creation.
Copy the Organization ID to a secure location. This is the integer value in your Cisco Umbrella console URL. For example, if your Cisco Umbrella console URL is
https://dashboard.umbrella.com/o/1111111, then your organization ID is
Proceed to Provide credentials to Arctic Wolf.
Provide credentials to Arctic Wolf Direct link to this section
To provide your Cisco Umbrella credentials to Arctic Wolf through the Arctic Wolf Portal:
Sign in to the Arctic Wolf Portal.
Select Connected Accounts in the banner menu to open the Connected Accounts page.
Select +Add Account to open the Add Account form.
Select Cloud Detection and Response as the Account Type.
Select Cisco Umbrella from the list of cloud services.
Enter a descriptive name for the credentials.
Paste the following values that you obtained in Create the Cisco Umbrella credentials into the appropriate text boxes:
- Organization ID
Select Submit to CST.
When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.
Remove legacy Cisco Umbrella monitoring configurations Direct link to this section
If you have a legacy Cisco Umbrella monitoring setup based on S3 log forwarding, proceed to Removing S3 Log Forwarding Configurations for Cisco Umbrella.