Cisco Umbrella Monitoring

Updated Sep 27, 2023

Configure Cisco Umbrella monitoring

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor Cisco Umbrella®. After you complete this configuration, Arctic Wolf can monitor logs from your Cisco Umbrella environment.

As part of this configuration, you must provide this information for your Cisco Umbrella environment to Arctic Wolf using the Arctic Wolf Portal:

Note: If you use the legacy Cisco Umbrella monitoring setup, which forwards Cisco Umbrella logs to Arctic Wolf from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket:

  • Arctic Wolf recommends completing these configuration steps to initiate your migration to an API-based Cisco Umbrella cloud sensor.
  • With the new setup, you must generate new Umbrella Reporting API credentials, after which Arctic Wolf receives no Cisco Umbrella logs from your S3 bucket until you provision these credentials to Arctic Wolf and the status of your new Cisco Umbrella account in the Arctic Wolf Portal changes to Healthy.


  1. Create the Cisco Umbrella credentials.
  2. Provide credentials to Arctic Wolf.

Step 1: Create the Cisco Umbrella credentials

  1. Sign in to the Cisco Umbrella console as an administrator.
  2. If you are:
    • An MSP customer — Open the end-customer Cisco Umbrella configuration page. Then, in the navigation pane, click Console Settings > API Keys.
    • Not an MSP customer — In the navigation pane, click Admin > API Keys.
  3. Click API Keys.
  4. Click Add.
  5. Enter a name for your API key.
  6. For the Key Scope, select the Reports checkbox.
  7. Select Read-Only from the Reports dropdown.
  8. For the Expiry Date, select Never expire.
  9. Click Create Key.
  10. Copy the API Key and Key Secret values to a secure location.

    Note: The Key Secret value is only displayed once during API key creation.

  11. Copy the Organization ID to a secure location. This is the integer value in your Cisco Umbrella console URL. For example, if your Cisco Umbrella console URL is, then your organization ID is 1111111.

Step 2: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Cisco Umbrella API V2.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. For each of these fields, paste the appropriate value from Create the Cisco Umbrella credentials:
      • Org ID
      • Key
      • Secret
    3. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

Next steps