Providing Cisco Umbrella Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the API token credentials that Arctic Wolf® needs to monitor Cisco Umbrella. After you complete this configuration, Arctic Wolf can monitor logs from your Cisco Umbrella environment.

As part of this configuration, you must provide the following information for your Cisco Umbrella environment to Arctic Wolf using the Arctic Wolf Portal:

Before you begin

This process requires you to have administrator access to the Cisco Umbrella console.

Note: The legacy Cisco Umbrella monitoring setup forwards Cisco Umbrella logs to Arctic Wolf from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket. If you have this legacy setup:

Creating the Cisco Umbrella credentials

To create your Cisco Umbrella credentials:

  1. Sign in to the Cisco Umbrella console as an administrator.

  2. Select Admin > API Keys from the navigation pane.

  3. Expand the Umbrella Reporting section. If you have:

    • No existing API key — Select Generate Token.

    • An existing API key — Delete the existing API key. Then, select Generate Token to create a new key.

      Notes:

      • You can create only one API key for Umbrella Reporting.
      • Generating a new token means that Arctic Wolf can no longer authenticate to Cisco Umbrella. Arctic Wolf cannot receive Cisco Umbrella logs until you complete the rest of this procedure and the status of your new Cisco Umbrella account in the Arctic Wolf Portal changes to Connected.

  4. Copy the following values to provide to Arctic Wolf later:

    • Organization ID — This is the integer value in your Cisco Umbrella console URL. For example, if your Cisco Umbrella console URL is https://dashboard.umbrella.com/o/1111111, then your organization ID is 1111111.

    • Key — This is the unique identifier for the API key.

    • Secret — This is a confidential string value that corresponds with the API key.

      Notes:

      • This secret is only displayed once during API key creation. Copy this secret to a secure location.
      • If this information is lost before you submit it to Arctic Wolf, you must generate a new token.

  5. Proceed to Providing credentials to Arctic Wolf.

Providing credentials to Arctic Wolf

To provide your Cisco Umbrella credentials to Arctic Wolf through the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Cisco Umbrella from the list of cloud services.

  6. Enter a descriptive name for the credentials.

  7. Paste the following values that you obtained in Creating the Cisco Umbrella credentials into the appropriate text boxes:

    • Organization ID
    • Key
    • Secret

  8. Select Submit to CST.

  9. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  10. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Removing legacy Cisco Umbrella monitoring configurations

If you have a legacy Cisco Umbrella monitoring setup based on S3 log forwarding, proceed to Removing S3 Log Forwarding Configurations for Cisco Umbrella.