Configure Webroot monitoring

Arctic Wolf® can use Webroot® APIs to monitor Webroot logs and alert you about suspicious or malicious activity.

To implement this monitoring, you must provide this information about the Webroot Global Site Manager (GSM) console to Arctic Wolf:

• The username and password of a new administrator in your Webroot GSM console, such as monitoring@example.com
• The Client ID and Client Secret of your Webroot GSM console
• The Webroot Site Keycode and Webroot GSM Keycode for the site you that wish to monitor

Requirements

• A Webroot GSM console account with Super Administrator permissions

Steps

1. Convert your GSM console to the Managed Service Provider Console.
2. Create Webroot API client credentials.
3. Retrieve the Webroot site keycode.
4. Retrieve the Webroot GSM keycode.
5. Create a new administrator for the Arctic Wolf Sensor.
6. Provide credentials to Arctic Wolf.

Step 1: Convert your GSM console to the Managed Service Provider Console

Webroot requires that you use the Managed Service Provider (MSP) Console to access their API. Arctic Wolf uses this API to retrieve security information.

If you are already using the MSP Console, proceed to Create Webroot API client credentials. Otherwise, convert your console to the MSP Console:

1. Sign in to the Webroot admin console using the credentials of a GSM Super Administrator.

2. From the navigation bar, click Settings, and then:

   • If Advanced Settings appears — click Advanced Settings.
   • If API Access appears — You are already running the MSP console. Proceed to Create Webroot API client credentials.

3. From Advanced Settings, click Convert.

4. In the dialog, select the checkbox to indicate that you understand that this is an irreversible operation, and then click Convert Console.

5. Read through or skip the MSP Console tutorial:

   • Click Next on all pages that appear.
   • Click Skip to skip the tutorial.

Step 2: Create Webroot API client credentials

1. Sign in to the Webroot admin console.

2. From the navigation bar, click Settings, and then click the API Access tab.

3. Click New to create a new API credential.

4. Fill out the Name and Description fields, and then click Create.

5. Copy the Client ID and Client Secret values to provide to Arctic Wolf later.

   Note: The Client Secret value is only displayed once.

6. Click I Have Made Note Of The Client Secret to close the dialog.

Step 3: Retrieve the Webroot site keycode

1. Sign in to the Webroot admin console.

2. From the navigation bar, click Sites.

3. Repeat these steps for each site that you want to monitor:

   

   1. Select the Key beside the name of the site.
   2. Copy the Keycode value to provide to Arctic Wolf later.

Step 4: Retrieve the Webroot GSM keycode

The GSM keycode is also known as the Parent keycode.

1. Sign in to the Webroot admin console.
2. From the navigation bar, click Settings > Account Information.
3. Copy the Parent Keycode to provide to Arctic Wolf later.

Step 5: Create a new administrator for the Arctic Wolf Sensor

Arctic Wolf does not require the credentials of a GSM Super Administrator to obtain security information from the Webroot API. Instead, you must create a GSM Limited Administrator account with View Only site permissions for the site that you want Arctic Wolf to monitor.

1. Sign in to the Webroot admin console.

2. From the navigation bar, click Admins > Add Admin to open the Create Admin page.

3. In the Details section, enter the appropriate details for each field.

4. Set the Account Type to GSM Limited Administrator.

   Note: Do not create a Site Administrator Only account, as this account does not have GSM console access, which the Arctic Wolf Sensor requires.

5. In the Site Permissions section, select View Only for the new account.

6. Save the username and password of this account to provide to Arctic Wolf later.

   Note: Webroot imposes a maximum length of 30 characters on all passwords, although the GSM console does not consistently enforce this.

7. Click Add to create the new administrator account. The Webroot system sends a verification email to the address provided during the setup process. You must verify the email address for the account before it can be used.

Step 6: Provide credentials to Arctic Wolf

1. Sign in to the Arctic Wolf Unified Portal.

2. In the menu bar, click Telemetry Management > Connected Accounts.

3. Click Add Account +.

4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

5. From the list of cloud services, select Webroot.

6. On the Add Account page, complete these steps:

   1. Account Name — Enter a unique and descriptive name for the account.
   2. In the GGSM admin username and GSM admin password fields, enter the username and password of the GSM administrator that you created in Create a new administrator for the Arctic Wolf Sensor
   3. In the Client ID and Client secret fields, enter the values from Create Webroot API client credentials
   4. In the GSM keycode field, enter the value from Retrieve the Webroot GSM keycode.
   5. In the Site keycode field, enter the value from Retrieve the Webroot site keycode.
   6. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

7. Click Test and Submit Credentials.

   After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.