Webroot Monitoring
Updated Sep 27, 2023
Configure Webroot monitoring
Arctic Wolf® can use Webroot® APIs to monitor Webroot logs and alert you about suspicious or malicious activity.
To implement this monitoring, you must provide this information about the Webroot Global Site Manager (GSM) console to Arctic Wolf:
- The username and password of a new administrator in your Webroot GSM console, such as monitoring@example.com
- The Client ID and Client Secret of your Webroot GSM console
- The Webroot Site Keycode and Webroot GSM Keycode for the site that you wish to monitor
Requirements
- A Webroot GSM console account with Super Administrator permissions
Steps
- Convert your GSM console to the Managed Service Provider Console.
- Create Webroot API client credentials.
- Retrieve the Webroot site keycode.
- Retrieve the Webroot GSM keycode.
- Create a new administrator for the Arctic Wolf Sensor.
- Provide credentials to Arctic Wolf.
Step 1: Convert your GSM console to the Managed Service Provider Console
Webroot requires that you use the Managed Service Provider (MSP) Console to access their API. Arctic Wolf uses this API to retrieve security information.
If you are already using the MSP Console, proceed to Create Webroot API client credentials. Otherwise, convert your console to the MSP Console:
Note: You cannot undo this change. This is a limitation of the Webroot GSM console.
- Sign in to the Webroot admin console using the credentials of a GSM Super Administrator.
- From the navigation bar, click Settings, and then:
  - If Advanced Settings appears — click Advanced Settings.
  - If API Access appears — You are already running the MSP console. Proceed to Create Webroot API client credentials.
- From Advanced Settings, click Convert.
- In the dialog, select the checkbox to indicate that you understand that this is an irreversible operation, and then click Convert Console.
- Read through or skip the MSP Console tutorial:
  - Click Next on all pages that appear.
  - Click Skip to skip the tutorial.
Step 2: Create Webroot API client credentials
- Sign in to the Webroot admin console.
- From the navigation bar, click Settings, and then click the API Access tab.
- Click New to create a new API credential.
- Fill out the Name and Description fields, and then click Create.
- Copy the Client ID and Client Secret values to provide to Arctic Wolf later.
  Note: The Client Secret value is only displayed once.
- Click I Have Made Note Of The Client Secret to close the dialog.
Step 3: Retrieve the Webroot site keycode
- Sign in to the Webroot admin console.
- From the navigation bar, click Sites.
- Repeat these steps for each site that you want to monitor:
  - Select the Key beside the name of the site.
  - Copy the Keycode value to provide to Arctic Wolf later.
Step 4: Retrieve the Webroot GSM keycode
The GSM keycode is also known as the Parent keycode.
Note: The GSM keycode and site keycode are similar but not the same. Both values are required for Arctic Wolf to monitor the site.
- Sign in to the Webroot admin console.
- From the navigation bar, click Settings > Account Information.
- Copy the Parent Keycode to provide to Arctic Wolf later.
Step 5: Create a new administrator for the Arctic Wolf Sensor
Arctic Wolf does not require the credentials of a GSM Super Administrator to obtain security information from the Webroot API. Instead, you must create a GSM Limited Administrator account with View Only site permissions for the site that you want Arctic Wolf to monitor.
- Sign in to the Webroot admin console.
- From the navigation bar, click Admins > Add Admin to open the Create Admin page.
- In the Details section, enter the appropriate details for each field.
- Set the Account Type to GSM Limited Administrator.
  Note: Do not create a Site Administrator Only account, as this account does not have GSM console access, which the Arctic Wolf Sensor requires.
- In the Site Permissions section, select View Only for the new account.
- Save the username and password of this account to provide to Arctic Wolf later.
  Note: Webroot imposes a maximum length of 30 characters on all passwords, although the GSM console does not consistently enforce this.
- Click Add to create the new administrator account. The Webroot system sends a verification email to the address provided during the setup process. You must verify the email address for the account before it can be used.
Step 6: Provide credentials to Arctic Wolf
Tip: Only the Site Keycode value is unique for each site.
Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.
- Sign in to the Arctic Wolf Unified Portal.
- In the menu bar, click Telemetry Management > Connected Accounts.
- Click Add Account +.
- On the Add Account page, from the Account Type list, select Cloud Detection and Response.
- From the list of cloud services, select Webroot.
- On the Add Account page, complete these steps:
  - Account Name — Enter a unique and descriptive name for the account.
  - In the GSM admin username and GSM admin password fields, enter the username and password of the GSM administrator that you created in Create a new administrator for the Arctic Wolf Sensor.
  - In the Client ID and Client secret fields, enter the values from Create Webroot API client credentials.
  - In the GSM keycode field, enter the value from Retrieve the Webroot GSM keycode.
  - In the Site keycode field, enter the value from Retrieve the Webroot site keycode.
  - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
- Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
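The checks implied by the notes in Steps 4 to 6, as an added example that is not Arctic Wolf or Webroot code: it validates the collected values before they are entered in the Add Account form and computes how much telemetry is unrecoverable when refreshed credentials arrive late. The dictionary field names and sample values are hypothetical, and the gap calculation assumes the 12-hour lookback is measured from the moment Arctic Wolf receives the new credentials.

```python
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_LEN = 30            # Webroot password limit (Step 5 note)
LOOKBACK = timedelta(hours=12)   # reach of polling after a refresh (Step 6 note)

# Hypothetical field names that mirror the Add Account form.
REQUIRED = ("admin_username", "admin_password", "client_id",
            "client_secret", "gsm_keycode", "site_keycode")


def preflight(bundle):
    """Return a list of problems in the credential bundle (empty if none)."""
    values = {f: str(bundle.get(f) or "").strip() for f in REQUIRED}
    problems = [f"{f}: missing" for f in REQUIRED if not values[f]]
    if len(str(bundle.get("admin_password") or "")) > MAX_PASSWORD_LEN:
        problems.append("admin_password: longer than 30 characters")
    # Step 4: the GSM (parent) keycode and the site keycode are different values.
    # Comparing case-insensitively is a precaution assumed for this example.
    gsm, site = values["gsm_keycode"].upper(), values["site_keycode"].upper()
    if gsm and gsm == site:
        problems.append("site_keycode: same value as gsm_keycode")
    return problems


def refresh_deadline(expires_at):
    """Latest time new credentials can arrive with no loss of coverage."""
    return expires_at + LOOKBACK


def coverage_gap(expires_at, refreshed_at):
    """Length of the telemetry window that a late refresh cannot recover."""
    return max(refreshed_at - refresh_deadline(expires_at), timedelta(0))


if __name__ == "__main__":
    # Constructed sample values, not real credentials or keycodes.
    sample = {
        "admin_username": "monitoring@example.com",
        "admin_password": "x" * 31,
        "client_id": "client-id-placeholder",
        "client_secret": "client-secret-placeholder",
        "gsm_keycode": "PARENT-KEYCODE-PLACEHOLDER",
        "site_keycode": "parent-keycode-placeholder",
    }
    for problem in preflight(sample):
        print("FAIL", problem)
    expiry = datetime(2023, 9, 27, 8, 0, tzinfo=timezone.utc)
    print("refresh by:", refresh_deadline(expiry).isoformat())
    print("gap if refreshed after 20h:", coverage_gap(expiry, expiry + timedelta(hours=20)))
```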
MDR polling frequency
Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.