Providing Webroot Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the credentials needed for Arctic Wolf® to monitor security information from the Webroot API.

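After you complete this process, you must provide the following information about the Webroot Global Site Manager (GSM) console and site to Arctic Wolf on the Arctic Wolf Portal:

    • The username and password of the GSM administrator account created for the Arctic Wolf Sensor
    • The API Client ID and Client Secret
    • The GSM keycode, also known as the Parent keycode
    • The site keycode for each site that you want Arctic Wolf to monitor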

Before you begin

To complete the steps below, you must be a Super Administrator for the Webroot GSM console that you wish to monitor.

Converting your GSM console to the Managed Service Provider Console

Webroot requires that you use the Managed Service Provider (MSP) Console to access their API. Arctic Wolf uses this API to retrieve security information.

If you are already using the MSP Console, proceed to Creating Webroot API client credentials. Otherwise, you must convert your console to the MSP Console:

Note: You cannot undo the following change. This is a limitation of the Webroot GSM console.

To convert your GSM console to the MSP Console:

  1. Sign in to the Webroot admin console using the credentials of a GSM Super Administrator.

  2. From the navigation bar, select Settings, and then:

  3. From Advanced Settings, select Convert.

  4. In the dialog box, select the checkbox to indicate that you understand that this is an irreversible operation, and then select Convert Console.

  5. Read through or skip the MSP Console tutorial:

    • Select Next on all pages that appear.
    • Select Skip to skip the tutorial.

  6. Proceed to Creating Webroot API client credentials.

Creating Webroot API client credentials

To create Webroot API client credentials:

  1. Sign in to the Webroot admin console.

  2. From the navigation bar, select Settings, and then select the API Access tab.

  3. Select New to create a new API credential.

  4. Fill out the Name and Description fields, and then select Create.

  5. Copy the Client ID and Client Secret values to provide to Arctic Wolf later.

    Note: The Client Secret value is only displayed once.

  6. Select I Have Made Note Of The Client Secret to close the dialog box.

Retrieving the Webroot site keycode

To retrieve the keycode for each site that you want Arctic Wolf to monitor:

  1. Sign in to the Webroot admin console.

  2. From the navigation bar, select Sites, and then select the Key beside the site that you wish to monitor.

  3. Copy the Keycode value to provide to Arctic Wolf later.

  4. Repeat step 3 for each site that you want Arctic Wolf to monitor.

Retrieving the Webroot GSM keycode

To retrieve the GSM keycode, also known as the Parent keycode:

Note: The GSM keycode and site keycode are similar but not the same. Both values are required for Arctic Wolf to monitor the site.

  1. Sign in to the Webroot admin console.

  2. From the navigation bar, select Settings, and then select Account Information.

  3. Copy the Parent Keycode to provide to Arctic Wolf later.

Creating a new administrator for the Arctic Wolf Sensor

Arctic Wolf does not require the credentials of a GSM Super Administrator to obtain security information from the Webroot API. Instead, you must create a GSM Limited Administrator account with View Only site permissions for the site that you want Arctic Wolf to monitor.

To create a new administrator account:

  1. Sign in to the Webroot admin console.

  2. From the navigation bar, select Admins and then select Add Admin to open the Create Admin page.

  3. In the Details section, enter the appropriate details for each field.

  4. Set the Account Type to GSM Limited Administrator.

    Note: Do not create a Site Administrator Only account, as this account does not have GSM console access, which the Arctic Wolf Sensor requires.

  5. In the Site Permissions section, select View Only for the new account.

  6. Save the username and password of this account to provide to Arctic Wolf later.

    Note: Webroot imposes a maximum length of 30 characters on all passwords, although the GSM console does not consistently enforce this.

  7. Select Add to create the new administrator account. The Webroot system sends a verification email to the address provided during the setup process. You must verify the email address for the account before it can be used.

Providing credentials to Arctic Wolf

To provide the administrator username and password, API credentials, and site and GSM keycodes to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Webroot from the list of cloud services and fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Enter the username and password of the GSM administrator that you created in Creating a new administrator for the Arctic Wolf Sensor.

    3. Enter the Client ID and Client Secret that you retrieved in Creating Webroot API client credentials.

    4. Enter the GSM Keycode and Site Keycode that you retrieved in Retrieving the Webroot GSM keycode and Retrieving the Webroot site keycode, respectively.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

  9. Repeat steps 3 to 9 for each site that you wish to monitor.

    Tip: Only the Site Keycode value is unique for each site.
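
A pre-submission check for the values collected in the sections above, added here as an example (it is not Arctic Wolf or Webroot code). The Submission record and all sample values are hypothetical; the checks encode only what this guide states: the 30-character password limit, the GSM and site keycodes being different values, and only the Site Keycode varying between sites.

```python
from dataclasses import dataclass, fields

MAX_PASSWORD_LEN = 30  # Webroot password limit stated in this guide
# Per the guide's tip, every value except the Site Keycode repeats across sites.
SHARED = ("username", "password", "client_id", "client_secret", "gsm_keycode")


@dataclass(frozen=True)
class Submission:  # hypothetical record: one Add Account form per site
    name: str
    username: str
    password: str
    client_id: str
    client_secret: str
    gsm_keycode: str
    site_keycode: str


def check_submissions(subs):
    """Return a list of problems. Messages name fields, never secret values."""
    problems, seen_sites = [], {}
    for i, s in enumerate(subs, start=1):
        tag = f"entry {i}"
        for f in fields(s):
            if not getattr(s, f.name).strip():
                problems.append(f"{tag}: {f.name} is empty")
        if len(s.password) > MAX_PASSWORD_LEN:
            problems.append(f"{tag}: password exceeds {MAX_PASSWORD_LEN} characters")
        site = s.site_keycode.strip()
        if site and site == s.gsm_keycode.strip():
            problems.append(f"{tag}: site keycode equals GSM keycode")
        if site in seen_sites:
            problems.append(f"{tag}: site keycode repeats entry {seen_sites[site]}")
        elif site:
            seen_sites[site] = i
        for name in SHARED:
            if getattr(s, name) != getattr(subs[0], name):
                problems.append(f"{tag}: {name} differs from entry 1")
    return problems


# Constructed sample values, not real credentials or keycodes.
_base = dict(username="aw-sensor@example.com", password="x" * 31,
             client_id="client_EXAMPLE", client_secret="secret_EXAMPLE",
             gsm_keycode="GSM-KEYCODE-EXAMPLE")
SAMPLE = [
    Submission(name="HQ", site_keycode="SITE-KEYCODE-A", **_base),
    Submission(name="Branch", site_keycode="GSM-KEYCODE-EXAMPLE", **_base),
]
```

The password check matters because the GSM console does not consistently enforce the 30-character limit, so an over-length password can be saved there without an error.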

After your Concierge Security® Team provisions security monitoring for your Webroot site(s), the status of your Webroot credentials changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If credentials fail, for example due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.