Webroot Monitoring
Webroot monitoring
Arctic Wolf® can use Webroot APIs to monitor Webroot logs and alert you about suspicious or malicious activity.
To implement this monitoring, you must provide the following information about the Webroot Global Site Manager (GSM) console to Arctic Wolf:
- The username and password of a new administrator in your Webroot GSM console, such as monitoring@example.com
- The Client ID and Client Secret of your Webroot GSM console
- The Webroot Site Keycode and Webroot GSM Keycode for the site that you wish to monitor
Requirements
- A Webroot GSM console account with Super Administrator permissions
Configure Webroot monitoring
- Convert your GSM console to the Managed Service Provider Console.
- Create Webroot API client credentials.
- Retrieve the Webroot site keycode.
- Retrieve the Webroot GSM keycode.
- Create a new administrator for the Arctic Wolf Sensor.
- Provide credentials to Arctic Wolf.
Step 1: Convert your GSM console to the Managed Service Provider Console
Webroot requires that you use the Managed Service Provider (MSP) Console to access their API. Arctic Wolf uses this API to retrieve security information.
If you are already using the MSP Console, proceed to Create Webroot API client credentials. Otherwise, convert your console to the MSP Console:
Note: You cannot undo the following change. This is a limitation of the Webroot GSM console.
- Sign in to the Webroot admin console using the credentials of a GSM Super Administrator.
- From the navigation bar, select Settings, and then:
  - If Advanced Settings appears, select Advanced Settings.
  - If API Access appears, you are already running the MSP console. Proceed to Create Webroot API client credentials.
- From Advanced Settings, select Convert.
- In the dialog box, select the checkbox to indicate that you understand that this is an irreversible operation, and then select Convert Console.
- Read through or skip the MSP Console tutorial:
  - Select Next on all pages that appear.
  - Select Skip to skip the tutorial.
Step 2: Create Webroot API client credentials
- Sign in to the Webroot admin console.
- From the navigation bar, select Settings, and then select the API Access tab.
- Select New to create a new API credential.
- Fill out the Name and Description fields, and then select Create.
- Copy the Client ID and Client Secret values to provide to Arctic Wolf later.
  Note: The Client Secret value is only displayed once.
- Select I Have Made Note Of The Client Secret to close the dialog box.
Step 3: Retrieve the Webroot site keycode
- Sign in to the Webroot admin console.
- From the navigation bar, select Sites, and then do the following for each site that you want to monitor:
  - Select the Key beside the name of the site.
  - Copy the Keycode value to provide to Arctic Wolf later.
Step 4: Retrieve the Webroot GSM keycode
The GSM keycode is also known as the Parent keycode.
Note: The GSM keycode and site keycode are similar but not the same. Both values are required for Arctic Wolf to monitor the site.
- Sign in to the Webroot admin console.
- From the navigation bar, select Settings, and then select Account Information.
- Copy the Parent Keycode to provide to Arctic Wolf later.
Step 5: Create a new administrator for the Arctic Wolf Sensor
Arctic Wolf does not require the credentials of a GSM Super Administrator to obtain security information from the Webroot API. Instead, you must create a GSM Limited Administrator account with View Only site permissions for the site that you want Arctic Wolf to monitor.
- Sign in to the Webroot admin console.
- From the navigation bar, select Admins, and then select Add Admin to open the Create Admin page.
- In the Details section, enter the appropriate details for each field.
- Set the Account Type to GSM Limited Administrator.
  Note: Do not create a Site Administrator Only account, as this account does not have GSM console access, which the Arctic Wolf Sensor requires.
- In the Site Permissions section, select View Only for the new account.
- Save the username and password of this account to provide to Arctic Wolf later.
  Note: Webroot imposes a maximum length of 30 characters on all passwords, although the GSM console does not consistently enforce this.
- Select Add to create the new administrator account. The Webroot system sends a verification email to the address provided during the setup process. You must verify the email address for the account before it can be used.
Step 6: Provide credentials to Arctic Wolf
Complete the following steps for each site that you want Arctic Wolf to monitor.
Tip: Only the Site Keycode value is unique for each site.
- Sign in to the Arctic Wolf Portal.
- Select Connected Accounts in the banner menu to open the Connected Accounts page.
- Select +Add Account to open the Add Account form.
- Select Cloud Detection and Response as the Account Type.
- Select Webroot from the list of cloud services and fill in the form:
  - Enter a descriptive name for the credentials.
  - Enter the username and password of the GSM administrator that you created in Create a new administrator for the Arctic Wolf Sensor.
  - Enter the Client ID and Client Secret that you retrieved in Create Webroot API client credentials.
  - Enter the GSM Keycode and Site Keycode that you retrieved in Retrieve the Webroot GSM keycode and Retrieve the Webroot site keycode, respectively.
- Select Submit to CST.
- When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
- Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.
Note: All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.
If credentials fail, for example, due to expired credentials, we notify you and request a new set of API credentials. After a polling failure, we only replay data for a period of 12 hours starting from when the refreshed credentials are provided.