Configure Cisco Secure Endpoint for Arctic Wolf monitoring

You can configure Cisco Secure Endpoint® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • Administrator permissions for the Cisco Secure Endpoint environment that you want Arctic Wolf to monitor.

Create API client credentials

  1. Sign in to Security Cloud Sign On with administrator permissions.
  2. In the navigation menu, click Accounts > API Credentials.
  3. On the API Credentials page, click + New API Credential.
  4. In the New API Credential dialog, configure these settings:
    • Application name — Enter a name for the credentials.
    • Scope — Select Read-only.
    • Enable Command line — Select the checkbox.
    • Allow API access to File Repository download audit logs — Select the checkbox.

  5. Click Create.
  6. On the API Key Details page, save the 3rd Party API Client ID and API Key values in a safe, encrypted location to provide to Arctic Wolf later.
    Note: After you exit this page, you can no longer retrieve the API Key value.
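Before handing the credential to Arctic Wolf, it is worth confirming that the Client ID and API Key pair actually authenticates, and doing so without pasting the key into a shell history or a script. The following check is an added example and is not code from Arctic Wolf or Cisco. It assumes that the Secure Endpoint v1 API accepts HTTP Basic authentication with the 3rd Party API Client ID as the user name and the API Key as the password, that GET /v1/version is a read-only call any valid credential can make, and that the regional hosts listed in API_HOSTS match the console in which the credential was created; the environment variable names CSE_CLIENT_ID, CSE_API_KEY and CSE_REGION are this example's own.

```python
"""Smoke-test a newly created Cisco Secure Endpoint API credential.

Added example (not Arctic Wolf or Cisco code). Assumptions, labelled as such:
  * the Secure Endpoint v1 API accepts HTTP Basic auth with the 3rd Party API
    Client ID as the user name and the API Key as the password;
  * GET /v1/version is a read-only call that any valid credential may make;
  * the regional hosts below match the console where the credential was made.
The API key is read from the environment so it never lands in a script or shell
history, in line with the guide's advice to keep it in an encrypted location.
"""
import base64
import json
import os
import urllib.error
import urllib.request

# Assumed regional API hosts; confirm the one for your console before use.
API_HOSTS = {
    "nam": "https://api.amp.cisco.com",
    "eu": "https://api.eu.amp.cisco.com",
    "apjc": "https://api.apjc.amp.cisco.com",
}


def basic_auth_header(client_id: str, api_key: str) -> str:
    """Build the Authorization value: base64("<client id>:<api key>")."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return f"Basic {token}"


def http_get(url: str, headers: dict) -> tuple:
    """Default transport: return (status, body). Non-2xx is returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_credential(client_id, api_key, region="nam", fetch=http_get):
    """Return (ok, detail). `fetch` is injectable so the check runs offline in tests."""
    if region not in API_HOSTS:
        return False, f"unknown region {region!r}"
    headers = {
        "Authorization": basic_auth_header(client_id, api_key),
        "Accept": "application/json",
    }
    try:
        status, body = fetch(f"{API_HOSTS[region]}/v1/version", headers)
    except urllib.error.URLError as err:
        return False, f"connection failed: {err.reason}"
    if status == 401:
        # The same failure Arctic Wolf would report once the key expires or is revoked.
        return False, "401: client ID or API key is wrong, revoked or expired"
    if status != 200:
        return False, f"unexpected HTTP {status}"
    try:
        version = json.loads(body.decode()).get("version", "unknown")
    except (ValueError, UnicodeDecodeError):
        return False, "200 but body is not the expected JSON"
    return True, f"credential accepted, API version {version}"


def redact(secret: str) -> str:
    """Show only the last 4 characters so the key never appears in output or logs."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


if __name__ == "__main__":
    cid = os.environ["CSE_CLIENT_ID"]       # 3rd Party API Client ID
    key = os.environ["CSE_API_KEY"]         # API Key from the API Key Details page
    region = os.environ.get("CSE_REGION", "nam")
    ok, detail = check_credential(cid, key, region)
    print(f"client {cid} key {redact(key)} [{region}]: {detail}")
    raise SystemExit(0 if ok else 1)
```

Run it as `CSE_CLIENT_ID=... CSE_API_KEY=... python3 check_cse_credential.py`; a non-zero exit means the pair should not be submitted to Arctic Wolf as-is. The transport is passed in as a function so the decision logic (401 versus other failures, malformed body) can be exercised without network access.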

Provide Cisco Secure Endpoint credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Cisco Secure Endpoint.
  5. Configure these settings:
  6. Click Test and submit credentials.