Configure Cisco Umbrella for Arctic Wolf monitoring

You can configure Cisco Umbrella® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

If you use the legacy Cisco Umbrella monitoring setup, which forwards Cisco Umbrella logs to Arctic Wolf from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket:

Arctic Wolf recommends completing these configuration steps to initiate your migration to an API-based Cisco Umbrella cloud sensor.
Generate new Umbrella Reporting API credentials, after which Arctic Wolf receives no Cisco Umbrella logs from your S3 bucket until you provision these credentials to Arctic Wolf and the status of your new Cisco Umbrella account in the MDR Dashboard changes to Healthy.

If you have a legacy Cisco Umbrella monitoring setup based on S3 log forwarding, complete Remove Cisco Umbrella from your AWS environment.

Create your Cisco Umbrella credentials

Sign in to the Cisco Umbrella console with administrator permissions.
In the navigation menu, click Admin > Log Management.
In the Data Storage section, note the region for the data storage.

You will provide this value to Arctic Wolf later.
If you are:
- An MSP customer — On the end-customer Cisco Umbrella configuration page, in the navigation menu, click Console Settings > API Keys.
- Not an MSP customer — In the navigation menu, click Admin > API Keys.
Click API Keys.
Click Add, and then configure these settings:
- Name — Enter a name for your API key.
- Key Scope — Select the Reports checkbox.
- Reports — Select Read-Only from the list.
- Expiry Date — Select an expiry date that aligns with your needs.
Click Create Key.
Copy the API Key, Key Secret, and Organization ID values, and then save them in a safe, encrypted location.
You will provide these values to Arctic Wolf later.
Note:
- The Key Secret value is only displayed one time during API key creation and must be saved at this time.
- The Organization ID is the integer value in your Cisco Umbrella console URL. For example, if your Cisco Umbrella console URL is https://dashboard.umbrella.com/o/1111111, then your organization ID is 1111111.

Provide Cisco Umbrella credentials to Arctic Wolf

Sign in to the Arctic Wolf Unified Portal.
In the navigation menu, click Data Collection > Cloud Sensors.
Click Add Account +.
On the Add Account page, click Cisco Umbrella API V2.
Configure these settings:
- Account Name — Enter a unique and descriptive name for the account.
- Org ID — Enter the organization ID from Create your Cisco Umbrella credentials.
- Key — Enter the API secret from Create your Cisco Umbrella credentials.
- Secret — Enter the key secret from Create your Cisco Umbrella credentials.
- Storage Region — Select the most appropriate option based on the storage region from Create your Cisco Umbrella credentials.
- Credential Expiry — (Optional) Enter the credential expiration date, if applicable.
Click Test and submit credentials.

Active Response, Log Forwarding, and Security Monitoring

Active Response, Log Forwarding, and Security Monitoring

Configure Cisco Umbrella for Arctic Wolf monitoring

Create your Cisco Umbrella credentials

Provide Cisco Umbrella credentials to Arctic Wolf

目次