Configure Webroot for Arctic Wolf monitoring

You can configure Webroot® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • A Webroot GSM console account with Super Administrator permissions

Identify your console type

Arctic Wolf retrieves security information from the Webroot API, which is only accessible through the Managed Service Provider (MSP) console. You must identify whether you are using the GSM or MSP console to determine the next steps.

  1. Sign in to the Webroot admin console with GSM Super Administrator permissions.
  2. In the navigation menu, click Settings.
  3. Proceed to the appropriate task, depending on if:

Convert your GSM console to an MSP console

If necessary, convert your GSM console to an MSP console to access the Webroot API.

Note: As a limitation of the Webroot GSM console, this conversion cannot be undone.
  1. Sign in to the Webroot admin console with GSM Super Administrator permissions.
  2. In the navigation menu, click Settings > Advanced Settings.
  3. In the Advanced Settings section, click Convert.
  4. In the dialog, select the checkbox, and then click Convert Console.
  5. Optional: You can complete or skip the MSP console tutorial.

Create Webroot API client credentials

  1. Sign in to the Webroot admin console.
  2. In the navigation menu, click Settings.
  3. On the API Access tab, click New.
  4. In the Name and Description fields, enter information, and then click Create.
  5. Copy the Client ID and Client Secret values, and then save them in a safe, encrypted location to provide to Arctic Wolf later.
    Note:

    The Client Secret value is only viewable in this dialog.

  6. Click I have made note of the client secret.

Retrieve the Webroot site keycode

  1. Sign in to the Webroot admin console.
  2. In the navigation menu, click Sites.
  3. For each site that you want Arctic Wolf to monitor, complete these steps:
    1. Click the key icon beside the site name.
    2. Copy the Keycode value, and then save it in a safe, encrypted location to provide to Arctic Wolf later.

Retrieve the Webroot GSM keycode

Note:

The GSM keycode, also known as the parent keycode, and site keycode are similar but not the same. Both values are required for Arctic Wolf to monitor the site.

  1. Sign in to the Webroot admin console.
  2. In the navigation menu, click Settings > Account Information.
  3. Copy the Parent Keycode, and then save it in a safe, encrypted location to provide to Arctic Wolf later.

Create a new administrator for the Arctic Wolf Sensor

  1. Sign in to the Webroot admin console.
  2. In the navigation menu, click Admins > Add Admin.
  3. On the Create Admin page, on the Details tab, configure these settings:
    • Email Address — Enter an email address for your GSM admin account, to be the account username.
    • First Name — Enter a first name for your GSM admin account. For example, Tester.
    • Last Name — Enter a last name for your GSM admin account. For example, Admin.
    • Phone — Enter a phone number for your GSM admin account.
    • Time Zone — Select a time zone for your GSM admin account.
    • Account Type — Select GSM Limited Administrator.
      Note:

      Do not select Site Administrator Only. This account type does not have GSM console access, which the Arctic Wolf Sensor requires.

  4. On the Site Permissions tab, select View Only.
  5. Save the username and password of this account in a safe, encrypted location to provide to Arctic Wolf later.
    Note:

    Webroot imposes a maximum length of 30 characters on all passwords.

  6. Click Add.

    The Webroot system sends a verification email to the address provided during the setup process.

  7. Verify the email address for the account, using the verification email from Webroot.

Provide Webroot credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Webroot.
  5. Configure these settings:
  6. Click Test and submit credentials.