
Microsoft Azure Monitoring Configuration - Script

Updated Apr 17, 2024

Configure Microsoft Azure for Arctic Wolf monitoring using a script

You can use the Arctic Wolf® Azure PowerShell script to configure Microsoft Azure to send the necessary logs to Arctic Wolf for security monitoring. For more information about the PowerShell script, see Microsoft Azure PowerShell Script Details.

For information about Azure monitoring limitations and supported monitoring regions, see Microsoft Azure monitoring.

Note: Although the script configuration is recommended, you can also manually configure monitoring. See Configure Microsoft Azure AD applications for Arctic Wolf monitoring manually for more information.

Requirements

Before you begin

Steps

For each Azure tenant that you want Arctic Wolf to monitor, complete these steps:

  1. Download and extract the Azure AD configuration file.
  2. Configure the Azure AD application.
  3. Provide your Microsoft Azure credentials to Arctic Wolf.
  4. (Optional, Azure AD only) Opt in to Azure AD Trusted Traveler's Group.
  5. (Optional) Add or remove Azure subscriptions.

Step 1: Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file, and then move it to a folder that is easy to access on your Windows machine.

  2. Right-click the awn-office365-azure-configure.zip file, and then click Extract All.

  3. In the Extract Compressed (Zipped) Folders window, find a location to extract the zip file contents. For example, the Desktop folder.

    Note: Verify that the Show extracted files when complete checkbox is selected.

  4. Click Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

  1. Open a PowerShell window with administrator permissions.

  2. Run this command to see a list of installed modules:

    Get-InstalledModule

  3. If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:

    • If the Azure AD module is missing — Run Install-Module AzureAD.
    • If the Az Accounts module is missing — Run Install-Module Az.Accounts.
    • If the Az Resources module is missing — Run Install-Module Az.Resources.

    Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing the module again.

    [Screenshot: Module error]

  4. Run the Azure PowerShell script:

    For more information about the script, see Microsoft Azure PowerShell Script Details.

    1. Open the extracted awn-office365-azure-configure folder.
    2. Right-click ad-application-configure-azure.bat, and then select Run as administrator to launch the command prompt.

    Note: You must have .NET version 4.7 or later to run the batch file.

  5. In the command prompt, press C to create the Microsoft Entra ID (formerly Azure AD) application.

  6. Follow the prompts to create and configure the Microsoft Entra ID (formerly Azure AD) application.

    Note: You must authenticate to your Azure tenant as a user with administrator permissions.

  7. (Azure only) When prompted, select the subscriptions you want Arctic Wolf to monitor.

    When the script succeeds, it outputs information about the next steps in the process, including submitting credentials for the newly-created application to Arctic Wolf.

    Note: You can add additional subscriptions after the application is successfully created. See Add or remove Azure subscriptions for more information.

  8. When the PowerShell script finishes creating or updating the Azure® application, press any key to launch the consent URI in your default browser.

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

    Example of expected output:

    [Screenshot: Consent URI]

  9. Sign in to your tenant with administrator permissions.

    The Permissions requested Review for your organization window appears.

    [Screenshot: Microsoft 365 permissions]

  10. Make sure the permissions are correct, and then click Accept.

    You are redirected to the Arctic Wolf website.

    Note: You can provide consent at a later time, but Arctic Wolf cannot monitor the tenant until consent is granted.

    Example of expected permissions:

    [Screenshot: Azure permissions]
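The module checks in sub-steps 2 and 3 above can be scripted rather than read off the Get-InstalledModule listing by eye. The following is an added example, not part of the Arctic Wolf script or batch file: it checks for the three modules the batch file depends on, installs any that are missing after forcing TLS 1.2 (the workaround the note above gives for the NuGet error), and then confirms the .NET Framework 4.7 requirement from the registry release value. The module names and the .NET release threshold (460798, the value Microsoft publishes for .NET Framework 4.7) are real; the rest is this example's own logic.

```powershell
# Added example (not Arctic Wolf's script): verify and install the modules the
# batch file needs, then confirm the .NET Framework version requirement.
$requiredModules = @('AzureAD', 'Az.Accounts', 'Az.Resources')

# Force TLS 1.2 before contacting the PowerShell Gallery. Older Windows PowerShell
# sessions default to older protocols, which is what produces the NuGet error.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

foreach ($name in $requiredModules) {
    $installed = Get-InstalledModule -Name $name -ErrorAction SilentlyContinue
    if ($installed) {
        Write-Host ("OK       {0} {1}" -f $name, $installed.Version)
        continue
    }
    Write-Host ("MISSING  {0} - installing from PSGallery" -f $name)
    # No -Scope given: in an elevated window this installs for all users, so the
    # module is visible to the batch file when it is later run as administrator.
    # -Force suppresses the untrusted-repository confirmation prompt.
    Install-Module -Name $name -Force
}

# .NET Framework 4.7 or later is required to run the batch file. The Release value
# 460798 corresponds to 4.7; every later framework version reports a higher value.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
if ($release -ge 460798) {
    Write-Host (".NET Framework 4.7 or later is present (Release {0})" -f $release)
} else {
    Write-Warning ".NET Framework 4.7 or later is required to run ad-application-configure-azure.bat"
}
```

Run this in the same elevated PowerShell window you opened in sub-step 1; if any module had to be installed, run Get-InstalledModule once more before launching the batch file so that you know the install completed.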

Step 3: Provide your Microsoft Azure credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, click Azure Graph.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application (client) ID.

    • Directory (tenant) ID — Enter the directory (tenant) ID.

    • Client Secret Value — Enter the value for the client secret.

    • Microsoft Cloud — Select the option that matches your Microsoft Cloud or Azure AD environment type.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.
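Three of the values requested in sub-step 6 (the application ID, the tenant ID and the credential expiry) can be read back from Azure with the Az modules installed in Step 2, which avoids transcribing them from the transcript file and gives an accurate date for the optional Credential Expiry field. The block below is an added example, not Arctic Wolf's script; it assumes you know the display name the script reported for the application (the `$AppDisplayName` placeholder is hypothetical, since the page does not state the name). The client secret value itself is shown only once by the script and cannot be read back from Azure, so it still has to come from the script output.

```powershell
# Added example (not Arctic Wolf's script): look up the Step 3 form values for the
# application created in Step 2, including when its client secret expires.
param(
    # Hypothetical placeholder: replace with the application name reported by the script.
    [string]$AppDisplayName = 'REPLACE-WITH-APP-DISPLAY-NAME'
)

Import-Module Az.Accounts, Az.Resources

# Interactive sign-in as an administrator of the tenant being monitored.
$null = Connect-AzAccount
$tenantId = (Get-AzContext).Tenant.Id

# Display names are not unique in Entra ID, so refuse to guess between duplicates.
$apps = @(Get-AzADApplication -DisplayName $AppDisplayName)
if ($apps.Count -ne 1) {
    throw ("Expected exactly one application named '{0}' in tenant {1}, found {2}" -f
        $AppDisplayName, $tenantId, $apps.Count)
}
$app = $apps[0]

# An application may hold several credentials; report the one that expires soonest
# so the Credential Expiry field is never later than the real expiry.
$creds = @(Get-AzADAppCredential -ApplicationId $app.AppId)
if ($creds.Count -eq 0) { throw "Application $($app.AppId) has no credentials" }
$soonest = $creds | Sort-Object EndDateTime | Select-Object -First 1

[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Directory (tenant) ID'   = $tenantId
    'Credential expiry'       = $soonest.EndDateTime
    'Days remaining'          = [int]($soonest.EndDateTime - (Get-Date)).TotalDays
} | Format-List
```

Record the expiry date in the Credential Expiry field so that the account can be renewed before the secret lapses and monitoring silently stops.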

Step 4: Opt in to Azure AD Trusted Traveler's Group

This step is optional. Arctic Wolf can suppress alerts for groups of Azure AD users who sign in from a restricted country, for example, employees who travel frequently and would otherwise trigger this alert without malicious intent.

Notes:

  • Arctic Wolf only recommends suppressing restricted-country login alerts for employees who travel consistently, to avoid missing potential security incidents.
  • This suppression is only applicable for employees who are part of 20 Azure AD groups or fewer.

Arctic Wolf recommends creating a new Azure AD group or using an existing Azure AD group that includes all frequent travelers. Only use this group to monitor travelers. This Azure AD group name can conform to your internal group naming policies.

To opt in, contact your CST and provide the name of the Azure AD group or groups. Make sure that case sensitivity and spelling are correct.

Arctic Wolf will suppress login alerts for all members of that group. If you have questions, contact your CST.

Step 5: Add or remove Azure subscriptions

This step is optional. When you created the Azure AD application for Azure monitoring, you specified the initial Azure subscriptions for Arctic Wolf monitoring. To configure Arctic Wolf monitoring of additional Azure subscriptions or remove previously added subscriptions:

  1. Open a PowerShell window with administrator permissions.

  2. Run the batch file:

    1. Open the extracted awn-office365-azure-configure folder.
    2. Right-click ad-application-configure-azure.bat, and then click Run as administrator to launch the command prompt.
  3. In the command prompt, press:

    • A — To add an Azure subscription for monitoring.
    • R — To remove an Azure subscription from monitoring.
  4. When prompted, authenticate to your Azure tenant as a user with administrator permissions.

  5. Select the subscription you want to add or remove.

    The selected subscriptions are updated, and the required roles are assigned or removed.
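Because adding or removing a subscription assigns or removes roles for the application's service principal, it is worth confirming the result independently of the batch file, in particular that a removed subscription shows no remaining assignment. The following is an added example, not Arctic Wolf's script: it walks every subscription the signed-in administrator can see and lists the roles held there by the monitoring application, identified by its Application (client) ID (the `$AppId` value is a placeholder; the page does not name the roles the script assigns, so the example reports whatever it finds).

```powershell
# Added example (not Arctic Wolf's script): report the role assignments held by the
# monitoring application's service principal in each visible subscription.
param(
    # Hypothetical placeholder: the Application (client) ID from the Step 2 output.
    [string]$AppId = '00000000-0000-0000-0000-000000000000'
)

Import-Module Az.Accounts, Az.Resources
$null = Connect-AzAccount

$report = foreach ($sub in Get-AzSubscription) {
    # Role assignment queries are evaluated against the current subscription context.
    $null = Set-AzContext -SubscriptionId $sub.Id

    # The application ID doubles as the service principal name of the app's
    # service principal. Inherited assignments (for example from a management
    # group) are included, which is what matters for effective access.
    $assignments = @(Get-AzRoleAssignment -ServicePrincipalName $AppId -ErrorAction SilentlyContinue)

    if ($assignments.Count -eq 0) {
        [pscustomobject]@{ Subscription = $sub.Name; Role = '(none)'; Scope = '-' }
        continue
    }
    foreach ($a in $assignments) {
        [pscustomobject]@{ Subscription = $sub.Name; Role = $a.RoleDefinitionName; Scope = $a.Scope }
    }
}

$report | Sort-Object Subscription, Role | Format-Table -AutoSize
```

A subscription you just removed should appear with Role "(none)"; if an assignment remains, its Scope column shows where it is inherited from, which is the place to correct it.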

See also