Microsoft Azure Monitoring — Script Configuration

Configuration Guide

Updated Mar 3, 2023

Microsoft Azure monitoring

Arctic Wolf® uses Azure logs to monitor Azure Active Directory (AD) applications and alert you about suspicious or malicious activity. This document describes how to configure Microsoft Azure monitoring with a script. For manual steps, see Microsoft Azure Monitoring - Manual Configuration.

Supported regions for Azure monitoring

Arctic Wolf supports monitoring for all Azure regions except for regions in Azure Government. For more information, see Supported Azure Regions and Azure Geographies.

Azure monitoring limitations

Requirements

Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If Arctic Wolf monitors your Cloud Services.

Configure Azure Monitoring

Complete these procedures in order for each Azure tenant that you want Arctic Wolf to monitor, to ensure that your Concierge Security® Team (CST) has the best possible coverage of your Azure services:

  1. Download and extract the Azure AD configuration file

  2. Configure the Azure AD application

  3. Provide credentials to Arctic Wolf

  4. (Optional, Azure AD only) Opt in to Azure AD Trusted Traveler's Group

Step 1: Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file and move it to an easily-accessible folder on your Windows machine.

  2. Right-click the awn-office365-azure-configure.zip file, and then select Extract All.

  3. In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents, such as the Desktop folder.

    Note: Verify that Show extracted files when complete is selected.

  4. Select Extract to extract the contents of the .zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

You use a PowerShell script to create an Azure AD application that can access audit logs. For more information on Azure AD applications, including using PowerShell, updating an application, or deleting an application, see Azure AD Application Script.

To configure the Azure AD application:

  1. Open a PowerShell window as an administrator.

  2. Run Get-InstalledModule to see a list of installed modules.

  3. If the Azure AD PowerShell for Graph and/or the Azure Resource Manager (AzureRM) modules are missing, run the appropriate command and follow the prompts to install the missing modules:

    • Azure AD — Install-Module AzureAD
    • AzureRM — Install-Module AzureRM

    Note: If you receive an error about NuGet when installing either of these modules, similar to below, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing again.

    [Image: Module error]

  4. Run the batch file:

    1. Open the extracted awn-office365-azure-configure folder.

    2. Right-click on the appropriate batch file, and then select Run as administrator to launch the command prompt:

      • Microsoft 365 — ad-application-configure-office365.bat
      • Azure — ad-application-configure-azure.bat
      • O365 GCC High — ad-application-configure-office-365-gcc-high.bat

  5. In the command prompt, select C to create the Azure AD application.

  6. Follow the prompts to create and configure the Azure AD application. You must authenticate to your Azure tenant as a user with administrator permissions.

  7. Save a copy of the transcript file to submit to your CST, for confirmation that the script ran properly.

    The PowerShell configuration script automatically creates the arcticwolf-azure-ad-<target>.zip file in the directory that you ran the script from, where <target> is office365, azure, or combined. This .zip file includes the awn-office365-azure-ad-application-credentials.txt file, containing the application (client) ID, directory (tenant) ID, and secret key values that serve as the credentials for the newly-created application.

  8. (Azure only) When prompted with a list of active Azure subscriptions in your tenant, select one as the initial subscription for Arctic Wolf to monitor.

    When the script succeeds, it outputs information about the next steps in the process, including submitting credentials for the newly-created application to the Arctic Wolf Portal.

    Tip: You can add additional subscriptions after the application is successfully created. See Add or remove Azure subscriptions for more information.

  9. Once the PowerShell script finishes creating or updating the Azure AD application, launch the consent URI in your default browser. This looks similar to the image below:

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The .txt file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

    [Image: Consent URI]

  10. Sign in to your tenant as an administrator and select Accept to grant the requested permissions, which look like the images below.

    Granting the permissions redirects your browser to the Arctic Wolf website.

    Note: You may provide consent at a later time. However, Arctic Wolf is unable to monitor the tenant until consent is granted.

    [Image: Azure permissions]

Step 3: Provide credentials to Arctic Wolf

To submit your credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    [Image: Connected Accounts menu]

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Azure from the list of cloud services, and fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Paste these values into their respective text boxes:

      • Directory ID
      • Application ID
      • Secret Key

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Optional step: Opt in to Azure AD Trusted Traveler's Group

Arctic Wolf can optionally suppress alerts for groups of Azure AD users who log in from a restricted country, for example if you have employees who travel frequently and trigger this alert without malicious intent.

Note: We only recommend suppressing restricted country login alerts for employees who are consistently traveling, to avoid missing potential security incidents.

We recommend creating a new Azure AD group, or using an existing one, that includes all frequent travelers. Use this group only to track travelers. The name of this Azure AD group can conform to your internal group naming policies.

To opt in:

Arctic Wolf will suppress login alerts for all members of that group. If you have any questions, contact your CST.

Add or remove Azure subscriptions

When you created the Azure AD application for Azure monitoring, you specified an initial Azure subscription for Arctic Wolf monitoring. To configure Arctic Wolf monitoring of additional Azure subscriptions or remove previously-added subscriptions:

  1. Open a PowerShell window as an administrator.

  2. Run Get-InstalledModule to see a list of installed modules.

  3. If the Azure AD PowerShell for Graph and/or the Azure Resource Manager (AzureRM) modules are missing, run the appropriate command and follow the prompts to install the missing modules:

    • Azure AD — Install-Module AzureAD
    • AzureRM — Install-Module AzureRM

    Note: If you receive an error about NuGet when installing either of these modules, similar to below, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing again.

    [Image: Module error]

  4. Open the extracted awn-office365-azure-configure folder, right-click on the appropriate batch file, and then select Run as administrator to launch the command prompt:

    • Azure — ad-application-configure-azure.bat
    • Combined — ad-application-configure-combined.bat

  5. In the command prompt, select:

    • A — To add an Azure subscription for monitoring.
    • R — To remove an Azure subscription from monitoring.

  6. Follow the prompts to create and configure the Azure AD application. You must authenticate to your Azure tenant as a user with administrator permissions.

  7. Save a copy of the transcript file to submit to your CST, for confirmation that the script ran properly.

  8. (Remove only) Remove the registration for the Azure AD application.

    Tip: See the Remove an application registered with the Microsoft identity platform instructions in the Microsoft documentation for more information about this process.

    1. Sign in to the Azure portal and navigate to the tenant registered with the Azure AD application.
    2. Select Azure Active Directory.
    3. Under Manage, select App registrations, and then select the relevant Azure AD application to open the application Overview page.
    4. On the Overview page, select Delete, read and accept the warning, and then select Delete again to confirm that you want to delete the Azure AD application.
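The following PowerShell wrapper is an added example, not part of the Arctic Wolf script bundle. It performs the module preflight shared by Step 2 (items 2 and 3) and the Add or remove Azure subscriptions procedure above, applies the TLS 1.2 workaround from the NuGet note only when a module is actually missing, runs the Azure batch file from its own folder, and then checks that the transcript and credentials archive the page describes were written. The $ConfigDir path is an assumption (the extracted folder on the Desktop); adjust it to where you extracted the .zip file.

```powershell
# Added example (not Arctic Wolf code). Run from an elevated PowerShell window.
# Assumption: $ConfigDir is the extracted awn-office365-azure-configure folder.
param(
    [string]$ConfigDir = (Join-Path $env:USERPROFILE 'Desktop\awn-office365-azure-configure')
)

# Step 2, items 2-3: find which of the two required modules are not installed.
$required  = @('AzureAD', 'AzureRM')
$installed = (Get-InstalledModule).Name
$missing   = $required | Where-Object { $installed -notcontains $_ }

if ($missing) {
    # The NuGet error in the note is a TLS negotiation failure with the gallery;
    # force TLS 1.2 before calling Install-Module, then follow its prompts.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    foreach ($m in $missing) {
        Write-Host "Installing missing module: $m"
        Install-Module -Name $m
    }
} else {
    Write-Host 'AzureAD and AzureRM modules are already installed.'
}

# Run the Azure batch file from its own folder so the transcript and the
# arcticwolf-azure-ad-<target>.zip are written next to it. The script is
# interactive: choose C to create, or A / R to add or remove a subscription.
Push-Location $ConfigDir
try {
    & '.\ad-application-configure-azure.bat'
} finally {
    Pop-Location
}

# Post-run check: the newest transcript and credentials archive should exist.
$transcript = Get-ChildItem $ConfigDir -Filter 'awn-*-ad-application-transcript-*.txt' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$zip = Get-ChildItem $ConfigDir -Filter 'arcticwolf-azure-ad-*.zip' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

if (-not $transcript) { Write-Warning 'No transcript file found; the script may not have completed.' }
else { Write-Host "Transcript to send to your CST: $($transcript.FullName)" }

if (-not $zip) { Write-Warning 'No credentials archive found; the script may not have completed.' }
else {
    Write-Host "Credentials archive: $($zip.FullName)"
    # The .txt inside holds the application secret key; treat the archive as a
    # secret and remove the local copy once the values are submitted in Step 3.
    Write-Host 'Submit the Directory ID, Application ID and Secret Key via the Arctic Wolf Portal, then delete this file.'
}
```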

See also