Microsoft Azure Monitoring — Script Configuration
Updated Sep 27, 2023
Arctic Wolf® uses Azure® logs to monitor Azure Active Directory (AD) applications and alert you about suspicious or malicious activity.
There are two ways to configure Microsoft Azure monitoring:
- Script configuration — See Configure Azure Monitoring.
- Manual configuration — See Microsoft Azure Monitoring - Manual Configuration.
Note: The manual configuration steps are an alternative to script configuration, and can be used to replicate the target state using methods such as Infrastructure as Code.
Supported regions for Azure monitoring
Arctic Wolf supports monitoring for all Azure regions except for regions in Azure Government. For more information, see Supported Azure Regions and Azure Geographies.
Azure monitoring limitations
- Throttling may occur if too many requests are made to the Microsoft Graph API. The throttling threshold can be reached by a high volume of requests from multiple applications within a single Azure tenant, or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can therefore delay log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.
- Azure Active Directory sign-in and audit logs may have a reporting latency of up to 8 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See the Azure Active Directory reporting latencies documentation on the Microsoft website for more information.
Configure Microsoft Azure monitoring
You can use the Arctic Wolf Azure PowerShell script to configure Azure monitoring. For more information about how the script works, see Azure Active Directory Configuration Script.
When successfully configured, Arctic Wolf can use the Azure logs to monitor Azure AD applications and alert you about suspicious or malicious activity.
Requirements
- A user account with Global Administrator permissions.
- The Owner or User Access Administrator role on each subscription you want to monitor. Both roles include the Microsoft.Authorization/*/Write permission, which is needed to assign roles to the Azure AD application.
- Access to a Windows machine or virtual machine (VM) that you can run the configuration script on.
- The default Defender for Cloud-generated Log Analytics workspace.
  Note: Arctic Wolf does not ingest logs from custom Log Analytics workspaces.
- Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Cloud Service Integrations.
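The following pre-flight script is an added example and is not part of the Arctic Wolf download or the ad-application-configure-azure.bat script. It installs any of the three PowerShell modules the configuration script needs (see Step 2 below) and then checks that the signed-in user holds the roles listed in the requirements above, so that a missing Global Administrator or subscription role is found before the script fails partway through. It assumes Windows PowerShell 5.1 with PowerShellGet, that the AzureAD and Az modules can be installed from the PowerShell Gallery, and that the file name Test-AwnAzurePrereqs.ps1, the $TenantId value and the $SubscriptionIds values are placeholders you supply.

```powershell
# Added pre-flight check, not part of the Arctic Wolf configure script. Save as
# Test-AwnAzurePrereqs.ps1 (hypothetical name) and run it in an elevated Windows PowerShell
# 5.1 window before launching ad-application-configure-azure.bat. Assumed: the AzureAD and
# Az modules install from the PowerShell Gallery; $TenantId is your Directory (tenant) ID;
# $SubscriptionIds are the subscriptions you intend to select in Step 2 (empty = check all).
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [string[]] $SubscriptionIds = @()
)
$ErrorActionPreference = 'Stop'

# 1. The PowerShell Gallery requires TLS 1.2; this is the same fix the page gives for the
#    NuGet error, applied up front for the whole session.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
}

# 2. Install only the modules that are missing. Get-Module -ListAvailable also sees modules
#    installed outside PowerShellGet, which Get-InstalledModule does not report.
foreach ($name in 'AzureAD', 'Az.Accounts', 'Az.Resources') {
    if (Get-Module -ListAvailable -Name $name) {
        Write-Host "$name already installed"
    } else {
        Write-Host "Installing $name ..."
        Install-Module -Name $name -Scope CurrentUser -Force -AllowClobber
    }
}

# 3. Sign in once with each module family; the configure script uses both.
$azLogin = Connect-AzAccount -TenantId $TenantId
$upn = $azLogin.Context.Account.Id
Connect-AzureAD -TenantId $TenantId -AccountId $upn | Out-Null

# 4. Global Administrator: membership must be active. A PIM-eligible assignment that has not
#    been activated does not appear here, and the configure script would fail on it as well.
$gaRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$isGA = $false
if ($gaRole) {
    $isGA = [bool](Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId |
                   Where-Object { $_.UserPrincipalName -eq $upn })
}
if (-not $isGA) { Write-Warning "$upn is not an active Global Administrator in tenant $TenantId" }

# 5. Owner or User Access Administrator on each subscription to be monitored. Either role
#    carries Microsoft.Authorization/*/Write, which the script needs to assign roles to the app.
#    -ExpandPrincipalGroups also counts assignments the user inherits through group membership.
$needed = 'Owner', 'User Access Administrator'
$subs = Get-AzSubscription -TenantId $TenantId
if ($SubscriptionIds.Count -gt 0) {
    $subs = $subs | Where-Object { $SubscriptionIds -contains $_.Id }
}
foreach ($sub in $subs) {
    $roles = @(Get-AzRoleAssignment -SignInName $upn -Scope "/subscriptions/$($sub.Id)" -ExpandPrincipalGroups |
               Select-Object -ExpandProperty RoleDefinitionName -Unique)
    [pscustomobject]@{
        Subscription   = $sub.Name
        Id             = $sub.Id
        Roles          = ($roles -join ', ')
        CanAssignRoles = [bool]($roles | Where-Object { $needed -contains $_ })
    }
}
```

Run it as .\Test-AwnAzurePrereqs.ps1 -TenantId <tenant ID>; any subscription that reports CanAssignRoles as False will not accept the role assignments the configuration script makes in Step 2, so fix the user's role there first.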
Steps
Complete this procedure for each Azure tenant that you want Arctic Wolf to monitor, to ensure that your Concierge Security® Team (CST) has the best possible coverage of your Azure services:
Step 1: Download and extract the Azure AD configuration file
- Download the awn-office365-azure-configure.zip file and move it to an easily-accessible folder on your Windows machine.
- Right-click the awn-office365-azure-configure.zip file, and then select Extract All.
- In the Extract Compressed (Zipped) Folders window, find a convenient location to extract the zip file contents. For example, the Desktop folder.
  Note: Verify that Show extracted files when complete is selected.
- Select Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.
Step 2: Configure the Azure AD application
Use the Arctic Wolf Azure PowerShell script to configure Azure monitoring and create a Microsoft Entra ID application to access audit logs. For more information, see Azure Active Directory Configuration Script.
- Open a PowerShell window as an administrator.
- Run Get-InstalledModule to see a list of installed modules.
- If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:
  - If the AzureAD module is missing — Run Install-Module AzureAD.
  - If the Az.Accounts module is missing — Run Install-Module Az.Accounts.
  - If the Az.Resources module is missing — Run Install-Module Az.Resources.
  Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to set the security protocol to TLS 1.2 for the current session, and then try installing the module again.
- Run the batch file:
  - Open the extracted awn-office365-azure-configure folder.
  - Right-click ad-application-configure-azure.bat, and then select Run as administrator to launch the command prompt.
- In the command prompt, press C to create the Microsoft Entra ID application.
- Follow the prompts to create and configure the Microsoft Entra ID application.
  Note: You must authenticate to your Azure tenant as a user with administrator permissions.
- (Azure only) When prompted with a list of active Azure subscriptions in your tenant, select one as the initial subscription for Arctic Wolf to monitor, or select all to monitor all subscriptions.
  When the script succeeds, it outputs information about the next steps in the process, including submitting credentials for the newly-created application to Arctic Wolf.
  Tip: You can add additional subscriptions after the application is successfully created. See Add or remove Azure subscriptions for more information.
- When the PowerShell script finishes creating or updating the Microsoft Entra ID application, press any key to launch the consent URI in your default browser.
  Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.
  Example of expected output:
- Sign in to your tenant as an administrator.
  The Permissions requested Review for your organization window appears.
- Verify that the permissions are correct, and then click Accept.
  You are redirected to the Arctic Wolf website.
  Note: You can provide consent at a later time, but Arctic Wolf is unable to monitor the tenant until consent is granted.
Step 3: Provide credentials to Arctic Wolf
- Sign in to the Arctic Wolf Unified Portal.
- In the menu bar, click Telemetry Management > Connected Accounts.
- Click Add Account +.
- On the Add Account page, from the Account Type list, select Cloud Detection and Response.
- From the list of cloud services, select Azure Graph.
- On the Add Account page, complete these steps:
  - Account Name — Enter a unique and descriptive name for the account.
  - For each of these fields, enter the appropriate value:
    - Application (client) ID
    - Directory (tenant) ID
    - Client Secret
  - From the Microsoft Cloud list, select the option that matches your Microsoft Cloud or Azure AD environment type.
  - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
- Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
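The following script is an added example, not part of the Arctic Wolf download or documentation. It reads the app registration that the configuration script created and prints the Application (client) ID, the Directory (tenant) ID and the client secret expiry that Step 3 asks for, and warns when a secret is expired or close to expiry. The secret value itself is displayed by Azure only once, when it is created, and cannot be read back; copy it from the configuration script's output when it is shown. The script assumes Az.Accounts and Az.Resources 5.x or later (the Microsoft Graph-based versions, whose credential objects expose EndDateTime), and that the file name Get-AwnAzureCredentialInfo.ps1, the $TenantId value and the $AppDisplayName value (the registration's name as shown under App registrations) are placeholders you supply.

```powershell
# Added helper, not part of the Arctic Wolf configure script. Save as
# Get-AwnAzureCredentialInfo.ps1 (hypothetical name). Assumed: Az.Accounts and Az.Resources
# 5.x or later; $AppDisplayName is the name of the registration the configure script created.
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [Parameter(Mandatory = $true)] [string] $AppDisplayName,
    [int] $WarnDays = 30    # warn when a secret expires within this many days
)
$ErrorActionPreference = 'Stop'
Connect-AzAccount -TenantId $TenantId | Out-Null

# Display names are not unique in Entra ID; refuse to guess if there is more than one match.
$apps = @(Get-AzADApplication -DisplayName $AppDisplayName)
if ($apps.Count -ne 1) {
    throw "Expected exactly one app registration named '$AppDisplayName', found $($apps.Count)"
}
$app = $apps[0]

# The connected account authenticates as the app's service principal in this tenant; the
# admin consent step creates it if it does not exist yet, so a missing one means consent
# has not been granted.
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId

# Client secrets live in PasswordCredentials; certificates would be in KeyCredentials.
$now     = [DateTime]::UtcNow
$secrets = @($app.PasswordCredentials | Sort-Object EndDateTime -Descending)
$latest  = if ($secrets.Count -gt 0) { $secrets[0] } else { $null }

[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Directory (tenant) ID'   = $TenantId
    'Service principal'       = if ($sp) { $sp.Id } else { 'missing (consent not granted)' }
    'Client secrets'          = $secrets.Count
    'Credential Expiry (UTC)' = if ($latest) { ([DateTime]$latest.EndDateTime).ToString('u') } else { 'none' }
} | Format-List

# Expiry check for every secret on the registration, not just the newest one.
foreach ($s in $secrets) {
    $days = [int]([DateTime]$s.EndDateTime - $now).TotalDays
    if ($days -lt 0) {
        Write-Warning "Secret $($s.KeyId) expired $(-$days) day(s) ago; re-run the configure script and resubmit credentials"
    } elseif ($days -lt $WarnDays) {
        Write-Warning "Secret $($s.KeyId) expires in $days day(s); rotate it and update the connected account before then"
    }
}
```

Enter the printed Credential Expiry value in the Credential Expiry field so the portal can track it; a connected account whose secret has lapsed stops delivering logs silently from Arctic Wolf's side, so the expiry warning is the check to schedule.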
Step 4: Opt in to Azure AD Trusted Traveler's Group
This is an optional step. Arctic Wolf can suppress alerts for groups of Azure AD users who sign in from a restricted country, for example if you have employees who travel frequently and trigger this alert without malicious intent.
Notes:
- We only recommend suppressing restricted country login alerts for employees who are consistently traveling, to avoid missing potential security incidents.
- This suppression is only applicable for employees who are members of 20 or fewer Azure AD groups.
We recommend creating a new Azure AD group, or using an existing one, that includes all frequent travelers. Use this group only to track travelers. The group name can conform to your internal group naming policies.
To opt in:
- Contact your CST and provide the name of the Azure AD group or groups, ensuring that case sensitivity and spelling are correct.
Arctic Wolf will suppress login alerts for all members of that group. If you have any questions, contact your CST.
Step 5: Add or remove Azure subscriptions
This is an optional step. When you created the Azure AD application for Azure monitoring, you specified the initial Azure subscriptions for Arctic Wolf monitoring. To configure Arctic Wolf monitoring of additional Azure subscriptions or remove previously-added subscriptions:
- Open a PowerShell window as an administrator.
- Run the batch file:
  - Open the extracted awn-office365-azure-configure folder.
  - Right-click ad-application-configure-azure.bat, and then select Run as administrator to launch the command prompt.
- In the command prompt, select:
  - A — To add an Azure subscription for monitoring.
  - R — To remove an Azure subscription from monitoring.
- When prompted, authenticate to your Azure tenant as a user with administrator permissions.
- Select the subscription you want to add or remove. The selected subscriptions are updated, and the required roles are assigned or removed.
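The following coverage check is an added example, not part of the Arctic Wolf download or documentation. Options A and R in the batch file add or remove role assignments for the application's service principal on the chosen subscriptions, so comparing every subscription in the tenant against those assignments shows which subscriptions Arctic Wolf can actually read, and catches a subscription created after the initial setup that was never added. It assumes Az.Accounts and Az.Resources, that the signed-in user can read role assignments on every subscription, and that the file name Test-AwnAzureSubscriptionCoverage.ps1, the $TenantId value and the $AppDisplayName value (the registration's name) are placeholders you supply. The page does not say which roles the script assigns, so the check reports whatever assignments exist rather than expecting particular role names.

```powershell
# Added coverage check, not part of the Arctic Wolf configure script. Save as
# Test-AwnAzureSubscriptionCoverage.ps1 (hypothetical name). Assumed: Az.Accounts and
# Az.Resources; $AppDisplayName is the name of the registration the configure script created.
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [Parameter(Mandatory = $true)] [string] $AppDisplayName
)
$ErrorActionPreference = 'Stop'
Connect-AzAccount -TenantId $TenantId | Out-Null

$sps = @(Get-AzADServicePrincipal -DisplayName $AppDisplayName)
if ($sps.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($sps.Count)"
}
$sp = $sps[0]

$report = foreach ($sub in Get-AzSubscription -TenantId $TenantId) {
    $scope = "/subscriptions/$($sub.Id)"
    # Select the subscription first so the role-assignment query runs against it.
    Set-AzContext -Subscription $sub.Id -Tenant $TenantId | Out-Null
    # Assignments at subscription scope plus any inherited from a management group above it;
    # the Scope of each assignment tells you which.
    $assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Subscription = $sub.Name
        Id           = $sub.Id
        State        = $sub.State
        Monitored    = ($assignments.Count -gt 0)
        Roles        = (($assignments | ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" }) -join '; ')
    }
}

$report | Sort-Object Monitored, Subscription | Format-Table -AutoSize

# Enabled subscriptions with no assignment are blind spots; disabled ones are not worth adding.
$gaps = @($report | Where-Object { $_.State -eq 'Enabled' -and -not $_.Monitored })
if ($gaps.Count -gt 0) {
    $msg = "{0} enabled subscription(s) have no role assignment for '{1}'; run the batch file and choose A for any that should be monitored" -f $gaps.Count, $AppDisplayName
    Write-Warning $msg
}
```

Run the check after every A or R operation, and periodically afterwards: new subscriptions created in the tenant are not monitored until they are added with option A, and the script makes that gap visible.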
Delete the Azure AD application
This is an optional task that is only needed if you want to end Azure monitoring. To end Azure monitoring, delete the Azure AD application. Removing subscriptions from the Azure AD application is the recommended workflow only for changing which subscriptions are monitored, not for ending Azure monitoring.
- Sign in to the Azure portal and navigate to the tenant registered with the Azure AD application.
- Select Azure Active Directory.
- Under Manage, select App registrations.
- Select the relevant Azure AD application. The application overview page opens.
- On the Overview page:
- Click Delete.
- Read and accept the warning.
- To confirm deletion, click Delete.
Tip: Instead of using the Azure portal, you can delete the Azure AD application by running the batch file ad-application-configure-azure.bat as an administrator. Select D - Delete application in the command prompt and, when prompted, authenticate to your Azure tenant as a user with administrator permissions.