This document provides the steps to configure Microsoft Azure monitoring.
- Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.
- Azure Active Directory sign-in and audit logs may have a reporting latency of up to 8 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See the Azure Active Directory reporting latencies documentation on the Microsoft website for more information.
Complete these procedures in order for each Azure tenant that you want Arctic Wolf to monitor, to ensure that your Concierge Security® Team (CST) has the best possible coverage of your Azure services:
- Depending on your cloud firewall settings, you may need to add firewall exceptions for the Arctic Wolf IP addresses listed under "If Arctic Wolf monitors your Cloud Services" on the Arctic Wolf IP Addresses page in the Arctic Wolf Portal.
- You must have a custom or default Security Center-generated Log Analytics workspace to use Security Center.
- Automatically configuring an Azure Active Directory application
- Providing credentials to Arctic Wolf
Additional recommended configuration
Arctic Wolf recommends completing this additional configuration: Configuring Data Collection
Providing credentials to Arctic Wolf
To submit your credentials to Arctic Wolf:
Sign in to the Arctic Wolf Portal.
Select Connected Accounts in the banner menu to open the Connected Accounts page.
Select + Add Account to open the Add Account form.
Select Cloud Threat Detection as the Account Type.
Select Azure from the list of cloud services, and fill in the form:
Enter a descriptive name for the credentials.
Paste these values into their respective text boxes:
- Directory ID
- Application ID
- Secret Key
Click Submit to CST.
When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.
Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your CST provisions security monitoring for your Azure enterprise, the status of your Azure credentials changes to Connected.