Microsoft Azure Monitoring — Script Configuration

Updated Sep 27, 2023

Microsoft Azure monitoring

Arctic Wolf® uses Azure® logs to monitor Azure Active Directory (AD) applications and alert you about suspicious or malicious activity.

There are two ways to configure Microsoft Azure monitoring:

Supported regions for Azure monitoring

Arctic Wolf supports monitoring for all Azure regions except for regions in Azure Government. For more information, see Supported Azure Regions and Azure Geographies.

Azure monitoring limitations

Configure Microsoft Azure monitoring

You can use the Arctic Wolf Azure PowerShell script to configure Azure monitoring. For more information about how the script works, see Azure Active Directory Configuration Script.

When successfully configured, Arctic Wolf can use the Azure logs to monitor Azure AD applications and alert you about suspicious or malicious activity.

Requirements

Steps

Complete this procedure for each Azure tenant that you want Arctic Wolf to monitor, to ensure that your Concierge Security® Team (CST) has the best possible coverage of your Azure services:

  1. Download and extract the Azure AD configuration file.

  2. Configure the Azure AD application.

  3. Provide credentials to Arctic Wolf.

  4. (Optional, Azure AD only) Opt in to Azure AD Trusted Traveler's Group.

  5. (Optional) Add or remove Azure subscriptions.

Step 1: Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file and move it to an easily accessible folder on your Windows machine.

  2. Right-click the awn-office365-azure-configure.zip file, and then select Extract All.

  3. In the Extract Compressed (Zipped) Folders window, find a convenient location to extract the zip file contents. For example, the Desktop folder.

    Note: Verify that Show extracted files when complete is selected.

  4. Select Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

Use the Arctic Wolf Azure PowerShell script to configure Azure monitoring and create a Microsoft Entra ID application that can access the audit logs. For more information, see Azure Active Directory Configuration Script.

  1. Open a PowerShell window as an administrator.

  2. Run Get-InstalledModule to see a list of installed modules.

  3. If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:

    • If the Azure AD module is missing — Run Install-Module AzureAD.
    • If the Az Accounts module is missing — Run Install-Module Az.Accounts.
    • If the Az Resources module is missing — Run Install-Module Az.Resources.

    Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 in the same PowerShell session to force TLS 1.2 (the setting applies only to the current session and does not persist), and then try installing the module again.

  4. Run the batch file:

    1. Open the extracted awn-office365-azure-configure folder.
    2. Right-click ad-application-configure-azure.bat, and then select Run as administrator to launch the command prompt.
  5. In the command prompt, press C to create the Microsoft Entra ID application.

  6. Follow the prompts to create and configure the Microsoft Entra ID application.

    Note: You must authenticate to your Azure tenant as a user with administrator permissions.

  7. (Azure only) When prompted with a list of active Azure subscriptions in your tenant, select one as the initial subscription for Arctic Wolf to monitor, or select all to monitor all subscriptions.

    When the script succeeds, it outputs information about the next steps in the process, including submitting credentials for the newly-created application to Arctic Wolf.

    Tip: You can add additional subscriptions after the application is successfully created. See Add or remove Azure subscriptions for more information.

  8. When the PowerShell script finishes creating or updating the Microsoft Entra ID application, press any key to launch the consent URI in your default browser.

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

    Example of expected output: (image: Consent URI)

  9. Sign in to your tenant as an administrator.

    The Permissions requested Review for your organization window appears.

    (image: Microsoft 365 permissions)

  10. Verify that the permissions are correct, and then click Accept.

    You are redirected to the Arctic Wolf website.

    Note: You can provide consent at a later time, but Arctic Wolf is unable to monitor the tenant until consent is granted.

    (image: Azure permissions)
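The module check in steps 1 to 3 of Step 2, written out as an added PowerShell example. This is editor-supplied code, not the Arctic Wolf script or batch file: it looks for the three modules named above, installs any that are missing, and applies the TLS 1.2 workaround from the note only when the install fails with a NuGet error. Matching the error on the word "NuGet" is an assumption about the error text; everything else follows the steps as written.

```powershell
# Added example (editor-supplied, not the Arctic Wolf script): install the
# PowerShell modules Step 2 requires. Run from an elevated PowerShell window.
$requiredModules = @('AzureAD', 'Az.Accounts', 'Az.Resources')

# Names of every module currently installed through PowerShellGet.
$installed = @(Get-InstalledModule -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)

$missing = @($requiredModules | Where-Object { $installed -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "All required modules are present: $($requiredModules -join ', ')"
}
else {
    foreach ($module in $missing) {
        Write-Host "Installing $module (answer the repository trust prompts as they appear)..."
        try {
            Install-Module -Name $module -ErrorAction Stop
        }
        catch {
            # Assumption: a failure to fetch the NuGet provider surfaces with
            # 'NuGet' in the error text. Force TLS 1.2 for this session only
            # (the setting does not persist) and retry once, as the note says.
            if ($_.Exception.Message -match 'NuGet') {
                Write-Warning "NuGet error installing $module; forcing TLS 1.2 and retrying."
                [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                Install-Module -Name $module -ErrorAction Stop
            }
            else {
                throw
            }
        }
    }
}

# Confirm what is now installed, with versions, before running the batch file.
Get-InstalledModule -Name $requiredModules -ErrorAction SilentlyContinue |
    Select-Object Name, Version, Repository |
    Format-Table -AutoSize
```

Install-Module pulls from the PowerShell Gallery by default; the example deliberately does not pass -Force, so the repository trust prompt is shown and can be reviewed rather than silently accepted. Close and reopen the PowerShell window after installing so the new modules are loaded before the batch file runs.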

Step 3: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Azure Graph.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.

    2. For each of these fields, enter the appropriate value:

      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret
    3. From the Microsoft Cloud list, select the option that matches your Microsoft Cloud or Azure AD environment type.

    4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
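The values the Add Account form asks for, read from the tenant with Az PowerShell rather than copied by hand. This is an added example, not part of the Arctic Wolf script: the application display name is a placeholder that must be replaced with the name the script gave the registration, and the 30-day warning threshold is an arbitrary choice. The client secret itself cannot be read back from Azure after creation, so the example only reports its expiry for the Credential Expiry field.

```powershell
# Added example (editor-supplied, not the Arctic Wolf script): collect the
# Application (client) ID, Directory (tenant) ID and secret expiry for Step 3.
# Assumption: the display name of the registration the script created.
$appDisplayName = 'ArcticWolf-Azure-Monitoring'   # placeholder; use the real name

Connect-AzAccount | Out-Null                      # interactive sign-in to the tenant
$context = Get-AzContext

$app = @(Get-AzADApplication -DisplayName $appDisplayName)
if ($app.Count -eq 0) { throw "No app registration named '$appDisplayName' in tenant $($context.Tenant.Id)" }
if ($app.Count -gt 1) { throw "Display name '$appDisplayName' is ambiguous; look the app up by its ApplicationId instead" }
$app = $app[0]

# Secrets cannot be retrieved after creation; only their metadata (KeyId, expiry) can.
$credentials = @(Get-AzADAppCredential -ApplicationId $app.AppId)
$latest = $credentials | Sort-Object EndDateTime | Select-Object -Last 1

[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Directory (tenant) ID'   = $context.Tenant.Id
    'Client Secret'           = '(not retrievable from Azure; use the value the configuration script produced)'
    'Credential Expiry'       = if ($latest) { $latest.EndDateTime } else { '(no credentials found)' }
} | Format-List

# Warn about credentials that are expired or close to expiring (30 days is an arbitrary threshold).
foreach ($cred in $credentials) {
    $daysLeft = ($cred.EndDateTime - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        Write-Warning "Credential $($cred.KeyId) expires in $daysLeft day(s) on $($cred.EndDateTime)"
    }
}
```

When the secret is rotated, the new expiry must be entered in the Credential Expiry field and the new secret resubmitted; monitoring stops when the secret Arctic Wolf holds expires.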

Step 4: Opt in to Azure AD Trusted Traveler's Group

This is an optional step. Arctic Wolf can suppress alerts for groups of Azure AD users who sign in from a restricted country, for example if you have employees who travel frequently and trigger this alert without malicious intent.

Notes:

  • We only recommend suppressing restricted country login alerts for employees who are consistently traveling, to avoid missing potential security incidents.
  • This suppression only applies to employees who are members of 20 or fewer Azure AD groups.

We recommend creating a new Azure AD group, or using an existing one, that includes all frequent travelers. Use this group only to track travelers. The group name can follow your internal group naming policies.

To opt in:

Arctic Wolf will suppress login alerts for all members of that group. If you have any questions, contact your CST.

Step 5: Add or remove Azure subscriptions

This is an optional step. When you created the Azure AD application for Azure monitoring, you specified the initial Azure subscriptions for Arctic Wolf monitoring. To configure Arctic Wolf monitoring of additional Azure subscriptions or remove previously-added subscriptions:

  1. Open a PowerShell window as an administrator.
  2. Run the batch file:
    1. Open the extracted awn-office365-azure-configure folder.
    2. Right-click ad-application-configure-azure.bat, and then select Run as administrator to launch the command prompt.
  3. In the command prompt, select:
    • A — To add an Azure subscription for monitoring.
    • R — To remove an Azure subscription from monitoring.
  4. When prompted, authenticate to your Azure tenant as a user with administrator permissions.
  5. Select the subscription you want to add or remove. The selected subscriptions are updated, and the required roles are assigned or removed.
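A check for what the A and R options actually changed, as an added PowerShell example that is not part of the Arctic Wolf script: for every subscription in the tenant it lists the role assignments held by the monitoring application's service principal, so a subscription that was added without a role, or removed but still holds one, stands out. The Application (client) ID is a placeholder GUID; the page does not name the roles the script assigns, so the example reports whatever roles it finds rather than checking for specific ones.

```powershell
# Added example (editor-supplied, not the Arctic Wolf script): show, per
# subscription, which roles the monitoring app's service principal holds.
# Assumption: $appId is the Application (client) ID of the app the script created.
$appId = '00000000-0000-0000-0000-000000000000'   # placeholder GUID

Connect-AzAccount | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal for application $appId in tenant $tenantId" }

# Only subscriptions in the signed-in tenant; other tenants need a separate run.
$subscriptions = Get-AzSubscription -TenantId $tenantId

$report = foreach ($sub in $subscriptions) {
    # Assignments at the subscription scope, including any inherited from a
    # management group above it. Reading them requires at least Reader on the subscription.
    $assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id `
        -Scope "/subscriptions/$($sub.Id)" -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Subscription   = $sub.Name
        SubscriptionId = $sub.Id
        HasRole        = $assignments.Count -gt 0
        Roles          = ($assignments.RoleDefinitionName | Sort-Object -Unique) -join ', '
    }
}

$report | Format-Table -AutoSize

# A subscription where the service principal holds no role is not one the app can read.
$report | Where-Object { -not $_.HasRole } |
    ForEach-Object { Write-Warning "No role assignment for the monitoring app on: $($_.Subscription)" }
```

Run it once before and once after using the A or R option and compare the two tables; the subscriptions whose HasRole value changed are the ones the script touched.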

Delete the Azure AD application

This is an optional task that is only needed if you want to end Azure monitoring. To end Azure monitoring, delete the Azure AD application. Removing subscriptions from the Azure AD application is the recommended workflow for changing which subscriptions are monitored, not for ending Azure monitoring.

  1. Sign in to the Azure portal and navigate to the tenant registered with the Azure AD application.
  2. Select Azure Active Directory.
  3. Under Manage, select App registrations.
  4. Select the relevant Azure AD application. The application overview page opens.
  5. On the Overview page:
    1. Click Delete.
    2. Read and accept the warning.
    3. To confirm deletion, click Delete.

Tip: Instead of using the Azure portal, you can delete the Azure AD application by running the batch file ad-application-configure-azure.bat as an administrator. Select D - Delete application in the command prompt and, when prompted, authenticate to your Azure tenant as a user with administrator permissions.

See also