Configure Microsoft Azure monitoring manually

Arctic Wolf® uses Azure® logs to monitor the Azure environment and alert you about suspicious or malicious activity. This procedure describes how to manually access Azure logs and assign the required permissions to the application through the Azure portal.

To implement this monitoring, you must provide this information the Arctic Wolf:

• Directory ID
• Application ID
• Application-generated Secret Key

Supported regions for Azure monitoring

Arctic Wolf supports monitoring for all Azure regions except for regions in Azure Government. For more information, see Supported Azure Regions and Azure Geographies.

Azure monitoring limitations

• Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.
• Azure Active Directory sign-in and audit logs may have a reporting latency of up to 8 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See the Azure Active Directory reporting latencies documentation on the Microsoft website for more information.

Configure an Azure Active Directory application

Once Azure monitoring is successfully configured, Arctic Wolf can use the Azure logs to monitor Azure AD applications and alert you about suspicious or malicious activity.

Requirements

• A Microsoft Azure account with access to the Azure Portal
• An active Azure subscription.
• Sufficient permissions to register an application with your Azure tenant.
• An Owner or User Access Administrator role on the subscription. This role provides you with the Microsoft.Authorization/*/Write access to assign an AD application to other roles.

Steps

1. Check Azure AD permissions.
2. Register the application.
3. Expose the Log Analytics API in the Azure tenant.
4. Assign permissions for the application.
5. Create custom roles in the Azure tenant.
6. Assign roles to the application in the Azure subscription.
7. Provide credentials to Arctic Wolf.

Step 1: Check Azure AD permissions

1. Sign in to the Azure portal using your Azure account credentials.

2. Open the navigation menu, and then select Azure Active Directory.

3. Select Users > User Settings from the navigation pane.

4. If App registrations is set to:

   • Yes — Any user in the Azure AD tenant can register an application. Proceed to the next section to register the application.

   • No — Only admin users can register applications. Proceed to the next step to check if your account is an admin for the Azure AD tenant.

5. In the navigation pane, select All Users.

6. In the search bar, search for your account, and then select it to open it.

7. Select Azure Role Assignments to view your assigned role in Azure AD.

8. If your account is a:

   • Owner or User Access Administrator — Proceed to the next section.

   • User — Ask your administrator to either assign you to an administrator role or enable non-admin users to register applications, before proceeding to the next section.

Step 2: Register the application

1. Sign in to the Microsoft Azure Portal console, if you have not already done so.

2. Open the navigation menu, and then select Azure Active Directory.

3. Select App registrations from the navigation pane.

4. Select New registration.

5. On the Register an application page, enter a memorable name for the application in the Name text box.

6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

   Note: You can leave all other fields as their default.

7. Click Register.

   This opens the page for the newly registered application.

8. Make note of the following values. You need to provide these values to Arctic Wolf later.

   • Application (client) ID
   • Directory (tenant) ID

9. Open PowerShell in a Cloud Shell session in the Azure portal:

   You may need to create a storage account if this is your first time using Cloud Shell.

   1. In the header panel, click >_ Cloud Shell to start a new session.

   2. Verify that PowerShell is selected.

   

10. Run the following command, replacing <application_name> with the name of the application you created in an earlier step:

    Connect-AzureAD
    $startDate = Get-Date
    $endDate = $startDate.AddYears(250)
    $awnId = (Get-AzAdApplication | Where-Object {$_.DisplayName -eq "<application_name>"}).Id
    $awnSecret = New-AzAdAppCredential -ObjectId $awnId -StartDate $startDate -EndDate $endDate
    $awnSecret

    This block will create a secret and associate it with the application you created. The secret will expire 250 years from the current date.

11. Copy the SecretText value to a secure location. You need this value when you provide credentials to Arctic Wolf.

    

Step 3: Expose the Log Analytics API in the Azure tenant

One of the API permissions needed for the newly-created application is not displayed by default in the list of APIs available through the Azure portal. You must manually add it to the Azure tenant.

1. From Cloud Shell, run this command:

   Get-AzAdServicePrincipal | Where-Object {$_.DisplayName -eq "Log Analytics API"}

   1. If you see the Log Analytics API results, proceed to Assign permissions to the application.
   2. If not, proceed to the next step.

2. From Cloud Shell, run this command to create a service principal for the API and expose the Log Analytics API in this tenant:

   New-AzAdServicePrincipal -ApplicationId ca7f3f0b-7d91-482c-8e09-c5d840d0eac5

   Successful output:

   

Step 4: Assign permissions for the application

1. Open the Azure Portal navigation menu, and then select Azure Active Directory > App registrations.

2. Select the application you created in Register the application..

3. In the navigation pane, click API permissions.

4. Remove the User.Read permission for Microsoft Graph:

   1. Click Menu next to the User.Read permission under Microsoft Graph and select Remove permission.
   2. Click Yes, remove on the resulting dialog.

5. Add Log Analytics API permissions:

   1. On the API permissions page, CLick + Add a permission.
   2. In the Request API permissions pane, click the APIs my organization uses tab.
   3. Search for and select Log Analytics API.
   4. Click Application Permissions.
   5. Select the checkbox for Data.Read.
   6. Click Add permissions.

6. Add Microsoft Graph permissions:

   1. On the API permissions page, click + Add a permission.

   2. In the Request API permissions pane, navigate to Microsoft APIs tab.

   3. Click Microsoft Graph.

   4. Click Application Permissions.

   5. Select the checkboxes for these permissions:

      • AuditLog.Read.All
      • Directory.Read.All
      • Group.Read.All
      • IdentityRiskEvent.Read.All
      • IdentityRiskyUser.Read.All
      • Organization.Read.All
      • SecurityEvents.Read.All
      • User.Read.All

      Tip: You can use the search bar to find these permissions faster.

   6. Click Add permissions.

7. Add Office 365 Management API permissions:

   1. On the API permissions page, click + Add a permission.

   2. In the Request API permissions pane, navigate to Microsoft APIs.

   3. Click Office 365 Management APIs.

   4. Click Application Permissions.

   5. Select the checkboxes for these permissions:

      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read

   6. Click Add permissions.

8. Click Grant admin consent for , and then click Yes on the resulting dialog.

Step 5: Create custom roles in the Azure tenant

To access resources in your subscription, you must assign these custom read-only Azure roles to the application in addition to the built-in roles:

• Arctic Wolf Storage Account Reader
• Arctic Wolf Network Reader

1. Return to PowerShell in the Cloud Shell session.

2. Find the IDs of all of the subscriptions that the application will monitor:

   1. Run this command to get the list of all of the subscriptions in the current tenant.

      Get-AzSubscription

   2. Save the ID value for each of the subscriptions that you want to monitor. You need to provide these values in a later step.

      

3. Run this command to download the awn-office365-azure-configure.zip file:

   Invoke-WebRequest -Uri https://docs.arcticwolf.com/resources/awn-office365-azure-configure.zip -OutFile awn-office365-azure-configure.zip

4. Run this command to extract the contents of the awn-office365-azure-configure.zip file into a directory, where <zip_filepath> is the full filepath of the awn-office365-azure-configure.zip file and <destination_filepath> is the full filepath of the destination for the extracted contents:

    Expand-Archive <zip_filepath> -DestinationPath <destination_filepath>

5. Select { } Open Editor in Cloud Shell for each of these text files:

   • awn-office365-azure-configure > Configs > awn-network-reader.json
   • awn-office365-azure-configure > Configs > awn-storage-account-reader.json

6. Under AssignableScopes, add the full path of the subscription IDs from a previous step.

   For example:

   "AssignableScopes": [
   "/subscriptions/21680904-e637-4eb8-834d-77f757ef1bf7"
   ]

7. Save the changes.

8. Upload each file:

   1. In the Azure Cloud Shell session, click Upload/Download files > Upload.
   2. Navigate to and select the JSON file.

9. Run this command to create the custom Arctic Wolf Network Reader custom role:

   New-AzRoleDefinition -InputFile ./awn-network-reader.json

   If successful, the role definition displays in the Cloud Shell session.

10. Run this command to create the custom Arctic Wolf Storage Account Reader custom role:

    New-AzRoleDefinition -InputFile ./awn-storage-account-reader.json

    If successful, the role definition displays in the Cloud Shell session.

If the custom role definitions are not successful, restart the procedure. Ensure that the subscription IDs have been entered correctly and that both files have been uploaded. If issues persist, contact your Concierge Security® Team.

Step 6: Assign roles to the application in the Azure subscription

If you have multiple subscriptions, repeat this procedure for each subscription that you want monitored.

1. In the Azure portal, in the navigation pane, click All Services > Subscriptions.

   Tip: You can also search for subscriptions.

2. Select the Azure subscription that you want to monitor.

3. In the subscription information panel that opens, click Access Control (IAM).

4. Click + Add > Add role assignment.

5. On the Add role assignment page, complete these steps:

   1. Search for and select Arctic Wolf Networks Storage Account Reader from the Role list.

   2. Click Next.

   3. Choose + Select Members.

   4. Search for and select the name of the application you created in Register the application..

   5. Click Review + assign twice.

   6. Repeat for the remaining roles:

      • Arctic Wolf Networks Network Reader
      • Log Analytics Reader
      • Monitoring Reader
      • Security Reader

6. To validate, select the Role assignments tab and search for Azure Sensor. Verify that all five roles are listed:

   • Arctic Wolf Networks Storage Account Reader
   • Arctic Wolf Networks Network Reader
   • Log Analytics Reader
   • Monitoring Reader
   • Security Reader

Step 7: Provide credentials to Arctic Wolf

1. Sign in to the Arctic Wolf Unified Portal.

2. In the menu bar, click Telemetry Management > Connected Accounts.

3. Click Add Account +.

4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

5. From the list of cloud services, select Azure Graph.

6. On the Add Account page, complete these steps:

   1. Account Name — Enter a unique and descriptive name for the account.

   2. For each of these fields, enter the appropriate value:

      • Application (client) ID
      • Directory (tenant) ID
      • Client Secret

   3. From the Microsoft Cloud list, select the option that matches your Microsoft Cloud or Azure AD environment type.

   4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

7. Click Test and Submit Credentials.

   After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

See also

• Microsoft Azure Monitoring - Script Configuration
• Supported Azure Regions
• Check access for a user to Azure resources
• Register an application with the Microsoft identity platform
• Azure custom roles
• Assign Azure roles using the Azure portal