
Microsoft Azure Monitoring Configuration — Manual

Updated Apr 4, 2024

Configure Microsoft Azure AD applications for Arctic Wolf monitoring manually

You can manually configure Microsoft Azure to send the necessary logs to Arctic Wolf for security monitoring.

For information about Azure monitoring limitations and supported monitoring regions, see Microsoft Azure monitoring.

Note: The manual configuration steps are an alternative to the script configuration, and can be used to replicate the same target state by other means, for example with Infrastructure as Code. For the script configuration steps, see Microsoft Azure monitoring.

Requirements

Before you begin

Steps

  1. Check Azure AD permissions.
  2. Register the application.
  3. Expose the Log Analytics API in the Azure tenant.
  4. Assign permissions to the application.
  5. Create custom Arctic Wolf roles in the Azure tenant.
  6. Assign roles to the application in the Azure subscription.
  7. Provide your Microsoft Azure AD credentials to Arctic Wolf.

Step 1: Check Azure AD permissions

  1. Sign in to the Microsoft Entra admin center (formerly Azure AD) with your account credentials.

  2. In the navigation menu, click Identity.

  3. In the Users section, click User Settings.

  4. If Users can register applications is set to:

    • Yes — Any user in the Microsoft Entra ID (formerly Azure AD) tenant can register an application. Continue to Register the application.
    • No — Only admin users can register applications. Continue to the next step to see if your account is an admin for the Microsoft Entra ID (formerly Azure AD) tenant.
  5. In the navigation menu, click All Users.

  6. In the search bar, enter your account name, and then select it.

  7. Click Azure Role Assignments to view your assigned role in Microsoft Entra ID (formerly Azure AD).

  8. If your account is:

    • An Owner or a User Access Administrator — Complete Register the application.
    • A User — Ask your administrator to either assign you administrator permissions or enable non-admin users to register applications, before completing Register the application.

Step 2: Register the application

  1. Sign in to the Microsoft Entra admin center (formerly Azure AD).

  2. In the navigation menu, click Microsoft Entra ID (Azure AD).

  3. In the navigation menu, in the Applications section, click App registrations.

  4. Click New registration.

  5. On the Register an application page, in the Name field, enter a name for the application.

  6. In the Supported Account types section, select Accounts in this organizational directory only (<Organization-Name> only - Single Tenant).

    Note: Keep all other fields as their default.

  7. Click Register.

    The page for the newly registered application opens.

  8. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

  9. Open PowerShell in a Cloud Shell session in the Azure Portal:

    Tip: If this is your first time using Cloud Shell, you might need to create a storage account.

    1. In the header panel, click >_ Cloud Shell to start a new session.

    2. Verify that PowerShell is selected.

      (Screenshot: the >_ Cloud Shell button with PowerShell selected)

  10. Run these commands to create a client secret and associate it with the application you created. The secret will expire 250 years from the current date:

    # Cloud Shell is already signed in to Azure with the Az module, which the commands below use.
    # If you run this from a local PowerShell session instead, sign in first with Connect-AzAccount.
    $startDate = Get-Date
    $endDate = $startDate.AddYears(250)
    # Look up the app registration by its display name and take its object ID
    $awnId = (Get-AzADApplication | Where-Object {$_.DisplayName -eq "<application_name>"}).Id
    # Create the client secret on the application; the SecretText is shown only in this output
    $awnSecret = New-AzADAppCredential -ObjectId $awnId -StartDate $startDate -EndDate $endDate
    $awnSecret

    Where:

    • <application_name> is the name of the application you created in an earlier step.
  11. Copy the SecretText value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

    (Screenshot: PowerShell output showing the SecretText value)

Step 3: Expose the Log Analytics API in the Azure tenant

  1. In Cloud Shell, run this command:

    Get-AzAdServicePrincipal | Where-Object {$_.DisplayName -eq "Log Analytics API"}
    1. If you see the Log Analytics API in the results, complete Assign permissions to the application.
    2. If you do not see the Log Analytics API in the results, go to the next step.
  2. Run this command to create a service principal for the API and expose the Log Analytics API in this tenant:

    New-AzAdServicePrincipal -ApplicationId ca7f3f0b-7d91-482c-8e09-c5d840d0eac5

    Example of successful output:

    (Screenshot: PowerShell output showing the Log Analytics API display name, Id, and AppId)

Step 4: Assign permissions to the application

  1. In the Entra ID navigation menu, in the Identity section, click Applications > App registrations.

  2. Click the All registrations tab, and then select the application you created in Register the application.

  3. In the navigation menu, click API permissions.

  4. Remove the User.Read permission for Microsoft Graph:

    1. In the Microsoft Graph section, click Menu next to the User.Read permission, and then select Remove permission.
    2. In the resulting dialog, click Yes, remove.
  5. Add Log Analytics API permissions:

    1. On the API permissions page, click + Add a permission.
    2. In the Request API permissions pane, click the APIs my organization uses tab.
    3. In the search bar, enter log analytics API, and then select Log Analytics API.
    4. Click Application Permissions.
    5. Select the Data.Read checkbox.
    6. Click Add permissions.
  6. Add Microsoft Graph permissions:

    1. On the API permissions page, click + Add a permission.

    2. In the Request API permissions pane, click Microsoft APIs.

    3. On the Microsoft APIs tab, click Microsoft Graph.

    4. Click Application Permissions.

    5. Select these checkboxes:

      • AuditLog.Read.All
      • Directory.Read.All
      • Group.Read.All
      • IdentityRiskEvent.Read.All
      • IdentityRiskyUser.Read.All
      • Organization.Read.All
      • SecurityEvents.Read.All
      • User.Read.All

      Tip: You can use the search bar to find these permissions faster.

    6. Click Add permissions.

  7. Add Office 365 Management API permissions:

    1. On the API permissions page, click + Add a permission.

    2. In the Request API permissions pane, click Microsoft APIs.

    3. Click Office 365 Management APIs.

    4. Click Application Permissions.

    5. Select these checkboxes:

      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
    6. Click Add permissions.

  8. Click Grant admin consent for [tenant], where tenant is your tenant name, and then click Yes in the resulting dialog.
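The permission set in Step 4 is the application's effective reach into the tenant, so it is worth confirming from the command line that exactly those application permissions, and nothing more, ended up on the registration. The following is an added example, not part of the Arctic Wolf documentation: it reads the app registration with the Az module in Cloud Shell, resolves each permission GUID to its name through the resource's service principal, and reports anything missing, extra, or delegated. It assumes <application_name> is the name from Step 2, uses the Log Analytics API application ID from Step 3, and relies on Microsoft's well-known application IDs for Microsoft Graph (00000003-0000-0000-c000-000000000000) and the Office 365 Management APIs (c5393580-f805-4401-95e8-94b7a6ef2fc2); the RequiredResourceAccess, ResourceAccess and AppRole property names are those of the Az.Resources Microsoft Graph models.

```powershell
# Added example: verify the app registration carries exactly the Step 4 application permissions.
# Assumes the Az.Resources module (Cloud Shell) and the application name from Step 2.
$appName = "<application_name>"

# Expected application permissions keyed by resource application (client) ID.
$expected = @{
    "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5" = @("Data.Read")                        # Log Analytics API
    "00000003-0000-0000-c000-000000000000" = @("AuditLog.Read.All", "Directory.Read.All",
        "Group.Read.All", "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
        "Organization.Read.All", "SecurityEvents.Read.All", "User.Read.All")      # Microsoft Graph
    "c5393580-f805-4401-95e8-94b7a6ef2fc2" = @("ActivityFeed.Read", "ActivityFeed.ReadDlp",
        "ServiceHealth.Read")                                                      # Office 365 Management APIs
}

$app = Get-AzADApplication -DisplayName $appName
if (-not $app) { throw "Application '$appName' not found" }

$problems = @()
foreach ($resource in $app.RequiredResourceAccess) {
    # Resolve permission GUIDs to names via the resource's service principal app roles
    $sp = Get-AzADServicePrincipal -ApplicationId $resource.ResourceAppId
    $roleNames = @{}
    foreach ($role in $sp.AppRole) { $roleNames[$role.Id] = $role.Value }

    # Type 'Role' is an application permission; 'Scope' is delegated and should not be present
    $granted = @()
    foreach ($access in $resource.ResourceAccess) {
        if ($access.Type -eq "Role") { $granted += $roleNames[$access.Id] }
        else { $problems += "Unexpected delegated permission $($access.Id) on $($sp.DisplayName)" }
    }

    $want = $expected[$resource.ResourceAppId]
    if (-not $want) {
        $problems += "Unexpected resource $($sp.DisplayName) ($($resource.ResourceAppId))"
        continue
    }
    foreach ($p in $granted) { if ($want -notcontains $p) { $problems += "Extra permission $p on $($sp.DisplayName)" } }
    foreach ($p in $want) { if ($granted -notcontains $p) { $problems += "Missing permission $p on $($sp.DisplayName)" } }
}
# A resource that is absent entirely would otherwise go unnoticed by the loop above
foreach ($id in $expected.Keys) {
    if ($app.RequiredResourceAccess.ResourceAppId -notcontains $id) {
        $problems += "Resource $id has no permissions configured"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "API permissions match Step 4" }
```

The check covers the permissions requested on the registration, not the admin consent granted in step 8; a registration can list a permission that no administrator has consented to, which is why the Grant admin consent step still has to be confirmed in the portal.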

Step 5: Create custom Arctic Wolf roles in the Azure tenant

  1. In the PowerShell Cloud Shell session, find the IDs of all the subscriptions that the application will monitor:

    1. Run this command to get the list of all the subscriptions in the current tenant:

      Get-AzSubscription
    2. Copy the ID value for each of the subscriptions that you want to monitor, and then save them in a safe, encrypted location. You will provide them to Arctic Wolf later.

      (Screenshot: the subscription Id highlighted in the Cloud Shell output)

  2. Run this command to download the awn-office365-azure-configure.zip file:

    Invoke-WebRequest -Uri https://docs.arcticwolf.com/resources/awn-office365-azure-configure.zip -OutFile awn-office365-azure-configure.zip
  3. Run this command to extract the contents of the awn-office365-azure-configure.zip file into a directory:

    Expand-Archive <zip_filepath> -DestinationPath <destination_filepath>

    Where:

    • <zip_filepath> is the full filepath of the awn-office365-azure-configure.zip file.
    • <destination_filepath> is the full filepath of the destination for the extracted contents.
  4. In Cloud Shell, select { } Open Editor for each of these text files:

    • awn-office365-azure-configure > Configs > awn-network-reader.json
    • awn-office365-azure-configure > Configs > awn-storage-account-reader.json
  5. In the AssignableScopes section, add the full path of the subscription IDs from a previous step.

    For example:

    "AssignableScopes": [
      "/subscriptions/21680904-e637-4eb8-834d-77f757ef1bf7"
    ]
  6. Save the changes.

  7. In the Cloud Shell session, navigate to the awn-office365-azure-configure/Configs directory.

  8. In the directory, run this command to create the custom Arctic Wolf Network Reader role:

    New-AzRoleDefinition -InputFile ./awn-network-reader.json

    If successful, the role definition displays in the Cloud Shell session.

  9. Run this command to create the custom Arctic Wolf Storage Account Reader role:

    New-AzRoleDefinition -InputFile ./awn-storage-account-reader.json

    If successful, the role definition displays in the Cloud Shell session.

If the custom role definitions are not successful, restart the procedure. Make sure that the subscription IDs are entered correctly and that both files are uploaded. If issues persist, contact your Concierge Security® Team at security@arcticwolf.com.
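Editing AssignableScopes by hand in two files is where the subscription-ID mistakes that the paragraph above warns about usually creep in. The following is an added example, not part of the Arctic Wolf documentation or of the downloaded archive: it writes the same scope list into both role definition files, creates the roles with New-AzRoleDefinition as in steps 8 and 9, and then reads each role back to confirm it exists with the expected number of scopes. It assumes the archive from step 3 was extracted to ./awn-office365-azure-configure in Cloud Shell, that the JSON files already contain an AssignableScopes key (as step 5 describes), and that the <subscription_id_…> placeholders are replaced with the IDs saved in step 1.

```powershell
# Added example: populate AssignableScopes in both role definition files, create the custom
# roles, and verify them. Assumes the Az.Resources module (Cloud Shell) and the extracted archive.
$subscriptionIds = @("<subscription_id_1>", "<subscription_id_2>")   # replace with your saved IDs
$configDir = "./awn-office365-azure-configure/Configs"
$files = @("awn-network-reader.json", "awn-storage-account-reader.json")

# Full resource-manager path for each subscription; @() keeps a single ID as an array
$scopes = @($subscriptionIds | ForEach-Object { "/subscriptions/$_" })

foreach ($file in $files) {
    $path = Join-Path $configDir $file
    # Parse the role definition so everything except AssignableScopes is preserved as shipped
    $def = Get-Content -Path $path -Raw | ConvertFrom-Json
    $def.AssignableScopes = $scopes
    # -Depth prevents nested arrays such as Actions/NotActions from being flattened to strings
    $def | ConvertTo-Json -Depth 10 | Set-Content -Path $path

    # Create the role (steps 8 and 9), then read it back at the first subscription scope
    $created = New-AzRoleDefinition -InputFile $path
    $check = Get-AzRoleDefinition -Name $created.Name -Scope $scopes[0]
    if ($check -and $check.AssignableScopes.Count -eq $scopes.Count) {
        Write-Output "Created role '$($check.Name)' assignable to $($scopes.Count) subscription(s)"
    } else {
        Write-Warning "Role from $file was not created as expected; check the subscription IDs"
    }
}
```

Keeping the scope list in one variable means both roles are always assignable to the same set of subscriptions, which is the state Step 6 depends on when it assigns them.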

Step 6: Assign roles to the application in the Azure subscription

For each subscription that you want Arctic Wolf to monitor, complete these steps:

  1. In the Azure portal, in the navigation menu, in the All Services section, click Subscriptions.

    Tip: You can also search for subscriptions in the search bar.

  2. Select the Azure subscription you want to monitor.

  3. In the subscription information panel that opens, click Access Control (IAM).

  4. Click + Add > Add role assignment.

  5. On the Add role assignment page, complete these steps:

    1. Search for and select Arctic Wolf Networks Storage Account Reader from the Role list.
    2. Click Next.
    3. Click + Select Members.
    4. Search for and select the name of the application you created in Register the application.
    5. Click Review + assign twice.
    6. Repeat this step for each of these roles:
      • Arctic Wolf Networks Network Reader
      • Log Analytics Reader
      • Monitoring Reader
      • Security Reader
  6. On the Role assignments tab, find Azure Sensor, and then verify these roles are listed:

    • Arctic Wolf Networks Storage Account Reader
    • Arctic Wolf Networks Network Reader
    • Log Analytics Reader
    • Monitoring Reader
    • Security Reader
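Step 6 has to be repeated for every monitored subscription, and the verification in step 6 is a visual check in the portal. The following is an added example, not part of the Arctic Wolf documentation: it assigns the same five roles to the application at each subscription scope with New-AzRoleAssignment, skips assignments that already exist, and then compares the assignments found at that scope against the expected list, warning on anything missing or broader than the read-only set the page calls for. It assumes the Az.Resources module in Cloud Shell, the application (client) ID saved in Step 2, the subscription IDs saved in Step 5, and that the custom roles from Step 5 were created successfully.

```powershell
# Added example: assign the Step 6 roles at each subscription scope and verify the result.
# Assumes the Az.Resources module (Cloud Shell); replace the placeholders with your saved values.
$appClientId = "<application_client_id>"
$subscriptionIds = @("<subscription_id_1>", "<subscription_id_2>")
$roles = @(
    "Arctic Wolf Networks Storage Account Reader",
    "Arctic Wolf Networks Network Reader",
    "Log Analytics Reader",
    "Monitoring Reader",
    "Security Reader"
)

# Resolve the service principal once; role assignments bind to its object ID
$sp = Get-AzADServicePrincipal -ApplicationId $appClientId
if (-not $sp) { throw "No service principal found for application $appClientId" }

foreach ($subId in $subscriptionIds) {
    $scope = "/subscriptions/$subId"
    # -Scope limits each assignment to this one subscription, never the tenant root
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope
    foreach ($role in $roles) {
        if ($existing.RoleDefinitionName -contains $role) {
            Write-Output "${scope}: '$role' already assigned"
            continue
        }
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope | Out-Null
        Write-Output "${scope}: assigned '$role'"
    }

    # Verify: the expected set must be present, and anything beyond it (including assignments
    # inherited from a management group) is reported so it can be reviewed
    $now = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope
    $missing = @($roles | Where-Object { $now.RoleDefinitionName -notcontains $_ })
    $extra   = @($now.RoleDefinitionName | Where-Object { $roles -notcontains $_ })
    if ($missing) { Write-Warning "${scope}: missing roles: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "${scope}: unexpected roles: $($extra -join ', ')" }
}
```

Running the verification part alone on a schedule gives a simple drift check: the application should never hold more than these five reader roles at any subscription scope.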

Step 7: Provide your Microsoft Azure AD credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, click Azure Graph.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application (client) ID.

    • Directory (tenant) ID — Enter the directory (tenant) ID.

    • Client Secret Value — Enter the value for the client secret.

    • Microsoft Cloud — Select the option that matches your Microsoft Cloud or Azure AD environment type.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.
