
Microsoft 365 Monitoring

Updated Apr 17, 2024

Configure Microsoft 365 for Arctic Wolf monitoring

You can configure Microsoft 365® to send the necessary logs to Arctic Wolf® for security monitoring.

You can use the Arctic Wolf Azure PowerShell script to configure Microsoft 365 monitoring. See Azure Active Directory Configuration Script for more information.

Notes:

  • Throttling can occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached because of a high volume of requests from multiple applications in one Azure tenant or from one application across all Azure tenants. Contention between the Arctic Wolf service and other applications running in the Azure tenant can affect timely log retrieval.

    See Microsoft Graph throttling guidance for more information.

  • Microsoft Entra ID (formerly Azure AD) sign-in and audit logs can have a reporting latency of up to eight hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze.

    See Azure Active Directory reporting latencies for more information.

Requirements

Steps

For each Microsoft 365 tenant that you want Arctic Wolf to monitor, complete these steps:

  1. Download and extract the Azure AD configuration file.
  2. Configure the Azure AD application.
  3. Enable auditing.
  4. Provide your Microsoft 365 credentials to Arctic Wolf.

Step 1: Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file, and then move it to a folder that is easy to access on your Windows machine.

  2. Right-click the awn-office365-azure-configure.zip file, and then click Extract All.

  3. In the Extract Compressed (Zipped) Folders window, find a location to extract the zip file contents. For example, the Desktop folder.

    Note: Verify that the Show extracted files when complete checkbox is selected.

  4. Click Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

  1. Open a PowerShell window with administrator permissions.

  2. Run this command to see a list of installed modules:

    Get-InstalledModule

  3. If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:

    • If the Azure AD module is missing — Run Install-Module AzureAD.
    • If the Az Accounts module is missing — Run Install-Module Az.Accounts.
    • If the Az Resources module is missing — Run Install-Module Az.Resources.

    Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing the module again.


  4. Run the Azure PowerShell script:

    For more information about the script, see Microsoft Azure PowerShell Script Details.

    1. Open the extracted awn-office365-azure-configure folder.
    2. Right-click ad-application-configure-office365.bat, and then select Run as administrator to launch the command prompt.

    Note: You must have .NET version 4.7 or later to run the batch file.

  5. In the command prompt, press C to create the Microsoft Entra ID (formerly Azure AD) application.

  6. Follow the prompts to create and configure the Microsoft Entra ID (formerly Azure AD) application.

    Note: You must authenticate to your Azure tenant as a user with administrator permissions.

  7. When the PowerShell script finishes creating or updating the Azure® application, press any key to launch the consent URI in your default browser.

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.


  8. Sign in to your tenant with administrator permissions.

    The Permissions requested Review for your organization window appears.


  9. Make sure the permissions are correct, and then click Accept.

    You are redirected to the Arctic Wolf website.

    Note: You can provide consent at a later time, but Arctic Wolf cannot monitor the tenant until consent is granted.
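    The module check from Step 2, as an added example (this is not Arctic Wolf's script): it forces TLS 1.2 before contacting the PowerShell Gallery so the NuGet error noted above does not occur, installs only the modules listed in Step 2 that are missing, and confirms the .NET Framework 4.7 requirement for the batch file by reading the documented Release registry value (460798 is the 4.7 threshold). Run it from an elevated PowerShell window before launching ad-application-configure-office365.bat.

```powershell
# Added example, not part of the Arctic Wolf package: check the Step 2 prerequisites
# before running the batch file. Run from an elevated PowerShell window.
# Avoid the NuGet/TLS error by forcing TLS 1.2 before any gallery call.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Module names are those listed in Step 2.
$required  = 'AzureAD', 'Az.Accounts', 'Az.Resources'
$installed = @(Get-InstalledModule -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name)

foreach ($name in $required) {
    if ($installed -contains $name) {
        Write-Host "present:    $name"
        continue
    }
    Write-Host "installing: $name"
    # -Force skips the untrusted-repository prompt; -AllowClobber tolerates
    # cmdlet-name overlap between AzureAD and the Az modules.
    Install-Module -Name $name -Force -AllowClobber
}

# The batch file requires .NET Framework 4.7 or later. The Release value is
# Microsoft's documented version marker; 460798 and above means 4.7+.
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
if ($release -ge 460798) {
    Write-Host ".NET Framework 4.7 or later detected (Release $release)"
} else {
    Write-Warning ".NET Framework 4.7 or later is required; found Release '$release'"
}
```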

Step 3: Enable auditing

Audit logs record user and administrative activity within your organization. For more information, see Turn auditing on or off.

Note: By default, mailbox audit events are returned in the Microsoft Purview compliance portal and the Office 365 Management Activity API only for mailboxes of users with E5/A5/G5 licenses. Mailboxes of other users must have auditing enabled explicitly (see step 5). For more information, see Manage mailbox auditing.

  1. Sign in to the Microsoft Purview compliance portal as an administrator or a user with the Audit Logs role assigned. You can verify your roles on the Permissions page in the Exchange admin center.

  2. In the navigation menu, click Audit.

  3. If the Audit page does not display a banner prompting you to turn on auditing to record user and admin activity, auditing is likely already enabled. Confirm this with PowerShell:

    1. Open PowerShell.

    2. Run this command to install the Exchange Online module:

      Install-Module ExchangeOnlineManagement
    3. Run this command to connect and authenticate Exchange Online:

      Connect-ExchangeOnline
    4. Run this command in Exchange Online PowerShell to make sure that auditing is available:

      Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

      Note: You cannot use Security & Compliance PowerShell to run this command.

  4. If auditing is not enabled, click Start recording user and admin activity.

    The banner updates with information when searching is available.

  5. (Users without E5/A5/G5 licenses) Run the appropriate command in Exchange Online PowerShell to enable mailbox auditing so that audit log events are returned for existing user mailboxes:

    Note: Rerun the appropriate command for user mailboxes that are created later, so that their events are also returned.

    • For an individual user:

      Set-Mailbox -Identity <user_mailbox> -AuditEnabled $true

      Where:

      • <user_mailbox> is the user principal name associated with the mailbox.
    • For all users:

      1. Run this command:

        Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
      2. Run this command to update the global default settings:

        Set-OrganizationConfig -AuditDisabled $false

        Users created after configuration inherit the proper auditing settings.

  6. (Optional) Click Search to see a list of all activities recorded within the specified time range.
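  The Step 3 checks as one script, added here as an example (it is not Arctic Wolf's code): it reports whether unified audit log ingestion is on, whether the organization-wide mailbox auditing default is enabled, and which user mailboxes still have AuditEnabled set to False, and with -Fix it applies the Step 3 settings and re-reads them to confirm the change. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online role allowed to run Set-AdminAuditLogConfig and Set-Mailbox; the -Fix switch and the use of Set-AdminAuditLogConfig in place of clicking the banner are this example's choices. Because mailboxes created later are not covered by a one-off run, the report-only mode is worth scheduling.

```powershell
# Added example, not part of the Arctic Wolf documentation or package.
# Assumes: ExchangeOnlineManagement is installed; the signed-in account can run
# Set-AdminAuditLogConfig / Set-Mailbox. Without -Fix the script only reports.
param(
    [switch]$Fix
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit log ingestion. If this is False, no events reach the Office 365
#    Management Activity API regardless of per-mailbox settings. Setting it here is
#    the PowerShell equivalent of the "Start recording user and admin activity" banner.
$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion: enabled"
} elseif ($Fix) {
    Write-Warning "Unified audit log ingestion disabled; enabling (search becomes available after a delay)"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Warning "Unified audit log ingestion disabled; rerun with -Fix to enable it"
}

# 2. Organization-wide default for mailbox auditing (Step 3, Set-OrganizationConfig).
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled organization-wide"
    if ($Fix) { Set-OrganizationConfig -AuditDisabled $false }
} else {
    Write-Host "Organization mailbox auditing default: enabled"
}

# 3. Per-mailbox AuditEnabled. Mailboxes of users without E5/A5/G5 licenses only surface
#    events once this is True, so list every user mailbox where it is still False.
$filter     = "RecipientTypeDetails -eq 'UserMailbox'"
$mailboxes  = @(Get-Mailbox -ResultSize Unlimited -Filter $filter)
$notAudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })
Write-Host ("{0} of {1} user mailboxes have AuditEnabled = False" -f $notAudited.Count, $mailboxes.Count)
$notAudited | ForEach-Object { Write-Host "  $($_.UserPrincipalName)" }

if ($Fix -and $notAudited.Count -gt 0) {
    $notAudited | Set-Mailbox -AuditEnabled $true
    # Re-read rather than trust the write: Set-Mailbox returns nothing on success,
    # so a silently failed change would otherwise go unnoticed.
    $stillOff = @(Get-Mailbox -ResultSize Unlimited -Filter $filter |
                  Where-Object { -not $_.AuditEnabled })
    if ($stillOff.Count -eq 0) {
        Write-Host "All user mailboxes now have AuditEnabled = True"
    } else {
        Write-Warning ("{0} mailboxes still report AuditEnabled = False" -f $stillOff.Count)
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

  Run it once without -Fix to see the current state, then with -Fix to apply the Step 3 settings; the re-read at the end is what distinguishes "command accepted" from "auditing actually on".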

Step 4: Provide your Microsoft 365 credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the cloud services list, click Office 365 Graph.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application (client) ID value from Configure the Azure AD application.

    • Directory (tenant) ID — Enter the directory (tenant) value from Configure the Azure AD application.

    • Client Secret Value — Enter the client secret value from Configure the Azure AD application.

    • Microsoft Cloud list — Select either global or gcc. The value you select should match your Microsoft Cloud or Microsoft Entra ID (formerly Azure AD) environment type.

    • Credential Expiry — (Optional) Enter the expiration date of the client secret, if applicable. Recording it lets you rotate the secret before it expires; once the secret is invalid, Arctic Wolf can no longer authenticate to the tenant and monitoring stops.

  7. Click Test and submit credentials.