Microsoft 365 Monitoring

Updated Nov 20, 2023

Configure Microsoft 365 for Arctic Wolf monitoring
- Requirements
- Steps

Configure Microsoft 365 for Arctic Wolf monitoring

You can configure Microsoft 365® to send the necessary logs to Arctic Wolf® for security monitoring.

You can use the Arctic Wolf Azure PowerShell script to configure Microsoft 365 monitoring. See Azure Active Directory Configuration Script for more information.

Notes:

Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf service and other applications running in the Azure tenant can affect timely log retrieval. See Microsoft Graph throttling guidance for more information.
Microsoft Entra ID (formerly Azure AD) sign-in and audit logs may have a reporting latency of up to 8 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See Azure Active Directory reporting latencies for more information.

Requirements

A user account with Global Administrator permissions.
An Owner or User Access Administrator role on the subscription with Microsoft.Authorization/*/Write permissions, so you can assign the AD application to other roles.
A Windows machine or virtual machine (VM) that you can run the configuration script on.
Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Cloud Service Integrations.

Steps

For each Microsoft 365 tenant that you want Arctic Wolf to monitor, complete these steps:

Download and extract the Azure AD configuration file.
Configure the Azure AD application.
Enable auditing.
Provide your Microsoft 365 credentials to Arctic Wolf.

Step 1: Download and extract the Azure AD configuration file

Download the awn-office365-azure-configure.zip file, and then move it to an easily-accessible folder on your Windows machine.
Right-click the awn-office365-azure-configure.zip file, and then click Extract All.
In the Extract Compressed (Zipped) Folders window, find a location to extract the zip file contents. For example, the Desktop folder.

Note: Verify that the Show extracted files when complete checkbox is selected.
Click Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

Use the Arctic Wolf Azure PowerShell script to configure GCC High monitoring and create an Microsoft Entra ID (formerly Azure AD) application to access audit logs. See Azure Active Directory Configuration Script for more information.

Open a PowerShell window with administrator permissions.
Run this command to see a list of installed modules:

powershell Get-InstalledModule
If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:
- If the Azure AD module is missing — Run Install-Module AzureAD.
- If the Az Accounts module is missing — Run Install-Module Az.Accounts.
- If the Az Resources module is missing — Run Install-Module Az.Resources.
Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing the module again.
Run the batch file:
1. Open the extracted awn-office365-azure-configure folder.
2. Right-click ad-application-configure-office365.bat, and then select Run as administrator to launch the command prompt.
Note: You must have .NET version 4.7 or later to run the batch file.
In the command prompt, press C to create the Microsoft Entra ID (formerly Azure AD) application.
Follow the prompts to create and configure the Microsoft Entra ID (formerly Azure AD) application.

Note: You must authenticate to your Azure tenant as a user with administrator permissions.
When the PowerShell script finishes creating or updating the Azure® application, press any key to launch the consent URI in your default browser.

Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

Example of expected output:
Sign in to your tenant with administrator permissions.

The Permissions requested Review for your organization window appears.
Verify that the permissions are correct, and then click Accept.

You are redirected to the Arctic Wolf website.

Note: You can provide consent at a later time, but Arctic Wolf is unable to monitor the tenant until consent is granted.

Step 3: Enable auditing

Audit logs record user and administrative activity within your organization. See Turn auditing on or off for more information.

Note: Mailbox auditing is enabled by default. See Manage mailbox auditing for more information.

Sign in to the Microsoft Purview compliance portal as an administrator or a user with the Audit Logs role assigned. You can verify your roles on the Permissions page in the Exchange admin center.
In the navigation menu, click Audit.
If no banner displays about turning auditing on to record user and admin activity, verify that audit logging is enabled using PowerShell:
1. Open PowerShell.
2. Run this command to install the Exchange Online module:
```
Install-Module ExchangeOnlineManagement
```
3. Run this command to connect and authenticate Exchange Online:
```
Connect-ExchangeOnline
```
4. Run this command in Exchange Online PowerShell to verify if auditing is available:
```
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
```
  Note: You cannot use Security & Compliance PowerShell to run this command.
If auditing is not enabled, click Start recording user and admin activity.

The banner updates with information about when searching is available.
(Optional) Click Search to see a list of all activities recorded within the specified time range.

Step 4: Provide your Microsoft 365 credentials to Arctic Wolf

Sign in to the Arctic Wolf Unified Portal.
In the menu bar, click Telemetry Management > Connected Accounts.
Click Add Account +.
On the Add Account page, in the Account Type list, select Cloud Detection and Response.
In the Cloud Services list, select Office 365 Graph.
On the Add Account page, configure these settings:
- Account Name — Enter a unique and descriptive name for the account.
- Application (client) ID — Enter the appropriate value.
- Directory (tenant) ID — Enter the appropriate value.
- Client Secret Value — Enter the value for the client secret.
- Microsoft Cloud list — Select either global or gcc. The value you select should match your Microsoft Cloud or Microsoft Entra ID (formerly Azure AD) environment type.
- Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
Click Test and submit credentials.

After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.