Configuring Microsoft 365 Monitoring
Overview
This document provides the steps to configure Microsoft 365 monitoring.
Notes:
- Throttling may occur if too many requests are made to the Microsoft Graph API. This throttling threshold is reached due to a high volume of requests from multiple applications within a single Azure tenant or from a single application across all Azure tenants. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.
- Azure Active Directory sign-in and audit logs may have a reporting latency of up to 8 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See the Azure Active Directory reporting latencies documentation on the Microsoft website for more information.
Requirements
- A user account with Global Administrator permissions.
- The Owner or User Access Administrator role on the subscription, with Microsoft.Authorization/*/Write access, so that you can assign the AD application to other roles.
- Access to a Windows machine or virtual machine (VM) that you can run the configuration script on.
Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If Arctic Wolf monitors your Cloud Services.
Configure Microsoft 365 monitoring
Complete these procedures in order for each Microsoft 365 tenant that you want Arctic Wolf to monitor:
Step 1: Download and extract the Azure AD configuration file
- Download the awn-office365-azure-configure.zip file and move it to an easily accessible folder on your Windows machine.
- Right-click the awn-office365-azure-configure.zip file, and then select Extract All.
- In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents, such as the Desktop folder.
  Note: Verify that Show extracted files when complete is selected.
- Select Extract to extract the contents of the .zip file to the new awn-office365-azure-configure folder in the selected destination.
Step 2: Configure the Azure AD application
You use a PowerShell script to create an Azure AD application that can access audit logs. For more information about Azure AD applications, including using PowerShell to update or delete an application, see Azure AD Application Script.
To configure the Azure AD application:
- Open a PowerShell window as an administrator.
- Run Get-InstalledModule to see a list of installed modules.
- If the Azure AD PowerShell for Graph and/or the Azure Resource Manager (AzureRM) modules are missing, run the appropriate command and follow the prompts to install the missing modules:
  - Azure AD: Install-Module AzureAD
  - AzureRM: Install-Module AzureRM
  Note: If you receive an error about NuGet when installing either of these modules, similar to below, run
  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  to manually set the security protocol to Tls12, and then try installing again.
- Run the batch file:
  - Open the extracted awn-office365-azure-configure folder.
  - Right-click the appropriate batch file, and then select Run as administrator to launch the command prompt:
    - Microsoft 365: ad-application-configure-office365.bat
    - Azure: ad-application-configure-azure.bat
    - O365 GCC High: ad-application-configure-office-365-gcc-high.bat
- In the command prompt, select C to create the Azure AD application.
- Follow the prompts to create and configure the Azure AD application. You must authenticate to your Azure tenant as a user with administrator permissions.
- Save a copy of the transcript file to submit to your CST, for confirmation that the script ran properly.
  The PowerShell configuration script automatically creates the arcticwolf-azure-ad-<target>.zip file in the directory that you ran the script from, where <target> is office365, azure, or combined. This .zip file includes the awn-office365-azure-ad-application-credentials.txt file, containing the application (client) ID, directory (tenant) ID, and secret key values that serve as the credentials for the newly created application.
- Once the PowerShell script finishes creating or updating the Azure AD application, launch the consent URI in your default browser. This looks similar to the image below:
  Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The .txt file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.
- Sign in to your tenant as an administrator and select Accept to grant the requested permissions, which look like the images below.
  Granting the permissions redirects your browser to the Arctic Wolf website.
  Note: You may provide consent at a later time. However, Arctic Wolf is unable to monitor the tenant until consent is granted.
Step 3: Enable auditing
Audit logs record user and administrative activity within your organization. For more information, see Turn auditing on or off in the Microsoft documentation.
Tip: In general, mailbox auditing is enabled by default.
- Sign in to the Microsoft 365 Compliance Portal as an administrator or a user with the Audit Logs role assigned. You can verify your roles on the Permissions page in the Exchange admin center.
- In the navigation pane, click Audit.
- If no banner displays about turning auditing on to record user and admin activity, verify that audit logging is enabled using PowerShell:
  - Open PowerShell.
  - Run this PowerShell command to install the Exchange Online module:
    Install-Module ExchangeOnlineManagement
  - Run this PowerShell command to connect and authenticate to Exchange Online:
    Connect-ExchangeOnline -UserPrincipalName <UPN> [-UseRPSSession] [-ExchangeEnvironmentName <Value>] [-ShowBanner:$false] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]
  - Run this command in Exchange Online PowerShell to verify whether unified audit logging is enabled:
    Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
    Note: You cannot use Security & Compliance PowerShell to run this command.
- If auditing is not enabled, click Start recording user and admin activity.
  The banner updates with information about when searching is available.
- (Optional) Click Search to see a list of all activities recorded within the specified time range.
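The module checks from Step 2 and the audit-log verification from Step 3, combined into one pre-flight script. This is an added example, not Arctic Wolf's configuration script or the batch files it ships; the admin UPN is a placeholder you replace, and the commented Set-AdminAuditLogConfig line is an assumed cmdlet-based alternative to clicking the banner in the Compliance Portal.

```powershell
# Added example: pre-flight check before handing credentials to Arctic Wolf.
# Assumes an elevated PowerShell window; $AdminUpn is a placeholder value.
$AdminUpn = 'admin@example.onmicrosoft.com'   # placeholder, replace with your admin UPN

function Ensure-Module {
    param([Parameter(Mandatory)][string]$Name)
    if (Get-Module -ListAvailable -Name $Name) {
        Write-Host "$Name is already installed."
        return
    }
    # Older Windows PowerShell hosts negotiate TLS 1.0/1.1, which the PowerShell
    # Gallery rejects; that is the NuGet error the Step 2 note describes, so
    # force TLS 1.2 before calling Install-Module.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Install-Module -Name $Name -Scope CurrentUser -Force -ErrorAction Stop
    Write-Host "Installed $Name."
}

# Step 2 modules used by the configuration script, plus the Step 3 module.
foreach ($m in 'AzureAD', 'AzureRM', 'ExchangeOnlineManagement') {
    Ensure-Module -Name $m
}

# Step 3: connect to Exchange Online (not Security & Compliance PowerShell,
# which does not expose this cmdlet) and read the unified audit log setting.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit logging is enabled; audit events will be available for retrieval.'
} else {
    Write-Warning 'Unified audit logging is OFF. Turn it on (Step 3) before submitting credentials in Step 4.'
    # Assumed cmdlet-based equivalent of "Start recording user and admin activity";
    # requires the Audit Logs role. Uncomment to apply instead of using the portal.
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

Disconnect-ExchangeOnline -Confirm:$false
```

Newly enabled auditing can take time before searches return results, so a "true" here confirms the setting, not that events have already been ingested.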
Step 4: Provide credentials to Arctic Wolf
- Sign in to the Arctic Wolf Portal.
- Select Connected Accounts in the banner menu to open the Connected Accounts page.
- Select +Add Account to open the Add Account form.
- Select Cloud Detection and Response as the Account Type.
- Select Microsoft 365 from the list of cloud services, and then fill in the form:
  - Enter a descriptive name for the credentials.
  - Paste these values into their respective text boxes:
    - Application ID
    - Directory ID
    - Client Secret
  - In the Microsoft Cloud menu, select the type of Microsoft Cloud/Azure AD environment. The default is global.
- Select Submit to CST.
- When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
- Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.