O365 GCC High Monitoring

Updated Feb 16, 2024

Configure O365 GCC High for Arctic Wolf monitoring

You can configure Office 365 (O365) Government Community Cloud (GCC) High® to send the necessary logs to Arctic Wolf® for security monitoring.

See History of Microsoft Cloud Offerings leading to the US Sovereign Cloud for more information.

Caution: Arctic Wolf monitors O365 GCC High logs at a global level. As a result, Arctic Wolf employees outside of the US and non-US citizens can view logs.

Requirements

Steps

For each O365 GCC High tenant that you want Arctic Wolf to monitor, complete these steps:

  1. Download and extract the Azure AD configuration file.
  2. Configure the Azure AD application.
  3. Provide your O365 GCC credentials to Arctic Wolf.

Step 1: Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file, and then move it to a folder that is easy to access on your Windows machine.

  2. Right-click the awn-office365-azure-configure.zip file, and then click Extract All.

  3. In the Extract Compressed (Zipped) Folders window, choose a location to extract the zip file contents to, for example, the Desktop folder.

    Note: Verify that the Show extracted files when complete checkbox is selected.

  4. Click Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

Use the Arctic Wolf Azure PowerShell script to configure GCC High monitoring and create a Microsoft Entra ID (formerly Azure AD) application to access audit logs. See Azure Active Directory Configuration Script for more information.

  1. Open a PowerShell window with administrator permissions.

  2. Run this command to see a list of installed modules:

    Get-InstalledModule

  3. If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:

    • If the Azure AD module is missing — Run Install-Module AzureAD.
    • If the Az Accounts module is missing — Run Install-Module Az.Accounts.
    • If the Az Resources module is missing — Run Install-Module Az.Resources.

    Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing the module again.

    (Screenshot: Module error)
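    As an added example, not Arctic Wolf's script and not part of the original page, the module check in item 2 and the conditional installs in item 3 can be combined into one PowerShell snippet that installs only the modules that are missing and applies the TLS 1.2 workaround from the Note if an install fails. It assumes an elevated PowerShell session with access to the PowerShell Gallery; the only module names it relies on are the three named in item 3.

```powershell
# Added example (not Arctic Wolf's script): verify that the PowerShell modules
# required by Step 2 are installed, and install only the ones that are missing.
# Assumptions: run from a PowerShell window opened with administrator
# permissions, with access to the PowerShell Gallery. The module names below
# are the three named in item 3 of Step 2.
$RequiredModules = @('AzureAD', 'Az.Accounts', 'Az.Resources')

# Item 2: list what is already installed so the result can be reviewed.
$installed = Get-InstalledModule
$installed | Select-Object Name, Version | Format-Table -AutoSize

# Item 3: work out which of the required modules are absent.
$missing = $RequiredModules | Where-Object { $_ -notin $installed.Name }

if (-not $missing) {
    Write-Host 'All required modules are already installed.'
    return
}

foreach ($name in $missing) {
    try {
        Install-Module -Name $name -ErrorAction Stop
    }
    catch {
        # The Note in item 3: a NuGet error during Install-Module usually means
        # the session did not negotiate TLS 1.2. Force TLS 1.2 and retry once;
        # if the retry also fails, the error is surfaced to the operator.
        Write-Warning "Install of $name failed ($($_.Exception.Message)); setting TLS 1.2 and retrying."
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Install-Module -Name $name -ErrorAction Stop
    }
}

# Confirm every required module is now present before running the batch file in item 4.
Get-InstalledModule -Name $RequiredModules | Select-Object Name, Version | Format-Table -AutoSize
```

    The final Get-InstalledModule call raises an error for any module that is still absent, so a clean table at the end is the confirmation that item 4 can proceed.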

  4. Run the batch file:

    1. Open the extracted awn-office365-azure-configure folder.
    2. Right-click ad-application-configure-office-365-gcc-high.bat, and then select Run as administrator to launch the command prompt.

    Note: You must have .NET version 4.7 or later to run the batch file.

  5. In the command prompt, press C to create the Microsoft Entra ID (formerly Azure AD) application.

  6. Follow the prompts to create and configure the Microsoft Entra ID (formerly Azure AD) application.

    Note: You must authenticate to your Azure tenant as a user with administrator permissions.

  7. When the PowerShell script finishes creating or updating the Azure® application, press any key to launch the consent URI in your default browser.

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

    Example of expected output: (Screenshot: Consent URI)

  8. Sign in to your tenant with administrator permissions.

    The Permissions requested Review for your organization window appears.

    (Screenshot: Microsoft 365 permissions)

  9. Verify that the permissions are correct, and then click Accept.

    You are redirected to the Arctic Wolf website.

    Note: You can provide consent at a later time, but Arctic Wolf cannot monitor the tenant until consent is granted.

Step 3: Provide your O365 GCC credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Office 365 Graph.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application ID value from awn-office365-azure-ad-application-credentials.txt that was created in Configure the Azure AD application.

    • Directory (tenant) ID — Enter the directory ID value from awn-office365-azure-ad-application-credentials.txt that was created in Configure the Azure AD application.

    • Client Secret Value — Enter the secret key value from awn-office365-azure-ad-application-credentials.txt that was created in Configure the Azure AD application.

    • Microsoft Cloud list — Select gcc-high.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.