Configuring O365 GCC High Monitoring

Configuration Guide

Updated Jan 31, 2023


Overview of O365 GCC High monitoring

This document describes how to configure Arctic Wolf monitoring of your Office 365 (O365) Government Community Cloud (GCC) High tenant, through Azure Active Directory (AD). See History of Microsoft Cloud Offerings leading to the US Sovereign Cloud in the Microsoft blog for more information about O365 and Azure government cloud services.

Caution: Arctic Wolf monitors O365 GCC High logs at a global level. Therefore, Arctic Wolf employees outside of the US and/or non-US citizens may view logs.

Requirements

Configure O365 GCC High monitoring

Complete these procedures in order for each O365 GCC High tenant that you want Arctic Wolf to monitor:

  1. Download and extract the Azure AD configuration file

  2. Configure the Azure AD application

  3. Provide credentials to Arctic Wolf

Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file and move it to an easily-accessible folder on your Windows machine.

  2. Right-click the awn-office365-azure-configure.zip file, and then select Extract All.

  3. In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents, such as the Desktop folder.

    Note: Verify that Show extracted files when complete is selected.

  4. Select Extract to extract the contents of the .zip file to the new awn-office365-azure-configure folder in the selected destination.

  5. Proceed to Configure the Azure AD application.

Configure the Azure AD application

You use a PowerShell script to create an Azure AD application that can access audit logs. For more information about Azure AD applications, such as the PowerShell script itself, updating an application, or deleting an application, see Azure AD Application Script.

To configure the Azure AD application:

  1. Open a PowerShell window as an administrator.

  2. Run Get-InstalledModule to see a list of installed modules.

  3. If the Azure AD PowerShell for Graph and/or the Azure Resource Manager (AzureRM) modules are missing, run the appropriate command and follow the prompts to install the missing modules:

    • Azure AD — Install-Module AzureAD
    • AzureRM — Install-Module AzureRM

    Note: If you receive an error about NuGet when installing either of these modules, similar to below, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing again.

    [Image: Module error]

  4. Run the batch file:

    1. Open the extracted awn-office365-azure-configure folder.

    2. Right-click on the appropriate batch file, and then select Run as administrator to launch the command prompt:

      • Microsoft 365 — ad-application-configure-office365.bat
      • Azure — ad-application-configure-azure.bat
      • O365 GCC High — ad-application-configure-office-365-gcc-high.bat

  5. In the command prompt, select C to create the Azure AD application.

  6. Follow the prompts to create and configure the Azure AD application. You must authenticate to your Azure tenant as a user with administrator permissions.

  7. Save a copy of the transcript file to submit to your CST, for confirmation that the script ran properly.

    The PowerShell configuration script automatically creates the arcticwolf-azure-ad-<target>.zip file in the directory that you ran the script from, where <target> is office365, azure, or combined. This .zip file includes the awn-office365-azure-ad-application-credentials.txt file, containing the application (client) ID, directory (tenant) ID, and secret key values that serve as the credentials for the newly-created application.

  8. Once the PowerShell script finishes creating or updating the Azure AD application, launch the consent URI in your default browser. This looks similar to the image below:

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The .txt file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

    [Image: Consent URI]

  9. Sign in to your tenant as an administrator and select Accept to grant the requested permissions, which look like the images below.

    Granting the permissions redirects your browser to the Arctic Wolf website.

    Note: You may provide consent at a later time. However, Arctic Wolf is unable to monitor the tenant until consent is granted.

    [Image: Microsoft 365 permissions]

  10. Proceed to Provide credentials to Arctic Wolf.
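The following PowerShell is an added example, not Arctic Wolf's configuration script: it automates the module check in steps 2 and 3 (including the TLS 1.2 fallback from the note) and then locates the newest transcript file by the documented naming pattern so you know which file to send to your CST. The extraction folder path is an assumption; adjust it to where you extracted the .zip file.

```powershell
# Added example (not the awn-office365-azure-configure script). Assumed path:
$ExtractedFolder = "$env:USERPROFILE\Desktop\awn-office365-azure-configure"

function Ensure-ModuleInstalled {
    param([Parameter(Mandatory)][string]$Name)
    # Step 2: Get-InstalledModule lists what is already present.
    if (Get-InstalledModule -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "$Name is already installed"
        return
    }
    try {
        # Step 3: install the missing module and answer the prompts as usual.
        Install-Module -Name $Name -ErrorAction Stop
    } catch {
        # The PowerShell Gallery/NuGet provider requires TLS 1.2; a host that
        # negotiates an older protocol fails as described in the note in step 3.
        Write-Host "Installing $Name failed ($($_.Exception.Message)); retrying with TLS 1.2"
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Install-Module -Name $Name -ErrorAction Stop
    }
}

# The GCC High batch file depends on the Azure AD and AzureRM modules.
foreach ($module in @('AzureAD', 'AzureRM')) {
    Ensure-ModuleInstalled -Name $module
}

function Get-LatestTranscript {
    param([Parameter(Mandatory)][string]$Folder)
    # Step 8 tip: awn-<target>-ad-application-transcript-<timestamp>.txt is
    # written to the directory the batch file was run from; take the newest.
    Get-ChildItem -Path $Folder -Filter 'awn-*-ad-application-transcript-*.txt' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

$transcript = Get-LatestTranscript -Folder $ExtractedFolder
if ($transcript) {
    Write-Host "Transcript to submit to your CST: $($transcript.FullName)"
    # The consent URI is recorded in this transcript; the exact line format is
    # not documented here, so this simply surfaces the URLs it contains.
    Select-String -Path $transcript.FullName -Pattern 'https://' | Select-Object -First 5
} else {
    Write-Host "No transcript found in $ExtractedFolder; run the batch file (step 4) first."
}
```

Run this from the same elevated PowerShell window you use for the batch file, after step 1, so the module installs and the transcript search operate in the same context.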

Provide credentials to Arctic Wolf

To provide your application credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    [Image: Connected Accounts menu]

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Office 365 from the list of cloud services, and then fill in the form:

    • Account Name — Enter a descriptive name for the credentials.

    • Application (client) ID — Enter the application ID value from the awn-office365-azure-ad-application-credentials.txt file generated in Configure the Azure AD application.

    • Directory (tenant) ID — Enter the directory ID value from the awn-office365-azure-ad-application-credentials.txt file generated in Configure the Azure AD application.

    • Client Secret — Enter the secret key value from the awn-office365-azure-ad-application-credentials.txt file generated in Configure the Azure AD application.

    • Microsoft Cloud menu — Select gcc-high.

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.