Configuring O365 GCC High Monitoring
Overview of O365 GCC High monitoring
This document describes how to configure Arctic Wolf monitoring of your Office 365 (O365) Government Community Cloud (GCC) High tenant, through Azure Active Directory (AD). See History of Microsoft Cloud Offerings leading to the US Sovereign Cloud in the Microsoft blog for more information about O365 and Azure government cloud services.
Caution: Arctic Wolf monitors O365 GCC High logs at a global level. Therefore, Arctic Wolf employees outside of the US and/or non-US citizens may view logs.
Requirements
- A user account with Global Administrator permissions.
- The Owner or User Access Administrator role on the subscription, with Microsoft.Authorization/*/Write access, so that you can assign the AD application to other roles.
- Access to a Windows machine or virtual machine (VM) on which you can run the configuration script.
- A Microsoft 365 E3_USGOV_GCCHIGH license. See Product names and service plan identifiers for licensing in the Microsoft documentation for more information.
Note: The Office 365 E3_USGOV_GCCHIGH license also allows Arctic Wolf to monitor your O365 GCC High environment, but does not provide full monitoring access of the Azure AD application. Arctic Wolf cannot access directory audits, risk detections, risky users, or sign-in attempts.
Configure O365 GCC High monitoring
Complete these procedures in order for each O365 GCC High tenant that you want Arctic Wolf to monitor:
Download and extract the Azure AD configuration file
- Download the awn-office365-azure-configure.zip file and move it to an easily accessible folder on your Windows machine.
- Right-click the awn-office365-azure-configure.zip file, and then select Extract All.
- In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents, such as the Desktop folder.
  Note: Verify that Show extracted files when complete is selected.
- Select Extract to extract the contents of the .zip file to the new awn-office365-azure-configure folder in the selected destination.
- Proceed to Configure the Azure AD application.
Configure the Azure AD application
You use a PowerShell script to create an Azure AD application that can access audit logs. For more information about Azure AD applications, including the PowerShell the script runs, updating an application, or deleting an application, see Azure AD Application Script.
To configure the Azure AD application:
- Open a PowerShell window as an administrator.
- Run Get-InstalledModule to see a list of installed modules.
- If the Azure AD PowerShell for Graph and/or the Azure Resource Manager (AzureRM) modules are missing, run the appropriate command and follow the prompts to install the missing modules:
  - Azure AD — Install-Module AzureAD
  - AzureRM — Install-Module AzureRM
  Note: If you receive an error about NuGet when installing either of these modules, similar to the one shown below, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing again.
- Run the batch file:
  - Open the extracted awn-office365-azure-configure folder.
  - Right-click the appropriate batch file, and then select Run as administrator to launch the command prompt:
    - Microsoft 365 — ad-application-configure-office365.bat
    - Azure — ad-application-configure-azure.bat
    - O365 GCC High — ad-application-configure-office-365-gcc-high.bat
- In the command prompt, select C to create the Azure AD application.
- Follow the prompts to create and configure the Azure AD application. You must authenticate to your Azure tenant as a user with administrator permissions.
- Save a copy of the transcript file to submit to your CST, for confirmation that the script ran properly.
  The PowerShell configuration script automatically creates the arcticwolf-azure-ad-<target>.zip file in the directory that you ran the script from, where <target> is office365, azure, or combined. This .zip file includes the awn-office365-azure-ad-application-credentials.txt file, containing the application (client) ID, directory (tenant) ID, and secret key values that serve as the credentials for the newly created application.
- Once the PowerShell script finishes creating or updating the Azure AD application, launch the consent URI in your default browser. This looks similar to the image below:
  Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The .txt file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.
- Sign in to your tenant as an administrator and select Accept to grant the requested permissions, which look like the images below.
  Granting the permissions redirects your browser to the Arctic Wolf website.
  Note: You may provide consent at a later time. However, Arctic Wolf is unable to monitor the tenant until consent is granted.
- Proceed to Provide credentials to Arctic Wolf.
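A PowerShell pre-check that carries out the module steps above (list installed modules, set TLS 1.2 ahead of the NuGet error, install whichever of AzureAD and AzureRM is missing, then confirm both load) in one pass, added here as an example and not part of the Arctic Wolf configuration script; run it in the elevated PowerShell window before launching the batch file.

```powershell
# Added example, not part of the Arctic Wolf script: verify the two modules the
# configuration script needs are present before the batch file is run.
$required = @('AzureAD', 'AzureRM')

# Set TLS 1.2 up front so the PowerShell Gallery / NuGet provider download does
# not fail on hosts whose default protocol is older (the NuGet error noted above).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Same information as a bare Get-InstalledModule, filtered to the modules we care about.
Get-InstalledModule | Where-Object { $required -contains $_.Name } |
    Select-Object Name, Version | Format-Table -AutoSize

foreach ($name in $required) {
    $installed = Get-InstalledModule -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $installed) {
        Write-Host "Module $name not found; installing from the PowerShell Gallery."
        # Follow the prompts (repository trust, NuGet provider) as the steps above describe.
        Install-Module -Name $name -Scope CurrentUser
    } else {
        Write-Host "Module $name $($installed.Version) is already installed."
    }
}

# Confirm both modules actually load; a failure here stops before the batch file runs.
foreach ($name in $required) {
    Import-Module -Name $name -ErrorAction Stop
    Write-Host "Module $name loaded."
}
```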
Provide credentials to Arctic Wolf
To provide your application credentials to Arctic Wolf:
- Sign in to the Arctic Wolf Portal.
- Select Connected Accounts in the banner menu to open the Connected Accounts page.
- Select +Add Account to open the Add Account form.
- Select Cloud Detection and Response as the Account Type.
- Select Office 365 from the list of cloud services, and then fill in the form:
  - Account Name — Enter a descriptive name for the credentials.
  - Application (client) ID — Enter the application ID value from the awn-office365-azure-ad-application-credentials.txt file generated in Configure the Azure AD application.
  - Directory (tenant) ID — Enter the directory ID value from the awn-office365-azure-ad-application-credentials.txt file generated in Configure the Azure AD application.
  - Client Secret — Enter the secret key value from the awn-office365-azure-ad-application-credentials.txt file generated in Configure the Azure AD application.
  - Microsoft Cloud menu — Select gcc-high.
- Select Submit to CST.
- When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
- Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.