O365 GCC High Monitoring
Updated Sep 27, 2023
Configure O365 GCC High tenant for Arctic Wolf monitoring
Arctic Wolf can monitor your Office 365 (O365) Government Community Cloud (GCC) High® tenant through Microsoft Entra ID (formerly Azure AD). See History of Microsoft Cloud Offerings leading to the US Sovereign Cloud for more information.
When successfully configured, Arctic Wolf can monitor your O365 GCC High tenant and alert you about suspicious or malicious activity.
Caution: Arctic Wolf monitors O365 GCC High logs at a global level. As a result, Arctic Wolf employees outside of the US and non-US citizens can view logs.
Requirements
- A user account with Global Administrator permissions.
- The Owner or User Access Administrator role on the subscription, with Microsoft.Authorization/*/Write permissions, so that you can assign the AD application to other roles.
- Access to a Windows machine or virtual machine (VM) on which you can run the configuration script.
- One of these licenses:
  - A Microsoft 365 E3_USGOV_GCCHIGH license.
  - A Microsoft 365 ENTERPRISEPACK_USGOV_GCCHIGH license and Azure AD Premium P1.
  Note: An E3_USGOV_GCCHIGH license includes full monitoring access for Microsoft Entra ID. To monitor Microsoft Entra ID with an ENTERPRISEPACK_USGOV_GCCHIGH license, you also need Azure AD Premium P1. Access to Microsoft Entra ID allows Arctic Wolf to monitor directory audits, risk detections, risky users, and sign-in attempts.
  See Product names and service plan identifiers for licensing for more information.
Steps
For each O365 GCC High tenant that you want Arctic Wolf to monitor, complete these steps:
- Download and extract the Azure AD configuration file.
- Configure the Azure AD application.
- Provide your O365 GCC credentials to Arctic Wolf.
Step 1: Download and extract the Azure AD configuration file
- Download the awn-office365-azure-configure.zip file and move it to an easily accessible folder on your Windows machine.
- Right-click the awn-office365-azure-configure.zip file, and then select Extract All.
- In the Extract Compressed (Zipped) Folders window, choose a convenient location to extract the zip file contents, for example the Desktop folder.
  Note: Verify that Show extracted files when complete is selected.
- Select Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.
Step 2: Configure the Azure AD application
Use the Arctic Wolf Azure PowerShell script to configure GCC High monitoring and create a Microsoft Entra ID application that can access audit logs. For more information, see Azure Active Directory Configuration Script.
- Open a PowerShell window as an administrator.
- Run Get-InstalledModule to see a list of installed modules.
- If any of these modules are missing, run the associated command, and then follow the prompts to install the missing modules:
  - If the Azure AD module is missing — Run Install-Module AzureAD.
  - If the Az Accounts module is missing — Run Install-Module Az.Accounts.
  - If the Az Resources module is missing — Run Install-Module Az.Resources.
  Note: If you receive an error about NuGet when installing these modules, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to Tls12, and then try installing the module again.
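The module check and install steps above can be scripted so that you know all three modules are present before running the batch file. The following is an added example, not Arctic Wolf's configuration script; the function names are ours, and it applies the TLS 1.2 workaround from the Note only when Install-Module fails with a NuGet error.

```powershell
# Added example, not Arctic Wolf's script: checks for the three PowerShell modules
# Step 2 requires and installs whichever are missing. Run from a PowerShell window
# opened as an administrator, as the procedure specifies.
$RequiredModules = @('AzureAD', 'Az.Accounts', 'Az.Resources')

function Test-RequiredModules {
    param([string[]] $Names = $RequiredModules)
    # Get-InstalledModule returns nothing (and an error we suppress) for a module
    # that was never installed from a repository, so a $null result means "missing".
    $Names | Where-Object {
        -not (Get-InstalledModule -Name $_ -ErrorAction SilentlyContinue)
    }
}

function Install-MissingModules {
    param([string[]] $Names = $RequiredModules)
    $missing = @(Test-RequiredModules -Names $Names)
    if ($missing.Count -eq 0) {
        Write-Host 'All required modules are already installed.'
        return
    }
    foreach ($name in $missing) {
        Write-Host "Installing missing module: $name"
        try {
            # Prompts (for example, to trust the repository) still appear, as in the
            # manual procedure; answer them as you would when running the command by hand.
            Install-Module -Name $name -ErrorAction Stop
        }
        catch {
            # A NuGet provider error usually means the session did not negotiate
            # TLS 1.2 with the PowerShell Gallery; set it explicitly and retry once.
            if ($_.Exception.Message -match 'NuGet') {
                Write-Warning "NuGet error for $name; setting TLS 1.2 and retrying."
                [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                Install-Module -Name $name -ErrorAction Stop
            }
            else {
                throw
            }
        }
    }
}

# Report anything still missing after installation; an empty result means you can
# proceed to run ad-application-configure-office-365-gcc-high.bat.
Install-MissingModules
$stillMissing = @(Test-RequiredModules)
if ($stillMissing.Count -gt 0) {
    Write-Error "Still missing: $($stillMissing -join ', ')"
}
```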
- Run the batch file:
  - Open the extracted awn-office365-azure-configure folder.
  - Right-click ad-application-configure-office-365-gcc-high.bat, and then select Run as administrator to launch the command prompt.
- In the command prompt, press C to create the Microsoft Entra ID application.
- Follow the prompts to create and configure the Microsoft Entra ID application.
  Note: You must authenticate to your Azure tenant as a user with administrator permissions.
- When the PowerShell script finishes creating or updating the Microsoft Entra ID application, press any key to launch the consent URI in your default browser.
  Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The TXT file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined, and <timestamp> is when the file was created.
  Example of expected output:
- Sign in to your tenant as an administrator.
  The Permissions requested Review for your organization window appears.
- Verify that the permissions are correct, and then click Accept.
  You are redirected to the Arctic Wolf website.
  Note: You can provide consent at a later time, but Arctic Wolf is unable to monitor the tenant until consent is granted.
Step 3: Provide your O365 GCC credentials to Arctic Wolf
- Sign in to the Arctic Wolf Unified Portal.
- In the menu bar, click Telemetry Management > Connected Accounts.
- Click Add Account +.
- On the Add Account page, from the Account Type list, select Cloud Detection and Response.
- From the list of cloud services, select Office 365 Graph.
- On the Add Account page, configure these settings:
  - Account Name — Enter a unique and descriptive name for the account.
  - Application (client) ID — Enter the application ID value from awn-office365-azure-ad-application-credentials.txt that was created in Configure the Azure AD application.
  - Directory (tenant) ID — Enter the directory ID value from awn-office365-azure-ad-application-credentials.txt that was created in Configure the Azure AD application.
  - Client Secret — Enter the secret key value from awn-office365-azure-ad-application-credentials.txt that was created in Configure the Azure AD application.
  - Microsoft Cloud list — Select gcc-high.
  - Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
- Click Test and Submit Credentials.
  After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.