Configure the Arctic Wolf Azure deployment application

Configure Microsoft Azure for Arctic Wolf log monitoring using the deployment application

You can configure Microsoft Azure to send the necessary logs to Arctic Wolf for security monitoring using a GUI.

Note:

Complete these steps for each tenant that you want Arctic Wolf to monitor.

These resources are required:

  • A user account with Global Administrator permissions.
  • A Windows machine or virtual machine (VM) that you can run the configuration executables on.
  • An Owner role on the Azure subscription so that you can assign the Azure application to other roles.
  • Based on your cloud firewall settings, add firewall exceptions for Arctic Wolf IP addresses if necessary. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

These actions are required:

  • If your Azure environment contains infrastructure, for example virtual machines (VM), containers, databases, and functions, make sure that the account used in this procedure has access to the Microsoft subscriptions for that infrastructure. If no subscriptions are found, review the account access, and then contact your Concierge Security® Team (CST) at security@arcticwolf.com.

Install GUI executables or scripts for Arctic Wolf monitoring

Install the GUI executables or scripts that configure Azure for Arctic Wolf monitoring.

  1. Download awn-configure-python.zip.
  2. On your machine, navigate to the zip file, and then extract the contents.
    The awn-configure-python folder is extracted.
  3. Based on your operating system, do one of these actions:
    • Windows —
      1. Open the apps/windows folder.
      2. Double-click azure_gui_windows.exe.
    • macOS —
      1. Open the apps folder.
      2. Click the mac folder that corresponds with the CPU of your machine. For example, Intel or M-series.
      3. Double-click azure_gui_mac_cpu_name.
        Note: You may receive an error message similar to: "file_name" cannot be opened because it is from an unidentified developer. To open the file, open System Settings, and click the Privacy & Security tab. In the Security section, for the appropriate error message, click Open Anyway.
    The script takes 10-20 seconds to load.

Create an Azure application

You can create an Azure application in the Arctic Wolf Microsoft Azure deployment application.

  1. Open the Arctic Wolf Microsoft Azure deployment application.
  2. In the Azure AD Application Configuration window, select each subscription that you want Arctic Wolf to monitor.
  3. Click OK.
    Note: If the Azure application already exists, you receive an error message similar to: "azure_gui_mac_intel" cannot be opened because it is from an unidentified developer. Complete Delete an Arctic Wolf Azure application for the appropriate application, and then try again.
    In your web browser, the Microsoft permissions requested page opens.
  4. Click Accept.
    Tip: Credentials are listed in the output/az-creds-<date>.txt file. You will provide these to Arctic Wolf later.
    The Azure application is created.
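The az-creds file named in the tip above holds the values you later enter in the Unified Portal, so it is worth confirming that only your own account can read it. This Python sketch is an added example, not Arctic Wolf code; it assumes a macOS or Linux host with POSIX permissions, and the function names and the date in the demo file name are made up for illustration.

```python
import stat
import tempfile
from pathlib import Path

# File name pattern from the page's tip: output/az-creds-<date>.txt
CREDS_GLOB = "az-creds-*.txt"


def audit_creds_files(output_dir, fix=False):
    """Report az-creds files readable by group/other; optionally tighten to 0600.

    Returns a list of (path, old_mode, new_mode) tuples for every file found.
    POSIX permissions only (macOS/Linux); on Windows, review the NTFS ACLs instead.
    """
    results = []
    for path in sorted(Path(output_dir).glob(CREDS_GLOB)):
        if path.is_symlink() or not path.is_file():
            continue  # never chmod through a symlink
        old_mode = stat.S_IMODE(path.stat().st_mode)
        new_mode = old_mode
        if fix and old_mode & (stat.S_IRWXG | stat.S_IRWXO):
            new_mode = stat.S_IRUSR | stat.S_IWUSR  # 0600: owner read/write only
            path.chmod(new_mode)
        results.append((path, old_mode, new_mode))
    return results


def exposed(results):
    """Paths whose final mode still grants any access to group or other."""
    return [p for p, _old, new in results if new & (stat.S_IRWXG | stat.S_IRWXO)]


if __name__ == "__main__":
    # Constructed demo: a throwaway directory standing in for the output folder.
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / "az-creds-2024-01-01.txt"
        demo.write_text("constructed placeholder, not real credentials\n")
        demo.chmod(0o644)
        for path, old, new in audit_creds_files(tmp, fix=True):
            print(f"{path.name}: {oct(old)} -> {oct(new)}")
```

Point `audit_creds_files` at the output folder of your extracted awn-configure-python directory; with `fix=False` it only reports.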

Provide Microsoft Azure AD credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Azure Graph.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Application (client) ID — Enter the application (client) ID.
    • Directory (tenant) ID — Enter the directory (tenant) ID.
    • Client Secret Value — Enter the value for the client secret.
    • Microsoft Cloud — Select the option that matches your Microsoft Cloud or Azure AD environment type.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.
    • To exclude polling for non-interactive user sign-in data, select the Exclude non-interactive user data checkbox.
      Note: By default, Arctic Wolf polls for all non-interactive user sign-in data. If you do not select this checkbox, we will continue to poll for all non-interactive user sign-in data.
  6. Click Test and submit credentials.

Opt in to Azure AD Trusted Traveler's Group

This step is optional. Arctic Wolf can suppress alerts for groups of Azure AD users who sign in from a restricted country. For example, you might have employees who travel frequently and trigger this alert without malicious intent.

Note: To avoid missing potential security incidents, Arctic Wolf recommends suppressing restricted country login alerts only for employees who are consistently traveling.

Arctic Wolf recommends creating a new Azure AD group or using an existing Azure AD group that includes all frequent travelers. Only use this group to monitor travelers. This Azure AD group name can conform to your internal group naming policies. Nested groups are not supported.

To opt in, contact your CST and provide the name of the Azure AD group or groups. Make sure that case sensitivity and spelling are correct.
Arctic Wolf will suppress login alerts for all members of that group. If you have questions, contact your CST.
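Before you send a group name to your CST, you can check the two constraints stated above: the name must match exactly, and the group must not contain nested groups. The following Python sketch is an added example, not Arctic Wolf code; it runs on constructed sample data shaped like a Microsoft Graph `GET /groups/{id}/members` response, and the group names, ids, and function names are made up for illustration.

```python
import json

# Constructed sample: shape of a Microsoft Graph
# GET /groups/{id}/members response (ids are made up).
MEMBERS_JSON = """
{"value": [
  {"@odata.type": "#microsoft.graph.user",  "id": "u-001", "displayName": "Avery Lee"},
  {"@odata.type": "#microsoft.graph.user",  "id": "u-002", "displayName": "Sam Ortiz"},
  {"@odata.type": "#microsoft.graph.group", "id": "g-101", "displayName": "Sales-EMEA"}
]}
"""

# Constructed sample: display names of groups in the tenant.
TENANT_GROUPS = ["Frequent-Travelers", "Sales-EMEA", "frequent-travelers-old"]


def check_group_name(requested, tenant_groups):
    """Return (ok, message). The name sent to the CST must match exactly."""
    if requested in tenant_groups:
        return True, f"'{requested}' matches a group exactly"
    near = [g for g in tenant_groups if g.casefold() == requested.strip().casefold()]
    if near:
        return False, f"'{requested}' differs only by case/whitespace from '{near[0]}'"
    return False, f"'{requested}' not found"


def find_nested_groups(members_response):
    """Return display names of direct members that are themselves groups."""
    return [m.get("displayName", m["id"])
            for m in members_response.get("value", [])
            if m.get("@odata.type") == "#microsoft.graph.group"]


def review_traveler_group(requested, tenant_groups, members_response):
    """Collect every problem that should be fixed before contacting the CST."""
    problems = []
    ok, msg = check_group_name(requested, tenant_groups)
    if not ok:
        problems.append(msg)
    for name in find_nested_groups(members_response):
        problems.append(f"nested group '{name}' is a direct member (not supported)")
    return problems


if __name__ == "__main__":
    for p in review_traveler_group("frequent-travelers", TENANT_GROUPS,
                                   json.loads(MEMBERS_JSON)):
        print("FIX:", p)
```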

Update an Azure application

You can update an Azure application in the Arctic Wolf Microsoft Azure deployment application.

  1. Open the Arctic Wolf Microsoft Azure deployment application.
  2. On the Azure AD Application Configuration window, click Update Application.
  3. Click OK.
    The Azure application is updated.

Delete an Arctic Wolf Azure application

If you no longer require the Azure application, you can delete it from the Arctic Wolf Microsoft Azure deployment application.

  1. Open the Arctic Wolf Microsoft Azure deployment application.
  2. On the Azure AD Application Configuration window, click Delete Application.
  3. Click OK.
    The Azure application is deleted.

Add an Azure subscription

  1. Open the Arctic Wolf Microsoft Azure deployment application.
  2. In the Azure AD Application Configuration window, click Add Subscription.
  3. In the Select Subscription dialog, select each subscription that you want Arctic Wolf to monitor.
  4. Click OK.

Remove an Azure subscription

If you no longer require an Azure subscription, you can remove it from the Azure application.

  1. Open the Arctic Wolf Microsoft Azure deployment application.
  2. In the Azure AD Application Configuration window, click Remove Subscription.
  3. Select each subscription that you want to remove.
  4. Click OK.