Configure Microsoft Azure for Arctic Wolf monitoring manually without CloudShell

You can manually configure Microsoft Azure to send the necessary logs to Arctic Wolf for security monitoring without using CloudShell.

For information about Azure monitoring limitations and supported monitoring regions, see Microsoft Azure monitoring.

Note:

The manual configuration steps are an alternative to script configuration, and can be used to replicate the target state in environments that use Infrastructure as Code. For script configuration steps, see Microsoft Azure monitoring.

These resources are required:

  • A Microsoft Azure account with access to the Azure Portal.
  • An active Azure subscription.
  • Sufficient permissions to register an application with your Azure tenant.
  • An Owner or User Access Administrator role on the subscription. This role provides you with the Microsoft.Authorization/*/Write access to assign an AD application to other roles.

These actions are required:

  • If your Azure environment contains infrastructure, for example virtual machines (VM), containers, databases, and functions, make sure that the account used in this procedure has access to the Microsoft subscriptions for that infrastructure. If no subscriptions are found, review the account access, and then contact your Concierge Security® Team (CST) at security@arcticwolf.com.

Register the application

  1. Sign in to the Microsoft Azure portal.
  2. In the portal menu, click Microsoft Entra ID.
    Note: If Microsoft Entra ID is not in your portal menu, click All services, and then click Hybrid + multicloud. Locate the entry for Microsoft Entra ID, and then click to add it as a favorite.
  3. In the navigation menu, click Manage > App registrations.
  4. Click + New registration.
  5. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Single tenant only - <your_organization_name>.
    • For all other fields, keep the default values.
  6. Click Register.
    The page for the newly registered application opens.
  7. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.
  8. In the navigation menu, in the Manage section, click Certificates & secrets.
  9. On the Client secrets tab, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select 730 days (24 months).
  10. Click Add.
  11. On the Client secrets tab, verify that your new client secret appears.

    Screenshot: the Certificates & secrets page in the Azure portal, with the Value field highlighted.

  12. Copy the value shown in the Value field to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The value in the Value field is only available immediately after creation. Do not leave the Certificates & secrets page until the value is saved in a safe, encrypted location.
    • The value in the Value field is the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • You must provide the updated client secret credentials to Arctic Wolf before the credentials expire.

Confirm whether the Log Analytics API is visible in the Azure tenant

The Log Analytics API is not displayed in the Azure tenant by default. To expose it using CloudShell, see Expose the Log Analytics API in the Azure tenant. Otherwise, to expose it manually, create a Log Analytics workspace:

Note: If you already use Log Analytics, proceed to Assign permissions to the application.
  1. Determine whether the Log Analytics API is already exposed:
    1. Go to the Microsoft Azure Portal homepage.
    2. In the navigation menu, click Microsoft Entra ID > Manage > App registrations.
    3. Select the application created in Register the application.
    4. On the application page, in the navigation menu, click Manage > API permissions > + Add a permission.
    5. In the Request API permissions pane, click the APIs my organization uses tab.
    6. In the search bar, enter log analytics API.
    7. If the Log Analytics API option appears, proceed to Assign permissions to the application.
  2. If the Log Analytics API option is not exposed, in the Microsoft Azure Portal, search for Log Analytics workspaces.
  3. Select Log Analytics workspaces from the results.
  4. Click Add.
  5. In the Subscription list, select the Azure subscription that you want to monitor.
  6. Fill in the remaining required fields.
  7. Click Review + Create > Create.
  8. On the Log Analytics workspaces page, select the newly created workspace.
  9. Click Delete.
  10. Select the Delete the workspace permanently checkbox.
    Note: These steps permanently delete the selected workspace. Make sure that you have selected the newly created, unused workspace, and review the data shown in the dialog to confirm that you are not deleting production data.
  11. Enter the workspace name in the Confirm delete field.
  12. Click Delete.

Assign permissions to the application

  1. Go to the Microsoft Azure Portal homepage.
  2. In the navigation menu, click Microsoft Entra ID > Manage > App registrations.
  3. Select the application created in Register the application.
  4. On the application page, in the navigation menu, click Manage > API permissions.
  5. Remove the User.Read permission for Microsoft Graph:
    1. In the Microsoft Graph section, click Menu next to the User.Read permission, and then select Remove permission.
    2. In the resulting dialog, click Yes, remove.
  6. Add Log Analytics API permissions:
    1. On the API permissions page, click + Add a permission.
    2. In the Request API permissions pane, click the APIs my organization uses tab.
    3. In the search bar, enter log analytics API, and then select Log Analytics API.
    4. Click Application Permissions.
    5. Select the Data.Read checkbox.
    6. Click Add permissions.
  7. Add Office 365 Management API permissions:
    1. On the API permissions page, click + Add a permission.
    2. In the Request API permissions pane, click Microsoft APIs.
    3. Click Office 365 Management APIs.
    4. Click Application Permissions.
    5. Select these checkboxes:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
    6. Click Add permissions.
  8. Add Microsoft Graph permissions:
    1. On the API permissions page, click + Add a permission.
    2. In the Request API permissions pane, click Microsoft APIs.
    3. On the Microsoft APIs tab, click Microsoft Graph.
    4. Click Application Permissions.
    5. Select these checkboxes:
      • AuditLog > AuditLog.Read.All
      • Directory > Directory.Read.All
      • Group > Group.Read.All
      • IdentityRiskEvent > IdentityRiskEvent.Read.All
      • IdentityRiskyUser > IdentityRiskyUser.Read.All
      • Organization > Organization.Read.All
      • User > User.Read.All
      Tip:

      You can use the search bar to find these permissions faster.

    6. Click Add permissions.
  9. Click Grant admin consent for <tenant>, where <tenant> is your tenant name, and then click Yes in the resulting dialog.

Download and extract the Azure AD configuration file

  1. Download the awn-office365-azure-configure.zip file, and then move it to a folder that is easy to access on your Windows machine.
  2. Right-click the awn-office365-azure-configure.zip file, and then click Extract All.
  3. In the Extract Compressed (Zipped) Folders window, choose a location to extract the zip file contents to, for example the Desktop folder.
    Note:

    Verify that the Show extracted files when complete checkbox is selected.

  4. Click Extract to extract the contents of the zip file to the new awn-office365-azure-configure folder in the selected destination.
  5. In the new awn-office365-azure-configure folder, locate these files in the Configs folder:
    • awn-network-reader.json
    • awn-storage-account-reader.json
These JSON files will be used in Create custom roles in the Azure tenant.

Optional: Create a management group that contains multiple subscriptions

This is an optional step. To more easily complete the configuration, you can create a management group that contains multiple subscriptions for Arctic Wolf to monitor. Otherwise, you must individually assign the application to each subscription.

Note: Subscriptions can only be included in one management group. For more information about management groups and subscriptions, see Manage your Azure subscriptions at scale with management groups.
  1. Sign in to the Microsoft Azure Portal.
  2. In the navigation menu, click All services > Management and governance.
  3. Click Management groups.
  4. Click + Add management group.
  5. In the Add management group window, configure these settings:
    • Select Create new.
    • Management group ID — Enter a unique ID for the group.
    • Management group display name — Enter a display name for the group.
  6. Click Save.
  7. In the navigation menu, click All services > Management and governance.
  8. Click Management groups.
  9. Click the management group that you want to configure.
  10. Click Add subscription.
  11. In the Subscription list, select the subscription that you want to add.
    You can add multiple subscriptions.
  12. Click Save.

Create custom roles in the Azure tenant

  1. On the Microsoft Azure Portal homepage, under Azure services, click one of these options:
    • Management groups — Monitor a management group that contains multiple subscriptions.
    • Subscriptions — Monitor a specific subscription.
    Tip: You can also search for Subscriptions or Management groups using the search bar.
  2. From the list, select an Azure subscription or management group that you want to monitor.
  3. In the navigation menu, click Access Control (IAM).
  4. Click + Add > Add custom role.
  5. Enter Arctic Wolf Networks Network Reader in the Custom role name field.
  6. Click Next > Next.
  7. On the Assignable scopes tab, make sure that the Assignable scope matches the subscription or management group that you selected.
  8. If you have other subscriptions that you want to monitor that are not contained in a management group:
    1. Click + Add assignable scopes.
    2. In the Type list, select Subscription.
    3. In the Select section, click the names of the other subscriptions that you want to monitor.
    4. Click Select.
  9. Click Next.
  10. Copy the actions section from the awn-network-reader.json file that you downloaded in Download and extract the Azure AD configuration file.
  11. Click Edit in the JSON window and paste the copied information into the actions section.
  12. Click Save > Next.
  13. On the Review + create tab, review your changes.
  14. Click Create.
  15. Repeat these steps to create another custom role with these settings:
    • Enter Arctic Wolf Networks Storage Reader in the Custom role name field.
    • On the JSON tab, use the actions section from the awn-storage-account-reader.json file that you downloaded in Download and extract the Azure AD configuration file.
    • Leave all other settings the same as the Arctic Wolf Networks Network Reader role.

Assign roles to the application

For each subscription that you want Arctic Wolf to monitor, complete these steps:

  1. On the Microsoft Azure Portal homepage, under Azure services, click one of these options:
    • Management groups — Monitor a management group that contains multiple subscriptions.
    • Subscriptions — Monitor a specific subscription.
    Tip: You can also search for Subscriptions or Management groups using the search bar.
  2. From the list, select the Azure subscription or management group that you want to monitor.
  3. In the navigation menu, click Access Control (IAM).
  4. Click + Add > Add role assignment.
  5. On the Add role assignment page, complete these steps:
    1. Search for and select Arctic Wolf Networks Storage Account Reader from the Role list.
    2. Click Next.
    3. Click + Select Members.
    4. Search for and select the name of the application you created in Register the application.
    5. Click Review + assign twice.
    6. Repeat this step for each of these roles:
      • Arctic Wolf Networks Network Reader
      • Log Analytics Reader
      • Monitoring Reader
      • Security Reader
  6. On the Role assignments tab, find the application that you created, and then verify these roles are listed:
    • Arctic Wolf Networks Storage Account Reader
    • Arctic Wolf Networks Network Reader
    • Log Analytics Reader
    • Monitoring Reader
    • Security Reader
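As an added check that is not part of Arctic Wolf's procedure, the following Python script compares the role assignments at each scope against the five roles listed above. It assumes the Azure CLI is installed locally (no CloudShell needed) and reads the JSON that `az role assignment list` prints; the sample data in the block is constructed, with placeholder subscription IDs.

```python
"""Added example, not Arctic Wolf's tooling: check the role assignments from
"Assign roles to the application". Input is the JSON list printed by
`az role assignment list --assignee <client-id> --scope <scope> -o json`,
run once per subscription or management group and merged into one list."""
import json
from collections import defaultdict

# The five roles the procedure assigns, named exactly as in the portal.
EXPECTED_ROLES = {
    "Arctic Wolf Networks Storage Account Reader",
    "Arctic Wolf Networks Network Reader",
    "Log Analytics Reader",
    "Monitoring Reader",
    "Security Reader",
}


def missing_roles_by_scope(assignments: list) -> dict:
    """Map each scope with at least one assignment to the expected roles it lacks.
    Assignments made at a management group show under that group's scope, not
    under each child subscription, so check the scope you actually assigned at."""
    granted = defaultdict(set)
    for entry in assignments:
        # Only assignments to service principals count, i.e. the registered app.
        if entry.get("principalType") == "ServicePrincipal":
            granted[entry["scope"]].add(entry["roleDefinitionName"])
    return {scope: EXPECTED_ROLES - roles for scope, roles in granted.items()}


def report(assignments_json: str) -> dict:
    """Return {scope: sorted missing roles}; an empty dict means every scope is complete."""
    missing = missing_roles_by_scope(json.loads(assignments_json))
    return {scope: sorted(roles) for scope, roles in missing.items() if roles}


# Constructed sample (placeholder subscription IDs, not real output):
# subscription ...0001 is complete, ...0002 lacks the two custom roles.
SUB_OK = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB_INCOMPLETE = "/subscriptions/00000000-0000-0000-0000-000000000002"


def _entry(scope: str, role: str) -> dict:
    return {"roleDefinitionName": role, "scope": scope, "principalType": "ServicePrincipal"}


SAMPLE = json.dumps(
    [_entry(SUB_OK, r) for r in sorted(EXPECTED_ROLES)]
    + [_entry(SUB_INCOMPLETE, r) for r in ("Log Analytics Reader", "Monitoring Reader", "Security Reader")]
)

if __name__ == "__main__":
    for scope, roles in report(SAMPLE).items():
        print(f"{scope}: missing {', '.join(roles)}")
```

Run it against your own output before step 6 of "Provide Microsoft Azure AD credentials to Arctic Wolf"; any scope it prints still needs role assignments.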

Provide Microsoft Azure AD credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Azure Graph.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Application (client) ID — Enter the application (client) ID.
    • Directory (tenant) ID — Enter the directory (tenant) ID.
    • Client Secret Value — Enter the value for the client secret.
    • Microsoft Cloud — Select the option that matches your Microsoft Cloud or Azure AD environment type.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.
    • To exclude polling for non-interactive user sign-in data, select the Exclude non-interactive user data checkbox.
      Note: By default, Arctic Wolf polls for all non-interactive user sign-in data. If you do not select this checkbox, we will continue to poll for all non-interactive user sign-in data.
  6. Click Test and submit credentials.