Configure the Arctic Wolf Microsoft 365 deployment application

Configure Microsoft 365 for Arctic Wolf log monitoring using the deployment application

You can use the deployment application to configure Microsoft 365® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

Complete these steps for each tenant that you want Arctic Wolf to monitor.

These resources are required:

  • An Exchange Online mailbox.
  • A user account with Global Administrator permissions.
  • A Windows machine or virtual machine (VM) that you can run the configuration executables on.
  • Firewall exceptions for Arctic Wolf IP addresses, if your cloud firewall settings require them. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

Install GUI executables or scripts for Arctic Wolf monitoring

You can install the GUI executables or scripts for Microsoft 365 for Arctic Wolf monitoring.

  1. Download awn-configure-python.zip.
  2. On your machine, navigate to the zip file, and then extract the contents.
    The awn-configure-python folder is extracted.
  3. Based on your operating system, do one of these actions:
    • Windows —
      1. Open the apps/windows folder.
      2. Double-click o365_gui_windows.exe.
    • macOS —
      1. Open the apps folder.
      2. Click the mac folder that corresponds with the CPU of your machine. For example, Intel or M-series.
      3. Double-click o365_gui_mac_cpu_name.
        Note: You may receive an error message similar to: "file_name" cannot be opened because it is from an unidentified developer. To open the file, open System Settings, and click the Privacy & Security tab. In the Security section, for the appropriate error message, click Open Anyway.
    The script takes 10-20 seconds to load.

Create an application for Microsoft 365 Tenant

You can create an application for Microsoft 365 Tenant using the Arctic Wolf Microsoft 365 deployment application.

  1. Open the Arctic Wolf Microsoft 365 deployment application.
  2. In the Select Application Type window, based on the tenant that your organization uses, select one of these options:
    • Standard — If your organization uses Commercial or Government Community Cloud.
    • GCC High — If your organization uses Government Community Cloud High.
  3. In the Office 365 Standard Application Configuration window, click Create Application.
    Note: If the Microsoft 365 application already exists, you receive an error message. Complete Delete an application for Microsoft 365 Tenant for the appropriate application, and then try again.
  4. Click OK.
    In your web browser, the Microsoft permissions requested page opens.
  5. Click Accept.
    Expected URL output: admin_consent=True.
    Note: You may receive this error in the URL: error=access_denied. To resolve this error, copy the link provided in your terminal or complete Update an application for Microsoft 365 Tenant.
  6. On your machine, open the applicable output folder, and then open the credentials text file.
    Tip: The output folder is located in the same directory that the application was launched from. The credentials file name will be similar to application_name-creds-timestamp.
    You will provide these credentials to Arctic Wolf later.

Enable auditing

Audit logs record user and administrative activity within your organization. For more information, see Turn auditing on or off.

Note:
  • By default, only users with E5/A5/G5 licenses have audit events in the Microsoft Purview compliance portal or Office 365 (O365) Management Activity API. For more information, see Manage mailbox auditing.

  • Auditing can take up to 24 hours to update in the Microsoft 365 environment.

  1. Sign in to the Microsoft Purview compliance portal as an administrator or a user with the Audit Logs role assigned.

    You can verify your roles on the Permissions page in the Exchange admin center.

  2. In the navigation menu, click Solutions > Audit.
  3. Do one of these actions, depending on whether a banner:
    • Displays — Auditing is not enabled. On the banner, click Start recording user and admin activity.
    • Does not display — Auditing is already enabled. If you want to confirm that it is enabled, you can use Exchange Online PowerShell:
      Note: You cannot use Security & Compliance PowerShell to run these commands.
      1. Open PowerShell.
      2. Run this command to install the Exchange Online module:
        POWERSHELL
        Install-Module ExchangeOnlineManagement
      3. Run this command to connect to and authenticate with Exchange Online:
        POWERSHELL
        Connect-ExchangeOnline
      4. Run this command in Exchange Online PowerShell to verify that auditing is available:
        POWERSHELL
        Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

        If auditing is enabled, the expected output is similar to UnifiedAuditLogIngestionEnabled: True.

      5. If auditing is not enabled, run this command:
        POWERSHELL
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

        Auditing is enabled.

  4. (Users without E5/A5/G5 licenses) Run the appropriate command in Exchange Online PowerShell to retrieve audit log events for current user mailboxes:
    Note: You must rerun the appropriate command to retrieve audit log events for new user mailboxes created in the future.
    Option: For an individual user

    Run this command:
    POWERSHELL
    Set-Mailbox -Identity <user_mailbox> -AuditEnabled $true

    Where:

    • user_mailbox is the user principal name associated with the mailbox.

    Option: For all users

    1. Run this command:
      POWERSHELL
      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
    2. Run this command to update the global default settings:
      POWERSHELL
      Set-OrganizationConfig -AuditDisabled $false

      Users created after this configuration inherit the proper auditing settings.

  5. Optional: Click Search to see a list of all activities recorded within the specified time range.
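As an added example (not from this page or from Arctic Wolf), the following PowerShell script performs the checks from steps 3 and 4 in one pass: it reports whether unified audit log ingestion, the organization-level mailbox audit default, and per-mailbox auditing are in place, and only changes settings when run with the -Fix switch (the switch is this example's own convention). It assumes the ExchangeOnlineManagement module is installed and that you sign in with an account holding the required Exchange Online role.

```powershell
# Added example, not Arctic Wolf's script: audit-coverage check for Microsoft 365.
# Run without -Fix to report only; run with -Fix to enable what is missing.
param(
    [switch]$Fix
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide unified audit log ingestion (the source of Management Activity API events).
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is DISABLED."
    if ($Fix) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        Write-Output "Enabled unified audit log ingestion (can take up to 24 hours to take effect)."
    }
} else {
    Write-Output "Unified audit log ingestion: enabled."
}

# 2. Organization default for mailbox auditing; mailboxes created later inherit this.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level."
    if ($Fix) { Set-OrganizationConfig -AuditDisabled $false }
}

# 3. Per-mailbox auditing for existing user mailboxes (relevant for users without E5/A5/G5).
$notAudited = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Where-Object { -not $_.AuditEnabled }

if (-not $notAudited) {
    Write-Output "All user mailboxes have auditing enabled."
} else {
    $names = ($notAudited | Select-Object -ExpandProperty UserPrincipalName) -join ", "
    Write-Warning ("{0} user mailbox(es) without auditing: {1}" -f @($notAudited).Count, $names)
    if ($Fix) {
        $notAudited | Set-Mailbox -AuditEnabled $true
        Write-Output "Enabled auditing on $(@($notAudited).Count) mailbox(es)."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Rerun the script without -Fix after onboarding new users; any mailbox it lists was created without auditing and will not produce events for Arctic Wolf until it is fixed.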

Provide Microsoft 365 credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Office 365 Graph.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application ID from Create an application for Microsoft 365 Tenant.
    • Directory (tenant) ID — Enter the directory ID from Create an application for Microsoft 365 Tenant.
    • Client Secret Value — Enter the client secret from Create an application for Microsoft 365 Tenant.
    • Microsoft Cloud list — Select either global or gcc. The value you select should match your Microsoft Cloud or Microsoft Entra ID environment type.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

    • To exclude polling for non-interactive user sign-in data, select the Exclude non-interactive user data checkbox.
      Note: By default, Arctic Wolf polls for all non-interactive user sign-in data. If you do not select this checkbox, we will continue to poll for all non-interactive user sign-in data.
  6. Click Test and submit credentials.

Update an application for Microsoft 365 Tenant

You can update an application for Microsoft 365 Tenant using the Arctic Wolf Microsoft 365 deployment application.

  1. Open the Arctic Wolf Microsoft 365 deployment application.
  2. In the Select Application Type window, based on the tenant that your organization uses, select one of these options:
    • Standard — If your organization uses Commercial or Government Community Cloud.
    • GCC High — If your organization uses Government Community Cloud High.
  3. On the Office 365 Standard Application Configuration window, click Update Application.
  4. Click OK.
    The Microsoft 365 application is updated.

Delete an application for Microsoft 365 Tenant

If you no longer require an application for Microsoft 365 Tenant, you can delete it from the Microsoft 365 Portal using the Arctic Wolf Microsoft 365 deployment application.

  1. Open the Arctic Wolf Microsoft 365 deployment application.
  2. In the Select Application Type window, based on the tenant that your organization uses, select one of these options:
    • Standard — If your organization uses Commercial or Government Community Cloud.
    • GCC High — If your organization uses Government Community Cloud High.
  3. On the Office 365 Standard Application Configuration window, click Delete Application.
  4. Click OK.
    The Microsoft 365 application is deleted.