Managed Security Awareness configuration Direct link to this section

Arctic Wolf's Managed Security Awareness® (MA) delivers security awareness and compliance training through micro-learning sessions, quizzes, automated phishing simulations, and compliance training modules. This guide explains the required initial configuration process for MA that must be completed before launching the MA program for your organization. Users in the MA program receive program communications through email only. It is important that you correctly configure your email environment so users can successfully receive assigned sessions, quizzes, and phishing simulation emails from the program.

Before you begin Direct link to this section

Get the MA IP address to allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If you are a Managed Security Awareness customer.

Steps Direct link to this section

1. Enroll users to your MA program.
2. Add MA to email gateway and spam filtering allowlists.
3. Add MA to email allowlists.
4. Configure browsers to autoplay MA sessions.
5. Notify users of the MA program.

Step 1: Enroll users to your MA Program Direct link to this section

Depending on how your users are set up in your organization, complete one of the following options to enroll users to the MA program:

• Enroll users with Azure or Microsoft 365 Active Directory
• Enroll users with a CSV file

Enroll users to your MA program with Azure or Microsoft 365 Active Directory Direct link to this section

You can enroll users to the MA program using Azure or Microsoft 365 Active Directory.

Before you begin Direct link to this section

• Make sure you have created an AD group that contains the users that you want to include in the MA program. A user is defined as a single licensed user associated with one email account. Users cannot be non-human roles.
• Make sure your AD Groups are Security Groups. Nested groups, contacts, or distribution lists cannot be used.

Steps Direct link to this section

1. If you are using:

   • Azure AD — Sign in to the Azure AD admin center, and then select Azure Active Directory.
   • Microsoft 365 — Sign in to the administration center, and then select Azure Active Directory from the navigation pane. This opens the Azure AD admin center.

2. Under Manage, select App registrations.

3. Click New registration.

4. In the Name text box, enter the name that you want displayed for your application. We recommend naming it Arctic Wolf Managed Security Awareness Integration.

5. Confirm that Supported account types is set to Accounts in this organizational directory only (Single tenant).

6. Click Register. This opens the page for the newly registered application.

7. Take note of the following values that are used in the MA Portal in a later step:

   • Application (client) ID
   • Directory (tenant) ID

8. In a new browser tab, sign in to the MA Portal.

9. Click the Gear icon, and then select User Management.

10. Enter the Application (client) ID and Directory (tenant) ID values from the Azure AD admin center in the corresponding fields in the MA Portal.

11. Return to the Azure AD admin center, and in the navigation pane under Manage, select API permissions.

12. Click Add a permission, and then select Microsoft Graph.

13. Select Application permissions.

    Note: Do not select Delegated permissions. This will not provide the API permissions required for MA setup and generates an insufficient permissions error message.

14. In the Select permissions search box, search for and select the following permissions:

    • Directory.Read.All
    • User.Read.All

15. Click Add permissions. The Configured permissions screen lists the permissions that you added. Confirm the following:

    • Ensure User.Read is selected.
    • In the Status column beside each permission, if you see a message similar to Not granted for <company name>, click Grant admin consent for <company name>.

16. In the navigation pane, under Manage, select Certificates & secrets.

17. In the Client secrets section, select + New client secret, and then create the secret:

    Note: Failure to click Grant admin consent for <company name> generates an insufficient permissions error message.

    1. Enter a meaningful description for the Client Secret, such as Arctic Wolf Secret.
    2. Set the expiry period to 24 months.
    3. Click Add.

18. Verify that your new client secret appears in the Client Secrets section, and then copy the exposed Value using the copy to clipboard button. The Value is only viewable during the application registration.

19. Return to the separate tab open to the MA Portal and paste the Client Secret value and expiry date into the corresponding fields of the User Management Tool.

20. Select Test Connection to ensure the permissions and criteria for the configuration are correct.

21. Return to the Azure Active Directory tab and select Manage > Groups. We use groups to query all users that partake in MA training. If you:

    • Have an existing group — Proceed to the next step.
    • Do not have an existing group — Click Groups > New Groups, and then enter group information and select the appropriate users for this group. We recommend naming the new group either as Arctic Wolf Managed Security Awareness, AW MSA, or AW Managed Awareness so that you can easily identify the group.

    Notes:

    • You cannot select a group containing other groups.
    • Arctic Wolf cannot sync more than one group.
    • If you select an existing group, make sure the group does not contain non-human users, such as fax machines, copy machines, conference rooms, or distribution email groups.

22. Review the accuracy of the values in the User Management tool:

    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret value
    • Group Name
    • The Client Secret expiry date

23. Manage AD Groups and users by completing the steps in Managing users in the Managed Security Awareness Dashboard User Guide.

Enroll users to your MA program with a CSV file Direct link to this section

If you are not using Azure or Microsoft 365 Active Directory to enroll users, enroll users with a CSV file.

1. Create a CSV file with these column headers in this exact order, from left to right:
   1. FirstName
   2. LastName
   3. Email
2. Fill in the rows with corresponding information of the users that you want to add to the program.
3. Sign in to the Arctic Wolf Portal, and then do one of the following:
   • If you are an Arctic Wolf customer, proceed to the next step.
   • If you are an MSP customer, complete these additional steps:
     1. Search for the desired customer account.
     2. Select Switch Customer.
4. Submit a ticket with the CSV attachment and instructions for how to update the existing user list:
   1. From the menu, select Contact Your CST or Contact Onboarding.
   2. Enter a subject and message in the contact form with instructions for whether the users listed in the CSV file should be added to, be removed from, or overwrite the existing user list.
   3. Upload the CSV file.
   4. Click Send.

Step 2: Add MA to email gateway and spam filtering Direct link to this section

Third-party email gateway or spam filtering services typically follow the allowlisting instructions provided for your email service. To ensure that the MA IP address, email headers, and phishing domains have been allowed in their policies, submit a ticket in the Arctic Wolf Portal for assistance with configuration. You can also refer to the following third-party documentation for more information:

• Proofpoint
• Mimecast
• Barracuda
• Barracuda Intent Analysis

Step 3: Add MA to email allowlists Direct link to this section

Once you have added your users to the MA program, you can add MA's IP address to your email provider's allowlists to ensure your users can receive emails from the MA program. Follow the set of instructions below based on the email provider used in your organization:

• Microsoft 365
• Google Workspace

Configure MA allowlisting in Microsoft 365 Direct link to this section

1. Allowlist the MA IP address in Microsoft 365.
2. Configure the advanced delivery policy in Microsoft 365.
3. Determine your Microsoft Defender 365 plan.
4. Configure your allowlist in Microsoft Defender.

Step 1: Allowlist the MA IP address in Microsoft 365 Direct link to this section

In Microsoft 365, you can use mail flow rules to allow emails from trusted senders using a message header or a trusted IP address.

1. Log in to Microsoft 365 Defender.
2. Under Email & Collaboration, go to Policies & rules > Threat policies.
3. In the Policies section, select Anti-spam.
4. In the Name column, select the Connection filter policy, and click the arrow to expand the row.
5. Click Edit connection filter policy.
6. Under Always allow messages from the following IP addresses text box, enter the MA IP address.
7. Select the Turn on safe list checkbox.
8. Click Save.
9. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
   1. Sign in to your MA Portal at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

See Create safe sender lists in EOP on the Microsoft website for more information on these configuration settings.

Step 2: Configure the advanced delivery policy in Microsoft 365 Direct link to this section

Microsoft 365 filters out high confidence phishing attempts, even if an allowlist or filtering bypass has been configured. To ensure that MA phishing simulation emails are not filtered as high confidence phishing attempts, use the advanced delivery policy in Microsoft 365 Defender. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes in the Microsoft documentation for more information about the advanced delivery policy.

Before you begin Direct link to this section

• Ensure that you have the required user permissions to create and modify advanced delivery policy settings. For more information, see What do you need to know before you begin? in the Microsoft documentation.

Steps Direct link to this section

1. Sign in to the Microsoft 365 Defender portal to access the Advanced delivery page.
2. Select the Phishing simulation tab. If there are:
   • Configured phishing simulations — Click Edit.
   • No configured phishing simulations — Click Add.
3. In the Edit third-party phishing simulation menu that opens, select Domain.
4. Enter the domains below, specific to the language the simulations will be sent, and select Enter after each entry:
   • All languages:
     • arcticwolf.com
   • English:
     • automated-mailsender.com
     • mail-donotreply.com
     • humanresources-mailer.com
     • internal-humanresources.com
     • helpdesk-itsupport.com
     • internalcorporate-mailer.com
     • securityalert-corporate.com
     • corporate-alert.com
     • itsupport-corporate.com
   • German:
     • mitarbeiter-helpdesk.de
     • unternehmenssicherheit-alarm.de
     • itsupport-mitarbeiter.de
     • admin-hinweis.de
5. Select Sending IP.
6. Enter the MA IP address, and then select the Enter key.
7. Select Simulation URLS to allow.
8. In the Simulation URLs to allow, enter *.arcticwolf.com/*.
9. If you are editing:
   • An existing phishing simulation — Click Save.
   • A new phishing simulation — Click Add.
10. Click Close.
11. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA Portal at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Step 3: Determine your Microsoft Defender Office 365 plan Direct link to this section

If your organization uses Microsoft Defender for Office 365, MA program emails are sent to quarantine if you have either Safe Link polices or Default Microsoft Defender policies enabled. If these policies are enabled, MA emails must be allowlisted to avoid being flagged as containing a malicious link.

1. In Microsoft Defender, go to Policies & Rules > Threat policies.
2. Under Policies, locate Safe Links. If you see text that indicates Safe Links is not available, this means that you are on Microsoft Defender Office 365 Plan 1.

Step 4: Allowlist the MA IP address in Microsoft Defender Direct link to this section

Follow the instructions below based on your Microsoft Defender Office 365 plan:

• Plan 1
• Plan 2

Allowlist the MA IP address for Microsoft Defender Office 365 Plan 1 Direct link to this section

1. Go to Microsoft Exchange or Office Admin Center.

2. Click Mail Flow.

3. Click +, and then Bypass spam filtering....

4. In the Name text box, enter a name for this rule. For example, Bypass Arctic Wolf MA URL.

5. Click More Options.

6. In the Apply this rule if... dropdown list, select The Sender..., and and then in the next dropdown that displays, select IP address is in any of these ranges or exactly matches...

   Note: If you are not able to add an IP address, follow these steps instead:

   1. In the Apply this rule if… dropdown list, select A message header, and in the next dropdown that displays, select includes any of these words.
   2. In the message header text box, enter the MA header value. This value can be found in the same area of the Arctic Wolf Portal where the MA IP address is located.

7. In the specify IP address ranges text box, enter the MA IP address, and then click Add.

8. In the Do the following... dropdown list, select Modify the message properties..., and then in the next dropdown that displays, select set a message header.

9. Under Set the message header, click Enter text.

10. In the message header text box, enter X-MS-Exchange-Organization-SkipSafeLinksProcessing, and then click Save.

11. Click Enter text.

12. In the message header text box, enter 1, and then click Save.

13. Click Save.

    Your settings should look similar to the settings displayed in the image below.

    

Allowlist the MA IP address for Microsoft Defender Office 365 Plan 2 Direct link to this section

1. Sign in to Microsoft 365 Defender or to the Microsoft 365 Admin Center and click Security Admin Center.
2. Navigate to Email & Collaboration > Policies & Rules > Threat Policies > Safe Links.
3. Click + Create to create a new Safe Links policy.

   Note: If you have an existing custom Safe Links policy, you can edit that instead. Select the policy and click Edit in each section to modify the settings as appropriate.

4. Enter a name for the policy. We recommend an easily identifiable name, such as AW MSA Safe Links Policy.
5. Click Next.
6. On the Users and domains page, enter the users, groups, and domains for the policy to apply to.
7. Click Next.
8. On the URL & click protection settings page, for Action on potentially malicious URLs within Emails, select On.
9. Under Do not rewrite the following URLs in email, click Manage <number> URLs, where <number> is the number of URLs that are not rewritten.
10. Click + Add URLs to add this URL: *.arcticwolf.com/*.
11. In the Click protection settings section:
    1. Make sure the Track user clicks checkbox is selected.
    2. Select the Let users click through to the original URL checkbox.
12. Click Save.
13. Leave the remaining default settings and click Next.
14. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA Portal at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

See Microsoft's documentation Safe Links in Microsoft Defender for Office 365 for more information on setting up Safe Links policies.

Configure MA allowlisting in Google Workspace Direct link to this section

1. Allowlist the MA IP address
2. Configure header filtering

Step 1: Allowlist the MA IP address in Google Workspace Direct link to this section

1. Sign in to the Google admin console.
2. Click Apps, and then click Google Workspace from the list.
3. Click Gmail.
4. Click Spam, Phishing and Malware.
5. On the left pane, select your organization's domain.
6. On the Spam, phishing and malware tab, scroll to the Email whitelist setting or, in the search field, enter Email whitelist.
7. Enter the MA IP address into the Email Allow List text box.
8. Click Save.

   Note: It can take up to 24 hours for your changes to take effect.

Step 2: Configure header filtering in Google Workspace Direct link to this section

1. Sign in to the Google admin console.
2. Click Apps, and then click Google Workspace from the list.
3. Click Gmail.
4. Click Compliance to expand it.
5. Under Objectionable Content, click Configure.
6. Select Name the content > Inbound > Add custom headers.
7. Enter the header values for MA.
8. Select Bypass spam filter for this message
9. Click Save.

   Note: It can take up to 24 hours for your changes to take effect.

10. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA Portal at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Step 4: Configure browsers to autoplay MA sessions Direct link to this section

To ensure that the MA sessions play automatically in a browser, your users should configure their browsers to automatically play video content based on their browser and operating system:

• macOS
• Windows

Configure browsers to autoplay MA sessions in macOS Direct link to this section

• Firefox
• Microsoft Edge
• Safari

Configure Firefox to autoplay MA sessions in macOS Direct link to this section

1. In a new browser tab, select Firefox > Preferences.
2. In the navigation pane, select Privacy & Security.
3. In the Permissions section, locate the Autoplay row, and then select Settings.
4. Set the value for Default for all websites to Allow Audio and Video.
5. Select Save Changes.

Configure Microsoft Edge to autoplay MA sessions in macOS Direct link to this section

1. In a new browser tab, select Microsoft Edge > Preferences.
2. From the navigation pane, select Cookies and Site Permissions.
3. Select Media Autoplay.
4. Select Allow from the list.

Configure Safari to autoplay MA sessions in macOS Direct link to this section

1. Open a Managed Security Awareness session in a new browser tab.
2. From the Apple menu bar, select Safari > Settings for this website.
3. Set the value for Auto-Play to Allow all Auto-Play.

Configure browsers to autoplay MA sessions in Windows Direct link to this section

• Firefox
• Microsoft Edge

Configure Firefox to autoplay MA sessions in Windows Direct link to this section

1. In a new browser tab, select the kebab menu, which is three vertically stacked dots, and then select Settings.
2. From the navigation pane, select Privacy & Security.
3. In the Permissions section, locate the Autoplay row, and then select Settings.
4. Set the value for Default for all websites to Allow Audio and Video.
5. Select Save Changes.

Configure Microsoft Edge to autoplay MA sessions in Windows Direct link to this section

1. In a new browser tab, select the hamburger menu, which is three stacked horizontal lines, and then select Settings.
2. From the navigation pane, select Cookies and Site Permissions.
3. Select Media Autoplay.
4. Select Allow from the list.

Step 5: Notify users of the MA program Direct link to this section

Now that you have configured your environment to receive the MA program emails, we recommend that you notify your users about the upcoming start of your MA program before the go live date. The timing of this notification is important and should be coordinated with your Arctic Wolf Project Manager. The notification should be sent to your users approximately one to two weeks before the go live date.

Administrators can use the User Welcome Message Template found in the Administrator Toolkit.