Overview of Managed Security Awareness configuration # Direct link to this section

Arctic Wolf's Managed Security Awareness® (MA) delivers security awareness and compliance training through micro-learning sessions, quizzes, automated phishing simulations, and compliance training modules. This guide explains the required initial configuration process for MA that must be completed before launching the MA program for your organization. Users in the MA program receive program communications through email only. Users in the MA program receive program communications through email only. It is important that you correctly configure your email environment so users can successfully receive assigned sessions, quizzes, and phishing simulation emails from the program.

Configuring MA # Direct link to this section

To configure MA for your organization, follow the instructions below:

1. Enroll users to your MA program.
2. Add MA to email allowlists.
3. Add MA to email gateway and spam filtering allowlists.
4. Configure browsers to autoplay MA sessions.
5. Notify users of the MA program.

Step 1: Enrolling users to your MA Program # Direct link to this section

Depending on how your users are set up in your organization, complete one of the following options to enroll users to the MA program:

• Enroll users using Azure Active Directory (AD) or Microsoft 365
• Enroll users using a CSV file

Enrolling users using Azure Active Directory or Microsoft 365 # Direct link to this section

To enroll users to the MA program using Azure AD or Microsoft 365:

1. If you are using:

   • Azure AD — Sign in to the Azure AD admin center, and then select Azure Active Directory.
   • Microsoft 365 — Sign in to the administration center, and then select Azure Active Directory from the navigation pane. This opens the Azure AD admin center.

2. Under Manage, select App registrations.

3. Click New registration.

4. In the Name text box, enter the name that you want displayed for your application. We recommend naming it Arctic Wolf Managed Security Awareness Integration.

5. Confirm that Supported account types is set to Accounts in this organizational directory only (Single tenant).

6. Click Register. This opens the page for the newly registered application.

7. Take note of the following values that you will share with Arctic Wolf using the Egnyte link provided to you in a later step:

   • Application (client) ID
   • Directory (tenant) ID

8. In the navigation pane under Manage, select API permissions.

9. Click Add a permission, and then select Microsoft Graph.

10. Select Application permissions.

    Note: Do not select Delegated permissions. This will not provide the API permissions required for MA setup.

11. In the Select permissions search box, search for and select the following permissions:

    • Directory.Read.All
    • User.Read.All

12. Click Add permissions. The Configured permissions screen lists the permissions that you added. Confirm the following:

    • Ensure User.Read is selected (permission selected by default).
    • In the Status column beside each permission, if you see a message similar to Not granted for <company name>, click Grant admin consent for <company name>.

13. In the navigation pane, under Manage, select Certificates & secrets.

14. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the client secret, such as Arctic Wolf Secret.
    2. Set the expiry period to 24 months.
    3. Click Add.

15. Verify that your new client secret appears in the Client Secrets section, and then copy Value to a secure location. The Value is only viewable during the application registration. Make note of the following items that you will provide using the Egnyte link provided to you in a later step:

• The Value (not the Secret ID)
• The expiry period that you selected (24 months is recommended)

  Note: If you did not copy the Value during the application registration and you no longer see it, delete the secret that you created and follow the steps above to create a new client secret to get the Value.

15. In the Azure Active Directory menu, select Manage > Groups. We use groups to query all users that partake in MA training. If you:

    • Have an existing group — Proceed to the next step.
    • Do not have an existing group — Click Groups > New Groups, and then enter group information and select the appropriate users for this group.

    Notes:

    • You cannot select a group containing other groups.
    • Arctic Wolf cannot sync more than one group.

16. Make note of the Group Name value. You must later provide this value to Arctic Wolf using the Egnyte link provided to you.

17. Provide these values for your Azure AD or Microsoft 365 environment to your Arctic Wolf Project Manager through a secure file in the Egnyte link provided to you:

    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret value
    • Group Name
    • The expiry period for Client Secret

    Note: Arctic Wolf provides the Egnyte link to you before you add users to the MA program.

Enrolling users using a CSV file # Direct link to this section

If you are not using Azure AD or Microsoft 365 to enroll users, enroll users using a CSV file:

1. Create a CSV file with these column headers in this exact order, from left to right:
   1. FirstName
   2. LastName
   3. Email
2. Fill in the rows with corresponding information of the users that you want to add to the program.
3. Sign in to the Arctic Wolf Portal, and then do one of the following:
   • If you are an Arctic Wolf customer, proceed to the next step.
   • If you are an MSP customer, complete these additional steps:
     1. Search for the desired customer account.
     2. Select Switch Customer.
4. Submit a ticket with the CSV attachment and instructions for how to update the existing user list:
   1. From the menu, select Contact Your CST.
   2. Enter a subject and message in the contact form with instructions for whether the users listed in the CSV file should be added to, be removed from, or overwrite the existing user list.
   3. Upload the CSV file.
   4. Click Send to submit the ticket to your Concierge Security® Team (CST).

Step 2: Adding MA to email allowlists # Direct link to this section

Once you have added your users to the MA program, you can add MA's IP address to your email provider's allowlists to ensure your users can receive emails from the MA program. Follow the set of instructions below based on the email provider used in your organization:

• Microsoft 365
  • Microsoft 365: Configuring your allowlist
  • Microsoft 365: Configuring the advanced delivery policy
  • (Optional) Microsoft 365: Bypassing the junk
• Microsoft Exchange 2013 and 2016
  • Microsoft Exchange: Configuring your allowlist
  • (Optional) Microsoft Exchange: Bypassing clutter and spam filtering
• Microsoft Defender: Configuring your allowlist
• Google Workspace
  • Google Workspace: Configuring your allowlist
  • Google Workspace: Configuring header filtering

Microsoft 365: Configuring your allowlist # Direct link to this section

In Microsoft 365, you can use mail flow rules to allow emails from trusted senders using a message header or a trusted IP address. To allowlist the MA IP address in Microsoft 365:

1. Log in to Microsoft 365 Defender.
2. Under Email & Collaboration, go to Policies & rules > Threat policies.
3. In the Policies section, select Anti-spam.
4. In the Name column, select the Connection filter policy, and click the arrow to expand the row.
5. Click Edit connection filter policy.
6. Under Always allow messages from the following IP addresses text box, enter the MA IP address.
7. Select the Turn on safe list checkbox.
8. Click Save.
9. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
   1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

See Create safe sender lists in EOP on the Microsoft website for more information on these configuration settings.

Microsoft 365: Configuring the advanced delivery policy # Direct link to this section

Microsoft 365 filters out high confidence phishing attempts, even if an allowlist or filtering bypass has been configured. To ensure that MA phishing simulation emails are not filtered as high confidence phishing attempts, use the advanced delivery policy in Microsoft 365 Defender. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes in the Microsoft documentation for more information about the advanced delivery policy.

To configure third-party phishing simulations in the advanced delivery policy:

1. Sign in to the Microsoft 365 Defender portal to access the Advanced delivery page.
2. Select the Phishing simulation tab. If there are:
   • Configured phishing simulations — Click Edit.
   • No configured phishing simulations — Click Add.
3. In the Edit third-party phishing simulation menu that opens, select Domain.
4. Enter these domains, ensuring that you select the Enter key after each entry to continue:
   • arcticwolf.com
   • automated-mailsender.com
   • mail-donotreply.com
   • humanresources-mailer.com
   • internal-humanresources.com
   • helpdesk-itsupport.com
   • itsupport-corporate.com
   • internalcorporate-mailer.com
   • mailsender-gov.com
   • government-emailer.com
   • mailserver-edu.com
   • campus-mailserver.com
   • securityalert-corporate.com
   • corporate-alert.com
5. Select Sending IP.
6. Enter the MA IP address, and then select the Enter key.
7. Select Simulation URLS to allow.
8. In the Simulation URLs to allow, enter *.arcticwolf.com/*.
9. If you are editing:
   • An existing phishing simulation — Click Save.
   • A new phishing simulation — Click Add.
10. Click Close.
11. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

(Optional) Microsoft 365: Bypassing the Junk folder # Direct link to this section

If you want to configure MA emails to bypass the junk folder and ensure your users receive them in their inbox, configure the following rule:

1. Sign in to your Microsoft Outlook administrative portal.
2. Under Apps, click Admin.
3. In the navigation pane, under Admin centers, click Exchange.
4. In the sidebar, select mail flow.
5. In the rules tab, click + to expand the menu, and then click Bypass spam filtering.
6. Enter a name such as Arctic Wolf junk filter into the Name text box.
7. In the Apply this rule if menu, select The Sender > IP address is any of these ranges or exactly matches.
8. Enter the MA IP address in the text box, and then click OK.
9. In the Do the following menu, select Modify the message properties > set a message header.
10. Click Enter text to set the message header, and then enter X-ArcticWolf.
11. Click OK.
12. After to the value, click Enter text to set the value, and then enter Arctic Wolf.
13. Click OK.
14. Click Save.
15. Under Properties of this rule, set the Priority value.
16. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
    2. From the menu bar, select Adminisitration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Microsoft Exchange: Configuring your allowlist # Direct link to this section

To allowlist the MA IP address in Microsoft Exchange:

1. Sign in to your Microsoft Outlook administrative portal.
2. Under Apps, click Admin.
3. In the navigation pane, under Admin centers click Exchange.
4. Under protection, click connection filter.
5. Select the pencil to edit the default connection filter policy.
6. In the sidebar, click connection filtering.
7. Under IP Allow list, click +.
8. On the Add allowed IP address page, enter the MA IP address.
9. Click OK, and then click Save.
10. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

(Optional) Microsoft Exchange: Bypassing clutter and spam filtering # Direct link to this section

To configure MA emails to bypass clutter and spam filtering in Microsoft Exchange:

1. Sign in to your Microsoft Outlook administrative portal.
2. Under Apps, click Admin.
3. In the navigation pane, under Admin centers click Exchange.
4. In the sidebar, select mail flow.
5. In the rules tab, click + to expand the menu, and then click Bypass spam filtering.
6. Enter a name such as Bypass clutter and spam filtering by IP address into the Name text box.
7. In the Apply this rule if menu, select The sender > IP address is any of these ranges or exactly matches.
8. Enter the MA IP address in the text box, and then click OK.
9. In the Do the following menu, select Modify the message properties > set a message header.
10. Click Enter text to set the message header, and then enter X-ArcticWolf.

    Tip: This field is case-sensitive.

11. Click OK.
12. After to the value, click Enter text to set the value, and then enter Arctic Wolf.
13. Click OK.
14. Click add action.
15. In the Do the following menu, select Modify the message properties > Set the spam confidence level (SCL) to > Bypass spam filtering.
16. Click Save.
17. Verify your settings are working correctly by sending an MA program test email to yourself or admins.
    1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Microsoft Defender: Configuring your allowlist # Direct link to this section

If your organization uses Microsoft Defender, MA program emails are sent to quarantine if you have either Safe Link polices or Default Microsoft Defender policies enabled. If these policies are enabled, MA emails must be allowlisted to avoid being flagged as containing a malicious link.

To allowlist the MA IP address for Safe Links in Microsoft Defender:

1. Sign in to Microsoft 365 Defender or to the Microsoft 365 Admin Center and click Security Admin Center.
2. Navigate to Email & Collaboration > Policies & Rules > Threat Policies > Safe Links.
3. Click + Create to create a new Safe Links policy.

   Note: If you have an existing custom Safe Links policy, you can edit that instead. Select the policy and click Edit in each section to modify the settings as appropriate.

4. Enter a name for the policy. We recommend an easily identifiable name, such as AW MSA Safe Links Policy.
5. Click Next.
6. On the Users and domains page, enter the users, groups, and domains for the policy to apply to.
7. Click Next.
8. On the URL & click protection settings page, for Action on potentially malicious URLs within Emails, select On.
9. Under Do not rewrite the following URLs in email, click Manage <number> URLs, where <number> is the number of URLs that are not rewritten.
10. Click + Add URLs, add the URL https://satcontent.arcticwolf.com.
11. Click Save.
12. Leave the remaining default settings and click Next.
13. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Google Workspace: Configuring your allowlist # Direct link to this section

To allowlist the MA IP address in Google Workspace:

1. Sign in to the Google admin console.
2. Click Apps, and then click Google Workspace from the list.
3. Click Gmail.
4. Click Spam, Phishing and Malware.
5. On the left pane, select your organization's domain.
6. On the Spam, phishing and malware tab, scroll to the Email whitelist setting or, in the search field, enter Email whitelist.
7. Enter the MA IP address into the Email Allow List text box.
8. Click Save.

   Note: It can take up to 24 hours for your changes to take effect.

Google Workspace: Configuring header filtering # Direct link to this section

To configure Google Workspace to allow MA headers:

1. Sign in to the Google admin console.
2. Click Apps, and then click Google Workspace from the list.
3. Click Gmail.
4. Click Compliance to expand it.
5. Under Objectionable Content, click Configure.
6. Select Name the content > Inbound > Add custom headers.
7. Enter the header values for MA.
8. Select Bypass spam filter for this message
9. Click Save.

   Note: It can take up to 24 hours for your changes to take effect.

10. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
    1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
    2. From the menu bar, select Administration Dashboard.
    3. Click the User Information tab.
    4. Click Send Test Email.

    Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Step 3: Adding MA to email gateway and spam filtering # Direct link to this section

If you have a third-party email gateway or spam filtering service in your organization, follow the instructions below based on the provider:

• Proofpoint: Configuring your allowlist
• Mimecast: Configuring your allowlist
• Barracuda
  • Barracuda: Configuring your allowlist
  • Barracuda Intent Analysis: Configuring your allowlist
  • Barracuda Advanced Threat Protection: Configuring your allowlist

Proofpoint: Configuring your allowlist # Direct link to this section

To allowlist the MA IP address in Proofpoint:

1. Sign in to your Proofpoint administrative portal.
2. Navigate to Security Settings > Email > Sender Lists.
3. Enter the MA IP address in the Safe Senders text box.
4. Click Save.
5. Verify your settings are working correctly by sending an MA program test email to yourself or admins:
   1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Mimecast: Configuring a Mimecast Permitted Sender policy # Direct link to this section

To allowlist the MA IP address in Mimecast:

1. Sign in to the Mimecast Administration Console.
2. Click Administration in the toolbar, and then select Gateway > Policies.
3. From the list, select Permitted Senders.
4. Click New Policy, and then configure these settings for the policy:
   • Enter a name for the policy, such as Arctic Wolf Managed Awareness.
   • Select Permit sender for the permitted sender policy.
   • In the Addresses Based On list, select The Return Address (Email Envelope Form).
   • In the Applies From list, select Everyone.
   • In the Specifically text box, enter Applies to Everyone.
   • In the Enable / Disable list, select Enable.
   • In the Set policy as perpetual list, select Always On.
   • In the Date Range list, select All Time.
   • Verify that Policy Override is selected.
   • Do not select Bi Directional.
   • In the Source IP Ranges text box, enter the MA IP address.
5. Save the policy.
6. Verify your settings are working correctly by sending an MA program test email to yourself or admins.
   1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

For more information about Mimecast policy options, see the Mimecast Knowledge Base.

Barracuda: Configuring your allowlist # Direct link to this section

To allowlist the MA IP address in Barracuda:

1. Sign in to your Barracuda Cloud Control.
2. If you are using:
   • Barracuda Cloud:
     1. Navigate to Email Security > Inbound Settings > IP Address Policies.
     2. In the IP Blocking / Exemption section, enter the MA IP address.
   • Barracuda On Premises:
     1. Navigate to BLOCK/ACCEPT > IP Filters.
     2. In the Allowed IP/Range section, enter the MA IP address.
3. In the Netmask text box, enter 255.255.255.255.
4. In the Policy dropdown list, select Exempt.
5. Click Add.
6. Verify your settings are working correctly by sending an MA program test email to yourself or admins.
   1. Sign in to your MA dashboard at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Barracuda Intent Analysis: Configuring your allowlist # Direct link to this section

To prevent the URLs sent from MA sessions from being modified, you may need to allowlist MA's IP address in Barracuda's Intent Analysis feature. See Intent Analysis - Inbound Mail in Barracuda's Documentation for more information.

1. If you are using:
   • Barracuda Cloud Control:
     1. Navigate to Email Security > Inbound Settings > Sender Authentication.
     2. In the Use Sender Policy Framework center, in the SPF exemptions table, add the MA IP address.
   • Barracuda Email Security Gateway web interface:
     1. Navigate to Email Security, and then click the Block/Accept tab.
     2. Click Sender Authentication.
     3. Under Sender Policy Framework (SPF) Configuration section, select Yes.
     4. In the exemption list, add the MA IP addresses.
2. Verify your settings are working correctly by sending an MA program test email to yourself or admins.
   1. Sign in to your MA dashbhoard at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Barracuda Advanced Threat Protection: Configuring your allowlist # Direct link to this section

If you are using Barracuda's Advanced Threat Protection (ATP), you can set up exemptions to bypass PDF scanning for email sessions from MA's IP address.

1. Log in to your Barracuda Email Security Gateway web interface.
2. Click the ATP Settings tab.
3. Enter the MA IP address and Subnet Mask.
4. Click Add.
5. Verify your settings are working correctly by sending an MA program test email to yourself or admins.
   1. Sign in to your MA dashhoard at https://sat.arcticwolf.com/.
   2. From the menu bar, select Administration Dashboard.
   3. Click the User Information tab.
   4. Click Send Test Email.

   Note: See Sending a test email for more information. If your test email is not received, verify the steps above and send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

Step 4: Configuring browsers to autoplay MA sessions # Direct link to this section

To ensure that the MA sessions play automatically in a browser, your users should configure their browsers to automatically play video content based on their browser and operating system:

• macOS
  • Firefox
  • Microsoft Edge
  • Safari
• Windows
  • Firefox
  • Microsoft Edge

macOS for Firefox: Configuring autoplay # Direct link to this section

To configure Firefox on macOS to autoplay MA sessions:

1. In a new browser tab, select Firefox > Preferences.
2. In the navigation pane, select Privacy & Security.
3. In the Permissions section, locate the Autoplay row, and then select Settings.
4. Set the value for Default for all websites to Allow Audio and Video.
5. Select Save Changes.

Windows for Firefox: Configuring autoplay # Direct link to this section

To configure Firefox on Windows to autoplay the MA sessions:

1. In a new browser tab, select the kebab menu, which is three vertically stacked dots, and then select Settings.
2. From the navigation pane, select Privacy & Security.
3. In the Permissions section, locate the Autoplay row, and then select Settings.
4. Set the value for Default for all websites to Allow Audio and Video.
5. Select Save Changes.

macOS for Microsoft Edge: Configuring autoplay # Direct link to this section

To configure Microsoft Edge to autoplay MA sessions:

1. In a new browser tab, select Microsoft Edge > Preferences.
2. From the navigation pane, select Cookies and Site Permissions.
3. Select Media Autoplay.
4. Select Allow from the list.

Windows for Microsoft Edge: Configuring autoplay # Direct link to this section

To configure Microsoft Edge on Windows to autoplay the MA sessions:

1. In a new browser tab, select the hamburger menu, which is three stacked horizontal lines, and then select Settings.
2. From the navigation pane, select Cookies and Site Permissions.
3. Select Media Autoplay.
4. Select Allow from the list.

macOS for Safari: Configuring autoplay # Direct link to this section

To configure Safari on macOS to autoplay the MA sessions:

1. Open a Managed Security Awareness session in a new browser tab.
2. From the Apple menu bar, select Safari > Settings for this website.
3. Set the value for Auto-Play to Allow all Auto-Play.

Step 5: Notifying users of the MA program # Direct link to this section

Now that you have configured your environment to receive the MA program emails, we recommend that you notify your users about the upcoming start of your MA program before the go live date. The timing of this notification is important and should be coordinated with your Arctic Wolf Project Manager. The notification should be sent to your users approximately one to two weeks before the go live date.

Administrators can use the User Welcome Message Template found in the Administrator Toolkit.