Managed Security Awareness Portal User Guide
Updated Sep 19, 2023- Managed Security Awareness
- Manage the MA program
- Sign in to the MA Portal
- Initial setup
- Manage users
- Monitor security awareness
- Monitor program progress with the Secure Culture Dashboard
- Administration Dashboard
- Select a security awareness track
- Change the session delivery day
- Send a test email
- Disable or enable phishing simulation emails
- Change the template of the phishing simulation emails
- Preview an upcoming session
- Mute an upcoming session
- View user information
- Assign a session to an individual user
- Download the MA program session history
- View user completion for MA sessions and quizzes
- Manage incomplete session reminders
- Report Phishing
- Reports
- Administrator and User Status Reports
- Content Library
- Compliance
- Administrator Toolkit
- Program Maturity
- User Management tool
- See also
Managed Security Awareness
Arctic Wolf Managed Security Awareness® (MA) delivers security awareness training as a program to increase security awareness and build a strong security culture within your organization. The MA program includes:
Session or Module | Description | Supported Languages |
---|---|---|
QuickStart | The first session that employees receive at your organization and replaces the first session in the delivery schedule, after which users join the normal delivery cadence. It is a five-minute awareness session to orient users to the MA program and introduce key security awareness topics. |
|
Microlearning sessions | Three to five minute videos or interactive tutorials on recognizing and neutralizing social engineering attacks and avoiding security breaches that result from human error. |
|
Quizzes | Three to five minute test sessions that measure user uptake of security awareness training. |
|
Automated phishing simulations | Phishing simulation emails that measure the susceptibility of an organization to phishing-based attacks. |
|
Role-based sessions | An exclusive feature available to customers who have purchased MA Plus (MA+). These sessions follow a similar format to microlearning sessions. |
|
Compliance training modules | Longer than microlearning sessions, these modules range from 15 to 60 minutes, and go beyond security awareness to support the regulatory compliance obligations of an organization. These modules are available to customers with a valid Compliance Content Pack license. This license allows you to assign compliance training in addition to security awareness training to a group of users as required. |
|
Note: MA content created prior to 1/31/2021 is available in US English only.
Assign an MA Administrator in your organization
Your organization should assign an administrator to monitor the MA Portal and maintain active users of the program. The administrator can sign in to the MA Portal using the Arctic Wolf Unified Portal (Arctic Wolf Portal) or a direct link to your organization’s MA Portal, to perform these tasks:
- Configure and manage MA program settings
- Review the overall success of active users for the program
- Submit tickets for any needs of the program, administrators, or users
- Monitor reports
- Review the upcoming schedule for the MA program
How MA is delivered
MA sessions are delivered through email and users receive approximately 43 sessions over the course of a year. Each MA email contains a link to launch the session in a new browser window or tab. On a given week when an activity is scheduled, users only receive one activity for the week: a microlearning session, a quiz, or a phishing simulation email. The MA program delivers content in these ways:
Session | Delivery |
---|---|
QuickStart | The QuickStart session is sent once the program is active and when new users are added to the system on the selected day of delivery in place of the scheduled content in the Upcoming Sessions table in the Administration Dashboard. |
Security awareness microlearning sessions and quizzes | Typically, users receive 25 unique microlearning sessions and ten quizzes over a 52-week cycle. Users receive email notifications for each training assignment. You can preview the upcoming schedule under the Administration Dashboard tab. Microlearning session previews include available language options. See Preview an upcoming session for more information. |
Phishing simulations | If this option is enabled, users receive 12 phishing simulation emails each year, one a month. These emails are sent to user inboxes on a random weekday between 17:00 UTC and 22:00 UTC, or between 16:00 UTC and 21:00 UTC during daylight saving time. |
Users can view their progress in the User Status Report email to see if they are behind on any sessions. You can view the current status of any or all users on the Administration Dashboard, at any time. See Administrator and User Status Reports for more information.
Manage the MA program
The MA Portal lets you manage program features, monitor user participation and performance, assess the level of security awareness that your organization has, and identify opportunities for raising the level of security awareness within your organization.
This guide is intended for administrators of the MA program in their organization.
Sign in to the MA Portal
-
Go to https://sat.arcticwolf.com/.
-
Sign in using your Arctic Wolf credentials.
For MSPs, search for the desired customer account, and then click View.
After you sign in, the MA Portal loads and your sign-in details appear in the top-right corner in this format: Your Name - Organization Name
.
Tips:
- Click Settings to access these options:
- Arctic Wolf Portal
- Administrator Toolkit
- Program Maturity
- User Management
- Log out
- (MSPs only) Click the wrench to switch customer accounts.
Initial setup
These tasks are completed as part of the initial setup of your MA program:
MA program activation
After you activate the MA program with the Concierge Security® Team (CST), this occurs:
- Users receive microlearning sessions approximately every two weeks on the configured session delivery day. See Change the session delivery day to change this setting.
- The first session that users receive is the QuickStart session, which is an introduction to the MA program.
- Users periodically receive phishing simulation emails. To disable this feature, see Disable or enable phishing simulation emails.
- The MA Portal records the progress and performance of all users for all security awareness and compliance training content that the user receives. See Monitor security awareness for more information.
Email templates
MA users and program administrators receive various emails throughout the each program cycle. To view the contents of these emails:
-
In the MA Portal menu, click Administration Dashboard.
-
In the Email Templates/Private Labeling section, select an email template to view.
These MA email templates are available:
Email template Description Awareness Session Link The email that users receive when a microlearning session or quiz is assigned. QuickStart Session Link The first email that users receive after the MA program is activated. The email includes a link to the QuickStart session, which is an introduction to the MA program. Email Test Session Link An email that your onboarding project manager sends before the MA program starts to verify that your corporate email Allowlist is configured to allow MA email notifications. Monthly Admin Snapshot A periodic email provides an overview of user participation in the MA program. Only MA program administrators receive this email. Status Update - Positive A periodic email that provides users a summary of their participation in the MA program. Users receive this email if all training assignments are complete. Status Update - Negative A periodic email that provides users a summary of their participation in the MA program. Users receive this email if one or more training assignments are incomplete.
Customize emails using private labeling
You can customize the email sender name and display name by enabling private labeling within the Administration Dashboard. By default, the sender of MA emails appears as:
- Email Sender Name:
Arctic Wolf Managed Security Awareness
- Company Display Name:
Arctic Wolf
The session emails sent to users include the display name in the signature of session emails, as well as in the MA Portal page header. The sender email name displays on the individual emails in an inbox.
Notes:
- The customized name appears in the signature, but you cannot customize the body of the email signature.
- Private labeling is optional.
Add a private label
You can customize the email sender name and display name.
- In the MA Portal menu, click Administration Dashboard.
- Click the Email Templates/Private Labeling tab.
- Click the Use Private Labeling toggle to the on position.
- Edit the Display Name and Email Sender Name fields as needed.
- Click Save.
- Review the email templates to confirm that you want to keep your current settings.
Remove a private label
You can remove a custom email sender name and display name.
- In the MA Portal menu, click Administration Dashboard.
- Click the Email Templates/Private Labeling tab.
- Click the Use Private Labeling toggle to the off position.
Change a private label
You can change the email sender name and display name.
- In the MA Portal menu, click Administration Dashboard.
- Click the Email Templates/Private Labeling tab.
- Click the Use Private Labeling toggle to the off position, and then click it to the on position.
- Edit the Display Name and Email Sender Name, as desired.
- Click Save.
- Review the email templates to confirm that you want to keep your current settings.
Manage users
Users are individuals within your organization who will receive sessions, quizzes, and phishing simulations. They receive email communication and do not have sign-in credentials for the MA Portal.
Manage MA program users the same way that you enrolled users. If you enrolled users with:
- A manual CSV file — See Manage users with a CSV file.
- Google Workspace® — See Manage users with Google Workspace.
- Microsoft Entra ID® or Microsoft 365 Active Directory® — See Manage users with Microsoft Entra ID or Microsoft 365 Active Directory.
Manage users with Microsoft Entra ID or Microsoft 365 Active Directory
-
Add or remove users from the AD Group in Microsoft Entra ID or Microsoft 365 Active Directory that you selected to sync with the MA Program. See Manage a group in the Microsoft 365 admin center for more information about how to add or remove users from groups.
Note: If you do not remember the name of the AD Group that is synced to the MA program, in the MA Portal click Settings > User Management > Test Connection > Query Group. This populates the name of the AD Group.
-
In a new browser tab, sign in to the MA Portal.
-
Click Settings > User Management.
Changes are automatically synchronized in the Microsoft Entra ID.
-
Click Sync Now.
Note: If you do not select Sync Now, changes can take up to 24 hours to be visible in the MA Portal in the User Information tab within the Administration Dashboard.
-
Click Query Group.
The updated list of users in the selected group displays in a table.
Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.
Manage users using a CSV file
Note: These instructions only apply to organizations that have not set up an AD Group to manage users with Microsoft Entra ID or Microsoft 365 Active Directory. Only perform these steps if your organization has always managed users with a CSV file.
- Locate the CSV file that you created when you enrolled users in the MA program.
- Update the CSV file depending on if you are adding or removing users:
- To add a new user to the MA program, add a new row and provide the user's details in the
FirstName
,LastName
, andEmail
columns. - To remove a user that is no longer participating in the MA program, delete the row for that user.
- To add a new user to the MA program, add a new row and provide the user's details in the
- Save your changes.
- Send a ticket in the Arctic Wolf Portal with the updated CSV file.
Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.
Manage users with Google Workspace
You can add or remove users with Google Workspace. To change user groups, see Manage the third-party user group.
-
In Google Workspace, add or remove users from the user group that you selected to sync with the MA Program.
For more information, see Create, update, or delete a group. Changes are automatically synchronized between Google Workspace and MA Portal within 24 hours.
Tip: You can find the name of the group in the MA Portal under Settings > User Management in the Group Name field.
-
To manually sync the changes:
-
In a new browser tab, sign in to the MA Portal.
-
Click Settings > User Management.
-
Click Sync Now.
The Last Successful Sync field updates with the current date and time.
-
-
To verify the changes:
- Click View/Edit Group.
- Click Query Group.
- Review the table of users to ensure it matches the list in Google Workspace.
Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.
Manage users with Microsoft Entra ID or Microsoft 365 Active Directory
You can add or remove users with Microsoft Entra ID or Microsoft 365 Active Directory. To change user groups, see Manage the third-party user group.
-
In in Microsoft Entra ID or Microsoft 365 Active Directory, add or remove users from the AD Group that you selected to sync with the MA Program.
For more information, see Manage a group in the Microsoft 365 admin center. Changes are automatically synchronized between Microsoft Entra ID or Microsoft 365 Active Directory and the MA Portal within 24 hours.
Tip: You can find the name of the AD group in the MA Portal under Settings > User Management in the Group Name field.
-
To manually sync the changes:
-
In a new browser tab, sign in to the MA Portal.
-
Click Settings > User Management.
-
Click Sync Now.
The Last Successful Sync field updates with the current date and time.
-
-
To verify the changes:
- Click View/Edit Group.
- Click Query Group.
- Review the table of users to ensure it matches the list in Google Workspace.
Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.
Manage the third-party user group
You can change the Google Workspace, Microsoft Entra ID, or Microsoft 365 Active Directory user group that MA uses.
- In the MA Portal, click Settings > User Management.
- Click View/Edit Group.
- Click Query Group.
- In the Select a group list, select the user group.
- Click Save Integration.
Monitor security awareness
The MA Portal provides these options for monitoring the level of security awareness in your organization:
Monitor program progress with the Secure Culture Dashboard
The Secure Culture Dashboard tracks user participation and measures performance in security awareness sessions, quizzes, phishing simulations, and compliance training. As an administrator, you can view the Secure Culture Score of the organization at a glance or in detail on the MA Portal. You can also view the current status of any or all users on the Administration Dashboard, at any time. Users do not have access to the dashboard, so they must wait for the monthly User Status Report email to see their progress and if they are behind on any sessions.
The Secure Culture Dashboard has these sections:
Section | Description |
---|---|
Secure Culture Program Summary | Displays these metrics, indicating the extent to which security awareness and regulatory compliance are a part of your organizational culture:
|
QuickStart Status | Summarizes user engagement for QuickStart sessions. |
Session Statistics | Summarizes user engagement for past security awareness sessions. |
Quiz Statistics | Summarizes user engagement and scores for past security awareness quizzes. |
Simulation Statistics | Summarizes user behavior in response to delivered phishing simulation emails. |
Tip: See Reports for more information about statistics and reports.
Download Secure Culture statistics
You can download CSV files from the Secure Culture Dashboard to identify which users require additional training support. The CSV files provide this information:
- Users with incomplete sessions
- Users with low quiz scores
- Users who failed phishing simulations
- Users with incomplete phishing remediation sessions
Note: The data included in the CSV file reflects the selected timeframe. For example, within the last 30 days.
To download Secure Culture statistics:
- In the MA Portal menu, click Secure Culture Dashboard.
- Click Download to download the desired CSV file.
Tip: See Increase your Secure Culture Score for remediation options.
Increase your Secure Culture Score
The Secure Culture Score represents the strength of security awareness within your organization, based on the session completion, average quiz score, phishing simulation failures, and remediation completion metrics. Possible scores include:
- Excellent — 90-100
- Strong — 70-89
- At-Risk — 60-69
- Vulnerable — 59 or lower
To increase your Secure Culture Score, you can:
-
Enforce mandatory participation within your organization.
-
Make sure all of your users complete their sessions within 72 hours of receiving the session.
-
Make sure no users are more than two sessions behind schedule.
See Download Secure Culture statistics to identify which users are behind schedule.
-
Assign additional phishing-themed awareness sessions if your organization has a high phishing simulation failures score.
See Download Secure Culture statistics to identify which users failed phishing simulations.
Administration Dashboard
You can manage security awareness microlearning sessions in these ways:
- Select a security awareness track
- Change the session delivery day
- Disable or enable phishing simulation emails
- Preview an upcoming session
- Mute an upcoming session
- View user information
- Assign a session to an individual user
- Download the MA program session history
- Manage incomplete session reminders
Select a security awareness track
Note: The Managed Security Awareness Plus (MA+) license is required to access this option.
The MA+ program is set to the standard track by default. However, you can select other security awareness tracks that are tailored to specific industries, for example, healthcare.
-
In the MA Portal menu, click Administration Dashboard.
-
Click the Session Information tab.
-
In the Current Awareness Track list, select the desired track.
The list of upcoming sessions updates to reflect the awareness track that you select.
Change the session delivery day
A microlearning session is sent through email between 14:00 and 15:00 UTC on the configured session delivery day.
After changing the session delivery day, users receive the next microlearning session in the queue on the earliest possible day that corresponds with the configuration. For example, if today is Tuesday, August 10, 2021 and you change the session delivery day before 14:00 UTC from Friday to Tuesday, users receive the next microlearning session today, and future sessions are scheduled to be delivered on following Tuesdays.
Note: Changing the selected session delivery day does not affect the timing of phishing simulation emails. Phishing simulations occur on a random weekday between 16:00 UTC and 22:00 UTC.
- In the MA Portal menu, click Administration Dashboard.
- Click the Session Information tab.
- Select the desired session delivery day.
Send a test email
Send a test email to a security administrator in your organization when:
- You want to make sure that your corporate email allowlist allows MA program emails to be sent to users
- You want to make sure MA program emails are delivered to users after you add an inline device or third-party service to your corporate email environment.
- A user reports to you that they did not receive a session email.
To send a test email:
-
In the MA Portal menu, click Administration Dashboard.
-
Click the User Information tab.
-
Click Send Test Email.
To preview the test email, see Email templates.
Disable or enable phishing simulation emails
The MA program includes phishing simulations to test user responses to suspicious emails.
- In the MA Portal menu, click Administration Dashboard.
- Click the Session Information tab.
- Click the Send Phishing Simulation Emails toggle to the off or on position as needed.
Change the template of the phishing simulation emails
-
In the MA Portal menu, click Administration Dashboard.
-
Click the Session Information tab.
-
In the Upcoming Sessions section, find the phishing simulation that you want to change to an alternate template. For example, a template in a different language.
-
In the Options column, select the list, and then click Preview/Select Phishing Email.
-
In the Available Templates list, select the template you want to use.
Note: Make sure you allowlisted the correct domains for the simulation email language. If you do not have the correct domains allowlisted, users might not receive the simulation. See Configure your allowlist in Configuring Managed Security Awareness for a list of domains.
-
Review the template preview, and then click Select This Phishing Email Template.
The template updates in the Upcoming Sessions schedule list.
-
To change the phishing simulation template, click Select This Phishing Email Template.
Note: You must select the template each month prior to the scheduled date.
The template updates in the Session Information tab and previews the template.
Preview an upcoming session
-
In the MA Portal menu, click Administration Dashboard.
-
Click the Session Information tab.
-
In the Upcoming Sessions section, find the session you want to preview.
Tip: Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
-
In the Options column, select the list, and then select Preview Session or Preview/Select Phishing Email.
-
If you are previewing a phishing simulation, you can select different templates that are more relevant to your organization. To select a template:
- Click the Available Templates list, and then select the template you want to use.
- Click Select This Phishing Email Template to confirm your selection.
Tip: See Mute an upcoming session.
Mute an upcoming session
If desired, you can mute an upcoming session or phishing simulation. When muted, the session or phishing simulation is not delivered to users.
Notes:
- Some weeks in the MA program cycle do not have a scheduled activity. When an activity is scheduled, users only receive one activity for the week: a microlearning session, a quiz, or a phishing simulation email.
- No alternative session, quiz, or phishing simulation is delivered in its place on the week of the muted session.
- A muted session does not recur for the remainder of the program cycle. However, the topic may be covered in a future microlearning sessions.
- If you unmute the session on the configured session delivery day after 15:00 UTC, or after 14:00 UTC during daylight saving time, users do not receive the session.
-
In the MA Portal menu, click Administration Dashboard.
-
Click the Session Information tab.
-
In the Upcoming Sessions section, find the session you want to mute or unmute.
-
In the Options column, select the list, and then click Mute This Week or Unmute This Week.
Muted sessions are highlighted orange. Sessions that are not highlighted are queued to be delivered as scheduled.
View user information
You can view the email address and session history for users within your organization. For example, you can view the quizzes and phishing simulations sent to each user, when they were sent, and when the user completed them.
- In the MA Portal menu, click Administration Dashboard.
- Click the User Information tab.
Assign a session to an individual user
You can assign specific security awareness sessions to an individual user, which are delivered separate from the MA program schedule.
-
In the MA Portal menu, click Administration Dashboard.
-
Click the User Information tab.
-
Search for the desired user, and then select one of these options:
- View History — To resend a session that the user has already received.
- Assign Session — To assign a session to the user.
Tip: This option lets you assign sessions that are not listed in the history for that user. For example, you can use this option to assign past sessions to a new user who was added to the MA program mid-cycle. When a new user is added, the user automatically receives the QuickStart session. However, the next security awareness session that the user receives is the session that is scheduled for delivery in the current or following week.
-
Page through the list or use the search field to find the session that you want to assign.
Tip: Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
-
Select Assign for the desired session. The user immediately receives an email notification about the training assignment, and the session no longer appears in the list of available sessions and phishing simulations for that user.
Note: You cannot re-assign this session until the user completes the assignment.
Download the MA program session history
Downloading the MA program session history is one way to review the level of engagement of your organization with the MA program. With this option, you can also review the history of a specific session or user.
- In the MA Portal menu, click Administration Dashboard.
- Click the User Information tab.
- Click Download Full Session History to download the CSV file.
Tip To review the history of all past sessions and quizzes for an individual user, see View user completion for MA sessions and quizzes.
View user completion for MA sessions and quizzes
The MA Portal allows you to view a history of completed MA sessions and quizzes for each user in your organization.
-
In the MA Portal menu, click Administration Dashbaord.
-
Click the User Information tab.
-
In the Search field, enter the name of the user.
-
Next to the user, click View History.
In the User Session History window, the results of each assigned session or quiz displays for the selected user.
Tip: In the User Session History window, click Resend next to the session or quiz that you want to resend to the user.
Manage incomplete session reminders
You can adjust the frequency and the urgency language of emails that are sent to users when training is incomplete. You can configure the settings differently depending on how many incomplete sessions a user has. For example, if you have users with a high number of incomplete sessions, you can increase the frequency of email reminders to those users.
Note: These steps only apply to incomplete MA session management. If you have a valid CPP, you can manage reminders for incomplete compliance training courses from the Compliance tab within the MA Portal. See Manage incomplete compliance training course reminders for instructions.
-
In the MA Portal menu, click Administration Dashboard.
-
Click the Incomplete Session Manager tab.
-
For each applicable column, select the required Frequency of Email option:
- Monthly (1st)
- Bi-Monthly (1st, 15th)
- Weekly (Monday)
- Daily
-
For each applicable column, select the required Urgency of Email from the list:
- Low
- Moderate
- High
Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.
Report Phishing
The Arctic Wolf Managed Security Awareness® (MA) Report Phishing feature enables your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service and includes:
- Report Email button — Reports an email as a phishing attempt in Microsoft Office 365. This button can be found in the Outlook application toolbar or added to the Outlook web app (OWA).
- Reported Phishing menu item — Provides access to the Reported Phishing dashboard that contains analytics and information.
Tip: See Reported Phishing Dashboard for more information.
Reported Phishing Dashboard
The Reported Phishing Dashboard provides eligible Arctic Wolf customers detailed phishing information and analytics:
Feature | MA | MA+ | Description |
---|---|---|---|
Reported Emails | Yes | Yes | List of reported emails and information on the reporter and message. |
Threat Level Analytics | No | Yes | Emails reported by users will display threat level analytics:
|
Reported Simulations | No | Yes | Detailed analytics of the type and number of reported phishing attempts, date reported, and a phishing reporters list. |
Phishing Button Settings | Yes | Yes | Edit Report Email Integration settings and permissions. |
Access the Reported Phishing Dashboard
-
Sign in to the MA Portal using your Arctic Wolf credentials.
For MSPs, search for the desired customer account, and then click View.
-
Click Reported Phishing.
The Reported Phishing Dashboard opens.
Reported Simulations tab
Note: This feature is available for MA+ customers only.
The Reported Simulations tab includes:
- A graph that summarizes the percentage of emails that were:
- Ignored — Users did not click on the email or the content, and did not report as phishing.
- Reported — Users clicked the Report Email button to report the email as phishing. For a list of users who reported emails as phishing, see the Reported Emails for more information.
- Clicked — Users clicked on the phishing email or the content.
- Reported Phishing Simulation Details — A list of phishing simulation emails reported by users, including the date/time reported, title of phishing simulation, and user name.
View the Reported Phishing Simulation Details
-
Sign in to the MA Portal using your Arctic Wolf credentials.
For MSPs, search for the desired customer account, and then click View.
-
Click Reported Phishing.
The Reported Phishing Simulation Details list is below the Reported Phishing Simulations graph.
Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries.
Filter the Phishing Simulation Reporters list
- In the MA Portal menu, click Reported Phishing.
- In the Reported Phishing Simulation Details list, click the applicable column header name to sort the list by:
- Date/Time
- Phishing Simulation title
- First Name
- Last Name
Search the Reported Phishing Simulation Details list
-
In the MA Portal menu, click Reported Phishing.
-
In the Reported Phishing Simulation Details list, in the Search field, enter the first or last name of the user.
The list filters based on the entered value.
Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.
Reported Emails tab
The Reported Emails tab includes a list of emails reported as suspicious, the date and time in UTC they were reported, the user who reported the email, and an acknowledge function.
For MA+ Customers only, the Reported Emails tab also includes details on the associated threat level categorization. Emails are categorized as:
- Low — The emails do not contain any data points that indicate phishing. These items were likely reported in error.
- Medium — The emails contain one or more data points that could indicate phishing. Arctic Wolf recommends reviewing these items.
- High — The emails contain multiple data points that are a strong indicator of phishing. Arctic Wolf recommends reviewing these items immediately.
View the Reported Emails list
-
Sign in to the MA Portal using your Arctic Wolf credentials.
For MSPs, search for the desired customer account, and then click View.
-
Click Reported Phishing, and then click Reported Emails.
Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.
Filter the Reported Emails list
- In the MA Portal menu, click Reported Phishing.
- In the Reported Emails list, click the column header name to order the list. You can order the list by:
-
Date Reported — Date and time the email was reported as phishing.
-
Reporter — Email address of the user who reported the email as phishing.
-
Graph Message ID — The unique message ID of the email reported as phishing.
-
Threat level (MA+ customers only) — All emails marked as either Low, Medium, or High.
Tip: Click Low, Medium, or High to filter the list by threat level type.
-
Acknowledge — The email has been reviewed by an MA administrator in your organization. Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization protected.
Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.
-
Search the Reported Emails list
-
In the MA Portal menu, click Reported Phishing.
-
In the Reported Emails list, in the Search field, enter a parameter, for example, a specific date. The list filters based on the value.
Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.
Copy a Graph Message ID
-
In the MA Portal menu, click Reported Phishing.
-
Click Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
-
In the Graph Message ID section, click Copy to clipboard.
The Graph Message ID can be used for tracking suspicious emails.
-
Use your organization’s email analysis to review the Graph Message ID of the reported email.
View threat details information
Note: This feature is available for MA+ customers only.
-
In the MA Portal menu, click Reported Phishing.
-
Click Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
-
In the Threat Level section, click View Threat Details.
The Expanded Scoring window opens with this information:
- Date Reported — Date and time the email was reported as phishing.
- Reporter Email — Email address of the user who reported the email as phishing.
- Graph Message ID — The unique message ID of the email reported as phishing.
- Overall Score — The overall score categorization for the email. See Reported Emails tab for score categorization information.
- Sub-scores — Sub-scores breakdown the email assign it a risk score. The sub-scores together form the overall score. Sub-score sections are:
- Header Analysis — Low, Medium, or High risk.
- Content (Body Content) — Low, Medium, or High risk.
- Content (URL) — Low, Medium, or High risk.
- Attachment — Low, Medium, or High risk.
-
When finished, click X to exit the Expanded Scoring window.
Acknowledge a Reported Email
Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization safe. To review and acknowledge reported emails:
- In the MA Portal menu, click Reported Phishing.
- Click the Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
- After you review the email, in the Acknowldge section, select the checkbox.
Phishing Button Settings tab
The Phishing Button Settings tab is used to review and change settings pertaining to the Report Phishing feature.
Test the Saved Connection
-
In the MA Portal menu, click Reported Phishing > Phishing Button Settings.
-
Click Test Saved Connection.
The credentials for the Azure app integration that were set up during configuration are tested. See Managed Security Awareness Configuration for more information.
-
In the Your saved credentials check was successful confirmation message, click Acknowledge.
Manage the Report Phishing feature
You can manage users access to the Report Email button and set parameters to automatically move phishing emails to a junk or spam folder.
Move phishing emails to junk or spam
You can move phishing emails to a junk or spam folder automatically by granting permission in Phishing Button Settings.
- In the MA Portal menu, click Reported Phishing > Phishing Button Settings.
- In the Grant Permissions section, click the Automatically move emails to junk toggle to the on position.
Report Email button
The Report Email button, located in the Outlook toolbar, enables you to report suspicious emails as phishing.
Report an email as phishing
-
In Outlook, click the title of the email to report as phishing.
-
On the Outlook toolbar, click Arctic Wolf.
Notes:
- If you are using Outlook in a web browser, the button in the toolbar is the Arctic Wolf logo.
- A tooltip appears that reads Report Email when you hover over the button.
-
In the confirmation message, click Yes.
The reported email is moved to the junk or spam folder in Outlook.
Retrieve an email marked as phishing
If an email has been marked as phishing in error, the email can be retrieved:
- In Outlook, locate the email in the junk or spam folder.
- Do one of these options:
- Drag and drop the email into another folder, for example,
Inbox
. - Right-click the email, select Move > Select Folder, and then select the folder to move the email to.
- Drag and drop the email into another folder, for example,
Review user reported emails
Arctic Wolf recommends that MA administrators regularly review the Reported Emails tab to action any suspicious emails as we are not notified of user reported emails.
-
In the MA Portal menu, click Reported Phishing > Reported Emails.
-
Filter or search the Reported Emails list and review the results.
Note: For MA+ customers, Arctic Wolf recommends reviewing and actioning items with a Medium or High threat level categorization. See View threat details information for more information.
-
Investigate any suspicious items within your organization.
-
(Optional) Submit a ticket in the Arctic Wolf Portal for assistance in handling emails within your organization’s Microsoft Tools.
-
Acknowledge any list items that do not need to be actioned.
Review user reported emails
MA admins can review emails that were reported using the Report Email button.
Before you begin
- Get the Azure app credentials used when you configured the Report Email button:
Tip: See Configure the Report Email button for Outlook. in the Managed Awareness configuration guide for more information.
- Application (client) ID
- Directory (tenant) ID
- Client Secret value
Note: This is the Client Secret value you created when configuring the Report Email button, not the Secret ID found in Azure app settings.
- Get these details of the email you want to review:
- The email address that reported the email.
- The Graph Message ID for the message. See Copy a Graph Message ID for more information.
Note: If the email is moved to another folder, the Graph Message ID changes and the ID from the Reported Emails tab is no longer valid.
Steps
Step 1: Download the file
-
Navigate to the Microsoft Graph CLI download page.
-
Click Assets under the latest release of Microsoft Graph CLI.
-
Download the file specific to the OS that Microsoft Graph CLI will run on.
-
Extract the files.
A file with the filename
mgc
is included in the extracted content.
Step 2: Retrieve the message
Retrieve the message using the appropriate CLI for your environment:
Retrieve the message using PowerShell
-
Run this command to set the environment variable for
AZURE_CLIENT_SECRET
, where <secret_id> is your Client Secret value:$Env:AZURE_CLIENT_SECRET = "<secret_id>"
-
Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:
./mgc login --tenant-id <tenant_id> ` --client-id <client_id> ` --strategy Environment ` --scopes .default
-
Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:
Note: If you would like the output to include headers, body, and attachments, add
/$value
at the end of the Graph Message ID../mgc users messages get ` --user-id <user_email> ` --message-id <message_id>=
./mgc users messages get ` --user-id <user_email> ` --message-id <message_id>=/$value
Retrieve the message using Windows Command Prompt
-
Run this command to set the environment variable for
AZURE_CLIENT_SECRET
, where <secret_id> is your Client Secret value:set AZURE_CLIENT_SECRET=<secret_id>
-
Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:
mgc.exe login --tenant-id <tenant_id> --client-id <client_id> --strategy Environment --scopes .default
-
Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:
Note: If you would like the output to include headers, body, and attachments, add
/$value
at the end of the Graph Message ID.mgc.exe users messages get --user-id <user_email> --message-id <message_id>=
mgc.exe users messages get --user-id <user_email> --message-id <message_id>=/$value
Retrieve the message using the macOS or Linux CLI
-
Run this command to set the environment variable for
AZURE_CLIENT_SECRET
, where <secret_id> is your Client Secret value:export AZURE_CLIENT_SECRET=<secret_id>
-
Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:
./mgc login \ --tenant-id <tenant_id> \ --client-id <client_id> \ --strategy Environment \ --scopes .default
-
Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:
Note: If you would like the output to include headers, body, and attachments, add
/$value
at the end of the Graph Message ID../mgc users messages get \ --user-id '<user_email>' \ --message-id '<message_id>'
./mgc users messages get \ --user-id '<user_email>' \ --message-id '<message_id>' /$value
Reports
The Reports page displays Secure Culture statistics as downloadable PDF reports.
These reports are available:
Section | Description |
---|---|
Security Awareness Program Status | A progress report that shows the completion of microlearning sessions and quizzes, the results of phishing simulations, and the completion of phishing remediation sessions. |
Security Awareness Program Trends | A report that shows trends in user performance. |
High Risk Users | A report that identifies users with a low level of engagement with the MA program and users who have performed poorly in quizzes and phishing simulations. |
Phishing Simulations | A detailed report of phishing simulation results and the completion of phishing remediation sessions. |
Tip: See Secure Culture Dashboard for more information about available statistics.
View an MA session report
- In the MA Portal menu, click Reports.
- Click the required tab:
- Security Awareness Program Status
- Security Awareness Program Trends
- High Risk Users
See View a compliance training course report for compliance report instructions.
Download an MA session report
-
In the MA Portal menu, click Reports.
-
Click the required tab:
- Security Awareness Program Status
- Security Awareness Program Trends
- High Risk Users
-
Click Download.
A PDF file downloads to your device.
See Download a compliance training course report for compliance report instructions.
Administrator and User Status Reports
These User Status Reports are sent each month:
- Administrators receive a User Status Report on the second day of each month. It contains a snapshot of the statistics available in the MA Portal. This summary format allows you to quickly review the security culture of the organization.
- By default, users receive a short email on the first day of the month to confirm what sessions they are caught up on or if they are behind on any sessions. If you have configured incomplete session reminders through the Incomplete Session Manager, users will receive a User Status Report based on what was configured, resulting in more frequent reminders and/or urgent tone for the email. For more information, see Manage incomplete session reminders.
Content Library
The Content Library feature lets you assign supplemental training content to one or more groups of users.
Note: To access the Content Library feature, your organization must:
- Have a valid Compliance Content Pack or MA+ license
- Use Microsoft Entra ID for identity and access management
The Content Library contains different content depending on whether you have a Compliance Content Pack or MA+ license. If your organization has a:
-
MA+ license — You can assign any microlearning session or quiz, including those from security awareness tracks that your program is not currently set to. See Select a security awareness track for more information. You also have access to role-based security awareness microlearning sessions. To view the roles that are available, click All Filters > Role.
Tip: If your organization uses AD, we recommend creating different AD user groups to better control which users you assign role-based training modules to. See the See also section for documentation about managing Microsoft users. :::
-
Compliance Content Pack license — You can assign compliance training modules. Compliance training modules are courses, ranging from 15 to 60 minutes long, that explain the laws, regulations, and policies that are relevant to the responsibilities of employers and employees, For example, anti-discrimination laws, sexual harassment awareness, safety regulations, and rules that govern the protection of personal information.
Assign supplemental training to a user group
Note: User engagement and test outcomes for supplemental training assignments, including compliance training modules, are included in secure culture statistics and reports.
-
In the MA Portal menu, click Content Library.
-
Browse, search, or filter for a training module that covers the desired topic.
Tips:
- Click All Filters to view all filters that you can set. There are also filters for content types available, such as Awareness Session. To reset your filters, click Clear.
- Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
-
Click Assign To Group.
-
In the dialog, select the desired group.
-
Review the list of group members to confirm your selection.
Notes:
- Verify that you have selected the correct group. Training assignments cannot be removed once they are assigned.
- You cannot assign a module to a group without members. When integrated with AD, the MA Portal performs live queries of AD to retrieve users and user groups. To edit add or remove members, edit the group in AD.
-
Click Assign <module> to <x> users.
A confirmation message appears, and users within the selected group receive an email that grants them immediate access to the assigned module.
-
Click x or Close to exit the dialog.
Compliance
Note: To access the Compliance information, your organization must have a valid Compliance Content Pack (CPP).
The Compliance page helps you to comply with standards like ISO 27001 or 27002 because it provides you with more visibility and control over your compliance training course information.
The page includes these tabs:
-
Compliance Dashboard — Displays live compliance training course statistics. It also allows you to search for specific compliance training course data, download the history of compliance training courses, and download a list of users that have incomplete compliance training courses.
See Download compliance training course history, and Download a list of users with incomplete compliance training courses for more information.
-
Compliance Incomplete Session Manger — Allows you to configure the frequency and the urgency language of emails that are sent to users when training courses are incomplete.
See Manage incomplete compliance training course reminders for more information.
-
Compliance Report — Displays a compliance report that you can download or print. The report replicates the data on the Compliance Dashboard tab.
See View a compliance training course report, and Download a compliance traning course report for more information.
See View compliance training course information for more information.
View compliance training course information
Note: To access the Compliance information, your organization must have a valid CPP.
- In the MA Portal menu, click Compliance.
View a compliance training course report
Note: To access the Compliance information, your organization must have a valid CPP.
- In the MA Portal menu, click Compliance.
- Click the Compliance Report tab.
See View an MA session report for MA report instructions.
Manage incomplete compliance training course reminders
Note: To access the Compliance information, your organization must have a valid CPP.
You can adjust the frequency and the urgency language of emails that are sent to users when training courses are incomplete. You can configure the settings differently depending on how many incomplete training courses a user has. For example, if you have users with a high number of incomplete training courses, you can increase the frequency of email reminders to those users.
-
In the MA Portal menu, click Compliance.
-
Click the Compliance Incomplete Session Manager tab.
-
For each applicable column, select the required Frequency of Email option:
- Monthly (1st)
- Bi-Monthly (1st, 15th)
- Weekly (Monday)
- Daily
-
For each applicable column, select the required Urgency of Email from the list:
- Low
- Moderate
- High
Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.
See Manage incomplete session reminders for instructions on managing incomplete session reminders.
Download a compliance training course report
Note: To access the Compliance information, your organization must have a valid CPP.
-
In the MA Portal menu, click Compliance.
-
Click the Compliance Report tab.
-
Click Download.
A PDF file downloads to your device.
See Download an MA session report for MA report instructions.
Download compliance training course history
Note: To access the Compliance information, your organization must have a valid CPP.
You can download a CSV file that includes the full compliance training course history for your users. The CSV file includes the first and last name of the user, email address, the date the compliance training was sent to the user, and the completion status.
-
In the MA Portal menu, click Compliance.
-
Click Download Full Compliance History.
A CSV file downloads to your device.
Download a list of users with incomplete compliance training courses
Note: To access the Compliance information, your organization must have a valid CPP.
You can download a CSV file that includes a list of users that have incomplete compliance training courses. The CSV file includes the first and last name of the user, email address, the date the compliance training course was sent to the user, and the completion status.
-
In the MA Portal menu, click Compliance.
-
Next to List of Incomplete Users, click download.
A CSV file downloads to your device.
Administrator Toolkit
The Administrator Toolkit is a reference and resource library that you can use as a guide to run your security awareness and training programs. Common items in the library include:
- Planning documents
- Email templates
- Posters
- Background images
- Onboarding videos
- MA Portal and program how-to videos
Some resources in the Administrator Toolkit are available in languages other than English.
Access the Administrator Toolkit
-
In the MA Portal menu, click Settings > Administrator Toolkit.
All of the Administrator Toolkit library references and resources are listed.
Note: The Search field filters the resource list based on the criteria entered.
Preview and download resources
- In the MA Portal menu, click Settings > Administrator Toolkit.
- Do one of the these options:
- To preview the file in your browser, click Preview.
- To download the file to your computer, click Download.
Program Maturity
The Program Maturity tool provides MA administrators with a way to reflect on the maturity of their security awareness and training program. The tool is a self-assessment of four core areas of your MA program:
- Training — Includes annual organization-wide, executive level, new hire, role-based, and instructor-led training.
- Engagement — Measures engagement with video content, newsletters, blogs, CSAM and Privacy Week events, and ambassador programs.
- Assessment — Includes knowledge checks, phishing simulations, password protection, and awareness of peripheral security. For example, unlocked laptops or unsecured mobile phones.
- Management — Evaluates strategy, security posture, metrics, and culture surveys.
Advantages of the Program Maturity tool
- The self-assessment takes less than three minutes to complete.
- Can be taken at anytime by an MA administrator, and a copy of the results are sent to the administrator's email.
- Provides detailed results, target maturity scores, and information about each core area that can be used to identify areas of improvement for your MA program.
Take the Program Maturity self-assessment
-
In the MA Portal menu, click Settings > Program Maturity.
A new browser tab or window opens.
-
Click Start to begin the self-assessment.
-
Answer each of the questions in the self-assessment.
Note: You can click the directional arrows below a question to return to a previous question and change your answer.
-
At the end of the self-assessment, a confirmation of completion message is displayed. Click Submit to finish the self-assessment and send the results to your email.
You can review the results by email and forward the results to others in your organization. For additional information on the self-assessment results, see Program Maturity self-assessment results.
Program Maturity self-assessment results
After completing the Program Maturity self-assessment, you receive detailed results to your email. The results include:
-
The Program Maturity score matrix
-
The name of your organization and date the self-assessment was taken
-
A radial graph of your current Program Maturity scores
-
A radial graph of the Target Maturity scores
-
Your current maturity scores by area
Note: Items with * are included as part of your Managed Security Awareness Plus with Compliance Content Pack program. :::
-
Target maturity scores, by area
Note: Target maturity scores are the minimum score that Arctic Wolf recommends you achieve for your MA program. :::
-
An average of the overall Program Maturity score
-
An average of the overall Target Maturity score
Program Maturity score matrix
The Program Maturity self-assessment results contain a detailed breakdown and definition of the scores:
Number | Level | Definition |
---|---|---|
1 | Initial | The program lacks consistency and needs focus. |
2 | Just Started | The program has a minimum level of effort. Awareness processes are not understood or defined. Efforts are unplanned and occasional. |
3 | Defined | The program is applying well-defined awareness processes and is consistently delivering each initiative. |
4 | Measured | The program is consistently measuring key indicators. The primary focus is on establishing and enhancing multi-channel and multi-audience engagement, as well as the measurement of performance. |
5 | Optimal | The program is actively managed. It is successfully engaging users across multiple mediums and measuring performance. It is self-organized, adaptive planning, sustainable, continual improvement, and automation for scalability and efficiency. |
User Management tool
The User Management tool enables MA administrators to manage the AD integration, for example:
- Set up or modify your AD integration.
- Sync your AD Group.
- Change from a CSV managed MA program to AD user enrollment.
- Change from a user managed to a CSV managed MA program.
- View and update the Client Secret.
- View and update the Client Secret expiration date.
- Modify the AD integration tenant.
Access the User Management tool
-
Sign in to the MA Portal using your Arctic Wolf credentials.
For MSPs, search for the desired customer account, and then click View.
-
Click Settings > User Management.
The User Management tool opens.