Managed Security Awareness Portal User Guide

Updated Feb 29, 2024

Managed Security Awareness Portal

You can use the Arctic Wolf® Managed Security Awareness® Portal to manage the MA program for your organization.

Assign an MA Administrator in your organization

Your organization should assign an administrator to monitor the MA Portal and maintain active users of the program. The administrator can sign in to the MA Portal using the Arctic Wolf Unified Portal or a direct link to your organization’s MA Portal to perform these tasks:

MA program delivery

MA sessions are delivered through email. Users receive approximately 43 sessions each year. Each MA email contains a link to launch the session in a new browser window or tab. On weeks when an MA activity is scheduled, users receive one of these tasks:

The MA program delivers content in these ways:

Session | Delivery
QuickStart | This session is sent instead of the scheduled content in the Upcoming Sessions table in the Administration Dashboard when the program is first active and when new users are added to the system.
Security awareness microlearning sessions and quizzes | Typically, users receive 25 unique microlearning sessions and ten quizzes over a 52-week cycle. Users receive email notifications for each training assignment. You can preview the upcoming schedule on the Administration Dashboard tab. Microlearning session previews include available language options. For more information about upcoming sessions, see Preview an upcoming session.
Phishing simulations | If this option is enabled, users receive 12 phishing simulation emails each year, or one each month. These emails are sent to user inboxes on a random weekday between 17:00 UTC and 22:00 UTC, or between 16:00 UTC and 21:00 UTC during daylight saving time.

Users can view their session progress in the User Status Report email. You can view the current status of any or all users in the Administration Dashboard, at any time. For more information about Administrator and User Status reports, see Administrator and User Status Reports.

Manage the MA program

The MA Portal lets you manage program features, monitor user participation and performance, assess the level of security awareness that your organization has, and identify opportunities for raising the level of security awareness within your organization.

This guide is intended for administrators of the MA program in their organization.

Sign in to the MA Portal

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

  2. If you are an MSP, search for the desired customer account, and then click View.

    After you sign in, your sign-in details appear in the top-right corner in this format: Your Name - Organization Name.

Tips:

  • Click to access these options:
    • Arctic Wolf Portal
    • Administrator Toolkit
    • Program Maturity
    • User Management
    • Log out
  • (MSPs only) Click to switch customer accounts.

Initial setup

These tasks are completed as part of the initial setup of your MA program:

Activate your MA program

After you activate the MA program with the Concierge Security® Team (CST):

View email templates

MA users and program administrators receive various emails each program cycle. To view the contents of these emails:

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. In the Email Templates/Private Labeling section, select an email template to view.

    These MA email templates are available:

    Email template | Description
    Awareness Session Link | The email that users receive when a microlearning session or quiz is assigned.
    QuickStart Session Link | The first email that users receive after the MA program is activated. The email includes a URL to the QuickStart session, which is an introduction to the MA program.
    Email Test Session Link | An email that your onboarding project manager sends before the MA program starts to verify that your corporate email allowlist is configured to allow MA email notifications.
    Monthly Admin Snapshot | A periodic email that provides an overview of user participation in the MA program. Only MA program administrators receive this email.
    Status Update — Positive | A periodic email that provides users a summary of their participation in the MA program. Users receive this email if all training assignments are complete.
    Status Update — Negative | A periodic email that provides users a summary of their participation in the MA program. Users receive this email if one or more training assignments are incomplete.

Customize emails using private labeling

You can customize the email sender name and display name by enabling private labeling within the Administration Dashboard. By default, the sender of MA emails appears as:

The display name appears in the signature of the session emails sent to users and in the MA Portal page header. The email sender name appears on the individual emails in an inbox. You can modify the private label in these ways:

Notes:

  • The customized name appears in the signature, but you cannot customize the body of the email signature.
  • Private labeling is optional.

Add a private label

You can customize the email sender name and display name.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the Email Templates/Private Labeling tab.
  4. Click the Use Private Labeling toggle to the on position.
  5. Edit the Display Name and Email Sender Name fields as needed.
  6. Click Save.
  7. Review the email templates to confirm that you want to keep your current settings.

Remove a private label

You can remove a custom email sender name and display name.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the Email Templates/Private Labeling tab.
  4. Click the Use Private Labeling toggle to the off position.

Change a private label

You can change the email sender name and display name.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the Email Templates/Private Labeling tab.
  4. Click the Use Private Labeling toggle to the off position, and then click it to the on position.
  5. Edit the Display Name and Email Sender Name fields as needed.
  6. Click Save.
  7. Review the email template settings.

Manage users

Users are individuals within your organization who will receive sessions, quizzes, and phishing simulations. They receive email communication and do not have sign-in credentials for the MA Portal.

You can manage MA program users the same way that you enrolled users. If you enrolled users with:

Manage users with a CSV file

Note: These instructions only apply to organizations that have not set up an AD Group to manage users with Microsoft Entra ID (formerly Azure AD) or Microsoft 365 Active Directory. Only perform these steps if your organization has always managed users with a CSV file.

Before you begin

Steps

  1. Clear the Active Users list.
  2. Edit the CSV file.
  3. Upload the updated CSV file.

Step 1: Clear the Active Users list

  1. In a new browser tab, sign in to the MA Portal.

  2. Click Settings > User Management.

  3. On the Active Users List, click Clear.

    Note: If you click Cancel, the Active Users List will not be cleared and no changes will be made.

    The New Integration screen opens.

Step 2: Edit the CSV file

  1. Open the downloaded Active Users List or the saved CSV file.
  2. Do one of these actions:
    • To add a new user or admin to the MA program, add a new row and provide the user's or admin's details in the FirstName, LastName, and Email columns.
    • To remove a user or admin that is no longer participating in the MA program, remove the row for that user or admin.
  3. Save the changes.

Step 3: Upload the updated CSV file

  1. Return to the MA portal browser tab.

  2. In the New Integration section, in the Integration Type list, select CSV Upload.

  3. Click Choose File.

  4. Select the CSV file from your computer.

  5. Click Open.

    The CSV file is uploaded and populates a list of users.

  6. Review the list of users, and then click Submit.

    Note: Make sure that existing users and admins are included in the CSV file.

    The Active User List populates and shows the latest upload date and time. The Active User List can take up to 15 minutes to run. Do not close the browser tab until the list has updated.
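A pre-upload check for the CSV procedure above, as an added example that is not part of the Arctic Wolf guide. It compares the edited file against the Active Users List downloaded before clearing, so that a dropped row is caught before you click Submit. It assumes the downloaded list uses the same FirstName, LastName, and Email columns; the function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Column names given in the guide's "Edit the CSV file" step.
REQUIRED_COLUMNS = ("FirstName", "LastName", "Email")
# Loose sanity check (one "@", a dot in the domain), not full address validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def load_users(csv_text):
    """Parse CSV text and return ({email: (first, last)}, [problems])."""
    # Spreadsheet tools often prepend a UTF-8 byte order mark to the header.
    reader = csv.reader(io.StringIO(csv_text.lstrip("\ufeff")))
    header = [h.strip() for h in next(reader, [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return {}, ["missing column(s): " + ", ".join(missing)]
    col = {c: header.index(c) for c in REQUIRED_COLUMNS}

    users, problems = {}, []
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        val = {c: (row[i].strip() if i < len(row) else "") for c, i in col.items()}
        email = val["Email"].lower()  # compare addresses case-insensitively
        empty = [c for c in REQUIRED_COLUMNS if not val[c]]
        if empty:
            problems.append(f"line {line}: empty {', '.join(empty)}")
        elif not EMAIL_RE.match(email):
            problems.append(f"line {line}: malformed email {val['Email']!r}")
        elif email in users:
            problems.append(f"line {line}: duplicate email {email}")
        else:
            users[email] = (val["FirstName"], val["LastName"])
    return users, problems


def review_upload(previous_csv, edited_csv, expected_removals=()):
    """Diff the edited CSV against the list downloaded before clearing."""
    previous, previous_problems = load_users(previous_csv)
    edited, problems = load_users(edited_csv)
    problems = ["previous list: " + p for p in previous_problems] + problems

    expected = {e.lower() for e in expected_removals}
    added = sorted(set(edited) - set(previous))
    removed = sorted(set(previous) - set(edited))
    # Anyone missing from the edited file who was not meant to be removed.
    unexpected = [e for e in removed if e not in expected]
    problems += [f"not in edited file: {e}" for e in unexpected]
    return {
        "added": added,
        "removed": removed,
        "unexpected_removals": unexpected,
        "problems": problems,
        "ok": not problems,
    }


# Constructed sample data: the list as downloaded, and the edited file.
PREVIOUS_LIST = (
    "FirstName,LastName,Email\n"
    "Ana,Silva,ana.silva@example.com\n"
    "Ben,Okoro,ben.okoro@example.com\n"
    "Chen,Wu,chen.wu@example.com\n"
)
EDITED_LIST = (
    "\ufeffFirstName,LastName,Email\n"
    "Ana,Silva,ana.silva@example.com\n"
    "Dana,Reyes,dana.reyes@example.com\n"
    "ana,silva,Ana.Silva@Example.com\n"       # duplicate, differs only in case
    "Eli,Novak,eli.novak(at)example.com\n"    # malformed address
)                                             # Chen Wu's row was dropped by mistake

if __name__ == "__main__":
    report = review_upload(
        PREVIOUS_LIST, EDITED_LIST, expected_removals=["ben.okoro@example.com"]
    )
    print("added:  ", report["added"])
    print("removed:", report["removed"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("safe to upload" if report["ok"] else "fix the file before uploading")
```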

Manage users with Google Workspace

You can add or remove users with Google Workspace. To change user groups, see Manage the third-party user group.

Steps

  1. Edit the user group.
  2. Manually synchronize the changes.
  3. Verify the changes.

Step 1: Edit the user group

  1. Sign in to the Google Workspace Admin console.

  2. Add or remove users from the user group that you selected to synchronize with the MA Program.

    Tip: To find the name of the group in the MA Portal, click Settings > User Management, and then find the Group Name field.

    To create, update, or delete a group, see Create, update, or delete a group. Changes are automatically synchronized between Google Workspace and MA Portal within 24 hours.

Step 2: Manually synchronize the changes

  1. In a new browser tab, sign in to the MA Portal.

  2. Click Settings > User Management.

  3. Click Sync Now.

  4. Click Yes on the confirmation dialog.

    The Last Successful Sync field updates with the current date and time.

Step 3: Verify the changes

  1. Click View/Edit Group.
  2. In the Select a group list, select the user group.
  3. Click Query Group.
  4. Verify that the table of users matches the list in Google Workspace.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users with Microsoft Entra ID or Microsoft 365 Active Directory

You can add or remove users with Microsoft Entra ID (formerly Azure AD) or Microsoft 365 Active Directory. To change user groups, see Manage the third-party user group.

Steps

  1. Edit the user group.
  2. Manually synchronize the changes.
  3. Verify the changes.

Step 1: Edit the user group

Step 2: Manually synchronize the changes

  1. In a new browser tab, sign in to the MA Portal.

  2. Click Settings > User Management.

  3. Click Sync Now.

  4. Click Yes on the confirmation dialog.

    The Last Successful Sync field updates with the current date and time.

Step 3: Verify the changes

  1. Click View/Edit Group.
  2. In the Select a group list, select the user group.
  3. Click Query Group.
  4. Verify that the table of users matches the list in Microsoft Entra ID (formerly Azure AD).

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage the third-party user group

You can change the Google Workspace, Microsoft Entra ID (formerly Azure AD), or Microsoft 365 Active Directory user group that MA uses.

  1. Sign in to the MA Portal.
  2. Click Settings > User Management.
  3. Click View/Edit Group.
  4. In the Select a group list, select the user group.
  5. Click Query Group.
  6. Click Save Integration.

Monitor security awareness

The MA Portal provides these options for monitoring the level of security awareness in your organization:

Monitor program progress using the Secure Culture Dashboard

The Secure Culture Dashboard tracks user participation and measures performance in security awareness sessions, quizzes, phishing simulations, and compliance training. With administrator permissions, you can view the secure culture score of the organization at a glance or in detail on the MA Portal. You can also view the current status of all users on the Administration Dashboard, at any time.

Users do not have access to the Administration Dashboard, so they must wait for the monthly User Status Report email to see their session progress.

The Secure Culture Dashboard has these sections:

Section | Description
Secure Culture Program Summary | Displays these metrics, showing the extent to which security awareness and regulatory compliance are a part of your organizational culture:
  • Secure Culture Score — An aggregated metric of user engagement and knowledge assessment that describes the level of security awareness within your organization.
  • Users Assigned Sessions — The number of users assigned to sessions.
  • Sessions Sent — The number of security awareness microlearning sessions delivered within the selected timeframe. For example, within the last 30 days.
  • Phishing Simulations Sent — The number of phishing simulation emails delivered within the selected timeframe. For example, within the last 30 days.
  • Completion — The percentage of delivered sessions that active users have completed.
  • Average Quiz Score — The average score of all users who have completed security awareness quizzes.
  • Phishing Simulation Failures — The percentage of active users who failed phishing simulations. Note: Users who fail a phishing simulation automatically receive a remediation session about phishing.
  • Remediation Completion — The percentage of delivered phishing remediation sessions that users have completed.
QuickStart Status | Summarizes user engagement for QuickStart sessions.
Session Statistics | Summarizes user engagement for past security awareness sessions.
Quiz Statistics | Summarizes user engagement and scores for past security awareness quizzes.
Simulation Statistics | Summarizes user behavior in response to delivered phishing simulation emails.

Tip: For more information about statistics and reports, see Reports.

Download Secure Culture statistics

You can download CSV files from the Secure Culture Dashboard to identify which users require additional training support. The CSV files provide this information:

Note: The data included in the CSV file reflects the selected timeframe. For example, within the last 30 days.

To download secure culture statistics:

  1. Sign in to the MA Portal.
  2. In the menu bar, click Secure Culture Dashboard.
  3. Click Download to download the desired CSV file.

Tip: For remediation options, see Increase your Secure Culture Score.

Increase your Secure Culture Score

The Secure Culture Score represents the strength of security awareness within your organization. It is based on session completion, average quiz score, phishing simulation failures, and remediation completion metrics. Possible scores include:

To increase your Secure Culture Score, you can:

Administration Dashboard

You can manage security awareness microlearning sessions in these ways:

Select a security awareness track

The MA+ program is set to the standard track by default, but you can select other security awareness tracks that are tailored to specific industries, such as healthcare.

Requirements

Steps

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the Session Information tab.

  4. In the Current Awareness Track list, select the desired track.

    The list of upcoming sessions updates to reflect the awareness track that you select.

Change the session delivery day

A microlearning session is emailed between 14:00 and 15:00 UTC on the configured session delivery day.

After changing the session delivery day, users receive the next microlearning session in the queue on the earliest possible day that corresponds with the configuration. For example, if today is Tuesday, August 10, 2021, and you change the session delivery day from Friday to Tuesday before 14:00 UTC, users receive the next microlearning session today, and future sessions are scheduled to be delivered on following Tuesdays.

Note: Changing the selected session delivery day does not affect the timing of phishing simulation emails. Phishing simulations occur on a random weekday between 16:00 UTC and 22:00 UTC.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the Session Information tab.
  4. Select the desired session delivery day.

Send a test email

Send a test email to a security administrator in your organization when:

To send a test email:

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the User Information tab.

  4. Click Send Test Email.

    Tip: To preview the test email, see Email templates.

Disable or enable phishing simulation emails

The MA program includes phishing simulations to test user responses to suspicious emails.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the Session Information tab.
  4. Click the Send Phishing Simulation Emails toggle to the off or on position as needed.

Disable or enable TruClick user detection

The MA program includes Arctic Wolf TruClick® user detection. When enabled, TruClick user detection technology eliminates false positive responses to phishing emails. For more information about TruClick, see Managed Security Awareness Program and Dashboard FAQ.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the Session Information tab.

  4. Click the TruClick User Detection toggle to the off or on position as needed.

    Note: The default toggle setting for TruClick user detection is off.

Disable or enable automatic session delivery

You can enable or disable automatic session delivery. Disabling automatic session delivery prevents the system from sending awareness content to users at scheduled intervals. Administrators can select and send awareness sessions from the Content Library. Enabling automatic session delivery starts or restarts the scheduled delivery.

Requirements

Steps

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. In the Session Information tab, do one of these actions:
    • To turn off automatic session delivery — Click the Send Awareness Sessions toggle to the off position.

      Note: The default toggle setting for active MA programs is on.

    • To turn on automatic session delivery — Click the Send Awareness Sessions toggle to the on position.

Change the template of the phishing simulation emails

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the Session Information tab.

  4. In the Upcoming Sessions section, find the phishing simulation that you want to change to an alternate template. For example, a template in a different language.

  5. In the Options column, select the list, and then click Preview/Select Phishing Email.

  6. In the Available Templates list, select the template you want to use.

    Note: Make sure that you have allowlisted the correct domains for the simulation email language. If you do not have the correct domains allowlisted, users might not receive the simulation. For more information about email allowlisting, see Add MA to email allowlists.

  7. Review the template preview, and then click Select This Phishing Email Template.

    The template updates in the Upcoming Sessions schedule list.

  8. To change the phishing simulation template, click Select This Phishing Email Template.

    Note: You must select the template each month, prior to the scheduled date.

    The template updates in the Session Information tab, and a preview of the template opens.

Preview an upcoming session

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the Session Information tab.

  4. In the Upcoming Sessions section, find the session you want to preview.

    Tip: Review the description to determine if the session or module includes multi-language support. For more information, see Managed Security Awareness.

  5. In the Options column, select the list, and then select Preview Session or Preview/Select Phishing Email.

  6. If you are previewing a phishing simulation, you can select different templates that are more relevant to your organization. To select a template:

    1. Click the Available Templates list, and then select the template you want to use.
    2. Click Select This Phishing Email Template to confirm your selection.

Mute an upcoming session

You can mute an upcoming session or phishing simulation if needed. When muted, the session or phishing simulation is not delivered to users.

Notes:

  • Some weeks in the MA program cycle do not have a scheduled activity. When an activity is scheduled, users only receive one of these activities: a microlearning session, a quiz, or a phishing simulation email.
  • No alternative session, quiz, or phishing simulation is delivered in its place on the week of the muted session.
  • A muted session does not recur for the remainder of the program cycle. However, the topic may be covered in a future microlearning session.
  • If you unmute the session on the configured session delivery day after 15:00 UTC, or after 14:00 UTC during daylight saving time, users do not receive the session.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the Session Information tab.

  4. In the Upcoming Sessions section, find the session you want to mute or unmute.

  5. In the Options column, select the list, and then click Mute This Week or Unmute This Week.

    Muted sessions are highlighted orange. Sessions that are not highlighted are queued to be delivered as scheduled.

View user information

You can view the email address and session history for users within your organization. For example, you can view the quizzes and phishing simulations sent to each user, when they were sent, and when the user completed them.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the User Information tab.

Assign a session to an individual user

You can assign specific security awareness sessions to an individual user. These are delivered separately from the MA program schedule.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the User Information tab.

  4. Search for the desired user, and then select one of these options:

    • View History — Resends a session that the user has already received.
    • Assign Session — Assigns a session to the user.

      Tip: This option lets you assign sessions that are not listed in the history for that user. For example, you can use this option to assign past sessions to a new user who was added to the MA program mid-cycle. When a new user is added, the user automatically receives the QuickStart session. However, the next security awareness session that the user receives is the session that is scheduled for delivery in the current or following week.

  5. Scroll through the list or use the search field to find the session that you want to assign.

    Tip: Review the description to see if the session or module includes multi-language support. For more information, see Managed Security Awareness.

  6. Select Assign for the desired session.

    The user immediately receives an email notification about the training assignment, and the session no longer appears in the list of available sessions and phishing simulations for that user.

    Note: You cannot re-assign this session until the user completes the assignment.

Assign a session to all users

If you have disabled automatic awareness session delivery but find some awareness content you want to send to users, you can manually assign a session to them.

Requirements

Steps

  1. Sign in to the MA Portal.

  2. In the menu bar, click Content Library.

  3. Browse, search, or filter for a session that covers the desired topic.

    Tips:

    • Click All Filters to view all filters. For example, Session type. To reset your filters, click Clear.
    • Review the description to see if the session or module includes multi-language support. For more information, see Managed Security Awareness.

  4. In the row for the desired awareness session, click Assign to Group.

    The awareness session is sent to all users in your user group.

Download the MA program session history

You can review the level of engagement of your organization with the MA program by downloading the MA program session history. With this option, you can also review the history of a specific session or user.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Administration Dashboard.
  3. Click the User Information tab.
  4. Click Download Full Session History to download the CSV file.

Tip: To review the history of all past sessions and quizzes for an individual user, see View user completion for MA sessions and quizzes.

View user completion for MA sessions and quizzes

The MA Portal allows you to view a history of completed MA sessions and quizzes for each user in your organization.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the User Information tab.

  4. In the Search field, enter the name of the user.

  5. Click View History next to the user.

    The results of each assigned session or quiz are displayed for the selected user in the User Session History window.

Tip: To resend a session or quiz to a user, in the User Session History window, click Resend next to the applicable content.

Manage incomplete session reminders

You can adjust the frequency and the urgency language of emails that are sent to users when training is incomplete. You can configure the settings differently depending on how many incomplete sessions a user has. For example, if you have users with a high number of incomplete sessions, you can increase the frequency of email reminders to those users.

Note: These steps only apply to incomplete MA session management. If you have a valid CCP, you can manage reminders for incomplete compliance training courses from the Compliance tab within the MA Portal. For more information about incomplete compliance training, see Manage incomplete compliance training course reminders.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Administration Dashboard.

  3. Click the Incomplete Session Manager tab.

  4. For each applicable column, select one of these Frequency of Email options:

    • Monthly (1st)
    • Bi-Monthly (1st, 15th)
    • Weekly (Monday)
    • Daily

  5. For each applicable column, select one of these Urgency of Email options:

    • Low
    • Moderate
    • High

    Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.

Report phishing

The Arctic Wolf Managed Security Awareness® (MA) Report Phishing feature enables your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service. It includes:

Reported Phishing Dashboard

The Reported Phishing Dashboard provides eligible Arctic Wolf customers with this detailed phishing information and these analytics:

Feature | MA | MA+ | Description
Reported Emails | Yes | Yes | List of reported emails and information on the reporter and message.
Threat Level Analytics | No | Yes | Emails reported by users will display threat level analytics:
  • Low — The emails do not contain any data points that indicate phishing. These items were likely reported in error.
  • Medium — The emails contain one or more data points that could indicate phishing. Arctic Wolf recommends reviewing these items.
  • High — The emails contain multiple data points that are a strong indicator of phishing. Arctic Wolf recommends reviewing these items immediately.
Reported Simulations | No | Yes | Detailed analytics of the type and number of reported phishing attempts, date reported, and a phishing reporters list.
Phishing Button Settings | Yes | Yes | Edit Report Email Integration settings and permissions.

Access the Reported Phishing Dashboard

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

  2. If you are an MSP, search for the desired customer account, and then click View.

  3. Click Reported Phishing.

    The Reported Phishing Dashboard opens.

Reported Simulations tab

Note: This feature is only available for MA+ customers.

The Reported Simulations tab includes:

View the Reported Phishing Simulation Details

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

  2. If you are an MSP, search for the desired customer account, and then click View.

  3. Click Reported Phishing.

    The Reported Phishing Simulation Details list appears below the Reported Phishing Simulations graph.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries.

Filter the Phishing Simulation Reporters list

  1. Sign in to the MA Portal.
  2. In the menu bar, click Reported Phishing.
  3. In the Reported Phishing Simulation Details list, click the applicable column header name to sort the list by:
    • Date/Time
    • Phishing Simulation title
    • First Name
    • Last Name

Search the Reported Phishing Simulation Details list

  1. Sign in to the MA Portal.

  2. In the menu bar, click Reported Phishing.

  3. In the Reported Phishing Simulation Details list, in the Search field, enter the first or last name of the user.

    The list filters based on the value entered.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Reported Emails tab

The Reported Emails tab includes a list of emails reported as suspicious, the date and time in UTC they were reported, the user who reported the email, and an acknowledge function.

For MA+ Customers only, the Reported Emails tab also includes details about the associated threat level categorization. Emails are categorized as:

View the Reported Emails list

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

  2. If you are an MSP, search for the desired customer account, and then click View.

  3. Click Reported Phishing.

  4. Click Reported Emails.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Filter the Reported Emails list

  1. Sign in to the MA Portal.
  2. In the menu bar, click Reported Phishing.
  3. In the Reported Emails list, click the column header name to order the list. You can order the list by:
    • Date Reported — Date and time the email was reported as phishing.
    • Reporter — Email address of the user who reported the email as phishing.
    • Graph Message ID — The unique message ID of the email reported as phishing.
    • Threat level (MA+ customers only) — All emails marked as either Low, Medium, or High.

      Tip: Click Low, Medium, or High to filter the list by threat level type.

    • Acknowledge — The email has been reviewed by an MA administrator in your organization. Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization protected.

      Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Search the Reported Emails list

  1. Sign in to the MA Portal.

  2. In the menu bar, click Reported Phishing.

  3. In the Reported Emails list, in the Search field, enter a parameter. For example, a specific date.

    The list filters based on the value.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Copy a Graph Message ID
  1. Sign in to the MA Portal.

  2. In the menu bar, click Reported Phishing.

  3. Click the Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.

  4. In the Graph Message ID section, click Copy to clipboard.

    The Graph Message ID can be used for tracking suspicious emails.

  5. Use your organization’s email analysis to review the Graph Message ID of the reported email.

View threat details information

Note: This feature is available for MA+ customers only.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Reported Phishing.

  3. Click the Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.

  4. In the Threat Level section, click View Threat Details.

    The Expanded Scoring window opens and displays this information:

    • Date Reported — The date and time the email was reported as phishing.

    • Reporter Email — The email address of the user who reported the email as phishing.

    • Graph Message ID — The unique message ID of the email reported as phishing.

    • Overall Score — The overall score categorization for the email.

      For more information about score categorization, see Reported Emails tab.

    • Sub-scores — Sub-scores assess the email, and then assign it a risk score. The sub-scores together form the overall score. Sub-score sections are:

      • Header Analysis: Low, Medium, or High risk.
      • Content (Body Content): Low, Medium, or High risk.
      • Content (URL): Low, Medium, or High risk.
      • Attachment: Low, Medium, or High risk.
  5. Click X to exit the Expanded Scoring window.

Acknowledge a reported email

Arctic Wolf recommends that you regularly review the Reported Emails list for patterns to keep your organization safe.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Reported Phishing.
  3. Click the Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
  4. After you review the email, in the Acknowledge section, select the checkbox.

Phishing Button Settings tab

You can use the Phishing Button Settings tab to review and change settings pertaining to the Report Phishing feature.

Test the Saved Connection
  1. Sign in to the MA Portal.

  2. In the menu bar, click Reported Phishing > Phishing Button Settings.

  3. Click Test Saved Connection.

    The credentials for the Microsoft Entra ID (formerly Azure AD) app integration that were set up during configuration are tested. For more information about MA configuration, see Managed Security Awareness Configuration.

  4. In the Your saved credentials check was successful confirmation dialog, select the Acknowledge checkbox.

Manage the Report Phishing feature

You can manage users' access to the Report Email button and set parameters to automatically move phishing emails to a junk or spam folder.

Move phishing emails to junk or spam

You can automatically move phishing emails to a junk or spam folder using the Phishing Button Settings.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Reported Phishing > Phishing Button Settings.
  3. In the Grant Permissions section, click the Automatically move emails to junk toggle to the on position.

Report Email button

The Report Email button, located in the Outlook toolbar, enables you to report suspicious emails as phishing.

Report an email as phishing
  1. Open the Outlook application on your device or in a web browser.

  2. In your inbox, click the title of an email to report it as phishing.

  3. On the Outlook toolbar, do one of these actions:

    • Outlook application — Click Arctic Wolf.
    • Outlook web version — Click the Arctic Wolf logo.

      Tip: When you hover your mouse over the Arctic Wolf logo, a Report Email tooltip appears.

  4. In the confirmation message, click Yes.

    The reported email is moved to the junk or spam folder in Outlook.

Retrieve an email marked as phishing

If an email has been marked as phishing in error, you can retrieve the email.

  1. Open the Outlook application on your device or in a web browser.
  2. In the junk or spam folder, find the email, and then do one of these actions:
    • Drag and drop the email into another folder. For example, your inbox.
    • Right-click the email, select Move > Select Folder, and then select the folder to move the email to.
Review user reported emails

Arctic Wolf recommends that MA administrators regularly review the Reported Emails tab to assess any suspicious emails, because Arctic Wolf is not notified of user-reported emails.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Reported Phishing > Reported Emails.

  3. Filter or search the Reported Emails list and review the results.

    Note: Arctic Wolf recommends that MA+ customers review and action items with a Medium or High threat level categorization. For more information about threat details, see View threat details information.

  4. Investigate any suspicious items within your organization.

  5. (Optional) Submit a ticket in the Arctic Wolf Unified Portal for assistance in handling emails within your organization’s Microsoft Tools.

  6. Acknowledge any list items that do not need to be actioned.

Review user reported emails

MA admins can review emails that were reported using the Report Email button.

Before you begin
Steps
  1. Download the file.
  2. Retrieve the message.
Step 1: Download the file
  1. Navigate to the Microsoft Graph CLI download page.

  2. For the latest release of Microsoft Graph CLI, click Assets.

  3. Download the file specific to the OS that Microsoft Graph CLI will run on.

  4. Extract the files.

    A file with the filename mgc is included in the extracted content.

Step 2: Retrieve the message

Based on your environment, retrieve the message using one of these CLI options:

Retrieve the message using PowerShell
  1. Open PowerShell.

  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:

    $Env:AZURE_CLIENT_SECRET = "<secret_id>"

    Where:

    • <secret_id> is your Client Secret value.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:

    ./mgc login --tenant-id <tenant_id> `
        --client-id <client_id> `
        --strategy Environment `
        --scopes .default

    Where:

    • <tenant_id> is the Directory (tenant) ID value.
    • <client_id> is the Application (client) ID value.
  4. Run one of these commands, specifying the user email address and Graph Message ID:

    • If you want the output to include headers, body, and attachments, run this command:

      ./mgc users messages get `
         --user-id <user_email> `
         --message-id '<message_id>=/$value'

      Note: The single quotes stop PowerShell from expanding $value as a variable.

      Where:

      • <user_email> is the user email address.
      • <message_id> is the Graph Message ID.
    • If you do not want the output to include headers, body, and attachments, run this command:

      ./mgc users messages get `
         --user-id <user_email> `
         --message-id <message_id>=

      Where:

      • <user_email> is the user email address.
      • <message_id> is the Graph Message ID.
Retrieve the message using Windows Command Prompt
  1. Open Windows Command Prompt.

  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:

    set AZURE_CLIENT_SECRET=<secret_id>

    Where:

    • <secret_id> is your Client Secret value.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:

    mgc.exe login --tenant-id <tenant_id> --client-id <client_id> --strategy Environment --scopes .default

    Where:

    • <tenant_id> is the Directory (tenant) ID value.
    • <client_id> is the Application (client) ID value.
  4. Run one of these commands, specifying the user email address and Graph Message ID:

    • If you want the output to include headers, body, and attachments, run this command:

      mgc.exe users messages get --user-id <user_email> --message-id <message_id>=/$value

      Where:

      • <user_email> is the user email address.
      • <message_id> is the Graph Message ID.
    • If you do not want the output to include headers, body, and attachments, run this command:

      mgc.exe users messages get --user-id <user_email> --message-id <message_id>=

      Where:

      • <user_email> is the user email address.
      • <message_id> is the Graph Message ID.
Retrieve the message using the macOS or Linux CLI
  1. Open the macOS or Linux CLI.

  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:

    export AZURE_CLIENT_SECRET=<secret_id>

    Where:

    • <secret_id> is your Client Secret value.
  3. Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs:

    ./mgc login \
     --tenant-id <tenant_id> \
     --client-id <client_id> \
     --strategy Environment \
     --scopes .default

    Where:

    • <tenant_id> is the Directory (tenant) ID value.
    • <client_id> is the Application (client) ID value.
  4. Run one of these commands, specifying the user email address and Graph Message ID:

    • If you want the output to include headers, body, and attachments, run this command:

      ./mgc users messages get \
       --user-id '<user_email>' \
       --message-id '<message_id>/$value'

      Note: Keep /$value inside the single quotes so that the shell does not expand $value as a variable.

      Where:

      • <user_email> is the user email address.
      • <message_id> is the Graph Message ID value.
    • If you do not want the output to include headers, body, and attachments, run this command:

      ./mgc users messages get \
       --user-id '<user_email>' \
       --message-id '<message_id>'

      Where:

      • <user_email> is the user email address.
      • <message_id> is the Graph Message ID value.
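
Once the /$value form of the command has returned the full message, its headers, links, and attachments can be summarized before deeper analysis. The Python below is an added example, not Arctic Wolf code and not the portal's threat level scoring; the function names and the sample message are constructed for illustration, and it assumes the command output was saved as raw MIME bytes.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample standing in for the MIME text returned by the /$value request.
SAMPLE_MIME = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;"
    b" dkim=none; dmarc=fail header.from=example.com\r\n"
    b'From: "IT Help Desk" <helpdesk@example.com>\r\n'
    b"Reply-To: helpdesk@example-support.test\r\n"
    b"Subject: Password expires today\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: text/html; charset="utf-8"\r\n\r\n'
    b'<p><a href="http://login.example-support.test/reset">Reset now</a></p>\r\n'
    b'--b1\r\nContent-Type: application/octet-stream; name="invoice.html"\r\n'
    b'Content-Disposition: attachment; filename="invoice.html"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"PGh0bWw+PC9odG1sPg==\r\n--b1--\r\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def addr_domain(header_value):
    """Lower-cased domain of the address in a header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def auth_verdicts(msg):
    """SPF/DKIM/DMARC results recorded by the receiving server; first hit wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def triage(raw_mime):
    """Summarize header, URL and attachment facts from one reported message."""
    msg = email.message_from_bytes(raw_mime, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    auth = auth_verdicts(msg)
    findings = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if auth.get(m) != "pass"]
    # A differing Reply-To or Return-Path is a lead to check, not a verdict:
    # legitimate bulk senders often use a separate bounce domain.
    for name in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_attachment():
            # Hash the decoded bytes; the attachment is never opened or executed.
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link host {host} is outside From domain {from_dom}")
    return {"from_domain": from_dom, "auth": auth, "findings": findings,
            "urls": urls, "attachments": attachments}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MIME).items():
        print(f"{key}: {value}")
```

The attachment hashes and link hosts in the result can be handed to your organization's email analysis alongside the Graph Message ID.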

Reports

The Reports page displays secure culture statistics as PDF reports that you can download.

These reports are available:

For more information about the Secure Culture dashboard, see Secure Culture Dashboard.

View an MA session report

  1. Sign in to the MA Portal.
  2. In the menu bar, click Reports.
  3. Click the required tab:
    • Security Awareness Program Status
    • Security Awareness Program Trends
    • High Risk Users

For more information about viewing compliance training reports, see View a compliance training course report.

Download an MA session report

  1. Sign in to the MA Portal.

  2. In the menu bar, click Reports.

  3. Click the required tab:

    • Security Awareness Program Status
    • Security Awareness Program Trends
    • High Risk Users
  4. Click Download.

    A PDF file downloads to your device.

For more information about downloading compliance training reports, see Download a compliance training course report.

Administrator and User Status reports

These User Status Reports are sent each month:

Content Library

The Content Library feature enables you to assign supplemental training content to one or more groups of users. The Content Library contains different content depending on whether you have a Compliance Content Pack or MA+ license. If your organization has a:

Requirements

Assign supplemental training to a user group

Note: User engagement and test outcomes for supplemental training assignments, including compliance training modules, are included in secure culture statistics and reports.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Content Library.

  3. Browse, search, or filter for a training module that covers the desired topic.

    Tips:

    • Click All Filters to view all filters that you can set. There are also filters for content types. For example, Awareness Session. To reset your filters, click Clear.
    • Review the description to see if the session or module includes multi-language support. For more information, see Managed Security Awareness.
  4. Click Assign To Group.

  5. In the dialog, select the desired group.

  6. Review the list of group members to confirm your selection.

    Notes:

    • Verify that you have selected the correct group. Training assignments cannot be removed once they are assigned.
    • You cannot assign a module to a group without members. When integrated with AD, the MA Portal performs live queries of AD to retrieve users and user groups. To add or remove members, edit the group in AD.
  7. Click Assign <module> to <x> users.

    A confirmation message appears, and users within the selected group receive an email that grants them immediate access to the assigned module.

  8. Click X or Close to exit the dialog.

Download session content for use in a learning management system

Note: Session content can be downloaded as an mp4 or a Shareable Content Object (SCO) zip file. To generate a URL to the session content, see Create a shareable link to session content.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Content Library.

  3. Browse, search, or filter for a training module that covers the desired topic.

    Tips:

    • Click All Filters to view all filters that you can set. There are also filters for content types. For example, Awareness Session. To reset your filters, click Clear.

    • Review the description to see if the session or module includes multi-language support.

      For more information, see Managed Security Awareness.

  4. Click Download to download the desired session content.

  5. On the Content Download Options dialog, click Download in the row of the corresponding file type.

    Tip: Verify which content formats are supported in your learning management system (LMS) before you download the mp4 or zip file.

    The session content file downloads to your computer and can be uploaded into the learning management system (LMS) of your choice.

Create a shareable link to session content

Note: To download session content for use in a learning management system (LMS), see Download session content for use in a learning management system.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Content Library.

  3. Browse, search, or filter for a training module that covers the desired topic.

    Tips:

    • Click All Filters to view all filters that you can set. There are also filters for content types. For example, Awareness Session. To reset your filters, click Clear.
    • Review the description to see if the session or module includes multi-language support. For more information, see Managed Security Awareness.
  4. Click Download to download the desired session content.

  5. On the Content Download Options dialog, in the Link row, click Copy link.

    The direct URL is copied to your clipboard and can be provided to users. For example, by email.

Compliance

Note: To access the compliance information, your organization must have a valid Compliance Content Pack (CCP).

The Compliance page helps you to comply with standards like ISO 27001 or 27002. It provides you with more visibility and control over your compliance training course information.

The Compliance page includes these tabs:

To view compliance training session information, see View compliance training course information.

View compliance training course information

Note: To access the compliance information, your organization must have a valid CCP.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Compliance.

View a compliance training course report

Note: To access the compliance information, your organization must have a valid CCP.

  1. Sign in to the MA Portal.
  2. In the menu bar, click Compliance.
  3. Click the Compliance Report tab.

To view an MA session report, see View an MA session report.

Manage incomplete compliance training course reminders

Note: To access the compliance information, your organization must have a valid CCP.

You can adjust the frequency and the urgency language of emails that are sent to users when training courses are incomplete. You can configure the settings differently depending on how many incomplete training courses a user has. For example, if you have users with a high number of incomplete training courses, you can increase the frequency of email reminders to those users.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Compliance.

  3. Click the Compliance Incomplete Session Manager tab.

  4. For each applicable column, select the required Frequency of Email option:

    • Monthly (1st)
    • Bi-Monthly (1st, 15th)
    • Weekly (Monday)
    • Daily
  5. For each applicable column, select the required Urgency of Email from the list:

    • Low
    • Moderate
    • High

    Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.

To manage incomplete session reminders, see Manage incomplete session reminders.

Download a compliance training course report

Note: To access the compliance information, your organization must have a valid CCP.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Compliance.

  3. Click the Compliance Report tab.

  4. Click Download.

    A PDF file downloads to your device.

To download an MA session report, see Download an MA session report.

Download compliance training course history

Note: To access the compliance information, your organization must have a valid CCP.

You can download a CSV file that includes the full compliance training course history for your users. The CSV file includes the first and last name of the user, email address, the date the compliance training was sent to the user, and the completion status.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Compliance.

  3. Click Download Full Compliance History.

    A CSV file downloads to your device.

Download a list of users with incomplete compliance training courses

Note: To access the compliance information, your organization must have a valid CCP.

You can download a CSV file that includes a list of users that have incomplete compliance training courses. The CSV file includes the first and last name of the user, email address of the user, the date the compliance training course was sent to the user, and the completion status.

  1. Sign in to the MA Portal.

  2. In the menu bar, click Compliance.

  3. Next to List of Incomplete Users, click download.

    A CSV file downloads to your device.

Administrator Toolkit

The Administrator Toolkit is a reference and resource library that you can use as a guide to run your security awareness and training programs. Common items in the library include:

Some resources in the Administrator Toolkit are available in languages other than English.

Access the Administrator Toolkit

  1. Sign in to the MA Portal.

  2. In the menu bar, click Settings > Administrator Toolkit.

    All of the Administrator Toolkit library references and resources are listed.

    Note: The Search field filters the resource list based on the criteria entered.

Preview and download resources

  1. Sign in to the MA Portal.
  2. In the menu bar, click Settings > Administrator Toolkit.
  3. Do one of these actions:
    • To preview the file in your browser, click Preview.
    • To download the file to your computer, click Download.

Program Maturity tool

The Program Maturity tool provides MA administrators with a way to reflect on the maturity of their security awareness and training program. The tool is a self-assessment of these four core areas of your MA program:

Advantages of the Program Maturity tool

The Program Maturity tool has these advantages:

Take the Program Maturity self-assessment

  1. Sign in to the MA Portal.

  2. In the menu bar, click Settings > Program Maturity.

    A new browser tab or window opens.

  3. Click Start to begin the self-assessment.

  4. Answer each of the questions in the self-assessment.

    Tip: You can click the directional arrows below a question to return to a previous question and change your answer.

  5. At the end of the self-assessment, a confirmation of completion message is displayed. Click Submit to finish the self-assessment and send the results to your email.

You can review the results by email and forward the results to others in your organization. To view program maturity self-assessment results, see Program Maturity self-assessment results.

Program Maturity self-assessment results

After completing the Program Maturity self-assessment, you receive detailed results to your email. The results include:

Program Maturity score matrix

The Program Maturity self-assessment results contain a detailed breakdown and definition of the scores:

Number | Level | Definition
1 | Initial | The program lacks consistency and needs focus.
2 | Just Started | The program has a minimum level of effort. Awareness processes are not understood or defined. Efforts are unplanned and occasional.
3 | Defined | The program is applying well-defined awareness processes and is consistently delivering each initiative.
4 | Measured | The program is consistently measuring key indicators. The primary focus is on establishing and enhancing multi-channel and multi-audience engagement, as well as the measurement of performance.
5 | Optimal | The program is actively managed. It is successfully engaging users across multiple mediums and measuring performance. It is self-organized and sustainable, with adaptive planning, continual improvement, and automation for scalability and efficiency.

User Management tool

The User Management tool enables MA administrators to manage the AD integration in these ways:

Access the User Management tool

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

  2. If you are an MSP, search for the desired customer account, and then click View.

  3. Click Settings > User Management.

    The User Management tool opens.
