Managed Security Awareness Portal User Guide

Updated Sep 19, 2023

Managed Security Awareness
- Assign an MA Administrator in your organization
- How MA is delivered
Manage the MA program
Sign in to the MA Portal
Initial setup
Manage users
Monitor security awareness
Administrator Toolkit
- Access the Administrator Toolkit
- Preview and download resources
Program Maturity
User Management tool
- Access the User Management tool
See also

Managed Security Awareness

Arctic Wolf Managed Security Awareness® (MA) delivers security awareness training as a program to increase security awareness and build a strong security culture within your organization. The MA program includes:

Session or Module	Description	Supported Languages
QuickStart	The first session that employees receive at your organization and replaces the first session in the delivery schedule, after which users join the normal delivery cadence. It is a five-minute awareness session to orient users to the MA program and introduce key security awareness topics.	US English UK English Deutsch Español
Microlearning sessions	Three to five minute videos or interactive tutorials on recognizing and neutralizing social engineering attacks and avoiding security breaches that result from human error.	US English UK English Deutsch Español
Quizzes	Three to five minute test sessions that measure user uptake of security awareness training.	US English UK English Deutsch Español
Automated phishing simulations	Phishing simulation emails that measure the susceptibility of an organization to phishing-based attacks.	US English Deutsch
Role-based sessions	An exclusive feature available to customers who have purchased MA Plus (MA+). These sessions follow a similar format to microlearning sessions.	US English UK English Deutsch Español
Compliance training modules	Longer than microlearning sessions, these modules range from 15 to 60 minutes, and go beyond security awareness to support the regulatory compliance obligations of an organization. These modules are available to customers with a valid Compliance Content Pack license. This license allows you to assign compliance training in addition to security awareness training to a group of users as required.	US English

Note: MA content created prior to 1/31/2021 is available in US English only.

Assign an MA Administrator in your organization

Your organization should assign an administrator to monitor the MA Portal and maintain active users of the program. The administrator can sign in to the MA Portal using the Arctic Wolf Unified Portal (Arctic Wolf Portal) or a direct link to your organization’s MA Portal, to perform these tasks:

Configure and manage MA program settings
Review the overall success of active users for the program
Submit tickets for any needs of the program, administrators, or users
Monitor reports
Review the upcoming schedule for the MA program

How MA is delivered

MA sessions are delivered through email and users receive approximately 43 sessions over the course of a year. Each MA email contains a link to launch the session in a new browser window or tab. On a given week when an activity is scheduled, users only receive one activity for the week: a microlearning session, a quiz, or a phishing simulation email. The MA program delivers content in these ways:

Session	Delivery
QuickStart	The QuickStart session is sent once the program is active and when new users are added to the system on the selected day of delivery in place of the scheduled content in the Upcoming Sessions table in the Administration Dashboard.
Security awareness microlearning sessions and quizzes	Typically, users receive 25 unique microlearning sessions and ten quizzes over a 52-week cycle. Users receive email notifications for each training assignment. You can preview the upcoming schedule under the Administration Dashboard tab. Microlearning session previews include available language options. See Preview an upcoming session for more information.
Phishing simulations	If this option is enabled, users receive 12 phishing simulation emails each year, one a month. These emails are sent to user inboxes on a random weekday between 17:00 UTC and 22:00 UTC, or between 16:00 UTC and 21:00 UTC during daylight saving time.

Users can view their progress in the User Status Report email to see if they are behind on any sessions. You can view the current status of any or all users on the Administration Dashboard, at any time. See Administrator and User Status Reports for more information.

Manage the MA program

The MA Portal lets you manage program features, monitor user participation and performance, assess the level of security awareness that your organization has, and identify opportunities for raising the level of security awareness within your organization.

This guide is intended for administrators of the MA program in their organization.

Go to https://sat.arcticwolf.com/.
Sign in using your Arctic Wolf credentials.

For MSPs, search for the desired customer account, and then click View.

After you sign in, the MA Portal loads and your sign-in details appear in the top-right corner in this format: Your Name - Organization Name.

Tips:

Click Settings to access these options:
- Arctic Wolf Portal
- Administrator Toolkit
- Program Maturity
- User Management
- Log out
(MSPs only) Click the wrench to switch customer accounts.

Initial setup

These tasks are completed as part of the initial setup of your MA program:

MA program activation
Email templates
Customizing emails using private labeling

MA program activation

After you activate the MA program with the Concierge Security® Team (CST), this occurs:

Users receive microlearning sessions approximately every two weeks on the configured session delivery day. See Change the session delivery day to change this setting.
The first session that users receive is the QuickStart session, which is an introduction to the MA program.
Users periodically receive phishing simulation emails. To disable this feature, see Disable or enable phishing simulation emails.
The MA Portal records the progress and performance of all users for all security awareness and compliance training content that the user receives. See Monitor security awareness for more information.

Email templates

MA users and program administrators receive various emails throughout the each program cycle. To view the contents of these emails:

In the MA Portal menu, click Administration Dashboard.

In the Email Templates/Private Labeling section, select an email template to view.

These MA email templates are available:

Email template	Description
Awareness Session Link	The email that users receive when a microlearning session or quiz is assigned.
QuickStart Session Link	The first email that users receive after the MA program is activated. The email includes a link to the QuickStart session, which is an introduction to the MA program.
Email Test Session Link	An email that your onboarding project manager sends before the MA program starts to verify that your corporate email Allowlist is configured to allow MA email notifications.
Monthly Admin Snapshot	A periodic email provides an overview of user participation in the MA program. Only MA program administrators receive this email.
Status Update - Positive	A periodic email that provides users a summary of their participation in the MA program. Users receive this email if all training assignments are complete.
Status Update - Negative	A periodic email that provides users a summary of their participation in the MA program. Users receive this email if one or more training assignments are incomplete.

Customize emails using private labeling

You can customize the email sender name and display name by enabling private labeling within the Administration Dashboard. By default, the sender of MA emails appears as:

Email Sender Name: Arctic Wolf Managed Security Awareness
Company Display Name: Arctic Wolf

The session emails sent to users include the display name in the signature of session emails, as well as in the MA Portal page header. The sender email name displays on the individual emails in an inbox.

Notes:

The customized name appears in the signature, but you cannot customize the body of the email signature.
Private labeling is optional.

Add a private label

You can customize the email sender name and display name.

In the MA Portal menu, click Administration Dashboard.
Click the Email Templates/Private Labeling tab.
Click the Use Private Labeling toggle to the on position.
Edit the Display Name and Email Sender Name fields as needed.
Click Save.
Review the email templates to confirm that you want to keep your current settings.

Remove a private label

You can remove a custom email sender name and display name.

In the MA Portal menu, click Administration Dashboard.
Click the Email Templates/Private Labeling tab.
Click the Use Private Labeling toggle to the off position.

Change a private label

You can change the email sender name and display name.

In the MA Portal menu, click Administration Dashboard.
Click the Email Templates/Private Labeling tab.
Click the Use Private Labeling toggle to the off position, and then click it to the on position.
Edit the Display Name and Email Sender Name, as desired.
Click Save.
Review the email templates to confirm that you want to keep your current settings.

Manage users

Users are individuals within your organization who will receive sessions, quizzes, and phishing simulations. They receive email communication and do not have sign-in credentials for the MA Portal.

Manage MA program users the same way that you enrolled users. If you enrolled users with:

A manual CSV file — See Manage users with a CSV file.
Google Workspace® — See Manage users with Google Workspace.
Microsoft Entra ID® or Microsoft 365 Active Directory® — See Manage users with Microsoft Entra ID or Microsoft 365 Active Directory.

Manage users with Microsoft Entra ID or Microsoft 365 Active Directory

Add or remove users from the AD Group in Microsoft Entra ID or Microsoft 365 Active Directory that you selected to sync with the MA Program. See Manage a group in the Microsoft 365 admin center for more information about how to add or remove users from groups.

Note: If you do not remember the name of the AD Group that is synced to the MA program, in the MA Portal click Settings > User Management > Test Connection > Query Group. This populates the name of the AD Group.
In a new browser tab, sign in to the MA Portal.
Click Settings > User Management.

Changes are automatically synchronized in the Microsoft Entra ID.
Click Sync Now.

Note: If you do not select Sync Now, changes can take up to 24 hours to be visible in the MA Portal in the User Information tab within the Administration Dashboard.
Click Query Group.

The updated list of users in the selected group displays in a table.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users using a CSV file

Note: These instructions only apply to organizations that have not set up an AD Group to manage users with Microsoft Entra ID or Microsoft 365 Active Directory. Only perform these steps if your organization has always managed users with a CSV file.

Locate the CSV file that you created when you enrolled users in the MA program.
Update the CSV file depending on if you are adding or removing users:
- To add a new user to the MA program, add a new row and provide the user's details in the FirstName, LastName, and Email columns.
- To remove a user that is no longer participating in the MA program, delete the row for that user.
Save your changes.
Send a ticket in the Arctic Wolf Portal with the updated CSV file.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users with Google Workspace

You can add or remove users with Google Workspace. To change user groups, see Manage the third-party user group.

In Google Workspace, add or remove users from the user group that you selected to sync with the MA Program.

For more information, see Create, update, or delete a group. Changes are automatically synchronized between Google Workspace and MA Portal within 24 hours.

Tip: You can find the name of the group in the MA Portal under Settings > User Management in the Group Name field.
To manually sync the changes:
1. In a new browser tab, sign in to the MA Portal.
2. Click Settings > User Management.
3. Click Sync Now.
  
  The Last Successful Sync field updates with the current date and time.
To verify the changes:
1. Click View/Edit Group.
2. Click Query Group.
3. Review the table of users to ensure it matches the list in Google Workspace.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users with Microsoft Entra ID or Microsoft 365 Active Directory

You can add or remove users with Microsoft Entra ID or Microsoft 365 Active Directory. To change user groups, see Manage the third-party user group.

In in Microsoft Entra ID or Microsoft 365 Active Directory, add or remove users from the AD Group that you selected to sync with the MA Program.

For more information, see Manage a group in the Microsoft 365 admin center. Changes are automatically synchronized between Microsoft Entra ID or Microsoft 365 Active Directory and the MA Portal within 24 hours.

Tip: You can find the name of the AD group in the MA Portal under Settings > User Management in the Group Name field.
To manually sync the changes:
1. In a new browser tab, sign in to the MA Portal.
2. Click Settings > User Management.
3. Click Sync Now.
  
  The Last Successful Sync field updates with the current date and time.
To verify the changes:
1. Click View/Edit Group.
2. Click Query Group.
3. Review the table of users to ensure it matches the list in Google Workspace.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage the third-party user group

You can change the Google Workspace, Microsoft Entra ID, or Microsoft 365 Active Directory user group that MA uses.

In the MA Portal, click Settings > User Management.
Click View/Edit Group.
Click Query Group.
In the Select a group list, select the user group.
Click Save Integration.

Monitor security awareness

The MA Portal provides these options for monitoring the level of security awareness in your organization:

Secure Culture Dashboard
Administration Dashboard
Report Phishing
Reports

Monitor program progress with the Secure Culture Dashboard

The Secure Culture Dashboard tracks user participation and measures performance in security awareness sessions, quizzes, phishing simulations, and compliance training. As an administrator, you can view the Secure Culture Score of the organization at a glance or in detail on the MA Portal. You can also view the current status of any or all users on the Administration Dashboard, at any time. Users do not have access to the dashboard, so they must wait for the monthly User Status Report email to see their progress and if they are behind on any sessions.

The Secure Culture Dashboard has these sections:

Section	Description
Secure Culture Program Summary	Displays these metrics, indicating the extent to which security awareness and regulatory compliance are a part of your organizational culture: Secure Culture Score — An aggregated metric of user engagement and knowledge assessment that describes the level of security awareness within your organization. Users Assigned Sessions — The number of users assigned to sessions. Sessions Sent — The number of security awareness microlearning sessions delivered within the selected timeframe. For example, within the last 30 days. Phishing Simulations Sent — The number of phishing simulation emails delivered within the selected timeframe. For example, within the last 30 days. Completion — The percentage of delivered sessions that active users have completed. Average Quiz Score — The average score of all users who have completed security awareness quizzes. Phishing Simulation Failures — The percentage of active users who failed phishing simulations. Note: Users who fail a phishing simulation automatically receive a remediation session about phishing. Remediation Completion — The percentage of delivered phishing remediation sessions that users have completed.
QuickStart Status	Summarizes user engagement for QuickStart sessions.
Session Statistics	Summarizes user engagement for past security awareness sessions.
Quiz Statistics	Summarizes user engagement and scores for past security awareness quizzes.
Simulation Statistics	Summarizes user behavior in response to delivered phishing simulation emails.

Tip: See Reports for more information about statistics and reports.

Download Secure Culture statistics

You can download CSV files from the Secure Culture Dashboard to identify which users require additional training support. The CSV files provide this information:

Users with incomplete sessions
Users with low quiz scores
Users who failed phishing simulations
Users with incomplete phishing remediation sessions

Note: The data included in the CSV file reflects the selected timeframe. For example, within the last 30 days.

To download Secure Culture statistics:

In the MA Portal menu, click Secure Culture Dashboard.
Click Download to download the desired CSV file.

Tip: See Increase your Secure Culture Score for remediation options.

Increase your Secure Culture Score

The Secure Culture Score represents the strength of security awareness within your organization, based on the session completion, average quiz score, phishing simulation failures, and remediation completion metrics. Possible scores include:

Excellent — 90-100
Strong — 70-89
At-Risk — 60-69
Vulnerable — 59 or lower

To increase your Secure Culture Score, you can:

Enforce mandatory participation within your organization.
Make sure all of your users complete their sessions within 72 hours of receiving the session.
Make sure no users are more than two sessions behind schedule.

See Download Secure Culture statistics to identify which users are behind schedule.
Assign additional phishing-themed awareness sessions if your organization has a high phishing simulation failures score.

See Download Secure Culture statistics to identify which users failed phishing simulations.
Assign supplemental training to a user group.

Administration Dashboard

You can manage security awareness microlearning sessions in these ways:

Select a security awareness track
Change the session delivery day
Disable or enable phishing simulation emails
Preview an upcoming session
Mute an upcoming session
View user information
Assign a session to an individual user
Download the MA program session history
Manage incomplete session reminders

Select a security awareness track

Note: The Managed Security Awareness Plus (MA+) license is required to access this option.

The MA+ program is set to the standard track by default. However, you can select other security awareness tracks that are tailored to specific industries, for example, healthcare.

In the MA Portal menu, click Administration Dashboard.
Click the Session Information tab.
In the Current Awareness Track list, select the desired track.

The list of upcoming sessions updates to reflect the awareness track that you select.

Change the session delivery day

A microlearning session is sent through email between 14:00 and 15:00 UTC on the configured session delivery day.

After changing the session delivery day, users receive the next microlearning session in the queue on the earliest possible day that corresponds with the configuration. For example, if today is Tuesday, August 10, 2021 and you change the session delivery day before 14:00 UTC from Friday to Tuesday, users receive the next microlearning session today, and future sessions are scheduled to be delivered on following Tuesdays.

Note: Changing the selected session delivery day does not affect the timing of phishing simulation emails. Phishing simulations occur on a random weekday between 16:00 UTC and 22:00 UTC.

In the MA Portal menu, click Administration Dashboard.
Click the Session Information tab.
Select the desired session delivery day.

Send a test email

Send a test email to a security administrator in your organization when:

You want to make sure that your corporate email allowlist allows MA program emails to be sent to users
You want to make sure MA program emails are delivered to users after you add an inline device or third-party service to your corporate email environment.
A user reports to you that they did not receive a session email.

To send a test email:

In the MA Portal menu, click Administration Dashboard.
Click the User Information tab.
Click Send Test Email.

To preview the test email, see Email templates.

Disable or enable phishing simulation emails

The MA program includes phishing simulations to test user responses to suspicious emails.

In the MA Portal menu, click Administration Dashboard.
Click the Session Information tab.
Click the Send Phishing Simulation Emails toggle to the off or on position as needed.

Change the template of the phishing simulation emails

In the MA Portal menu, click Administration Dashboard.
Click the Session Information tab.
In the Upcoming Sessions section, find the phishing simulation that you want to change to an alternate template. For example, a template in a different language.
In the Options column, select the list, and then click Preview/Select Phishing Email.
In the Available Templates list, select the template you want to use.

Note: Make sure you allowlisted the correct domains for the simulation email language. If you do not have the correct domains allowlisted, users might not receive the simulation. See Configure your allowlist in Configuring Managed Security Awareness for a list of domains.
Review the template preview, and then click Select This Phishing Email Template.

The template updates in the Upcoming Sessions schedule list.
To change the phishing simulation template, click Select This Phishing Email Template.

Note: You must select the template each month prior to the scheduled date.

The template updates in the Session Information tab and previews the template.

Preview an upcoming session

In the MA Portal menu, click Administration Dashboard.
Click the Session Information tab.
In the Upcoming Sessions section, find the session you want to preview.

Tip: Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
In the Options column, select the list, and then select Preview Session or Preview/Select Phishing Email.
If you are previewing a phishing simulation, you can select different templates that are more relevant to your organization. To select a template:
1. Click the Available Templates list, and then select the template you want to use.
2. Click Select This Phishing Email Template to confirm your selection.

Tip: See Mute an upcoming session.

Mute an upcoming session

If desired, you can mute an upcoming session or phishing simulation. When muted, the session or phishing simulation is not delivered to users.

Notes:

Some weeks in the MA program cycle do not have a scheduled activity. When an activity is scheduled, users only receive one activity for the week: a microlearning session, a quiz, or a phishing simulation email.
No alternative session, quiz, or phishing simulation is delivered in its place on the week of the muted session.
A muted session does not recur for the remainder of the program cycle. However, the topic may be covered in a future microlearning sessions.
If you unmute the session on the configured session delivery day after 15:00 UTC, or after 14:00 UTC during daylight saving time, users do not receive the session.

In the MA Portal menu, click Administration Dashboard.
Click the Session Information tab.
In the Upcoming Sessions section, find the session you want to mute or unmute.
In the Options column, select the list, and then click Mute This Week or Unmute This Week.

Muted sessions are highlighted orange. Sessions that are not highlighted are queued to be delivered as scheduled.

View user information

You can view the email address and session history for users within your organization. For example, you can view the quizzes and phishing simulations sent to each user, when they were sent, and when the user completed them.

In the MA Portal menu, click Administration Dashboard.
Click the User Information tab.

Assign a session to an individual user

You can assign specific security awareness sessions to an individual user, which are delivered separate from the MA program schedule.

In the MA Portal menu, click Administration Dashboard.
Click the User Information tab.
Search for the desired user, and then select one of these options:
- View History — To resend a session that the user has already received.
- Assign Session — To assign a session to the user.
  
  Tip: This option lets you assign sessions that are not listed in the history for that user. For example, you can use this option to assign past sessions to a new user who was added to the MA program mid-cycle. When a new user is added, the user automatically receives the QuickStart session. However, the next security awareness session that the user receives is the session that is scheduled for delivery in the current or following week.
Page through the list or use the search field to find the session that you want to assign.

Tip: Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
Select Assign for the desired session. The user immediately receives an email notification about the training assignment, and the session no longer appears in the list of available sessions and phishing simulations for that user.

Note: You cannot re-assign this session until the user completes the assignment.

Tip: See Assign supplemental training to a user group.

Download the MA program session history

Downloading the MA program session history is one way to review the level of engagement of your organization with the MA program. With this option, you can also review the history of a specific session or user.

In the MA Portal menu, click Administration Dashboard.
Click the User Information tab.
Click Download Full Session History to download the CSV file.

Tip To review the history of all past sessions and quizzes for an individual user, see View user completion for MA sessions and quizzes.

View user completion for MA sessions and quizzes

The MA Portal allows you to view a history of completed MA sessions and quizzes for each user in your organization.

In the MA Portal menu, click Administration Dashbaord.
Click the User Information tab.
In the Search field, enter the name of the user.
Next to the user, click View History.

In the User Session History window, the results of each assigned session or quiz displays for the selected user.

Tip: In the User Session History window, click Resend next to the session or quiz that you want to resend to the user.

Manage incomplete session reminders

You can adjust the frequency and the urgency language of emails that are sent to users when training is incomplete. You can configure the settings differently depending on how many incomplete sessions a user has. For example, if you have users with a high number of incomplete sessions, you can increase the frequency of email reminders to those users.

Note: These steps only apply to incomplete MA session management. If you have a valid CPP, you can manage reminders for incomplete compliance training courses from the Compliance tab within the MA Portal. See Manage incomplete compliance training course reminders for instructions.

In the MA Portal menu, click Administration Dashboard.
Click the Incomplete Session Manager tab.
For each applicable column, select the required Frequency of Email option:
- Monthly (1st)
- Bi-Monthly (1st, 15th)
- Weekly (Monday)
- Daily
For each applicable column, select the required Urgency of Email from the list:
- Low
- Moderate
- High
Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.

Report Phishing

The Arctic Wolf Managed Security Awareness® (MA) Report Phishing feature enables your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service and includes:

Report Email button — Reports an email as a phishing attempt in Microsoft Office 365. This button can be found in the Outlook application toolbar or added to the Outlook web app (OWA).
Reported Phishing menu item — Provides access to the Reported Phishing dashboard that contains analytics and information.

Tip: See Reported Phishing Dashboard for more information.

Reported Phishing Dashboard

The Reported Phishing Dashboard provides eligible Arctic Wolf customers detailed phishing information and analytics:

Feature	MA	MA+	Description
Reported Emails	Yes	Yes	List of reported emails and information on the reporter and message.
Threat Level Analytics	No	Yes	Emails reported by users will display threat level analytics: Low — The emails do not contain any data points that indicate phishing. These items were likely reported in error. Medium — The emails contain one or more data points that could indicate phishing. Arctic Wolf recommends reviewing these items. High — The emails contain multiple data points that are a strong indicator of phishing. Arctic Wolf recommends reviewing these items immediately.
Reported Simulations	No	Yes	Detailed analytics of the type and number of reported phishing attempts, date reported, and a phishing reporters list.
Phishing Button Settings	Yes	Yes	Edit Report Email Integration settings and permissions.

Access the Reported Phishing Dashboard

Sign in to the MA Portal using your Arctic Wolf credentials.

For MSPs, search for the desired customer account, and then click View.
Click Reported Phishing.

The Reported Phishing Dashboard opens.

Reported Simulations tab

Note: This feature is available for MA+ customers only.

The Reported Simulations tab includes:

A graph that summarizes the percentage of emails that were:
- Ignored — Users did not click on the email or the content, and did not report as phishing.
- Reported — Users clicked the Report Email button to report the email as phishing. For a list of users who reported emails as phishing, see the Reported Emails for more information.
- Clicked — Users clicked on the phishing email or the content.
Reported Phishing Simulation Details — A list of phishing simulation emails reported by users, including the date/time reported, title of phishing simulation, and user name.

View the Reported Phishing Simulation Details

Sign in to the MA Portal using your Arctic Wolf credentials.

For MSPs, search for the desired customer account, and then click View.
Click Reported Phishing.

The Reported Phishing Simulation Details list is below the Reported Phishing Simulations graph.

Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries.

Filter the Phishing Simulation Reporters list

In the MA Portal menu, click Reported Phishing.
In the Reported Phishing Simulation Details list, click the applicable column header name to sort the list by:
- Date/Time
- Phishing Simulation title
- First Name
- Last Name

Search the Reported Phishing Simulation Details list

In the MA Portal menu, click Reported Phishing.
In the Reported Phishing Simulation Details list, in the Search field, enter the first or last name of the user.

The list filters based on the entered value.

Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Reported Emails tab

The Reported Emails tab includes a list of emails reported as suspicious, the date and time in UTC they were reported, the user who reported the email, and an acknowledge function.

For MA+ Customers only, the Reported Emails tab also includes details on the associated threat level categorization. Emails are categorized as:

Low — The emails do not contain any data points that indicate phishing. These items were likely reported in error.
Medium — The emails contain one or more data points that could indicate phishing. Arctic Wolf recommends reviewing these items.
High — The emails contain multiple data points that are a strong indicator of phishing. Arctic Wolf recommends reviewing these items immediately.

View the Reported Emails list

Sign in to the MA Portal using your Arctic Wolf credentials.

For MSPs, search for the desired customer account, and then click View.
Click Reported Phishing, and then click Reported Emails.

Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Filter the Reported Emails list

In the MA Portal menu, click Reported Phishing.
In the Reported Emails list, click the column header name to order the list. You can order the list by:
- Date Reported — Date and time the email was reported as phishing.
- Reporter — Email address of the user who reported the email as phishing.
- Graph Message ID — The unique message ID of the email reported as phishing.
- Threat level (MA+ customers only) — All emails marked as either Low, Medium, or High.
  
  Tip: Click Low, Medium, or High to filter the list by threat level type.
- Acknowledge — The email has been reviewed by an MA administrator in your organization. Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization protected.
  
  Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Search the Reported Emails list

In the MA Portal menu, click Reported Phishing.
In the Reported Emails list, in the Search field, enter a parameter, for example, a specific date. The list filters based on the value.

Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Copy a Graph Message ID

In the MA Portal menu, click Reported Phishing.
Click Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
In the Graph Message ID section, click Copy to clipboard.

The Graph Message ID can be used for tracking suspicious emails.
Use your organization’s email analysis to review the Graph Message ID of the reported email.

View threat details information

Note: This feature is available for MA+ customers only.

In the MA Portal menu, click Reported Phishing.
Click Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
In the Threat Level section, click View Threat Details.

The Expanded Scoring window opens with this information:
- Date Reported — Date and time the email was reported as phishing.
- Reporter Email — Email address of the user who reported the email as phishing.
- Graph Message ID — The unique message ID of the email reported as phishing.
- Overall Score — The overall score categorization for the email. See Reported Emails tab for score categorization information.
- Sub-scores — Sub-scores breakdown the email assign it a risk score. The sub-scores together form the overall score. Sub-score sections are:
  - Header Analysis — Low, Medium, or High risk.
  - Content (Body Content) — Low, Medium, or High risk.
  - Content (URL) — Low, Medium, or High risk.
  - Attachment — Low, Medium, or High risk.
When finished, click X to exit the Expanded Scoring window.

Acknowledge a Reported Email

Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization safe. To review and acknowledge reported emails:

In the MA Portal menu, click Reported Phishing.
Click the Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
After you review the email, in the Acknowldge section, select the checkbox.

Phishing Button Settings tab

The Phishing Button Settings tab is used to review and change settings pertaining to the Report Phishing feature.

Test the Saved Connection

In the MA Portal menu, click Reported Phishing > Phishing Button Settings.
Click Test Saved Connection.

The credentials for the Azure app integration that were set up during configuration are tested. See Managed Security Awareness Configuration for more information.
In the Your saved credentials check was successful confirmation message, click Acknowledge.

Manage the Report Phishing feature

You can manage users access to the Report Email button and set parameters to automatically move phishing emails to a junk or spam folder.

Move phishing emails to junk or spam

You can move phishing emails to a junk or spam folder automatically by granting permission in Phishing Button Settings.

In the MA Portal menu, click Reported Phishing > Phishing Button Settings.
In the Grant Permissions section, click the Automatically move emails to junk toggle to the on position.

Report Email button

The Report Email button, located in the Outlook toolbar, enables you to report suspicious emails as phishing.

Report an email as phishing

In Outlook, click the title of the email to report as phishing.
On the Outlook toolbar, click Arctic Wolf.
Notes:
- If you are using Outlook in a web browser, the button in the toolbar is the Arctic Wolf logo.
- A tooltip appears that reads Report Email when you hover over the button.
In the confirmation message, click Yes.

The reported email is moved to the junk or spam folder in Outlook.

Retrieve an email marked as phishing

If an email has been marked as phishing in error, the email can be retrieved:

In Outlook, locate the email in the junk or spam folder.
Do one of these options:
- Drag and drop the email into another folder, for example, Inbox.
- Right-click the email, select Move > Select Folder, and then select the folder to move the email to.

Review user reported emails

Arctic Wolf recommends that MA administrators regularly review the Reported Emails tab to action any suspicious emails as we are not notified of user reported emails.

In the MA Portal menu, click Reported Phishing > Reported Emails.
Filter or search the Reported Emails list and review the results.

Note: For MA+ customers, Arctic Wolf recommends reviewing and actioning items with a Medium or High threat level categorization. See View threat details information for more information.
Investigate any suspicious items within your organization.
(Optional) Submit a ticket in the Arctic Wolf Portal for assistance in handling emails within your organization’s Microsoft Tools.
Acknowledge any list items that do not need to be actioned.

Review user reported emails

MA admins can review emails that were reported using the Report Email button.

Before you begin

Get the Azure app credentials used when you configured the Report Email button:

Tip: See Configure the Report Email button for Outlook. in the Managed Awareness configuration guide for more information.
- Application (client) ID
- Directory (tenant) ID
- Client Secret value
  
  Note: This is the Client Secret value you created when configuring the Report Email button, not the Secret ID found in Azure app settings.
Get these details of the email you want to review:
- The email address that reported the email.
- The Graph Message ID for the message. See Copy a Graph Message ID for more information.
Note: If the email is moved to another folder, the Graph Message ID changes and the ID from the Reported Emails tab is no longer valid.

Step 1: Download the file

Navigate to the Microsoft Graph CLI download page.
Click Assets under the latest release of Microsoft Graph CLI.
Download the file specific to the OS that Microsoft Graph CLI will run on.
Extract the files.

A file with the filename mgc is included in the extracted content.

Step 2: Retrieve the message

Retrieve the message using the appropriate CLI for your environment:

PowerShell
Windows Command Prompt
Linux or macOS CLI

Retrieve the message using PowerShell

Run this command to set the environment variable for AZURE_CLIENT_SECRET, where <secret_id> is your Client Secret value:
```
$Env:AZURE_CLIENT_SECRET = "<secret_id>"
```
Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:
```
./mgc login --tenant-id <tenant_id> `
    --client-id <client_id> `
    --strategy Environment `
    --scopes .default
```
Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:

Note: If you would like the output to include headers, body, and attachments, add /$value at the end of the Graph Message ID.
```
./mgc users messages get `
   --user-id <user_email> `
   --message-id <message_id>=
```
```
./mgc users messages get `
   --user-id <user_email> `
   --message-id <message_id>=/$value
```

Retrieve the message using Windows Command Prompt

Run this command to set the environment variable for AZURE_CLIENT_SECRET, where <secret_id> is your Client Secret value:
```
set AZURE_CLIENT_SECRET=<secret_id>
```
Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:
```
mgc.exe login --tenant-id <tenant_id> --client-id <client_id> --strategy Environment --scopes .default
```
Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:

Note: If you would like the output to include headers, body, and attachments, add /$value at the end of the Graph Message ID.
```
mgc.exe users messages get --user-id <user_email> --message-id <message_id>=
```
```
mgc.exe users messages get --user-id <user_email> --message-id <message_id>=/$value
```

Retrieve the message using the macOS or Linux CLI

Run this command to set the environment variable for AZURE_CLIENT_SECRET, where <secret_id> is your Client Secret value:
```
export AZURE_CLIENT_SECRET=<secret_id>
```
Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:
```
./mgc login \
 --tenant-id <tenant_id> \
 --client-id <client_id> \
 --strategy Environment \
 --scopes .default
```
Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:

Note: If you would like the output to include headers, body, and attachments, add /$value at the end of the Graph Message ID.
```
./mgc users messages get \
 --user-id '<user_email>' \
 --message-id '<message_id>'
```
```
./mgc users messages get \
 --user-id '<user_email>' \
 --message-id '<message_id>' /$value
```

Reports

The Reports page displays Secure Culture statistics as downloadable PDF reports.

These reports are available:

Section	Description
Security Awareness Program Status	A progress report that shows the completion of microlearning sessions and quizzes, the results of phishing simulations, and the completion of phishing remediation sessions.
Security Awareness Program Trends	A report that shows trends in user performance.
High Risk Users	A report that identifies users with a low level of engagement with the MA program and users who have performed poorly in quizzes and phishing simulations.
Phishing Simulations	A detailed report of phishing simulation results and the completion of phishing remediation sessions.

Tip: See Secure Culture Dashboard for more information about available statistics.

View an MA session report

In the MA Portal menu, click Reports.
Click the required tab:
- Security Awareness Program Status
- Security Awareness Program Trends
- High Risk Users

See View a compliance training course report for compliance report instructions.

Download an MA session report

In the MA Portal menu, click Reports.
Click the required tab:
- Security Awareness Program Status
- Security Awareness Program Trends
- High Risk Users
Click Download.

A PDF file downloads to your device.

See Download a compliance training course report for compliance report instructions.

Administrator and User Status Reports

These User Status Reports are sent each month:

Administrators receive a User Status Report on the second day of each month. It contains a snapshot of the statistics available in the MA Portal. This summary format allows you to quickly review the security culture of the organization.
By default, users receive a short email on the first day of the month to confirm what sessions they are caught up on or if they are behind on any sessions. If you have configured incomplete session reminders through the Incomplete Session Manager, users will receive a User Status Report based on what was configured, resulting in more frequent reminders and/or urgent tone for the email. For more information, see Manage incomplete session reminders.

Content Library

The Content Library feature lets you assign supplemental training content to one or more groups of users.

Note: To access the Content Library feature, your organization must:

Have a valid Compliance Content Pack or MA+ license
Use Microsoft Entra ID for identity and access management

The Content Library contains different content depending on whether you have a Compliance Content Pack or MA+ license. If your organization has a:

MA+ license — You can assign any microlearning session or quiz, including those from security awareness tracks that your program is not currently set to. See Select a security awareness track for more information. You also have access to role-based security awareness microlearning sessions. To view the roles that are available, click All Filters > Role.

Tip: If your organization uses AD, we recommend creating different AD user groups to better control which users you assign role-based training modules to. See the See also section for documentation about managing Microsoft users. :::
Compliance Content Pack license — You can assign compliance training modules. Compliance training modules are courses, ranging from 15 to 60 minutes long, that explain the laws, regulations, and policies that are relevant to the responsibilities of employers and employees, For example, anti-discrimination laws, sexual harassment awareness, safety regulations, and rules that govern the protection of personal information.

Assign supplemental training to a user group

Note: User engagement and test outcomes for supplemental training assignments, including compliance training modules, are included in secure culture statistics and reports.

In the MA Portal menu, click Content Library.
Browse, search, or filter for a training module that covers the desired topic.
Tips:
- Click All Filters to view all filters that you can set. There are also filters for content types available, such as Awareness Session. To reset your filters, click Clear.
- Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
Click Assign To Group.
In the dialog, select the desired group.
Review the list of group members to confirm your selection.
Notes:
- Verify that you have selected the correct group. Training assignments cannot be removed once they are assigned.
- You cannot assign a module to a group without members. When integrated with AD, the MA Portal performs live queries of AD to retrieve users and user groups. To edit add or remove members, edit the group in AD.
Click Assign <module> to <x> users.

A confirmation message appears, and users within the selected group receive an email that grants them immediate access to the assigned module.
Click x or Close to exit the dialog.

Compliance

Note: To access the Compliance information, your organization must have a valid Compliance Content Pack (CPP).

The Compliance page helps you to comply with standards like ISO 27001 or 27002 because it provides you with more visibility and control over your compliance training course information.

The page includes these tabs:

Compliance Dashboard — Displays live compliance training course statistics. It also allows you to search for specific compliance training course data, download the history of compliance training courses, and download a list of users that have incomplete compliance training courses.

See Download compliance training course history, and Download a list of users with incomplete compliance training courses for more information.
Compliance Incomplete Session Manger — Allows you to configure the frequency and the urgency language of emails that are sent to users when training courses are incomplete.

See Manage incomplete compliance training course reminders for more information.
Compliance Report — Displays a compliance report that you can download or print. The report replicates the data on the Compliance Dashboard tab.

See View a compliance training course report, and Download a compliance traning course report for more information.

See View compliance training course information for more information.