Managed Security Awareness Portal User Guide

Updated Sep 19, 2023

Managed Security Awareness

Arctic Wolf Managed Security Awareness® (MA) delivers security awareness training as a program to increase security awareness and build a strong security culture within your organization. The MA program includes:

Session or Module Description Supported Languages
QuickStart The first session that employees receive at your organization and replaces the first session in the delivery schedule, after which users join the normal delivery cadence. It is a five-minute awareness session to orient users to the MA program and introduce key security awareness topics.
  • US English
  • UK English
  • Deutsch
  • Español
Microlearning sessions Three to five minute videos or interactive tutorials on recognizing and neutralizing social engineering attacks and avoiding security breaches that result from human error.
  • US English
  • UK English
  • Deutsch
  • Español
Quizzes Three to five minute test sessions that measure user uptake of security awareness training.
  • US English
  • UK English
  • Deutsch
  • Español
Automated phishing simulations Phishing simulation emails that measure the susceptibility of an organization to phishing-based attacks.
  • US English
  • Deutsch
Role-based sessions An exclusive feature available to customers who have purchased MA Plus (MA+). These sessions follow a similar format to microlearning sessions.
  • US English
  • UK English
  • Deutsch
  • Español
Compliance training modules Longer than microlearning sessions, these modules range from 15 to 60 minutes, and go beyond security awareness to support the regulatory compliance obligations of an organization. These modules are available to customers with a valid Compliance Content Pack license. This license allows you to assign compliance training in addition to security awareness training to a group of users as required.
  • US English

Note: MA content created prior to 1/31/2021 is available in US English only.

Assign an MA Administrator in your organization

Your organization should assign an administrator to monitor the MA Portal and maintain active users of the program. The administrator can sign in to the MA Portal using the Arctic Wolf Unified Portal (Arctic Wolf Portal) or a direct link to your organization’s MA Portal, to perform these tasks:

How MA is delivered

MA sessions are delivered through email and users receive approximately 43 sessions over the course of a year. Each MA email contains a link to launch the session in a new browser window or tab. On a given week when an activity is scheduled, users only receive one activity for the week: a microlearning session, a quiz, or a phishing simulation email. The MA program delivers content in these ways:

Session Delivery
QuickStart The QuickStart session is sent once the program is active and when new users are added to the system on the selected day of delivery in place of the scheduled content in the Upcoming Sessions table in the Administration Dashboard.
Security awareness microlearning sessions and quizzes Typically, users receive 25 unique microlearning sessions and ten quizzes over a 52-week cycle. Users receive email notifications for each training assignment. You can preview the upcoming schedule under the Administration Dashboard tab. Microlearning session previews include available language options. See Preview an upcoming session for more information.
Phishing simulations If this option is enabled, users receive 12 phishing simulation emails each year, one a month. These emails are sent to user inboxes on a random weekday between 17:00 UTC and 22:00 UTC, or between 16:00 UTC and 21:00 UTC during daylight saving time.

Users can view their progress in the User Status Report email to see if they are behind on any sessions. You can view the current status of any or all users on the Administration Dashboard, at any time. See Administrator and User Status Reports for more information.

Manage the MA program

The MA Portal lets you manage program features, monitor user participation and performance, assess the level of security awareness that your organization has, and identify opportunities for raising the level of security awareness within your organization.

This guide is intended for administrators of the MA program in their organization.

Sign in to the MA Portal

  1. Go to https://sat.arcticwolf.com/.

  2. Sign in using your Arctic Wolf credentials.

    For MSPs, search for the desired customer account, and then click View.

After you sign in, the MA Portal loads and your sign-in details appear in the top-right corner in this format: Your Name - Organization Name.

Tips:

  • Click Settings to access these options:
    • Arctic Wolf Portal
    • Administrator Toolkit
    • Program Maturity
    • User Management
    • Log out
  • (MSPs only) Click the wrench to switch customer accounts.

Initial setup

These tasks are completed as part of the initial setup of your MA program:

MA program activation

After you activate the MA program with the Concierge Security® Team (CST), this occurs:

Email templates

MA users and program administrators receive various emails throughout the each program cycle. To view the contents of these emails:

  1. In the MA Portal menu, click Administration Dashboard.

  2. In the Email Templates/Private Labeling section, select an email template to view.

    These MA email templates are available:

    Email template Description
    Awareness Session Link The email that users receive when a microlearning session or quiz is assigned.
    QuickStart Session Link The first email that users receive after the MA program is activated. The email includes a link to the QuickStart session, which is an introduction to the MA program.
    Email Test Session Link An email that your onboarding project manager sends before the MA program starts to verify that your corporate email Allowlist is configured to allow MA email notifications.
    Monthly Admin Snapshot A periodic email provides an overview of user participation in the MA program. Only MA program administrators receive this email.
    Status Update - Positive A periodic email that provides users a summary of their participation in the MA program. Users receive this email if all training assignments are complete.
    Status Update - Negative A periodic email that provides users a summary of their participation in the MA program. Users receive this email if one or more training assignments are incomplete.

Customize emails using private labeling

You can customize the email sender name and display name by enabling private labeling within the Administration Dashboard. By default, the sender of MA emails appears as:

The session emails sent to users include the display name in the signature of session emails, as well as in the MA Portal page header. The sender email name displays on the individual emails in an inbox.

Notes:

  • The customized name appears in the signature, but you cannot customize the body of the email signature.
  • Private labeling is optional.

Add a private label

You can customize the email sender name and display name.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the Email Templates/Private Labeling tab.
  3. Click the Use Private Labeling toggle to the on position.
  4. Edit the Display Name and Email Sender Name fields as needed.
  5. Click Save.
  6. Review the email templates to confirm that you want to keep your current settings.

Remove a private label

You can remove a custom email sender name and display name.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the Email Templates/Private Labeling tab.
  3. Click the Use Private Labeling toggle to the off position.

Change a private label

You can change the email sender name and display name.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the Email Templates/Private Labeling tab.
  3. Click the Use Private Labeling toggle to the off position, and then click it to the on position.
  4. Edit the Display Name and Email Sender Name, as desired.
  5. Click Save.
  6. Review the email templates to confirm that you want to keep your current settings.

Manage users

Users are individuals within your organization who will receive sessions, quizzes, and phishing simulations. They receive email communication and do not have sign-in credentials for the MA Portal.

Manage MA program users the same way that you enrolled users. If you enrolled users with:

Manage users with Microsoft Entra ID or Microsoft 365 Active Directory

  1. Add or remove users from the AD Group in Microsoft Entra ID or Microsoft 365 Active Directory that you selected to sync with the MA Program. See Manage a group in the Microsoft 365 admin center for more information about how to add or remove users from groups.

    Note: If you do not remember the name of the AD Group that is synced to the MA program, in the MA Portal click Settings > User Management > Test Connection > Query Group. This populates the name of the AD Group.

  2. In a new browser tab, sign in to the MA Portal.

  3. Click Settings > User Management.

    Changes are automatically synchronized in the Microsoft Entra ID.

  4. Click Sync Now.

    Note: If you do not select Sync Now, changes can take up to 24 hours to be visible in the MA Portal in the User Information tab within the Administration Dashboard.

  5. Click Query Group.

    The updated list of users in the selected group displays in a table.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users using a CSV file

Note: These instructions only apply to organizations that have not set up an AD Group to manage users with Microsoft Entra ID or Microsoft 365 Active Directory. Only perform these steps if your organization has always managed users with a CSV file.

  1. Locate the CSV file that you created when you enrolled users in the MA program.
  2. Update the CSV file depending on if you are adding or removing users:
    • To add a new user to the MA program, add a new row and provide the user's details in the FirstName, LastName, and Email columns.
    • To remove a user that is no longer participating in the MA program, delete the row for that user.
  3. Save your changes.
  4. Send a ticket in the Arctic Wolf Portal with the updated CSV file.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users with Google Workspace

You can add or remove users with Google Workspace. To change user groups, see Manage the third-party user group.

  1. In Google Workspace, add or remove users from the user group that you selected to sync with the MA Program.

    For more information, see Create, update, or delete a group. Changes are automatically synchronized between Google Workspace and MA Portal within 24 hours.

    Tip: You can find the name of the group in the MA Portal under Settings > User Management in the Group Name field.

  2. To manually sync the changes:

    1. In a new browser tab, sign in to the MA Portal.

    2. Click Settings > User Management.

    3. Click Sync Now.

      The Last Successful Sync field updates with the current date and time.

  3. To verify the changes:

    1. Click View/Edit Group.
    2. Click Query Group.
    3. Review the table of users to ensure it matches the list in Google Workspace.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage users with Microsoft Entra ID or Microsoft 365 Active Directory

You can add or remove users with Microsoft Entra ID or Microsoft 365 Active Directory. To change user groups, see Manage the third-party user group.

  1. In in Microsoft Entra ID or Microsoft 365 Active Directory, add or remove users from the AD Group that you selected to sync with the MA Program.

    For more information, see Manage a group in the Microsoft 365 admin center. Changes are automatically synchronized between Microsoft Entra ID or Microsoft 365 Active Directory and the MA Portal within 24 hours.

    Tip: You can find the name of the AD group in the MA Portal under Settings > User Management in the Group Name field.

  2. To manually sync the changes:

    1. In a new browser tab, sign in to the MA Portal.

    2. Click Settings > User Management.

    3. Click Sync Now.

      The Last Successful Sync field updates with the current date and time.

  3. To verify the changes:

    1. Click View/Edit Group.
    2. Click Query Group.
    3. Review the table of users to ensure it matches the list in Google Workspace.

Note: QuickStart sessions are automatically sent on the next session delivery day to new users who are added to the program after activation.

Manage the third-party user group

You can change the Google Workspace, Microsoft Entra ID, or Microsoft 365 Active Directory user group that MA uses.

  1. In the MA Portal, click Settings > User Management.
  2. Click View/Edit Group.
  3. Click Query Group.
  4. In the Select a group list, select the user group.
  5. Click Save Integration.

Monitor security awareness

The MA Portal provides these options for monitoring the level of security awareness in your organization:

Monitor program progress with the Secure Culture Dashboard

The Secure Culture Dashboard tracks user participation and measures performance in security awareness sessions, quizzes, phishing simulations, and compliance training. As an administrator, you can view the Secure Culture Score of the organization at a glance or in detail on the MA Portal. You can also view the current status of any or all users on the Administration Dashboard, at any time. Users do not have access to the dashboard, so they must wait for the monthly User Status Report email to see their progress and if they are behind on any sessions.

The Secure Culture Dashboard has these sections:

Section Description
Secure Culture Program Summary Displays these metrics, indicating the extent to which security awareness and regulatory compliance are a part of your organizational culture:
  • Secure Culture Score — An aggregated metric of user engagement and knowledge assessment that describes the level of security awareness within your organization.
  • Users Assigned Sessions — The number of users assigned to sessions.
  • Sessions Sent — The number of security awareness microlearning sessions delivered within the selected timeframe. For example, within the last 30 days.
  • Phishing Simulations Sent — The number of phishing simulation emails delivered within the selected timeframe. For example, within the last 30 days.
  • Completion — The percentage of delivered sessions that active users have completed.
  • Average Quiz Score — The average score of all users who have completed security awareness quizzes.
  • Phishing Simulation Failures — The percentage of active users who failed phishing simulations.
    Note: Users who fail a phishing simulation automatically receive a remediation session about phishing.
  • Remediation Completion — The percentage of delivered phishing remediation sessions that users have completed.
QuickStart Status Summarizes user engagement for QuickStart sessions.
Session Statistics Summarizes user engagement for past security awareness sessions.
Quiz Statistics Summarizes user engagement and scores for past security awareness quizzes.
Simulation Statistics Summarizes user behavior in response to delivered phishing simulation emails.

Tip: See Reports for more information about statistics and reports.

Download Secure Culture statistics

You can download CSV files from the Secure Culture Dashboard to identify which users require additional training support. The CSV files provide this information:

Note: The data included in the CSV file reflects the selected timeframe. For example, within the last 30 days.

To download Secure Culture statistics:

  1. In the MA Portal menu, click Secure Culture Dashboard.
  2. Click Download to download the desired CSV file.

Tip: See Increase your Secure Culture Score for remediation options.

Increase your Secure Culture Score

The Secure Culture Score represents the strength of security awareness within your organization, based on the session completion, average quiz score, phishing simulation failures, and remediation completion metrics. Possible scores include:

To increase your Secure Culture Score, you can:

Administration Dashboard

You can manage security awareness microlearning sessions in these ways:

Select a security awareness track

Note: The Managed Security Awareness Plus (MA+) license is required to access this option.

The MA+ program is set to the standard track by default. However, you can select other security awareness tracks that are tailored to specific industries, for example, healthcare.

  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the Session Information tab.

  3. In the Current Awareness Track list, select the desired track.

    The list of upcoming sessions updates to reflect the awareness track that you select.

Change the session delivery day

A microlearning session is sent through email between 14:00 and 15:00 UTC on the configured session delivery day.

After changing the session delivery day, users receive the next microlearning session in the queue on the earliest possible day that corresponds with the configuration. For example, if today is Tuesday, August 10, 2021 and you change the session delivery day before 14:00 UTC from Friday to Tuesday, users receive the next microlearning session today, and future sessions are scheduled to be delivered on following Tuesdays.

Note: Changing the selected session delivery day does not affect the timing of phishing simulation emails. Phishing simulations occur on a random weekday between 16:00 UTC and 22:00 UTC.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the Session Information tab.
  3. Select the desired session delivery day.

Send a test email

Send a test email to a security administrator in your organization when:

To send a test email:

  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the User Information tab.

  3. Click Send Test Email.

    To preview the test email, see Email templates.

Disable or enable phishing simulation emails

The MA program includes phishing simulations to test user responses to suspicious emails.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the Session Information tab.
  3. Click the Send Phishing Simulation Emails toggle to the off or on position as needed.

Change the template of the phishing simulation emails

  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the Session Information tab.

  3. In the Upcoming Sessions section, find the phishing simulation that you want to change to an alternate template. For example, a template in a different language.

  4. In the Options column, select the list, and then click Preview/Select Phishing Email.

  5. In the Available Templates list, select the template you want to use.

    Note: Make sure you allowlisted the correct domains for the simulation email language. If you do not have the correct domains allowlisted, users might not receive the simulation. See Configure your allowlist in Configuring Managed Security Awareness for a list of domains.

  6. Review the template preview, and then click Select This Phishing Email Template.

    The template updates in the Upcoming Sessions schedule list.

  7. To change the phishing simulation template, click Select This Phishing Email Template.

    Note: You must select the template each month prior to the scheduled date.

    The template updates in the Session Information tab and previews the template.

Preview an upcoming session

  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the Session Information tab.

  3. In the Upcoming Sessions section, find the session you want to preview.

    Tip: Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.

  4. In the Options column, select the list, and then select Preview Session or Preview/Select Phishing Email.

  5. If you are previewing a phishing simulation, you can select different templates that are more relevant to your organization. To select a template:

    1. Click the Available Templates list, and then select the template you want to use.
    2. Click Select This Phishing Email Template to confirm your selection.

Mute an upcoming session

If desired, you can mute an upcoming session or phishing simulation. When muted, the session or phishing simulation is not delivered to users.

Notes:

  • Some weeks in the MA program cycle do not have a scheduled activity. When an activity is scheduled, users only receive one activity for the week: a microlearning session, a quiz, or a phishing simulation email.
  • No alternative session, quiz, or phishing simulation is delivered in its place on the week of the muted session.
  • A muted session does not recur for the remainder of the program cycle. However, the topic may be covered in a future microlearning sessions.
  • If you unmute the session on the configured session delivery day after 15:00 UTC, or after 14:00 UTC during daylight saving time, users do not receive the session.
  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the Session Information tab.

  3. In the Upcoming Sessions section, find the session you want to mute or unmute.

  4. In the Options column, select the list, and then click Mute This Week or Unmute This Week.

    Muted sessions are highlighted orange. Sessions that are not highlighted are queued to be delivered as scheduled.

View user information

You can view the email address and session history for users within your organization. For example, you can view the quizzes and phishing simulations sent to each user, when they were sent, and when the user completed them.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the User Information tab.

Assign a session to an individual user

You can assign specific security awareness sessions to an individual user, which are delivered separate from the MA program schedule.

  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the User Information tab.

  3. Search for the desired user, and then select one of these options:

    • View History — To resend a session that the user has already received.
    • Assign Session — To assign a session to the user.

      Tip: This option lets you assign sessions that are not listed in the history for that user. For example, you can use this option to assign past sessions to a new user who was added to the MA program mid-cycle. When a new user is added, the user automatically receives the QuickStart session. However, the next security awareness session that the user receives is the session that is scheduled for delivery in the current or following week.

  4. Page through the list or use the search field to find the session that you want to assign.

    Tip: Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.

  5. Select Assign for the desired session. The user immediately receives an email notification about the training assignment, and the session no longer appears in the list of available sessions and phishing simulations for that user.

    Note: You cannot re-assign this session until the user completes the assignment.

Download the MA program session history

Downloading the MA program session history is one way to review the level of engagement of your organization with the MA program. With this option, you can also review the history of a specific session or user.

  1. In the MA Portal menu, click Administration Dashboard.
  2. Click the User Information tab.
  3. Click Download Full Session History to download the CSV file.

Tip To review the history of all past sessions and quizzes for an individual user, see View user completion for MA sessions and quizzes.

View user completion for MA sessions and quizzes

The MA Portal allows you to view a history of completed MA sessions and quizzes for each user in your organization.

  1. In the MA Portal menu, click Administration Dashbaord.

  2. Click the User Information tab.

  3. In the Search field, enter the name of the user.

  4. Next to the user, click View History.

    In the User Session History window, the results of each assigned session or quiz displays for the selected user.

Tip: In the User Session History window, click Resend next to the session or quiz that you want to resend to the user.

Manage incomplete session reminders

You can adjust the frequency and the urgency language of emails that are sent to users when training is incomplete. You can configure the settings differently depending on how many incomplete sessions a user has. For example, if you have users with a high number of incomplete sessions, you can increase the frequency of email reminders to those users.

Note: These steps only apply to incomplete MA session management. If you have a valid CPP, you can manage reminders for incomplete compliance training courses from the Compliance tab within the MA Portal. See Manage incomplete compliance training course reminders for instructions.

  1. In the MA Portal menu, click Administration Dashboard.

  2. Click the Incomplete Session Manager tab.

  3. For each applicable column, select the required Frequency of Email option:

    • Monthly (1st)
    • Bi-Monthly (1st, 15th)
    • Weekly (Monday)
    • Daily
  4. For each applicable column, select the required Urgency of Email from the list:

    • Low
    • Moderate
    • High

    Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.

Report Phishing

The Arctic Wolf Managed Security Awareness® (MA) Report Phishing feature enables your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service and includes:

Reported Phishing Dashboard

The Reported Phishing Dashboard provides eligible Arctic Wolf customers detailed phishing information and analytics:

Feature MA MA+ Description
Reported Emails Yes Yes List of reported emails and information on the reporter and message.
Threat Level Analytics No Yes Emails reported by users will display threat level analytics:

  • Low — The emails do not contain any data points that indicate phishing. These items were likely reported in error.
  • Medium — The emails contain one or more data points that could indicate phishing. Arctic Wolf recommends reviewing these items.
  • High — The emails contain multiple data points that are a strong indicator of phishing. Arctic Wolf recommends reviewing these items immediately.

Reported Simulations No Yes Detailed analytics of the type and number of reported phishing attempts, date reported, and a phishing reporters list.
Phishing Button Settings Yes Yes Edit Report Email Integration settings and permissions.

Access the Reported Phishing Dashboard

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

    For MSPs, search for the desired customer account, and then click View.

  2. Click Reported Phishing.

    The Reported Phishing Dashboard opens.

Reported Simulations tab

Note: This feature is available for MA+ customers only.

The Reported Simulations tab includes:

View the Reported Phishing Simulation Details

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

    For MSPs, search for the desired customer account, and then click View.

  2. Click Reported Phishing.

    The Reported Phishing Simulation Details list is below the Reported Phishing Simulations graph.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries.

Filter the Phishing Simulation Reporters list

  1. In the MA Portal menu, click Reported Phishing.
  2. In the Reported Phishing Simulation Details list, click the applicable column header name to sort the list by:
    • Date/Time
    • Phishing Simulation title
    • First Name
    • Last Name

Search the Reported Phishing Simulation Details list

  1. In the MA Portal menu, click Reported Phishing.

  2. In the Reported Phishing Simulation Details list, in the Search field, enter the first or last name of the user.

    The list filters based on the entered value.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Reported Emails tab

The Reported Emails tab includes a list of emails reported as suspicious, the date and time in UTC they were reported, the user who reported the email, and an acknowledge function.

For MA+ Customers only, the Reported Emails tab also includes details on the associated threat level categorization. Emails are categorized as:

View the Reported Emails list

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

    For MSPs, search for the desired customer account, and then click View.

  2. Click Reported Phishing, and then click Reported Emails.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Filter the Reported Emails list

  1. In the MA Portal menu, click Reported Phishing.
  2. In the Reported Emails list, click the column header name to order the list. You can order the list by:
    • Date Reported — Date and time the email was reported as phishing.

    • Reporter — Email address of the user who reported the email as phishing.

    • Graph Message ID — The unique message ID of the email reported as phishing.

    • Threat level (MA+ customers only) — All emails marked as either Low, Medium, or High.

      Tip: Click Low, Medium, or High to filter the list by threat level type.

    • Acknowledge — The email has been reviewed by an MA administrator in your organization. Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization protected.

      Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Search the Reported Emails list

  1. In the MA Portal menu, click Reported Phishing.

  2. In the Reported Emails list, in the Search field, enter a parameter, for example, a specific date. The list filters based on the value.

    Tip: The default list view shows 10 entries. Select a different value from the list to change the number of listed entries. Click Next or Previous to navigate between search result pages.

Copy a Graph Message ID

  1. In the MA Portal menu, click Reported Phishing.

  2. Click Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.

  3. In the Graph Message ID section, click Copy to clipboard.

    The Graph Message ID can be used for tracking suspicious emails.

  4. Use your organization’s email analysis to review the Graph Message ID of the reported email.

View threat details information

Note: This feature is available for MA+ customers only.

  1. In the MA Portal menu, click Reported Phishing.

  2. Click Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.

  3. In the Threat Level section, click View Threat Details.

    The Expanded Scoring window opens with this information:

    • Date Reported — Date and time the email was reported as phishing.
    • Reporter Email — Email address of the user who reported the email as phishing.
    • Graph Message ID — The unique message ID of the email reported as phishing.
    • Overall Score — The overall score categorization for the email. See Reported Emails tab for score categorization information.
    • Sub-scores — Sub-scores breakdown the email assign it a risk score. The sub-scores together form the overall score. Sub-score sections are:
      • Header AnalysisLow, Medium, or High risk.
      • Content (Body Content)Low, Medium, or High risk.
      • Content (URL)Low, Medium, or High risk.
      • AttachmentLow, Medium, or High risk.
  4. When finished, click X to exit the Expanded Scoring window.

Acknowledge a Reported Email

Arctic Wolf recommends that the Reported Emails list is regularly reviewed for patterns to keep your organization safe. To review and acknowledge reported emails:

  1. In the MA Portal menu, click Reported Phishing.
  2. Click the Reported Emails list, and then search for the reporter, date, or threat level to filter the listed results.
  3. After you review the email, in the Acknowldge section, select the checkbox.

Phishing Button Settings tab

The Phishing Button Settings tab is used to review and change settings pertaining to the Report Phishing feature.

Test the Saved Connection

  1. In the MA Portal menu, click Reported Phishing > Phishing Button Settings.

  2. Click Test Saved Connection.

    The credentials for the Azure app integration that were set up during configuration are tested. See Managed Security Awareness Configuration for more information.

  3. In the Your saved credentials check was successful confirmation message, click Acknowledge.

Manage the Report Phishing feature

You can manage users access to the Report Email button and set parameters to automatically move phishing emails to a junk or spam folder.

Move phishing emails to junk or spam

You can move phishing emails to a junk or spam folder automatically by granting permission in Phishing Button Settings.

  1. In the MA Portal menu, click Reported Phishing > Phishing Button Settings.
  2. In the Grant Permissions section, click the Automatically move emails to junk toggle to the on position.

Report Email button

The Report Email button, located in the Outlook toolbar, enables you to report suspicious emails as phishing.

Report an email as phishing

  1. In Outlook, click the title of the email to report as phishing.

  2. On the Outlook toolbar, click Arctic Wolf.

    Notes:

    • If you are using Outlook in a web browser, the button in the toolbar is the Arctic Wolf logo.
    • A tooltip appears that reads Report Email when you hover over the button.
  3. In the confirmation message, click Yes.

    The reported email is moved to the junk or spam folder in Outlook.

Retrieve an email marked as phishing

If an email has been marked as phishing in error, the email can be retrieved:

  1. In Outlook, locate the email in the junk or spam folder.
  2. Do one of these options:
    • Drag and drop the email into another folder, for example, Inbox.
    • Right-click the email, select Move > Select Folder, and then select the folder to move the email to.

Review user reported emails

Arctic Wolf recommends that MA administrators regularly review the Reported Emails tab to action any suspicious emails as we are not notified of user reported emails.

  1. In the MA Portal menu, click Reported Phishing > Reported Emails.

  2. Filter or search the Reported Emails list and review the results.

    Note: For MA+ customers, Arctic Wolf recommends reviewing and actioning items with a Medium or High threat level categorization. See View threat details information for more information.

  3. Investigate any suspicious items within your organization.

  4. (Optional) Submit a ticket in the Arctic Wolf Portal for assistance in handling emails within your organization’s Microsoft Tools.

  5. Acknowledge any list items that do not need to be actioned.

Review user reported emails

MA admins can review emails that were reported using the Report Email button.

Before you begin

Steps

  1. Download the file.
  2. Retrieve the message.

Step 1: Download the file

  1. Navigate to the Microsoft Graph CLI download page.

  2. Click Assets under the latest release of Microsoft Graph CLI.

  3. Download the file specific to the OS that Microsoft Graph CLI will run on.

  4. Extract the files.

    A file with the filename mgc is included in the extracted content.

Step 2: Retrieve the message

Retrieve the message using the appropriate CLI for your environment:

Retrieve the message using PowerShell

  1. Run this command to set the environment variable for AZURE_CLIENT_SECRET, where <secret_id> is your Client Secret value:

    $Env:AZURE_CLIENT_SECRET = "<secret_id>"
  2. Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:

    ./mgc login --tenant-id <tenant_id> `
        --client-id <client_id> `
        --strategy Environment `
        --scopes .default
  3. Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:

    Note: If you would like the output to include headers, body, and attachments, add /$value at the end of the Graph Message ID.

    ./mgc users messages get `
       --user-id <user_email> `
       --message-id <message_id>=
    ./mgc users messages get `
       --user-id <user_email> `
       --message-id <message_id>=/$value

Retrieve the message using Windows Command Prompt

  1. Run this command to set the environment variable for AZURE_CLIENT_SECRET, where <secret_id> is your Client Secret value:

    set AZURE_CLIENT_SECRET=<secret_id>
  2. Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:

    mgc.exe login --tenant-id <tenant_id> --client-id <client_id> --strategy Environment --scopes .default
  3. Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:

    Note: If you would like the output to include headers, body, and attachments, add /$value at the end of the Graph Message ID.

    mgc.exe users messages get --user-id <user_email> --message-id <message_id>=
    mgc.exe users messages get --user-id <user_email> --message-id <message_id>=/$value

Retrieve the message using the macOS or Linux CLI

  1. Run this command to set the environment variable for AZURE_CLIENT_SECRET, where <secret_id> is your Client Secret value:

    export AZURE_CLIENT_SECRET=<secret_id>
  2. Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs, where <tenant_id> is the directory (tenant) ID and <client_id> is the application (client) ID:

    ./mgc login \
     --tenant-id <tenant_id> \
     --client-id <client_id> \
     --strategy Environment \
     --scopes .default
  3. Run one of these commands to set the email address and Graph Message ID, where <user_email> is the user email address and <message_id> is the Graph Message ID:

    Note: If you would like the output to include headers, body, and attachments, add /$value at the end of the Graph Message ID.

    ./mgc users messages get \
     --user-id '<user_email>' \
     --message-id '<message_id>'
    ./mgc users messages get \
     --user-id '<user_email>' \
     --message-id '<message_id>' /$value

Reports

The Reports page displays Secure Culture statistics as downloadable PDF reports.

These reports are available:

Section Description
Security Awareness Program Status A progress report that shows the completion of microlearning sessions and quizzes, the results of phishing simulations, and the completion of phishing remediation sessions.
Security Awareness Program Trends A report that shows trends in user performance.
High Risk Users A report that identifies users with a low level of engagement with the MA program and users who have performed poorly in quizzes and phishing simulations.
Phishing Simulations A detailed report of phishing simulation results and the completion of phishing remediation sessions.

Tip: See Secure Culture Dashboard for more information about available statistics.

View an MA session report

  1. In the MA Portal menu, click Reports.
  2. Click the required tab:
    • Security Awareness Program Status
    • Security Awareness Program Trends
    • High Risk Users

See View a compliance training course report for compliance report instructions.

Download an MA session report

  1. In the MA Portal menu, click Reports.

  2. Click the required tab:

    • Security Awareness Program Status
    • Security Awareness Program Trends
    • High Risk Users
  3. Click Download.

    A PDF file downloads to your device.

See Download a compliance training course report for compliance report instructions.

Administrator and User Status Reports

These User Status Reports are sent each month:

Content Library

The Content Library feature lets you assign supplemental training content to one or more groups of users.

Note: To access the Content Library feature, your organization must:

  • Have a valid Compliance Content Pack or MA+ license
  • Use Microsoft Entra ID for identity and access management

The Content Library contains different content depending on whether you have a Compliance Content Pack or MA+ license. If your organization has a:

Assign supplemental training to a user group

Note: User engagement and test outcomes for supplemental training assignments, including compliance training modules, are included in secure culture statistics and reports.

  1. In the MA Portal menu, click Content Library.

  2. Browse, search, or filter for a training module that covers the desired topic.

    Tips:

    • Click All Filters to view all filters that you can set. There are also filters for content types available, such as Awareness Session. To reset your filters, click Clear.
    • Check the description to see if the session or module includes multi-language support. See Managed Security Awareness for more information.
  3. Click Assign To Group.

  4. In the dialog, select the desired group.

  5. Review the list of group members to confirm your selection.

    Notes:

    • Verify that you have selected the correct group. Training assignments cannot be removed once they are assigned.
    • You cannot assign a module to a group without members. When integrated with AD, the MA Portal performs live queries of AD to retrieve users and user groups. To edit add or remove members, edit the group in AD.
  6. Click Assign <module> to <x> users.

    A confirmation message appears, and users within the selected group receive an email that grants them immediate access to the assigned module.

  7. Click x or Close to exit the dialog.

Compliance

Note: To access the Compliance information, your organization must have a valid Compliance Content Pack (CPP).

The Compliance page helps you to comply with standards like ISO 27001 or 27002 because it provides you with more visibility and control over your compliance training course information.

The page includes these tabs:

See View compliance training course information for more information.

View compliance training course information

Note: To access the Compliance information, your organization must have a valid CPP.

View a compliance training course report

Note: To access the Compliance information, your organization must have a valid CPP.

  1. In the MA Portal menu, click Compliance.
  2. Click the Compliance Report tab.

See View an MA session report for MA report instructions.

Manage incomplete compliance training course reminders

Note: To access the Compliance information, your organization must have a valid CPP.

You can adjust the frequency and the urgency language of emails that are sent to users when training courses are incomplete. You can configure the settings differently depending on how many incomplete training courses a user has. For example, if you have users with a high number of incomplete training courses, you can increase the frequency of email reminders to those users.

  1. In the MA Portal menu, click Compliance.

  2. Click the Compliance Incomplete Session Manager tab.

  3. For each applicable column, select the required Frequency of Email option:

    • Monthly (1st)
    • Bi-Monthly (1st, 15th)
    • Weekly (Monday)
    • Daily
  4. For each applicable column, select the required Urgency of Email from the list:

    • Low
    • Moderate
    • High

    Tip: Click the Low Urgency Email, Moderate Urgency Email, or High Urgency Email tab to preview the email that is sent depending on the Urgency of Email setting.

See Manage incomplete session reminders for instructions on managing incomplete session reminders.

Download a compliance training course report

Note: To access the Compliance information, your organization must have a valid CPP.

  1. In the MA Portal menu, click Compliance.

  2. Click the Compliance Report tab.

  3. Click Download.

    A PDF file downloads to your device.

See Download an MA session report for MA report instructions.

Download compliance training course history

Note: To access the Compliance information, your organization must have a valid CPP.

You can download a CSV file that includes the full compliance training course history for your users. The CSV file includes the first and last name of the user, email address, the date the compliance training was sent to the user, and the completion status.

  1. In the MA Portal menu, click Compliance.

  2. Click Download Full Compliance History.

    A CSV file downloads to your device.

Download a list of users with incomplete compliance training courses

Note: To access the Compliance information, your organization must have a valid CPP.

You can download a CSV file that includes a list of users that have incomplete compliance training courses. The CSV file includes the first and last name of the user, email address, the date the compliance training course was sent to the user, and the completion status.

  1. In the MA Portal menu, click Compliance.

  2. Next to List of Incomplete Users, click download.

    A CSV file downloads to your device.

Administrator Toolkit

The Administrator Toolkit is a reference and resource library that you can use as a guide to run your security awareness and training programs. Common items in the library include:

Some resources in the Administrator Toolkit are available in languages other than English.

Access the Administrator Toolkit

Preview and download resources

  1. In the MA Portal menu, click Settings > Administrator Toolkit.
  2. Do one of the these options:
    • To preview the file in your browser, click Preview.
    • To download the file to your computer, click Download.

Program Maturity

The Program Maturity tool provides MA administrators with a way to reflect on the maturity of their security awareness and training program. The tool is a self-assessment of four core areas of your MA program:

Advantages of the Program Maturity tool

Take the Program Maturity self-assessment

  1. In the MA Portal menu, click Settings > Program Maturity.

    A new browser tab or window opens.

  2. Click Start to begin the self-assessment.

  3. Answer each of the questions in the self-assessment.

    Note: You can click the directional arrows below a question to return to a previous question and change your answer.

  4. At the end of the self-assessment, a confirmation of completion message is displayed. Click Submit to finish the self-assessment and send the results to your email.

You can review the results by email and forward the results to others in your organization. For additional information on the self-assessment results, see Program Maturity self-assessment results.

Program Maturity self-assessment results

After completing the Program Maturity self-assessment, you receive detailed results to your email. The results include:

Program Maturity score matrix

The Program Maturity self-assessment results contain a detailed breakdown and definition of the scores:

Number Level Definition
1 Initial The program lacks consistency and needs focus.
2 Just Started The program has a minimum level of effort. Awareness processes are not understood or defined. Efforts are unplanned and occasional.
3 Defined The program is applying well-defined awareness processes and is consistently delivering each initiative.
4 Measured The program is consistently measuring key indicators. The primary focus is on establishing and enhancing multi-channel and multi-audience engagement, as well as the measurement of performance.
5 Optimal The program is actively managed. It is successfully engaging users across multiple mediums and measuring performance. It is self-organized, adaptive planning, sustainable, continual improvement, and automation for scalability and efficiency.

User Management tool

The User Management tool enables MA administrators to manage the AD integration, for example:

Access the User Management tool

  1. Sign in to the MA Portal using your Arctic Wolf credentials.

    For MSPs, search for the desired customer account, and then click View.

  2. Click Settings > User Management.

    The User Management tool opens.

See also