Managed Security Awareness Troubleshooting

Updated Feb 22, 2024

Troubleshoot Managed Security Awareness

After onboarding or the initiation of AD integration, errors might persist if a customer did not correctly enter their credentials when completing the procedure. This information provides solutions for common Managed Security Awareness (MA) errors.

Client secret missing or incorrect

This error displays: Have you entered a Client Secret ID? Please enter the Client Secret Value or recreate your Client Secret and enter the Value..

Note: When the error message populates, a warning dialog appears that reads: Please correct errors in form and try again. If errors persist, please submit a ticket in your Arctic Wolf Portal..

Possible causes:

Resolution:

  1. Verify that you entered the Client Secret value into the correct field.

  2. If the Client Secret value is in the correct field, but the error message remains:

    1. Sign in to the MA Portal.

    2. In the User Management tool, in the Client Secret field, delete the value.

    3. In the Azure Admin Portal, copy the Client Secret value.

      Tip: Click Copy to clipboard to avoid leading or trailing spaces.

    4. In the User Management tool, paste the client secret value in the Client Secret field.

    5. Verify that the remaining fields are configured, and then click Test Connection.

  3. If the same error message reappears, return to the Azure AD Tenant and delete the value that was created.

  4. Create a new Client Secret value and copy it.

  5. Return to User Management in the MA Portal, and enter the credentials and the Client Secret value.

  6. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

Insufficient privileges to complete operation

This error displays: Connection Failed: Insufficient Privileges to complete the operation. Ensure the AD API Permissions have been setup correctly. Please return to the AD API permissions created for Managed Awareness and review the following: Verify the AD API Permissions for both Directory.Read.All and User.Read.All are "Application" Permissions not "Delegated" Permissions. Ensure that you have selected "Grant Admin Consent" Please refer to the Configuration Guide..

Possible cause: The API permissions in your Microsoft Entra admin center (formerly Azure AD) were incorrectly configured during app registration.

Resolution:

  1. Sign in to the Azure Admin Portal.

  2. Click App Registrations, and then select the Arctic Wolf Managed Awareness registration.

  3. Remove the fields marked Not granted for Arctic Wolf.

  4. Click Add a permission, and then select Microsoft Graph.

  5. Click Application permissions.

    Note: Do not select Delegated permissions. This will not provide the API permissions required for MA setup and generates an Insufficient permissions error message.

  6. In the Select permissions field, search for and select these permissions:

    • Directory.Read.All
    • User.Read.All
  7. Click Add permissions.

    The Configured permissions screen lists the permissions that you added.

  8. On the Configured permissions screen, verify that:

    • User.Read is selected.

    • The Type is Delegated.

      Note: Do not change the default permission and do not remove the Type from the permissions.

  9. In the Status column beside each permission, if you see a message similar to Not granted for <company_name>, click Grant admin consent for <company_name>.

  10. Sign in to the MA Portal.

  11. In the User Management tool, enter your credentials.

  12. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

The Awareness Group ID and Groups fields are empty

In the Integration box of the User Management tool, the Awareness Group ID and Groups fields are empty.

Possible cause: There is no AD Group associated with your AD integration and no users can be synced. Select, query, and save the AD Group to complete the integration. You may have:

Resolution:

  1. Sign in to the MA Portal.

  2. Click Settings > User Management.

  3. Click Test Saved Connection.

  4. In the Groups list, click the AD Group.

  5. Click Query.

    The name of the AD Group and the number of participants who will be active users of the MA program populate.

  6. Click Save.

  7. Click Sync Now.

    Tip: To confirm that the sync was successful, go to Administration Dashboard > User Information, and then compare the active user count to the synced number of users in the User Management tool.

  8. If the sync is:

Invalid client secret value expiration date

This error displays: The Client Secret Value Expiration date must not have already occurred. Please enter the correct Client Secret Expiration Date.

Possible cause: The client secret expiration date is in the past.

Resolution: Check the Client Secret expiration date. If the date:

Invalid GUID value

This error displays: Value is not a valid GUID. Please enter a valid Application (Client) ID.

Note: When the error message populates, a warning dialog appears that reads: Please correct errors in form and try again. If errors persist, please submit a ticket in your Arctic Wolf Portal.

Possible cause: You have entered a GUID that is:

Resolution:

  1. Make sure you entered the Application (Client) ID into the correct field.

  2. If the application (client) ID value is in the correct field, but the error message remains:

    1. Sign in to the MA Portal.

    2. In the User Management tool, remove the Application (Client) ID.

    3. Click Azure Admin Portal > App Registrations, and then select the Arctic Wolf Managed Awareness registration.

    4. Copy the relevant GUID.

      Tip: Click Copy to clipboard to avoid leading or trailing spaces.

    5. In the User Management tool, paste the GUID into the Application (Client) ID field.

    6. Verify that the remaining fields are configured, and then click Test Connection.

  3. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

GUID unavailable

This error displays: Connection Failed: <GUID> not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen is there are no active subscriptions for the tenant. Trace ID: <ID>.

Possible cause: You have entered:

Resolution:

  1. Make sure you entered the application (client) ID value into the correct field.

  2. If the application (client) ID is in the correct field, but the error message remains:

    1. Sign in to the MA Portal.

    2. In the User Management tool, clear the Application (Client) ID field.

    3. In the Azure Admin Portal, copy the application (client) ID value.

      Tip: Click Copy to clipboard to avoid leading or trailing spaces.

    4. In the User Management tool, paste application (client) ID value in the Application (Client) ID field.

    5. Verify that the remaining fields are configured, and then click Test Connection.

  3. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

Client secret value expired

This error displays: The Client Secret for your Managed Awareness Program has expired. Please refer to the Managed Awareness Configuration Guide to follow the steps for creating a new Client Secret, copy the Client Secret VALUE and re-enter the new Secret VALUE with your credentials to reinstate your AD Group Sync with Managed Awareness..

Possible cause: The Client Secret value for your AD integrated app registration has expired.

Resolution: Create a new Client Secret value with a valid expiration date:

  1. Sign in to the MS 365 Admin Center (formerly Azure Admin Portal).

  2. In the navigation menu, in the Identity section, click Applications > App registrations.

  3. Select the Arctic Wolf Managed Awareness registration.

    One of these messages will appear:

    • A certificate or secret is expiring soon. Create a new one →
    • A certificate or secret has expired. Create a new one →
  4. Click Create a new one →.

  5. On the Client secrets tab, click + New client secret.

    Note: Do not remove the expired client secret at this time.

    The Add a client secret pane opens.

  6. In the Description field, enter a description for the Client Secret value. For example, Arctic Wolf Secret.

  7. In the Expires list, select 730 days (24 months).

    Note: Arctic Wolf recommends that you select 730 days (24 months), but your organization might require a different expiration date. Select the expiration date that your organization recommends.

  8. Click Add.

  9. In the Client secrets tab, verify that the new client secret appears.

  10. For the new client secret, copy the Value value, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

    Tip: Click Copy to clipboard to avoid leading or trailing spaces.

    Note: You must copy the client secret Value immediately after creation. The Value is not accessible after you leave this page.

  11. For the expired client secret, click .

  12. In the confirmation dialog, click Yes.

  13. In a new browser tab, open the MA Portal.

  14. Click > User Management.

  15. On the Saved Credentials page, click Reset Integration.

  16. In the confirmation dialog, click Yes.

  17. On the New Integration page, configure these settings:

    • Integration Type — Select an integration type.

      Tip: The integration type is based on the error you received. For example, Entra ID, Google Workspace, or CSV.

    • Integration Nickname — Enter the description you used in the Azure Admin Portal. For example, Arctic Wolf Secret.

    • Application ID — Paste your Application ID. To find this value, go to the MS 365 Admin Center (formerly Azure Admin Portal), and then, on the App Registration page, click for the Application (client) ID.

    • Directory ID — Paste your Directory ID. To find this value, go to the MS 365 Admin Center (formerly Azure Admin Portal), and then, on the App Registration page, click for the Directory (tenant) ID.

    • Client Secret Value — Paste your client secret Value.

    • Client Secret Value Expiration Date — Enter the expiration date that you selected for the client secret in the Azure Admin Portal.

  18. Click Test Connection to make sure the permissions and criteria for the configuration are correct.

  19. In the confirmation dialog, click Acknowledge.

  20. Click Save Credentials.

  21. In the User Management tool, make sure the desired AD Group is selected and synchronized.

  22. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

Error: 500 error

Note: Error code seen in the User Management tool in the MA Portal.

Possible cause: The synchronization was not completed in the User Management tool in the MA Portal.

Resolution: Synchronize your Azure Active Directory credentials again. See Manage users with Azure or Microsoft 365 Active Directory for more information. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

Error: 0 users are populating

Possible cause: If you have completed the integration and there are no users in the MA Portal after the synchronization runs, it is likely that you configured “nested groups.” At this time, Arctic Wolf does not support nested groups.

Resolution: Add users individually to the AD group. If the error persists, submit a ticket in the Arctic Wolf Unified Portal for assistance.

False-positive phishing simulation clicks or alerts

Possible cause: If you are using Microsoft Defender for your Office 365 mail environment and experience false clicks, link processing rules in Defender for Office 365 are causing issues.

Note: If you are unsure whether you use Microsoft Defender, see Microsoft Feature Matrix for more information.

Resolution: Set up additional mail flow rules that allow you to bypass safe links:

  1. In the Microsoft Defender menu, click Policies & Rules > Threat policies.

  2. In the Policies section, find the Safe Links subsection.

    If you see text that indicates Safe Links is a premium-only feature or otherwise not available, you have the Microsoft Defender Office 365 Plan 1.

    Based on your Microsoft Defender Office 365 plan, allowlist the MA IP address using one or both of these actions:

    Note: If you use both plans, configure your allowlist for both plans.

Allowlist the MA IP address for Microsoft Defender Office 365 Plan 1

  1. Open Microsoft Exchange or Office Admin Center.

  2. Click Mail Flow > Rules.

  3. Click + Add a rule > Create a new rule.

  4. In the Set rule conditions pane, configure these settings:

    • Name — Enter a name for this rule. For example, Bypass Arctic Wolf MA URL.

    • Apply this rule if — Select The Sender, and then select IP address is in any of these ranges or exactly matches in the list that appears. When the specify IP address ranges pane opens, enter the MA IP address, and then click Add.

      Note: If you are not able to add an IP address, complete these steps:

      1. In the Apply this rule if list, select A message header.
      2. In the new list that appears, select includes any of these words.
      3. In the message header field, enter the MA header value. This value can be found in the same area of the MDR Dashboard where the MA IP address is located.
    • Do the following — Complete these steps:

      1. Select Modify the message properties.
      2. Select set a message header in the list that appears.
      3. Click the first Enter text link.
      4. In the message header pane, enter X-MS-Exchange-Organization-SkipSafeLinksProcessing.
      5. Click Save.
      6. Click the second Enter text link.
      7. In the message header pane, enter 1.
      8. Click Save.
    • Except if — Keep this field empty.

    Your settings should look similar to this:

    Completed settings for bypassing the Arctic Wolf MA URL

  5. Click Next.

  6. Keep the default rule settings.

  7. Click Next.

  8. Click Finish.

  9. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

  10. In the MA Portal menu, click Administration Dashboard.

  11. Click the User Information tab.

  12. In the Search field, enter the name of an MA administrator, and then press Enter.

  13. Find the user in the list, and then click Assign Session.

  14. On the Assign Session page, in the Search field, enter Phishing simulation.

  15. In the list of search results, select a phishing simulation to use for testing, and then click Assign.

    Tip: For this test, Arctic Wolf recommends assigning the Customer Complaint or Commonwealth Games Viewing Parties phishing simulation.

  16. Make sure the test MA phishing simulation email is in your inbox. If the email is:

    • In your inbox — Your settings are correct. Continue with the next procedure.

      Tip: In the Phishing Simulation section, if the Secure Culture Dashboard percentage is 0%, you can also use this to verify that there are no false positives.

    • Not in your inbox — Create a ticket in the Arctic Wolf Unified Portal for assistance.

Allowlist the MA IP address for Microsoft Defender Office 365 Plan 2

  1. Sign in to Microsoft 365 Defender or to the Microsoft 365 Admin Center.

  2. Click Security Admin Center.

  3. Click Email & Collaboration > Policies & Rules > Threat Policies > Safe Links.

  4. Click + Create.

    Note: If you have an existing custom Safe Links policy, you can edit that instead. Select the policy, and then click Edit in each section to modify the settings as appropriate.

  5. In the Name field, enter a name for the policy. Arctic Wolf recommends an easily identifiable name. For example, AW MSA Safe Links Policy.

  6. Click Next.

  7. On the Users and domains page, enter the users, groups, and domains that you want the policy to apply to.

  8. Click Next.

  9. On the URL & click protection settings page, for On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default, select On.

  10. For the Do not rewrite the following URLs in email setting, click Manage <number> URLs, where <number> is the number of URLs that are not rewritten.

  11. In the Manage URLs to not rewrite menu, click + Add URLs.

  12. Click Simulation URLS to allow.

  13. In the Simulation URLs to allow field, complete these steps:

    1. Enter *.arcticwolf.com/*, and then press Enter.

    2. Based on the language that you want the phishing simulations to be sent in, enter one or more of these domain lists, and press Enter after each entry:

      Note: The Simulation URLs to allow field must include the same domains entered in the Domains field to make sure that the simulations send.

      • English:
        • automated-mailsender.com/*
        • mail-donotreply.com/*
        • humanresources-mailer.com/*
        • internal-humanresources.com/*
        • helpdesk-itsupport.com/*
        • internalcorporate-mailer.com/*
        • securityalert-corporate.com/*
        • corporate-alert.com/*
      • Deutsch:
        • mitarbeiter-helpdesk.de/*
        • unternehmenssicherheit-alarm.de/*
        • itsupport-mitarbeiter.de/*
        • admin-hinweis.de/*
  14. Click Save.

  15. In the Click protection settings section:

    1. Make sure the Track user clicks checkbox is selected.
    2. Select the Let users click through to the original URL checkbox.
  16. Click Save.

  17. Keep the remaining default settings, and then click Next.

  18. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

  19. In the MA Portal menu, click Administration Dashboard.

  20. Click the User Information tab.

  21. In the Search field, enter the name of an MA administrator, and then press Enter.

  22. Find the user in the list, and then click Assign Session.

  23. On the Assign Session page, in the Search field, enter Phishing simulation.

  24. In the list of search results, select a phishing simulation to use for testing, and then click Assign.

    Tip: For this test, Arctic Wolf recommends assigning the Customer Complaint or Commonwealth Games Viewing Parties phishing simulation.

  25. Make sure the test MA phishing simulation email is in your inbox. If the email is:

    • In your inbox — Your settings are correct. Continue with the next procedure.

      Tip: In the Phishing Simulation section, if the Secure Culture Dashboard percentage is 0%, you can also use this to verify that there are no false positives.

    • Not in your inbox — Create a ticket in the Arctic Wolf Unified Portal for assistance.

    See Microsoft's documentation Safe Links in Microsoft Defender for Office 365 for more information on setting up Safe Links policies.

Unable to submit a JSON file

This error displays when submitting a JSON file: If the error persists, please submit a request in the Arctic Wolf Portal..

Possible cause: The JSON file may be invalid, or there may be another issue with the Google Workspace service account creation and necessary permissions.

Resolution:

  1. Check your JSON syntax for errors.
  2. Review the steps from Enroll users in MA with Google Workspace.
  3. If the error persists, submit a request in the Arctic Wolf Unified Portal.

Your file contains formatting errors

This error displays: The file contains (<number>) formatting errors. Please fix the errors to continue..

Possible cause: The CSV file contains empty cells or missing fields.

Resolution:

  1. Click X to close the error message.
  2. Review the CSV file for empty cells or fields. For example, a missing email address is missing.
  3. Fix any errors, and then save the CSV file.
  4. Refresh your MA portal browser tab.
  5. Upload the CSV file to the MA portal.
  6. Click Submit.
  7. If the error persist, contact your CST at security@arcticwolf.com.

CSV file contains invalid email addresses

This error displays: The file contains (<number>) invalid email addresses. Please fix the errors to continue..

Possible cause: The CSV file contains an incomplete email address.

Resolution:

  1. Click X to close the error message.
  2. Review the CSV file for incomplete email addresses. For example, an addressing missing an @ symbol.
  3. Fix any errors, and then save the CSV file.
  4. Refresh your MA portal browser tab.
  5. Upload the CSV file to the MA portal.
  6. Click Submit.
  7. If the error persist, contact your CST at security@arcticwolf.com.

CSV file contains duplicate email addresses

This error displays: The file contains (<number>) duplicate email addresses. Please fix the errors to continue.

Possible cause: The CSV file contains a duplicate email address.

Resolution:

  1. Click X to close the error message.
  2. Review the CSV file for duplicate email addresses.
  3. Fix any errors, and then save the CSV file.
  4. Refresh your MA portal browser tab.
  5. Upload the CSV file to the MA portal.
  6. Click Submit.
  7. If the error persist, contact your CST at security@arcticwolf.com.

CSV file contains formatting errors

This error displays: The file contains (<number>) formatting errors. The file contains (<number>) invalid email addresses. The file contains (<number>) duplicate email addresses. Please fix the errors to continue.

Possible cause: The CSV file contains multiple errors.

Resolution:

  1. Click X to close the error message.

  2. Review the CSV file for:

    • Empty cells
    • Missing fields. For example, user last name
    • Incomplete email addresses
    • Duplicate email addresses
  3. Fix any errors, and then save the CSV file.

  4. Refresh your MA portal browser tab.

  5. Upload the CSV file to the MA portal.

  6. Click Submit.

  7. If the error persist, contact your CST at security@arcticwolf.com.