From c0a002f5820389528d36d1ffe55b32e2eb1288ea Mon Sep 17 00:00:00 2001 
From: Paul Shmakov Date: Mon, 20 Apr 2026 02:48:47 +0100 Subject: [PATCH 01/22] feat(activitymonitor): add v10.0 documentation baseline Copies 9.0 content into 10.0, updates all internal doc links to point to 10.0, adds 10.0 to products.js and kb_allowlist.json, and creates the sidebar config. Generated with AI Co-Authored-By: Claude Code --- .../10.0/admin/_category_.json | 10 + .../10.0/admin/agents/_category_.json | 10 + .../10.0/admin/agents/activedirectory.md | 108 + .../10.0/admin/agents/linux.md | 138 ++ .../10.0/admin/agents/multiple.md | 144 ++ .../10.0/admin/agents/overview.md | 72 + .../admin/agents/properties/_category_.json | 10 + .../agents/properties/activedirectory.md | 83 + .../agents/properties/additionalproperties.md | 87 + .../10.0/admin/agents/properties/adusers.md | 35 + .../10.0/admin/agents/properties/apiserver.md | 66 + .../10.0/admin/agents/properties/archiving.md | 53 + .../admin/agents/properties/certificate.md | 157 ++ .../admin/agents/properties/connection.md | 119 + .../admin/agents/properties/dellceeoptions.md | 244 +++ .../10.0/admin/agents/properties/diskquota.md | 22 + .../10.0/admin/agents/properties/dns.md | 48 + .../agents/properties/inactivityalerts.md | 130 ++ .../10.0/admin/agents/properties/linux.md | 17 + .../agents/properties/netappfpolicyoptions.md | 35 + .../10.0/admin/agents/properties/network.md | 20 + .../admin/agents/properties/networkproxy.md | 32 + .../10.0/admin/agents/properties/nutanix.md | 28 + .../10.0/admin/agents/properties/overview.md | 33 + .../10.0/admin/agents/properties/panzura.md | 30 + .../10.0/admin/agents/properties/qumulo.md | 23 + .../10.0/admin/agents/single.md | 72 + .../admin/monitoreddomains/_category_.json | 10 + .../admonitoringconfiguration/_category_.json | 10 + .../authentication.md | 190 ++ .../admonitoringconfiguration/changes.md | 200 ++ .../globalfilters.md | 148 ++ .../ldapmonitor/_category_.json | 10 + .../ldapmonitor/ldapmonitor.md | 124 ++ .../ldapmonitor/ldapthreatmanager.md | 
33 + .../lsassguardian.md | 101 + .../admonitoringconfiguration/overview.md | 23 + .../admonitoringconfiguration/replication.md | 89 + .../monitoreddomains/output/_category_.json | 10 + .../output/activedirectoryjson.md | 61 + .../admin/monitoreddomains/output/output.md | 89 + .../10.0/admin/monitoreddomains/overview.md | 82 + .../10.0/admin/monitoredhosts/_category_.json | 10 + .../admin/monitoredhosts/add/_category_.json | 10 + .../admin/monitoredhosts/add/azurefiles.md | 35 + .../monitoredhosts/add/dellcelerravnx.md | 229 ++ .../monitoredhosts/add/dellpowerscale.md | 273 +++ .../monitoredhosts/add/dellpowerstore.md | 197 ++ .../admin/monitoredhosts/add/dellunity.md | 229 ++ .../10.0/admin/monitoredhosts/add/entraid.md | 162 ++ .../monitoredhosts/add/exchangeonline.md | 143 ++ .../10.0/admin/monitoredhosts/add/hitachi.md | 167 ++ .../10.0/admin/monitoredhosts/add/nasuni.md | 207 ++ .../10.0/admin/monitoredhosts/add/netapp.md | 345 +++ .../10.0/admin/monitoredhosts/add/nutanix.md | 204 ++ .../10.0/admin/monitoredhosts/add/overview.md | 34 + .../10.0/admin/monitoredhosts/add/panzura.md | 203 ++ .../10.0/admin/monitoredhosts/add/qumulo.md | 167 ++ .../admin/monitoredhosts/add/sharepoint.md | 162 ++ .../monitoredhosts/add/sharepointonline.md | 179 ++ .../admin/monitoredhosts/add/sqlserver.md | 172 ++ .../10.0/admin/monitoredhosts/add/windows.md | 202 ++ .../monitoredhosts/output/_category_.json | 10 + .../admin/monitoredhosts/output/filetsv.md | 46 + .../admin/monitoredhosts/output/linuxtsv.md | 33 + .../admin/monitoredhosts/output/output.md | 54 + .../monitoredhosts/output/sharepointjson.md | 54 + .../output/sharepointonlinejson.md | 97 + .../monitoredhosts/output/sharepointtsv.md | 38 + .../monitoredhosts/output/sqlservertsv.md | 166 ++ .../10.0/admin/monitoredhosts/overview.md | 155 ++ .../monitoredhosts/properties/_category_.json | 10 + .../monitoredhosts/properties/auditing.md | 29 + .../monitoredhosts/properties/connection.md | 28 + 
.../admin/monitoredhosts/properties/dell.md | 16 + .../monitoredhosts/properties/fpolicy.md | 73 + .../monitoredhosts/properties/hitachinas.md | 17 + .../properties/inactivityalerts.md | 61 + .../monitoredhosts/properties/logontrigger.md | 16 + .../monitoredhosts/properties/mssqlserver.md | 27 + .../admin/monitoredhosts/properties/nasuni.md | 38 + .../admin/monitoredhosts/properties/netapp.md | 32 + .../monitoredhosts/properties/nutanix.md | 43 + .../monitoredhosts/properties/overview.md | 34 + .../monitoredhosts/properties/panzura.md | 38 + .../admin/monitoredhosts/properties/qumulo.md | 36 + .../monitoredhosts/properties/sharepoint.md | 32 + .../monitoredhosts/properties/tweakoptions.md | 12 + .../monitoredhosts/properties/unixids.md | 30 + .../monitoredhosts/properties/windows.md | 14 + .../10.0/admin/outputs/_category_.json | 10 + .../outputs/accountexclusions/_category_.json | 10 + .../accountexclusions/accountexclusions.md | 182 ++ .../specifysharepointaccount.md | 23 + .../accountexclusions/specifysqluser.md | 15 + .../accountexclusions/specifyunixaccount.md | 15 + .../specifywindowsaccount.md | 29 + .../admin/outputs/additionalproperties.md | 38 + .../outputs/gidexclusions/_category_.json | 10 + .../admin/outputs/gidexclusions/addeditgid.md | 14 + .../outputs/gidexclusions/gidexclusions.md | 35 + .../10.0/admin/outputs/logfiles.md | 261 +++ .../10.0/admin/outputs/objects.md | 21 + .../admin/outputs/operations/_category_.json | 10 + .../admin/outputs/operations/operations.md | 344 +++ .../10.0/admin/outputs/operations/suppress.md | 72 + .../10.0/admin/outputs/overview.md | 121 ++ .../outputs/pathfiltering/_category_.json | 10 + .../outputs/pathfiltering/addeditpath.md | 36 + .../outputs/pathfiltering/pathfiltering.md | 180 ++ .../outputs/processexclusions/_category_.json | 10 + .../processexclusions/addeditprocess.md | 20 + .../processexclusions/processexclusions.md | 40 + .../10.0/admin/outputs/protocols.md | 23 + 
.../10.0/admin/outputs/syslog/_category_.json | 10 + .../admin/outputs/syslog/messagetemplate.md | 209 ++ .../10.0/admin/outputs/syslog/syslog.md | 203 ++ .../10.0/admin/outputs/threatmanager.md | 39 + docs/activitymonitor/10.0/admin/overview.md | 36 + .../10.0/admin/search/_category_.json | 10 + .../search/activedirectory/_category_.json | 10 + .../search/activedirectory/activedirectory.md | 139 ++ .../activedirectory/activedirectory_1.md | 58 + .../10.0/admin/search/entraid/_category_.json | 10 + .../10.0/admin/search/entraid/entraid.md | 136 ++ .../10.0/admin/search/entraid/entraid_1.md | 52 + .../search/exchangeonline/_category_.json | 10 + .../search/exchangeonline/exchangeonline.md | 105 + .../search/exchangeonline/exchangeonline_1.md | 33 + .../10.0/admin/search/file/_category_.json | 10 + .../10.0/admin/search/file/file.md | 73 + .../10.0/admin/search/file/file_1.md | 78 + .../10.0/admin/search/linux/_category_.json | 10 + .../10.0/admin/search/linux/linux.md | 66 + .../10.0/admin/search/linux/linux_1.md | 43 + .../10.0/admin/search/overview.md | 99 + .../admin/search/sharepoint/_category_.json | 10 + .../admin/search/sharepoint/sharepoint.md | 162 ++ .../admin/search/sharepoint/sharepoint_1.md | 34 + .../search/sharepointonline/_category_.json | 10 + .../sharepointonline/sharepointonline.md | 148 ++ .../sharepointonline/sharepointonline_1.md | 49 + .../admin/search/sqlserver/_category_.json | 10 + .../10.0/admin/search/sqlserver/sqlserver.md | 88 + .../admin/search/sqlserver/sqlserver_1.md | 34 + docs/activitymonitor/10.0/gettingstarted.md | 57 + docs/activitymonitor/10.0/index.md | 15 + .../10.0/install/_category_.json | 10 + .../10.0/install/agents/_category_.json | 10 + .../10.0/install/agents/agents.md | 81 + .../10.0/install/agents/manual.md | 169 ++ .../10.0/install/agents/manualad.md | 166 ++ .../10.0/install/agents/manuallinux.md | 128 ++ .../10.0/install/application.md | 48 + .../10.0/install/importlicensekey.md | 48 + 
docs/activitymonitor/10.0/install/overview.md | 30 + .../10.0/install/upgrade/_category_.json | 10 + .../10.0/install/upgrade/removeagent.md | 18 + .../install/upgrade/updateadagentinstaller.md | 41 + .../10.0/install/upgrade/upgrade.md | 49 + .../10.0/requirements/_category_.json | 10 + .../activityagent/_category_.json | 10 + .../activityagent/activityagent.md | 233 ++ .../activityagent/activityagentports.md | 224 ++ .../activityagent/entraid-activity.md | 225 ++ .../activityagent/exchange-activity.md | 287 +++ .../nas-device-configuration/_category_.json | 6 + .../azure-files/_category_.json | 10 + .../azure-files/azurefiles-activity.md | 207 ++ .../celerra-vnx-aac/_category_.json | 10 + .../celerra-vnx-aac/celerra-vnx-activity.md | 63 + .../celerra-vnx-aac/installcee.md | 207 ++ .../celerra-vnx-aac/validate.md | 159 ++ .../ctera-activity.md | 189 ++ .../hitachi-aac/_category_.json | 10 + .../hitachi-aac/configureaccesstologs.md | 30 + .../hitachi-aac/configurelogs.md | 39 + .../hitachi-aac/hitachi-activity.md | 64 + .../isilon-powerscale-aac/_category_.json | 10 + .../isilon-powerscale-aac/installcee.md | 82 + .../isilon-powerscale-aac/isilon-activity.md | 114 + .../manualconfiguration.md | 90 + .../isilon-powerscale-aac/validate.md | 190 ++ .../nasuni-activity.md | 80 + .../nutanix-activity.md | 43 + .../ontap-cluster-aac/_category_.json | 10 + .../ontap-cluster-aac/configurefirewall.md | 191 ++ .../ontap-cluster-aac/configurefpolicy.md | 937 ++++++++ .../ontap-cluster-activity.md | 229 ++ .../ontap-cluster-aac/provisionactivity.md | 397 ++++ .../ontap7-aac/_category_.json | 10 + .../ontap7-aac/configurefpolicy.md | 177 ++ .../ontap7-aac/customizefpolicy.md | 10 + .../ontap7-aac/enablehttp.md | 35 + .../ontap7-aac/ontap7-activity.md | 108 + .../ontap7-aac/provisionactivity.md | 105 + .../panzura-activity.md | 123 ++ .../powerstore-aac/_category_.json | 10 + .../powerstore-aac/auditing.md | 124 ++ .../powerstore-aac/installcee.md | 78 + 
.../powerstore-aac/powerstore-activity.md | 77 + .../qumulo-activity.md | 57 + .../unity-aac/_category_.json | 10 + .../unity-aac/installcee.md | 81 + .../unity-aac/setupunisphere.md | 33 + .../unity-aac/unity-activity.md | 79 + .../unity-aac/validate.md | 159 ++ .../sharepoint-online-activity.md | 264 +++ .../sharepoint-onprem-activity.md | 50 + .../activityagent/sqlserver-activity.md | 77 + .../activityagent/windowsfs-activity.md | 55 + .../10.0/requirements/adagent/_category_.json | 10 + .../adagent/activity/_category_.json | 10 + .../requirements/adagent/activity/activity.md | 274 +++ .../adagent/activity/filearchive.md | 171 ++ .../10.0/requirements/adagent/adagent.md | 125 ++ .../requirements/adagent/threatprevention.md | 53 + .../10.0/requirements/linuxagent.md | 76 + .../10.0/requirements/overview.md | 78 + .../10.0/restapi/_category_.json | 10 + docs/activitymonitor/10.0/restapi/overview.md | 29 + .../10.0/restapi/resources/_category_.json | 10 + .../10.0/restapi/resources/agent.md | 262 +++ .../10.0/restapi/resources/domain.md | 99 + .../10.0/restapi/resources/host.md | 481 +++++ .../10.0/restapi/resources/output.md | 462 ++++ .../10.0/restapi/resources/resources.md | 1918 +++++++++++++++++ docs/activitymonitor/10.0/restapi/security.md | 84 + .../activitymonitor/10.0/siem/_category_.json | 10 + docs/activitymonitor/10.0/siem/overview.md | 22 + .../10.0/siem/qradar/_category_.json | 10 + .../10.0/siem/qradar/app/_category_.json | 10 + .../10.0/siem/qradar/app/about.md | 13 + .../10.0/siem/qradar/app/app.md | 44 + .../10.0/siem/qradar/app/deletions.md | 25 + .../10.0/siem/qradar/app/home.md | 36 + .../10.0/siem/qradar/app/hostinvestigation.md | 40 + .../10.0/siem/qradar/app/permissionchanges.md | 28 + .../10.0/siem/qradar/app/ransomware.md | 37 + .../10.0/siem/qradar/app/userinvestigation.md | 36 + .../10.0/siem/qradar/offenses.md | 19 + .../10.0/siem/qradar/overview.md | 84 + .../10.0/siem/qradar/settings.md | 15 + .../10.0/siem/splunk/_category_.json | 10 
+ .../10.0/siem/splunk/app/_category_.json | 10 + .../10.0/siem/splunk/app/app.md | 18 + .../10.0/siem/splunk/app/deletions.md | 20 + .../10.0/siem/splunk/app/overview.md | 25 + .../10.0/siem/splunk/app/permissionchanges.md | 20 + .../10.0/siem/splunk/app/ransomware.md | 21 + .../10.0/siem/splunk/overview.md | 87 + .../10.0/troubleshooting/_category_.json | 10 + .../troubleshooting/antivirusexclusions.md | 75 + .../backuprestore/_category_.json | 10 + .../backuprestore/agentbackup.md | 59 + .../backuprestore/agentrestore.md | 37 + .../backuprestore/consolebackup.md | 25 + .../backuprestore/consolerestore.md | 19 + .../troubleshooting/backuprestore/overview.md | 26 + .../troubleshooting/credentialpasswords.md | 84 + .../10.0/troubleshooting/overview.md | 16 + .../troubleshooting/performancemonitoring.md | 346 +++ .../10.0/troubleshooting/tracelogs.md | 45 + kb_allowlist.json | 1 + sidebars/activitymonitor/10.0.js | 8 + src/config/products.js | 10 +- 266 files changed, 23607 insertions(+), 2 deletions(-) create mode 100644 docs/activitymonitor/10.0/admin/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/agents/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/agents/activedirectory.md create mode 100644 docs/activitymonitor/10.0/admin/agents/linux.md create mode 100644 docs/activitymonitor/10.0/admin/agents/multiple.md create mode 100644 docs/activitymonitor/10.0/admin/agents/overview.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/activedirectory.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/additionalproperties.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/adusers.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/apiserver.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/archiving.md create mode 100644 
docs/activitymonitor/10.0/admin/agents/properties/certificate.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/connection.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/diskquota.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/dns.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/inactivityalerts.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/linux.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/netappfpolicyoptions.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/network.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/networkproxy.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/nutanix.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/overview.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/panzura.md create mode 100644 docs/activitymonitor/10.0/admin/agents/properties/qumulo.md create mode 100644 docs/activitymonitor/10.0/admin/agents/single.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/changes.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md create mode 100644 
docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/overview.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/replication.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/output/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/output/activedirectoryjson.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md create mode 100644 docs/activitymonitor/10.0/admin/monitoreddomains/overview.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerstore.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/dellunity.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/entraid.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/hitachi.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/nasuni.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/nutanix.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md create mode 100644 
docs/activitymonitor/10.0/admin/monitoredhosts/add/panzura.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/qumulo.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepoint.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepointonline.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/sqlserver.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/windows.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/filetsv.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/linuxtsv.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointjson.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointonlinejson.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointtsv.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/output/sqlservertsv.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/overview.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/logontrigger.md create 
mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/mssqlserver.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/nasuni.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/netapp.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/panzura.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/qumulo.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/sharepoint.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/tweakoptions.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/windows.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/accountexclusions/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysharepointaccount.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysqluser.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/additionalproperties.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/gidexclusions/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/gidexclusions/addeditgid.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/gidexclusions/gidexclusions.md create mode 
100644 docs/activitymonitor/10.0/admin/outputs/logfiles.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/objects.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/operations/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/operations/operations.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/operations/suppress.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/overview.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/pathfiltering/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/processexclusions/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/processexclusions/addeditprocess.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/processexclusions/processexclusions.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/protocols.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/syslog/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md create mode 100644 docs/activitymonitor/10.0/admin/outputs/threatmanager.md create mode 100644 docs/activitymonitor/10.0/admin/overview.md create mode 100644 docs/activitymonitor/10.0/admin/search/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/activedirectory/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory.md create mode 100644 docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/entraid/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/entraid/entraid.md create mode 100644 
docs/activitymonitor/10.0/admin/search/entraid/entraid_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/exchangeonline/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline.md create mode 100644 docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/file/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/file/file.md create mode 100644 docs/activitymonitor/10.0/admin/search/file/file_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/linux/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/linux/linux.md create mode 100644 docs/activitymonitor/10.0/admin/search/linux/linux_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/overview.md create mode 100644 docs/activitymonitor/10.0/admin/search/sharepoint/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint.md create mode 100644 docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/sharepointonline/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline.md create mode 100644 docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline_1.md create mode 100644 docs/activitymonitor/10.0/admin/search/sqlserver/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver.md create mode 100644 docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver_1.md create mode 100644 docs/activitymonitor/10.0/gettingstarted.md create mode 100644 docs/activitymonitor/10.0/index.md create mode 100644 docs/activitymonitor/10.0/install/_category_.json create mode 100644 docs/activitymonitor/10.0/install/agents/_category_.json create mode 100644 docs/activitymonitor/10.0/install/agents/agents.md create mode 100644 
docs/activitymonitor/10.0/install/agents/manual.md create mode 100644 docs/activitymonitor/10.0/install/agents/manualad.md create mode 100644 docs/activitymonitor/10.0/install/agents/manuallinux.md create mode 100644 docs/activitymonitor/10.0/install/application.md create mode 100644 docs/activitymonitor/10.0/install/importlicensekey.md create mode 100644 docs/activitymonitor/10.0/install/overview.md create mode 100644 docs/activitymonitor/10.0/install/upgrade/_category_.json create mode 100644 docs/activitymonitor/10.0/install/upgrade/removeagent.md create mode 100644 docs/activitymonitor/10.0/install/upgrade/updateadagentinstaller.md create mode 100644 docs/activitymonitor/10.0/install/upgrade/upgrade.md create mode 100644 docs/activitymonitor/10.0/requirements/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/activityagent.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/entraid-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/exchange-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md create mode 100644 
docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json create mode 100644 
docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/panzura-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md create mode 100644 
docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/sharepoint-onprem-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/windowsfs-activity.md create mode 100644 docs/activitymonitor/10.0/requirements/adagent/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/adagent/activity/_category_.json create mode 100644 docs/activitymonitor/10.0/requirements/adagent/activity/activity.md create mode 100644 docs/activitymonitor/10.0/requirements/adagent/activity/filearchive.md create mode 100644 docs/activitymonitor/10.0/requirements/adagent/adagent.md create mode 100644 docs/activitymonitor/10.0/requirements/adagent/threatprevention.md create mode 100644 docs/activitymonitor/10.0/requirements/linuxagent.md create mode 100644 docs/activitymonitor/10.0/requirements/overview.md create mode 100644 docs/activitymonitor/10.0/restapi/_category_.json create mode 100644 docs/activitymonitor/10.0/restapi/overview.md create mode 100644 docs/activitymonitor/10.0/restapi/resources/_category_.json create mode 100644 
docs/activitymonitor/10.0/restapi/resources/agent.md create mode 100644 docs/activitymonitor/10.0/restapi/resources/domain.md create mode 100644 docs/activitymonitor/10.0/restapi/resources/host.md create mode 100644 docs/activitymonitor/10.0/restapi/resources/output.md create mode 100644 docs/activitymonitor/10.0/restapi/resources/resources.md create mode 100644 docs/activitymonitor/10.0/restapi/security.md create mode 100644 docs/activitymonitor/10.0/siem/_category_.json create mode 100644 docs/activitymonitor/10.0/siem/overview.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/_category_.json create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/_category_.json create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/about.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/app.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/deletions.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/home.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/hostinvestigation.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/permissionchanges.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/ransomware.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/app/userinvestigation.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/offenses.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/overview.md create mode 100644 docs/activitymonitor/10.0/siem/qradar/settings.md create mode 100644 docs/activitymonitor/10.0/siem/splunk/_category_.json create mode 100644 docs/activitymonitor/10.0/siem/splunk/app/_category_.json create mode 100644 docs/activitymonitor/10.0/siem/splunk/app/app.md create mode 100644 docs/activitymonitor/10.0/siem/splunk/app/deletions.md create mode 100644 docs/activitymonitor/10.0/siem/splunk/app/overview.md create mode 100644 docs/activitymonitor/10.0/siem/splunk/app/permissionchanges.md create mode 100644 
docs/activitymonitor/10.0/siem/splunk/app/ransomware.md
 create mode 100644 docs/activitymonitor/10.0/siem/splunk/overview.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/_category_.json
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/antivirusexclusions.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/backuprestore/_category_.json
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/backuprestore/agentbackup.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/backuprestore/agentrestore.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/backuprestore/consolebackup.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/backuprestore/consolerestore.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/backuprestore/overview.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/credentialpasswords.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/overview.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/performancemonitoring.md
 create mode 100644 docs/activitymonitor/10.0/troubleshooting/tracelogs.md
 create mode 100644 sidebars/activitymonitor/10.0.js
diff --git a/docs/activitymonitor/10.0/admin/_category_.json b/docs/activitymonitor/10.0/admin/_category_.json
new file mode 100644
index 0000000000..51435b6e32
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Administration",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/agents/_category_.json b/docs/activitymonitor/10.0/admin/agents/_category_.json
new file mode 100644
index 0000000000..a219cfb8d3
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Agents Tab",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/agents/activedirectory.md b/docs/activitymonitor/10.0/admin/agents/activedirectory.md
new file mode 100644
index 0000000000..08f7ef01f1
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/activedirectory.md
@@ -0,0 +1,108 @@ +--- +title: "Active Directory Agent Deployment" +description: "Active Directory Agent Deployment" +sidebar_position: 40 +--- + +# Active Directory Agent Deployment + +Before deploying the Active Directory (AD) agent, ensure all +[AD Agent Server Requirements](/docs/activitymonitor/10.0/requirements/adagent/adagent.md) have been met. To effectively +monitor Active Directory, it is necessary to deploy an AD agent to every domain controller, +including the read only domain controllers. However, it is possible to deploy the agents in batches. +Follow the steps to deploy the AD agents to the domain controllers in the target domain. + +:::note +These steps are specific to deploying AD agents for monitoring Active Directory. +::: + + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** Click on the Install agents on Active Directory domain controllers link to deploy +activity agents to multiple domain controllers. + +:::note +The Activity Monitor will validate the entered Host Name or IP Address entered in the +**Server Name** text box. +::: + + +![Specify Agent Port](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** Specify the port that should be used by the new agent(s). + +![Agent Install Location](/images/activitymonitor/9.0/admin/agents/add/locationdefault.webp) + +**Step 4 –** Select the agent installation path. + +:::info +Use the default installation path. +::: + + +![Active Directory Connection page with blank text boxes](/images/activitymonitor/9.0/admin/agents/add/adconnectionblank.webp) + +**Step 5 –** On the Active Directory Connection page, enter the domain, and specify an account that +is a member of BUILTIN\Administrators group on the domain. Then, click **Connect**. 
+ +![Example of a successful connection on the Active Directory Connection page](/images/activitymonitor/9.0/admin/agents/add/adconnectionsuccessful.webp) + +When the connection is successful, the Next button is enabled. Click Next to continue. + +:::note +An Administrator’s credentials are required to test the connection to the server. This is +the only way to enable the Next button. +::: + + +![Domains to Monitor page](/images/activitymonitor/9.0/admin/agents/add/domainstomonitorpage.webp) + +**Step 6 –** On the Domains To Monitor page, available domains display in a list, checked by +default. Check/uncheck the boxes as desired to identify the domains to monitor, then click Next. + +![Domain Controllers to Deploy the Agent to page](/images/activitymonitor/9.0/admin/agents/add/dcstodeploytheagenttopage.webp) + +**Step 7 –** On the Domain Controllers to deploy the Agent to page, available domain controllers +display in a list, checked by default. Check/uncheck the boxes as desired to identify the domain +controllers where the AD agent is to be deployed. + +:::note +Agents can be gradually deployed, but the AD agent needs to be installed on all domain +controllers to monitor all activity of the domain. +::: + + +![Test Connection to Domain Controller](/images/activitymonitor/9.0/admin/agents/add/dcsdeployagentconnection.webp) + +**Step 8 –** Click the **Test** button to verify the connection to the domains selected. Once the +connection is verified, click **Next** to continue. + +![Windows Agent Settings Page](/images/activitymonitor/9.0/admin/agents/add/windowsagentsettingspage.webp) + +**Step 9 –** On the Windows Agent Settings page, there are two settings to configure. + +- Add Windows file activity monitoring – Select the check box to add Windows file activity + monitoring after installing the agent. By default a new agent install monitors nothing. 
If + administrators want to monitor file activity on Windows servers, it is easier to enable it after + installation of the agent. Windows file activity monitoring can be enabled and configured later in + the console. +- Management Group – By default, the agent only accepts commands from members of the + BUILTIN\Administrators group. Less privilege accounts can be configured to manage the agent with + the Management Group setting. Keep in mind that only administrators can install, update and + uninstall the agent. + +**Step 10 –** Click **Finish**. The Add New Agent(s) window closes, and the activity agent is +deployed to and installed on the target host. + +During the installation process, the status will be Installing. If there are any errors, the +Activity Monitor stops the installation and lists the errors in the Agent messages box. + +![AD Agent Installed](/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp) + +When the AD agent installation is complete, the status changes to **Installed** and the agent +version populates in the AD Module column. The next step is to configure the domains to be +monitored. See the [Monitored Domains Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/overview.md) section for +additional information. diff --git a/docs/activitymonitor/10.0/admin/agents/linux.md b/docs/activitymonitor/10.0/admin/agents/linux.md new file mode 100644 index 0000000000..62aed309a3 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/linux.md 
@@ -0,0 +1,138 @@ +--- +title: "Linux Agent Deployment" +description: "Linux Agent Deployment" +sidebar_position: 30 +--- + +# Linux Agent Deployment + +**Understanding Linux File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Manager + +Prior to adding a Windows host to the Activity Monitor, the prerequisites for the target environment +must be met. See the [Linux Agent Server Requirements](/docs/activitymonitor/10.0/requirements/linuxagent.md) topic +for additional information. + +## Deploy Linux Agent + +Follow the steps to deploy the agent to the Linux host. + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent page of the Add New Agent(s) Wizard](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** On the Install New Agent page, enter the server name for the Linux host. Click +**Next**. + +![Specify Agent Port](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** On the Agent Port page, specify the port to be used by the new agent. The default port +is **4498**. Click **Next**. + +![Credentials to Connect](/images/activitymonitor/9.0/admin/agents/add/credentialsservers.webp) + +**Step 4 –** On the Credentials To Connect To The Server(s) page, connect to the Linux Server using +either a **User name** and **Password**, or a Public Key. 
+ +The options for connecting with a Password are: + +- User name +- Password + +![Public Key Credentials](/images/activitymonitor/9.0/admin/agents/add/publickey.webp) + +The options for connecting with a Public Key are: + +- User name +- Private Key + +![Client Certificate Credentials](/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp) + +To connect with a Client Certificate, select the **Client Certificate** (for already installed +agents) option. Run the following commands on the Linux machine: + +``` +cd /usr/bin/activity-monitor-agentd/ +./activity-monitor-agentd create-client-certificate --name [name] +``` + +The Client Certificate option adds an already installed agent to the console without using SSH. + +To connect with a public key, select the **Public Key** option. Copy the following command into a +command prompt to generate ECDSA key for public key option: + +``` +ssh-keygen -m PEM -t ecdsa +``` + +Netwrix Activity Monitor requires to generate ECDSA Key with a blank passphrase + +``` +cat ~/.ssh/id_ecdsa.pub >> ~/.ssh/authorized_keys +``` + +:::note +It is required to add public key to authorized keys for Activity Monitor. By default, a +private key is generated at ~/.ssh/id_ecdsa location along with the public key (.pub file). A user +can use a different file location. Copy the following command into a command prompt to generate a +private key for Activity Monitor to use: +::: + + +``` +cat ~/.ssh/id_ecdsa +``` + +**Step 5 –** Click **Connect** to test the connection. If the connection is successful, click +**Next**. If the connection is unsuccessful, see the status message that appears for information on +the failed connection. + +![Linux Agent Options](/images/activitymonitor/9.0/admin/agents/add/linuxagentoptions.webp) + +**Step 6 –** On the Linux Agent Options page, select which user name to use to run the daemon. To +use root, leave the **Service user name** field blank. Click **Test** to test the connection. 
+ +**Step 7 –** Click **Finish**. The Add New Agent(s) window closes, and the activity agent is +deployed to and installed on the target host. + +During the installation process, the status will be **Installing**. If there are any errors, +Activity Monitor stops the installation and lists the errors in the **Agent messages** box. + +![Linux Agent Installed](/images/activitymonitor/9.0/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp) + +When the Linux agent installation is complete, the status changes to **Installed**. The Monitored +Host is also configured, and the added Linux host is displayed in the monitored hosts table. See the +[Monitored Hosts & Services Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md) topic for additional information. + +Once a host has been added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information. + +:::info +Activity Monitor Agent uses certificates to secure the connection between the Linux Agent and the Console / API Server. +By default, the Agent uses an automatically generated self-signed certificate. The Console and the API Server do not enforce +validity checks on these self-signed agent certificates. + +This self-signed certificate can be replaced with one issued by a Certification Authority. Once replaced, the Console and +the API Server will ensure the validity of the agent’s certificates. + +See the [Certificate](/docs/activitymonitor/10.0/admin/agents/properties/certificate.md) topic for additional information. +::: + +## Host Properties for Linux + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional +information. diff --git a/docs/activitymonitor/10.0/admin/agents/multiple.md b/docs/activitymonitor/10.0/admin/agents/multiple.md new file mode 100644 index 0000000000..3aeb4ef293 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/multiple.md 
@@ -0,0 +1,144 @@ +--- +title: "Multiple Activity Agents Deployment" +description: "Multiple Activity Agents Deployment" +sidebar_position: 20 +--- + +# Multiple Activity Agents Deployment + +Before deploying the activity agent, ensure all Prerequisites are met, including those for NAS +devices when applicable. Follow the steps to deploy the activity agent to a multiple Windows +servers. See the [Activity Agent Server Requirements](/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md) topic +for additional information. + +:::note +These steps are specific to deploying activity agents for monitoring supported target +environments. +::: + + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** On the Install new agent page, click the install agents on multiple hosts link to +deploy activity agents to multiple hosts. + +![Specify Agent Port page - specify port that should be used by new agent](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** On the Specify Agent Port page, specify the port that should be used by the new agent. +The default port is 4498. Click **Next**. + +![Install Agents on Multiple Hosts page](/images/activitymonitor/9.0/admin/agents/add/installagentsonmultiplehosts.webp) + +**Step 4 –** Windows or Linux hosts can be entered as either a name or an IP Address. The options +are: + +- Add server — Opens the Host name or IP address window. See the Manual Entry topic for additional + information. +- Remove — Removes an entered host name or IP address from the table +- Import — Opens the Import from file window. See the Import a List topic for additional + information. + +There are two methods for adding multiple hosts are: + +**Manual Entry** + +Use **Manual Entry** to manually type the host names or IP addresses of the servers to be monitored. 
+ +![Enter Host Name or IP Address window](/images/activitymonitor/9.0/admin/agents/add/hostnameoripaddresswindow.webp) + +For Manual Entry, the options are: + +- Click Add server. The Host name or IP Address window opens. +- Enter the servers, separating the hosts with spaces, commas, or semicolons. + - (Optional) A multi-line list can be pasted into this textbox. When the servers have been + entered, click OK. The Host name or IP address window closes and the identified servers are in + the list. + +**Import a List** + +Use **Import a List** to import host names or IP addresses from an external source. + +![Import Hosts from a CSV File window](/images/activitymonitor/9.0/admin/agents/add/importhostsfromacsvfilewindow.webp) + +For Import a List: + +- Click Import. The Import from file window opens. +- Enter the file path, or use the ellipsis (…) to navigate to the file. +- Identify the Separator used on the file (Comma, Semicolon, Tab, or Space). This is set to + **Comma** for CSV format by default. +- If the first row of the file contains column headers, then check the First row contains field + names box. If there are no column headers, uncheck this box. +- A preview of the selected file displays. Select the column with the host names. +- Click OK. The Import from file window closes and the identified servers are in the list. + +The Activity Monitor will monitor the Host Names or IP Address added to the **Install Agents on +Multiple Hosts** table. Click **Next**. + +![Credentials to Connect to the Server(s) window](/images/activitymonitor/9.0/install/agent/credentials.webp) + +**Step 5 –** On the Credentials To Connect To The Server(s) page, connect to the server using either +a **User name** and **password**, a Public Key, or a Client Certificate. 
+ +The options for connecting with a Password are: + +- User name +- Password + +![Credentials to Connect to the Server(s) ](/images/activitymonitor/9.0/admin/agents/add/publickey.webp) + +The options for connecting with a Public Key are: + +- User name +- Private Key + +- Use the Public Key option to install an agent using SSH + +![clientcertificate](/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp) + +To connect with a Client Certificate, select the Client Certificate (for already installed agents) +option. Copy the following command into a command prompt: + +**activity-monitor-agentd --create-client-certificate --client-name [NAME]** + +Using an existing Client Certificate installs a new agent without using SSH. + +**Step 6 –** Click **Connect** to test the connection. If the connection is successful, click +**Next**. + +The credentials are tested against each server added on the **Install Agent(s) on Multiple Hosts** +page. If the connection is unsuccessful, see the status message that appears for information on the +failed connection. Activity agents are only successfully deployed for servers where the test status +returns Ok. Failed deployments can be retried through the Connection tab of the agent’s Properties +window. When one or more of the connections are successful, click Next. + +![Agent Installation Path page](/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp) + +**Step 7 –** On the Agent Install Location page, browse to theselect the agent installation path. +The default path is `C:\Program Files\Netwrix\Activity Monitor\Agent`. Click **Next**. 
+ +![Windows Agent Settings](/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp) + +**Step 8 –** On the Windows Agent Settings window, configure the following options: + +- Add Windows file activity monitoring after installation — Check the Add Windows file activity + monitoring after installation checkbox to enable monitoring all file system activity on the + targeted Windows server after installation. +- Management Group — By default, the agent only accepts commands from members from the + BUILTIN\Administrators group. Less privileged accounts can be used to manage the agent with the + Management group setting. Keep in mind that an administrator account must be used to install, + upgrade, or uninstall an agent. + +**Step 9 –** Click Finish. The Add New Agent(s) window closes, and the activity agent is deployed to +and installed on the target host. + +During the installation process, the status will be **Installing**. If there are any errors, the +Activity Monitor stops the installation for that host and lists the errors in the **Agent messages** +box. + +![Multiple Agents Installed](/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp) + +When the activity agent installation completes, the status changes to **Installed** and the activity +agent version populates. The next step is to add hosts to be monitored. See the +[Monitored Hosts & Services Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/agents/overview.md b/docs/activitymonitor/10.0/admin/agents/overview.md new file mode 100644 index 0000000000..3dc32240de --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/overview.md 
@@ -0,0 +1,72 @@ +--- +title: "Agents Tab" +description: "Agents Tab" +sidebar_position: 10 +--- + +# Agents Tab + +The **Agents** tab is used to deploy activity agents and manage settings. This is the only tab +available until an agent is installed. + +![Image of Agents Home Page](/images/activitymonitor/9.0/admin/agents/agentaddedfinalimage.webp) + +The Agents tab is comprised of a button bar, a table of servers hosting activity agents, and an +Agent Messages box. The button bar allows users to take the following actions: + +- Add Agent – Opens the Add New Agent(s) window to deploy the activity/AD agent to a single server + or to multiple servers at the same time. The following sections provide additional information: + + - [Single Activity Agent Deployment](/docs/activitymonitor/10.0/admin/agents/single.md) + - [Multiple Activity Agents Deployment](/docs/activitymonitor/10.0/admin/agents/multiple.md) + - [Active Directory Agent Deployment](/docs/activitymonitor/10.0/admin/agents/activedirectory.md) + - [Linux Agent Deployment](/docs/activitymonitor/10.0/admin/agents/linux.md) + +- Remove – Opens the Remove Agents window where users can choose to remove the hosting server + from the activity agents table or uninstalling the activity agent from the hosting server + before removing the activity agent from the table. See the + [Remove Agents](/docs/activitymonitor/10.0/install/upgrade/removeagent.md) topic for additional information. + +- Edit – Opens the selected server’s Properties window to modify the server name or credentials. See + the [Agent Properties Window](/docs/activitymonitor/10.0/admin/agents/properties/overview.md) topic for additional information. +- Start pending AD Module – Starts the Active Directory monitoring module, which is part of the Activity Monitor Agent, when the module is in a pending (not yet started) state. 
+ + - Occasionally, a Microsoft Security Bulletin that affects LSASS can interfere with the AD module’s instrumentation, causing LSASS to shut down. + The AD module monitors for LSASS process termination shortly after a server reboot. + It can be configured to run in Safe Mode to prevent the operating system from loading the AD monitoring module if the versions of the DLLs that the module hooks into have changed since the last restart. + +- Install – Deploy or upgrade an activity agent to the selected host +- Upgrade – [When Agent Status is Outdated] Replaces outdated activity agent with current version +- Update AD Module Installer – Allows you to select the newer AD Module installer. A confirmation + window then opens and identifies the new installer version. See the + [Update AD Module Installer](/docs/activitymonitor/10.0/install/upgrade/updateadagentinstaller.md) topic for additional + information. +- Refresh all – Refresh the status of all activity agents + +The table of servers hosting activity agents provides the following information: + +- Server Name – Name or IP Address of the server hosting an activity agent +- Status – Status of the deployed activity agent(s) + + :::note + If the AD agent has been deployed, a status of “outdated” could apply to either the + activity agent or the AD agent installed on the domain controller. 
+ :::
+
+
+- Version – Version of the deployed activity agent
+- AD Module – Version of the deployed AD Module, used for Active Directory monitoring
+- Domain – Name of the domain
+- Messages – Count of the number of error and warning messages for the selected server
+- Archive Location – If archiving is enabled for the activity agent, displays the archive file path
+- Archive Size – If archiving is enabled for the activity agent, displays the archive size
+
+![Agent Messages](/images/activitymonitor/9.0/admin/agents/agentmessages.webp)
+
+The **Agent messages** box displays any error or warning messages from the selected activity agent.
+These messages are related to deployment/installation, communication between the Console and the
+Activity Agent, and upgrade of an agent.
+
+
+For additional information on how to deploy agents manually, see the
+[Agent Information](/docs/activitymonitor/10.0/install/agents/agents.md) topic.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/_category_.json b/docs/activitymonitor/10.0/admin/agents/properties/_category_.json
new file mode 100644
index 0000000000..7f658621ec
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Agent Properties Window",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/activedirectory.md b/docs/activitymonitor/10.0/admin/agents/properties/activedirectory.md
new file mode 100644
index 0000000000..fce945254a
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/activedirectory.md
@@ -0,0 +1,83 @@ +--- +title: "Active Directory Tab" +description: "Active Directory Tab" +sidebar_position: 10 +--- + +# Active Directory Tab + +The Active Directory tab provides options to configure the agent settings for monitoring an Active +Directory domain controller. These settings are part of the Active Directory monitoring and can only +be enabled for agents on domain controllers. + +![Agent Properties - Active Directory Tab](/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp) + +The Agent Settings allow users to control the AD agent’s properties: + +- Harden the Agent – Protects the AD agent from being altered, stopped, or started from within the + local Service Control Manager +- Safe Mode – If selected, the AD agent checks LSASS versions upon start up. Any change in LSASS + since the previous start prevents the monitoring modules from loading. + + :::note + This is a safety measure that disables monitoring if the environment changes as in + rare cases the instrumentation may cause LSASS crashes. Should the version change occur, a + warning will be shown next to the agent on the Agents page. The **Start pending AD Module** button + allows you to force the agent to enable monitoring. + ::: + + +- Enable DNS Host Name Resolution – If selected, the AD agent looks up the missing data (a NetBIOS + name, a Fully Qualified Domain Name, or an IP Address) that is missing fromthe event + + :::note + This provides more uniform data, but may have a performance impact on the machine + where the AD agent is deployed, especially if that machine does not handle the name resolution + locally. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## Advanced Active Directory Monitoring using Threat Prevention + +More advanced Active Directory Monitoring features are available for use through Netwrix Threat Prevention. 
+See the following sections for additional information: + +- See the Configuring Threat Prevention to Send Active Directory Activity to the Activity Monitor + topic for additional information + +## Configuring Threat Prevention to Send Active Directory Activity to Activity Monitor + +Once the activity agent is deployed to a domain controller with an existing Threat Prevention agent, +a connection can be secured between both agents. Follow these instructions to configure the policy +used for Active Directory Activity Monitoring from the Threat Prevention Admin Console. + +**Step 1 –** Configure the File, Syslog, or Threat Manager outputs on the Monitored Domains Tab in +the Activity Monitor Console. See the +[Output for Monitored Domains](/docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md) topic for additional information. + +**Step 2 –** Within the Threat Prevention Admin Console, select the Threat Manager Event Sink +Configuration Window option under the Configuration menu, and enter `amqp://localhost:4499` within the +Threat Manager URI field on the pop-up window. Then click Save. + +**Step 3 –** Still within Threat Prevention, create a New Policy or select an existing one to send +Active Directory events data to Activity Monitor. See the Navigation Pane Right-Click Commands +section of the +[Netwrix Threat Prevention Documentation](https://docs.netwrix.com/docs/threatprevention/7_5) +for additional information. + +**Step 4 –** Enter a description within the General Tab of the New Policy Configuration page to +identify the AD Module policy settings. Click the button in front of the policy status to toggle +from Disabled to Enabled. + +**Step 5 –** On the Event Type Tab, add events and objects to monitor. Click the AD Operations to +include in the policy. + +**Step 6 –** Under the Actions Tab, check the **Send to Threat Manager** checkbox to enable sending +Active Directory Activity events data to Activity Monitor. 
Click Save + +See the +[Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) +for additional information on policy configurations. diff --git a/docs/activitymonitor/10.0/admin/agents/properties/additionalproperties.md b/docs/activitymonitor/10.0/admin/agents/properties/additionalproperties.md new file mode 100644 index 0000000000..600db09f0d --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/properties/additionalproperties.md 
@@ -0,0 +1,87 @@ +--- +title: "Additional Properties Tab" +description: "Additional Properties Tab" +sidebar_position: 20 +--- + +# Additional Properties Tab + +The Additional Properties Tab provides additional configuration options for the agent. The tab +varies based on the type of agent selected. + +## For Activity Agent + +The Additional Properties tab for the Activity Agent has the following configuration options: + +![Agent Additional Properties Tab](/images/activitymonitor/9.0/admin/agents/properties/additionalpropertiestab.webp) + +- Comment – Create an annotation for the agent in the **Comment** text box. Annotations entered here + will appear in the Comment column in the table on the Agents tab. +- Agent's Trace Level – Select a trace level for the agent log from the drop-down list: + + - Same Level as the Console (uses the global level selected in the console) + - Trace (the most verbose) many collection points and can slow down + + :::warning + Selecting the **Trace** option can slow down collection due to the large amount + of data points + ::: + + + - Debug + - Info (recommended) + - Warning + - Error + - Fatal + +In certain situations, the trace logs are not enough to identify issues. Collect extended debugging +data (ETW) can be useful for problems related to the following: + +- Not getting events +- Missing event attributes +- Getting unexpected events +- High RAM/CPU caused by SBTService +- Issues caused by Antivirus or Backup software + +When this is needed, enable the **Collect extended debugging data (ETW) from the Windows driver when +the Trace level is activated** option to diagnose these problems. + +:::warning +Selecting this option collects a large amount of data. Therefore, it is important to +enable it only for short periods of time. Otherwise, the trace file may overflow with data. +::: + + +In general for troubleshooting, start with trace logs. 
If the root cause of the problem might be a +low-level functionality the driver, then the ETW logs must be enabled. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## For Linux Agent + +The Additional Properties tab for the Linux Agent has the following configuration options: + +![Linux Agent Additional Properties Tab](/images/activitymonitor/9.0/admin/agents/properties/linuxagentadditionalpropertiestab.webp) + +- Comment – Create an annotation for the agent in the **Comment** text box. Annotations entered here + will appear in the Comment column in the table on the Agents tab. +- Agent's Trace Level – Select a trace level for the agent log from the drop-down list: + + - Same Level as the Console (uses the global level selected in the console) + - Trace (the most verbose) many collection points and can slow down + + :::warning + Selecting the **Trace** option can slow down collection due to the large amount + of data points + ::: + + + - Debug + - Info (recommended) + - Warning + - Error + - Fatal + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/agents/properties/adusers.md b/docs/activitymonitor/10.0/admin/agents/properties/adusers.md new file mode 100644 index 0000000000..512720dcf5 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/properties/adusers.md 
@@ -0,0 +1,35 @@
+---
+title: "AD Users Tab"
+description: "AD Users Tab"
+sidebar_position: 30
+---
+
+# AD Users Tab
+
+Use the AD Users tab to customize Active Directory service queries and caching behavior.
+
+![AD Users Tab](/images/activitymonitor/9.0/admin/agents/properties/aduserstab.webp)
+
+The configurable options are:
+
+- Domain Controllers (IPs and FQDNs) – IP addresses or FQDN of domain controllers. IP addresses or
+ FQDN should be entered as separate addresses with space, comma (,), semicolon (;), or a multi-line
+ list. Leave the box blank to use the default domain controller.
+- Lookup timeout – Specify the time for look-up timeout in milliseconds. The default is 2000
+ milliseconds. If a query fails to complete in the specified interval then the product reports an
+ empty username or a previous result from the cache. The product continues to wait for a response
+ in the background so that further events can use the resolution result.
+- Cache TTL for successful results –Specify the caching interval (time-to-live) for successful AD
+ responses.The default is 10 hours. When an AD query returns a valid username or SID, the response
+ is cached for the specified time. It is recommended to use large TTL values as the user
+ information does not often change.
+- Cache TTL for failed results – Specify the caching interval (time-to-live) for failed AD
+ responses. The default is 1 minute. When an AD query cannot resolve a SID or username, the failed
+ result is cached for the specified time. Caching of failed responses helps to reduce the load on
+ domain controllers and improve performance of event processing. Short TTL values are recommended
+ to make the product report accurate user information.
+- Maximum cache size – Specify the maximum cache size for both successful and failed responses. The
+ default is 300000.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/apiserver.md b/docs/activitymonitor/10.0/admin/agents/properties/apiserver.md
new file mode 100644
index 0000000000..43c5ffc223
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/apiserver.md
@@ -0,0 +1,66 @@
+---
+title: "API Server Tab"
+description: "API Server Tab"
+sidebar_position: 40
+---
+
+# API Server Tab
+
+The API Server Tab provides options to configure API server settings to send information about
+agents, agent configuration, and agent data to applications remotely. If an application wants to
+read the activity data using the API, the API Server must be enabled on each agent collecting
+activity.
+
+![API Server Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/apiservertab.webp)
+
+Check the Enable API access on this agent box to utilize the options on this tab:
+
+- API server port (TCP): [number] (from 1000 to 65535) – Enter the API server port. The default
+ is 4494.
+- Configure what applications have access to the API – Specifies which API servers can be included
+ or excluded from receiving event data.
+ - Add Application – Click Add Application to open the Add or edit API client window to add an
+ Application name to the list
+ - Remove – Select an Application Name and click Remove to remove an Application name from the
+ list
+ - Edit – Select an Application Name and click Edit... to open the Add or edit API client window
+ for that Application Name
+
+Grant or revoke access to the API Server by registering applications.
+
+![Add or Edit API Client popup window](/images/activitymonitor/9.0/admin/agents/properties/addoreditapiclient.webp)
+
+Click Add Application to open the Add or edit API client window.
+
+- Application name – Name of application to provide read-only access to
+- Permissions – list of permissions for Activity Monitor  through API Server
+ - Access activity data – Provides a read-only access to the activity log files of the agent
+ hosting the API Server. The access is provided to the files stored on the agent's server or on
+ the archival network share.
The permission also provides minimal and read-only access to
+ configuration of monitored hosts/domain, enough to match the monitored hosts/services to their log
+ files.
+ - Read – Provides a read-only access to the list of the agents and their configuration settings;
+ configuration of monitored domains; configuration of monitored hosts/services. The permission does not
+ provide access to the saved passwords or other secrets.
+ - Policy change - Provides permissions required to update the AD Monitoring domain configuration
+ settings
+ - Modify host - Provides permissions required to update the monitored hosts/services settings
+ - Modify agent - Provides permissions required to update the agent hosts settings
+- Client ID/Generate – Generate button creates a new Client ID and Client Secret (password)
+ credentials for applications to access API server
+- Client Secret/Copy – Copy button copies the Client ID and Client Secret (password) into its
+ respective textbox after the application is added or the Generate button is pressed
+- Secret Expires – Displays the number of days until the Client Secret expires before activated. The
+ default is 3 days.
+
+The options below the API Application Access window are:
+
+- Managing console/Use this console – Use this console button enters the host name of the Activity
+ Monitor Console within the textbox
+- IPv4 or IPv6 whitelist – IP Addresses of the remote hosts, which are allowed to connect to the API
+ port, can be whitelisted by entering them in the box. IP Addresses should be entered as separate
+ addresses with space, comma (,), semicolon (;), or a multi-line list. Leave the box blank to
+ accept connections from any hosts.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/archiving.md b/docs/activitymonitor/10.0/admin/agents/properties/archiving.md
new file mode 100644
index 0000000000..7d4d7e0f60
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/archiving.md
@@ -0,0 +1,53 @@ +--- +title: "Archiving Tab" +description: "Archiving Tab" +sidebar_position: 6 +--- + +# Archiving Tab + +By default, the Activity Monitor keeps the activity logs on the servers where the activity agents +are deployed. The Archiving tab provides users with options to enable archiving for the activity +agent and move the archived files to another location on the server or to a network location. + +![Archiving Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/archiving_tab.webp) + +The Days to keep Log files option, listed under the Log Files tab within Host Properties, applies to +Archive log files. When the entered number of days entered have passed, the activity logs and +Archive log files are deleted. The path to the Archive log files is next to the Configure button, +and listed under the Archive Location column within the Agents tab. + +Check the Enable archiving for this agent box to enable the options on this tab. The archive feature +is disabled by default. + +- Disk Quota — Maximum disk space the agent is allowed to use on the server it is installed on (at + least 100MB) – Select the number of megabytes or gigabytes. The default is 5 GB. +- Archive log files on this computer – Select to archive the logs on the server hosting this + activity agent. When archiving is enabled, this is the default selection. 
Click Configure to open + the Configure a network share on this computer window and provide the following information: + +![Popup window for Configure a network share on this computer option](/images/activitymonitor/9.0/admin/agents/properties/archivingtabconfigure.webp) + +The options in the Configure a network share on this computer window are: + +- Directory – Click the ellipsis (…) to browse to a location on the server +- Share name – Enter the share name for the archives +- Grant read access to – Click the ellipsis (…) to specify an account or group to be granted Read + and Write access to the archive + +The options below the **Configure** button are: + +- Archive log files on an UNC path (e.g. \\host-name.domain.local\share-name) – Click the ellipsis + (…) to browse for a location and select the UNC path +- User name/User password – Specify credentials to access the network share. Leave the credentials + blank to access the share using the credentials supplied for activity agent deployment. +- Test – Click Test to ensure a successful connection to the network share + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +:::note +Linux agents move activity logs to a set local path. Remote storage can be mounted to use +this path for archiving. + +::: diff --git a/docs/activitymonitor/10.0/admin/agents/properties/certificate.md b/docs/activitymonitor/10.0/admin/agents/properties/certificate.md new file mode 100644 index 0000000000..ea5af4d73a --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/properties/certificate.md 
@@ -0,0 +1,157 @@ +--- +title: "Certificate Tab" +description: "Certificate Tab" +sidebar_position: 5 +--- + +# Certificate Tab + +Activity Monitor Agent uses certificates to secure the connection between the Linux Agent and the Console / API Server; +between NAS devices and the Agent; between the Agent and REST API users. + +By default, the Agent uses an automatically generated self-signed certificate. The Console and the API Server do not enforce +validity checks on these self-signed agent certificates. + +This self-signed certificate can be replaced with one issued by a Certification Authority. Once replaced, the Console and +the API Server will ensure the validity of the agent’s certificates. + + +## Certificate Status + +The details of the current Agent certificate can be accessed via the **Certificate** page within the Agent settings. +The Console displays the Subject, Issuer, validity period, and whether it is a self-signed certificate. +The **Status** field indicates the Console’s trust in the presented certificate. + +An 'untrusted' status indicates that the agent's certificate has either been modified since the agent was initially added +to the Console or its validity period has expired. + + +:::warning +An untrusted certificate will prevent the Console and API Server from connecting to the agent. +::: + +If the change was intentional, use the **Trust this certificate** button to validate the certificate. This action will +establish trust for self-signed certificates, or for the issuing Certificate Authority in the case of CA-issued certificates. + +To replace the current certificate, use the **Manage certificates…** button. + + +:::info +Both **Trust this certificate** and **Manage certificates** functions support batch execution for multiple selected agents. +Also, when multiple agents are selected, the certificate information will only include fields with identical values across +all selected certificates, which can aid in identifying differences. 
+::: + +## Using CA-issued Certificates + +The **Manage certificates...** button launches a wizard to replace the current certificate of the agent or selected agents +with certificates issued by your Certification Authority. The whole process involves four steps: + + +1. **Generate CSRs** + +The wizard will guide you through the generation of Certificate Signing Request (CSR) for each agent. +This CSR file will contain the agent’s hostname, FQDN, static IP addresses, optional attributes (organization, OU, country, state, locality), and the agent’s digital signature. The generated CSR files, named after their corresponding agents, will be saved to a specified directory. + +2. **Submit CSRs to the Certification Authority** + +The CSR files generated in the previous step must be manually submitted by a user to their Certification Authority. This process must be performed manually, outside of the Activity Monitor, due to the varying workflows and policies inherent to different Certification Authorities. +This step yields a set of certificate files for the agents issued by the Certification Authority based on the CSRs. The CA certificate itself also needs to be collected. +Make sure that the agent certificates have the `Server Authentication` purpose listed in the Extended Key Usage extension and have DER or PEM encoding. + +If you are using OpenSSL’s Micro CA, you can generate a certificate from a CSR file using the `x509 -req` command. + +``` +openssl x509 -req -in AGENT01.req -CA ca.crt -CAkey ca.key -out AGENT01.crt -CAcreateserial -copy_extensions copyall +``` + +3. **Apply Certificates** + +Launch the wizard again to apply the new certificates to the agents. You will be prompted to select the CA certificate file and the directory +containing the certificate files for the agents. 
By using the **Verify Files** button, the product will validate the certificates, +confirming issuance by the specified CA, the correct association with the agents and their private keys, and their validity period. + +Upon successful validation, the Console will permit the immediate application of the certificates via the **Apply Certificates** button. +Failed application can be retried. + +4. **Update Other Console Instances (optional)** + +If your deployment includes multiple Console instances, each instance must be updated to trust the new certificates via the **Trust this certificate** button. + +## Using Self-Signed Certificates + +The **Manage certificates** wizard can be used to switch to automatically generated self-signed certificates. The wizard presents two options: + +1. **Use existing self-signed certificates** +2. **Generate new private key and self-signed certificate** + +The first option attempts to locate and apply a previously generated self-signed certificate, if one exists, that was in use prior +to application of a CA-issued certificate. If the certificate does not exist, a new one will be created. + +This approach may be beneficial in deployments with multiple instances of the Console or API Server that still rely on this specific +self-signed certificate, so its restoration would reinstate their operational status. + +The second option will generate a new private key and a corresponding self-signed certificate for the agent. +In the event of a suspected compromise of the agent's private key, this option should be employed. + +The **Apply Changes** button immediately applies the changes to the agents. + +If your deployment includes multiple Console instances, each instance must be updated to trust the new certificates via the **Trust this certificate** button. + + +## **Command-Line Interface** + +For automated deployments, the agent executable provides a Command-Line Interface offering equivalent functionality to the Console. 
+All CLI commands return a non-zero exit code upon failure and output error details in JSON format.  + +Before running any commands, open Command Prompt and change to the agent installation directory (by default _C:\Program Files\Netwrix\Activity Monitor\Agent_). Commands must be executed using the agent executable **ConfigurationAgent.Grpc.Host.exe**. + +For example: `.\ConfigurationAgent.Grpc.Host.exe ` + +### **Get current certificate** + +Command: `certificate-get` - Prints the current agent’s certificate. + +Parameters: + +* `out-file` (optional) - Path to a file where the certificate will be written. If the file exists, it will be overwritten. +If not provided, the certificate content is printed to the standard output. + +### **Generate CSR** + +Command: `certificate-create-csr` - Generates a Certificate Signing Request (CSR) for the agent. + +Parameters: + +* `out-file` (optional) - Path to a file where the CSR will be written. If the file exists, it will be overwritten. +If not provided, the CSR content is printed to the standard output. +* `common-name` (optional) - Common Name. If not specified, the server’s FQDN is used. +* `organization` (optional) - Organization name. +* `organization-unit` (optional) - Organization Unit. +* `country` (optional) - Country name. +* `state` (optional) - State name. +* `locality` (optional) - Locality name. +* `alternative-names` (optional) - A comma-separated list of Subject Alternative Names. If not specified, server’s hostname, +FQDN, and static IP addresses are added to the SAN list. + +### **Apply Certificate** + +Command: `certificate-apply` - Applies the certificate issued by a Certification Authority. + +Parameters: + +* `ca-file` - Path to the CA certificate file. +* `file` - Path to the agent's certificate file to apply. +* `what-if` (optional) - If specified, the CA and agent certificates are validated, but the new certificate is not applied. +Use this option to check the certificates before applying. 
+ +### **Use Self-Signed Certificate** + +Command: `certificate-apply-self-signed` - Applies an automatically generated self-signed certificate. +The command will attempt to use an existing self-signed certificate, if one exists. + +Parameters: + +* `rekey` (optional) - If specified, a new private key and a new self-signed certificate will be generated. +Otherwise, the command will first attempt to use an existing self-signed certificate. If no existing certificate is found, +a new certificate will be created using the existing private key. diff --git a/docs/activitymonitor/10.0/admin/agents/properties/connection.md b/docs/activitymonitor/10.0/admin/agents/properties/connection.md new file mode 100644 index 0000000000..3434ba242b --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/properties/connection.md 
@@ -0,0 +1,119 @@ +--- +title: "Connection Tab" +description: "Connection Tab" +sidebar_position: 1 +--- + +# Connection Tab + +The Connection tab allows users to modify the agent host server name and the credentials used for +installation and communication. The tab varies based on the type of agent selected. + +## For Activity Agent + +The server name can be modified in the text box. Modifying the name value does not move the activity +agent to a new server. The credentials can be updated or modified as well. + +:::tip +Remember, **Test** the credentials before clicking OK to ensure a successful connection. +::: + + +![Connection Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/connectiontab.webp) + +Agent server fields: + +- Server name – Name or IP address of the server where the agent is deployed +- Port – Port the agent uses for communication with the application + +Credential fields: + +- User name – Account provisioned for use by the agent +- Password – Password for the supplied User name + +**Permissions** + +This account must be: + +- Membership in the local Administrators group + +If the user name is not specified, the currently logged in user's account will be used. + +**Less Privileged Permissions Option** + +By default, the agent accepts commands only from members of the local Administrators group. You can +allow less privileged accounts to manage the agent with the **Management Group** option. Keep in +mind that you still need to be an administrator to install, upgrade, or uninstall the agent. The +Management Group applies to the users of the console and API servers. The Management Group does not +restrict access to the agents, but grants access to its members in addition to existing members of +the local Administrators group. + +The Specify account or group window is opened from a field where a Windows account is needed. 
+ +![Specify Account or Group popup window](/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp) + +Follow the steps to use this window. + +**Step 1 –** Select the Domain from the drop-down menu. + +**Step 2 –** Enter the Account in the textbox. + +- Accounts can be entered in NTAccount format, UPN format, or SID format. +- Use the ellipsis (…) button to open the Select Users, Computers, Service Accounts, or Groups + window to browse for an account. + +**Step 3 –** Then click Resolve. A message displays indicating whether or not the account could be +resolved. + +**Step 4 –** If successful, click OK. + +The Specify account or group window closes, and the account is added to the field where the window +was opened. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## For Linux Agent + +The server name can be modified in the text box. Modifying the name value does not move the Linux +agent to a new server. The credentials can be updated or modified as well. + +:::tip +Remember, **Test** the credentials before clicking OK to ensure a successful connection. 
+::: + + +![linuxconnectiontab](/images/activitymonitor/9.0/admin/agents/properties/linuxconnectiontab.webp) + +Agent server fields: + +- Server name – Name or IP address of the server where the agent is deployed +- Port – Port the agent uses for communication with the application + +Credential fields: + +- User name – Account provisioned for use by the agent +- Password – Password for the supplied User name + +**Permissions** + +This account must be: + +- Root privileges with password (or SSH private key) + +The **Trace level** option configures the level for the agent log it includes the following levels: + +- Same Level as the Console (uses the global level selected in the console) +- Trace (the most verbose) many collection points and can slow down + + :::warning + Selecting the **Trace** option can slow down collection due to the large amount of + data points + ::: + + +- Debug +- Info (recommended) +- Warning +- Error +- Fatal diff --git a/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md b/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md new file mode 100644 index 0000000000..ee42ca935b --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md 
@@ -0,0 +1,244 @@ +--- +title: "Dell CEE Options Tab" +description: "Dell CEE Options Tab" +sidebar_position: 70 +--- + +# Dell CEE Options Tab + +The Dell CEE Options tab provides options to configure Dell Common Event Enabler (CEE) settings for +monitoring Dell devices. File activity monitoring leverages the Dell CEE to deliver activity events +from Dell devices. + +CEE supports two protocols to deliver events to Activity Monitor: RPC and HTTP. An agent can receive +activity from several CEEs at the same time. Among them can be a local Windows CEE, remote Windows +and Linux CEEs. Windows versions of CEEs can use both RPC and HTTP protocols. Linux versions can +only support HTTP protocols. + +:::note +Dell CEE can be installed on the same host as the activity agent, or on a different host. +If it is installed on the same host, the activity agent can configure it automatically. +::: + + +![EMC CEE Options Tab](/images/activitymonitor/9.0/admin/agents/properties/emcceeoptionstab.webp) + +The options are: + +- Check CEE Status – Click the button to confirm the status of Dell CEE installed on the agent + server +- Choose the CEE event delivery mode: + + - Synchronous real-time delivery – Events are delivered immediately as they occur, one by one. + - Asynchronous bulk delivery (VCAPS) - Events are delivered in batches with a cadence based on a + time period or a number of events. As this mode provides better throughput, it is recommended + for heavily loaded servers. 
If selected, specify how often events are delivered by Dell CEE + using the following options: + + - Every [number] seconds (from 60 to 600) - Default is 60 seconds + - Or every [number] events (from 10 to 10000) - Default is 100 events + - The number of events and number of seconds, are used simultaneously, whichever is reached + first + +- Choose network protocols for event delivery: + + - Both – Delivers events via MS-RPC and HTTP protocol + - MS-RPC – Delivers events via the MS-RPC protocol (Windows versions of CEE only) + - HTTP – Delivers events via the HTTP protocol (Windows and Linux versions of CEE) + + - HTTP port – The port number to communicate with the agent. The default port number is + 4492, modify if needed. The agent will add the port to the firewall exclusions + automatically. + - IPv4 or IPv6 allowlist – Specify IP addresses of CEE instance that are allowed to connect + to the agent via the HTTP protocol. Leave blank to accept connections from any host. + +:::note +For Remote Windows CEE or Linux CEE, Manual Configuration is needed. +::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## Windows CEE Manual Configuration + +Windows CEE is configured with the windows registry and depends on the selected event delivery mode, +AUDIT or VCAPS. + +For the synchronous real-time delivery mode (AUDIT), use the following steps. + +**Step 1 –** Navigate to the following windows registry key +`HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration`. + +**Step 2 –** Set the `Enabled` parameter to 1. + +**Step 3 –** If the `EndPoint` parameter is empty, set it to the string listed below. If it is not +empty (i.e. some other 3rd party application is also receiving activity events from CEE), append the +following string to the existing `EndPoint` value, separating them with a semicolon. 
+ +- For the RPC protocol, `StealthAUDIT@ip-address-of-the-agent` +- For the HTTP protocol, `StealthAUDIT@http://ip-address-of-the-agent:port` + +**Step 4 –** Restart the CEE Monitor service. + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. + +**Step 1 –** Navigate to the following windows registry key +`HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration`. + +**Step 2 –** Set the `Enabled` parameter to 1. + +**Step 3 –** If the `EndPoint` parameter is empty, set it to the string listed below. If it is not +empty (i.e. some other 3rd party application is also receiving activity events from CEE), append the +following string to the existing `EndPoint` value, separating them with a semicolon. + +- For the RPC protocol, `StealthVCAPS@ip-address-of-the-agent` +- For the HTTP protocol, `StealthVCAPS@http://ip-address-of-the-agent:port` + +**Step 4 –** Set `FeedInterval` to how often, in seconds, information is sent from CEE to the +Activity Monitor. The default is 60 seconds. The range is from 60 seconds to 600 seconds. + +**Step 5 –** Set `MaxEventsPerFeed` to how many events must occur before information is sent from +CEE to Activity Monitor. The default is 100 events. The range is from 10 events to 10,000 events. + +:::note +The `FeedInterval` and `MaxEventsPerFeed` delivery cadences are used simultaneously. +::: + + +**Step 6 –** Restart the CEE Monitor service. + +:::note +All protocol strings are case sensitive. +::: + + +## Linux CEE Manual Configuration + +CEE binaries, configuration, and log files are located in `/opt/CEEPack` directory. + +**Step 1 –** Update the configuration file `/opt/CEEPack/emc_cee_config.xml`. + +**Step 2 –** Restart CEE with `/opt/CEEPack/emc_cee_svc restart` command. + +The CEE configuration file is located at` /opt/CEEPack/emc_cee_config.xml`. You need to add an +endpoint to the `EndPoint` node. 
In addition to the `EndPoint` node, you need to set `Enabled` to +`1` in either `Audit` or `VCAPS` if the Activity Monitor is the only application getting events from +the CEE. If there are multiple applications, enable the delivery modes accordingly. + +The EndPoint node's format is a semicolon-separated list of applications +in` PartnerId@http://address-of-the-app:port` format. + +For the Activity Monitor use the following strings: + +- For Audit, `StealthAUDIT@http://ip-address-of-the-agent:port` +- For VCAPS, `StealthVCAPS@http://ip-address-of-the-agent:port` + +Here's an example for the synchronous delivery (Audit): + +```xml + + +**** + + + +**** + + + +**1** + +StealthAUDIT@http://[IP Address]:[Port] + +**** + + + +... + +**** + + + +**0** + +StealthVCAPS@http://[IP Address]:[Port] + +**60** + +100 + +**** + + + + +``` + +Here's an example for the asynchronous delivery (VCAPS): + +```xml + + +**** + + + +**** + + + +**0** + +StealthAUDIT@http://[IP Address]:[Port] + +**** + + + +... + +**** + + + +**1** + +StealthVCAPS@http://[IP Address]:[Port] + +**60** + +100 + +**** + + + + +``` + +Make sure to set `Enabled` to `1` only in `Audit` or `VCAPS` if Activity Monitor is the only product +receiving activity from CEE. Otherwise, enable the modes according to all product requirements. + +If you want to send activity to several 3rd party applications, separate them with semicolons. + +```xml + + +**** + +1 + +**Splunk@10.20.30.40:12345;StealthAUDIT@http://[IP Address]:[Port]** + + + + +``` + +:::note +All protocol strings are case sensitive. + +::: diff --git a/docs/activitymonitor/10.0/admin/agents/properties/diskquota.md b/docs/activitymonitor/10.0/admin/agents/properties/diskquota.md new file mode 100644 index 0000000000..695a8f4d98 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/agents/properties/diskquota.md 
@@ -0,0 +1,22 @@
+---
+title: "Disk Quota Tab"
+description: "Disk Quota Tab"
+sidebar_position: 7
+---
+
+# Disk Quota Tab
+
+The **Disk Quota Tab** is used to limit the size of logs to save disk space.
+
+![diskquotatab](/images/activitymonitor/9.0/admin/agents/properties/diskquotatab.webp)
+
+The configurable options are:
+
+- Enable disk quota monitoring for this agent – Check the box to enable disk quota monitoring for
+ the agent
+- Maximum disk space the agent is allowed to use on the server it is installed on (at least 100MB) –
+ Set the maximum disk space that is allowed to be used on the server to store log files. The
+ default value is **5 GB**.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/dns.md b/docs/activitymonitor/10.0/admin/agents/properties/dns.md
new file mode 100644
index 0000000000..5f116d918b
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/dns.md
@@ -0,0 +1,48 @@
+---
+title: "DNS Tab"
+description: "DNS Tab"
+sidebar_position: 90
+---
+
+# DNS Tab
+
+Use the DNS tab to customize how the agent queries and caches DNS results.
+
+![DNS Tab](/images/activitymonitor/9.0/admin/agents/properties/dnstab.webp)
+
+The configurable options are:
+
+- Enable local DNS cache service – Select this checkbox to enable the local DNS cache service. Leave
+ the option unchecked to disable the local DNS cache service. The DNS cache service proactively
+ updates data, keeping DNS records up to date and available for real-time event reporting. Use this
+ option if your DNS infrastructure cannot handle the load (requests take hundreds of milliseconds)
+ during peak hours.
+- DNS servers (IPs) – IP addresses of the DNS servers to be used for look-ups. IP addresses should
+ be entered as separate addresses with space, comma (,), semicolon (;), or a multi-line list. Leave
+ the box blank to use the default DNS server.
+- Lookup timeout – Specify the time for look-up timeout in milliseconds. The default is 1800
+ milliseconds. If a DNS request fails to complete during the specified interval, the product
+ reports an empty host-name or a previous result from the cache. The product continues to wait for
+ a response in the background so that further events can use the result.
+- Cache TTL for successful results – Specify the caching interval (time-to-live) for successful DNS
+ responses. The default is 1 hour. When a DNS query returns a valid IP address or host-name, the
+ response is cached for the specified time. The choice of TTL value depends on the environment: how
+ often IP addresses are reassigned; how much load the DNS server can handle. High TTL values reduce
+ the load on DNS servers but may result in stale data being reported.
+ If the DNS Cache service is used, the records are automatically updated when the TTL expires.
+- Cache TTL for failed results – Specify the caching interval (time-to-live) for failed DNS
+ responses. The default is 1 minute. When a DNS query cannot resolve an IP address or host-name,
+ the failed result is cached for the specified time. Caching of failed responses helps to reduce
+ the load on DNS servers and improve performance of event processing.
+ If the DNS Cache service is used, the records are automatically updated when the TTL expires.
+- Maximum cache size – Specify the maximum cache size. The default is 100000.
+- Refresh throttle time – Specify the time interval between DNS queries that the DNS Cache service
+ uses to update expired records. The default is 1000 milliseconds.
+ If the DNS Cache service is used, the records are automatically updated when the TTL expires. This
+ option allows you to limit the number of DNS requests the service sends to update the cache. A
+ throttling period of 100 milliseconds will limit the update task to 10 requests per second.
+- Parallelism – Specify how many DNS requests the DNS Cache service is allowed to send in parallel.
+ High values may overload DNS servers.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/inactivityalerts.md b/docs/activitymonitor/10.0/admin/agents/properties/inactivityalerts.md
new file mode 100644
index 0000000000..bf22fbcd1b
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/inactivityalerts.md
@@ -0,0 +1,130 @@
+---
+title: "Inactivity Alerts Tab"
+description: "Inactivity Alerts Tab"
+sidebar_position: 100
+---
+
+# Inactivity Alerts Tab
+
+The Inactivity Alerts tab, once enabled and configured, sends real-time alerts when the agent stops
+receiving events for a specific time frame. The tab varies based on the type of agent selected.
+
+Check the **Enable Inactivity alerting for this agent** box to enable the options on this tab.
+
+![Inactivity Alerts Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/inactivityalerts.webp)
+
+Once enabled, set the alerting parameters:
+
+- Length of inactivity – Enter the number of Minutes, Hours, or Days for inactivity before an alert
+ is triggered. The default is 6 Hours.
+- Repeat an alert every – Enter the number of Minutes, Hours, or Days for an alert to be repeated if
+ inactivity continues. The default is 6 Hours.
+
+The two tabs at the bottom are for configuring the method used to send the alert:
+
+- Syslog Alerts – Configure the application to send alerts to a SIEM platform
+- Email Alerts – Configure the application to send alerts through an SMTP server
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
+
+## Syslog Alerts Tab
+
+The Syslog alert sends a notification that the activity agent has not received event data for the
+configured interval. The alert is sent to the Syslog configured on the **Syslog Alerts** tab.
+
+![inactivityalertssyslogalerts](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalerts.webp)
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:PORT format
+ in the text box. The server name can be short name, fully qualified name (FQDN), or IP Address, as
+ long as the organization’s environment can resolve the name format used.
+- Syslog protocol – Identify the **Syslog protocol** to be used for the alert.
The drop-down menu
+ includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ :::note
+ The TCP and TLS protocols add the **Message framing** drop-down menu. **Message
+ framing** options include:
+ :::
+
+
+ - LS (ASCII 10) delimiter
+ - CR (ASCII 13) delimiter
+ - CRLF (ASCII 13, 10) delimiter
+ - NUL (ASCII 0) delimiter
+ - Octet Count (RFC 5425)
+
+- Test Button – The **Test** button sends a test message to the Syslog server to check the
+ connection. A connection status message displays with either a green check mark or a red X
+ identifying the success of the sent test message. Messages vary by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+- Syslog Message Template – Select the **Syslog message template** to be used. Click the ellipsis
+ (…) to open the Syslog Message Template window. The Syslog template provided is **AlienVault /
+ Generic Syslog**.
+
+![Message Template popup window for Syslog Alerts](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp)
+
+Custom templates can be created. Select the desired template or create a new template by modifying
+an existing template within the Syslog Message Template window. The new message template is named
+Custom.
+
+Click **OK** to apply changes and exit, or **Cancel** to exit without saving any changes.
+
+## Email Alerts Tab
+
+The email alert sends a notification that the activity agent has not received event data for the
+configured interval. The alert is sent to the configured recipients on the Email Alerts tab.
+
+![inactivityalertsemailalerts](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalerts.webp)
+
+- Syslog server in SERVER[:PORT] format – Type the **SMTP server name** with a SERVER:PORT format in
+ the text box.
The server name can be short name, fully qualified name (FQDN), or IP Address, as
+ long as the organization’s environment can resolve the name format used.
+
+ - Check the Enable TLS box if an SMTP server requires TLS protocol.
+
+- User Name/Password – Specify credentials to send email alert. If using the current agent’s machine
+ account, leave these fields blank.
+- From email address – Enter the Sender’s email address
+- To email address – Enter the Recipient’s email address. Multiple addresses are comma separated.
+
+![Email Alerts - Message Subject popup window](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp)
+
+- Message subject – Click the ellipsis (…) to open the Message Template window to customize the
+ subject. Macros can be used to insert
+
+![Email Alerts - Message Body popup window](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp)
+
+- Message body – Click the ellipsis (…) to open the Message Template window to customize the body
+- Test – The Test button sends a test message to the receiver’s email address to check the
+ connection. A connection status message displays with either a green check mark or a red X
+ identifying the success of the sent test message.
+
+Click **OK** to apply changes and exit, or **Cancel** to exit without saving any changes.
+
+## Macro Variables for Agents
+
+Macros are text strings that are replaced with actual values at run time.
The following Macro
+variables are available to customize the Syslog and Email message template:
+
+| Macro | Definition |
+| --------------------------- | ------------------------------------------------------------- |
+| %SYSLOG_DATE% | Date/Time of the alert (local time, Syslog format) |
+| %TIME_STAMP% | Date/Time of the alert (local time) |
+| %TIME_STAMP_UTC% | Date/Time of the alert (UTC) |
+| %AGENT% | Agent host name |
+| %PRODUCT% | Product name |
+| %PRODUCT_VERSION% | Product Version |
+| %INACTIVE_SERVER% | Host name of the monitored host which stopped sending events |
+| %INACTIVE_SERVER_IP% | IP address of the monitored host which stopped sending events |
+| %LAST_EVENT_TIME_STAMP% | Date/Time of the last received call (local time) |
+| %LAST_EVENT_TIME_STAMP_UTC% | Date/Time of the last received event (UTC) |
+| %INACTIVITY_PERIOD_MINUTES% | Period of inactivity in minutes |
+| %INACTIVITY_PERIOD_HOURS% | Period of inactivity in hours |
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/linux.md b/docs/activitymonitor/10.0/admin/agents/properties/linux.md
new file mode 100644
index 0000000000..bbf77a57d9
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/linux.md
@@ -0,0 +1,17 @@
+---
+title: "Linux Tab"
+description: "Linux Tab"
+sidebar_position: 110
+---
+
+# Linux Tab
+
+The service user name configured during agent installation can be updated on the Agent Properties
+Linux Tab.
+
+![linuxtab](/images/activitymonitor/9.0/admin/agents/properties/linuxtab.webp)
+
+Enter a new service user name to run daemon and click **Test** to verify the connection.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/netappfpolicyoptions.md b/docs/activitymonitor/10.0/admin/agents/properties/netappfpolicyoptions.md
new file mode 100644
index 0000000000..fca6569f53
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/netappfpolicyoptions.md
@@ -0,0 +1,35 @@
+---
+title: "NetApp FPolicy Options Tab"
+description: "NetApp FPolicy Options Tab"
+sidebar_position: 120
+---
+
+# NetApp FPolicy Options Tab
+
+The NetApp FPolicy Options tab provides options to configure FPolicy server settings for monitoring
+a NetApp Data ONTAP Cluster-Mode device.
+
+![Agent Properties - NetApp FPolicy Options page](/images/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.webp)
+
+The available options are:
+
+- FPolicy server port (TCP): [number] (from 1000 to 65535) – Enter the FPolicy server port. The
+ default is 9999.
+- FPolicy authentication – Select from the following options in the drop-down list. For TLS server
+ authentication, a Server certificate is required. For TLS, mutual authentication, a Server
+ certificate and Client certificate are required.
+
+ - TCP, no authentication – Default setting, with no server authentication required
+ - TLS, server authentication – Click Server certificate to open the Server certificate window
+ and import a certificate
+ - TLS, mutual authentication – Click Server certificate to open the Server certificate window
+ and import a certificate, and Client certificate to open the Trusted client or CA certificate
+ window to import a certificate
+
+- IPv4 or IPv6 whitelist – IP Addresses of the Clustered Data ONTAP nodes, which are allowed to
+ connect to the FPolicy server, can be whitelisted by entering them in the box. IP Addresses should
+ be entered as separate addresses with space, comma, semicolon, or a multi-line list. Leave the box
+ blank to accept connections from any hosts.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/network.md b/docs/activitymonitor/10.0/admin/agents/properties/network.md
new file mode 100644
index 0000000000..7311fd90eb
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/network.md
@@ -0,0 +1,20 @@
+---
+title: "Network Tab"
+description: "Network Tab"
+sidebar_position: 130
+---
+
+# Network Tab
+
+Use the Network Tab to specify the network interface that NAS devices or API Server users use to
+connect to this server.
+
+![Agent Properties - Network Tab](/images/activitymonitor/9.0/admin/agents/properties/networktab.webp)
+
+If an agent machine has multiple network adapters, network interfaces can be specified in the
+Network Tab. Select a network interface option from the **Network Interface** dropdown menu. The
+Network Interface is set to Auto Detect by default. **Auto Detect** will use the first network
+adapter or IP address that is found.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/networkproxy.md b/docs/activitymonitor/10.0/admin/agents/properties/networkproxy.md
new file mode 100644
index 0000000000..2fece877f8
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/networkproxy.md
@@ -0,0 +1,32 @@
+---
+title: "Network Proxy Tab"
+description: "Network Proxy Tab"
+sidebar_position: 140
+---
+
+# Network Proxy Tab
+
+Use the Network Proxy tab to set the proxy for connection to Microsoft Entra ID (formerly Azure AD)
+and Office 365 monitoring. You can leave the properties blank to connect to Microsoft Entra ID
+directly.
+
+![Agent Properties - Network Tab](/images/activitymonitor/9.0/admin/agents/properties/networkproxytab.webp)
+
+The configurable options are:
+
+- HTTP proxy server in SERVER[:PORT] format – Specify the IP address or name and the port number of
+ the proxy server to query Microsoft Entra ID and Office 365. You can leave this field blank to
+ disable HTTP proxy.
+- Select one of the following checkboxes:
+
+ - Authenticate as the agent's machine account
+ - Bypass the proxy server for local addresses
+
+- User name – Specify a user name for the proxy server
+- User password – Specify a password for the user name
+- Bypass list – Specify the Bypass list. This is a list of URIs that do not use the proxy server
+ when accessed. Multiple addresses can be entered separated by space, comma (,), semicolon (;), or
+ as a multi-line list.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/nutanix.md b/docs/activitymonitor/10.0/admin/agents/properties/nutanix.md
new file mode 100644
index 0000000000..5d2e676f48
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/nutanix.md
@@ -0,0 +1,28 @@
+---
+title: "Nutanix Tab"
+description: "Nutanix Tab"
+sidebar_position: 150
+---
+
+# Nutanix Tab
+
+The Nutanix tab provides features to configure settings for monitoring Nutanix devices.
+
+![Agent Properties - Nutanix](/images/activitymonitor/9.0/admin/agents/properties/nutanix.webp)
+
+The available Agent server settings for Nutanix are:
+
+- Agent server port (TCP) – Enter the TCP port that Nutanix will use to connect to the agent. The
+ agent will add the port to the firewall exclusions automatically. The default is 4501.
+- IPv4 or IPv6 allowlist – Specify the IP addresses of the Nutanix nodes, which are allowed to
+ connect to the agent server port. Multiple addresses can be entered separated by space, comma (,),
+ semicolon (;), or as a multi-line list. Leave the box blank to accept connections from any hosts.
+
+ :::note
+ This setting is optional and it allows you to improve security by limiting the number
+ of IP addresses allowed to connect.
+ :::
+
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/overview.md b/docs/activitymonitor/10.0/admin/agents/properties/overview.md
new file mode 100644
index 0000000000..3a7cf198c2
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/overview.md
@@ -0,0 +1,33 @@
+---
+title: "Agent Properties Window"
+description: "Agent Properties Window"
+sidebar_position: 50
+---
+
+# Agent Properties Window
+
+On the Agents tab, the Edit button opens the agent’s Properties window, which contains the following
+tabs:
+
+- [Connection Tab](/docs/activitymonitor/10.0/admin/agents/properties/connection.md)
+- [Certificate Tab](/docs/activitymonitor/10.0/admin/agents/properties/certificate.md)
+- [Archiving Tab](/docs/activitymonitor/10.0/admin/agents/properties/archiving.md)
+- [Disk Quota Tab](/docs/activitymonitor/10.0/admin/agents/properties/diskquota.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/agents/properties/inactivityalerts.md)
+- [Active Directory Tab](/docs/activitymonitor/10.0/admin/agents/properties/activedirectory.md) – AD Agent only
+- [AD Users Tab](/docs/activitymonitor/10.0/admin/agents/properties/adusers.md)
+- [API Server Tab](/docs/activitymonitor/10.0/admin/agents/properties/apiserver.md)
+- [Dell CEE Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md) – Activity Agent only
+- [DNS Tab](/docs/activitymonitor/10.0/admin/agents/properties/dns.md)
+- [Linux Tab](/docs/activitymonitor/10.0/admin/agents/properties/linux.md) – Linux Agent only
+- [NetApp FPolicy Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/netappfpolicyoptions.md) – Activity Agent only
+- [Network Tab](/docs/activitymonitor/10.0/admin/agents/properties/network.md)
+- [Network Proxy Tab](/docs/activitymonitor/10.0/admin/agents/properties/networkproxy.md)
+- [Nutanix Tab](/docs/activitymonitor/10.0/admin/agents/properties/nutanix.md) – Activity Agent only
+- [Panzura Tab](/docs/activitymonitor/10.0/admin/agents/properties/panzura.md) – Activity Agent only
+- [Qumulo Tab](/docs/activitymonitor/10.0/admin/agents/properties/qumulo.md) – Activity Agent only
+- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/agents/properties/additionalproperties.md)
+
+Select the
desired agent and click **Edit** to open the agent’s Properties window.
+
+![Properties Window](/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp)
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/panzura.md b/docs/activitymonitor/10.0/admin/agents/properties/panzura.md
new file mode 100644
index 0000000000..f20d618439
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/panzura.md
@@ -0,0 +1,30 @@
+---
+title: "Panzura Tab"
+description: "Panzura Tab"
+sidebar_position: 160
+---
+
+# Panzura Tab
+
+The Panzura Tab provides features to configure settings for monitoring Panzura devices.
+
+![Agent Properties - Panzura Tab](/images/activitymonitor/9.0/admin/agents/properties/panzuratab.webp)
+
+The available options are:
+
+- Agent server port (TCP) - Enter the agent server port. The default is 4497.
+- Users can protect the port with a username and password. The credentials will be configured in
+ Panzura
+
+ - User name – Enter a custom user name or click **Generate** to create a random username and
+ password
+ - Password – Enter a custom password or use the generated password. Click **Copy** to copy the
+ user name and password to the clipboard.
+
+- IPv4 or IPv6 allowlist – IP Addresses of the remote hosts, which are allowed to connect to the API
+ port, can be whitelisted by entering them in the box. IP Addresses should be entered as separate
+ addresses with space, comma (,), semicolon (;), or a multi-line list. Leave the box blank to
+ accept connections from any hosts.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/properties/qumulo.md b/docs/activitymonitor/10.0/admin/agents/properties/qumulo.md
new file mode 100644
index 0000000000..3ae93edd46
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/properties/qumulo.md
@@ -0,0 +1,23 @@
+---
+title: "Qumulo Tab"
+description: "Qumulo Tab"
+sidebar_position: 170
+---
+
+# Qumulo Tab
+
+The Qumulo tab provides features to configure settings for monitoring Qumulo devices.
+
+![Agent Properties - Qumulo](/images/activitymonitor/9.0/admin/agents/properties/qumulo.webp)
+
+The available options are:
+
+- Syslog port (TCP) – Enter the TCP port that Qumulo will use to connect to the agent. The agent
+ will add the port to the firewall exclusions automatically. The default is 4496. The range of
+ valid values is from 1000 to 65535.
+- IPv4 or IPv6 allowlist – Specify the IP addresses of the Qumulo nodes, which are allowed to
+ connect to the agent server port. Multiple addresses can be entered separated by space, comma (,),
+ semicolon (;), or as a multi-line list. Leave the box blank to accept connections from any hosts.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/agents/single.md b/docs/activitymonitor/10.0/admin/agents/single.md
new file mode 100644
index 0000000000..11a2d675ba
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/agents/single.md
@@ -0,0 +1,72 @@
+---
+title: "Single Activity Agent Deployment"
+description: "Single Activity Agent Deployment"
+sidebar_position: 10
+---
+
+# Single Activity Agent Deployment
+
+Before deploying the activity agent, ensure all
+[Activity Agent Server Requirements](/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md) have been met,
+including those for NAS devices when applicable. Follow the steps to deploy the activity agent to a
+single Windows server.
+
+:::note
+These steps are specific to deploying activity agents for monitoring supported target
+environments.
+:::
+
+
+**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window.
+
+![Install New Agent window](/images/activitymonitor/9.0/install/agent/installnew.webp)
+
+**Step 2 –** On the Install new agent page, enter the Server name (name or IP Address) to deploy to
+a single server. Leave the field blank to deploy the agent on the local server. Click Next.
+
+![Specify Agent Port page](/images/activitymonitor/9.0/install/agent/portdefault.webp)
+
+**Step 3 –** On the Specify Port page, specify the port that should be used by the new agent. The
+default port is 4498. Click **Next**.
+
+![Credentials to Connect to the Server(s) page](/images/activitymonitor/9.0/install/agent/credentials.webp)
+
+**Step 4 –** On the Credentials To Connect To The Server(s) page, select either Windows or Linux file
+monitoring. Then, enter the **User name** and **Password** to connect to the API Server.
+
+![Test Account Connection](/images/activitymonitor/9.0/admin/agents/add/testaccountconnection.webp)
+
+**Step 5 –** Click **Connect** to test the connection. If the connection is successful, click
+**Next**. If the connection is unsuccessful, see the status message that appears for information on
+the failed connection and correct the error to proceed.
+
+![agentinstalllocation](/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp)
+
+**Step 6 –** On the Agent Install location page, specify the **Agent installation path**. The
+default path is `C:\Program Files\Netwrix\Activity Monitor\Agent`. Click **Next**.
+
+![Enable Windows File Activity Monitoring page](/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp)
+
+**Step 7 –** On the Windows Agent Settings window, configure the following options:
+
+- Windows Activity Monitoring — Check the Add Windows file activity monitoring after installation
+ checkbox to enable monitoring all file system activity on the targeted Windows server after
+ installation. Alternatively, the Windows monitoring can be enabled later on the Monitored Hosts & Services
+ tab.
+- Management Group — By default, the agent only accepts commands from members from the
+ BUILTIN\Administrators group. Less privileged accounts can be used to manage the agent with the
+ Management group setting. Keep in mind that an administrator account must be used to install,
+ upgrade or uninstall an agent. The value must be a domain or local security group entered in the
+ DOMAIN\groupname format.
+
+**Step 8 –** Click Finish. The Add New Agent(s) window closes, and the activity agent is deployed to
+and installed on the target host.
+
+During the installation process of the agent, the status will display Installing. If there are any
+errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box.
+
+![consolewithagent](/images/activitymonitor/9.0/install/agent/consolewithagent.webp)
+
+When the activity agent installation is complete, the status changes to **Installed** and the
+activity agent version populates. The next step is to add hosts to be monitored. See the
+[Monitored Hosts & Services Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/_category_.json b/docs/activitymonitor/10.0/admin/monitoreddomains/_category_.json
new file mode 100644
index 0000000000..d6345b7c09
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Monitored Domains Tab",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json
new file mode 100644
index 0000000000..0f6c7ce58f
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "AD Monitoring Configuration Window",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md
new file mode 100644
index 0000000000..9e6592f894
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md
@@ -0,0 +1,190 @@
+---
+title: "Authentication Tab"
+description: "Authentication Tab"
+sidebar_position: 30
+---
+
+# Authentication Tab
+
+The Authentication tab on a domain’s Configuration window allows users to configure communication
+with servers.
+
+![AD Monitoring Configuration - Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp)
+
+After checking the Enable Authentication box, the following event filters can be modified on the
+sub-tabs:
+
+- Forged PAC Analytic
+- Host (From)
+- Host (To)
+- IP Addresses (From)
+- IP Addresses (To)
+- Operations
+- Servers
+- Users
+
+## Forged PAC Analytic
+
+The Forged Privilege Account Certificate (PAC) analytic type identifies Kerberos tickets with a
+modified PAC. By manipulating the PAC, a field in the Kerberos ticket that contains a user’s
+authorization data (in Active Directory this is group membership), an attacker is able to grant
+themselves additional elevated privileges.
+
+![AD Monitoring Configuration - Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp)
+
+Double-click text box to enter specific **RIDs**. Click OK. The AD agent then compares against the
+PAC and user’s access token for a mismatch to trigger the incident.
+
+:::note
+The Forged PAC analytic is monitoring for when the user is not a member of a group that is
+listed in the PAC section of the user’s Kerberos ticket. This analytic can be scoped to monitor
+specific groups. To reduce the number of false positives, the AD agent only checks for a mismatch of
+sensitive groups as selected in the policy Settings tab.
+:::
+
+
+## Host (From)
+
+The Hosts (from) option is where the policy can be scoped to only monitor specific hosts as
+originators of an authentication event or to exclude specific hosts from being monitored for
+authentication events.
+
+![Host (From) Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp)
+
+Underneath each section, there are additional Host details:
+
+- IP – Field must contain IP address, e.g. 123.456.7.890
+- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com
+- Netbios – Field must contain NetBIOS name of the host, e.g. dc01
+
+Double-click the text boxes within the column, then enter all three methods of identification for a
+host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host
+from authentication event collection.
+
+## Host (To)
+
+The Hosts (to) option is where the policy can be scoped to only monitor specific hosts as target
+hosts of an authentication event or to exclude specific hosts from being monitored as targets of
+authentication events.
+
+![Host (To) Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostto.webp)
+
+Underneath each section, there are additional Host details:
+
+- IP – Field must contain IP address, e.g. 123.456.7.890
+- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com
+- Netbios – Field must contain NetBIOS name of the host, e.g. dc01
+
+Double-click the text boxes within the column, then enter all three methods of identification for a
+host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the target host from
+authentication event collection.
+
+## IP Addresses (From)
+
+The IP Addresses (from) option is where the policy can be scoped to only monitor specific IP
+Addresses as originators of an authentication event or to exclude specific IP Addresses from being
+monitored for authentication events.
+
+![IP Addresses (From) Tab in the Authenticatoin Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp)
+
+Underneath each section, there is an additional Address detail:
+
+- Value – Must be provided in IP address format
+
+Double-click the text box beneath **Value** to enter the desired IP Addresses to include or exclude.
+Press the Enter or Tab key to add another text box.
+
+## IP Addresses (To)
+
+The IP Addresses (to) option is where the policy can be scoped to only monitor specific IP Addresses
+as target hosts of an authentication event or to exclude specific IP Addresses from being monitored
+as targets of authentication events.
+
+![IP Addresses (To) Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp)
+
+Underneath each section, there is an additional Address detail:
+
+Value – Must be provided in IP address format
+
+Double-click the text box beneath **Value** to enter the desired IP Addresses to include or exclude.
+Press the Enter or Tab key to add another text box.
+
+## Operations
+
+The Operations option filters for successful events, failed events, or both.
+
+![Operations Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp)
+
+The **Monitor These Attempts** section is where monitoring is set to filter for successful events,
+failed events, or both:
+
+- Success – Monitors successful events
+- Failure – Monitors failed events
+
+The **Monitor These Protocols** section is where authentication protocols to be monitored are
+selected for the policy. Check the box to select the authentication protocol(s) to be monitored:
+
+- All
+- Kerberos
+- NTLM
+
+:::warning
+If Login Type is enabled, authentication events will be received from Domain
+Controllers only.
+:::
+
+
+The Login Type options apply only to Domain Controllers.
These options provide the choice to monitor
+Local Interactive and/or Remote Interactive logins to the Domain Controllers:
+
+- All - Report all authentication activity approved by the Domain Controller which includes any
+ local or RDP direct connections to the DC.
+
+ - Local - Report only local login to the Domain Controller - ignore all else
+ - Remote - Report only remote/RDP access to the Domain Controller - ignore all else
+
+- Exclude failed authentications with previously valid (N-2) password – If enabled, allows to ignore
+ failed authentications that failed due to use of a previously valid, but now expired, password
+- Exclude failed authentications with expired password – If enabled, allows to ignore failed
+ authentications that failed due to use of still valid, but now expired, password
+
+## Servers
+
+The Servers option targets servers to be included or excluded when filtering for authentication.
+
+![Servers Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp)
+
+In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS
+Domain name and SERVER is NetBIOS server name.
+
+Double-click the text box beneath Name to enter the desired servers to include or exclude. Press the
+Enter or Tab key to add another text box.
+
+## Users
+
+The Users filter is where the policy can be scoped to only monitor specific security principals
+committing changes within Active Directory or to exclude specific users committing changes from
+being monitored.
+
+![Users Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp)
+
+The following details appear beneath both sections:
+
+- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked,
+ the filter is only applied to the listed context.
+
+- Type – Field must describe the type of the select Active Directory object and can have the
+ following values:
+
+ - user – Indicates that selected object is user
+ - group – Indicates that selected object is group
+ - context – Indicates that selected object is container
+ - sidType – Indicates that selected object is well-known SID type
+
+- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax,
+ e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form
+ of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'.
+
+Double-click the text box beneath Distinguished Name to enter the desired group types to include or
+exclude. Double-click the text box beneath **Type** to enter the desired AD object to include or
+exclude. Press the Enter or Tab key to add another text box. Check the box under **Subtree** to
+include or exclude child contexts.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/changes.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/changes.md
new file mode 100644
index 0000000000..cbda892375
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/changes.md
@@ -0,0 +1,200 @@
+---
+title: "Changes Tab"
+description: "Changes Tab"
+sidebar_position: 20
+---
+
+# Changes Tab
+
+The Changes tab for AD Monitoring Configuration window provides additional options to monitor
+changes made to the domain.
+
+![Operations Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp)
+
+After checking the Enable AD Changes box, the following event filters can be modified on the
+sub-tabs:
+
+- Attributes
+- Classes
+- Context
+- Host (From)
+- IP Addresses (From)
+- Objects
+- Operations
+- Servers
+- Users
+
+## Attributes
+
+The Attributes Tab is where monitoring can be scoped to include events with specific attributes
+within Active Directory. Further scoping of attributes can enable monitoring to only capture events
+based on the new value.
+
+![Attributes Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp)
+
+Double-click the text box beneath Name to enter the desired attribute to include or exclude.
+Double-click the text box beneath Value to enter the desired attribute value to reference. Choose
+the Operation to relate the Name and Value with. Press the **Enter** or **Tab** key to add another
+textbox.
+
+:::note
+Name field must contain Active Directory attribute name.
+:::
+
+
+Scoping the filter captures events when the new value matches with the supplied value. To scope the
+filter based on the new value of the attribute, use the Operation drop-down menu.
+
+- AnyValue – No scoping applied for this attribute
+- EmptyValue – Blank attribute values
+- Equal – Attribute values that are identical to the Value field
+- NotEqual – Attribute values that do not match the Value field
+- LessThan – Attribute values below the supplied numeric value or before alphabetically
+- GreaterThan – Attribute values above the supplied numeric value or after alphabetically
+- Contains – Attribute values includes the user supplied string (numbers are treated as strings)
+- NotContain – Attribute values do not include the user supplied string (numbers are treated as
+ strings)
+- Startswith – Attribute values start with the user supplied string
+
+## Classes
+
+The Classes Tab is where the policy can be scoped to only monitor specific classes within Active
+Directory or to exclude specific classes from being monitored.
+
+![Classes Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/classestab.webp)
+
+Double-click the text box beneath Name to enter the desired classes to include or exclude. Press the
+**Enter** or **Tab** key to add another text box.
+
+:::note
+Class must be specified in the form of `objectClass` attribute syntax but must contain
+only last value of this multi-valued attribute. For example, for
+`top; person; organizationalPerson; user` it must have 'user' value.
+:::
+
+
+## Context
+
+The Context Tab is where the policy can be scoped to only monitor specific contexts (e.g. Containers
+and Organizational Units) within Active Directory or to exclude specific contexts from being
+monitored.
+
+![Context Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp)
+
+Underneath each section, there are additional Context details:
+
+- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked,
+ the filter is only applied to the listed context.
+
+- Distinguished Name – Field must be specified in the form of `distinguishedName` attribute syntax,
+ e.g. `CN=Users,DC=Domain,DC=com`
+
+Double-click the text box beneath Distinguished Name to enter the desired context to include or
+exclude. Press the **Enter** or **Tab** key to add another text box. Check the box under Subtree to
+include or exclude child contexts.
+
+## Host (From)
+
+The Hosts (from) Tab is where the policy can be scoped to only monitor specific hosts as originators
+of an authentication event or to exclude specific hosts from being monitored for authentication
+events.
+
+![Host (From) Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp)
+
+Underneath each section, there are additional Host details.
+
+- IP – Field must contain IP address, e.g. 123.456.7.890
+- DNS – Field must contain a fully qualified domain name of the host, e.g. ex01.nwxtech.com
+- Netbios – Field must contain NetBIOS name of the host, e.g. ex01
+
+Double-click the text boxes within the column, then enter all three methods of identification for a
+host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host
+from change event collection.
+
+## IP Addresses (From)
+
+The IP Addresses (from) Tab is where the policy can be scoped to only monitor specific IP Addresses
+as originators of an authentication event or to exclude specific IP Addresses from being monitored
+for authentication events.
+
+![IP Addresses (From) Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp)
+
+Underneath each section, there is an additional Address detail.
+
+- Value – Must be provided in IP address format
+
+Double-click the text box beneath **Value** to enter the desired IP addresses to include or exclude.
+Press **Enter** or **Tab** key to add another text box.
+
+## Objects
+
+The Objects Tab is where the policy can be scoped to only monitor specific objects within Active
+Directory or to exclude specific objects from being monitored.
+
+![Objects Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp)
+
+Underneath each section, there is an additional Object detail.
+
+- Distinguished Name – Field must be specified in the form of `distinguishedName` attribute syntax,
+ e.g. `CN=Users,DC=Domain,DC=com`
+
+Double-click the text box beneath Distinguished Name to enter the desired objects to include or
+exclude. Press the **Enter** or **Tab** key to add another text box.
+
+## Operations
+
+The Operations Tab provides additional configuration filters for AD event collection.
+
+![Operations Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp)
+
+Monitor These Attempts – Filter for successful events, failed events, or both can be selected.
+
+- Success – Monitors successful events
+- Failure – Monitors failed events
+
+Operations – Filter for Active Directory events to be monitored.
+
+- Object Added – Monitors for objects being added to Active Directory
+- Object Deleted – Monitors for objects being deleted from Active Directory
+- Object Modified – Monitors for objects being modified within Active Directory
+- Object Moved or Renamed – Monitors for objects being moved or renamed within Active Directory
+
+## Servers
+
+The Servers Tab targets servers to be included or excluded when filtering for changes.
+
+![Servers Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp)
+
+In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS
+Domain name and SERVER is NetBIOS server name.
+
+Double-click the text box beneath Name to enter the desired servers to include or exclude.
Press the
+Enter or Tab key to add another text box.
+
+## Users
+
+The Users Tab is where the policy can be scoped to only monitor specific security principals
+committing changes within Active Directory or to exclude specific users committing changes from
+being monitored.
+
+![Users Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp)
+
+The following details appear beneath both sections.
+
+- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked,
+ the filter is only applied to the listed context.
+- Type – Field must describe the type of the select Active Directory object and can have the
+ following values:
+
+ - user –  Indicates that selected object is user
+ - group – Indicates that selected object is group
+ - context – Indicates that selected object is container
+ - sidType – Indicates that selected object is well-known SID type
+
+- Distinguished Name – Field must be specified in the form of `distinguishedName` attribute syntax,
+ e.g. `CN=Users,DC=Domain,DC=com`. However, for objects with `sidType` type, it must be in the form
+ of WellKnownSidType Enum, e.g. `AnonymousSid` or `LocalSid`.
+
+Double-click the text box beneath **Distinguished Name** to enter the desired group types to include
+or exclude. Double-click the text box beneath Type to enter the desired AD object to include or
+exclude. Press the **Enter** or **Tab** key to add another text box. Check the box under Subtree to
+include or exclude child contexts.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md
new file mode 100644
index 0000000000..05af6502bb
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md
@@ -0,0 +1,148 @@
+---
+title: "Global Filters Tab"
+description: "Global Filters Tab"
+sidebar_position: 10
+---
+
+# Global Filters Tab
+
+The Global Filters options are for excluding specific Active Directory and Authentication events
+from being monitored.
+
+![Global Filters Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp)
+
+The filter options are grouped by AD Global Pre-Filters, and Authentication Global Pre-Filters.
+Check the boxes to activate the filters. To disable for diagnostic purposes, simply uncheck the
+option(s) and click OK. All Authentication Global Pre-Filters options require configuration before
+they can be enabled.
+
+Enable all of the AD Global Pre-Filters options as well as the Exclude Logins from Machine Accounts
+option in the Authentication Global Pre-Filters section.
+
+When activated, the AD Agent(s) filters out the event data according to configuration defined in the
+`filters.json` file located in the installation directory.
+
+The configurable options in the Global Filters tab are:
+
+- Exclude ‘Noise’ Events Option
+- Exclude AD DNS Events Option
+- Exclude Logins from Machine Accounts Option
+- Exclude Authentication Events from Selected Hosts Option
+- Exclude Authentication Events from Selected Accounts Option
+
+The ‘Help’ icon (**?**) opens a window that explains the type of “noise” events being filtered.
+
+## Exclude ‘Noise’ Events Option
+
+This option is enabled by default to filter out login and internal low level attributes which can be
+considered ‘noise’ events.
This option can be scoped to include any combination to the following
+‘noise’ events:
+
+- Successful AD User Logins – Excludes events with the following attributes where ‘objectClass’ does
+ not equal computer:
+
+ - logonCount
+ - lastLogon
+ - badPwdCount
+ - lastLogonTimestamp
+
+- AD User Logins with Bad Password – Excludes events with the following set of attributes where
+ ‘objectClass’ does not equal computer:
+
+ - badPwdCount
+ - badPasswordTime
+
+- AD Computer Logins – Excludes events with the following set of attributes where ‘objectClass’
+ equals computer:
+
+ - logonCount
+ - lastLogon
+ - badPwdCount
+ - lastLogonTimestamp
+ - badPasswordTime
+ - badPwdCount
+
+- Low Level Attributes – Excludes the following attributes from event:
+
+ - lmPwdHistory
+ - dBCSPwd
+ - ntPwdHistory
+
+## Exclude AD DNS Events Option
+
+This option is enabled by default to filter out DNS events. They must meet both of the following
+conditions to be excluded:
+
+- objectClass = ‘dnsNode’ or ‘dnsZone’
+- Contains the ‘dnsRecord’ or ‘dNSTombstoned’ attribute
+
+## Exclude Logins from Machine Accounts Option
+
+This option is enabled by default to filter out machine logins. Click the configure link to open the
+Edit Accounts window.
+
+![Edit Accounts window](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp)
+
+The Exclude Logins from Machine Accounts collection is only accessible for configuration through the
+Global Filters tab.
+
+:::note
+Only perpetrators with accounts ending in “$” are considered for this filter. Wild cards
+(\*) can be used for partial matches to account names.
+:::
+
+
+All machine accounts in the textbox are either included or excluded from event data monitoring by
+the AD Agent. Machine accounts not in the list have the unselected property applied.
+
+Repeat the process until all machine accounts to be included or excluded from Authentication event
+data have been entered in the list. Then click **OK**.
+
+**Usage Tip**
+
+Windows Server 2012 introduced gMSA (Group Managed Service Accounts). The account names for gMSA
+accounts include
+“$” in their names so by default authentication traffic generated by these accounts is filtered out because they ‘look’ like machine accounts, which prior to Server 2012 were the only account names ending in “$”.
+The ability to add a list of filter strings to the “Exclude Logins from Machine Accounts” global
+filter provides a means to capture activity by gMSA type accounts as this activity is typically of
+interest where as true ‘machine accounts’ is not. By supplying either an explicit list of gMSA
+account names, or if a naming convention has been adopted, a set of wild card strings such as
+“gMSA\*” or “svc\*”, allows capturing authentication activity from such accounts while ignoring the
+noisy ‘machine accounts’.
+
+## Exclude Authentication Events from Selected Hosts Option
+
+This option is disabled by default as it requires configuration before it can be enabled. Click the
+selected hosts link to open the Edit Hosts window.
+
+![edithostsexcludeselectedhosts](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp)
+
+The Exclude Authentication Events from selected hosts collection is only accessible for
+configuration through the Global Filters tab. All three methods of identification for a host (IP
+Address, NETBIOS host name, or DNS host name) must be known in order to effectively exclude
+authentication from the host. Identify the host to be excluded in the textbox of the IP Address
+column and press the Enter or Tab to add another row on the grid. Activity Monitor attempts to
+discover the NETBIOS host name and the DNS host name associated with the supplied IP Address.
+
+Repeat the process until all hosts for which Authentication event data will not be collected have
+been entered in the list. Then click **OK**.
+
+## Exclude Authentication Events from Selected Accounts Option
+
+This option is disabled by default as it requires configuration before it can be enabled. Click the
+selected accounts link to open the Edit Accounts window.
+
+![editaccountsexcludeauthenticationselectedaccounts](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp)
+
+The Exclude Authentication Events from selected accounts collection is only accessible for
+configuration through the Global Filtering tab. Account names [domain name\account] can also be
+typed in the textbox. Wild cards (\*) can be used as part of either the domain name or account. An
+asterisk (\*) appearing anywhere other than as the first character or the last character are treated
+as a literal character instead of as a wild card.
+
+For example, \*\Service1 would exclude all Service1 accounts whether it is a domain or local
+account, and Example\Service\* would exclude all accounts that start with “Service” for the Example
+domain.
+
+Repeat the process until all accounts to be excluded from Authentication event data have been
+entered in the list. Then click **OK**.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json
new file mode 100644
index 0000000000..9da02d87e2
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "LDAP Monitor Tab",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "ldapmonitor"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md
new file mode 100644
index 0000000000..18b3805a24
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md
@@ -0,0 +1,124 @@
+---
+title: "LDAP Monitor Tab"
+description: "LDAP Monitor Tab"
+sidebar_position: 60
+---
+
+# LDAP Monitor Tab
+
+The LDAP Monitor tab on a domain’s Configuration window allows users to scope monitoring by adding
+filters for accounts by name or type.
+
+![Operations Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp)
+
+After checking the Enable Ldap Monitor box, the following event filters can be modified on the
+sub-tabs:
+
+- Host (From)
+- LDAP
+- Operations
+- Servers
+- Users
+
+Each filter tab acts like an “AND” statement for the filter. Any filter tab left blank is treated
+like an all for that filter set.
+
+## Host (From)
+
+The Hosts (from) option is where the policy can be scoped to only monitor specific hosts as
+originators of an authentication event or to exclude specific hosts from being monitored for
+authentication events.
+
+![Host (From) Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp)
+
+Underneath each section, there are additional Host details:
+
+- IP – Field must contain IP address, e.g. 123.456.7.890
+- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com
+- Netbios – Field must contain NetBIOS name of the host, e.g. dc01
+
+Double-click the text boxes within the column, then enter all three methods of identification for a
+host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host
+from authentication event collection.
+
+## LDAP
+
+The LDAP option is where query and result objects can be monitored by group type.
+
+![LDAP Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldap.webp)
+
+The Query section is where monitoring can be scoped to those LDAP queries that contain at least one
+of the user-supplied string as a substring in BaseDN or in Query field of the LDAP Search request.
+For the Query value, provide the user-supplied string in the text box.
+
+Double-click the text box beneath Value to enter the desired string. Press the Enter or Tab key to
+add another text box.
+
+Example Values:
+
+- ‘DC=domain’
+- ‘objectClass=’
+
+The Result section is where monitoring can be scoped to those LDAP query results that contain at
+least one of the user-supplied string as a substring. For the Result value, provide the
+user-supplied string in the text box.
+
+Double-click the text box beneath Value to enter the desired string. Press the Enter or Tab key to
+add another text box.
+
+Example Value:
+
+- ‘CN=Domain Admins’
+
+## Operations
+
+The Operations option filters for successful events, failed events, or both.
+
+![Operations Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp)
+
+The Monitor These Attempts section is where monitoring is set to filter for successful events,
+failed events, or both:
+
+- Success – Monitors successful events
+- Failure – Monitors failed events
+
+## Servers
+
+The Servers option targets servers to be included or excluded when filtering for a LDAP changes.
+
+![Servers Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp)
+
+In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS
+Domain name and SERVER is NetBIOS server name.
+
+Double-click the text box beneath Name to enter the desired servers to include or exclude. Press the
+Enter or Tab key to add another text box.
+
+## Users
+
+The Users option is where the policy can be scoped to only monitor specific security principals
+committing changes within Active Directory or to exclude specific users committing changes from
+being monitored.
+
+![Users Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/users.webp)
+
+The following details appear beneath both sections:
+
+- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked,
+ the filter is only applied to the listed context.
+- Type – Field must describe the type of the select Active Directory object and can have the
+ following values:
+
+ - user – Indicates that selected object is user
+ - group – Indicates that selected object is group
+ - context – Indicates that selected object is container
+ - sidType – Indicates that selected object is well-known SID type
+
+- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax,
+ e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form
+ of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'.
+
+Double-click the text box beneath Distinguished Name to enter the desired group types to include or
+exclude. Double-click the text box beneath Type to enter the desired AD object to include or
+exclude. Press the Enter or Tab key to add another text box. Check the box under Subtree to include
+or exclude child contexts.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md
new file mode 100644
index 0000000000..b1a7554c93
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md
@@ -0,0 +1,33 @@
+---
+title: "Configure LDAP Monitoring for Netwrix Threat Manager"
+description: "Configure LDAP Monitoring for Netwrix Threat Manager"
+sidebar_position: 10
+---
+
+# Configure LDAP Monitoring for Netwrix Threat Manager
+
+Follow the steps to configure LDAP monitoring within Netwrix Activity Monitor for Netwrix Threat
+Manager.
+
+:::note
+LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab.
+:::
+
+
+![Activity Monitor with SD Only](/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainsdonly.webp)
+
+**Step 1 –** In the Activity Monitor, click on the **Monitored Domains** tab.
+
+**Step 2 –** Select a domain and click **Edit**.
+
+![LDAP Monitoring Configuration for Threat Manager](/images/activitymonitor/9.0/admin/monitoreddomains/sdldapmonitoring.webp)
+
+**Step 3 –** Select the **LDAP Monitor** tab.
+
+**Step 4 –** Select the **LDAP** tab.
+
+**Step 5 –** In the “Query” section, double-click the blank line below the last filled in line.
+
+**Step 6 –** Paste the string copied from Threat Manager and press **Enter**.
+
+LDAP monitoring has been configured for Threat Manager.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md
new file mode 100644
index 0000000000..f40854571c
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md
@@ -0,0 +1,101 @@
+---
+title: "LSASS Guardian Tab"
+description: "LSASS Guardian Tab"
+sidebar_position: 50
+---
+
+# LSASS Guardian Tab
+
+The LSASS Guardian tab allows users to modify settings that were populated with the information
+entered when the host was added to prevent, monitor, or block LSASS code injections.
+
+![Operations Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp)
+
+After checking the Enable LSASS Guardian box, the following event filters can be modified on the
+sub-tabs:
+
+- Operations
+- Processes
+- Servers
+- Users
+
+Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
+like an "ALL" for that filter set.
+
+:::info
+Add exclusion process filters for legitimate processes that make changes to
+LSASS, e.g. third-party malware applications.
+:::
+
+
+## Operations
+
+The Operations option filters for successful events, failed events, or both.
+
+![Operations Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp)
+
+The Open Process Flags section is where monitoring can be scoped for requested handles that would
+maliciously impact LSASS processes.
+
+Check the box to select the process flag(s) to be monitored:
+
+- PROCESS_VM_WRITE – Writes to memory in a process
+- PROCESS_CREATE_THREAD – Creates a thread
+
+## Processes
+
+The Processes option is where legitimate processes, which make changes to LSASS, e.g. third-party
+malware applications, can be included/excluded from being monitored by the policy.
+
+![Processes Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/processes.webp)
+
+Double-click the text box beneath Name to enter the desired processes to include or exclude. Press
+the Enter or Tab key to add another text box.
+
+:::note
+While a processes inclusion is a filter option, it is not recommended for monitoring
+LSASS. Adding a process inclusion filter will limit the scope to only monitor that process. Unknown
+malicious processes would not be monitored in this case.
+:::
+
+
+## Servers
+
+The Servers option targets servers to be included or excluded when filtering for LSASS changes.
+
+![Servers Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp)
+
+In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS
+Domain name and SERVER is NetBIOS server name.
+
+Double-click the textbox beneath Name to enter the desired servers to include or exclude. Press the
+Enter or Tab key to add another textbox.
+
+## Users
+
+The Users option is where the policy can be scoped to only monitor specific security principals
+committing changes within Active Directory or to exclude specific users committing changes from
+being monitored.
+
+![Users Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp)
+
+The following details appear beneath both sections:
+
+- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked,
+ the filter is only applied to the listed context.
+- Type – Field must describe the type of the select Active Directory object and can have the
+ following values:
+
+ - user – Indicates that selected object is user
+ - group – Indicates that selected object is group
+ - context – Indicates that selected object is container
+ - sidType – Indicates that selected object is well-known SID type
+
+- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax,
+ e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form
+ of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'.
+
+Double-click the text box beneath Distinguished Name to enter the desired group types to include or
+exclude. Double-click the text box beneath Type to enter the desired AD object to include or
+exclude. Press the Enter or Tab key to add another text box. Check the box under Subtree to include
+or exclude child contexts.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/overview.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/overview.md
new file mode 100644
index 0000000000..edc9308eb0
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/overview.md
@@ -0,0 +1,23 @@
+---
+title: "AD Monitoring Configuration Window"
+description: "AD Monitoring Configuration Window"
+sidebar_position: 10
+---
+
+# AD Monitoring Configuration Window
+
+On the Monitored Domains tab, select the domain and click **Edit** to open the AD Monitoring
+Configuration window.
+
+![AD Monitoring Configuration - Global Filters Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp)
+
+This initially configured when the AD Agent is deployed to a domain controller. However, the
+monitoring configuration can be edited after that. Use the following tabs to modify monitoring of AD
+events:
+
+- [Global Filters Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md)
+- [Changes Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/changes.md)
+- [Authentication Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md)
+- [Replication Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/replication.md)
+- [LSASS Guardian Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md)
+- [LDAP Monitor Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md)
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/replication.md b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/replication.md
new file mode 100644
index 0000000000..42990b4526
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/replication.md
@@ -0,0 +1,89 @@
+---
+title: "Replication Tab"
+description: "Replication Tab"
+sidebar_position: 40
+---
+
+# Replication Tab
+
+The Replication tab on a domain’s Configuration window monitors domain controller syncing and
+replication.
+
+![Servers Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp)
+
+After checking the Enable Replication box, the following event filters can be modified on the
+sub-tabs:
+
+- Host (From)
+- Servers
+- Users
+
+Each filter tab acts like an “AND” statement for the filter. Any filter tab left blank is treated
+like an ALL for that filter set.
+
+Windows cannot detect if a sync request is coming from a legitimate domain controller. This option
+is designed to monitor requests from computers that are not ‘excluded’ by the policy. Therefore,
+legitimate domain controllers should be identified in the event filters.
+
+## Host (From) Filter
+
+The Hosts (From) option is where the policy can be scoped to only monitor specific hosts as
+originators of an authentication event or to exclude specific hosts from being monitored for
+authentication events.
+
+![Host (From) Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp)
+
+Underneath each section, there are additional Host details:
+
+- IP – Field must contain IP address, e.g. 123.456.7.890
+- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com
+- Netbios – Field must contain NetBIOS name of the host, e.g. dc01
+
+Double-click the textboxes within the column, then enter all three methods of identification for a
+host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host
+from replication event collection.
+
+The Threat Manager DC Sync threat is sourced by the Activity Monitor's Replication AD monitoring
+configuration. It is necessary for it to be configured to exclude domain controllers on the Host
+(From) filter.
+
+## Servers Filter
+
+The Servers option targets servers to be included or excluded when filtering for replication.
+
+![Servers Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp)
+
+In both cases, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain
+name and SERVER is NetBIOS server name.
+
+Double-click the text box beneath Name to enter the desired servers to include or exclude. Press the
+Enter or Tab key to add another text box.
+
+## Users Filter
+
+The Users option is where the policy can be scoped to only monitor specific security principals
+committing changes within Active Directory or to exclude specific users committing changes from
+being monitored
+
+![Users Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp)
+
+The following details appear beneath both sections:
+
+- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked,
+ the filter is only applied to the listed context.
+- Type – Field must describe the type of the select Active Directory object and can have the
+ following values:
+
+ - user – Indicates that selected object is user
+ - group – Indicates that selected object is group
+ - context – Indicates that selected object is container
+ - sidType – Indicates that selected object is well-known SID type
+
+- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax,
+ e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form
+ of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'.
+
+Double-click the text box beneath Distinguished Name to enter the desired group types to include or
+exclude. Double-click the text box beneath Type to enter the desired AD object to include or
+exclude. Press the Enter or Tab key to add another textbox. Check the box under Subtree to include
+or exclude child contexts.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/output/_category_.json b/docs/activitymonitor/10.0/admin/monitoreddomains/output/_category_.json
new file mode 100644
index 0000000000..fca4ddfb78
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/output/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Output for Monitored Domains",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "output"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/output/activedirectoryjson.md b/docs/activitymonitor/10.0/admin/monitoreddomains/output/activedirectoryjson.md
new file mode 100644
index 0000000000..c5a046c00b
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/output/activedirectoryjson.md
@@ -0,0 +1,61 @@
+---
+title: "Active Directory JSON Log File"
+description: "Active Directory JSON Log File"
+sidebar_position: 10
+---
+
+# Active Directory JSON Log File
+
+The following information lists all of the attributes generated by Active Directory Activity Monitor
+into a JSON log file:
+
+| Attributes | Description |
+| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AffectedObject | If resolved, contains DN of the object affected by operation; otherwise, some textual representation of the object |
+| AffectedObjectAccountName | If resolved, contains account name of the object affected by operation |
+| AffectedObjectSid | If resolved, contains Sid of the object affected by operation |
+| AgentDomain | Domain where SI agent is installed |
+| AgentHost | Host name where SI agent is installed |
+| AgentIP | IP address where SI agent is installed. If multiple IP addresses, one of them is reported. |
+| AuthenticationType | Indicates type of the authentication event. Possible values: Kerberos, NTLM. |
+| AuthProtocol | Indicates authentication protocol. Possible values: Unknown, Kerberos, KerberosTgs, KerberosAS, NTLM, NTLMv1, NTLMMixed, NTLMv2. |
+| Blocked | Indicates if operation was blocked by SI agent. Blocking policies are required. |
+| ClassName | Affected object class |
+| DesiredAccess | Security and access rights requested during OpenProcess invoke. List of possible values can be found at:  [https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights](https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights). |
+| EncryptionType | Indicates encryption type used in request part of the Kerberos ticket. Possible values: des_cbc_crc, des_cbc_md4, des_cbc_md5, reserved_0x4, des3_cbc_md5, reserved_0x6, des3_cbc_sha1, dsaWithSHA1, md5WithRSAEncryption, rc2CBC, rsaEncryption, rsaES, des_ede3_cbc, des3_cbc_sha1_kd, aes128, aes256, rc4_hmac, rc4_hmac_exp, subkey_keymaterial. |
+| EventResult | Result of the operation triggered current event |
+| EventType | Identifies event |
+| EventsCount | Number of similar events captured during consolidation period which is 1 minute by default |
+| From | Contains raw representation of the machine from which event was triggered |
+| FromHost | If resolved, contains host name of the machine from which event was triggered |
+| FromIp | If resolved, contains the IP address of the machine from which event was triggered |
+| FromMac | If resolved, contains mac address of the machine from which event was triggered |
+| IsN2Password | Indicates if password that was used for authentication is a previous or one before previous |
+| IsUserExist | Indicates if user exists |
+| KerbAuthTime | Time at which KDC issued the initial ticket that corresponds to this ticket |
+| KerbEndTime | Ticket expiration time |
+| KerbRenewTill | Latest time at which renewal of ticket can be valid |
+| KerbSPN | Service principal name for which ticket was requested |
+| KerbStartTime | Ticket start time |
+| LogonType | Contains SECURITY_LOGON_TYPE. More details at [https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type](https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type). |
+| NewAttributes | Map of new attributes where key is name and value attribute value |
+| NewName | New name of the AD object |
+| NlpLogonType | NTLM logon type. Possible values: Unknown, Interactive, Network, Service, Generic, TransitiveInteractive, TransitiveNetwork, TransitiveService |
+| OldAttributes | Map of old attributes where key is attribute name and value attribute value |
+| PAC | List of RIDs extracted from ticket authorization data |
+| ProcessID | Contains process ID that attempted to open LSASS process |
+| ProcessName | Contains process name that attempted to open LSASS process |
+| Protocol | Operation specific details |
+| QueryFilter | LDAP filter used in the operation |
+| QueryIsSSL | Indicates if LDAP connection is secure or not |
+| QueryObjectsReturned | Number of returned objects produced by the LDAP request |
+| Source | Indicates source of the operation. Currently can be: ‘Authentication’, ‘Active Directory’, ‘LSASS Guardian – Monitor’, ‘LDAP Monitor’, ‘AD Replication Monitoring’. |
+| Success | Indicates if original operation completed successfully or not |
+| TargetHost | Contains host name to which authentication attempt took place. In case of failed Kerberos AS, this field contains name of the domain controller. |
+| TargetHostIP | If resolved, contains IP address of the target host |
+| TargetProcess | Contains process name that is monitored. Currently this is only lsass.exe. |
+| TgsReplyEncryptionType | Indicates encryption type used in reply part of the TGS Kerberos ticket. Possible values the same as for EncryptionType. |
+| TimeLogged | UTC timestamp of the event |
+| UserDN | If resolved, contains DN of the object triggered operation |
+| UserName | If resolved, contains account name of the object triggered operation |
+| UserSid | If resolved, contains SID of the object triggered operation |
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md b/docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md
new file mode 100644
index 0000000000..6a12186d49
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md
@@ -0,0 +1,89 @@
+---
+title: "Output for Monitored Domains"
+description: "Output for Monitored Domains"
+sidebar_position: 20
+---
+
+# Output for Monitored Domains
+
+Once a domain is being monitored the event stream can be sent to multiple outputs.
+
+![Monitored Domains tab with Domain Outputs added](/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp)
+
+Configured outputs are grouped under the domain. You can have multiple outputs configured for a
+domain. The domain event outputs are:
+
+- File – Creates an activity log as a JSON file for every day of activity
+
+ :::note
+ This is required to search event data for Active Directory within the application.
+ :::
+
+
+- Syslog – Sends activity events to the configured SIEM server
+- Netwrix Threat Manager – Sends activity events to Netwrix Threat Manager or
+ receives Active Directory monitoring events from Netwrix Threat Prevention for integration with
+ Netwrix Access Analyzer
+
+## Add File Output
+
+Follow the steps to add a File output.
+
+**Step 1 –** On the Monitored Domains tab, select the desired domain and click **Add Output**.
+
+**Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens.
+
+![Log Files configuration](/images/activitymonitor/9.0/admin/monitoreddomains/logfiles.webp)
+
+**Step 3 –** Configure the tab(s) as desired.
+
+**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
+
+The new output displays in the table. Click the **Edit** button to open the Output properties window
+to modify these settings. See the [Output Types](/docs/activitymonitor/10.0/admin/outputs/overview.md) topic for additional
+information.
+
+## Add Syslog Output
+
+Follow the steps to add a Syslog output.
+
+**Step 1 –** On the Monitored Domains tab, select the desired domain and click **Add Output**.
+
+**Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens.
+
+![Syslog Properties](/images/activitymonitor/9.0/admin/monitoreddomains/syslogudp.webp)
+
+**Step 3 –** Configure the tab(s) as desired.
+
+**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
+
+The new output displays in the table. Click the **Edit** button to open the Output properties window
+to modify these settings. See the [Output Types](/docs/activitymonitor/10.0/admin/outputs/overview.md) topic for additional
+information.
+
+## Add Netwrix Threat Manager Output
+
+:::note
+An App Token created by Netwrix Threat Manager is used to authenticate connection between
+the applications. See the App Tokens Page topic of the
+[Netwrix Threat Manager Documentation](https://docs.netwrix.com/docs/threatmanager/3_0) for
+additional information.
+:::
+
+
+Follow the steps to add a Netwrix Threat Manager output.
+
+**Step 1 –** On the Monitored Domains tab, select the desired domain and click **Add Output**.
+
+**Step 2 –** Select **Netwrix Threat Manager** from the drop-down menu. The Add New
+Output window opens.
+
+![Threat Manager Properties](/images/activitymonitor/9.0/admin/monitoreddomains/stealthdefendproperties.webp)
+
+**Step 3 –** Configure the tab(s) as desired.
+
+**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
+
+The new output displays in the table. Click the **Edit** button to open the Output properties window
+to modify these settings. See the [Output Types](/docs/activitymonitor/10.0/admin/outputs/overview.md) topic for additional
+information.
diff --git a/docs/activitymonitor/10.0/admin/monitoreddomains/overview.md b/docs/activitymonitor/10.0/admin/monitoreddomains/overview.md
new file mode 100644
index 0000000000..885fb2f732
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoreddomains/overview.md
@@ -0,0 +1,82 @@
+---
+title: "Monitored Domains Tab"
+description: "Monitored Domains Tab"
+sidebar_position: 20
+---
+
+# Monitored Domains Tab
+
+**Understanding Active Directory Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following Active Directory changes:
+
+- Success and Failure on Object Create
+- Success and Failure on Object Delete
+- Success and Failure on Object Rename
+- Success and Failure on Object Move
+- Success and Failure on Logon
+- LDAP Activity Monitoring
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+- Netwrix Threat Manager
+
+It also provides the ability to feed activity data to SIEM products.
+
+**Agents**
+
+For monitoring an Active Directory domain, the AD Agent must be installed on all domain controllers
+within the domain to be monitored.
+
+**Tab**
+
+Once the AD Agent(s) installation is complete on a domain controller, the domain appear on the
+Monitored Domains tab. The tab is not visible within the console until at least one AD Agent has
+been deployed.
+
+This tab is comprised of a button bar and a table of domains being monitored. The events stream
+output needs to be designated to view data after an activity search has been performed.
+
+## Button Bar
+
+The button bar allows users to take the following actions:
+
+![Monitored Domains Tab in the Activiy Monitor](/images/activitymonitor/9.0/admin/monitoreddomains/activtymonitorblank.webp)
+
+- Add Output – Select an output from the Add Output dropdown. The outputs are: File, Syslog, and
+ Threat Manager. See the [Output for Monitored Domains](/docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md)
+- Remove – Removes the configured domain from the table of domains being monitored and end
+ monitoring. Confirmation of this option will be asked for.
+- Edit – Opens the selected AD Monitoring Configuration window to modify monitoring settings. See
+ the [AD Monitoring Configuration Window](/docs/activitymonitor/10.0/admin/monitoreddomains/admonitoringconfiguration/overview.md) topic for
+ additional information.
+
+## Table
+
+The table of Domains being monitored provides the following information:
+
+![Monitored Domains Tab with Domain Outputs added](/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp)
+
+- Domain – Name or IP Address of the domain being monitored
+
+ :::note
+ The same domain can be monitored for different outputs. Each output is listed under
+ the domain with destination information.
+ :::
+
+
+- Master – Name or IP Address of the domain controller where the AD agent is deployed
+- Last Event – Date timestamp of the last event
+
+## Monitoring Status
+
+The Error Propagation collapsible section located above the Status Bar of the Activity Monitor
+provides visibility into a domain's monitoring state. Domain monitoring status is depicted in the
+Monitored Domains table under the Status column. Users can expand the Error Propagation section to
+view more information on various status conditions.
+
+![Error Propagation](/images/activitymonitor/9.0/admin/monitoreddomains/errorpropagation.webp)
+
+Click the **Down Arrow** to expand the Error Propagation section. The information listed is
+dependent on which domain is currently selected in the Monitored Domains table.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/_category_.json b/docs/activitymonitor/10.0/admin/monitoredhosts/_category_.json
new file mode 100644
index 0000000000..b5822ef440
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Monitored Hosts Tab",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/_category_.json b/docs/activitymonitor/10.0/admin/monitoredhosts/add/_category_.json
new file mode 100644
index 0000000000..dfb29708e2
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Add New Host Window",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md
new file mode 100644
index 0000000000..04223b9586
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md
@@ -0,0 +1,35 @@
+---
+title: "Azure Files"
+description: "Add Azure Files Storage Accounts"
+sidebar_position: 11
+---
+
+# Add Azure Files Storage Accounts
+
+Prior to adding Azure Files storage accounts to the Activity Monitor, the prerequisites for the target environment
+must be met. See the [Azure Files Requirements](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md)
+topic for additional information.
+
+Follow the steps to add Azure Files storage accounts to be monitored.
+
+1. On the **Monitored Hosts & Services** page, select **Add Host/Service**.
+2. Select the agent that will be monitoring Azure Files, and then select **Next**.
+3. Select **Azure Files**, specify the tenant’s domain name, and then select **Next**.
+4. On the **Connection** page, specify the Tenant ID (if it was not resolved automatically), Client ID, and Client Secret—values
+copied in the previous steps during application registration.
+5. Select **Connect**.
+The button will verify the connection to Azure, enumerate all storage accounts, and retrieve their settings visible to the registered application.
+
+:::note
+If the product fails to enumerate storage accounts, the RBAC roles were either assigned incorrectly or have not yet become effective. Retry later.
+:::
+
+6. On the **Storage Accounts** page, select the storage accounts to be monitored, and then select **Next**.
+7. Complete the wizard by selecting operations and output settings.
+
+:::tip
+You can use this wizard multiple times to add newly created storage accounts—already added accounts will be ignored.
+:::
+
+8. Check the status of the added storage accounts on the **Monitored Hosts & Services** page.
+Address any audit setting misconfigurations or missing RBAC roles.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md
new file mode 100644
index 0000000000..6591654504
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md
@@ -0,0 +1,229 @@
+---
+title: "Dell Celerra or VNX"
+description: "Dell Celerra or VNX"
+sidebar_position: 12
+---
+
+# Dell Celerra or VNX
+
+**Understanding File Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following:
+
+- Ability to collect all or specific file activity for specific values or specific combinations of
+ values
+
+It provides the ability to feed activity data to SIEM products. The following dashboards have been
+specifically created for Activity Monitor event data:
+
+- For IBM® QRadar®, see the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional
+ information.
+- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for
+ additional information.
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+- Netwrix Threat Prevention
+- Netwrix Threat Manager
+
+Prior to adding a Dell Celerra or VNX host to the Activity Monitor, the prerequisites for the target
+environment must be met. See the
+[Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+## Add Dell VNX/Celerra Host
+
+Follow the steps to add a Dell Celerra or VNX host to be monitored.
+
+**Step 1 –** Navigate to the Monitored Hosts & Services tab and click Add. The Add New Host window opens.
+
+![Choose Agent Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click
+**Next**.
+
+![Add Dell VNX or Celerra Host](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcvnxcelerra.webp)
+
+**Step 3 –** On the Add Host page, select the Dell VNX/Celerra radio button and enter the **CIFS
+Server NetBIOS Name** for the device. If desired, add a **Comment**. Click **Next**.
+
+:::note
+All Dell event source types must have the CEE Monitor Service installed on the agent in
+order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and
+display a warning to install the service. If the CEE Monitor service is installed on a remote
+machine, manual configuration is required. See the
+[Dell CEE Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md) topic for additional information.
+:::
+
+
+![Protocol Monitoring Options](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp)
+
+**Step 4 –** On the Protocols page, select which protocols to monitor. The list of protocols that
+can be monitored are All, CIFS, or NIFS. Click **Next**.
+
+![Configure Operations Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp)
+
+**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory
+Operations** to be monitored. Additional options include:
+
+:::warning
+Suppress Microsoft Office operations on temporary files – Filters out events for
+Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary
+files are created. With this option enabled, events for these temporary files are ignored. This
+feature may delay reporting of activity.
+:::
+
+
+Click **Next**.
+
+![Configure Basic Options Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp)
+
+**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The "Log files"
+are the activity logs created by the activity agent on the proxy host. Select the desired options:
+
+- Report account names – Adds an **Account Name** column in the generated TSV files
+- Add C:\ to the beginning of the reported file paths – Adds 'C:\" to file paths to be displayed
+ like a Windows file path:
+ - Display example if checked – C:\Folder\file.txt
+ - Display example if unchecked – /Folder/file.text
+- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated
+ TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - For NFS activity – `[HOST]:/[VOLUME]/[PATH]`
+ - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. If a file is accessed locally, these columns are empty. These columns
+ have also been added as Syslog macros.
+ - When this option is selected, the user needs to provide credentials in the Auditing tab. If
+ credentials are not provided, the following warning message is displayed:
+ - Credentials are required for this feature. Provide the credentials in the Auditing tab.
+- Report operations with millisecond precision – Changes the timestamps of events being recorded in
+ the TSV log file for better ordering of events if multiple events occur within the same second
+
+Click **Next**.
+
+![Where to Log the Activity Page Generic](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File** or **Syslog Server**. Click **Next**.
+
+![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp)
+
+**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured.
+
+- Specify output file path – Specify the file path where log files are saved. Click the ellipses
+ button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test**
+ to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered number of days
+ entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a
+ set amount of Minutes, Hours, or Days.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Netwrix Access Analyzer when integration is available.
+ :::
+
+
+ - While the Activity Monitor can have multiple configurations per host, Access Analyzer can only
+ read one of them.
+
+- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk.
+
+Click **Next**.
+
+![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp)
+
+**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the text box.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization's environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the Message framing drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The
+ following Syslog templates have been provided:
+ - AlienVault / Generic Syslog
+ - CEF – Incorporates the CEF message format
+ - HP Arcsight
+ - LEEF – Incorporates the LEEF message format
+ - LogRhythm
+ - McAfee
+ - QRadar – Use this template for IBM QRadar integration
+ - Splunk – Use this template for Splunk integration
+ - Threat Manager – Use this template for Threat Manager integration. This is the only supported
+ template for Threat Manager. See the
+ [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend)
+ for additional information.
+ - Custom templates can be created. Select the desired template or create a new template by
+ modifying an existing template within the Syslog Message Template window. The new message
+ template will be named Custom.
+- Add C:\ to the beginning of the reported file paths – Adds 'C:\" to file paths to be displayed
+ like a Windows file path:
+ - Display example if checked – C:\Folder\file.txt
+ - Display example if unchecked – /Folder/file.text
+- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated
+ TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - For NFS activity – `[HOST]:/[VOLUME]/[PATH]`
+ - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. If a file is accessed locally, these columns are empty. These columns
+ have also been added as Syslog macros.
+ - When this option is selected, the user needs to provide credentials in the Auditing tab. If
+ credentials are not provided, the following warning message is displayed:
+ - Credentials are required for this feature. Provide the credentials in the Auditing tab.
+- The Test button – Sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![activitymonitoremcvnxcelerra](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp)
+
+The added Dell Celerra or VNX host is displayed in the Monitored Hosts & Services table. Once a host has been
+added for monitoring, configure the desired outputs. See the
+[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information.
+
+## Host Properties for Dell Celerra or VNX
+
+Configuration settings can be edited through the tabs in the host's Properties window. The
+configurable host properties are:
+
+- [Dell Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+- [Unix IDs Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md
new file mode 100644
index 0000000000..89df1c6f54
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md
@@ -0,0 +1,273 @@
+---
+title: "Dell Isilon/PowerScale"
+description: "Dell Isilon/PowerScale"
+sidebar_position: 20
+---
+
+# Dell Isilon/PowerScale
+
+**Understanding File Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following:
+
+- Ability to collect all or specific file activity for specific values or specific combinations of
+ values
+
+It provides the ability to feed activity data to SIEM products. The following dashboards have been
+specifically created for Activity Monitor event data:
+
+- For IBM® QRadar®, see the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional
+ information.
+- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for
+ additional information.
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+- Netwrix Threat Prevention
+- Netwrix Threat Manager
+
+Prior to adding a Dell Isilon/PowerScale host to the Activity Monitor, the prerequisites for the
+target environment must be met. See the
+[Dell Isilon/PowerScale Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+## Add Dell Isilon/PowerScale Host
+
+Follow the steps to add a Dell Isilon/PowerScale host to be monitored.
+
+**Step 1 –** Navigate to the Monitored Hosts & Services tab and click Add. The Add New Host window opens.
+
+![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click
+**Next**.
+
+![Add Host page with Dell Isilon selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcisilon.webp)
+
+**Step 3 –** On the Add Host page, select the Dell Isilon radio button and enter both the **Server
+name or address** and the **CIFS/NFS server name** for the device. The CIFS/NFS server name can be
+left blank to collect activity from the Isilon cluster. If desired, add a **Comment**. Click
+**Next**.
+
+:::note
+All Dell event source types must have the CEE Monitor Service installed on the agent in
+order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and
+display a warning to install the service. If the CEE Monitor service is installed on a remote
+machine, manual configuration is required. See the
+[Dell CEE Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md) topic for additional information.
+:::
+
+
+![Isilon Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonoptions.webp)
+
+**Step 4 –** On the Isilon Options page, choose whether or not to automatically enable and configure
+auditing on the Isilon cluster. If a manual configuration has been completed, do not enable these
+options.
+
+Follow these steps to use this automated option:
+
+- Check the **Enable Protocol Access Auditing in OneFS if it is disabled** box.
+- Enter the User name and User password to connect to the OneFS Platform API.
+
+ :::note
+ The User name entered must be an Administrator account on the Dell Isilon device.
+ :::
+
+
+- Click Connect to test the connection. If the connection is successful, discovered access zones is
+ displayed in the **Available** box.
+- Access Zones:
+
+ - By default, the **Monitored** box is left empty and all available access zones are monitored.
+ All activity for the host is collected and placed in a single activity log file per day.
+
+ - If access zones are selected, only those access zones are monitored and the activity is placed
+ in a single activity log file per day.
+ - Use the arrow buttons to move the desired access zones to the **Monitored** box.
+ - (_Optional_) Activity log files can be generated for each access zone. In order to generate
+ one activity log file for each access zone, add only one access zone to this configuration of
+ the monitored host. Then, add the host again for each access zone to be monitored. When adding
+ an Isilon host for each access zone, the Dell device name will be the same for each
+ configuration, but the **CIFS/NFS server name** must have a unique value.
+
+ :::note
+ Although the Isilon Options page allows multiple access zones to be placed in the
+ Monitored box for a single Isilon host, when generating separate activity log files for each
+ access zones, Access Analyzer does not support this configuration. Access Analyzer
+ integration requires all access zones to be monitored from a single configuration.
+ :::
+
+
+Click **Next**.
+
+![Protocols selection page](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp)
+
+**Step 5 –** On the Protocols page, select which protocol to monitor. The list of protocols that can
+be monitored are All, CIFS, or NIFS. Click **Next**.
+
+![Configure Operations page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp)
+
+**Step 6 –** On the Configure Operations page, select the **File Operations** and **Directory
+Operations** options to be monitored. Additional options include:
+
+:::warning
+Suppress Microsoft Office operations on temporary files – Filters out events for
+Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary
+files are created. With this option enabled, events for these temporary files are ignored. This
+feature may delay reporting of activity.
+:::
+
+
+Click **Next**.
+
+![Configure Basic Options](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp)
+
+**Step 7 –** On the Configure Basic Options page, choose which settings to enable. The “Log files”
+are the activity logs created by the activity agent on the proxy host. Select the desired options:
+
+- Report account names – Adds an **Account Name** column in the generated TSV files
+- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed
+ like a Windows file path:
+ - Display example if checked – C:\Folder\file.txt
+ - Display example if unchecked – /Folder/file.text
+- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated
+ TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - For NFS activity – `[HOST]:/[VOLUME]/[PATH]`
+ - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. If a file is accessed locally, these columns are empty. These columns
+ have also been added as Syslog macros.
+ - When this option is selected, the user needs to provide credentials in the Auditing tab. If
+ credentials are not provided, the following warning message is displayed:
+ - Credentials are required for this feature. Provide the credentials in the Auditing tab.
+- Report operations with millisecond precision – Changes the timestamps of events being recorded in
+ the TSV log file for better ordering of events if multiple events occur within the same second
+
+Click **Next**.
+
+![Where to Log the Activity Page Generic](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 8 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File** or **Syslog Server**. Click **Next**.
+
+![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp)
+
+**Step 9 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured.
+
+- Specify output file path – Specify the file path where log files are saved. Click the ellipses
+ button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test**
+ to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered number of days
+ entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a
+ set amount of Minutes, Hours, or Days.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Netwrix Access Analyzer when integration is available.
+ :::
+
+
+ - While the Activity Monitor can have multiple configurations per host, Access Analyzer can only
+ read one of them.
+
+- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk.
+
+Click **Next**.
+
+![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp)
+
+**Step 10 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the text box.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the Message framing drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The
+ following Syslog templates have been provided:
+ - AlienVault / Generic Syslog
+ - CEF – Incorporates the CEF message format
+ - HP Arcsight
+ - LEEF – Incorporates the LEEF message format
+ - LogRhythm
+ - McAfee
+ - QRadar – Use this template for IBM QRadar integration
+ - Splunk – Use this template for Splunk integration
+ - Threat Manager – Use this template for Threat Manager integration. This is the only supported
+ template for Threat Manager. See the
+ [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend)
+ for additional information.
+ - Custom templates can be created. Select the desired template or create a new template by
+ modifying an existing template within the Syslog Message Template window. The new message
+ template will be named Custom.
+- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed
+ like a Windows file path:
+ - Display example if checked – C:\Folder\file.txt
+ - Display example if unchecked – /Folder/file.text
+- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated
+ TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - For NFS activity – `[HOST]:/[VOLUME]/[PATH]`
+ - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. If a file is accessed locally, these columns are empty. These columns
+ have also been added as Syslog macros.
+ - When this option is selected, the user needs to provide credentials in the Auditing tab. If
+ credentials are not provided, the following warning message is displayed:
+ - Credentials are required for this feature. Provide the credentials in the Auditing tab.
+- The Test button – Sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![Activity Monitor with Dell Isilon added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcisilon.webp)
+
+The added Dell Isilon/PowerScale host is displayed in the monitored hosts/services table. Once a host has
+been added for monitoring, configure the desired outputs. See the
+[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information.
+
+## Host Properties for Dell Isilon/PowerScale
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [Dell Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md)
+- [Auditing Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md)
+- [Unix IDs Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerstore.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerstore.md
new file mode 100644
index 0000000000..05c817c5b6
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerstore.md
@@ -0,0 +1,197 @@
+---
+title: "Dell PowerStore"
+description: "Dell PowerStore"
+sidebar_position: 30
+---
+
+# Dell PowerStore
+
+**Understanding File Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following:
+
+- Ability to collect all or specific file activity for specific values or specific combinations of
+ values
+
+It provides the ability to feed activity data to SIEM products. The following dashboards have been
+specifically created for Activity Monitor event data:
+
+- For IBM® QRadar®, see the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional
+ information.
+- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for
+ additional information.
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Threat Prevention
+- Netwrix Threat Manager
+
+Prior to adding a Dell PowerStore host to the Activity Monitor, the prerequisites for the target
+environment must be met. See the
+[Dell PowerStore Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+## Add Dell PowerStore Host
+
+Follow the steps to add a Dell PowerStore host to be monitored.
+
+**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. The Add New Host
+window opens.
+
+![addagent01](/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp)
+
+**Step 2 –** On the **Choose Agent** page, select the Agent to monitor the file server.
+Click**Next**.
+
+![powerstoreaddhost01](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost01.webp)
+
+**Step 3 –** On the Add Host page, select the Dell PowerStore radio button and enter the file server
+name. Click **Next**.
+
+:::note
+All Dell event source types must have the CEE Monitor Service installed on the agent in
+order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and
+display a warning to install the service. If the CEE Monitor service is installed on a remote
+machine, manual configuration is required. See the
+[Dell CEE Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md) topic for additional information.
+:::
+
+
+![powerstoreaddhost02](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost02.webp)
+
+**Step 4 –** On the Protocols page, specify the protocols to monitor. The list of protocols that can
+be monitored are, All, CIFS, or NFS. Once a protocol is selected, click **Next**.
+
+![powerstoreaddhost03](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost03.webp)
+
+**Step 5 –** On the Configure Operations page, select the File Operations and Directory Operations
+to be monitored.
+
+- Suppress reporting of File Explorer's excessive directory traversal activity – Filters out events
+ of excessive directory traversal in File Explorer.
+
+Click **Next**.
+
+![powerstoreaddhost04](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost04.webp)
+
+**Step 6 –** On the Configure Basic Operations page, choose which settings to enable. Select one of
+the following options:
+
+- Report account names – Adds an Account Name column in the generated TSV files.
+
+- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed
+ like a Windows file path:
+ - Display example if checked – C:\Folder\file.txt
+ - Display example if unchecked – /Folder/file.text
+- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - For NFS activity – `[HOST]:/[VOLUME]/[PATH]`
+ - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. These columns have also been added as Syslog macros.
+- Report operations with millisecond precision – Changes the timestamps of events being recorded in
+ the TSV log file for better ordering of events if multiple events occur within the same second.
+
+Click **Next**.
+
+![powerstoreaddhost05](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost05.webp)
+
+**Step 7 –** On the Where to log the activity page, select whether to send the activity to either a
+Log File or Syslog Server. Click **Next**.
+
+:::note
+An option must be selected before moving to the next step.
+:::
+
+
+![powerstoreaddhost06](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost06.webp)
+
+**Step 8 –** If Log File is selected on the Where To Log The Activity page, the File Output page can
+be configured.
+
+- Specify output file path – Specify the file path where TSV log files are saved on the agent's
+ server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder
+ destination. Click **Test** to test if the path works.
+
+- Period to keep Log files – Log files will be deleted after the period entered as the number of
+ days elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files
+ for a set amount of Minutes, Hours, or Days. This retention setting applies both to the local
+ files on the agent's server and to the archived files.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Access Analyzer when integration is
+ available.
+ :::
+
+
+ :::note
+ While Activity Monitor can have multiple configurations for log file outputs per host,
+ Access Analyzer can only read one of them.
+ :::
+
+
+- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk.
+
+ :::note
+ Access Analyzer does not support log files with the header.
+ :::
+
+
+Click **Next**.
+
+![powerstoreaddhost07](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost07.webp)
+
+**Step 9 –** If Syslog Server is selected on the Where To Log The Activity page, the Syslog Output
+page can be configured.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the **Message framing** drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![powerstoreaddhost08](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost08.webp)
+
+The added Dell PowerStore host is displayed in the monitored hosts/services table. Once a host has been added
+for monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md)
+topic for additional information.
+
+## Host Properties for Dell PowerStore
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [Dell Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellunity.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellunity.md
new file mode 100644
index 0000000000..a226fc4eea
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellunity.md
@@ -0,0 +1,229 @@ +--- +title: "Dell Unity" +description: "Dell Unity" +sidebar_position: 40 +--- + +# Dell Unity + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Dell Unity host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Dell Unity Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md) topic for +additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Dell VNX/Celerra Host + +Follow the steps to add a Dell Unity host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent window](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. 
+ +![Add Host window with Dell Unity selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhostemcunity.webp) + +**Step 3 –** On the Add Host page, select the Dell Unity radio button and enter the **NAS Server +Name** for the device. If desired, add a **Comment**. Click **Next**. + +:::note +All Dell event source types must have the CEE Monitor Service installed on the agent in +order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and +display a warning to install the service. If the CEE Monitor service is installed on a remote +machine, manual configuration is required. See the +[Dell CEE Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md) topic for additional information. +::: + + +![Protocol Monitoring Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp) + +**Step 4 –** On the Protocols page, select which protocols to monitor. The protocols that can be +monitored are All, CIFS, or NIFS. Click **Next**. + +![Configure Operations Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** to be monitored. Additional options include: + +:::warning +Suppress Microsoft Office operations on temporary files – Filters out events for +Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary +files are created. With this option enabled, events for these temporary files are ignored. This +feature may delay reporting of activity. +::: + + +Click **Next**. + +![Configure Basic Options Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. 
Select the desired options: + +- Report account names – Adds an **Account Name** column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. 
+ +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the text box. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. 
The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The + following Syslog templates have been provided: + - AlienVault / Generic Syslog + - CEF – Incorporates the CEF message format + - HP Arcsight + - LEEF – Incorporates the LEEF message format + - LogRhythm + - McAfee + - QRadar – Use this template for IBM QRadar integration + - Splunk – Use this template for Splunk integration + - Threat Manager – Use this template for Threat Manager integration. This is the only supported + template for Threat Manager. See the + [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) + for additional information. + - Custom templates can be created. Select the desired template or create a new template by + modifying an existing template within the Syslog Message Template window. The new message + template will be named Custom. +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. 
The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- The Test button – Sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Dell Unity host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcunity.webp) + +The added Dell Unity host is displayed in the monitored hosts/service table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Dell Unity + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Dell Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md) +- [Unix IDs Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/entraid.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/entraid.md new file mode 100644 index 0000000000..2337d1dc38 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/entraid.md 
@@ -0,0 +1,162 @@ +--- +title: "Microsoft Entra ID" +description: "Microsoft Entra ID" +sidebar_position: 70 +--- + +# Microsoft Entra ID + +**Understanding Microsoft Entra ID Activity Monitoring** + +The Activity Monitor can be configured to monitor the following Microsoft Entra ID (formerly Azure +AD) changes: + +- Report Sign-In events +- Reports over 800 audit events in different categories, including: + +| | | | +| ----------------------- | ---------------------- | -------------------- | +| Administrative Unit | Application Management | Authentication | +| Authorization | Authorization Policy | Contact | +| Device | Device Configuration | Directory Management | +| Entitlement Management | Group Management | Identity Protection | +| Kerberos Domain | Key Management | Label | +| Permission Grant Policy | Policy | Policy Management | +| Resource Management | Role Management | User Management | + +- Reports on audit events across different services, including: + +| | | | | +| ----------------------------- | -------------------------------- | --------------------- | ------------------- | +| AAD Management UX | Access Reviews | Account Provisioning | Application Proxy | +| Authentication Methods | B2C | Conditional Access | Core Directory | +| Device Registration Service | Entitlement Management | Hybrid Authentication | Identity Protection | +| Invited Users | MIM Service | MyApps | PIM | +| Self-Service Group Management | Self-service Password Management | Terms of Use | | + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding aMicrosoft Entra ID host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Microsoft Entra ID Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/entraid-activity.md) topic +for additional information. 
+ +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Azure Active Directory / Entra ID Host + +Follow the steps to add a Microsoft Entra ID host to be monitored. + +**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Add Host - Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. + +![Add Host page](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostentraid.webp) + +**Step 3 –** On the Add Host page, select the **Azure Active Directory / Entra ID** radio button and +enter the Primary domain in the **Domain name** field. + +_(Optional)_ Enter a comment for the Microsoft Entra ID host. + +![entraidconnection](/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidconnection.webp) + +**Step 4 –** On the Azure AD / Entra ID Connection page, enter a Tenant ID, Client ID, and Client +Secret. Optional add a Region. Then click **Connect** to grant permissions to read the audit log. +Click **Open Instruction...** for steps on registering the Activity Monitor with Microsoft Entra ID. +Click **Next**. + +![Add Host - Azure AD Operations page](/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidoperations.webp) + +**Step 5 –** On the Azure AD / Entra ID Operations page, select which audit activity to monitor. +Click **Next**. 
+ +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 6 –** On the Where To Log The Activity page, select where to send the activity events: + +- Log file – Sends to a TSV or JSON file +- Syslog Server – Sends to a configured SIEM system +- Netwrix Threat Manager – Sends to Netwrix Threat Manager + +![fileoutputpage](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 7 –** If **Log Files** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. The configurable options are: + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Netwrix Access Analyzer – Enable this option to have Netwrix Access Analyzer collect this monitored + host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +Click **Next**. + +![syslogoutputpage](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. 
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Azure Active Directory in Activity Monitor](/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidadded.webp) + +The added Microsoft Entra ID host is displayed in the monitored hosts/service table. Once a host has been +added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information. + +## Host Properties for Microsoft Entra ID + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Connection Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md new file mode 100644 index 0000000000..8f4b848a9d --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md 
@@ -0,0 +1,143 @@ +--- +title: "Exchange Online" +description: "Exchange Online" +sidebar_position: 50 +--- + +# Exchange Online + +Prior to adding an Exchange Online host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Exchange Online Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/exchange-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Exchange Online Host + +Follow the steps to add an Exchange Online host to be monitored. + +**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Add Host - Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. + +![Add Host Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/addexchangeonline.webp) + +**Step 3 –** On the Add Host page, select the Exchange Online radio button and enter the domain +name. + +_(Optional)_ Enter a comment for the Exchange Online host. + +![Azure AD Connection - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/connection.webp) + +**Step 4 –** On the Azure AD / Entra ID Connection page, enter Tenant ID, Client ID, Client Secret, +and Region(optional) then click **Connect** to verify the connection.. Click **Open Instruction...** +for steps on registering the Activity Monitor with Microsoft Azure. Click **Next**. + +![operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/operations.webp) + +**Step 5 –** On the Exchange Online Operations page, configure the options found in the following +tabs: + +- Admin Activity +- Mailbox Audit +- DLP +- Other + +These options can be configured again in a Exchange Online host's properties window. 
See the +[Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) for additional information. Click **Next**. + +![Mailboxes to Exclude](/images/activitymonitor/9.0/admin/monitoredhosts/add/mailboxesexclude.webp) + +**Step 6 –** Click **Add Mailbox** to display the Select User dialog box. Specify the mailboxes that +will be filtered during collection. Click **Next**. + +![usersexclude](/images/activitymonitor/9.0/admin/monitoredhosts/add/usersexclude.webp) + +**Step 7 –** Click **Add User** to display the Select User dialog box. Specify the user or email +that will be filtered during collection. Click **Next**. + +![Where to log activity - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologactivity.webp) + +**Step 8 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. + +![File Output - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp) + +**Step 9 –** If **Log Files** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. The configurable options are: + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – Enable + this option to have Netwrix Access Analyzer collect this monitored + host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. 
+ ::: + + + - While the Activity Monitor can have multiple outputs per host, Netwrix Access Analyzer + can only read one of them. + +Click **Next**. + +![Syslog Output - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 10 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Exchange Online in Activity Monitor](/images/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.webp) + +The added Exchange Online host is displayed in the monitored hosts/service table. Once a host has been added +for monitoring, configure the desired outputs. 
See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) +topic for additional information. + +## Host Properties for Exchange Online + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Connection Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/hitachi.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/hitachi.md new file mode 100644 index 0000000000..fac32f537a --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/hitachi.md 
@@ -0,0 +1,167 @@ +--- +title: "Hitachi" +description: "Hitachi" +sidebar_position: 60 +--- + +# Hitachi + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Hitachi host to the Activity Monitor, the prerequisites for the target environment +must be met. See the +[Hitachi Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md) topic for +additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Hitachi NAS Host + +Follow the steps to add a Hitachi host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. Click +**Next**. 
+ +![Add Host page with Hitachi NAS selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhosthitachi.webp) + +**Step 3 –** On the Add Host page, select the Hitachi NAS radio button and enter the **EVS or file +system name** for the device. If desired, add a **Comment**. Click **Next**. + +![Hitachi NAS Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/hitachinasoptions.webp) + +**Step 4 –** On the Hitachi NAS Options page, enter the **Logs path (UNC)** and the **Active Log +file name**. Then enter the credentials to access the HNAS Log files. Click Connect to validate the +connection with the Hitachi device. Click **Next**. + +![Configure Operations page for Hitachi NAS](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationshitachi.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** to be monitored. Click **Next**. + +![Configure Basic Options page for Hitachi NAS](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionshitachi.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. 
These columns + have also been added as Syslog macros. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![Where To Log The Activity](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologtheactivity.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Netwrix Access Analyzer + collect this monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. 
+ +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Hitachi Host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorhitachi.webp) + +The added Hitachi host is displayed in the monitored hosts/service table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Hitachi + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Hitachi NAS Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/nasuni.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/nasuni.md new file mode 100644 index 0000000000..3a37be2217 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/nasuni.md 
@@ -0,0 +1,207 @@ +--- +title: "Nasuni" +description: "Nasuni" +sidebar_position: 80 +--- + +# Nasuni + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Nasuni Edge Appliance host to the Activity Monitor, the prerequisites for the +target environment must be met. See the +[Nasuni Edge Appliance Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md) topic +for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Nasuni Host + +Follow the steps to add a Nasuni Edge Appliance host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click +**Next**. 
+ +![Add Host page with Nasuni selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnasuni.webp) + +**Step 3 –** On the Add Host page, select the Nasuni radio button and enter the host name or IP +Address of the Nasuni Edge Appliance in the Nasuni Filer textbox. If desired, add a **Comment**. +Click **Next**. + +![Nasuni Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/nasunioptions.webp) + +**Step 4 –** On the Nasuni Options page, enter the **API Key Name** and the **API Key Value**. Click +Connect to validate the connection with the Nasuni device. + +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors +- Connect – Click to connect using the selected protocol and validate the connection with NetApp + +Click **Next**. + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp) + +- HTTPS Options – Opens the Trusted server certificate window to customize the certificate + verification during a TLS session + - Import – Click to browse for a trusted server certificate + - Remove – Click to remove the selected trusted server certificate + - Enable hostname verification – Select this checkbox to ensure that the host name the product + connects to matches the name in the certificate (CN name) +- Click OK to close the window and save the modifications. + +**Step 5 –** On the Configure Operations page, select the **File Operations, Directory Operations**, +and **Link Operations** to be monitored. Additional options include: + +:::warning +Enabling the Suppress subsequent Read operations in the same folder option can result +in Read events not being monitored. +::: + + +- Suppress subsequent Read operations in the same folder – Logs only one Read operation when + subsequent Read operations occur in the same folder. 
This option is provided to improve overall + performance and reduce output log volume. +- Suppress reporting of File Explorer's excessive directory traversal activity – Filters out events + of excessive directory traversal in File Explorer. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. + +Click **Next**. + +![Configure Basic Options page for Nasuni](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report account names – Adds an Account Name column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Report UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. These columns have also been added as Syslog macros. 
+- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![Where to log the activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer  when integration is + available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![Syslog Output page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. 
+ +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Nasuni host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornasuni.webp) + +The added Nasuni host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Nasuni + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Nasuni Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nasuni.md) +- [Unix IDs Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md new file mode 100644 index 0000000000..31596577c2 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md 
@@ -0,0 +1,345 @@ +--- +title: "NetApp" +description: "NetApp" +sidebar_position: 90 +--- + +# NetApp + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a NetApp Data ONTAP host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md) +topic or the +[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md) +topic in the for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add NetApp Host + +Follow the steps to add a NetApp Data ONTAP host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. 
+ +![Add New Host - Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. Click +**Next**. + +![Add New Host - Add Host page with NetApp selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnetapp.webp) + +**Step 3 –** On the Add Host page, select the NetApp radio button. Then, in the NetApp Filer/SVM +textbox, enter the following information: + +- Cluster-Mode devices – Enter the NetApp Filer/SVM +- 7-Mode devices – Enter the NetApp DNS name. If using vFilers, then it is necessary to use the + vFiler name here. + +Click **Next**. + +![NetApp Host Connection Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappconnection.webp) + +:::warning +Cluster-Mode is case sensitive. The case of the Filer or SVM name must match exactly to +how it is in NetApp's FPolicy configuration. +::: + + +**Step 4 –** On the NetApp Connection page, enter the following: + +- NetApp Filer or SVM – Enter the name of the NetApp Filer or SVM. The name is case sensitive. +- Management LIF – _(Optional)_ If using Cluster Management LIF, a Management LIF can be specified + if SVM Management LIF is not used (Vserver Tunneling) +- User name – Enter the user name for the credentials to connect to the NetApp server +- User password – Enter the password for the credentials to connect to the NetApp server +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + - HTTP +- Connect – Click to connect using the selected protocol and validate the connection with NetApp + +Click **Next**. 
+ +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp) + +- HTTPS Options – Opens the Trusted server certificate window to customize the certificate + verification during a TLS session + - Import – Click to browse for a trusted server certificate + - Remove – Click to remove selected trusted server certificate + - Enable hostname verification – Select this checkbox to ensure that the host name the product + connects to matches the name in the certificate (CN name) + - Click OK to close the window and save the modifications. + +![NetApp FPolicy Configuration page](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyconfiguration.webp) + +**Step 5 –** On the NetApp Mode FPolicy Configuration page, choose whether or not to automatically +configure FPolicy through Activity Monitor. If that is desired, check the Configure FPolicy option. +Any additional permissions required are listed. Be sure to select the appropriate file protocol to +configure the FPolicy. + +:::warning +NetApp FPolicy Enable and Connect requires the provisioned user account to have full +permissions. For Cluster-mode devices, the credentials are identified as ‘Employing the “Configure +FPolicy” Option’. +::: + + +Additional permissions that are required if enabling **Configure FPolicy** are: + +- Command `vserver fpolicy` - Access level: `All` +- Command `security certificate install` - Access level `All `(Need for FPolicy TLS only) + +Click **Next**. + +**Important Notes** + +:::info +For NetApp Cluster-Mode, create a tailored FPolicy manually. If manually +configuring the FPolicy, do not select the ConfigureFPolicy checkbox. +::: + + +If automatic configuration is selected, proceed to the Configure Privileged Access section after +successfully adding the host. 
+ +![NetApp FPolicy Enable and Connect window](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyenableconnect.webp) + +The options on the Configure Operations page require the provisioned user account to have, at a +minimum, the less privileged permissions. For Cluster-mode devices, the credentials are identified +as ‘Employing the “Enable and connect FPolicy” Option’. + +:::warning +On the NetApp FPolicy Enable and Connect page, choose whether or not to Enable and +connect FPolicy, which will “Ensure everything is active with periodic checks.” +::: + + +Additional permissions that are required if enabling **Enable and connect FPolicy** are: + +- Command `vserver fpolicy disable` - Access level `All` +- Command `vserver fpolicy enable` - Access level `All` +- Command `vserver fpolicy engine-connect` - Access level `All` +- Command `network interface` - Access level `readonly` + +**Important Notes** + +:::info +Enable this functionality. Without this option enabled, it is necessary to +manually connect the FPolicy every time it is disconnected for any reason. For reliable, high +availability file monitoring, use this option. +::: + + +Click **Next**. + +![protocolspage](/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp) + +**Step 6 –** On the Protocols page, select which protocols to monitor. The protocols that can be +monitored are: + +- All +- CIFS +- NFS + +Click **Next**. + +![Configure Operations window for NetApp](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsnetapp.webp) + +**Step 7 –** On the Configure Operations page, select the File Operations and Directory Operations +to be monitored. + +:::note +NetApp Data ONTAP Cluster-Mode Device folders are now readable by checking the Read / List +option listed under Directory Operations. This option is also accessible within the NetApp server’s +properties > Operations tab. 
+::: + + +If the Configure FPolicy option is enabled, then Activity Monitor updates the FPolicy according to +these settings. If it was not enabled, then the manually configured FPolicy must be set to monitor +these operations. Only operations being monitored by the FPolicy are available to the activity +agent. + +Additional options include: + +:::warning +Enabling the Suppress subsequent Read operations in the same folder option can result +in Read events not being monitored. +::: + + +- Suppress subsequent Read operations in the same folder – Logs only one Read operation when + subsequent Read operations occur in the same folder. This option is provided to improve overall + performance and reduce output log volume. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. + +Click **Next**. + +![Configure Basic Options page for NetApp](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp) + +**Step 8 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report account names – Adds an Account Name column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. 
The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + - Access Analyzer 8.1+ is required for this feature + +Click **Next**. + +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 9 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![fileoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp) + +**Step 10 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Netwrix Access Analyzer + collect this monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. 
+ ::: + + + - While Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 11 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with NetApp Host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornetapp.webp) + +The added NetApp host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. 
See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +:::tip +Remember, if automatic configuration of the FPolicy was selected, it is necessary to Configure +Privileged Access. +::: + + +## Configure Privileged Access + +If automatic configuration of the FPolicy is used for NetApp Data ONTAP Cluster-Mode devices, it is +necessary to configure privileged access. Follow the steps to configure privileged access. Remember, +this requires the provisioned user account to have full permissions, identified as the credentials +‘Employing the “Configure FPolicy” Option’. + +**Step 1 –** On to the Monitored Hosts & Services tab, select the desired host and click Edit. The host’s +Properties window opens. + +![NetApp Host Properties FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicytab.webp) + +**Step 2 –** On the FPolicy tab, select the **Privileged Access** tab. Select the Allow privileged +access checkbox and provide the Privileged user name in the textbox. + +:::note +This option is only available if the Configure FPolicy option is enabled. +::: + + +Privileged access must be allowed and configured with appropriate credentials to leverage Access +Analyzer permission (FSAA) scans for this NetApp device + +For information on the other options for this tab, see the [FPolicy Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md) +section. + +## Host Properties for NetApp + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [NetApp Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/netapp.md) +- [FPolicy Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md) +- [Unix IDs Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/nutanix.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/nutanix.md new file mode 100644 index 0000000000..8766a76737 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/nutanix.md 
@@ -0,0 +1,204 @@ +--- +title: "Nutanix" +description: "Nutanix" +sidebar_position: 100 +--- + +# Nutanix + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Nutanix files host to the Activity Monitor, the prerequisites for the target +environment must be met. See +[Nutanix Files Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md) for more +information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Network Adapter for Nutanix File Server + +Ensure that the correct network adapter is specified in the Network page for an agent before adding +a Nutanix file server to be monitored. + +![nutanixnetworkadapter](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixnetworkadapter.webp) + +The agent registers the IP address of the network adapter in the Nutanix auditing configuration for +activity delivery. Nutanix Files server connects to the agent using the TCP port 4501. 
See the +[Network Tab](/docs/activitymonitor/10.0/admin/agents/properties/network.md) topic for additional information. + +## Add Nutanix Host + +Follow the steps to add a Nutanix files host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. The Add New Host +window opens. + +![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the file server from the +drop-down list. Click **Next**. + +![Add Host](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost02.webp) + +**Step 3 –** On the Add Host page, select the **Nutanix Files** radio button and enter the file +server name. Click **Next**. + +![Nutanix Options](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_04.webp) + +**Step 4 –** On the Nutanix Options page, enter the user name and password. + +:::note +The credentials used on the Nutanix Options page are for the Nutanix user having REST API +access. +::: + + +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors +- Connect – Click **Connect** to connect to the Nutanix device using the selected protocol and + validate the connection. + +Click **Next**. + +![Configure Operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_05.webp) + +**Step 5 –** On the Configure Operations page, select the File Operations and Directory Operations +to be monitored. + +Click **Next**. + +![Configure Operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_06.webp) + +**Step 6 –** On the Configure Basic Operations page, choose which settings to enable. The “Log +files” are the activity logs created by the activity agent on the agent's server. Select one of the +following options: + +- Report account names: Adds an Account Name column in the generated TSV files. 
+- Add C:\ to the beginning of the reported file paths: Adds ‘C:\” to file paths to be displayed like + a Windows file path: + - Display example if checked: C:\Folder\file.txt + - Display example if unchecked: /Folder/file.text +- Report operations with millisecond precision - Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second. + - Access Analyzer 8.1+ is required to use this feature. + +Click **Next**. + +![Where to log the activity](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +Log File or Syslog Server. Click **Next**. + +:::note +An option must be selected before moving to the next step. +::: + + +![File Output](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_08.webp) + +**Step 8 –** If Log File is selected on the Where To Log The Activity page, configure the File +Output page. + +- Specify output file path – Specify the file path where TSV log files are saved on the agent's + server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder + destination. Click **Test** to test if the path works. +- Period to keep Log files –Log files will be deleted after the period entered as the number of days + elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. This setting applies to both the local files on the agent's + server and to the archived files. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. 
+ ::: + + + :::note + While Activity Monitor can have multiple configurations for log file outputs per host, + Access Analyzer can only read one of them. + ::: + + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + + :::note + Access Analyzer does not support log files with the header. + ::: + + +Click **Next**. + +![Syslog Output](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp) + +**Step 9 –** If Syslog Server is selected on the Where To Log The Activity page, configure the +Syslog Output page. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the **Message framing** drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![nutanixoptions_10](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_10.webp) + +The added Nutanix host is displayed in the monitored hosts/service table. Once a host has been added for +monitoring, configure the desired outputs. 
See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Nutanix + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Nutanix Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md new file mode 100644 index 0000000000..9d2c31b68f --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md 
@@ -0,0 +1,34 @@
+---
+title: "Add New Host Window"
+description: "Add New Host Window"
+sidebar_position: 10
+---
+
+# Add New Host Window
+
+Once an agent has been deployed, you can configure a host to be monitored by clicking the Add Host
+button on the Monitored Hosts & Services tab.
+
+![Add New Host window](/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhost.webp)
+
+The window opens for all types of hosts that can be monitored with an Activity Agent. See the
+following topics for additional information:
+
+- [Azure Files](/docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md)
+- [CTERA](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md)
+- [Dell Celerra or VNX](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md)
+- [Dell Isilon/PowerScale](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md)
+- [Dell PowerStore](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerstore.md)
+- [Dell Unity](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellunity.md)
+- [Exchange Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md)
+- [Hitachi](/docs/activitymonitor/10.0/admin/monitoredhosts/add/hitachi.md)
+- [Microsoft Entra ID](/docs/activitymonitor/10.0/admin/monitoredhosts/add/entraid.md)
+- [Nasuni](/docs/activitymonitor/10.0/admin/monitoredhosts/add/nasuni.md)
+- [NetApp](/docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md)
+- [Nutanix](/docs/activitymonitor/10.0/admin/monitoredhosts/add/nutanix.md)
+- [Panzura](/docs/activitymonitor/10.0/admin/monitoredhosts/add/panzura.md)
+- [Qumulo](/docs/activitymonitor/10.0/admin/monitoredhosts/add/qumulo.md)
+- [SharePoint](/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepoint.md)
+- [SharePoint Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepointonline.md)
+- [SQL Server](/docs/activitymonitor/10.0/admin/monitoredhosts/add/sqlserver.md)
+- [Windows](/docs/activitymonitor/10.0/admin/monitoredhosts/add/windows.md)
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/panzura.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/panzura.md
new file mode 100644
index 0000000000..d6ac8b6044
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/panzura.md
@@ -0,0 +1,203 @@
+---
+title: "Panzura"
+description: "Panzura"
+sidebar_position: 110
+---
+
+# Panzura
+
+**Understanding File Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following:
+
+- Ability to collect all or specific file activity for specific values or specific combinations of
+ values
+
+It provides the ability to feed activity data to SIEM products. The following dashboards have been
+specifically created for Activity Monitor event data:
+
+- For IBM® QRadar®, see the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional
+ information.
+- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for
+ additional information.
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Threat Prevention
+- Netwrix Threat Manager
+
+## Add Panzura Host
+
+Prior to adding a Panzura host to the Activity Monitor, the prerequisites for the target environment
+must be met. See the [Panzura CloudFS Monitoring](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/panzura-activity.md) topic for
+additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+Follow the steps to add a Panzura host to be monitored.
+
+**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host
+window opens.
+
+![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click
+**Next**.
+
+![Add Host](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostpanzura.webp)
+
+**Step 3 –** On the Add Host page, select the **Panzura** radio button and enter the **Panzura filer
+name**. Click **Next**.
+
+![Panzura Properties](/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraoptions.webp)
+
+**Step 4 –** On the Panzura Options page, enter the **Username**, **Password**, and select the
+**Protocol** to be used by the Panzura host.
+
+- The different protocols that can be selected are:
+
+ - Auto Detect (Default)
+ - HTTPS
+ - HTTPS, ignore certificate errors
+
+ Click **HTTPS Options** to open the Trusted server certificate window.
+
+Click **Next**.
+
+![Customize Certifiacte Verification](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)
+
+- HTTPS Options – Opens the Trusted server certificate window to customize the certificate
+ verification during a TLS session
+
+ - Import – Click to browse for a trusted server certificate
+ - Remove – Click to remove selected trusted server certificate
+ - Enable hostname verification – Select this checkbox to ensure that the host name the product
+ connects to matches the name in the certificate (CN name)
+ - Click OK to close the window and save the modifications
+
+ Click **Connect** to connect to the Panzura device. Click **Next**.
+
+![Configure Operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraconfigureoperations.webp)
+
+**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory
+Operations** to be monitored.
+
+- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office
+ temporary files. When Microsoft Office files are saved or edited, many temporary files are
+ created. With this option enabled, events for these temporary files are ignored.
+
+Click **Next**.
+
+![configurebasicoptionspanzura](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionspanzura.webp)
+
+**Step 6 –** On the Configure Basic Options page, choose which of the following settings to enable:
+
+- Add C:\ to the beginning of the reported file paths - Adds ‘C:\” to file paths to be displayed
+ like a Windows file path:
+ - Display example if checked – C:\Folder\file.txt
+ - Display example if unchecked – /Folder/file.text
+- Report UNC paths - Adds a UNC Path column and a Rename UNC Path column in the generated TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - For NFS activity – `[HOST]:/[VOLUME]/[PATH]`
+ - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. If a file is accessed locally, these columns are empty. These columns
+ have also been added as Syslog macros.
+- Report operations with millisecond precision - Changes the timestamps of events being recorded in
+ the TSV log file for better ordering of events if multiple events occur within the same second.
+ - Access Analyzer 8.1+ is required to use this feature.
+
+Click **Next**.
+
+![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File** or **Syslog Server**. Click **Next**.
+
+:::note
+An option must be selected before moving to the next step.
+:::
+
+
+![fileoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp)
+
+**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured.
+
+- Specify output file path – Specify the file path where TSV log files are saved on the agent's
+ server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder
+ destination. Click **Test** to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered as the number of
+ days elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files
+ for a set amount of Minutes, Hours, or Days.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Access Analyzer when integration is
+ available.
+ :::
+
+
+ - While Activity Monitor can have multiple configurations per host, Access Analyzer can only
+ read one of them.
+
+- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk.
+
+Click **Next**.
+
+![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp)
+
+**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the **Message framing** drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![activitymonitorpanzura](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorpanzura.webp)
+
+The added Panzura host is displayed in the monitored hosts/services table. Once a host has been added for
+monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic
+for additional information.
+
+## Host Properties for Panzura
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [Panzura Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/panzura.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/qumulo.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/qumulo.md
new file mode 100644
index 0000000000..fbb38b496b
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/qumulo.md
@@ -0,0 +1,167 @@
+---
+title: "Qumulo"
+description: "Qumulo"
+sidebar_position: 120
+---
+
+# Qumulo
+
+**Understanding File Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following:
+
+- Ability to collect all or specific file activity for specific values or specific combinations of
+ values
+
+It provides the ability to feed activity data to SIEM products. The following dashboards have been
+specifically created for Activity Monitor event data:
+
+- For IBM® QRadar®, see the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional
+ information.
+- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for
+ additional information.
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+- Netwrix Threat Prevention
+- Netwrix Threat Manager
+
+Prior to adding a Qumulo host to the Activity Monitor, the prerequisites for the target environment
+must be met. See the [Qumulo Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+## Add Qumulo Host
+
+Follow the steps to add a Qumulo host to be monitored.
+
+**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. The Add New Host
+window opens.
+
+![addagent01](/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp)
+
+**Step 2 –** On the Choose Agent page, select the Agent to monitor the file server from the
+drop-down list. Click **Next**.
+
+![addhostqumulo01](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo01.webp)
+
+**Step 3 –** On the Add Host page, select the **Qumulo** radio button and enter the file server
+name. Click **Next**.
+
+![addhostqumulo02](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo02.webp)
+
+**Step 4 –** On the Qumulo Options page, enter the user name and password.
+
+- Protocol – Select from the following options in the drop-down list:
+ - Auto Detect
+ - HTTPS
+ - HTTPS, ignore certificate errors
+- Connect – Click **Connect** to connect to the Qumulo device using the selected protocol and
+ validate the connection.
+
+The following values are shown for information purposes. You can use them to configure auditing in
+Qumulo.
+
+- Syslog Address – Address to configure Qumulo cluster.
+- Port – Port to configure Qumulo cluster.
+
+Click **Next**.
+
+![nutanixoptions_07](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp)
+
+**Step 5 –** On the Where To Log The Activity page, select whether to send the activity to either a
+Log File or Syslog Server. Click **Next**.
+
+:::note
+An option must be selected before moving to the next step.
+:::
+
+
+![addhostqumulo04](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo04.webp)
+
+**Step 6 –** If Log File is selected on the Where To Log The Activity page, configure the File
+Output page.
+
+- Specify output file path – Specify the file path where TSV log files are saved on the agent's
+ server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder
+ destination. Click **Test** to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered as the number of
+ days elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files
+ for a set number of Hours or Days.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Access Analyzer when integration is
+ available.
+ :::
+
+
+ :::note
+ While Activity Monitor can have multiple configurations for log file outputs per host,
+ Access Analyzer can only read one of them.
+ :::
+
+
+- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk.
+
+ :::note
+ Access Analyzer does not support log files with the header.
+ :::
+
+
+Click **Next**.
+
+![nutanixoptions_09](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp)
+
+**Step 7 –** If Syslog Server is selected on the Where To Log The Activity page, configure the
+Syslog Output page.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the **Message framing** drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![addhostqumulo06](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo06.webp)
+
+The added Qumulo host is displayed in the monitored hosts/services table. Once a host has been added for
+monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic
+for additional information.
+
+## Host Properties for Qumulo
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [Qumulo Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/qumulo.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepoint.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepoint.md
new file mode 100644
index 0000000000..26d6d0640a
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepoint.md
@@ -0,0 +1,162 @@
+---
+title: "SharePoint"
+description: "SharePoint"
+sidebar_position: 130
+---
+
+# SharePoint
+
+**Understanding SharePoint Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following SharePoint changes:
+
+- Document is checked out
+- Document is checked in
+- Object is deleted
+- Object is updated
+- Child object is deleted
+- Child object is undeleted
+- Child object is moved
+- Search operation is performed
+- Security group is created
+- Security group is deleted
+- Security principal is added to a security group
+- Security principal is removed from a security group
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+
+Prior to adding a SharePoint host to the Activity Monitor, the prerequisites for the target
+environment must be met. See the
+[SharePoint On-Premise Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-onprem-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to the SharePoint Application server that hosts the
+“Central Administration” component of the SharePoint farm.
+:::
+
+
+## Add SharePoint Host
+
+Follow the steps to add a SharePoint host to be monitored.
+
+**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host
+window opens.
+
+![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the Agent deployed on the SharePoint Application
+server that hosts the “Central Administration” component. Click **Next**.
+
+![Add Host page with SharePoint selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostsharepoint.webp)
+
+**Step 3 –** On the Add Host page, select the SharePoint radio button. If desired, add a Comment.
+Click **Next**.
+
+![Add Host - SharePoint Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointoptions.webp)
+
+**Step 4 –** On the SharePoint Options page, choose to audit all sites or scope the monitoring to
+specific site(s):
+
+- Enable auditing on selected site collections – Enabling this option will ensure that auditing is
+ enabled for all monitored site collections with periodic checks
+- Audit all sites – Leave textbox for URLs blank
+
+ Scope to specific sites – List URLs for sites to be monitored in the textbox. List should be
+ semicolon separated.
+
+ - Examples – http://sharpoint.local/sites/marketing,
+ http://sharepoint.local/sites/personal/user1
+ - Then enter the credentials configured as the provisioned activity monitoring account.
+
+- Enter valid **User Name** and **Password** for a domain account with local administrative
+ permissions
+- Connect – Click Connect to verify the provided credentials
+
+Click **Next**.
+
+![Configure Operations page for SharePoint](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationssharepoint.webp)
+
+**Step 5 –** On the Configure Operations page, select the SharePoint Operations and Permissions
+Operations to be monitored. Click **Next**.
+
+![Where to log the activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 6 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File** or **Syslog Server**. Click **Next**.
+
+![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp)
+
+**Step 7 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured.
+
+- Specify output file path – Specify the file path where log files are saved. Click the ellipses
+ button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test**
+ to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered number of days
+ entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a
+ set amount of Minutes, Hours, or Days.
+- Log file format – Select whether the log file will be saved as a JSON or TSV file
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Access Analyzer when integration is
+ available.
+ :::
+
+
+ - While Activity Monitor can have multiple configurations per host, Access Analyzer can only
+ read one of them.
+
+Click **Next**.
+
+![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp)
+
+**Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured. The configurable options are:
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the Message framing drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click Finish.
+
+![Activity Monitor with SharePoint host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsharepoint.webp)
+
+The added SharePoint host is displayed in the monitored hosts/services table. Once a host has been added for
+monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic
+for additional information.
+
+## Host Properties for SharePoint
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [SharePoint Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/sharepoint.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepointonline.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepointonline.md
new file mode 100644
index 0000000000..ab02fafb6e
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/sharepointonline.md
@@ -0,0 +1,179 @@
+---
+title: "SharePoint Online"
+description: "SharePoint Online"
+sidebar_position: 140
+---
+
+# SharePoint Online
+
+**Understanding SharePoint Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following SharePoint changes:
+
+- Document is checked out
+- Document is checked in
+- Object is deleted
+- Object is updated
+- Child object is deleted
+- Child object is undeleted
+- Child object is moved
+- Search operation is performed
+- Security group is created
+- Security group is deleted
+- Security principal is added to a security group
+- Security principal is removed from a security group
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+
+Prior to adding a SharePoint Online host to the Activity Monitor, the prerequisites for the target
+environment must be met. See the
+[SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+## Add SharePoint Online Host
+
+Follow the steps to add a SharePoint Online host to be monitored.
+
+**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host
+window opens.
+
+![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the Agent to monitor SharePoint Online.
+
+:::warning
+The domain name must match the SharePoint Online host name in order to properly
+integrate SharePoint Online activity monitoring with Access Analyzer.
+:::
+
+
+![Add Host page with SharePoint Online selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp)
+
+**Step 3 –** On the Add Host page, select the SharePoint Online radio button and enter the Microsoft
+Entra ID (formerly Azure AD) domain name. Click **Next**.
+
+![Add New Host - Azure AD Connection for SharePoint Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/azureadconnection.webp)
+
+**Step 4 –** On the Azure AD / Entra ID Connection page, enter a Client ID and Client Secret, then
+click **Sign-In** to grant permissions to read the auditing and directory data. Click **Open
+Instruction...** for steps on registering the Activity Monitor with Microsoft Entra ID.
+
+- After clicking **Sign-In**, the **Sign in to your account window** opens.
+- Sign-in with a Global Administrator account.
+- Approve consent for the organization.
+
+ :::note
+ Activity Monitor does not store credentials. The credentials are used to enable
+ API access using the Client ID and Secret.
+ :::
+
+
+- See the
+ [SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md)
+ topic for additional information.
+
+Click **Next**.
+
+![SharePoint Online Operations page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileandpagetab.webp)
+
+**Step 5 –** On the SharePoint Online Operations page, configure the options found in the following
+tabs:
+
+- File and Page
+- Folder
+- List
+- Sharing and Access Request
+- Site Permissions
+- Site Administration
+- Synchronization
+- DLP
+- Sensitive Label
+- Content Explorer
+- Other
+
+These options can be configured again in a SharePoint Online host's properties window. See the
+[Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) for additional information. Click **Next**.
+
+![Where to log the activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 6 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File** or **Syslog Server**. Click **Next**.
+
+![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp)
+
+**Step 7 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured. The configurable options are:
+
+- Specify output file path – Specify the file path where log files are saved. Click the ellipses
+ button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test**
+ to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered number of days
+ entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a
+ set amount of Minutes, Hours, or Days.
+- This log file is for Netwrix Access Analyzer – Enable this option to have Access Analyzer collect this monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Netwrix Access Analyzer when integration is available.
+ :::
+
+
+ - While the Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer
+ can only read one of them.
+
+Click **Next**.
+
+![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp)
+
+**Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured. The configurable options are:
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the Message framing drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![Activity Monitor with SharePoint Online host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.webp)
+
+The added SharePoint Online host is displayed in the monitored hosts/services table. Once a host has been
+added for monitoring, configure the desired outputs. See the
+[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information.
+
+## Host Properties for SharePoint Online
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [Connection Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/sqlserver.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/sqlserver.md
new file mode 100644
index 0000000000..4e3825a655
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/sqlserver.md
@@ -0,0 +1,172 @@
+---
+title: "SQL Server"
+description: "SQL Server"
+sidebar_position: 150
+---
+
+# SQL Server
+
+**Understanding SQL Server Activity Monitoring**
+
+The Activity Monitor provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+
+Prior to adding a SQL Server host to the Activity Monitor, the prerequisites for the target
+environment must be met. See the
+[SQL Server Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md) topic for
+additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for
+monitoring the target environment.
+:::
+
+
+## Add MS SQL Server Host
+
+Follow the steps to add a SQL Server host to be monitored.
+
+**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host
+window opens.
+
+![chooseagent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device, then
+click **Next**.
+
+![addhost](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp)
+
+**Step 3 –** On the **Add Host** page, select **MS SQL Server** and enter the **Server name or
+address** for the SQL Server host., then click **Next**.
+
+![mssqlserveroptionspage](/images/activitymonitor/9.0/admin/monitoredhosts/add/mssqlserveroptionspage.webp)
+
+**Step 4 –** On the MS SQL Server Options page, configure the following options:
+
+- Enable Audit automatically — Check the box to enable automatic auditing if it is ever disabled
+- Open instruction — Opens the **How to create a SQL Login for Monitoring** page. See the SQL Server
+ Database section of the
+ [SQL Server Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md) topic for
+ additional information.
+- User name — Enter the user name for the credentials for the SQL Server
+- User password — Enter the password for the credentials for the SQL Server
+
+Click **Connect** to test the settings, then click **Next**.
+
+![configureoperations](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperations.webp)
+
+**Step 5 –** On the Configure Operations page, select which SQL Server events to monitor, then click
+**Next**.
+
+![SQL Server Objects Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverobjects.webp)
+
+**Step 6 –** On the SQL Server Objects page, click **Refresh**. Select the SQL Server objects to be
+monitored. Click **Next**.
+
+![sqlserverlogontriggerpage](/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp)
+
+**Step 7 –** On the SQL Server Logon Trigger page, copy and paste the SQL script into a New Query in
+the SQL database. Execute the query to create a logon trigger. Netwrix Activity Monitor will monitor
+SQL logon events and obtain IP addresses for connections. The script is:
+
+```
+CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON AS BEGIN declare @str varchar(max)=cast(EVENTDATA() as varchar(max));raiserror(@str,1,1);END
+```
+
+![SQL Server Logon Success](/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp)
+
+> Click **Check Status** to see if the trigger is configured properly, then click **Next**.
+
+![configurebasicoptions](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp)
+
+**Step 8 –** On the Configure Basic Options page,
+
+- Period to keep Log files - Activity logs are deleted after the number of days entered. Default is
+ set to 10 days.
+
+ :::info
+ Keep a minimum of 10 days of activity logs. Raw activity logs should be
+ retained to meet an organization’s audit requirements.
+ :::
+
+
+Click **Next**.
+
+![Where To Log The Activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 9 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File (TSV)** or **Syslog Server**, then click **Next**.
+
+![fileoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp)
+
+**Step 10 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured.
+
+- Specify output file path – Specify the file path where log files are saved. Click the ellipses
+ button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test**
+ to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered number of days
+ entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a
+ set amount of Minutes, Hours, or Days.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Access Analyzer when integration is
+ available.
+ :::
+
+
+ - While Activity Monitor can have multiple configurations per host, Access Analyzer can only
+ read one of them.
+
+![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp)
+
+**Step 11 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the Message framing drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![activitymonitorsqlserverhost](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp)
+
+The added SQL Server host is displayed in the monitored hosts/services table. Once a host has been added for
+monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic
+for additional information.
+
+## Host Properties for SQL Server
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [MS SQL Server Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/mssqlserver.md)
+- [Logon Trigger Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/logontrigger.md)
+- [Tweak Options Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/tweakoptions.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/windows.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/windows.md
new file mode 100644
index 0000000000..6709876dc6
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/windows.md
@@ -0,0 +1,202 @@
+---
+title: "Windows"
+description: "Windows"
+sidebar_position: 160
+---
+
+# Windows
+
+**Understanding File Activity Monitoring**
+
+The Activity Monitor can be configured to monitor the following:
+
+- Ability to collect all or specific file activity for specific values or specific combinations of
+ values
+
+It provides the ability to feed activity data to SIEM products. The following dashboards have been
+specifically created for Activity Monitor event data:
+
+- For IBM® QRadar®, see the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) for additional
+ information.
+- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for
+ additional information.
+
+It also provides the ability to feed activity data to other Netwrix products:
+
+- Netwrix Access Analyzer
+- Netwrix Threat Manager
+
+Prior to adding a Windows host to the Activity Monitor, the prerequisites for the target environment
+must be met. See the
+[Windows File Server Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/windowsfs-activity.md)
+topic for additional information.
+
+:::tip
+Remember, the Activity Agent must be deployed to the server. It cannot be deployed to a proxy
+server.
+:::
+
+
+## Add Agent's Windows Host
+
+Follow the steps to add a Windows host to be monitored, if it was not configured when the agent was
+deployed.
+
+**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host
+window opens.
+
+![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp)
+
+**Step 2 –** On the Choose Agent page, select the **Agent** to monitor deployed on the Windows file
+server. Click **Next**.
+
+![Add Host page with Windows selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostwindows.webp)
+
+**Step 3 –** On the Add Host page, select the Agent’s Windows host radio button. Remember, the agent
+must be deployed on the Windows file server to be monitored. If desired, add a **Comment**. Click
+**Next**.
+
+![Protocols page](/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp)
+
+**Step 4 –** On the Protocols page, select which protocols to monitor. The protocols that can be
+monitored are:
+
+- All
+- CIFS
+- NFS
+
+Click **Next**.
+
+![Configure Operations page for Windows host](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationswindows.webp)
+
+**Step 5 –** On the Configure Operations page, select the **File Operations**,**Directory
+Operations**, **Share Operations** and **VSS Operations** to be monitored. Users may also filter
+events by operation type by selecting the radio button:
+
+- All – Reports both allowed and denied operations
+- Allowed only – Reports only allowed operations
+- Denied only – Reports only denied operations
+
+Additional options include:
+
+:::warning
+Enabling the Suppress subsequent Read operations in the same folder option can result
+in Read events not being monitored.
+:::
+
+
+- Suppress subsequent Read operations in the same folder – Logs only one Read operation when
+ subsequent Read operations occur in the same folder. This option is provided to improve overall
+ performance and reduce output log volume.
+- Suppress reporting of File Explorer's excessive directory traversal activity – Filters out events
+ of excessive directory traversal in File Explorer.
+- Suppress Permission Change operations with reordered ACL – Prevents tracking events where
+ permission updates occurred resulting in reordered ACEs (Access Control Entries) but with no other
+ changes in the ACL (Access Control List).
For example, if a user is removed in the security
+ settings of a file, and then the same user is added back with the same security permissions, the
+ change is not logged.
+- Suppress Inherited Permission Changes – Filters out events for inherited permission changes. This
+ option is provided to improve overall performance and reduce output activity log volume.
+- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office
+ temporary files. When Microsoft Office files are saved or edited, many temporary files are
+ created. With this option enabled, events for these temporary files are ignored.
+
+Click **Next**.
+
+![Configure Basic Options page for Windows](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionswindows.webp)
+
+**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files”
+are the activity logs created by the activity agent on the target host. Select the desired options:
+
+- Report Account Names – Adds an Account Name column in the generated TSV files
+- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files
+ - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by
+ default. The UNC Path is in the following format:
+ - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]`
+ - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt`
+ - When the option is enabled, the added columns are populated when a file is accessed remotely
+ through the UNC Path. If a file is accessed locally, these columns are empty. These columns
+ have also been added as Syslog macros.
+- Report operations with millisecond precision – Changes the timestamps of events being recorded in
+ the TSV log file for better ordering of events if multiple events occur within the same second
+
+Click **Next**.
+
+![Where to log activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp)
+
+**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a
+**Log File** or **Syslog Server**. Click **Next**.
+
+![File Output page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileouputpage.webp)
+
+**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File
+Output** page can be configured.
+
+- Specify output file path – Specify the file path where log files are saved. Click the ellipses
+ button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test**
+ to test if the path works.
+- Period to keep Log files – Log files will be deleted after the period entered number of days
+ entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a
+ set amount of Minutes, Hours, or Days.
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this
+ monitored host configuration
+
+ :::info
+ Identify the configuration to be read by Access Analyzer when integration is
+ available.
+ :::
+
+
+ - While Activity Monitor can have multiple configurations per host, Access Analyzer can only
+ read one of them.
+
+Click **Next**.
+
+![Syslog Output page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp)
+
+**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog
+Output page can be configured.
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the
+ organization’s environment can resolve the name format used. The Event stream is the activity
+ being monitored according to this configuration for the monitored host.
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down
+ menu includes:
+
+ - UDP
+ - TCP
+ - TLS
+
+ The TCP and TLS protocols add the Message framing drop-down menu. See the
+ [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+- The Test button sends a test message to the Syslog server to check the connection. A green check
+ mark or red will determine whether the test message has been sent or failed to send. Messages vary
+ by Syslog protocol:
+
+ - UDP – Sends a test message and does not verify connection
+ - TCP/TLS – Sends test message and verifies connection
+ - TLS – Shows error if TLS handshake fails
+
+ See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information.
+
+Click **Finish**.
+
+![Activity Monitor with Windows Host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorwindows.webp)
+
+The added Windows file server host is displayed in the monitored hosts/services table. Once a host has been
+added for monitoring, configure the desired outputs. See the
+[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information.
+
+## Host Properties for Windows File Server
+
+Configuration settings can be edited through the tabs in the host’s Properties window. The
+configurable host properties are:
+
+- [Windows Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/windows.md)
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+
+See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) topic for additional information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/output/_category_.json b/docs/activitymonitor/10.0/admin/monitoredhosts/output/_category_.json
new file mode 100644
index 0000000000..70c4d56051
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/output/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Output for Monitored Hosts",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "output"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/output/filetsv.md b/docs/activitymonitor/10.0/admin/monitoredhosts/output/filetsv.md
new file mode 100644
index 0000000000..5845383b96
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/output/filetsv.md
@@ -0,0 +1,46 @@
+---
+title: "File TSV Log File"
+description: "File TSV Log File"
+sidebar_position: 10
+---
+
+# File TSV Log File
+
+The following information lists all of the columns generated by File Activity Monitor into a TSV log
+file, along with descriptions.
+
+| Column Name(s) | Description |
+| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Operation Time | Date timestamp of the event in UTC time Column format is dependent on "Report Operations with millisecond precision" option |
+| Host | Host name of the monitored device |
+| User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
+| Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
+| Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
+| Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
+| Rename Path | New name of the path if a rename event occurs |
+| Process or IP | Indicates the source of the activity event: - For local Windows activity – Process name (e.g. notepad.exe) - For network Windows activity – IP Address of the user - For NAS device activity – IP Address for the NAS device of the user |
+| 1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only.
These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
+| User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
+| Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
+| 1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format[SERVER]:/[VOLUME]/Folder/File.txt |
+| Volume ID | ID of the volume where the event occurred |
+| Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
+| Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
+| **File Size** | Size of File |
+| **Tags** | _(Windows hosts only)_ Contains 'Copy' for read events that are probably file copies |
+| Group ID | _Linux hosts only_ Unique identifier for the File System Group (GID) |
+| Group Name | _Linux hosts only_ Name of the File System Group (GID) |
+| Process ID | Linux hosts only Name of the File System Group (GID) |
+
+## Sub-Operation, Old Attributes, and New Attributes Table
+
+The following table lists details for Sub-Operation, Old Attributes, and New Attributes according to
+File Operation.
+
+| File Operation | Sub-Operation | Old Attributes | New Attributes |
+| ------------------------------- | ------------- | --------------------------------------------------------------------- | ---------------------------------------------- |
+| Owner was changed | Own | Old owner in SDDL format | New owner in SDDL format |
+| Permissions were changed (DACL) | Dac | Old DACL in SDDL format | New DACL in SDDL format |
+| Audit was changed (SACL) | Sac | Old SACL in SDDL format | New SACL in SDDL format |
+| File attributes were changed | Att | Old attributes as a hexadecimal number (0xNNN) | New attributes as a hexadecimal number (0xNNN) |
+| File is read from a shadow copy | VSS | Shadow copy creation time in YYYYMMDDThhmmss format (20180905T123456) | |
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/output/linuxtsv.md b/docs/activitymonitor/10.0/admin/monitoredhosts/output/linuxtsv.md
new file mode 100644
index 0000000000..ec8b706a86
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/output/linuxtsv.md
@@ -0,0 +1,33 @@
+---
+title: "Linux TSV Log File"
+description: "Linux TSV Log File"
+sidebar_position: 20
+---
+
+# Linux TSV Log File
+
+The following information lists all of the columns generated by Linux Activity Monitor into a TSV
+log file, along with descriptions.
+
+| | |
+| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Operation Time | Date timestamp of the event in UTC time Column format is dependent on "Report Operations with millisecond precision" option |
+| Host | Host name of the monitored device |
+| User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID |
+| Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) |
+| Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) |
+| Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. |
+| Rename Path | New name of the path if a rename event occurs |
+| Process or IP | Indicates the source of the activity event: - For Local activity – Process name (e.g. notepad.exe) - For Remote network activity – IP Address of the user |
+| 1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only.
These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. |
+| User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. |
+| Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS |
+| 1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format[SERVER]:/[VOLUME]/Folder/File.txt |
+| Volume ID | ID of the volume where the event occurred |
+| Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. |
+| Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 |
+| File Size | Size of File |
+| Tags | Windows hosts only Contains 'Copy' for read events that are probably file copies |
+| Group ID | Linux hosts only Unique identifier for the File System Group (GID). |
+| Group Name | Linux hosts only Name of the File System Group (GID). |
+| Process ID | Linux hosts only Name of the File System Group (GID). |
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md b/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md
new file mode 100644
index 0000000000..5443e9b02d
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md
@@ -0,0 +1,54 @@
+---
+title: "Output for Monitored Hosts/Services"
+description: "Output for Monitored Hosts/Services"
+sidebar_position: 30
+---
+
+# Output for Monitored Hosts/Services
+
+Once a host is being monitored the event stream can be sent to multiple outputs.
+
+![Output Properties Overview](/images/activitymonitor/9.0/admin/monitoredhosts/outputpropertiesoverview.webp)
+
+Configured outputs are grouped under the host. You can have multiple outputs configured for a host.
+The host event outputs are:
+
+- File – Creates an activity log as a TSV or JSON file for every day of activity
+- Syslog – Sends activity events to the configured SIEM server or Netwrix Threat Manager, where
+ supported
+
+## Add File Output
+
+Follow the steps to add a File output.
+
+**Step 1 –** On the Monitored Hosts & Services tab, select the desired host and click **Add Output**.
+
+**Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens.
+
+![addnewoutputfile](/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputfile.webp)
+
+**Step 3 –** Configure the tab(s) as desired.
+
+**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
+
+The new output displays in the table. Click the **Edit** button to open the Output properties window
+to modify these settings. See the [Output Types](/docs/activitymonitor/10.0/admin/outputs/overview.md) topic for additional
+information.
+
+## Add Syslog Output
+
+Follow the steps to add a Syslog output.
+
+**Step 1 –** On the Monitored Hosts & Services tab, select the desired host and click **Add Output**.
+
+**Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens.
+
+![addnewoutputsyslog](/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputsyslog.webp)
+
+**Step 3 –** Configure the tab(s) as desired.
+
+**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
+
+The new output displays in the table.
Click the **Edit** button to open the Output properties window
+to modify these settings. See the [Output Types](/docs/activitymonitor/10.0/admin/outputs/overview.md) topic for additional
+information.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointjson.md b/docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointjson.md
new file mode 100644
index 0000000000..212b8af530
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointjson.md
@@ -0,0 +1,54 @@
+---
+title: "SharePoint JSON Log File"
+description: "SharePoint JSON Log File"
+sidebar_position: 30
+---
+
+# SharePoint JSON Log File
+
+The JSON log file format is used to send SharePoint activity monitoring data to Access Analyzer
+v10.0 consoles. The following information lists all of the attributes generated by SharePoint
+Activity Monitor into a JSON log file:
+
+| Attribute Name | Description | Example |
+| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
+| TimeLogged | DateTime/ string | 2019-03-14T18:13:39.00Z |
+| ActivityType | Constant “SharePoint” | SharePoint |
+| AgentHost | Host name where agent is installed | sphost |
+| UserSid | User SID who caused the event | S-1-0-0 |
+| UserName | User Name who caused the event | System Account |
+| UserID | ID of the user who caused the event | 1073741823 |
+| UserLogin | User Login who caused the event | SHAREPOINT\system |
+| Protocol | Protocol: HTTP / HTTPS.. | HTTP |
+| AbsoluteUrl | Full Url: SiteUrl + DocLocation | http://sphost/Lists/Comments/1\_.000 |
+| WebApplication | Web application name | SharePoint – 80 |
+| SiteId | Site Id (guid) | 7b2c8d23-a74f-4c3c-985d-2c7facb5ebae |
+| SiteUrl | Site Url | http://sphost/sites/mysite |
+| WebTitle | Web title | my site |
+| DocLocation | Location of an audited object at the time of the audited event | Lists/Comments/1\_.000 |
+| ItemId | A Guid that the object whose event is represented by the entry | 2c4174dc-322d-47bc-a420-52968fc3ba6c |
+| ItemTitle | Title of the object | Welcome to my blog! |
+| ItemType | Type of the object: Document / ListItem / List / Folder / Web / Site | ListItem |
+| EventType | An SPAuditEventType that represents the type of event | Update |
+| EventSource | A value that indicates whether the event occurred as a result of user action in the SharePoint Foundation user interface (UI) or programmatically. Values: SharePoint / ObjectModel | SharePoint |
+| LocationType | Specifies the actual location of a document in a SharePoint document library: Invalid, Url, ClientLocation | Url |
+| AppPrincipalId | The ID of the app principal who caused the event. If the value of EventSource is ObjectModel, thenAppPrincipalId holds the ID of the app principal whose context the code that caused the event was running. If there is no app context, the AppPrincipalId is null. | 0 |
+| SourceName | The name of the application that caused the event | `` |
+| RawEventData | A String that holds XML markup providing data that is specific to the type of event that the entry object represents. | `06C49477-0498-4858-900C-45B595337462 MyDocs/myfile.zip` marker for the list-like settings. Leave
+the `<-Different-Values->` marker to preserve the difference in each selected object, or delete it
+to remove all divergent elements. When the window closes, only changed properties are saved to all
+selected objects, leaving unchanged properties untouched.
+
+## Table
+
+The monitored hosts/services table provides the following information:
+
+- State — State of the monitored host. The two states are Enabled and Disabled.
+- Monitored Host – Name or IP Address of the host being monitored
+- Report As — How the Monitored Host is being reported as. This can be customized in the host's
+ properties.
+- Details — Displays additional details about the monitored host, such as the Platform and the Log
+ Path.
+- Agent – Name or IP Address of the server where the activity agent is deployed
+- Retention – Number of days for which the activity log files are retained
+- Log Size – Size of the activity log files
+- Status – Indicates the status of activity monitoring for the host. See the Error Propagation topic
+ for additional information.
+- Received Events – Timestamp of the last event received
+- Comment – Comment provided by user:
+ - Often this indicates the desired output, e.g. Access Analyzer.
+ - This can be useful if adding the same monitored host multiple times with different
+ configurations for different outputs.
+ - If a Activity Monitor Agent has been deployed to a Windows server where an activity agent is
+ deployed, then the Comment identifies the host as "Managed by Activity Monitor", and that
+ 'monitored host' is not editable. Add the host again for other outputs.
+
+Hosts can have more than one output. To view a host's outputs, expand the host by clicking the white
+arrow to the left of the Monitored Host name.
+
+For integration with Netwrix Access Analyzer, only one configuration
+of a 'monitored host' can be set as the Netwrix Access Analyzer
+output. After a 'monitored host' has been added, use the Edit feature to identify the configuration
+as being for Netwrix Access Analyzer on the Log Files tab of the
+host's Properties window. See the [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md) topic for additional
+information.
+
+## Monitoring Status
+
+The Status collapsible section located above the Status Bar of the Activity Monitor provides
+visibility into a host's monitoring state and history of state changes. Host monitoring status is
+depicted in the Monitored Hosts & Services table under the Status column. Users can expand the Status section
+to view more information on various status conditions.
+
+![errorpropogationpopulated](/images/activitymonitor/9.0/admin/monitoredhosts/errorpropogationpopulated.webp)
+
+Click the **Down Arrow** to expand the Status section. The information listed is dependent on which
+host or output is currently selected in the Monitored Hosts & Services table. Users can find information on the
+**Current State** of a host, as well as viewing a history of changes in state.
+
+The possible statuses depend on the type of hosts being monitored. What is common is that the status
+can help identify a problem and provide a possible workaround. The following sections provide more
+information about device-specific states.
+
+### Linux Monitoring Status
+
+For file activity monitoring on Linux, Activity Monitor relies on **auditd** component of the Linux
+Auditing System. One of the features of auditd is the immutable mode, which locks the audit
+configuration and protects it from being changed. When the immutable mode is enabled, the only way
+to change the auditing configuration is to reboot the server.
+
+Activity Monitor supports the immutable mode. It compares the current auditd configuration with the
+desired one. If they differ and the immutable mode is enabled, the product displays a warning in the
+status section that a server restart is required. After the reboot, the changes take effect and the
+immutable mode is enabled.
+
+### Qumulo Monitoring Status
+
+The **No connections from Qumulo clusters** error may be displayed in the status section. This error
+indicates that the Qumulo nodes have not yet connected to the agent. This can happen either because
+an incorrect address or port is specified in the Audit page of the Qumulo Web Interface, or because
+the port (4496 by default) is blocked by a firewall.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/_category_.json b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/_category_.json
new file mode 100644
index 0000000000..f7ab5883da
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Host Properties Window",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md
new file mode 100644
index 0000000000..cb8b0937ce
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md
@@ -0,0 +1,29 @@
+---
+title: "Auditing Tab"
+description: "Auditing Tab"
+sidebar_position: 10
+---
+
+# Auditing Tab
+
+The Auditing tab allows users to modify to modify the Isilon Options setting which was populated
+with the information entered when the Dell Isilon host is added to the Monitored Hosts & Services list.
+
+![Auditing Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/auditingtab.webp)
+
+The **Enable Protocol Access Auditing in OneFS if it is disabled** box allows the activity agent to
+automatically enable and configure auditing on the Isilon cluster. If a manual configuration has
+been completed, do not enable these options. This option requires credentials for an Administrator
+account on the Dell Isilon device and click Connect.
+
+If the connection is successful, discovered access zones appear in the **Available** box. By
+default, all available access zones are monitored. To monitor specific access zones, use the arrow
+buttons to move access zones to the **Monitored** box. All activity for this configuration for the
+host is collected and placed in a single activity log file per day. This is the supported option for
+integration with StealthAUDIT, which requires all access zones to be monitored from a single
+configuration.
+
+To have one activity log file per access zone, create multiple output configurations for the Dell
+Isilon device. Add one access zone to each configuration of the monitored host. When adding an
+Isilon host for each access zone, the Dell device name will be the same for each configuration, but
+the **CIFS/NFS server name** must have a unique value.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md
new file mode 100644
index 0000000000..2a82598be2
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md
@@ -0,0 +1,28 @@
+---
+title: "Connection Tab"
+description: "Connection Tab"
+sidebar_position: 20
+---
+
+# Connection Tab
+
+Once a host is added to the monitored hosts/services table, the configuration settings are edited through the
+tabs in the host’s Properties window. The Connection tab on a host’s Properties window is specific
+to Microsoft Entra ID (formerly Azure AD), Exchange Online, and SharePoint Online hosts.
+
+![Conneciton Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/azure.webp)
+
+Configure App Registration information for a Microsoft Entra ID host in the Connection Tab of the
+host's Properties window. Click **Open instructions...** for steps on registering the
+Activity Monitor. Click **Sign out** to sign out of the Azure account.
+
+The options that can be configured on the Connection Tab are:
+
+- Domain
+- Azure Cloud
+- Tenant ID
+- Client ID
+- Client Secret
+- Region
+
+Click **OK** to apply changes and exit, or **Cancel** to exit without saving any changes.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md
new file mode 100644
index 0000000000..9ad6e090c6
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md
@@ -0,0 +1,16 @@
+---
+title: "Dell Tab"
+description: "Dell Tab"
+sidebar_position: 30
+---
+
+# Dell Tab
+
+The Dell tab on a host’s Properties window displays the Dell Celerra/VNX, Dell Isilon/PowerScale,
+Dell PowerStore, or Dell Unity host to be monitored for activity and any host aliases. This tab is
+populated with the information entered when the Dell host is added to the monitored hosts/services table. If
+desired, specify a different device to be monitored for activity.
+
+![Dell Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp)
+
+If changes are made to these configuration options, click **OK** to save the changes.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md
new file mode 100644
index 0000000000..67cd872661
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md
@@ -0,0 +1,73 @@
+---
+title: "FPolicy Tab"
+description: "FPolicy Tab"
+sidebar_position: 40
+---
+
+# FPolicy Tab
+
+The FPolicy tab allows users to modify FPolicy settings for NetApp devices, privileged access, and
+enabling/connecting to cluster nodes.
+
+![FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicytab.webp)
+
+On the **FPolicy** tab, the agent can configure and/or enable FPolicy automatically. The recommended
+setting is dependent on the type of NetApp device being targeted. The permissions required for each
+option are listed. See the
+[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md)
+topic or the
+[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md)
+topic for additional information.
+
+At the bottom are two additional tabs with setting options. On this tab, specify the protocols to
+monitor by selecting the radio buttons.
+
+## Privileged Access Tab
+
+![Privileged Access section in the FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/privilegedaccess.webp)
+
+The Privileged Access tab is enabled when the Configure FPolicy checkbox is selected at the top. The
+Privileged Access tab must be configured if automatic configuration of the FPolicy for NetApp Data
+ONTAP Cluster-Mode devices is used. See the
+[Configure Privileged Access](/docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md#configure-privileged-access) topic for additional
+information.
+
+## Enable and Connect settings Tab
+
+![Enable and Connect Settings - FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettings.webp)
+
+The Enable and Connect settings tab is enabled when the Enable and connect FPolicy checkbox is
+selected.
+
+:::note
+Adding nodes are not needed if set user is using a role that has Network Interface
+permissions.
+:::
+
+
+![Add or Edit Cluster Node popup window](/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp)
+
+Add a list of cluster nodes to connect to FPolicy by clicking Add, which opens the Add or Edit
+Cluster Node window. Enter at least one cluster node in the textbox. Separate multiple nodes with
+either commas (,), semicolons (;), or spaces. Click OK and the node(s) is displayed in the **Node
+name** list.
+
+![Connect to Cluster popup window](/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp)
+
+Click Discover to open the Connect to cluster window and retrieve nodes from the cluster.
+
+Specify the Cluster-management LIF and then enter user credentials which will be used to retrieve a
+list of the cluster nodes. This credential must have at least read-only rights to run the system
+node show command on the cluster. Click Get Nodes. If a successful connection is not achieved, the
+message indicates the error. If a successful connection is achieved, the message indicates how many
+cluster nodes were discovered. Click OK and all discovered nodes are displayed in the **Node name**
+list.
+
+Use the Remove button to remove the selected node from the list.
+
+## Resources Required for NetApp Monitoring
+
+Each individual NetApp filer being monitored impacts local system resources and requires disk space.
+These vary based on configuration settings chosen along with user activity. Average FPolicy and
+associated Logging service resource consumption may be around 2% CPU usage and 10 MB of RAM. Average
+disk space required per daily activity log file retained locally may be around 300 MB per filer.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md
new file mode 100644
index 0000000000..b4a8669b30
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md
@@ -0,0 +1,17 @@
+---
+title: "Hitachi NAS Tab"
+description: "Hitachi NAS Tab"
+sidebar_position: 50
+---
+
+# Hitachi NAS Tab
+
+Once a Hitachi host is added to the monitored hosts/services table, the configuration settings are edited
+through the tabs in the host’s Properties window. The Hitachi NAS tab on a host’s Properties window
+is specific to Hitachi hosts.
+
+![Host Properties - Hitachi Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/hitachihostproperties.webp)
+
+The Hitachi NAS tab allows users to modify settings that were populated with the information entered
+when the Hitachi host was added. Additionally, the Path pooling interval can be configured. The Path
+pooling interval is set to 15 seconds by default.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md
new file mode 100644
index 0000000000..58714f76cb
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md
@@ -0,0 +1,61 @@
+---
+title: "Inactivity Alerts Tab"
+description: "Inactivity Alerts Tab"
+sidebar_position: 60
+---
+
+# Inactivity Alerts Tab
+
+The Inactivity Alerts tab on a host's Properties window is used to configure alerts that are sent
+when monitored hosts/services receive no events for a specified period of time.
+
+![inactivityalertstab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalertstab.webp)
+
+The configurable options are:
+
+- Customize inactivity alerting for this host. Otherwise, the agent's settings will be used – Check
+ this box to enable customization of alert settings for the Monitored Host/Service
+- Enable inactivity alerting for this host – Check this box to enable inactivity alerts for the host.
+- Length of inactivity – Specify how much time must pass before an inactivity alert is sent out. The
+ default is **6 hours**.
+- Repeat an alert every – Specify how often an alert is sent out during periods of inactivity. The
+ default is **6 hours**.
+
+## Syslog Alerts Tab
+
+Configure Syslog alerts using the Syslog Alerts Tab.
+
+![Syslog Alerts Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/syslogalertstab.webp)
+
+The configurable options are:
+
+- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format
+ in the textbox.
+- Syslog protocol – Identify the Syslog protocol to be used for the alerts
+
+ - UDP
+ - TCP
+ - TLS
+
+- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window.
+
+## Email Alerts Tab
+
+Configure Email alerts using the Email Alerts Tab.
+
+![Email Alerts Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/emailalertstab.webp)
+
+The configurable options are:
+
+- SMTP server in SERVER[:PORT] format – Enter the SMTP server for the email alerts
+
+ - Enable TLS – Check the box to enable TLS encryption
+
+- User name – *(Optional)* User name for the email alert
+- User password – *(Optional)* Password for the username
+- From email address – Email address that the alert is sent from
+- To email address – Email address that the alert is sent to
+- Message subject – Subject line used for the email alert. Click the ellipses (...) to open the
+ **Message Template** window.
+- Message body – Body of the message used for the email alert. Click the ellipses (...) to open the
+ **Message Template** window.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/logontrigger.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/logontrigger.md
new file mode 100644
index 0000000000..88a3419986
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/logontrigger.md
@@ -0,0 +1,16 @@
+---
+title: "Logon Trigger Tab"
+description: "Logon Trigger Tab"
+sidebar_position: 70
+---
+
+# Logon Trigger Tab
+
+The Logon trigger tab on a SQL Server host's properties window is used to configure logon triggers
+for SQL activity monitoring.
+
+![logontriggertab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/logontriggertab.webp)
+
+Copy and paste the SQL Script into a SQL query and execute to enable the Activity Monitor to obtain
+IP addresses of client connections. Click **Check Status** to check if the trigger is properly
+configured on the SQL server.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/mssqlserver.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/mssqlserver.md
new file mode 100644
index 0000000000..024f263802
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/mssqlserver.md
@@ -0,0 +1,27 @@
+---
+title: "MS SQL Server Tab"
+description: "MS SQL Server Tab"
+sidebar_position: 80
+---
+
+# MS SQL Server Tab
+
+The MS SQL Server tab on SQL Server host's properties window is used to configure properties for
+SQL activity monitoring on the host.
+
+![MS SQL Server Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlservertab.webp)
+
+The configurable options are:
+
+- Enable Trace automatically — Check the box to enable the activity monitor to enable Trace
+ automatically if it is disabled
+- Audit polling interval — Configure the interval between audits. The default is **15 seconds**.
+- Open instruction... — Click **Open Instruction...** to view steps on how to create a login for
+ SQL monitoring
+
+ - Certain permissions are required to create a login for SQL monitoring. See the
+
+- Server name\instance — Server name\instance of the SQL Server to be monitored
+- User name — User for the SQL Server
+- User password — Password for the SQL Server
+- Connect — Click **Connect** to test the settings
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nasuni.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nasuni.md
new file mode 100644
index 0000000000..ef629472fe
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nasuni.md
@@ -0,0 +1,38 @@
+---
+title: "Nasuni Tab"
+description: "Nasuni Tab"
+sidebar_position: 90
+---
+
+# Nasuni Tab
+
+After a Nasuni host is added to the monitored hosts/services table, the configuration settings are edited
+using the tabs in the Properties window of the host.
+
+![Nasuni Host Properties - Nasuni Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/nasunitab.webp)
+
+The **Nasuni** tab allows users to modify settings which were populated with the information entered
+when the Nasuni host was added.
+
+The configurable options are:
+
+- Nasuni Filer – Enter the name of the filer
+- Username – Enter the user name for the Nasuni account
+- Password – Enter the password for the user name
+- Protocol – Select from the following options in the drop-down list:
+
+ - Auto Detect
+ - HTTPS
+ - HTTPS, ignore certificate errors
+
+- Connect – Click to connect using the selected protocol and validate the connection with Nasuni
+
+![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)-
+HTTPS Options – Opens the Trusted server certificate window to customize the certificate
+verification during a TLS session
+
+- Import – Click to browse for a trusted server certificate
+- Remove – Click to remove the selected trusted server certificate
+- Enable hostname verification – Select this checkbox to ensure that the host name the product
+ connects and matches the name in the certificate (CN name)
+- Click **OK** to close the window and save the modifications.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/netapp.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/netapp.md
new file mode 100644
index 0000000000..b9a2524fa0
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/netapp.md
@@ -0,0 +1,32 @@
+---
+title: "NetApp Tab"
+description: "NetApp Tab"
+sidebar_position: 100
+---
+
+# NetApp Tab
+
+The NetApp tab on a host’s Properties window allows users to modify settings, which are populated
+with the information entered when the NetApp host is added to the monitored hosts/services table.
+
+![Host Properties NetApp Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/netapptab.webp)
+
+Modify the targeted NetApp device by specifying a NetApp device to be monitored for activity and
+credentials to access it with the Data ONTAP API.
+
+- Protocol – Select from the following options in the drop-down list:
+ - Auto Detect
+ - HTTPS
+ - HTTPS, ignore certificate errors
+ - HTTP
+- Connect – Click to connect using the selected protocol and validate the connection with NetApp
+
+![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)-
+HTTPS Options – Opens the Trusted server certificate window to customize the certificate
+verification during a TLS session
+
+- Import – Click to browse for a trusted server certificate
+- Remove – Click to remove the selected trusted server certificate
+- Enable hostname verification – Select this checkbox to ensure that the host name the product
+ connects and matches the name in the certificate (CN name)
+- Click **OK** to close the window and save the modifications.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md
new file mode 100644
index 0000000000..63fdbfdd61
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md
@@ -0,0 +1,43 @@
+---
+title: "Nutanix Tab"
+description: "Nutanix Tab"
+sidebar_position: 110
+---
+
+# Nutanix Tab
+
+The Nutanix tab allows users to modify settings after a Nutanix host has been configured. Once a
+Nutanix host is added to the monitored hosts/services table, the configuration can be edited in the host
+Properties.
+
+![Nutanix Host Properties](/images/activitymonitor/9.0/admin/monitoredhosts/properties/nutanixhostprop01.webp)
+
+The configurable options are:
+
+- Nutanix Filer – Enter the name of the filer
+- Username – Enter the user name for the Nutanix account with REST API access
+- Password – Enter the password for the user name
+- Protocol – Select a protocol for the REST API access from the drop-down menu:
+
+ - Auto Detect
+ - HTTPS
+ - HTTPS, ignore certificate errors
+
+- Connect – Click to connect using the selected protocol and validate the connection with Nutanix
+
+![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)
+
+- HTTPS Options – Opens the Trusted server certificate window to customize the certificate
+verification during a TLS session
+
+- Import – Click to browse for a trusted server certificate
+- Remove – Click to remove the selected trusted server certificate
+- Enable hostname verification – Select this checkbox to ensure that the host name the product
+ connects and matches the name in the certificate (CN name)
+- Click **OK** to close the window and save the modifications.
+
+:::note
+Nutanix Files does not report events for activity originating from a server where the
+Activity Monitor Agent is installed.
+
+:::
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md
new file mode 100644
index 0000000000..26b7e2352e
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md
@@ -0,0 +1,34 @@
+---
+title: "Host Properties Window"
+description: "Host Properties Window"
+sidebar_position: 20
+---
+
+# Host Properties Window
+
+Once a host has been added to the Monitored Hosts & Services list, the configuration settings can be modified
+through the host’s Properties window.
+
+![Activity Monitor with Edit button identified ](/images/activitymonitor/9.0/admin/monitoredhosts/properties/hostpropertiesoverview.webp)
+
+On the Monitored Hosts tab, select the host and click Edit, or right-click on a host and select
+**Edit Host** from the right-click menu, to open the host’s Properties window. The tabs vary based
+on the type of host selected:
+
+- [Auditing Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md) — Dell Isilon/PowerScale devices only
+- [Connection Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md) — Microsoft Entra ID, Exchange Online, and SharePoint Online only
+- [Dell Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md) — Dell devices only
+- [FPolicy Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md) — NetApp devices only
+- [Hitachi NAS Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md) — Hitachi NAS devices only
+- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md)
+- [Logon Trigger Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/logontrigger.md) — SQL Server hosts only
+- [MS SQL Server Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/mssqlserver.md) — SQL Server hosts only
+- [Nasuni Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nasuni.md) — Nasuni Edge Appliances only
+- [NetApp Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/netapp.md) — NetApp devices only
+- [Nutanix Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md) — Nutanix devices only
+- [Panzura Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/panzura.md) — Panzura devices only
+- [Qumulo Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/qumulo.md) — Qumulo devices only
+- [SharePoint Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/sharepoint.md) — SharePoint only
+- [Tweak Options Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/tweakoptions.md) — SQL Server hosts only
+- [Unix IDs Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md) — NetApp devices, Dell devices, and Nasuni Edge Appliances only
+- [Windows Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/windows.md) — Windows hosts only
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/panzura.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/panzura.md
new file mode 100644
index 0000000000..cd9b0d2dbc
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/panzura.md
@@ -0,0 +1,38 @@
+---
+title: "Panzura Tab"
+description: "Panzura Tab"
+sidebar_position: 120
+---
+
+# Panzura Tab
+
+After a Panzura host is added to the monitored hosts/services table, the configuration settings are edited
+using the tabs in the Properties window of the host.
+
+![panzuratab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/panzuratab.webp)
+
+The **Panzura** tab allows users to modify settings which were populated with the information
+entered when the Panzura host was added.
+
+The configurable options are:
+
+- Panzura Filer – Enter the name of the filer
+- Username – Enter the user name for the Panzura account
+- Password – Enter the password for the user name
+- Protocol – Select from the following options in the drop-down list:
+
+ - Auto Detect
+ - HTTPS
+ - HTTPS, ignore certificate errors
+
+- Connect – Click to connect using the selected protocol and validate the connection with Panzura
+
+![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)-
+HTTPS Options – Opens the Trusted server certificate window to customize the certificate
+verification during a TLS session
+
+- Import – Click to browse for a trusted server certificate
+- Remove – Click to remove the selected trusted server certificate
+- Enable hostname verification – Select this checkbox to ensure that the host name the product
+ connects and matches the name in the certificate (CN name)
+- Click **OK** to close the window and save the modifications.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/qumulo.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/qumulo.md
new file mode 100644
index 0000000000..abde3b5a15
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/qumulo.md
@@ -0,0 +1,36 @@ +--- +title: "Qumulo Tab" +description: "Qumulo Tab" +sidebar_position: 130 +--- + +# Qumulo Tab + +The Qumulo tab allows users to modify settings after a Qumulo host has been configured. Once a +Qumulo host is added to the monitored hosts/services table, the configuration can be edited in the host +Properties. + +![Qumulo Host Properties](/images/activitymonitor/9.0/admin/monitoredhosts/properties/qumulohostproperties.webp) + +The configurable options are: + +- Cluster name – Enter the name of the filer +- Username – Enter the user name for the Qumulo user +- Password – Enter the password for the user name +- Protocol – Select one of the following protocols from the drop-down menu: + + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + +- Connect – Click to connect using the selected protocol and validate the connection with Qumulo + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)- +HTTPS Options – Opens the Trusted server certificate window to customize the certificate +verification during a TLS session + +- Import – Click to browse for a trusted server certificate +- Remove – Click to remove the selected trusted server certificate +- Enable hostname verification – Select this checkbox to ensure that the host name the product + connects and matches the name in the certificate (CN name) +- Click **OK** to close the window and save the modifications. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/sharepoint.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/sharepoint.md new file mode 100644 index 0000000000..aba47f2739 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/sharepoint.md 
@@ -0,0 +1,32 @@ +--- +title: "SharePoint Tab" +description: "SharePoint Tab" +sidebar_position: 140 +--- + +# SharePoint Tab + +The SharePoint tab on a host’s Properties window allows users to modify settings that are populated +with the information entered when the SharePoint host is added. + +![SharePoint Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/sharepointtab.webp) + +The configurable options are: + +- Enable auditing on selected site collections - Check the box to enable auditing on selected site + collections. Enabling this option will ensure that auditing is enabled for all monitored site + collections with periodic checks. +- Choose to audit all sites or scope the monitoring to specific site(s): + + - Audit all sites – Leave textbox for URLs blank + - Scope to specific sites – List URLs for sites to be monitored in the textbox. List should be + semicolon separated. For example: + +**http://sharepoint.local/sites/marketing; http://sharepoint.local/sites/personal/user1** + +- Audit polling interval – Select the interval for how often the activity agent will request new + events from SharePoint. Number of seconds between polling request, set to 15 seconds by default +- User name - Enter the user name for the domain account with local admin permissions +- User password - Enter the password for the user name + +- Connect – Click Connect to validate the connection with SharePoint diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/tweakoptions.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/tweakoptions.md new file mode 100644 index 0000000000..d0ae6d2035 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/tweakoptions.md 
@@ -0,0 +1,12 @@ +--- +title: "Tweak Options Tab" +description: "Tweak Options Tab" +sidebar_position: 150 +--- + +# Tweak Options Tab + +The Tweak Options tab on a SQL Server host's properties window is used to configure extended events +operations for SQL activity monitoring. + +![Tweak Options Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptionstab.webp) diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md new file mode 100644 index 0000000000..2c2dfc3f86 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/unixids.md 
@@ -0,0 +1,30 @@ +--- +title: "Unix IDs Tab" +description: "Unix IDs Tab" +sidebar_position: 160 +--- + +# Unix IDs Tab + +The Unix IDs tab provides configuration options to translate Unix IDs (UID) to SIDs. This tab +applies to NetApp devices, Dell devices, and Nasuni Edge Appliances. + +When activity is performed on an NFS resource, UIDs are returned for that activity event. Depending +on the operating system, the UID can be mapped to Active Directory accounts using the uidNumber +attribute in Active Directory. The activity agent resolves the Active Directory SID based on the UID +from the activity event. + +![Unix ID Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/unixid.webp) + +The options are: + +- Translate Unix IDs to SIDs – Enables all controls on the page +- Search in container (DN) – Default naming context of the agent's domain +- Search scope – Select from the following radio buttons: + - This container and its descendants + - This container only +- Search - Search using the following specifications: + - by an attribute – Specify an LDAP filter. This attribute cannot be empty. + - with a custom filter – Use the %UID% macro for a Unix ID value + - Provide UID for test/Test – Test button performs a search in the specified container with the + scope and the filter, replacing %UID% with 0 for the test diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/windows.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/windows.md new file mode 100644 index 0000000000..97ff0873d2 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/windows.md 
@@ -0,0 +1,14 @@ +--- +title: "Windows Tab" +description: "Windows Tab" +sidebar_position: 170 +--- + +# Windows Tab + +The Windows tab on a host's Properties window is specific to Windows hosts. + +![Host Properties - Windows Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/windows.webp) + +Select whether to report the host name as either a **NETBIOS name** or a **Fully qualified domain +name**. The Host Name can be previewed to see how it appears depending on the option selected. diff --git a/docs/activitymonitor/10.0/admin/outputs/_category_.json b/docs/activitymonitor/10.0/admin/outputs/_category_.json new file mode 100644 index 0000000000..79eee1ab1e --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Output Types", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/admin/outputs/accountexclusions/_category_.json b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/_category_.json new file mode 100644 index 0000000000..a4c6e98173 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Account Exclusions Tab", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "accountexclusions" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md new file mode 100644 index 0000000000..e1dd5785ae --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md 
@@ -0,0 +1,182 @@ +--- +title: "Account Exclusions Tab" +description: "Account Exclusions Tab" +sidebar_position: 10 +--- + +# Account Exclusions Tab + +The Account Exclusions tab on an output Properties window is where monitoring scope by account name +can be modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. The tab varies based on the type of host selected. + +## For Exchange Online Hosts + +The tab contains the following settings: + +![Account Exclusions tab for Exchange Online](/images/activitymonitor/9.0/admin/outputs/accountexclusions_exchangeonline.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the + [Specify Unix Account Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Linux Hosts + +The tab contains the following settings: + +![linux](/images/activitymonitor/9.0/admin/outputs/linux.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the + [Specify Unix Account Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For NAS Device Hosts + +The tab contains the following settings: + +![Account Exclusions tab for NAS Hosts](/images/activitymonitor/9.0/admin/outputs/nasdevices.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the + [Specify Unix Account Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md) topic for additional information. 
+- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Hosts + +The tab contains the following settings: + +![Account Exclusions tab for SharePoint hosts](/images/activitymonitor/9.0/admin/outputs/sharepoint.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add SharePoint Account – Opens the Specify account window to add an account for exclusion. See the + [Specify Account Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysharepointaccount.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For SQL Server Hosts + +The tab contains the following settings: + +![sqlhosts](/images/activitymonitor/9.0/admin/outputs/sqlhosts.webp) + +- Add Sql User – Opens the Specify Sql User name window to add an account for exclusion. See the + [Specify Sql User Name Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysqluser.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Windows File Server Hosts + +The tab contains the following settings: + +![Account Exlcusions tab for Windows Hosts](/images/activitymonitor/9.0/admin/outputs/windows.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. 
By default, the Windows File Server monitoring is excluding the following +accounts: + +- NT Authority\IUSR +- NT Authority\SYSTEM +- NT Authority\LOCAL SERVICE +- NT Authority\NETWORK SERVICE + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysharepointaccount.md b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysharepointaccount.md new file mode 100644 index 0000000000..0caf42a1e7 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysharepointaccount.md @@ -0,0 +1,23 @@ +--- +title: "Specify Account Window" +description: "Specify Account Window" +sidebar_position: 10 +--- + +# Specify Account Window + +The Specify account window is opened from a field where a SharePoint account is needed. + +![Specify Account popup window](/images/activitymonitor/9.0/admin/outputs/window/sharepointspecifyaccount.webp) + +There are two options for specifying an account: + +- SharePoint System Accounts – Check the boxes for the desired system accounts: SHAREPOINT\system, + -1, S-1-0-0 (Null SID) +- Custom – Enter the account in the textbox. Multiple accounts can be added using a semicolon (;). + + - For System Service Accounts – Enter the SID for system service accounts + - For Local User Accounts – Enter either the user name or SID for the local account + +Click **OK**. The Specify account window closes, and the account is added to the field where the +window was opened. diff --git a/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysqluser.md b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysqluser.md new file mode 100644 index 0000000000..f72a6d524d --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifysqluser.md 
@@ -0,0 +1,15 @@ +--- +title: "Specify Sql User Name Window" +description: "Specify Sql User Name Window" +sidebar_position: 30 +--- + +# Specify Sql User Name Window + +The Specify Sql User name window is opened from a field where a SQL Server account is needed. + +![specifysqlusernamewindow](/images/activitymonitor/9.0/admin/outputs/window/specifysqlusernamewindow.webp) + +Enter the SQL Server user name into the text box. Multiple user names can be added using a semicolon +(;), a comma (,), or a space. Then click OK. The Specify Sql User name window closes, and the +account is added to the field where the window was opened. diff --git a/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md new file mode 100644 index 0000000000..7f0a42eb62 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifyunixaccount.md @@ -0,0 +1,15 @@ +--- +title: "Specify Unix Account Window" +description: "Specify Unix Account Window" +sidebar_position: 40 +--- + +# Specify Unix Account Window + +The Specify Unix Account or group window is opened from a field where a Unix account is needed. + +![Specify Unix Account popup window](/images/activitymonitor/9.0/admin/outputs/window/unixspecifyunixaccount.webp) + +Type the UID for the desired account in the textbox. Multiple UIDs can be added using a semicolon +(;), a comma (,), or a space. Then click OK. The Specify Unix Account window closes, and the account +is added to the field where the window was opened. diff --git a/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md new file mode 100644 index 0000000000..15e3fe7d08 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md 
@@ -0,0 +1,29 @@ +--- +title: "Specify Account or Group Window" +description: "Specify Account or Group Window" +sidebar_position: 20 +--- + +# Specify Account or Group Window + +The Specify account or group window is opened from a field where a Windows account is needed. + +![Specify Account or Group popup window](/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp) + +Follow the steps to use this window. + +**Step 1 –** Select the Domain from the drop-down menu. + +**Step 2 –** Enter the Account in the textbox. + +- Accounts can be entered in NTAccount format, UPN format, or SID format. +- Use the ellipsis (…) button to open the Select Users, Computers, Service Accounts, or Groups + window to browse for an account. + +**Step 3 –** Then click Resolve. A message displays indicating whether or not the account could be +resolved. + +**Step 4 –** If successful, click OK. + +The Specify account or group window closes, and the account is added to the field where the window +was opened. diff --git a/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md b/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md new file mode 100644 index 0000000000..aa95f6aa72 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md 
@@ -0,0 +1,38 @@ +--- +title: "Additional Properties Tab" +description: "Additional Properties Tab" +sidebar_position: 20 +--- + +# Additional Properties Tab + +The Additional Properties tab on an output Properties window is where comments and displayed host +name can be modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. + +![Additional Properties](/images/activitymonitor/9.0/admin/outputs/additionalpropertiestab.webp) + +The options are: + +- Report hostname as – The value entered here will customize the hostname that is reported for the + event in the activity log outputs +- Comment – The value entered here will appear in the Comments column in the Monitored Hosts & Services tab + table. + +Often, the Additional Properties Tab is used to indicate the purpose of the output, e.g. for Netwrix +Access Analyzer . This can be useful if using multiple outputs with +different configurations for different purposes. For example, a SharePoint site could be added as a +host and configured for Netwrix Access Analyzer data collection. It +can be added again with different monitoring options and be configured for SIEM notification. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +**Integration with Netwrix Threat Prevention for NAS Monitoring** + +If a Threat Prevention Agent has been deployed to the same Windows proxy server where and activity +agent is deployed to monitor NAS devices, then the **Comment** column in the monitored hosts/services table +identifies the host as being “Managed by Threat Prevention”, and that ‘monitored host’ configuration +is not editable through the Activity Monitor Console. Simply add the host again for other outputs. 
diff --git a/docs/activitymonitor/10.0/admin/outputs/gidexclusions/_category_.json b/docs/activitymonitor/10.0/admin/outputs/gidexclusions/_category_.json new file mode 100644 index 0000000000..7f90b35438 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/gidexclusions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "GID Exclusions Tab", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "gidexclusions" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/admin/outputs/gidexclusions/addeditgid.md b/docs/activitymonitor/10.0/admin/outputs/gidexclusions/addeditgid.md new file mode 100644 index 0000000000..6071172afe --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/gidexclusions/addeditgid.md @@ -0,0 +1,14 @@ +--- +title: "Add or Edit GID Window" +description: "Add or Edit GID Window" +sidebar_position: 10 +--- + +# Add or Edit GID Window + +The Add or Edit GID window is opened from a field where a Linux group is needed. + +![addoreditgidwindow](/images/activitymonitor/9.0/admin/outputs/window/addoreditgidwindow.webp) + +Type the GID for the desired group in the textbox. Then click OK. The Add or Edit GID window closes, +and the group is added to the field where the window was opened. diff --git a/docs/activitymonitor/10.0/admin/outputs/gidexclusions/gidexclusions.md b/docs/activitymonitor/10.0/admin/outputs/gidexclusions/gidexclusions.md new file mode 100644 index 0000000000..70cc5fd570 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/gidexclusions/gidexclusions.md 
@@ -0,0 +1,35 @@ +--- +title: "GID Exclusions Tab" +description: "GID Exclusions Tab" +sidebar_position: 30 +--- + +# GID Exclusions Tab + +The GID Exclusions tab on an output Properties window is where monitoring scope by group can be +modified. These settings are initially configured when the output is added. + +Select an output for a Linux host on the Monitored Hosts & Services tab and click **Edit** to open the output +Properties window. + +![gidexclusionstab](/images/activitymonitor/9.0/admin/outputs/gidexclusionstab.webp) + +The tab contains the following settings: + +- Add – Opens the Add or Edit GID window to add a group for exclusion. See the + [Add or Edit GID Window](/docs/activitymonitor/10.0/admin/outputs/gidexclusions/addeditgid.md) topic for additional information. +- Remove – Removes the selected group from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by group, use the **Cancel** button to discard the change. + ::: + + +- Edit – Opens the Add or Edit GID window to edit a selected group for exclusion. See the + [Add or Edit GID Window](/docs/activitymonitor/10.0/admin/outputs/gidexclusions/addeditgid.md) topic for additional information. + +The table lists groups that are being excluded from monitoring, displayed in the GID column. By +default, no groups are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/outputs/logfiles.md b/docs/activitymonitor/10.0/admin/outputs/logfiles.md new file mode 100644 index 0000000000..067ac410df --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/logfiles.md 
@@ -0,0 +1,261 @@ +--- +title: "Log Files Tab" +description: "Log Files Tab" +sidebar_position: 40 +--- + +# Log Files Tab + +The Log Files tab on an output Properties window is where the activity log settings can be modified. +These settings are initially configured when the output is added. + +Select a File output from either the Monitored Domains tab or the Monitored Hosts & Services tab and click +**Edit** to open the output Properties window. The tab varies based on the type of domain/host +selected. + +## For Active Directory Domains + +The tab contains the following settings: + +![logfilesactivedirectory](/images/activitymonitor/9.0/admin/outputs/logfilesactivedirectory.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. The Active Directory activity log settings also affect log size by controlling the + information recorded per event. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +- Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event + reporting is enabled, which means the agent will send out status messages every five minutes to + verify whether the connection is still active. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. 
The output +Properties window closes. + +## For File Server and NAS Device Hosts + +The tab contains the following settings: + +![Log File Tab - Windows File servers and NAS devices hosts](/images/activitymonitor/9.0/admin/outputs/windowsfilenasdevices.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + + - For integration with Netwrix Access Analyzer File System + Solution, this value must be higher than the number of days between the 0.Collection > 1-FSAC + System Scans Job scans. See the + [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) + for additional information. + - For integration with Netwrix Threat Prevention NAS monitoring, this setting only controls the + log retention period for NAS devices, as Netwrix Threat Prevention does not read Windows file + server activity from Activity Monitor. + +- Report account names – Indicates if an Account Name column is added in the activity log files +- Add header to Log files – Indicates if headers are added in the activity log filesAdd header to + Log files – Indicates if headers are added in the activity log files + + :::note + This is needed to feed data into Splunk in a Syslog output. However, Netwrix Access + Analyzer does not support log files with headers. Therefore, do + not select this option for a File output designed for Netwrix Access Analyzer. 
+ ::: + + +- Report UNC paths – Indicates if a UNC Path column and a Rename UNC Path column are added in the + activity log files. This option corresponds to the REPORT_UNC_PATH parameter in the INI file. When + the option is enabled, the added columns are populated when a file is accessed remotely through + the UNC Path. If a file is accessed locally, these columns are empty. + + - The UNC Path is in the following format: + + - For CIFS activity – The path is in `\\[HOST]\[SHARE]\[PATH]` format, e.g. + `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – The path is in `[HOST]:/[VOLUME]/[PATH] `format, e.g. + `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + + :::note + When this option is selected, a warning message might be displayed. + ::: + + +- Report operations with millisecond precision – Indicates the timestamps of events being recorded + in the activity log file has been changed for better ordering of events if multiple events occur + within the same second +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Linux Hosts + +The tab contains the following settings: + +![Log Files Tab for Linux Hosts](/images/activitymonitor/9.0/admin/outputs/linux.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. 
+ ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- Add header to Log files – Indicates if headers are added in the activity log filesAdd header to + Log files – Indicates if headers are added in the activity log files + + :::note + This is needed to feed data into Splunk in a Syslog output. However, Netwrix Access + Analyzer does not support log files with headers. Therefore, do + not select this option for a File output designed for Netwrix Access Analyzer. + ::: + + +- Add C:\ to the beginning of the reported file paths – Adds C:\ to the beginning of the reported + file paths in the activity log file +- Report UNC paths – Indicates if a UNC Path column and a Rename UNC Path column are added in the + activity log files. This option corresponds to the REPORT_UNC_PATH parameter in the INI file. When + the option is enabled, the added columns are populated when a file is accessed remotely through + the UNC Path. If a file is accessed locally, these columns are empty. +- Report operations with millisecond precision – Indicates the timestamps of events being recorded + in the activity log file has been changed for better ordering of events if multiple events occur + within the same second +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Microsoft Entra ID, SharePoint Online, and SQL Server Hosts + +The tab contains the following settings: + +![Log File Tab - Azure Active Directory](/images/activitymonitor/9.0/admin/outputs/azuread.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Hosts + +The tab contains the following settings: + +![Log File Tab - SharePoint On-Premises hosts](/images/activitymonitor/9.0/admin/outputs/sharepointonprem.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Log file format – Indicates the file type used for the activity log. The default is JSON. See + [SharePoint JSON Log File](/docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointjson.md) topic and the + [SharePoint TSV Log File](/docs/activitymonitor/10.0/admin/monitoredhosts/output/sharepointtsv.md) topic for additional information. +- Period to keep Log files – Activity logs are deleted after the number of days entered. 
The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/outputs/objects.md b/docs/activitymonitor/10.0/admin/outputs/objects.md new file mode 100644 index 0000000000..5893ef1b78 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/objects.md @@ -0,0 +1,21 @@ +--- +title: "Objects Tab" +description: "Objects Tab" +sidebar_position: 50 +--- + +# Objects Tab + +The Objects tab on an output Properties window is where monitoring scope by SQL Server objects can +be modified. These settings are initially configured when the output is added. + +Select an output for a SQL Server host on the Monitored Hosts & Services tab and click **Edit** to open the +output Properties window. + +![Objects Tab](/images/activitymonitor/9.0/admin/outputs/objectstab.webp) + +The **Refresh** button populates the list of SQL Server objects for the selected host. By default, +all objects are checked and will be monitored. Check and uncheck objects as desired. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/outputs/operations/_category_.json b/docs/activitymonitor/10.0/admin/outputs/operations/_category_.json new file mode 100644 index 0000000000..77005a0b76 
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/operations/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Operations Tab",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "operations"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/outputs/operations/operations.md b/docs/activitymonitor/10.0/admin/outputs/operations/operations.md
new file mode 100644
index 0000000000..5c8d9cb0be
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/operations/operations.md
@@ -0,0 +1,344 @@ +--- +title: "Operations Tab" +description: "Operations Tab" +sidebar_position: 60 +--- + +# Operations Tab + +The Operations tab on an output Properties window is where monitoring scope by operation can be +modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. The tab varies based on the type of host selected. + +## For Linux Hosts + +The tab contains the following settings and features: + +![linux](/images/activitymonitor/9.0/admin/outputs/linux.webp) + +Use the options in the Operations tab to filter the list of available audit activities. The options +are: + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Microsoft Entra ID Hosts + +The tab contains the following settings and features: + +![Host Properties - Azure AD Operations tab](/images/activitymonitor/9.0/admin/outputs/azureadoperationstab.webp) + +- Monitor Sign-Ins activity – Indicates if user sign-ins activity is monitored +- Monitor Audit activity – Indicates if audit for all operations is monitored +- Service – Filter the table by Service using the drop-down menu +- Category – Filter the table by Category using the drop-down menu +- Operation – Filter the table by Operation using the textbox + +The table lists operations being monitored, displaying columns for Service, Category, and Operation. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Nasuni Hosts + +The tab contains the following settings and features: + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List +- Link Operations – Scope by link operation events: Add, Delete +- Suppress reporting of File Explorer's excessive directory traversal activity – When you open a + folder, Windows File Explorer tends to read all sub-folders to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read / List option for Directory Operations is + selected. +- Suppress reporting of File Explorer's excessive file read activity – When you open a folder, + Windows File Explorer tends to read files in the folder to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read option for File Operations is selected. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. +- Suppress operations on common temporary files – Filters out events for common temporary files. + With this option enabled, events for these common temporary files are ignored. +- Suppress duplicate operations for [VALUE] seconds + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Nutanix Hosts + +The tab contains the following settings and features: + +![operations](/images/activitymonitor/9.0/admin/outputs/operations.webp) + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission change + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Qumulo Hosts + +The tab contains the following settings and features: + +![qumulooutputproperties](/images/activitymonitor/9.0/admin/outputs/qumulooutputproperties.webp) + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List +- Share Operations – Scope by share operation events: Add, Delete, Update, Read / Connect +- Suppress operations on common temporary files – Filters out events for common temporary files. + With this option enabled, events for these common temporary files are ignored. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For SharePoint Host + +The tab contains the following settings and features: + +![Operations Tab for SharePoint](/images/activitymonitor/9.0/admin/outputs/sp.webp) + +- SharePoint operations – Scope by SharePoint operation events: Check-Out, View, Update, Child + Delete, Undelete, Copy, Audit Mask Change, Child Move, Custom, Check-In, Delete, Profile Change, + Schema Change, Workflow, Move, Search, File Fragment Write +- Permission Operations – Scope by permission operation events: Creation of a user group, Addition + of a new member to a group, creation of a new role, Changing a role, Changing the permissions of a + user or group, Turning off inheritance of security settings, Granting App Permissions, Deletion of + a group, Deletion of a member from a group, Removal of a role, Turning off inheritance of role, + Turning on inheritance of security settings, Deletion of audited events, Revoking App Permissions + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Online Host + +The tab contains a subset of tabs. Each tab has a **Select All** check box to include all events for +that tab. 
+ +![Operations Tab for SharePoint Online Properties](/images/activitymonitor/9.0/admin/outputs/operationstab.webp) + +You can scope by the following events: + +| Tab | Event | +| -------------------------- | --------------------------------------------- | +| Content Explorer | Accessed item | +| DLP | Designated false positive | +| DLP | Matched DLP rule | +| DLP | Undone DLP action | +| File and Page | Accessed File | +| File and Page | Accessed File (ext) | +| File and Page | Changed compliance policy label | +| File and Page | Changed record status to locked | +| File and Page | Changed record status to unlocked | +| File and Page | Checked in file | +| File and Page | Checked out file | +| File and Page | Copied file | +| File and Page | Deleted file | +| File and Page | Deleted file from recycle bin | +| File and Page | Deleted file from second-stage recycle bin | +| File and Page | Deleted record compliance policy label | +| File and Page | Detected document sensitivity mismatch | +| File and Page | Detected malware in file | +| File and Page | Discarded file checkout | +| File and Page | Downloaded file | +| File and Page | Modified file | +| File and Page | Modified file (ext) | +| File and Page | Moved file | +| File and Page | Performed search query | +| File and Page | Prefetched page | +| File and Page | Previewed file | +| File and Page | Recycled all minor versions of file | +| File and Page | Recycled all versions of file | +| File and Page | Recycled version of file | +| File and Page | Renamed file | +| File and Page | Restored file | +| File and Page | Uploaded file | +| File and Page | View signaled by client | +| File and Page | Viewed page | +| File and Page | Viewed page (ext) | +| Folder | Copied folder | +| Folder | Created folder | +| Folder | Deleted folder | +| Folder | Deleted folder from recycle bin | +| Folder | Deleted folder from second-stage recycle bin | +| Folder | Modified folder | +| Folder | Moved folder | +| Folder | Renamed 
folder | +| Folder | Restored folder | +| List | Created list | +| List | Created list column | +| List | Created list column | +| List | Created list content type | +| List | Created list item | +| List | Created site column | +| List | Created site content type | +| List | Deleted list | +| List | Deleted list column | +| List | Deleted list content type | +| List | Deleted list item | +| List | Deleted site column | +| List | Deleted site content type | +| List | Recycled list item | +| List | Restored list | +| List | Restored list item | +| List | Updated list | +| List | Updated list column | +| List | Updated list content type | +| List | Updated list item | +| List | Updated site column | +| List | Updated site content type | +| Other | Other events | +| Sensitive Label | Applied sensitivity label to file | +| Sensitive Label | Applied sensitivity label to site | +| Sensitive Label | Changed sensitivity label applied to file | +| Sensitive Label | Removed sensitivity label from file | +| Sensitive Label | Removed sensitivity label from site | +| Sharing and Access Request | Accepted access request | +| Sharing and Access Request | Accepted sharing invitation | +| Sharing and Access Request | Added permission level to site collection | +| Sharing and Access Request | Blocked sharing invitation | +| Sharing and Access Request | Created a company shareable link | +| Sharing and Access Request | Created access request | +| Sharing and Access Request | Created an anonymous link | +| Sharing and Access Request | Created secure link | +| Sharing and Access Request | Created sharing invitation | +| Sharing and Access Request | Deleted secure link | +| Sharing and Access Request | Denied access request | +| Sharing and Access Request | Removed a company shareable link | +| Sharing and Access Request | Removed an anonymous link | +| Sharing and Access Request | Shared file, folder, or site | +| Sharing and Access Request | Unshared file, folder, or site | +| Sharing 
and Access Request | Updated access request | +| Sharing and Access Request | Updated an anonymous link | +| Sharing and Access Request | Updated sharing invitation | +| Sharing and Access Request | Used a company shareable link | +| Sharing and Access Request | Used an anonymous link | +| Sharing and Access Request | Used secure link | +| Sharing and Access Request | User added to secure link | +| Sharing and Access Request | User removed from secure link | +| Sharing and Access Request | Withdrew sharing invitation | +| Site Administration | Added allowed data location | +| Site Administration | Added exempt user agent | +| Site Administration | Added geo location admin | +| Site Administration | Allowed user to create groups | +| Site Administration | Canceled site geo move | +| Site Administration | Changed a sharing policy | +| Site Administration | Changed device access policy | +| Site Administration | Changed exempt user agents | +| Site Administration | Changed network access policy | +| Site Administration | Completed site geo move | +| Site Administration | Created Sent To connection | +| Site Administration | Created site collection | +| Site Administration | Deleted orphaned hub site | +| Site Administration | Deleted Sent To connection | +| Site Administration | Deleted site | +| Site Administration | Enabled document preview | +| Site Administration | Enabled legacy workflow | +| Site Administration | Enabled Office on Demand | +| Site Administration | Enabled result source for People Searches | +| Site Administration | Enabled RSS feeds | +| Site Administration | Joined site to hub site | +| Site Administration | Registered hub site | +| Site Administration | Removed allowed data location | +| Site Administration | Removed geo location admin | +| Site Administration | Renamed site | +| Site Administration | Scheduled site geo move | +| Site Administration | Set host site | +| Site Administration | Set storage quota for geo location | +| Site 
Administration | Unjoined site from hub site | +| Site Administration | Unregistered hub site | +| Site Permissions | Added site collection admin | +| Site Permissions | Added user or group to SharePoint group | +| Site Permissions | Broke permission level inheritance | +| Site Permissions | Broke sharing inheritance | +| Site Permissions | Created group | +| Site Permissions | Deleted group | +| Site Permissions | Modified access request setting | +| Site Permissions | Modified 'Members Can Share' setting | +| Site Permissions | Modified permissions level on site collection | +| Site Permissions | Modified site permissions | +| Site Permissions | Removed permission level from site collection | +| Site Permissions | Removed site collection admin | +| Site Permissions | Removed user or group from SharePoint group | +| Site Permissions | Requested site admin permissions | +| Site Permissions | Restored sharing inheritance | +| Site Permissions | Updated group | +| Synchronization | Allowed computer to sync files | +| Synchronization | Blocked computer from syncing files | +| Synchronization | Downloaded file changes to computer | +| Synchronization | Downloaded files to computer | +| Synchronization | Uploaded file changes to document library | +| Synchronization | Uploaded files to document library | + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For SQL Server Hosts + +The tab contains the following settings and features: + +![sql](/images/activitymonitor/9.0/admin/outputs/sql.webp) + +- DML operations – Scope by DML operation events: Select, Update, Merge, Insert, Delete, Execute +- Audit operations – Scope by audit operation events: Login, Logout, Login Failed, Error +- Permission operations – Scope by permission operation events: Grant, Deny, Revoke, Alter Role +- Suppress subsequent logon/logout events from the same user in [VALUE] minutes interval + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Windows File Server Hosts + +The tab contains the following settings and features: + +![Operations Tab for File System](/images/activitymonitor/9.0/admin/outputs/fs.webp) + +- Operation Type – Scope events by operation type: + + - All – Both allowed and denied operations + - Allowed only – Only allowed operations + - Denied only – Only denied operations + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List +- Share Operations – Scope by share operation events: Add, Delete, Update, Permission change +- VSS Operations – Scope by VSS operation events: Snapshot add, Snapshot delete, Read +- Suppress reporting of File Explorer's excessive directory traversal activity – When you open a + folder, Windows File Explorer tends to read all sub-folders to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read / List option for Directory Operations is + selected. 
+- Suppress reporting of File Explorer's excessive file read activity – When you open a folder, + Windows File Explorer tends to read files in the folder to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read option for File Operations is selected. +- Suppress Permission Change operations with reordered ACL – Prevents tracking events where + permission updates occurred resulting in reordered ACEs, but with no other changes in the ACL +- Suppress Inherited Permissions Changes – Prevents tracking events where changes for inherited + permissions occurred. This option is provided to improve overall performance and reduce output log + volume. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. +- Suppress operations on common temporary files – Filters out events for common temporary files. + With this option enabled, events for these common temporary files are ignored. +- Suppress duplicate operations for [VALUE] seconds + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +See[Suppress Windows Explorer Activity](/docs/activitymonitor/10.0/admin/outputs/operations/suppress.md) topic for more information. diff --git a/docs/activitymonitor/10.0/admin/outputs/operations/suppress.md b/docs/activitymonitor/10.0/admin/outputs/operations/suppress.md new file mode 100644 index 0000000000..d3f4f6e0f3 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/operations/suppress.md 
@@ -0,0 +1,72 @@ +--- +title: "Suppress Windows Explorer Activity" +description: "Suppress Windows Explorer Activity" +sidebar_position: 10 +--- + +# Suppress Windows Explorer Activity + +Not all file operations are deliberate. Operating systems and third-party software have the +capability to execute operations on files without explicit user action. While this functionality can +improve user experience, it also presents a challenge to IT teams as it generates a record of +actions that have not been explicitly triggered by users. + +One of the most prominent examples is the Windows File Explorer - the standard application for file +system browsing on the Windows family of operating systems. Over the years, File Explorer has had a +number of improvements and new features. File Explorer displays various information about files to +provide a better user experience. This allows users to view file content without having to open +them. + +File Explorer displays icons for certain file types like executable (.exe) files. Depending on the +View mode, it can display thumbnails of various file formats and meta-data with things like author, +number of pages, image dimensions, etc. Hovering a mouse cursor over a file also provides detailed +information about a file in a tool tip. When working with sub-folders, File Explorer may display a +thumbnail of the files contained within the sub-folder on top of the sub-folder icon. This +additional functionality is executed automatically, mostly without the user's explicit action or +intention. + +As an example, a user may wish to open the MySampleReport.docx document located in the +MyTestDepartment folder. The user opens the folder, locates the file and double-clicks to open it. +From the user's perspective, only two actions were performed: + +1. Open MyTestMyDepartment folder. +2. Open MySampleReport.docx. 
+ +However, File Explorer performs a number of additional operations on behalf of the user: + +- It reads and displays icons for certain files types in MyTestMyDepartment folder. +- It reads the meta-data of the files or sub-folders under the mouse cursor while the user is + locating the document. +- It reads the meta-data and preview if the user accidentally selects an incorrect file. +- It lists the content of all sub-folders and generates thumbnails to be displayed on top of the + sub-folder icon. +- It may create or update Thumbs.db file - a cache of thumbnail images. + +None of these additional file operations, which can be called Preview Reads, are explicitly +initiated by the user. However, the audit log records all of them as originating from the user. + +Preview Reads and similar unintentional automatic operations pose a significant challenge for IT +teams and IT auditing software. At the file system level, preview reads are perceived as normal read +operations, like file copying or opening a file in an application. There exists no distinguishing +factor between explicit user activity and implicit actions by File Explorer. Whether it is a preview +read, opening the file in Notepad, or copying the file, all these operations are perceived as the +same Read operation at the file system level. Therefore, it is not possible to reliably filter +unintentional activity without the risk of suppressing genuine user actions. + +The Activity Monitor employs various techniques to minimize noise. These methods all rely on +identifying patterns in the sequence of events. However, their effectiveness is severely limited, as +research has shown that clear patterns of preview reads activity in File Explorer are lacking. For +the Windows Server, the effectiveness is slightly higher since theActivity Monitor's file system +driver can observe all the low-level details about operations. 
+ +The product provides the following filtering options to reduce File Explorer preview reads: + +- Suppress reporting of File Explorer’s excessive directory traversal activity - This option aims to + identify and suppress preview reads of sub-folders that occur immediately after the parent folder + is opened. +- Suppress reporting of File Explorer’s excessive file read activity - This option attempts to + identify and suppress preview reads of files that occur immediately after the parent folder is + opened. + +Both filtering options prioritize the accuracy of audit data over noise reduction. In other words, +they will report a noise event rather than suppress a genuine user action. diff --git a/docs/activitymonitor/10.0/admin/outputs/overview.md b/docs/activitymonitor/10.0/admin/outputs/overview.md new file mode 100644 index 0000000000..80e92a65b7 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/overview.md 
@@ -0,0 +1,121 @@ +--- +title: "Output Types" +description: "Output Types" +sidebar_position: 40 +--- + +# Output Types + +Once a domain or a host/service is being monitored the event stream can be sent to multiple outputs. There +are three types of outputs: + +- File – Creates an activity log as a TSV or JSON file for every day of activity + +- Syslog – Sends activity events to the configured SIEM server. + For file servers, this option is also used to send activity events to Netwrix Threat Manager. + +- Netwrix Threat Manager – Sends Active Directory activity events to Netwrix Threat Manager + + :::note + This output type is only available for Monitored Domains + ::: + + +See the [Output for Monitored Domains](/docs/activitymonitor/10.0/admin/monitoreddomains/output/output.md) topic and the +[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for information on adding an output. + +Output configurations vary based on the type of domain/host selected. 
+ +## For Active Directory Domains + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Threat Manager Tab](/docs/activitymonitor/10.0/admin/outputs/threatmanager.md), Netwrix Threat Manager output only + +## For File System Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/10.0/admin/outputs/protocols.md) +- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Process Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/processexclusions/processexclusions.md), Windows only +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) + +## For Linux Hosts + +In addition to common File System tabs, Linux outputs have the following tabs: + +- [GID Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/gidexclusions/gidexclusions.md) + + +## For Exchange Online Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) +- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) +- Application Exclusions Tab +- Mailbox Exclusions Tab +- [Additional 
Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) + + +## For Microsoft Entra ID Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) +- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) + + +## For SharePoint Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md) +- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) + +## For SharePoint Online Hosts + +Output Properties window has the following tabs: + +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only + +## For SQL Server Hosts + +Output Properties window has the following tabs: + +- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) +- [Log Files 
Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only
+- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md)
+- [Objects Tab](/docs/activitymonitor/10.0/admin/outputs/objects.md)
+- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only
+
+## For Windows File Server Hosts
+
+Output Properties window has the following tabs:
+
+- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md)
+- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md)
+- [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only
+- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md)
+- [Path Filtering Tab](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md)
+- [Protocols Tab](/docs/activitymonitor/10.0/admin/outputs/protocols.md)
+- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only
diff --git a/docs/activitymonitor/10.0/admin/outputs/pathfiltering/_category_.json b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/_category_.json
new file mode 100644
index 0000000000..abd798d0ab
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Path Filtering Tab",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "pathfiltering"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md
new file mode 100644
index 0000000000..7150037aa5
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md
@@ -0,0 +1,36 @@
+---
+title: "Add or Edit Path Window"
+description: "Add or Edit Path Window"
+sidebar_position: 10
+---
+
+# Add or Edit Path Window
+
+The Add or Edit Path window is opened from the Path Filtering tab of a monitored host's output
+Properties window.
+
+![addoreditpath](/images/activitymonitor/9.0/admin/outputs/window/addoreditpath.webp)
+
+- Specify a path to filter during collection – Enter a file path in the textbox or use the ellipsis
+ (…) to browse for a folder
+- Filter Type – Indicates if the filter will be **Included** or **Excluded**
+
+Then click OK. The Add or Edit Path window closes, and the path is added to the filtering list for
+the monitored host.
+
+## Special Consideration for NAS Device Hosts
+
+For NAS devices, the activity agent can configured to add ‘C:\’ to the beginning of the path, which
+is a requirement for the output that is designated for StealthAUDIT.exe or being read by a Netwrix
+Threat Prevention agent. That configuration is on the [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md). If the option
+is enabled for this monitored device, start your paths with C:\.
+
+## Wildcard
+
+Wildcard filtering can be configured using the following wildcard characters:
+
+| Wildcard | Definition |
+| -------- | ------------------------------------------------------------ |
+| \* | matches zero or more characters (except for "\" or "/") |
+| ? | matches any single character (except for "\" or "/") |
+| \*\* | matches zero or more characters (useful for directory trees) |
diff --git a/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md
new file mode 100644
index 0000000000..4809d2d2ee
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md
@@ -0,0 +1,180 @@
+---
+title: "Path Filtering Tab"
+description: "Path Filtering Tab"
+sidebar_position: 70
+---
+
+# Path Filtering Tab
+
+The Path Filtering tab on an output Properties window is where monitoring scope by file paths can be
+modified. Specified paths can be included in or excluded. These settings are initially configured
+when the output is added.
+
+Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties
+window. The tab varies based on the type of host selected.
+
+## For Linux Hosts
+
+The tab contains the following settings and features:
+
+![pathfilteringtab](/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp)
+
+- Add – Opens the Add or Edit Path window to add a new path to the list. See the
+ [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information.
+- Remove – Removes the selected path from the list. Confirmation is not requested.
+
+ :::warning
+ If a path is removed by accident, use the **Cancel** button to discard the change.
+ :::
+
+
+- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these
+ buttons move the selected path up or down in the list
+- Edit – Opens the Add or Edit Path window to modify the selected path. See the
+ [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information.
+- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to
+ test whether it will be included/excluded based on the path filtering list
+
+ - Result – Under the text box, a description of whether the indicated path is included or
+ excluded will appear, as well as a reason for why the indicated path is included or excluded. 
+ Additionally, the path in the list that is applied to the test will be highlight ed: green
+ highlight for an included path and red highlight for an excluded path.
+
+- Exclude extensions – Displays a space separated list of file extensions that are excluded
+- Exclude streams – Displays a space separated list of streams that are excluded
+
+The table lists paths that are being filtered, displaying columns for Type, indicating if it is
+being Included or Excluded, and Pattern. The order of the list determines what paths are included
+and what paths are excluded.
+
+:::warning
+Exclude takes precedence over the Include. For example, if the C:\OpenShare is
+excluded, but the C:\OpenShare\Edward is included, the ‘OpenShare’ parent exclusion takes
+precedence, and the ‘Edward’ child folder will not be monitored.
+:::
+
+
+:::note
+If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are
+added), then all current and new discovered drives will be monitored.
+:::
+
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output
+Properties window closes.
+
+## For NAS Device Hosts
+
+The tab contains the following settings and features:
+
+![Host Properties - Path Filtering Tab](/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp)
+
+- Add – Opens the Add or Edit Path window to add a new path to the list. See the
+ [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information.
+- Remove – Removes the selected path from the list. Confirmation is not requested.
+
+ :::warning
+ If a path is removed by accident, use the **Cancel** button to discard the change.
+ :::
+
+
+- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these
+ buttons move the selected path up or down in the list
+- Edit – Opens the Add or Edit Path window to modify the selected path. 
See the
+ [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information.
+- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to
+ test whether it will be included/excluded based on the path filtering list
+
+ - Result – Under the text box, a description of whether the indicated path is included or
+ excluded will appear, as well as a reason for why the indicated path is included or excluded.
+ Additionally, the path in the list that is applied to the test will be highlight ed: green
+ highlight for an included path and red highlight for an excluded path.
+
+- Exclude extensions – Displays a space separated list of file extensions that are excluded
+- Exclude streams – Displays a space separated list of streams that are excluded
+
+The table lists paths that are being filtered, displaying columns for Type, indicating if it is
+being Included or Excluded, and Pattern. The order of the list determines what paths are included
+and what paths are excluded.
+
+:::warning
+Exclude takes precedence over the Include. For example, if the C:\OpenShare is
+excluded, but the C:\OpenShare\Edward is included, the ‘OpenShare’ parent exclusion takes
+precedence, and the ‘Edward’ child folder will not be monitored.
+:::
+
+
+:::note
+If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are
+added), then all current and new discovered drives will be monitored.
+:::
+
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output
+Properties window closes.
+
+## For SharePoint Hosts
+
+For a SharePoint host, the Path Filtering tab is for including and excluding sites. 
The tab contains
+the following settings and features:
+
+![Path Filtering Tab for SharePoint Hosts](/images/activitymonitor/9.0/admin/outputs/pathfilteringsharepointhosts.webp)
+
+- To audit all sites, leave the textbox blank
+- To include a specific site, enter the URL
+- To exclude a specific site, enter the URL but add a minus sign (-) as a prefix to the URL, for
+ example:
+
+**-http://sharepoint.local/sites/marketing**
+
+Use a semicolon (;) to separate multiple URLs.
+
+## For Windows File Server Hosts
+
+The tab contains the following settings and features:
+
+- Add – Opens the Add or Edit Path window to add a new path to the list. See the
+ [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information.
+- Remove – Removes the selected path from the list. Confirmation is not requested.
+
+ :::warning
+ If a path is removed by accident, use the **Cancel** button to discard the change.
+ :::
+
+
+- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these
+ buttons move the selected path up or down in the list
+- Edit – Opens the Add or Edit Path window to modify the selected path. See the
+ [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information.
+- Add all local drives – Retrieves and adds all local drives to the bottom of the list with a type
+ of Include
+- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to
+ test whether it will be included/excluded based on the path filtering list
+
+ - Result – Under the text box, a description of whether the indicated path is included or
+ excluded will appear, as well as a reason for why the indicated path is included or excluded. 
+ Additionally, the path in the list that is applied to the test will be highlight ed: green
+ highlight for an included path and red highlight for an excluded path.
+
+- Exclude extensions – Displays a space separated list of file extensions that are excluded
+- Exclude streams – Displays a space separated list of streams that are excluded
+
+The table lists paths that are being filtered, displaying columns for Type, indicating if it is
+being Included or Excluded, and Pattern. The order of the list determines what paths are included
+and what paths are excluded.
+
+:::warning
+Exclude takes precedence over the Include. For example, if the C:\OpenShare is
+excluded, but the C:\OpenShare\Edward is included, the ‘OpenShare’ parent exclusion takes
+precedence, and the ‘Edward’ child folder will not be monitored.
+:::
+
+
+:::note
+If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are
+added), then all current and new discovered drives will be monitored.
+:::
+
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/outputs/processexclusions/_category_.json b/docs/activitymonitor/10.0/admin/outputs/processexclusions/_category_.json
new file mode 100644
index 0000000000..e0e40e3721
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/processexclusions/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Process Exclusions Tab",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "processexclusions"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/outputs/processexclusions/addeditprocess.md b/docs/activitymonitor/10.0/admin/outputs/processexclusions/addeditprocess.md
new file mode 100644
index 0000000000..215dd6bc2f
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/processexclusions/addeditprocess.md
@@ -0,0 +1,20 @@
+---
+title: "Add or Edit Process Window"
+description: "Add or Edit Process Window"
+sidebar_position: 10
+---
+
+# Add or Edit Process Window
+
+The Add or Edit Process window is opened from the Process Exclusions tab of a monitored host's
+output Properties window.
+
+![Add or Edit Process popup window](/images/activitymonitor/9.0/admin/outputs/window/addoreditprocessprocessexclusions.webp)
+
+- Process name – Displays the name of the process to be excluded. You can enter a process name in
+ the textbox or select a process from the Running processes list.
+- Filter – Indicates if the filter will be for **All events** or only **Read events**
+- Running Processes – Lists all processes currently running on the host
+
+Then click OK. The Add or Edit Path window closes, and the path is added to the filtering list for
+the monitored host.
diff --git a/docs/activitymonitor/10.0/admin/outputs/processexclusions/processexclusions.md b/docs/activitymonitor/10.0/admin/outputs/processexclusions/processexclusions.md
new file mode 100644
index 0000000000..a4ad6d2283
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/processexclusions/processexclusions.md
@@ -0,0 +1,40 @@
+---
+title: "Process Exclusions Tab"
+description: "Process Exclusions Tab"
+sidebar_position: 80
+---
+
+# Process Exclusions Tab
+
+The Process Exclusions tab on an output Properties window is where monitoring scope by Windows
+processes can be modified. These settings are initially configured when the output is added.
+
+:::note
+Netwrix product processes are excluded by default from activity monitoring.
+:::
+
+
+Select an output for a Windows file server host on the Monitored Hosts & Services tab and click **Edit** to
+open the output Properties window.
+
+![Process Exclusions Tab](/images/activitymonitor/9.0/admin/outputs/processexclusions.webp)
+
+The tab contains the following settings and features:
+
+- Add – Opens the Add or Edit Process window to add a new process to the list. See the
+ [Add or Edit Process Window](/docs/activitymonitor/10.0/admin/outputs/processexclusions/addeditprocess.md) topic for additional information.
+- Remove – Removes the selected path from the list. Confirmation is not requested.
+
+ :::warning
+ If a process is removed by accident, use the **Cancel** button to discard the
+ change.
+ :::
+
+
+- Edit – Opens the Add or Edit Process window to modify the selected process. See the
+ [Add or Edit Process Window](/docs/activitymonitor/10.0/admin/outputs/processexclusions/addeditprocess.md) topic for additional information.
+
+The table lists process that will be excluded, displaying columns for Process Name and Events.
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/outputs/protocols.md b/docs/activitymonitor/10.0/admin/outputs/protocols.md
new file mode 100644
index 0000000000..f8b18ab844
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/protocols.md
@@ -0,0 +1,23 @@
+---
+title: "Protocols Tab"
+description: "Protocols Tab"
+sidebar_position: 90
+---
+
+# Protocols Tab
+
+The Protocols tab on an output Properties window is where monitoring scope by protocol can be
+modified. These settings are initially configured when the output is added.
+
+Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties
+window.
+
+![Protocols Tab](/images/activitymonitor/9.0/admin/outputs/protocolstab.webp)
+
+The tab contains the following settings:
+
+- Protocols – Indicates if **All** protocols, only **CIFS** protocols, or only **NFS** protocols are
+ included
+
+Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output
+Properties window closes.
diff --git a/docs/activitymonitor/10.0/admin/outputs/syslog/_category_.json b/docs/activitymonitor/10.0/admin/outputs/syslog/_category_.json
new file mode 100644
index 0000000000..f02dff6af7
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/syslog/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Syslog Tab",
+ "position": 100,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "syslog"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md b/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md
new file mode 100644
index 0000000000..8ae30369bb
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md
@@ -0,0 +1,209 @@
+---
+title: "Message Template Window"
+description: "Message Template Window"
+sidebar_position: 10
+---
+
+# Message Template Window
+
+The Message Template window is opened from the ellipsis (…) button for the Syslog Message Template
+field on the Syslog tab of the output Properties window.
+
+![Message Template window](/images/activitymonitor/9.0/admin/outputs/window/syslogmessagetemplate.webp)
+
+You can select a preconfigured template from the drop-down menu or create a custom template. The
+available preconfigured templates vary based on the type of domain/host selected.
+
+## For Monitored Domains
+
+Monitored Domains Syslog outputs have the following preconfigured Templates:
+
+- V 1.0 for AlienVault SIEM
+- V 1.0 for Generic CEF SIEM – Incorporates the CEF message format
+- V 1.0 for Generic LEEF SIEM – Incorporates the LEEF message format
+- V 1.0 for Generic SYSLOG SIEM
+- V 1.0 for HP ArcSight SIEM
+- V 1.0 for LogRhythm SIEM
+- V 1.0 for McAfee ESM SIEM
+- V 1.0 for IBM QRadar SIEM
+- V 1.0 for Splunk SIEM
+- V 2.0 for IBM QRadar SIEM 7.2.4
+- V 2.0 for Splunk SIEM
+
+Custom templates can be created. Select the desired template or create a new template by modifying
+an existing template within the Message Template window. The new message template will be named
+Custom. Macro variables are also available to customize the Syslog message template.
+
+**Macro Variables for Monitored Domains**
+
+Macros are text strings that are replaced with actual values at run time. 
The following Macro
+variables are available to customize the Syslog message template:
+
+| Variable | Definition |
+| ------------------------------ | ------------------------------------------------------------------------------------ |
+| %AFFECTED_OBJECT_ACCOUNT_NAME% | Affected Object Name |
+| %AFFECTED_OBJECT_SID% | Affected Object SID |
+| %ATTRIBUTE_NAME% | Attribute Name |
+| %ATTRIBUTE_VALE% | New Attribute Value |
+| %BLOCKED_EVENT% | True if the operation was denied, False otherwise |
+| %CLASS_NAME% | Class Name |
+| %COMPANY% | Company Name |
+| %DN% | Distinguished Name of the Affected Object |
+| %ERTYPE_ID% | Event Type ID |
+| %EVENT_CODE% | Code |
+| %EVENT_NAME% | Event Name |
+| %EVENT_SOURCE_NAME% | Event Source Name |
+| %EVENT_SOURCE_TYPE% | Event Source Type |
+| %EVENTNAMETRANSLATED% | Translated Event Name |
+| %EVENTS_COUNT% | Consolidated Events Count |
+| %HOST% | Message Source Hostname |
+| %OLD_ATTRIBUTE_VALUE% | Old Attribute Value |
+| %OPERATION% | Operation Performed |
+| %ORIGINATING_CLIENT% | Originating Client |
+| %ORIGINATING_SERVER% | Originating Server |
+| %ORIGINATING_SERVERIP% | Originating Server IP Address |
+| %ORIGINATINGCLIENTHOST% | Originating Server Host Name |
+| %ORIGINATINGCLIENTIP% | Originating Client IP Address |
+| %ORIGINATINGCLIENTMAC% | Originating Client MAC |
+| %ORIGINATINGCLIENTPROTOCOL% | Originating Client Protocol |
+| %PERMISSIONS_SDDL_DESCRIPTION% | Windows only: Permission change details in readable format |
+| %PERPETRATOR% | Perpetrator |
+| %PERPETRATOR_NAME% | Perpetrator Name |
+| %PERPETRATOR_SID% | Perpetrator SID |
+| %USERNAME% | 'Username' part of the %PERPETRATOR_NAME% field if it is in 'DOMAIN\Username' format |
+| %PRODUCT% | Product Name |
+| %PRODUCT_VERSION% | Product Version |
+| %SETTING_NAME% | Setting Name |
+| %SUCCESS% | Success |
+| %STATUS% | Status |
+| %SYSLOG_DATE% | Current Date Time in Syslog Format |
+| %SYSLOG_EVENTID% | Syslog Event ID |
+| %TARGETHOST% | 
Target Host |
+| %TARGETHOSTIP% | Target Host IP |
+| %TIME_STAMP% | Date Timestamp of Event |
+| %TIME_STAMP_UTC% | Date Timestamp of Event in UTC |
+
+## For Monitored Hosts/Services
+
+Monitored Hosts/Services Syslog outputs have the following preconfigured Templates:
+
+- AlienVault / Generic Syslog
+- CEF – Incorporates the CEF message format
+- HP Arcsight
+- LEEF – Incorporates the LEEF message format
+- LogRhythm
+- McAfee
+- QRadar – Use this template for IBM QRadar integration. See the
+ [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) topic for
+ additional information.
+- Splunk – Use this template for Splunk integration. See the Configure the
+ [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) topic for additional
+ information.
+- Netwrix Threat Manager (StealthDEFEND) – Use this template for Netwrix Threat Manager integration.
+ This is the only supported template for Threat Manager.
+
+Custom templates can be created. Select the desired template or create a new template by modifying
+an existing template within the Message Template window. The new message template will be named
+Custom. Macro variables are also available to customize the Syslog message template.
+
+**Macro Variables**
+
+Macros are text strings that are replaced with actual values at run time. Not all macro variables
+are applicable to all environment types. 
The following Macro variables are available to customize
+the Syslog message template:
+
+| Environment | Variable | Definition |
+| ------------------------------------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| SharePoint Online | %ABSOLUTE_URL% | Absolute URL of the affected object |
+| SharePoint Online | %ACCESS% | Access granted by the sharing operation |
+| SharePoint | %APPPRINCIPAL_ID% | App Principal ID |
+| File Servers & NAS Devices | %ATTRIBUTE_NAME% | Rename events only: Fixed string: Filename |
+| File Servers & NAS Devices | %ATTRIBUTE_VALUE% | Rename events only: New file path |
+| File Servers & NAS Devices SharePoint | %BLOCKED_EVENT% | True if the operation was denied, False otherwise |
+| SharePoint SharePoint Online | %CLIENT_IP% | IP address of the user |
+| File Servers & NAS Devices SharePoint SharePoint Online | %COMPANY% | Fixed string: Netwrix |
+| SharePoint Online | %CUSTOM_EVENT% | Custom Event information |
+| SharePoint Online | %DEST_FILE_EXT% | New file extension of copied or moved file |
+| SharePoint Online | %DEST_FILENAME% | Name of the file that is copied or moved |
+| SharePoint Online | %DEST_RELATIVE_PATH% | URL of the destination folder where a folder is copied or moved |
+| SharePoint Online | %DLP_EXCEPTION% | Reasons why a policy no longer applies and any information about false positive or override |
+| SharePoint Online | %DLP_POLICY% | Policy(s) that triggered the event |
+| SharePoint Online | %DLP_SENSITIVE% | Indicates whether the event contains the value of the sensitive data type (true/false) |
+| SharePoint SharePoint Online | %DOC_LOCATION% | A relative URL of the file or document accessed by the user |
+| SharePoint SharePoint Online | %EVENT_DATA% | - For SharePoint, raw event data - Fore SharePoint Online, additional event data |
+| File Servers & NAS 
Devices | %EVENT_NAME% | Operation type: Read/Create/Update/Delete/Access Rights Change/ Rename/ ``. The same as %OPERATION% |
+| SharePoint SharePoint Online | %EVENT_SOURCE% | Originating source of the event (SharePoint or ObjectModel) |
+| File Servers & NAS Devices | %EVENT_SOURCE_NAME% | Domain name |
+| SharePoint SharePoint Online | %EVENT_TYPE% | Event type |
+| File Servers & NAS Devices | %FILE_NAME% | File name |
+| File Servers & NAS Devices | %FILE_PATH% | Full path |
+| File Servers & NAS Devices | %FILE_SIZE% | Size of File |
+| File Servers & NAS Devices | %FILE_TYPE% | File extension |
+| SharePoint | %FULL_PATH% | Full Path |
+| File Servers & NAS Devices SharePoint SharePoint Online | %HOST% | Hostname of Agent |
+| SharePoint Online | %ID% | Unique ID of the audit record |
+| File Servers & NAS Devices | %IO_TYPE% | Type of I/O: Filesystem/VSS |
+| SharePoint | %ITEM_ID% | Item ID |
+| SharePoint SharePoint Online | %ITEM_TITLE% | Item title |
+| SharePoint SharePoint Online | %ITEM_TYPE% | Item type (File, Folder, Web, Site, Tenant, DocumentLibrary, Page) |
+| SharePoint Online | %LIST_ID% | ID of the List |
+| SharePoint Online | %LIST_ITEM_ID% | ID of the List Item |
+| SharePoint Online | %LIST_NAME% | Name of the List |
+| SharePoint Online | %LIST_URL% | URL of the List |
+| SharePoint | %LOCATION_TYPE% | Location type of the SharePoint document location |
+| SharePoint Online | %MACHINE_DOMAIN_INFO% | Information about device sync operation |
+| SharePoint Online | %MACHINE_ID% | Information about device sync operation |
+| SharePoint Online | %NEW_DOC_LOCATION% | A relative URL to which the object is copied or moved |
+| File Servers & NAS Devices | %NEW_FILE_NAME% | Rename event only: New file name |
+| File Servers & NAS Devices | %NEW_FILE_PATH% | Rename event only: New full path |
+| File Servers & NAS Devices | %NEW_FILE_TYPE% | New File Extension |
+| File Servers & NAS Devices | %OBJECT_TYPE% | Object type: FILE/FOLD/UNK |
+| File 
Servers & NAS Devices | %OLD_ATTRIBUTE_VALUE% | Rename only: Old file path |
+| File Servers & NAS Devices | %OPERATION% | Operation type: Read/Create/Update/Delete/Access Rights Change/Rename/Unknown |
+| SharePoint Online | %ORGANIZATION_ID% | Organization tenant ID |
+| File Servers & NAS Devices | %ORIGINATING_CLIENT% | IP Address of originating client or process name |
+| File Servers & NAS Devices | %ORIGINATING_CLIENT_HOST% | Hostname of originating client |
+| File Servers & NAS Devices | %ORIGINATING_SERVER% | Hostname of monitored host |
+| File Servers & NAS Devices | %ORIGINTAING_SERVER_IP% | IP Address of monitored host |
+| SharePoint | %PARAM% | Parameters that come with the event |
+| SharePoint | %PATH% | Truncated path |
+| File Servers & NAS Devices | %PERMISSIONS_SDDL_DESCRIPTION% | Windows events only: Permission change details in readable format |
+| File Servers & NAS Devices | %PERMISSIONS_SDDL_DIFF% | Windows events only: Permission change details in SDDL format, '`` ``' |
+| File Servers & NAS Devices | %PERPETRATOR% | User name |
+| File Servers & NAS Devices SharePoint SharePoint Online | %PRODUCT% | Fixed string: Activity Monitor |
+| File Servers & NAS Devices SharePoint SharePoint Online | %PRODUCT_VERSION% | Product Version |
+| File Servers & NAS Devices SharePoint SharePoint Online | %PROTOCOL% | Protocol type: CIFS/NFS/VSS/FTP/HDFS/HTTP/HTTPS/Unknown |
+| File Servers & NAS Devices | %PROTOCOL_VERSION% | NetApp Data ONTAP Cluster-Mode device events only: Protocol Version |
+| File Servers & NAS Devices | %RENAMEUNCPATH% | Rename events only: New UNC path / New NFS export path |
+| SharePoint Online | %RESULT_STATUS% | Succeeded, PartiallySucceeded, Failed, True, or False |
+| SharePoint Online | %SCOPE% | online or onprem |
+| SharePoint Online | %SHARING_ID% | Unique ID of the sharing operation |
+| SharePoint SharePoint Online | %SITE_ID% | ID of the Site |
+| SharePoint Online | %SITE_NAME% | Name of the Site |
+| SharePoint 
SharePoint Online | %SITE_URL% | URL of the Site |
+| SharePoint Online | %SOURCE% | Source (SharePoint, SharePointFileOperation, …) |
+| SharePoint Online | %SOURCE_FILE_EXT% | File extension |
+| SharePoint Online | %SOURCE_FILENAME% | File or folder name |
+| SharePoint | %SOURCE_NAME% | Source Name |
+| SharePoint Online | %SOURCE_RELATIVE_PATH% | URL of the folder that contains the file accessed by the user |
+| File Servers & NAS Devices SharePoint SharePoint Online | %SUCCESS% | True if the operation was allowed, False otherwise |
+| File Servers & NAS Devices SharePoint SharePoint Online | %SYSLOG_DATE% | Timestamp of event (server time, Syslog format: MMM dd HH:mm:ss) |
+| File Servers & NAS Devices | %TAGS% | Operation Tags. Reports 'Copy' for events that are probable copies |
+| SharePoint Online | %TARGET_NAME% | UPN or name of the target user or group that a resource was shared with |
+| SharePoint Online | %TARGET_TYPE% | Type of target user or group that a resource was shared with (Member, Guest, Group, or Partner) |
+| File Servers & NAS Devices SharePoint SharePoint Online | %TIME_STAMP% | Timestamp of event (server time, format: yyyy-MM-dd HH:mm:ss.zzz) |
+| SharePoint Online | %TIME_STAMP_OFFSET% | Timestamp of event with timezone offset (server time, format: yyyy-MM-ddTHH:mm:ss.zz+HH:mm) |
+| File Servers & NAS Devices SharePoint SharePoint Online | %TIME_STAMP_UTC% | Timestamp of event (UTC, format: yyyy-MM-dd HH:mm:ss.zzz) |
+| SharePoint Online | %TIME_STAMP_Z% | Timestamp of event (UTC, format: yyyy-MM-ddTHH:mm:ss.zzZ) |
+| File Servers & NAS Devices | %UNCPATH% | UNC path / NFS export path |
+| SharePoint Online | %UPDATE_TYPE% | Added, Removed, or Updated |
+| SharePoint Online | %USER_AGENT% | User client or browser |
+| SharePoint SharePoint Online | %USER_ID% | - For SharePoint, ID of the SharePoint user - For SharePoint Online, UPN of the user who performed the operation |
+| SharePoint SharePoint Online | %USER_LOGIN% | - For 
SharePoint, SharePoint User Login / Encoded Claim - For SharePoint Online, An alternative ID of the user. "DlpAgent" for DLP events. |
+| SharePoint SharePoint Online | %USER_NAME% | SharePoint user name |
+| File Servers & NAS Devices SharePoint | %USER_SID% | User SID or UID |
+| SharePoint Online | %USER_TYPE% | Type of the user performed the operation |
+| SharePoint Online | %VERSION% | New version of the document/version of deleted document |
+| SharePoint | %WEB_APPLICATION_NAME% | Title of the SharePoint Web Application |
+| SharePoint SharePoint Online | %WEB_TITLE% | Title of the Site Collection |
+| SharePoint Online | %WORKLOAD% | Office 356 service where the activity occurred |
diff --git a/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md b/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md
new file mode 100644
index 0000000000..691d67283c
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md
@@ -0,0 +1,203 @@ +--- +title: "Syslog Tab" +description: "Syslog Tab" +sidebar_position: 100 +--- + +# Syslog Tab + +The Syslog tab on an output Properties window is where the SIEM integration settings can be +modified. These settings are initially configured when the output is added. For a monitored hosts/services +output, this tab can also be used for integration with Netwrix Threat Manager. + +Select a Syslog output from either the Monitored Domains tab or the Monitored Hosts & Services tab and click +**Edit** to open the output Properties window. The tab varies based on the type of domain/host +selected. + +## For Active Directory Domains + +The tab contains the following settings: + +![syslogactivedirectory](/images/activitymonitor/9.0/admin/outputs/syslogactivedirectory.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. 
+- Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event + reporting is enabled, which means the agent will send out status messages every five minutes to + verify whether the connection is still active. + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Linux Hosts + +The tab contains the following settings: + +![sysloglinux](/images/activitymonitor/9.0/admin/outputs/sysloglinux.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10001. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. + + - UPD is the only protocol supported for Threat Manager. + +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. 
The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. +- Add C:\ to the beginning of the reported file paths – Indicates a Windows-style drive path (C:\) + is added to the beginning of the NAS file paths in the activity data stream, e.g. + `C:\Folder\file.txt` + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Microsoft Entra ID, SharePoint Online, and SQL Server Hosts + +The tab contains the following settings: + +![syslogentraid](/images/activitymonitor/9.0/admin/outputs/syslogentraid.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). 
+- Syslog message template – Template that controls what data is sent in the event stream. The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For NAS Device Hosts + +The tab contains the following settings: + +![syslognas](/images/activitymonitor/9.0/admin/outputs/syslognas.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10000. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. + + - UPD is the only protocol supported for Threat Manager. + +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. 
The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. +- Add C:\ to the beginning of the reported file paths – Indicates a Windows-style drive path (C:\) + is added to the beginning of the NAS file paths in the activity data stream, e.g. + `C:\Folder\file.txt` +- Resolve UNC paths + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Windows File Server Hosts + +The tab contains the following settings: + +![syslogwindows](/images/activitymonitor/9.0/admin/outputs/syslogwindows.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10001. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. + + - UPD is the only protocol supported for Threat Manager. + +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. 
The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/10.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. +- Resolve UNC paths + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/outputs/threatmanager.md b/docs/activitymonitor/10.0/admin/outputs/threatmanager.md new file mode 100644 index 0000000000..6c8b71842b --- /dev/null +++ b/docs/activitymonitor/10.0/admin/outputs/threatmanager.md 
@@ -0,0 +1,39 @@ +--- +title: "Threat Manager Tab" +description: "Threat Manager Tab" +sidebar_position: 110 +--- + +# Threat Manager Tab + +The Threat Manager tab on an output Properties window is where the connection between Activity +Monitor and Netwrix Threat Manager can be modified. These settings are initially configured when the +output is added. + +An App Token created by Netwrix Threat Manager is used to authenticate connection between the +applications. See the App Tokens Page topic of the +[Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) for +additional information. + +Select a Threat Manager output from the Monitored Domains tab and click **Edit** to open the output +Properties window. + +![threatmanager](/images/activitymonitor/9.0/admin/outputs/threatmanager.webp) + +The tab contains the following settings: + +- Server in SERVER:PORT format – Server name of the Netwrix Threat Manager application server and + the communication port being used between the applications. The format must be SERVER:PORT, e.g. + newyorksrv10:10001. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10001. + +- App Token – App Token generated on the App Tokens page of the Netwrix Threat Manager console. +- Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event + reporting is enabled, which means the agent will send out status messages every five minutes to + verify whether the connection is still active. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/10.0/admin/overview.md b/docs/activitymonitor/10.0/admin/overview.md new file mode 100644 index 0000000000..e4eb1c27d9 --- /dev/null 
+++ b/docs/activitymonitor/10.0/admin/overview.md 
@@ -0,0 +1,36 @@ +--- +title: "Administration" +description: "Administration" +sidebar_position: 40 +--- + +# Administration + +The Activity Monitor Console is used to deploy and manage activity agents, configure host +monitoring, and search events within activity log files. + +![Activity Monitor with Navigation tabs identified](/images/activitymonitor/9.0/admin/activitymonitormain.webp) + +There are up to three tabs at the top left of the window: + +- Agents – Deploy activity / AD agents and manage settings. This is the only tab available until an + agent is installed. See the [Agent Information](/docs/activitymonitor/10.0/install/agents/agents.md) topic for additional + information +- Monitored Domains – Configure activity monitoring per host (appears after the first Active + Directory agent is deployed). See the [Monitored Domains Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/overview.md) topic + for additional information. +- Monitored Hosts & Services – Configure activity monitoring per host (appears after first activity agent is + deployed). See the [Monitored Hosts & Services Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md) +- Search – Magnifying glass icon used to search activity log files (appears after first activity + agent is deployed) + + - See the [Search Feature](/docs/activitymonitor/10.0/admin/search/overview.md) topic for additional information. + +In the Status bar at the bottom of the console is the following information: + +- Version – Version number for the Activity Monitor +- License information – Identifies the organization associated with the license. See the + [Install Application](/docs/activitymonitor/10.0/install/application.md) topic for additional information. +- Trace Level – Creates Trace Logs to provide troubleshooting information. See the + [Trace Logs](/docs/activitymonitor/10.0/troubleshooting/tracelogs.md) topic for additional information. +- Collect Logs – Collects Trace Logs produced by Trace level 
diff --git a/docs/activitymonitor/10.0/admin/search/_category_.json b/docs/activitymonitor/10.0/admin/search/_category_.json
new file mode 100644
index 0000000000..2d95527c49
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Search Feature",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/activedirectory/_category_.json b/docs/activitymonitor/10.0/admin/search/activedirectory/_category_.json
new file mode 100644
index 0000000000..0f8206778d
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/activedirectory/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Active Directory Search Query",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "activedirectory"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory.md b/docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory.md
new file mode 100644
index 0000000000..ebba9c4ec4
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory.md
@@ -0,0 +1,139 @@ +--- +title: "Active Directory Search Query" +description: "Active Directory Search Query" +sidebar_position: 10 +--- + +# Active Directory Search Query + +You can search domain activity that has been monitored and recorded to a File output. When you +select **Active Directory** from the magnifying glass drop-down menu, a New Search tab opens with +the applicable query filters. + +![Search - Active Directory New Search Tab](/images/activitymonitor/9.0/admin/search/query/activedirectorynewsearchtab.webp) + +The filters are separated into the following categories: + +- General +- Object Changes +- LSASS Guardian +- LDAP Queries +- Authentication + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category addresses who, what, where, and when an object, user, host, or domain +controller is affected by the events selected in the other categories. The time frame filter must be +configured for every search query. + +![Active Directory Search - General Filter](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Event Source – Set which query categories will be used. The drop-down menu displays a checkbox + list of categories. +- Event Result – Filter the data for a specific event result: Any, Success, or Failure +- Event Block – Filter the data for a specific event result related to blocking: Any, Allowed, or + Blocked +- Agent Hosts – Filter the data for a specific agent +- Agent Domains – Filter the data for a specific domain +- Affected Object Name – Filter the data for a specific affected object name +- Affected Object Class – Filter the data for a specific affected object class +- User – Filter the data for a specific user, or perpetrator of the event + + - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify + account or group window. Use this window to resolve the account for the user. 
See the + [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for + additional information. + +- From Hosts – Filter the data for a specific originating host of the event +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## Object Changes Category + +The Object Changes category scopes the query by objects with change activity. + +![Object Changes Filter](/images/activitymonitor/9.0/admin/search/query/objectchangesfilters.webp) + +This section has the following filters: + +- Account Changes – Filter the data by the type of account change: All, Account Locked, Account + Unlocked, Account Disabled, Account Enabled, Password Changed +- Membership Changes – Filter the data by the type of group membership change: All, Group Members + Added, Group Members Removed, Group Members Changed +- Object Changes – Filter the data by the type of group membership change: All, Object Moved, Object + Renamed, Object Added, Object Modified, Object Deleted +- New Object Name – Filter the data for a specific new object name +- Old Object Name – Filter the data for a specific old object name +- Attribute Name – Filter the data for a specific attribute name +- Attribute Value – Filter the data for a specific attribute value + +## LSASS Guardian Category + +The LSASS Guardian category scopes the query by LSASS Guardian activity. + +![LSASS Guardian Filters](/images/activitymonitor/9.0/admin/search/query/lsassguardianfilters.webp) + +This section has the following filters: + +- Process Name – Filter the data for a specific process name +- Process ID – Filter the data for a specific process ID +- Events – Filter the data by the type of event: All, Create Handle, Duplicate Handle + +## LDAP Queries Category + +The LDAP Queries category scopes the query by LDAP query activity. 
+ +![LDAP Queries Filter](/images/activitymonitor/9.0/admin/search/query/ldapqueriesfilters.webp) + +This section has the following filters: + +- Query – Filter the data for a specific LDAP query +- Connection – Filter the data by the type of connection : Any, Secure, Nonsecure + +## Authentication Category + +The Authentication category scopes the query by authentication activity. + +![Authentication Filters](/images/activitymonitor/9.0/admin/search/query/authenticationfilters.webp) + +This section has the following filters: + +- Target Host – Filter the data for a specific host +- Authentication – Filter the data by the type of authentication: All, Kerberos, NTLM +- NTLM Logon Type – Filter the data by the type of NTLM Logon: All, Interactive, Network, Service, + Generic, Transitive Interactive, Transitive Network, Transitive Service +- NTLM Version – Filter the data by the type of NTLM version: Any, V1, V2 +- Encryption – Filter the data for a specific encryption +- SPN – Filter the data for a specific service principal name (SPN) +- Accounts – Filter the data by the type of account: Any, Existing, Nonexistent +- Ticket Type – Filter the data by the type of ticket type: Any, AS, TGS +- Search For – Filter the data by the selected item: Previous passwords usage only, Forged PAC only diff --git a/docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory_1.md b/docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory_1.md new file mode 100644 index 0000000000..6f9d307cd3 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/activedirectory/activedirectory_1.md 
@@ -0,0 +1,58 @@ +--- +title: "Active Directory Search Results" +description: "Active Directory Search Results" +sidebar_position: 10 +--- + +# Active Directory Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per AD agent. +You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +![Active Directory Search Results](/images/activitymonitor/9.0/admin/search/results/activedirectorysearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Server where the Agent is deployed +- Host – Target host where the event was recorded +- Host Name – Name of the target host +- Host IP – IP address of the target host +- Host MAC – Network adapter identifier +- User – Security principal of the account that triggered the event +- User SID – Security Identifier of the account used in the event +- User Name –  Name for the security principal that triggered the event +- User Class – Active Directory class of the affected object +- Blocked – Indicates the Agent blocked the event from occurring +- Success – Indicates the event completed successfully +- Event Source – Location of Monitored host where event occurred +- Event Type – Indicates the type of event +- Affected Object – Active Directory distinguished name for the affected object +- Affected Object SID – Security Identifier of the object/account affected by the event +- Affected Object Name – Name of the Affected Object +- Protocol – Protocol(s) used for the monitored operation +- Query Filter – LDAP filter used in the operation +- Secured Query – 
Indicates if LDAP connection is secured or not
+- Query Objects – Number of returned objects produced by the LDAP request
+- Process Name – Contains process name that is monitored. Currently this is only lsass.exe.
+- PID – Process Identifier generated for each active process
+- Old Name – Value prior to the monitored change
+- New Name – Value after the monitored change
+- Authentication Type – Indicates type of authentication event. Possible values: Kerberos, NTLM.
+- Target Host – Name of the originating host
+- Target IP – IP address of the originating host
+- Authentication Protocol – Indicates authentication protocol. Possible values: Unknown, Kerberos,
+ KerberosTgs, KerberosAs, NTLM, NTLMv1, NTLMMixed, NTLMv2.
+- NTLM Logon Type – Indicates type of protocol used to authenticate a connection between client and
+ server
+- Ticket Encryption – Indicates encryption type used in request part of the Kerberos ticket
+- PAC – RID for the group that does not have access
+- SPN – Detects attempts to obtain a list of Service Principal Name values
+- User Exists –  Indicates if user exists
+- N2 Password – Indicates if an invalid password matches the user’s password history
+
+At the bottom of the search interface, additional information is displayed for selected events in
+the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as
+applicable to the event) are displayed.
diff --git a/docs/activitymonitor/10.0/admin/search/entraid/_category_.json b/docs/activitymonitor/10.0/admin/search/entraid/_category_.json
new file mode 100644
index 0000000000..a074277bbf
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/entraid/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Microsoft Entra ID Search Query",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "entraid"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/entraid/entraid.md b/docs/activitymonitor/10.0/admin/search/entraid/entraid.md
new file mode 100644
index 0000000000..882627c524
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/entraid/entraid.md
@@ -0,0 +1,136 @@ +--- +title: "Microsoft Entra ID Search Query" +description: "Microsoft Entra ID Search Query" +sidebar_position: 40 +--- + +# Microsoft Entra ID Search Query + +You can search activity in Microsoft Entra ID (Azure AD) that has been monitored and recorded to a +File output. When you select **Azure AD / Entra ID** from the magnifying glass drop-down menu, a New +Search tab opens with the applicable query filters. + +![Search Query - Entra ID](/images/activitymonitor/9.0/admin/search/query/searchquery.webp) + +The filters are separated into the following categories: + +- General +- User +- Audit Events +- Target Resource +- Sign-in Events +- Location + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![Search Query - General Filter](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Source – Set which query categories will be used. The drop-down menu displays a checkbox list of + categories. +- Event Result – Filter the data for a specific event result: Any, Success, or Failure +- Reason +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. + +![Search Query - User](/images/activitymonitor/9.0/admin/search/query/userfilters.webp) + +This section has the following filters: + +- Name or ID +- IP Address +- Client App or Browser +- Client OS + +## Audit Events Category + +The Audit Events category scopes the query by the event type of the activity. 
+ +![Search Query - Audit Events](/images/activitymonitor/9.0/admin/search/query/auditeventsfilters.webp) + +This section has the following filters: + +- Service – Filter the data by the Microsoft Entra ID service: All, AAD Management UX, Access + Reviews, Account Provisioning, Application Proxy, Authentication Methods, B2C, Conditional Access, + Core Directory, Device Registration Service, Entitlement Management, Hybrid Authentication, + Identity Protection, Invited Users, MIM Service, MyApps, PIM, Self-service Group Management, + Self-service Password Management, Terms of Use +- Category – Filter the data by the category type of activity: All, AdministrativeUnit, + ApplicationManagement, Authentication, Authorization, AuthorizationPolicy, Contact, Device, + DeviceConfiguration, DirectoryManagement, EntitlementManagement, GroupManagement, + IdentityProtection, KerberosDomain, KeyManagement, Label, Other, PermissionGrantPolicy, Policy, + PolicyManagement, ResourceManagement, RoleManagement, UserManagement +- Type – Filter the data by the type of activity: All, Add, Delete, Update, Assign, Unassign +- Operation + +## Target Resource Category + +The Target Resource category scopes the query by the target of the activity. + +![Search Query - Target Resource](/images/activitymonitor/9.0/admin/search/query/targetresourcefilters.webp) + +This section has the following filters: + +- Target +- Property +- Modifications – Filter the data to a specific type of modification: All, No changes, Has attribute + changes + +## Sign-in Events Category + +The Sign-in Events category scopes the query by the sign-in event. + +![Search Query - Sign-in Events](/images/activitymonitor/9.0/admin/search/query/signinevents.webp) + +This section has the following filters: + +- Risk +- Conditional Access + +## Location Category + +The Location category scopes the query by the location of the user. 
+ +![Search Query - Location](/images/activitymonitor/9.0/admin/search/query/locationfilters.webp) + +This section has the following filters: + +- City +- State +- Country diff --git a/docs/activitymonitor/10.0/admin/search/entraid/entraid_1.md b/docs/activitymonitor/10.0/admin/search/entraid/entraid_1.md new file mode 100644 index 0000000000..b69a72c8b6 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/entraid/entraid_1.md 
@@ -0,0 +1,52 @@
+---
+title: "Microsoft Entra ID Search Results"
+description: "Microsoft Entra ID Search Results"
+sidebar_position: 10
+---
+
+# Microsoft Entra ID Search Results
+
+When a search has been started, the Search Status table at the bottom displays the percentage
+complete according to the size and quantity of the activity log files being searched per activity
+agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the
+column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+![Azure Active Directory - Search Results](/images/activitymonitor/9.0/admin/search/results/searchresults.webp)
+
+The results data grid columns display the following information for each event:
+
+- Event Time – Date timestamp of the event
+- Agent – Agent which monitored the event
+- Source – Indicates the source of the activity event
+- Result – Indicates whether the event resulted in a Success or Failure
+- Result Reason – If an event resulted in a Failure, the reason for it will be listed in the Result
+ Reason column
+- User – Indicates user account associated with the event
+- IP Address – Indicates the IP Address associated with the event
+- Application – Indicates the Application associated with the event
+- Service – Indicates the Service associated with the event
+- Category – Indicates the Category associated with the event. Categories returned from search
+ queries can be configured using the Category filter drop-down.
+- Operation - Indicates the Operation associated with the event. Operations returned from search
+ queries can be configured using the Operation filter drop-down.
+- Type – Indicates the Type associated with the event. Types returned from search queries can be
+ configured using the Type filter drop-down.
+- Target(s) – Indicates the Target(s) of the event
+- Modified – Indicates modifications associated with the event
+- Client App – Indicates the Client App associated with the event
+- OS – Indicates the OS associated with the event
+- Browser – Indicates the browser associated with the event
+- City – Indicates the City associated with the event
+- State – Indicates the State associated with the event
+- Country – Indicates the Country associated with the event
+- Coordinates – Indicates the Coordinates associated with the event
+- Interactive – Indicates whether the event was an Interactive event
+- Risk – Indicates the level of Risk associated with events
+- Conditional Access – Indicates whether Conditional Access was applied to the event
+- Conditional Policy – Indicates whether a Conditional Policy was applied to the event
+- Details – If applicable, provides additional information associated with the event that is not
+ provided by the other Results columns
+
+At the bottom of the search interface, additional information is displayed for selected events in
+the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as
+applicable to the event) are displayed.
diff --git a/docs/activitymonitor/10.0/admin/search/exchangeonline/_category_.json b/docs/activitymonitor/10.0/admin/search/exchangeonline/_category_.json
new file mode 100644
index 0000000000..b1c8e07fad
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/exchangeonline/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Exchange Online Search Query",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "exchangeonline"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline.md b/docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline.md
new file mode 100644
index 0000000000..37a650806f
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline.md 
@@ -0,0 +1,105 @@
+---
+title: "Exchange Online Search Query"
+description: "Exchange Online Search Query"
+sidebar_position: 50
+---
+
+# Exchange Online Search Query
+
+You can search Exchange Online activity that has been monitored and recorded to a File output. When
+you select **Exchange Online** from the magnifying glass drop-down menu, a New Search tab opens with
+the applicable query filters.
+
+![Exchange Online - Search Quary Bar](/images/activitymonitor/9.0/admin/search/query/searchquerybar.webp)
+
+The filters are separated into the following categories:
+
+- General Category
+- User Category
+- Target Category
+- DLP Category
+
+By default, the query is set to return all event activity for the past day. Configuring query
+filters will scope results returned.
+
+Set the filters as desired and click **Search**. The application searches through the appropriate
+activity log files and returns the events that match the filters.You can
+[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column
+headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+**Filter Value Entry**
+
+When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry
+field. Field options vary based on the selected query filter:
+
+- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from
+ values known to the application.
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary
+ based on the filter:
+
+ - Selected values – Filters by the value selected from the drop-down menu for the textbox
+ - Simple string with wildcards – Filters by the value entered into the textbox, which contains
+ an asterisk (\*) as the wildcard
+ - Regular expression – Filters by the Regex entered into the textbox
+
+## General Category
+
+The General category scopes the query by the most common types of filters. The time frame filter
+must be configured for every search query.
+
+![Exchange Online - General Category](/images/activitymonitor/9.0/admin/search/query/general.webp)
+
+This section has the following filters:
+
+- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a
+ calendar.
+- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a
+ calendar.
+- Source – Filter the data by the source type: All, Admin Audit, Mailbox Access, DLP, Sensitivity
+ Label, Other
+
+ :::note
+ Disabling a source that is also a category will hide that category from the query
+ options.
+ :::
+
+
+- Agent Hosts – Filter the data for a specific agent
+- Search Limit – Set the maximum number of rows returned in the search results. The default is
+ 10,000 rows.
+
+## User Category
+
+The User category scopes the query by the user, or perpetrator of the activity.
+
+![Exchange Online Search - User Filter](/images/activitymonitor/9.0/admin/search/query/user.webp)
+
+This section has the following filters:
+
+- Name or UPN – Filter the data by name or User Principal Name (UPN)
+- User Type – Filter the data by the type of user: All, Regular, Reserved, Admin, DcAdmin, System,
+ Application, ServicePrincipal, CustomPolicy, SystemPolicy, Unknown
+- IP Address – Filter the data by IP address.
+- Client App or Browser – Filter the data by specified client application or browser.
+
+## Target Category
+
+The Target category scopes the query by the target of the file.
+
+![Exchange Online Search - Target Filter](/images/activitymonitor/9.0/admin/search/query/target.webp)
+
+This section has the following filters:
+
+- Object
+- Mailbox
+- Accessed Mail
+
+## DLP Category
+
+The DLP category scopes the query by the DLP policy.
+
+![Exchange Online Search - DLP Filter](/images/activitymonitor/9.0/admin/search/query/dlp.webp)
+
+This section has the following filters:
+
+- Policy Name
diff --git a/docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline_1.md b/docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline_1.md
new file mode 100644
index 0000000000..cbbad32082
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/exchangeonline/exchangeonline_1.md
@@ -0,0 +1,33 @@
+---
+title: "Exchange Online Search Results"
+description: "Exchange Online Search Results"
+sidebar_position: 10
+---
+
+# Exchange Online Search Results
+
+When a search has been started, the Search Status table at the bottom displays the percentage
+complete according to the size and quantity of the activity log files being searched per activity
+agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the
+column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+![Exchange Online - Search Results](/images/activitymonitor/9.0/admin/search/results/searchresults.webp)
+
+The results data grid columns display the following information for each event:
+
+- Event Time – Date timestamp of the event
+- Agent – Agent which monitored the event
+- Source – Indicates the source of the activity event
+- Operation - Operation associated with event
+- User – Indicates user account associated with the event
+- User Type - Type of user associated with event
+- External – Indicates whether external sharing is associated with the event
+- IP Address – Indicates the IP Address associated with the event
+- Object - Object associated with event
+- Mailbox - The mailbox associated with the event
+- Modified - Indicates whether a modification is associated with the event
+- DLP Policy - If applicable, indicates the DLP Policy associated with the event
+
+At the bottom of the search interface, additional information is displayed for selected events in
+the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as
+applicable to the event) are displayed.
diff --git a/docs/activitymonitor/10.0/admin/search/file/_category_.json b/docs/activitymonitor/10.0/admin/search/file/_category_.json
new file mode 100644
index 0000000000..2d6c8a01bf
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/file/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "File Search Query",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "file"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/file/file.md b/docs/activitymonitor/10.0/admin/search/file/file.md
new file mode 100644
index 0000000000..d6ed62bfa9
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/file/file.md
@@ -0,0 +1,73 @@
+---
+title: "File Search Query"
+description: "File Search Query"
+sidebar_position: 20
+---
+
+# File Search Query
+
+You can search Windows file server and NAS device activity that has been monitored and recorded to a
+File output. When you select **File** from the magnifying glass drop-down menu, a New Search tab
+opens with the applicable query filters.
+
+![Search UI Options Toolbar](/images/activitymonitor/9.0/admin/search/query/searchuitop.webp)
+
+By default, the query is set to return all event activity for the past day. Configuring query
+filters will scope results returned.
+
+Set the filters as desired and click **Search**. The application searches through the appropriate
+activity log files and returns the events that match the filters. You can
+[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column
+headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+**Filter Value Entry**
+
+Field options vary based on the selected query filter:
+
+- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from
+ values known to the application.
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary
+ based on the filter:
+
+ - Selected values – Filters by the value selected from the drop-down menu for the textbox
+ - Simple string with wildcards – Filters by the value entered into the textbox, which contains
+ an asterisk (\*) as the wildcard
+ - Regular expression – Filters by the Regex entered into the textbox
+
+## Query Filter Options
+
+The sections have the following filters:
+
+- Events time range – The time frame filter must be configured for every search query:
+
+ - From – Set the date and timestamp for the start of the activity range. The drop-down menu
+ opens a calendar.
+ - To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a
+ calendar.
+
+- File Path – Filter the data for a specific file path where activity has occurred
+- Hosts – Filter the data for a specific target host of the event
+- Source – Filter the data for a specific source of the activity:
+
+ - For local Windows activity, filter by a process name like notepad.exe
+ - For network Windows activity, filter by the IP Address of the user
+ - For NAS device activity, filter by the IP Address for the NAS device of the user
+
+- User/Group – Filter the data for a specific user, or perpetrator of the event. You can also filter
+ by a group.
+
+ - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify
+ account or group window. Use this window to resolve the account for the user. See the
+ [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for
+ additional information.
+
+- GID
+- Types – Filter the data for a specific event result: All, Success, Fail
+- Operations – Filter the data by the type of file operation: Read, Add, Update, Delete, Rename,
+ Permissions. The Operations checkbox at the top acts as select/deselect all option.
+- I/O Type – Filter the data by the type of input/output: Filesystem, Shadow copy (VSS). The I/O
+ Type checkbox at the top acts as select/deselect all option.
+- Object Type – Filter the data by the type of file object: File, Folder, Link, Share. The Object
+ Types checkbox at the top acts as select/deselect all option.
+- Search limit – Set the maximum number of rows returned in the search results. The default is
+ 10,000 rows.
diff --git a/docs/activitymonitor/10.0/admin/search/file/file_1.md b/docs/activitymonitor/10.0/admin/search/file/file_1.md
new file mode 100644
index 0000000000..7236e96399
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/file/file_1.md
@@ -0,0 +1,78 @@
+---
+title: "File Search Results"
+description: "File Search Results"
+sidebar_position: 10
+---
+
+# File Search Results
+
+When a search has been started, the Search Status table at the bottom displays the percentage
+complete according to the size and quantity of the activity log files being searched per activity
+agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the
+column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+![File Search Results UI](/images/activitymonitor/9.0/admin/search/results/filesearchresults.webp)
+
+The results data grid columns display the following information for each event:
+
+- Event Time – Date timestamp of the event
+- Agent – Agent which monitored the event
+- Host – Monitored host where the event occurred
+- Operation – Type of the activity event which was monitored
+- User – User account that performed the activity event
+- Object – Type of object the activity event occurred upon:
+
+ - File
+ - Folder
+ - Unknown
+
+- Path – Path where the operation occurred
+- New Path – For rename operation events only, the path’s new location/name
+- UNC Path – UNC path employed by a remote user to access the share, folder, and/or file
+- New UNC Path – For rename operation events only, the UNC path’s new location/name employed by a
+ remote user
+- Source – Indicates the source of the activity event
+
+ - For local Windows activity – Process name (e.g. notepad.exe)
+ - For network Windows activity – IP Address of the user
+ - For NAS device activity – IP Address for the NAS device of the user
+
+- Share Name – Name of share where the activity event occurred. This includes NFS.
+- I/O Type – Displays the input/output type
+- Protocol – Communication protocol used to access the share, folder, and/or file:
+
+ - CIFS
+ - NFS
+ - VSS
+ - HTTP
+
+- Protocol Version – Displays the Protocol Version for NetApp Data ONTAP Cluster-Mode device. This
+ field is empty for all other servers/devices.
+- File Size — Displays the file size
+- Tags — _(Windows Only)_ Operation tags. Reports 'Copy' for events that are probably copies.
+- Group — Displays the Group Name or ID (GID)
+
+At the bottom of the search interface, additional information is displayed for selected events in
+the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as
+applicable to the event) are displayed.
+
+## Permissions Changes
+
+When the results data grid displays information about permissions changes, additional information is
+made available.
+
+![Search Results with Permissions listed in the Operations Column](/images/activitymonitor/9.0/admin/search/results/filesearchresultspermissionsimage.webp)
+
+A link displays in the **Operation** column of the results data grid. Click the Permissions Change
+link to open the Permissions Change Details window.
+
+![File Search Results Permissions link popup window](/images/activitymonitor/9.0/admin/search/results/permissionslpopupwindow.webp)
+
+The window displays details about the changes of the security descriptor with information from the
+new line added to a DACL:
+
+- Change – Type of change which occurred (Added, Removed, etc.)
+- Trustee – SAM account name of the affected object
+- Type – Type of permission applied (Allow/Deny)
+- Access Rights – Rights associated with the type of permission change
+- Inheritance – Indicates how the permission change is inherited
diff --git a/docs/activitymonitor/10.0/admin/search/linux/_category_.json b/docs/activitymonitor/10.0/admin/search/linux/_category_.json
new file mode 100644
index 0000000000..427a7451c6
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/linux/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Linux Search Query",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "linux"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/linux/linux.md b/docs/activitymonitor/10.0/admin/search/linux/linux.md
new file mode 100644
index 0000000000..c48aa45ddb
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/linux/linux.md
@@ -0,0 +1,66 @@
+---
+title: "Linux Search Query"
+description: "Linux Search Query"
+sidebar_position: 30
+---
+
+# Linux Search Query
+
+You can search Linux file server and NAS device activity that has been monitored and recorded to a
+File output. When you select **Linux** from the magnifying glass drop-down menu, a New Search tab
+opens with the applicable query filters.
+
+![Linux Search Query](/images/activitymonitor/9.0/admin/search/query/linuxsearchquerybar.webp)
+
+By default, the query is set to return all event activity for the past day. Configuring query
+filters will scope results returned.
+
+Set the filters as desired and click **Search**. The application searches through the appropriate
+activity log files and returns the events that match the filters. You can
+[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column
+headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+**Filter Value Entry**
+
+Field options vary based on the selected query filter:
+
+- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from
+ values known to the application.
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary
+ based on the filter:
+
+ - Selected values – Filters by the value selected from the drop-down menu for the textbox
+ - Simple string with wildcards – Filters by the value entered into the textbox, which contains
+ an asterisk (\*) as the wildcard
+ - Regular expression – Filters by the Regex entered into the textbox
+
+## Query Filter Options
+
+The sections have the following filters:
+
+- Events time range – The time frame filter must be configured for every search query:
+
+ - From – Set the date and timestamp for the start of the activity range. The drop-down menu
+ opens a calendar.
+ - To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a
+ calendar.
+
+- File Path – Filter the data for a specific file path where activity has occurred
+- Hosts – Filter the data for a specific target host of the event
+- Source – Filter the data for a specific source of the activity
+- User/Group – Filter the data for a specific user, or perpetrator of the event. You can also filter
+ by a group.
+
+ - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify
+ account or group window. Use this window to resolve the account for the user. See the
+ [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for
+ additional information.
+
+- GID
+- Types – Filter the data for a specific event result: All, Success, Fail
+- Operations – Filter the data by the type of file operation: Read, Add, Update, Delete, Rename,
+ Permissions. The Operations checkbox at the top acts as select/deselect all option.
+- I/O Type – Filter the data by the type of input/output: Filesystem, Shadow copy (VSS). The I/O
+ Type checkbox at the top acts as select/deselect all option.
+- Object Type – Filter the data by the type of file object: File, Folder, Link, Share. The Object
+ Types checkbox at the top acts as select/deselect all option.
diff --git a/docs/activitymonitor/10.0/admin/search/linux/linux_1.md b/docs/activitymonitor/10.0/admin/search/linux/linux_1.md
new file mode 100644
index 0000000000..b3c00584d8
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/linux/linux_1.md
@@ -0,0 +1,43 @@
+---
+title: "Linux Search Results"
+description: "Linux Search Results"
+sidebar_position: 10
+---
+
+# Linux Search Results
+
+When a search has been started, the Search Status table at the bottom displays the percentage
+complete according to the size and quantity of the activity log files being searched per Linux
+agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the
+column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option.
+
+![linuxsearchresults](/images/activitymonitor/9.0/admin/search/results/linuxsearchresults.webp)
+
+The results data grid columns display the following information for each event:
+
+- Event Time – Date timestamp of the event
+- Agent – Agent which monitored the event
+- Host – Monitored host where the event occurred
+- Operation – Type of the activity event which was monitored
+- User – User account that performed the activity event
+- Object – Type of object the activity event occurred upon:
+
+ - File
+ - Folder
+ - Unknown
+
+- Path – Path where the operation occurred
+- New Path – For rename operation events only, the path’s new location/name
+- UNC Path – UNC path employed by a remote user to access the share, folder, and/or file
+- New UNC Path – For rename operation events only, the UNC path’s new location/name employed by a
+ remote user
+- Source – Indicates the source of the activity event
+- Share Name – Name of share where the activity event occurred. This includes NFS.
+- I/O Type – Displays the input/output type
+- Protocol — Will be LOCAL for Linux Activity
+- Protocol Version — This field is empty for Linux Activity
+- GID — Group ID associated with event
+
+At the bottom of the search interface, additional information is displayed for selected events in
+the data grid.
The Attribute Name, Operation, Old Value, and New Value for the logged event (as
+applicable to the event) are displayed.
diff --git a/docs/activitymonitor/10.0/admin/search/overview.md b/docs/activitymonitor/10.0/admin/search/overview.md
new file mode 100644
index 0000000000..f52d47c288
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/overview.md
@@ -0,0 +1,99 @@
+---
+title: "Search Feature"
+description: "Search Feature"
+sidebar_position: 50
+---
+
+# Search Feature
+
+The search feature consolidates and compartmentalizes search results based on events, time, objects,
+users, hosts, etc. Search results populate based on which query filters are chosen. Results may then
+be sorted, filtered, and/or exported into a CSV file or JSON file, depending on the type data.
+
+![Search Tab](/images/activitymonitor/9.0/admin/search/searchtab.webp)
+
+:::note
+Search results are pulled from the File output of the monitored host or domain.
+:::
+
+
+To open the search feature, click the magnifying glass icon and select from the following options:
+
+- File – Search for monitored file activity on Windows servers and NAS devices. See the File Search
+ Query topic for additional information.
+- Active Directory – Search for monitored domain activity. See the Active Directory Search Query
+ topic for additional information.
+- Azure AD / Entra ID – Search for monitored tenant activity in Microsoft Entra ID (formerly Azure
+ AD). See the Microsoft Entra ID Search Query topic for additional information.
+- SharePoint – Search for monitored SharePoint activity. See the SharePoint Search Query topic for
+ additional information.
+- SharePoint Online – Search for monitored SharePoint Online activity. See the SharePoint Online
+ Search Query topic for additional information.
+- Exchange Online – Search for monitored Exchange Online activity. See the Exchange Online Search
+ Query topic for additional information.
+- SQL Server – Search for monitored SQL Server activity. See the SQL Server Search Query topic for
+ additional information.
+- Linux – Search for monitored file activity on Linux servers. See the Linux Search Query topic for
+ additional information.
+
+Queries that may be useful to an organization include the following:
+
+- Who accessed a particular folder/file on X day or during Y date range?
+- Who renamed a particular folder/file on X day or during Y date range?
+- Who deleted a particular folder/file on X day or during Y date range?
+- Who created a particular folder/file?
+- What did user X do on day Y?
+- What did user X do between days Y and Z?
+- Administrator activity details?
+
+Follow the steps to use the search feature.
+
+**Step 1 –** Click the magnifying glass icon and select the source type.
+
+**Step 2 –** Set the desired filters and click **Search**.
+
+**Step 3 –** Filter and Sort the results in the table as desired.
+
+**Step 4 –** Export the results table if desired.
+
+## Filter
+
+The drop-down menu for a column header in the search results data grid provides the option to filter
+the search results further.
+
+![Operations Filter Dropdown Menu](/images/activitymonitor/9.0/admin/search/operationssdropdownfiltermenu.webp)
+
+Choose between checking/unchecking the desired field values from the list of available values and
+typing in the search textbox. The Clear filter option removes all filters from the selected column.
+A filter icon appears on the header where filters have been applied. Multiple columns can be
+filtered in the search results data grid.
+
+:::note
+The columns that can be filtered will vary depending on what results are.
+:::
+
+
+## Sort
+
+Clicking on any column header in the search results data grid sorts the results alphanumerically for
+that column, and an arrow shows next to the column name indicating the sort to be ascending or
+descending order.
+
+![Sort Options](/images/activitymonitor/9.0/admin/search/sort.webp)
+
+The drop-down menu on the column header has options to Sort A to Z or Sort Z to A for the selected
+column. Sorting can only occur for one column at a time.
+
+:::note
+The columns that can be sorted will vary depending on what results are.
+:::
+
+
+## Export
+
+The search results data grid can be exported to a CSV/JSON file.
+
+![Export Button](/images/activitymonitor/9.0/admin/search/exportbutton.webp)
+
+Once the search results are configured as desired, click the Export button located at the top left
+corner of the window. Set the name and location of the CSV/JSON file.
diff --git a/docs/activitymonitor/10.0/admin/search/sharepoint/_category_.json b/docs/activitymonitor/10.0/admin/search/sharepoint/_category_.json
new file mode 100644
index 0000000000..0baabb2daa
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/sharepoint/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "SharePoint Search Query",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "sharepoint"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint.md b/docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint.md
new file mode 100644
index 0000000000..358b126460
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint.md
@@ -0,0 +1,162 @@ +--- +title: "SharePoint Search Query" +description: "SharePoint Search Query" +sidebar_position: 60 +--- + +# SharePoint Search Query + +You can search SharePoint activity that has been monitored and recorded to a File output. When you +select **SharePoint** from the magnifying glass drop-down menu, a New Search tab opens with the +applicable query filters. + +![SharePoint New Search Tab](/images/activitymonitor/9.0/admin/search/query/sharepointnewsearchtab.webp) + +The filters are separated into the following categories: + +- General +- Audit +- Move/Delete/Copy/Checkin +- Delete +- Search +- Permissions + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters.You can +[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category addresses who, what, where, and when an object, user, host, or domain +controller is affected by the events selected in the other categories. The time frame filter must be +configured for every search query. + +![General Category - SharePoint](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Event Type – Filter the data by the event type: All, CheckOut, CheckIn, View, Delete, Update, + ProfileChange, ChildDelete, SchemaChange, Undelete, Workflow, Copy, Move, AuditMaskChange, Search, + ChildMove, FileFragmentWrite, SecGroupCreate, SecGroupDelete, SecGroupMemberAdd, + SecGroupMemberDel, SecRoleDefCreate, SecRoleDefDelete, SecRoleDefModify, SecRoleDefBreakInherit, + SecRoleBindUpdate, SecRoleBindInherit, SecRoleBindBreakInherit, EventsDeleted, AppPermissionGrant, + AppPermissionDelete, Custom + + :::note + Disabling an event type that is also a category will hide that category from the query + options. 
+ ::: + + +- Item Type – Filter the data by the type of SharePoint item: All, Document, ListItem, List, Folder, + Web, Site +- Protocol – Filter the data by the protocol: Any, HTTP, HTTPS +- Agent Hosts – Filter the data for a specific agent +- Agent Domains – Filter the data for a specific domain +- Item +- Source Name +- Site – Filter the data for a specific SharePoint site +- Document Location +- Web Application – Filter the data for a specific SharePoint web application +- Web Title +- User – Filter the data for a specific user, or perpetrator of the event + + - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify + account or group window. Use this window to resolve the account for the user. See the + [Specify Account or Group Window](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for + additional information. + +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. +- Event Source – Filter the data by the source: Any, SharePoint, ObjectModel +- Location Type – Filter the data by the type of location: Any, Url, ClientLocation + +## Audit Category + +The Audit category scopes the query by audit mask activity. + +![SharePoint Search - Audit filter section](/images/activitymonitor/9.0/admin/search/query/auditmask.webp) + +This section has the following filters: + +- Audit Mask – Filter the data by the audit mask type: All, None, CheckOut, CheckIn, View, Delete, + Update, ProfileChange, ChildDelete, SchemaChange, SecurityChange, Undelete, Workflow, Copy, Move, + Search + +## Move/Delete/Copy/Checkin Category + +The Move/Delete/Copy/Checkin category scopes the query by file move and version activity. 
+ +![SharePoint Search Query - Move/Delete/Copy/Checkin Filters](/images/activitymonitor/9.0/admin/search/query/movedeletecopycheckinfilters.webp) + +This section has the following filters: + +- Child Document Location +- New Child Document Location +- Version + +## Delete Category + +The Delete category scopes the query by type of delete activity. + +![SharePoint Search Query - Delete FIlters](/images/activitymonitor/9.0/admin/search/query/delete.webp) + +This section has the following filters: + +- Delete Type – Filter the data by the type of deletion: Any, MovedToRecycle, DeletedCompletely + +## Search Category + +The Search category scopes the query by search activity. + +![SharePoint Search Query - Search Filters](/images/activitymonitor/9.0/admin/search/query/searchfilters.webp) + +This section has the following filters: + +- Search Query +- Search Constraint + +## Permissions Category + +The Permissions category scopes the query by permission change activity. + +![SharePoint Search Query - Permissions Filters](/images/activitymonitor/9.0/admin/search/query/permissionsfilters.webp) + +This section has the following filters: + +- Group +- Trustee +- Trustee Type – Filter the data by the type of trustee: Any, Group, User +- Role +- Update Type – Filter the data by the type of update: All, Added, Removed, Updated +- Permission – Filter the data by the permission: All, EmptyMask, ViewListItems, AddListItems, + EditListItems, DeleteListItems, CancelCheckout, ManagePersonalViews, ManageLists, + AnonymousSearchAccessList, AnonymousSearchAccessWebLists, Open, ViewFormPages, ViewPages, + AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, ViewUsageData, CreateSSCSite, + ManageSubwebs, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, + UpdatePersonalWebParts, ManageWeb, FullMask, UseClientIntegration, UseRemoteAPIs, ManageAlerts, + CreateAlerts, EditMyUserInfo, EnumeratePermissions, ApproveItems, OpenItems, ViewVersions, + 
DeleteVersions, CreateGroups diff --git a/docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint_1.md b/docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint_1.md new file mode 100644 index 0000000000..8ca426f520 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sharepoint/sharepoint_1.md 
@@ -0,0 +1,34 @@ +--- +title: "SharePoint Search Results" +description: "SharePoint Search Results" +sidebar_position: 10 +--- + +# SharePoint Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +![SharePoint Search - Results](/images/activitymonitor/9.0/admin/search/results/sharepointsearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent Host – Agent used to collect event information +- Event Type – Indicates the type of event +- User – User account that performed the activity event +- User Login – User login associated with the event +- Protocol – Protocol used for the monitored operation +- Absolute URL - Indicates the Absolute URL associated with the event +- Web Application – Indicates the web application associated with the event +- Site URL – Site URL associated with the event +- Web Title - If applicable, indicates the Web Title associated with the event +- Doc Location – If applicable, indicates the location of the document associated with the event +- New Doc Location – If applicable, indicates the new location of the document associated with the + event + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. 
diff --git a/docs/activitymonitor/10.0/admin/search/sharepointonline/_category_.json b/docs/activitymonitor/10.0/admin/search/sharepointonline/_category_.json new file mode 100644 index 0000000000..4488e90a1c --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sharepointonline/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SharePoint Online Search Query", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "sharepointonline" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline.md b/docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline.md new file mode 100644 index 0000000000..229032cb6c --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline.md 
@@ -0,0 +1,148 @@ +--- +title: "SharePoint Online Search Query" +description: "SharePoint Online Search Query" +sidebar_position: 70 +--- + +# SharePoint Online Search Query + +You can search SharePoint Online activity that has been monitored and recorded to a File output. +When you select **SharePoint Online** from the magnifying glass drop-down menu, a New Search tab +opens with the applicable query filters. + +![SharePoint Online - Search Quary Bar](/images/activitymonitor/9.0/admin/search/query/sharepointonlinesearchquerybar.webp) + +The filters are separated into the following categories: + +- General +- User +- Location +- Item +- Sharing +- DLP +- Custom + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![SharePoint Online Search - General Filters](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Source – Filter the data by the source type: All, File and Page, Folder, List, Sharing and Access + Request, Site Permissions, Site Administration, Synchronization, DLP, Sensitivity Label, Content + Explorer, Other + + :::note + Disabling a source that is also a category will hide that category from the query + options. + ::: + + +- Workload +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. 
+ +![SharePoint Online Search - User Filter](/images/activitymonitor/9.0/admin/search/query/user.webp) + +This section has the following filters: + +- Name or ID +- Login +- IP Address +- Client App or Browser +- User Type – Filter the data by the type of user: All, Regular, Reserved, Admin, DcAdmin, System, + Application, ServicePrincipal, CustomPolicy, SystemPolicy, Unknown + +## Location Category + +The Location category scopes the query by the location of the file. + +![SharePoint Online Search - Location Filter](/images/activitymonitor/9.0/admin/search/query/location.webp) + +This section has the following filters: + +- URL +- File Name +- File Extension + +## Item Category + +The Item category scopes the query by the item. + +![SharePoint Online Search - Item Filter](/images/activitymonitor/9.0/admin/search/query/item.webp) + +This section has the following filters: + +- Item +- Item Type – Filter the data by the type of item: All, Unknown, File, Folder, Web, Site, Tenant, + DocumentLibrary, Page +- Modifications – Filter the data by the type of item: All, No Changes, Has attribute changes + +## Sharing Category + +The Sharing category scopes the query by the type of sharing. + +![SharePoint Online Search - Sharing Filter](/images/activitymonitor/9.0/admin/search/query/sharing.webp) + +This section has the following filters: + +- Target Account +- Access +- Target Type – Filter the data by the type of target: All, Member, Guest, SharePointGroup, + SecurityGroup, Partner, Unknown + +## DLP Category + +The DLP category scopes the query by the DLP policy. + +![SharePoint Online Search - DLP Filter](/images/activitymonitor/9.0/admin/search/query/dlp.webp) + +This section has the following filters: + +- Policy Name + +## Custom Category + +The Custom category scopes the query by custom event activity. 
+ +![SharePoint Online Search - Custom Filter](/images/activitymonitor/9.0/admin/search/query/custom.webp) + +This section has the following filters: + +- Event Data +- Custom Event diff --git a/docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline_1.md b/docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline_1.md new file mode 100644 index 0000000000..166adaae90 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sharepointonline/sharepointonline_1.md 
@@ -0,0 +1,49 @@ +--- +title: "SharePoint Online Search Results" +description: "SharePoint Online Search Results" +sidebar_position: 10 +--- + +# SharePoint Online Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +![SharePoint Online Search Results](/images/activitymonitor/9.0/admin/search/results/sharepointonlinesearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Source – Indicates the source of the activity event +- Operation - Operation associated with event +- User – User account that performed the activity event +- User Type - Type of user associated with event +- External – Indicates whether external sharing is associated with the event +- IP Address - IP Address associated with event +- Object Url - Object Url associated with event +- Item Type - The type of the item associated with the event +- Item Title - The title of the item associated with the event +- Modified - Indicates whether a modification is associated with the event +- Site - Site where the event occurred +- List - Indicates which list the event is associated with +- Relative URL - Indicates the Relative URL associated with the event +- File Name - The name of the file associated with the event +- Extension - If applicable, indicates the extension of the file associated with the event +- New Relative URL - If applicable, indicates the new relative URL of the file associated with the + event +- New 
File Name - If applicable, indicates the new name for the file associated with the event +- New Extension - If applicable, indicates the new extension of the file associated with the event +- Workload - Workload associated with the event +- Access - If applicable, indicates what level of access is associated with the event +- Target Account - If applicable, indicates the recipient of the event +- Target Type - If applicable, indicates the type of account of the recipient of the event +- DLP Policy - If applicable, indicates the DLP Policy associated with the event +- Event Data – Data associated with the event +- Custom Event - If the Custom Event filter was configured in the Query bar, it will appear here + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. diff --git a/docs/activitymonitor/10.0/admin/search/sqlserver/_category_.json b/docs/activitymonitor/10.0/admin/search/sqlserver/_category_.json new file mode 100644 index 0000000000..5588cda134 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sqlserver/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SQL Server Search Query", + "position": 80, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "sqlserver" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver.md b/docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver.md new file mode 100644 index 0000000000..65859e85e9 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver.md 
@@ -0,0 +1,88 @@ +--- +title: "SQL Server Search Query" +description: "SQL Server Search Query" +sidebar_position: 80 +--- + +# SQL Server Search Query + +You can search SQL Server activity that has been monitored and recorded to a File output. When you +select **SQL Server** from the magnifying glass drop-down menu, a New Search tab opens with the +applicable query filters. + +![SQL Server Search Query](/images/activitymonitor/9.0/admin/search/query/sqlsearchquerytoolbar.webp) + +The filters are separated into the following categories: + +- General +- User +- SQL + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![General Filters](/images/activitymonitor/9.0/admin/search/query/generalfilter.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Event Result – Filter the data for a specific event result: Any, Success, or Failure +- Reason +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. + +![userfilter](/images/activitymonitor/9.0/admin/search/query/userfilter.webp) + +This section has the following filters: + +- Name or ID +- IP Address + +## SQL Category + +The SQL category scopes the query by SQL Server activity. + +![SQL Filters](/images/activitymonitor/9.0/admin/search/query/sqlfilters.webp) + +This section has the following filters: + +- Server name +- Database +- Operation – Filter the data by the type of Operation: All, Select, Insert, Update, Delete, merge, + Execute, Login, Logout, Grant, Revoke, Deny, Error, AlterRole +- Application +- Object +- SQL Text 
diff --git a/docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver_1.md b/docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver_1.md new file mode 100644 index 0000000000..9808e8cf89 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/sqlserver/sqlserver_1.md 
@@ -0,0 +1,34 @@ +--- +title: "SQL Server Search Results" +description: "SQL Server Search Results" +sidebar_position: 10 +--- + +# SQL Server Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +![SQL Server Search Results](/images/activitymonitor/9.0/admin/search/results/sqlsearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Result – Indicates whether the event type was a success +- User – User account that performed the activity event +- IP Address – IP Address of the client host associated with the event +- Client Host – Name of the client host associated with the event +- Application Name – Name of the application associated with the event +- Operation – The type of operation associated with the event +- Database – The type of database associated with the event +- SQL – The SQL Server Query text associated with the event +- Error – Indicates SQL Server Error Code associated with the event +- Message – Description of the error associated with the event +- Category – Category of the error associated with the event + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. 
diff --git a/docs/activitymonitor/10.0/gettingstarted.md b/docs/activitymonitor/10.0/gettingstarted.md new file mode 100644 index 0000000000..2fdfa4cefc --- /dev/null +++ b/docs/activitymonitor/10.0/gettingstarted.md 
@@ -0,0 +1,57 @@ +--- +title: "Getting Started" +description: "Getting Started" +sidebar_position: 10 +--- + +# Getting Started + +Once Netwrix Activity Monitor is installed, the following workflow enables organizations to quickly +and easily get started with activity monitoring. + +## Requirements + +The Activity Monitor console needs to be installed on a server or workstation. After that agents are deployed to +the target environment and configured to monitor activity. It is necessary to prepare the target +environment and configure the credentials used by the agents. Each supported environment has +different requirements. See the following topics for additional information: + +- Console machine [Requirements ](/docs/activitymonitor/10.0/requirements/overview.md) +- [Activity Agent Server Requirements](/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md) for monitoring: + + - Windows File servers + - NAS devices + - Microsoft Entra ID + - SharePoint On-Premise + - SharePoint Online + - Exchange Online + - SQL Servers + +- [AD Agent Server Requirements](/docs/activitymonitor/10.0/requirements/adagent/adagent.md) for monitoring Active Directory +- [Linux Agent Server Requirements](/docs/activitymonitor/10.0/requirements/linuxagent.md) for monitoring Linux file servers + +## Install & Deploy Agents + +Once the prerequisites are accomplished, you are ready to install the application and deploy agents. +See the following topics for additional information: + +- [Install Application](/docs/activitymonitor/10.0/install/application.md) +- [Agent Information](/docs/activitymonitor/10.0/install/agents/agents.md) +- [Import License Key](/docs/activitymonitor/10.0/install/importlicensekey.md) + +## Configure Monitoring + +After the agents have been deployed, you can configure the monitoring of the target environment. 
For +Windows File Servers, this can be done at the same time as the agent is deployed, but for all other +target environments it is done after the agent is deployed. You will configure what will be +monitored as well as where the collected data will go (outputs). See the following topics for +additional information: + +- [Monitored Domains Tab](/docs/activitymonitor/10.0/admin/monitoreddomains/overview.md) for Active Directory monitoring +- [Monitored Hosts & Services Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md) for all other target environments. + +## Search Activity Event Data + +You can query the activity logs created by the activity agents from within the console. Using the +search feature, set filters for the query to view monitored events. See the +[Search Feature](/docs/activitymonitor/10.0/admin/search/overview.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/index.md b/docs/activitymonitor/10.0/index.md new file mode 100644 index 0000000000..c1b495c53a --- /dev/null +++ b/docs/activitymonitor/10.0/index.md @@ -0,0 +1,15 @@ +--- +title: "Netwrix Activity Monitor v10.0 Documentation" +description: "Netwrix Activity Monitor v10.0 Documentation" +sidebar_position: 1 +--- + +# Netwrix Activity Monitor v10.0 Documentation + +The Netwrix Activity Monitor deploys agents to target environments to provide real-time monitoring +of activity. It can be configured to provide the event data to other Netwrix products for reporting +and alerting purposes. The Activity Monitor also provides operational efficiencies and visibility +into a wide spectrum of human and machine data interactions with a standardized format that is used +to gain deeper visibility into activity associated with the access, use, and modification of data. + +See the [Getting Started](/docs/activitymonitor/10.0/gettingstarted.md) topic for additional information. 
diff --git a/docs/activitymonitor/10.0/install/_category_.json b/docs/activitymonitor/10.0/install/_category_.json new file mode 100644 index 0000000000..f87e537fff --- /dev/null +++ b/docs/activitymonitor/10.0/install/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Installation", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/install/agents/_category_.json b/docs/activitymonitor/10.0/install/agents/_category_.json new file mode 100644 index 0000000000..89391c7ce3 --- /dev/null +++ b/docs/activitymonitor/10.0/install/agents/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Agent Information", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "agents" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/install/agents/agents.md b/docs/activitymonitor/10.0/install/agents/agents.md new file mode 100644 index 0000000000..8d83e57099 --- /dev/null +++ b/docs/activitymonitor/10.0/install/agents/agents.md 
@@ -0,0 +1,81 @@ +--- +title: "Agent Information" +description: "Agent Information" +sidebar_position: 20 +--- + +# Agent Information + +Activity Monitor agents perform real-time monitoring of events occurring across supported systems and applications. + +A typical deployment consists of multiple agents, each monitoring either the system where it is installed or remote systems, +including in scale-out and fault-tolerant configurations. + +There are two deployment modes: + +1. **The agent monitors the server it is installed on** + +The agent must be deployed on the target system for the following event sources: + +|Event source|Additional requirements| +|------------|-----------------------| +|Windows File Server| | +|Linux File Server| | +|Active Directory domain controllers| The agent must be installed on all domain controllers of the monitored domain.| +|SharePoint On-Premise|The agent must be deployed to the server that hosts the _Central Administration_ component of the SharePoint farm.| + + +2. **The agent monitors remote hosts or services** + +In this mode, the agent is installed on a Windows Server and configured to monitor the following event sources: + +|Event source|Additional requirements| +|------------|-----------------------| +|**File Systems**|| +|Azure Files|| +|CTERA|| +|Dell VNX/Celerra|Dell Common Event Enabler| +|Dell Isilon/PowerScale|Dell Common Event Enabler| +|Dell Unity|Dell Common Event Enabler| +|Dell PowerStore|Dell Common Event Enabler| +|Hitachi NAS|| +|Nasuni|| +|NetApp|| +|NetApp 7-mode|| +|Nutanix Files|| +|Panzura|| +|Qumulo|| +|**Identity & Access Management**|| +|Microsoft Entra ID|| +|**Communication & Messaging**|| +|Exchange Online|| +|SharePoint Online|| +|**Database Operations**|| +|Microsoft SQL Server|| + + +:::info +For file storage, the agent's server should be located close to the monitored NAS device on the network to reduce latency. 
+::: + +:::info +For Dell devices, the **Dell Common Event Enabler (CEE)** must be installed on the same server as the agent (recommended) or +on another Windows or Linux server. If installed remotely, the CEE must be configured manually to forward activity to the agent. +::: + +To perform centralized agent maintenance from the application console server, WMI must be enabled on the Windows server where the agent is installed. + +You will need the following information to deploy agents from the Console: + +- Server name – Name or an IP Address of the server +- Credentials + - Windows: Account must be a member of the BUILTIN\Administrators group on the target server + - Linux: Account must have permissions to deploy the agent over SSH on the target server + +See the [Agents Tab](/docs/activitymonitor/10.0/admin/agents/overview.md) topic for additional information on how to deploy agents using the Console. + +The Activity Monitor Agent may also be deployed manually. Use one of the following to manually install an agent: + +- [Manually Install the Windows Agent](/docs/activitymonitor/10.0/install/agents/manual.md) +- [Manually Install the Linux Agent](/docs/activitymonitor/10.0/install/agents/manuallinux.md) +- [Manually Install the Agent for Active Directory](/docs/activitymonitor/10.0/install/agents/manualad.md) diff --git a/docs/activitymonitor/10.0/install/agents/manual.md b/docs/activitymonitor/10.0/install/agents/manual.md new file mode 100644 index 0000000000..b7ac8d37fc --- /dev/null +++ b/docs/activitymonitor/10.0/install/agents/manual.md 
@@ -0,0 +1,169 @@
+---
+title: "Manually Install the Activity Agent"
+description: "Manually Install the Activity Agent"
+sidebar_position: 10
+---
+
+# Manually Install the Activity Agent
+
+The Netwrix Activity Monitor Agent can be deployed via the console or manually.
+
+Follow the steps to manually install the agent.
+
+**Step 1 –** Navigate to the Activity Monitor Console installation path and locate the agent
+installation package. The default location is:
+
+`C:\Program Files\Netwrix\Activity Monitor\Console\Agents\x64\SBFileMonAgent.msi`
+
+**Step 2 –** Copy the Activity Monitor agent installation package to the target server.
+
+**Step 3 –** Click the Activity Monitor agent installation package and the Wizard opens.
+
+![Activity Monitor Agent Setup Wizard - Welcome Page](/images/activitymonitor/9.0/install/agent/welcome_1.webp)
+
+**Step 4 –** On the welcome page click **Next**.
+
+![End-User License Agreement Page](/images/activitymonitor/9.0/install/agent/eula.webp)
+
+**Step 5 –** On the End-User License Agreement page, select the **I accept the terms in the License
+Agreement** option and click **Next**.
+
+![Destination Folder Page](/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp)
+
+**Step 6 –** (Optional) On the Destination Folder page, click **Change** to change the installation
+directory location.
+
+![Change Destination Folder Page](/images/activitymonitor/9.0/install/agent/changedestination.webp)
+
+**Step 7 –** Click **OK** on the Change destination folder page to return to the Destination folder
+page. Click **Next**.
+
+![Ready to install Netwrix Activity Monitor Agent 64-bit Page](/images/activitymonitor/9.0/install/agent/readyinstall.webp)
+
+**Step 8 –** On the Ready to install page, click **Install**. The installation process begins. The
+Setup wizard displays the installation status.
+
+![Completion Page](/images/activitymonitor/9.0/install/agent/complete.webp)
+
+**Step 9 –** When installation is complete, click Finish.
+
+## (Optional) Command Line Installation
+
+If needed, the following command line options can be used with extra logging and install options.
+The Activity Monitor Agent command line has the following parameters:
+
+- `AGENT_PORT`
+
+ - To specify Activity Monitor Agent port.
+ - Default value: `4498`
+ - Example: `AGENT_PORT=1234`
+
+- `AGENTINSTALLLOCATION`
+
+ - To specify the Activity Monitor Agent installation path.
+ - Default value: `C:\Program Files\Netwrix\Activity Monitor\Agent`
+ - Example: `AGENTINSTALLLOCATION="D:\AMAgent"`
+
+- `MANAGEMENT_GROUP`
+
+ - To specify the Activity Monitor Agent Management Group (This allows user to limit users in the
+ specified group to manage agents, but does not allow users in specified group to install,
+ upgrade, or uninstall agents).
+ - Default value: `BUILTIN\Administrators`
+ - Example: `MANAGEMENT_GROUP=CORP\ActivityMonitorGroup`
+
+- `/l*v`
+
+ - To include verbose install logging.
+ - Example: `/l*v "C:\amagent.log"`
+
+ :::note
+ If installation fails, locate the log file, and search for "Return value 3". The lines
+ above "Return value 3" should contain information on what caused the installation to fail.
+ :::
+
+
+- `/qn`
+
+ - To install the agent in quiet / Unattended Mode (without UI)
+
+Example:
+
+```
+msiexec.exe /i C:\SBFileMonAgent.msi AGENT_PORT=1234 AGENTINSTALLLOCATION="D:\AMAgent" MANAGEMENT_GROUP=CORP\ActivityMonitorGroup /l*v c:\amagent.log /qn
+```
+
+## Add the Activity Agent to the Console
+
+Before deploying the Activity Monitor agent, ensure all
+[Activity Agent Server Requirements](/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md) have been met, including
+those for NAS devices when applicable.
+
+:::note
+These steps are specific to deploying activity agents for monitoring file systems,
+SharePoint, SQL Server, Azure and Office 365 environments. See the
+[Active Directory Agent Deployment](/docs/activitymonitor/10.0/admin/agents/activedirectory.md) section for
+instruction on deploying the AD agent. See the
+[Linux Agent Deployment](/docs/activitymonitor/10.0/admin/agents/linux.md) topic for instructions on deploying agents
+to Linux servers.
+:::
+
+
+Follow the steps to deploy the activity agent to a single Windows server.
+
+**Step 1 –** Open the Activity Monitor Console.
+
+**Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens.
+
+![Install New Agent Page](/images/activitymonitor/9.0/install/agent/installnew.webp)
+
+**Step 3 –** Specify the server name where the agent will be deployed. To add multiple server names,
+see the [Multiple Activity Agents Deployment](/docs/activitymonitor/10.0/admin/agents/multiple.md) topic for
+additional information. Click **Next**.
+
+![Agent Port Configuration](/images/activitymonitor/9.0/install/agent/portdefault.webp)
+
+**Step 4 –** Specify the port to be used for the agent. Click **Next**.
+
+![Credentials to connect to servers](/images/activitymonitor/9.0/install/agent/credentials.webp)
+
+**Step 5 –** On the Credentials to Connect to the Server(s) page, specify the credentials for the
+server to which the agent is deployed. See the
+[Single Activity Agent Deployment](/docs/activitymonitor/10.0/admin/agents/single.md) topic for additional
+information on credential options. Click **Connect**.
+
+:::note
+When clicking **Connect** while adding the Agent to the Console, the connection may fail.
+When clicking Connect, the Activity Monitor verifies not only its ability to manage the agent but
+the console's ability to deploy the agent as well. Errors can be ignored if the agent was manually
+installed.
+:::
+
+
+**Step 6 –** Regardless of the warning messages that the agent cannot be installed or upgraded,
+click **Next**. The console will automatically detect the agent as it is already installed.
+
+![Agent Install Location](/images/activitymonitor/9.0/install/agent/installlocation.webp)
+
+**Step 7 –** Specify the path of the Activity Monitor Agent, that has already been installed. Click
+**Next**.
+
+![Windows Agent Settings](/images/activitymonitor/9.0/install/agent/windowsagent.webp)
+
+**Step 8 –** Specify the Activity Monitor Agent Management Group (if desired). Click Finish.
+
+:::note
+The Activity Monitor Agent Management Group allows users in the specified group to manage
+agents, but does not allow users in specified group to install, upgrade, or uninstall agents.
+:::
+
+
+The Agent is now added to the Activity Monitor.
+
+During the installation process of the agent, the status will display Installing. If there are any
+errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box.
+
+![Activity Monitor Agent Installed](/images/activitymonitor/9.0/install/agent/consolewithagent.webp)
+
+When the Activity Monitor agent installation is complete, the status changes to **Installed** and
+the activity agent version populates. The next step is to add hosts to be monitored.
diff --git a/docs/activitymonitor/10.0/install/agents/manualad.md b/docs/activitymonitor/10.0/install/agents/manualad.md
new file mode 100644
index 0000000000..08a8f87329
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/agents/manualad.md
@@ -0,0 +1,166 @@
+---
+title: "Manually Install the AD Module"
+description: "Manually Install the AD Module"
+sidebar_position: 30
+---
+
+# Manually Install the AD Module
+
+The AD Module, powered by Threat Prevention, can only be installed on domain controllers.
+
+Follow the steps to manually deploy the AD Module.
+
+**Step 1 –** From the Activity Monitor Console machine, copy the AD Agent executable (
+`%ProgramFiles%\Netwrix\Activity Monitor\Console\Agents\SI Agent.exe`) to the domain controller where
+you want to install the Agent. Then run the executable. The Netwrix Threat Prevention Windows Agent
+Setup wizard opens.
+
+![Threat Prevention Windows Agent Setup wizard on the Welcome page](/images/activitymonitor/9.0/install/agent/welcome_1.webp)
+
+**Step 2 –** On the Welcome page, click **Install**. The Setup Progress page is displayed, followed
+by another Welcome page.
+
+![Threat Prevention Windows Agent - Welcome Page](/images/activitymonitor/9.0/install/agent/welcome.webp)
+
+**Step 3 –** Click **Next**.
+
+![End-User License Agreement Page](/images/activitymonitor/9.0/install/agent/license.webp)
+
+**Step 4 –** On the End-User License Agreement page, check the **I accept the terms in the License
+Agreement** box and click **Next**.
+
+![Destination Folder Page](/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp)
+
+**Step 5 –** _(Optional)_ On the Destination Folder page, change the installation directory
+location.
+
+- To change the default installation directory location, click **Change…**.
+
+![Change Destination Folder Page](/images/activitymonitor/9.0/install/agent/changedestination.webp)
+
+> > - Use the Look In field to select the desired installation folder.
+> > - When the Folder name is as desired, click **OK**. The wizard returns to the Destination Folder
+> > page.
+> > - Click **Next**.
+
+> To use the default installation directory location, skip the previous step and click **Next** on
+> the Destination Folder page.
+
+![CA Certificate Configiration Page](/images/activitymonitor/9.0/install/agent/cacertconfig.webp)
+
+**Step 6 –** Keep the default radio button selection, Managed by Threat Prevention.
+
+:::note
+The CA Certificate Configuration page is not applicable to the Activity Monitor.
+:::
+
+
+![Enterprise Manager Location Information Page](/images/activitymonitor/9.0/install/agent/enterprisemanageram.webp)
+
+**Step 7 –** On the Enterprise Manager Location Information page, select the **Option** button for a
+product to enable communication with it.
+
+- Select the **SAM configuration file** radio button.
+- In the **Address or Path** field, enter the path to the activity agent configuration file for this
+ host. Remember, the Activity Monitor activity agent must already be deployed on the domain
+ controller and enabled before installing the AD Agent. The default path is:
+ `%ProgramFiles%\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\SAMConfig.xml`
+- The port configuration only applies to the Enterprise Manager Host option.
+- Configure additional Agent options as desired:
+
+ - Safe Mode
+
+ - The Safe Mode option prevents the **Windows AD Events** monitoring module from loading if
+ the LSASS DLL versions has been modified since the last time the Threat Prevention Windows
+ Agent service was started.
+
+ - Start Agent Service
+
+ - The **Start Agent Service** option starts the Threat Prevention Windows Agent service
+ after the installation is complete. If the Threat Prevention Windows Agent service is not
+ started at the time of installation, the Activity Monitor Agent will start as needed.
+
+ - Create Windows Firewall Rules
+
+ - The **Create Windows Firewall Rules** option creates the rules needed to open this port
+ during the installation process. If using a third party firewall, uncheck this option and
+ manually create the necessary firewall rules.
+
+- When the settings are configured, click **Next**.
+
+![Select Event Sources Page](/images/activitymonitor/9.0/install/agent/eventsourcesad.webp)
+
+**Step 8 –** On the Select Event Sources page, select **Windows Active Directory Events** as needed
+by the Activity Monitor for the Active Directory solution. Click **Next**.
+
+![Windows Agent Setup wizard on the Ready page](/images/activitymonitor/9.0/install/agent/readytoinstall.webp)
+
+**Step 9 –** On the Ready to install Threat Prevention Windows Agent page, click **Install**. The
+Setup wizard displays the installation status.
+
+![Windows Agent Setup wizard on the Operation successful page](/images/activitymonitor/9.0/install/agent/success.webp)
+
+**Step 10 –** When installation is complete, click **Close**.
+
+The AD Module (NTP Agent) is now installed on the server.
+
+## Add the AD Agent to the Console
+
+Follow the steps to add the Activity Monitor Windows Agent (with the AD Module) to the Console:
+
+**Step 1 –** Open the Activity Monitor Console.
+
+**Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens.
+
+![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp)
+
+**Step 3 –** Click the **install agents on Active Directory domain controllers** link.
+
+![Specify Agent Port](/images/activitymonitor/9.0/install/agent/specifyport.webp)
+
+**Step 4 –** Specify the port for the Activity Monitor Agent. Click **Next**.
+
+![Agent Install Location](/images/activitymonitor/9.0/install/agent/installlocation.webp)
+
+**Step 5 –** Specify the path of the Activity Monitor Agent, that has already been installed. Click
+**Next**.
+
+![Active Directory Connection](/images/activitymonitor/9.0/install/agent/adconnection.webp)
+
+**Step 6 –** On the Active Directory Connection page, specify the credentials for the domain or
+domain controller(s) where the agent is installed. Click **Connect** to verify connection to the
+domain. Click **Next**.
+
+![Domains to Monitor](/images/activitymonitor/9.0/install/agent/domains.webp)
+
+**Step 7 –** Select the domain of the domain controller(s) where the agent is installed. Click
+**Next**.
+
+![Domain Controllers to Deploy Agent](/images/activitymonitor/9.0/install/agent/domaincontroller.webp)
+
+**Step 8 –** Select the domain controller(s) where the agent is installed. Click **Test**.
+
+:::note
+When clicking Test while adding the Agent to the Console, the connection may fail. When
+clicking Test, the Activity Monitor verifies not only its ability to manage the agent but the
+console's ability to deploy the agent as well. Errors can be ignored if the agent was manually
+installed.
+:::
+
+
+**Step 9 –** Ignore the warning messages that the agent cannot be installed or upgraded and click
+**Next**.
+
+![Windows Agent Settings](/images/activitymonitor/9.0/install/agent/windowsagent.webp)
+
+**Step 10 –** Specify the Activity Monitor Agent Management Group (if desired). Click **Finish**.
+
+:::note
+The Activity Monitor Agent Management Group allows users in the specified group to manage
+agents, but does not allow users in specified group to install, upgrade, or uninstall agents.
+:::
+
+
+The console will automatically detect the agent as it is already installed.
+
+The Agent is now added to the Activity Monitor Console.
diff --git a/docs/activitymonitor/10.0/install/agents/manuallinux.md b/docs/activitymonitor/10.0/install/agents/manuallinux.md
new file mode 100644
index 0000000000..201322e2c4
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/agents/manuallinux.md
@@ -0,0 +1,128 @@
+---
+title: "Manually Install the Linux Agent"
+description: "Manually Install the Linux Agent"
+sidebar_position: 20
+---
+
+# Manually Install the Linux Agent
+
+Follow the steps to manually install the agent.
+
+**Step 1 –** Transfer the rpm package to the Linux server.
+
+For example, following is a pscp command:
+
+```
+pscp.exe -P 22 -p -v "C:\Program Files\Netwrix\Activity
+Monitor\Console\Agents\activity-monitor-agentd-10.0.0-400.rhel.x86_64.rpm"
+root@123.456.789.123:/tmp/
+```
+
+![pscp Command](/images/activitymonitor/9.0/install/agent/screen1.webp)
+
+**Step 2 –** Install the Activity Monitor Linux Agent RPM Package on the Linux server.
+
+For example, the following command can be used:
+
+```
+sudo yum localinstall activity-monitor-agentd-10.0.0-400.rhel.x86_64.rpm
+```
+
+![Install Linux Agent RPM Package on the Linux server](/images/activitymonitor/9.0/install/agent/screen2.webp)
+
+**Step 3 –** Add firewall rules to the Linux server, and restart firewall service.
+
+:::note
+This should be the same port number specified in the Activity Monitor console for the
+Linux agent. Default port is 4498.
+:::
+
+
+For example, the following commands can be used:
+
+```
+sudo firewall-cmd --zone=public --add-port=4498/tcp --permanent
+sudo systemctl restart firewalld
+sudo firewall-cmd --list-all
+```
+
+**Step 4 –** Generate the Activity Monitor Agent client certificate on Linux server from the
+Activity Monitor Agent install directory.
+
+The following commands can be used:
+
+```
+cd /usr/bin/activity-monitor-agentd/
+sudo ./activity-monitor-agentd create-client-certificate --name amagent
+```
+
+![Generate the Activity Monitor Agent Client Certificate](/images/activitymonitor/9.0/install/agent/screen3.webp)
+
+**Step 5 –** Copy full certificate output from previous command on the Linux server.
+
+:::note
+This will be needed to add the agent to the console.
+:::
+
+
+## Add the Linux Agent to the Console
+
+Before deploying the Activity agent in a Linux environment, ensure all Prerequisites have been met.
+To effectively monitor activity on a Linux host, it is necessary to deploy an agent to the host.
+Follow the steps to deploy the agent to the Linux host. See the
+[Linux Agent Server Requirements](/docs/activitymonitor/10.0/requirements/linuxagent.md) topic for additional
+information.
+
+Follow the steps to add the agent to the console.
+
+**Step 1 –** Open the Activity Monitor Console.
+
+**Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens.
+
+![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp)
+
+**Step 3 –** Specify the server name or IP Address that already has the Linux agent installed. To
+add multiple server names, see the Multiple Activity Agents Deployment topic for additional
+information. Click **Next**.
+
+![Specify Agent Port](/images/activitymonitor/9.0/install/agent/specifyagentport.webp)
+
+**Step 4 –** Specify the port to be used for the agent. Click **Next**.
+
+![Credentials to Connect to Server.](/images/activitymonitor/9.0/install/agent/credentials.webp)
+
+**Step 5 –** In Activity Monitor console add the Linux agent using the client certificate option,
+and paste the full output of the client certificate information (from Step 3 of ‘Manually Installing
+Activity Monitor Linux Agent’) into the client certificate field. Click **Connect**. Then click
+**Next**.
+
+:::note
+When clicking Connect while adding the Agent to the Console, the connection may fail. When
+clicking Connect, the Activity Monitor verifies not only its ability to manage the agent but the
+console's ability to deploy the agent as well. Errors can be ignored if the agent was manually
+installed.
+:::
+
+
+![Linux Agent Options](/images/activitymonitor/9.0/install/agent/linuxagentoptions.webp)
+
+**Step 6 –** On the Linux Agent Options page, select which user name to use to run the daemon. To
+use root, leave the **Service user name** field blank. Click **Test** to test the connection.
+
+**Step 7 –** Click **Finish**. The Add New Agent(s) window closes, and the activity agent is
+deployed to and installed on the target host.
+
+:::note
+The console will automatically detect the agent as it is already installed.
+:::
+
+
+The Agent is now added to the Activity Monitor Console.
+
+**Step 8 –** On the Agents tab of the console, select the newly added agent. Click **Edit** to view
+Agent Properties.
+
+![Server Properties](/images/activitymonitor/9.0/install/agent/properties.webp)
+
+**Step 9 –** Specify Linux account credentials (to be able to install, upgrade, and uninstall
+agent). Click **Test** to verify. Then press **OK** to save changes.
diff --git a/docs/activitymonitor/10.0/install/application.md b/docs/activitymonitor/10.0/install/application.md
new file mode 100644
index 0000000000..198a9c1965
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/application.md
@@ -0,0 +1,48 @@
+---
+title: "Install Application"
+description: "Install Application"
+sidebar_position: 10
+---
+
+# Install Application
+
+Netwrix Activity Monitor comes with a 10-day trial license to start. If an organization's license
+key has been acquired already, which should be provided by a Netwrix Representative, the file should
+be saved in the same location where the Activity Monitor will be installed.
+
+Follow the steps to install the Netwrix Activity Monitor Console.
+
+**Step 1 –** Run the NetwrixActivityMonitorSetup.msi executable to open the Netwrix Activity Monitor
+Setup wizard.
+
+![Activty Monitor Setup Wizard - Welcome Page](/images/activitymonitor/9.0/install/welcome.webp)
+
+**Step 2 –** On the Activity Monitor Setup Wizard welcome page, click **Next** .
+
+![End-User License Agreement Page](/images/activitymonitor/9.0/install/eula.webp)
+
+**Step 3 –** On the End User License Agreement page, check the I accept the terms in the License
+Agreement box and click Next.
+
+![Destination Folder Page](/images/activitymonitor/9.0/install/destinationfolder.webp)
+
+**Step 4 –** On the Destination Folder page, select a destination folder for Activity Monitor. The
+default destination folder is `C:\Program Files\Netwrix\Activity Monitor\Console\`. Click **Next**.
+
+![Ready to Install Netwrix Activity Monitor Page](/images/activitymonitor/9.0/install/ready.webp)
+
+**Step 5 –** Click **Install** to begin installation.
+
+
+**Step 6 –** The installer displays a status page during the installation process. Wait for the next
+window to appear when the status is complete.
+
+![Installation Complete Page](/images/activitymonitor/9.0/install/complete.webp)
+
+**Step 7 –** Once installation is complete, click Finish.
+
+The setup wizard closes and the Activity Monitor Console opens.
+
+The Activity Monitor Console installs with a 10-day, 1-host license key. After completing the
+installation, see the [Import License Key](/docs/activitymonitor/10.0/install/importlicensekey.md) topic for instructions on importing
+an organization’s license key.
diff --git a/docs/activitymonitor/10.0/install/importlicensekey.md b/docs/activitymonitor/10.0/install/importlicensekey.md
new file mode 100644
index 0000000000..95b19452f0
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/importlicensekey.md
@@ -0,0 +1,48 @@
+---
+title: "Import License Key"
+description: "Import License Key"
+sidebar_position: 40
+---
+
+# Import License Key
+
+The Activity Monitor comes with a temporary 10-day license. Uploading a new license key or importing
+a Access Analyzer key can be done from the Activity Monitor Console. If the Activity Monitor Console
+is installed on a server where Access Analyzer has already been installed, it reads the license
+information from the Access Analyzer installation directory.
+
+Follow the steps to import a license key file.
+
+![Activity Monitor Installation with Trial License](/images/activitymonitor/9.0/install/triallicense.webp)
+
+**Step 1 –** Click the `__Licensed to: __` hyperlink in the lower-left corner of the
+Console. Alternatively, click the **View License** link in the yellow warning bar at the top. The
+License Information window opens.
+
+![Trial License Information](/images/activitymonitor/9.0/install/triallicenseinfo.webp)
+
+**Step 2 –** Click Load New License File and navigate to where the key is located. A Windows file
+explorer opens.
+
+![Open Dialog Box to load New License File](/images/activitymonitor/9.0/install/loadlicense.webp)
+
+**Step 3 –** Select the `.lic` file and click Open. The selected license key is then read.
+
+![Activity Monitor License Information](/images/activitymonitor/9.0/install/licenseinfo.webp)
+
+**Step 4 –** In the License Information window, click **Apply** to import the License Key.
+
+![Activity Monitor with License](/images/activitymonitor/9.0/install/licenseadded.webp)
+
+**Step 5 –** The organization's license key is now imported into the Activity Monitor. The Console
+returns to the Agents tab and is ready to deploy activity agents.
+
+:::note
+License keys are crafted for companies based on their preference for Active Directory,
+Microsoft Entra ID (formerly Azure AD), File System, SharePoint, and SharePoint Online monitoring.
+Any environment that is omitted from the license has its corresponding features disabled.
+:::
+
+
+Once a key has expired, the Console displays an Open License File… option for importing a new key.
+Once a new key is loaded, the Console returns to the Agents tab.
diff --git a/docs/activitymonitor/10.0/install/overview.md b/docs/activitymonitor/10.0/install/overview.md
new file mode 100644
index 0000000000..d0548e4774
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/overview.md
@@ -0,0 +1,30 @@
+---
+title: "Installation"
+description: "Installation"
+sidebar_position: 30
+---
+
+# Installation
+
+This topic describes the console installation and agent deployment the process for Activity Monitor.
+Prior to installing the application, ensure that all requirements have been met. See the
+[Requirements ](/docs/activitymonitor/10.0/requirements/overview.md) topic for additional information.
+
+## Software Compatibility & Versions
+
+For proper integration between the Activity Monitor and other Netwrix products, it is necessary for
+the versions to be compatible.
+
+| Component | Version |
+| ----------------------------------------------------- | ------- |
+| Netwrix Activity Monitor | 10.0.x |
+| Netwrix Access Analyzer | 12.0.x or 2601 |
+| Netwrix Threat Prevention | 8.0.x |
+| Netwrix Threat Manager | 3.0.x |
+
+## Software Download
+
+Current customers can log in to the Netwrix Customer Portal to download software binaries and
+license keys for purchased products. See the
+[Customer Portal Access](https://helpcenter.netwrix.com/bundle/NetwrixCustomerPortalAccess/page/Customer_Portal_Access.html)
+topic for information on how to register for a Customer Portal account.
diff --git a/docs/activitymonitor/10.0/install/upgrade/_category_.json b/docs/activitymonitor/10.0/install/upgrade/_category_.json
new file mode 100644
index 0000000000..f79fb801b7
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/upgrade/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Upgrade Procedure",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "upgrade"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/install/upgrade/removeagent.md b/docs/activitymonitor/10.0/install/upgrade/removeagent.md
new file mode 100644
index 0000000000..29ce1b0320
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/upgrade/removeagent.md
@@ -0,0 +1,18 @@
+---
+title: "Remove Agents"
+description: "Remove Agents"
+sidebar_position: 20
+---
+
+# Remove Agents
+
+On the Agents tab of the Activity Monitor Console, the Remove button allows users to remove the
+selected activity agent from the Agents list and/or uninstall the activity agent from the hosting
+server.
+
+![Remove Agents Popup Window](/images/activitymonitor/9.0/install/removeagents.webp)
+
+To only remove the server from the Agents list, click Remove. To also uninstall the activity agent
+from the server, click Uninstall and remove. During the uninstall process, the status will be
+Uninstalling. If there are any errors, the list of errors appears in the **Agent messages** box.
+When the activity agent uninstall is complete, it is removed from the Agents list.
diff --git a/docs/activitymonitor/10.0/install/upgrade/updateadagentinstaller.md b/docs/activitymonitor/10.0/install/upgrade/updateadagentinstaller.md
new file mode 100644
index 0000000000..7cf2efcca3
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/upgrade/updateadagentinstaller.md
@@ -0,0 +1,41 @@
+---
+title: "Update AD Module Installer"
+description: "Update AD Module Installer"
+sidebar_position: 10
+---
+
+# Update AD Module Installer
+
+Netwrix periodically releases updated AD Module installation packages. Typically these updates are
+associated with Microsoft KB’s (hotfixes) which alter the LSASS components interfering with AD
+Module instrumentation.
+
+:::note
+The **AD Module** is the same component as the **Netwrix Threat Prevention Agent** used in the Netwrix Threat Prevention product.
+:::
+
+Current customers can log in to the Netwrix Customer Portal to download software binaries and
+license keys for purchased products. See the
+[Customer Portal Access](https://helpcenter.netwrix.com/bundle/NetwrixCustomerPortalAccess/page/Customer_Portal_Access.html)
+topic for information on how to register for a Customer Portal account. Navigate to the Netwrix
+Threat Prevention Download section for the 7.5. Download the Threat Prevention Agent binary.
+
+Then follow the steps to update the AD Module installer used by the Activity Monitor Console.
+
+**Step 1 –** On the Agents tab, select **Update AD Module Installer**. The Select AD Module
+installer package (SI Agent.exe) window opens.
+
+![Update AD Module Installer](/images/activitymonitor/9.0/install/updateagentinstaller.webp)
+
+**Step 2 –** Navigate to the location of the latest AD Module / Threat Prevention Agent installation package. Select the
+installer and click **Open**.
+
+![Confirmation Window](/images/activitymonitor/9.0/install/updateagentinstallerpopup.webp)
+
+**Step 3 –** A confirmation window opens displaying the version information for the selected
+installer. Click **Yes** to update to this version or **No** to cancel the operation. A confirmation
+window opens displaying the version information for the selected installer. Click **Yes** to update
+to this version or **No** to cancel the operation.
+
+The AD Module installer is update. Use the Install button on the Agents tab to upgrade the deployed
+agents that are monitoring Active Directory to the new version.
diff --git a/docs/activitymonitor/10.0/install/upgrade/upgrade.md b/docs/activitymonitor/10.0/install/upgrade/upgrade.md
new file mode 100644
index 0000000000..b3663f8c8b
--- /dev/null
+++ b/docs/activitymonitor/10.0/install/upgrade/upgrade.md
@@ -0,0 +1,49 @@
+---
+title: "Upgrade Procedure"
+description: "Upgrade Procedure"
+sidebar_position: 30
+---
+
+# Upgrade Procedure
+
+The purpose of this chapter is to provide the basic steps needed for upgrading Activity Monitor. See
+the [Software Compatibility & Versions](/docs/activitymonitor/10.0/install/overview.md) section for information on integration with
+other Netwrix products.
+
+## Considerations
+
+While it is strongly recommended to match the versions of both the console and the activity agent,
+activity agent(s) V9.0+ can be managed by Activity Monitor Console V10.0+. Older versions of activity
+agents will be limited in monitoring capability until upgraded.
+
+The installation and configuration paths for Netwrix Activity Monitor have been updated from
+Activity Monitor 7.1. See the
+[Netwrix Activity Monitor Paths](/docs/kb/activitymonitor/agent-configuration-and-management/netwrix_activity_monitor_7.0_paths) knowledge base article
+for additional information.
+
+## Activity Monitor Upgrade Procedure
+
+Follow the steps to upgrade from an older version of Netwrix Activity Monitor to Netwrix Activity Monitor 10.0.
+
+:::info
+Uninstall of the existing Activity Monitor Console is not required.
+:::
+
+**Step 1 –** Install the Activity Monitor 10.0 on the same machine where the older console resides
+following the instructions in the [Install Application](/docs/activitymonitor/10.0/install/application.md) section.
+Launch the Activity Monitor Console and navigate to the Agents tab.
+
+
+**Step 2 –** Select the activity agent(s) to be upgraded. The Windows Ctrl-select option can be used
+to select multiple activity agents. Then click Upgrade.
+
+:::info
+Update the activity agents in batches to ensure continuity of monitoring.
+:::
+
+
+The selected activity agents are updated to V10.0. If a Netwrix Threat Prevention Agent is also installed on
+the Windows server for monitoring file systems, the Monitored Hosts & Services tab identifies the host as being
+“Managed by Threat Prevention”, and that ‘monitored host’ is not editable. However, multiple outputs
+can be configured for hosts. Add the Windows host to the Monitored Hosts & Services tab to monitor file system
+for outputs to Access Analyzer, Threat Manager, and/or SIEM products.
diff --git a/docs/activitymonitor/10.0/requirements/_category_.json b/docs/activitymonitor/10.0/requirements/_category_.json
new file mode 100644
index 0000000000..8a00596580
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Requirements",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/_category_.json
new file mode 100644
index 0000000000..f16db16af6
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Activity Agent Server Requirements",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "activityagent"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md b/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md
new file mode 100644
index 0000000000..a3109024dd
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md
@@ -0,0 +1,233 @@
+---
+title: "Activity Agent Server Requirements"
+description: "Activity Agent Server Requirements"
+sidebar_position: 10
+---
+
+# Activity Agent Server Requirements
+
+The Activity Agent is installed on Windows servers to monitor Microsoft Entra ID, Network Attached
+Storage (NAS) devices, SharePoint farms, SharePoint Online, SQL Server, and Windows file servers.
+The server where the agent is deployed can be physical or virtual. The supported operating systems
+are:
+
+- Windows Server 2025
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+- Windows Server 2012 R2
+
+**RAM, Processor, and Disk Space**
+
+- RAM – 4 GB minimum
+- Processor – x64. 4+ cores recommended; 2 cores minimum
+- Disk Space – 1 GB minimum plus additional space needed for activity log files
+- Network – a fast low-latency connection to the monitored platforms (file servers, SQL Server),
+ preferably the same data center
+
+:::note
+Disk usage depends on the monitoring scope, user activity, types of client applications,
+and the retention settings. Number of events per user per day may vary from tens to millions. A
+single file system event is roughly 300 bytes.
+:::
+
+
+Old files are zipped, typical compression ratio is 20. Optionally, old files are moved from the
+server to a network share. See the [Archiving Tab](/docs/activitymonitor/10.0/admin/agents/properties/archiving.md) topic
+for additional information.
+
+**Additional Server Requirements**
+
+The following are additional requirements for the agent server:
+
+- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft
+ [.NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2)
+ article
+- WMI enabled on the machine, which is optional but required for centralized Agent maintenance
+- Remote Registry Service enabled
+- For monitoring Dell devices, Dell CEE (Common Event Enabler) installed
+
+**Permissions for Installation**
+
+The following permission is required to install and manage the agent:
+
+- Membership in the local Administrators group
+- READ and WRITE access to the archive location for Archiving feature only
+
+**Activity Agent Ports**
+
+See the [Activity Agent Ports](/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md) topic for firewall port requirements.
+
+## Supported File Storage Platforms
+
+The Activity Monitor provides the ability to monitor Windows and various NAS file servers.
+
+:::note
+For monitoring NAS devices, the Activity Agent must be deployed to a Windows server that acts as a proxy for monitoring the target environment.
+:::
+
+
+**Supported Windows File Servers Platforms**
+
+The Activity Monitor provides the ability to monitor Windows file servers:
+
+:::note
+To monitor a Windows file server, the Activity Agent must be deployed on the server being monitored.
+:::
+
+
+- Windows Server 2025
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+
+See the [Windows File Server Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/windowsfs-activity.md)
+topic for target environment requirements.
+
+
+
+**Azure Files**
+
+
+See [Azure Files Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md) topic for target
+environment requirements.
+
+
+
+**CTERA Edge Filter**
+
+- CTERA Portal 7.5.x+
+- CTERA Edge Filer 7.5.x+
+
+See the [CTERA Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md) topic for target
+environment requirements.
+
+**Dell Celerra® & VNX**
+
+- Celerra 6.0+
+- VNX 7.1
+- VNX 8.1
+
+See the
+[Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md)
+topic for target environment requirements.
+
+**Dell Isilon/PowerScale**
+
+- 7.0+
+
+See the
+[Dell Isilon/PowerScale Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md)
+topic for target environment requirements.
+
+**Dell PowerStore®**
+
+See the [Dell PowerStore Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md)
+topic for target environment requirements.
+
+**Dell Unity**
+
+See the [Dell Unity Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md) topic for
+target environment requirements.
+
+**Hitachi**
+
+- 11.2+
+
+See the [Hitachi Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md) topic for target
+environment requirements.
+
+**Nasuni Nasuni Edge Appliances**
+
+- 8.0+
+
+See the [Nasuni Edge Appliance Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md)
+topic for target environment requirements.
+
+**NetApp Data ONTAP**
+
+- Data ONTAP 8.2+
+- 7-Mode Data ONTAP 7.3+
+
+See the following topics for target environment requirements:
+
+- [NetApp Data ONTAP Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md)
+- [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md)
+
+**Nutanix**
+
+See the [Nutanix Files Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md) topic for
+target environment requirements.
+
+**Panzura**
+
+See the [Panzura CloudFS Monitoring](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/panzura-activity.md) topic for target environment
+requirements.
+
+**Qumulo**
+
+- Qumulo Core 5.0.0.1B+
+
+See the [Qumulo Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md) topic for target
+environment requirements.
+
+## Supported Microsoft Entra ID
+
+The Activity Monitor provides the ability to monitor Microsoft Entra ID:
+
+See the [Microsoft Entra ID Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/entraid-activity.md) topic
+for target environment requirements.
+
+
+## Supported Exchange Online
+
+The Activity Monitor provides the ability to monitor Exchange Online:
+
+See the [Exchange Online Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/exchange-activity.md)
+topic for target environment requirements.
+
+
+## Supported SharePoint Online
+
+The Activity Monitor provides the ability to monitor SharePoint Online:
+
+See the
+[SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md) topic
+for target environment requirements.
+
+## Supported SharePoint On-Premise Platforms
+
+The Activity Monitor provides the ability to monitor SharePoint On-Premise farms:
+
+:::note
+For monitoring a SharePoint farm, the Activity Agent must be deployed to the SharePoint
+Application server that hosts the "Central Administration" component of the SharePoint farm.
+:::
+
+- SharePoint® Server Subscription Edition
+- SharePoint® 2019
+- SharePoint® 2016
+- SharePoint® 2013
+
+See the [SharePoint On-Premise Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-onprem-activity.md)
+topic for target environment requirements.
+
+
+## Supported SQL Server Platforms
+
+The Activity Monitor provides the ability to monitor SQL Server:
+
+:::note
+For monitoring SQL Server, it is recommended to install the Activity Agent must be
+deployed to a Windows server that acts as a proxy for monitoring the target environment.
+:::
+
+
+- SQL Server 2022
+- SQL Server 2019
+- SQL Server 2017
+- SQL Server 2016
+
+See the [SQL Server Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md) topic for
+target environment requirements.
+
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md b/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md
new file mode 100644
index 0000000000..ea3f5e93ba
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md
@@ -0,0 +1,224 @@
+---
+title: "Activity Agent Ports"
+description: "Activity Agent Ports"
+sidebar_position: 10
+---
+
+# Activity Agent Ports
+
+Firewall settings depend on the type of environment being targeted. The following firewall settings
+are required for communication between the Agent server and the Netwrix Activity Monitor Console:
+
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------- | -------- | ----- | ------------------- |
+| Activity Monitor to Agent Server | TCP | 4498 | Agent Communication |
+
+The Windows firewall rules need to be configured on the Windows server, which require certain
+inbound rules be created if the scans are running in applet mode. These scans operate over a default
+port range, which cannot be specified via an inbound rule. For more information, see the Microsoft
+[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx)
+article.
+
+There might be a need for additional ports for the target environment.
+
+## CTERA Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Agent
+and the CTERA Portal.
+
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------------- | -------- | ----- | --------------------- |
+| Agent Server to CTERA Portal | HTTPS | 443 | CTERA Portal API |
+| CTERA Portal to Agent Server | TCP/TLS | 4488 | CTERA Event Reporting |
+
+## Dell Celerra & Dell VNX Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the CEE server/ Activity
+Monitor Activity Agent server and the target Dell device:
+
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
+
+## Dell Isilon/PowerScale Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the CEE server/ Activity
+Monitor Activity Agent server and the target Dell Isilon/PowerScale device:
+
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
+| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication |
+| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
+
+## Dell PowerStore Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the CEE server/ Activity
+Monitor Activity Agent server and the target Dell device:
+
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| CEE Server to Activity Agent Server (when not same server)
| TCP | RPC Dynamic Range | CEE Event Data |
+
+## Dell Unity Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the CEE server/ Activity
+Monitor Activity Agent server and the target Dell device:
+
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
+
+## Exchange Online Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target tenant:
+
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- |
+| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API |
+
+## Microsoft Entra ID Tenant Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target tenant:
+
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- |
+| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API |
+
+## Nasuni Edge Appliance Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target Nasuni Edge Appliance:
+
+| Communication Direction | Protocol | Ports | Description |
+| ------------------------------- | ------------- | ----- | ---------------------- |
+|
Agent Server to Nasuni | HTTPS | 8443 | Nasuni API calls |
+| Nasuni to Activity Agent Server | AMQP over TCP | 5671 | Nasuni event reporting |
+
+## NetApp Data ONTAP 7-Mode Device Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target NetApp Data ONTAP 7-Mode device:
+
+| Communication Direction | Protocol | Ports | Description |
+| --------------------------------- | ---------------- | ------------------------------------ | ----------- |
+| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI |
+| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI |
+| Activity Agent Server to NetApp | TCP | 135, 139 Dynamic Range (49152-65535) | RPC |
+| Activity Agent Server to NetApp | TCP | 445 | SMB |
+| Activity Agent Server to NetApp | UDP | 137, 138 | RPC |
+| NetApp to Activity Agent Server | TCP | 135, 139 Dynamic Range (49152-65535) | RPC |
+| NetApp to Activity Agent Server | TCP | 445 | SMB |
+| NetApp to Activity Agent Server | UDP | 137, 138 | RPC |
+
+\*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in
+Activity Monitor.
+
+:::note
+If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode
+device must be configured manually. Also, the External Engine will not reconnect automatically in
+the case of a server reboot or service restart.
+:::
+
+
+## NetApp Data ONTAP Cluster-Mode Device Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target NetApp Data ONTAP Cluster-Mode device:
+
+| Communication Direction | Protocol | Ports | Description |
+| --------------------------------- | ---------------- | ----- | -------------- |
+| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI |
+| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI |
+| NetApp to Activity Agent Server | TCP | 9999 | FPolicy events |
+
+\*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in
+Activity Monitor.
+
+:::note
+If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode
+device must be configured manually. Also, the External Engine will not reconnect automatically in
+the case of a server reboot or service restart.
+:::
+
+
+## Nutanix Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target Nutanix device:
+
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------- | -------- | ----- | ----------------------- |
+| Activity Agent Server to Nutanix | TCP | 9440 | Nutanix API |
+| Nutanix to Activity Agent Server | TCP | 4501 | Nutanix Event Reporting |
+
+Protect the port with a username and password. The credentials will be configured in Nutanix.
+
+## Panzura Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target Panzura device:
+
+| Communication Direction | Protocol | Ports | Description |
+| ------------------------------------------ | ------------- | ----- | ----------------------- |
+| Activity Agent Server to Panzura | HTTPS | 443 | Panzura API |
+| Panzura filers to to Activity Agent Server | AMQP over TCP | 4497 | Panzura Event Reporting |
+
+Protect the port with a username and password. The credentials will be configured in Panzura.
+
+## Qumulo Devices Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target Qumulo device:
+
+| Communication Direction | Protocol | Ports | Description |
+| ------------------------------- | -------- | ----- | ---------------------- |
+| Activity Agent Server to Qumulo | TCP | 8000 | Qumulo API |
+| Qumulo to Activity Agent Server | TCP | 4496 | Qumulo Event Reporting |
+
+Protect the port with a username and password. The credentials will be configured in Qumulo.
+
+## Azure Files Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target tenant:
+
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- |
+| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Blob Storage |
+
+
+## SharePoint Online Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target tenant:
+
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- |
+| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API |
+
+## SQL Server Additional Firewall Rules
+
+The following firewall settings are required for communication between the Activity Monitor Activity
+Agent server and the target SQL Server:
+
+| Communication Direction | Protocol | Ports | Description |
+| ----------------------------------- | -------- | ----- | ----------------------- |
+| SQL Server to Activity Agent Server | TCP | 1433 | Default SQL Server Port |
+
+If the Activity Monitor cannot connect to the SQL Server, ensure that SQL Server Browsing state is
+**Running**.
+
+## Integration with Netwrix Access Analyzer Additional Firewall Rules
+
+Firewall settings are dependent upon the type of environment being targeted.
The following firewall
+settings are required for communication between the agent server and the Access Analyzer Console:
+
+| Communication Direction | Protocol | Ports | Description |
+| ------------------------------- | -------- | ---------- | ------------------------------ |
+| Access Analyzer to Agent Server | TCP | 445 | SMB, used for Agent Deployment |
+| Access Analyzer to Agent Server | TCP | Predefined | WMI, used for Agent Deployment |
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/entraid-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/entraid-activity.md
new file mode 100644
index 0000000000..17e5aa1972
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/entraid-activity.md
@@ -0,0 +1,225 @@
+---
+title: "Microsoft Entra ID Activity Auditing Configuration"
+description: "Microsoft Entra ID Activity Auditing Configuration"
+sidebar_position: 30
+---
+
+# Microsoft Entra ID Activity Auditing Configuration
+
+It is necessary to register Activity Monitor as a web application to the targeted Microsoft Entra ID
+(formerly Azure AD), in order for Activity Monitor to monitor the environment. This generates the
+Client ID and Client Secret needed by the Activity Agent. See
+[Microsoft Support](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-prerequisites-azure-portal)
+for assistance in configuring the Microsoft Entra ID web application.
+
+:::note
+A user account with the Global Administrator role is required to register an app with
+Microsoft Entra ID.
+:::
+
+
+**Configuration Settings from the Registered Application**
+
+The following settings are needed from your tenant once you have registered the application:
+
+- Tenant ID – This is the Tenant ID for Microsoft Entra ID
+- Client ID – This is the Application (client) ID for the registered application
+- Client Secret – This is the Client Secret Value generated when a new secret is created
+
+ :::warning
+ It is not possible to retrieve the value after saving the new key. It must be
+ copied first.
+ :::
+
+
+## Permissions
+
+The following permissions are required:
+
+- Microsoft Graph API
+
+ - Application Permissions:
+
+ - AuditLog.Read.All – Read all audit log data
+ - Directory.Read.All – Read directory data
+ - User.Read.All – Read all users' full profiles
+
+## Register a Microsoft Entra ID Application
+
+Follow the steps to register Activity Monitor with Microsoft Entra ID.
+
+:::note
+The steps below are for registering an app through the Microsoft Entra admin center. These
+steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft
+documentation for additional information.
+:::
+
+
+**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
+
+**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click App
+registrations.
+
+**Step 3 –** In the top toolbar, click **New registration**.
+
+**Step 4 –** Enter the following information in the Register an application page:
+
+- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor
+ Entra ID
+- Supported account types – Select **Accounts in this organizational directory only**
+- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the drop
+ down menu. In the text box, enter the following:
+
+**Urn:ietf:wg:oauth:2.0:oob**
+
+**Step 5 –** Click **Register**.
+
+The Overview page for the newly registered app opens. Review the newly created registered
+application. Now that the application has been registered, permissions need to be granted to it.
+
+## Grant Permissions to the Registered Application
+
+Follow the steps to set up permissions to enable the Activity Monitor to monitor data and collect
+logs from Microsoft Entra ID.
+
+:::note
+The steps below are for registering an app through the Microsoft Entra admin center. These
+steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft
+documentation for additional information.
+:::
+
+
+**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it
+will be listed in the **Identity** > **Applications** > **App registrations** > **All applications**
+list.
+
+**Step 2 –** On the registered app blade, click **API permissions** in the Manage section.
+
+**Step 3 –** In the top toolbar, click **Add a permission**.
+
+**Step 4 –** On the Request API permissions blade, select **Microsoft Graph** on the Microsoft APIs
+tab.
Select the following permissions:
+
+- Under Application Permissions, select:
+
+ - AuditLog.Read.All – Read all audit log data
+ - Directory.Read.All – Read directory data
+ - User.Read.All – Read all users' full profiles
+
+**Step 5 –** At the bottom of the page, click **Add Permissions**.
+
+**Step 6 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation
+window.
+
+Now that the permissions have been granted to it, the settings required for Activity Monitor need to
+be collected.
+
+## Identify the Client ID
+
+Follow the steps to find the registered application's Client ID.
+
+:::note
+The steps below are for registering an app through the Microsoft Entra admin center. These
+steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft
+documentation for additional information.
+:::
+
+
+**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it
+will be listed in the **Identity** > **Applications** > **App registrations** > **All applications**
+list.
+
+**Step 2 –** Copy the **Application (client) ID** value.
+
+**Step 3 –** Save this value in a text file.
+
+This is needed for adding an Microsoft Entra ID host in the Activity Monitor. Next identify the
+Tenant ID.
+
+## Identify the Tenant ID
+
+The Tenant ID is available in two locations within Microsoft Entra ID.
+
+**Registered Application Overview Blade**
+
+You can copy the Tenant ID from the same page where you just copied the Client ID. Follow the steps
+to copy the Tenant ID from the registered application Overview blade.
+
+**Step 1 –** Copy the Directory (tenant) ID value.
+
+**Step 2 –** Save this value in a text file.
+
+This is needed for adding an Microsoft Entra ID host in the Activity Monitor. Next generate the
+application’s Client Secret Key.
+
+**Overview Page**
+
+Follow the steps to find the tenant name where the registered application resides.
+
+:::note
+The steps below are for registering an app through the Microsoft Entra admin center. These
+steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft
+documentation for additional information.
+:::
+
+
+**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
+
+**Step 2 –** Copy the Tenant ID value.
+
+**Step 3 –** Save this value in a text file.
+
+This is needed for adding an Microsoft Entra ID host in the Activity Monitor. Next generate the
+application’s Client Secret Key.
+
+## Generate the Client Secret Key
+
+Follow the steps to find the registered application's Client Secret, create a new key, and save its
+value when saving the new key.
+
+:::note
+The steps below are for registering an app through the Microsoft Entra admin center. These
+steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft
+documentation for additional information.
+:::
+
+
+:::warning
+It is not possible to retrieve the value after saving the new key. It must be copied
+first.
+:::
+
+
+**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it
+will be listed in the **Identity** > **Applications** > **App registrations** > **All applications**
+list.
+
+**Step 2 –** On the registered app blade, click **Certificates & secrets** in the Manage section.
+
+**Step 3 –** In the top toolbar, click **New client secret**.
+
+**Step 4 –** On the Add a client secret blade, complete the following:
+
+- Description – Enter a unique description for this secret
+- Expires – Select the duration.
+
+ :::note
+ Setting the duration on the key to expire requires reconfiguration at the time of
+ expiration. It is best to configure it to expire in 1 or 2 years.
+ :::
+
+
+**Step 5 –** Click **Add** to generate the key.
+
+:::warning
+If this page is left before the key is copied, then the key is not retrievable, and
+this process will have to be repeated.
+:::
+
+
+**Step 6 –** The Client Secret will be displayed in the Value column of the table. You can use the
+Copy to clipboard button to copy the Client Secret.
+
+**Step 7 –** Save this value in a text file.
+
+This is needed for adding an Microsoft Entra ID in the Activity Monitor.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/exchange-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/exchange-activity.md
new file mode 100644
index 0000000000..e6e51d8d34
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/exchange-activity.md
@@ -0,0 +1,287 @@ +--- +title: "Exchange Online Activity Auditing Configuration" +description: "Exchange Online Activity Auditing Configuration" +sidebar_position: 10 +--- + +# Exchange Online Activity Auditing Configuration + +In order to collect logs and monitor Exchange Online activity using the Netwrix Activity Monitor, it +needs to be registered with Microsoft® Entra ID® (formerly Azure AD). + +:::note +A user account with the Global Administrator role is required to register an app with +Microsoft Entra ID. +::: + + +**Additional Requirement** + +In addition to registering the application with Microsoft Entra ID, the following is required: + +- Enable Auditing for Exchange Online + +See the Enable Auditing for Exchange Online topic for additional information. + +**Configuration Settings from the Registered Application** + +The following settings are needed from your tenant once you have registered the application: + +- Tenant ID – This is the Tenant ID for Microsoft Entra ID +- Client ID – This is the Application (client) ID for the registered application +- Client Secret – This is the Client Secret Value generated when a new secret is created + + :::warning + It is not possible to retrieve the value after saving the new key. It must be + copied first. + ::: + + +**Permissions for Microsoft Graph API** + +- Application: + + - Directory.Read.All – Read directory data + - User.Read.All – Read all users' full profiles + +**Permissions for Office 365 Management APIs** + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +## Register a Microsoft Entra ID Application + +Follow the steps to register Activity Monitor with Microsoft Entra ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. 
See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click App +registrations. + +**Step 3 –** In the top toolbar, click **New registration**. + +**Step 4 –** Enter the following information in the Register an application page: + +- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor + for Exchange +- Supported account types – Select **Accounts in this organizational directory only** +- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the drop + down menu. In the text box, enter the following: + +**urn:ietf:wg:oauth:2.0:oob** + +**Step 5 –** Click **Register**. + +The Overview page for the newly registered app opens. Review the newly created registered +application. Now that the application has been registered, permissions need to be granted to it. + +## Grant Permissions to the Registered Application + +Follow the steps to grant permissions to the registered application. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **API permissions** in the Manage section. + +**Step 3 –** In the top toolbar, click **Add a permission**. + +**Step 4 –** On the Request API permissions blade, select **Microsoft Graph** on the Microsoft APIs +tab. 
Select the following permissions: + +- Application: + + - Directory.Read.All – Read directory data + - User.Read.All – Read all users' full profiles + +**Step 5 –** At the bottom of the page, click **Add Permissions**. + +**Step 6 –** In the top toolbar, click **Add a permission**. + +**Step 7 –** On the Request API permissions blade, select Office 365 Management APIs on the +Microsoft APIs tab. Select the following permissions: + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +**Step 8 –** At the bottom of the page, click **Add Permissions**. + +**Step 9 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation +window. + +Now that the permissions have been granted to it, the settings required for Activity Monitor need to +be collected. + +## Identify the Client ID + +Follow the steps to find the registered application's Client ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** Copy the **Application (client) ID** value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. Next identify the Tenant ID. + +## Identify the Tenant ID + +The Tenant ID is available in two locations within Microsoft Entra ID. 
+ +**Registered Application Overview Blade** + +You can copy the Tenant ID from the same page where you just copied the Client ID. Follow the steps +to copy the Tenant ID from the registered application Overview blade. + +**Step 1 –** Copy the Directory (tenant) ID value. + +**Step 2 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. Next identify the Tenant ID. Next generate the application’s Client Secret +Key. + +**Overview Page** + +Follow the steps to find the tenant name where the registered application resides. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** Copy the Tenant ID value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. Next identify the Tenant ID. Next generate the application’s Client Secret +Key. + +## Generate the Client Secret Key + +Follow the steps to find the registered application's Client Secret, create a new key, and save its +value when saving the new key. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +:::warning +It is not possible to retrieve the value after saving the new key. It must be copied +first. 
+::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **Certificates & secrets** in the Manage section. + +**Step 3 –** In the top toolbar, click **New client secret**. + +**Step 4 –** On the Add a client secret blade, complete the following: + +- Description – Enter a unique description for this secret +- Expires – Select the duration. + + :::note + Setting the duration on the key to expire requires reconfiguration at the time of + expiration. It is best to configure it to expire in 1 or 2 years. + ::: + + +**Step 5 –** Click **Add** to generate the key. + +:::warning +If this page is left before the key is copied, then the key is not retrievable, and +this process will have to be repeated. +::: + + +**Step 6 –** The Client Secret will be displayed in the Value column of the table. You can use the +Copy to clipboard button to copy the Client Secret. + +**Step 7 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. + +## Enable Auditing for Exchange Online + +Follow the steps to enable auditing for Exchange Online so the Activity Monitor can receive events. + +**Step 1 –** In the Microsoft Purview compliance portal at +[https://compliance.microsoft.com](https://compliance.microsoft.com/), go to **Solutions** > +**Audit**. Or, to go directly to the Audit page at +[https://compliance.microsoft.com/auditlogsearch](https://compliance.microsoft.com/auditlogsearch). + +**Step 2 –** If auditing is not turned on for your organization, a banner is displayed prompting you +start recording user and admin activity. 
+
+**Step 3 –** Select the **Start recording** user and **admin activity** banner.
+
+It may take several hours before events appear in the application. The Activity Monitor now has
+Exchange Online auditing enabled as needed to receive events. See the Microsoft
+[Turn auditing on or off](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide)
+article for additional information on enabling or disabling auditing.
+
+**Alternative Verification Method**
+
+Use the following command in Exchange Online PowerShell to verify auditing has been enabled:
+
+```
+Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
+```
+
+A value of **True** for the `UnifiedAuditLogIngestionEnabled` property indicates that auditing is
+turned on.
+
+If auditing is turned off, use either the button on the Audit page or the following command:
+
+```
+Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
+```
+
+Auditing is now enabled. You can rerun the previous command to verify this.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/_category_.json
new file mode 100644
index 0000000000..56d8e89ce6
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/_category_.json
@@ -0,0 +1,6 @@
+{
+ "label": "NAS Device Configuration",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json
new file mode 100644
index 0000000000..99bd0e8259
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Azure Files Activity Auditing Configuration",
+ "position": 5,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "azurefiles-activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md
new file mode 100644
index 0000000000..535265481b
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md
@@ -0,0 +1,207 @@ +--- +title: "Azure Files Activity Auditing Configuration" +description: "Azure Files Activity Auditing Configuration" +sidebar_position: 5 +--- + +# Azure Files Activity Auditing Configuration +Activity Monitor can monitor CIFS activity on Azure Files shares. + +The product uses the native auditing capability of Azure Files, which writes audit data to a separate storage account. +This feature requires manual configuration. + +There are several steps in preparing Azure Files for monitoring: + +1. Enable auditing for storage accounts. +2. Register an application in Azure. +3. Assign permissions and RBAC roles. +4. Configure Activity Monitor. + +## Enable auditing for storage accounts + +Auditing in Azure Files is disabled by default. It must be enabled for each storage account to be monitored. + +![Azure Files auditing](/images/activitymonitor/9.0/config/azure-files/azure-files-audit.webp) + +### Logs storage account +You must provide a storage account for audit data. The audit data is written as blobs named `insight-logs` to that storage account. +It must be a different storage account — it cannot be the same account that hosts Azure Files. + +It is recommended to share such a *logs storage account* among multiple *files storage accounts*. +A single account can store nearly unlimited blobs and up to 5 PB of data, which is more than enough for audit logs. +A shared account also helps stay within the Azure limit of 250–500 accounts per region per subscription. + +However, for security reasons, you may choose to use separate *logs storage accounts* so that activity from different accounts is not mixed in the same blob storage. + +The *logs storage account* must be in the same Azure region as the monitored Azure Files storage account, but it does not need +to be in the same resource group or subscription. 
+ +Because the product does not require historical logs, it is recommended to configure an **Azure Lifecycle Management rule** for this storage account +to control storage volume and cost (not documented here). Otherwise, the data will be stored indefinitely. + +### Diagnostic setting + +To enable auditing, you must enable the Diagnostic Setting for each Azure Files storage account to be monitored. + +This can be done for each storage account individually or in bulk using Azure Policy to set Diagnostic Settings +at the management group, subscription, or resource group scope (not documented here). + +1. Open the storage account in the Microsoft Azure portal. + Navigate to **Monitoring > Diagnostic settings > File**. + +2. Click **Add diagnostic setting** to create a new auditing configuration or open an existing one. + +3. Under the **Logs** section, select **audit**, **StorageRead**, **StorageWrite**, and **StorageDelete**. + You can adjust these categories based on your needs; for example, unselect **StorageRead** if you are not interested in read activity. + +4. Under the **Destination details** section, select **Archive to a storage account**, then choose the storage account prepared in Step 1. + +5. Click **Save** to apply the diagnostic changes. + +:::note +It may take up to 90 minutes for the changes to take effect. +::: + +## Register an application in Azure + +Monitoring of Azure Files requires an application to be registered in the Azure portal, assigning it permissions to access the Graph API and +RBAC roles to access storage accounts. + +:::note +A user account with the **Global Administrator** role is required to register an app and grant admin consent in Microsoft Azure. +::: + +If you already have an application registered for Activity Monitor for Entra ID, SharePoint Online, or Exchange Online, you can reuse that +registration for Azure Files by assigning additional RBAC roles. + +Follow these steps to register the application in Azure. 
+ +### Open Microsoft Azure portal + +- Azure Public – https://portal.azure.com/ +- Azure for US Government GCC – https://portal.azure.com/ +- Azure for US Government GCC High – https://portal.azure.us/ +- Azure for US Government DoD – https://portal.azure.us/ +- Azure Germany – https://portal.microsoftazure.de/ +- Azure China by 21Vianet – https://portal.azure.cn/ + +Use the search box to locate the **App registrations** page, then select **New registration**. + +### Register an application + +1. Specify **Netwrix Activity Monitor** as the application name. +2. Choose **Accounts in this organizational directory only**. +3. Change the type of Redirect URI to **Public client/native (mobile & desktop)**. +4. Specify `urn:ietf:wg:oauth:2.0:oob` as the value. +5. Click **Register**. + +### Copy Application (client) ID and Tenant (directory) ID + +On the **Overview** page, copy the **Application (client) ID** and **Directory (tenant) ID** values and save them for later. + +### Create a new client secret + +1. Open the **Manage > Certificates & secrets** page. +2. Select **New client secret**. +3. Specify a description and an expiration period. +4. On the **Certificates & secrets** page, copy the **Value** of the created secret and save it for later. + +:::note +Be aware of the client secret's expiration date. You'll need to generate a new one before it expires to ensure uninterrupted monitoring. +::: + +:::warning +Make sure you copy the **Value**, not the **Secret ID**. +::: + +### Grant API permissions + +Activity Monitor requires the `User.Read.All` permission to resolve user SIDs in activity events to user names. + +1. Open the **API permissions** page. +2. Select **Add a permission** and add the following to the existing **User.Read**: + **Microsoft Graph** + Type: **Application permissions** + Permission: `User.Read.All` +3. Click **Grant admin consent for [tenant name]**, then confirm when prompted. + This action requires a Global Administrator. 
+ +## Assign Azure RBAC roles for storage accounts + +The registered application requires Azure RBAC role assignments to list storage accounts and read audit data. + +Assign the following roles to the registered application: + +- `Reader` – the management plane role. + Allows enumeration of storage accounts and reading of their settings. + +- `Storage Blob Data Reader` – the data plane role. + Allows reading of audit data from the logs storage account(s). + +You can assign these roles at different levels, which grant access to all storage accounts within the selected scope: + +- **Management group** – grants access to all storage accounts under the management group. +- **Subscription** – grants access to all storage accounts under the subscription. +- **Resource group** – grants access to all storage accounts under the resource group. +- **Storage account** – grants access to the specified storage account only. + +![RBAC Roles Scopes](/images/activitymonitor/9.0/config/azure-files/rbac-roles-scopes.webp) + +Choose the appropriate scope, and then follow these steps: + +1. In the Azure portal, open the target scope resource (management group, subscription, resource group, or storage account). +2. Open the **Access control (IAM)** page. +3. Select **Add > Add role assignment**. +4. Select `Reader` on the **Role** page, and then select **Next**. +5. Select the registered application on the **Members** page, and then select **Review + assign**. +6. Select **Add > Add role assignment** again. +7. Select `Storage Blob Data Reader` on the **Role** page, and then select **Next**. +8. Select the registered application on the **Members** page, and then select **Next**. +9. 
_(Optional)_ Select **Add condition** on the **Conditions** page, change the editor type to **Code**, and enter the following: + + +``` +( + ( + !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) + ) + OR + ( + @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringStartsWith 'insights-logs-' + ) +) +``` + +This condition grants access only to blob containers that store audit data. Access to all other containers is denied. + +10. Select **Review + assign**. + +:::warning +It may take some time for the RBAC assignments to become effective. +::: + +## Configure Activity Monitor + +The last step is adding the Azure Files storage account to Activity Monitor. + +1. On the **Monitored Hosts & Services** page, select **Add Host/Service**. +2. Select the agent that will be monitoring Azure Files, and then select **Next**. +3. Select **Azure Files**, specify the tenant’s domain name, and then select **Next**. +4. On the **Connection** page, specify the Tenant ID (if it was not resolved automatically), Client ID, and Client Secret—values +copied in the previous steps during application registration. +5. Select **Connect**. +The button will verify the connection to Azure, enumerate all storage accounts, and retrieve their settings visible to the registered application. + +:::note +If the product fails to enumerate storage accounts, the RBAC roles were either assigned incorrectly or have not yet become effective. Retry later. +::: + +6. On the **Storage Accounts** page, select the storage accounts to be monitored, and then select **Next**. +7. Complete the wizard by selecting operations and output settings. + +:::info +You can use this wizard multiple times to add newly created storage accounts—already added accounts will be ignored. +::: + +8. Check the status of the added storage accounts on the **Monitored Hosts & Services** page. +Address any audit setting misconfigurations or missing RBAC roles. 
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json
new file mode 100644
index 0000000000..6f60d370f4
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Dell Celerra & Dell VNX Activity Auditing Configuration",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "celerra-vnx-activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md
new file mode 100644
index 0000000000..53551322d8
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md
@@ -0,0 +1,63 @@ +--- +title: "Dell Celerra & Dell VNX Activity Auditing Configuration" +description: "Dell Celerra & Dell VNX Activity Auditing Configuration" +sidebar_position: 20 +--- + +# Dell Celerra & Dell VNX Activity Auditing Configuration + +An Dell Celerra or VNX device can be configured to audit Server Message Block (SMB) protocol access +events. All audit data can be forwarded to the Dell Common Event Enabler (CEE). The Activity Monitor +listens for all events coming through the Dell CEE and translates all relevant information into +entries in the Log files or syslog messages. + +Complete the following checklist prior to configuring the Activity Monitor to monitor the host. +Instructions for each item of the checklist are detailed within the following sections. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment, gather the following: + + - DNS name of Celerra or VNX CIFS share(s) to be monitored + - Data Mover or Virtual Data Mover hosting the share(s) to be monitored + - Account with access to the CLI + - Download the Dell CEE from: + + - [https://www.dell.com/support](https://www.dell.com/support) + +**Checklist Item 2: Install Dell CEE** + +- Dell CEE can be installed on the same Windows server as the Activity Agent, or on a different + server. If it is installed on the same host, the activity agent can configure it automatically. + + :::info + The latest version of Dell CEE is the recommended version to use with the + asynchronous bulk delivery (VCAPS) feature. 
+ ::: + + +- Important: + + - Open MS-RPC ports between the Dell device and the Windows proxy server(s) where the Dell CEE + is installed + - Dell CEE 8.4.2 through Dell CEE 8.6.1 are not supported for use with the VCAPS feature + - Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server + +- See the [Install & Configure Dell CEE](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md) topic for instructions. + +**Checklist Item 3: Dell Device Configuration** + +- Configure the `cepp.conf` file on the Celerra VNX Cluster +- See the + [Connect Data Movers to the Dell CEE Server](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md#connect-data-movers-to-the-dell-cee-server) + topic for instructions. + +**Checklist Item 4: Activity Monitor Configuration** + +- Deploy the Activity Monitor Activity Agent, preferably on the same server where Dell CEE is + installed + + - After activity agent deployment, configure the Dell CEE Options tab of the agent's Properties + window within the Activity Monitor Console + +Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md new file mode 100644 index 0000000000..1e26acd973 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md 
@@ -0,0 +1,207 @@ +--- +title: "Install & Configure Dell CEE" +description: "Install & Configure Dell CEE" +sidebar_position: 10 +--- + +# Install & Configure Dell CEE + +Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix +product. Dell customers have a support account with Dell to access the download. + +:::tip +Remember, the latest version is the recommended version of Dell CEE. +::: + + +:::info +The Dell CEE package can be installed on the Windows server where the Activity +Monitor agent will be deployed (recommended) or on any other Windows or Linux server. +::: + + +Follow the steps to install the Dell CEE. + +**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for +this component. It is recommended to use the most current version. + +**Step 2 –** Follow the instructions in the Dell +[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs) +guide to install and configure the CEE. The installation will add two services to the machine: + +- EMC Checker Service (Display Name: EMC CAVA) +- EMC CEE Monitor (Display Name: EMC CEE Monitor) + +:::info +The latest version of .NET Framework and Dell CEE is recommended to use with the +asynchronous bulk delivery (VCAPS) feature. +::: + + +See the [CEE Debug Logs](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md#cee-debug-logs) section for information on +troubleshooting issues related to Dell CEE. + +After Dell CEE installation is complete, it is necessary to Connect Data Movers to the Dell CEE +Server. + +## Configure Dell Registry Key Settings + +There may be situations when Dell CEE needs to be installed on a different Windows server than the +one where the Activity Monitor activity agent is deployed. 
In those cases it is necessary to +manually set the Dell CEE registry key to forward events. + +**Step 1 –** Open the Registry Editor (run regedit). + +![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp) + +**Step 2 –** Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration** + +**Step 3 –** Right-click on **Enabled** and select Modify. The Edit DWORD Value window opens. + +**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value +window closes. + +**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens. + +**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the +Windows proxy server hosting the Activity Monitor activity agent. Use the following format: + +**StealthAUDIT@[IP ADDRESS]** + +Examples: + +**StealthAUDIT@192.168.30.15** + +**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. + +The Dell CEE registry key is now properly configured to forward event to the Activity Monitor +activity agent. + +## Connect Data Movers to the Dell CEE Server + +The `cepp.conf` file contains information that is necessary to connect the Data Movers to the Dell +CEE server. An administrator must create a configuration file which contains at least one event, one +pool, and one server. All other parameters are optional. The `cepp.conf` file resides on the Data +Mover. + +**Step 1 –** Log into the Dell Celerra or VNX server with an administrator account. The +administrative account should have a $ character in the terminal. + +:::note +Do not use a # charter. +::: + + +**Step 2 –** Create or retrieve the `cepp.conf` file. 
+ +If there is not a `cepp.conf` file on the Data Mover(s), use a text editor to create a new blank +file in the home directory named `cepp.conf`. The following is an example command if using the text +editor 'vi' to create a new blank file: + +**$ vi cepp.conf** + +> If a `cepp.conf` file already exists, it can be retrieved from the Data Movers for modification +> with the following command: + +**$ server_file [DATA_MOVER_NAME] -get cepp.conf cepp.conf** + +**Step 3 –** Configure the `cepp.conf` file. For information on the `cepp.conf` file, see the Dell +[Using the Common Event Enabler for Windows Platforms](https://www.dellemc.com/en-us/collaterals/unauth/technical-guides-support-information/products/storage-3/docu48055.pdf) +guide instructions on how to add parameters or edit the values or existing parameters. + +:::note +The information can be added to the file on one line or separate lines by using a space +and a "\"" at the end of each line, except for the last line and the lines that contain global +options: `cifsserver`, `surveytime`, `ft`, and `msrpcuser`. +::: + + +The Activity Monitor requires the following parameters to be set in the `cepp.conf` file: + +- `pool name= ` + - This should equal the name assigned to the configuration container. This container is composed + of the server(s) IP Address or FQDN where the Dell CEE is installed and where the list of + events to be monitored is located. It can be named as desired but must be a pool name. +- `servers= ` + - This should equal the IP Address or FQDN of the Windows server where the Dell CEE is + installed. If several servers are specified, separate them with the vertical bar (|) or a + colon (:). +- `postevents= ` + - The following events are required (separated with the vertical bar): + `CloseModified|CloseUnmodified|CreateDir|CreateFile|DeleteDir|DeleteFile|RenameDir|RenameFile|SetAclDir|SetAclFile ` + - If "Directory Read/List" operations are needed, append `OpenDir` to the list. 
+- `msrpcuser= ` + + - This should equal the domain account used to run the Dell CEE Monitor and Dell CAVA services + on the Windows server. This parameter is a security measure used to ensure events are only + sent to the appropriate servers. + + All unspecified parameters use the default setting. For most configurations, the default + setting is sufficient. + + Example cepp.conf file format: + +**msrpcuser=[DOMAIN\DOMAINUSER]** + + pool name=[POOL_NAME] \ + +**servers=[IP_ADDRESS1]|[IP_ADDRESS2]|... \** + + postevents=[EVENT1]|[EVENT2]|... + + Example cepp.conf file format for the Activity Monitor: + +**msrpcuser=[DOMAIN\DOMAINUSER running CEE services]** + + pool name=[POOL_NAME for configuration container] \ + +**servers=[IP_ADDRESS where CEE is installed]|... \** + + postevents=[EVENT1]|[EVENT2]|... + + Example of a completed cepp.conf file for the Activity Monitor: + +**msrpcuser=example\user1** + + pool name=pool \ + +**servers=192.168.30.15 \** + + postevents=CloseModified|CloseUnmodified|CreateDir|CreateFile|DeleteDir|DeleteFile|RenameDir|RenameFile|SetAclDir|SetAclFile + +**Step 4 –** Move the `cepp.conf` file to the Data Mover(s) root file system. Run the following +command: + +**$ server_file [DATA_MOVER_NAME]-put cepp.conf cepp.conf** + +:::note +Each Data Mover which runs Celerra Event Publishing Agent (CEPA) must have a `cepp.conf` +file, but each configuration file can specify different events. +::: + + +**Step 5 –** (This step is required only if using the `msrpcuser` parameter) Register the MSRPC user +(see Step 3 for additional information on this parameter). Before starting CEPA for the first time, +the administrator must issue the following command from the Control Station and follow the prompts +for entering information: + +**/nas/sbin/server_user server_2 -add -md5 -passwd [DOMAIN\DOMAINUSER for msrpcuser]** + +**Step 6 –** Start the CEPA facility on the Data Mover. 
Use the following command:
+
+**server_cepp [DATA_MOVER_NAME] -service –start**
+
+Then verify the CEPA status using the following command:
+
+**server_cepp [DATA_MOVER_NAME] -service –status**
+
+Once the `cepp.config` file has been configured, it is time to configure and enable monitoring with
+the Activity Monitor. See the
+[Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor)
+for additional information.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md
new file mode 100644
index 0000000000..cb72c8dacc
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md
@@ -0,0 +1,159 @@ +--- +title: "Validate Setup" +description: "Validate Setup" +sidebar_position: 20 +--- + +# Validate Setup + +Once the Activity Monitor agent is configured to monitor the Dell device, the automated +configuration must be validated to ensure events are being monitored. + +## Validate Dell CEE Registry Key Settings + +:::note +See the +[Configure Dell Registry Key Settings](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md#configure-dell-registry-key-settings) +topic for information on manually setting the registry key. +::: + + +After the Activity Monitor activity agent has been configured to monitor the Dell device, it will +configure the Dell CEE automatically if it is installed on the same server as the agent. This needs +to be set manually in the rare situations where it is necessary for the Dell CEE to be installed on +a different server than the Windows proxy server(s) where the Activity Monitor activity agent is +deployed. + +If the monitoring agent is not registering events, validate that the EndPoint is accurately set. +Open the Registry Editor (run regedit). For the synchronous real-time delivery mode (AUDIT), use the +following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration** + +![registryeditorendpoint](/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp) + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthAUDIT@'ip-address-of-the-agent'` + +- For the HTTP protocol,` StealthAUDIT@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. 
+::: + + +**Step 4 –** If you changed any of the settings, restart the CEE Monitor service. + +**For Asynchronous Bulk Delivery Mode** + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration** + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthVCAPS@'ip-address-of-the-agent'` +- For the HTTP protocol, `StealthVCAPS@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** Ensure that the FeedInterval parameter is set to a value between 60 and 600; the +MaxEventsPerFeed - between 10 and 10000. + +**Step 5 –** If you changed any of the settings, restart the CEE Monitor service. + +Set the following values under the Data column: + +- Enabled – 1 +- EndPoint – StealthAUDIT + +If this is configured correctly, validate that the Dell CEE services are running. See the Validate +Dell CEE Services are Running topic for additional information. + +## Validate Dell CEE Services are Running + +After the Activity Monitor Activity Agent has been configured to monitor the Dell device, the Dell +CEE services should be running. If the Activity Agent is not registering events and the EndPoint is +set accurately, validate that the Dell CEE services are running. Open the Services (run +`services.msc`). 
+ +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +The following services laid down by the Dell CEE installer should have Running as their status: + +- Dell CAVA +- Dell CEE Monitor + +## Dell CEE Debug Logs + +If an issue arises with communication between the Dell CEE and the Activity Monitor, the debug logs +need to be enabled for troubleshooting purposes. Follow the steps. + +**Step 6 –** In the Activity Monitor Console, change the **Trace level** value in the lower right +corner to Trace. + +**Step 7 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Disable monitoring. + +**Step 8 –** Download and install the Debug View tool from Microsoft on the CEE server: + +**> [https://docs.microsoft.com/en-us/sysinternals/downloads/debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview)** + +**Step 9 –** Open the Registry Editor (run regedit). Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration** + +**Step 10 –** Right-click on **Debug** and select Modify. The Edit DWORD Value window opens. In the +Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Debug DWORD Value does not exist, it needs to be added. +::: + + +**Step 11 –** Right-click on **Verbose** and select Modify. The Edit DWORD Value window opens. In +the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Verbose DWORD Value does not exist, it needs to be added. +::: + + +**Step 12 –** Run the Debug View tool (from Microsoft). In the Capture menu, select the following: + +- Capture Win32 +- Capture Global Win32 +- Capture Events + +**Step 13 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Enable monitoring. + +**Step 14 –** Generate some file activity on the Dell device. 
Save the Debug View Log to a file. + +**Step 15 –** Send the following logs to [Netwrix Support](https://www.netwrix.com/support.html): + +- Debug View Log (from Dell Debug View tool) +- Use the **Collect Logs** button to collect debug logs from the activity agent + +:::info +After the logs have been gathered and sent to Netwrix Support, reset these +configurations. + +::: diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md new file mode 100644 index 0000000000..e3adc627c7 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md 
@@ -0,0 +1,189 @@ +--- +title: "CTERA Activity Auditing Configuration" +description: "CTERA Activity Auditing Configuration" +sidebar_position: 10 +--- + +# CTERA Activity Auditing Configuration + +The Netwrix Activity Monitor can be configured to monitor file system activity on CTERA Edge Filer +appliances. + +The monitoring process relies on the SMB auditing feature of the CTERA Edge Filer. A local audit log +file is generated by each Edge Filer and audit events from these files are collected by the CTERA +Portal. The CTERA Portal forwards the events from the Edge Filers to the Activity Monitor Agent +through the Messaging and Syslog services. + +![Monitoring Process -CTERA Portal](/images/activitymonitor/9.0/config/ctera/cterasyslogmsg.webp) + +To prepare CTERA for monitoring: + +- Provision an account. +- Enable auditing on the CTERA Edge Filer. +- Enable Messaging and Edge Filer Syslog services on the CTERA Portal. + +## Provision Account + +Netwrix Activity Monitor uses the CTERA Portal API to retrieve information about portals, Edge +Filers, their auditing configurations, and optionally to enable syslog forwarding automatically. To +access the API, Activity Monitor requires an account in the CTERA Portal with the **Read Only +Administrator** role. + +**Step 1 –** Log in to the CTERA Portal web interface. In the global administration view, select +**Users** > **Administrators**. + +**Step 2 –** Click New Admin, specify a username, password, email, and the **Read Only +Administrator** role. + +This credential will then be used when configuring the Activity Monitor Agent to monitor the CTERA +portal. + +## Enable Auditing on CTERA Edge Filer + +The CTERA Edge Filer can generate audit log events for the SMB access. Audit events are stored in a +local file and then forwarded to the CTERA Portal for further processing. The audit log is disabled +by default and must be enabled. + +Follow the steps to enable SMB audit logs. 
+ +**Step 1 –** Log in to the Edge Filer web interface. In the Configuration view, select **Logs** > +**Audit Logs**. + +**Step 2 –** Select the **Enable CIFS/SMB Audit Logs** option. + +**Step 3 –** Specify a share to save the audit logs in the Save log files option. If a share does +not exist, create a new one first. + +:::note +CTERA recommends that SMB Audit logging is saved to a folder that is local on the Edge +Filer and not synced to the cloud. For example, in the root of vol1, which can then be used to +create a share. +::: + + +**Step 4 –** Adjust the **Keep closed files for** parameter. Otherwise, use the default value. + +**Step 5 –** Check all events except the **Read Extended Attributes** event in Events to log list. +If you do not require monitoring of _Directory Read/List_ operations, which typically generate a +high volume of data, uncheck the **List Folder Read Data** event. + +**Step 6 –** Make sure that **Log permission changes in human readable format** is unchecked. + +**Step 7 –** Click **Save**. + +To verify that the auditing is enabled, generate some file activity and check the share specified in +**Step 3**. An audit log should be created in `audit.log.dir/audit.log`. + +See the [Auditing SMB File Access](https://kb.ctera.com/docs/auditing-smb-file-access-5) article in +the CTERA Edge Filer Administrator Guide for additional information. + +## Enable Services on CTERA Portal + +The following services must be enabled and configured on the CTERA Portal: + +- CTERA Messaging Service -– Enables sending notifications to various consumers, including the + Edge Filer Syslog service. +- CTERA Edge Filer Syslog Service – Consolidates audit events from Edge Filers and sends them to the + Activity Monitor Agent and other consumers. + +Both services are disabled by default and must be enabled. The Messaging service must be enabled +first. 
+ +### Enable the Messaging Service + +See the +[Managing the CTERA Messaging Service](https://kb.ctera.com/docs/managing-the-ctera-messaging-service-2) +article in the CTERA Portal Global Administrator Guide for additional information on requirements +and recommendations for production and POC environments. + +**Step 1 –** Before setting up the Messaging Service in the web interface, first initialize the +messaging components with the following CLI command: + +**set /settings/platformServicesSetting/enabled true** + +Initialization takes a few minutes. + +**Step 2 –** Log in to the CTERA Portal web interface. In the global administration view, select +**Services** > **Messaging**. + +**Step 3 –** To add a new messaging server, click **Add Messaging Servers**. Select the servers to +use as messaging servers. Click **Save**. + +:::note +In a production environment, designate three servers as messaging servers. In a small or +test environment, CTERA supports using a single messaging server, typically the main database +server. However, in all other cases, exactly three servers must be assigned as messaging servers. +See the +[Managing the CTERA Messaging Service](https://kb.ctera.com/docs/managing-the-ctera-messaging-service-2) +article for additional information. +::: + + +**Step 4 –** Deploying the messaging service takes a few minutes. The status will change to STARTING +and then to ACTIVE. Wait until the status is ACTIVE before proceeding to the next step. + +:::note +If the status does not change to ACTIVE, the log files need to be collected from +`/usr/local/lib/ctera/work/logs/services` directory. +See the +[CTERA Messaging Service Logs](https://kb.ctera.com/docs/setting-up-the-ctera-messaging-service-2#ctera-messaging-service-logs) +article for additional information. +::: + + +### Enable the Edge Filer Syslog Service + +Ensure the Enable the Messaging Service section is completed before proceeding to enable the Syslog +Service. 
+ +The Edge Filer Syslog Service can be configured in two ways: + +- Automatically by the Activity Monitor using the API from CTERA Portal. +- Manually using the CTERA Portal web interface. + +It is recommended to configure the service automatically. With automatic configuration, the Activity +Monitor Agent will apply the settings and perform periodic checks to ensure correctness. To enable +automatic configuration, use the **Enable Edge Filer Syslog auditing** option in the host properties +and specify credentials to access the CTERA Portal API. + +Follow the steps to configure the Edge Filer Syslog Service manually. + +**Step 1 –** Configure monitoring of the CTERA Portal in the Activity Monitor Console. + +**Step 2 –** Add a CTERA host on the Monitored Hosts & Services tab and specify the portal host name, +username, password, and complete the wizard. + +**Step 3 –** Enable the newly added host. + +**Step 4 –** Copy a TLS certificate file, `certca.pem`, from +`%ProgramData%\Netwrix\Activity Monitor\Agent\Data` folder on the agent's server. + +**Step 5 –** Log in to the CTERA Portal web interface. In the global administration view, select +**Services** > **Edge Filer Syslog**. + +**Step 6 –** Click **Add a Server**. + +**Step 7 –** Specify the **FQDN of the agent** or **IP address** in the Addressfield. + +**Step 8 –** Specify 4488 in the Port field. + +:::note +The default port can be changed in the properties of the agent on the CTERA page. +::: + + +**Step 9 –** Change the protocol to **TCP/TLS**. + +**Step 10 –** Click **Server Certificate** > **Select File** to upload the file collected at Step 2. + +**Step 11 –** Click **Save**. + +**Step 12 –** Click **Enable** in the status bar. + +The status will change to STARTING. If the CTERA Portal manages to connect to the Activity Monitor +Agent, the status changes to ACTIVE. If not, review the error message and check **Logs & Alerts** > +**System Log** for details. 
+ +See the +[Managing the Edge Filer Syslog Service](https://kb.ctera.com/docs/managing-the-edge-filer-syslong-service) +article in the CTERA Portal Global Administrator Guide for additional information. diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json new file mode 100644 index 0000000000..c328bb831d --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Hitachi Activity Auditing Configuration", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "hitachi-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md new file mode 100644 index 0000000000..deade0c148 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md 
@@ -0,0 +1,30 @@ +--- +title: "Configure Access to HNAS Audit Logs on Activity Agent Server" +description: "Configure Access to HNAS Audit Logs on Activity Agent Server" +sidebar_position: 20 +--- + +# Configure Access to HNAS Audit Logs on Activity Agent Server + +Follow the steps to configure access to the HNAS audit logs on the Windows server hosting the +Activity Monitor activity agent. + +**Step 1 –** On the Windows computer, go to Run and type `compmgmt.msc`. + +**Step 2 –** In the right-hand panel, select More Actions > Connect to another computer. + +**Step 3 –** In the Select Computer dialog box, enter the IP Address for EVS for HNAS and then click +OK. + +**Step 4 –** In the Computer Management window, go to Computer Management > System tools > Shared +Folders > Shares. + +**Step 5 –** Select the Security tab and click Advanced. + +**Step 6 –** In the Advanced Security Settings dialog box, select the Audit tab. Click Add or Edit +to select the users and groups to be audited and add the desired user or group. + +**Step 7 –** Select All for Type, and Full Control for Basic permissions. + +Once access has been configured on both the Hitachi device and the Activity Agent server, it is time +to configure and enable monitoring with the Activity Monitor Console. diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md new file mode 100644 index 0000000000..58f7a555eb --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md 
@@ -0,0 +1,39 @@ +--- +title: "Configure Audit Logs on HNAS" +description: "Configure Audit Logs on HNAS" +sidebar_position: 10 +--- + +# Configure Audit Logs on HNAS + +Follow the steps to configure access to the HNAS audit logs on the Hitachi device. + +**Step 1 –** Open a browser and enter the IP Address for HNAS in the address bar to launch the +Hitachi Storage Navigator (SN). Enter the username and password. + +**Step 2 –** At the Storage Navigator home page, click File Services. + +**Step 3 –** On the File Services screen, click Enable File Service. + +**Step 4 –** On the Enable File Services screen, verify that the CIFS/Windows service is selected. + +**Step 5 –** On the File Services screen, click File System Security. + +**Step 6 –** Click Switch Mode and set the default file system security mode to Mixed (Windows and +UNIX) for all virtual file systems. + +**Step 7 –** Configure the Hitachi NAS Platform audit policy by returning to the File Services page. + +**Step 8 –** Click File System Audit Policies. + +**Step 9 –** Select the correct EVS and click details for the file system to enable auditing. + +**Step 10 –** In the Access via Unsupported Protocols section, select Allow Access (without +auditing). In the Audit Log section, set the maximum log file size to a value of at least 8 MB. It +is recommended to set it to 16 MB. In the Log roll over policy section, select New. The product does +not support the Wrap policy. Click OK to close. + +Once access has been configured on the Hitachi device, it is necessary to configure access to the +HNAS audit logs on the Windows server. See the +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md) topic for +additional information. 
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md new file mode 100644 index 0000000000..57c227b08d --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md 
@@ -0,0 +1,64 @@ +--- +title: "Hitachi Activity Auditing Configuration" +description: "Hitachi Activity Auditing Configuration" +sidebar_position: 60 +--- + +# Hitachi Activity Auditing Configuration + +The Hitachi NAS (HNAS) server can host multiple Enterprise Virtual Servers (EVS). Each EVS has +multiple file systems. Auditing is enabled and configured per file system. This guide explains how +to enable auditing on an HNAS and to configure the Activity Monitor to monitor activity coming from +the Hitachi device auditing. + +The Activity Monitor does not use the EVS or file system name to connect to HNAS. Therefore, all +that is required of the user for HNAS activity collection is the following: + +- Logs path (UNC) + + - Active Log file name – Active Log File name needs with an `.evt` extension, and it should be + the same as in the HNAS configuration. This is usually `audit.evt`. + +- Credentials to access the HNAS log files + + - The only requirement for the credentials is the ability to read files from the `logs` + directory. + +- A polling interval between log collections (15 seconds by default) + + - The Activity Monitor minimizes IO by remembering a file offset where it stopped reading and + continuing from that offset next time. + +:::warning +The following disclaimer is provided by Hitachi: +::: + + +“Because CIFS defines open and close operations, auditing file system object access performed by +clients using other protocols would be costly in terms of system performance, because each I/O +operation would have to be audited as an open operation. **Therefore, when file system auditing is +enabled, by default, only clients connecting through the CIFS protocol are allowed access to the +file system.** Access by clients using other protocols, like NFS, can, however, be allowed. 
When +such access is allowed, access to file system objects through these protocols is not audited.” + +:::note +File system auditing can be configured to deny access to clients connecting with protocols +that cannot be audited (NFS). Please see the Hitachi +[Server and Cluster Administration Guide](https://support.hds.com/download/epcra/hnas0106.pdf) for +additional information. +::: + + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Hitachi devices. +Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: [Configure Audit Logs on HNAS](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md)** + +Checklist Item 2: +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md) + +**Checklist Item 3: Activity Monitor Configuration** + +- Deploy the Activity Monitor Activity Agent to a Windows proxy server diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json new file mode 100644 index 0000000000..0e292bab7c --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Dell Isilon/PowerScale Activity Auditing Configuration", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "isilon-activity" + } +} \ No newline at end of file 
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md new file mode 100644 index 0000000000..39bfb11e36 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md 
@@ -0,0 +1,82 @@ +--- +title: "Install Dell CEE" +description: "Install Dell CEE" +sidebar_position: 10 +--- + +# Install Dell CEE + +Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix +product. Dell customers have a support account with Dell to access the download. + +:::tip +Remember, the latest version is the recommended version of Dell CEE. +::: + + +:::info +The Dell CEE package can be installed on the Windows server where the Activity +Monitor agent will be deployed (recommended) or on any other Windows or Linux server. +::: + + +Follow the steps to install the Dell CEE. + +**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for +this component. It is recommended to use the most current version. + +**Step 2 –** Follow the instructions in the Dell +[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs) +guide to install and configure the CEE. The installation will add two services to the machine: + +- EMC Checker Service (Display Name: EMC CAVA) +- EMC CEE Monitor (Display Name: EMC CEE Monitor) + +:::info +The latest version of .NET Framework and Dell CEE is recommended to use with the +asynchronous bulk delivery (VCAPS) feature. +::: + + +After installation, open MS-RPC ports between the Dell device and the Dell CEE server. See the +[Dell CEE Debug Logs](validate.md#dell-cee-debug-logs) section for information on troubleshooting +issues related to Dell CEE. + +## Configure Dell Registry Key Settings + +There may be situations when Dell CEE needs to be installed on a different Windows server than the +one where the Activity Monitor activity agent is deployed. In those cases it is necessary to +manually set the Dell CEE registry key to forward events. + +**Step 1 –** Open the Registry Editor (run regedit). 
+ +![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp) + +**Step 2 –** Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration** + +**Step 3 –** Right-click on **Enabled** and select Modify. The Edit DWORD Value window opens. + +**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value +window closes. + +**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens. + +**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the +Windows proxy server hosting the Activity Monitor activity agent. Use the following format: + +**StealthAUDIT@[IP ADDRESS]** + +Examples: + +**StealthAUDIT@192.168.30.15** + +**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. + +The Dell CEE registry key is now properly configured to forward event to the Activity Monitor +activity agent. diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md new file mode 100644 index 0000000000..75ad3013eb --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md 
@@ -0,0 +1,114 @@ +--- +title: "Dell Isilon/PowerScale Activity Auditing Configuration" +description: "Dell Isilon/PowerScale Activity Auditing Configuration" +sidebar_position: 30 +--- + +# Dell Isilon/PowerScale Activity Auditing Configuration + +Dell Isilon/PowerScale can be configured to audit Server Message Block (SMB) and NFS protocol access +events on the Dell Isilon/PowerScale cluster. All audit data can be forwarded to the Dell Common +Event Enabler (CEE). The Activity Monitor listens for all events coming through the Dell CEE and +translates all relevant information into entries in the log files or syslog messages. + +Protocol auditing must be enabled and then configured on a per-access zone basis. For example, all +SMB protocol events on a particular access zone can be audited, while only attempts to delete files +on a different access zone can be audited. + +The audit events are logged and stored on the individual OneFS nodes where the SMB/NFS client +initiated the activity. The stored events are then forwarded by the node to the Dell CEE instance or +concurrently to several instances. At this point, Dell CEE forwards the audit event to a defined +endpoint, such as Activity Monitor agent. + +Complete the following checklist prior to configuring Activity Monitor to monitor the host. +Instructions for each item of the checklist are detailed within the following sections. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment, gather the following: + + - DNS name of Isilon/PowerScale CIFS share(s) to be monitored + - Access Zone(s) containing the CIFS shares to be monitored + - Account with access to the OneFS UI or CLI + - Download the Dell CEE from: + + - [https://www.dell.com/support/home/en-us/](https://www.dell.com/support/home/en-us/) + +:::info +You can achieve higher throughput and fault tolerance by monitoring the +Isilon/PowerScale cluster with more than one pair of Dell CEE and Activity Monitor Agent. 
The +activity will be evenly distributed between the pairs. +::: + + +**Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md)** + +- Dell CEE should be installed on a Windows or a Linux server. + + :::info + Dell CEE can be installed on the same server as the Activity Agent, or on a + different Windows or Linux server. If CEE is installed on the same server, the Activity Agent + can configure it automatically. + ::: + + +- Important: + + - Dell CEE 8.8 is the minimum supported version. It is recommended to use the latest available + version. + - Dell CEE requires .NET Framework 3.5 to be installed on the Windows server + +Checklist Item 3: Configure Auditing on the Dell Isilon/PowerScale Cluster + +- Select method: + + - **_RECOMMENDED:_** Allow the Activity Monitor to configure auditing automatically. + + - Automation completed while the Activity Monitor is configured to monitor the + Isilon/PowerScale device + - Automatically sets CEE Server with the IP Address of the server where CEE is installed + - Automatically sets Storage Cluster Name to exactly match the name known to the Activity + Monitor + - Choose between monitoring all Access Zones or scoping to specific Access Zones + + - [Manually Configure Auditing in OneFS](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md) + + - After configuration, add the Isilon/PowerScale device to be monitored by the Activity + Monitor + +- Important: + + - Value of the **Storage Cluster Name** field must exactly match the name entered for the + monitored host in the Activity Monitor Console. If the Storage Cluster Name cannot be modified + (for example, another 3rd party depends on it), you need to set the Host Aliases parameter in + the Activity Monitor Console. 
Otherwise, if for some reason the Storage Cluster Name must be + left empty, one can list OneFS cluster node names in the Host Aliases. + + - If the Storage Cluster Name is not empty, set the Host Aliases parameter to its value + - If the Storage Cluster Name is empty, set the Host Aliases to a semicolon-separated list + of OneFS node names + + - Include all Access Zones to be monitored in the auditing configuration + - As soon as the first CEE is installed, Isilon/PowerScale will start to send all activity, + including all previous audit events, to the agent. The start time can be modified to exclude + previously recorded audit events to prevent the agent from becoming overloaded with data. It + can be done using OneFS CLI only with isi audit modify command to edit the start time. + + - Start time command: + + ``` + isi audit settings global modify --cee-log-time [Protocol@2021-04-23 14:00:00] + ``` + + - View progress: + + ``` + isi_for_array isi audit progress view + ``` + + - See the Audit log time adjustment section of the Dell + [File System Auditing with Dell PowerScale and Dell Common Event Enabler](https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h12428-wp-best-practice-guide-isilon-file-system-auditing.pdf) + documentation for additional information. + +Checklist Item 4: Configure Dell CEE to Forward Events to the Activity Agent. See the +[Validate Setup](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md) topic for additional information. diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md new file mode 100644 index 0000000000..e9006d0363 --- /dev/null 
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md 
@@ -0,0 +1,90 @@ +--- +title: "Manually Configure Auditing in OneFS" +description: "Manually Configure Auditing in OneFS" +sidebar_position: 20 +--- + +# Manually Configure Auditing in OneFS + +Manual configuration for auditing is optional for newer versions as the Activity Agent can configure +the auditing automatically using the OneFS API. Follow the steps through the OneFS Storage +Administration Console. + +**Step 1 –** Navigate to the **Cluster Management** tab, and select **Auditing**. + +![settings](/images/activitymonitor/9.0/config/dellpowerscale/settings.webp) + +**Step 2 –** In the Settings section, check the Enable Protocol Access Auditing box. + +**Step 3 –** In the Audited Zones section, add at least one zone to be audited. The **System** zone +is typically used. If the CIFS or NFS shares are accessible through different zones on the OneFS +cluster, include all relevant zones. + +Ensure that OneFS collects only events you are interested in. By default, OneFS may monitor things +like directory reads, which can take up a large amount of space. Configuring the OneFS events that +need monitoring is not done through the Activity Monitor console. Configure OneFS event monitoring +using OneFS CLI with the isi audit modify command for each access zone. Enabling monitoring for only +what is needed for the environment will reduce the data load to the agent. + +Activity Monitor monitors the following events: `close_file_modified`, `close_file_unmodified`, +`create_file`, `create_directory`, `delete_file`, `delete_directory`, `rename_file`, +`rename_directory`, `set_security_file`, `set_security_directory`, and `open_directory` (if you want +to monitor Directory List/Read events). + +For each monitored access zone: + +- Use isi audit settings view `isi --zone ZONENAME` to check current settings. 
+- Disable reporting of failure and syslog audit events with: + +**isi audit settings modify --zone ZONENAME --clear-audit-failure --clear-syslog-audit-events** + +- Set the success audit events with: + + isi audit settings modify --zone ZONENAME + --audit-success=close_file_modified,close_file_unmodified,create_file,create_directory,delete_file,delete_directory,rename_file,rename_directory,set_security_file,set_security_directory + +![eventforwarding](/images/activitymonitor/9.0/config/dellpowerscale/eventforwarding.webp) + +**Step 4 –** In the Event Forwarding section, add the CEE Server URI value for the Windows or Linux +server hosting CEE. Use either of the following format: + +- `http://[IP ADDRESS]:[PORT]/cee` + +- `http://[SERVER Name]:[PORT]/cee` + + +:::info +When deploying multiple Dell CEE instances at scale, it is recommended that an +accommodating agent must be configured with each CEE instance. If multiple CEE instances send events +to just one agent, it may create an overflow of data and overload the agent. Distributing the +activity stream into pairs will be the most efficient way of monitoring large data sets at scale. +::: + + +**Step 5 –** Also in the Event Forwarding section, set the **Storage Cluster Name** value. It must +be an exact match to the name which is entered in the Activity Monitor for the **Monitored Host** +list. + +This name is used as a ‘tag’ on all events coming through the CEE. This name must exactly match what +is in the Activity Monitor or it does not recognize the events. + +:::info +Use the CIFS DNS name for Dell OneFS. +::: + + +:::note +To use the Activity Monitor with Access Analyzer for Activity Auditing (FSAC) scans, the +name entered here must exactly match what is used for Access Analyzer as a target host. 
+::: + + +If the Storage Cluster Name cannot be modified (for example, another third-party depends on it), you +need to set the Host Aliases parameter in the Activity Monitor Console: + +- If the Storage Cluster Name is not empty, set the Host Aliases parameter to its value +- If the Storage Cluster Name is empty, set the Host Aliases to a semicolon-separated list of OneFS + node names + +Next, it is time to configure the monitoring agent on the Windows server to monitor the +Isilon/PowerScale device. diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md new file mode 100644 index 0000000000..2bd4def69e --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md 
@@ -0,0 +1,190 @@ +--- +title: "Validate Setup" +description: "Validate Setup" +sidebar_position: 30 +--- + +# Validate Setup + +Once the Activity Monitor agent is configured to monitor the Dell device, the automated +configuration must be validated to ensure events are being monitored. + +## Validate Dell CEE Registry Key Settings + +After the Activity Monitor activity agent has been configured to monitor the Dell device, it will +configure the Dell CEE automatically if it is installed on the same server as the agent. This needs +to be set manually in the rare situations where it is necessary for the Dell CEE to be installed on +a different server than the Windows proxy server(s) where the Activity Monitor activity agent is +deployed. + +If the monitoring agent is not registering events, validate that the EndPoint is accurately set. +Open the Registry Editor (run regedit). For the synchronous real-time delivery mode (AUDIT), use the +following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration** + +![registryeditorendpoint](/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp) + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthAUDIT@'ip-address-of-the-agent'` + +- For the HTTP protocol,` StealthAUDIT@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** If you changed any of the settings, restart the CEE Monitor service. + +**For Asynchronous Bulk Delivery Mode** + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. 
+ +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration** + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthVCAPS@'ip-address-of-the-agent'` +- For the HTTP protocol, `StealthVCAPS@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** Ensure that the FeedInterval parameter is set to a value between 60 and 600; the +MaxEventsPerFeed - between 10 and 10000. + +**Step 5 –** If you changed any of the settings, restart the CEE Monitor service. + +Set the following values under the Data column: + +- Enabled – 1 +- EndPoint – StealthAUDIT + +If this is configured correctly, validate that the Dell CEE services are running. See the Validate +Dell CEE Services are Running topic for additional information. + +## Validate Dell CEE Services are Running + +After the Activity Monitor Activity Agent has been configured to monitor the Dell device, the Dell +CEE services should be running. If the Activity Agent is not registering events and the EndPoint is +set accurately, validate that the Dell CEE services are running. Open the Services (run +`services.msc`). + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +The following services laid down by the Dell CEE installer should have Running as their status: + +- Dell CAVA +- Dell CEE Monitor + +## Dell CEE Debug Logs + +If an issue arises with communication between the Dell CEE and the Activity Monitor, the debug logs +need to be enabled for troubleshooting purposes. Follow the steps. 
+ +**Step 6 –** In the Activity Monitor Console, change the **Trace level** value in the lower right +corner to Trace. + +**Step 7 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Disable monitoring. + +**Step 8 –** Download and install the Debug View tool from Microsoft on the CEE server: + +**> [https://docs.microsoft.com/en-us/sysinternals/downloads/debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview)** + +**Step 9 –** Open the Registry Editor (run regedit). Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration** + +**Step 10 –** Right-click on **Debug** and select Modify. The Edit DWORD Value window opens. In the +Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Debug DWORD Value does not exist, it needs to be added. +::: + + +**Step 11 –** Right-click on **Verbose** and select Modify. The Edit DWORD Value window opens. In +the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Verbose DWORD Value does not exist, it needs to be added. +::: + + +**Step 12 –** Run the Debug View tool (from Microsoft). In the Capture menu, select the following: + +- Capture Win32 +- Capture Global Win32 +- Capture Events + +**Step 13 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Enable monitoring. + +**Step 14 –** Generate some file activity on the Dell device. Save the Debug View Log to a file. + +**Step 15 –** Send the following logs to [Netwrix Support](https://www.netwrix.com/support.html): + +- Debug View Log (from Dell Debug View tool) +- Use the **Collect Logs** button to collect debug logs from the activity agent + +:::info +After the logs have been gathered and sent to Netwrix Support, reset these +configurations. 
+::: + + +## Linux CEE Debug Log + +The debug log is stored in `/opt/CEEPack/emc_cee_svc.log` file. To enable verbose logging set Debug +and Verbose parameters under **Configuration** to 255 and restart the CEE. + +:::note +Debug logs should only be used for troubleshooting purposes. It's recommended to have +Debug Logs disabled by default. +::: + + +... + +```xml + + +100 +255 +10 +10 +20 +255 +12228 + +2 +5 +86400 + + +/opt/CEEPack/ +100 + + + + +__NOTE:__ All protocol strings are case sensitive. +``` diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md new file mode 100644 index 0000000000..a74a220d97 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md 
@@ -0,0 +1,80 @@ +--- +title: "Nasuni Edge Appliance Activity Auditing Configuration" +description: "Nasuni Edge Appliance Activity Auditing Configuration" +sidebar_position: 70 +--- + +# Nasuni Edge Appliance Activity Auditing Configuration + +Generation of an API Access Key is required for Nasuni activity monitoring. The Nasuni Edge +Appliance generates its own audit trail. An API Access Key is used by the Activity Monitor to form a +network connection to the appliance. Nasuni will then stream event data to the activity agent. See +[Nasuni Support Documentation](https://www.nasuni.com/support/) for additional information. + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Nasuni Edge Appliances. +Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: Generate Nasuni API Access Key** + +- Generate an API Access Key for each Nasuni Edge Appliance to be monitored through one of the + following: + + - Nasuni Filer Management Interface + - Nasuni Management Console + +**Checklist Item 2: Activity Monitor Configuration** + +- Deploy the Activity Monitor activity agent to a Windows proxy server + +## Nasuni Filer Management Interface + +Follow the steps to generate a Nasuni API Access Key in the Nasuni Filer Management Interface. + +**Step 1 –** Within the **Configuration** menu, under **USERS & SECURITY**, select API Access Keys. +The API Access Keys page opens. + +**Step 2 –** Click Add API Key button. The Add API Key window opens. + +**Step 3 –** Enter a Name for thekey; for example, the name of the application. + +**Step 4 –** Click Create Key. + +**Step 5 –** In the Successfully Generated API Key window, copy the Key Passcode. + +Both the Key Name and the Key Passcode are required by the Activity Monitor in order to connect to +the Nasuni Edge Appliance. 
Once the API Key has been generated, it is time to configure and enable +monitoring with the Activity Monitor console. + +:::note +Nasuni API key names are case sensitive. When providing them, ensure they are entered in +the exact same case as generated. +::: + + +## Nasuni Management Console + +Follow the steps to generate a Nasuni API Access Key in the Nasuni Management Console. + +**Step 1 –** Click Filers and select API Keys from the menu on the left. The Filer API Access Key +Settings page opens. + +**Step 2 –** Click New API Key button. The Add API Access Key window opens. + +**Step 3 –** From the Filer drop-down menu, select the desired Nasuni Edge Appliance. Then enter a +Name for the key; for example, the name of the application. + +**Step 4 –** Click Add API Key. + +**Step 5 –** A message appears which includes the Key Passcode; copy the Key Passcode. + +Both the Key Name and the Key Passcode are required by the Activity Monitor in order to connect to +the Nasuni Edge Appliance. Once the API Key has been generated, it is time to configure and enable +monitoring with the Activity Monitor console. + +:::note +Nasuni API key names are case sensitive. When providing them, ensure they are entered in +the exact same case as generated. + +::: diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md new file mode 100644 index 0000000000..eff70052ec --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md 
@@ -0,0 +1,43 @@ +--- +title: "Nutanix Files Activity Auditing Configuration" +description: "Nutanix Files Activity Auditing Configuration" +sidebar_position: 100 +--- + +# Nutanix Files Activity Auditing Configuration + +The Netwrix Activity Monitor can be configured to monitor file activity on Nutanix Files devices. + +A user having REST API access must be created on the Nutanix Files server to monitor the files +server using Activity Monitor. Additional configurations are done automatically by Activity Monitor +using the Nutanix API with the help of this user. + +Follow the steps to create a new user account with Nutanix Prism: + +**Step 1 –** Open Nutanix Prism web portal. + +**Step 2 –** Select **File Server** category. In the list of servers, select the server you want to +audit. + +**Step 3 –** Click **Manage roles**. + +**Step 4 –** In the Manage roles dialog box locate the REST API access user section and click **+New +user**. + +![Manage Roles - File Server](/images/activitymonitor/9.0/config/nutanix/activitynutanix.webp) + +**Step 5 –** Enter local user account name and password, then click **Save** to save the settings. + +**Step 6 –** Click **Close** to close the Manage roles dialog box. + +:::note +The user credentials created here are used when adding a Nutanix file server in Activity +Monitor. +::: + + +:::note +Nutanix Files does not report events for activity originating from a server where the +Activity Monitor Agent is installed. + +::: diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json new file mode 100644 index 0000000000..1496020c88 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json 
@@ -0,0 +1,10 @@
+{
+ "label": "NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "ontap-cluster-activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md
new file mode 100644
index 0000000000..6926d8d108
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md
@@ -0,0 +1,191 @@ +--- +title: "Configure Network" +description: "Configure Network" +sidebar_position: 20 +--- + +# Configure Network + +Activity Monitor requires two communication channels for ONTAP monitoring: + +1. ONTAP API – Activity Monitor Agent connects to ONTAP on port 80 (http) or 443 (https) for access + to ONTAP API (ONTAPI/ZAPI or REST API). +2. FPolicy – Data LIFs of the SVM connect to Activity Monitor Agent on port 9999 for FPolicy + notifications. + +The following sections discuss network configuration required to enable API and FPolicy +communication. + +## ONTAP API + +The ONTAP API access is mandatory; without the API access the agent will not be able to receive and +translate events from FPolicy. The agent uses the API to retrieve information about the SVM: CIFS +settings, list of volumes, list of LIFs. Depending on the configuration, the agent can also retrieve +the state of FPolicy to ensure it is enabled; configure FPolicy and register or unregister itself. + +The API access is needed either through the SVM's LIF or through the cluster management LIF with +_vserver tunneling_ feature. If you want to use the vserver tunneling feature, specify the cluster +management LIF's address in the "Management LIF" parameter in the host's settings in the Activity +Monitor. + +Both classic ONTAPI/ZAPI and the new REST API are supported. Starting with ONTAP 9.13.1, the product +uses REST API by default if it is available. HTTP and HTTPS protocols are supported. For HTTPS, two +modes are supported: strict and ignore errors. For the strict mode, the product allows you to +disable the host name validation in case the agent cannot resolve the FQDN of the LIF. + +Enabling the API access varies depending on ONTAP version. The following sections list common steps +on enabling the API access. Please refer to the NetApp documentation for more details. 
+ +### Management-http Service + +Starting with ONTAP 9.6, data LIFs used for HTTPS communication with the Activity Monitor are +required to use a service policy that includes the `management-https` service. This service enables +HTTPS access to the LIF. + +The following examples offer guidance for managing service policies, but may vary depending on the +NetApp environment’s specific configuration and needs. + +**Step 1** – Display LIFs of the SVM. Take note of the _service policy_ name used by the LIF you +want to be used for API access. + +``` +network interface show -vserver [SVM] -instance +``` + +**Step 2** – Check the services included in the SVM service policy + +``` +network interface service-policy show -policy [POLICY_NAME] +``` + +**Step 3** – Add the `management-https` service if it is missing + +``` +set -privilege advanced +network interface service-policy add-service -service management-https -policy [POLICY_NAME] -vserver [SVM] +``` + +Example: + +``` +set -privilege advanced +network interface service-policy add-service -service management-https -policy default-data-files -vserver testserver +``` + +### Firewall Policy + +For ONTAP 9.5 and older, the following commands can be used to either create a new firewall policy +or modify an existing policy if ONTAPI is blocked. 
+ +#### Create New Firewall HTTP Policy + +Use the following commands with the Cluster Management LIF to create a new firewall HTTP policy: + +``` +system services firewall policy clone -policy data -vserver [ADMIN_SVM_NAME] -destination-policy [FIREWALL_POLICY_NAME] -destination-vserver [SVM_NAME] +system services firewall policy create -vserver [SVM_NAME] -policy [FIREWALL_POLICY_NAME] -service http -allow-list [IP_ADDRESS]/[NETMASK], [IP_ADDRESS]/[NETMASK] +``` + +Example: + +``` +system services firewall policy clone -policy data -vserver myontap -destination-policy enterpriseauditorfirewall -destination-vserver testserver +system services firewall policy create -vserver testserver -policy enterpriseauditorfirewall -service http -allow-list 192.168.30.15/32 +``` + +#### Create New Firewall HTTPS Policy + +Use the following commands with the Cluster Management LIF to create a new firewall HTTPS policy: + +``` +system services firewall policy clone -policy data -vserver [ADMIN_SVM_NAME] -destination-policy [FIREWALL_POLICY_NAME] -destination-vserver [SVM_NAME] +system services firewall policy create -vserver [SVM_NAME] -policy [FIREWALL_POLICY_NAME] -service https -allow-list [IP_ADDRESS]/[NETMASK], [IP_ADDRESS]/[NETMASK] +``` + +Example: + +``` +system services firewall policy clone -policy data -vserver myontap -destination-policy enterpriseauditorfirewall -destination-vserver testserver +system services firewall policy create -vserver testserver -policy enterpriseauditorfirewall -service https -allow-list 192.168.30.15/32 +``` + +#### Apply Firewall Policy to SVM Data LIF + +Use the following command to modify an existing firewall policy: + +``` +network interface modify -vserver [SVM_NAME] -lif [DATA LIF NAME] -firewall-policy [FIREWALL_POLICY_NAME] +``` + +Example: + +``` +network interface modify -vserver testserver -lif datal -firewall-policy enterpriseauditorfirewall +``` + +For more information about creating a firewall policy and assigning it to a LIF, 
read the +[Configure firewall policies for LIFs](https://docs.netapp.com/us-en/ontap/networking/configure_firewall_policies_for_lifs.html)[ ](https://docs.netapp.com/us-en/ontap/networking/configure_firewall_policies_for_lifs.html) +article. + +#### Validate Firewall Policy + +Run the following command to validate the firewall policy: + +``` +system services firewall policy show -policy [FIREWALL_POLICY_NAME] -service [HTTP_HTTPS] +``` + +Example: + +``` +system services firewall policy show -policy enterpriseauditorfirewall -service http +``` + +Verify that the output is displayed as follows: + +![validatefirewall](/images/activitymonitor/9.0/config/netappcmode/validatefirewall.webp) + +## FPolicy + +The FPolicy framework enables the collection of audit events on the ONTAP side and their transfer to +the agent(s) via the designated Data LIFs. Each LIF establishes its own connection with one or +several agents and sends notifications as soon as the file transaction occurs. The FPolicy +connection is asynchronous and buffered; both ONTAP and Activity Monitor have techniques in place to +make sure that connections are alive and working. The connection can be secured using TLS with +server or mutual authentication. + +ONTAP cluster nodes connect to the agent on port 9999 by default. The port can be changed in the +agent's settings. The agent adds this port to Windows Firewall exclusions automatically. Please +ensure the port is not blocked by other firewalls between ONTAP and the agent. + +### Data-fpolicy-client Service + +Starting with ONTAP 9.8, each data LIF of the SVM must have the **data-fpolicy-client** service +included in its service-policy configuration. This service enables the FPolicy protocol for the LIF. +Use the following commands to ensure that the service is included. + +**Step 1** – Display LIFs of the SVM. Take note of the _service policy_ name used by the data LIFs. 
+ +``` +network interface show -vserver [SVM] -instance +``` + +**Step 2** – Check the services included in the SVM service policy + +``` +network interface service-policy show -policy [POLICY_NAME] +``` + +**Step 3** – Add the **data-fpolicy-client** service if it is missing + +``` +set -privilege advanced +network interface service-policy add-service -service data-fpolicy-client -policy [POLICY_NAME] -vserver [SVM] +``` + +Example: + +``` +set -privilege advanced +network interface service-policy add-service -service data-fpolicy-client -policy default-data-files -vserver testserver +``` diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md new file mode 100644 index 0000000000..b0ba05a883 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md 
@@ -0,0 +1,937 @@ +--- +title: "Configure FPolicy" +description: "Configure FPolicy" +sidebar_position: 30 +--- + +# Configure FPolicy + +Activity Monitor relies on the NetApp FPolicy framework for monitoring of file access events on +Storage Virtual Machines (SVM). FPolicy needs to be configured for each SVM. + +There are two ways to configure FPolicy: + +- Activity Monitor agent can facilitate the Automatic Configuration of FPolicy for the monitored SVM + using the ONTAP API. This mode is simple, but does not allow you to exclude certain volumes or + shares of the SVM from being monitored. It also requires additional permissions to create and + modify FPolicy. +- Another option is to Manually Configure FPolicy for each SVM. This mode allows you to fine tune + FPolicy by excluding certain volumes or shares from being monitored. It also reduces product + permissions. + +Regardless of the chosen approach for FPolicy configuration, one also needs to perform extra steps +if the FPolicy communication has to be secured with TLS. + +## TLS Authentication Options + +There are two TLS FPolicy Authentication options that can be used: + +- TLS, server authentication – Server only authentication + + - A certificate (Server Certificate) for the Agent server needs to be generated and copied to a + PEM file. The Server Certificate PEM file needs to be saved locally on the Activity Monitor + Console server. + - For manual FPolicy configuration, the Server Certificate needs to be installed on the SVM, and + then server-authentication set. + - For automatic FPolicy configuration, the Activity Monitor manages installation of the Server + Certificate. + +- TLS, mutual authentication – Mutual authentication + + - A certificate (Server Certificate) for the Agent server needs to be generated and copied to a + PEM file. The Server Certificate PEM file needs to be saved locally on the Activity Monitor + Console server. 
+ - A certificate (Client Certificate) for the SVM needs to be copied to a PEM file and saved + locally on the Activity Monitor Console server. + - For manual FPolicy configuration, the Server Certificate needs to be installed on the SVM and + then mutual-authentication set. + - For automatic FPolicy configuration, mutual-authentication set before the configuration + process. The Activity Monitor manages installation of both certificates. + +### Generate Server Certificate + +A certificate (Server Certificate) for the Agent server needs to be generated and copied to a PEM +file. This is required for both of the TLS authentication options. + +The PEM file must contain both Public Key and Private Key parts. A certificate may be self-signed or +issued by a certification authority. Below are the steps for generation of a self-signed certificate +using OpenSSL toolkit. + +Use the following command on the agent server to create the Server Certificate and copy it to a .pem +file: + +``` +openssl.exe req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=[ACTIVITY_AGENT_SERVER_NAME]"  +copy cert.pem+key.pem [CERTIFICATE_FILE_NAME.pem] +del cert.pem key.pem .rnd +``` + +Example: + +``` +openssl.exe req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=testagentserver"  +copy cert.pem+key.pem agentkey.pem +del cert.pem key.pem .rnd +``` + +In this example ` agentkey.pem` would be used as the Server Certificate. Save the Server Certificate +locally on the Activity Monitor Console server. + +### Create PEM File for Client Certificate + +A certificate (Client Certificate) for the SVM needs to be copied to a PEM file. This is required +for the TLS, mutual authentication option. Follow the steps to create the PEM file for the Client +Certificate. 
+ +**Step 1 –** On the SVM , use the following command to show the security certificate details: + +``` +security certificate show -vserver [SVM_NAME] -type server instance +``` + +Example: + +``` +security certificate show -vserver testserver -type server instance +``` + +**Step 2 –** Copy the security certificate details into a text file and copy the public key to a PEM +file. The following variables from security details will be needed to set mutual-authentication +during Part 6 of manual configuration and prior to automatic configuration: + +- SVM +- Common Name +- Certificate Serial +- Public Key Certificate + +**Step 3 –** Copy the value of Public Key Certificate field to a PEM file. The value spans multiple +lines, starts with "`----BEGIN CERTIFICATE-----`" and ends with "`-----END CERTIFICATE-----`". + +The Client Certificate PEM file has been created. + +## Persistent Store + +For ONTAP 9.15.1 and later, enabling the Persistent Store feature is recommended regardless of the +chosen FPolicy configuration approach. The Persistent Store provides resilience and predictable +latency in scenarios such as network delays or bursts of activity events. The feature uses a +dedicated volume for each SVM as a staging buffer before events are sent to the agent. + +Persistent Store requires the following parameters: + +- Volume name – If the volume does not exist, it will be created automatically (recommended). +- Initial volume size – Specifies the starting size of the volume. +- Autosize mode – Options include Off, Grow, or Grow/Shrink. + +The size depends on the time duration for which you want to persist the events and the rate of +events. For example, if you want 30 minutes of events to persist in an SVM with a capacity of 5000 +events per second and the average event record size of 0.6 KB, the required volume size is +`5000 * 30 * 60 * 0.6 KB = 5400000 KB ≈ 5 GB`. + +:::note +To find the approximate event rate, use the FPolicy counter `requests_dispatched_rate`. 
+::: + + +:::note +For the Persistent Store to automatically create a volume, the SVM must have at least one +local tier (aggregate) assigned. +::: + + +To check that the SVM has assigned local tiers, use the following command: + +**vserver show -vserver [SVM_NAME] -fields aggr-list** + +The command shows currently local tiers. If no tiers are assigned, "-" is displayed. + +To assign local tiers to the SVM use the following command: + +**vserver add-aggregates -vserver [SVM_NAME] -aggregates [AGGREGATE_LIST]** + +Example: + +**vserver add-aggregates -vserver testserver -aggregates aggr1,aggr2** + +:::note +This command is available to cluster administrators at the admin privilege level. +::: + + +It is recommended to allow the volume to be created automatically. In this case, the FPolicy +subsystem manages the volume, maintains the directory structure, and protects it from accidental +deletion by marking it as not mountable. + +If you choose to create the volume manually, ensure the following: + +- The volume is not mounted and has no junction point. +- The snapshot policy for the volume is set to none. + +For additional and up-to-date recommendations on volumes for the Persistent Store, refer to the +NetApp documentation. + +## Manually Configure FPolicy + +This section describes how to manually configure FPolicy. Manual configuration of the FPolicy is +recommended if the policy needs to be scoped to monitor select volumes or shares. It is necessary to +create several FPolicy components and then enable the FPolicy. See the sections corresponding to +each part of this list: + +- Part 1: Install Server Certificate on the SVM (only if using TLS authentication) + + - This is only needed if using either of the TLS, … authentication options. + +- Part 2: Create External Engine + + - The External Engine defines how FPolicy makes and manages connections to external FPolicy + servers like Activity Monitor Agent. 
+
+- Part 3: Create FPolicy Events
+
+ - An FPolicy event defines which protocol(s) to monitor and which file access events to monitor.
+
+- Part 4: Create Persistent Store (only if Persistent Store is used. RECOMMENDED)
+
+ - A Persistent Store is used as a temporary on-disk storage before the events are sent to
+ Activity Monitor Agent.
+
+- Part 5: Create FPolicy Policy
+
+ - The FPolicy policy associates the other three FPolicy components and allows for the
+ designation of a privileged FPolicy user
+ - If running the Access Auditing (FSAA), Activity Auditing (FSAC), and/or Sensitive Data
+ Discovery Auditing scans, then this is the user account credential to be added to the Access
+ Analyzer Connection Profile.
+
+- Part 6: Create FPolicy Scope
+
+ - The FPolicy scope creates the filters necessary to perform scans on specific shares or
+ volumes.
+
+- Part 7: Set TLS Authentication (optional)
+
+ - This is only needed if using either of the TLS authentication options.
+
+- Part 8: Enable the FPolicy
+
+ - Once the FPolicy is enabled, the Activity Monitor Agent can be configured to monitor the SVM.
+
+- Part 9: Connect FPolicy Server / Agent to Cluster Node (optional)
+
+ - This is only needed if there is an issue with connection to the Cluster node or for
+ troubleshooting a disconnection issue.
+
+### Part 1: Install Server Certificate on the SVM
+
+If using the TLS authentication options, it is necessary to install the Server Certificate on the
+SVM.
+
+Use the following command to install the Server Certificate:
+
+```
+security certificate install type client-ca -vserver [SVM_NAME]
+```
+
+Example:
+
+```
+security certificate install type client-ca -vserver testserver
+```
+
+The command will ask you to provide a public certificate. Copy the public key from the Server
+Certificate PEM file, i.e. the block starting with "`-----BEGIN CERTIFICATE-----`" and ending with
+"`-----END CERTIFICATE-----`". Paste the block to the terminal window.
+
+#### Validate Part 1: Server Certificate Install
+
+Run the following command to validate the Server Certificate is installed:
+
+```
+security certificate show -vserver [SVM_NAME] -commonname [ACTIVITY_AGENT_SERVER_NAME] -type client-ca instance
+```
+
+Example:
+
+```
+security certificate show -vserver testserver -commonname testagentserver -type client-ca instance
+```
+
+### Part 2: Create External Engine
+
+The External Engine defines how FPolicy makes and manages connections to external FPolicy servers.
+
+IMPORTANT:
+
+- The `-primary-servers` must be the server or servers hosting the Activity Monitor Agent.
+- If intending to use the Activity Monitor with Access Analyzer, then the primary server must also
+ be the proxy server from which the Access Analyzer Access Auditing (FSAC) scans are running, e.g.
+ the Access Analyzer Console server for local mode or the proxy server if running in any of the
+ proxy mode options.
+- The following values are required:
+
+ - `engine-name StealthAUDITEngine`, the names of the external engine object can be customized
+ (see below).
+ - `port 9999`, Port number can be customized, but it is recommended to use 9999.
+ - `extern-engine-type asynchronous`
+ - `ssl-option no-auth`
+ - `send-buffer-size 6291456`, for ONTAP 9.10+ use `send-buffer-size 8388608`
+
+:::warning
+All parameters are case sensitive.
+:::
+
+
+Use the following command to create the external engine:
+
+```
+set -privilege advanced
+vserver fpolicy policy external-engine create -vserver [SVM_NAME] -engine-name StealthAUDITEngine -primary-servers [IP_ADDRESS,…] -port 9999 -extern-engine-type asynchronous -ssl-option no-auth -send-buffer-size 6291456
+```
+
+Example:
+
+```
+set -privilege advanced
+vserver fpolicy policy external-engine create -vserver testserver -engine-name StealthAUDITEngine -primary-servers 192.168.30.15 -port 9999 -extern-engine-type asynchronous -ssl-option no-auth -send-buffer-size 6291456
+```
+
+#### Validate Part 2: External Engine Creation
+
+Run the following command to validate the creation of the external engine:
+
+```
+fpolicy policy external-engine show -vserver [SVM_NAME] -engine-name StealthAUDITEngine -instance
+```
+
+Verify that the output is displayed as follows:
+
+```
+Ontap915::> fpolicy policy external-engine show -vserver svm0 -engine-name StealthAUDITEngine -instance
+  (vserver fpolicy policy external-engine show)
+                                Vserver: svm0
+                                 Engine: StealthAUDITEngine
+                Primary FPolicy Servers: 192.168.11.35
+         Port Number of FPolicy Service: 9999
+              Secondary FPolicy Servers: -
+                   External Engine Type: asynchronous
+  SSL Option for External Communication: no-auth
+             FQDN or Custom Common Name: -
+           Serial Number of Certificate: -
+                  Certificate Authority: -
+          Is Resiliency Feature Enabled: false
+Maximum Notification Retention Duration: 3m
+     Directory for Notification Storage: -
+                 External Engine Format: xml
+```
+
+Relevant NetApp Documentation: To learn more about creating an external engine, please visit the
+NetApp website and read the
+[vserver fpolicy policy external-engine create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-external-engine-create.html)
+article.
+
+### Part 3: Create FPolicy Event
+
+An event defines which protocol to monitor and which file access events to monitor.
+
+IMPORTANT:
+
+- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored.
+- Access Analyzer and the Activity Monitor are capable of monitoring both NFS and CIFS. However, it
+ is necessary to create separate events for each protocol.
+- The following values are required:
+
+ - `event-name`
+
+ - For CIFS shares – ` StealthAUDITScreeningCifs` for successful events;
+ `StealthAUDITScreeningFailedCifs` for failed events.
+ - For NFS shares – `StealthAUDITScreeningNfsV3, StealthAUDITScreeningNfsV4` for successful
+ events; `StealthAUDITScreeningFailedNfsV3, StealthAUDITScreeningFailedNfsV4` for failed
+ events.
+ The names of the event objects can be customized (see Customization of FPolicy Object
+ Names).
+
+ - `volume-operation true`
+ - `protocol` – one of the following `cifs`, `nfsv3`, `nfsv4`
+ - `monitor-fileop-failure` – `true `or `false`, indicates whether failed file operations are
+ reported.
+
+- Limiting the file operations to be monitored is an excellent way to limit the performance impact
+ the FPolicy will have on the NetApp device. The file operations from which to choose are below
+ with additional filter options:
+
+ - `create` – File create operations
+ - `create_dir` – Directory create operations
+ - `close` – File close operations
+
+ - Enable this operation for NFSv4 to capture all read operations
+
+ - `delete` – File delete operations
+ - `delete_dir` – Directory delete operations
+ - `link` – Link operations
+ - `open` – File open operations for CIFS protocol
+
+ - `open-with-delete-intent` – Limits notification to only when an attempt is made to open a
+ file with the intent to delete it, according to the `FILE_DELETE_ON_CLOSE` flag
+ specification
+
+ :::note
+ File open operations are only supported with the `open-with-delete-intent`
+ filter applied.
+ :::
+
+
+ - `read` – File read operations
+
+ - `first-read` – Limits notification to only first read operations for CIFS protocol. For
+ ONTAP 9.2+, this filter can be used for both CIFS and NFS protocols.
+
+ - `rename`– File rename operations
+ - `rename_dir`– Directory rename operations
+ - `setattr` – Set attribute operations and permission changes. The following filters are
+ available for ONTAP 9.0+ to limit events to permission changes only:
+
+ - CIFS:
+
+ - `setattr-with-owner-change`
+ - `setattr-with-group-change`
+ - `setattr-with-sacl-change`
+ - `setattr-with-dacl-change`
+
+ - NFSv3:
+
+ - `setattr-with-owner-change`
+ - `setattr-with-group-change`
+ - `setattr-with-mode-change`
+
+ - NFSv4:
+
+ - `setattr-with-owner-change`
+ - `setattr-with-group-change`
+ - `setattr-with-mode-change`
+ - `setattr-with-sacl-change`
+ - `setattr-with-dacl-change`
+
+ - `symlink` – Symbolic link operations
+ - `write` – File write operations
+
+ - `first-write` – Limits notification to only first write operations for CIFS protocol. For
+ ONTAP 9.2+, this filter can be used for both CIFS and NFS protocols.
+
+- For failed/denied events, the list of supported file operations is limited to the following
+ values:
+
+ - CIFS: `open`
+ - NFSv3:
+ `create, create_dir, read, write, delete, delete_dir, rename, rename_dir, setattr, link`
+ - NFSv4:
+ `open, create, create_dir, read, write, delete, delete_dir, rename, rename_dir, setattr, link`
+
+:::warning
+All parameters are case sensitive.
+:::
+
+
+Use the following command to create the FPolicy event for CIFS protocols:
+
+```
+vserver fpolicy policy event create -vserver [SVM_NAME] -event-name StealthAUDITScreeningCifs -volume-operation true -protocol cifs -file-operations [COMMA_SEPARATED_FILE_OPERATIONS] -filters [COMMA_SEPARATED_FILTERS]
+```
+
+Example:
+
+```
+vserver fpolicy policy event create -vserver testserver -event-name StealthAUDITScreeningCifs -volume-operation true -protocol cifs -file-operations create,create_dir,delete,delete_dir,open,read,write,rename,rename_dir,setattr -filters first-read,first-write,open-with-delete-intent,setattr-with-owner-change,setattr-with-group-change,setattr-with-sacl-change,setattr-with-dacl-change
+```
+
+Use the following command to create the FPolicy event for NFSv3 protocols:
+
+```
+vserver fpolicy policy event create -vserver [SVM_NAME] -event-name StealthAUDITScreeningNfsV3 -volume-operation true -protocol nfsv3 -file-operations [COMMA_SEPARATED_FILE_OPERATIONS] -filters [COMMA_SEPARATED_FILTERS]
+```
+
+Example:
+
+```
+vserver fpolicy policy event create -vserver testserver -event-name StealthAUDITScreeningNfsV3 -volume-operation true -protocol nfsv3 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,link,symlink -filters first-read,first-write,setattr-with-owner-change,setattr-with-group-change,setattr-with-mode-change
+```
+
+Use the following command to create the FPolicy event for NFSv4 protocols:
+
+```
+vserver fpolicy policy event create -vserver [SVM_NAME] -event-name StealthAUDITScreeningNfsV4 -volume-operation true -protocol nfsv4 -file-operations [COMMA_SEPARATED_FILE_OPERATIONS] -filters [COMMA_SEPARATED_FILTERS]
+```
+
+Example:
+
+```
+vserver fpolicy policy event create -vserver testserver -event-name StealthAUDITScreeningNfsV4 -volume-operation true -protocol nfsv4 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,link,symlink,close -filters setattr-with-group-change,setattr-with-mode-change,setattr-with-sacl-change,setattr-with-dacl-change
+```
+
+#### Validate Part 3: FPolicy Event Creation
+
+Run the following command to validate the creation of the FPolicy event:
+
+```
+fpolicy policy event show -vserver [SVM_NAME] -event-name [StealthAUDITScreeningCifs or StealthAUDITScreeningNfsV3 or StealthAUDITScreeningNfsV4 or ...] -instance
+```
+
+Example:
+
+```
+fpolicy policy event show -vserver [SVM_NAME] -event-name StealthAUDITScreeningCifs -instance
+```
+
+Verify that the output is displayed as follows:
+
+```
+Ontap915::> fpolicy policy event show -vserver svm0 -event-name StealthAUDITScreeningCifs
+  (vserver fpolicy policy event show)
+                                 Vserver: svm0
+                                   Event: StealthAUDITScreeningCifs
+                                Protocol: cifs
+                         File Operations: create, create_dir, delete,
+                                          delete_dir, open, read, write,
+                                          rename, rename_dir, setattr
+                                 Filters: first-read, first-write,
+                                          open-with-delete-intent,
+                                          setattr-with-owner-change,
+                                          setattr-with-group-change,
+                                          setattr-with-sacl-change,
+                                          setattr-with-dacl-change,
+                                          setattr-with-mode-change
+     Send Volume Operation Notifications: true
+Send Failed File Operation Notifications: false
+```
+
+Relevant NetApp Documentation: To learn more about creating an event, please visit the NetApp
+website and read the
+[vserver fpolicy policy event create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-event-create.html)
+article.
+
+### Part 4: Create Persistent Store
+
+The Persistent Store provides a temporary on-disk storage for activity events before they are sent
+to Activity Monitor Agent. The Persistent Store is optional but recommended for ONTAP 9.15.1 and
+later versions.
+
+IMPORTANT:
+
+- Persistent Store is supported for ONTAP 9.15.1 and later versions.
+- The SVM used must be the one hosting the CIFS or NFS shares to be monitored.
+- There is no need to use an existing volume. A new volume will be created automatically and managed
+ by the FPolicy subsystem.
+- The volume size depends on the duration for which the events persist and the event rate. For
+ example, if you want 30 minutes of events to persist in an SVM with a capacity of 5000
+ events/second and the average event record size of 0.6 KB, the required volume size is
+ `5000 * 30 * 60 * 0.6 KB = 5400000 KB ≈ 5 GB`.
+- For the Persistent Store to create a volume automatically, at least one local tier (aggregate)
+ must be assigned to the SVM. Use `vserver add-aggregates` to assign local tiers.
+
+ The following values are required:
+
+ - `vserver` – The name of the SVM where you want to create the Persistent Store.
+ - `persistent-store` – The name of the Persistent Store object.
+
+ - The default name is `StealthAUDITPersistentStore`.
+ The names of the event objects can be customized (see Customization of FPolicy Object
+ Names).
+
+ - `volume` – The name of the volume used for event storage.
+
+ - If the volume does not exist, it will be automatically created on an assigned local tier.
+ This is recommended.
+
+ - `size` – The initial size of the volume. The format is `[KB|MB|GB]`.
+
+ The following values are optional:
+
+ - `autosize-mode` – Specifies the auto size behavior for the volume. Options include `off`
+ (default), `grow`, or `grow_shrink`.
+
+:::warning
+All parameters are case sensitive.
+:::
+
+
+Use the following command to create the Persistent Store:
+
+vserver fpolicy persistent-store create -vserver [SVM_NAME] -persistent-store [STORE_NAME] -volume
+[VOLUME_NAME] -size [SIZE] -autosize-mode [AUTOSIZE]
+
+Example:
+
+vserver fpolicy persistent-store create -vserver testserver -persistent-store
+StealthAUDITPersistentStore -volume testserver_ps_vol -size 5GB -autosize-mode grow_shrink
+
+#### Validate Part 4: Create Persistent Store
+
+Run the following command to validate the creation of the Persistent Store:
+
+vserver fpolicy persistent-store show -vserver [SVM_NAME] -persistent-store
+StealthAUDITPersistentStore -instance
+
+Ensure that the output is displayed as follows:
+
+cluster1::> vserver fpolicy persistent-store show -vserver testserver -persistent-store
+StealthAUDITPersistentStore -instance
+ Vserver: testserver
+ Persistent Store Name: StealthAUDITPersistentStore
+ Volume name of the Persistent store: testserver_ps_vol
+ Size of the Persistent Store: 5GB
+ Autosize Mode for the Volume: grow_shrink
+
+Visit the NetApp website and see the
+[vserver fpolicy persistent store create](https://docs.netapp.com/us-en/ontap-cli/vserver-fpolicy-persistent-store-create.html)
+article for additional information about creating a Persistent Store.
+
+### Part 5: Create FPolicy Policy
+
+The FPolicy policy associates the other three FPolicy components and allows for the designation of a
+privileged FPolicy user, or the provisioned FPolicy account. If running the Access Auditing (FSAA),
+Activity Auditing (FSAC), and/or Sensitive Data Discovery Auditing scans in Access Analyzer, then
+this is also the user account credential to be added to the Access Analyzer Connection Profile.
+
+IMPORTANT:
+
+- To monitor both CIFS and NFS protocols, two FPolicy Event were created. Multiple events can be
+ included in the FPolicy policy.
+- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored.
+- The External Engine, FPolicy Event, Persistent Store used in this command must be configuration
+ objects created in the preceding steps.
+
+ The following values are required:
+
+ - `vserver` – The name of SVM.
+ - `policy-name StealthAUDIT` – The name of the policy object can be customized (see
+ Customization of FPolicy Object Names).
+ - `engine` – The name of the External Engine created in Part 2: Create External Engine.
+ - `events` – A list of FPolicy Event objects created in Part 3: Create FPolicy Event.
+ - `persistent-store` – The name of the Persistent Store created in Part 4: Create Persistent
+ Store. Required only if the Persistent Store is used.
+
+ The following values are required for Access Analyzer integration:
+
+ - `privileged-user-name` – Must be a provisioned FPolicy account.
+ - `allow-privileged-access` – Set to yes.
+
+:::warning
+All parameters are case sensitive.
+:::
+
+
+Use the following command to create the FPolicy policy to monitor both CIFS and NFS protocols:
+
+```
+vserver fpolicy policy create -vserver [SVM_NAME] -policy-name StealthAUDIT -events StealthAUDITScreeningCifs,StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER]
+```
+
+Example:
+
+```
+vserver fpolicy policy create -vserver testserver -policy-name StealthAUDIT -events StealthAUDITScreeningCifs,StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name example\user1
+```
+
+Use the following command to create the FPolicy policy to monitor only CIFS protocols:
+
+```
+vserver fpolicy policy create -vserver [SVM_NAME] -policy-name StealthAUDIT -events StealthAUDITScreeningCifs -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER]
+```
+
+Example:
+
+```
+vserver fpolicy policy create -vserver testserver -policy-name StealthAUDIT -events StealthAUDITScreeningCifs -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name example\user1
+```
+
+Use the following command to create the FPolicy policy to monitor only NFS protocols:
+
+```
+vserver fpolicy policy create -vserver [SVM_NAME] -policy-name StealthAUDIT -events StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER]
+```
+
+Example:
+
+```
+vserver fpolicy policy create -vserver testserver -policy-name StealthAUDIT -events StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name example\user1
+```
+
+#### Validate Part 5: FPolicy Policy Creation
+
+Run the following command to validate the creation of the FPolicy policy:
+
+```
+fpolicy policy show -vserver [SVM_NAME] -policy-name StealthAUDIT -instance
+```
+
+```
+Ontap915::> fpolicy policy show -instance
+  (vserver fpolicy policy show)
+                        Vserver: svm0
+                         Policy: StealthAUDIT
+              Events to Monitor: StealthAUDITScreeningCifs,
+                                 StealthAUDITScreeningFailedCifs,
+                                 StealthAUDITScreeningNfsV3,
+                                 StealthAUDITScreeningFailedNfsV3,
+                                 StealthAUDITScreeningNfsV4,
+                                 StealthAUDITScreeningFailedNfsV4
+                 FPolicy Engine: StealthAUDITEngine
+Is Mandatory Screening Required: false
+        Allow Privileged Access: no
+User Name for Privileged Access: -
+    Is Passthrough Read Enabled: false
+          Persistent Store Name: -
+```
+
+Relevant NetApp Documentation: To learn more about creating a policy, please visit the NetApp
+website and read the
+[vserver fpolicy policy create](https://docs.netapp.com/us-en/ontap-cli/vserver-fpolicy-policy-create.html)
+article.
+
+### Part 6: Create FPolicy Scope
+
+The FPolicy scope creates the filters necessary to perform scans on specific shares or volumes. It
+is possible to set the scope to monitor all volumes or all shares by replacing the volume/share name
+variable [SVM_NAME] in the command with an asterisk (\*).
+
+IMPORTANT:
+
+- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored.
+- It is not necessary to specify both volumes and shares. One or the other is sufficient.
+- If you want to monitor everything, set the "`volumes-to-include`" value to "`*`".
+
+Use the following command to create the FPolicy scope by specifying volume(s):
+
+```
+vserver fpolicy policy scope create -vserver [SVM_NAME] -policy-name StealthAUDIT -volumes-to-include [VOLUME_NAME],[VOLUME_NAME]
+```
+
+Example:
+
+```
+vserver fpolicy policy scope create -vserver testserver -policy-name StealthAUDIT -volumes-to-include samplevolume1,samplevolume2
+```
+
+Use the following command to create the FPolicy scope by specifying share(s):
+
+```
+vserver fpolicy policy scope create -vserver [SVM_NAME] -policy-name StealthAUDIT -shares-to-include [SHARE_NAME],[SHARE_NAME]
+```
+
+Example:
+
+```
+vserver fpolicy policy scope create -vserver testserver -policy-name StealthAUDIT -shares-to-include sampleshare1,sampleshare2
+```
+
+#### Validate Part 6: FPolicy Scope Creation
+
+Run the following command to validate the FPolicy scope creation:
+
+```
+fpolicy policy scope show -instance
+```
+
+```
+Ontap915::> fpolicy policy scope show -instance
+  (vserver fpolicy policy scope show)
+                   Vserver: svm0
+                    Policy: StealthAUDIT
+         Shares to Include: *
+         Shares to Exclude: -
+        Volumes to Include: *
+        Volumes to Exclude: -
+Export Policies to Include: *
+Export Policies to Exclude: -
+File Extensions to Include: -
+File Extensions to Exclude: -
+```
+
+Relevant NetApp Documentation: To learn more about creating scope, please visit the NetApp website
+and read the
+[vserver fpolicy policy scope create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-scope-create.html)
+article.
+
+### Part 7: Set TLS Authentication
+
+If using the TLS authentication options, it is necessary to set authentication for the type of
+authentication.
+
+#### Set Server-Authentication
+
+Use the following command to set server-authentication:
+
+```
+vserver fpolicy policy externalengine modify -vserver [SVM_NAME] -engine-name StealthAUDITEngine -ssl-option server-auth
+```
+
+Example:
+
+```
+vserver fpolicy policy externalengine modify -vserver testserver -engine-name StealthAUDITEngine -ssl-option server-auth
+```
+
+#### Set Mutual-Authentication
+
+Use the following command to set mutual-authentication:
+
+```
+vserver fpolicy policy external-engine modify -vserver [SVM_NAME] -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name [COMMON_NAME] -certificate-serial [CERTIFICATE_SERIAL] -certificate-ca [CERTIFICATE_AUTHORITY]
+```
+
+Example:
+
+```
+vserver fpolicy policy external-engine modify -vserver testserver -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name testserver -certificate-serial 461AC46521B31321330EBBE4321AC51D -certificate-ca "VeriSign Universal Root Certification Authority"
+```
+
+#### Validate Mutual-Authentication Is Set
+
+Run the following command to confirm mutual-authentication is set:
+
+```
+vserver fpolicy policy external-engine show -fields ssl-option
+```
+
+### Part 8: Enable the FPolicy
+
+The FPolicy must be enabled before the Activity Monitor Agent can be configured to monitor the SVM.
+
+IMPORTANT:
+
+- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored.
+
+Use the following command to enable the FPolicy:
+
+```
+vserver fpolicy enable -vserver [SVM_NAME] -policy-name StealthAUDIT -sequence-number [INTEGER]
+```
+
+Example:
+
+```
+vserver fpolicy enable -vserver testserver -policy-name StealthAUDIT -sequence-number 10
+```
+
+#### Validate Part 8: FPolicy Enabled
+
+Run the following command to validate the FPolicy scope creation:
+
+```
+vserver fpolicy show
+```
+
+```
+Ontap915::> fpolicy show
+    show                             show-enabled
+    show-engine                      show-passthrough-read-connection
+Ontap915::> fpolicy show
+  (vserver fpolicy show)
+                                      Sequence
+Vserver       Policy Name               Number  Status   Engine
+------------- ----------------------- --------  -------- ---------
+svm0          StealthAUDIT                  10  on       StealthAU
+                                                         DITEngine
+```
+
+Relevant NetApp Documentation: To learn more about enabling a policy, please visit the NetApp
+website and read the
+[vserver fpolicy enable](https://docs.netapp.com/us-en/ontap-cli-9121//vserver-fpolicy-enable.html)
+article.
+
+### Part 9: Connect FPolicy Server / Agent to Cluster Node
+
+Manually connecting the FPolicy server (or Agent server) to the Cluster Node is only needed if there
+is an issue with connection to the Cluster Node or for troubleshooting a disconnection issue.
+
+Use the following command to connect the `StealthAUDITEngine` that belongs to the `StealthAUDIT`
+policy to all Cluster Nodes:
+
+```
+policy engine-connect -vserver [SVM_NAME] -policy-name StealthAUDIT -node *
+```
+
+Example:
+
+```
+policy engine-connect -vserver testserver -policy-name StealthAUDIT -node *
+```
+
+#### Validate Part 9: Connection to Cluster Node
+
+Run the following command to validate connection to the Cluster Node:
+
+```
+fpolicy show-engine -vserver [SVM_NAME] -policy-name StealthAUDIT -node *
+```
+
+```
+Ontap915::> fpolicy show-engine -vserver svm0 -policy-name StealthAUDIT -node *
+  (vserver fpolicy show-engine)
+                                   FPolicy           Server         Server
+Vserver Policy Name   Node         Server            Status         Type
+------- ------------- ------------ ----------------- -------------- -----------
+svm0    StealthAUDIT  Ontap915-01  192.168.11.35     disconnected   primary
+```
+
+## Automatic Configuration of FPolicy
+
+The Activity Monitor can automatically configure FPolicy on the targeted SVM. The FPolicy created
+will monitor file system activity from all volumes and shares of the SVM. This feature can be
+enabled using the **Configure FPolicy. Create or modify FPolicy objects if needed** checkbox on the
+FPolicy page in the monitored host's properties in the Activity Monitor.
+
+Starting ONTAP 9.15.1 and later versions, it is recommended to enable the Persistent Store feature
+that stores events on disk before they are sent to the Activity Monitor Agent. This reduces
+client-side latency and increases resilience during network delays or bursts of activity. To enable
+the Persistent Store, specify a volume name and size on the Persistent Store tab of the FPolicy page
+in the monitored host properties. The volume will be automatically created if it does not already
+exist. See the Persistent Store topic for additional information on the recommended volume size.
+
+If using the TLS, mutual authentication option, you will need to create the PEM file for the Client
+Certification, which is needed during the monitored host configuration in the Activity Monitor. It
+will also be necessary to set mutual authentication on the SVM.
+
+### Set TLS Mutual-Authentication
+
+If using the TLS, mutual authentication options, it is necessary to set authentication.
+
+Use the following command to set mutual-authentication:
+
+```
+vserver fpolicy policy external-engine modify -vserver [SVM_NAME] -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name [COMMON_NAME] -certificate-serial [CERTIFICATE_SERIAL] -certificate-ca [CERTIFICATE_AUTHORITY]
+```
+
+Example:
+
+```
+vserver fpolicy policy external-engine modify -vserver testserver -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name testserver -certificate-serial 461AC46521B31321330EBBE4321AC51D -certificate-ca "VeriSign Universal Root Certification Authority"
+```
+
+#### Validate: Mutual-Authentication
+
+Run the following command to confirm mutual-authentication is set:
+
+```
+vserver fpolicy policy external-engine show -fields ssl-option
+```
+
+## Customization of FPolicy Object Names
+
+Activity Monitor uses the following FPolicy object names by default:
+
+- Policy name – `StealthAUDIT`
+- External Engine name – `StealthAUDITEngine`
+- CIFS Event name – `StealthAUDITScreeningCifs`
+- NFS v3 Event name – `StealthAUDITScreeningNfsV3`
+- NFS v4 Event name – `StealthAUDITScreeningNfsV4`
+- Failed CIFS Event name – `StealthAUDITScreeningFailedCifs`
+- Failed NFS v3 Event name – `StealthAUDITScreeningFailedNfsV3`
+- Failed NFS v4 Event name – `StealthAUDITScreeningFailedNfsV4`
+- Persistent Store name – `StealthAUDITPersistentStore`
+
+These names can be customized in the monitored host's settings in the Activity Monitor. It can be
+useful in two scenarios:
+
+- You want the names to match the company policies;
+- You want to configure FPolicy manually using your custom names, but also want to leverage the
+ "Enable and Connect FPolicy" feature of the Activity Monitor, so that the product ensures that
+ FPolicy stays enabled and connected at all times.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md
new file mode 100644
index 0000000000..d81005b60f
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md
@@ -0,0 +1,229 @@
+---
+title: "NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration"
+description: "NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration"
+sidebar_position: 90
+---
+
+# NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration
+
+The Activity Monitor agent employed to monitor NetApp leverages NetApp ONTAP API, and the NetApp
+FPolicy framework to monitor file system events. This includes both NetApp 7-Mode and Cluster-Mode
+configurations. For more information about FPolicy read the
+[What are the two parts of the FPolicy solution ](https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-54FE1A84-6CF0-447E-9AAE-F43B61CA2138.html)
+article.
+
+Activity Monitor requires two communication channels for ONTAP monitoring:
+
+1. Activity Monitor Agent connects to ONTAP on port 80 or 443 for access to ONTAP API (ONTAPI/ZAPI
+ or REST API).
+2. Data LIFs of the SVM connect to Activity Monitor Agent on port 9999 for FPolicy notifications.
+
+The ONTAP API access is mandatory; without the API access the agent will not be able to receive and
+translate events from FPolicy. Both classic ONTAPI/ZAPI and the new REST API are supported. The
+agent uses the API to retrieve information about the storage virtual machines (SVM): CIFS settings,
+list of volumes, list of LIFs. Depending on the configuration, the agent can also retrieve the state
+of FPolicy to ensure it is enabled; configure FPolicy and register or unregister itself.
+
+The FPolicy framework enables the collection of audit events on the ONTAP side and their transfer to
+the agent(s) via the designated Data LIFs. Each LIF establishes its own connection with one or
+several agents and sends notifications as soon as the file transaction occurs. The FPolicy
+connection is asynchronous and buffered; both ONTAP and Activity Monitor have techniques in place to
+make sure that connections are alive and working. 
The connection can be secured using TLS with +server or mutual authentication. + +FPolicy may have a significant impact on file system throughput, and it is always a best practice to +monitor performance when enabling FPolicy. + +:::info +Create a tailored FPolicy which only collects the desired activity from the +environment to limit the scope and impact. +::: + + +For scale-out and fault tolerance purposes, the product supports a range of deployment options. A +single agent can receive events from multiple SVMs. Or events from a single SVM can be distributed +among multiple agents. Or a set of SVMs can distribute events among a set of agents. The choice +depends on the fault tolerance requirements and the expected event flow. As a rule of thumb, the +_average_ load on a single agent should not exceed 5000 events per second. + +Starting with ONTAP 9.15.1, the FPolicy Persistent Store provides resilience and predictable latency +during scenarios such as network delays or bursts of activity. The feature uses a dedicated volume +for each SVM as a staging buffer before events are sent to the agent. FPolicy will automatically +create a volume if one does not already exist. + +:::info +Enable the Persistent Store feature and allow it to create a volume +automatically. +::: + + +## Configuration Checklist + +Complete the following checklist prior to configuring the activity monitoring of NetApp Data ONTAP +Cluster-Mode devices. Instructions for each item of the checklist are detailed within the following +sections. + +**Checklist Item 1: Plan Deployment** + +- Gather the following information: + + - Names of the SVM(s) to be monitored + + - FPolicy is configured for each SVM separately + - This should be the SVM(s) hosting the CIFS or NFS shares(s) to be monitored + + - Credentials to access ONTAP to provision a role and account. + - Desired functionality level: + + - _Manual_. A user configures FPolicy manually and ensures it stays enabled. 
+ - _Enable and Connect FPolicy_. The product ensures that FPolicy stays enabled and connected + all the time. RECOMMENDED. + - _Configure FPolicy_. The product configures FPolicy automatically and ensures it stays + enabled and connected all the time. RECOMMENDED. + + - Volumes or shares on each SVM to be monitored + + - Limiting the FPolicy to select volumes or shares is an effective way to limit the + performance impact of FPolicy + + - Successful/failed file operations to be monitored + + - Limiting the FPolicy to specific file operations is an effective way to limit the + performance impact of FPolicy + + - IP Address of the server(s) where the Activity Monitor Agent is deployed + - API enabled in ONTAP: the classic ONTAPI/ZAPI or the new REST API + + - The product supports the REST API for ONTAP 9.13.1 and above. + - Volume names and sizes to be used as a Persistent Store for each SVM. This is recommended. + - The product supports the Persistent Store feature for ONTAP 9.15.1 and later. + - At least one local tier (aggregate) is assigned to the SVM. + + - Encryption and Authentication protocol for FPolicy connection + + - No Authentication (default) + - TLS, server authentication (the SVM authenticates the agent) + - TLS, mutual authentication (both the SVM and the agent authenticate each other) + +Persistent Store provides resilience and predictable latency in scenarios such as network delays or +bursts of activity events. + +It uses a dedicated volume for each SVM as a staging buffer before the events are sent to Activity +Monitor Agent. + +**Checklist Item 2: [Provision ONTAP Account](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md)** + +- Permission names depend on the API used, ONTAPI/ZAPI or REST API. +- The case of domain and username created during the account provisioning process must match exactly + to the credentials provided to the activity agent for authentication to work. 
+- The credential associated with the FPolicy used to monitor activity must be provisioned with + access to (at minimum) the following CLI or API commands, according to the level of collection + desired: + + - Manual, Collect Activity Events Only (Least Privilege) + + - ONTAPI/ZAPI + + - `version` – Readonly access + - `volume` – Readonly access + - `vserver` – Readonly access + + - REST API + + - `/api/cluster` – Readonly access + - `/api/protocols/cifs/services` – Readonly access + - `/api/storage/volumes` – Readonly access + - `/api/svm/svms` – Readonly access + + - Employ the “Enable and connect FPolicy” Option (Less Privilege) – RECOMMENDED + + - ONTAPI/ZAPI + + - `version` – Readonly access + - `volume` – Readonly access + - `vserver` – Readonly access + - `network interface` – Readonly access + - `vserver fpolicy disable` – All access + - `vserver fpolicy enable` – All access + - `vserver fpolicy engine-connect` – All access + + - REST API + + - `/api/cluster` – Readonly access + - `/api/protocols/cifs/services` – Readonly access + - `/api/storage/volumes` – Readonly access + - `/api/svm/svms` – Readonly access + - `/api/network/ip/interfaces` – Readonly access + - `/api/protocols/fpolicy` – All access + + - Employ the “Configure FPolicy” Option (Automatic Configuration of FPolicy) – RECOMMENDED + + - ONTAPI/ZAPI + + - `version` – Readonly access + - `volume` – Readonly access + - `vserver` – Readonly access + - `network interface` – Readonly access + - `vserver fpolicy` – All access + - `security certificate install` – All access (only if FPolicy uses a TLS connection) + + - REST API + + - `/api/cluster` – Readonly access + - `/api/protocols/cifs/services` – Readonly access + - `/api/storage/volumes` – Readonly access + - `/api/svm/svms` – Readonly access + - `/api/network/ip/interfaces` – Readonly access + - `/api/protocols/fpolicy` – All access + - `/api/security/certificates` – All access (only if FPolicy uses a TLS connection) + + - Access Analyzer 
Integration requires the addition of the following CLI command: + + - `security login role show-ontapi` – Readonly access + +**Checklist Item 3: [Configure Network](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md)** + +- Agent must be able to connect to ONTAP API via a management LIF on ports HTTP (80) or HTTPS (443) + + - NetApp firewall policy may need to be modified. + - LIF's service policy may need to be modified to include `management-https` or + `management-http` services. + - Either of these ports is required. Activity Monitor requires ONTAP API access. + +- ONTAP cluster nodes, which serve the SVM, must be able to connect to the agent on port 9999. + + - LIFs' service policy may need to be modified to include `data-fpolicy-client` service. + - Each data serving node should have its own LIF with the `data-fpolicy-client` service. + - The default port 9999 can be changed in the agent's settings. + +**Checklist Item 4: [Configure FPolicy](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md)** + +- Remember: all FPolicy objects and SVM names are case sensitive. +- FPolicy must be configured for each SVM to be monitored. +- If using TLS, … authentication options, generate needed certificates and PEM files +- Select method: + + - Configure FPolicy Manually – If you want to exclude certain volumes or shares; a tailored + FPolicy decreases the impact on NetApp. + + - Required when the FPolicy account is provisioned for either Least Privileged or Less + Privilege permission model + - If using TLS, … authentication options, set authentication + + - Allow the Activity Monitor to create an FPolicy automatically + + - If using TLS, … authentication options, set authentication + - This option is enabled using the **Configure FPolicy. Create or modify FPolicy objects if + needed** checkbox for each monitored SVM. 
+ - It monitors file system activity on all volumes and shares of the SVM.
+ - FPolicy configuration is automatically updated to reflect the Activity Monitor
+ configuration.
+ - Requires a Privileged Access credential be provided.
+
+- Enable the Persistent Store to increase the resilience and control the latency in case of network
+ outages or bursts of activity
+
+**Checklist Item 5: Activity Monitor Configuration**
+
+- Deploy the Activity Monitor Agent to a Windows server.
+- Configure the Agent to monitor the SVM.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md
new file mode 100644
index 0000000000..4942af7276
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md
@@ -0,0 +1,397 @@
+---
+title: "Provision ONTAP Account"
+description: "Provision ONTAP Account"
+sidebar_position: 10
+---
+
+# Provision ONTAP Account
+
+This topic describes the steps needed to create a user account with the privileges required to
+connect the Activity Monitor Agent to ONTAP API and to execute the API calls required for activity
+monitoring and configuration.
+
+Provisioning this account is a two part process:
+
+- Part 1: Create Security Role
+- Part 2: Create Security Login
+
+## Part 1: Create Security Role
+
+This section provides instructions for creating an access-control role. An access-control role
+consists of a role name and a set of commands or API endpoints to which the role has access. It also
+includes an access level (none, read-only, or all) and a query that applies to the specified command
+or API endpoint.
+
+The permissions needed depends on the functionality level:
+
+- Least Privileged: ONLY Collect Events – This is the minimal functionality level. A user manually
+ configures FPolicy and ensures that it stays enabled and connected. The product only collects
+ events. This functionality level is not recommended as it requires an additional solution that
+ tracks the state of FPolicy and fixes the problem should ONTAP disconnect or should the policy
+ become disabled.
+- **_RECOMMENDED:_** Less Privileged: Enable/Connect Policy & Collect Events – With this level, the
+ user still performs the initial FPolicy configuration manually. The product tracks the state of
+ FPolicy with periodic checks to ensure it stays enabled and connected all the time.
+- **_RECOMMENDED:_** Automatically Configure the FPolicy – With this full-blown level, no manual
+ configuration is needed. The product performs the initial FPolicy configuration; updates FPolicy
+ to reflect configuration changes; ensures that FPolicy stays enabled and connected all the time. 
+ +No matter which set of permissions you provision, validate the configuration before continuing to +Part 2. See the Validate Part 1: Security Role Configuration topic for additional information. + +If the FPolicy is to be used for both the Activity Monitor and Access Analyzer, the account also +needs to be provisioned with an additional permission. See the Access Analyzer Integration topic for +additional information. + +The commands to create a role and names of permissions depend on the ONTAP API used. The product +supports both the classic ONTAPI/ZAPI and the new REST API. For ONTAPI/ZAPI you need to use +`security login role create` command to create a RBAC access control role. The required commands are +listed in the `cmddirname` parameter. For REST API, use `security login rest-role create` command to +create a REST access control role. The required API endpoint is specified in the `api` parameter. +The following sections provide instructions for both API modes. + +### Least Privileged: ONLY Collect Events + +If the desire is for a least privileged model, the Activity Monitor requires the following +permissions to collect events. 
+ +#### ONTAPI/ZAPI + +- `version` – Readonly access +- `volume` – Readonly access +- `vserver` – Readonly access + +Use the following commands to provision read-only access to all required commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "version" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "volume" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver" -access readonly -query "" -vserver [SVM_NAME]     +``` + +Example: + +``` +security login role create -role enterpriseauditor -cmddirname "version" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditor -cmddirname "volume" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditor -cmddirname "vserver" -access readonly -query "" -vserver testserver +``` + +#### REST API + +- `/api/cluster` – Readonly access +- `/api/protocols/cifs/services` – Readonly access +- `/api/storage/volumes` – Readonly access +- `/api/svm/svms` – Readonly access + +Use the following commands to provision read-only access to all required API endpoints: + +``` +security login rest-role create -role [ROLE_NAME] -api "/api/cluster" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/cifs/services" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/storage/volumes" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/svm/svms" -access readonly -vserver [SVM_NAME] +``` + +Example: + +``` +security login rest-role create -role enterpriseauditorrest -api "/api/cluster" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/cifs/services" -access readonly -vserver testserver +security login rest-role create 
-role enterpriseauditorrest -api "/api/storage/volumes" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" -access readonly -vserver testserver +``` + +:::note +If the FPolicy account is configured with these permissions, it is necessary to manually +configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md) topic for additional +information. +::: + + +### Less Privileged: Enable/Connect FPolicy & Collect Events + +If the desire is for a less privileged model, the Activity Monitor requires the following +permissions to collect events: + +#### ONTAPI/ZAPI + +- `version` – Readonly access +- `volume` – Readonly access +- `vserver` – Readonly access + + `network interface` – Readonly access + +- `vserver fpolicy disable` – All access +- `vserver fpolicy enable` – All access + + :::tip + Remember, this permission permits the Activity Monitor to enable the FPolicy. If the “Enable + and connect FPolicy” option is employed but the permission is not provided, the agent will + encounter “Failed to enable policy” errors, but it will still be able to connect to the FPolicy. + Since this permission model requires a manual configuration of the FPolicy, then the need to + manually enable the FPolicy will be met. 
+ ::: + + +- `vserver fpolicy engine-connect` – All access + +Use the following command to provision access to all required commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "version" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "volume" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "network interface" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy disable" -access all -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy enable" -access all -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy engine-connect" -access all -query "" -vserver [SVM_NAME] +``` + +Example: + +``` +security login role create -role enterpriseauditorrest -cmddirname "version" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "volume" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "network interface" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy disable" -access all -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy enable" -access all -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy engine-connect" -access all -query "" -vserver testserver +``` + +#### REST API + +- `/api/cluster` – Readonly 
access +- `/api/protocols/cifs/services` – Readonly access +- `/api/storage/volumes` – Readonly access +- `/api/svm/svms` – Readonly access +- `/api/network/ip/interfaces` – Readonly access +- `/api/protocols/fpolicy` – All access + +Use the following commands to provision read-only access to all required API endpoints: + +``` +security login rest-role create -role [ROLE_NAME] -api "/api/cluster" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/cifs/services" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/storage/volumes" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/svm/svms" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/network/ip/interfaces" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/fpolicy" -access all -vserver [SVM_NAME] +``` + +Example: + +``` +security login rest-role create -role enterpriseauditorrest -api "/api/cluster" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/cifs/services" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/storage/volumes" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/network/ip/interfaces" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/fpolicy" -access all -vserver testserver +``` + +:::note +If the FPolicy account is configured with these permissions, it is necessary to manually +configure the FPolicy. 
See the [Configure FPolicy](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md) topic for additional +information. +::: + + +### Automatically Configure the FPolicy + +If the desire is for the Activity Monitor to automatically configure the FPolicy, the security role +requires the following permissions: + +#### ONTAPI/ZAPI + +- `version` – Readonly access +- `volume` – Readonly access +- `vserver` – Readonly access + + `network interface` – Readonly access + +- `vserver fpolicy` – All access +- `security certificate install` – All access + + :::tip + Remember, this permission is only needed for FPolicy TLS connections. + ::: + + +Use the following command to provision access to all required commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "version" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "volume" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "network interface" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy" -access all -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "security certificate install" -access all -query "" -vserver [SVM_NAME] +``` + +Example: + +``` +security login role create -role enterpriseauditorrest -cmddirname "version" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "volume" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "network interface" -access 
readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy" -access all -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "security certificate install" -access all -query "" -vserver testserver +``` + +#### REST API + +- `/api/cluster` – Readonly access +- `/api/protocols/cifs/services` – Readonly access +- `/api/storage/volumes` – Readonly access +- `/api/svm/svms` – Readonly access +- `/api/network/ip/interfaces` – Readonly access +- `/api/protocols/fpolicy` – All access +- `/api/security/certificates` – All access + + Remember, this permission is only needed for FPolicy TLS connections. + +Use the following commands to provision access to all required API endpoints: + +``` +security login rest-role create -role [ROLE_NAME] -api "/api/cluster" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/cifs/services" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/storage/volumes" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/svm/svms" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/network/ip/interfaces" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/fpolicy" -access all -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/security/certificates" -access all -vserver [SVM_NAME] +``` + +Example: + +``` +security login rest-role create -role enterpriseauditorrest -api "/api/cluster" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/cifs/services" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/storage/volumes" -access readonly -vserver 
testserver +security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/network/ip/interfaces" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/fpolicy" -access all -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/security/certificates" -access all -vserver testserver +``` + +:::note +If the FPolicy account is configured with these permissions, the Activity Monitor can +automatically configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md) topic for +additional information. +::: + + +### Access Analyzer Integration + +If the desire is for FPolicy to be used with both the Activity Monitor and Access Analyzer, then the +following permission is also required: + +- `security login role show-ontapi` – Readonly access + +Use the following command to provision read-only access to security login role show-ontapi commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "security login role show-ontapi" -access readonly -query "" -vserver [SVM_NAME] +``` + +Example: + +``` +security login role create -role enterpriseauditor -cmddirname "security login role show-ontapi" -access readonly -query "" -vserver testserver +``` + +### Validate Part 1: Security Role Configuration + +For ONTAPI, run the following command to validate the RBAC security role configuration: + +``` +security login role show [ROLE_NAME] +``` + +Example: + +``` +security login role show enterpriseauditor +``` + +Relevant NetApp Documentation: For more information about creating RBAC access control roles, read +the +[security login role create](https://docs.netapp.com/us-en/ontap-cli-9141//security-login-role-create.html) +article. 
+ +For REST API, run the following command to validate the REST security role configuration: + +``` +security login rest-role show [ROLE_NAME] +``` + +Example: + +``` +security login rest-role show enterpriseauditorrest +``` + +For more information about creating REST access control roles, read the +[security login rest-role create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-rest-role-create.html) +article. + +## Part 2: Create Security Login + +Once the access control role has been created, apply it to a domain account. Ensure the following +requirements are met: + +- The SVM used in the following command must be the same SVM used when creating the access control + role in Part 1. +- All parameters are case sensitive. +- It is recommended to use lowercase for both domain and username. The case of domain and username + created during the account provisioning process must match exactly to the credentials provided to + the Activity Monitor activity agent for authentication to work. +- In the `application` parameter, use `ontapi` for the ONTAPI/ZAPI and `http` for the REST API. + +Use the following command to create the security login for the security role created in Part 1: + +#### ONTAPI/ZAPI +``` +security login create -user-or-group-name [DOMAIN\DOMAINUSER] -application ontapi -authentication-method [DOMAIN_OR_PASSWORD_AUTH] -role [ROLE_NAME] -vserver [SVM_NAME] +``` + +Example: +``` +security login create -user-or-group-name example\user1 -application ontapi -authentication-method domain -role enterpriseauditor -vserver testserver +``` + +#### REST API +``` +security login create -user-or-group-name [DOMAIN\DOMAINUSER] -application http -authentication-method [DOMAIN_OR_PASSWORD_AUTH] -role [ROLE_NAME] -vserver [SVM_NAME] +``` +Example: +``` +security login create -user-or-group-name example\user1 -application http -authentication-method domain -role enterpriseauditor -vserver testserver +``` + +Validate this security login was created. 
+
+### Validate Part 2: Security Login Creation
+
+Run the following command to validate security login:
+
+```
+security login show [DOMAIN\DOMAINUSER]
+```
+
+Example:
+
+```
+security login show example\user1
+```
+
+Verify that the output is displayed as follows:
+
+![validatesecuritylogincreation](/images/activitymonitor/9.0/config/netappcmode/validatesecuritylogincreation.webp)
+
+For more information about creating security logins, read the
+[security login create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-create.html)
+article.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json
new file mode 100644
index 0000000000..2ccca62bc8
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "NetApp Data ONTAP 7-Mode Activity Auditing Configuration",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "ontap7-activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md
new file mode 100644
index 0000000000..459c4dd6bc
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md
@@ -0,0 +1,177 @@
+---
+title: "Configure FPolicy"
+description: "Configure FPolicy"
+sidebar_position: 30
+---
+
+# Configure FPolicy
+
+Select a method to configure the FPolicy for NetApp Data ONTAP 7-Mode devices:
+
+:::info
+Manually Configure FPolicy (Recommended Option) – A tailored FPolicy
+:::
+
+
+- If using vFilers the FPolicy must be created on the vFiler, and the Activity Monitor must target
+ the vFiler. This is because FPolicy operates on the affected vFiler. Therefore, when executing
+ these commands on a vFiler, the commands must be run from a vFiler context (e.g. via the vFiler
+ run command).
+- Allow the Activity Monitor to create an FPolicy automatically. See the Automatic Configuration of
+ FPolicy topic for additional information.
+
+ - This option is enabled when the Activity Monitor Activity Agent is configured to monitor the
+ NetApp device on the NetApp FPolicy Configuration page of the Add New Hosts window.
+ - It monitors all file system activity.
+
+## Manually Configure FPolicy (Recommended Option)
+
+This section describes how to manually configure FPolicy. Manual configuration of the FPolicy is
+recommended so that the policy can be scoped. It is necessary to create six FPolicy components and
+then enable the FPolicy. See the sections corresponding to each part of this list:
+
+- Part 1: Create FPolicy
+- Part 2: Set FPolicy Required to Off
+- Part 3: Set FPolicy to Collect Permission Changes
+- Part 4: Set FPolicy to Monitor Alternate Data Streams
+- Part 5: Set FPolicy to Monitor Disconnected Sessions
+- Part 6: Scope FPolicy for Specific Volumes
+- Part 7: Enable FPolicy
+
+If using vFilers the FPolicy must be created on the vFiler, and the Activity Monitor must target the
+vFiler. This is because FPolicy operates on the affected vFiler. Therefore, when executing these
+commands on a vFiler, the commands must be run from a vFiler context (e.g. via the vFiler run
+command).
+
+Relevant NetApp Documentation: To learn more about configuring file policies, please visit the
+NetApp website and read
+[na_fpolicy – configure file policies](https://library.netapp.com/ecmdocs/ECMP1196890/html/man1/na_fpolicy.1.html)
+article.
+
+### Part 1: Create FPolicy
+
+Create the FPolicy on the vFiler.
+
+IMPORTANT:
+
+- The policy should be named "StealthAUDIT"
+- The only supported policy type is "screen" for file screening.
+
+Use the following command to create the FPolicy:
+
+```
+fpolicy create StealthAUDIT screen
+```
+
+### Part 2: Set FPolicy Required to Off
+
+If the `FPolicy Required` value is set to on, user requests are denied if an FPolicy server is not
+available to implement the policy. If it is set to off, user requests are allowed when it is not
+possible to apply the policy to the file because no FPolicy server is available.
+
+IMPORTANT:
+
+- The `FPolicy Required` value should be set to **off**
+
+Use the following command to set the `FPolicy Required` value to off:
+
+```
+fpolicy options StealthAUDIT required off
+```
+
+### Part 3: Set FPolicy to Collect Permission Changes
+
+The cifs_setattr value must be set to on in order for CIFS requests to change file security
+descriptors to be screened by the policy.
+
+IMPORTANT:
+
+- The `cifs_setattr` value must be set to **on**
+
+Use the following command to enable the FPolicy to collect permission changes:
+
+```
+fpolicy options StealthAUDIT cifs_setattr on
+```
+
+### Part 4: Set FPolicy to Monitor Alternate Data Streams
+
+The monitor_ads value must be set to on in order for CIFS requests for alternate data streams (ADS)
+to be monitored by the policy.
+
+IMPORTANT:
+
+- The `monitor_ads` value must be set to **on**
+
+Use the following command to enable the FPolicy to monitor ADS:
+
+```
+fpolicy options StealthAUDIT monitor_ads on
+```
+
+### Part 5: Set FPolicy to Monitor Disconnected Sessions
+
+The cifs_disconnect_check value must be set to on in order for CIFS requests associated with
+disconnected sessions to be monitored by the policy.
+
+IMPORTANT:
+
+- The `cifs_disconnect_check` value must be set to **on**
+
+Use the following command to enable the FPolicy to monitor disconnected sessions:
+
+```
+fpolicy options StealthAUDIT cifs_disconnect_check on
+```
+
+### Part 6: Scope FPolicy for Specific Volumes
+
+The FPolicy can be scoped either to monitor only specified volumes (inclusion) or to not monitor
+specific volumes (exclusion).
+
+IMPORTANT:
+
+- Choose to scope by including or excluding volumes
+
+Use the following command to scope the FPolicy by volume:
+
+```
+fpolicy -volume [INCLUDE OR EXCLUSION] -add StealthAUDIT [VOLUME_NAME],[VOLUME_NAME]
+```
+
+Inclusion Example:
+
+```
+fpolicy -volume include -add StealthAUDIT samplevolume1,samplevolume2
+```
+
+Exclusion Example:
+
+```
+fpolicy -volume exclusion -add StealthAUDIT samplevolume1,samplevolume2
+```
+
+### Part 7: Enable FPolicy
+
+The FPolicy must be enabled before the Activity Monitor Activity Agent can be configured to monitor
+the NetApp device.
+
+IMPORTANT:
+
+- The Activity Monitor must register with the NetApp device as an FPolicy server. By default, it
+ looks for a policy named `StealthAUDIT`. See the
+ [Customize FPolicy Policy Name](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md) section for information on using a different
+ policy name.
+
+Use the following command to enable the FPolicy to monitor disconnected sessions:
+
+```
+fpolicy enable StealthAUDIT
+```
+
+## Automatic Configuration of FPolicy
+
+The Activity Monitor can automatically configure FPolicy on the targeted NetApp Data ONTAP 7-Mode
+device. The FPolicy created monitors all file system activity. This is done when the NetApp device
+is assigned to the agent for monitoring. This option is enabled on the NetApp FPolicy Configuration
+page of the Add New Host window.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md
new file mode 100644
index 0000000000..52ede5e022
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md
@@ -0,0 +1,10 @@
+---
+title: "Customize FPolicy Policy Name"
+description: "Customize FPolicy Policy Name"
+sidebar_position: 40
+---
+
+# Customize FPolicy Policy Name
+
+There may be situations when FPolicy needs to be named something other than StealthAUDIT.
+Use **Host properties > FPolicy > Customize FPolicy** page to change the FPolicy object names.
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md
new file mode 100644
index 0000000000..2cdbc8a4ce
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md
@@ -0,0 +1,35 @@
+---
+title: "Enable HTTP or HTTPS"
+description: "Enable HTTP or HTTPS"
+sidebar_position: 20
+---
+
+# Enable HTTP or HTTPS
+
+The Activity Monitor Activity Agent must be able to send ONTAPI calls to the vFiler’s data LIF over
+HTTP or HTTPS. The following commands will enable the HTTP or HTTPS communication between the vFiler
+and the Activity Monitor.
+
+Use the following command to enable HTTP:
+
+```
+options httpd.admin.enable on
+```
+
+Check HTTP Status:
+
+```
+options httpd.admin.enable
+```
+
+Use the following command to enable HTTPS:
+
+```
+options httpd.admin.ssl.enable on
+```
+
+Check HTTP Status:
+
+```
+options httpd.admin.ssl.enable
+```
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md
new file mode 100644
index 0000000000..50b6f54b21
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md
@@ -0,0 +1,108 @@
+---
+title: "NetApp Data ONTAP 7-Mode Activity Auditing Configuration"
+description: "NetApp Data ONTAP 7-Mode Activity Auditing Configuration"
+sidebar_position: 80
+---
+
+# NetApp Data ONTAP 7-Mode Activity Auditing Configuration
+
+The Activity Monitor agent employed to monitor NetApp leverages 128-bit encrypted Remote Procedure
+Calls (RPC), NetApp ONTAP-API, and NetApp FPolicy to monitor file system events. This includes both
+NetApp 7-Mode and Cluster-Mode configurations. To learn more about FPolicy please visit the NetApp
+website and read the
+[What FPolicy is](https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-54FE1A84-6CF0-447E-9AAE-F43B61CA2138.html)
+article.
+
+If the activity agent is stopped, a notification will be sent to the NetApp device to disconnect and
+disable the associated FPolicy policy, but it will not be removed.
+
+If the network connection is lost between the activity agent and the NetApp device, the NetApp
+device is configured with a default timeout to wait for a response. If a response is not received
+from the Activity Agent within the timeout, then the NetApp device will disconnect and disable the
+FPolicy policy. The Activity Agent will check every minute by default to see if the FPolicy policy
+has been disabled and will enable it (if the auto-enable functionality is enabled for the agent).
+The default setting to check every minute is configurable.
+
+The NetApp FPolicy uses a “push” mechanism such that notification will only be sent to the activity
+agent when a transaction occurs. Daily activity log files are created only if activity is performed.
+No activity log file will be created if there is no activity for the day.
+
+**Configuration Checklist**
+
+Complete the following checklist prior to configuring activity monitoring of NetApp Data ONTAP
+7-Mode devices. Instructions for each item of the checklist are detailed within the following
+topics.
+
+**Checklist Item 1: Plan Deployment**
+
+- Gather the following information:
+ - Names of the vFiler™(s) to be monitored
+ - DNS name of the CIFS shares(s) to be monitored
+
+**Checklist Item 2: [Provision FPolicy Account](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md)**
+
+- Group membership with a role granting access to the following commands:
+
+ ```
+ login-http-admin
+ api-system-api-list
+ api-system-get-version
+ api-cifs-share-list-iter-*
+ api-volume-list-info-iter-*
+ ```
+
+- For Automatic FPolicy creation (Checklist Item 4), group membership with a role granting access to
+ the following command:
+
+ ```
+ api-fpolicy*
+ ```
+
+- To use the “Enable and connect FPolicy” option within the Activity Monitor, group membership with
+ a role granting access to the following command:
+
+ ```
+ cli-fpolicy*
+ ```
+
+- Group membership in:
+
+ - ONTAP Power Users
+ - ONTAP Backup Operators
+
+**Checklist Item 3: Firewall Configuration**
+
+- HTTP (80) or HTTPS (443)
+- HTTP or HTTPS protocols need to be enabled on the NetApp filer
+- TCP 135
+- TCP 445
+- Dynamic port range: TCP/UDP 137-139
+- See the [Enable HTTP or HTTPS](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md) topic for instructions.
+
+**Checklist Item 4: [Configure FPolicy](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md)**
+
+- If using vFilers:
+
+ - FPolicy operates on the vFiler so the FPolicy must be created on the vFiler
+
+ :::note
+ Activity Monitor must target the vFiler
+ :::
+
+
+- Select method:
+
+ :::info
+ Configure FPolicy Manually – A tailored FPolicy
+ :::
+
+
+ - Allow the Activity Monitor to create an FPolicy automatically
+ - This option is enabled when the Activity Monitor agent is configured to monitor the NetApp
+ device on the NetApp FPolicy Configuration page of the Add New Hosts window.
+ - It monitors all file system activity.
+
+**Checklist Item 5: Activity Monitor Configuration**
+
+- Deploy the Activity Monitor Activity Agent to a Windows proxy server
+- Configure the Activity Agent to monitor the NetApp device
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md
new file mode 100644
index 0000000000..f334e6dce4
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md
@@ -0,0 +1,105 @@
+---
+title: "Provision FPolicy Account"
+description: "Provision FPolicy Account"
+sidebar_position: 10
+---
+
+# Provision FPolicy Account
+
+This topic describes the steps needed to create a user account with the privileges required to
+connect the Activity Monitor Activity Agent to the FPolicy engine and to execute the NetApp API
+calls required for activity monitoring and configuration.
+
+Provisioning this account is a three part process:
+
+- Part 1: Create Role with API/CLI Access
+- Part 2: Create a Group & Assign Role
+- Part 3: Add User to Group
+
+Relevant NetApp Documentation: To learn more about node access controls, please visit the NetApp
+website and read the
+[na_useradmin – Administers node access controls](https://library.netapp.com/ecmdocs/ECMP1511537/html/man1/na_useradmin.1.html)
+article.
+
+## Part 1: Create Role with API/CLI Access
+
+This section provides instructions for creating a role with access to the following commands:
+
+```
+login-http-admin
+api-system-api-list
+api-system-get-version
+api-cifs-share-list-iter-*
+api-volume-list-info-iter-*
+api-fpolicy*
+cli-fpolicy*
+```
+
+:::note
+The `api-fpolicy*` command is required for automatic configuration of FPolicy. The
+`cli-fpolicy*` command is required to use the “Enable and connect FPolicy” option for a Monitored
+Host configuration.
+:::
+
+
+The following command needs to be run to create the role.
+
+Run the following command when provisioning an account for manual configuration of FPolicy; it
+includes the "Enable and connect FPolicy" option requirement:
+
+```
+useradmin role -add [ROLE_NAME] -c "[ROLE_DESCRIPTION]" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,cli-fpolicy*
+```
+
+Example:
+
+```
+useradmin role -add activitymonitor -c "Role for Activity Monitor" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,cli-fpolicy*
+```
+
+Run the following command when provisioning an account for automatic configuration of FPolicy; it
+includes the "Enable and connect FPolicy" option requirement:
+
+```
+useradmin role -add [ROLE_NAME] -c "[ROLE_DESCRIPTION]" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,api-fpolicy*,cli-fpolicy*
+```
+
+Example:
+
+```
+useradmin role -add activitymonitor -c "Role for Activity Monitor" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,api-fpolicy*,cli-fpolicy*
+```
+
+After the role is created, complete Part 2: Create a Group & Assign Role.
+
+## Part 2: Create a Group & Assign Role
+
+Once the role has been created, it must be attached to a group. The following command needs to be
+run to create a group and assign the role to it.
+
+```
+useradmin group -add [GROUP_NAME] -r [ROLE_NAME]
+```
+
+Example:
+
+```
+useradmin group -add nwxgroup -r enterpriseauditor
+```
+
+After the group is created and the role is assigned, complete Part 3: Add User to Group.
+
+## Part 3: Add User to Group
+
+The final step is to add the domain user to the new group, Backup Operators group, and Power Users
+group. The following command needs to be run to add the user to all three groups.
+
+```
+useradmin domainuser -add [DOMAIN\USER] -g [GROUP_NAME, WITHIN " MARKS IF MULTIPLE WORDS],"Backup Operators","Power Users"
+```
+
+Example:
+
+```
+useradmin domainuser -add example\user1 -g nwxgroup,"Backup Operators","Power Users"
+```
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/panzura-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/panzura-activity.md
new file mode 100644
index 0000000000..9495688395
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/panzura-activity.md
@@ -0,0 +1,123 @@
+---
+title: "Panzura CloudFS Monitoring"
+description: "Panzura CloudFS Monitoring"
+sidebar_position: 110
+---
+
+# Panzura CloudFS Monitoring
+
+Netwrix Activity Monitor can be configured to monitor file system activity on Panzura CloudFS
+file-based storage.
+
+The monitoring process is based on two technologies:
+
+- Third Party Vendor Support auditing feature – Delivers audit events to Activity Monitor Agents
+- CloudFS API – Used to register Activity Monitor as a consumer of audit events to query and update
+ auditing settings
+
+Auditing must be enabled on the master Panzura node and optionally overridden on the subordinate
+nodes to support different deployment scenarios depending on the expected load and network latency.
+A single agent monitors several Panzura nodes.
+
+![panzurasingleagntmonitor](/images/activitymonitor/9.0/config/panzura/panzurasingleagntmonitor.webp)
+
+Audit events are distributed between two agents. Audit settings are overridden on one Panzura node.
+
+![auditeventstwoagnt_panzura](/images/activitymonitor/9.0/config/panzura/auditeventstwoagnt_panzura.webp)
+
+The monitoring process relies on the Third Party Vendor Support auditing feature of the Panzura
+CloudFS platform, which uses the AMQP protocol for event delivery. Unlike typical uses of the AMQP
+protocol that require messaging middleware, the Panzura master and subordinate nodes connect
+directly to the Netwrix Activity Monitor Agent, eliminating the need for middleware.
+
+Netwrix Activity Monitor uses Panzura API to register itself as a consumer of auditing events. It
+also uses the API to perform periodic checks to ensure the auditing settings in Panzura are correct.
+The credentials to access the API must be specified when a Panzura host is added to Activity Monitor
+for monitoring. Additionally, the IP address of the port is 4497 by default and can be customized in
+the properties for the Agent.
+
+:::note
+See the [Panzura](/docs/activitymonitor/10.0/admin/monitoredhosts/add/panzura.md) topic for
+additional information on Panzura Host.
+:::
+
+
+To prepare Panzura CloudFS for monitoring, auditing must be enabled.
+
+## Enable Auditing in CloudFS
+
+Auditing in CloudFS can be enabled either automatically or manually.
+
+:::info
+Using the automatic option using the CloudFS API streamlines the configuration
+process and ensures that auditing remains enabled and accurate.
+:::
+
+
+## Automatic Configuration
+
+Netwrix Activity Monitor uses the CloudFS API to configure Third Party Vendor Support auditing
+option.
+
+If a master node is targeted, the product will configure the global audit settings and assign to be
+pushed to subordinate nodes. If a subordinate node is targeted, the product will configure the local
+audit settings to override the global ones.
+
+The product will also ensure the settings are correct with periodic checks.
+
+## Manual Configuration
+
+Follow these steps to enable auditing.
+
+**Step 1 –** Navigate to **Audit Settings** > **Third Party Support**.
+
+**Step 2 –** Enable the **Generate Third Party Logs** option.
+
+**Step 3 –** Enable the **Push to Subordinate(s)** option.
+
+**Step 4 –** Enter **other** as the Vendor Name.
+
+**Step 5 –** Under Actions, specify close, create, delete, delxattr, mkdir, move, open, read,
+remove, rename, rlclaim, rmdir, setxattr, and writeUnder .
+
+If you require monitoring of Directory Read/List operations, which typically generate a high volume
+of data, also include readdir to the list.
+
+**Step 6 –** Specify \* in Include Files.
+
+**Step 7 –** Specify - in Exclude Files.
+
+**Step 8 –** Finally, add the Panzura host to be monitored in the Activity Monitor Console.
+
+Auditing is now enabled.
+
+## Network Configuration
+
+Activity Monitor agents register themselves as consumers of audit data via the CloudFS API. The
+agents pass their IP address and port along with other AMQP parameters.
Panzura nodes use this
+information to establish connections with the Activity Monitor agents.
+
+:::note
+The address and port used for registration can be found or modified in the agent’s
+settings.
+:::
+
+
+Follow the steps for network configuration.
+
+**Step 1 –** Open Activity Monitor Console.
+
+**Step 2 –** On the Agents tab, select an agent and click **Edit**.
+
+**Step 3 –** Use the Network tab to select the network interface that will be used for registration.
+
+**Step 4 –** Use the Panzura tab to modify the port. The default port is 4497.
+
+The agent will configure the Windows Firewall to allow incoming connections to the specified port
+automatically. Use the following table to configure the firewall.
+
+| Communication Direction | Protocol | Ports | Description |
+| --------------------------------------------------- | --------- | ----- | ------------------- |
+| Activity Monitor Console to Activity Monitor Agents | TCP | 4498 | Agent communication |
+| Activity Monitor Agent to Panzura nodes | TCP/HTTPS | 443 | CloudFS API |
+| Panzura nodes to Activity Monitor Agent | TCP/AMQP | 4497 | Audit events |
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json
new file mode 100644
index 0000000000..e8053ec6a3
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Dell PowerStore Activity Auditing Configuration",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "powerstore-activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md
new file mode 100644
index 0000000000..b873219695
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md
@@ -0,0 +1,124 @@
+---
+title: "Enable Auditing for Dell PowerStore"
+description: "Enable Auditing for Dell PowerStore"
+sidebar_position: 20
+---
+
+# Enable Auditing for Dell PowerStore
+
+Follow the steps to enable auditing on Dell PowerStore.
+
+- Create an Event Publishing Pool
+- Create an Event Publisher
+- Enable Event Publishing for the NAS Server OR Enable or Disable Event Publishing for File System
+
+See the
+[Dell PowerStore - File Capabilities](https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h18155-dell-powerstore-file-capabilities.pdf)
+white paper for additional information.
+
+## Create an Event Publishing Pool
+
+Follow the steps tTo create a new event publishing pool.:
+
+**Step 1 –** Select **Storage** > **NAS Servers** > **NAS Settings** > **Publishing Pools**.
+
+**Step 2 –** Click **Create** and specify the name of the pool.
+
+**Step 3 –** Specify CEE's address or addresses.
+
+![Create Event Publishing Pool](/images/activitymonitor/9.0/config/dellpowerstore/eventpublishingpool.webp)
+
+- For SMB shares monitoring (CIFS) enable following Post-Events: –
+
+ - CloseModified
+ - CloseUnmodified
+ - CreateDir
+ - CreateFile
+ - DeleteDir
+ - DeleteFile
+ - OpenFileNoAccess
+ - RenameDir
+ - RenameFile
+ - SetAclDir
+ - SetAclFile
+
+- For NFS exports monitoring enable following Post-Events: –
+
+ - CloseModified,
+ - CloseUnmodified
+ - CreateDir
+ - CreateFile
+ - DeleteDir
+ - DeleteFile
+ - FileRead
+ - FileWrite
+ - OpenFileNoAccess
+ - RenameDir
+ - RenameFile
+ - SetAclDir
+ - SetAclFile
+ - SetSecDir
+ - SetSecFile
+
+**Step 4 –** Click **Apply**.
+
+## Create an Event Publisher
+
+Follow the steps tTo create a an event publisher.:
+
+**Step 1 –** Select **Storage** > **NAS Servers** > **NAS Settings** > **Events Publishers**.
+
+![Events Publishing](/images/activitymonitor/9.0/config/dellpowerstore/nasservers.webp)
+
+**Step 2 –** Click **Create**.
+
+![publishingpools](/images/activitymonitor/9.0/config/dellpowerstore/publishingpools.webp)
+
+**Step 3 –** Specify the name of the publisher.
+
+**Step 4 –** Select the pool and click **Next**.
+
+![configeventpublisher](/images/activitymonitor/9.0/config/dellpowerstore/configeventpublisher.webp)
+
+**Step 5 –** Specify Pre-Events Failure Policy as "Ignore - Consider pre-event acknowledged when
+CEPA servers are offline".
+
+**Step 6 –** Specify Post-Events Failure Policy as "Accumulate - Continue and persist lost events in
+an internal circular buffer".
+
+**Step 7 –** Click **Create Events Publisher**.
+
+The events publisher is created.
+
+## Enable Event Publishing for the NAS Server
+
+Follow the steps tTo enable or disable event publishing for the NAS Server.:
+
+**Step 1 –** Select **Storage** > **NAS Servers**.
+
+![NAS Servers](/images/activitymonitor/9.0/config/dellpowerstore/nasserver.webp)
+
+**Step 2 –** Go to **[NAS SERVER]** > **Security & Events** > **Events Publishing**.
+
+**Step 3 –** Enable and select the publisher.
+
+![nasserver1](/images/activitymonitor/9.0/config/dellpowerstore/nasserver1.webp)
+
+**Step 4 –** You can enable the event publishing for all file systems on the NAS by checking the box
+and selecting protocols.
+
+Dell PowerStore is enabled for auditing.
+
+## Enable or Disable Event Publishing for File System
+
+Follow the steps toYou can enable or disable the feature for each file system individually. using
+the following:
+
+**Step 1 –** Select **Storage** > **File Systems** > **[FILE SYSTEM]** > **Security & Events** >
+**Events Publishing**.
+
+![Event Publising Option for File System](/images/activitymonitor/9.0/config/dellpowerstore/fseventpublishing.webp)
+
+**Step 2 –** Enable and select protocols needed.
+
+Dell PowerStore is enabled for auditing.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md
new file mode 100644
index 0000000000..1a44db4585
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md
@@ -0,0 +1,78 @@
+---
+title: "Install Dell CEE"
+description: "Install Dell CEE"
+sidebar_position: 10
+---
+
+# Install Dell CEE
+
+Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix
+product. Dell customers have a support account with Dell to access the download.
+
+:::tip
+Remember, the latest version is the recommended version of Dell CEE.
+:::
+
+
+:::info
+The Dell CEE package can be installed on the Windows server where the Activity
+Monitor agent will be deployed (recommended) or on any other Windows or Linux server.
+:::
+
+
+Follow the steps to install the Dell CEE.
+
+**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for
+this component. It is recommended to use the most current version.
+
+**Step 2 –** Follow the instructions in the Dell
+[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs)
+guide to install and configure the CEE. The installation will add two services to the machine:
+
+- EMC Checker Service (Display Name: EMC CAVA)
+- EMC CEE Monitor (Display Name: EMC CEE Monitor)
+
+:::info
+The latest version of .NET Framework and Dell CEE is recommended to use with the
+asynchronous bulk delivery (VCAPS) feature.
+:::
+
+
+## Configure Dell Registry Key Settings
+
+There may be situations when Dell CEE needs to be installed on a different Windows server than the
+one where the Activity Monitor activity agent is deployed. In those cases it is necessary to
+manually set the Dell CEE registry key to forward events.
+
+**Step 1 –** Open the Registry Editor (run regedit).
+
+![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp)
+
+**Step 2 –** Navigate to following location:
+
+**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration**
+
+**Step 3 –** Right-click on **Enabled** and select Modify.
The Edit DWORD Value window opens.
+
+**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value
+window closes.
+
+**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens.
+
+**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the
+Windows proxy server hosting the Activity Monitor activity agent. Use the following format:
+
+**StealthAUDIT@[IP ADDRESS]**
+
+Examples:
+
+**StealthAUDIT@192.168.30.15**
+
+**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed.
+
+![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp)
+
+**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service.
+
+The Dell CEE registry key is now properly configured to forward event to the Activity Monitor
+activity agent.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md
new file mode 100644
index 0000000000..f22fcd23ad
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md
@@ -0,0 +1,77 @@
+---
+title: "Dell PowerStore Activity Auditing Configuration"
+description: "Dell PowerStore Activity Auditing Configuration"
+sidebar_position: 40
+---
+
+# Dell PowerStore Activity Auditing Configuration
+
+A Dell PowerStore device can be configured to audit Server Message Block (SMB) protocol access
+events. All audit data can be forwarded to the Dell Common Event Enabler (CEE). The Netwrix Activity
+Monitor listens for all events coming through the Dell CEE and translates all relevant information
+into entries in the TSV files or syslog messages.
+
+If the service is turned off, a notification will be sent to the Dell CEE framework to turn off the
+associated Activity Monitor filter, but the policy will not be removed.
+
+The Dell CEE Framework uses a “push” mechanism so a notification is sent only to the activity agent
+when a transaction occurs. Daily activity log files are created only if activity is performed. No
+activity log file is created if there is no activity for the day.
+
+**Configuration Checklist**
+
+Complete the following checklist prior to configuring activity monitoring of Dell PowerStore
+devices. Instructions for each item of the checklist are detailed within the following topics.
+
+**Checklist Item 1: Plan Deployment**
+
+- Prior to beginning the deployment
+
+ - See the
+ [Dell PowerStore: File Capabilities](https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h18155-dell-powerstore-file-capabilities.pdf)
+ white paper for additional information.
+ - Download the Dell CEE from:
+
+ - [https://support.emc.com](https://support.emc.com/)
+
+**Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md)**
+
+- Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity
+ agent will be deployed
+
+ :::info
+ The latest version of Dell CEE is the recommended version to use with the
+ asynchronous bulk delivery (VCAPS) feature.
+ :::
+
+
+- Important:
+
+ Open MS-RPC ports between the Dell device and the Windows proxy server(s) where the Dell CEE is
+ installed
+
+**Checklist Item 3: Dell PowerStore Device Configuration**
+
+- Enable auditing on the PowerStore device
+
+ - See the [Enable Auditing for Dell PowerStore](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md) topic for additional information.
+
+**Checklist Item 4: Activity Monitor Configuration**
+
+- Deploy the Activity Monitor activity agent to a Windows proxy server where Dell CEE was installed
+
+ - After activity agent deployment, configure the Dell CEE Options tab of the agent’s Properties
+ window within the Activity Monitor Console
+
+ - Automatically sets the Dell registry key settings
+
+Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent
+
+:::note
+When Dell CEE is installed on Windows proxy server(s) where the Activity Monitor activity
+agent will be deployed, the following steps are not needed.
+:::
+
+
+- Ensure the Dell CEE registry key has enabled set to 1 and has an EndPoint set to StealthAUDIT.
+- Ensure the Dell CAVA service and the Dell CEE Monitor service are running.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md
new file mode 100644
index 0000000000..e99c8b54a8
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md
@@ -0,0 +1,57 @@
+---
+title: "Qumulo Activity Auditing Configuration"
+description: "Qumulo Activity Auditing Configuration"
+sidebar_position: 120
+---
+
+# Qumulo Activity Auditing Configuration
+
+The Netwrix Activity Monitor can be configured to monitor activity on Qumulo devices. To prepare
+Qumulo to be monitored, an account needs to be provisioned and the audit event format may need to be
+modified.
+
+## Provision Account
+
+Activity Monitor requires an account with the Observers role to monitor a Qumulo cluster. Follow the
+steps to create a new account in the Qumulo web user interface with the Observers role.
+
+**Step 1 –** Create a new user in **Cluster** > **Local Users & Groups**.
+
+**Step 2 –** Assign the Observers role to the user using **Cluster** > **Role Management**.
+
+This credential will then be used when configuring the Activity Agent to monitor the Qumulo device.
+
+## Verify Audit Event Format
+
+Qumulo reports audit events in one of two formats: CSV and JSON. While the Netwrix Activity Monitor
+supports both, the JSON format is recommended as it provides more detail. In particular, it allows
+the product to distinguish between permission change events and attribute change events, presents
+granular information for permission changes, and includes user SIDs instead of just usernames. The
+advanced filtering of Microsoft Office activity also requires the JSON format.
+
+The JSON format for audit events was introduced in Qumulo Core 6.0.1. The new format can be enabled
+via an SSH session to the Qumulo cluster.
+
+Follow the steps to verify that audit event format and change the format, if needed.
+
+**Step 1 –** Connect to the Qumulo cluster with SSH.
+
+**Step 2 –** Execute the following command to log in:
+
+```bash
+qq --host login -u
+
+The command will ask for the password.
+
+__Step 3 –__ Execute the following command to check current format:
+
+**qq audit_get_syslog_config**
+
+The format will be shown in the __format__ field.
The old format is __csv__; the new format is __json__.
+
+__Step 4 –__ Execute the following command to change the format, if needed:
+
+**qq audit_set_syslog_config --json**
+
+The change willshould be reflected in the __format__ field.
+```
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json
new file mode 100644
index 0000000000..41f04f5b3e
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Dell Unity Activity Auditing Configuration",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "unity-activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md
new file mode 100644
index 0000000000..85e20d4141
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md
@@ -0,0 +1,81 @@
+---
+title: "Install Dell CEE"
+description: "Install Dell CEE"
+sidebar_position: 10
+---
+
+# Install Dell CEE
+
+Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix
+product. Dell customers have a support account with Dell to access the download.
+
+:::tip
+Remember, the latest version is the recommended version of Dell CEE.
+:::
+
+
+:::info
+The Dell CEE package can be installed on the Windows server where the Activity
+Monitor agent will be deployed (recommended) or on any other Windows or Linux server.
+:::
+
+
+Follow the steps to install the Dell CEE.
+
+**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for
+this component. It is recommended to use the most current version.
+
+**Step 2 –** Follow the instructions in the Dell
+[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs)
+guide to install and configure the CEE. The installation will add two services to the machine:
+
+- EMC Checker Service (Display Name: EMC CAVA)
+- EMC CEE Monitor (Display Name: EMC CEE Monitor)
+
+:::info
+The latest version of .NET Framework and Dell CEE is recommended to use with the
+asynchronous bulk delivery (VCAPS) feature.
+:::
+
+
+After Dell CEE installation is complete, it is necessary to complete the
+[Unity Initial Setup with Unisphere](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md).
+
+## Configure Dell Registry Key Settings
+
+There may be situations when Dell CEE needs to be installed on a different Windows server than the
+one where the Activity Monitor activity agent is deployed. In those cases it is necessary to
+manually set the Dell CEE registry key to forward events.
+
+**Step 1 –** Open the Registry Editor (run regedit).
+
+![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp)
+
+**Step 2 –** Navigate to following location:
+
+**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration**
+
+**Step 3 –** Right-click on **Enabled** and select Modify. The Edit DWORD Value window opens.
+
+**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value
+window closes.
+
+**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens.
+
+**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the
+Windows proxy server hosting the Activity Monitor activity agent. Use the following format:
+
+**StealthAUDIT@[IP ADDRESS]**
+
+Examples:
+
+**StealthAUDIT@192.168.30.15**
+
+**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed.
+
+![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp)
+
+**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service.
+
+The Dell CEE registry key is now properly configured to forward event to the Activity Monitor
+activity agent.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md
new file mode 100644
index 0000000000..9845a39663
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md
@@ -0,0 +1,33 @@
+---
+title: "Unity Initial Setup with Unisphere"
+description: "Unity Initial Setup with Unisphere"
+sidebar_position: 20
+---
+
+# Unity Initial Setup with Unisphere
+
+Follow the steps to configure the initial setup for a Unity device with Unisphere.
+
+**Step 1 –** Edit the NAS Server > Protection and Events > Events Publishing > Select Pool settings:
+
+- Add CEPA server – This is the server where CEE is installed. It is recommended that this is also
+ the server were the Activity Monitor activity agent is deployed.
+- Enable the following events for Post Events.
+
+Required Unity events needed for CIFS Activity:
+
+![NAM Required Events For CIFS](/images/activitymonitor/9.0/config/dellunity/eventscifs.webp)
+
+Required Unity events needed for NFS Activity:
+
+![NAM Required Events For NFS](/images/activitymonitor/9.0/config/dellunity/eventsnfs.webp)
+
+**Step 2 –** Enable Events Publishing:
+
+- Edit the FileSystem > Advanced settings:
+
+ - NFS Events Publishing – Enabled (required for NFS protocol monitoring)
+ - SMB Events publishing – Enabled (required for SMB / CIFS protocol monitoring)
+
+Once Unity setup is complete, it is time to configure and enable monitoring with the Activity
+Monitor.
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md
new file mode 100644
index 0000000000..b30aacd471
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md
@@ -0,0 +1,79 @@ +--- +title: "Dell Unity Activity Auditing Configuration" +description: "Dell Unity Activity Auditing Configuration" +sidebar_position: 50 +--- + +# Dell Unity Activity Auditing Configuration + +A Dell Unity device can be configured to audit Server Message Block (SMB) protocol access events. +All audit data can be forwarded to the Dell Common Event Enabler (CEE). The Netwrix Activity Monitor +listens for all events coming through the Dell CEE and translates all relevant information into +entries in the TSV files or syslog messages. + +If the service is turned off, a notification will be sent to the Dell CEE framework to turn off the +associated Activity Monitor filter, but the policy will not be removed. + +The Dell CEE Framework uses a "push" mechanism so a notification is sent only to the activity agent +when a transaction occurs. Daily activity log files are created only if activity is performed. No +activity log file is created if there is no activity for the day. + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Dell Unity devices. +Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment, gather the following: + + - Data Mover or Virtual Data Mover hosting the share(s) to be monitored + - Account with access to the CLI + - Download the Dell CEE from: + + - [https://support.emc.com](https://support.emc.com/) + +**Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md)** + +- Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity + agent will be deployed + + :::info + The latest version of Dell CEE is the recommended version to use with the + asynchronous bulk delivery (VCAPS) feature. 
+ ::: + + +- Important: + + - Open MS-RPC ports between the Dell device and the Windows proxy server(s) where the Dell CEE + is installed + - Dell CEE 8.4.2 through Dell CEE 8.6.1 are not supported for use with the VCAPS feature + - Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server + +**Checklist Item 3: Dell Unity Device Configuration** + +- Configure initial setup for a Unity device + + - [Unity Initial Setup with Unisphere](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md) + +**Checklist Item 4: Activity Monitor Configuration** + +- Deploy the Activity Monitor activity agent to a Windows proxy server where Dell CEE was installed + + - After activity agent deployment, configure the Dell CEE Options tab of the agent's Properties + window within the Activity Monitor Console + + - Automatically sets the Dell registry key settings + +Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent + +:::note +When Dell CEE is installed on Windows proxy server(s) where the Activity Monitor activity +agent will be deployed, the following steps are not needed. +::: + + +- Ensure the Dell CEE registry key has enabled set to 1 and has an EndPoint set to StealthAUDIT. +- Ensure the Dell CAVA service and the Dell CEE Monitor service are running. +- See the [Validate Setup](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md) topic for instructions. diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md new file mode 100644 index 0000000000..a7bbfb476b --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md 
@@ -0,0 +1,159 @@ +--- +title: "Validate Setup" +description: "Validate Setup" +sidebar_position: 30 +--- + +# Validate Setup + +Once the Activity Monitor agent is configured to monitor the Dell device, the automated +configuration must be validated to ensure events are being monitored. + +## Validate CEE Registry Key Settings + +:::note +See the +[Configure Dell Registry Key Settings](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md#configure-dell-registry-key-settings) +topic for information on manually setting the registry key. +::: + + +After the Activity Monitor activity agent has been configured to monitor the Dell device, it will +configure the Dell CEE automatically if it is installed on the same server as the agent. This needs +to be set manually in the rare situations where it is necessary for the Dell CEE to be installed on +a different server than the Windows proxy server(s) where the Activity Monitor activity agent is +deployed. + +If the monitoring agent is not registering events, validate that the EndPoint is accurately set. +Open the Registry Editor (run regedit). For the synchronous real-time delivery mode (AUDIT), use the +following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration** + +![registryeditorendpoint](/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp) + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthAUDIT@'ip-address-of-the-agent'` + +- For the HTTP protocol,` StealthAUDIT@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. 
+::: + + +**Step 4 –** If you changed any of the settings, restart the CEE Monitor service. + +**For Asynchronous Bulk Delivery Mode** + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration** + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthVCAPS@'ip-address-of-the-agent'` +- For the HTTP protocol, `StealthVCAPS@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** Ensure that the FeedInterval parameter is set to a value between 60 and 600; the +MaxEventsPerFeed - between 10 and 10000. + +**Step 5 –** If you changed any of the settings, restart the CEE Monitor service. + +Set the following values under the Data column: + +- Enabled – 1 +- EndPoint – StealthAUDIT + +If this is configured correctly, validate that the Dell CEE services are running. See the Validate +Dell CEE Services are Running topic for additional information. + +## Validate Dell CEE Services are Running + +After the Activity Monitor Activity Agent has been configured to monitor the Dell device, the Dell +CEE services should be running. If the Activity Agent is not registering events and the EndPoint is +set accurately, validate that the Dell CEE services are running. Open the Services (run +`services.msc`). 
+ +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +The following services laid down by the Dell CEE installer should have Running as their status: + +- Dell CAVA +- Dell CEE Monitor + +## CEE Debug Logs + +If an issue arises with communication between the Dell CEE and the Activity Monitor, the debug logs +need to be enabled for troubleshooting purposes. Follow the steps. + +**Step 6 –** In the Activity Monitor Console, change the **Trace level** value in the lower right +corner to Trace. + +**Step 7 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Disable monitoring. + +**Step 8 –** Download and install the Debug View tool from Microsoft on the CEE server: + +**> [https://docs.microsoft.com/en-us/sysinternals/downloads/debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview)** + +**Step 9 –** Open the Registry Editor (run regedit). Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration** + +**Step 10 –** Right-click on **Debug** and select Modify. The Edit DWORD Value window opens. In the +Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Debug DWORD Value does not exist, it needs to be added. +::: + + +**Step 11 –** Right-click on **Verbose** and select Modify. The Edit DWORD Value window opens. In +the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Verbose DWORD Value does not exist, it needs to be added. +::: + + +**Step 12 –** Run the Debug View tool (from Microsoft). In the Capture menu, select the following: + +- Capture Win32 +- Capture Global Win32 +- Capture Events + +**Step 13 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Enable monitoring. + +**Step 14 –** Generate some file activity on the Dell device. Save the Debug View Log to a file. 
+ +**Step 15 –** Send the following logs to [Netwrix Support](https://www.netwrix.com/support.html): + +- Debug View Log (from Dell Debug View tool) +- Use the **Collect Logs** button to collect debug logs from the activity agent + +:::info +After the logs have been gathered and sent to Netwrix Support, reset these +configurations. + +::: diff --git a/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md new file mode 100644 index 0000000000..655a7680c6 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-online-activity.md 
@@ -0,0 +1,264 @@ +--- +title: "SharePoint Online Activity Auditing Configuration" +description: "SharePoint Online Activity Auditing Configuration" +sidebar_position: 60 +--- + +# SharePoint Online Activity Auditing Configuration + +In order to collect logs and monitor SharePoint Online activity using the Netwrix Activity Monitor, +it needs to be registered with Microsoft® Entra ID® (formerly Azure AD). + +:::note +A user account with the Global Administrator role is required to register an app with +Microsoft Entra ID. +::: + + +**Additional Requirement** + +In addition to registering the application with Microsoft Entra ID, the following is required: + +- Enable Auditing for SharePoint Online + +See the Enable Auditing for SharePoint Online topic for additional information. + +**Configuration Settings from the Registered Application** + +The following settings are needed from your tenant once you have registered the application: + +- Tenant ID – This is the Tenant ID for Microsoft Entra ID +- Client ID – This is the Application (client) ID for the registered application +- Client Secret – This is the Client Secret Value generated when a new secret is created + + :::warning + It is not possible to retrieve the value after saving the new key. It must be + copied first. + ::: + + +**Permissions for Microsoft Graph API** + +- Application: + + - Directory.Read.All – Read directory data + - Sites.Read.All – Read items in all site collections + - User.Read.All – Read all users' full profiles + +**Permissions for Office 365 Management APIs** + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +## Register a Microsoft Entra ID Application + +Follow the steps to register Activity Monitor with Microsoft Entra ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. 
These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click App +registrations. + +**Step 3 –** In the top toolbar, click **New registration**. + +**Step 4 –** Enter the following information in the Register an application page: + +- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor + for SharePoint +- Supported account types – Select **Accounts in this organizational directory only** +- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the drop + down menu. In the text box, enter the following: + +**Urn:ietf:wg:oauth:2.0:oob** + +**Step 5 –** Click **Register**. + +The Overview page for the newly registered app opens. Review the newly created registered +application. Now that the application has been registered, permissions need to be granted to it. + +## Grant Permissions to the Registered Application + +Follow the steps to grant permissions to the registered application. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **API permissions** in the Manage section. + +**Step 3 –** In the top toolbar, click **Add a permission**. + +**Step 4 –** On the Request API permissions blade, select **Microsoft Graph** on the Microsoft APIs +tab. 
Select the following permissions: + +- Application: + + - Directory.Read.All – Read directory data + - Sites.Read.All – Read items in all site collections + - User.Read.All – Read all users' full profiles + +**Step 5 –** At the bottom of the page, click **Add Permissions**. + +**Step 6 –** In the top toolbar, click **Add a permission**. + +**Step 7 –** On the Request API permissions blade, select **Office 365 Management APIs** on the +Microsoft APIs tab. Select the following permissions: + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +**Step 8 –** At the bottom of the page, click **Add Permissions**. + +**Step 9 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation +window. + +Now that the permissions have been granted to it, the settings required for Activity Monitor need to +be collected. + +## Identify the Client ID + +Follow the steps to find the registered application's Client ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** Copy the **Application (client) ID** value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. Next identify the Tenant +ID. + +## Identify the Tenant ID + +The Tenant ID is available in two locations within Microsoft Entra ID. + +**Registered Application Overview Blade** + +You can copy the Tenant ID from the same page where you just copied the Client ID. 
Follow the steps +to copy the Tenant ID from the registered application Overview blade. + +**Step 1 –** Copy the Directory (tenant) ID value. + +**Step 2 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. Next generate the +application’s Client Secret Key. + +**Overview Page** + +Follow the steps to find the tenant name where the registered application resides. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** Copy the Tenant ID value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. Next generate the +application’s Client Secret Key. + +## Generate the Client Secret Key + +Follow the steps to find the registered application's Client Secret, create a new key, and save its +value when saving the new key. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +:::warning +It is not possible to retrieve the value after saving the new key. It must be copied +first. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **Certificates & secrets** in the Manage section. + +**Step 3 –** In the top toolbar, click **New client secret**. 
+ +**Step 4 –** On the Add a client secret blade, complete the following: + +- Description – Enter a unique description for this secret +- Expires – Select the duration. + + :::note + Setting the duration on the key to expire requires reconfiguration at the time of + expiration. It is best to configure it to expire in 1 or 2 years. + ::: + + +**Step 5 –** Click **Add** to generate the key. + +:::warning +If this page is left before the key is copied, then the key is not retrievable, and +this process will have to be repeated. +::: + + +**Step 6 –** The Client Secret will be displayed in the Value column of the table. You can use the +Copy to clipboard button to copy the Client Secret. + +**Step 7 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. + +## Enable Auditing for SharePoint Online + +Follow the steps to enable auditing for SharePoint Online so the Activity Monitor can receive +events. + +**Step 1 –** In the Microsoft Purview compliance portal at +[https://compliance.microsoft.com](https://compliance.microsoft.com/), go to **Solutions** > +**Audit**. Or, to go directly to the Audit page at +[https://compliance.microsoft.com/auditlogsearch](https://compliance.microsoft.com/auditlogsearch). + +**Step 2 –** If auditing is not turned on for your organization, a banner is displayed prompting you +start recording user and admin activity. + +**Step 3 –** Select the **Start recording** user and **admin activity** banner. + +It may take up to 60 minutes for the change to take effect. The Activity Monitor now has SharePoint +Online auditing enabled as needed to receive events. See the Microsoft +[Turn auditing on or off](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide) +article for additional information on enabling or disabling auditing. 
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-onprem-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-onprem-activity.md
new file mode 100644
index 0000000000..fecb0fa571
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/sharepoint-onprem-activity.md
@@ -0,0 +1,50 @@ +--- +title: "SharePoint On-Premise Activity Auditing Configuration" +description: "SharePoint On-Premise Activity Auditing Configuration" +sidebar_position: 50 +--- + +# SharePoint On-Premise Activity Auditing Configuration + +SharePoint Event Auditing must be enabled for each site collection to be monitored by the Netwrix +Activity Monitor and/or audited by Netwrix Access Analyzer. + +## User Requirements + +Following are the SharePoint On-Premise user requirements: + +- Local Administrator on SharePoint server (that hosts Central Administration) +- SharePoint SQL server, which includes login on SharePoint Admin, Config, and all content + databases, with the following role permissions: + + - SharePoint 2013+ + + - SPDataAccess + + - SharePoint 2010 + + - db_owner + +## Enable Event Auditing + +Follow the steps for each site collection within a SharePoint 2013 through SharePoint 2019 farm. + +**Step 1 –** Select Settings > Site settings. + +**Step 2 –** Under Site Collection Administration, click Go to top level site settings. + +**Step 3 –** On the Site Settings page, under Site Collection Administration, select Site collection +audit settings. + +**Step 4 –** On the Configure Audit Settings page, in the Documents and Items section select the +events to be audited. + +**Step 5 –** Still on the Configure Audit Settings page, in the List, Libraries, and Site section +select the events to be audited. + +**Step 6 –** Click OK to save the changes. + +SharePoint will create the audit logs to be monitored by the Netwrix Activity Monitor and/or audited +by Access Analyzer. See the Microsoft +[Configure audit settings for a site collection (SharePoint 2013/2016/2019)](https://support.office.com/en-us/article/Configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2) +article for additional information. 
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md
new file mode 100644
index 0000000000..f735298b95
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/sqlserver-activity.md
@@ -0,0 +1,77 @@
+---
+title: "SQL Server Activity Auditing Configuration"
+description: "SQL Server Activity Auditing Configuration"
+sidebar_position: 70
+---
+
+# SQL Server Activity Auditing Configuration
+
+In order for the Netwrix Activity Monitor to monitor SQL Server activity, a SQL login with certain
+server permissions, and must be mapped to user databases.
+
+## SQL Database Server Permissions
+
+- ALTER ANY EVENT SESSION
+
+ - Allows agent to start or stop an event session or change an event session configuration.
+
+- VIEW ANY DEFINITION
+
+ - Allows agent to view the SQL Server object definitions.
+
+- VIEW SERVER STATE
+
+ - Allows agent to access dynamic management views.
+
+## Windows Authentication
+
+Use the following command to create a new login:
+
+```
+create login [DOMAIN\USER] from WINDOWS
+```
+
+Use the following command to grant server permissions:
+
+```
+grant alter any event session to [DOMAIN\USER]
+grant view any definition to [DOMAIN\USER]
+grant view server state to [DOMAIN\USER]
+```
+
+Use the following command to create a user in each database:
+
+```
+declare @s varchar(max)='';select @s=@s+(case when @s<>'' then char(13)+char(10) else '' end)+'use ['+name+'];create user [DOMAIN\USER] for login [DOMAIN\USER];' from sys.databases;exec(@s)
+```
+
+## SQL Authentication
+
+Use the following command to create a new login:
+
+```
+create login [USER] with password='[PUT_PASSWORD_HERE]'
+```
+
+Use the following command to grant server permissions:
+
+```
+grant alter any event session to [USER]
+grant view any definition to [USER]
+grant view server state to [USER]
+```
+
+Use the following command to create a user in each database:
+
+```
+declare @s varchar(max)='';select @s=@s+(case when @s<>'' then char(13)+char(10) else '' end)+'use ['+name+'];create user [USER] for login [USER];' from sys.databases;exec(@s)
+```
+
+## Logon Trigger (Optional)
+
+The logon trigger is required to obtain IP Addresses of client connections.
Run the following script
+in order to allow the Activity Monitor to report client IP Addresses.
+
+```
+CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON AS BEGIN declare @str varchar(max)=cast(EVENTDATA() as varchar(max));raiserror(@str,1,1);END
+```
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/windowsfs-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/windowsfs-activity.md
new file mode 100644
index 0000000000..eb33a09a0b
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/windowsfs-activity.md
@@ -0,0 +1,55 @@
+---
+title: "Windows File Server Activity Auditing Configuration"
+description: "Windows File Server Activity Auditing Configuration"
+sidebar_position: 80
+---
+
+# Windows File Server Activity Auditing Configuration
+
+In order for the Netwrix Activity Monitor to monitor Windows file server activity, an Activity Agent must be deployed to the server. It cannot be deployed to a proxy server. However, additional considerations are needed when targeting a Windows File System Clusters.
+
+## Windows File System Clusters
+
+In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all nodes that comprise the Windows File System Cluster. The credential used to deploy the Activity Agent must have the following permissions on the server:
+
+- Membership in the local Administrators group
+- READ and WRITE access to the archive location for Archiving feature only
+
+It is also necessary to enable the Remote Registry Service on the Activity Agent server.
+
+For integration between the Activity Monitor and Access Analyzer, the credential used by Access Analyzer to read the activity log files must have also have this permission.
+
+### Single Role (Basic) Setup
+
+![Single Role Cluster Overview](/images/activitymonitor/9.0/requirements/WinCluster1.webp)
+
+1. Install an Activity Monitor agent on all nodes in the cluster.
+2. Configure a Monitored Host with event source type of “Agent’s Windows host” for each node.
+
+![Single Role WinCluster Agents](/images/activitymonitor/9.0/requirements/WinCluster2.webp)
+
+![Single Role WinCluster Monitored Hosts](/images/activitymonitor/9.0/requirements/WinCluster3.webp)
+
+### Multi-Role (Advanced) Setup
+
+![Multi Role Cluster Overview](/images/activitymonitor/9.0/requirements/WinCluster4.webp)
+
+
+1. Install an Activity Monitor agent on all nodes in the cluster.
+2. Configure a Monitored Host with event source type of “Agent’s Windows host” for each node.
+3.
On the Additional Properties tab of each file output, set the *Report hostname as* value to match the Role Server it will be scoped for.
+4. On the Path Filtering tab of each file output, scope the log to only look at the shares for their respective role servers.
+
+:::note Example
+ The cluster contains **RoleServerA** and **RoleServerB**. RoleServerA contains two shares: Share1 & Share2. RoleServerB contains two shares: Share3 & Share4.
+ 1. There should be two File Outputs under Node1 & Node2 to match the two Role Servers.
+ 2. The first file output should contain scoping that includes Share1 & Share2, but excludes all others.
+ 3. The second file output should contain scoping that includes Share3 & Share4, but excludes all others.
+
+![Multi Role WinCluster Agents](/images/activitymonitor/9.0/requirements/WinCluster5.webp)
+
+![Multi Role WinCluster Monitored Hosts](/images/activitymonitor/9.0/requirements/WinCluster6.webp)
+
+![Multi Role WinCluster Output Properties](/images/activitymonitor/9.0/requirements/WinCluster7.webp)
+:::
+
diff --git a/docs/activitymonitor/10.0/requirements/adagent/_category_.json b/docs/activitymonitor/10.0/requirements/adagent/_category_.json
new file mode 100644
index 0000000000..c84f42629d
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/adagent/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "AD Agent Server Requirements",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "adagent"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/adagent/activity/_category_.json b/docs/activitymonitor/10.0/requirements/adagent/activity/_category_.json
new file mode 100644
index 0000000000..05cf87c439
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/adagent/activity/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Active Directory Activity Auditing Configuration",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "activity"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/requirements/adagent/activity/activity.md b/docs/activitymonitor/10.0/requirements/adagent/activity/activity.md
new file mode 100644
index 0000000000..a3a2137c43
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/adagent/activity/activity.md
@@ -0,0 +1,274 @@
+---
+title: "Active Directory Activity Auditing Configuration"
+description: "Active Directory Activity Auditing Configuration"
+sidebar_position: 10
+---
+
+# Active Directory Activity Auditing Configuration
+
+There are two methods to configure Activity Monitor to provide Active Directory domain activity to
+Access Analyzer:
+
+- API Server
+- File Archive Repository
+
+See the [File Archive Repository Option](/docs/activitymonitor/10.0/requirements/adagent/activity/filearchive.md) topic for additional information on that
+option.
+
+## API Server Option
+
+In this method, you will be deploying two agents:
+
+- First, deploy an Activity Agent to a Windows server that will act as the API server. This is a
+ non-domain controller server.
+
+ :::info
+ Deploy the API Server to the same server where the Activity Monitor Console
+ resides.
+ :::
+
+
+- Next, deploy the AD Agent to all domain controllers in the target domain.
+
+Follow the steps to setup integration between Activity Monitor and Access Analyzer through an API
+server.
+
+**Step 1 –** Deploy the Activity Agent to the API server.
+
+**Step 2 –** Deploy the AD Agent to each domain controller in the target domain.
+
+The next step is to configure the agent deployed to the API server.
+
+## Configure API Server Agent
+
+Follow the steps to configure the agent deployed to the API server.
+
+**Step 1 –** On the Agents tab of the Activity Monitor Console, select the agent deployed to the
+API server.
+
+**Step 2 –** Click **Edit**. The Agent properties window opens.
+
+**Step 3 –** Select the **API Server** tab and configure the following:
+
+- Select the **Enable API access on this agent** checkbox.
+- The default **API server port (TCP)** is 4494, but it can be modified if desired. Ensure the
+ modified port is also used by Access Analyzer.
+- Click **Add Application**. The Add or edit API client window opens.
+- Configure the following:
+
+ - Provide a descriptive and unique **Application name**, for example `Access Analyzer`.
+ - Select the **Read** checkbox to grant this permission to this application.
+ - Click **Generate** to generate the Client ID and Client Secret.
+ - Copy the Client ID value to a text file.
+ - Click **Copy** and save the Client Secret value to a text file.
+
+ :::warning
+ It is not possible to retrieve the value after closing the Add or edit
+ API client window. It must be copied first.
+ :::
+
+
+ - By default, the **Secret Expires** in 3 days. That means it must be used in the Access
+ Analyzer Connection Profile within 72 hours or a new secret will need to be generated. Modify
+ if desired.
+ - Click **OK** to save the configuration and close the Add or edit API client window.
+
+- If the Activity Monitor Console server is not the API Server, then click **Use this console** to
+ grant the Activity Monitor the ability to manage the API server.
+- The IPv4 or IPv6 allowlist allows you to limit access to the API server data to specific hosts.
+
+**Step 4 –** Click **OK** to save the configuration and close the Agent properties window.
+
+The next step is to configure the agents deployed to the domain controllers.
+
+## Configure Domain Controller Agent
+
+Follow the steps to configure the agent deployed to the domain controller.
+
+**Step 1 –** On the Agents tab of the Activity Monitor Console, select an agent deployed to domain
+controller.
+
+**Step 2 –** Click **Edit**. The Agent properties window opens.
+
+**Step 3 –** Select the **Archiving** tab and configure the following:
+
+- Select the **Enable Archiving for this agent** checkbox.
+- Select the **Archive log files on a UNC path** option. Click the **...** button and navigate to
+ the desired network share on the API server.
+- The **User name** and **User password** fields only need to be filled in if the account used to
+ install the agent does not have access to this share.
+
+ :::tip
+ Remember, The account used to install the agent on a domain controller is a Domain
+ Administrator account.
+ :::
+
+
+- Click **Test** to ensure a successful connection to the network share.
+
+**Step 4 –** Click **OK** to save the configuration and close the Agent properties window.
+
+**Step 5 –** Repeat Steps 1-4 for each agent deployed to domain controller.
+
+These agent are configured to save the Archive logs to the selected share.
+
+## Configure Monitored Domain Output
+
+Follow the steps configure the monitored domain output for Netwrix Access Analyzer.
+
+**Step 1 –** Select the **Monitored Domains** tab.
+
+**Step 2 –** Select the desired domain and click **Add Output**. The Add New Ouptut window opens.
+
+**Step 3 –** Configure the following:
+
+- Configure the desired number of days for the **Period to keep Log files**. This is the number of
+ days the log files are kept on the API server configured in the sections above. This needs to be
+ set to a greater value than the days between Access Analyzer scans.
+
+ - For example, if Access Analyzer runs the **AD_ActivityCollection** Job once a week (every 7
+ days), then the Activity Monitor output should be configured to retain at least 10 days of log
+ files.
+
+- Check the **This log file is for StealthAUDIT** box.
+- Optionally select the **Enable periodic AD Status Check event reporting** checkbox. When enabled,
+ the agent will send out status messages every five minutes to verify whether the connection is
+ still active.
+
+**Step 4 –** Click **Add Output** to save and close the Add New Output window.
+
+Access Analyzer now has access to the agent log files for this domain.
+
+## Configure Connection Profile
+
+Follow the steps to configure the Connection Profile in Access Analyzer.
+
+:::tip
+Remember, the Client ID and Client Secret were generated by the API server and copied to a text
+file.
If the secret expired before the Connection Profile is configured, it will need to be
+re-generated.
+:::
+
+
+**Step 1 –** On the **Settings** > **Connection** node of the Access Analyzer Console, select the
+Connection Profile for the Active Directory solution. If you haven't yet created a Connection
+Profile or desire a specific one for AD Activity, create a new one and provide a unique descriptive
+name.
+
+**Step 2 –** Click **Add User credential**. The User Credentials window opens.
+
+**Step 3 –** Configure the following:
+
+- Select Account Type – Select **Web Services (JWT)**
+- User name – Enter the Client ID generated by the Activity Monitor API Server
+- Access Token – Enter the Client Secret generated by the Activity Monitor API Server
+
+**Step 4 –** Click **OK** to save and close the User Credentials window.
+
+**Step 5 –** Click **Save** and then **OK** to confirm the changes to the Connection Profile.
+
+**Step 6 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** Job
+Group. Select the **Settings > Connection** node.
+
+**Step 7 –** Select the **Select one of the following user defined profiles** option. Expand the
+drop-down menu and select the Connection Profile with this credential.
+
+**Step 8 –** Click **Save** and then **OK** to confirm the changes to the job group settings.
+
+The Connection Profile will now be used for AD Activity collection.
+
+## Configure the AD_ActivityCollection Job
+
+The Access Analyzer requires additional configurations in order to collect domain activity data.
+Follow the steps to configure the **AD_ActivityCollection** Job.
+
+:::note
+Ensure that the **.Active Directory Inventory** Job Group has been successfully run
+against the target domain.
+:::
+
+
+**Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** >
+**AD_ActivityCollection** Job. Select the **Configure** > **Queries** node.
+
+**Step 2 –** Click **Query Properties**.
The Query Properties window displays.
+
+**Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard
+opens.
+
+![Active Directory Activity DC wizard Category page](/images/activitymonitor/9.0/config/activedirectory/categoryimportfromnam.webp)
+
+**Step 4 –** On the Category page, choose **Import from SAM** option and click **Next**.
+
+![Active Directory Activity DC wizard SAM connection settings page](/images/activitymonitor/9.0/config/activedirectory/namconnection.webp)
+
+**Step 5 –** On the SAM connection page, the **Port** is set to the default 4494. This needs to
+match the port configured for the Activity Monitor API Server agent.
+
+**Step 6 –** In the **Test SAM host** textbox, enter the Activity Monitor API Server name using
+fully qualified domain format. For example, `NEWYORKSRV30.NWXTech.com`. Click **Connect**.
+
+**Step 7 –** If connection is successful, the archive location displays along with a Refresh token.
+Copy the **Refresh token**. This will replace the Client Secret in the Connection Profile in the
+last step.
+
+**Step 8 –** Click **Next**.
+
+![Active Directory Activity DC wizard Scoping and Retention page](/images/activitymonitor/9.0/config/activedirectory/scope.webp)
+
+**Step 9 –** On the Scope page, set the Timespan as desired. There are two options:
+
+- Relative Timespan – Set the number of days of activity logs to collect when the scan is run
+- Absolute Timespan – Set the date range for activity logs to collect when the scan is run
+
+:::info
+The threshold should be set to ensure the logs are collected before the Activity
+Monitor domain output log retention expires. For example, if Access Analyzer runs the
+**AD_ActivityCollection** Job once a week (every 7 days), then the Activity Monitor output should be
+configured to retain at least 10 days of log files.
+:::
+
+
+**Step 10 –** Set the Retention period as desired.
This is the number of days Access Analyzer keeps
+the collected data in the SQL Server database.
+
+**Step 11 –** Click **Next** and then **Finish** to save the changes and close the wizard.
+
+**Step 12 –** Click **OK** to save the changes and close the Query Properties page.
+
+**Step 13 –** Navigate to the global **Settings** > **Connection** node to update the User
+Credential with the Refresh token:
+
+- Select the Connection Profile assigned to the **6.Activity** > **0.Collection** Job Group.
+- Select the Web Services (JWT) User Credential and click **Edit**.
+- Replace the Access Token with the Refresh token generated by the data collector in Step 7.
+- Click **OK** to save and close the User Credentials window.
+- Click **Save** and then **OK** to confirm the changes to the Connection Profile.
+
+The query is now configured to target the Activity Monitor API Server to collect domain activity
+logs.
+
+### (Optional) Configure Import of AD Activity into Netwrix Access Information Center
+
+AD Activity data can be imported into Netwrix Access Information Center by the
+**AD_ActivityCollection** Job. However, this is disabled by default. Follow the steps to enable the
+importing of AD activity data into the Access Information Center.
+
+**Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** >
+**AD_ActivityCollection** Job.
+
+**Step 2 –** On the job's Overview page, enable the import of AD Events.
+
+- Click on the **Enable to import AD events into the AIC** parameter.
+- On the Parameter Configuration window, select the **Enabled** checkbox and click **Save**.
+
+**Step 3 –** On the job's Overview page, enable the import of authentication Events.
+
+- Click on the **Enable to import authentication events into the AIC** parameter.
+- On the Parameter Configuration window, select the **Enabled** checkbox and click **Save**.
+
+**Step 4 –** Optionally, modify the **List of attributes to track for Object Modified changes** and
+**Number of days to retain activity data in the AIC** parameters.
+
+The **AD_ActivityCollection** Job is now configured to import both AD events and authentication
+events into the Netwrix Access Information Center.
diff --git a/docs/activitymonitor/10.0/requirements/adagent/activity/filearchive.md b/docs/activitymonitor/10.0/requirements/adagent/activity/filearchive.md
new file mode 100644
index 0000000000..235cdfabfc
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/adagent/activity/filearchive.md
@@ -0,0 +1,171 @@
+---
+title: "File Archive Repository Option"
+description: "File Archive Repository Option"
+sidebar_position: 10
+---
+
+# File Archive Repository Option
+
+As an alternative to using an API Server, Netwrix Activity Monitor can be configured to store all
+archived logs to a network share. This option requires all of the domain logs to be stored in the
+same share location in order for Access Analyzer to collect the AD Activity data.
+
+**Prerequisite**
+
+Deploy the AD Agent to each domain controller in the target domain.
+
+## Configure Domain Controller Agent
+
+Follow the steps to configure the agent deployed to the domain controller.
+
+:::note
+These steps assume the network share where the activity log files will be archived already
+exists.
+:::
+
+
+**Step 1 –** On the Agents tab of the Activity Monitor Console, select an agent deployed to domain
+controller.
+
+**Step 2 –** Click Edit. The Agent properties window opens.
+
+**Step 3 –** Select the Archiving tab and configure the following:
+
+- Check the Enable Archiving for this agent box.
+- Select the **Archive log files on a UNC path** option. Click the ... button and navigate to the
+ desired network share.
+- The **User name** and **User password** fields only need to be filled in if the account used to
+ install the agent does not have access to this share.
+
+ :::tip
+ Remember, The account used to install the agent on a domain controller is a Domain
+ Administrator account. This is typically the credential that will be used in the Netwrix Access
+ Analyzer Connection Profile. However, a least privilege option is
+ a domain user account with Read access to this share.
+ :::
+
+
+- Click **Test** to ensure a successful connection to the network share.
+
+**Step 4 –** Click OK to save the configuration and close the Agent properties window.
+
+**Step 5 –** Repeat Steps 1-4 for each agent deployed to domain controller pointing to the same
+network share in Step 3 for each agent.
+
+These agent are configured to save the Archive logs to the selected share.
+
+## Configure Monitored Domain Output
+
+Follow the steps configure the monitored domain output for Netwrix Access Analyzer.
+
+**Step 1 –** Select the **Monitored Domains** tab.
+
+**Step 2 –** Select the desired domain and click **Add Output**. The Add New Ouptut window opens.
+
+**Step 3 –** Configure the following:
+
+- Configure the desired number of days for the **Period to keep Log files**. This is the number of
+ days the log files are kept on the API server configured in the sections above. This needs to be
+ set to a greater value than the days between Access Analyzer scans.
+
+ - For example, if Access Analyzer runs the **AD_ActivityCollection** Job once a week (every 7
+ days), then the Activity Monitor output should be configured to retain at least 10 days of log
+ files.
+
+- Check the **This log file is for Access Analyzer** box.
+- Optionally select the **Enable periodic AD Status Check event reporting** checkbox. When enabled,
+ the agent will send out status messages every five minutes to verify whether the connection is
+ still active.
+
+**Step 4 –** Click **Add Output** to save and close the Add New Output window.
+
+Access Analyzer now has access to the agent log files for this domain.
+
+## Configure Connection Profile
+
+Follow the steps to configure the Connection Profile in Access Analyzer.
+
+**Step 1 –** On the Settings > Connection node of the Access Analyzer Console, select the Connection
+Profile for the Active Directory solution. If you haven't yet created a Connection Profile or desire
+a specific one for AD Activity, create a new one and provide a unique descriptive name.
+
+**Step 2 –** Click Add User credential. The User Credentials window opens.
+
+**Step 3 –** Configure the following:
+
+- Select Account Type – Select **Active Directory Account**
+- Domain – Select the domain where the network share resides
+- User name – Enter the account with Read access to the network share
+- Provide the account password:
+
+ - Password Storage – Select the password storage location, if it is being stored in a vault,
+ like CyberArk
+ - Password / Confirm – Enter the account password in both fields
+
+**Step 4 –** Click OK to save and close the User Credentials window.
+
+**Step 5 –** Click **Save** and then **OK** to confirm the changes to the Connection Profile.
+
+**Step 6 –** Navigate to the Jobs > Active Directory > 6.Activity > 0.Collection Job Group. Select
+the **Settings > Connection** node.
+
+**Step 7 –** Select the **Select one of the following user defined profiles** option. Expand the
+drop-down menu and select the Connection Profile with this credential.
+
+**Step 8 –** Click **Save** and then **OK** to confirm the changes to the job group settings.
+
+The Connection Profile will now be used for AD Activity collection.
+
+## Configure the AD_ActivityCollection Job
+
+Access Analyzer requires additional configurations in order to collect domain activity data. Follow
+the steps to configure the **AD_ActivityCollection** Job.
+
+:::note
+Ensure that the .Active Directory Inventory Job Group has been successfully run against
+the target domain.
+:::
+
+
+**Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** >
+**AD_ActivityCollection** Job. Select the **Configure** > **Queries** node.
+
+**Step 2 –** Click **Query Properties**. The Query Properties window displays.
+
+**Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard
+opens.
+
+![Active Directory Activity DC wizard Category page](/images/activitymonitor/9.0/config/activedirectory/categoryimportfromshare.webp)
+
+**Step 4 –** On the Category page, choose **Import from Share** option and click **Next**.
+
+![Active Directory Activity DC wizard Share settings page](/images/activitymonitor/9.0/config/activedirectory/share.webp)
+
+**Step 5 –** On the Share page, provide the UNC path to the AD Activity share archive location. If
+there are multiple archives in the same network share, check the **Include Sub-Directories** box.
+Click **Next**.
+
+![Active Directory Activity DC wizard Scoping and Retention page](/images/activitymonitor/9.0/config/activedirectory/scope.webp)
+
+**Step 6 –** On the Scope page, set the Timespan as desired. There are two options:
+
+- Relative Timespan – Set the number of days of activity logs to collect when the scan is run
+- Absolute Timespan – Set the date range for activity logs to collect when the scan is run
+
+:::info
+The threshold should be set to ensure the logs are collected before the Activity
+Monitor domain output log retention expires. For example, if Access Analyzer runs the
+**AD_ActivityCollection** Job once a week (every 7 days), then the Activity Monitor output should be
+configured to retain at least 10 days of log files.
+:::
+
+
+**Step 7 –** Set the Retention period as desired. This is the number of days Access Analyzer keeps
+the collected data in the SQL Server database.
+
+**Step 8 –** Click **Next** and then **Finish** to save the changes and close the wizard.
+
+**Step 9 –** Click **OK** to save the changes and close the Query Properties page.
+
+The query is now configured to target the network share where the Activity Monitor domain activity
+logs are archived.
diff --git a/docs/activitymonitor/10.0/requirements/adagent/adagent.md b/docs/activitymonitor/10.0/requirements/adagent/adagent.md
new file mode 100644
index 0000000000..0ec31eb9a1
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/adagent/adagent.md 
@@ -0,0 +1,125 @@
+---
+title: "AD Agent Server Requirements"
+description: "AD Agent Server Requirements"
+sidebar_position: 20
+---
+
+# AD Agent Server Requirements
+
+Active Directory (AD) monitoring can be accomplished through two primary methods:
+
+- Activity Monitor Agents with the AD Module
+- Retrieving activity data from Netwrix Threat Prevention
+
+Both approaches require the installation of agents on each domain controller within the monitored
+domain and are compatible with Netwrix Access Analyzer and Netwrix
+Threat Manager, feeding them AD activity data.
+
+Activity Monitor Agents: This option focuses solely on monitoring AD activity, providing basic
+visibility into AD events without additional features.
+
+![nam_admodule](/images/activitymonitor/9.0/requirements/nam_admodule.webp)
+
+Netwrix Threat Prevention: Offers a more comprehensive and flexible monitoring experience, including
+advanced features like operation blocking and enhanced monitoring capabilities.
+
+![ntp](/images/activitymonitor/9.0/requirements/ntp.webp)
+
+These methods provide organizations with a choice between basic AD activity monitoring and a more
+versatile, security-enhanced option.
+
+**Activity Monitor and Threat Prevention Compatibility Matrix**
+
+| Activity Monitor Version | Threat Prevention (formerly Stealth Intercept) Version | Threat Prevention Version |
+| ------------------------ | ------------------------------------------------------ | ------------------------- |
+| 7.1 | 7.3 | 7.4 |
+| 7.0 | 7.3 | |
+
+## Requirements
+
+The AD Agent is deployed to every domain controllers to monitor Active Directory domains. The server
+can be physical or virtual.
The supported operating systems are:
+
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+
+**RAM, Cores, and Disk Space**
+
+These depend on the amount of activity expected:
+
+| Environment | Recommended | Minimum |
+| ----------- | ----------- | ------- |
+| RAM | 8+ GB | 4+ GB |
+| Cores | 4+ CPU | 2 CPU |
+| Disk Space | 50 GB | 50 GB |
+
+The disk space requirement covers the following:
+
+- Agent Size – 150 MB
+- Agent Queues – In the event of a network outage, the agent will cache up to 40 GB of event data
+- Diagnostic Logging – 1 GB
+
+Old files are zipped, typical compression ratio is 20. Optionally, old files are moved from the
+server to a network share. See the [Archiving Tab](/docs/activitymonitor/10.0/admin/agents/properties/archiving.md) topic
+for additional information.
+
+**Additional Server Requirements**
+
+The following are additional requirements for the agent server:
+
+- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft
+ [.NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2)
+ article
+- WMI enabled on the machine, which is optional but required for centralized Agent maintenance
+
+**Permissions for Installation**
+
+The following permission is required to install and manage the agent:
+
+- Membership in the Domain Administrators group
+- READ and WRITE access to the archive location for Archiving feature only
+
+## Supported Active Directory Platforms
+
+The Activity Monitor provides the ability to monitor Active Directory:
+
+:::note
+For monitoring an Active Directory domain, the AD Agent must be installed on all domain
+controllers within the domain to be monitored.
+:::
+
+
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+
+See the [Active Directory Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/adagent/activity/activity.md)
+topic for target environment requirements.
+
+## AD Agent Compatibility with Non-Netwrix Security Products
+
+The following products conflict with the agent:
+
+:::warning
+Do not install these products on a server where an agent is deployed. Do NOT install an
+agent on a server where these products are installed.
+:::
+
+
+- Quest Change Auditor (aka Dell ChangeAuditor)
+- PowerBroker Auditor for Active Directory by BeyondTrust
+
+The following products, which protect LSASS, may prevent the agent from injecting into LSASS, and
+thereby prevent monitoring Active Directory events:
+
+- Cisco AMP for Endpoints Connector
+- Avast Business Antivirus
+
+ - Specifically the “Avast self-defense module”
+
+:::note
+These products and other similar products can be configured via a whitelist to allow the
+agent to operate.
+
+:::
diff --git a/docs/activitymonitor/10.0/requirements/adagent/threatprevention.md b/docs/activitymonitor/10.0/requirements/adagent/threatprevention.md
new file mode 100644
index 0000000000..9cc890344e
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/adagent/threatprevention.md
@@ -0,0 +1,53 @@ +--- +title: "Getting Data from NTP for AD Activity Reporting" +description: "Getting Data from NTP for AD Activity Reporting" +sidebar_position: 20 +--- + +# Getting Data from NTP for AD Activity Reporting + +When Netwrix Threat Prevention is configured to monitor a domain, the event data collected by the +policies can be provided to Netwrix Access Analyzer for Active +Directory Activity reporting. This is accomplished by configuring Threat Prevention to send data to +Netwrix Activity Monitor, which in turn creates the activity log files that Access Analyzer +collects. + +:::note +Threat Prevention can only be configured to send event data to one Netwrix application, +either Netwrix Activity Monitor or Netwrix Threat Manager but not both. However, the Activity +Monitor can be configured with outputs for Access Analyzer and Threat Manager +::: + + +Follow these steps to configure this integration. + +:::info +It is a best practice to use the API Server option of the Activity Monitor for +this integration between Threat Prevention and Access Analyzer. +::: + + +**Step 1 –** In the Threat Prevention Administration Console, click **Configuration** > **Netwrix +Threat Manager Configuration** on the menu. The Netwrix Threat Manager Configuration window opens. + +**Step 2 –** On the Event Sink tab, configure the following: + +- Netwrix Threat Manager URI – Enter the name of the Activity Monitor agent host and port, which is + 4499 by default, in the following format: + + `amqp://localhost:4499` + + You must use localhost, even if Activity Monitor and Threat Prevention are installed on + different servers. + +- App Token – Leave this field blank for integration with Activity Monitor +- Policies – The table displays all policies created in Threat Prevention along with a State icon + indicating if the policy is active. Check the **Send** box for the desired policies monitoring the + target domain activity. + +**Step 3 –** Click **Save**. 
+ +All real-time event data from the selected policies are now being sent to Activity Monitor. +Additional policies can be added to this data stream through the Netwrix Threat Manager +Configuration window or by selecting the **Send to Netwrix Threat Manager** option on the Actions +tab of the policy. diff --git a/docs/activitymonitor/10.0/requirements/linuxagent.md b/docs/activitymonitor/10.0/requirements/linuxagent.md new file mode 100644 index 0000000000..3a77bb74e3 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/linuxagent.md 
@@ -0,0 +1,76 @@ +--- +title: "Linux Agent Server Requirements" +description: "Linux Agent Server Requirements" +sidebar_position: 30 +--- + +# Linux Agent Server Requirements + +The server where the agent is deployed can be physical or virtual. The supported operating systems +are: + +- Red Hat Enterprise Linux + + - V 9.x + - V 8.x + +- Activity Monitor supports RHEL kernels in FIPS mode compliant with FIPS 140-2 and FIPS 140-3. + +## Target Requirements + +:::note +For monitoring a Linux file server, the The Linux Agent is deployed to Linux servers to be +monitored. It cannot be deployed to a proxy server. +::: + + +## Supported Protocols + +The following protocols are supported for the Linux agent: + +- Local +- Common Internet File System (CIFS) / Server Message Block (SMB) +- Network File System (Mounted Client-Side) + +:::note +Server-Side NFS protocol is not supported. +::: + + +## Permissions for Installation + +The following permission is required by the account used to install and manage the agent: + +- Root privileges with password (or SSH private key) + +For integration between the Activity Monitor and Access Analyzer, the credential used by Access +Analyzer to read the activity log files must have also have this permission. + +:::info +Activity Monitor Agent uses certificates to secure the connection between the Linux Agent and the Console / API Server. +By default, the Agent uses an automatically generated self-signed certificate. The Console and the API Server do not enforce +validity checks on these self-signed agent certificates. + +This self-signed certificate can be replaced with one issued by a Certification Authority. Once replaced, the Console and +the API Server will ensure the validity of the agent’s certificates. + +See the [Certificate](/docs/activitymonitor/10.0/admin/agents/properties/certificate.md) topic for additional information. 
+::: + + +## Immutable Mode + +For file activity monitoring on Linux, Activity Monitor relies on **auditd** component of the Linux +Auditing System. One of the features of auditd is the **immutable mode** or `-e 2` command, which +locks the audit configuration and protects it from being changed. When the immutable mode is +enabled, the only way to change the auditing configuration is to reboot the server. + +To check if the immutable mode is enabled, use the `auditctl -s` command. If the immutable mode is +active, the command will print `enabled 2`. Alternatively, check for the `-e 2` line in the +`/etc/audit/rules.d/audit.rules` file. + +Activity Monitor supports the immutable mode. It compares the current auditd configuration with the +desired one. If they differ and the immutable mode is enabled, the product displays a warning that a +server restart is required in the status section of the **Monitored Hosts & Services** tab. After the reboot, +the changes take effect and the immutable mode is enabled. + diff --git a/docs/activitymonitor/10.0/requirements/overview.md b/docs/activitymonitor/10.0/requirements/overview.md new file mode 100644 index 0000000000..2707562f3b --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/overview.md 
@@ -0,0 +1,78 @@ +--- +title: "Requirements" +description: "Requirements" +sidebar_position: 20 +--- + +# Requirements + +This topic describes the recommended configuration of the servers needed to install the application +in a production environment. Depending on the size of the organization, it is recommended to review +your environment and requirements with a Netwrix engineer prior to deployment to ensure all +exceptions are covered. + +## Architecture Overview + +The following servers are required for installation of the application: + +**Core Components** + +- **Activity Monitor Console** Machine – This is where the management console is installed. + The Console can be installed on several machines to manage the same set of agents. + + :::note + The Activity Monitor Console can be hosted on the same machine as other Netwrix + products. + ::: + + +- **Agents** – There are three deployment scenarios that that differ in their requirements: + + - Activity monitoring of Windows file servers, Network Attached Storage (NAS) devices, Azure Files, Microsoft Entra ID, SharePoint On-premise, + SharePoint Online, Exchange Online, and SQL Server. The agent is deployed on a Windows Server. + See the [Activity Agent Server Requirements](/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md) topic + for additional information. + - Active Directory monitoring – the agent is deployed to every domain controllers to monitor Active Directory + domains. See the [AD Agent Server Requirements](/docs/activitymonitor/10.0/requirements/adagent/adagent.md) topic for additional information. + - Linux monitoring – the agent is deployed to Linux servers to be monitored. See the + [Linux Agent Server Requirements](/docs/activitymonitor/10.0/requirements/linuxagent.md) topic for additional information. + +**Target Environment Considerations** + +The target environment encompasses all servers, devices, or infrastructure to be monitored by +Activity Monitor. 
Most solutions have additional target requirements. + +## Activity Monitor Console Machine Requirements + +The machine can be a Windows Server or desktop, as well as physical or virtual. The Console can be installed on serveral machines to manage the same agents. +The following Windows Server operating systems are supported: + +- Windows Server 2025 +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +The following Windows desktop operating systems are supported: + +- Windows 11 +- Windows 10 + +**RAM, Processor, and Disk Space** + +- RAM – 4 GB minimum +- Processor – x64 +- Disk Space – 1 GB minimum + +**Additional Machine Requirements** + +The following are additional requirements for the Console machine: + +- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft + [.NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2) + article + +**Permissions for Installation** + +The following permission is required to install and use the application: + +- Membership in the local Administrators group for the Activity Monitor Console machine diff --git a/docs/activitymonitor/10.0/restapi/_category_.json b/docs/activitymonitor/10.0/restapi/_category_.json new file mode 100644 index 0000000000..37dc66e9c5 --- /dev/null +++ b/docs/activitymonitor/10.0/restapi/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "REST API", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/restapi/overview.md b/docs/activitymonitor/10.0/restapi/overview.md new file mode 100644 index 0000000000..f5bc010c6e --- /dev/null +++ b/docs/activitymonitor/10.0/restapi/overview.md 
@@ -0,0 +1,29 @@ +--- +title: "REST API" +description: "REST API" +sidebar_position: 60 +--- + +# REST API + +## Overview + +Netwrix Activity Monitor API gives you access to the most information and functionality available in +the console. You can manage agents, monitored hosts and services, AD monitoring using API. + +The REST-style API is provided by the API Server feature which is a component of the Activity +Monitor Agent (Windows only). It is pre-installed with the Agent, disabled by default. + +Like the console, a single API Server can manage many agents. A single API Server can manage the +whole organization. However, one capability requires running the API Server on each and every +Activity Monitor Agent and is the HTTPS access to the log files. + +See the following topics for additional information: + +- [Security and Access Control](/docs/activitymonitor/10.0/restapi/security.md) +- [Schema and Resources](/docs/activitymonitor/10.0/restapi/resources/resources.md) + + - [Agent](/docs/activitymonitor/10.0/restapi/resources/agent.md) + - [Domain](/docs/activitymonitor/10.0/restapi/resources/domain.md) + - [Host](/docs/activitymonitor/10.0/restapi/resources/host.md) + - [Output](/docs/activitymonitor/10.0/restapi/resources/output.md) diff --git a/docs/activitymonitor/10.0/restapi/resources/_category_.json b/docs/activitymonitor/10.0/restapi/resources/_category_.json new file mode 100644 index 0000000000..9a2c4705c7 --- /dev/null +++ b/docs/activitymonitor/10.0/restapi/resources/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Schema and Resources", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "resources" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/10.0/restapi/resources/agent.md b/docs/activitymonitor/10.0/restapi/resources/agent.md new file mode 100644 index 0000000000..30ef470331 --- /dev/null +++ b/docs/activitymonitor/10.0/restapi/resources/agent.md 
@@ -0,0 +1,262 @@ +--- +title: "Agent" +description: "Agent" +sidebar_position: 10 +--- + +# Agent + +| Attribute | Type | Detailed Only | Description | +| ---------------------------------------- | -------- | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| id | string | | Agent ID | +| platformId | string | | Platform of the agent: Windows , Linux | +| url | string | | Self URL | +| host | string | | Host name/address as specified by user | +| netbiosName | string | | NETBIOS name | +| authenticationMethod | string | | The authentication method for connecting to the agent: Password, PublicKey | +| agentPort | int | | The port that is used by the agent. Default: 4498. | +| userName | string | | Account for connecting to the agent. | +| password | string | X | Account password for connecting to the agent. Password is not exposed. | +| privateKey | string | | The private key used when PublicKey authentication method is used. The private key is not exposed. | +| clientCertificate | string | | The agent's client certificate. | +| protocol | string | | The protocol used for connecting to the agent: GRPC | +| domain | string | | Domain name of the agent | +| machineSid | string | | The Machine SID of the Agent Server. 
| +| osVersion | string | | OS version or version servicepack | +| isDC | bool | | Is Agent a domain controller | +| errorMessage | string | | Description of the failure condition | +| installState | string | | State of Activity Monitor agent: `NotInstalled`, `Unknown`, `Installed`, `Installing`, `Upgrading`, `Uninstalling`, `Outdated`, `Failed`, `ManagedBySI` (last one for Threat Prevention agents) | +| version | string | | Activity Monitor agent version | +| siInstallState | string | | State of Threat Prevention agent: `NotInstalled`, `Unknown`, `Installed`, `Installing`, `Upgrading`, `Uninstalling`, `Outdated`, `Failed`, `ManagedBySI` (last one for Threat Prevention agents) | +| siVersion | string | | Threat Prevention agent version | +| managedBySI | bool | | True if the Threat Prevention Agent configuration is managed by Threat Prevention. Otherwise Activity Monitor managed the Threat Prevention Agent | +| configVersion | string | | A hash of the config file | +| monitoredHostsUrl | string | | URL to the list of agent's hosts | +| monitoredDomainUrl | string | | URL to the domain monitored by the agent, if any | +| warnings | string[] | X | Array of errors/warnings if any | +| ad.safeModeStatus | string | X | `pending`, `approved`. If `pending`, the AD Module is in the safe (not yet loaded) mode. | +| ad.safeModeMessage | string | X | If in the safe mode, contains a reason why the agent switched to the mode. | +| ad.hardeningIsEnabled | bool | X | AD Module hardening is enabled or disabled. | +| ad.safeModeIsEnabled | bool | X | AD Module safe mode is enabled or disabled. | +| ad.dnsResolveIsEnabled | bool | X | AD Module DNS hostname resolution is enabled or disabled. | +| ad.siIpWhitelist | string[] | X | Whitelist of IPs allowed to connect to the AD Module port. 
| +| archive.IsEnabled | bool | X | Whether the archiving feature is enabled | +| archive.path | string | X | UNC path of the archival location | +| archive.userName | string | X | An account to access the archival location. | +| archive.password | string | X | User password to access the archival location. Password is not exposed. | +| archive.maxLocalSize | string | X | Maximum space the agent is allowed to use on the local drives. | +| fpolicy.port | int | X | NetApp c-mode fpolicy port | +| fpolicy.auth | string | X | `NoAuth`, `Server`, `Mutual` | +| fpolicy.ipWhitelist | string[] | X | IP whitelist | +| fpolicy.clientCertificate | string | X | The Client or CA certificate that is currently set. | +| fpolicy.serverCertificate | string | X | The FPolicy Server certificate that is currently set. Server Certificate is not exposed. | +| minLocalFreeSpace | string | X | Free disk threshold after which the agent stops writing data to the log files | +| cee.vcapsIsEnabled | bool | X | CEE Asynchronous bulk delivery (VCAPS) is enabled or disabled. | +| cee.vcapsInterval | int | X | Interval in seconds on how often events are delivered by CEE. | +| cee.vcapsEvents | int | X | Interval in number of events on how often events are delivered by CEE. | +| cee.httpEnabled | bool | X | CEE HTTP protocol is enabled or disabled | +| cee.rpcEnabled | bool | X | CEE RPC protocol is enabled or disabled | +| cee.ipWhitelist | string[] | X | Whitelist of IPs that are allowed to connect to the agent via http protocol. If blank the agent will accept connections from any host. | +| inactivityAlerts.isEnabled | bool | X | Whether Inactivity Alerting is enabled | +| inactivityAlerts.inactivityInterval | int | X | The time interval to elapse after the Monitored Host stops receiving events. | +| inactivityAlerts.replayInterval | int | X | How often to repeat an alert if the inactivity period is long lasting. 
| +| inactivityAlerts.inactivityCheckInterval | int | X | The time interval to check the Monitored Host for new events. | +| inactivityAlerts.syslog.server | string | X | The syslog server that is sent inactivity alerts. | +| inactivityAlerts.syslog.protocol | string | X | The syslog server protocol that is used: "UDP" , "TCP" , "TLS" | +| inactivityAlerts.syslog.separator | string | X | The syslog server separator / message framing that is used: "LF ASCII 10" , "CR ASCII 13" , "CRLF ASCII 13, 10" , "NUL ASCII 0" , "Octet Count RFC 5425". Only used for TCP and TLS protocols. | +| inactivityAlerts.syslog.template | string | X | The syslog server template text that is used. | +| inactivityAlerts.email.server | string | X | The email SMTP server that is sent inactivity alerts. | +| inactivityAlerts.email.ssl | bool | X | Email SMTP Server SSL / TLS is enabled or disabled. | +| inactivityAlerts.email.userName | string | X | Email SMTP Server Username. | +| inactivityAlerts.email.password | string | X | Email SMTP Server Password. Password is not exposed. | +| inactivityAlerts.email.from | string | X | Email address of where the inactivity alert is from. | +| inactivityAlerts.email.to | string | X | Email address of where the inactivity alert is sent to. | +| inactivityAlerts.email.subject | string | X | Email message subject of the inactivity alert. | +| inactivityAlerts.email.body | string | X | Email message body of the inactivity alert. | +| apiServerIsEnabled | bool | | API Server is enabled or disabled | +| apiServerPort | int | | API Server TCP/IP port | +| apiServerIpWhitelist | string[] | X | Whitelist of IPs allowed to connect to the API Server port. | +| apiServerMgmtConsole | string | X | NETBIOS name of the Console machine that manages the agent list of the API Server (only available for agent(s) that are running the api server) | +| traceLevel | string | X | The logging trace level of the agent. 
| +| externalNicName | string | X | The selected network interface that is used for connections. If blank, the agent will auto-detect the network interface to use. | +| comment | string | | The agent's set comment. | +| etwLogEnabled | bool | | If true or enabled the windows agent will produce extended debugging data (ETW) logs from the windows driver when Trace logging is enabled for the agent. | +| linux.serviceUsername | string | X | The linux agent's service username that is used to run the agent service / daemon. If blank, root user is used. | +| networkProxy.address | string | X | HTTP Proxy Server set in SERVER[:PORT] format. If blank HTTP Proxy is disabled. | +| networkProxy.useDefaultCredentials | bool | X | If enabled the proxy server authenticates as the agent's machine account. | +| networkProxy.bypassProxyOnLocal | bool | X | If enabled the agent will bypass the proxy server for local addresses. | +| networkProxy.userName | string | X | The Proxy Server Username | +| networkProxy.password | string | X | The Proxy Server Password. Password is not exposed. | +| networkProxy.bypassList | string[] | X | List of regular expressions that describe URIs that do not use the proxy server when accessed. | +| dns.isEnabled | bool | X | Local DNS caching service is enabled or disabled. | +| dns.listenPort | int | X | Port used by the DNS caching service. | +| dns.parallelism | int | X | Parallelism level to use while processing DNS requests. | +| dns.perfStatsTimeDebug | TimeSpan | X | Period to dump performance statistics on debug level. | +| dns.perfStatsTimeInfo | TimeSpan | X | Period to dump performance statistics on info level. | +| dns.forwardDnsServer | string[] | X | List of DNS servers specified to be used for lookups. If blank, the default DNS servers of the agent are used. | +| dns.cacheFile | string | X | The DNS cache buffer filename that is used. 
| +| dns.successTtl | TimeSpan | X | How long to cache successful lookup results before attempting the search again. | +| dns.failedTtl | TimeSpan | X | How long to cache a failed lookup result before attempting the search again. | +| dns.clientWaitTimeout | TimeSpan | X | The amount of the DNS service is allowed to process a request before sending a not found response. If no results are received the lookup operation continues in the background. | +| dns.refreshThreshold | TimeSpan | X | An interval between expired items in the cache check. | +| dns.maxCacheSize | int | X | The max size of the dns service buffer file. | +| dns.uselessAge | TimeSpan | X | The DNS service does not resolve names for events older then the set time period. | +| dns.maxAttemptsToResolve | int | X | Maximum attempts that the DNS service will use to resolve addresses. If 0 is set, the DNS service will resolve addresses infinitely. | +| dns.suffix | string | X | The DNS suffix identifies the domain name that is appended to an unqualified host name to obtain a fully qualified domain name (FQDN) suitable for a dns name query. | +| adUsers.domainControllers | string[] | X | List of Domain Controllers to be used for user lookups. If blank, the default behavior is used. | +| adUsers.lookupTimeout | TimeSpan | X | The amount of time the agent will wait for the query results. If no results are received , the agent reports an empty username in the events, but continues the lookup operation in the background. | +| adUsers.successCacheTtl | TimeSpan | X | How long to cache successful lookup results before attempting the lookup from Active Directory again. | +| adUsers.failedCacheTtl | TimeSpan | X | How long to cache failed lookup results before attempting the lookup from Active Directory again. | +| adUsers.maxCacheSize | int | X | The max size of the cache buffer file. | +| panzura.port | int | X | Agent port used for Panzura. 
| +| panzura.useCredentials | bool | X | Protection of Panzura port is enabled or disabled. | +| panzura.username | string | X | Panzura's MQ username used for port protection. | +| panzura.password | string | X | Panzura's MQ password used for port protection. Password is not exposed. | +| panzura.ipWhitelist | string[] | X | Whitelist of IP addresses of Panzura nodes that are allowed to connect to the Agent's Panzura port. If blank, connections from any host are accepted. | +| nutanix.port | int | X | Agent port used for Nutanix. | +| nutanix.ipWhitelist | string[] | X | Whitelist of IP addresses of Nutanix nodes that are allowed to connect to the Agent's Nutanix port. If blank, connections from any host are accepted. | +| qumulo.port | int | X | Agent port used for Qumulo. | +| qumulo.ipWhitelist | string[] | X | Whitelist of IP addresses of Qumulo nodes that are allowed to connect to the Agent's Qumulo port. If blank, connections from any host are accepted. | +| ctera.port | int | X | Agent port used for Ctera. | +| ctera.ipWhitelist | string[] | X | Whitelist of IP addresses of CTERA portals that are allowed to connect to the Agent's CTERA port. If blank, connections from any host are accepted. 
|
+
+**Response Example**
+
+```
+{
+    "warnings": [],
+    "archive": {
+        "isEnabled": false,
+        "path": "\\\\KDVM01\\SBACTIVITYLOGS",
+        "userName": "",
+        "maxLocalSize": "5GB"
+    },
+    "cee": {
+        "vcapsIsEnabled": false,
+        "vcapsInterval": 60,
+        "vcapsEvents": 100,
+        "httpEnabled": false,
+        "rpcEnabled": true,
+        "ipWhitelist": []
+    },
+    "ad": {
+        "safeModeStatus": null,
+        "safeModeMessage": null,
+        "hardeningIsEnabled": false,
+        "safeModeIsEnabled": true,
+        "dnsResolveIsEnabled": true,
+        "siIpWhitelist": []
+    },
+    "minLocalFreeSpace": "64MB",
+    "fpolicy": {
+        "port": 9999,
+        "auth": "NoAuth",
+        "ipWhitelist": [],
+        "clientCertificate": "",
+        "serverCertificate": ""
+    },
+    "inactivityAlerts": {
+        "isEnabled": false,
+        "inactivityInterval": 360,
+        "replayInterval": 360,
+        "inactivityCheckInterval": 1,
+        "syslog": {
+            "server": "",
+            "protocol": "UDP",
+            "separator": "Lf",
+            "template": "<14>1 %TIME_STAMP_UTC% %AGENT% %PRODUCT% - NO_DATA - [origin ip=\"%INACTIVE_SERVER_IP%\"][noactivity@33334 host=\"%INACTIVE_SERVER%\" lastEvent=\"%LAST_EVENT_TIME_STAMP_UTC%\" activityType=\"%ACTIVITY_TYPE%\"] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours."
+        },
+        "email": {
+            "server": "",
+            "ssl": false,
+            "userName": "",
+            "from": "",
+            "to": "",
+            "subject": "[Activity Monitor] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours",
+            "body": "There were no activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours.\n  \nHost:                 %INACTIVE_SERVER%\n  Activity Type: %ACTIVITY_TYPE%\n  Period of inactivity: %INACTIVITY_PERIOD_HOURS% hours / %INACTIVITY_PERIOD_MINUTES% minutes\n  Last event received:  %LAST_EVENT_TIME_STAMP_UTC% (UTC)\n  Last event received:  %LAST_EVENT_TIME_STAMP% (agent time)\n  Agent:                %AGENT%\n  \n  \n  %PRODUCT% %PRODUCT_VERSION%\n"
+        }
+    },
+    "panzura": {
+        "port": 4497,
+        "useCredentials": false,
+        "username": "guest",
+        "ipWhitelist": []
+    },
+    "nutanix": {
+        "port": 4501,
+        "ipWhitelist": []
+    },
+    "qumulo": {
+        "port": 4496,
+        "ipWhitelist": []
+    },
+    "ctera": {
+        "port": 4499,
+        "ipWhitelist": []
+    },
+    "linux": {
+        "serviceUsername": ""
+    },
+    "apiServerIpWhitelist": [],
+    "apiServerMgmtConsole": "KDVM01",
+    "traceLevel": "Info",
+    "externalNicName": "",
+    "dns": {
+        "isEnabled": false,
+        "listenPort": 4503,
+        "parallelism": 4,
+        "perfStatsTimeDebug": "00:01:00",
+        "perfStatsTimeInfo": "00:10:00",
+        "forwardDnsServer": [],
+        "cacheFile": "dns.cache",
+        "successTtl": "01:00:00",
+        "failedTtl": "00:01:00",
+        "clientWaitTimeout": "00:00:01.8000000",
+        "refreshThreshold": "00:00:01",
+        "maxCacheSize": 1000000,
+        "uselessAge": "1.00:00:00",
+        "maxAttemptsToResolve": 30,
+        "suffix": ""
+    },
+    "adUsers": {
+        "domainControllers": [],
+        "lookupTimeout": "00:00:02",
+        "successCacheTtl": "10:00:00",
+        "failedCacheTtl": "00:01:00",
+        "maxCacheSize": 300000
+    },
+    "networkProxy": {
+        "address": "",
+        "useDefaultCredentials": false,
+        "bypassProxyOnLocal": false,
+        "userName": "",
+        "bypassList": []
+    },
+    "id": "AGENT0",
+    "platformId": "windows",
+    "url": "https://127.0.0.1:4494/api/v1/agents/AGENT0",
+    "host": "KDVM01",
+    "netbiosName": "KDVM01",
+    "authenticationMethod": "Password",
+    "userName": "KDUD1\\Administrator",
+    "clientCertificate": "",
+    "protocol": "GRPC",
+    "domain": "KDUD1",
+    "machineSid": "S-1-5-21-3126412784-2087258618-1984987930-1105",
+    "osVersion": "10.0.14393.0",
+    "isDC": false,
+    "errorMessage": "",
+    "installState": "Installed",
+    "version": "7.1.164",
+    "siInstallState": "NotInstalled",
+    "siVersion": "",
+    "managedBySI": false,
+    "configVersion": "xVdvRQnWGvifzQ8Q9rpfVj227Jo=",
+    "monitoredHostsUrl": "https://127.0.0.1:4494/api/v1/agents/AGENT0/hosts",
+    "monitoredDomainUrl": "https://127.0.0.1:4494/api/v1/agents/AGENT0/domain",
+    "apiServerIsEnabled": true,
+    "apiServerPort": 4494,
+    "comment": "",
+    "agentPort": 4498
+}
+```
diff --git a/docs/activitymonitor/10.0/restapi/resources/domain.md b/docs/activitymonitor/10.0/restapi/resources/domain.md
new file mode 100644
index 0000000000..ecf67dfcca
--- /dev/null
+++ b/docs/activitymonitor/10.0/restapi/resources/domain.md
@@ -0,0 +1,99 @@ +--- +title: "Domain" +description: "Domain" +sidebar_position: 20 +--- + +# Domain + +| Attribute | Type | Detailed Only | Description | +| -------------- | -------- | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| id | string | | Domain ID | +| url | string | | Self URL | +| name | string | | Domain NETBIOS name | +| managedBySI | bool | | Whether the monitoring configuration is managed by Threat Prevention or Activity Monitor | +| outputs | output[] | | Domain outputs. Domain outputs are common for all the domain controllers. However, there are several agent-specific settings, like `archivePath`. Do get agent-specific outputs use `api/v1/agents/«agentId»/domain`. | +| outputsUrl | string | | URL to domain outputs | +| agentsUrl | string | | URL to domain controllers | +| masterAgentId | string | | ID of the Master agent - the one whose configuration is considered the master one. | +| masterAgentUrl | string | | URL to the Master agent. | +| policies | policy[] | | Domain Policies. The list of policies for the domain. 
|
+
+**Response Example**
+
+```
+{
+    "id": "KDUD1",
+    "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1",
+    "name": "KDUD1",
+    "managedBySI": false,
+    "outputs": [
+        {
+            "id": "69cce1100fce406192d1d8553083af43",
+            "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs/69cce1100fce406192d1d8553083af43",
+            "domainId": "KDUD1",
+            "domainUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1",
+            "agentsIds": [],
+            "isEnabled": true,
+            "type": "LogFile",
+            "logFile": {
+                "format": "Json",
+                "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\KDUD1_Log_.json",
+                "archivePath": "\\\\KDVM01\\SBACTIVITYLOGS\\KDDC01\\KDUD1_69cce110-0fce-4061-92d1-d8553083af43\\KDUD1_Log_.json",
+                "periodToRetainLog": 10,
+                "reportUserName": false,
+                "reportUncPath": false,
+                "addCToPath": true,
+                "reportMilliseconds": true,
+                "stealthAudit": true
+            },
+            "comment": "",
+            "managedBy": "",
+            "altHost": ""
+        },
+        {
+            "id": "cd34eb7a0c1d40c097b56056af2afd73",
+            "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs/cd34eb7a0c1d40c097b56056af2afd73",
+            "domainId": "KDUD1",
+            "domainUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1",
+            "agentsIds": [],
+            "isEnabled": true,
+            "type": "Syslog",
+            "syslog": {
+                "reportUncPath": false,
+                "addCToPath": true,
+                "server": "1.2.3.4:514",
+                "protocol": "UDP",
+                "separator": "Lf",
+                "template": "%SYSLOG_DATE% %HOST% LEEF:1.0|%COMPANY%|%PRODUCT%|%PRODUCT_VERSION%|%EVENT_SOURCE_TYPE%%CLASS_NAME%%EVENTNAMETRANSLATED%%SUCCESS%%BLOCKED_EVENT%|cat=%EVENTNAMETRANSLATED%\tdevTimeFormat=yyyy-MM-dd HH:mm:ss.SSS\tdevTime=%TIME_STAMP%\tSettingName=%SETTING_NAME%\tdomain=%EVENT_SOURCE_NAME%\tusrName=%PERPETRATOR_NAME%\tsrc=%ORIGINATINGCLIENTIP%\tdst=%ORIGINATING_SERVERIP%\tDistinguishedName=%DN%\tAffectedObject=%AFFECTED_OBJECT_ACCOUNT_NAME%\tClassName=%CLASS_NAME%\tOrigServer=%ORIGINATING_SERVER%\tSuccess=%SUCCESS%\tBlocked=%BLOCKED_EVENT%\tAttrName=%ATTRIBUTE_NAME%\tAttrNewValue=%ATTRIBUTE_VALUE%\tAttrOldValue=%OLD_ATTRIBUTE_VALUE%\tOperation=%OPERATION%"
+            },
+            "comment": "",
+            "managedBy": "",
+            "altHost": ""
+        },
+        {
+            "id": "bee61b424f214f7583e9cece222b8f41",
+            "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs/bee61b424f214f7583e9cece222b8f41",
+            "domainId": "KDUD1",
+            "domainUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1",
+            "agentsIds": [],
+            "isEnabled": true,
+            "type": "Amqp",
+            "amqp": {
+                "server": "5.6.7.8:10001",
+                "userName": "StealthINTERCEPT",
+                "queue": "",
+                "exchange": "StealthINTERCEPT",
+                "vhost": ""
+            },
+            "comment": "",
+            "managedBy": "",
+            "altHost": ""
+        }
+    ],
+    "outputsUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs",
+    "agentsUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1/agents",
+    "masterAgentId": "AGENT1",
+    "masterAgentUrl": "https://127.0.0.1:4494/api/v1/agents/AGENT1"
+}
+```
diff --git a/docs/activitymonitor/10.0/restapi/resources/host.md b/docs/activitymonitor/10.0/restapi/resources/host.md
new file mode 100644
index 0000000000..55a187f7e5
--- /dev/null
+++ b/docs/activitymonitor/10.0/restapi/resources/host.md
@@ -0,0 +1,481 @@
+---
+title: "Host"
+description: "Host"
+sidebar_position: 30
+---
+
+# Host
+
+| Attribute | Type | Detailed Only | Description |
+| ---------------------------------------- | -------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| id | string | | ID of the host. |
+| url | string | | Self URL |
+| host | string | | Host name/Address as specified by a user |
+| type | string | | `Windows`,`NetApp`,`Celerra`,`Isilon`,`Hitachi`,`SharePoint`,`Unity`,`Nasuni`, `Panzura`, `SharePointOnline`, `AzureAD`, `Linux`, `SqlServer` |
+| userName | string | | An account to connect the host to |
+| password | string | X | Account password to connect the host to. Password is not exposed. |
+| autoConfigureAuditing | bool | | Automatically enable the auditing on the device, if supported |
+| monitorAuditingStatus | bool | | Constantly verify that the auditing is enabled, fix if needed |
+| hostAliases | string[] | | List of server names for NAS if they are different from the set name of the host. |
+| outputs | output[] | | Array of host's outputs |
+| inactivityAlerts.isEnabled | bool | | Whether Inactivity Alerting is enabled |
+| inactivityAlerts.useCustomSettings | bool | | Whether to use custom host settings, or inherit from agent settings. |
+| inactivityAlerts.inactivityInterval | int | | The time interval to elapse after the Monitored Host stops receiving events. |
+| inactivityAlerts.replayInterval | int | | How often to repeat an alert if the inactivity period is long lasting. |
+| inactivityAlerts.inactivityCheckInterval | int | | The time interval to check the Monitored Host for new events. |
+| inactivityAlerts.syslog.server | string | | The syslog server that is sent inactivity alerts. |
+| inactivityAlerts.syslog.protocol | string | | The syslog protocol that is used: "UDP" , "TCP" , "TLS" |
+| inactivityAlerts.syslog.separator | string | | The syslog server separator / message framing that is used: "LF ASCII 10" , "CR ASCII 13" , "CRLF ASCII 13, 10" , "NUL ASCII 0" , "Octet Count RFC 5425". Only used for TCP and TLS protocols. |
+| inactivityAlerts.syslog.template | string | | The syslog message template text. |
+| inactivityAlerts.email.server | string | | The email or SMTP server or IP that is used to send host inactivity alerts. |
+| inactivityAlerts.email.ssl | bool | | Email SMTP Server SSL / TLS is enabled or disabled. |
+| inactivityAlerts.email.userName | string | | The email or SMTP server user name. |
+| inactivityAlerts.email.password | string | X | The email or SMTP server password. Password is not exposed. |
+| inactivityAlerts.email.from | string | | Email address of where the inactivity alert is from. |
+| inactivityAlerts.email.to | string | | Email address of where the inactivity alert is sent to. |
+| inactivityAlerts.email.subject | string | | Email message subject of the inactivity alert. |
+| inactivityAlerts.email.body | string | | Email message body of the inactivity alert. |
+| uidTranslate.isEnabled | bool | | NFS UID translation to Windows SID is enabled or disabled. |
+| uidTranslate.domainController | string | | The name of the forest or a Domain Controller. Used for Active Directory searches. |
+| uidTranslate.port | int | | The port used for Active Directory searches. |
+| uidTranslate.options | string | | The set options used for Active Directory searches. |
+| uidTranslate.container | string | | The Active Directory container set to be searched. |
+| uidTranslate.scope | string | | The scope of the Active Directory search. |
+| uidTranslate.filter | string | | The filter of the Active Directory search. |
+| hitachi.uncLogPath | string | | The path of the hitachi audit event log file. |
+| hitachi.logFileName | string | | The filename of the hitachi audit event log. |
+| hitachi.pollingInterval | TimeSpan | | The interval of polling the log for new events. |
+| api.protocol | string | | The API Protocol being used: "AutoDetect", "HTTPS", "HTTPSIgnoreErrors", "HTTP". |
+| api.certificate | string | | The text output of the HTTPS certificate. |
+| api.hostNameVerification | bool | | If certificate hostname verification is enabled or disabled. |
+| api.channel | string | | The communication method being used: "AutoDetect", "ONTAPI", "REST" (only used for netapp hosts) |
+| netapp.managementLif | string | | The Management LIF of the netapp host. Disabled / Empty by default. |
+| netapp.nfs3EventName | string | | The fpolicy Event Name for successful NFSv3 Events. Default: "StealthAUDITScreeningNfsV3" |
+| netapp.nfs3FailedEventName | string | | The fpolicy Event Name for failed NFSv3 Events. Default: "StealthAUDITScreeningFailedNfsV3" |
+| netapp.nfs4FailedEventName | string | | The fpolicy Event Name for failed NFSv4 Events. Deafult: "StealthAUDITScreeningFailedNfsV4" |
+| netapp.nfs4EventName | string | | The fpolicy Event Name for successful NFSv4 Events. Default: "StealthAUDITScreeningNfsV4" |
+| netapp.cifsEventName | string | | The fpolicy Event Name for successful CIFS Events. Default: "StealthAUDITScreeningCifs" |
+| netapp.cifsFailedEventName | string | | The fpolicy Event Name for failed CIFS Events. Default: "StealthAUDITScreeningCifs" |
+| netapp.policyName | string | | Deprecated, use `policyNames`. The name used to create/update FPolicy policy (if `autoConfigureAuditing` is enabled) and monitor its state (if `monitorAuditingStatus` is enabled). Default: "StealthAUDIT"|
+| netapp.policyNames | string[] | | The fpolicy Policy names. The first policy will be created/updated if `autoConfigureAuditing` is enabled; all listed policies will be monitored if `monitorAuditingStatus` is enabled. Default: [ "StealthAUDIT" ]|
+| netapp.externalEngineName | string | | The fpolicy External Engine Name used for the Activity Monitor. Default: "StealthAUDITEngine" |
+| netapp.persistentStore.volume | string | | Name of the volume to use for the Persistent Store feature.|
+| netapp.persistentStore.size | long | | Initial size of the volume for the Persistent Store feature.|
+| netapp.persistentStore.autoSize | string | | `off` (default), `grow`, or `grow_shrink`.|
+| sharePoint.pollingInterval | TimeSpan | | The polling interval set for sharepoint on premise hosts. |
+| spo.azure.domain | string | | The Azure Active Directory domain being monitored for SharePoint Online. |
+| spo.azure.azureCloud | string | | The selected Azure Cloud being used: "Azure", "Azure for US Government GCC", "Azure for Government GCC High", "Azure for US Government DoD", "Azure Germany", "Azure China by 21Vianet" |
+| spo.azure.tenantId | string | | The azure Tenant ID |
+| spo.azure.tenantName | string | | The azure Tenant Name |
+| spo.azure.clientId | string | | The azure Tenant Client ID. |
+| spo.azure.clientSecret | string | X | The azure Client Secret. Client Secret is not exposed. |
+| spo.azure.region | string | | The azure Region. |
+| azureAd.azure.domain | string | | The Azure Active Directory domain being monitored. |
+| azureAd.azure.azureCloud | string | | The selected Azure Cloud being used: "Azure", "Azure for US Government GCC", "Azure for Government GCC High", "Azure for US Government DoD", "Azure Germany", "Azure China by 21Vianet" |
+| azureAd.azure.tenantId | string | | The azure Tenant ID |
+| azureAd.azure.tenantName | string | | The azure Tenant Name |
+| azureAd.azure.clientId | string | | The azure Tenant Client ID. |
+| azureAd.azure.clientSecret | string | X | The azure Client Secret. Client Secret is not exposed. |
+| azureAd.azure.region | string | | The azure Region. |
+| exchangeOnline.azure.domain | string | | The Azure Active Directory domain being monitored for Exchange Online. |
+| exchangeOnline.azure.azureCloud | string | | The selected Azure Cloud being used: "Azure", "Azure for US Government GCC", "Azure for Government GCC High", "Azure for US Government DoD", "Azure Germany", "Azure China by 21Vianet" |
+| exchangeOnline.azure.tenantId | string | | The azure Tenant ID |
+| exchangeOnline.azure.tenantName | string | | The azure Tenant Name |
+| exchangeOnline.azure.clientId | string | | The azure Tenant Client ID. |
+| exchangeOnline.azure.clientSecret | string | X | The azure Client Secret. Client Secret is not exposed. |
+| exchangeOnline.azure.region | string | | The azure Region. |
+| sql.pollingInterval | string | | The interval for polling SQL log for new events. |
+| sql.tweakOptions | string[] | | Extended Events tweaking options for SQL hosts. |
+| outputsUrl | string | | URL to the host's outputs |
+| agentsUrl | string | | URL to the agents that are monitoring the host |
+| status.updatedAt | DateTime | | A timestamp when the status has changed to this value. |
+| status.type | string | | OK, Error, or Warning - indicates a type of the status. |
+| status.summary | string | | A user-friendly summary string of the status. May be empty for the OK type, non-empty otherwise. |
+| status.details | string | | A user-friendly message that describes the status. May be empty. |
+| status.helpUrl | string | | A URL to a documentation or KB article about the issue. May be empty. |
+| statusHistoryUrl | string | | URL to the status history of the host. |
+| stats.receivedAt | DateTime | | Timestamp indicating the last time the Agent received something from the Host. |
+| stats.receivedCount | long | | Total number of events received by the agent for the Host. |
+| stats.lastEventTime | DateTime | | The most recent timestamp among all recent events received for the Host. File servers and other event sources can deliver events out of order. For example, each node of PowerScale cluster has its log and delivery cadence. This field shows the MAX(timestamp) for recent events. |
+
+**Response Example**
+
+```
+{
+    "autoConfigureAuditing": false,
+    "monitorAuditingStatus": false,
+    "hostAliases": [],
+    "inactivityAlerts": {
+        "isEnabled": false,
+        "useCustomSettings": false,
+        "inactivityInterval": 360,
+        "replayInterval": 360,
+        "inactivityCheckInterval": 1,
+        "syslog": {
+            "server": "",
+            "protocol": "UDP",
+            "separator": "Lf",
+            "template": "<14>1 %TIME_STAMP_UTC% %AGENT% %PRODUCT% - NO_DATA - [origin ip=\"%INACTIVE_SERVER_IP%\"][noactivity@33334 host=\"%INACTIVE_SERVER%\" lastEvent=\"%LAST_EVENT_TIME_STAMP_UTC%\" activityType=\"%ACTIVITY_TYPE%\"] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours."
+        },
+        "email": {
+            "server": "",
+            "ssl": false,
+            "userName": "",
+            "from": "",
+            "to": "",
+            "subject": "[Activity Monitor] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours",
+            "body": "There were no activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours.\n  \nHost:                 %INACTIVE_SERVER%\n  Activity Type: %ACTIVITY_TYPE%\n  Period of inactivity: %INACTIVITY_PERIOD_HOURS% hours / %INACTIVITY_PERIOD_MINUTES% minutes\n  Last event received:  %LAST_EVENT_TIME_STAMP_UTC% (UTC)\n  Last event received:  %LAST_EVENT_TIME_STAMP% (agent time)\n  Agent:                %AGENT%\n  \n  \n  %PRODUCT% %PRODUCT_VERSION%\n"
+        }
+    },
+    "id": "Windows-kdvm01",
+    "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01",
+    "host": "KDVM01",
+    "type": "Windows",
+    "userName": "",
+    "outputs": [
+        {
+            "id": "b08e3c84905b4aed8718f42d2ecc523d",
+            "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/b08e3c84905b4aed8718f42d2ecc523d",
+            "hostId": "Windows-kdvm01",
+            "hostUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01",
+            "agentsIds": [
+                "AGENT0"
+            ],
+            "logsUrl": "https://127.0.0.1:4494/api/v1/logs/b08e3c84905b4aed8718f42d2ecc523d",
+            "isEnabled": true,
+            "type": "LogFile",
+            "logFile": {
+                "format": "Tsv",
+                "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\KDVM01_Log_.tsv",
+                "archivePath": "",
+                "periodToRetainLog": 10,
+                "reportUserName": false,
+                "reportUncPath": false,
+                "addCToPath": true,
+                "reportMilliseconds": true,
+                "stealthAudit": true
+            },
+            "fileFilter": {
+                "allowed": true,
+                "denied": true,
+                "cifs": true,
+                "nfs": true,
+                "read": true,
+                "dirRead": false,
+                "create": true,
+                "dirCreate": true,
+                "rename": true,
+                "dirRename": true,
+                "delete": true,
+                "dirDelete": true,
+                "update": true,
+                "permission": true,
+                "dirPermission": true,
+                "attribute": true,
+                "dirAttribute": true,
+                "readOptimize": false,
+                "shareAdd": false,
+                "shareDelete": false,
+                "shareUpdate": false,
+                "sharePermission": false,
+                "streamRead": true,
+                "streamUpdate": true,
+                "streamDelete": true,
+                "streamAdd": true,
+                "includePaths": [],
+                "excludePaths": [],
+                "excludeExtensions": [
+                    ".TMP",
+                    ".RCV",
+                    ".DS_STORE",
+                    ".POLICY",
+                    ".MANIFEST",
+                    ".LACCDB",
+                    ".LDB"
+                ],
+                "excludeProcesses": [
+                    "SBTService.exe",
+                    "FPolicyServerSvc.exe",
+                    "CelerraServerSvc.exe",
+                    "FSACLoggingSvc.exe",
+                    "HitachiService.exe",
+                    "SIWindowsAgent.exe",
+                    "SIGPOAgent.exe",
+                    "LogProcessorSrv.exe",
+                    "SearchIndexer.exe",
+                    "WindowsSearch.exe",
+                    "StealthAUDIT",
+                    "MonitorService35.exe",
+                    "MonitorService40.exe",
+                    "MonitorService45.exe",
+                    "Configuration.exe",
+                    "ConfigurationAgent.exe",
+                    "ConfigurationAgent.Grpc.Host.exe"
+                ],
+                "excludeReadProcesses": [],
+                "excludeAccounts": [
+                    "S-1-5-17",
+                    "S-1-5-18",
+                    "S-1-5-19",
+                    "S-1-5-20"
+                ],
+                "filterGroups": false,
+                "officeFiltering": false,
+                "pathFilters": [
+                    "-**\\~$*.DOC",
+                    "-**\\~$*.DOCX",
+                    "-**\\~$*.ODT",
+                    "-**\\~$*.PPT",
+                    "-**\\~$*.PPTX",
+                    "-**\\~$*.PUB",
+                    "-**\\~$*.RTF",
+                    "-**\\~$*.TXT",
+                    "-**\\~$*.WPS",
+                    "-**\\~$*.XLSX",
+                    "-**\\~$*.XSN",
+                    "-**\\~$*.XML",
+                    "-**\\~$*.DOCM",
+                    "-**\\~$*.DOTX",
+                    "-**\\~$*.DOTM",
+                    "-**\\~$*.DOT",
+                    "-**\\~$*.MHT",
+                    "-**\\~$*.HTM",
+                    "-**\\~$*.XLSM",
+                    "-**\\~$*.XLSB",
+                    "-**\\~$*.XLTX",
+                    "-**\\~$*.XLTM",
+                    "-**\\~$*.XLAM",
+                    "-**\\~$*.ODS",
+                    "-**\\~$*.PPTM",
+                    "-**\\~$*.POTX",
+                    "-**\\~$*.POTM",
+                    "-**\\~$*.POT",
+                    "-**\\~$*.THMX",
+                    "-**\\~$*.PPSX",
+                    "-**\\~$*.PPSM",
+                    "-**\\~$*.PPS",
+                    "-**\\~$*.ODP",
+                    "-**\\~$*.PDF",
+                    "-**\\~$*.XPS",
+                    "-**\\.TEMPORARYITEMS\\**",
+                    "-**\\~SNAPSHOT\\**",
+                    "-**\\WATSONRC.DAT",
+                    "-**\\DESKTOP.INI",
+                    "-C:\\Windows\\**",
+                    "-C:\\Program Files\\**",
+                    "-C:\\Program Files (x86)\\**",
+                    "-C:\\ProgramData\\**",
+                    "-C:\\Documents and Settings\\**",
+                    "-C:\\Users\\**"
+                ],
+                "discardPreviewSubfolderReads": true,
+                "discardPreviewSubfolderReadsInterval": 10,
+                "discardPreviewFileReads": false,
+                "discardPreviewFileReadsInterval": 60,
+                "discardPreviewFileReadsFilenames": [
+                    "*.exe",
+                    "*.url",
+                    "*.lnk"
+                ],
+                "duplicateReadsInterval": 60
+            },
+            "comment": "",
+            "managedBy": "",
+            "windows": {
+                "vssCreation": true,
+                "vssDeletion": true,
+                "vssActivity": true,
+                "discardReorderedAcl": true,
+                "discardInheritedAcl": false
+            },
+            "status": {
+                "updatedAt": "2024-09-16T17:32:24.9987211Z",
+                "type": "OK"
+            },
+            "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/b08e3c84905b4aed8718f42d2ecc523d/statusHistory",
+            "altHost": "",
+            "stats": {
+                "reportedAt": "2024-09-16T16:33:13.803Z",
+                "reportedCount": 0,
+                "lastEventTime": "2024-09-16T16:33:13.803Z",
+                "filesCount": 2,
+                "filesSize": 1440,
+                "archiveFilesCount": 0,
+                "archiveFilesSize": 0
+            }
+        },
+        {
+            "id": "f20aa0a8b7de4961b8ea9016b0d5d579",
+            "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/f20aa0a8b7de4961b8ea9016b0d5d579",
+            "hostId": "Windows-kdvm01",
+            "hostUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01",
+            "agentsIds": [
+                "AGENT0"
+            ],
+            "isEnabled": true,
+            "type": "Syslog",
+            "syslog": {
+                "reportUncPath": false,
+                "addCToPath": true,
+                "server": "192.168.2.1:514",
+                "protocol": "UDP",
+                "separator": "Lf",
+                "template": "%SYSLOG_DATE% %HOST% LEEF:1.0|%COMPANY%|%PRODUCT%|%PRODUCT_VERSION%|%EVENT_SOURCE_TYPE%%CLASS_NAME%%EVENT_NAME%%SUCCESS%%BLOCKED_EVENT%|cat=%EVENT_NAME%\tdevTimeFormat=yyyy-MM-dd HH:mm:ss.SSS\tdevTime=%TIME_STAMP%\tSettingName=%SETTING_NAME%\tdomain=%EVENT_SOURCE_NAME%\tusrName=%PERPETRATOR%\tsrc=%ORIGINATING_CLIENT_IP%\tdst=%ORIGINATING_SERVER_IP%\tDistinguishedName=%FILE_PATH%\tAffectedObject=\tClassName=%CLASS_NAME%\tOrigServer=%ORIGINATING_SERVER%\tSuccess=%SUCCESS%\tBlocked=%BLOCKED_EVENT%\tAttrName=%ATTRIBUTE_NAME%\tAttrNewValue=%ATTRIBUTE_VALUE%\tAttrOldValue=%OLD_ATTRIBUTE_VALUE%\tOperation=%OPERATION%"
+            },
+            "fileFilter": {
+                "allowed": true,
+                "denied": true,
+                "cifs": true,
+                "nfs": true,
+                "read": true,
+                "dirRead": false,
+                "create": true,
+                "dirCreate": true,
+                "rename": true,
+                "dirRename": true,
+                "delete": true,
+                "dirDelete": true,
+                "update": true,
+                "permission": true,
+                "dirPermission": true,
+                "attribute": true,
+                "dirAttribute": true,
+                "readOptimize": false,
+                "shareAdd": false,
+                "shareDelete": false,
+                "shareUpdate": false,
+                "sharePermission": false,
+                "streamRead": true,
+                "streamUpdate": true,
+                "streamDelete": true,
+                "streamAdd": true,
+                "includePaths": [],
+                "excludePaths": [],
+                "excludeExtensions": [
+                    ".TMP",
+                    ".RCV",
+                    ".DS_STORE",
+                    ".POLICY",
+                    ".MANIFEST",
+                    ".LACCDB",
+                    ".LDB"
+                ],
+                "excludeProcesses": [
+                    "SBTService.exe",
+                    "FPolicyServerSvc.exe",
+                    "CelerraServerSvc.exe",
+                    "FSACLoggingSvc.exe",
+                    "HitachiService.exe",
+                    "SIWindowsAgent.exe",
+                    "SIGPOAgent.exe",
+                    "LogProcessorSrv.exe",
+                    "SearchIndexer.exe",
+                    "WindowsSearch.exe",
+                    "StealthAUDIT",
+                    "MonitorService35.exe",
+                    "MonitorService40.exe",
+                    "MonitorService45.exe",
+                    "Configuration.exe",
+                    "ConfigurationAgent.exe",
+                    "ConfigurationAgent.Grpc.Host.exe"
+                ],
+                "excludeReadProcesses": [],
+                "excludeAccounts": [
+                    "S-1-5-17",
+                    "S-1-5-18",
+                    "S-1-5-19",
+                    "S-1-5-20"
+                ],
+                "filterGroups": false,
+                "officeFiltering": false,
+                "pathFilters": [
+                    "-**\\~$*.DOC",
+                    "-**\\~$*.DOCX",
+                    "-**\\~$*.ODT",
+                    "-**\\~$*.PPT",
+                    "-**\\~$*.PPTX",
+                    "-**\\~$*.PUB",
+                    "-**\\~$*.RTF",
+                    "-**\\~$*.TXT",
+                    "-**\\~$*.WPS",
+                    "-**\\~$*.XLSX",
+                    "-**\\~$*.XSN",
+                    "-**\\~$*.XML",
+                    "-**\\~$*.DOCM",
+                    "-**\\~$*.DOTX",
+                    "-**\\~$*.DOTM",
+                    "-**\\~$*.DOT",
+                    "-**\\~$*.MHT",
+                    "-**\\~$*.HTM",
+                    "-**\\~$*.XLSM",
+                    "-**\\~$*.XLSB",
+                    "-**\\~$*.XLTX",
+                    "-**\\~$*.XLTM",
+                    "-**\\~$*.XLAM",
+                    "-**\\~$*.ODS",
+                    "-**\\~$*.PPTM",
+                    "-**\\~$*.POTX",
+                    "-**\\~$*.POTM",
+                    "-**\\~$*.POT",
+                    "-**\\~$*.THMX",
+                    "-**\\~$*.PPSX",
+                    "-**\\~$*.PPSM",
+                    "-**\\~$*.PPS",
+                    "-**\\~$*.ODP",
+                    "-**\\~$*.PDF",
+                    "-**\\~$*.XPS",
+                    "-**\\.TEMPORARYITEMS\\**",
+                    "-**\\~SNAPSHOT\\**",
+                    "-**\\WATSONRC.DAT",
+                    "-**\\DESKTOP.INI",
+                    "-C:\\Windows\\**",
+                    "-C:\\Program Files\\**",
+                    "-C:\\Program Files (x86)\\**",
+                    "-C:\\ProgramData\\**",
+                    "-C:\\Documents and Settings\\**",
+                    "-C:\\Users\\**"
+                ],
+                "discardPreviewSubfolderReads": true,
+                "discardPreviewSubfolderReadsInterval": 10,
+                "discardPreviewFileReads": false,
+                "discardPreviewFileReadsInterval": 60,
+                "discardPreviewFileReadsFilenames": [
+                    "*.exe",
+                    "*.url",
+                    "*.lnk"
+                ],
+                "duplicateReadsInterval": 60
+            },
+            "comment": "",
+            "managedBy": "",
+            "windows": {
+                "vssCreation": true,
+                "vssDeletion": true,
+                "vssActivity": true,
+                "discardReorderedAcl": true,
+                "discardInheritedAcl": false
+            },
+            "status": {
+                "updatedAt": "2024-09-16T17:32:24.9987211Z",
+                "type": "OK"
+            },
+            "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/f20aa0a8b7de4961b8ea9016b0d5d579/statusHistory",
+            "altHost": "",
+            "stats": {
+                "reportedCount": 0
+            }
+        }
+    ],
+    "outputsUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs",
+    "agentsUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/agents",
+    "status": {
+        "updatedAt": "2024-09-16T17:32:24.9987211Z",
+        "type": "OK"
+    },
+    "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/statusHistory",
+    "stats": {
+        "receivedCount": 0,
+        "lastEventTime": "2024-09-16T16:33:13.803Z"
+    }
+}
+```
diff --git a/docs/activitymonitor/10.0/restapi/resources/output.md b/docs/activitymonitor/10.0/restapi/resources/output.md
new file mode 100644
index 0000000000..5d881c9d1b
--- /dev/null
+++ b/docs/activitymonitor/10.0/restapi/resources/output.md
@@ -0,0 +1,462 @@
+---
+title: "Output"
+description: "Output"
+sidebar_position: 40
+---
+
+# Output
+
+| Attribute | Type | Detailed Only | Description |
+| -------------------------- | ---------------- | ------------- | -------------------------------------------------------------------------------------------------------- |
+| id | string | | ID of the output. |
+| url | string | | Self URL |
+| hostId | string | | ID of the host that owns the output. |
+| hostUrl | string | | URL of the host that owns the output. |
+| agentsIds | string[] | | List of Agent IDs of the agents managing the output. |
+| domainId | string | | AD only: ID of the owning domain |
+| domainUrl | string | | AD only: Link to the owning domain |
+| logsUrl | string | | Link to the file output log files (for the local agent only, that has the API Server running) |
+| isEnabled | bool | | Whether or not the output is enabled. If disabled, no activity is forwarded to it. |
+| type | string | | `LogFile`,`Syslog`,`Amqp` |
+| logFile | FileOutput | | Log file settings |
+| syslog | SyslogOutput | | Syslog settings |
+| amqp | AmqpOutput | | AMQP/DEFEND settings |
+| fileFilter | FileFilter | | Filtering settings for file activity |
+| sharePointFilter | SharePointFilter | | Filtering settings for SharePoint |
+| comment | string | | User's comment |
+| managedBy | string | | Name of a product that manages this output, if not self managed by NAM Agent. Values: `Threat Prevention`|
+| windows | WindowsOptions | | Windows filtering settings |
+| status.updatedAt | DateTime | | A timestamp when the status has changed to this value. |
+| status.type | string | | OK, Error, or Warning - indicates a type of the status. |
+| status.summary | string | | A user-friendly summary string of the status. May be empty for the OK type, non-empty otherwise. |
+| status.details | string | | A user-friendly message that describes the status. May be empty. |
+| statusHistoryUrl | string | | URL of the output's status history. |
+| altHost | string | | A hostname that is reported in the activity events instead of the real hostname. |
+| stats.reportedAt | DateTime | | Timestamp indicating the last time when an event was reported to the Output. |
+| stats.reportedCount | long | | Total number of events reported to the Output. |
+| stats.lastEventTime | DateTime | | The most recent timestamp among all reported events to the Output. |
+| stats.filesCount | int | | Number of log files on the agent's server. |
+| stats.filesSize | long | | Total size of log files on the agent's server. |
+| stats.archiveFilesCount | int | | Number of log files in the archival location. |
+| stats.archiveFilesSize | long | | Total size of log files in the archival location. |
+| stats.archiveLastEventTime | DateTime | | The most recent timestamp in the recently archived log file. |
+
+## FileOutput
+
+| Attribute | Type | Detailed Only | Description |
+| ------------------ | ------ | ------------- | ------------------------------------------------------------------------------------- |
+| format | string | | `Tsv`, `Json` |
+| path | string | | Log file path on the agent's drive. Timestamp is added before the extension. |
+| archivePath | string | | Log file path in the archival location (UNC path) |
+| periodToRetainLog | int | | Number of days to keep the log files alive both on the local drive and in the archive |
+| reportUserName | bool | | Resolve and report user name |
+| reportUncPath | bool | | Report UNC paths in addition to local/native paths |
+| addCToPath | bool | | Prepend the path `C:\` and change the forward slashes to backslashes. |
+| reportMilliseconds | bool | | Report events' time with milliseconds |
+| stealthAudit | bool | | The file was marked for consumption by Access Analyzer |
+
+## SyslogOutput
+
+| Attribute | Type | Detailed Only | Description |
+| ------------- | ------ | ------------- | --------------------------------------------------------------------- |
+| server | string | | Hostname/address of the syslog server in the format HOST:PORT. |
+| protocol | string | | `UDP`, `TCP`, `TLS` |
+| separator | string | | `Lf`,Cr, `CrLf`, `Nul`, `Rfc5425` |
+| reportUncPath | bool | | Report UNC paths in addition to local/native paths |
+| addCToPath | bool | | Prepend the path `C:\` and change the forward slashes to backslashes. |
+| template | string | | Text of the syslog template that is currently set to be used. |
+
+## AmqpOutput
+
+| Attribute | Type | Detailed Only | Description |
+| --------- | ------ | ------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| server | string | | Hostname/address of the AMQP server or the Threat Manager server and the port in the SERVER:PORT format |
+| userName | string | | User name for the AMQP connection, if needed. ForThreat Managerintegration, use an empty string. |
+| password | string | | Password / App Token for the AMQP connection. Password / App Token is not exposed. |
+| queue | string | | Message queue name to post events to. ForThreat Manager integration, use an empty string. |
+| exchange | string | | Exchange name to post events to. For Threat Manager integration, use "StealthINTERCEPT" for domain outputs or "AM" for host outputs. |
+| vhost | string | | Virtual Host name, if needed. ForThreat Managerintegration, use an empty string. |
+| caCertificate| string | | Certificate Autority certificate to validate the TLS connection. |
+| protocol | string | | `TCP` (default) or `TLS`. |
+| hostNameVerification | bool | | Whether or not verify the hostname during the TLS handshake. |
+
+## FileFilter
+
+| Attribute | Type | Detailed Only | Description |
+| ------------------------------------ | -------- | ------------- | ------------------------------------------------------------------------------- |
+| allowed | bool | | |
+| denied | bool | | |
+| cifs | bool | | |
+| nfs | bool | | |
+| read | bool | | |
+| dirRead | bool | | |
+| create | bool | | |
+| dirCreate | bool | | |
+| rename | bool | | |
+| dirRename | bool | | |
+| delete | bool | | |
+| dirDelete | bool | | |
+| update | bool | | |
+| permission | bool | | |
+| dirPermission | bool | | |
+| attribute | bool | | |
+| dirAttribute | bool | | |
+| readOptimize | bool | | Suppress subsequent read operations in the same folder, by the same user. |
+| shareAdd | bool | | |
+| shareDelete | bool | | |
+| shareUpdate | bool | | |
+| sharePermission | bool | | |
+| streamRead | bool | | Reads of Alternate Data Streams. |
+| streamUpdate | bool | | Updates of Alternate Data Streams. |
+| streamDelete | bool | | Deletes of Alternate Data Streams. |
+| streamAdd | bool | | Adds of Alternate Data Streams. |
+| includePaths | string[] | | Depreciated. This has been replaced by 'pathFilters'. |
+| excludePaths | string[] | | Depreciated. This has been replaced by 'pathFilters'. |
+| excludeExtensions | string[] | | |
+| excludeProcesses | string[] | | |
+| excludeReadProccesses | string[] | | |
+| excludeAccounts | string[] | | |
+| filterGroups | bool | | Process group membership when filtering. |
+| officeFiltering | bool | | Suppress Microsoft Office and other applications operations on temporary files. |
+| pathFilters | string[] | | List of paths to include and exclude. |
+| discardPreviewSubfolderReads | bool | | |
+| discardPreviewSubfolderReadsInterval | int | | |
+| discardPreviewFileReads | bool | | |
+| discardPreviewFileReadsInterval | int | | |
+| discardPreviewFileReadsFilenames | string[] | | |
+| duplicateReadsInterval | int | | |
+
+## SharePointFilter
+
+| Attribute | Type | Detailed Only | Description |
+| --------------- | -------- | ------------- | ----------- |
+| operations | string[] | | |
+| includeUrls | string[] | | |
+| excludeUrls | string[] | | |
+| excludeAccounts | string[] | | |
+
+## WindowsOptions
+
+| Attribute | Type | Detailed Only | Description |
+| ------------------- | ---- | ------------- | ----------- |
+| vssCreation | bool | | |
+| vssDeletion | bool | | |
+| vssActivity | bool | | |
+| discardReorderedAcl | bool | | |
+| discardInheritedAcl | bool | | |
+
+**Response Example**
+
+```
+{
+    "id": "fcf4ad5d951548f0af10a8909c9cc284",
+    "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm02/outputs/fcf4ad5d951548f0af10a8909c9cc284",
+    "hostId": "Windows-kdvm02",
+    "hostUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm02",
+    "agentsIds": [
+        "AGENT2"
+    ],
+    "isEnabled": false,
+    "type": "LogFile",
+    "logFile": {
+        "format": "Tsv",
+        "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\KDVM02_Log_.tsv",
+        "archivePath": "",
+        "periodToRetainLog": 10,
+        "reportUserName": false,
+        "reportUncPath": false,
+        "addCToPath": true,
+        "reportMilliseconds": true,
+        "stealthAudit": true
+    },
+    "fileFilter": {
+        "allowed": true,
+        "denied": true,
+        "cifs": true,
+        "nfs": true,
+        "read": true,
+        "dirRead": false,
+        "create": true,
+        "dirCreate": true,
+        "rename": true,
+        "dirRename": true,
+        "delete": true,
+        "dirDelete": true,
+        "update": true,
+        "permission": true,
+        "dirPermission": true,
+        "attribute": true,
+        "dirAttribute": true,
+        "readOptimize": false,
+        "shareAdd": false,
+        "shareDelete": false,
+        "shareUpdate": false,
+        "sharePermission": false,
+        "streamRead": true,
+        "streamUpdate": true,
+        "streamDelete": true,
+        "streamAdd": true,
+        "includePaths": [],
+        "excludePaths": [],
+        "excludeExtensions": [
+            ".TMP",
+            ".RCV",
+            ".DS_STORE",
+            ".POLICY",
+            ".MANIFEST",
+            ".LACCDB",
+            ".LDB"
+        ],
+        "excludeProcesses": [
+            "SBTService.exe",
+            "FPolicyServerSvc.exe",
+            "CelerraServerSvc.exe",
+            "FSACLoggingSvc.exe",
+            "HitachiService.exe",
+            "SIWindowsAgent.exe",
+            "SIGPOAgent.exe",
+            "LogProcessorSrv.exe",
+            "SearchIndexer.exe",
+            "WindowsSearch.exe",
+            "StealthAUDIT",
+            "MonitorService35.exe",
+            "MonitorService40.exe",
+            "MonitorService45.exe",
+            "Configuration.exe",
+            "ConfigurationAgent.exe",
+            "ConfigurationAgent.Grpc.Host.exe"
+        ],
+        "excludeReadProcesses": [],
+        "excludeAccounts": [
+            "S-1-5-17",
+            "S-1-5-18",
+            "S-1-5-19",
+            "S-1-5-20"
+        ],
+        "filterGroups": false,
+        "officeFiltering": false,
+        "pathFilters": [
+            "-**\\~$*.DOC",
+            "-**\\~$*.DOCX",
+            "-**\\~$*.ODT",
+            "-**\\~$*.PPT",
+            "-**\\~$*.PPTX",
+            "-**\\~$*.PUB",
+            "-**\\~$*.RTF",
+            "-**\\~$*.TXT",
+            "-**\\~$*.WPS",
+            "-**\\~$*.XLSX",
+            "-**\\~$*.XSN",
+            "-**\\~$*.XML",
+            "-**\\~$*.DOCM",
+            "-**\\~$*.DOTX",
+            "-**\\~$*.DOTM",
+            
"-**\\~$*.DOT", +            "-**\\~$*.MHT", +            "-**\\~$*.HTM", +            "-**\\~$*.XLSM", +            "-**\\~$*.XLSB", +            "-**\\~$*.XLTX", +            "-**\\~$*.XLTM", +            "-**\\~$*.XLAM", +            "-**\\~$*.ODS", +            "-**\\~$*.PPTM", +            "-**\\~$*.POTX", +            "-**\\~$*.POTM", +            "-**\\~$*.POT", +            "-**\\~$*.THMX", +            "-**\\~$*.PPSX", +            "-**\\~$*.PPSM", +            "-**\\~$*.PPS", +            "-**\\~$*.ODP", +            "-**\\~$*.PDF", +            "-**\\~$*.XPS", +            "-**\\.TEMPORARYITEMS\\**", +            "-**\\~SNAPSHOT\\**", +            "-**\\WATSONRC.DAT", +            "-**\\DESKTOP.INI", +            "-C:\\Windows\\**", +            "-C:\\Program Files\\**", +            "-C:\\Program Files (x86)\\**", +            "-C:\\ProgramData\\**", +            "-C:\\Documents and Settings\\**", +            "-C:\\Users\\**" +        ], +        "discardPreviewSubfolderReads": true, +        "discardPreviewSubfolderReadsInterval": 10, +        "discardPreviewFileReads": false, +        "discardPreviewFileReadsInterval": 60, +        "discardPreviewFileReadsFilenames": [ +            "*.exe", +            "*.url", +            "*.lnk" +        ], +        "duplicateReadsInterval": 60 +    }, +    "comment": "", +    "managedBy": "", +    "windows": { +        "vssCreation": true, +        "vssDeletion": true, +        "vssActivity": true, +        "discardReorderedAcl": true, +        "discardInheritedAcl": false +    }, +    "status": { +        "updatedAt": "2024-10-01T18:46:00.6768171Z", +        "type": "OK", +        "summary": "OK", +        "details": "OK" +    }, +    "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm02/outputs/fcf4ad5d951548f0af10a8909c9cc284/statusHistory", +    "altHost": "", +    "stats": { +        "reportedAt": "2024-09-30T18:49:12.282Z", +        "reportedCount": 12, +        "lastEventTime": 
"2024-09-30T18:49:12.282Z", +        "filesCount": 1, +        "filesSize": 2204, +        "archiveFilesCount": 0, +        "archiveFilesSize": 0 +    } +} +``` + +## File + +| Attribute | Type | Detailed Only | Description | +| ------------ | -------- | ------------- | ----------------------------------------------------------------------------------------------- | +| id | string | | Activity Log File ID. | +| size | int | | File size in bytes | +| localPath | string | | File path on the local disk | +| isZip | bool | | Is it a Zip archive | +| isArchived | bool | | Determines whether the file is on a local drive of the agent or moved to the archival location. | +| type | string | | `Tsv`, `Json` | +| updatedAt | DateTime | | Last time the file was updated | +| activityFrom | DateTime | | Activity events in the file are not younger than the date. | +| activityTo | DateTime | | Activity events in the file are not older than the date. | +| outputId | string | | ID of the output that produced the file. | +| contentUrl | string | | Link to the file content. 
MIME type `application/x-msdownload` | + +**Response Example** + +``` +[ +    { +        "id": "localhost_Log_20190410_000000.tsv", +        "size": 81658576, +        "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190410_000000.tsv", +        "isZip": false, +        "isArchived": false, +        "type": "Tsv", +        "updatedAt": "2019-04-10T17:45:07.2211753Z", +        "activityFrom": "2019-04-05T18:16:57", +        "activityTo": "2019-04-10T17:45:07", +        "outputId": "9c90791891774715bdb3415823790d7c", +        "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190410_000000.tsv" +    }, +    { +        "id": "localhost_Log_20190401_000000.tsv.zip", +        "size": 11, +        "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190401_000000.tsv.zip", +        "isZip": true, +        "isArchived": false, +        "type": "Tsv", +        "updatedAt": "2019-04-10T02:03:48.8899252Z", +        "activityFrom": "0001-01-01T00:00:00", +        "activityTo": "2019-04-10T02:03:48.8879242Z", +        "outputId": "9c90791891774715bdb3415823790d7c", +        "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190401_000000.tsv.zip" +    }, +  { +    "id": "localhost_Log_20190405.tsv.zip", +    "size": 295102, +    "localPath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_9c907918-9177-4715-bdb3-415823790d7c\\localhost_Log_20190405.tsv.zip", +    "isZip": true, +    "isArchived": true, +    "type": "Tsv", +    "updatedAt": "2019-04-05T20:59:55.1462518Z", +    "activityFrom": "2019-04-05T18:16:57", +    "activityTo": "2019-04-05T20:59:55", +    "outputId": "9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/archive/get/WRKST0100/WRKST0100_9c907918-9177-4715-bdb3-415823790d7c/localhost_Log_20190405.tsv.zip" +  } +] + +``` + +## Policy + +| Attribute | Type | Detailed Only | Read-Only | 
Description | +| ----------- | -------- | ------------- | --------- | ------------------------------------------------------------------------------------- | +| id | string | | X | Policy ID. | +| url | string | | X | Self URL. | +| name | string | | | Policy name. | +| description | string | | | Policy description. | +| path | string | | | Policy location. | +| guid | string | | X | Policy GUID. | +| isEnabled | bool | | | Whether the policy is enabled. | +| updatedAt | DateTime | | X | When the policy was last modified. | +| xml | string | | | Policy body in XML format. It's the same format used by Threat Prevention Powershell. | + +**Response Example** + +``` +[ +    { +        "id": "1000", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1000", +        "name": "SAM AD Changes", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "56abcb01-0248-4f9c-8e61-aaeb8a30b5ff", +        "isEnabled": true, +        "updatedAt": "2024-08-22T19:05:31.22", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n        Object Added\r\n        Object Modified\r\n        Object Deleted\r\n        Object Moved/Renamed\r\n      \r\n    \r\n    \r\n      \r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1001", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1001", +        "name": "SAM Authentication", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "b3d5397b-ef67-4d72-860c-4efa311ad37f", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n    \r\n    \r\n      false\r\n      
\r\n      \r\n      \r\n        \r\n        \r\n        \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1002", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1002", +        "name": "SAM Ldap Monitor", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "b119a08c-5304-45b1-b981-22023a113690", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n      \r\n    \r\n    \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      false\r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1003", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1003", +        "name": "SAM LSASS Guardian", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "409b77be-f0c2-4ba9-9fb9-d17d2c19084a", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n        MsMpEng.exe\r\n        svchost.exe\r\n        VsTskMgr.exe\r\n        WmiPrvSE.exe\r\n        scan64.exe\r\n        mcshield.exe\r\n      \r\n    \r\n    3\r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1004", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1004", +        "name": "SAM Replication", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "e6feb176-8a14-4a61-914b-6c864babd55a", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n  
    \r\n      \r\n    \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    } +] +``` diff --git a/docs/activitymonitor/10.0/restapi/resources/resources.md b/docs/activitymonitor/10.0/restapi/resources/resources.md new file mode 100644 index 0000000000..ba10f8fcc7 --- /dev/null +++ b/docs/activitymonitor/10.0/restapi/resources/resources.md 
@@ -0,0 +1,1918 @@
+---
+title: "Schema and Resources"
+description: "Schema and Resources"
+sidebar_position: 20
+---
+
+# Schema and Resources
+
+The 10.0 API model consists of the following resources:
+
+- Agent – Represents an Activity Monitor Agent. API allows you to view existing agents and their
+ status, register, modify, or remove agents. You can list all the agents or the agents of a domain
+ (AD-monitoring agents on the domain controllers).
+ Children: Host, Domain
+ See the [Agent](/docs/activitymonitor/10.0/restapi/resources/agent.md) topic for additional information.
+
+- Host – Represents a host or service monitored by the product (Windows, NetApp, SharePoint, SQL
+ Server, etc.). It is a Monitored Host/Service in the Console. You can list all the hosts of the agent, or
+ just all the hosts. The API Provides access to the settings of the host and its status; allows you
+ to create new hosts, modify, enable/disable, or delete existing. Typical properties include a
+ hostname, credentials to access API, connection settings. A Host is associated with at least one
+ Output. Each Host can have multiple child Outputs, and each Output has its own unique filter
+ settings.
+ Children: Output
+ See the [Host](/docs/activitymonitor/10.0/restapi/resources/host.md) topic for additional information.
+
+- Domain – It is a Monitored Domain in the Console. The API provides summary information about each
+ monitored domain. Similar to host, the domain also has one or more output. These outputs are
+ common for all AD-monitoring agents of the domain. Each domain controller has the same log file
+ settings, syslog, and AMQP.
+ Children: Output, Agent
+ See the [Domain](/docs/activitymonitor/10.0/restapi/resources/domain.md) topic for additional information.
+
+- Output – A log file or Syslog or AMQP destination for the activity data. Typical
+ properties of the **Output** include log file settings (path, retention etc.), syslog settings
+ (server, UDP/TCP, message template etc.), path filtering (include C:, exclude C:\temp), operations
+ (Write File, Create File, Delete File, Create Share etc.), account filtering (exclude
+ DOMAIN\service-account1), protocol (CIFS, NFS), etc.
+ Children: File
+ See the [Output](/docs/activitymonitor/10.0/restapi/resources/output.md) topic for additional information.
+
+- File - Represents a log file created by a File Output - an actual .tsv, .json, or .zip file stored on
+ the agent or on a network share. A file can be downloaded.
+
+- Policy - Represents an Active Directory nonitoring policy. The API allows you to create new
+ policies, list, modify, and delete existing.
+
+
+
+Data is transmitted as JSON objects or as JSON Merge Patch for PATCH requests. Dates are formatted
+in UTC using the `YYYY-MM-DDTHH:MM:SS` DateTime format. Security-sensitive data like passwords,
+certificates, and access tokens are not returned by the GET requests but can be set using POST and
+PATCH requests.
+
+## API
+
+The API supports the following:
+
+- GET – Returns a single resource or a list of resources. Additional parameters can be included in
+ the URL. A successful response returns a `200 OK `status.
+- POST – Creates a new resource. The request body contains a JSON object, content type
+ `application/json`. A successful response returns a `201 Created` status.
+- PATCH – Modifies a subset of attributes of the resource. The request body contains the change in
+ the JSON Merge Patch format
+ ([https://tools.ietf.org/html/rfc7396](https://tools.ietf.org/html/rfc7396)), content type
+ `application/merge-patch+json`. A successful response returns a `200 OK` status.
+- DELETE – Deletes the resource. A successful response returns a `204 No Content status.`
+
+**GET /api/v1/agents**
+
+Lists all the agents managed by the API server. 
If the client has no `Read` permission, returns only +the current agent. + +- Permission – Read or Access activity data +- Response – Array of Agent + +**Permission: Read or Access activity data** + +Response: Array of Agent + +Response Example: + +``` +[ +  { +    "warnings": [], +    "safeModeStatus": "", +    "safeModeMessage": "", +    "archiveIsEnabled": false, +    "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS", +    "archiveUserName": "", +    "archiveMaxLocalSize": "5GB", +    "fpolicyPort": 9999, +    "fpolicyAuth": "NoAuth", +    "fpolicyIpWhitelist": [], +    "minLocalFreeSpace": "64MB", +    "ceeVcapsIsEnabled": false, +    "ceeVcapsInterval": 60, +    "ceeVcapsEvents": 100, +    "alertsIsEnabled": false, +    "alertsInactivityInterval": 360, +    "alertsReplayInterval": 360, +    "alertsInactivityCheckInterval": 10, +    "alertsSyslog": { +      "server": "", +      "protocol": "UDP", +      "separator": null +    }, +    "alertsEmail": { +      "server": "", +      "ssl": false, +      "userName": "", +      "from": "", +      "to": "", +      "subject": "" +    }, +    "hardeningIsEnabled": false, +    "safeModeIsEnabled": true, +    "dnsResolveIsEnabled": false, +    "siIpWhitelist": [], +    "apiServerIpWhitelist": [], +    "apiServerMgmtConsole": "WRKST0100", +    "id": "AGENT0", +    "url": "https://localhost:4494/api/v1/agents/AGENT0", +    "host": "192.168.1.124", +    "netbiosName": "VAGRANT-2016", +    "userName": "test01\\administrator", +    "domain": "TEST01", +    "machineSid": "S-1-5-21-1367674131-2422966069-737923105-1001", +    "osVersion": "6.2.9200.0", +    "isDC": false, +    "errorMessage": "", +    "installState": "Installed", +    "version": "4.1.119", +    "siInstallState": "Installed", +    "siVersion": "6.0.0.388", +    "managedBySI": false, +    "configVersion": "UFZXT9Fijt5mZ6GNOaoclaVMRy4=", +    "monitoredHostsUrl": "https://localhost:4494/api/v1/agents/AGENT0/hosts", +    "monitoredDomainUrl": 
"https://localhost:4494/api/v1/agents/AGENT0/domain", +    "apiServerIsEnabled": false, +    "apiServerPort": 4494 +  }, +  { +    "warnings": [], +    "safeModeStatus": null, +    "safeModeMessage": null, +    "archiveIsEnabled": false, +    "archivePath": "", +    "archiveUserName": "", +    "archiveMaxLocalSize": "5GB", +    "fpolicyPort": 9999, +    "fpolicyAuth": "NoAuth", +    "fpolicyIpWhitelist": [], +    "minLocalFreeSpace": "64MB", +    "ceeVcapsIsEnabled": false, +    "ceeVcapsInterval": 60, + "ceeVcapsEvents": 100, +    "alertsIsEnabled": false, +    "alertsInactivityInterval": 360, +    "alertsReplayInterval": 360, +    "alertsInactivityCheckInterval": 10, +    "alertsSyslog": { +      "server": "", +      "protocol": "UDP", +      "separator": null +    }, +    "alertsEmail": { +      "server": null, +      "ssl": false, +      "userName": null, +      "from": null, +      "to": null, +      "subject": "" +    }, +    "hardeningIsEnabled": false, +    "safeModeIsEnabled": true, +    "dnsResolveIsEnabled": false, +    "siIpWhitelist": [ +      "127.0.0.1", +      "::1" +    ], +    "apiServerIpWhitelist": null, +    "apiServerMgmtConsole": null, +    "id": "AGENT1", +    "url": "https://localhost:4494/api/v1/agents/AGENT1", +    "host": "nonexistent", +    "netbiosName": "nonexistent", +    "userName": "", +    "domain": "", +    "machineSid": "", +    "osVersion": "", +    "isDC": false, +    "errorMessage": "Cannot detect if an agent is installed. The RPC server is unavailable. 
(Exception from HRESULT: 0x800706BA)", +    "installState": "Failed", +    "version": null, +    "siInstallState": "Failed", +    "siVersion": "", +    "managedBySI": false, +    "configVersion": null, +    "monitoredHostsUrl": "https://localhost:4494/api/v1/agents/AGENT1/hosts", +    "monitoredDomainUrl": "https://localhost:4494/api/v1/agents/AGENT1/domain", +    "apiServerIsEnabled": false, +    "apiServerPort": 4494 +  }, +  { +    "warnings": [], +    "safeModeStatus": "", +    "safeModeMessage": "", +    "archiveIsEnabled": false, +    "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS", +    "archiveUserName": "wrkst0100\\testuser", +    "archiveMaxLocalSize": "5GB", +    "fpolicyPort": 9999, +    "fpolicyAuth": "Server", +    "fpolicyIpWhitelist": [], +    "minLocalFreeSpace": "64MB", +    "ceeVcapsIsEnabled": false, +    "ceeVcapsInterval": 60, +    "ceeVcapsEvents": 100, +    "alertsIsEnabled": true, +    "alertsInactivityInterval": 360, +    "alertsReplayInterval": 360, +    "alertsInactivityCheckInterval": 10, +    "alertsSyslog": { +      "server": "12", +      "protocol": "UDP", +      "separator": null +    }, +    "alertsEmail": { +      "server": "", +      "ssl": false, +      "userName": "", +      "from": "", +      "to": "", +      "subject": "" +    }, +    "hardeningIsEnabled": false, +    "safeModeIsEnabled": true, +    "dnsResolveIsEnabled": false, +    "siIpWhitelist": [ +      "127.0.0.1", +      "::1" +    ], +    "apiServerIpWhitelist": [], +    "apiServerMgmtConsole": "WRKST0100", +    "id": "AGENT3", +    "url": "https://localhost:4494/api/v1/agents/AGENT3", +    "host": "WRKST0100", +    "netbiosName": "WRKST0100", +    "userName": "", +    "domain": "LOGIC-LAB", +    "machineSid": "", +    "osVersion": "6.2.9200.0", +    "isDC": false, +    "errorMessage": "", +    "installState": "Installed", +    "version": "4.1.119", +    "siInstallState": "NotInstalled", +    "siVersion": "", +    "managedBySI": false, +    "configVersion": 
"efkL3mKD8BJF/LtD/SC+ClS/xuE=", +    "monitoredHostsUrl": "https://localhost:4494/api/v1/agents/AGENT3/hosts", +    "monitoredDomainUrl": "https://localhost:4494/api/v1/agents/AGENT3/domain", +    "apiServerIsEnabled": false, +    "apiServerPort": 4494 +  } +] + +``` + +**POST /api/v1/agents** + +Adds a new agent but does not install it. The host attribute must be unique. + +- Permission – Modify agents +- Response Body – Agent +- Response – 201, Agent + +**Permission: Modify agents** + +Response Body: Agent + +**Response: 201, Agent** + +Required attributes: + +- host +- platformId + + - Values: + + - windows + - rhel8 (Redhat Enterprise Linux version 8 and 9 use the same "rhel8" platformId) + +- authenticationMethod + + - Values: + + - Password + - PublicKey + +- userName +- password +- privateKey (only required if PublicKey authenticationMethod is used) + +Request Body Example: + +``` +{ +    "host" : "SBNJQASAMDEV04", +    "platformId" : "windows", +    "authenticationMethod" : "Password", +    "userName" : "TESTDOMAIN\\TestUser1", +    "password" : "password123$" +} +``` + +**POST /api/v1/agents/«agentId»/deploy** + +Installs, upgrades, or uninstalls a single agent that is already added to the console. 
+ +- Permission – `Modify agents` +- Response – 200 +- Required attributes: + + - operation + +Permission: `Modify agents` + +**Response: 200** + +Required attributes: + +**operation** + +The following attributes can be set: + +- operation + + - Values + + - install + - uninstall + +- install.adModule + + - Default – False + +- install.upgrade + + - Default – True + +- install.installPath +- install.managementGroup +- uninstall.remove + + - Default – False + +Request Body Structure: + +``` +{ +    "operation" : "string", +    "install" : { +        "adModule" : bool, +        "upgrade" : bool, +        "installPath" : "string", +        "managementGroup" : "string" +    }, +    "uninstall" : { +        "remove" : bool +    } +} +``` + +**POST /api/v1/agents/deploy** + +Installs, upgrades, or uninstalls a set of agents that are already added to the console. + +- Permission – Modify agents +- Response – 200 + +**Permission: Modify agents** + +Response: 200 + +**Required attributes** + +- operation +- agentsIds + +The following attributes can be set: + +- operation + + - Values + + - install + - uninstall + +- agentsIds +- install.adModule + + - Default – False + +- install.upgrade + + - Default – True + +- install.installPath +- install.managementGroup +- uninstall.remove + + - Default – False + +Request Body Structure: + +``` +{ +    "operation" : "string",  +    "agentsIds" : [ "string",  "string", "string", ... ], +    "install" : { +        "adModule" : bool, +        "upgrade" : bool, +        "installPath" : "string", +        "managementGroup" : "string" +    }, +    "uninstall" : { +        "remove" : bool +    } +} +``` + +**GET /api/v1/agents/«agentId»** + +Returns the agent by ID. If not found or no rights - 404. 
+
+- Permission – Read or Access activity data
+- Response – Agent (with or without details)
+
+**Permission: Read or Access activity data**
+
+Response: Agent (with or without details)
+
+**PATCH /api/v1/agents/«agentId»**
+
+Modifies a subset of attributes of the specified agent.
+
+- Permission – Modify agents
+- Body: Content type – `application/merge-patch+json`, changes to the Agent in the JSON Merge Patch
+ format
+- Response – 200, Agent
+
+**Permission: Modify agents**
+
+Body: Content type: `application/merge-patch+json`, changes to the Agent in the JSON Merge Patch
+format
+
+**Response: 200, Agent**
+
+The following attributes can be modified:
+
+- `archive.isEnabled`
+- `archive.path`
+- `archive.password`
+- `archive.userName`
+- `archive.maxLocalSize` – Expected format: number of bytes
+- `fpolicy.port`
+- `fpolicy.auth` - `NoAuth` (default), `Server`, or `Mutual`.
+- `fpolicy.ipWhitelist`
+- `fpolicy.clientCertificate`
+- `fpolicy.serverCertificate` – Must include a private key.
+- `minLocalFreeSpace` – Expected format: number of bytes
+- `cee.vcapsIsEnabled`
+- `cee.vcapsInterval`
+- `cee.vcapsEvents`
+- `cee.httpEnabled`
+- `cee.rpcEnabled`
+- `cee.ipWhitelist`
+- `inactivityAlerts.isEnabled`
+- `inactivityAlerts.inactivityInterval`
+- `inactivityAlerts.replayInterval`
+- `inactivityAlerts.inactivityCheckInterval`
+- `inactivityAlerts.syslog.server` – Must be a valid hostname of ip4/ip6 address.
+- `inactivityAlerts.syslog.protocol` – `UDP` (default), `TCP`, or `TLS`.
+- `inactivityAlerts.syslog.separator` – `Lf` (default), `Cr`, `CrLf`, `Nul`, or `Rfc5425`.
+- `inactivityAlerts.syslog.template`
+- `inactivityAlerts.email.server` – Must be a valid hostname of ip4/ip6 address.
+- `inactivityAlerts.email.ssl`
+- `inactivityAlerts.email.userName`
+- `inactivityAlerts.email.password`
+- `inactivityAlerts.email.from`
+- `inactivityAlerts.email.to`
+- `inactivityAlerts.email.subject`
+- `inactivityAlerts.email.body`
+- `ad.hardeningIsEnabled`
+- `ad.safeModeIsEnabled`
+- `ad.dnsResolveIsEnabled`
+- `ad.siIpWhitelist`
+- `panzura.port`
+- `panzura.useCredentials`
+- `panzura.username`
+- `panzura.password`
+- `panzura.ipWhitelist`
+- `nutanix.port`
+- `nutanix.ipWhitelist`
+- `qumulo.port`
+- `qumulo.ipWhitelist`
+- `ctera.port`
+- `ctera.ipWhitelist`
+- `linux.serviceUsername`
+- `dns.isEnabled`
+- `dns.listenPort`
+- `dns.parallelism`
+- `dns.perfStatsTimeDebug`
+- `dns.perfStatsTimeInfo`
+- `dns.forwardDnsServer`
+- `dns.cacheFile`
+- `dns.successTtl`
+- `dns.failedTtl`
+- `dns.clientWaitTimeout`
+- `dns.refreshThreshold`
+- `dns.maxCacheSize`
+- `dns.uselessAge`
+- `dns.maxAttemptsToResolve`
+- `dns.suffix`
+- `adUsers.domainControllers`
+- `adUsers.lookupTimeout`
+- `adUsers.successCacheTtl`
+- `adUsers.failedCacheTtl`
+- `adUsers.maxCacheSize`
+- `networkProxy.address`
+- `networkProxy.useDefaultCredentials`
+- `networkProxy.bypassProxyOnLocal`
+- `networkProxy.userName`
+- `networkProxy.password`
+- `networkProxy.bypassList`
+- `apiServerIpWhitelist`
+- `apiServerMgmtConsole`
+- `host` – Must be a unique and valid hostname or ip4/ip6 address.
+- `userName`
+- `password`
+- `privateKey`
+- `comment`
+- `etwLogEnabled`
+- `agentPort`
+- `traceLevel` – `Trace`, `Debug`, `Info`, `Warning`, or `Error`
+- `externaNicName` – Must be a valid NIC name of the agent. Use an empty string for auto detect.
+
+**DELETE /api/v1/agents/«AgentId»**
+
+Removes the agent without uninstalling it.
+
+- Permission – Modify agents
+- Response – 204
+
+**Permission: Modify agents**
+
+Response: 204
+
+**GET /api/v1/domains**
+
+Returns an array of monitored domains, or only the current domain if the client has no `Read`
+permission. 
+ +- Permission – Read or Access activity data +- Response – Array of Domain + +**Permission: Read or Access activity data** + +Response: Array of Domain + +Response Example: + +``` +[ +  { +    "id": "TEST01", +    "url": "https://localhost:4494/api/v1/domains/TEST01", +    "name": "TEST01", +    "managedBySI": false, +    "outputs": [ +      { +        "id": "657eaa95f0804608acef581e728868e2", +        "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/657eaa95f0804608acef581e728868e2", +        "domainId": "TEST01", +        "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +        "agentsIds": [], +        "isEnabled": true, +        "type": "LogFile", +        "logFile": { +          "format": "Json", +          "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\192.168.1.124_Log_.json", +          "archivePath": "", +          "daysToRetain": 10, +          "reportUserName": false, +          "reportUncPath": false, +          "addCToPath": true, +          "reportMilliseconds": false, +          "stealthAudit": true +        }, +        "syslog": null, +        "amqp": null, +        "fileFilter": null, +        "sharePointFilter": null, +        "comment": "", +        "managedBy": "", +        "windows": null +      }, +      { +        "id": "fe9eb58ef02e40b8ab4a3e02e51a9d95", +        "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/fe9eb58ef02e40b8ab4a3e02e51a9d95", +        "domainId": "TEST01", +        "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +        "agentsIds": [], +        "isEnabled": true, +        "type": "Amqp", +        "logFile": null, +        "syslog": null, +        "amqp": { +          "server": "127.0.0.1:10001", +          "userName": "StealthINTERCEPT", +          "queue": "StealthINTERCEPT", +          "vhost": "" +        }, +        "fileFilter": null, + "sharePointFilter": null, +        "comment": "", +        "managedBy": "", +        "windows": null + 
     } +    ], +    "outputsUrl": "https://localhost:4494/api/v1/domains/TEST01/outputs", +    "agentsUrl": "https://localhost:4494/api/v1/domains/TEST01/agents", +    "masterAgentId": "AGENT0", +    "masterAgentUrl": "https://localhost:4494/api/v1/agents/AGENT0" +  } +] + +``` + +**GET /api/v1/domains/«domainId»** + +Returns the domain by its ID, or a 404 error if it is not found or the client lacks sufficient +permissions. + +- Permission – Read or Access activity data +- Response – Domain + +**Permission: Read or Access activity data** + +Response: Domain + +**GET /api/v1/agents/«agentId»/domain** + +Returns a domain monitored by the specified agent, or a 404 error if the domain is not found, the +client lacks the necessary permissions, or the agent is not monitoring AD activity. + +This endpoint is useful to get `Output` settings specific to the agent. Domain outputs are logical, +they are described once and used by all the domain controllers to create actual files/syslog/amqp +messages. However, there are some output fields that are different on each agent. For example, the +`archivePath`. If you need such agent-specific fields, use this endpoint. + +- Permission – Read or Access activity data +- Response – Domain + +**Permission: Read or Access activity data** + +Response: Domain + +**GET /api/v1/domains/«domainId»/agents** + +Returns the domain controllers (agents) monitoring the specified domain, or a 404 error if the +domain is not found or the client lacks the necessary permissions. + +- Permission – Read or Access activity data +- Response – Array of Agent + +**Permission: Read or Access activity data** + +Response: Array of Agent + +**GET /api/v1/domains/«domainId»/outputs** + +Returns the configured outputs for the specified domain, or 404 if no rights for the domain or the +domain was not found. 
+ +- Permission – Read or Access activity data +- Response – Array of Output + +**Permission: Read or Access activity data** + +Response: Array of Output + +Response Example: + +``` +[ +  { +    "id": "657eaa95f0804608acef581e728868e2", +    "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/657eaa95f0804608acef581e728868e2", +    "domainId": "TEST01", +    "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +    "agentsIds": [], +    "isEnabled": true, +    "type": "LogFile", +    "logFile": { +      "format": "Json", +      "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\192.168.1.124_Log_.json", +      "archivePath": "", +      "daysToRetain": 10, +      "reportUserName": false, +      "reportUncPath": false, +      "addCToPath": true, +      "reportMilliseconds": false, +      "stealthAudit": true +    }, +    "syslog": null, +    "amqp": null, +    "fileFilter": null, +    "sharePointFilter": null, +    "comment": "", +    "managedBy": "", +    "windows": null +  }, +  { +    "id": "fe9eb58ef02e40b8ab4a3e02e51a9d95", +    "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/fe9eb58ef02e40b8ab4a3e02e51a9d95", +    "domainId": "TEST01", +    "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +    "agentsIds": [], +    "isEnabled": true, +    "type": "Amqp", +    "logFile": null, + "syslog": null, +    "amqp": { +      "server": "127.0.0.1:10001", +      "userName": "StealthINTERCEPT", +      "queue": "StealthINTERCEPT", +      "vhost": "" +    }, +    "fileFilter": null, +    "sharePointFilter": null, +    "comment": "", +    "managedBy": "", +    "windows": null +  } +] + +``` + +**GET /api/v1/domains/«domainId»/outputs/«outputId»** + +Returns the output for the specified domain, or a 404 error if the domain is not found or the client +lacks the necessary permissions. 
+
+- Permission –Read or Access activity data
+- Response – Output
+
+**Permission: Read or Access activity data**
+
+Response: Output
+
+Response Example:
+
+```
+{
+  "id": "657eaa95f0804608acef581e728868e2",
+  "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/657eaa95f0804608acef581e728868e2",
+  "domainId": "TEST01",
+  "domainUrl": "https://localhost:4494/api/v1/domains/TEST01",
+  "agentsIds": [],
+  "isEnabled": true,
+  "type": "LogFile",
+  "logFile": {
+    "format": "Json",
+    "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\192.168.1.124_Log_.json",
+    "archivePath": "",
+    "daysToRetain": 10,
+    "reportUserName": false,
+    "reportUncPath": false,
+    "addCToPath": true,
+    "reportMilliseconds": false,
+    "stealthAudit": true
+  },
+  "syslog": null,
+  "amqp": null,
+  "fileFilter": null,
+  "sharePointFilter": null,
+  "comment": "",
+  "managedBy": "",
+  "windows": null
+}
+
+```
+
+**POST /api/v1/domains/«domainId»/outputs**
+
+Adds a new output for the specified domain.
+
+- Permission – Modify hosts
+- Response – 201, Output
+
+**Permission: Modify hosts**
+
+Response: 201, Output
+
+Required attributes:
+
+- type
+ - Values (Case Sensitive)
+ - LogFile
+ - Syslog
+ - Amqp
+- syslog.server (Required only if Syslog is set to type)
+- amqp.server (Required only if Amqp is set to type)
+
+Request Body Structure:
+
+```
+{           
+    "type" : "string",
+    "syslog" : {
+        "server" : "string"
+    },
+    "amqp" : {
+        "server" : "string"
+    }
+}
+```
+
+**GET /api/v1/hosts**
+
+Returns a combined list of hosts monitored by all agents. If the client lacks Read permission, only
+the hosts of the current agent are returned.
+
+- Permission – Read or Access activity data
+- Response – Array of Host
+
+**Permission: Read or Access activity data**
+
+Response: Array of Host
+
+**GET /api/v1/hosts/«hostId»**
+
+Returns the specified host. If not found or no rights - 404.
+ +- Permission – Read or Access activity data +- Response – Host + +**Permission: Read or Access activity data** + +Response: Host + +Response Example: + +``` +{ +  "autoConfigureAuditing": false, +  "monitorAuditingStatus": false, +  "id": "Windows-wrkst0100", +  "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +  "host": "WRKST0100", +  "type": "Windows", +  "altHost": "", +  "userName": "", +  "outputs": [ +    { +      "id": "9c90791891774715bdb3415823790d7c", +      "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/9c90791891774715bdb3415823790d7c", +      "hostId": "Windows-wrkst0100", +      "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +      "agentsIds": [ +        "AGENT3" +      ], +      "logsUrl": "https://localhost:4494/api/v1/logs/9c90791891774715bdb3415823790d7c", +      "isEnabled": false, +      "type": "LogFile", +      "logFile": { +        "format": "Tsv", +        "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_.tsv", +        "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_9c907918-9177-4715-bdb3-415823790d7c\\localhost_Log_.tsv", +        "daysToRetain": 11111, +        "reportUserName": false, +        "reportUncPath": false, +        "addCToPath": true, +        "reportMilliseconds": false, +        "stealthAudit": true +      }, +      "syslog": null, +      "amqp": null, +      "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": true, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        "dirDelete": true, +        "update": true, +        "permission": true, +        "dirPermission": true, +        "readOptimize": false, +        "includePaths": [ +          "C:" +        ], +        "excludePaths": [], +        "excludeExtensions": 
[], +        "excludeProcesses": [], +        "excludeReadProccesses": [], +        "excludeAccounts": [], +        "filterGroups": false, +        "officeFiltering": true +      }, +      "sharePointFilter": null, +      "comment": "", +      "managedBy": "", +      "windows": { +        "vssCreation": true, +        "vssActivity": true, + "discardReorderedAcl": true, +        "discardInheritedAcl": false +      } +    }, +    { +      "id": "a556d7c3666d46babe895f2b9ce1316b", +      "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/a556d7c3666d46babe895f2b9ce1316b", +      "hostId": "Windows-wrkst0100", +      "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +      "agentsIds": [ +        "AGENT3" +      ], +      "logsUrl": "https://localhost:4494/api/v1/logs/a556d7c3666d46babe895f2b9ce1316b", +      "isEnabled": false, +      "type": "LogFile", +      "logFile": { +        "format": "Tsv", +        "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\WRKST0100_E_Activity_Log_.Tsv", +        "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_a556d7c3-666d-46ba-be89-5f2b9ce1316b\\WRKST0100_E_Activity_Log_.Tsv", +        "daysToRetain": 3, +        "reportUserName": false, +        "reportUncPath": false, +        "addCToPath": true, +        "reportMilliseconds": false, +        "stealthAudit": false +      }, +      "syslog": null, +      "amqp": null, +      "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": false, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        "dirDelete": true, +        "update": true, +        "permission": true, +        "dirPermission": true, +        "readOptimize": false, +        "includePaths": [ +          "E:" +        ], +        "excludePaths": [], +        
"excludeExtensions": [], +        "excludeProcesses": [ +          "SBTService.exe", +          "FSAC", +          "FPolicyServerSvc.exe", +          "CelerraServerSvc.exe", +          "FSACLoggingSvc.exe", +          "HitachiService.exe", +          "SIWindowsAgent.exe", +          "SIGPOAgent.exe", +          "SIWorkstationAgent.exe", +          "StealthAUDIT", +          "LogProcessorSrv.exe", +          "SearchIndexer.exe", +          "WindowsSearch.exe" +        ], +        "excludeReadProccesses": [], +        "excludeAccounts": [ +          "S-1-5-17", +          "S-1-5-18", +          "S-1-5-19", +          "S-1-5-20" +        ], +        "filterGroups": false, +        "officeFiltering": false +      }, +      "sharePointFilter": null, +      "comment": "Updates on E:", +      "managedBy": "", +      "windows": { +        "vssCreation": true, +        "vssActivity": true, +        "discardReorderedAcl": true, +        "discardInheritedAcl": true +      } +    }, +    { +      "id": "e7c98bc9e96a41d0813b35858a0475bd", +      "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/e7c98bc9e96a41d0813b35858a0475bd", +      "hostId": "Windows-wrkst0100", +      "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +      "agentsIds": [ +        "AGENT3" +      ], +      "logsUrl": "https://localhost:4494/api/v1/logs/e7c98bc9e96a41d0813b35858a0475bd", +      "isEnabled": false, +      "type": "Syslog", +      "logFile": null, +      "syslog": { +        "reportUncPath": false, +        "addCToPath": true, +        "server": "192.168.1.1", +        "protocol": "UDP", +        "separator": "Lf" +      }, +      "amqp": null, +      "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": false, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        
"dirDelete": true, +        "update": true, +        "permission": true, +        "dirPermission": true, +        "readOptimize": false, +        "includePaths": [ +          "O:" +        ], +        "excludePaths": [], +        "excludeExtensions": [], +        "excludeProcesses": [ +          "SBTService.exe", +          "FSAC", +          "FPolicyServerSvc.exe", +          "CelerraServerSvc.exe", +          "FSACLoggingSvc.exe", +          "HitachiService.exe", +          "SIWindowsAgent.exe", +          "SIGPOAgent.exe", +          "SIWorkstationAgent.exe", +          "StealthAUDIT", +          "LogProcessorSrv.exe", +          "SearchIndexer.exe", +          "WindowsSearch.exe" +        ], +        "excludeReadProccesses": [], +        "excludeAccounts": [ +          "S-1-5-17", +          "S-1-5-18", +          "S-1-5-19", +          "S-1-5-20" +        ], +        "filterGroups": false, +        "officeFiltering": false +      }, +      "sharePointFilter": null, +      "comment": "SIEM feed", +      "managedBy": "", +      "windows": { +        "vssCreation": false, +        "vssActivity": false, +        "discardReorderedAcl": true, +        "discardInheritedAcl": false +      } +    } +  ], +  "outputsUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs", +  "agentsUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/agents" +} + +``` + +**GET /api/v1/hosts/«hostId»/statusHistory** + +Returns a journal of status changes for the host, ordered by time in descending order. + +- Permission – Read +- Response – Array of Status + +**Permission: Read** + +Response: Array of Status + +**GET /api/v1/agents/«agentId»/hosts** + +Returns a list of hosts for the specified agent. If the agent is not found or the client lacks the +necessary permissions, a 404 error is returned. 
+
+- Permission – Read or Access activity data
+- Response – Array of Host
+
+**Permission: Read or Access activity data**
+
+Response: Array of Host
+
+**POST /api/v1/agents/«agentId»/hosts**
+
+Adds a new Host to be monitored by the specified agent. A host is added with at least one output.
+
+- Permission – Modify hosts
+- Response Body – Host
+- Response – 201, Host
+
+**Permission: Modify hosts**
+
+Response Body: Host
+
+**Response: 201, Host**
+
+Required Attributes:
+
+- type
+ - Values (Case Sensitive):
+ - AzureAD
+ - Celerra
+ - Ctera
+ - ExchangeOnline
+ - Hitachi
+ - Isilon
+ - Nasuni
+ - NetApp
+ - Nutanix
+ - Panzura
+ - PowerStore
+ - Qumulo
+ - SharePoint
+ - SharePointOnline
+ - SqlServer
+ - Unity
+ - Windows
+ - Linux
+- host
+- outputs
+
+Request Body Example:
+
+```
+{
+    "type" : "Windows",
+    "host" : "SBNJQASAMDEV03",
+    "outputs" : [
+        {
+            "type" : "LogFile"
+        }
+    ]
+}
+```
+
+**PATCH /api/v1/hosts/«hostId»**
+
+Modifies the host on all the agents that monitor the host.
+
+- Permission – Modify hosts
+- Body – Content type: `application/merge-patch+json`, changes to the Host resource in the JSON
+ Merge Patch format
+- Response – 200, Host
+
+**Permission: Modify hosts**
+
+Body: Content type: `application/merge-patch+json`, changes to the Host resource in the JSON Merge
+Patch format
+
+**Response: 200, Host**
+
+The following attributes can be modified:
+
+- `host` ¬ must be a valid hostname or ip4/ip6 address
+- `autoConfigureAuditing`
+- `monitorAuditingStatus`
+- `hostAliases`
+- `userName`
+- `password`
+- `inactivityAlerts.isEnabled`
+- `inactivityAlerts.useCustomSettings`
+- `inactivityAlerts.inactivityInterval`
+- `inactivityAlerts.replayInterval`
+- `inactivityAlerts.inactivityCheckInterval`
+- `inactivityAlerts.syslog.server`
+- `inactivityAlerts.syslog.protocol`
+- `inactivityAlerts.syslog.separator`
+- `inactivityAlerts.syslog.template`
+- `inactivityAlerts.email.server`
+- `inactivityAlerts.email.ssl`
+- `inactivityAlerts.email.userName`
+- `inactivityAlerts.email.password`
+- `inactivityAlerts.email.from`
+- `inactivityAlerts.email.to`
+- `inactivityAlerts.email.subject`
+- `inactivityAlerts.email.body`
+- `uidTranslate.isEnabled`
+- `uidTranslate.domainController`
+- `uidTranslate.port`
+- `uidTranslate.options`
+- `uidTranslate.container`
+- `uidTranslate.scope`
+- `uidTranslate.filter`
+- `hitachi.uncLogPath`
+- `hitachi.logFileName`
+- `hitachi.pollingInterval`
+- `spo.azure.domain`
+- `spo.azure.azureCloud`
+- `spo.azure.tenantId`
+- `spo.azure.tenantName`
+- `spo.azure.clientId`
+- `spo.azure.clientSecret`
+- `spo.azure.region`
+- `azureAd.azure.domain`
+- `azureAd.azure.azureCloud`
+- `azureAd.azure.tenantId`
+- `azureAd.azure.tenantName`
+- `azureAd.azure.clientId`
+- `azureAd.azure.clientSecret`
+- `azureAd.azure.region`
+- `exchangeOnline.azure.domain`
+- `exchangeOnline.azure.azureCloud`
+- `exchangeOnline.azure.tenantId`
+- `exchangeOnline.azure.tenantName`
+- `exchangeOnline.azure.clientId`
+- `exchangeOnline.azure.clientSecret`
+- `exchangeOnline.azure.region`
+- `sharePoint.pollingInterval`
+- `api.protocol`
+- `api.certificate`
+- `api.hostNameVerification`
+- `api.channel`
+- `sql.pollingInterval`
+- `sql.tweakOptions`
+- `netapp.nfs3EventName`
+- `netapp.nfs3FailedEventName`
+- `netapp.nfs4FailedEventName`
+- `netapp.nfs4EventName`
+- `netapp.cifsEventName`
+- `netapp.cifsFailedEventName`
+- `netapp.policyName`
+- `netapp.externalEngineName`
+
+**PATCH /api/v1/agents/«agentId»/hosts/«hostId»**
+
+Modifies the host on the specified agent only. The method is useful to set agent-specific settings.
+
+- Permission – Modify hosts
+- Body – Content type: `application/merge-patch+json`, changes to the Host resource in the JSON
+ Merge Patch format
+- Response – 200, Host
+
+**Permission: Modify hosts**
+
+Body: Content type: `application/merge-patch+json`, changes to the Host resource in the JSON Merge
+Patch format
+
+**Response: 200, Host**
+
+The following attributes can be modified:
+
+- `host` - must be a valid hostname or ip4/ip6 address
+- `autoConfigureAuditing`
+- `monitorAuditingStatus`
+- hostAliases
+- `userName`
+- `password`
+- `inactivityAlerts.isEnabled`
+- `inactivityAlerts.useCustomSettings`
+- `inactivityAlerts.inactivityInterval`
+- `inactivityAlerts.replayInterval`
+- `inactivityAlerts.inactivityCheckInterval`
+- `inactivityAlerts.syslog.server`
+- `inactivityAlerts.syslog.protocol`
+- `inactivityAlerts.syslog.separator`
+- `inactivityAlerts.syslog.template`
+- `inactivityAlerts.email.server`
+- `inactivityAlerts.email.ssl`
+- `inactivityAlerts.email.userName`
+- `inactivityAlerts.email.password`
+- `inactivityAlerts.email.from`
+- `inactivityAlerts.email.to`
+- `inactivityAlerts.email.subject`
+- `inactivityAlerts.email.body`
+- `uidTranslate.isEnabled`
+- `uidTranslate.domainController`
+- `uidTranslate.port`
+- `uidTranslate.options`
+- `uidTranslate.container`
+- `uidTranslate.scope`
+- `uidTranslate.filter`
+- `hitachi.uncLogPath`
+- `hitachi.logFileName` +- `hitachi.pollingInterval` +- `spo.azure.domain` +- `spo.azure.azureCloud` +- `spo.azure.tenantId` +- `spo.azure.tenantName` +- `spo.azure.clientId` +- `spo.azure.clientSecret` +- `spo.azure.region` +- `azureAd.azure.domain` +- `azureAd.azure.azureCloud` +- `azureAd.azure.tenantId` +- `azureAd.azure.tenantName` +- `azureAd.azure.clientId` +- `azureAd.azure.clientSecret` +- `azureAd.azure.region` +- `exchangeOnline.azure.domain` +- `exchangeOnline.azure.azureCloud` +- `exchangeOnline.azure.tenantId` +- `exchangeOnline.azure.tenantName` +- `exchangeOnline.azure.clientId` +- `exchangeOnline.azure.clientSecret` +- `exchangeOnline.azure.region` +- `sharePoint.pollingInterval` +- `api.protocol` +- `api.certificate` +- `api.hostNameVerification` +- `api.channel` +- `sql.pollingInterval` +- `sql.tweakOptions` +- `netapp.nfs3EventName` +- `netapp.nfs3FailedEventName` +- `netapp.nfs4FailedEventName` +- `netapp.nfs4EventName` +- `netapp.cifsEventName` +- `netapp.cifsFailedEventName` +- `netapp.policyName` +- `netapp.externalEngineName` + +**DELETE /api/v1/hosts/«hostId»** + +Removes the host from being monitored from all the agents. + +- Permission – Modify hosts +- Response – 204 + +**Permission: Modify hosts** + +Response: 204 + +**DELETE /api/v1/agents/«agentId»/hosts/«hostId»** + +Removes the host from being monitored from the specified agent. + +- Permission – Modify hosts +- Response – 204 + +**Permission: Modify hosts** + +Response: 204 + +**GET /api/v1/hosts/«hostId»/outputs** + +Returns a list of outputs for the specified host. If the host is not found or the client lacks the +necessary permissions, a 404 error is returned. + +- Permission – Read or Access activity data +- Response – Array of Output + +**Permission: Read or Access activity data** + +Response: Array of Output + +**POST /api/v1/hosts/«hostId»/outputs** + +Adds a new output for the specified host on all agents that monitor the host. 
+ +- Permission – Modify hosts +- Response – 201, Output + +**Permission: Modify hosts** + +Response: 201, Output + +Required Attributes: + +- type + - Values (Case Sensitive) + - LogFile + - Syslog + - Amqp +- syslog.server (Required only if Syslog is set to type) +- amqp.server (Required only if Amqp is set to type) + +Request Body Structure: + +``` +{           +    "type" : "string", +    "syslog" : { +        "server" : "string" +    }, +    "amqp" : { +        "server" : "string" +    } +} +``` + +**POST /api/v1/agents/«agentId»/hosts/«hostId»/outputs** + +Adds a new output for the specified host on the specified agent only. The method may be useful to +have agent-specific outputs but is not recommended. + +- Permission – Modify hosts +- Response – 201, Output + +**Permission: Modify hosts** + +Response: 201, Output + +Required attributes: + +- type + - Values (Case Sensitive) + - LogFile + - Syslog + - Amqp +- syslog.server (Required only if Syslog is set to type) +- amqp.server (Required only if Amqp is set to type) + +Request Body Structure: + +``` +{           +    "type" : "string", +    "syslog" : { +        "server" : "string" +    }, +    "amqp" : { +        "server" : "string" +    } +} +``` + +**GET /api/v1/hosts/«hostId»/outputs/«outputId»** + +Returns the specified output of the host. If the host or output is not found, or the client lacks +the necessary permissions, a 404 error is returned. 
+ +- Permission – Read or Access activity data +- Response – Output + +**Permission: Read or Access activity data** + +Response: Output + +Response Example: + +``` +{ +  "id": "a556d7c3666d46babe895f2b9ce1316b", +  "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/a556d7c3666d46babe895f2b9ce1316b", +  "hostId": "Windows-wrkst0100", +  "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +  "agentsIds": [ +    "AGENT3" +  ], +  "logsUrl": "https://localhost:4494/api/v1/logs/a556d7c3666d46babe895f2b9ce1316b", +  "isEnabled": false, +  "type": "LogFile", +  "logFile": { +    "format": "Tsv", +    "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\WRKST0100_E_Activity_Log_.Tsv", +    "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_a556d7c3-666d-46ba-be89-5f2b9ce1316b\\WRKST0100_E_Activity_Log_.Tsv", +    "daysToRetain": 3, +    "reportUserName": false, +    "reportUncPath": false, +    "addCToPath": true, +    "reportMilliseconds": false, +    "stealthAudit": false +  }, +  "syslog": null, +  "amqp": null, +  "fileFilter": { +    "allowed": true, +    "denied": true, +    "cifs": true, +    "nfs": true, +    "read": false, +    "dirRead": false, +    "create": true, +    "dirCreate": true, +    "rename": true, +    "dirRename": true, +    "delete": true, +    "dirDelete": true, +    "update": true, +    "permission": true, +    "dirPermission": true, +    "readOptimize": false, +    "includePaths": [ +      "E:" +    ], +    "excludePaths": [], +    "excludeExtensions": [], +    "excludeProcesses": [ +      "SBTService.exe", +      "FSAC", +      "FPolicyServerSvc.exe", +      "CelerraServerSvc.exe", +      "FSACLoggingSvc.exe", +      "HitachiService.exe", +      "SIWindowsAgent.exe", +      "SIGPOAgent.exe", +      "SIWorkstationAgent.exe", +      "StealthAUDIT", +      "LogProcessorSrv.exe", +      "SearchIndexer.exe", +      "WindowsSearch.exe" +    ], +    "excludeReadProccesses": [], +  
  "excludeAccounts": [ +      "S-1-5-17", +      "S-1-5-18", +      "S-1-5-19", +      "S-1-5-20" +    ], +    "filterGroups": false, +    "officeFiltering": false +  }, +  "sharePointFilter": null, +  "comment": "Updates on E:", +  "managedBy": "", +  "windows": { +    "vssCreation": true, +    "vssActivity": true, +    "discardReorderedAcl": true, +    "discardInheritedAcl": true +  } +} + +``` + +**GET /api/v1/hosts/«hostId»/outputs/«outputId»/statusHistory** + +Returns a journal of status changes for the output, ordered by time in descending order. + +- Permission – Read +- Response – Array of Status + +**Permission: Read** + +Response: Array of Status + +**PATCH /api/v1/hosts/«hostId»/outputs/«outputId»** + +Modifies the specified output on all the agents that monitor the host. + +- Permission – Modify hosts +- Body – content type: `application/merge-patch+json`, changes to the Output resource in the JSON + Merge Patch format + +**Permission: Modify hosts** + +Body: content type: `application/merge-patch+json`, changes to the Output resource in the JSON Merge +Patch format + +**Response: 200, Output** + +The following attributes can be modified: + +- `comment` +- `isEnabled` +- `managedBy` +- `type` ¬ for `LogFile`, the `logFile` attribute must be set; for `Syslog` ¬ the `syslog` + attribute; for `Amqp` ¬ the `amqp` attribute. +- `windows.discardInheritedAcl` +- `windows.discardReorderedAcl` +- `windows.vssActivity` +- `windows.vssCreation` +- `amqp.server` - must be a a vaild hostname or ip4/ip6 address. 
+- `amqp.userName` +- `amqp.password` +- `amqp.vhost` +- `amqp.queue` +- `fileFilter.cifs` +- `fileFilter.nfs` +- `fileFilter.create` +- `fileFilter.delete` +- `fileFilter.dirCreate` +- `fileFilter.dirDelete` +- `fileFilter.dirPermission` +- `fileFilter.dirRead` +- `fileFilter.dirRename` +- `fileFilter.excludeExtensions` +- `fileFilter.excludeProcesses` +- `fileFilter.excludeReadProccesses` +- `fileFilter.filterGroups` +- `fileFilter.officeFiltering` +- `fileFilter.permission` +- `fileFilter.read` +- `fileFilter.readOptimize` +- `fileFilter.rename` +- `fileFilter.update` +- `logFile.addCToPath` +- `logFile.archivePath` +- `logFile.daysToRetain` +- `logFile.format` - `Tsv` or `Json` +- `logFile.path` +- `logFile.reportMilliseconds` +- `logFile.reportUncPath` +- `logFile.reportUserName` +- `logFile.stealthAudit` +- `syslog.protocol` - `UDP` (default), `TCP`, `TLS` +- `syslog.addCToPath` +- `syslog.reportUncPath` +- `syslog.separator` - `Lf` (default), `Cr`, `CrLf`, `Nul`, or `Rfc5425` +- `syslog.server` - must be a vaild hostname or ip4/ip6 address. + +For File System hosts: + +- `fileFilter.excludeAccounts` +- `fileFilter.includePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.excludePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.pathFilters` ¬ An ordered array of strings where each element has `{+/-}path` format. + `+` means include path, `-` means exclude path. `?`, `*`, and `**` wildcards are supported. 
+ Example: `['+c:/windows/**', '-c:/temp/**']` + +For SharePoint hosts: + +- `sharePointFilter.excludeAccounts` +- `sharePointFilter.excludeUrls` +- `sharePointFilter.includeUrls` +- `sharePointFilter.operations` - `CheckOut`, `CheckIn`, `View`, `Delete`, `Update`, + `ProfileChange`, `ChildDelete`, `SchemaChange`, `Undelete`, `Workflow`, `Copy`, `Move`, + `AuditMaskChange`, `Search`, `ChildMove`, `FileFragmentWrite`, `SecGroupCreate`, `SecGroupDelete`, + `SecGroupMemberAdd`, `SecGroupMemberDel`, `SecRoleDefCreate`, `SecRoleDefDelete`, + `SecRoleDefModify`, `SecRoleDefBreakInherit`, `SecRoleBindUpdate`, `SecRoleBindInherit`, + `SecRoleBindBreakInherit`, `EventsDeleted`, `AppPermissionGrant`, `AppPermissionDelete`, `Custom` + +**PATCH /api/v1/agents/«agentId»/hosts/«hostId»/outputs/«outputId»** + +Modifies the specified output on the specified agent only. The method may be useful to set +agent-specific attributes. + +- Permission – Modify hosts +- Body – content type: `application/merge-patch+json`, changes to the Output resource in the JSON + Merge Patch format +- Response – 200, Output + +**Permission: Modify hosts** + +Body: content type: `application/merge-patch+json`, changes to the Output resource in the JSON Merge +Patch format + +**Response: 200, Output** + +The following attributes can be modified: + +- `comment` +- `isEnabled` +- `managedBy` +- `type` - for `LogFile`, the `logFile` attribute must be set; for `Syslog` ¬ the `syslog` + attribute; for `Amqp` ¬ the `amqp` attribute. +- `windows.discardInheritedAcl` +- `windows.discardReorderedAcl` +- `windows.vssActivity` +- `windows.vssCreation` +- `amqp.server` ¬ must be a a vaild hostname or ip4/ip6 address. 
+- `amqp.userName` +- amqp.password +- `amqp.vhost` +- `amqp.queue` +- `fileFilter.cifs` +- `fileFilter.nfs` +- `fileFilter.create` +- `fileFilter.delete` +- `fileFilter.dirCreate` +- `fileFilter.dirDelete` +- `fileFilter.dirPermission` +- `fileFilter.dirRead` +- `fileFilter.dirRename` +- `fileFilter.excludeExtensions` +- `fileFilter.excludeProcesses` +- `fileFilter.excludeReadProccesses` +- `fileFilter.filterGroups` +- `fileFilter.officeFiltering` +- `fileFilter.permission` +- `fileFilter.read` +- `fileFilter.readOptimize` +- `fileFilter.rename` +- `fileFilter.update` +- `logFile.addCToPath` +- `logFile.archivePath` +- `logFile.daysToRetain` +- `logFile.format` - `Tsv` or `Json` +- `logFile.path` +- `logFile.reportMilliseconds` +- `logFile.reportUncPath` +- `logFile.reportUserName` +- `logFile.stealthAudit` +- `syslog.protocol` - `UDP` (default), `TCP`, `TLS` +- `syslog.addCToPath` +- `syslog.reportUncPath` +- `syslog.separator` - `Lf` (default), `Cr`, `CrLf`, `Nul`, or `Rfc5425` +- `syslog.server` - must be a vaild hostname or ip4/ip6 address. + +For File System hosts: + +- `fileFilter.excludeAccounts` +- `fileFilter.includePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.excludePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.pathFilters` ¬ an ordered array of strings where each element has `{+/-}path` format. + `+` means include path, `-` means exclude path. `?`, `*`, and `**` wildcards are supported. 
+ Example: `['+c:/windows/**', '-c:/temp/**']` + +For SharePoint hosts: + +- `sharePointFilter.excludeAccounts` +- `sharePointFilter.excludeUrls` +- `sharePointFilter.includeUrls` +- `sharePointFilter.operations` - `CheckOut`, `CheckIn`, `View`, `Delete`, `Update`, + `ProfileChange`, `ChildDelete`, `SchemaChange`, `Undelete`, `Workflow`, `Copy`, `Move`, + `AuditMaskChange`, `Search`, `ChildMove`, `FileFragmentWrite`, `SecGroupCreate`, `SecGroupDelete`, + `SecGroupMemberAdd`, `SecGroupMemberDel`, `SecRoleDefCreate`, `SecRoleDefDelete`, + `SecRoleDefModify`, `SecRoleDefBreakInherit`, `SecRoleBindUpdate`, `SecRoleBindInherit`, + `SecRoleBindBreakInherit`, `EventsDeleted`, `AppPermissionGrant`, `AppPermissionDelete`, `Custom` + +**GET /api/v1/hosts/«hostId»/agents** + +Returns a list of agents monitoring the specified host. + +- Permission – Read or Access activity data +- Response – Array of Agent + +**Permission: Read or Access activity data** + +Response: Array of Agent + +**GET /api/v1/logs/«outputId»?includeLocal=true&includeArchived=false** + +Returns a list of files produced by the specified output. 
+ +**Parameters:** + +| Name | Type | Default | Description | +| --------------- | ---- | ------- | ---------------------------------------------- | +| includeLocal | bool | true | Return log files on a local drive of the agent | +| includeArchived | bool | false | Return log files in the archival location | + +- Permission – Read or Access activity data +- Response – Array of File + +**Permission: Read or Access activity data** + +Response: Array of File + +Response Example: + +``` +[ +  { +    "id": "localhost_Log_20190419.tsv", +    "size": 20619226, +    "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190419.tsv", +    "isZip": false, +    "isArchived": false, + "type": "Tsv", +    "updatedAt": "2019-04-19T10:17:32.0546644Z", +    "activityFrom": "2019-04-15T14:30:51", +    "activityTo": "2019-04-19T10:17:32", +    "outputId": "9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190419.tsv" +  }, +  { +    "id": "localhost_Log_20190419.tsv.zip", +    "size": 1413338, +    "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190419.tsv.zip", +    "isZip": true, +    "isArchived": false, +    "type": "Tsv", +    "updatedAt": "2019-04-19T10:17:32.0546644Z", +    "activityFrom": "2019-04-15T14:30:51", +    "activityTo": "2019-04-19T10:17:32", +    "outputId": "9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190419.tsv.zip" +  }, +  { +    "id": "localhost_Log_20290410.tsv.zip", +    "size": 16861634, +    "localPath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_9c907918-9177-4715-bdb3-415823790d7c\\localhost_Log_20290410.tsv.zip", +    "isZip": true, +    "isArchived": true, +    "type": "Tsv", +    "updatedAt": "2019-04-10T02:01:42.4996667Z", +    "activityFrom": "2019-04-05T18:16:57", +    "activityTo": "2019-04-10T02:01:45", +    "outputId": 
"9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/archive/get/WRKST0100/WRKST0100_9c907918-9177-4715-bdb3-415823790d7c/localhost_Log_20290410.tsv.zip" +  } +] + +``` + +**GET /api/v1/domains/«domainId»/policies** + +Returns an array of existing policies for the specified domain. + +- Permission – Read +- Response – Array of Policies + +**Permission: Read** + +Response: Array of Policies + +Response Example: + +``` +[ +  { +    "id": "10013", +    "url": "https://localhost:4494/api/v1/domains/TEST01/policies/10013", +    "name": "LDAP Monitor", +    "description": "", +    "path": "Policies\\Auditing", +    "guid": "8f5e4870-6d28-4f32-af18-2e6e6ed623ce", +    "isEnabled": true, +    "updatedAt": "2019-04-19T10:17:32.0546644Z" +  }, +  { +    "id": "10014", +    "url": "https://localhost:4494/api/v1/domains/TEST01/policies/10014", +    "name": "Authentication Monitor", +    "description": "", +    "path": "Policies\\Auditing", +    "guid": "8f5e4870-6d28-4f32-af18-2e6e6ed623cf", +    "isEnabled": true, +    "updatedAt": "2019-04-19T10:17:32.0546644Z" +  } + ] + +``` + +**POST /api/v1/domains/«domainId»/policies** + +Creates a new policy for the specified domain using the provided XML. ID and GUID attributes in the +XML are ignored, and new values are assigned. + +**Permission: Policy change** + +Input: + +- Content type ¬ application/json, Body: Policy, `xml` is required. Other fields, if set, replace + values in XML. +- Content type ¬ application/xml, Body: XML of the policy to be created + +**Response: 201, Policy** + +Required attributes: + +- xml + +**PATCH /api/v1/domains/«domainId»/policies/«policyId»** + +Modifies attributes of the policy. If XML is updated, ID and GUID attributes in the XML are ignored, +and existing values are preserved. + +**Permission: Policy change** + +Input: + +- Content type: application/merge-patch+json, Body: JSON Merge Patch of Policy. 
+
+**Response: 200, Policy**
+
+Response Example:
+
+```
+  {
+    "id": "10014",
+    "url": "https://localhost:4494/api/v1/domains/TEST01/policies/10014",
+    "name": "Authentication Monitor",
+    "description": "",
+    "path": "Policies\\Auditing",
+    "guid": "8f5e4870-6d28-4f32-af18-2e6e6ed623cf",
+    "isEnabled": false,
+    "updatedAt": "2019-06-19T10:11:12Z"
+    "xml": "......"
+  }
+
+```
+
+Request body example:
+
+```
+{
+  "isEnabled": false
+}
+```
+
+**DELETE /api/v1/domains/«domainId»/policies/«policyId»**
+
+Deletes the specified policy.
+
+- Permission – Policy change
+- Response – 204
+
+**Permission: Policy change**
+
+Response: 204
diff --git a/docs/activitymonitor/10.0/restapi/security.md b/docs/activitymonitor/10.0/restapi/security.md
new file mode 100644
index 0000000000..9697f539df
--- /dev/null
+++ b/docs/activitymonitor/10.0/restapi/security.md
@@ -0,0 +1,84 @@
+---
+title: "Security and Access Control"
+description: "Security and Access Control"
+sidebar_position: 10
+---
+
+# Security and Access Control
+
+## Security
+
+The REST-style API is exposed via TLS v1.2, with a self-signed certificate by default. The port is
+customizable, 4494 by default. The IP whitelist can be used to restrict access to the port.
+
+You can use the Activity Monitor Console to allow applications to access the API, change
+permissions, or revoke access. The console generates unique Client ID and Secret for each
+application.
+
+### Authentication
+
+OAuth 2.0 client-credentials grant is used for authentication. A pair of Client ID and Secret are
+used to obtain an access token from the access token URL: `https://localhost:4494/api/v1/token`.
+Token expiration intervals are not configurable.
+
+| Type | Expires in |
+| ------------- | ---------- |
+| Client Secret | 72 hours |
+| Access Token | 7 days |
+| Refresh Token | never |
+
+It is considered a best practice to use short expiration periods for OAuth 2.0 tokens, like 1 hour
+for the access token. A shorter period allows you to revoke the access quicker if needed. In case of
+Activity Monitor, the Agent is both the authentication server and the resource server. Therefore, it
+can validate the token on each and every access to a resource. So, for Activity Monitor long
+expiration periods do not make the protocol less secure.
+
+A client is expected to pass the access token in the `Authorization` request header.
+
+:::note
+**Use a client library that is secure and fully implements the OAuth 2.0 protocol.** The
+sample below shows just a piece of OAuth 2 interaction. 
+::: + + +``` +curl -X POST -d "client_id=&client_secret=&grant_type=client_credentials" https://:4494/api/v1/token --insecure +{"access_token":"AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAZpRDOzeUzUikVK9ydmsV1QAAAAACAAAAAAAQZgAAAAEAACAAAAAFzYG4Tasvowq939pou5ADE883Ns2DV-X6_S20RMDcwAAAAAAOgAAAAAIAACAAAAB1IcZrZavgp2Ab63P +8kbCr7NwopOsfz0SeSaXjKVhVC-AAAACix_0klwXoiwiqTZTlaUXCqn9MkquZC84ew9E0-E_vu6FNJ6NDLj7MGCPR-mCi4MRmwr6TYtZ_XfAXRtSh66gbABv-gTnmimruLRWxN2is5twUl563kGpHqnbKydqPNgOy4gXxgR_V08kFut2qPxZ +LsN14yK8Prp1paaQy4-mhONaFIrVx7bOmVIdfVnjEYjwIRdd9QjQEY3wJtnDIEBWi2s-6uYo8tcCEztPiraBpLJC3Tib8NQYu_YxwbzeRun_h2KZOMewLzkfZGS2h9SvvnlxECQ0G5PEfslnAEwC7VEAAAAAxZTm06tyRQNMbw_bLr4FiZi0 +y-QipaafBBRtm83q-l6bG9bQ-C1Hr19-0H6KgzDb3_JJWxxNmGdD-wG95wjlD","token_type":"bearer","expires_in":604799,"refresh_token":"AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAZpRDOzeUzUikVK9ydmsV1QAAAA +ACAAAAAAAQZgAAAAEAACAAAAAocNSP3GFuJ0RK_1dsX5uSR4dmiqzhV7-LYhc9sYbF2gAAAAAOgAAAAAIAACAAAABQuudDm06II62U6vM2u9CczyRa1siP-H3WfP6iDYOmh-AAAADjzqzTweG14Gngd68rC3BX4GA4kBR5FA8JVVly3KHUS2 +Q-SD9q4S9C3yLZxv2k_zGr2YA_bVdfZ78vRCUYC3QgbpJTjzYPWnPNW5RsqLLtd47h6THU5Wc0RkoBG4c8gB569Jvl0WkAG3xJFHitbUQISYbSosd-cIW4JZkHzcT3zkPgAtLkNyhqQd1g1jgCzP63MCAFq1AN2NB2wLCk_jNRi8aypxR1Ty +F5HpSlZ6QzVNycMNeckayAEOCAUAXwx_tBVhqvUwn7YEF_bT2WYoW9boU_IUzWKtO8R5MXsVR6aEAAAAATVk3stUcghjkgv6abuLddE9Hf2S0o9Gpmp4UPallX6dIbAvm10f-De1aTU-jG7LJMdAv2PKVyuGiyUzI-DE0K"} + +``` + +### Authorization + +A user assigns permissions to a client application. Permissions can be combined. + +Activity Monitor 10.0 permissions: + +| Permission | Description | +| -------------------- | --------------------------------------------------------------------------------------------------------------------------- | +| Access activity data | Provides minimal access rights to list and download the log files. | +| Read | Read-only access to all the information about all agents, domains, and hosts. Does not allow one to download the log files. 
|
+| Policy change | Add, modify, and delete the AD monitoring policies. |
+| Modify host | Add, modify, enable, disable, and delete Hosts and their Outputs. |
+| Modify agent | Add, modify, and delete agents. |
+
+An unauthorized request fails with `401 Unauthorized` (instead of `403 Forbidden`) when the resource is
+specified explicitly, by ID. For collections, the API Server removes unauthorized resources from
+results.
+
+`Access activity data` is special. It provides limited information only about the agent which hosts
+the API server, limited monitored domain information, limited monitored hosts/services information, and
+outputs - just enough to get information about the log files. See "Detailed Only" column in the next
+section for the list of attributes not included into the limited information.
+
+Here is how the permissions affect the returned resources:
+
+| Permission\Resource | Agent | Host | Domain | Output | Policy | Log File |
+| -------------------- | ------------------------------ | -------------------------------------- | --------------------------------------- | ---------------------------------------- | ------ | ----------------------- |
+| Read | All agents, all info | All hosts, all info | All domains, all info | All | All | None |
+| Access activity data | Only this agent. Limited info. | This agent's hosts only. Limited info. | This agent's domain only. Limited info. | Outputs of this agent's hosts and domain | None | All files of this agent |
diff --git a/docs/activitymonitor/10.0/siem/_category_.json b/docs/activitymonitor/10.0/siem/_category_.json
new file mode 100644
index 0000000000..97ac249831
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "SIEM Integrations",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/siem/overview.md b/docs/activitymonitor/10.0/siem/overview.md
new file mode 100644
index 0000000000..87de2683be
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/overview.md
@@ -0,0 +1,22 @@
+---
+title: "SIEM Integrations"
+description: "SIEM Integrations"
+sidebar_position: 70
+---
+
+# SIEM Integrations
+
+Netwrix activity monitoring solutions enable organizations to successfully, efficiently,
+and affordably monitor file access and permission changes across Windows and Network Attached
+Storage (NAS) file systems in real-time. Using preconfigured Netwrix Activity Monitor Apps,
+users can quickly understand all file activities as a whole, for specific resources or users, as
+well as patterns of activity indicative of threats such as crypto ransomware or data exfiltration
+attempts. With full control over the data, users can create custom searches, all while enabling apps
+to correlate file system activity with any log source.
+
+Preconfigured Netwrix Activity Monitor Apps are:
+
+- Splunk - See the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) topic for additional
+ information
+- QRadar - See the [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/10.0/siem/qradar/overview.md) topic for
+ additional information
diff --git a/docs/activitymonitor/10.0/siem/qradar/_category_.json b/docs/activitymonitor/10.0/siem/qradar/_category_.json
new file mode 100644
index 0000000000..82c7f803f7
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Netwrix File Activity Monitor App for QRadar",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/_category_.json b/docs/activitymonitor/10.0/siem/qradar/app/_category_.json
new file mode 100644
index 0000000000..58035c056d
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "File Activity Monitor App for QRadar",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "app"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/about.md b/docs/activitymonitor/10.0/siem/qradar/app/about.md
new file mode 100644
index 0000000000..7b577b29f0
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/about.md
@@ -0,0 +1,13 @@
+---
+title: "About Dashboard"
+description: "About Dashboard"
+sidebar_position: 70
+---
+
+# About Dashboard
+
+The About dashboard provides information about the application.
+
+![About Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/aboutdashboard.webp)
+
+Information on how to obtain a license for the applicable Netwrix software is included.
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/app.md b/docs/activitymonitor/10.0/siem/qradar/app/app.md
new file mode 100644
index 0000000000..a6762fd75f
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/app.md
@@ -0,0 +1,44 @@
+---
+title: "File Activity Monitor App for QRadar"
+description: "File Activity Monitor App for QRadar"
+sidebar_position: 10
+---
+
+# File Activity Monitor App for QRadar
+
+Netwrix Activity Monitor App for QRadar (File Activity Monitor tab) contains several
+predefined dashboards: File Activity (Home), Ransomware, Permission Changes, Deletions, User
+Investigation, and Host Investigation. There is also an About dashboard with additional information
+and a Settings interface for configuring the QRadar SEC token.
+
+![file_activity_monitor_app](/images/activitymonitor/9.0/siem/qradar/file_activity_monitor_app.webp)
+
+The User Investigation and Host Investigation dashboards only appear when a search is conducted.
+This can be done by clicking a hyperlink within the Username or Destination IP columns of a table
+card. Alternatively, type the complete user name or host IP Address in the Search box on the right
+side of the navigation bar.
+
+## Table Card Features
+
+Within the dashboards are several cards with a tabular format. Each of these cards have the
+following features:
+
+- Only five pages of data will be loaded at a time. Applying the Search or Sort features or moving
+ beyond the five ‘loaded’ pages will result in a “Processing” banner being temporarily displayed
+ over the table while the server is directly queried for the necessary data.
+- Search data entries for the Username, Destination IP, and File Path columns by typing in the
+ Search box in the upper-right corner of the card:
+
+ - Any entries with a match will remain in the table, all non-matching entries will be filtered
+ out.
+ - Total number of entries “Showing” will adjust for the filtered total.
+ - Search can also apply to the Operation column, but only for exact matches.
+
+- Sort can be applied to one column at a time by clicking on the desired column header.
+- Show 10, 25, 100, or All entries in the table. Only visible entries can be exported. 
+- Result data currently visible within the table page displayed can be exported from the dashboard:
+
+ - Copy – Copy to clipboard in order to paste to another application
+ - CSV – Export to a Comma Separated Value file
+ - Excel – Export to an Excel Workbook file
+ - Print – Send currently displayed table to printer
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/deletions.md b/docs/activitymonitor/10.0/siem/qradar/app/deletions.md
new file mode 100644
index 0000000000..1c570c383e
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/deletions.md
@@ -0,0 +1,25 @@
+---
+title: "Deletions Dashboard"
+description: "Deletions Dashboard"
+sidebar_position: 40
+---
+
+# Deletions Dashboard
+
+The Deletions dashboard contains the following cards:
+
+![Deletions Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/deletionsdashboard.webp)
+
+- Activity – Timeline of all deletion events over the specified time interval
+- Top Users – Displays up-to the top five users associated with deletion events over the specified
+ time interval
+- Latest Events – Tabular format of all deletion events which occurred over the specified time
+ interval
+
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+The time interval is identified in the upper-right corner with the Start and End boxes. This is set
+by default to the “past day,” or 24 hours. To search within a different interval, either manually
+type the desired date and time or use the calendar buttons to set the desired date and time
+interval. Then click Search to refresh the card data.
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/home.md b/docs/activitymonitor/10.0/siem/qradar/app/home.md
new file mode 100644
index 0000000000..37bba278e8
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/home.md
@@ -0,0 +1,36 @@
+---
+title: "Home Dashboard"
+description: "Home Dashboard"
+sidebar_position: 10
+---
+
+# Home Dashboard
+
+The File System Activity Home dashboard contains the following cards:
+
+![Home Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/homedashboard.webp)
+
+- Active Users – Number of distinct users recorded performing any type of file activity to/from any
+ host over the specified time interval
+- Active Servers – Number of distinct servers accessed (destination IP Addresses) with any type of
+ file activity recorded over the specified time interval
+- Open Offenses – Number of ransomware offenses detected within QRadar from the file activity event
+ data
+
+ - The value for this card is a hyperlink to the [Ransomware Dashboard](/docs/activitymonitor/10.0/siem/qradar/app/ransomware.md).
+
+- File Activity – Timeline of all file activity over the specified time interval
+- Top Users – Displays up-to the top five users associated with file activity over the specified
+ time interval
+- Top Servers – Displays up-to the top five servers (destination IP Addresses) associated with file
+ activity over the specified time interval
+- Latest Events – Tabular format of all file activity events which occurred over the specified time
+ interval
+
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+The time interval is identified in the upper-right corner with the Start and End boxes. This is set
+by default to the “past day,” or 24 hours. To search within a different interval, either manually
+type the desired date and time or use the calendar buttons to set the desired date and time
+interval. Then click Search to refresh the card data.
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/hostinvestigation.md b/docs/activitymonitor/10.0/siem/qradar/app/hostinvestigation.md
new file mode 100644
index 0000000000..1f0d0e278a
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/hostinvestigation.md
@@ -0,0 +1,40 @@
+---
+title: "Host Investigation Dashboard"
+description: "Host Investigation Dashboard"
+sidebar_position: 60
+---
+
+# Host Investigation Dashboard
+
+The Host Investigation dashboard only appears when a search is conducted. This can be done by
+clicking a hyperlink within the Destination IP column of a table card. Alternatively, type the
+complete host IP Address in the Search box on the right side of the navigation bar.
+
+![Home Investigation Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp)
+
+The Host Investigation dashboard contains the following cards:
+
+- Total Actions – Number of all file activity events associated with the host over the specified
+ time interval
+- Users – Number of usernames associated with the host over the specified time interval
+- Resources – Number of distinct files associated with the host over the specified time interval
+- File Activity – Timeline of all events associated with the host over the specified time interval
+
+ - The graph values can be toggled on an off by clicking on individual elements in the legend.
+
+- Details of File Activity – Tabular format of all file activity events associated with the host
+ which occurred over the specified time interval
+
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+- Destination Host Offenses – QRadar offenses associated with the host which occurred over the
+ specified time interval
+
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+The time interval is identified in the upper-right corner with the Start and End boxes. This is set
+by default to the “past day,” or 24 hours. 
To search within a different interval, either manually
+type the desired date and time or use the calendar buttons to set the desired date and time
+interval. Then click Search to refresh the card data.
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/permissionchanges.md b/docs/activitymonitor/10.0/siem/qradar/app/permissionchanges.md
new file mode 100644
index 0000000000..5573d26414
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/permissionchanges.md
@@ -0,0 +1,28 @@
+---
+title: "Permission Changes Dashboard"
+description: "Permission Changes Dashboard"
+sidebar_position: 30
+---
+
+# Permission Changes Dashboard
+
+The Permission Changes Dashboard for QRadar shows information on changes made to permissions using
+various metrics.
+
+![Permission Changes Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/permissionchangesdashboard.webp)
+
+The Permission Changes dashboard contains the following cards:
+
+- Activity – Timeline of all permission change events over the specified time interval
+- Top Users – Displays up-to the top five users associated with permission change events over the
+ specified time interval
+- Latest Events – Tabular format of all permission change events which occurred over the specified
+ time interval
+
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+The time interval is identified in the upper-right corner with the Start and End boxes. This is set
+by default to the “past day,” or 24 hours. To search within a different interval, either manually
+type the desired date and time or use the calendar buttons to set the desired date and time
+interval. Then click Search to refresh the card data.
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/ransomware.md b/docs/activitymonitor/10.0/siem/qradar/app/ransomware.md
new file mode 100644
index 0000000000..3696dffd76
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/ransomware.md
@@ -0,0 +1,37 @@
+---
+title: "Ransomware Dashboard"
+description: "Ransomware Dashboard"
+sidebar_position: 20
+---
+
+# Ransomware Dashboard
+
+The Ransomware Dashboard for QRadar shows a list of suspected ransomware events.
+
+![Ransomware Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/ransomwaredashboard.webp)
+
+The Ransomware dashboard contains the following cards:
+
+- Offenses – List of offenses detected within QRadar from the file activity data as a potential
+ ransomware attack
+
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+- Details of Ransomware Attack – Tabular format of all file activity events for the selected offense
+ which occurred over the specified time interval
+
+ - Only visible after clicking Search on an offense
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+- Breakdown of File Types – Pie chart of the top eight file extensions of the affected files for the
+ selected offense
+
+ - Only visible after clicking Search on an offense
+
+The offenses generated within QRadar are based upon the Netwrix: Ransomware Detected rule that
+is packaged with this application. In order to adjust this rule to better suit an organization’s
+needs, please refer to the IBM QRadar
+[Rule management](https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_qradar_rul_mgt.html)
+article on how to modify rules.
diff --git a/docs/activitymonitor/10.0/siem/qradar/app/userinvestigation.md b/docs/activitymonitor/10.0/siem/qradar/app/userinvestigation.md
new file mode 100644
index 0000000000..7eb65eecd1
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/app/userinvestigation.md
@@ -0,0 +1,36 @@
+---
+title: "User Investigation Dashboard"
+description: "User Investigation Dashboard"
+sidebar_position: 50
+---
+
+# User Investigation Dashboard
+
+The User Investigation dashboard only appears when a search is conducted. This can be done by
+clicking a hyperlink within the Username column of a table card. Alternatively, type the complete
+user name in the Search box on the right side of the navigation bar.
+
+![User Investigation Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp)
+
+The User Investigation dashboard contains the following cards:
+
+- Total Actions – Number of all file activity events associated with the user over the specified
+ time interval
+- File Servers – Number of destination IP Addresses associated with the user over the specified time
+ interval
+- Resources – Number of distinct files associated with the user over the specified time interval
+- File Activity – Timeline of all events associated with the user over the specified time interval
+ - The graph values can be toggled on an off by clicking on individual elements in the legend.
+- Details of File Activity – Tabular format of all file activity events associated with the user
+ which occurred over the specified time interval
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+- Destination Host Offenses – QRadar offenses associated with the destination IP Addresses accessed
+ by the user during the specified time interval
+ - See the [Table Card Features ](/docs/activitymonitor/10.0/siem/qradar/app/app.md#table-card-features) topic for additional
+ information.
+
+The time interval is identified in the upper-right corner with the Start and End boxes. This is set
+by default to the “past day,” or 24 hours. 
To search within a different interval, either manually
+type the desired date and time or use the calendar buttons to set the desired date and time
+interval. Then click Search to refresh the card data.
diff --git a/docs/activitymonitor/10.0/siem/qradar/offenses.md b/docs/activitymonitor/10.0/siem/qradar/offenses.md
new file mode 100644
index 0000000000..19169f74c2
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/offenses.md
@@ -0,0 +1,19 @@
+---
+title: "Offenses"
+description: "Offenses"
+sidebar_position: 30
+---
+
+# Offenses
+
+The Activity Monitor App for QRadar feeds a couple of QRadar Offenses.
+
+![Netwrix Offenses in QRadar](/images/activitymonitor/9.0/siem/qradar/stealthbitsoffenses.webp)
+
+While the [Ransomware Dashboard](/docs/activitymonitor/10.0/siem/qradar/app/ransomware.md) reports on incidents of Ransomware attacks
+monitored by Netwrix Threat Prevention, the following offenses may be generated by the Netwrix Activity Monitor App.
+
+| QRadar Offense | Definition |
+| ---------------------------------------- | ---------------------------------------------------------------------------- |
+| INTERCEPT: File System Attacks (By User) | Significant number of file changes made by an account in a short time period |
+| Netwrix: Ransomware Detected | Threshold-based Ransomware Rule |
diff --git a/docs/activitymonitor/10.0/siem/qradar/overview.md b/docs/activitymonitor/10.0/siem/qradar/overview.md
new file mode 100644
index 0000000000..d5be159e98
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/overview.md
@@ -0,0 +1,84 @@
+---
+title: "Netwrix File Activity Monitor App for QRadar"
+description: "Netwrix File Activity Monitor App for QRadar"
+sidebar_position: 10
+---
+
+# Netwrix File Activity Monitor App for QRadar
+
+Netwrix File Activity monitoring solutions enable organizations to successfully, efficiently, and
+affordably monitor file access and permission changes across Windows and Network Attached Storage
+(NAS) file systems in real-time. Using the preconfigured  Netwrix File Activity Monitor App for
+QRadar, users can quickly understand all file activities as a whole, for specific resources or
+users, as well as patterns of activity indicative of threats such as crypto ransomware or data
+exfiltration attempts. With full control over the data, users can create custom searches, all while
+enabling QRadar to correlate file system activity with any log source.
+
+This document describes how to integrate Netwrix products with the Netwrix File Activity Monitor App
+for QRadar found in the IBM X-Force Exchange. Any Netwrix products can be configured to monitor file
+system activity and send the monitored events to QRadar. After installing this app, ensure that
+either the Activity Monitor, Threat Prevention, or Access Analyzer has been configured to send
+events to QRadar. See the [Netwrix Technical Knowledge Center](https://helpcenter.netwrix.com/) on
+the Netwrix website for additional information.
+
+## App Installation in QRadar
+
+Download the [Netwrix File Activity Monitor App for
+QRadar](https://exchange.xforce.ibmcloud.com/hub/extension/STEALTHbits Technologies:STEALTHbits File Activity Monitor) from the [IBM X-Force App Exchange](https://exchange.xforce.ibmcloud.com/hub).
+After downloading the Stealthbits File Activity Monitor App for QRadar, follow the steps to install
+it within QRadar.
+
+**Step 1 –** Click on the Admin tab within QRadar.
+
+**Step 2 –** Under System Configuration, click Extensions Management. 
+
+**Step 3 –** Click **Add** in the top-right corner of the window. Navigate to the location where you
+downloaded the app, and select it. Check the Install Immediately checkbox, and then click Add.
+
+**Step 4 –** When the Validating Install window is finished processing, check the Overwrite option.
+Then click **Install**.
+
+**Step 5 –** Close the Extensions Management window, and then select the File Activity Monitor tab
+within QRadar.
+
+The File Activity Monitor tab will appear within QRadar. It is necessary for the QRadar SEC token to
+be saved to the Settings interface of the **File Activity Monitor** App. See the
+[Settings](/docs/activitymonitor/10.0/siem/qradar/settings.md) topic for additional information.
+
+## Initial Configuration of the QRadar App
+
+Follow the steps to configure QRadar to receive data from Netwrix products.
+
+**Step 1 –** Determine the IP Address of the QRadar Console, e.g. run the _ifconfig_ command. This
+information is required for the following sections:
+
+- See the Syslog Tab section of the Netwrix Activity Monitor User Guide for information on
+ how to configure the Netwrix Activity Monitor to send data to QRadar.
+- See the SIEM Tab section of the Netwrix Threat Prevention Admin Console User Guide for information on how
+ to configure Threat Prevention to send data to QRadar.
+
+**Step 2 –** Navigate to the **Admin** tab in the QRadar web interface and click Data Sources.
+
+**Step 3 –** Select Log Sources.
+
+**Step 4 –** View the Log Sources list. If the data source was not automatically created, click Add
+and enter the following information:
+
+- Log Source Name – Enter a descriptive name to identify the data source
+- Log Source Description – Enter a description of the data source
+- Log Source Type – Netwrix Threat Prevention
+ - Use this source type for both the Netwrix Activity Monitor and Netwrix Threat Prevention.
+
+**Step 5 –** Test that the configuration is working correctly. 
Check the Log Activity page inside of
+the web console for QRadar. There should be logs of events that are generated as soon as QRadar
+starts receiving data. If there are no events, use a packet sniffer to ensure that packets are being
+sent correctly between the hosts, and diagnose any possible network issues.
+
+- Protocol Configuration – Select Syslog
+- Log Source Identifier – Enter the host name or IP Address of the host where the Netwrix
+ Activity Monitor agent OR Threat Prevention is installed
+- Then click Save. Remember, prior to using the Netwrix File Activity Monitor App for QRadar, the
+ related Netwrix product must be configured to send data to QRadar.
+
+The  Netwrix File Activity Monitor App for QRadar can now display activity data from either the
+ Netwrix Activity Monitor or Netwrix Threat Prevention.
diff --git a/docs/activitymonitor/10.0/siem/qradar/settings.md b/docs/activitymonitor/10.0/siem/qradar/settings.md
new file mode 100644
index 0000000000..d6760cd22d
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/qradar/settings.md
@@ -0,0 +1,15 @@
+---
+title: "Settings"
+description: "Settings"
+sidebar_position: 20
+---
+
+# Settings
+
+Use the gear icon next to the **Search** box to open the **Settings** interface. It is necessary for
+the QRadar SEC token to be saved to the **Settings** interface.
+
+![Settings for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/settings.webp)
+
+The **More information** link will open the IBM Knowledge Center with information on generating the
+QRadar SEC token. Once the token is generated, copy and paste it here and click Save.
diff --git a/docs/activitymonitor/10.0/siem/splunk/_category_.json b/docs/activitymonitor/10.0/siem/splunk/_category_.json
new file mode 100644
index 0000000000..e9b549fb3f
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "File Activity Monitor App for Splunk",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/siem/splunk/app/_category_.json b/docs/activitymonitor/10.0/siem/splunk/app/_category_.json
new file mode 100644
index 0000000000..dd71e85b85
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/app/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "File Activity Monitor App for Splunk",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "app"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/siem/splunk/app/app.md b/docs/activitymonitor/10.0/siem/splunk/app/app.md
new file mode 100644
index 0000000000..f44cddf87b
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/app/app.md
@@ -0,0 +1,18 @@
+---
+title: "File Activity Monitor App for Splunk"
+description: "File Activity Monitor App for Splunk"
+sidebar_position: 10
+---
+
+# File Activity Monitor App for Splunk
+
+Netwrix File Activity Monitor App for Splunk contains several predefined dashboards: File
+Activity (Overview), Ransomware, Permission Changes, and Deletions.
+
+![file_activity_monitor_app](/images/activitymonitor/9.0/siem/splunk/file_activity_monitor_app.webp)
+
+The date time search feature uses the default Splunk search features.
+
+The timeframe interval is identified in the upper-left corner of each dashboard. The drop-down menu
+provides additional options. To search within a different interval, choose a new option from the
+menu. Then click **Submit** to refresh the card data.
diff --git a/docs/activitymonitor/10.0/siem/splunk/app/deletions.md b/docs/activitymonitor/10.0/siem/splunk/app/deletions.md
new file mode 100644
index 0000000000..7a67f53482
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/app/deletions.md
@@ -0,0 +1,20 @@
+---
+title: "Deletions Dashboard"
+description: "Deletions Dashboard"
+sidebar_position: 40
+---
+
+# Deletions Dashboard
+
+View deletion information in the Deletions Dashboard for Splunk.
+
+![Deletions Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/deletionsdashboard.webp)
+
+The Deletions dashboard contains the following cards:
+
+- Activity – Timeline of all deletion events in the specified timeframe
+- Top Users – Displays up-to the top five users related to deletion events which have been recorded
+ in the specified timeframe
+- Latest Events – Tabular format of all deletion events recorded in the specified timeframe
+
+The specified timeframe is set by default to the Last 24 hours, or past day.
diff --git a/docs/activitymonitor/10.0/siem/splunk/app/overview.md b/docs/activitymonitor/10.0/siem/splunk/app/overview.md
new file mode 100644
index 0000000000..bafd3690dc
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/app/overview.md
@@ -0,0 +1,25 @@
+---
+title: "Overview Dashobard"
+description: "Overview Dashobard"
+sidebar_position: 10
+---
+
+# Overview Dashobard
+
+View general information on the Overview Dashboard for Splunk.
+
+![Overview Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/overviewdashboard.webp)
+
+The File System Activity Overview dashboard contains the following cards:
+
+- Active Users – Number of users involved with file system events in the specified timeframe
+- Active Servers – Number of servers involved with file system events in the specified timeframe
+- File Activity – Timeline of all file system events in the specified timeframe
+- Top Users – Displays up-to the top five users addresses related to file system events which have
+ been recorded in the specified timeframe
+- Top Servers – Displays up-to the top five client IP addresses/host names related to file system
+ events which have been recorded in the specified timeframe
+- Latest Events – Tabular format of all file system change events which have been recorded in the
+ specified timeframe
+
+The specified timeframe is set by default to the Last 24 hours, or past day.
diff --git a/docs/activitymonitor/10.0/siem/splunk/app/permissionchanges.md b/docs/activitymonitor/10.0/siem/splunk/app/permissionchanges.md
new file mode 100644
index 0000000000..8a1e47e6ba
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/app/permissionchanges.md
@@ -0,0 +1,20 @@
+---
+title: "Permission Changes Dashboard"
+description: "Permission Changes Dashboard"
+sidebar_position: 30
+---
+
+# Permission Changes Dashboard
+
+View information on permissions changes on the through the Permission Changes Dashboard for Splunk.
+
+![Permission Changes Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/permissionchangesdashboard.webp)
+
+The Permission Changes dashboard contains the following cards:
+
+- Activity – Timeline of all permission change events in the specified timeframe
+- Top Users – Displays up-to the top five users related to permission change events which have been
+ recorded in the specified timeframe
+- Latest Events – Tabular format of all permission change events recorded in the specified timeframe
+
+The specified timeframe is set by default to the Last 24 hours, or past day.
diff --git a/docs/activitymonitor/10.0/siem/splunk/app/ransomware.md b/docs/activitymonitor/10.0/siem/splunk/app/ransomware.md
new file mode 100644
index 0000000000..062c50fecf
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/app/ransomware.md
@@ -0,0 +1,21 @@
+---
+title: "Ransomware Dashboard"
+description: "Ransomware Dashboard"
+sidebar_position: 20
+---
+
+# Ransomware Dashboard
+
+View information on ransomware using the Ransomware Dashboard for Splunk.
+
+![Ransomware Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/ransomwaredashboard.webp)
+
+The Ransomware dashboard contains the following cards:
+
+- Number of Potential Perpetrators – Number of users involved with events tied to outliers
+- Number of Outliers – Number of outliers by count of file/folder update events
+- Outliers by Count of File/Folder Updates – Graph of expected values for count of file/folder
+ update events (blue area) and calculated outliers (red dots)
+- Outliers by Count of File/Folder Updates Details – Breakdown of outliers by users involved in each
+ outlier and percent of events by user
+- Outlier Events – Tabular format of all file system change events related to outliers
diff --git a/docs/activitymonitor/10.0/siem/splunk/overview.md b/docs/activitymonitor/10.0/siem/splunk/overview.md
new file mode 100644
index 0000000000..6c1ac1a719
--- /dev/null
+++ b/docs/activitymonitor/10.0/siem/splunk/overview.md
@@ -0,0 +1,87 @@
+---
+title: "File Activity Monitor App for Splunk"
+description: "File Activity Monitor App for Splunk"
+sidebar_position: 20
+---
+
+# File Activity Monitor App for Splunk
+
+Netwrix File Activity monitoring solutions enable organizations to successfully, efficiently,
+and affordably monitor file access and permission changes across Windows and Network Attached
+Storage (NAS) file systems in real-time. Using the preconfigured Netwrix File Activity Monitor
+App for Splunk, users can quickly understand all file activities as a whole, for specific resources
+or users, as well as patterns of activity indicative of threats such as crypto ransomware or data
+exfiltration attempts. With full control over the data, users can create custom searches, all while
+enabling Splunk to correlate file system activity with any log source.
+
+This document describes how to integrate Netwrix products with the Netwrix File Activity
+Monitor App for Splunk found in Splunkbase. Any Netwrix product can be configured to monitor file
+system activity and send the monitored events to Splunk. After installing this app, ensure that
+either theActivity Monitor, Threat Prevention, or Access Analyzer has been configured to send events
+to Splunk. See the product user guide on the
+[Netwrix Technical Knowledge Center](https://helpcenter.netwrix.com/) for additional information.
+
+## App Installation in Splunk
+
+After downloading the Netwrix File Activity Monitor App for Splunk from [Splunkbase](https://splunkbase.splunk.com/), follow the
+[guide](https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons) provided by
+Splunk to install the app.
+
+:::note
+In order to use the Ransomware dashboard within the app, install
+[Splunk User Behavior Analytics](https://www.splunk.com/en_us/products/premium-solutions/user-behavior-analytics.html)
+(any version) and the [Machine Learning Toolkit](https://splunkbase.splunk.com/app/2890/) app for
+Splunk (version 2.0.0+).
+:::
+
+
+The Netwrix: File Activity Monitor tab will appear within the Splunk web interface. Once
+installation of the Netwrix File Activity Monitor App for Splunk is complete, it must be
+configured to receive data from either theActivity Monitor or Threat Prevention.
+
+## Initial Configuration of the Splunk App
+
+Follow the steps to configure Splunk to receive data from Netwrix products.
+
+**Step 1 –** Determine the IP Address of the Splunk Console, e.g. run the ifconfig command. This
+information is required for the following sections:
+
+- See the Syslog Tab section in the
+ [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor)
+ for information on how to configure the Activity Monitor to send data to QRadar.
+- See the SIEM Tab section in the
+ [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention)
+ for information on how to configure Threat Prevention to send data to QRadar.
+
+**Step 2 –** Navigate to the Settings menu in the Splunk web interface and click Data Inputs.
+
+**Step 3 –** Select UDP.
+
+**Step 4 –** Click New and add a new data input with Port 514. If another Splunk UDP input is
+already using 514, another value (515 or higher) can be used as long as it is not blocked by the
+network. Remember to configure the port within the Netwrix product configuration to align with
+this change.
+
+**Step 5 –** Click Next.
+
+**Step 6 –** Under Input Settings, enter the following information:
+
+- Source Type – Enter one of the following options:
+ - For data coming from the Netwrix Activity Monitor – NAM
+ - For data coming from Threat Prevention – ThreatPrevention
+- App context – Select Search and Reporting
+- Host – Select IP
+- Index – Select Default
+
+**Step 7 –** Review and save the new settings. Remember, prior to using the Netwrix File
+Activity Monitor App for Splunk, the related Netwrix products must be configured to send data to
+Splunk.
+
+**Step 8 –** Test that the configuration is working correctly. Check the **Search and Reporting**
+app inside of the web console for Splunk (search for **NAM or ThreatPrevention**). There should be
+logs of events which are generated as soon as Splunk starts receiving data. If there are no events,
+use a packet sniffer to ensure that packets are being sent correctly between the hosts, and diagnose
+any possible network issues.
+
+The Netwrix File Activity Monitor App for Splunk can now display activity data from either the
+Netwrix Activity Monitor or Netwrix Threat Prevention.
diff --git a/docs/activitymonitor/10.0/troubleshooting/_category_.json b/docs/activitymonitor/10.0/troubleshooting/_category_.json
new file mode 100644
index 0000000000..53642bd87a
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Troubleshooting and Maintenance",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/troubleshooting/antivirusexclusions.md b/docs/activitymonitor/10.0/troubleshooting/antivirusexclusions.md
new file mode 100644
index 0000000000..1ea8abd565
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/antivirusexclusions.md
@@ -0,0 +1,75 @@
+---
+title: "Antivirus Exclusions"
+description: "Antivirus Exclusions"
+sidebar_position: 30
+---
+
+# Antivirus Exclusions
+
+Windows activity monitoring and performance of the Activity Agent may be negatively affected by
+antivirus protections. Add the following components to antivirus exclusions in order to avoid
+potential performance degradation.
+
+## Directories
+
+The following directories can be added to antivirus exclusions:
+
+- `` — Agent installation directory. Default path is
+ `%ProgramFiles%\Netwrix\Activity Monitor\Agent`. The agent stores binaries and install files in
+ this location.
+- `` — Agent configuration directory. Default path is
+ `%ProgramData%\Netwrix\Activity Monitor\Agent`. The agent stores configuration, and debug log
+ files in this location.
+- `\ActivityLogs` — Default location for collected activity files. If files are stored in
+ a separate location, specify the user-designated directory instead of the default location.
+- `\Data` — Various temporary data files, which may be actively updated.
+
+## Binary Files
+
+The following binary files can be added to antivirus exclusions:
+
+- Common Exclusions
+
+ - `\net472\FSACLoggingSvc.exe` — Logging service. Forwards events to files, syslog, AMQP.
+ - `\ConfigurationAgent.Grpc.Host.exe` — Netwrix Activity Monitor Agent service
+
+
+- Active Directory Monitoring
+
+ - `\MonitorService.exe` — Active Directory monitoring service
+ - `%ProgramFiles%\Netwrix\Netwrix Threat Prevention\SIWindowsAgent.exe` — Active Directory Module
+ service.
+
+- Dell Celerra/VNX, Isilon/PowerScale, PowerStore, and Unity Monitoring
+
+ - `\net472\CelerraServerSvc.exe` — Dell Monitoring service
+
+- Hitachi Monitoring
+
+ - `\net472\HitachiService.exe` — Hitachi HNAS monitoring service
+
+- Microsoft Entra ID, SharePoint Online, and Exchange Online Monitoring
+
+ - `\MonitorService.exe` — Microsoft Entra ID monitoring service
+
+- NetApp Monitoring
+
+ - `\net472\FPolicyServerSvc.exe` — NetApp Monitoring service
+
+- Nasuni, Panzura, Nutanix Files, Qumulo, CTERA, Cohesity SmartFiles Monitoring
+
+ - `\MonitorService.exe` — NAS monitoring service
+
+- SharePoint Monitoring
+
+ - `\net472\MonitorService.exe` — SharePoint 2016, 2019, Subscription monitoring service
+ - `\net40\MonitorService.exe` — SharePoint 2013 monitoring service
+
+- SQL Server Monitoring
+
+ - `\net472\MonitorService.exe` — SQL Server monitoring service
+
+- Windows Monitoring
+
+ - `%SystemRoot%\System32\drivers\SBTFSF.sys` — The File System filter driver
+ - `%ProgramFiles%\Stealthbits\StealthAUDIT\FSAC\SBTService.exe` — Windows File System monitoring service.
diff --git a/docs/activitymonitor/10.0/troubleshooting/backuprestore/_category_.json b/docs/activitymonitor/10.0/troubleshooting/backuprestore/_category_.json
new file mode 100644
index 0000000000..129e47789f
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/backuprestore/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Backup & Restoration",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentbackup.md b/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentbackup.md
new file mode 100644
index 0000000000..836ccaab02
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentbackup.md
@@ -0,0 +1,59 @@
+---
+title: "Agent Backup"
+description: "Agent Backup"
+sidebar_position: 10
+---
+
+# Agent Backup
+
+Follow the steps to back up the configuration, passwords, Active Directory event data file, and
+activity log files for Activity Monitor Agents deployed on file system servers, SharePoint servers,
+and domain controllers.
+
+**Configuration**
+
+**Step 1 –** Back up the `SBTFileMon.ini` file. The default location is
+
+**C:\ProgramData\Netwrix\Activity Monitor\Agent\SBTFileMon.ini**
+
+The location of the `SBTFileMon.ini` is determined by the registry value:
+
+`HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters`, value `ConfigPath`.
+
+**Step 2 –** Back up passwords
+
+> Passwords are stored in the `SBTFileMon.ini` file in an encrypted form using DPAPI. They can only
+> be decrypted on the same Windows server. To be able to restore the configuration of a different
+> server, back up the passwords separately. This includes the following:
+
+- Credentials for Agent
+- Credentials for Monitored Hosts/Services
+- Credentials for Archive
+
+**Active Directory Event Data File**
+
+**Step 3 –** On a domain controller, back up the `SAMConfig.xml` file. The default location is:
+
+**C:\Program Files\Netwrix\Netwrix Threat Prevention\SIWindowsAgent**
+
+The location of the file is determined by the registry value
+`HKLM\SOFTWARE\Netwrix\Netwrix Threat Prevention`, value `Installdir`. Append
+`SIWindowsAgent` to the value of `Installdir`.
+
+**Activity Log Files**
+
+**Step 4 –** Back up the log files stored on the local drive and on the archival network share. The
+default folder is
+
+**C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs**
+
+:::note
+Keep in mind that` C:\ProgramData` folder may be hidden. Navigate to it by typing
+`%ALLUSERSPROFILE%` in the File Explorer.
+:::
+
+
+The location of the files depend on the configuration and whether the archiving is enabled.
See the
+[Archiving Tab](/docs/activitymonitor/10.0/admin/agents/properties/archiving.md) topic for additional information.
+
+All key components necessary for data recovery have now been backed up for the agents.
diff --git a/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentrestore.md b/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentrestore.md
new file mode 100644
index 0000000000..52f1a33797
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentrestore.md
@@ -0,0 +1,37 @@
+---
+title: "Agent Restoration"
+description: "Agent Restoration"
+sidebar_position: 20
+---
+
+# Agent Restoration
+
+Follow the steps to restore the configuration, Active Directory configuration file, and activity log
+files for Activity Monitor Agents deployed on file system servers, SharePoint servers, and domain
+controllers.
+
+:::warning
+Restore the agent before restoring the console to ensure connectivity and monitoring
+functionality
+:::
+
+
+**Step 1 –** Reinstall the Activity Monitor Agents.
+
+**Step 2 –** Replace the `SBFileMon.ini` file with the backed up configuration file.
+
+**Step 3 –** Replace the `SAMConfig.xml` file with the backed up Active Directory event data file.
+
+**Step 4 –** Disable all activity monitoring on the Monitored Hosts & Services and Monitored Domains page.
+
+**Step 5 –** Use the Console to update the passwords if the agent is restored on a different server.
+
+**Step 6 –** Use the Console to update the archive password, or the archive location if the location
+is moved.
+
+**Step 7 –** Restore the log files with the backed up activity log files.
+
+**Step 8 –** Enable all activity monitoring.
+
+The configuration, Active Directory event data file, and activity log files are now restored on the
+Activity Monitor Agents.
diff --git a/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolebackup.md b/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolebackup.md
new file mode 100644
index 0000000000..f0e06eeb35
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolebackup.md
@@ -0,0 +1,25 @@
+---
+title: "Console Backup"
+description: "Console Backup"
+sidebar_position: 30
+---
+
+# Console Backup
+
+Follow the steps to back up the list of agents managed on the Activity Monitor Console.
+
+**Step 1 –** Back up the configuration file:
+
+**%ALLUSERSPROFILE%\Netwrix\Activity Monitor\Console\Agents.ini**
+
+**Step 2 –** Back up the license file:
+
+**%ALLUSERSPROFILE%\Netwrix\Activity Monitor\Console\FileMonitor.lic**
+
+**Step 3 –** Back up passwords.
+
+Credentials for the agents are stored in the `Agents.ini` file in an encrypted form using PSAPI.
+They can only be decrypted on the same Windows workstation. To be able to restore the configuration
+on a different workstation, back up the passwords separately.
+
+All key components necessary for data recovery have now been backed up for the console.
diff --git a/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolerestore.md b/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolerestore.md
new file mode 100644
index 0000000000..3bdb18b487
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolerestore.md
@@ -0,0 +1,19 @@
+---
+title: "Console Restoration"
+description: "Console Restoration"
+sidebar_position: 40
+---
+
+# Console Restoration
+
+Follow the steps to restore the list of agents managed on the Activity Monitor Console.
+
+**Step 1 –** Restore `Agents.ini` file.
+
+**Step 2 –** Restore `FileMonitor.lic` file.
+
+**Step 3 –** Start the console.
+
+**Step 4 –** Update the passwords if the console is restored on a different workstation.
+
+The Activity Monitor Console can now connect to deployed agents.
diff --git a/docs/activitymonitor/10.0/troubleshooting/backuprestore/overview.md b/docs/activitymonitor/10.0/troubleshooting/backuprestore/overview.md
new file mode 100644
index 0000000000..bf89949079
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/backuprestore/overview.md
@@ -0,0 +1,26 @@
+---
+title: "Backup & Restoration"
+description: "Backup & Restoration"
+sidebar_position: 50
+---
+
+# Backup & Restoration
+
+The Netwrix Activity Monitor is comprised of the following components:
+
+- Activity Monitor Console - Controls configuration settings. See the
+ [Administration](/docs/activitymonitor/10.0/admin/overview.md) topic for additional information.
+- Deployed Agents - Monitor targeted servers and domains. See the
+ [Agent Information](/docs/activitymonitor/10.0/install/agents/agents.md) topic for additional information.
+
+The configuration settings are stored on individual agents, and the console stores which agents have
+been deployed. Agents also store activity log files of monitored environments, which can optionally
+be stored on a network share. This document describes the process for backing up and restoring the
+Activity Monitor Console and the activity agents.
+
+The sections in this document are:
+
+- [Agent Backup](/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentbackup.md)
+- [Agent Restoration](/docs/activitymonitor/10.0/troubleshooting/backuprestore/agentrestore.md)
+- [Console Backup](/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolebackup.md)
+- [Console Restoration](/docs/activitymonitor/10.0/troubleshooting/backuprestore/consolerestore.md)
diff --git a/docs/activitymonitor/10.0/troubleshooting/credentialpasswords.md b/docs/activitymonitor/10.0/troubleshooting/credentialpasswords.md
new file mode 100644
index 0000000000..fa2a55c4d7
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/credentialpasswords.md
@@ -0,0 +1,84 @@
+---
+title: "Update Credential Passwords"
+description: "Update Credential Passwords"
+sidebar_position: 10
+---
+
+# Update Credential Passwords
+
+Credential passwords occasionally need to be updated due to various reasons, such as security
+policies that require passwords to be reset on a regular basis. The following types of credentials
+may be impacted by password changes or security policies:
+
+- Agent and Domain Controller User Account
+- Archive User Account
+- Panzura MQ Protection
+- Monitored Host User Account
+- Active Directory Domain / DC User Account
+- Agent Inactivity Alerts Email Credentials
+- Monitored Host Inactivity Alerts Email Credentials
+
+## Agent and Domain Controller User Account
+
+The Active Directory Domain / DC User Account is used to run the actions performed by the agent. The
+account can be updated in the agent properties under the **Connection** tab.
+
+:::note
+If the AD monitoring account is changed, all accounts on the domain controllers will need
+to be updated as well.
+:::
+
+
+![Agent User Account Credentials](/images/activitymonitor/9.0/troubleshooting/agentuseraccount.webp)
+
+See the [Connection Tab](/docs/activitymonitor/10.0/admin/agents/properties/connection.md) topic for additional information.
+
+## Archive User Account
+
+The Archive User Account is used to store log files from the agent and store them on a remote server
+or share. The credentials can be updated in the agent properties under the **Archiving** tab.
+
+![Archive User Account Credentials](/images/activitymonitor/9.0/troubleshooting/archiveuseraccount.webp)
+
+See the [Archiving Tab](/docs/activitymonitor/10.0/admin/agents/properties/archiving.md) topic for additional information.
+
+## Panzura MQ Protection
+
+The Panzura MQ Protection Credentials are used to send activity to the Activity Monitor agent. The
+credentials can be updated in the agent properties under the **Panzura** tab.
+
+![Panzura MQ Protection Account Credentials](/images/activitymonitor/9.0/troubleshooting/panzuramqprotectionaccount.webp)
+
+See the [Panzura Tab](/docs/activitymonitor/10.0/admin/agents/properties/panzura.md) topic for additional information.
+
+## Monitored Host User Credentials
+
+The Monitored Host User Credentials is used to connect to the monitored host device and send
+activity to the agent. The credentials can be updated in monitored host properties. Select a host
+under the **Monitored Host** tab. Then, click the **Edit** button to update the account credentials.
+
+![Monitored Host User Account](/images/activitymonitor/9.0/troubleshooting/monitoredhostuseraccount.webp)
+
+See the [Nutanix Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/nutanix.md) topic for additional
+information.
+
+## Agent Inactivity Alerts Email Account
+
+The Agent Inactivity Alerts Email Account is used to automate email alerts for inactivity detected
+by the agent. It can be updated in agent properties under **Inactivity Alerts** tab then Email
+Alerts. This can also be changed in the monitored host properties.
+
+![agentinactivityalertsemailcredentials](/images/activitymonitor/9.0/troubleshooting/agentinactivityalertsemailcredentials.webp)
+
+See the [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/agents/properties/inactivityalerts.md) topic for additional
+information.
+
+## Monitored Host Inactivity Alerts Email Account
+
+The Monitored Host Inactivity Alerts Email Account are used to automate email alerts for inactivity
+detected by the monitored host. The credentials can be updated in the monitored **Host Properties**.
+
+![Monitored Host Inactivity Alerts Email Credentials Page](/images/activitymonitor/9.0/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp)
+
+See the [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) topic for
+additional information.
diff --git a/docs/activitymonitor/10.0/troubleshooting/overview.md b/docs/activitymonitor/10.0/troubleshooting/overview.md
new file mode 100644
index 0000000000..6af516ceda
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/overview.md
@@ -0,0 +1,16 @@
+---
+title: "Troubleshooting and Maintenance"
+description: "Troubleshooting and Maintenance"
+sidebar_position: 50
+---
+
+# Troubleshooting and Maintenance
+
+This section provides an overview of troubleshooting and maintenance steps and processes for
+Activity Monitor. See the following topics for additional information:
+
+- [Update Credential Passwords](/docs/activitymonitor/10.0/troubleshooting/credentialpasswords.md)
+- [Trace Logs](/docs/activitymonitor/10.0/troubleshooting/tracelogs.md)
+- [Antivirus Exclusions](/docs/activitymonitor/10.0/troubleshooting/antivirusexclusions.md)
+- [Performance Monitoring](/docs/activitymonitor/10.0/troubleshooting/performancemonitoring.md)
+- [Backup & Restoration](/docs/activitymonitor/10.0/troubleshooting/backuprestore/overview.md)
diff --git a/docs/activitymonitor/10.0/troubleshooting/performancemonitoring.md b/docs/activitymonitor/10.0/troubleshooting/performancemonitoring.md
new file mode 100644
index 0000000000..1d10293ce7
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/performancemonitoring.md
@@ -0,0 +1,346 @@ +--- +title: "Performance Monitoring" +description: "Performance Monitoring" +sidebar_position: 40 +--- + +# Performance Monitoring + +This topic provides a list of Activity Monitor performance counters and standard system-wide +performance counters (Memory and CPU usage, TCP disconnections, etc) that are recommended for +Activity Monitor performance monitoring. These performance counters can help diagnose performance +issues. + +## Performance Counters + +The following performance counters are provided by Activity Monitor. + +| Category | Recommended | Counter | Description | +| ------------------ | ----------- | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| NetApp | ✔ | Activity Monitor - NetApp\Events Received | Number of events received from NetApp | +| NetApp | ✔ | Activity Monitor - NetApp\Events Received/sec | Rate at which events are received from NetApp | +| NetApp | ✔ | Activity Monitor - NetApp\Events Reported | Number of events passed the filters and being reported to outputs | +| NetApp | ✔ | Activity Monitor - NetApp\Events Reported/sec | Rate at which events are reported to outputs | +| NetApp | ✔ | Activity Monitor - NetApp\Session Negotiated | Number of connections established with ONTAP cluster nodes | +| NetApp | ✔ | Activity Monitor - NetApp\Active Connections | Number of active connections with ONTAP cluster nodes | +| NetApp | | Activity Monitor - NetApp\Outage Files | Number of outage (resilience) files processed | +| NetApp | ✔ | Activity Monitor - NetApp\Overloaded | Number of times the agent was overloaded and had to limit the rate of events. 
This counter may increase from time to time when processing large batches of events. But if it keeps increasing, it is a sure sign that the agent is not coping with the load. Consider moving some SVMs to another agent or spreading the load from one SVM across multiple agents. | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Received | Number of events received from CEE | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Received/sec | Rate at which events are received from CEE | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Reported | Number of events passed the filters and being reported to outputs | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Reported/sec | Rate at which events are reported to outputs | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Queue Size | Number of events received from CEE and waiting in queue to be processed | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Receive Throttling | Delay, in milliseconds, introduced to manage the queue | +| Outputs | ✔ | Activity Monitor - Outputs\Events Reported | Total number of events reported | +| Outputs | ✔ | Activity Monitor - Outputs\Events Reported/sec | Rate at which events are reported | +| Outputs | | Activity Monitor - Outputs\Events Reported to Files | Total number of events reported to log files | +| Outputs | | Activity Monitor - Outputs\Events Reported to Syslog | Total number of events reported to syslog servers | +| Outputs | | Activity Monitor - Outputs\Events Reported to AMQP | Total number of events reported to AMQP servers (not used currently) | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs | Number of attempts, both successful and failed, to resolve SIDs to names | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs/sec | Rate at which SIDs are resolved to names | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs Failures | Number of failed attempts to resolve SIDs to names | +| Outputs | ✔ | Activity 
Monitor - Outputs\Resolved SIDs Avg Time | The moving average length of time, in microseconds, per a SID to name translation | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs Max Time | The moving maximum length of time, in microseconds, per a SID to name translation | +| Outputs | | Activity Monitor - Outputs\Translated UIDs | Number of attempts, both successful and failed, to translate UIDs to SIDs | +| Outputs | | Activity Monitor - Outputs\Translated UIDs/sec | Rate at which UIDs are translated to SIDs | +| Outputs | | Activity Monitor - Outputs\Translated UIDs Failures | Number of failed attempts to translate UIDs to SIDs | +| Outputs | | Activity Monitor - Outputs\Translated UIDs Avg Time | The moving average length of time, in microseconds, per a UID to SID translation | +| Outputs | | Activity Monitor - Outputs\Translated UIDs Max Time | The moving maximum length of time, in microseconds, per a UID to SID translation | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries | Number of DNS queries, both successful and failed | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries/sec | Rate at which DNS queries are executed | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries Failures | Number of failed DNS queries | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries Avg Time | The moving average length of time, in microseconds, per a DNS query | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries Max Time | The moving maximum length of time, in microseconds, per a DNS query | + +:::note +DNS and AD queries typically contribute the most to the processing time. Since the +resolution occurs in real time, slow responses can affect throughput (A 100ms DNS response limits +the throughput to 10 events per second). Observing average and maximum values of DNS Queries Time, +Resolved SIDs Time, and Translated UIDs Time allows you to estimate the response time. 
+::: + + +## Recommended System Performance Counters + +In addition to the Activity Monitor performance counters, it is recommended to use the following +performance counters: + +| Counter | Notes | +| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Processor(\_Total)\% Processor Time | The percentage of elapsed time that the processor spends to execute a non-Idle thread. | +| Memory\Available MBytes | The amount of physical memory, in Megabytes, immediately available for allocation to a process or for system use. | +| Paging File(\_Total)\% Usage | The percentage of the paging file that is currently in use. | +| TCPv4\Connections Reset | The rate of reset TCPv4 connections | +| TCPv4\Segments Received/sec | The quantity of segments received via TCPv4 per second. | +| TCPv4\Segments Retransmitted/Sec | Quantity of segments retransmitted via TCPv4 per second. | +| TCPv6\Segments Received/sec | The quantity of segments received via TCPv6 per second. | +| TCPv6\Segments Retransmitted/Sec | Quantity of segments retransmitted via TCPv6 per second. | +| Network Interface(\*)\Bytes Received/sec | From all network adapters: The rate at which bytes are received. | +| Network Interface(\*)\Bytes Sent/sec | From all network adapters: The rate at which bytes are sent. | +| Network Interface(\*)\Output Queue Length | From all network adapters: The length of the output packet queue (in packets). | +| Network Interface(\*)\Packets Received Discarded | From all network adapters: The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. | +| Network Interface(\*)\Packets Received Errors | From all network adapters: The number of inbound packets that contained errors. 
As a result, the errored packets were not delivered to a higher-layer protocol. |
+| Process(ConfigurationAgent.Grpc.Host)\% Processor Time | For Agent: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(ConfigurationAgent.Grpc.Host)\Elapsed Time | For Agent: The duration from when the process was started until the time it terminated. |
+| Process(ConfigurationAgent.Grpc.Host)\Handle Count | For Agent: The number of operating system handles the process has opened. |
+| Process(ConfigurationAgent.Grpc.Host)\Thread Count | For Agent: The set of threads that are running in the associated process. |
+| Process(ConfigurationAgent.Grpc.Host)\Private Bytes | For Agent: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(ConfigurationAgent.Grpc.Host)\Working Set | For Agent: The associated process's physical memory usage, in bytes. |
+| Process(ConfigurationAgent)\% Processor Time | For Agent version 6.0 and earlier: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(ConfigurationAgent)\Elapsed Time | For Agent version 6.0 and earlier: The duration from when the process was started until the time it terminated. |
+| Process(ConfigurationAgent)\Handle Count | For Agent version 6.0 and earlier: The number of operating system handles the process has opened. |
+| Process(ConfigurationAgent)\Thread Count | For Agent version 6.0 and earlier: The set of threads that are running in the associated process. |
+| Process(ConfigurationAgent)\Private Bytes | For Agent version 6.0 and earlier: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(ConfigurationAgent)\Working Set | For Agent version 6.0 and earlier: The associated process's physical memory usage, in bytes.
|
+| Process(SBTService)\% Processor Time | For Windows Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(SBTService)\Elapsed Time | For Windows Monitoring: The duration from when the process was started until the time it terminated. |
+| Process(SBTService)\Handle Count | For Windows Monitoring: The number of operating system handles the process has opened. |
+| Process(SBTService)\Thread Count | For Windows Monitoring: The set of threads that are running in the associated process. |
+| Process(SBTService)\Private Bytes | For Windows Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(SBTService)\Working Set | For Windows Monitoring: The associated process's physical memory usage, in bytes. |
+| Process(FPolicyServerSvc)\% Processor Time | For NetApp Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(FPolicyServerSvc)\Elapsed Time | For NetApp Monitoring: The duration from when the process was started until the time it terminated. |
+| Process(FPolicyServerSvc)\Handle Count | For NetApp Monitoring: The number of operating system handles the process has opened. |
+| Process(FPolicyServerSvc)\Thread Count | For NetApp Monitoring: The set of threads that are running in the associated process. |
+| Process(FPolicyServerSvc)\Private Bytes | For NetApp Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(FPolicyServerSvc)\Working Set | For NetApp Monitoring: The associated process's physical memory usage, in bytes. |
+| Process(HitachiService)\% Processor Time | For Hitachi Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions.
|
+| Process(HitachiService)\Elapsed Time | For Hitachi Monitoring: The duration from when the process was started until the time it terminated. |
+| Process(HitachiService)\Handle Count | For Hitachi Monitoring: The number of operating system handles the process has opened. |
+| Process(HitachiService)\Thread Count | For Hitachi Monitoring: The set of threads that are running in the associated process. |
+| Process(HitachiService)\Private Bytes | For Hitachi Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(HitachiService)\Working Set | For Hitachi Monitoring: The associated process's physical memory usage, in bytes. |
+| Process(CelerraServerSvc)\% Processor Time | For Dell Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(CelerraServerSvc)\Elapsed Time | For Dell Monitoring: The duration from when the process was started until the time it terminated. |
+| Process(CelerraServerSvc)\Handle Count | For Dell Monitoring: The number of operating system handles the process has opened. |
+| Process(CelerraServerSvc)\Thread Count | For Dell Monitoring: The set of threads that are running in the associated process. |
+| Process(CelerraServerSvc)\Private Bytes | For Dell Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(CelerraServerSvc)\Working Set | For Dell Monitoring: The associated process's physical memory usage, in bytes. |
+| Process(FSACLoggingSvc)\% Processor Time | For Logging Service: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(FSACLoggingSvc)\Elapsed Time | For Logging Service: The duration from when the process was started until the time it terminated.
|
+| Process(FSACLoggingSvc)\Handle Count | For Logging Service: The number of operating system handles the process has opened. |
+| Process(FSACLoggingSvc)\Thread Count | For Logging Service: The set of threads that are running in the associated process. |
+| Process(FSACLoggingSvc)\Private Bytes | For Logging Service: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(FSACLoggingSvc)\Working Set | For Logging Service: The associated process's physical memory usage, in bytes. |
+| Process(MonitorService)\% Processor Time | For Other, Different Device Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. |
+| Process(MonitorService)\Elapsed Time | For Other, Different Device Monitoring: The duration from when the process was started until the time it terminated. |
+| Process(MonitorService)\Handle Count | For Other, Different Device Monitoring: The number of operating system handles the process has opened. |
+| Process(MonitorService)\Thread Count | For Other, Different Device Monitoring: The set of threads that are running in the associated process. |
+| Process(MonitorService)\Private Bytes | For Other, Different Device Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. |
+| Process(MonitorService)\Working Set | For Other, Different Device Monitoring: The associated process's physical memory usage, in bytes. |
+
+## Register Performance Counters
+
+The Activity Monitor performance counters are not registered by default and must be registered
+manually.
+
+Follow the steps to register the Activity Monitor performance counters on each SAM Agent server.
+
+**Step 1 –** Run `cmd.exe` as Administrator.
+
+**Step 2 –** Change current directory to the agent installation folder
+(`C:\Program Files\Netwrix\Activity Monitor\Agent`).
+
+**cd "C:\Program Files\Netwrix\Activity Monitor\Agent"**
+
+**Step 3 –** Register the performance counters manifest file.
+
+**lodctr /M:PerfCounters.man**
+
+Expected output: Info: Successfully installed performance counters in
+`C:\Program Files\Netwrix\Activity Monitor\Agent\PerfCounters.man`
+
+**Step 4 –** Restart the services:
+
+**sc stop SBFileMonAgentSvc**
+
+sc stop FPolicyServerSvc
+
+**sc stop CelerraServerSvc**
+
+sc stop SBTLoggingSvc
+
+**sc start SBFileMonAgentSvc**
+
+## Collect Performance Data
+
+The performance data can be observed or saved using any tool capable of collecting performance
+counters. For example, Performance Monitor.
+
+:::note
+The following script is only compatible with PowerShell 5.X and previous versions. Using
+PowerShell 7.X requires Windows Performance Monitor to be configured to collect performance
+counters.
+:::
+
+
+Below is a PowerShell script that collects the counters every second and stores them in
+`perfcounters_SERVERNAME_TIMESTAMP.csv` files. The expected file size per day is about 50MB.
+
+Run the script on each agent server using the following command:
+
+**powershell -file AM.PerfCollect.ps1**
+
+To stop the script press **Ctrl+C**.
+
+Script (save it to AM.PerfCollect.ps1):
+
+```powershell
+$sampleInterval = 1
+
+**$maxSamples = 0**
+
+$outputFile = "perfcounters_$($env:COMPUTERNAME)_$(Get-Date -Format "yyyy_MM_dd_HH_mm_ss").csv"
+
+**$counters =**
+
+@(
+
+**"\Processor(_Total)\% Processor Time"**
+
+,"\Memory\Available MBytes"
+
+**,"\Paging File(_Total)\% Usage"**
+
+,"\TCPv4\Connections Reset"
+
+**,"\TCPv4\Segments Received/sec"**
+
+,"\TCPv4\Segments Retransmitted/Sec"
+
+**,"\TCPv6\Connections Reset"**
+
+,"\TCPv6\Segments Received/sec"
+
+**,"\TCPv6\Segments Retransmitted/Sec"**
+
+,"\Network Interface(*)\Bytes Received/sec"
+
+**,"\Network Interface(*)\Bytes Sent/sec"**
+
+,"\Network Interface(*)\Output Queue Length"
+
+**,"\Network Interface(*)\Packets Received Discarded"**
+
+,"\Network Interface(*)\Packets Received Errors"
+
+**,"\Activity Monitor - NetApp\Events Received"**
+
+,"\Activity Monitor - NetApp\Events Received/sec"
+
+**,"\Activity Monitor - NetApp\Events Reported"**
+
+,"\Activity Monitor - NetApp\Events Reported/sec"
+
+**,"\Activity Monitor - NetApp\Session Negotiated"**
+
+,"\Activity Monitor - NetApp\Active Connections"
+
+**,"\Activity Monitor - NetApp\Outage Files"**
+
+,"\Activity Monitor - Dell\Events Received"
+
+**,"\Activity Monitor - Dell\Events Received/sec"**
+
+,"\Activity Monitor - Dell\Events Reported"
+
+**,"\Activity Monitor - Dell\Events Reported/sec"**
+
+,"\Activity Monitor - Dell\Queue Size"
+
+**,"\Activity Monitor - Dell\Receive Throttling"**
+
+,"\Process(FPolicyServerSvc)\% Processor Time"
+
+**,"\Process(FPolicyServerSvc)\Elapsed Time"**
+
+,"\Process(FPolicyServerSvc)\Handle Count"
+
+**,"\Process(FPolicyServerSvc)\Thread Count"**
+
+,"\Process(FPolicyServerSvc)\Private Bytes"
+
+**,"\Process(FPolicyServerSvc)\Working Set"**
+
+,"\Process(FSACLoggingSvc)\% Processor Time"
+
+**,"\Process(FSACLoggingSvc)\Elapsed Time"**
+
+,"\Process(FSACLoggingSvc)\Handle Count"
+
+**,"\Process(FSACLoggingSvc)\Thread Count"**
+
+,"\Process(FSACLoggingSvc)\Private Bytes"
+
+**,"\Process(FSACLoggingSvc)\Working Set"**
+
+,"\Process(CelerraServerSvc)\% Processor Time"
+
+**,"\Process(CelerraServerSvc)\Elapsed Time"**
+
+,"\Process(CelerraServerSvc)\Handle Count"
+
+**,"\Process(CelerraServerSvc)\Thread Count"**
+
+,"\Process(CelerraServerSvc)\Private Bytes"
+
+**,"\Process(CelerraServerSvc)\Working Set"**
+
+)
+
+**$variables = @{**
+
+SampleInterval = $sampleInterval
+
+**Counter = $counters**
+
+}
+
+**if ($maxSamples -eq 0) {**
+
+$variables.Add("Continuous", 1)}
+
+**else {**
+
+$variables.Add("MaxSamples", "$maxSamples")
+
+**}**
+
+Write-Host "Collecting performance counters to $outputFile... Press Ctrl+C to stop."
+
+Get-Counter @variables | Export-Counter -FileFormat csv -Path $outputFile -Force
+```
+
+## Unregister Performance Counters
+
+When performance monitoring is not needed anymore, unregister the Activity Monitor performance
+counters.
+
+Follow the steps to unregister the Activity Monitor performance counters on each SAM Agent server.
+
+**Step 1 –** Run `cmd.exe` as Administrator.
+
+**Step 2 –** Change current directory to the agent installation folder.
+
+**cd "C:\Program Files\Netwrix\Activity Monitor\Agent"**
+
+**Step 3 –** Unregister the performance counters manifest file.
+
+**unlodctr /M:PerfCounters.man**
+
+Expected output: Info: Successfully uninstalled the performance counters from the counter definition
+XML file PerfCounters.man.
+
+**Step 4 –** Restart the services:
+
+**sc stop SBFileMonAgentSvc**
+
+sc stop FPolicyServerSvc
+
+**sc stop CelerraServerSvc**
+
+sc stop SBTLoggingSvc
+
+**sc start SBFileMonAgentSvc**
+
+Once the services have been restarted, the Activity Monitor performance counters are unregistered.
diff --git a/docs/activitymonitor/10.0/troubleshooting/tracelogs.md b/docs/activitymonitor/10.0/troubleshooting/tracelogs.md
new file mode 100644
index 0000000000..345af51ced
--- /dev/null
+++ b/docs/activitymonitor/10.0/troubleshooting/tracelogs.md 
@@ -0,0 +1,45 @@
+---
+title: "Trace Logs"
+description: "Trace Logs"
+sidebar_position: 20
+---
+
+# Trace Logs
+
+While activity agents store activity logs on the servers where they are deployed, the Activity
+Monitor creates Trace Logs that aid in troubleshooting issues. The Trace level option set in the
+drop-down list in the lower right corner of the Activity Monitor Console determines the kind of
+information kept in the activity agent and monitored hosts/services logs.
+
+![Activity Monitor with location of trace logs](/images/activitymonitor/9.0/troubleshooting/tracelogs.webp)
+
+The selected log level applies to all hosts added to the **Agents** list (if not specified in agent
+properties). Select from the following trace log levels:
+
+- Trace – Records everything that happens, most verbose level of logging
+- Debug – Records all debug messages, in addition to info messages
+- Info – Records information on the steps that occur, in addition to warn messages, and is the
+ recommended setting
+- Warning – Records all warnings that occur, in addition to error messages
+- Error – Records all errors that occur, in addition to fatal messages
+- Fatal – Records only when catastrophic system failures / crashes occur
+
+When the log level is changed in the Activity Monitor Console, the new log level is propagated and
+applied immediately to all of the activity agents that do not have custom trace setting.
+
+:::note
+Trace level can be adjusted in the Agent Properties for the selected agent. See the
+[Archiving Tab](/docs/activitymonitor/10.0/admin/agents/properties/archiving.md) topic for additional information.
+:::
+
+
+![Collect Logs button](/images/activitymonitor/9.0/troubleshooting/collectlogsbutton.webp)
+
+The Activity Monitor Console has a function to copy Trace Logs from the activity agents to the
+Console machine. Click the Collect Logs button to open the log collection dialog and select Start to
+begin the log collection.
+ +![Copying the log files popup window](/images/activitymonitor/9.0/troubleshooting/collectlogswindow.webp) + +Specific agents or console can be selected. After log collection is successful the logs are +compressed into a zip file and file explorer opens with the zip file selected. diff --git a/kb_allowlist.json b/kb_allowlist.json index f8cb8616d1..df3721e67b 100644 --- a/kb_allowlist.json +++ b/kb_allowlist.json @@ -11,6 +11,7 @@ "12.0" ], "activitymonitor": [ + "10.0", "7.1", "8.0", "9.0" diff --git a/sidebars/activitymonitor/10.0.js b/sidebars/activitymonitor/10.0.js new file mode 100644 index 0000000000..f4e8941a40 --- /dev/null +++ b/sidebars/activitymonitor/10.0.js @@ -0,0 +1,8 @@ +module.exports = { + sidebar: [ + { + type: 'autogenerated', + dirName: '.', + }, + ], +}; diff --git a/src/config/products.js b/src/config/products.js index e9c9e901a9..d96ad48f2d 100644 --- a/src/config/products.js +++ b/src/config/products.js @@ -106,10 +106,16 @@ export const PRODUCTS = [ categories: ['Other'], icon: '', versions: [ + { + version: '10.0', + label: '10.0', + isLatest: true, + sidebarFile: './sidebars/activitymonitor/10.0.js', + }, { version: '9.0', label: '9.0', - isLatest: true, + isLatest: false, sidebarFile: './sidebars/activitymonitor/9.0.js', }, { @@ -125,7 +131,7 @@ export const PRODUCTS = [ sidebarFile: './sidebars/activitymonitor/7.1.js', }, ], - defaultVersion: '9.0', + defaultVersion: '10.0', }, { id: 'auditor', From 11535a5d651663419276ddf6b4d7445ba46f7113 Mon Sep 17 00:00:00 2001 
From: Paul Shmakov Date: Mon, 20 Apr 2026 14:42:33 +0100 Subject: [PATCH 02/22] feat(activitymonitor): add Cohesity SmartFiles documentation for v10.0 Documents new Cohesity SmartFiles NAS support: requirements and auditing configuration, firewall ports, host properties tab, and updates to the supported platforms and monitored hosts pages. Generated with AI Co-Authored-By: Claude Code --- .../10.0/admin/monitoredhosts/add/overview.md | 1 + .../10.0/admin/monitoredhosts/overview.md | 10 +- .../monitoredhosts/properties/cohesity.md | 29 ++ .../monitoredhosts/properties/overview.md | 3 +- .../10.0/install/agents/agents.md | 1 + .../activityagent/activityagent.md | 7 + .../activityagent/activityagentports.md | 10 + .../cohesity-activity.md | 292 ++++++++++++++++++ 8 files changed, 345 insertions(+), 8 deletions(-) create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md index 9d2c31b68f..b84fe8fb1e 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md @@ -15,6 +15,7 @@ The window opens for all types of hosts that can be monitored with an Activity A following topics for additional information: - [Azure Files](/docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md) +- [Cohesity SmartFiles](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md) - [CTERA](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md) - [Dell Celerra or VNX](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md) - [Dell Isilon/PowerScale](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md) 
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md index cfc0f394cd..3b31e82549 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md @@ -13,6 +13,8 @@ Agent: - Windows - Azure Files +- Cohesity SmartFiles +- CTERA - Dell Celerra or VNX - Dell Isilon/PowerScale - Dell PowerStore @@ -22,7 +24,7 @@ Agent: [Linux Agent Deployment](/docs/activitymonitor/10.0/admin/agents/linux.md) topic for additional information. - Nasuni - NetApp -- Nutanix +- Nutanix Files - Panzura - Qumulo - Microsoft Entra ID (formerly Azure AD) @@ -147,9 +149,3 @@ desired one. If they differ and the immutable mode is enabled, the product displ status section that a server restart is required. After the reboot, the changes take effect and the immutable mode is enabled. -### Qumulo Monitoring Status - -The **No connections from Qumulo clusters** error may be displayed in the status section. This error -indicates that the Qumulo nodes have not yet connected to the agent. This can happen either because -an incorrect address or port is specified in the Audit page of the Qumulo Web Interface, or because -the port (4496 by default) is blocked by a firewall. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md new file mode 100644 index 0000000000..c3fe9a426f --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md 
@@ -0,0 +1,29 @@
+---
+title: "Cohesity Tab"
+description: "Cohesity Tab"
+sidebar_position: 25
+---
+
+# Cohesity Tab
+
+Use the Cohesity tab to modify settings after a Cohesity SmartFiles host has been configured.
+After a Cohesity SmartFiles host is added to the monitored hosts/services table, the configuration
+can be edited in the host Properties.
+
+The configurable options are:
+
+- Cluster name – Enter the name of the Cohesity SmartFiles cluster
+- API Key – Enter the API key for Cohesity API access. Use the built-in instruction to create the
+ API key directly from this field.
+- Protocol – Select a protocol for the API access from the dropdown menu:
+
+ - Auto Detect
+ - HTTPS
+ - HTTPS, ignore certificate errors
+
+- Username – Enter the username of the account with SMB access to the `COHESITY_AUDIT_VIEW` audit
+ logs share
+- Password – Enter the password for the account
+- Connect – Click to validate the connection to the Cohesity cluster using the provided credentials
+- Enable Audit Log option for specified views – Select this checkbox to have the product
+ automatically enable auditing for all views in the monitoring scope
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md
index 26b7e2352e..8e9016f21f
--- a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md
@@ -11,12 +11,13 @@ through the host’s Properties window. ![Activity Monitor with Edit button identified ](/images/activitymonitor/9.0/admin/monitoredhosts/properties/hostpropertiesoverview.webp) -On the Monitored Hosts tab, select the host and click Edit, or right-click on a host and select +On the Monitored Hosts & Services tab, select the host and click Edit, or right-click on a host and select **Edit Host** from the right-click menu, to open the host’s Properties window. The tabs vary based on the type of host selected: - [Auditing Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/auditing.md) — Dell Isilon/PowerScale devices only - [Connection Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md) — Microsoft Entra ID, Exchange Online, and SharePoint Online only +- [Cohesity Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md) — Cohesity SmartFiles devices only - [Dell Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/dell.md) — Dell devices only - [FPolicy Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/fpolicy.md) — NetApp devices only - [Hitachi NAS Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/hitachinas.md) — Hitachi NAS devices only diff --git a/docs/activitymonitor/10.0/install/agents/agents.md b/docs/activitymonitor/10.0/install/agents/agents.md index 8d83e57099..d228eeb630 100644 --- a/docs/activitymonitor/10.0/install/agents/agents.md +++ b/docs/activitymonitor/10.0/install/agents/agents.md @@ -33,6 +33,7 @@ In this mode, the agent is installed on a Windows Server and configured to monit |------------|-----------------------| |**File Systems**|| |Azure Files|| +|Cohesity SmartFiles|| |CTERA|| |Dell VNX/Celerra|Dell Common Event Enabler| |Dell Isilon/PowerScale|Dell Common Event Enabler| 
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md b/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md index a3109024dd..bbf3c28ccd 100644 --- a/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md +++ b/docs/activitymonitor/10.0/requirements/activityagent/activityagent.md @@ -94,6 +94,13 @@ environment requirements. +**Cohesity SmartFiles** + +- Cohesity SmartFiles 6.8+ + +See the [Cohesity SmartFiles Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md) topic for target +environment requirements. + **CTERA Edge Filter** - CTERA Portal 7.5.x+ diff --git a/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md b/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md index ea3f5e93ba..48af04eac2 100644 --- a/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md +++ b/docs/activitymonitor/10.0/requirements/activityagent/activityagentports.md @@ -21,6 +21,16 @@ article. There might be a need for additional ports for the target environment. +## Cohesity SmartFiles Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target Cohesity SmartFiles cluster: + +| Communication Direction | Protocol | Ports | Description | +| ------------------------------------------ | -------- | ----- | ------------------------ | +| Activity Agent Server to Cohesity | TCP | 445 | SMB — audit log access | +| Activity Agent Server to Cohesity | HTTPS | 443 | Cohesity API | + ## CTERA Additional Firewall Rules The following firewall settings are required for communication between the Activity Monitor Agent 
diff --git a/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md
new file mode 100644
index 0000000000..4be32074cc
--- /dev/null
+++ b/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md
@@ -0,0 +1,292 @@
+---
+title: "Cohesity SmartFiles Activity Auditing Configuration"
+description: "Cohesity SmartFiles Activity Auditing Configuration"
+sidebar_position: 8
+---
+
+# Cohesity SmartFiles Activity Auditing Configuration
+
+The Netwrix Activity Monitor can be configured to monitor file activity on Cohesity SmartFiles
+devices. Activity Monitor reads activity from audit logs produced by the **File Services Audit
+Logs** feature in Cohesity SmartFiles.
+
+Cohesity disables auditing by default. You can enable or disable it per view. The audit logs are
+stored in an internal view named `filesystem_audit`, accessed at the path
+`\COHESITY_AUDIT_VIEW\filesystem_audit`. IP allowlists and SMB permissions control access to this
+view.
+
+To monitor Cohesity SmartFiles:
+
+- Provision an API key for Cohesity API access and an account for access to the audit log share.
+- Enable auditing in Cohesity SmartFiles.
+- Add Cohesity SmartFiles to Activity Monitor.
+
+## Provision Accounts
+
+Monitoring Cohesity SmartFiles requires access by two methods:
+
+- **Cohesity API** — to retrieve information about the cluster, shares, auditing settings, and,
+ optionally, to enable auditing.
+- **SMB/CIFS** — to read audit logs.
+
+An API key is required for Cohesity API access. Unlike passwords, API keys bypass the Password
+Policy and stay active for a set duration without expiring, which avoids disruption caused by
+password rotation.
+
+The API key can be created directly from the Activity Monitor Console using the built-in
+instruction available at the API key step of the Add Host wizard — this is the recommended
+approach. Alternatively, create the API key manually using the steps in the
+[Create an API Key](#create-an-api-key) section.
+
+For maximum security, use a local user account with only the minimum privileges required for
+monitoring.
+
+You can grant read-only SMB access to the log files to a domain user or group.
+
+### Create a Role for API Access
+
+Create a custom role to restrict access to only the services needed for activity monitoring.
+
+The permissions required depend on whether you want Activity Monitor to enable auditing
+automatically:
+
+**Permissions for monitoring only**
+
+- Cluster Management > **View Cluster Details**
+- Cluster Management > **View Audit Logs**
+- Storage Management > **Read Cohesity Views**
+
+**Permissions for monitoring and automatic auditing configuration**
+
+- Cluster Management > **View Cluster Details**
+- Cluster Management > **View Audit Logs**
+- Cluster Management > **Manage Cluster** (used to enable the global File Services Audit option)
+- Storage Management > **Read Cohesity Views**
+- Storage Management > **Manage Cohesity Views** (used to enable auditing for specific views)
+
+**Step 1 –** Open the Cohesity web interface.
+
+**Step 2 –** Navigate to **Settings** > **Access Management** > **Roles**.
+
+**Step 3 –** Select **Add Custom Role** and specify a name (for example, `Netwrix Activity Monitor`).
+
+**Step 4 –** Assign the permissions you want and save the role.
+
+### Create a Local User for API Access
+
+**Step 1 –** Open the Cohesity web interface.
+
+**Step 2 –** Navigate to **Settings** > **Access Management** > **Users & Groups**.
+
+**Step 3 –** Select **Add Local User**.
+
+**Step 4 –** Specify a username (for example, `activity_monitor`) and a password.
+
+**Step 5 –** In the **Roles** field, select the role created in the previous section.
+
+**Step 6 –** If MFA is enabled, disable it for this user.
+
+**Step 7 –** Select **Add** to create the user.
+
+:::note
+You can also use a domain user, but MFA can't be disabled for domain users. As a result, you
+must either authenticate manually or use a local administrator account to create an API key on
+behalf of the domain user.
Refer to the
+[Cohesity documentation](https://developers.cohesity.com/v1-cluster-7.3.2/reference/createuserapikey)
+for additional information.
+:::
+
+### Create an API Key
+
+The recommended way to create an API key is through the Activity Monitor Console. When adding a
+Cohesity SmartFiles host, the Console provides a built-in instruction at the API key step of the
+wizard. Enter the username, password, a name for the key, and the duration in days you want, then
+select **Create API Key**. The Console will generate the key automatically.
+
+:::note
+The credentials entered in the Console are used only once to retrieve the API key and aren't
+saved or cached.
+:::
+
+Alternatively, create the API key manually using the following curl or PowerShell commands. Replace
+`` with the hostname or IP address of the Cohesity cluster.
+
+**curl**
+
+```bash
+# Obtain the access token from the "accessToken" field in the response
+curl -k -X POST https:///irisservices/api/v1/public/accessTokens \
+ -H "accept: application/json" \
+ -d "{\"domain\":\"LOCAL\",\"username\":\"\",\"password\":\"\"}"
+
+# Obtain the user SID from the "sid" field in the response
+curl -k -X GET "https:///irisservices/api/v1/public/users?names=" \
+ -H "accept: application/json" \
+ -H "Authorization: Bearer "
+
+# Obtain the API key from the "apiKey" field in the response
+curl -k -X POST https:///v2/users//api-keys \
+ -H "accept: application/json" \
+ -H "Authorization: Bearer " \
+ -d "{\"name\":\"\",\"isActive\":true,\"expiryTimeMsecs\":}"
+
+# To delete API keys, first retrieve the IDs, then perform the deletion
+curl -k -X GET "https:///v2/api-keys?ownerSids=" \
+ -H "accept: application/json" \
+ -H "Authorization: Bearer "
+curl -k -X DELETE https:///v2/users//api-keys/ \
+ -H "accept: application/json" \
+ -H "Authorization: Bearer "
+```
+
+**PowerShell**
+
+```powershell
+# Configuration variables
+$clusterName = ""
+$username = ""
+$password = ""
+
+# Skip certificate validation
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
+
+# Obtain the access token from the "accessToken" field in the response
+$tokenResponse = Invoke-WebRequest -Uri "https://$clusterName/irisservices/api/v1/public/accessTokens" `
+ -Method POST -UseBasicParsing `
+ -Headers @{"accept" = "application/json"} `
+ -Body (@{domain="LOCAL"; username=$username; password=$password} | ConvertTo-Json) `
+ -ContentType "application/json" | ConvertFrom-Json
+$accessToken = $tokenResponse.accessToken
+
+# Obtain the user SID from the "sid" field in the response
+$userResponse = Invoke-WebRequest -Uri "https://$clusterName/irisservices/api/v1/public/users?names=$username" `
+ -Method GET -UseBasicParsing `
+ -Headers @{"accept" = "application/json"; "Authorization" = "Bearer $accessToken"} | ConvertFrom-Json
+$userSid = $userResponse[0].sid
+
+# Obtain the API key from the "apiKey" field in the response
+$expiryTimeMsecs = [System.DateTimeOffset]::UtcNow.AddDays(3650).ToUnixTimeMilliseconds()
+$apiKeyResponse = Invoke-WebRequest -Uri "https://$clusterName/v2/users/$userSid/api-keys" `
+ -Method POST -UseBasicParsing `
+ -Headers @{"accept" = "application/json"; "Authorization" = "Bearer $accessToken"} `
+ -Body (@{name=""; isActive=$true; expiryTimeMsecs=$expiryTimeMsecs} | ConvertTo-Json) `
+ -ContentType "application/json" | ConvertFrom-Json
+$apiKey = $apiKeyResponse.apiKey
+
+Write-Host "API Key: $apiKey"
+
+# To delete API keys, first retrieve the IDs, then perform the deletion
+# $apiKeysResponse = Invoke-WebRequest -Uri "https://$clusterName/v2/api-keys?ownerSids=$userSid" `
+# -Method GET -UseBasicParsing `
+# -Headers @{"accept" = "application/json"; "Authorization" = "Bearer $accessToken"} | ConvertFrom-Json
+# $apiKeyId = $apiKeysResponse.apiKeys[0].id
+# Invoke-WebRequest -Uri "https://$clusterName/v2/users/$userSid/api-keys/$apiKeyId" `
+# -Method DELETE -UseBasicParsing `
+# -Headers @{"accept" = "application/json"; "Authorization"
= "Bearer $accessToken"}
+```
+
+## Enable Auditing
+
+### Enable File Services Audit in Cohesity
+
+Cohesity disables auditing by default.
+
+**Step 1 –** Open the Cohesity web interface.
+
+**Step 2 –** Navigate to **System** > **Audit Logs** > **Log Settings**.
+
+**Step 3 –** In the **Log Settings** tab, turn on the **File Services Audit** option.
+
+**Step 4 –** Set the **Log Retention Period** as needed.
+
+:::note
+Activity Monitor retrieves audit log records and stores them in its own log files or transfers them
+to other Netwrix or SIEM products. For this reason, long retention periods in Cohesity aren't
+required.
+:::
+
+Refer to the *File Services Audit Logs* article in the Cohesity SmartFiles documentation for
+additional information.
+
+### Grant Access to the Audit Logs
+
+By default, all clients in the Global Allowlist set at the cluster level can access audit logs.
+Use the **Override Allowlist** option to restrict access to a specific subnet. SMB permissions
+on the view also control access for AD or local principals. Both settings can be managed on the
+**System** > **Audit Logs** > **Log Settings** page.
+
+**Override global IP allowlist**
+
+**Step 1 –** In the **IP Allowlist** section, enable **Override Global IP Allowlist**.
+
+**Step 2 –** Select **Add** and specify the IP address or subnet of the Activity Monitor Agent in
+CIDR format (for example, `10.0.0.0/24` for IPv4 or `FE80:CD00::211E:729C/60` for IPv6).
+
+**Grant SMB permissions**
+
+**Step 1 –** In the **SMB Permissions** section, select **Add**.
+
+**Step 2 –** Choose an AD domain and principal, and assign the **Allow** permission.
+
+**Verify access**
+
+The Activity Monitor Agent reads the audit logs via SMB.
+
+**Step 1 –** In the Cohesity web interface, go to **System** > **Audit Logs** > **Log Settings**.
+
+**Step 2 –** In the **Log Location** section, copy the SMB path.
+
+**Step 3 –** In File Explorer or another SMB client, connect to the hidden internal view
+`COHESITY_AUDIT_VIEW`.
+
+**Step 4 –** Verify access to `\\\COHESITY_AUDIT_VIEW\filesystem_audit`.
+
+### Enable Auditing for Views
+
+Auditing can be enabled or disabled per view.
+
+**Step 1 –** Open the Cohesity web interface.
+
+**Step 2 –** Navigate to **System** > **Audit Logs** > **File Services**.
+
+**Step 3 –** In the **Audit Status of Views** section, open the **Audit Logs** menu, select
+**Enabled**, and then select **Apply**.
+
+**Step 4 –** To enable or disable auditing for a specific view, toggle the option in the **Audit
+Logs** column.
+
+## Add Cohesity SmartFiles to Activity Monitor
+
+**Step 1 –** In the Console, open the **Monitored Hosts/Services** page and select **Add
+Host/Service**.
+
+**Step 2 –** Choose the agent that will monitor the Cohesity SmartFiles cluster.
+
+**Step 3 –** Select **Cohesity SmartFiles** and enter the Cohesity cluster name.
+
+**Step 4 –** Specify the API key to access the Cohesity cluster via the API. Use the built-in
+instruction to create the API key directly from this step.
+
+**Step 5 –** Specify the account that has SMB access to the `COHESITY_AUDIT_VIEW` audit logs share.
+
+**Step 6 –** Select **Connect** to verify that the product has access to the Cohesity cluster.
+
+**Step 7 –** Select the views to monitor. If the list is left empty, the product monitors all
+views that have auditing enabled.
+
+**Step 8 –** Select **Enable Audit Log option for specified views** if you want the product to
+automatically enable auditing for all views in the monitoring scope.
+
+**Step 9 –** Complete the wizard by selecting the required operations and outputs.
+
+:::warning
+Audit log events from Cohesity SmartFiles may be delayed. Events can appear with a latency ranging
+from a few minutes up to an hour.
+
+This delay is by design: Cohesity prioritizes active workloads over audit log flushing.
As a
+result, with the default configuration, audit logs are suitable for historical analysis but not
+real-time monitoring.
+
+An internal configuration option exists in Cohesity that can reduce this latency by forcing audit
+logs to be written more frequently. If you need to reduce latency, contact Cohesity Support.
+:::
From 995f2b8109dba2c94db03c6c740266c77b382fcb Mon Sep 17 00:00:00 2001
From: Paul Shmakov
Date: Fri, 1 May 2026 04:13:11 +0100
Subject: [PATCH 03/22] feat(activitymonitor): add Access Analyzer 26 output documentation for v10.0
Documents the new native AA26 output type (mTLS/SPKI enrollment-based integration), distinguishes it from the legacy file-based AA12 integration, and fixes Vale/Dale issues across related output pages.
Generated with AI
Co-Authored-By: Claude Code
---
 .../activity-monitor-integration.md | 43 ++++++-----
 .../admin/monitoredhosts/output/output.md | 73 ++++++++++++++++---
 .../10.0/admin/monitoredhosts/overview.md | 29 +++-----
 .../10.0/admin/outputs/accessanalyzer26.md | 47 ++++++++++++
 .../admin/outputs/additionalproperties.md | 6 +-
 .../10.0/admin/outputs/logfiles.md | 18 ++---
 .../10.0/admin/outputs/overview.md | 25 ++++---
 7 files changed, 172 insertions(+), 69 deletions(-)
 create mode 100644 docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md
diff --git a/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md b/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md
index 0023b38ad2..da26e89086 100644
--- a/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md
+++ b/docs/accessanalyzer/2601/configurations/activity-monitor-integration.md
@@ -34,19 +34,16 @@ AA2601 Reports (file system activity, SharePoint, Copilot)
 | Event Type | Content |
 | --- | --- |
-| **File System Events** | SMB/CIFS file access, reads, writes, renames, permission changes — path, user, bytes transferred |
-| **SharePoint Online Events** | SharePoint file and folder activity — user, site, event type |
-| **Log Event Extended Format (LEEF) Events** | Network-format events — vendor, product, source/destination IP, signatures |
-| **Copilot Events** | Microsoft 365 Copilot interactions — user, entity, workload, region |
+| **File System Events** | SMB/CIFS file access, reads, writes, renames, permission changes |
+| **SharePoint Online Events** | SharePoint file and folder activity |
+| **Copilot Events** | Microsoft 365 Copilot interactions — accessed resources |
 ### Security Model
 Authentication uses **mutual TLS with SPKI hash pinning**:
 - AA2601 requires TLS 1.3 and rejects older protocol versions.
-- NAM agents must present a client certificate on every connection.
-- Certificate chain validation is intentionally permissive — NAM agents use self-signed certificates.
-- AA2601 performs real agent authentication by matching the SHA-256 hash of the agent's certificate public key (SPKI hash) against a persistent allowlist in its database.
+- Both products perform mutual authentication by matching hashes of each other's certificate public key (SPKI hash) against a persistent allowlist in their configuration.
 SPKI hashes survive certificate renewal as long as the key pair is unchanged. Re-enroll only when an agent generates a new key pair.
@@ -56,7 +53,7 @@ SPKI hashes survive certificate renewal as long as the key pair is unchanged. Re
 Before connecting NAM agents to AA2601:
-- **Netwrix Activity Monitor** must be installed and monitoring the hosts for which you want real-time activity in AA2601. Confirm monitoring is active before adding the AA2601 output.
+- **Netwrix Activity Monitor** must be installed and monitoring the hosts or services for which you want real-time activity in AA2601. Confirm monitoring is active before adding the AA2601 output.
 - **TLS certificates** must be provisioned on the AA2601 server. The server certificate and private key paths are set via the environment variables `SYSLOG_TLS_CERT_PATH` and `SYSLOG_TLS_KEY_PATH`. Contact your infrastructure team if the listener isn't starting.
 - **Network connectivity** must allow NAM agents to reach AA2601 on TCP port 4504 (default) through any firewalls or network policies.
 - You must have **Administrator** access to AA2601 to generate enrollment tokens and view enrolled agents.
@@ -88,27 +85,33 @@ If the listener isn't running, check the application logs for the reason — mis
 4. Copy the token using the clipboard icon.
 :::note
-Tokens expire after **1 hour**. Generating a new token immediately invalidates any previously issued token. A single token can enroll multiple agents simultaneously — plan your enrollment session and generate the token immediately before you begin.
+Tokens expire after **1 hour**. Generating a new token immediately invalidates any previously issued token. A single token can enroll multiple agents and outputs simultaneously — plan your enrollment session and generate the token immediately before you begin.
 :::
 ### Step 3 — Add the AA2601 Output in Netwrix Activity Monitor
-Add an AA2601 output destination to each monitoring policy in NAM that covers the hosts you want to stream into AA2601.
+Add an AA2601 output to each monitored host or service in NAM you want to stream into AA2601.
 :::note
 The following steps describe the general configuration flow. Exact menu labels and field names in the NAM console may differ depending on your NAM version. Verify the steps against the NAM documentation for your installed version.
 :::
 1. Open the Netwrix Activity Monitor console.
-2. Navigate to the monitoring policy for the target host or host group.
-3. Open the output configuration for that policy.
-4. Add a new output destination and select the **Netwrix Access Analyzer** output type.
-5. Enter the hostname or IP address of your AA2601 instance and the listener port (default: 4504).
-6. When prompted for an enrollment token, enter the token you generated in Step 2.
-7. Save the output configuration.
-8. Repeat for each monitoring policy covering additional hosts.
+2. Navigate to the monitored host or service.
+3. Add a new output and select the **Netwrix Access Analyzer 26** output type.
+4. Enter the hostname or IP address of your AA2601 instance and the listener port (default: 4504).
+5. 
Enter the enrollment token you generated in Step 2 and select **Enroll**. Ensure the connection is successful.
+6. Save the output configuration.
+7. Repeat for each monitored host or service.
-The NAM agent connects to AA2601, presents its client certificate, and sends an enrollment request. AA2601 validates the token, adds the agent's SPKI hash to the trusted agents allowlist, and confirms enrollment. After that, the agent reconnects and begins streaming events. You no longer need the enrollment token unless the agent generates a new key pair.
+:::note
+You can add an output in bulk by selecting multiple hosts/services and selecting **Add Output**.
+:::
+
+The NAM agent connects to AA2601, validates AA2601's certificate by comparing it to the hash embedded in the enrollment token,
+presents its client certificate, and sends an enrollment request. AA2601 validates the token, adds the agent's SPKI hash to the trusted agents allowlist, and confirms enrollment.
+The NAM agent also adds AA2601's SPKI hash to the allowlist.
+After that, the agent reconnects and begins streaming events. You no longer need the enrollment token unless the agent generates a new key pair.
 ### Step 4 — Verify Enrollment
@@ -183,8 +186,8 @@ Use the default port (4504) unless you have a conflict. If you must change it:
 ### TLS Certificate Management
 - **Monitor certificate expiration.** AA2601 logs a warning when the server certificate is within 30 days of expiry, and again within 7 days. Treat the 30-day warning as actionable.
-- **NAM agents use self-signed certificates** — this is expected and supported. Don't replace them with CA-signed certificates unless your NAM deployment specifically requires it.
-- **Key pair rotation requires re-enrollment.** If a NAM agent generates a new key pair (for example, after a reinstall), its previous SPKI hash entry will no longer match. Re-enroll the agent using a new enrollment token. Remove the stale entry via the API: `DELETE /api/v1/nam-listener/agents/:spki_hash`.
+- **NAM agents use self-signed certificates by default** — this is expected and supported. If you replace them with CA-signed certificates, re-enroll the agent.
+- **Key pair rotation requires re-enrollment.** If a NAM agent generates a new key pair, its previous SPKI hash entry will no longer match. Re-enroll the agent using a new enrollment token. Remove the stale entry via the API: `DELETE /api/v1/nam-listener/agents/:spki_hash`.
 ### Enrollment Token Practices
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md b/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md
index 5443e9b02d..e5e1fe0ae6 100644
--- a/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md
@@ -13,21 +13,76 @@ Once a host is being monitored the event stream can be sent to multiple outputs.
 Configured outputs are grouped under the host. You can have multiple outputs configured for a host.
 The host event outputs are:
+- Access Analyzer 26 – Sends activity events to Netwrix Access Analyzer 26.
 - File – Creates an activity log as a TSV or JSON file for every day of activity
 - Syslog – Sends activity events to the configured SIEM server or Netwrix Threat Manager, where supported
-## Add File Output
-Follow the steps to add a File output.
+## Add Access Analyzer 26 Output
+
+:::note
+Only File System, SharePoint Online, and Microsoft 365 Copilot events are supported by the Access Analyzer 26 output.
+:::
+
+### Generate an Enrollment Token in Access Analyzer 26
+
+An enrollment token from Netwrix Access Analyzer 26 authenticates the connection between the applications.
+
+**Step 1 –** Open the Netwrix Access Analyzer.
+
+**Step 2 –** Go to **Configuration > Application Settings**.
+
+**Step 3 –** Scroll to the **Activity Monitor** section.
+
+**Step 4 –** Under **Enrollment Token**, click **Generate Token**.
+
+**Step 5 –** Copy the token using the clipboard icon.
+
+:::note
+Tokens expire after **1 hour**. Generating a new token immediately invalidates any previously issued token.
+A single token can enroll multiple agents and outputs simultaneously — plan your enrollment session and generate the token immediately before you begin.
+:::
+
+See the [Netwrix Access Analyzer 26 Documentation](/docs/accessanalyzer/2601/configurations/activity-monitor-integration) for
+additional information.
+
+### Add the Output in Netwrix Activity Monitor
+
+**Step 1 –** Open the Netwrix Activity Monitor console.
+
+**Step 2 –** On the Monitored Hosts & Services tab, select the host or service you want and click **Add Output**.
+
+:::note
+You can add an output in bulk by selecting multiple hosts or services and clicking **Add Output**.
+:::
-**Step 1 –** On the Monitored Hosts & Services tab, select the desired host and click **Add Output**.
+**Step 3 –** Select **Access Analyzer 26** from the dropdown menu. The Add New Output window opens.
-**Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens.
+**Step 4 –** Enter the hostname or IP address of your Access Analyzer 26 server and the port (default: 4504).
+
+**Step 5 –** Enter the enrollment token and click **Enroll**. Ensure the connection is successful.
+
+The Activity Monitor agent connects to the server, compares the server's certificate to the expected one embedded in the enrollment token, and sends the token to Access Analyzer. If Access Analyzer confirms the enrollment, both products store the peer certificate's Subject Public Key Info (SPKI) SHA-256 hash and use mTLS with SPKI hash pinning for mutual authentication. You no longer need the enrollment token after this step.
+
+If a certificate changes so that its SPKI hash changes — for example, when the agent generates a new key pair — you must re-enroll. Generate a new token and click **Enroll** again.
+
+**Step 6 –** Click **Add Output** to save your settings. The Add New Output window closes.
+
+The new output displays in the table. Click the **Edit** button to open the Output properties window
+to modify these settings. See the [Output Types](/docs/activitymonitor/10.0/admin/outputs/overview.md) topic for additional
+information.
+
+
+## Add File Output
+
+**Step 1 –** On the Monitored Hosts & Services tab, select the host you want and click **Add Output**.
+
+**Step 2 –** Select **File** from the dropdown menu. The Add New Output window opens.
 ![addnewoutputfile](/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputfile.webp)
-**Step 3 –** Configure the tab(s) as desired.
+**Step 3 –** Configure the tabs as needed.
 **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
@@ -37,15 +92,13 @@ information.
 ## Add Syslog Output
-Follow the steps to add a Syslog output.
-
-**Step 1 –** On the Monitored Hosts & Services tab, select the desired host and click **Add Output**.
+**Step 1 –** On the Monitored Hosts & Services tab, select the host you want and click **Add Output**.
-**Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens.
+**Step 2 –** Select **Syslog** from the dropdown menu. The Add New Output window opens.
 ![addnewoutputsyslog](/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputsyslog.webp)
-**Step 3 –** Configure the tab(s) as desired.
+**Step 3 –** Configure the tabs as needed.
 **Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes.
diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md
index 3b31e82549..448d302055 100644
--- a/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md
+++ b/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md
@@ -47,7 +47,7 @@ For all other hosts, the agent is deployed to a Windows proxy server.
 **Tab**
-Once the agent(s) installation is complete, hosts can be added for monitoring. The tab is not
+After agent installation is complete, hosts can be added for monitoring. The tab isn't
 visible within the console until at least one agent has been deployed.
 This tab is comprised of a button bar and a table of hosts being monitored. A list of outputs is
@@ -55,14 +55,14 @@ listed under each monitored host. These are destinations to which events are for
 ## Button Bar
-The button bar allows users to take the following actions:
+Use the button bar to take the following actions:
 ![Activity Monitor with Monitored Hosts & Services tab identified](/images/activitymonitor/9.0/admin/monitoredhosts/monitoredhoststab.webp)
 - Toggle Collapse – Expands and collapses all Monitored Hosts/Services for viewing or hiding host's outputs
 - Add Host – Opens the Add New Host window to configure monitoring of a new host or platform. See
- the section for instructions on adding the desired target environment.
-- Add Output – Opens the Add New Output windows to create new output for the selected host or hosts.
+ the section for instructions on adding the target environment you want.
+- Add Output – Opens the Add New Output windows to create new output for the selected hosts or services.
 - Remove – Remove the selected hosts or outputs from the monitored hosts/services table and end monitoring. A window prompts for confirmation to remove the selected hosts or outputs.
 - Edit – Opens the selected hosts or outputs' Properties window to modify monitoring settings
@@ -76,8 +76,8 @@ can select several hosts or outputs and edit, disable, enable, remove them, or a
 the same time.
 Bulk editing allows the user to selectively modify hosts or outputs. For example, with bulk editing
-it is possible to add a user to Account Exclusions, or set the retention period for log files, or
-disable reporting of Directory Read operations, etc.
+you can add a user to Account Exclusions, set the retention period for log files, or
+disable reporting of Directory Read operations.
 To initiate bulk editing, select multiple hosts or outputs (`Ctrl+A` and `Ctrl+Shift+A` may help here), and click the **Edit** Edit button. The Properties window shows divergent settings as blank
@@ -102,21 +102,14 @@ The monitored hosts/services table provides the following information:
 - Status – Indicates the status of activity monitoring for the host. See the Error Propagation topic for additional information.
 - Received Events – Timestamp of the last event received
-- Comment – Comment provided by user:
- - Often this indicates the desired output, e.g. Access Analyzer.
- - This can be useful if adding the same monitored host multiple times with different
- configurations for different outputs.
- - If a Activity Monitor Agent has been deployed to a Windows server where an activity agent is
- deployed, then the Comment identifies the host as "Managed by Activity Monitor", and that
- 'monitored host' is not editable. Add the host again for other outputs.
+- Comment – Comment provided by user
 Hosts can have more than one output. To view a host's outputs, expand the host by clicking the white arrow to the left of the Monitored Host name.
-For integration with Netwrix Access Analyzer, only one configuration
-of a 'monitored host' can be set as the Netwrix Access Analyzer
-output. After a 'monitored host' has been added, use the Edit feature to identify the configuration
-as being for Netwrix Access Analyzer on the Log Files tab of the
+To integrate with Netwrix Access Analyzer 12 and below, set one file output as the Netwrix Access Analyzer 12
+output. After you add an output, use the Edit feature to identify the configuration
+as being for Netwrix Access Analyzer 12 and earlier on the Log Files tab of the
 host's Properties window. See the [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md) topic for additional information.
@@ -130,7 +123,7 @@ to view more information on various status conditions.
 ![errorpropogationpopulated](/images/activitymonitor/9.0/admin/monitoredhosts/errorpropogationpopulated.webp)
 Click the **Down Arrow** to expand the Status section. The information listed is dependent on which
-host or output is currently selected in the Monitored Hosts & Services table. Users can find information on the
+host or output is selected in the Monitored Hosts & Services table. Users can find information on the
 **Current State** of a host, as well as viewing a history of changes in state.
 The possible statuses depend on the type of hosts being monitored. What is common is that the status
diff --git a/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md b/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md
new file mode 100644
index 0000000000..b5c64b8d9b
--- /dev/null
+++ b/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md
@@ -0,0 +1,47 @@
+---
+title: "Access Analyzer 26 Tab"
+description: "Access Analyzer 26 Tab"
+sidebar_position: 41
+---
+
+# Access Analyzer 26 Tab
+
+Use the Access Analyzer 26 tab on an output Properties window to modify the connection between Activity Monitor and Netwrix Access Analyzer 26. These settings are initially configured when the output is added.
+
+:::note
+Only File System, SharePoint Online, and Microsoft 365 Copilot events are supported by the Access Analyzer 26 output.
+:::
+
+Select an Access Analyzer 26 output from the Monitored Hosts/Services tab and click **Edit** to open the output Properties window.
+
+The tab contains the following settings:
+
+- Server in SERVER:PORT format – Server name of the Netwrix Access Analyzer 26 application server and
+ the communication port being used between the applications. The format must be SERVER:PORT, e.g.
+ newyorksrv10:4504.
+
+ - The server name can be a short name, fully qualified domain name (FQDN), or IP address, as long as the agent can resolve it.
+ - The default port for Netwrix Access Analyzer 26 is 4504.
+
+- Enrollment Token – A code generated in **Configuration > Application Settings** of Netwrix Access Analyzer 26.
+
+Click **Enroll** to establish a connection to Access Analyzer. The Activity Monitor agent connects to the server, compares the server's certificate to the expected one embedded in the enrollment token, and sends the token to Access Analyzer. If Access Analyzer confirms the enrollment, both products store the peer certificate's Subject Public Key Info (SPKI) SHA-256 hash and use mTLS with SPKI hash pinning for mutual authentication. You no longer need the enrollment token after this step.
+
+If a certificate changes so that its SPKI hash changes — for example, when the agent generates a new key pair — you must re-enroll. Generate a new token and click **Enroll** again.
+
+## Generate an Enrollment Token
+
+To generate a token in Netwrix Access Analyzer 26:
+
+1. 
Log in to Access Analyzer.
+2. Go to **Configuration > Application Settings**.
+3. Scroll to the **Activity Monitor** section.
+4. Under **Enrollment Token**, click **Generate Token**.
+5. Copy the token using the clipboard icon.
+
+:::note
+Tokens expire after **1 hour**. Generating a new token immediately invalidates any previously issued token.
+A single token can enroll multiple agents and outputs simultaneously — plan your enrollment session and generate the token immediately before you begin.
+:::
+
+See the [Netwrix Access Analyzer 26 Documentation](/docs/accessanalyzer/2601/configurations/activity-monitor-integration) for additional information.
diff --git a/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md b/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md
index aa95f6aa72..453a16e4ee 100644
--- a/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md
+++ b/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md
@@ -1,7 +1,7 @@
 ---
 title: "Additional Properties Tab"
 description: "Additional Properties Tab"
-sidebar_position: 20
+sidebar_position: 120
 ---
 # Additional Properties Tab
@@ -34,5 +34,5 @@ Properties window closes.
 If a Threat Prevention Agent has been deployed to the same Windows proxy server where and activity agent is deployed to monitor NAS devices, then the **Comment** column in the monitored hosts/services table
-identifies the host as being “Managed by Threat Prevention”, and that ‘monitored host’ configuration
-is not editable through the Activity Monitor Console. Simply add the host again for other outputs.
+identifies the host as being “Managed by Threat Prevention”, and that output
+isn't editable through the Activity Monitor Console. Add another output if needed.
diff --git a/docs/activitymonitor/10.0/admin/outputs/logfiles.md b/docs/activitymonitor/10.0/admin/outputs/logfiles.md
index 067ac410df..85996aa28f 100644
--- a/docs/activitymonitor/10.0/admin/outputs/logfiles.md
+++ b/docs/activitymonitor/10.0/admin/outputs/logfiles.md
@@ -1,7 +1,7 @@
 ---
 title: "Log Files Tab"
 description: "Log Files Tab"
-sidebar_position: 40
+sidebar_position: 42
 ---
 # Log Files Tab
@@ -26,7 +26,7 @@ The tab contains the following settings:
 information recorded per event.
 :::note
- This setting effects activity log retention whether or not the archiving feature is
+ This setting effects activity log retention whether the archiving feature is
 enabled.
 :::
@@ -66,7 +66,7 @@ The tab contains the following settings:
 is 10 days.
 :::note
- This setting effects activity log retention whether or not the archiving feature is
+ This setting effects activity log retention whether the archiving feature is
 enabled.
 :::
@@ -83,7 +83,7 @@ The tab contains the following settings:
 [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for additional information.
 - For integration with Netwrix Threat Prevention NAS monitoring, this setting only controls the
- log retention period for NAS devices, as Netwrix Threat Prevention does not read Windows file
+ log retention period for NAS devices, as Netwrix Threat Prevention doesn't read Windows file
 server activity from Activity Monitor.
 - Report account names – Indicates if an Account Name column is added in the activity log files
@@ -92,7 +92,7 @@ The tab contains the following settings:
 :::note
 This is needed to feed data into Splunk in a Syslog output. However, Netwrix Access
- Analyzer does not support log files with headers. Therefore, do
+ Analyzer doesn't support log files with headers. Therefore, do
 not select this option for a File output designed for Netwrix Access Analyzer.
 :::
@@ -142,7 +142,7 @@ The tab contains the following settings:
 is 10 days.
 :::note
- This setting effects activity log retention whether or not the archiving feature is
+ This setting effects activity log retention whether the archiving feature is
 enabled.
 :::
@@ -158,7 +158,7 @@ The tab contains the following settings:
 :::note
 This is needed to feed data into Splunk in a Syslog output. However, Netwrix Access
- Analyzer does not support log files with headers. Therefore, do
+ Analyzer doesn't support log files with headers. Therefore, do
 not select this option for a File output designed for Netwrix Access Analyzer.
 :::
@@ -197,7 +197,7 @@ The tab contains the following settings:
 is 10 days.
 :::note
- This setting effects activity log retention whether or not the archiving feature is
+ This setting effects activity log retention whether the archiving feature is
 enabled.
 :::
@@ -236,7 +236,7 @@ The tab contains the following settings:
 is 10 days.
 :::note
- This setting effects activity log retention whether or not the archiving feature is
+ This setting effects activity log retention whether the archiving feature is
 enabled.
 :::
diff --git a/docs/activitymonitor/10.0/admin/outputs/overview.md b/docs/activitymonitor/10.0/admin/outputs/overview.md
index 80e92a65b7..08ba48fca3 100644
--- a/docs/activitymonitor/10.0/admin/outputs/overview.md
+++ b/docs/activitymonitor/10.0/admin/outputs/overview.md
@@ -9,7 +9,11 @@ sidebar_position: 40
 Once a domain or a host/service is being monitored the event stream can be sent to multiple outputs.
 There are three types of outputs:
-- File – Creates an activity log as a TSV or JSON file for every day of activity
+
+- Netwrix Access Analyzer 26 – Sends activity events to Netwrix Access Analyzer 26 and above
+
+- File – Creates an activity log as a TSV or JSON file for every day of activity.
+ Use this output type to integrate with Access Analyzer 12 and below.
 - Syslog – Sends activity events to the configured SIEM server. For file servers, this option is also used to send activity events to Netwrix Threat Manager.
@@ -38,6 +42,7 @@ Output Properties window has the following tabs:
 Output Properties window has the following tabs:
+- [Access Analyzer 26 Tab](/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md), Access Analyzer 26 output only
 - [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only
 - [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only
 - [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md)
@@ -92,30 +97,32 @@ Output Properties window has the following tabs: Output Properties window has the following tabs: -- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) +- [Access Analyzer 26 Tab](/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md), Access Analyzer 26 output only - [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only -- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) - [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) ## For SQL Server Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) -- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) - [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only - [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) - [Objects Tab](/docs/activitymonitor/10.0/admin/outputs/objects.md) -- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) ## For Windows File Server Hosts Output Properties window has the following tabs: -- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) -- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) 
+- [Access Analyzer 26 Tab](/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md), Access Analyzer 26 output only - [Log Files Tab](/docs/activitymonitor/10.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only - [Operations Tab](/docs/activitymonitor/10.0/admin/outputs/operations/operations.md) - [Path Filtering Tab](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md) - [Protocols Tab](/docs/activitymonitor/10.0/admin/outputs/protocols.md) -- [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Account Exclusions Tab](/docs/activitymonitor/10.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/10.0/admin/outputs/additionalproperties.md) From ff9238ae3516f5bf02a78cf1ecffd8795bc908c1 Mon Sep 17 00:00:00 2001 
From: Paul Shmakov Date: Tue, 5 May 2026 17:11:04 +0100 Subject: [PATCH 04/22] feat(activitymonitor): add Microsoft 365 Copilot monitoring documentation for v10.0 - Add host wizard walkthrough and Azure AD/Entra ID registration prerequisites - Add search query reference with filter categories and result columns - Document path filtering options including non-Microsoft resource toggle - Update Add New Host overview and output type count/formatting Generated with AI Co-Authored-By: Claude Code --- .../admin/monitoredhosts/add/m365copilot.md | 69 ++++++++++ .../10.0/admin/monitoredhosts/add/overview.md | 1 + .../10.0/admin/outputs/accessanalyzer26.md | 4 +- .../10.0/admin/outputs/overview.md | 10 +- .../outputs/pathfiltering/pathfiltering.md | 60 ++++++-- .../admin/search/m365copilot/_category_.json | 10 ++ .../admin/search/m365copilot/m365copilot.md | 88 ++++++++++++ .../activityagent/m365copilot-activity.md | 129 ++++++++++++++++++ 8 files changed, 355 insertions(+), 16 deletions(-) create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/m365copilot.md create mode 100644 docs/activitymonitor/10.0/admin/search/m365copilot/_category_.json create mode 100644 docs/activitymonitor/10.0/admin/search/m365copilot/m365copilot.md create mode 100644 docs/activitymonitor/10.0/requirements/activityagent/m365copilot-activity.md diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/m365copilot.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/m365copilot.md new file mode 100644 index 0000000000..da2a395206 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/m365copilot.md 
@@ -0,0 +1,69 @@ +--- +title: "Microsoft 365 Copilot" +description: "Microsoft 365 Copilot" +sidebar_position: 65 +--- + +# Microsoft 365 Copilot + +The Activity Monitor can be configured to monitor Microsoft 365 Copilot interaction events, +reporting resources accessed while users interact with Copilot. + +Before adding a Microsoft 365 Copilot host to the Activity Monitor, the prerequisites for the +target environment must be met. See the +[Microsoft 365 Copilot Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/m365copilot-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Microsoft 365 Copilot Host + +**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. +The Add New Host or Service window opens. + +**Step 2 –** On the Choose Agent page, select the Agent to monitor Microsoft 365 Copilot. Click +**Next**. + +**Step 3 –** On the Choose Event Source Type page, select the **Microsoft 365 Copilot** radio +button and enter the tenant domain name. + +_(Optional)_ Enter a comment for the host. + +Click **Next**. + +**Step 4 –** On the Azure AD / Entra ID Connection page, configure the following options: + +- Domain – Displays the tenant domain name entered in the previous step. +- Azure Cloud – Select the Azure cloud environment from the dropdown menu. +- Tenant ID – Auto-populated from the domain entered. +- Client ID – Enter the Client ID for the registered application. +- Client Secret – Enter the Client Secret for the registered application. +- Region – (Optional) Enter the region. +- Certificate – Click **Open agent certificate location** to locate the agent certificate file. + Upload this certificate to the registered application in Microsoft Entra ID. 
+ +Click **Open Instruction...** for steps on registering the Activity Monitor with Microsoft Entra ID, +uploading the agent certificate, and granting the required permissions. + +Click **Connect** to verify the connection. Click **Next**. + +**Step 5 –** Complete the wizard by configuring the output options. See the +[Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +The Microsoft 365 Copilot host appears in the monitored hosts/services table. + +## Host Properties for Microsoft 365 Copilot + +To edit configuration settings, select the host and open its Properties window. The configurable +host properties are: + +- [Connection Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/10.0/admin/monitoredhosts/properties/overview.md) +topic for additional information. diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md index b84fe8fb1e..58902f44fd 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md 
@@ -23,6 +23,7 @@ following topics for additional information: - [Dell Unity](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellunity.md) - [Exchange Online](/docs/activitymonitor/10.0/admin/monitoredhosts/add/exchangeonline.md) - [Hitachi](/docs/activitymonitor/10.0/admin/monitoredhosts/add/hitachi.md) +- [Microsoft 365 Copilot](/docs/activitymonitor/10.0/admin/monitoredhosts/add/m365copilot.md) - [Microsoft Entra ID](/docs/activitymonitor/10.0/admin/monitoredhosts/add/entraid.md) - [Nasuni](/docs/activitymonitor/10.0/admin/monitoredhosts/add/nasuni.md) - [NetApp](/docs/activitymonitor/10.0/admin/monitoredhosts/add/netapp.md) diff --git a/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md b/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md index b5c64b8d9b..6daa41ed8e 100644 --- a/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md +++ b/docs/activitymonitor/10.0/admin/outputs/accessanalyzer26.md @@ -17,8 +17,8 @@ Select an Access Analyzer 26 output from the Monitored Hosts/Services tab and cl The tab contains the following settings: - Server in SERVER:PORT format – Server name of the Netwrix Access Analyzer 26 application server and - the communication port being used between the applications. The format must be SERVER:PORT, e.g. - newyorksrv10:4504. + the communication port being used between the applications. The format must be `SERVER:PORT`, e.g. + `AASRV01:4504`. - The server name can be a short name, fully qualified domain name (FQDN), or IP address, as long as the agent can resolve it. - The default port for Netwrix Access Analyzer 26 is 4504. diff --git a/docs/activitymonitor/10.0/admin/outputs/overview.md b/docs/activitymonitor/10.0/admin/outputs/overview.md index 08ba48fca3..a4118efe30 100644 --- a/docs/activitymonitor/10.0/admin/outputs/overview.md +++ b/docs/activitymonitor/10.0/admin/outputs/overview.md 
@@ -7,18 +7,18 @@ sidebar_position: 40 # Output Types Once a domain or a host/service is being monitored the event stream can be sent to multiple outputs. There -are three types of outputs: +are four types of outputs: -- Netwrix Access Analyzer 26 – Sends activity events to Netwrix Access Analyzer 26 and above +- **Netwrix Access Analyzer 26** – Sends activity events to Netwrix Access Analyzer 26 and above -- File – Creates an activity log as a TSV or JSON file for every day of activity. +- **File** – Creates an activity log as a TSV or JSON file for every day of activity. Use this output type to integrate with Access Analyzer 12 and below. -- Syslog – Sends activity events to the configured SIEM server. +- **Syslog** – Sends activity events to the configured SIEM server. For file servers, this option is also used to send activity events to Netwrix Threat Manager. -- Netwrix Threat Manager – Sends Active Directory activity events to Netwrix Threat Manager +- **Netwrix Threat Manager** – Sends Active Directory activity events to Netwrix Threat Manager :::note This output type is only available for Monitored Domains diff --git a/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md index 4809d2d2ee..f3d7511e86 100644 --- a/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md +++ b/docs/activitymonitor/10.0/admin/outputs/pathfiltering/pathfiltering.md 
@@ -21,7 +21,7 @@ The tab contains the following settings and features: - Add – Opens the Add or Edit Path window to add a new path to the list. See the [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. -- Remove – Removes the selected path from the list. Confirmation is not requested. +- Remove – Removes the selected path from the list. Confirmation isn't requested. :::warning If a path is removed by accident, use the **Cancel** button to discard the change. @@ -32,7 +32,7 @@ The tab contains the following settings and features: buttons move the selected path up or down in the list - Edit – Opens the Add or Edit Path window to modify the selected path. See the [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. -- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to +- Enter a path below to test whether it will be included or excluded – Enter a path in the textbox to test whether it will be included/excluded based on the path filtering list - Result – Under the text box, a description of whether the indicated path is included or @@ -55,7 +55,7 @@ precedence, and the ‘Edward’ child folder will not be monitored. :::note -If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are +If ‘Include’ isn't listed under the Filter Type column (or no Include filter paths are added), then all current and new discovered drives will be monitored. ::: 
@@ -71,7 +71,7 @@ The tab contains the following settings and features: - Add – Opens the Add or Edit Path window to add a new path to the list. See the [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. -- Remove – Removes the selected path from the list. Confirmation is not requested. +- Remove – Removes the selected path from the list. Confirmation isn't requested. :::warning If a path is removed by accident, use the **Cancel** button to discard the change. @@ -82,7 +82,7 @@ The tab contains the following settings and features: buttons move the selected path up or down in the list - Edit – Opens the Add or Edit Path window to modify the selected path. See the [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. -- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to +- Enter a path below to test whether it will be included or excluded – Enter a path in the textbox to test whether it will be included/excluded based on the path filtering list - Result – Under the text box, a description of whether the indicated path is included or @@ -105,7 +105,7 @@ precedence, and the ‘Edward’ child folder will not be monitored. :::note -If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are +If ‘Include’ isn't listed under the Filter Type column (or no Include filter paths are added), then all current and new discovered drives will be monitored. ::: 
@@ -135,7 +135,7 @@ The tab contains the following settings and features: - Add – Opens the Add or Edit Path window to add a new path to the list. See the [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. -- Remove – Removes the selected path from the list. Confirmation is not requested. +- Remove – Removes the selected path from the list. Confirmation isn't requested. :::warning If a path is removed by accident, use the **Cancel** button to discard the change. @@ -148,7 +148,7 @@ The tab contains the following settings and features: [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. - Add all local drives – Retrieves and adds all local drives to the bottom of the list with a type of Include -- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to +- Enter a path below to test whether it will be included or excluded – Enter a path in the textbox to test whether it will be included/excluded based on the path filtering list - Result – Under the text box, a description of whether the indicated path is included or 
@@ -171,10 +171,52 @@ precedence, and the ‘Edward’ child folder will not be monitored. :::note -If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are +If ‘Include’ isn't listed under the Filter Type column (or no Include filter paths are added), then all current and new discovered drives will be monitored. ::: Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output Properties window closes. + + +## For Microsoft 365 Copilot Hosts + +The Path Filtering tab for a Microsoft 365 Copilot host includes an additional option to control +which resources are reported. + +**Report activity on non-Microsoft resources** – When unchecked (default), only activity on +Microsoft 365 resources (SharePoint, OneDrive, Teams, Outlook, and Forms) is reported. When checked, +activity on all resources accessed during Copilot interactions, including external websites, is +reported. + +The tab also contains the following path filtering settings: + +- Add – Opens the Add or Edit Path window to add a new path to the list. See the + [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) + topic for additional information. +- Remove – Removes the selected path from the list. Confirmation isn't requested. + + :::warning + If a path is removed by accident, use the **Cancel** button to discard the change. + ::: + + +- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these + buttons move the selected path up or down in the list. +- Edit – Opens the Add or Edit Path window to modify the selected path. See the + [Add or Edit Path Window](/docs/activitymonitor/10.0/admin/outputs/pathfiltering/addeditpath.md) + topic for additional information. +- Enter a path below to test whether it will be included or excluded – Enter a path in the textbox + to test whether it will be included/excluded based on the path filtering list. 
+ + - Result – Under the text box, a description of whether the indicated path is included or + excluded will appear. + +- Exclude extensions – Displays a space-separated list of file extensions that are excluded. + +The table lists paths that are being filtered, displaying columns for Type (Include or Exclude) and +Pattern. Path filters are evaluated in the order specified by the table. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. \ No newline at end of file diff --git a/docs/activitymonitor/10.0/admin/search/m365copilot/_category_.json b/docs/activitymonitor/10.0/admin/search/m365copilot/_category_.json new file mode 100644 index 0000000000..af19281d2c --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/m365copilot/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Microsoft 365 Copilot Search Query", + "position": 75, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "m365copilot" + } +} diff --git a/docs/activitymonitor/10.0/admin/search/m365copilot/m365copilot.md b/docs/activitymonitor/10.0/admin/search/m365copilot/m365copilot.md new file mode 100644 index 0000000000..3b9d3b527a --- /dev/null +++ b/docs/activitymonitor/10.0/admin/search/m365copilot/m365copilot.md 
@@ -0,0 +1,88 @@ +--- +title: "Microsoft 365 Copilot Search Query" +description: "Microsoft 365 Copilot Search Query" +sidebar_position: 70 +--- + +# Microsoft 365 Copilot Search Query + +You can search Microsoft 365 Copilot activity that has been monitored and recorded to a File output. +When you select **Microsoft 365 Copilot** from the search dropdown menu, a New Search tab opens +with the applicable query filters. + +The filters are separated into the following categories: + +- General +- User +- Copilot +- Advanced + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope the results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/10.0/admin/search/overview.md#filter) and +[Sort](/docs/activitymonitor/10.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the +[Export](/docs/activitymonitor/10.0/admin/search/overview.md#export) option. + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. +- To – Set the date and timestamp for the end of the activity range. +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. +- Agent Hosts – Filter the data for a specific agent. + +## User Category + +The User category scopes the query by the user who performed the activity. + +This section has the following filters: + +- Name or UPN +- IP Address +- User Type + +## Copilot Category + +The Copilot category scopes the query by Copilot-specific activity attributes. 
+ +This section has the following filters: + +- App Host – The Microsoft 365 application in which the Copilot interaction occurred, for example + Teams, Word, or Outlook. +- Entity (Resource URL) – The URL of the resource that was accessed during the Copilot interaction. +- Plugins – The Copilot plugins used during the interaction. +- Thread ID – The unique identifier of the Copilot conversation thread. +- Entity Type – The type of entity accessed during the Copilot interaction. + +## Advanced Category + +This section has the following filters: + +- Client Region – The geographic region of the client that initiated the activity. + +## Search Results + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Source – Indicates the source of the activity event +- User – User account that performed the activity event +- User Type – Type of user associated with the event +- External – Indicates whether the resource accessed is external to Microsoft 365 +- IP Address – IP address associated with the event +- App Host – The Microsoft 365 application in which the Copilot interaction occurred +- Thread ID – Unique identifier of the Copilot conversation thread +- Entity (Resource) – URL of the resource accessed during the Copilot interaction +- Entity Type – Type of entity accessed during the Copilot interaction +- Plugins – Copilot plugins used during the interaction +- Client Region – Geographic region of the client that initiated the activity diff --git a/docs/activitymonitor/10.0/requirements/activityagent/m365copilot-activity.md b/docs/activitymonitor/10.0/requirements/activityagent/m365copilot-activity.md new file mode 100644 index 0000000000..d3a4493f51 --- /dev/null +++ b/docs/activitymonitor/10.0/requirements/activityagent/m365copilot-activity.md 
@@ -0,0 +1,129 @@ +--- +title: "Microsoft 365 Copilot Activity Auditing Configuration" +description: "Microsoft 365 Copilot Activity Auditing Configuration" +sidebar_position: 55 +--- + +# Microsoft 365 Copilot Activity Auditing Configuration + +To collect logs and monitor Microsoft 365 Copilot activity, register the Netwrix Activity Monitor +with Microsoft Entra ID (formerly Azure AD). + +:::note +A user account with the Global Administrator role is required to register an app with +Microsoft Entra ID. +::: + + +**Configuration Settings from the Registered Application** + +The following settings are needed from your tenant after you register the application: + +- Tenant ID – This is the Tenant ID for Microsoft Entra ID +- Client ID – This is the Application (client) ID for the registered application +- Client Secret – This is the Client Secret Value generated when a new secret is created + + :::warning + It isn't possible to retrieve the value after saving the new key. It must be + copied first. + ::: + + +- Agent Certificate – Upload the agent certificate to the registered application in Microsoft + Entra ID. See the + [Upload the Agent Certificate](#upload-the-agent-certificate) section for additional information. + +**Required API Permissions** + +| API | Permission | Type | Description | +| --- | --- | --- | --- | +| Microsoft Graph | `Directory.Read.All` | Application | Read directory data | +| Microsoft Graph | `Sites.Read.All` | Application | Read items in all site collections | +| Microsoft Graph | `User.Read.All` | Application | Read all users' full profiles | +| SharePoint | `Sites.Read.All` | Application | Read items in all site collections | +| Office 365 Management APIs | `ActivityFeed.Read` | Application | Read activity data for your organization | + +## Register a Microsoft Entra ID Application + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. 
These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click +**App registrations**. + +**Step 3 –** In the top toolbar, click **New registration**. + +**Step 4 –** Enter the following information on the Register an application page: + +- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor + for Microsoft 365 Copilot +- Supported account types – Select **Accounts in this organizational directory only** +- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the + dropdown menu. In the text box, enter the following: + +**Urn:ietf:wg:oauth:2.0:oob** + +**Step 5 –** Click **Register**. + +The Overview page for the newly registered app opens. + +## Grant Permissions to the Registered Application + +**Step 1 –** On the registered app blade, click **API permissions** in the Manage section. + +**Step 2 –** Click **Add a permission** and add the permissions listed in the Required API +Permissions table in this topic. + +**Step 3 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation +window. + +## Identify the Client ID and Tenant ID + +The Client ID and Tenant ID are available on the registered application's Overview page. + +**Step 1 –** Select the registered application in **Identity** > **Applications** > **App +registrations** > **All applications**. + +**Step 2 –** Copy the **Application (client) ID** and **Directory (tenant) ID** values and save +them to a text file. + +## Generate the Client Secret Key + +:::warning +It isn't possible to retrieve the value after saving the new key. It must be copied +first. 
+::: + + +**Step 1 –** On the registered app blade, click **Certificates & secrets** in the Manage section. + +**Step 2 –** Click **New client secret**, enter a description and expiration period, then click +**Add**. + +:::note +Setting the duration on the key to expire requires reconfiguration at the time of +expiration. It is best to configure it to expire in 1 or 2 years. +::: + + +**Step 3 –** Copy the Client Secret from the Value column and save it to a text file. + +## Upload the Agent Certificate + +Upload the Activity Monitor agent certificate to the registered application in Microsoft Entra ID. +This certificate authenticates the agent when it collects Microsoft 365 Copilot activity data. + +**Step 1 –** On the Azure AD / Entra ID Connection page in the Activity Monitor, click **Open +agent certificate location** to open the folder containing the agent certificate file. + +**Step 2 –** In the Microsoft Entra admin center, select the registered application and click +**Certificates & secrets** in the Manage section. + +**Step 3 –** On the **Certificates** tab, click **Upload certificate**, browse to the agent +certificate file, and click **Add**. From 8678420b9cf7f5290b962cab685d47504f264c7a Mon Sep 17 00:00:00 2001 
From: Paul Shmakov Date: Wed, 6 May 2026 18:16:10 +0100 Subject: [PATCH 05/22] feat(activitymonitor): add Cohesity SmartFiles host wizard and fix Vale issues - Add cohesity.md wizard walkthrough for adding a Cohesity SmartFiles host - Fix relative links in cohesity add and properties pages (missing leading /) - Add Microsoft 365 Copilot to supported hosts list in monitoredhosts overview - Update Cohesity link in Add New Host overview to point to the new wizard page - Bump Dell Celerra/VNX sidebar_position to 13 (Cohesity takes 12) - Fix pre-existing Vale warnings in dellcelerravnx.md Generated with AI Co-Authored-By: Claude Code --- .../10.0/admin/monitoredhosts/add/cohesity.md | 46 +++++++++++++++++++ .../monitoredhosts/add/dellcelerravnx.md | 30 ++++++------ .../10.0/admin/monitoredhosts/add/overview.md | 2 +- .../10.0/admin/monitoredhosts/overview.md | 1 + .../monitoredhosts/properties/cohesity.md | 7 +++ 5 files changed, 69 insertions(+), 17 deletions(-) create mode 100644 docs/activitymonitor/10.0/admin/monitoredhosts/add/cohesity.md diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/cohesity.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/cohesity.md new file mode 100644 index 0000000000..d127dbb036 --- /dev/null +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/cohesity.md 
@@ -0,0 +1,46 @@ +--- +title: "Cohesity SmartFiles" +description: "Add Cohesity SmartFiles" +sidebar_position: 12 +--- + +# Add Cohesity SmartFiles Host + +Before adding Cohesity SmartFiles to the Activity Monitor, the prerequisites for the target environment +must be met. See the [Cohesity SmartFiles Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md) +topic for additional information. + + +**Step 1 –** In the Console, open the **Monitored Hosts/Services** page and select **Add +Host/Service**. + +**Step 2 –** Choose the agent that will monitor the Cohesity SmartFiles cluster. + +**Step 3 –** Select **Cohesity SmartFiles** and enter the Cohesity cluster name. + +**Step 4 –** Specify the API key to access the Cohesity cluster via the API. Use the built-in +instruction to create the API key directly from this step. + +**Step 5 –** Specify the account that has SMB access to the `COHESITY_AUDIT_VIEW` audit logs share. + +**Step 6 –** Select **Connect** to verify that the product has access to the Cohesity cluster. + +**Step 7 –** Select the views to monitor. If the list is left empty, the product monitors all +views that have auditing enabled. + +**Step 8 –** Select **Enable Audit Log option for specified views** if you want the product to +automatically enable auditing for all views in the monitoring scope. + +**Step 9 –** Complete the wizard by selecting the required operations and outputs. + +:::warning +Audit log events from Cohesity SmartFiles may be delayed. Events can appear with a latency ranging +from a few minutes up to an hour. + +This delay is by design: Cohesity prioritizes active workloads over audit log flushing. As a +result, with the default configuration, audit logs are suitable for historical analysis but not +real-time monitoring. + +An internal configuration option exists in Cohesity that can reduce this latency by forcing audit +logs to be written more frequently. 
If you need to reduce latency, contact Cohesity Support. +::: diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md index 6591654504..f546f0ac72 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md @@ -1,7 +1,7 @@ --- title: "Dell Celerra or VNX" description: "Dell Celerra or VNX" -sidebar_position: 12 +sidebar_position: 13 --- # Dell Celerra or VNX @@ -13,7 +13,7 @@ The Activity Monitor can be configured to monitor the following: - Ability to collect all or specific file activity for specific values or specific combinations of values -It provides the ability to feed activity data to SIEM products. The following dashboards have been +It lets you feed activity data to SIEM products. The following dashboards have been specifically created for Activity Monitor event data: - For IBM® QRadar®, see the @@ -22,13 +22,13 @@ specifically created for Activity Monitor event data: - For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/10.0/siem/splunk/overview.md) for additional information. -It also provides the ability to feed activity data to other Netwrix products: +It also lets you feed activity data to other Netwrix products: - Netwrix Access Analyzer - Netwrix Threat Prevention - Netwrix Threat Manager -Prior to adding a Dell Celerra or VNX host to the Activity Monitor, the prerequisites for the target +Before adding a Dell Celerra or VNX host to the Activity Monitor, the prerequisites for the target environment must be met. See the [Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md) topic for additional information. 
@@ -41,8 +41,6 @@ monitoring the target environment. ## Add Dell VNX/Celerra Host -Follow the steps to add a Dell Celerra or VNX host to be monitored. - **Step 1 –** Navigate to the Monitored Hosts & Services tab and click Add. The Add New Host window opens. ![Choose Agent Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) @@ -57,7 +55,7 @@ Server NetBIOS Name** for the device. If desired, add a **Comment**. Click **Nex :::note All Dell event source types must have the CEE Monitor Service installed on the agent in -order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and +order to collect events. Activity Monitor will detect if the CEE Monitor isn't installed and display a warning to install the service. If the CEE Monitor service is installed on a remote machine, manual configuration is required. See the [Dell CEE Options Tab](/docs/activitymonitor/10.0/admin/agents/properties/dellceeoptions.md) topic for additional information. @@ -87,7 +85,7 @@ Click **Next**. ![Configure Basic Options Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp) **Step 6 –** On the Configure Basic Options page, choose which settings to enable. The "Log files" -are the activity logs created by the activity agent on the proxy host. Select the desired options: +are the activity logs created by the activity agent on the proxy host. Select the options you want: - Report account names – Adds an **Account Name** column in the generated TSV files - Add C:\ to the beginning of the reported file paths – Adds 'C:\" to file paths to be displayed 
@@ -106,7 +104,7 @@ are the activity logs created by the activity agent on the proxy host. Select th through the UNC Path. If a file is accessed locally, these columns are empty. These columns have also been added as Syslog macros. - When this option is selected, the user needs to provide credentials in the Auditing tab. If - credentials are not provided, the following warning message is displayed: + credentials aren't provided, the following warning message is displayed: - Credentials are required for this feature. Provide the credentials in the Auditing tab. - Report operations with millisecond precision – Changes the timestamps of events being recorded in the TSV log file for better ordering of events if multiple events occur within the same second @@ -149,19 +147,19 @@ Click **Next**. **Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog Output page can be configured. -- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format +- Syslog server in SERVER[:PORT] format – Enter the **Syslog server name** with a SERVER:Port format in the text box. - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the organization's environment can resolve the name format used. The Event stream is the activity being monitored according to this configuration for the monitored host. -- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The dropdown menu includes: - UDP - TCP - TLS - The TCP and TLS protocols add the Message framing drop-down menu. See the + The TCP and TLS protocols add the Message framing dropdown menu. See the [Syslog Tab](/docs/activitymonitor/10.0/admin/outputs/syslog/syslog.md) topic for additional information. - Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The 
@@ -178,7 +176,7 @@ Output page can be configured. template for Threat Manager. See the [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) for additional information. - - Custom templates can be created. Select the desired template or create a new template by + - Custom templates can be created. Select the template you want or create a new template by modifying an existing template within the Syslog Message Template window. The new message template will be named Custom. - Add C:\ to the beginning of the reported file paths – Adds 'C:\" to file paths to be displayed @@ -197,13 +195,13 @@ Output page can be configured. through the UNC Path. If a file is accessed locally, these columns are empty. These columns have also been added as Syslog macros. - When this option is selected, the user needs to provide credentials in the Auditing tab. If - credentials are not provided, the following warning message is displayed: + credentials aren't provided, the following warning message is displayed: - Credentials are required for this feature. Provide the credentials in the Auditing tab. - The Test button – Sends a test message to the Syslog server to check the connection. A green check mark or red will determine whether the test message has been sent or failed to send. Messages vary by Syslog protocol: - - UDP – Sends a test message and does not verify connection + - UDP – Sends a test message and doesn't verify connection - TCP/TLS – Sends test message and verifies connection - TLS – Shows error if TLS handshake fails 
@@ -214,7 +212,7 @@ Click **Finish**. ![activitymonitoremcvnxcelerra](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp) The added Dell Celerra or VNX host is displayed in the Monitored Hosts & Services table. Once a host has been -added for monitoring, configure the desired outputs. See the +added for monitoring, configure the outputs you want. See the [Output for Monitored Hosts](/docs/activitymonitor/10.0/admin/monitoredhosts/output/output.md) topic for additional information. ## Host Properties for Dell Celerra or VNX diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md index 58902f44fd..0dc848f4d2 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/add/overview.md @@ -15,7 +15,7 @@ The window opens for all types of hosts that can be monitored with an Activity A following topics for additional information: - [Azure Files](/docs/activitymonitor/10.0/admin/monitoredhosts/add/azurefiles.md) -- [Cohesity SmartFiles](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md) +- [Cohesity SmartFiles](/docs/activitymonitor/10.0/admin/monitoredhosts/add/cohesity.md) - [CTERA](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/ctera-activity.md) - [Dell Celerra or VNX](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellcelerravnx.md) - [Dell Isilon/PowerScale](/docs/activitymonitor/10.0/admin/monitoredhosts/add/dellpowerscale.md) diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md b/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md index 448d302055..2cd95f6cb1 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/overview.md 
@@ -30,6 +30,7 @@ Agent: - Microsoft Entra ID (formerly Azure AD) - SharePoint - SharePoint Online +- Microsoft 365 Copilot - Exchange Online - SQL Server diff --git a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md index c3fe9a426f..41385005d0 100644 --- a/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md +++ b/docs/activitymonitor/10.0/admin/monitoredhosts/properties/cohesity.md @@ -27,3 +27,10 @@ The configurable options are: - Connect – Click to validate the connection to the Cohesity cluster using the provided credentials - Enable Audit Log option for specified views – Select this checkbox to have the product automatically enable auditing for all views in the monitoring scope + + +:::note +See the [Cohesity SmartFiles Activity Auditing Configuration](/docs/activitymonitor/10.0/requirements/activityagent/nas-device-configuration/cohesity-activity.md) topic for +additional information on Cohesity SmartFiles host. +::: + From 8f42edb6a133346302e345ca5efdb0bba74b57f2 Mon Sep 17 00:00:00 2001 From: jth-nw Date: Wed, 6 May 2026 12:47:44 -0500 Subject: [PATCH 06/22] chore(pingcastle): add CLAUDE.md for pingcastle docs subdirectory Generated with AI Co-Authored-By: Claude Code --- docs/pingcastle/CLAUDE.md | 48 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 docs/pingcastle/CLAUDE.md diff --git a/docs/pingcastle/CLAUDE.md b/docs/pingcastle/CLAUDE.md new file mode 100644 index 0000000000..6b8d891010 --- /dev/null +++ b/docs/pingcastle/CLAUDE.md 
@@ -0,0 +1,48 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Product Overview
+
+PingCastle documentation covers three product tiers for Active Directory security assessment:
+
+- **PingCastle Enterprise** — Full platform with web UI, agents, scheduler, API
+- **PingCastle Pro** — Mid-tier with web UI and API features
+- **PingCastle Standard/Basic** — Command-line assessment tool (no web server)
+
+The current version is **3.5** (only one version exists).
+
+## File Structure
+
+Each tier has a consistent set of docs under `3.5/`:
+
+| File | Purpose | sidebar_position |
+|---|---|---|
+| `enterpriseinstall.md` | Enterprise installation and configuration | 1 |
+| `enterpriseupgrade.md` | Enterprise upgrade guide | 2 |
+| `enterpriseuser.md` | Enterprise user manual | 3 |
+| `index.md` | Standard and Basic user guide | 4 |
+| `proinstall.md` | Pro installation and configuration | 5 |
+| `proupgrade.md` | Pro upgrade guide | 6 |
+| `prouser.md` | Pro user manual | 7 |
+| `kb/` | Knowledge Base articles (position 999, collapsed) | — |
+
+KB article images are PNGs stored in `3.5/kb/0-images/`. Reference them with relative paths from the article file.
+
+## Naming Conventions
+
+- Prefix Enterprise docs with `enterprise`, Pro docs with `pro`
+- Standard/Basic content lives in `index.md` (no prefix)
+- KB article filenames are lowercase kebab-case describing the exact symptom
+
+## Terminology
+
+Use these exact product names — don't abbreviate or invent variants:
+
+- PingCastle Enterprise
+- PingCastle Pro
+- PingCastle Standard
+- PingCastle Basic
+- PingCastle for Service Providers
+
+"Active Directory" and "Entra ID" are always capitalized. Never use "AD" alone without spelling it out first.
From c926ac32ac80cd8abaf134a815f776a4eae13266 Mon Sep 17 00:00:00 2001
From: jth-nw Date: Wed, 6 May 2026 13:06:07 -0500 Subject: [PATCH 07/22] pingcastle claudemd vale and dale --- docs/pingcastle/3.5/enterpriseinstall.md | 6 +-- docs/pingcastle/3.5/enterpriseuser.md | 42 +++++++------------ docs/pingcastle/3.5/index.md | 12 +++--- docs/pingcastle/3.5/proinstall.md | 53 ++++++++++-------------- 4 files changed, 45 insertions(+), 68 deletions(-) diff --git a/docs/pingcastle/3.5/enterpriseinstall.md b/docs/pingcastle/3.5/enterpriseinstall.md index 81ed319106..5b4f49adf5 100644 --- a/docs/pingcastle/3.5/enterpriseinstall.md +++ b/docs/pingcastle/3.5/enterpriseinstall.md @@ -74,7 +74,7 @@ Licenses are based on the number of domains managed, with licenses available up - Domain Controllers aren't counted for licensing purposes, only domains - Licenses are bundled in packs of 10 domains, up to 60, with an unlimited license thereafter -**Example**: If you have contoso.com with two subdomains called uk.contoso.com and us.contoso.com, this would require a 10-domain licensing pack. +**Example**: If you have `contoso.com` with two subdomains called `uk.contoso.com` and `us.contoso.com`, this would require a 10-domain licensing pack. ## Architecture @@ -2132,7 +2132,7 @@ Set the certificate requirement to **Accept** (not **Require**) to allow API acc ::: :::note Browser Cache -If certificate settings are changed, close and reopen the browser to avoid connection cache reuse. +Close and reopen the browser after changing certificate settings to avoid connection cache reuse. ::: **PingCastle Configuration** @@ -3363,7 +3363,7 @@ More detailed error messages can be found in the event log or by running the app **Solution:** -Check the detailed error message and correct the issue. For license errors, verify and update the license key in appsettings.json. +Check the detailed error message and correct the issue. If you see a license error, verify the license key in `appsettings.json` and update it if needed. 
diff --git a/docs/pingcastle/3.5/enterpriseuser.md b/docs/pingcastle/3.5/enterpriseuser.md index bc1c7db060..416fa9b0ba 100644 --- a/docs/pingcastle/3.5/enterpriseuser.md +++ b/docs/pingcastle/3.5/enterpriseuser.md @@ -14,7 +14,7 @@ management, thus improving over time. # PingCastle built-in security -PingCastle Enterprise is a tool dedicated to improve the AD security, so +PingCastle Enterprise is a tool dedicated to improving Active Directory (AD) security, so security has been a major priority alongside every step of the creation and improvement. @@ -67,10 +67,8 @@ These methods can be used separately or in coordination, meaning you can either use a Dual-Factor authentication (recommended) or a single factor authentication. -If the password authentication must be disabled, the setting -\"disablePasswordLogin\" should be set to on. OpenID is automatically -enabled if the OpenID section is completed in the \"appsettings.json\" -file. +To disable password authentication, set `disablePasswordLogin` to `true`. OpenID is automatically +enabled when the OpenID section is completed in `appsettings.json`. Authentication using OpenID: @@ -115,8 +113,8 @@ Saml2, ...) Claims permission is the way to assign dynamically permissions based on Windows group. Claims are case sensitive. You can -also open the "View my user's claims page in "Manage your account" to -see what claims have been pushed to Ping Castle. +also open the user's claims page (available under **Manage your account**) to +see what claims have been pushed to PingCastle Enterprise. ![Une image contenant texte, capture d'écran, Police, conception Description générée automatiquement](/images/pingcastle/enterpriseuser/image9.webp) @@ -145,8 +143,7 @@ Account / User management Management view -Each view is dedicated to a certain kind of audience, which is defined -by the role each stakeholder has. +Each view targets a specific audience based on the stakeholder's role. ## Role-Based Access and Permission Structure 
@@ -237,9 +234,9 @@ From this global page, you can then access detailed process for each step of the PingCastle maturity assessment (Domain Coverage, Ownership, etc.) while more detailed pages can be shown in the advanced menu. -This view is mainly dedicated for the company management, notably the -\"Maturity Assessment\" part, as it will show KPI as well as Objectives -and goals to improve the overall level of security of the AD. +This view is primarily for company management, notably the +\"Maturity Assessment\" part, which shows KPIs as well as objectives +and goals to improve the overall level of AD security. Nonetheless, it can also be used by Technical stakeholder such as AD administrator, as it can greatly assist in the technical remediation. @@ -300,8 +297,7 @@ Detailed view of the breakdown for a major area: Use this page to understand the work performed and the remaining work for AD security. -Then a button \"Click here to get more details\" is available to switch -to a more detailed dashboard. +Click the **Get more details** button to switch to a more detailed dashboard. ## Area maturity dashboard @@ -403,7 +399,7 @@ the user to the detail of the report. The "View Action Plans" option changes the color of the items and enables the user to see quickly what the status of the action plans are. ::: -Typically, the first step of a remediation will be to request domain owners to set up an action plan without enforcing it. +The first step of a remediation is to request domain owners to set up an action plan without enforcing it. To see the top rules that need to be fixed to improve the maturity or the score, a selection of the 2 tab "Maturity" or "Priority" enables the 
@@ -438,36 +434,28 @@ Additional reports may be added in the future or if requested. The \"Staled Objects\" are one of the 4 main components of the Risk Score (the 2.2 area) -This section will give a lot of details on how the Stale Objects -influence your overall Risk Score, as well as guidelines on how to -reduce the risk and improve the overall Risk Score. +This section covers how the Stale Objects component influences your overall Risk Score and provides guidelines for reducing risk and improving the score. **Privileged accounts** The \"Privileged accounts\" are one of the 4 main components of the Risk Score (the 2.2 area) -This section will give a lot of details on how the Stale Objects -influence your overall Risk Score, as well as guidelines on how to -reduce the risk and improve the overall Risk Score. +This section covers how the Stale Objects component influences your overall Risk Score and provides guidelines for reducing risk and improving the score. **Trusts** The \"Trusts\" are one of the 4 main components of the Risk Score (the 2.2 area) -This section will give a lot of details on how the Stale Objects -influence your overall Risk Score, as well as guidelines on how to -reduce the risk and improve the overall Risk Score. +This section covers how the Stale Objects component influences your overall Risk Score and provides guidelines for reducing risk and improving the score. **Anomalies** The \"Anomalies\" are one of the 4 main components of the Risk Score (the 2.2 area) -This section will give a lot of details on how the Stale Objects -influence your overall Risk Score, as well as guidelines on how to -reduce the risk and improve the overall Risk Score. +This section covers how the Stale Objects component influences your overall Risk Score and provides guidelines for reducing risk and improving the score. # Technical view (\"Infrastructure\") diff --git a/docs/pingcastle/3.5/index.md b/docs/pingcastle/3.5/index.md index 750613bc51..15f4cb5dd8 100644 
--- a/docs/pingcastle/3.5/index.md +++ b/docs/pingcastle/3.5/index.md @@ -17,11 +17,11 @@ The source code of the program is licensed to the Non-Profit Open Software Licen **Binary License and Usage** -The binary code may not be included as part of a commercial package unless a license is purchased. Visit the "our services" section on https://www.pingcastle.com for licensing options. +The binary code may not be included as part of a commercial package unless a license is purchased. Visit the **Services** section on https://www.pingcastle.com for licensing options. **License Expiration** -PingCastle will only run until the built-in license expiration date. After this date, the program will cease to function. +PingCastle only runs until the built-in license expiration date. After this date, the program stops functioning. This date is surfaced as the End of Support date in the tool. @@ -211,7 +211,7 @@ Scan all reachable domains and automatically generate a consolidated report with PingCastle.exe --healthcheck --server * ``` -This will scan all reachable domains, enable reachable mode, and automatically create a consolidation report. The process typically takes a few minutes to an hour depending on your environment size. +This scans all reachable domains, enables reachable mode, and automatically creates a consolidation report. The process typically takes a few minutes to an hour depending on your environment size. ### Option 2: Report Consolidation @@ -228,7 +228,7 @@ PingCastle.exe --hc-conso This consolidates all available XML reports and generates summary reports with trust relationship maps. XML reports generated from multiple locations can be combined to create a comprehensive view of your infrastructure. -**Note**: Consolidation is performed automatically when using `--server *` for automatic domain discovery. +**Note**: PingCastle performs consolidation automatically when using `--server *` for automatic domain discovery. **Output Files** 
@@ -409,7 +409,7 @@ PingCastle.exe --reload-report encrypted-report.xml ### Email Delivery -PingCastle can automatically send reports via SMTP. If encryption is enabled, reports will be encrypted before sending. +PingCastle can automatically send reports via SMTP. If encryption is enabled, PingCastle encrypts reports before sending. **SMTP Configuration**: @@ -676,7 +676,7 @@ Netwrix is actively working to reduce false positive detections: > * No malicious payloads or hidden behavior are present in the software. > * The detections occur only because its ability to enumerate security risks and misconfigurations could provide information an attacker might misuse. > -> In short, PingCastle should be viewed in the same category as other professional penetration-testing or red-team tools: safe and valuable in the hands of administrators and security professionals, but flagged by antivirus products due to its capabilities. +> In short, PingCastle belongs in the same category as other professional penetration-testing or red-team tools: safe and valuable in the hands of administrators and security professionals, but flagged by antivirus products due to its capabilities. ::: ## List of open source software used diff --git a/docs/pingcastle/3.5/proinstall.md b/docs/pingcastle/3.5/proinstall.md index cd4c94827b..90cb8b1004 100644 --- a/docs/pingcastle/3.5/proinstall.md +++ b/docs/pingcastle/3.5/proinstall.md 
@@ -65,9 +65,9 @@ relying on \"dotnet standard 2.0\". PingCastle relies on the Windows account to perform scans and doesn't use third party authentication system. -PingCastle Pro requires Azure AD or a Windows Active Directory to -perform authentication. If AzureAD is used, the application must be -allowed to get the token from AAD (typically login.microsoftonline.com). +PingCastle Pro requires Azure Active Directory (Azure AD) or a Windows Active Directory to +perform authentication. If Azure AD is used, the application must be +allowed to get the token from Azure AD (typically `login.microsoftonline.com`). ## License @@ -80,8 +80,8 @@ domains include subdomains of a forest. **Example** -If you have consto.com with two subdomains called uk.consto.com and -us.consto.com, then you would require three licenses. +If you have `consto.com` with two subdomains called `uk.consto.com` and +`us.consto.com`, then you would require three licenses. # Architecture @@ -107,7 +107,7 @@ it in the database. # Minimal AzureAD Configuration -Add the end of the procedure, you will get "Tenant ID" and "Client ID". +At the end of the procedure, you receive a **Tenant ID** and a **Client ID**. **Connect to \"Azure Portal\" located at https://portal.azure.com** 
@@ -119,15 +119,14 @@ Select the App Registrations pane. ![Une image contenant texte Description générée automatiquement](/images/pingcastle/proinstall/image5.webp) -And then click New registration from the toolbar in the top. That -will open a dialog "Register and app". +Click **New registration** from the toolbar at the top. A **Register an app** dialog opens. ![](/images/pingcastle/proinstall/image6.webp) Add a name but also the redirect Uri. :::note -The redirect URI must point to the FQDN of the server that will be accessed. It MUST starts with HTTPS and MUST ends with /signin-oidc. +The redirect URI must point to the fully qualified domain name (FQDN) of the server that is being accessed. It must start with HTTPS and end with `/signin-oidc`. ::: ![Une image contenant texte Description générée automatiquement](/images/pingcastle/proinstall/image7.webp) @@ -198,8 +197,7 @@ It requires: ## API Key and endpoint -Before starting the setup, the admin is required to provide the Tenant -ID, the Client ID of the application. +Before starting the setup, provide the Tenant ID and Client ID of the application. The Client Secret, Notification group, and SMTP configuration is optional and can be modified later in the appsettings.Production.json @@ -207,7 +205,7 @@ file. ## Procedure -The MSI file guides the installation of the software: +The Windows Installer (MSI) file guides the installation of the software: ![](/images/pingcastle/proinstall/image15.webp) 
@@ -242,7 +240,7 @@ Then the authentication configuration is asked. ![Une image contenant texte Description générée automatiquement](/images/pingcastle/proinstall/image21.webp) For Windows, default group which is allowed to PingCastle is everyone. -To change the group, select the browse button. A new dialog is shown. +To change the group, select the browse button. A new dialog appears. 2. If you select "Domain admins" this group won't work. Indeed, it will be stripped in the restricted token and the user won't be seen as @@ -437,10 +435,10 @@ Then create a database. ![](/images/pingcastle/proinstall/image38.webp) -Don't forget to set the owner as the user you created before. +Set the owner as the user you created earlier. -You should verify that the credentials and that the server is available -before going further. +Verify that the credentials are correct and that the server is available +before continuing. ![Une image contenant texte, capture d'écran, nombre, affichage Description générée automatiquement](/images/pingcastle/proinstall/image39.webp) 
@@ -461,12 +459,8 @@ Specify the following: Server=tcp:server.fqdn.com;Database=PingCastle;User Id=pingcastle;password=pingcastle;Trusted_Connection=True;MultipleActiveResultSets=true ``` -Unfortunately, the server will not create the database at the -installation time. You will discover any issue at the first run. Dont -forget to check the event log to have the full error message. You can -change the connection string after the installation by editing the file -appsettings.production.json. Don't forget that special characters may -need to be escaped as they are located inside a json string. +The server doesn't create the database at installation time. Any issues appear on first run. Check the event log for the full error message. You can +change the connection string after installation by editing `appsettings.production.json`. Special characters in the connection string must be escaped because the value is inside a JSON string. ![Une image contenant texte, capture d'écran, Police Description générée automatiquement](/images/pingcastle/proinstall/image42.webp) @@ -500,7 +494,7 @@ Specify the following: Server=tcp:server.fqdn.com;Database=PingCastle;Trusted_Connection=True;MultipleActiveResultSets=true ``` -The installation will continue. +The installation continues. After the installation, another steep need to be done: you need to change the Application Pool identity.\ @@ -588,7 +582,7 @@ the connection string, named as "DefaultConnection". At the first run of the application, the database is created. If there is an error with the database (missing right, invalid connection string) -or hosting, the next screen will not be displayed. +or hosting, the next screen doesn't appear. For Azure configuration, the application asks you to connect using Azure. 
@@ -783,9 +777,7 @@ dotnet.exe PingCastlePro.dll --server.urls=http://*:8080 However, if there is a permission problem in the database, this method won\'t display an error because the database will be connected under the user context and not the system context. Typically on Windows, the IIS -service connect under IIS APPPool\\AppName. Refer to the following page to grant rights to the application pool account on SQL Server: - -**https://blogs.msdn.microsoft.com/ericparvin/2015/04/14/how-to-add-the-applicationpoolidentity-to-a-sql-server-login** +service connect under IIS APPPool\\AppName. To grant rights to the application pool account on SQL Server, see [How to add the ApplicationPoolIdentity to a SQL Server login](https://blogs.msdn.microsoft.com/ericparvin/2015/04/14/how-to-add-the-applicationpoolidentity-to-a-sql-server-login). Then depending on the platform additional logs can be stored. @@ -862,9 +854,7 @@ Solution: Grant the right to create tables in the database or run a SQL script to create this table. This script is available on demand. -Don't forget that the inability to create table can be seen of a -symptom of a lack of permissions. The inability to add or remove records -in the database will prohibit the use of the application. +The inability to create tables is a symptom of insufficient permissions. If the application pool identity can't add or remove records in the database, the application can't start. If you are running PingCastle from another SQL Server, the default identity used by the application pool will not be granted access. @@ -907,8 +897,7 @@ add `;User ID=sa;Password=pass123` 3. This is usually located at: C:\\PingCastlePro -4. Edit the **Appsettings.json** file so the Logging Section looks like - the example below: +4. Edit the **Appsettings.json** file so the Logging section matches the following: ```json "Logging": { From 88a9732aa56270fe275c2b13dec9223520c7e9b5 Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 18:17:22 +0000 Subject: [PATCH 08/22] fix(vale): auto-fix style issues (Vale + Dale) --- docs/pingcastle/3.5/enterpriseinstall.md | 18 ++--- docs/pingcastle/3.5/enterpriseuser.md | 84 +++++++----------------- docs/pingcastle/3.5/index.md | 11 ++-- docs/pingcastle/3.5/proinstall.md | 29 ++------ 4 files changed, 41 insertions(+), 101 deletions(-) diff --git a/docs/pingcastle/3.5/enterpriseinstall.md b/docs/pingcastle/3.5/enterpriseinstall.md index 5b4f49adf5..8967dcb04d 100644 --- a/docs/pingcastle/3.5/enterpriseinstall.md +++ b/docs/pingcastle/3.5/enterpriseinstall.md @@ -8,11 +8,7 @@ import TabItem from '@theme/TabItem'; ## Description -PingCastle Enterprise is a tool designed to improve and follow the -Active Directory overall security level. This software has been -developed to be compatible with most of the possible existing -configurations. The goal is to provide reliable data to present the situation to the -management, enabling continuous improvement over time. +PingCastle Enterprise is a tool that helps you improve and follow your overall Active Directory security level. The software is compatible with most existing configurations and provides reliable data to present the situation to management, enabling continuous improvement over time. ## Requirements @@ -131,7 +127,7 @@ graph LR - Requires SQL Server database for data storage - Accessible via HTTP/HTTPS (ports 80/443) - Provides web interface for administrators and users -- Built-in scheduler that used Windows Task Scheduler for automated scanning of local and trusted domains +- Built-in scheduler that uses Windows Task Scheduler for automated scanning of local and trusted domains #### PingCastle.exe Scanner 
@@ -1387,7 +1383,7 @@ This section is for advanced users who can't use or prefer not to use the MSI In - **Custom Windows configurations** requiring non-standard setup - Environments where the MSI Installer isn't available or can't be used -For standard Windows Server deployments, the MSI Installer (described earlier in this document) is the recommended and supported installation method. +For standard Windows Server deployments, the MSI Installer is the recommended and supported installation method. ::: PingCastle Enterprise can be manually installed as a standard ASP.NET Core 8.0 application. Manual installation involves: @@ -1422,7 +1418,7 @@ PingCastle Enterprise can run on any infrastructure that supports ASP.NET Core 8 **Windows with IIS (Manual Installation)** - [Host ASP.NET Core on Windows with IIS](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/) -- Follow the steps outlined earlier: extract ZIP, create IIS website, disable Default Web Site, configure app pool, and set SQL permissions +- Follow the preceding steps: extract ZIP, create IIS website, disable Default Web Site, configure app pool, and set SQL permissions **Linux (Limited Support - Manual Installation)** - [Host ASP.NET Core on Linux with Nginx](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx) @@ -1447,7 +1443,7 @@ Database backups are the customer's responsibility. PingCastle Enterprise requires a database user account with database owner permissions. The application automatically creates and updates database tables during initial setup and software updates. :::note MSI Installer Handles This Automatically -If using the MSI Installer, database setup is handled automatically. This section is only relevant for manual installations. +The MSI Installer handles database setup automatically. This section is only relevant for manual installations. ::: 
@@ -1703,7 +1699,7 @@ You can then view the log stream: ![App Service log stream view](/images/pingcastle/enterpriseinstall/image76.webp) -In the example below, the connectionString wasn't found because Docker doesn't forward it. This must be corrected before the application can start: +In the following example, the connectionString wasn't found because Docker doesn't forward it. Correct this before the application can start: ![Connection string error displayed in log stream](/images/pingcastle/enterpriseinstall/image77.webp) @@ -2168,7 +2164,7 @@ If the certificate can't be recognized, an error is displayed: ![Certificate Not Recognized](/images/pingcastle/enterpriseinstall/Authentication/cert-not-recognized.webp) -Ensure the user account login matches one of the certificate identifiers listed earlier. +Ensure the user account login matches one of the preceding certificate identifiers. diff --git a/docs/pingcastle/3.5/enterpriseuser.md b/docs/pingcastle/3.5/enterpriseuser.md index 416fa9b0ba..1664beacf5 100644 --- a/docs/pingcastle/3.5/enterpriseuser.md +++ b/docs/pingcastle/3.5/enterpriseuser.md 
@@ -5,41 +5,21 @@ sidebar_position: 3 ## Description -PingCastle Enterprise is a tool designed to improve and follow the -Active Directory overall security level. This software has been -developed to be compatible with most of the possible existing -configurations. The goal (when the tool was created) wasn't to aim for -perfection, but to provide reliable data to present the situation to the -management, thus improving over time. +PingCastle Enterprise is a tool that helps you improve and follow your overall Active Directory security level. The software is compatible with most existing configurations. The goal of the tool isn't perfection, but to provide reliable data that presents the situation to management for improvement over time. # PingCastle built-in security -PingCastle Enterprise is a tool dedicated to improving Active Directory (AD) security, so -security has been a major priority alongside every step of the creation -and improvement. +PingCastle Enterprise is a tool dedicated to improving Active Directory (AD) security, so security is a major priority at every step of creation and improvement. -First, the application has been designed in a framework where most -common attacks such as XSS or SQL Injection are prohibited by design. +First, the application uses a framework that prohibits most common attacks such as XSS or SQL injection by design. -Because such protections can be sometimes avoided, the application has -an additional layer of protection with all known HTTP security headers -and including the header \"Content Security Policy\" in strict mode. -That means that all the JavaScript code of the application is stored in -separate files and that JavaScript included in the page via injection -will not run in the browser. This protection can be checked via third -party service such as \"security headers\". It means that -\"unsafe-inline\" and \"unsafe-eval\" aren't accepted. 
+Because attackers can sometimes bypass such protections, the application includes an additional layer of protection with all known HTTP security headers, including the "Content Security Policy" header in strict mode. The application stores all JavaScript code in separate files, so JavaScript injected into the page doesn't run in the browser. You can verify this protection with a third-party service such as "security headers". The application doesn't accept "unsafe-inline" and "unsafe-eval". ![](/images/pingcastle/enterpriseuser/image2.webp) -The application uses enforced controls which force parameters to be -checked twice against a model (in the browser then in the server -application) and all queries to the database are parameterized. There is -no SQL string built by the application. +The application uses enforced controls that check parameters twice against a model (in the browser, then in the server application), and parameterizes all database queries. The application never builds SQL strings. -Then each access to the database is verified by a filter which controls -the data to be queried before a database query is sent. This code is -tested by unit tests to lower the risk of a misconception in the filter. +A filter verifies each database access by controlling the data to query before sending the database query. Unit tests cover this code to lower the risk of a misconception in the filter. The application is based mainly on the following frameworks: 
@@ -53,15 +33,11 @@ The application is based mainly on the following frameworks: - chart.js -The up-to-date list of explicit components can be seen in the about page -of the application. +You can view the up-to-date list of explicit components on the about page of the application. # Authentication and user management -PingCastle Enterprise provides by default two mechanisms for -authentication: classic login password and external authentication. The -external authentication allows to use widely supported providers such as -Azure AD, Google, or professional web SSO such as Okta. +PingCastle Enterprise provides two mechanisms for authentication by default: classic login password and external authentication. External authentication supports widely used providers such as Azure AD, Google, or professional web SSO such as Okta. These methods can be used separately or in coordination, meaning you can either use a Dual-Factor authentication (recommended) or a single factor @@ -86,8 +62,7 @@ method are provided. ## Authorization -Ping Castle allows to set up permissions on Entities, or objects (Domains -or AzureAD) +PingCastle lets you set up permissions on Entities, or objects (Domains or AzureAD). The permissions can be set on the detail of the Entities @@ -122,7 +97,7 @@ see what claims have been pushed to PingCastle Enterprise. **Main pages overview** -The application is divided is 4 different areas: +The application has four areas: - The management view 
@@ -199,13 +174,9 @@ The product implements three main layers of permission: ## Page organization -All the pages of the PingCastle Enterprise solution has been designed in -order to be as clear as possible. It means that, when it is possible, -the pages follow the same kind of architecture, enabling the users to -quickly get used to the solution in general. +The pages of the PingCastle Enterprise solution follow a consistent architecture so users can quickly get used to the solution. -For instance, most pages can show \"All data\" available to the user or -set up a filter to only see a more narrowed down set of data. +For instance, most pages can show "All data" available to the user, or apply a filter to show a narrower set of data. ![](/images/pingcastle/enterpriseuser/image13.webp) @@ -319,10 +290,7 @@ what is being well done and what can be improved. The first section of the page always shows a global explanation of the objective of the area. -Then, it displays a few KPI which are composing the maturity evaluation. -If the objective is reached, the KPI is in green color, else its color -is red. A \"Detail\" button allows to directly reach the technical view, -with extra advanced information on how to remediate and improve the KPI. +Then, it displays a few KPI that compose the maturity evaluation. If the objective is reached, the KPI appears in green; otherwise, it appears in red. A "Detail" button takes you directly to the technical view, with advanced information on how to remediate and improve the KPI. ![](/images/pingcastle/enterpriseuser/image20.webp) 
@@ -358,11 +326,7 @@ Entities Details for the related tab: ## Remediation / Rule Matrix -The \"Rule Matrix\" view represents a feature that aggregates every rule -used in the 4 categories to calculate the Global Risk score. Through -that feature, you can efficiently identify what are the main points of -failure within your Active Directory, and then put in place the -associated remediation plan. +The "Rule Matrix" view aggregates every rule used in the 4 categories to calculate the Global Risk score. With this feature, you can identify the main points of failure within your Active Directory and then put the associated remediation plan in place. It takes the form of a double entry table, with on one side all the domains within your perimeter, and on the other side all the rules and @@ -416,9 +380,7 @@ select entity. ## Advanced -The \"Advanced\" part of the Dashboard is composed of a multiple of -extra utilities that can assist you in understanding your current level -of AD security as well as how to improve it +The "Advanced" part of the Dashboard contains extra utilities that help you understand your current level of AD security and how to improve it It consists of the following pages: 
@@ -632,29 +594,28 @@ list of all the domains that a specific domain can see. **Methodology used to build the maps** -PingCastle is using the data included in the report from the most -reliable source to the less reliable source, in the following order: +PingCastle uses the data in the report from the most reliable source to the least reliable source, in the following order: 1. The most reliable source is domain where the report has been generated. -2. The tool is using direct [trust +2. The tool uses direct [trust data](https://msdn.microsoft.com/en-us/library/cc223765.aspx). -3. The tool is using forest trust information. This information is +3. The tool uses forest trust information. This information is located in the [msDS-TrustForestTrustInfo](https://msdn.microsoft.com/en-us/library/cc223786.aspx) attribute of a forest trust and in the [partition element](https://technet.microsoft.com/en-us/library/cc961591.aspx) of the configuration binding context. -4. The tool is using the information provided by the [domain locator +4. The tool uses the information provided by the [domain locator service](https://technet.microsoft.com/en-us/library/cc961830.aspx) when examining trusts. This information can add the Netbios name or the forest name of a trusted domain. -5. If the "reachable" option has been set when producing a report, the - tool is using domain SID found (in [foreign security +5. If the "reachable" option is set when producing a report, the + tool uses domain SIDs found (in [foreign security principals](https://msdn.microsoft.com/en-us/library/cc223700.aspx) or [sid history]()) to query the [domain locator @@ -680,8 +641,7 @@ domain are shown. ## Domain events -This page allows to query any events which occurred on one or more -domain and to filter then by type. +This page lets you query any events that occurred on one or more domains and filter them by type. ![](/images/pingcastle/enterpriseuser/image45.webp) 
diff --git a/docs/pingcastle/3.5/index.md b/docs/pingcastle/3.5/index.md index 15f4cb5dd8..7516ed6b6b 100644 --- a/docs/pingcastle/3.5/index.md +++ b/docs/pingcastle/3.5/index.md @@ -7,7 +7,7 @@ sidebar_position: 4 PingCastle is a security assessment and auditing tool for CISOs, Security Auditors, and IT Professionals working with Active Directory and Entra ID. -Netwrix offers various products to help protect your network infrastructure. PingCastle is specifically designed for assessment—not protection. It collects comprehensive information from your Active Directory and Entra ID environments, analyzes this data for security risks and misconfigurations, and generates detailed reports with actionable findings. +Netwrix offers various products to help protect your network infrastructure. PingCastle focuses specifically on assessment. It collects comprehensive information from your Active Directory and Entra ID environments, analyzes this data for security risks and misconfigurations, and generates detailed reports with actionable findings. These reports help you identify and prioritize security issues that need remediation, giving you clear visibility into your security posture and enabling data-driven decisions to improve your environment's security. @@ -34,8 +34,7 @@ To continue using PingCastle after the built-in license expires, you must purcha ## Methodology -The PingCastle tool is just one part of a global methodology aiming at -securing Active Directories. +The PingCastle tool is one part of a global methodology for securing Active Directories. ![](/images/pingcastle/basicuser/image1.webp) 
@@ -85,7 +84,7 @@ Starting with PingCastle 3.5, the .NET runtime is bundled directly with the appl - No local administrator privileges required - No additional components or frameworks need to be installed -**Previous Versions**: PingCastle versions before 3.5 required .NET Framework 4.7.2 to be installed separately. +**Previous Versions**: PingCastle versions before 3.5 required a separate installation of .NET Framework 4.7.2. ## How it works @@ -641,7 +640,7 @@ During migration: ### PingCastle AntiVirus Detections -PingCastle has been used as a reconnaissance tool in some high-profile attacks, leading some AntiVirus and EDR products to flag it as malicious. +Attackers have used PingCastle as a reconnaissance tool in some high-profile attacks, leading some AntiVirus and EDR products to flag it as malicious. **Recommended Action**: Whitelist PingCastle.exe on specific systems and/or users where it is authorized for security assessments. Normal end users shouldn't be running PingCastle. 
@@ -667,7 +666,7 @@ Netwrix is actively working to reduce false positive detections: > > PingCastle is a trusted security assessment tool designed to help organizations evaluate the health and security posture of their Active Directory environments. > -> Some antivirus or endpoint protection solutions may flag PingCastle as "hacktool" or a "potentially unwanted program (PUP)". This isn't because PingCastle is malicious, but because it has dual-use potential: the same in-depth techniques it uses to audit and test security could also be misused by attackers. It doesn't itself attack AD, but could be used during reconnaissance to enumerate risks that attackers could exploit. Security vendors often classify such advanced administrative and diagnostic tools conservatively to avoid underestimating risk. +> Some antivirus or endpoint protection solutions may flag PingCastle as "hacktool" or a "potentially unwanted program (PUP)". The flag reflects PingCastle's dual-use potential rather than malicious behavior: the same in-depth techniques it uses to audit and test security can also be misused by attackers. PingCastle doesn't itself attack AD, but attackers could use it during reconnaissance to enumerate risks they could exploit. Security vendors often classify such advanced administrative and diagnostic tools conservatively to avoid underestimating risk. > > The following applies: > diff --git a/docs/pingcastle/3.5/proinstall.md b/docs/pingcastle/3.5/proinstall.md index 90cb8b1004..780782c74f 100644 --- a/docs/pingcastle/3.5/proinstall.md +++ b/docs/pingcastle/3.5/proinstall.md 
@@ -5,12 +5,7 @@ sidebar_position: 5 ## Description -PingCastle Pro is a tool designed to improve and follow the Active -Directory overall security level. This software has been developed to be -compatible with most of the possible existing configurations. The goal -(when the tool was created) wasn't to aim for perfection, but to -provide reliable data to present the situation to the management, thus -improving over time. +PingCastle Pro is a tool that helps you improve and follow your overall Active Directory security level. The software is compatible with most existing configurations. The goal of the tool isn't perfection, but to provide reliable data that presents the situation to management for improvement over time. # Requirements @@ -38,7 +33,7 @@ See the .NET 8.0 Supported Operating System documentation [here](https://learn.m ## Database -PingCastle Pro is using a database to store its data. +PingCastle Pro uses a database to store its data. The current supported databases are: @@ -55,8 +50,7 @@ The current supported databases are: PingCastle Basic and PingCastle Professional require \"dotnet framework 2.0\" or subsequent versions. -PingCastle Enterprise is using the \"asp.net core 8.0 framework\" still -relying on \"dotnet standard 2.0\". +PingCastle Enterprise uses the "asp.net core 8.0 framework" but still relies on "dotnet standard 2.0". 1. Netwrix recommends not exposing the web application directly. Use a reverse proxy such as IIS, Apache2, or Nginx. 
@@ -85,15 +79,9 @@ If you have `consto.com` with two subdomains called `uk.consto.com` and # Architecture -PingCastle is using a distributed architecture. +PingCastle uses a distributed architecture. -The PingCastle Basic can be considered as a stand alone agent. The -program executes an assessment of the Active Directory and produces a -report. This report is in two forms: a xml file and a html file. These -two files provide two representations of the same data. By default the -.xml file is being filtered to remove potential private data such as -account name from this collected data. This filter can be deactivated by -running the program with the flag \--level Full. +PingCastle Basic acts as a standalone agent. The program assesses the Active Directory and produces a report in two forms: an XML file and an HTML file. These two files provide two representations of the same data. By default, PingCastle filters the XML file to remove potential private data such as account names from this collected data. To deactivate this filter, run the program with the `--level Full` flag. Then the data contained in the xml file is pushed into PingCastle Pro directly via the API, or indirectly via an indirect import such as @@ -102,8 +90,7 @@ confidentiality of the data. ![](/images/pingcastle/proinstall/image3.webp) -Then the PingCastle Pro provide the services around the data and store -it in the database. +PingCastle Pro then provides services around the data and stores it in the database. # Minimal AzureAD Configuration 
@@ -665,9 +652,7 @@ the access to the task scheduler can't be delegated. ## Custom installation :::note -PingCastle is using behing the hood a folder named "PingCastle" in -the task scheduler. The COM api is used as it exposes the security -descriptor -- which isn't the case of the native PowerShell APIL +PingCastle uses a folder named "PingCastle" in the task scheduler. The COM API exposes the security descriptor, which the native PowerShell API doesn't. ::: If you want PingCastle to be able to start or stop tasks but not being From ad9e3b304898c2449a25738dcbb3626c6edcec84 Mon Sep 17 00:00:00 2001 From: carlos-mejia_nwx Date: Wed, 6 May 2026 11:16:48 -0400 Subject: [PATCH 09/22] docs(aa2601): update Quick Install for interactive installer wizard - Restructure prerequisites into checklist with DNS, three TLS cert options (self-signed, AD CS, BYOC), cert verification commands, first admin account, and license key sections - Replace env-var install flow with interactive wizard prompt reference table; LICENSE_KEY retained for binary download only - Add dspm-installer --version verification step - Demote bootstrap admin to breakglass account; first admin now provisioned during install and signs in directly with AD credentials - Add Target Revision note under Advanced Settings - Add three new troubleshooting rows (pods blocked, hostname not FQDN, Bind DN format) and diagnostic commands block - Update Reinstalling with uninstall commands and link to uninstall.md - Update configurations/identity-provider.md SYNC block: replace bootstrap first-login flow with first-admin direct sign-in Generated with AI Co-Authored-By: Claude Code --- .../2601/configurations/identity-provider.md | 35 +++++++------------ 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/docs/accessanalyzer/2601/configurations/identity-provider.md b/docs/accessanalyzer/2601/configurations/identity-provider.md index c9fe75b467..fa9c759dd9 100644 
--- a/docs/accessanalyzer/2601/configurations/identity-provider.md +++ b/docs/accessanalyzer/2601/configurations/identity-provider.md 
@@ -109,33 +109,24 @@ Collect the following values: ## Part 2: Prepare Access Analyzer -### Sign in as the bootstrap User Admin +### First sign-in - - - -The installer seeds a bootstrap account, `admin@dspm.local`, with the **User Admin** role. This account can create and manage other users but **cannot** access system configuration. Use it on first login to pre-provision your users, then sign out and sign back in as an Administrator for system-level work. - -1. Retrieve the bootstrap admin password from the Kubernetes secret: - - ```bash - sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin \ - -o jsonpath='{.data.password}' | base64 -d; echo - ``` +The installer provisions the first administrator account automatically during setup — the person whose email was entered at the **First Admin Email** prompt can sign in immediately using their Active Directory password. -2. Open a browser and navigate to `https://`. +Navigate to `https://` and sign in with the first admin's AD credentials. From here, add additional users under **Configuration** > **Users**. -3. Sign in with: - - **Username**: `admin@dspm.local` - - **Password**: (from step 1) +#### Breakglass account -4. Complete first-login setup: - - Scan the QR code with an authenticator app, enter a device name, submit the one-time code. **Save this enrollment** — you will need the same authenticator for any future bootstrap admin login. - - Enter a first name and last name. **Do not change the email address.** +The installer also creates a bootstrap account, `admin@dspm.local`, as a recovery mechanism. If the first admin account becomes inaccessible, retrieve the bootstrap password to regain access: -Proceed to [Pre-provision user accounts](#pre-provision-user-accounts) below. 
+```bash +sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin \ + -o jsonpath='{.data.password}' | base64 -d; echo +``` - +:::warning +Do not change the bootstrap account email address — doing so causes authentication failures. +::: ### Pre-provision user accounts @@ -151,8 +142,6 @@ The email address entered during pre-provisioning must exactly match the address 4. Select a **Role**: **Administrator**, **User Admin**, or **Viewer** (see [Roles](#roles) below). 5. Click **Create User**. -Assign at least one user the **Administrator** role — the bootstrap `admin@dspm.local` account is a User Admin only and cannot access system configuration. Assign at least one additional user the **User Admin** role if you want a non-bootstrap user to manage accounts going forward. - No password is required for pre-provisioned accounts. For details on managing users, see [Users](users.md). ### Roles From cc1ccbb041588bed34503e608f0d8e6ff7313275 Mon Sep 17 00:00:00 2001 
From: carlos-mejia_nwx Date: Wed, 6 May 2026 15:57:04 -0400 Subject: [PATCH 10/22] docs(aa2601): overhaul install section for interactive wizard installer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - quickinstall: full restructure — prerequisites checklist, three TLS cert options, interactive wizard prompt table, installation complete summary step, direct AD sign-in, bootstrap as breakglass account - quickinstall: remove env-var install flow; LICENSE_KEY retained for binary download only; remove stale troubleshooting rows and old CLI flag references - identity-provider, install-commands: hide with draft: true (old curl/bash installer method preserved for future IdP work) - configurations/identity-provider: update bootstrap section to reflect direct first-admin sign-in; fix broken link to hidden page - postinstall, uninstall: remove broken links to hidden pages - system/certificates: replace env-var/flag table with wizard prompt names; remove DSPM_HOSTNAME reference and --configure-idp-only - system/network: installer binary download; remove SKIP_AV_CHECK note - system/requirements: remove --size flag note Generated with AI Co-Authored-By: Claude Code --- .../2601/configurations/identity-provider.md | 2 +- .../2601/install/identity-provider.md | 1 + .../2601/install/install-commands.md | 1 + .../2601/install/postinstall.md | 2 +- .../2601/install/quickinstall.md | 406 ++++++++++-------- .../2601/install/system/certificates.md | 16 +- .../2601/install/system/network.md | 4 +- .../2601/install/system/requirements.md | 3 - docs/accessanalyzer/2601/install/uninstall.md | 2 +- 9 files changed, 243 insertions(+), 194 deletions(-) diff --git a/docs/accessanalyzer/2601/configurations/identity-provider.md b/docs/accessanalyzer/2601/configurations/identity-provider.md index fa9c759dd9..9b7ff3b075 100644 --- a/docs/accessanalyzer/2601/configurations/identity-provider.md 
+++ b/docs/accessanalyzer/2601/configurations/identity-provider.md @@ -11,7 +11,7 @@ Access Analyzer supports federation with your organization's identity system so Setting up an identity provider connection is a two-part process: first you configure the integration in your identity system, then you prepare user accounts inside Access Analyzer. :::note -Before completing the steps below, confirm that the infrastructure and network requirements for your IdP type are in place. See [Configure Identity Provider](../install/identity-provider.md) in the Installation section. +Before completing the steps below, confirm that the infrastructure and network requirements for your IdP type are in place. See [Network and Port Requirements](../install/system/network.md) and [TLS Certificate Requirements](../install/system/certificates.md). ::: ## Supported integration types diff --git a/docs/accessanalyzer/2601/install/identity-provider.md b/docs/accessanalyzer/2601/install/identity-provider.md index ef670d89e9..53668ba0e3 100644 --- a/docs/accessanalyzer/2601/install/identity-provider.md +++ b/docs/accessanalyzer/2601/install/identity-provider.md @@ -2,6 +2,7 @@ title: "Configure Identity Provider" description: "Deployment steps for connecting an Identity Provider to Access Analyzer using the installer" sidebar_position: 50 +draft: true --- # Configure Identity Provider diff --git a/docs/accessanalyzer/2601/install/install-commands.md b/docs/accessanalyzer/2601/install/install-commands.md index ca58fb4b04..9f03fed78b 100644 --- a/docs/accessanalyzer/2601/install/install-commands.md +++ b/docs/accessanalyzer/2601/install/install-commands.md @@ -2,6 +2,7 @@ title: "Installer Command Reference" description: "Options you can pass to the Access Analyzer installer to customize your deployment" sidebar_position: 20 +draft: true --- # Installer Command Reference 
diff --git a/docs/accessanalyzer/2601/install/postinstall.md b/docs/accessanalyzer/2601/install/postinstall.md index 943830a9e8..e1ef68c85d 100644 --- a/docs/accessanalyzer/2601/install/postinstall.md +++ b/docs/accessanalyzer/2601/install/postinstall.md @@ -94,4 +94,4 @@ kubectl top pods -A --sort-by=memory - [Create your first admin account](/docs/accessanalyzer/2601/configurations/users) and sign in - [Configure a data source](../gettingstarted/active-directory/active-directory.md) and run your first scan -- Review [install commands](/docs/accessanalyzer/2601/install/install-commands) for ongoing application management +- Run `dspmctl --help` for ongoing application management via the command line tool diff --git a/docs/accessanalyzer/2601/install/quickinstall.md b/docs/accessanalyzer/2601/install/quickinstall.md index 22784af0e3..c8e2d51194 100644 --- a/docs/accessanalyzer/2601/install/quickinstall.md +++ b/docs/accessanalyzer/2601/install/quickinstall.md @@ -8,11 +8,18 @@ sidebar_position: 5 This guide covers installing Access Analyzer on a fresh Linux VM with **Active Directory** as the identity provider. -For the CLI-flag reference, see [Configure Identity Provider](identity-provider.md). - ## Prerequisites Checklist -Before running the installer, confirm the following. +Before running the installer, confirm the following: + +- [ ] Server meets hardware and OS requirements +- [ ] Outbound HTTPS access confirmed to all required domains +- [ ] Server hostname is a fully qualified domain name (FQDN) that resolves to the server IP +- [ ] TLS certificate option chosen; certificate files prepared if using Bring Your Own +- [ ] AD/DC Root CA bundle file prepared and placed on the server +- [ ] Active Directory service account details collected +- [ ] First admin email address confirmed (must match the AD `mail` attribute exactly) +- [ ] Netwrix license key on hand ### System requirements 
@@ -46,71 +53,123 @@ Choose a deployment size based on your environment: :::note If running on a hypervisor, configure **static memory allocation** (not dynamic/ballooned memory). See [Hardware and System Requirements](/docs/accessanalyzer/2601/install/system/requirements) for hypervisor-specific instructions. + +- **VMware vSphere:** disable memory ballooning (`mem.balloon.enable = "FALSE"`) +- **Hyper-V:** use static memory (`Set-VMMemory -DynamicMemoryEnabled $false`) ::: -### TLS certificates +### DNS -See [TLS Certificate Requirements](system/certificates.md) for the full specification. At a minimum you need: +The hostname you enter during installation must be a fully qualified domain name (FQDN) — it must contain at least one dot (for example, `analyzer.corp.example.com`). A plain hostname without a dot is rejected by the installer. -- **Application TLS certificate** (PEM). The Subject Alternative Name (SAN) list must include `DSPM_HOSTNAME` **in lowercase** and the server's IP address. -- **Private key** paired with the certificate (PEM). The OS user running the installer must be able to read it, not just `root`. -- **CA bundle** (PEM). Must contain the CA that signed the application certificate. For AD authentication, the CA bundle must also contain the CA that signed the domain controller's LDAPS certificate. If these are different CAs, concatenate them: +The hostname must resolve to the VM's IP address from: - ```bash - cat app-ca.crt ldaps-ca.crt > ca-bundle.crt - ``` +- Client browsers — configure a DNS A record, or add an entry to each client's `hosts` file. +- In-cluster pods — the installer's CoreDNS rewrite handles these automatically. No customer action needed. :::warning -`DSPM_HOSTNAME` must be a DNS hostname, **not an IP address**. The browser TLS handshake requires a hostname in the certificate's SAN. Avoid the `.local` and `.localhost` TLDs — both break in-cluster DNS resolution and silently break sign-in flows. 
+Use a DNS hostname, **not an IP address**. The browser TLS handshake requires a hostname. Avoid the `.local` and `.localhost` TLDs — both break in-cluster DNS resolution and silently break sign-in flows. ::: -### DNS +### TLS certificates -The value you pick for `DSPM_HOSTNAME` must resolve to the VM's IP address from: +The installer offers three ways to provision the server's TLS certificate. Choose your option before gathering certificate materials — only **Bring your own certificate** requires preparation in advance. -- Client browsers — configure a DNS A record, or add an entry to each client's `hosts` file. -- In-cluster pods — the installer's CoreDNS rewrite handles these automatically. No customer action needed. +| Option | What It Does | Best For | What to Prepare | +| --- | --- | --- | --- | +| **Generate self-signed** | Installer generates a certificate automatically — no CA involvement | Quick evaluations and proof-of-concept installs. Not for production — browsers will show a security warning | Nothing — installer handles it | +| **Sign with AD Certificate Services** | Installer generates a CSR and submits it to your organization's AD CS to be signed by your internal Enterprise CA | Enterprise environments where AD CS is already deployed and the server can reach the CA | AD CS must be reachable from the server; an account with certificate enrollment rights | +| **Bring your own certificate** | You provide a pre-existing certificate, private key, and CA bundle | Environments with a centralized PKI team, or where AD CS is not available | Three PEM files — see below | -### Active Directory information +:::note +**AD/DC Root CA Bundle is always required regardless of which TLS option you choose.** Even if the installer generates your server certificate, it still needs a separate CA file to trust the connection to your domain controller. See [Active Directory information](#active-directory-information). 
+::: -Gather these values from your directory team before starting: +#### Bring your own certificate — file requirements -- Domain controller hostname or IP, and port (636 LDAPS strongly recommended; 389 plain LDAP works but is unencrypted) -- Service account distinguished name (DN) — read-only access to the user directory is sufficient -- Service account password -- Base DN where your user accounts are stored (for example, `CN=Users,DC=example,DC=com`) -- Email attribute name (usually `mail`) +If you selected **Bring your own certificate**, prepare the following three files and place them in `/opt/dspm-tls/` on the server before running the installer: - +**Bind DN format:** The installer requires full Distinguished Name (DN) format — for example, `CN=svc-dspm,OU=ServiceAccounts,DC=corp,DC=example,DC=com`. User Principal Name (UPN) format (`user@domain.com`) is not accepted. The DN must exactly match the account's record in Active Directory. + +**AD/DC Root CA Bundle:** To identify which CA signed the domain controller's LDAPS certificate, run this from the Access Analyzer server: + +```bash +openssl s_client -connect :636 -showcerts /dev/null \ + | openssl x509 -noout -issuer +``` + +Ask your AD or PKI team for that CA's root certificate in PEM format. Place it at `/opt/dspm-tls/ca-bundle.crt`. + +If the server certificate CA and the DC LDAPS CA are the **same**, one file covers both: + +```bash +sudo cp app-ca.crt /opt/dspm-tls/ca-bundle.crt +``` + +If they are **different CAs**, concatenate both into a single file: + +```bash +cat app-ca.crt ldaps-ca.crt > /opt/dspm-tls/ca-bundle.crt +``` + +### First admin account + +Identify the email address and display name of the person who will be the first administrator. The installer prompts for both values during setup and provisions the account automatically. That person signs in using their Active Directory password — no separate password is set. 
+ +The email address must match the `mail` attribute of the person's Active Directory account exactly, including case. + +### License key + +Your Netwrix license key is required to download the installer and is the first prompt in the installation wizard. Obtain it from your Netwrix account representative before starting. ### Connector port requirements @@ -158,7 +217,7 @@ All outbound endpoints use HTTPS (port 443). The Access Analyzer server must rea | --- | --- | --- | --- | | `api.keygen.sh` | Keygen / Licensing | License validation API | Installation and updates | | `oci.pkg.keygen.sh` | Keygen / Licensing | Netwrix OCI registry — Helm charts and application images | Installation and updates | -| `raw.pkg.keygen.sh` | Keygen / Licensing | Installer script download | Installation and updates | +| `raw.pkg.keygen.sh` | Keygen / Licensing | Installer binary download | Installation and updates | | `keygen-dist.c3c9112df8df715f42d1162cdce5dba1.r2.cloudflarestorage.com` | Keygen / Licensing CDN | Keygen artifact storage | Installation and updates | | `api.github.com` | GitHub | GitHub API | Installation only | | `github.com` | GitHub | Repository and release access | Installation only | 
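Review bot: The issuer-discovery command in the new "AD/DC Root CA Bundle" paragraph, `openssl s_client -connect :636 -showcerts /dev/null | openssl x509 -noout -issuer`, pipes the whole presented chain into `openssl x509`, which parses only the first PEM block, so it reports the issuer of the DC's leaf certificate — in a two-tier AD CS deployment that is the issuing CA, not the root the text then asks the reader to obtain — and the host placeholder and the `<` of `</dev/null` appear to have been lost (possibly in rendering). A reader following it literally can concatenate the wrong CA and land on the `PKIX path building failed` row of the troubleshooting table; a chain-wide listing such as `openssl s_client -connect <dc-fqdn>:636 -showcerts </dev/null 2>/dev/null | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout` prints every subject/issuer pair and makes the root unambiguous. It is also worth stating that the certificate seen in an unauthenticated `s_client` session must not itself become the trust anchor — the bundle should come from the PKI team out of band, as the next sentence already implies, with its fingerprint compared against what `s_client` showed. Finally, the removed AD-information list carried the caveat that port 389 is unencrypted; if the installer's DC prompt still accepts a plain-LDAP address, the new side should keep an equivalent sentence so nobody expects the CA bundle to protect an `ldap://` connection.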
@@ -172,166 +231,133 @@ All outbound endpoints use HTTPS (port 443). The Access Analyzer server must rea --- -## Active Directory Authentication +## Installation -### Step 1: Prepare the VM — upload certs and trust the CA +### Step 1: SSH into the server -For full details on each certificate file (SAN rules, ownership, CA bundle concatenation), see [TLS Certificate Requirements](system/certificates.md). +Connect to the Access Analyzer server: ```bash -sudo mkdir -p /opt/dspm-tls - -# Copy your three PEM files into /opt/dspm-tls/: -# - .crt (Access Analyzer server certificate — SAN must match DSPM_HOSTNAME, lowercase) -# - .key (private key — chown to install user, chmod 644) -# - ca-bundle.crt (concatenated: application CA + LDAPS DC CA) - -sudo chown $(whoami) /opt/dspm-tls/.key -sudo chmod 644 /opt/dspm-tls/.key - -sudo cp /opt/dspm-tls/ca-bundle.crt /usr/local/share/ca-certificates/dspm-ca.crt -sudo update-ca-certificates -``` - -### Step 2: Set environment variables - -Paste and customize the following at the top of your terminal session. Every subsequent command references these variables. - -```bash -# export TARGET_REVISION="1.0.8" # optional — omit to stay on latest; see version syntax below -export LICENSE_KEY="" -export DSPM_HOSTNAME="" -export TLS_CERT_FILE="/opt/dspm-tls/.crt" -export TLS_KEY_FILE="/opt/dspm-tls/.key" -export TLS_CA_BUNDLE_FILE="/opt/dspm-tls/ca-bundle.crt" -export IDP_TYPE="ad" -export IDP_ALIAS="" # letters, digits, hyphens, underscores, dots only — no spaces -export LDAP_URL="ldaps://:636" -export LDAP_BIND_DN="" # e.g. CN=svc-dspm,OU=ServiceAccounts,DC=example,DC=com -export LDAP_USERS_DN="" # e.g. CN=Users,DC=example,DC=com -export LDAP_EMAIL_ATTRIBUTE="mail" +ssh @ ``` -**Environment variable reference:** - -| Variable | Description | Example | -| --- | --- | --- | -| `LICENSE_KEY` | Netwrix license key | `NWRX-XXXX-XXXX-XXXX` | -| `DSPM_HOSTNAME` | Fully qualified domain name. 
Must be lowercase and match the cert SAN | `aa2601.corp.example.com` | -| `TLS_CERT_FILE` | Full path to PEM server certificate | `/opt/dspm-tls/aa2601.crt` | -| `TLS_KEY_FILE` | Full path to PEM private key. The install user must be able to read this file | `/opt/dspm-tls/aa2601.key` | -| `TLS_CA_BUNDLE_FILE` | Full path to CA bundle (application CA + LDAPS DC CA) | `/opt/dspm-tls/ca-bundle.crt` | -| `IDP_TYPE` | Identity provider type | `ad` | -| `IDP_ALIAS` | Login button label. Letters, digits, hyphens, underscores, dots only | `active-directory` | -| `LDAP_URL` | LDAPS URL for the domain controller | `ldaps://dc.corp.example.com:636` | -| `LDAP_BIND_DN` | Distinguished name of the read-only service account | `CN=svc-dspm,OU=ServiceAccounts,DC=corp,DC=example,DC=com` | -| `LDAP_USERS_DN` | Base DN for the OU containing user accounts | `CN=Users,DC=corp,DC=example,DC=com` | -| `LDAP_EMAIL_ATTRIBUTE` | LDAP attribute storing the user's email address | `mail` | -| `TARGET_REVISION` | (Optional) Controls which version is installed and auto-upgraded to. Omit to stay on the latest release. | `1.0.8` | - -**Version syntax for `TARGET_REVISION`:** - -| Value | Behavior | -| --- | --- | -| (unset) | Defaults to `1.*` — installs the latest 1.x release and auto-upgrades within 1.x | -| `1.0.8` | Pinned to exactly 1.0.8 — no auto-upgrade | -| `1.*` | Auto-upgrades to any 1.x version | - -For most deployments, either omit this variable to stay on the latest release, or pin to a specific version (for example, `1.0.8`) to control when upgrades happen during your organization's patching cycle. - -### Step 3: Download and run the installer +### Step 2: Download the installer -Download the installer: +Replace `YOUR_NETWRIX_LICENSE_KEY` on the first line with your license key — that is the only value you need to change. 
Run the remaining lines as-is: ```bash - -# Download and install the DSPM installer binary for your Linux system architecture (x86_64 or ARM64) using your license key. +export LICENSE_KEY='YOUR_NETWRIX_LICENSE_KEY' ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') TMP_FILE=$(mktemp) -curl -sLf -o "$TMP_FILE" "https://raw.pkg.keygen.sh/v1/accounts/netwrix/artifacts/dspm-installer-linux-$ARCH?auth=license:$LICENSE_KEY" +curl -sLf -o "$TMP_FILE" \ + "https://raw.pkg.keygen.sh/v1/accounts/netwrix/artifacts/dspm-installer-linux-$ARCH?auth=license:${LICENSE_KEY}" sudo install -m 0755 "$TMP_FILE" "/usr/local/bin/dspm-installer" rm -f "$TMP_FILE" - -# Launches the installation wizard -sudo dspm-installer ``` -When prompted, enter the password for the service account you specified in `LDAP_BIND_DN`. - -Run `dspm-installer [command] --help` to view usage and available options for any command. - -### Step 4: Verify the installation -After the installer completes, confirm all pods are healthy: +### Step 5: Review the installation summary + +When the installer finishes, it displays a summary screen. Review it before proceeding — it includes the application URL, required actions, and useful paths. + +:::note +This step can be skipped if you are signing in for the first time and only need to add users and assign roles. Return to complete the required actions before using `kubectl` or configuring firewall rules. +::: -```bash -kubectl get pods -A -kubectl get apps -n argocd ``` +DSPM Installation Complete -All pods should show `Running` or `Completed` status. All ArgoCD applications should be `Synced` and `Healthy`. +## Access Analyzer Web Application -### Step 5: Sign in as the bootstrap User Admin and pre-provision users +• URL: https:// +• Administrator account provisioned for +• Check application status: kubectl get pods -n access-analyzer - - +## DSPM Command Line Tool -The installer seeds a bootstrap account, `admin@dspm.local`, with the **User Admin** role. 
This account can create and manage other users but **can't** access system configuration. Use it on first log in to pre-provision your AD users, then sign out and sign back in as an Administrator for system-level work. +Path: /usr/local/bin/dspmctl -1. Retrieve the bootstrap admin password: +For detailed usage: /usr/local/bin/dspmctl --help - ```bash - sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin \ - -o jsonpath='{.data.password}' | base64 -d; echo - ``` +## Required Actions -2. Open a browser and navigate to `https://`. +• Ensure firewall allows inbound port 443 +• Log out and back in (or run newgrp dspm) to activate kubectl access -3. Sign in with: - - **Username**: `admin@dspm.local` - - **Password**: (from step 1) +## Granting kubectl Access to Additional Users -4. Complete first-login setup: - - Scan the QR code with an authenticator app, enter a device name, submit the one-time code. **Save this enrollment** — you will need the same authenticator for any future bootstrap admin login. - - Enter a first name and last name. **Don't change the email address.** + sudo usermod -aG dspm + export KUBECONFIG=/etc/rancher/k3s/k3s.yaml -5. Pre-provision each user who should be able to sign in. For each user: - - Click **+ Add User**. - - Enter the Name and Email. The email must match the user's AD `mail` attribute exactly, **including case**. - - Assign a role (see [Roles](#roles)). +## Troubleshooting - Assign at least one user the **Administrator** role — the bootstrap account can't access system configuration, so someone needs to. Assign at least one additional user the **User Admin** role if you want a non-bootstrap user to manage accounts going forward. +Installation log: /var/log/dspm-installer.log +``` -6. Sign out. +**Complete the required actions before signing in:** - +1. Confirm that inbound port 443 is open on the server's firewall. +2. 
Log out of your current SSH session and log back in, or run `newgrp dspm`, to activate `kubectl` access for your user. Commands like `kubectl get pods` will not work until you do this. -### Step 6: Sign in with AD credentials +### Step 6: Sign in -1. Navigate to `https://`. -2. Enter the email and password for a pre-provisioned AD user and sign in. +Navigate to `https://` in a browser. Sign in using the first admin email address and the corresponding Active Directory password. + +From here, add additional users under **Configuration** > **Users**. + +#### Breakglass account + +The installer also creates a bootstrap administrator account (`admin@dspm.local`) as a recovery mechanism. If the first admin account becomes inaccessible, use this account to regain access: + +```bash +sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin \ + -o jsonpath='{.data.password}' | base64 -d; echo +``` + +:::warning +Do not change the bootstrap account email address — doing so causes authentication failures. +::: --- @@ -416,11 +442,7 @@ kubectl get apps -n argocd All pods should show `Running` or `Completed` status. All ArgoCD applications should be `Synced` and `Healthy`. -### Step 5: Sign in as the bootstrap User Admin and pre-provision users - -The same bootstrap account flow applies for Entra ID as for AD. Follow [Option A — Step 5](#step-5-sign-in-as-the-bootstrap-user-admin-and-pre-provision-users) with one difference: when pre-provisioning users, the email must match the address sent by Entra ID exactly, **including case** (not the AD `mail` attribute). - -### Step 6: Sign in with Entra ID credentials +### Step 5: Sign in with Entra ID credentials 1. Navigate to `https://`. 2. Enter the email and password for a pre-provisioned Entra ID user and sign in. 
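Review bot: The summary screen's "Granting kubectl Access to Additional Users" block (`sudo usermod -aG dspm` followed by `export KUBECONFIG=/etc/rancher/k3s/k3s.yaml`) hands out the kubeconfig that k3s writes with admin-level cluster credentials, so membership in the `dspm` group is root-equivalent for the cluster — including the ability to run the `kubectl get secret … dspm-bootstrap-admin` command that the new Breakglass section shows, i.e. to read the bootstrap administrator password. The doc should say so next to that block, e.g. `:::warning Membership in the dspm group grants cluster-admin on the k3s cluster, including access to the bootstrap administrator password; grant it only to people you would give root on this server. :::`. The Breakglass section also drops the removed Step 5's MFA-enrollment guidance for `admin@dspm.local`; if the bootstrap account still prompts for an authenticator on first login (as users.md's `On first login, you will be prompted to enroll an authenticator app for MFA` implies), state that the enrollment must be completed now and the authenticator stored with the other break-glass material, otherwise an emergency sign-in is either blocked or performed on an account that never got MFA. Separately, the Step 2 `curl … | sudo install` flow places a binary in `/usr/local/bin` with no checksum or signature check beyond TLS, and `export LICENSE_KEY=…` lands in shell history and in any proxy log via the `?auth=license:` query string; a `HISTCONTROL=ignorespace`/`unset LICENSE_KEY` hint and a published digest to compare against, if Netwrix provides one, would be worth adding.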
@@ -439,10 +461,10 @@ This table also appears at [Configuration > Identity Provider > Roles](../config | Role | Description | | --- | --- | | **Administrator** | Full access: system configuration (sources, scans, connectors, application settings) and user management (create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users). | -| **User Admin** | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does **not** have system configuration rights. The installer assigns this role to the bootstrap `admin@dspm.local` account. | +| **User Admin** | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does **not** have system configuration rights. The bootstrap `admin@dspm.local` account is assigned this role. | | **Viewer** | Read-only access to data and reports. No configuration or user management rights. | -The **User Admin** role provides a dedicated account for user management with no system configuration access — useful for delegating user administration separately from system configuration. The installer seeds the bootstrap `admin@dspm.local` account as User Admin — you'll use it to pre-provision the rest of your users, including your first Administrator. +The **User Admin** role provides a dedicated account for user management with no system configuration access — useful for delegating user administration separately from system configuration. 
@@ -454,16 +476,44 @@ For certificate-specific issues, see [TLS Certificate Requirements — Troublesh | --- | --- | --- | | Sign-in returns HTTP 401 with correct credentials | SAN hostname is mixed-case; browser normalized it to lowercase | Re-issue the certificate with lowercase hostname in the SAN list | | Installer exits with "Failed to read TLS private key" | Key file owned by `root`, installer runs as non-root user | `sudo chown /opt/dspm-tls/.key` | -| Sign-in silently fails with `PKIX path building failed` in Keycloak logs | CA bundle is missing the LDAPS DC's CA (AD only) | Concatenate the DC's LDAPS CA into the bundle and re-run the installer with `--configure-idp-only` | -| Browser rejects the application URL with a SAN mismatch error | `DSPM_HOSTNAME` is an IP, or SAN doesn't include the hostname in use | Use a DNS hostname for `DSPM_HOSTNAME` and verify the cert SAN list | -| Installer rejects `--idp-alias` | Alias contains a space or special character | Use only letters, digits, hyphens, underscores, and dots | -| Sign-in fails after pre-provisioning | Pre-provisioned email doesn't match the directory attribute | Confirm the email matches exactly, including case | -| Entra ID login redirects fail | Redirect URI in App Registration doesn't match | Verify the redirect URI is `https:///auth/realms/dspm/broker/entra-id/endpoint` exactly | -| Entra ID login prompt doesn't appear | Client secret entered incorrectly or has expired | Re-run with `--configure-idp-only` and re-enter the secret; rotate the secret in Azure if expired | +| Sign-in silently fails with `PKIX path building failed` in Keycloak logs | CA bundle is missing the LDAPS DC's CA | Concatenate the DC's LDAPS CA into the bundle and re-run the installer | +| Browser rejects the application URL with a SAN mismatch error | Hostname entered as an IP address, or SAN doesn't include the hostname in use | Use a DNS hostname and verify the cert SAN list | +| Pods not starting after installation | 
Outbound HTTPS blocked to one or more required endpoints | Verify connectivity to all domains in [Required Domains](#required-domains) | +| Installer rejects the hostname | Hostname does not contain a dot — not a valid FQDN | Use a fully qualified domain name such as `analyzer.corp.example.com` | +| Installer rejects the Bind DN | UPN format (`user@domain.com`) entered instead of full DN | Use full Distinguished Name format: `CN=user,OU=ServiceAccounts,DC=corp,DC=example,DC=com` | + +**Useful diagnostic commands:** + +```bash +# View installer log +cat /var/log/dspm-installer.log + +# Check pod status (access-analyzer namespace) +sudo kubectl get pods -n access-analyzer + +# Check all namespaces +sudo kubectl get pods -A -For other identity provider failures, see [Configure Identity Provider — Troubleshooting](identity-provider.md#troubleshooting-idp-configuration). +# Check ArgoCD sync status +sudo kubectl get apps -n argocd + +# View Keycloak logs +sudo kubectl logs -n access-analyzer statefulset/keycloak --tail=50 +``` ## Reinstalling -- **Same VM**: your certificates are already in place at `/opt/dspm-tls/`. Skip Step 1 and restart at Step 2. -- **New VM, same CA**: upload the same three certificate files to `/opt/dspm-tls/` on the new VM (Step 1), then continue with Step 2. +Before reinstalling, completely remove the existing installation: + +```bash +sudo /usr/local/bin/k3s-dspm-uninstall.sh +sudo rm -rf /var/lib/rancher/k3s /opt/dspm ~/.kube/config +sudo rm -f /usr/local/bin/dspm-installer +``` + +See [Uninstalling Access Analyzer](uninstall.md) for the complete uninstall procedure. + +After uninstalling: + +- **Same VM**: your certificates are already in place at `/opt/dspm-tls/`. Skip the certificate preparation steps and restart at [Step 1](#step-1-ssh-into-the-server). 
+- **New VM, same CA**: upload the same certificate files to `/opt/dspm-tls/` on the new VM (see [TLS certificates](#tls-certificates)), then continue with [Step 1](#step-1-ssh-into-the-server). diff --git a/docs/accessanalyzer/2601/install/system/certificates.md b/docs/accessanalyzer/2601/install/system/certificates.md index 780d5ec07d..6b3dda2c89 100644 --- a/docs/accessanalyzer/2601/install/system/certificates.md +++ b/docs/accessanalyzer/2601/install/system/certificates.md 
@@ -8,22 +8,22 @@ sidebar_position: 40 Access Analyzer requires three certificate-related files at install time. This page describes the format of each file, the rules the installer enforces, and common gotchas when preparing them. -All three files must be in PEM format. They are passed to the installer as environment variables or CLI flags. +All three files must be in PEM format. When choosing **Bring your own certificate** in the installer wizard, you will be prompted to provide the path to each file. ## Summary -| File | Environment variable | Flag | Purpose | -| --- | --- | --- | --- | -| `.crt` | `TLS_CERT_FILE` | `--tls-cert` | Application TLS certificate (what browsers validate) | -| `.key` | `TLS_KEY_FILE` | `--tls-key` | Private key paired with the certificate | -| `ca-bundle.crt` | `TLS_CA_BUNDLE_FILE` | `--ca-bundle` | Trusted root CAs (application and LDAPS) | +| File | Installer Prompt | Purpose | +| --- | --- | --- | +| `.crt` | TLS Certificate File | Application TLS certificate (what browsers validate) | +| `.key` | TLS Private Key File | Private key paired with the certificate | +| `ca-bundle.crt` | AD/DC Root CA Bundle Path | Trusted root CAs (application and LDAPS) | ## 1. Application TLS Certificate (`.crt`) - **Format**: PEM (Base64 certificate block, starting with `-----BEGIN CERTIFICATE-----`). - **Issued by**: your internal certificate authority. - **Subject Alternative Names (SANs)**: must include **both** the server's hostname (for example, `accessanalyzer.example.com`) **and** the server IP address. Without a matching SAN, browsers reject the connection. -- **Hostname in SANs must be lowercase.** Browsers normalize hostnames to lowercase during TLS validation, and Keycloak's OIDC issuer URL is derived from `DSPM_HOSTNAME`. If the cert SAN is mixed-case but the issuer URL is lowercased by the browser, sign-in fails with HTTP 401. Always generate certificates using a lowercase hostname in the SAN list. 
+- **Hostname in SANs must be lowercase.** Browsers normalize hostnames to lowercase during TLS validation. If the cert SAN is mixed-case, sign-in fails with HTTP 401. Always generate certificates using a lowercase hostname in the SAN list. - **Where it's used**: served by Traefik for every browser request to the application URL. ## 2. Application TLS Private Key (`.key`) @@ -91,6 +91,6 @@ sudo update-ca-certificates | --- | --- | --- | | Sign-in fails with HTTP 401 after correct credentials | SAN hostname has mixed case, but browser normalized to lowercase | Re-issue the certificate with lowercase hostname in the SAN list | | Installer exits with "Failed to read TLS private key" | Key file owned by `root`, installer runs as non-root user | `sudo chown /opt/dspm-tls/.key` | -| Web UI loads, IdP login button appears, sign-in fails silently | CA bundle missing the LDAPS CA | Concatenate the DC's LDAPS CA into the bundle; re-run the installer with `--configure-idp-only` | +| Web UI loads, IdP login button appears, sign-in fails silently | CA bundle missing the LDAPS CA | Concatenate the DC's LDAPS CA into the bundle and re-run the installer | | Browser shows "certificate not trusted" | Application CA not distributed to client machines | Distribute the CA to client machines via Group Policy or MDM | | "Certificate is valid for X but not for Y" in browser | Cert SAN doesn't include the hostname or IP being used | Re-issue with full SAN list including both DNS name and IP | diff --git a/docs/accessanalyzer/2601/install/system/network.md b/docs/accessanalyzer/2601/install/system/network.md index 4e2e128654..88a4743e44 100644 --- a/docs/accessanalyzer/2601/install/system/network.md +++ b/docs/accessanalyzer/2601/install/system/network.md 
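Review bot: The rewritten SAN bullet now reads `Browsers normalize hostnames to lowercase during TLS validation. If the cert SAN is mixed-case, sign-in fails with HTTP 401.` with the Keycloak-issuer explanation removed, and as written it is not accurate: dNSName matching is case-insensitive (RFC 6125 §6.4.1), so a mixed-case SAN does not fail the TLS handshake, and a 401 is an application response rather than a certificate error. The removed sentence named the real cause — the OIDC issuer URL being derived from the configured hostname and compared case-sensitively against the lowercased host the browser sends — and that is the fact an operator needs when the symptom appears. Suggest restoring it in installer-neutral wording, e.g. `The OIDC issuer URL is built from the hostname you enter; browsers send the hostname lowercased, so a mixed-case hostname or SAN causes an issuer mismatch that surfaces as HTTP 401 at sign-in. Enter a lowercase hostname in the installer and use the same lowercase name in the SAN list.` That keeps the troubleshooting row's remedy (re-issue with a lowercase SAN) explainable rather than folklore.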
@@ -16,7 +16,7 @@ All outbound traffic uses HTTPS (port 443). The following endpoints must be reac | --- | --- | --- | --- | | `api.keygen.sh` | Keygen / Licensing | License validation API | Installation and updates | | `oci.pkg.keygen.sh` | Keygen / Licensing | Netwrix OCI registry — Helm charts and application images | Installation and updates | -| `raw.pkg.keygen.sh` | Keygen / Licensing | Installer script download | Installation and updates | +| `raw.pkg.keygen.sh` | Keygen / Licensing | Installer binary download | Installation and updates | | `keygen-dist.c3c9112df8df715f42d1162cdce5dba1.r2.cloudflarestorage.com` | Keygen / Licensing CDN | Keygen artifact storage | Installation and updates | | `api.github.com` | GitHub | GitHub API | Installation only | | `github.com` | GitHub | Repository and release access | Installation only | @@ -84,7 +84,7 @@ If an endpoint detection or antivirus product is running on the Access Analyzer | `/usr/local/bin/k3s` | K3s binary | :::note -Setting `SKIP_AV_CHECK=true` before running the installer bypasses the antivirus detection prompt, but does not configure exclusions automatically. Configure exclusions manually before running the installer. +Configure exclusions manually before running the installer. The installer's preflight check detects common antivirus products and will prompt you to confirm exclusions are in place before proceeding. ::: ## Firewall Configuration diff --git a/docs/accessanalyzer/2601/install/system/requirements.md b/docs/accessanalyzer/2601/install/system/requirements.md index 791ac1bfb0..6a5463247d 100644 --- a/docs/accessanalyzer/2601/install/system/requirements.md +++ b/docs/accessanalyzer/2601/install/system/requirements.md 
@@ -20,9 +20,6 @@ The installer enforces absolute minimums via preflight checks — installation i | **Medium** | 16 cores | 48 GB | 1 TB SSD | Up to ~5,000 assets | | **Large** | 32 cores | 64 GB | 1 TB SSD | 5,000+ assets / enterprise | -:::note -The `--size` flag scales memory thresholds by the specified multiplier. For example, `--size 2` doubles the minimum and recommended memory requirements enforced by the preflight checks. -::: ## Disk Space Requirements diff --git a/docs/accessanalyzer/2601/install/uninstall.md b/docs/accessanalyzer/2601/install/uninstall.md index bd174e2cb0..38bfeecf7d 100644 --- a/docs/accessanalyzer/2601/install/uninstall.md +++ b/docs/accessanalyzer/2601/install/uninstall.md @@ -49,4 +49,4 @@ The service should not be found or should show as inactive. ## Reinstallation -After uninstalling, you can reinstall Access Analyzer by running the installer again. See [Quick Install](/docs/accessanalyzer/2601/install/quickinstall) or [Install Commands](/docs/accessanalyzer/2601/install/install-commands). +After uninstalling, you can reinstall Access Analyzer by running the installer again. See [Quick Install](/docs/accessanalyzer/2601/install/quickinstall). From 8ad515b59aa714d8ec13c203dd4e2424a790ef8e Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 20:24:10 +0000 Subject: [PATCH 11/22] fix(vale): auto-fix style issues (Vale + Dale) --- .../2601/configurations/identity-provider.md | 12 +++++----- .../2601/configurations/users.md | 2 +- .../2601/install/identity-provider.md | 10 ++++---- .../2601/install/install-commands.md | 2 +- .../2601/install/quickinstall.md | 24 +++++++++---------- .../2601/install/system/certificates.md | 8 +++---- .../2601/install/system/network.md | 10 ++++---- .../2601/install/system/requirements.md | 8 +++---- docs/accessanalyzer/2601/install/uninstall.md | 4 ++-- 9 files changed, 40 insertions(+), 40 deletions(-) 
diff --git a/docs/accessanalyzer/2601/configurations/identity-provider.md b/docs/accessanalyzer/2601/configurations/identity-provider.md index 9b7ff3b075..b63fcb68b8 100644 --- a/docs/accessanalyzer/2601/configurations/identity-provider.md +++ b/docs/accessanalyzer/2601/configurations/identity-provider.md @@ -11,7 +11,7 @@ Access Analyzer supports federation with your organization's identity system so Setting up an identity provider connection is a two-part process: first you configure the integration in your identity system, then you prepare user accounts inside Access Analyzer. :::note -Before completing the steps below, confirm that the infrastructure and network requirements for your IdP type are in place. See [Network and Port Requirements](../install/system/network.md) and [TLS Certificate Requirements](../install/system/certificates.md). +Before continuing, confirm that the infrastructure and network requirements for your IdP type are in place. See [Network and Port Requirements](../install/system/network.md) and [TLS Certificate Requirements](../install/system/certificates.md). ::: ## Supported integration types @@ -125,7 +125,7 @@ sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin \ ``` :::warning -Do not change the bootstrap account email address — doing so causes authentication failures. +Don't change the bootstrap account email address — doing so causes authentication failures. ::: ### Pre-provision user accounts 
@@ -139,7 +139,7 @@ The email address entered during pre-provisioning must exactly match the address 1. Navigate to **Configuration** > **Users**. 2. Click **Add User**. 3. Enter the user's **Name** and **Email** address. -4. Select a **Role**: **Administrator**, **User Admin**, or **Viewer** (see [Roles](#roles) below). +4. Select a **Role**: **Administrator**, **User Admin**, or **Viewer** (see [Roles](#roles)). 5. Click **Create User**. No password is required for pre-provisioned accounts. For details on managing users, see [Users](users.md). @@ -149,12 +149,12 @@ No password is required for pre-provisioned accounts. For details on managing us -Access Analyzer has three roles. The bootstrap `admin@dspm.local` account is seeded as User Admin, so it can pre-provision the rest of your users, including your first Administrator. +Access Analyzer has three roles. The installer seeds the bootstrap `admin@dspm.local` account as User Admin, so it can pre-provision the rest of your users, including your first Administrator. | Role | Description | | --- | --- | | **Administrator** | Full access: system configuration (sources, scans, connectors, application settings) and user management (create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users). | -| **User Admin** | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does **not** have system configuration rights. The bootstrap `admin@dspm.local` account is assigned this role. | +| **User Admin** | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does **not** have system configuration rights. Access Analyzer assigns this role to the bootstrap `admin@dspm.local` account. | | **Viewer** | Read-only access to data and reports. No configuration or user management rights. | 
@@ -163,7 +163,7 @@ Access Analyzer has three roles. The bootstrap `admin@dspm.local` account is see When identity provider integration is active, the Access Analyzer login page presents a credential form that validates against your directory. -On first sign-in, Access Analyzer matches the email address from the IdP token or LDAP directory to the pre-provisioned account and permanently links the IdP identity to that account. On all subsequent sign-ins, the user's unique IdP identifier is used directly. +On first sign-in, Access Analyzer matches the email address from the IdP token or LDAP directory to the pre-provisioned account and permanently links the IdP identity to that account. On all subsequent sign-ins, Access Analyzer uses the user's unique IdP identifier directly. Sessions are valid for up to 8 hours from sign-in and expire after 4 hours of inactivity. diff --git a/docs/accessanalyzer/2601/configurations/users.md b/docs/accessanalyzer/2601/configurations/users.md index 12a141c834..9d27bc67de 100644 --- a/docs/accessanalyzer/2601/configurations/users.md +++ b/docs/accessanalyzer/2601/configurations/users.md @@ -55,7 +55,7 @@ On first login, you will be prompted to enroll an authenticator app for MFA and Keep the bootstrap account active as an emergency recovery account, but do not use it for routine user management. Create at least one named User Admin account during initial setup and use that account for ongoing administration. ::: -For the full first-login walkthrough, see [Quick Install — Step 5](/docs/accessanalyzer/2601/install/quickinstall#step-5-sign-in-as-the-bootstrap-user-admin-and-pre-provision-users). +For the full first-login walkthrough, see [Quick Install — Step 5](/docs/accessanalyzer/2601/install/quickinstall#step-5-sign-in-with-entra-id-credentials). ## Recommended initial setup diff --git a/docs/accessanalyzer/2601/install/identity-provider.md b/docs/accessanalyzer/2601/install/identity-provider.md index 53668ba0e3..d4143c774f 100644 
--- a/docs/accessanalyzer/2601/install/identity-provider.md +++ b/docs/accessanalyzer/2601/install/identity-provider.md 
@@ -62,7 +62,7 @@ For full certificate format and preparation details, see [TLS Certificate Requir END HIDDEN --> :::note -`--idp-alias` must match `[A-Za-z0-9._-]+` — letters, digits, hyphens, underscores, and dots only. Spaces are not allowed. The alias is shown as the label on the login button. +`--idp-alias` must match `[A-Za-z0-9._-]+` — letters, digits, hyphens, underscores, and dots only. Spaces aren't allowed. The alias is shown as the label on the login button. ::: :::note -`--idp-alias` must match `[A-Za-z0-9._-]+` — letters, digits, hyphens, underscores, and dots only. Spaces aren't allowed. The alias is shown as the label on the login button. +`--idp-alias` must match `[A-Za-z0-9._-]+` — letters, digits, hyphens, underscores, and dots only. Spaces aren't allowed. The alias appears as the label on the login button. ::: - - - - - -## Symptom - - - -When running [specific job or action] in Netwrix Access Analyzer, the following error appears: - -```text -[Paste the exact error message here, as it appears in the UI or log.] -``` - -[Optional: one additional sentence describing secondary symptoms, e.g., "The job fails immediately and no scan results are produced."] - -## Cause - - - -This error occurs when [plain-language explanation of the root cause]. - -## Resolution - - - -1. Navigate to **[Menu] > [Submenu]** in the Netwrix Access Analyzer console. -2. Select **[Option]** and click **[Button]**. -3. In the **[Field Name]** field, enter [description of required value]. -4. Click **Save** to apply the changes. -5. Re-run the [job or scan] to confirm the issue is resolved. - -> **NOTE:** [Use for important context that does not fit inline. Use **IMPORTANT:** instead for warnings about irreversible actions or data loss.] 
- -## Related Links - -- [Netwrix Access Analyzer Documentation — System Requirements](/docs/accessanalyzer/2601/install/system/requirements) -- [Link text describing destination — add a line for each relevant resource](#) - ---- - - - - - ---- - -## Style Quick Reference - -Remove this section before publishing. - -| Element | Format | Example | -|---|---|---| -| UI button / menu / tab / field | **Bold** | Click **Save** | -| Command-line input | `` `backtick` `` | Run `npm start` | -| Error message (full block) | ` ```text ``` ` fenced block | See Symptom section above | -| File path (inline) | `` `backtick` `` | Open `` `C:\Program Files\Netwrix` `` | -| Important callout | `> **IMPORTANT:** ...` | Warns of irreversible actions | -| Note callout | `> **NOTE:** ...` | Non-critical supplemental info | -| External link | `[Name ⸱ Company 🡥](URL)` | [SMB Security ⸱ Microsoft 🡥](https://example.com) | -| Image alt text | [Action shown] + [key UI elements] | "Dialog box for scan settings with Schedule tab active" | -| Product — first mention | Full name | Netwrix Access Analyzer | -| Product — subsequent mentions | Short name | Access Analyzer | - -### Title Rules by Article Type - -| Type | Format | Good Example | Bad Example | -|---|---|---|---| -| How-To | [Action Gerund] [Specific Task] | Configuring LDAP Authentication | How to Configure LDAP? | -| Error Resolution | Error: [Unique Code or Message] | Error: Host Unreachable 0x80070005 | Error: Something Went Wrong | -| Symptom Resolution | [Component] [Symptom] [Context] | Scan Jobs Failing After Upgrade | Scans Not Working | - -### Voice and Tone - -- Use "you" (second person) when addressing the reader. -- Write in active voice: "Click **Save**" not "**Save** should be clicked." -- Avoid: "simply," "just," "easy," "obviously," "leverage," "utilize." -- Write out contractions: "do not" not "don't," "cannot" not "can't." -- No exclamation marks, including in callouts. 
-- One idea per paragraph; paragraphs to 3–4 sentences maximum.
diff --git a/docs/accessanalyzer/2601/kb/migration/audit-data-strategy.md b/docs/accessanalyzer/2601/kb/migration/audit-data-strategy.md
deleted file mode 100644
index 3f4211b139..0000000000
--- a/docs/accessanalyzer/2601/kb/migration/audit-data-strategy.md
+++ /dev/null
@@ -1,85 +0,0 @@ ---- -title: "Historical Audit Data" -description: "How historical audit records in the legacy SQL Server database are preserved and accessed alongside Access Analyzer 26" -keywords: - - audit data migration - - sql server audit records - - historical data - - fsactivity migration - - adactivity migration - - compliance continuity - - stealthaudit database -products: - - access-analyzer -sidebar_label: "Historical Audit Data" -tags: - - migration - - audit-data ---- - -# Historical Audit Data - -## Overview - -Access Analyzer 26 uses a separate database stack (ClickHouse and PostgreSQL) and does not connect to or read from the legacy SQL Server database. Historical audit records collected by the previous version remain in the original SQL Server database and are not affected by the migration. - -The sections below cover what data remains in the SQL Server database, how to maintain access to it, and what data AA2601 collects going forward. - ---- - -## Historical data retention - -Any data you need to maintain for audit and compliance purposes remains in the SQL Server database. This includes activity records from monitored sources and state-in-time collections such as sensitive data discovery findings. - -:::note -State-in-time collections — such as sensitive data findings and permissions snapshots — are stale as soon as they are collected. The priority after migrating to AA2601 is to get the equivalent scans running in AA2601 so that current data is available there. -::: - -## Maintaining access to historical records - -No data is deleted or modified by the migration. The legacy SQL Server database remains intact and queryable at all times. - -To maintain access to historical records: - -1. **Retain the NAA SQL Server instance** and its database. Do not decommission or drop the database while historical records are needed for audit or compliance. - -2. 
**Grant read-only SQL access** to security analysts, compliance officers, and legal teams who need to query historical records. - -3. **Document the coverage start date for each source.** Record the date AA2601 began collecting data for each migrated source. This date determines which system to query for audit requests that span the migration. - ---- - -## What Access Analyzer 26 collects - -For sources added to AA2601, the product collects the following data: - -| Data Type | Source | Stored In | -| --- | --- | --- | -| Permissions, group memberships, and access rights | Access scan | ClickHouse | -| Files and objects containing sensitive content | Sensitive data scan | ClickHouse | -| Active Directory and Entra ID users, groups, and memberships | IAM sync | ClickHouse | -| Real-time file system activity events | Netwrix Activity Monitor (NAM) integration | ClickHouse | - -Real-time file system activity events require Netwrix Activity Monitor to be installed and monitoring the target hosts. See the **Activity Monitor Integration** page under Configuration for setup steps. - ---- - -## Compliance continuity - -Historical audit records in the SQL Server database remain intact throughout and after the migration. There is no gap in the audit record for any period covered by the legacy system. - -Notify your compliance and legal teams of the coverage start date for each migrated source so that audit requests spanning the migration can be directed to the correct system. - -| Period / Source | System of Record | -| --- | --- | -| Data collected before migration | Legacy NAA SQL Server database | -| Data collected after migration | Access Analyzer 26 (ClickHouse) | -| Sources not yet migrated to AA2601 | Legacy NAA SQL Server database | - ---- - -## Related links - -- [Migration Overview](./index.md) -- [Migration Checklist](./migration-checklist.md) -- [Migrating Target Servers and Host Lists](./migrate-target-servers.md) 
diff --git a/docs/accessanalyzer/2601/kb/migration/index.md b/docs/accessanalyzer/2601/kb/migration/index.md
deleted file mode 100644
index 9fb98f4684..0000000000
--- a/docs/accessanalyzer/2601/kb/migration/index.md
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -title: "Migrating to Access Analyzer 26" -description: "Concept mapping and step-by-step procedures for migrating credentials, target servers, and schedules from Netwrix Access Analyzer 12.0 and earlier to Access Analyzer 26" -keywords: - - access analyzer migration - - stealthaudit migration - - migrate to AA2601 - - host list migration - - connection profile migration - - schedule migration - - sql server audit data - - migration guide -products: - - access-analyzer -sidebar_label: "Migration Overview" -tags: - - migration ---- - -# Migrating to Access Analyzer 26 - -This section covers migrating credentials, target servers, and job schedules from Netwrix Access Analyzer 12.0 and earlier (formerly StealthAUDIT) to Access Analyzer 26 (AA2601). These procedures apply whether you are replacing the previous version or running both products in parallel. Historical audit data collected by the previous version remains in the SQL Server database and is not affected. - ---- - -## In this section - -| Article | Description | -| --- | --- | -| [Migrating Connection Profiles to Service Accounts](./migrate-credentials.md) | Inventory legacy connection profiles and recreate them as service accounts in AA2601. | -| [Migrating Proxy Servers to Scanners](./migrate-proxy-servers.md) | Replace legacy Windows proxy servers with Linux-based AA2601 scanner nodes for File Server and Active Directory scanning. | -| [Migrating Target Servers and Host Lists to Source Groups](./migrate-target-servers.md) | Inventory legacy host lists and recreate them as source groups and sources in AA2601. | -| [Migrating Job Configurations to Scan Parameters](./migrate-job-configurations.md) | Map legacy data collector settings to AA2601 scan parameters by connector type. | -| [Migrating Job Schedules to Scan Schedules](./migrate-schedules.md) | Translate Windows Task Scheduler triggers to cron expressions and configure scan schedules in AA2601. 
| -| [Historical Audit Data](./audit-data-strategy.md) | Understand what audit data stays in the SQL Server database and how to maintain access to it. | -| [Migration Checklist](./migration-checklist.md) | Track and validate progress through each migration phase. | - ---- - -## Concept mapping - -Each legacy concept maps directly to an AA2601 equivalent. Refer to this table throughout the migration. - -| Legacy Concept | AA2601 Equivalent | Key Difference | -| --- | --- | --- | -| **Host** | **Source** | A single target system in both products. In AA2601, sources belong to a source group. | -| **Host List** | **Source Group** | A source group contains sources of a single connector type. Legacy host lists can contain mixed types and must be split before migrating. | -| **Connection Profile** | **Service Account** | Passwords cannot be exported from the legacy system and must be re-entered when creating service accounts in AA2601. | -| **Job / Data Collector** | **Scan** | Scans replace the job/query model. Each source has one scan per scan type (access scan or sensitive data scan). | -| **Schedule / Trigger** | **Scan Schedule (cron)** | AA2601 uses standard five-field cron expressions. Windows Task Scheduler triggers must be translated to cron format. | -| **Proxy Server / Applet** | **Scanner** | AA2601 scanners are Linux-based K3s nodes deployed via SSH from the AA2601 UI. No manual Windows service installation is required. Only File Server and Active Directory connectors use scanners — Entra ID and SharePoint Online connect directly. | -| **Storage Profile (SQL Server)** | **ClickHouse + PostgreSQL** | AA2601 uses a different database stack. Historical data collected by the legacy product remains in the SQL Server database and is not migrated. | -| **FSActivity / ADActivity tables** | **Activity Monitor integration** | Real-time file system and AD activity events are surfaced in AA2601 through Netwrix Activity Monitor (NAM). 
Customers running NAM can add an AA2601 output to route events directly into AA2601. | - ---- - -## Migration sequence - -Complete the steps in this order. Each step is a prerequisite for the next. - -1. **[Migrate credentials](./migrate-credentials.md)** — Create service accounts in AA2601. The source group creation wizard requires a service account before you can create a group. -2. **[Migrate proxy servers](./migrate-proxy-servers.md)** — Deploy Linux scanner nodes for File Server and Active Directory source groups. Skip this step if you plan to use the Default Scanner (local scanning only). -3. **[Migrate target servers and host lists](./migrate-target-servers.md)** — Create source groups and add sources. Assign scanner labels to connect each source group to the scanner nodes you deployed. -4. **[Migrate job configurations](./migrate-job-configurations.md)** — Configure scan parameters for each source: scan type, scope, workers, differential scanning, and data classification settings. -5. **[Migrate schedules](./migrate-schedules.md)** — Configure scan schedules on each source. -6. **Validate** — Run an initial scan on each source group and compare results against legacy job output. - ---- - -## Related links - -- [Migration Checklist](./migration-checklist.md) -- [Historical Audit Data](./audit-data-strategy.md) diff --git a/docs/accessanalyzer/2601/kb/migration/migrate-credentials.md b/docs/accessanalyzer/2601/kb/migration/migrate-credentials.md deleted file mode 100644 index c9e1f7022c..0000000000 --- a/docs/accessanalyzer/2601/kb/migration/migrate-credentials.md +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -title: "Migrating Connection Profiles to Service Accounts" -description: "How to inventory legacy Netwrix Access Analyzer connection profiles and recreate them as service accounts in Access Analyzer 26" -keywords: - - connection profile migration - - service account migration - - stealthaudit credentials - - access analyzer credentials - - username password service account - - client id secret - - client certificate -products: - - access-analyzer -sidebar_label: "Migrating Connection Profiles" -tags: - - migration - - service-accounts ---- - -# Migrating Connection Profiles to Service Accounts - -## Overview - -Service accounts in AA2601 replace legacy connection profiles and serve the same purpose: storing the credentials that scanners use to connect to data sources. Complete this inventory and recreation process before creating source groups. - -Complete this procedure before creating source groups. The source group creation wizard requires a service account to be present before you can create a group. - -:::warning -Passwords and client secrets cannot be exported from the legacy system. You must re-enter all credentials when creating service accounts in AA2601. Prepare the necessary credentials before starting this procedure. 
-::: - ---- - -## Credential type mapping - -Each legacy connection profile credential type maps to an AA2601 service account type as follows: - -| Legacy Credential Type | AA2601 Service Account Type | Used For | -| --- | --- | --- | -| Local machine account (Windows) | Username/Password | File Server sources | -| Active Directory domain account | Username/Password | Active Directory and File Server sources | -| Microsoft Entra ID key | Client ID/Secret | Entra ID sources | -| Web service (certificate) | Client ID/Certificate | SharePoint Online sources | -| Unix account | *(not applicable)* | Not supported in AA2601 connectors | -| SQL account | *(not applicable)* | Not supported in AA2601 connectors | - -Only the four credential types listed as applicable are needed for the connectors supported in AA2601. If your legacy environment uses connection profiles for other purposes (SQL Server inventory, Unix auditing), those do not require migration. - ---- - -## Before you begin - -- Identify all connection profiles used by Active Directory, file server, SharePoint, and Entra ID jobs in the legacy system. -- Obtain the credentials for each profile: username and password for domain accounts, client ID and secret for Entra ID registrations, and client ID and certificate for SharePoint. -- Confirm that each account has the required permissions for its connector type in AA2601. See the connector-specific prerequisites in the Access Analyzer documentation. - ---- - -## Step 1 — Inventory legacy connection profiles - -Before creating service accounts in AA2601, document every connection profile that needs to be migrated. - -1. Open the Netwrix Access Analyzer console. -2. Navigate to **Settings** > **Connection**. -3. Review each connection profile listed. Record the profile name, credential type, username, and domain. -4. Note which jobs reference each profile (visible in the Job Properties panel for each job). 
- ---- - -## Step 2 — Create service accounts in Access Analyzer - -Create one service account in AA2601 for each legacy connection profile that needs to be migrated. Use the credential type mapping table above to determine which account type to create for each profile. - -For the full creation procedure, navigate to **Configuration** > **Service Accounts** in the Access Analyzer console. See the Service Accounts documentation for steps specific to each credential type. - ---- - -## Step 3 — Verify - -After creating all service accounts, verify each one before using it in a source group: - -1. In the service accounts list, locate a newly created account. -2. Click the actions menu and select **Edit**. -3. Confirm the credential type and username display correctly. -4. You'll verify connectivity through the source group's **Test Connection** function in the [next migration step](./migrate-target-servers.md). - ---- - -## Related links - -- [Migrating Target Servers and Host Lists](./migrate-target-servers.md) -- [Migration Checklist](./migration-checklist.md) diff --git a/docs/accessanalyzer/2601/kb/migration/migrate-job-configurations.md b/docs/accessanalyzer/2601/kb/migration/migrate-job-configurations.md deleted file mode 100644 index b8d9f14c90..0000000000 --- a/docs/accessanalyzer/2601/kb/migration/migrate-job-configurations.md +++ /dev/null 
@@ -1,173 +0,0 @@ ---- -title: "Migrating Job Configurations to Scan Parameters" -description: "How to map legacy Netwrix Access Analyzer job and data collector settings to scan parameters in Access Analyzer 26" -keywords: - - job migration - - data collector migration - - scan configuration migration - - fsaa migration - - adinventory migration - - stealthaudit job settings - - access analyzer scan parameters -products: - - access-analyzer -sidebar_label: "Migrating Job Configurations" -tags: - - migration - - scans ---- - -# Migrating Job Configurations to Scan Parameters - -## Overview - -Scans in AA2601 replace the legacy job/data collector model. Each source has one scan per scan type, and scan parameters are configured directly on the scan rather than in a job wizard. The tables and procedures below map each legacy data collector setting to its AA2601 equivalent by connector type. - -Before starting this procedure, complete [Migrating Target Servers and Host Lists to Source Groups](./migrate-target-servers.md). Scans exist within source groups and are associated with specific sources. - ---- - -## Data collector to scan type mapping - -Each legacy data collector maps to a specific AA2601 scan type: - -| Legacy Data Collector | AA2601 Scan Type | Notes | -| --- | --- | --- | -| FSAA — File System Access/Permission Auditing | File Server — **Access Scan** | Scans permissions and file metadata | -| FSAA — Sensitive Data Discovery | File Server — **Sensitive Data Scan** | Requires Access Scan to have run first | -| ADInventory | Active Directory — **Identity Sync** | Collects users, groups, and membership | -| AzureAD Inventory | Entra ID — **Identity Sync** | Collects users, groups, and roles | -| SPAA — SharePoint Access Auditing | SharePoint Online — **Access Scan** | Scans permissions and content metadata | -| FSAA — File System Activity | *Not applicable* | Activity data is surfaced through Netwrix Activity Monitor (NAM) integration. 
See [Historical Audit Data](./audit-data-strategy.md). | - ---- - -## Key differences from legacy jobs - -**One scan per source, not per job.** In the legacy product, multiple jobs could target the same host with different data collector settings. In AA2601, each source has one Access Scan and one Sensitive Data Scan. If you had multiple FSAA jobs targeting the same file server with different scope or depth settings, consolidate those settings into a single scan configuration per source. - -**Scan type is fixed per scan.** Unlike a legacy FSAA job that could include both permission auditing and sensitive data queries, AA2601 uses separate scans for each type. The Access Scan runs first; the Sensitive Data Scan uses the discovered share list from the Access Scan as its scope. - -**Proxy assignment is replaced by scanner labels.** Legacy jobs had a Scan Server Selection step where you assigned a specific proxy server or proxy host list. In AA2601, scanner assignment is configured at the source group level using scanner labels — not per scan. See [Migrating Proxy Servers to Scanners](./migrate-proxy-servers.md). - ---- - -## Managing scans - -Navigate to **Configuration** > **Scans** to view and configure all scans across your sources. - -![Scans list showing existing scans with columns for Name, Scan Type, Source, Source Group, Source Type, Schedule, Scanner, and Actions](/images/accessanalyzer/2601/migration/scans-list.png) - -Each row shows a scan's type, source, schedule, and assigned scanner. Click the scan name to open the edit panel for that scan. - ---- - -## File Server — Access Scan parameters - -The Access Scan collects file permissions, share structure, and file metadata from file servers. 
- -![Edit Scan panel for a File Server access scan showing Basic Information, Scan Configuration, and Schedule sections](/images/accessanalyzer/2601/migration/scan-edit-file-server-access.png) - -| AA2601 Parameter | Description | Legacy Equivalent | -| --- | --- | --- | -| **Name** | Display name for this scan. | Job name | -| **Description** | Optional notes. | Job description | -| **Scan Type** | Set to **Access Scan**. | FSAA — Access/Permission Auditing query | -| **Schedule** | Enable and configure a recurring schedule. | Windows Task Scheduler trigger on the job | - -The Access Scan has no additional scoping parameters. It scans all accessible shares on the source server. Use the Sensitive Data Scan's Share Selection parameter to scope sensitive data collection to specific shares. - ---- - -## File Server — Sensitive Data Scan parameters - -The Sensitive Data Scan classifies file contents against configured data type patterns. It must be run after the Access Scan — the scan uses the share list discovered by the Access Scan to determine scope. - -![Edit Scan panel for a File Server sensitive data scan showing Scan Type, Configuration Source, and Processing Options sections](/images/accessanalyzer/2601/migration/scan-edit-file-server-sdd.png) - -| AA2601 Parameter | Description | Legacy Equivalent | -| --- | --- | --- | -| **Scan Type** | Set to **Sensitive Data Scan**. | FSAA — Sensitive Data Discovery query | -| **Configuration Source** | **Inherit from global configuration** uses the globally configured sensitive data types. Select a custom configuration to override for this scan. | Global sensitive data policy | -| **Run OCR** | Enable to extract text from image files during classification. | FSAA OCR option | -| **Sensitive Data Types to Classify** | Select which data type categories to classify against: CCPA, CMMC, Credentials, Financial Records, GDPR, GDPR Restricted, GLBA, HIPAA, PCI DSS, PHI, PII. 
| Sensitive data criteria selection in FSAA wizard | -| **Batch Size** | Number of files to process per batch. Default: 100. | No direct equivalent | -| **Workers** | Number of concurrent workers for scanning. Default: 3. | FSAA thread count or concurrent scan settings | -| **Differential Scan** | When enabled, only files modified since the last scan are classified. The first run scans all files. | FSAA incremental scan option | -| **Share Selection** | Restrict the scan to specific shares discovered by the Access Scan. If empty, all discovered shares are scanned. | FSAA include/exclude share lists | -| **Maximum Scan Depth** | Folder depth limit. Leave empty for unlimited depth. | FSAA scan depth setting | -| **Schedule** | Enable and configure a recurring schedule. | Windows Task Scheduler trigger | - -:::note -The Share Selection list is populated from the results of the Access Scan. If no shares appear, run the Access Scan for that source first. -::: - ---- - -## Active Directory — Identity Sync parameters - -The Identity Sync collects users, groups, group membership, and custom attributes from Active Directory domain controllers. - -![Edit Scan panel for an Active Directory identity sync showing Identity Source, connection override settings, and Schedule](/images/accessanalyzer/2601/migration/scan-edit-ad.png) - -| AA2601 Parameter | Description | Legacy Equivalent | -| --- | --- | --- | -| **Scan Name** | Display name for this sync. | Job name | -| **Identity Source** | The Active Directory source to sync. Selects the domain controller configured on the source. | Job host target / connection profile | -| **Host / Port / Domain** | Override the connection settings inherited from the source. Leave as inherited unless you need to target a specific domain controller. | ADInventory domain and DC settings | -| **Ignore SSL Errors** | Ignore certificate errors on the LDAP/LDAPS connection. 
| ADInventory SSL options | -| **Differential Scan** | When enabled, only changes since the last sync are collected. | ADInventory incremental collection | -| **Schedule** | Frequency: One-time, Hourly, Daily, Weekly, or Monthly. Set a specific time and optional start/end date. | Windows Task Scheduler trigger | - -:::note -AA2601 collects standard Active Directory attributes: users, groups, group membership, and user custom attributes. Custom attribute collection beyond this set is not configurable in the current release. -::: - ---- - -## Entra ID — Identity Sync parameters - -The Identity Sync collects users, groups, and roles from Entra ID via the Microsoft Graph API. - -![Edit Scan panel for an Entra ID identity sync showing Identity Source, connection override settings, and Schedule](/images/accessanalyzer/2601/migration/scan-edit-entra-id.png) - -| AA2601 Parameter | Description | Legacy Equivalent | -| --- | --- | --- | -| **Scan Name** | Display name for this sync. | Job name | -| **Identity Source** | The Entra ID source to sync. | Job host target | -| **Client ID / Tenant ID** | Override the credentials inherited from the source's service account. Leave as inherited in most cases. | AzureAD Inventory connection profile | -| **Schedule** | Enable and configure a recurring schedule. | Windows Task Scheduler trigger | - ---- - -## SharePoint Online — Access Scan parameters - -The SharePoint Online Access Scan collects site, library, and item permissions from SharePoint Online, OneDrive, and Teams. - -When you create a SharePoint Online source group, the wizard includes a **SharePoint Domain** field. This is equivalent to the legacy SPAA site URL configuration. Within a source group, the scan targets all sites within that domain by default. 
- ---- - -## Settings that do not migrate - -Some legacy job settings have no equivalent in AA2601: - -| Legacy Setting | Status in AA2601 | -| --- | --- | -| Applet launch mechanism (MSTask / Windows Service / pre-installed service) | Not applicable — scanner deployment is automated via K3s | -| Per-proxy communication timeout | Not applicable — managed by Kubernetes infrastructure | -| Strong proxy affinity (pin host to specific proxy) | No direct equivalent — scanner labels route at source group level | -| Applet port and certificate exchange | Not applicable — managed by K3s infrastructure | -| Custom AD attribute collection beyond standard set | Not supported in current release | -| Multiple jobs targeting same host with different scoping | Consolidate to one scan configuration per source | -| FSAA File System Activity scanning | Not a scan type — route activity data through NAM integration | -| SQL Server, Exchange, Unix data collectors | No equivalent connector in current release | - ---- - -## Related links - -- [Migrating Proxy Servers to Scanners](./migrate-proxy-servers.md) -- [Migrating Target Servers and Host Lists](./migrate-target-servers.md) -- [Historical Audit Data](./audit-data-strategy.md) -- [Migration Checklist](./migration-checklist.md) diff --git a/docs/accessanalyzer/2601/kb/migration/migrate-proxy-servers.md b/docs/accessanalyzer/2601/kb/migration/migrate-proxy-servers.md deleted file mode 100644 index afadc05ef5..0000000000 --- a/docs/accessanalyzer/2601/kb/migration/migrate-proxy-servers.md +++ /dev/null 
@@ -1,147 +0,0 @@
----
-title: "Migrating Proxy Servers to Scanners"
-description: "How to replace legacy Netwrix Access Analyzer proxy servers with Access Analyzer 26 scanner nodes"
-keywords:
- - proxy server migration
- - scanner migration
- - aa26 scanner node
- - deploy scanner
- - stealthaudit proxy
- - access analyzer scanner
- - fsaa proxy
-products:
- - access-analyzer
-sidebar_label: "Migrating Proxy Servers"
-tags:
- - migration
- - scanners
----
-
-# Migrating Proxy Servers to Scanners
-
-## Overview
-
-Scanner nodes in Access Analyzer 26 replace legacy Windows proxy servers for distributed File Server and Active Directory scanning. If your legacy environment used proxy servers to scan hosts close to their network location, deploy equivalent scanner nodes in AA2601 so scans run in the same distributed fashion.
-
-Without dedicated scanner nodes, File Server and Active Directory source groups use the Default Scanner, which runs scans from the central AA2601 server. This works for small or centralized environments but isn't optimized for distributed deployments where proximity to the target matters.
-
-:::note
-Entra ID and SharePoint Online source groups do not use scanners. Those connectors connect directly from the AA2601 service. Only File Server and Active Directory source groups require scanner deployment.
-:::
-
----
-
-## Architecture comparison
-
-In the legacy product, distributed scanning relied on Windows proxy servers running the FSAA Proxy Service (`FSAAAppletServer.exe`). These were persistent Windows agents deployed manually and assigned per-job in the Data Collector wizard.
-
-AA2601 replaces this with **scanner nodes**: Linux virtual machines that AA2601 registers via SSH and automatically configures with a lightweight Kubernetes (K3s) runtime. Scans run as on-demand containers — there is no persistent agent process, and no manual service installation.
-
-| | Legacy Proxy Server | AA2601 Scanner Node |
-| --- | --- | --- |
-| **Operating system** | Windows | Linux |
-| **Deployment** | Manual installer on each Windows host | Automated via SSH from AA2601 |
-| **Runtime** | Persistent Windows service | On-demand containers (per scan) |
-| **Assignment** | Per-job (Scan Server Selection wizard page) | Per-source group (via scanner labels) |
-| **Connectors supported** | FSAA, ADInventory, and others | File Server, Active Directory |
-| **Default option** | Local mode (EA console) | Default Scanner (local, always available) |
-
-The **Default Scanner** is available immediately without any deployment. It runs scans directly from the AA2601 server — equivalent to the legacy "Local Server" option in the Scan Server Selection page. If your legacy environment ran all scans locally, the Default Scanner covers this case without any migration action.
-
----
-
-## Before you begin
-
-- [ ] Identify which legacy proxy servers are in use and which jobs reference them.
-- [ ] Confirm the replacement Linux VMs are provisioned and accessible via SSH.
-- [ ] Obtain an SSH Username/Key service account with access to each Linux VM. This account is used by AA2601 during scanner registration.
-- [ ] Plan your scanner labeling scheme before deploying. Scanner labels route scans to specific scanner pools. A consistent scheme — for example, `region=us-east` or `environment=production` — makes source group assignment straightforward.
-
----
-
-## Step 1 — Inventory legacy proxy servers
-
-Before deploying scanner nodes, document every proxy server in use.
-
-1. Open the Netwrix Access Analyzer console.
-2. Navigate to **Settings** > **Proxy Servers** (or the equivalent node in your version).
-3. For each proxy server, record:
- - The server hostname or IP address.
- - The jobs or host lists assigned to it.
- - The geographic location or network segment it serves.
-
-This inventory determines how many scanner nodes you need and how to label them.
-
----
-
-## Step 2 — Deploy scanner nodes
-
-Navigate to **Configuration** > **Scanners** in Access Analyzer 26.
-
-![Scanners list showing the Default Scanner with columns for Name/IP, Labels, Source Groups, Health Status, and Last Heartbeat](/images/accessanalyzer/2601/migration/scanners-list.png)
-
-The list shows all registered scanner nodes. The **Default Scanner** is always present and represents local scanning from the AA2601 server.
-
-Click **Deploy Scanner** to register a new scanner node.
-
-![Deploy Scanner form showing fields for Name, SSH Host, SSH Host Key, SSH Port, Service Account, and Labels](/images/accessanalyzer/2601/migration/scanner-deploy-form.png)
-
-Complete the form for each scanner node you are deploying:
-
-| Field | Description |
-| --- | --- |
-| **Name** | A display name that identifies this scanner. Use a name that reflects its location or purpose, for example `us-east-scanner-01`. |
-| **SSH Host** | The hostname or IP address of the Linux VM. |
-| **SSH Host Key** | The public SSH host key of the target machine. AA2601 uses this to verify the identity of the remote host before connecting. Retrieve it by running `ssh-keyscan ` on the target machine or your management workstation. |
-| **SSH Port** | The SSH port. Defaults to 22 if not specified. |
-| **Service Account** | An SSH Username/Key service account that has SSH access to the Linux VM. AA2601 uses these credentials to connect and install the K3s runtime. |
-| **Labels** | Key-value pairs used to route scans to this scanner. Add at least one label that matches your labeling scheme, for example `region=us-east`. |
-
-Click **Test connection** before clicking **Deploy** to verify that AA2601 can reach the Linux VM with the provided credentials. Deployment installs the K3s runtime on the target machine automatically.
-
-Repeat for each scanner node you are deploying.
-
----
-
-## Step 3 — Assign scanner labels to source groups
-
-After deploying scanner nodes, configure each source group to use them.
-
-1. Navigate to **Configuration** > **Source Groups**.
-2. For each File Server or Active Directory source group, open the actions menu and select **Edit**.
-3. In the **Scanner Labels** field, enter the key-value labels that match the scanner nodes responsible for that group. For example, if your file servers are in the US East region and you labeled your scanner `region=us-east`, add `region=us-east` to the source group.
-4. Click **Save**.
-
-Scans in that source group will route to any scanner node matching all specified labels. If no labels are set on a source group, scans use the Default Scanner.
-
-:::note
-A source group can match multiple scanner nodes if more than one node carries the specified labels. AA2601 distributes scans across matching nodes.
-:::
-
----
-
-## Step 4 — Verify scanner health
-
-After deploying and assigning scanner nodes:
-
-1. Navigate to **Configuration** > **Scanners**.
-2. Confirm each deployed scanner shows **Healthy** in the Health Status column.
-3. Run a test scan on one source group that uses each new scanner. Verify the scan completes successfully before proceeding.
-
----
-
-## Step 5 — Decommission legacy proxy servers
-
-After validating that scanner nodes are handling scans successfully:
-
-1. Stop the FSAA Proxy Service on each legacy Windows proxy server.
-2. Uninstall the proxy service using **Add/Remove Programs** or your organization's standard software removal process.
-3. Retire the Windows VMs if they are no longer needed for other purposes.
-
----
-
-## Related links
-
-- [Migrating Target Servers and Host Lists](./migrate-target-servers.md)
-- [Migrating Job Configurations to Scan Parameters](./migrate-job-configurations.md)
-- [Migration Checklist](./migration-checklist.md)
diff --git a/docs/accessanalyzer/2601/kb/migration/migrate-schedules.md b/docs/accessanalyzer/2601/kb/migration/migrate-schedules.md
deleted file mode 100644
index 39de9b08e9..0000000000
--- a/docs/accessanalyzer/2601/kb/migration/migrate-schedules.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: "Migrating Job Schedules to Scan Schedules"
-description: "How to translate legacy Netwrix Access Analyzer job schedules to cron expressions and configure scan schedules in Access Analyzer 26"
-keywords:
- - schedule migration
- - job schedule migration
- - cron expression
- - windows task scheduler migration
- - scan schedule AA2601
- - stealthaudit schedule
-products:
- - access-analyzer
-sidebar_label: "Migrating Job Schedules"
-tags:
- - migration
- - schedules
----
-
-# Migrating Job Schedules to Scan Schedules
-
-## Overview
-
-The legacy product schedules data collection using Windows Task Scheduler triggers. AA2601 schedules scans using cron expressions — a standard five-field format. The steps below cover how to export legacy schedule data, translate trigger settings to cron format, and apply the resulting schedules to source groups in AA2601.
-
----
-
-## Concept comparison
-
-| Legacy Concept | AA2601 Equivalent |
-| --- | --- |
-| Schedule / Trigger on a job or job group | Cron expression on a scan configuration |
-| Schedule Service Account (Windows Task Scheduler) | Scanner service account (runs the scan) |
-| Multiple jobs with individual schedules | One scan schedule per source group (shared across all sources in the group) |
-| Daily / Weekly / Monthly trigger | Equivalent cron expression |
-| Run As — specific domain account | Service account assigned to the source group |
-
-In AA2601, the scan schedule is set at the source group level and applies to all sources in the group. If you need different schedules for individual sources, override the schedule at the source level after creating the group.
-
----
-
-## Cron expression reference
-
-AA2601 uses standard five-field cron expressions in UTC by default.
Each field controls a time component:
-
-```
-┌───────── minute (0–59)
-│ ┌─────── hour (0–23, UTC)
-│ │ ┌───── day of month (1–31)
-│ │ │ ┌─── month (1–12)
-│ │ │ │ ┌─ day of week (0=Sunday, 6=Saturday)
-│ │ │ │ │
-* * * * *
-```
-
-### Common schedule translations
-
-| Legacy Trigger | Cron Expression | Description |
-| --- | --- | --- |
-| Daily at 11:00 PM (local) | `0 23 * * *` | Runs at 23:00 UTC daily. Adjust hour for your timezone. |
-| Daily at 2:00 AM | `0 2 * * *` | Runs at 02:00 UTC daily. |
-| Daily at 6:00 AM | `0 6 * * *` | Runs at 06:00 UTC daily. |
-| Weekly — Sunday at midnight | `0 0 * * 0` | Runs at 00:00 UTC every Sunday. |
-| Weekly — Monday at 6:00 AM | `0 6 * * 1` | Runs at 06:00 UTC every Monday. |
-| Weekly — Saturday at 11:00 PM | `0 23 * * 6` | Runs at 23:00 UTC every Saturday. |
-| Monthly — 1st of month at midnight | `0 0 1 * *` | Runs at 00:00 UTC on the 1st. |
-| Monthly — 15th of month at 3:00 AM | `0 3 15 * *` | Runs at 03:00 UTC on the 15th. |
-| Every 6 hours | `0 */6 * * *` | Runs at 00:00, 06:00, 12:00, 18:00 UTC. |
-| Every 12 hours | `0 */12 * * *` | Runs at 00:00 and 12:00 UTC daily. |
-
-:::note
-AA2601 stores cron schedules in UTC. If your legacy jobs used local time triggers, convert them to UTC when creating the cron expression. Set the **Time Zone** field on the scan configuration if you want to define the schedule in local time.
-:::
-
----
-
-## Before you begin
-
-- [ ] Source groups and sources have been created in AA2601 ([Migrating Target Servers and Host Lists](./migrate-target-servers.md)).
-- [ ] You have a documented list of legacy job schedules (from Step 1 below).
-- [ ] You have determined which cron expressions to use for each source group.
-
----
-
-## Step 1 — Inventory legacy job schedules
-
-1. In the NAA console, navigate to the **Schedule** node in the left panel.
-2. Review each scheduled task listed. For each task, record:
- - The job or job group it runs.
- - The trigger type (daily, weekly, monthly).
- - The start time and recurrence settings.
-3. Use the cron expression table above to determine the equivalent for each.
-
----
-
-## Step 2 — Configure scan schedules in Access Analyzer
-
-Scan schedules are configured on source groups. Navigate to **Configuration** > **Source Groups**, then edit the group or configure schedules during source group creation.
-
-![Source group creation wizard step 3 showing scan type selection and cron schedule configuration fields](/images/accessanalyzer/2601/migration/create-source-group-scan-config.png)
-
-For each source group:
-
-1. In the source groups list, click the actions menu for the group and select **Edit**.
-2. Navigate to the **Scan Configuration** section.
-3. Enter the cron expression for the schedule you determined in Step 1.
-4. Set the **Time Zone** if you want to express the schedule in local time rather than UTC.
-5. Enable the schedule by setting **Schedule Enabled** to active.
-6. Click **Save**.
-
-:::note
-If different legacy jobs targeting the same set of hosts had different schedules, you might need to split those hosts across separate source groups in AA2601 so each group can have its own schedule.
-:::
-
-Repeat the steps in [Step 2](#step-2--configure-scan-schedules-in-access-analyzer) for each source group until all schedules are configured.
-
----
-
-## Related links
-
-- [Migrating Target Servers and Host Lists](./migrate-target-servers.md)
-- [Migration Checklist](./migration-checklist.md)
diff --git a/docs/accessanalyzer/2601/kb/migration/migrate-target-servers.md b/docs/accessanalyzer/2601/kb/migration/migrate-target-servers.md
deleted file mode 100644
index 43f028fde1..0000000000
--- a/docs/accessanalyzer/2601/kb/migration/migrate-target-servers.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: "Migrating Target Servers and Host Lists to Source Groups"
-description: "How to inventory legacy Netwrix Access Analyzer host lists and recreate them as source groups and sources in Access Analyzer 26"
-keywords:
- - host list migration
- - source group migration
- - migrate hosts to AA2601
- - stealthaudit host list
- - access analyzer source groups
- - target server migration
-products:
- - access-analyzer
-sidebar_label: "Migrating Target Servers and Host Lists"
-tags:
- - migration
- - source-groups
----
-
-# Migrating Target Servers and Host Lists to Source Groups
-
-## Overview
-
-This procedure covers inventorying the host lists in your legacy Netwrix Access Analyzer installation and recreating them as source groups and sources in Access Analyzer 26.
-
-Before starting this procedure, complete [Migrating Connection Profiles to Service Accounts](./migrate-credentials.md). The source group creation wizard requires a service account to be present before you can create a group.
-
----
-
-## Key difference: host lists vs. source groups
-
-In the legacy product, a single host list can contain any mix of target system types. A list named "East Coast Servers" might include file servers, Active Directory domain controllers, and SharePoint sites.
-
-**AA2601 source groups are single-type.** Each group is created for one connector type, and that type is permanent — it can't be changed after creation. You must split mixed-type host lists into separate source groups before you begin.
-
-**Planning example:**
-
-| Legacy Host List | Hosts | AA2601 Source Groups |
-| --- | --- | --- |
-| East Coast Servers | 12 file servers, 2 AD domains | East Coast — File Servers (12 sources)
East Coast — Active Directory (2 sources) |
-| Cloud Resources | Entra ID tenant, SharePoint site | Cloud — Entra ID (1 source)
Cloud — SharePoint Online (1 source) |
-
-Plan your source group structure on paper before creating anything in AA2601.
-
----
-
-## Supported connector types
-
-AA2601 currently supports the following connector types. Only hosts of these types need to be migrated:
-
-| Legacy Collector / Target Type | AA2601 Connector |
-| --- | --- |
-| File System (FSAA) — Windows file servers | File Server |
-| File System (FSAA) — NetApp ONTAP | File Server |
-| File System (FSAA) — Isilon/PowerScale | File Server |
-| File System (FSAA) — Dell VNX, Celerra, Unity | File Server |
-| AD Inventory / ADActivity — Active Directory | Active Directory |
-| Azure AD / Entra ID | Entra ID |
-| SPAA — SharePoint Online | SharePoint Online |
-
-Legacy jobs targeting SQL Server, Exchange, Unix, or other systems do not have corresponding connectors in AA2601 at this time. Document those targets separately for future migration phases.
-
----
-
-## Before you begin
-
-- [ ] All service accounts have been created in AA2601 ([Migrating Connection Profiles](./migrate-credentials.md)).
-- [ ] Scanner nodes have been deployed for Active Directory and File Server source groups, or you have confirmed that the Default Scanner (local) meets your scanning needs ([Migrating Proxy Servers to Scanners](./migrate-proxy-servers.md)).
-- [ ] You have a written inventory of host lists and their members (see Step 1).
-- [ ] You have planned which legacy host lists map to which AA2601 source groups.
-
----
-
-## Step 1 — Inventory legacy host lists
-
-Export a complete inventory of your legacy host lists and hosts before making any changes.
-
-1. Open the Netwrix Access Analyzer console.
-2. Navigate to **Host Management** in the left panel.
-3. For each host list, right-click and select **Export** to export the host list to CSV.
-4. Record the host list name, the number of hosts, and the system types present.
-
----
-
-## Step 2 — Create source groups in Access Analyzer
-
-Navigate to **Configuration** > **Source Groups**.
-
-![Source Groups list showing existing groups with source type, service account, scan type, and status columns](/images/accessanalyzer/2601/migration/source-groups-list.png)
-
-Create one source group for each connector type across your legacy host lists. Click **Create Source Group** to open the wizard.
-
-### Step 1 of 3 — Select the source type
-
-The wizard first asks you to choose a connector type.
-
-![Source group creation wizard step 1 showing four source type options: Active Directory, Entra ID, File Server, and SharePoint Online](/images/accessanalyzer/2601/migration/create-source-group-type-select.png)
-
-Select the connector type that matches the hosts you are migrating. If you have hosts of multiple types from the same legacy host list, you'll repeat this process for each type.
-
-### Step 2 of 3 — Configure the group
-
-![Source group creation wizard step 2 showing name field, service account selection, and max concurrent scans setting for a File Server group](/images/accessanalyzer/2601/migration/create-source-group-file-server.png)
-
-| Field | What to enter |
-| --- | --- |
-| **Name** | A descriptive name that identifies the source type and scope. Example: `File Servers — East Coast` |
-| **Service Account** | Select the service account you created for this connector type. |
-| **Max Concurrent Scans** | Leave at `1` for initial setup. Increase after validating the first scan. |
-| **Scanner Labels** | For Active Directory and File Server groups, add the key-value labels that match the scanner nodes you deployed. Leave empty to use the Default Scanner (local scanning from the AA2601 server). |
-
-Add sources to the group:
-- For each host in the matching legacy host list, click **Add Source** and enter the hostname or IP address.
-- Use the **Test Connection** button to verify connectivity for each source before saving.
-
-### Step 3 of 3 — Configure scan parameters
-
-![Source group creation wizard step 3 showing scan type selection and schedule configuration fields](/images/accessanalyzer/2601/migration/create-source-group-scan-config.png)
-
-Select the scan types to enable. Configure the scan schedule using a cron expression. See [Migrating Job Schedules](./migrate-schedules.md) for guidance on translating legacy schedule triggers to cron expressions.
-
-Click **Save** to create the source group.
-
-:::note
-Add sources to the group one at a time using the **Add Source** button in the source group UI, or use the AA2601 REST API. See [Step 3 — Test connections](#step-3--test-connections) after all sources have been added.
-:::
-
----
-
-## Step 3 — Test connections
-
-After adding sources, verify that AA2601 can reach each target:
-
-1. Navigate to **Configuration** > **Source Groups**.
-2. Click the actions menu for your new source group and select **View Sources**.
-3. For each source, click the actions menu and select **Test Connection**.
-4. Confirm that all sources show a successful connection result before proceeding.
-
-If a connection test fails, verify that:
-- The service account has the required permissions on the target system.
-- The scanner assigned to the source group can reach the target on the required ports.
-- The hostname or IP address in the source matches what the scanner can resolve.
-
----
-
-## Related links
-
-- [Migrating Connection Profiles](./migrate-credentials.md)
-- [Migrating Job Schedules](./migrate-schedules.md)
-- [Migration Checklist](./migration-checklist.md)
diff --git a/docs/accessanalyzer/2601/kb/migration/migration-checklist.md b/docs/accessanalyzer/2601/kb/migration/migration-checklist.md
deleted file mode 100644
index 7c293c92dc..0000000000
--- a/docs/accessanalyzer/2601/kb/migration/migration-checklist.md
+++ /dev/null
@@ -1,165 +0,0 @@
----
-title: "Migration Checklist"
-description: "Pre-migration, in-migration, and post-migration validation checklist for migrating from Netwrix Access Analyzer to Access Analyzer 26"
-keywords:
- - migration checklist
- - access analyzer migration validation
- - stealthaudit migration checklist
- - pre migration checklist
- - post migration validation
-products:
- - access-analyzer
-sidebar_label: "Migration Checklist"
-tags:
- - migration
----
-
-# Migration Checklist
-
-Complete each section before moving to the next.
-
-**Customer:** _____________________________    **Migration date:** _____________________________
-
-**Engineer:** _____________________________    **AA2601 version:** _____________________________
-
----
-
-## Pre-migration — Legacy system documentation
-
-Complete this section before making any changes to either system.
-
-### Legacy system inventory
-
-- [ ] Documented all active host lists, including name, description, and member count.
-- [ ] Documented the target type of each host in each list (file server, Active Directory, Entra ID, SharePoint Online, other).
-- [ ] Exported host list data using `Export-LegacyHostLists.ps1` or manual console export.
-- [ ] Identified which host lists contain mixed types and documented the required split into separate source groups.
-- [ ] Documented all connection profiles: name, credential type, username/domain.
-- [ ] Identified which connection profiles map to which credential type in AA2601 (Username/Password, Client ID/Secret, Client ID/Certificate).
-- [ ] Noted which legacy jobs are in scope for migration (AD, file server, SharePoint, Entra ID jobs).
-- [ ] Noted which legacy jobs are out of scope (SQL Server, Exchange, Unix, and other unsupported connectors).
-- [ ] Exported job schedule data using `Export-LegacySchedules.ps1` or manual review.
-- [ ] Translated all required schedules to cron expressions. Cron expressions documented: _______________________.
-
-### Legacy database documentation
-
-- [ ] Confirmed the SQL Server instance name and database name for the legacy NAA database.
-- [ ] Documented the date of the most recent successful job run for each in-scope job.
-- [ ] Identified the activity table names for historical data that needs to remain accessible.
-- [ ] Confirmed who requires read access to the legacy SQL Server database post-migration.
-
-### AA2601 environment readiness
-
-- [ ] AA2601 instance is deployed and accessible.
-- [ ] Administrator account credentials for AA2601 are confirmed.
-- [ ] Scanners are deployed and online for all required connector types (Active Directory, File Server).
-- [ ] Network connectivity is confirmed from scanner to each target system on required ports.
-- [ ] Required app registrations in Entra ID / Azure are in place (for Entra ID and SharePoint Online sources).
-
----
-
-## Migration phase 1 — Credentials
-
-- [ ] All required Username/Password service accounts created in AA2601.
- - Count: _____ accounts
-- [ ] All required Client ID/Secret service accounts created in AA2601.
- - Count: _____ accounts
-- [ ] All required Client ID/Certificate service accounts created in AA2601.
- - Count: _____ accounts
-- [ ] Each service account verified by visual inspection in the Service Accounts list.
-
----
-
-## Migration phase 2 — Source groups and sources
-
-Complete one row per source group.
-
-| Source Group Name | Connector Type | No. of Sources | Service Account | Test Connection |
-| --- | --- | --- | --- | --- |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-| | | | | Pass / Fail |
-
-- [ ] All source groups created in AA2601.
-- [ ] All sources added to their respective groups.
-- [ ] Test Connection passed for every source in every group.
-- [ ] Scanner labels verified on Active Directory and File Server groups.
-
----
-
-## Migration phase 3 — Scan schedules
-
-- [ ] Cron expressions applied to all source groups.
-- [ ] Schedule time zones confirmed (UTC or local time as required).
-- [ ] Schedules verified as enabled on each source group.
-
----
-
-## Migration phase 4 — Initial scan validation
-
-For each source group, run an initial access scan manually before enabling the schedule.
-
-| Source Group Name | Scan Type | Scan Status | Finding Count | Compared to Legacy |
-| --- | --- | --- | --- | --- |
-| | Access | | | Match / Difference |
-| | Sensitive Data | | | Match / Difference |
-| | Access | | | Match / Difference |
-| | Sensitive Data | | | Match / Difference |
-| | Access | | | Match / Difference |
-| | Sensitive Data | | | Match / Difference |
-
-- [ ] All source groups have completed at least one successful access scan.
-- [ ] Scan results reviewed and validated against legacy job output.
-- [ ] Significant discrepancies documented and investigated.
-
-**Discrepancy notes:** _______________________________________________________________________________
-
----
-
-## Post-migration
-
-### Legacy system
-
-- [ ] Legacy NAA jobs for migrated sources stopped or disabled to prevent duplicate collection.
-- [ ] Read-only SQL Server access confirmed for authorized users (compliance, legal, analysts).
-- [ ] Coverage start date documented for each migrated source: _________________________.
-- [ ] Compliance and legal teams notified of which system holds records for which sources and time periods.
-
-### AA2601 system
-
-- [ ] AA2601 scheduled scans running on configured cron schedule without errors.
-- [ ] No scan execution failures in the first 48 hours of scheduled operation.
-- [ ] Users and roles configured for all required analysts and administrators.
-- [ ] Dashboards and reports accessible to relevant users.
-
-### Handover
-
-- [ ] Migration summary document completed and delivered to customer.
-- [ ] Customer IT or security team trained on AA2601 source group management.
-- [ ] Customer IT or security team trained on interpreting scan results.
-- [ ] Support escalation path communicated to customer.
-
----
-
-## Sign-off
-
-| Role | Name | Signature | Date |
-| --- | --- | --- | --- |
-| Migration Engineer | | | |
-| Customer IT Lead | | | |
-| Customer Security Lead | | | |
-
----
-
-## Related links
-
-- [Migration Overview](./index.md)
-- [Migrating Connection Profiles](./migrate-credentials.md)
-- [Migrating Target Servers and Host Lists](./migrate-target-servers.md)
-- [Migrating Job Schedules](./migrate-schedules.md)
-- [Historical Audit Data Strategy](./audit-data-strategy.md)
diff --git a/kb_allowlist.json b/kb_allowlist.json
deleted file mode 100644
index dd20d7e6a5..0000000000
--- a/kb_allowlist.json
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- "1secure": [
- "current"
- ],
- "accessanalyzer": [
- "11.6",
- "12.0",
- "2601"
- ],
- "accessinformationcenter": [
- "11.6",
- "12.0"
- ],
- "activitymonitor": [
- "10.0",
- "7.1",
- "8.0",
- "9.0"
- ],
- "auditor": [
- "10.6",
- "10.7",
- "10.8"
- ],
- "changetracker": [
- "8.0",
- "8.1"
- ],
- "dataclassification": [
- "5.6.2",
- "5.7"
- ],
- "directorymanager": [
- "11.0",
- "11.1"
- ],
- "endpointprotector": [
- "current"
- ],
- "identityrecovery": [
- "2.6",
- "3.1"
- ],
- "passwordpolicyenforcer": [
- "10.2",
- "11.0",
- "11.1"
- ],
- "passwordreset": [
- "3.23",
- "3.3"
- ],
- "pingcastle": [
- "3.5"
- ],
- "privilegesecure": [
- "25.12",
- "4.1",
- "4.2"
- ],
- "privilegesecurediscovery": [
- "current"
- ],
- "recoveryforactivedirectory": [
- "2.6",
- "3.1"
- ],
- "threatmanager": [
- "3.0",
- "3.1"
- ],
- "threatprevention": [
- "7.5",
- "8.0"
- ]
-}
From 662ff661d5965160dd1ee361139e06e086ced76c Mon Sep 17 00:00:00 2001
From: toniop-netwrix Date: Thu, 7 May 2026 23:06:26 +1000 Subject: [PATCH 15/22] PPE fixes (#864) * Remove "Getting Started" page * Fix "Domain and Local Policies" page * Remove "Install Mailer Service" page * Remove "Install the Configuration Console" page * Move "Install Password Policy Enforcer Web" * Move "HIBP Updater" * Fix "Install Password Policy Enforcer on a Server" * Move "Password Writeback" * Remove "Uninstall" * Rearrange Installation section * Fix "Install Password Policy Enforcer Client" * Fix "Disable Windows Rules" * Fix "Install with Group Policy Management" * Minor edits --- .../11.2/admin/command_line_interface.md | 26 ---- .../11.2/admin/compromisedpasswordcheck.md | 4 +- .../{installation => admin}/hibpupdater.md | 14 +- .../manage-policies/rules/compromised_rule.md | 2 +- .../11.2/{installation => admin}/writeback.md | 8 +- .../11.2/gettingstarted.md | 54 ------- docs/passwordpolicyenforcer/11.2/index.md | 2 +- .../installation/disable_windows_rules.md | 57 +++---- .../installation/domain_and_local_policies.md | 92 ++++-------- .../11.2/installation/installationclient.md | 141 +++++------------- .../installation/installationconfigconsole.md | 25 ---- .../11.2/installation/installationgpm.md | 91 ++++------- .../11.2/installation/installationmailer.md | 33 ---- .../11.2/installation/installationserver.md | 92 +++++------- .../11.2/installation/uninstall.md | 29 ---- .../11.2/installation/upgrading.md | 8 +- .../installationweb.md | 10 +- .../install/the_password_policy_client_3.webp | Bin 63632 -> 0 bytes .../install/the_password_policy_client_4.webp | Bin 23902 -> 0 bytes .../install/the_password_policy_client_5.webp | Bin 5584 -> 0 bytes 20 files changed, 179 insertions(+), 509 deletions(-) rename docs/passwordpolicyenforcer/11.2/{installation => admin}/hibpupdater.md (93%) rename docs/passwordpolicyenforcer/11.2/{installation => admin}/writeback.md (87%) delete mode 100644 docs/passwordpolicyenforcer/11.2/gettingstarted.md delete mode 
100644 docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md
delete mode 100644 docs/passwordpolicyenforcer/11.2/installation/installationmailer.md
delete mode 100644 docs/passwordpolicyenforcer/11.2/installation/uninstall.md
rename docs/passwordpolicyenforcer/11.2/{installation => web-overview}/installationweb.md (85%)
delete mode 100644 static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp
delete mode 100644 static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp
delete mode 100644 static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp
diff --git a/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md b/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md
index 5fa3118e1a..98cfab7628 100644
--- a/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md
+++ b/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md
@@ -6,32 +6,6 @@ sidebar_position: 70
# Command Line Interface
-## Silent Installation
-
-Replace _version_ with the complete version and build number of the **msi** file. For example,
-11.2.0.148.
-
-Install only PPE Server: msiexec /i Netwrix_PPE_Server_**version**_x64.msi ADDLOCAL=FeatureServerPPE
-/q
-
-Install only Console: msiexec /i Netwrix_PPE_Server_**version**_x64.msi ADDLOCAL=FeatureConsole /q
-
-Install only Mailer Server: msiexec /i Netwrix_PPE_Server_**version**_x64.msi
-ADDLOCAL=FeaturePPEMailerServer /q
-
-Install all 3 components:
-
-msiexec /i Netwrix_PPE_Server_**version**_x64.msi
-ADDLOCAL=FeaturePPEMailerServer,FeatureConsole,FeatureServerPPE /q
-
-By default Console only installed: msiexec /i Netwrix_PPE_Server_**version**_x64.msi /q
-
-Uninstall all: msiexec /uninstall Netwrix_PPE_Server_**version**_x64.msi /q
-
-Uninstall only particular feature: msiexec /i _path_to_your_msi_file.msi_ REMOVE=_FeatureName_ /qn
-
-If a reboot wasn't done, add **/forcerestart** at the end
-
## Mailer
You can run the Password Policy Enforcer Mailer from the command line to deliver email immediately,
diff --git a/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md b/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md
index f3ca49c185..50b219b1c6 100644
--- a/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md
+++ b/docs/passwordpolicyenforcer/11.2/admin/compromisedpasswordcheck.md
@@ -12,7 +12,7 @@ The check can be scheduled to run at any time to verify existing passwords again
:::note
Create the **Compromised Passwords Base** file before enabling the Compromised Password
-Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for instructions.
+Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for instructions.
:::
@@ -32,7 +32,7 @@ Click the **Compromised Password Check** toggle to enable/disable the feature. ![Compromised Password Check](/images/passwordpolicyenforcer/11.2/administration/compromisedpasswords.webp) - **Compromised Passwords Base** specify the database to use when checking for compromised - passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) to create this database. + passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) to create this database. Click **Browse** to navigate to the folder. Default is **C:\HIBP\DB** - **Domain Controller (FQDN)** specify the fully qualified domain controller name where you want to run the password check. Click **Browse** and select from the list. diff --git a/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md b/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md similarity index 93% rename from docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md rename to docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md index 036089103c..ef59bfa304 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md +++ b/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md @@ -1,7 +1,7 @@ --- title: "HIBP Updater" description: "HIBP Updater" -sidebar_position: 90 +sidebar_position: 20 --- # HIBP Updater 
@@ -27,17 +27,17 @@ If the HIBP database is copied to and stored local on the Domain Controllers: - The HIBP database takes up additional space on the machine where it is copied. (Aproximetly 13GB but subject to change) - If doing local the database needs to be on every Domain Controller in the same location as specified in the Rule. -- A network connection doesn't come into play and possibly affect performance of checking the password against the HIBP database +- A network connection doesn't come into play and possibly affect performance of checking the password against the HIBP database - The pending password candidate is checked against the archived hash file at the local level. If a password hash is matched, the pending password change is rejected. If the HIBP database is kept on a Network Share: -- The database takes up space only on the Network Share, not on each Domain Controller.  -- Requires a working network connection from the Domain Controllers to the Network Share with Read permissions to check: +- The database takes up space only on the Network Share, not on each Domain Controller. +- Requires a working network connection from the Domain Controllers to the Network Share with Read permissions to check: - The pending password candidate from Domain Controller against the HIBP Database stored on the Network Share, this could affect LSASS/Password Change performance depending on the environment. - HIBP database space isn't required on the domain controllers but on one Network Location. -- At the time of a password change, if the Network Share isn't available, the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted. +- At the time of a password change, if the Network Share isn't available, the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted. ## Installation and Configuration 
@@ -58,7 +58,7 @@ Only run this from one server. ### Passwords Hash Database -Password Policy Enforcer uses the Passwords Hash database to check if users’ new and pending +Password Policy Enforcer uses the Passwords Hash database to check if users' new and pending password (i.e. during a password reset) matches the hash of a compromised password from a data breach. @@ -83,7 +83,7 @@ size of the hash file, this download takes up a significant amount of CPU and do - Update Type: - - Full Download – Download all data from the HIBP database hosted on the Netwrix website + - Full Download – Download all data from the HIBP database hosted on the Netwrix website - Incremental Update – Download updates from the HIBP database hosted on the Netwrix website instead of downloading the full HIBP database. This option is enabled after a full download of the HIBP database has completed. diff --git a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md index 219cbb13f4..87912ebf8c 100644 --- a/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md +++ b/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/compromised_rule.md @@ -22,5 +22,5 @@ degrades performance, and could jeopardize security. ::: -See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) +See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP) database usage. diff --git a/docs/passwordpolicyenforcer/11.2/installation/writeback.md b/docs/passwordpolicyenforcer/11.2/admin/writeback.md similarity index 87% rename from docs/passwordpolicyenforcer/11.2/installation/writeback.md rename to docs/passwordpolicyenforcer/11.2/admin/writeback.md index 78e5beb5e8..c4014a5d2a 100644 
--- a/docs/passwordpolicyenforcer/11.2/installation/writeback.md +++ b/docs/passwordpolicyenforcer/11.2/admin/writeback.md @@ -1,19 +1,19 @@ --- title: "Enforce Password Reset with Azure Password Writeback" description: "Enforce Password Reset with Azure Password Writeback" -sidebar_position: 100 +sidebar_position: 85 --- # Enforce Password Reset with Azure Password Writeback You can use Password Policy Enforcer to enforce password policies for passwords reset from Microsoft -Entra ID and O365 by enabling password writeback in Microsoft Entra ID. See the +Entra ID and O365 by enabling password writeback in Microsoft Entra ID. See the [How does self-service password reset writeback work in Microsoft Entra ID?](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback) Microsoft knowledge base article for additional information on password writeback in Microsoft Entra -ID. Password writeback sends all new passwords from Microsoft Entra ID to an available, on-premises +ID. Password writeback sends all new passwords from Microsoft Entra ID to an available, on-premises domain controller to check with Password Policy Enforcer. This happens while the user is resetting their password. See the [Tutorial: Enable Microsoft Entra self-service password reset writeback to an on-premises environment](https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback) and -[How it works: Microsoft Entra self-service password reset](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-it-works-microsoft-entra-self-service-password-reset) Microsoft +[How it works: Microsoft Entra self-service password reset](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-it-works-microsoft-entra-self-service-password-reset) Microsoft knowledge base articles for additional information on password writeback for Microsoft Entra ID. 
diff --git a/docs/passwordpolicyenforcer/11.2/gettingstarted.md b/docs/passwordpolicyenforcer/11.2/gettingstarted.md deleted file mode 100644 index 5ad27d2941..0000000000 --- a/docs/passwordpolicyenforcer/11.2/gettingstarted.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: "Getting Started" -description: "Getting Started" -sidebar_position: 2 ---- - -# Getting Started - -Review the [Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) topic. - -## Install Products - -Install Password Policy Enforcer (PPE Server) on every domain controller to enforce the -password policy for domain user accounts, or on individual servers and workstations to enforce the -password policy for local user accounts. See the -[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) or -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topics for additional -information. - -You can install the Configuration Console on whatever servers are convenient for you to access. It -is a selectable feature in the server installation **msi** package. See the -[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) topic for additional -information. - -Install the Mailer Service on a single server in each domain. See the -[Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) topic for additional -information. - -Password Policy Enforcer client is optional, but recommended. Users receive immediate feedback when -setting up their passwords. This saves your users time and frustration when picking compliant -passwords. See the [Install Password Policy Enforcer Client](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md) or -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topics for additional -information. - -Password Policy Enforcer Web is a separate product enabling users to change their Windows domain -password from a web browser. 
See the [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md) topic for -additional information. - -Create the **Compromised Passwords Base** before enabling the Compromised Password Check. See the -[HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for additional information. - -## Exclude PPE Files from AntiVirus Checks - -**Domain Controller** - -**PPE.DLL** if this file doesn't load, PPE can't enforce the password policy. - -**Clients** - -**PPEClt.DLL** if this file doesn't load, the client doesn't run. - -## Next Steps - -You can work through the [Evaluate Password Policy Enforcer](/docs/passwordpolicyenforcer/11.2/evaluation/evaluation_overview.md). diff --git a/docs/passwordpolicyenforcer/11.2/index.md b/docs/passwordpolicyenforcer/11.2/index.md index 6735acb4ec..430ccc1a98 100644 --- a/docs/passwordpolicyenforcer/11.2/index.md +++ b/docs/passwordpolicyenforcer/11.2/index.md 
@@ -37,7 +37,7 @@ The Configuration Console has some additional requirements: This component sends email from Password Policy Enforcer to your mail server. Although not required, this component supports several PPE features, so you'll most likely want to install it on one server in the domain. This component requires the [.NET Desktop Runtime 10.0 or later](https://aka.ms/dotnet/10.0/windowsdesktop-runtime-win-x64.exe). ### Password Policy Client (PPC) -The Password Policy Client helps users to choose a compliant password by showing them the password policy rules, and also which rules they don't comply with. This component is optional, but very beneficial. It works on all operating systems listed in the System Requirements section, but you'll typically only install it on users' computers and virtual desktops. +The Password Policy Client helps users to choose a compliant password by showing them the password policy rules, and also which rules they don't comply with. This component is optional, but very beneficial. It works on all operating systems listed in the System Requirements section, but you'll typically only install it on users' computers, virtual desktops, and Remote Desktop Session Hosts. ### Password Policy Enforcer Web Password Policy Enforcer Web is an optional component that runs on Microsoft Internet Information Services (IIS). It has similar features to the Password Policy Client, but via a web interface. Use Password Policy Enforcer Web if you prefer not to install the Password Policy Client, or if you want to integrate Active Directory password changes into your own applications. diff --git a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md index a2ba937f95..751f2c2202 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md +++ b/docs/passwordpolicyenforcer/11.2/installation/disable_windows_rules.md 
@@ -1,51 +1,36 @@ --- title: "Disable Windows Rules" -description: "Disable Windows Rules" -sidebar_position: 80 +description: "How to disable the Windows password policy rules to avoid conflicts with Password Policy Enforcer." +sidebar_position: 20 --- # Disable Windows Rules -The Windows password policy rules can place restrictions on password history, age, length, and -complexity. If you enable the Password Policy Enforcer rules and the Windows rules, then users must -comply with both sets of rules. +Windows has its own password policy rules for password history, age, length, and complexity. If you enable both Password Policy Enforcer (PPE) rules and Windows rules, users must comply with both the PPE and Windows rules. -Password Policy Enforcer has its own history, minimum age, and maximum age, length, and complexity rules. -See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. You can use the Password Policy Enforcer -and Windows rules together. A password is only accepted if it complies with the Windows and Password -Policy Enforcer password policies. +PPE has its own rules for password [history](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md), [minimum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md), [maximum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [length](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md), and [complexity](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. It is therefore recommended to disable the Windows password policy rules while you are experimenting with and testing your PPE configuration. 
-These steps disable the Windows password policy rules: +To disable the Windows password policy rules: -**Step 1 –** Start the Group Policy Management Console **(gpmc.msc**). - -**Step 2 –** Expand the forest and domain items in the left pane. - -**Step 3 –** Right-click the **Default Domain Policy GPO** (or whichever GPO you use to set your -domain password policy), then click **Edit...** - -**Step 4 –** Expand the **Computer Configuration**, **Policies**, **Windows Settings**, **Security -Settings**, **Account Policies**, and **Password Policy** items. - -**Step 5 –** Double-click **Enforce password history** in the right pane of the GPO Editor. - -**Step 6 –** Enter **0** in the text box, then click **OK**. - -**Step 7 –** Repeat the step above for the **Maximum password age**, **Minimum password age**, and -**Minimum password length** policies. - -**Step 8 –** Double-click **Password must meet complexity requirements** in the right pane. - -**Step 9 –** Select the **Disabled** option, and then click **OK**. - -**Step 10 –** Close the Group Policy Management Editor. +1. Start the Group Policy Management Console (`gpmc.msc`). +2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane. +3. Right-click the **Default Domain Policy** GPO (or whichever GPO you use for your domain password policy), then click **Edit**. +4. Expand **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**. +5. Double-click **Enforce password history** in the right pane. +6. Enter **0** in the text box, then click **OK**. +7. Repeat step 6 for **Maximum password age**, **Minimum password age**, and **Minimum password length**. +8. Double-click **Password must meet complexity requirements** in the right pane. +9. Select **Disabled**, then click **OK**. +10. Close the Group Policy Management Editor. 
![installing_ppe_3](/images/passwordpolicyenforcer/11.2/evaluation/preparing_the_computer.webp) +:::tip +Don't set the Windows policies to **Not Configured** as that leaves the previously enforced value in place and doesn't disable the rule. Instead, follow the steps above to explicitly set each numeric policy to **0** and set the complexity policy to **Disabled**. +::: + :::note -You don't have to disable all the Windows password policy rules to use Password Policy -Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you -like. Remember that a password is only accepted if it complies with the rules enforced by both -Windows and Password Policy Enforcer. +You don't have to disable the Windows password policy rules to use PPE. A password must comply with both the Windows and PPE policies to be accepted. +Fine-Grained Password Policies (FGPP) override the domain password policy. If your organization uses FGPP, you'll also need to remove or modify any Password Settings Objects (PSOs) that apply to your users. To do that, open **Active Directory Administrative Center**, navigate to **System** > **Password Settings Container**, and remove or modify the relevant PSOs. ::: diff --git a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md index 4bf5f4f059..5bcb7abbe2 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md +++ b/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md 
@@ -1,95 +1,55 @@ --- title: "Domain and Local Policies" -description: "Domain and Local Policies" -sidebar_position: 10 +description: "Use Password Policy Enforcer to enforce domain and local password policies." +sidebar_position: 50 --- # Domain and Local Policies -Netwrix Password Policy Enforcer enforces password policies for both domain and local user accounts. +Netwrix Password Policy Enforcer (PPE) enforces password policies for both domain and local user accounts. Domain user accounts exist in Active Directory. The domain controllers store information about these accounts and replicate changes among themselves. -Local user accounts exist in the SAM database of workstations and servers. The workstations and -servers may be standalone, or domain members. The host computer stores information about these accounts locally and doesn't replicate it to any other computers. +Local user accounts exist in the SAM database of workstations and servers. The workstations and servers can be standalone or domain members. The host computer stores information about these accounts locally and doesn't replicate it to any other computers. -A typical Windows network has both domain and local user accounts, but you may not want to enforce -Password Policy Enforcer password policies for both account types. If your users normally log on with -a domain account, then you will most likely only use Password Policy Enforcer to enforce password -policies for the domain accounts. +A typical Windows network has both domain and local user accounts, but you might not want to enforce PPE policies for both account types. If your users normally log on with a domain account, you'll most likely only enforce password policies for domain accounts. ## Installation Differences -To enforce password policies for domain user accounts, you should install Password Policy Enforcer -onto all the domain controllers in the domain. 
If you have read-only domain controllers and aren't -using the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md), [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md), or other software -(such as -[Netwrix Password Reset](https://www.netwrix.com/active_directory_password_reset_tool.html)) that -uses the Password Policy Enforcer Client protocol, then you don't need to install Password Policy -Enforcer on the read-only domain controllers. +Install Password Policy Enforcer on all the domain controllers in the domain to enforce password policies for domain user accounts. You don't need to install it on read-only domain controllers unless you're using the [Maximum Age rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md), [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md), or Netwrix Password Reset. -To enforce password policies for local user accounts, you should install Password Policy Enforcer -onto the computers containing the user accounts you want to enforce password policies for. These -computers may be workstations or servers, and they may be standalone or domain members. You don't normally need to install Password Policy Enforcer onto all the workstations and servers in -a domain, because most domain users log on with a domain account. If this is the case, you -will most likely only need to install Password Policy Enforcer on the domain controllers. +To enforce password policies for local user accounts, install Password Policy Enforcer on the computers that contain the user accounts you want to enforce password policies for. These computers can be workstations or servers, and they can be standalone or domain members. 
You don't normally need to install PPE on the workstations and servers in a domain because most users log on with a domain account. If this is the case, you'll most likely only need to install PPE on the domain controllers. ## Operational Differences -Most of Password Policy Enforcer's rules and features work with both domain and local -policies, but there are some differences. When enforcing the password policy for domain accounts, -Password Policy Enforcer queries Active Directory to get information about the accounts. +Most of Password Policy Enforcer's rules and features work with both domain and local policies, but there are some differences. These differences are due to password filter technical limitations, and also because some information isn't in the SAM. You can't use the following rules and features with local password policies: -Although getting most of this information from the SAM database for local accounts is theoretically possible, a technical limitation prevents password filters from querying the SAM. Some information, such as the user's OU, also doesn't exist in the SAM. Because of these -limitations, you can't use the following rules and features with local password policies: +- The [Minimum Age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md) and [Maximum Age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md) rules (you can still use the Windows versions of these rules). +- [Policy assignments](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) by groups and containers. -- The Minimum Age and Maximum Age rules (you can use the Windows version of these rules with - Password Policy Enforcer). See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. -- Policy assignments by groups and containers. 
See the - [Assign Policies to Users & Groups](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) topic for additional information. +PPE stores configuration information in Active Directory for domain password policies, and in the Windows registry for local password policies. Use the [**Connected to**](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#connected-to) box in the PPE Configuration Console's home page to choose a configuration source. -Password Policy Enforcer stores its configuration in Active Directory for domain password policies, and in the Windows registry for local password policies. The Connect To page in the Password Policy -Enforcer Configuration Console. Use it to choose a configuration source. See the -[Connected To](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#connected-to) topic for additional information. Changes to Password Policy Enforcer's domain configuration replicate to all domain controllers in the -domain. Changes to a local configuration apply only to the local computer. If you want to use -the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy -Enforcer 10.0\ registry key from the configured computer, and import it into the other computers. +Changes to a domain configuration automatically replicate to all domain controllers in the domain. Changes to a local configuration apply only to the local computer. If you want to use the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 11.0\ registry key from the configured computer, and import it into the other computers. -You can also use Group Policy to distribute Password Policy Enforcer's local configuration to many -computers in a domain. This is only necessary for local password policies. Domain password policies -automatically replicate to the domain controllers because they are stored in Active Directory. 
+You can also use Group Policy to distribute a local configuration to many computers in a domain. This is only necessary for local password policies. Domain password policies automatically replicate to the domain controllers because they're stored in Active Directory. ### Distribute the local configuration with Group Policy -**Step 1 –** Start the Group Policy Management Console (gpmc.msc). +1. Start the Group Policy Management Console (gpmc.msc). +2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane. +3. Right-click the Group Policy object you want to use, then click **Edit...** +4. Expand the **Computer Configuration**, **Preferences**, and **Windows Settings** items in the left pane. +5. Right-click the **Registry** item, then select **New** > **Registry Wizard**. -**Step 2 –** Expand the forest and domain items in the left pane. + ![domain_and_local_policies](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies.webp) -**Step 3 –** Right-click the **Group Policy** object that you would like to use to distribute the -configuration, and then click the **Edit...** button. +6. Select the computer that contains the Password Policy Enforcer local configuration you want to distribute, then click **Next**. +7. Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, and **ANIXIS** items. +8. Click the **Password Policy Enforcer 11.0** item, then select the check boxes beside each item in the bottom pane of the window. -**Step 4 –** Expand the Computer Configuration, Preferences, and Windows Settings items in the left -pane. + ![domain_and_local_policies_1](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies_1.webp) -**Step 5 –** Right-click the **Registry** item, and then select **New** > **Registry Wizard**. +9. Click **Finish**. +10. Close the Group Policy Management Editor. 
-![domain_and_local_policies](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies.webp) - -**Step 6 –** Select the computer that contains the Password Policy Enforcer local configuration that -you want to distribute, and then click **Next**. - -**Step 7 –** Expand the **HKEY_LOCAL_MACHINE**, **SOFTWARE**, and **ANIXIS** items. - -**Step 8 –** Click the **Password Policy Enforcer _version_** item, and then select the check boxes -beside each item in the bottom pane of the window. - -![domain_and_local_policies_1](/images/passwordpolicyenforcer/11.2/administration/domain_and_local_policies_1.webp) - -**Step 9 –** Click **Finish**. - -**Step 10 –** Close the Group Policy Management Editor. - -Windows applies Password Policy Enforcer's local configuration to the target computers in the domain. -This doesn't happen immediately, as Windows takes some time to apply the changes to Group Policy. -You can force an immediate refresh of Group Policy on the local computer with this command: -`gpupdate /target:computer` +Windows applies Password Policy Enforcer's local configuration to the target computers in the domain. This doesn't happen immediately, as Windows takes some time to apply the changes to Group Policy. You can force an immediate refresh of Group Policy on the local computer with this command: `gpupdate /target:computer` diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md index ab1450f8d3..5fb92cb972 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationclient.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationclient.md 
@@ -1,134 +1,69 @@ --- -title: "Install Password Policy Enforcer Client" -description: "Install Password Policy Enforcer Client" +title: "Install the Password Policy Client" +description: "Install the Password Policy Client to help users choose a compliant password." sidebar_position: 30 --- -# Install Password Policy Enforcer Client +# Install the Password Policy Client -This procedure is used to install the client on your current workstation. See the -[Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) top for details on installing the client -across your network. You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). +The Password Policy Client (PPC) is an optional component that helps users choose a compliant password. It shows users which rules they need to comply with while they enter their new password. The PPC also displays a detailed rejection reason message if PPE rejects the new password. You typically install the PPC on users' computers, virtual desktops, and Remote Desktop Session Hosts. The list of supported operating systems is in the [introduction](/docs/passwordpolicyenforcer/11.2/index.md). -**Step 1 –** Navigate to the folder where you extracted the installers downloaded from Netwrix. - -**Step 2 –** Click the **Netwrix_PPE_Client**version**x64.msi** (64 bit OS) or -**Netwrix_PPE_Client**version**x86.msi** (32 bit OS) installation package. The installer is -launched. +:::note +The Password Policy Client doesn't store or send passwords or password hashes over the network. The protocol is encrypted for additional security, but even if an attacker compromised the encryption, it wouldn't reveal any passwords or password hashes. 
-![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup1.webp) +PPE only enforces the [Similarity rule](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/similarity_rule.md) if the user changes their password from the PPC, [PPE Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md), or Netwrix Password Reset. +::: -**Step 3 –** Click **Next**. +## Manual Installation -![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup2.webp) +To manually install the Password Policy Client: -**Step 4 –** Review the End-User License Agreement. Click **I accept the terms in the License -Agreement**. +1. Run **Netwrix_PPE_Client_11.2.0.148_x64.msi** (64-bit) or **Netwrix_PPE_Client_11.2.0.148_x86.msi** (32-bit). The Setup wizard opens. -**Step 5 –** Click **Next**. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup1.webp) -![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup3.webp) +2. Click **Next**. -**Step 6 –** Click **Install**. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup2.webp) -![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup4.webp) +3. Review the End-User License Agreement, select the checkbox to accept the Agreement, then click + **Next**. -**Step 7 –** Click **Finish** when installation is complete. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup3.webp) -The client is installed. There is no associated desktop icon or menu item. +4. Click **Install**. -Restart each computer to complete the installation. Windows installs the Password Policy Client -during startup. + ![Client Setup](/images/passwordpolicyenforcer/11.2/install/clientsetup4.webp) -## Testing the Password Policy Client - -Test the Password Policy Client by logging on to a computer and pressing the CTRL + ALT + DEL keys -and clicking the **Change a password** item. 
If you don't see the password policy, it could be -because a Password Policy Enforcer policy hasn't been assigned to you, or because the firewall -rules haven't been created. +5. Click **Finish** when installation is complete. You don't typically need to restart the computer. :::note -The Password Policy Client doesn't store or send passwords or password hashes over the -network. An attacker can't determine user passwords by sniffing the communication protocol. The -protocol is also encrypted by default for additional protection. +The Password Policy Client runs automatically during a password change. There is no associated desktop icon or start menu item. ::: +## Automated Deployment -## Creating Firewall Rules for the Password Policy Client - -You may need to create firewall rules for the Password Policy Client if your domain controllers are -running a software (host) firewall, or if the Password Policy Client and Password Policy Server -communicate through a firewall. Firewall rules aren't necessary for local policies because the -Password Policy Client and Password Policy Server are on the same computer. - -### Windows Firewall +Use a software deployment tool or [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) to automate deployment across many computers. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install the 64-bit Password Policy Client: -If Windows Firewall is enabled on your domain controllers, then you must create a port exception to -allow connections to the Password Policy Server. Windows Firewall is enabled by default on Windows -Server 2008 and later. +```batch +msiexec /i Netwrix_PPE_Client_11.2.0.148_x64.msi /q +``` -Follow the steps to create the port exception on all domain controllers. - -**Step 1 –** Use the **Group Policy Management Console** (gpmc.msc) to display the GPOs linked to -the Domain Controllers OU. 
- -**Step 2 –** Right-click the **Password Policy Enforcer GPO**, and then click **Edit...**. - -:::note -You need to create the GPO if you chose the Express Setup option. +:::tip +Add an exclusion for `%ProgramFiles%\Netwrix\Password Policy Enforcer\PPEClt.DLL` to exclude the client from antivirus or other security software. This is optional. ::: +## Testing the Password Policy Client -**Step 3 –** Expand the **Computer Configuration**, **Policies**, **Administrative Templates**, -**Network**, **Network Connections**, and **Windows Firewall** items. - -**Step 4 –** Click **Domain Profile** in the left pane then double-click **Windows Firewall: Define -inbound port exceptions** in the right pane. - -![the_password_policy_client_3](/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp) - -**Step 5 –** Select the **Enabled** option, and then click **Show...**. - -![the_password_policy_client_4](/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp) - -**Step 6 –** Select the **Enabled** option, and then click **Show...**. - -![the_password_policy_client_5](/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp) - -**Step 7 –** Click **OK** until you return to the Group Policy Management Editor. - -**Step 8 –** Close the **Group Policy Management Editor**. - -### Other Firewalls - -Use the information on this page to create appropriate rules for your firewall that allow the -Password Policy Client and Password Policy Server to communicate through the firewall. 
- -The Password Policy Client initiates a request by sending a datagram with the following attributes -to the Password Policy Server: - -| Attribute | Result | -| ------------------- | ---------------------------- | -| Protocol | UDP | -| Source Address | Client Computer IP address | -| Source Port | Any | -| Destination address | Domain controller IP address | -| Destination port | 1333 | - -The Password Policy Server responds by sending a datagram with the following attributes back to the -Password Policy Client: +Test the Password Policy Client by logging on to a computer, pressing **Ctrl+Alt+Del**, and clicking **Change a password**. You should see the password policy rules on the password change screen. If you don't see the rules, then ensure that: +- The [Password Policy Server (PPS)](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) is installed on all domain controllers in the domain. +- You restarted all domain controllers after installing the PPS. +- A PPE policy is [assigned](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/usersgroups.md) to the logged on user account. -| Attribute | Result | -| ------------------- | ---------------------------- | -| Protocol | UDP | -| Source Address | Domain controller IP address | -| Source Port | Any | -| Destination address | Client Computer IP address | -| Destination port | Any | +## Uninstalling -:::note -If your firewall performs Stateful Packet Inspection, then only create a rule for the -request datagram as the firewall automatically recognizes and allows the response datagram. +You can uninstall the Password Policy Client from the **Installed apps** page in Windows Settings, or the **Uninstall or change a program** page in Control Panel. You can also run msiexec to uninstall from the command line. For example, run this command with elevated permissions to silently uninstall the 64-bit Password Policy Client: -::: +```batch +msiexec /x Netwrix_PPE_Client_11.2.0.148_x64.msi /q +``` 
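Review bot: The troubleshooting list under "Testing the Password Policy Client" drops the firewall case even though this hunk deletes the whole "Creating Firewall Rules for the Password Policy Client" section, including the UDP port 1333 request/response table, without linking to a replacement. A host firewall on the domain controllers, or a firewall between the client and the Password Policy Server, is still a reason the rules may not appear, so add a fourth bullet such as `- Firewalls between the client and the domain controllers allow the Password Policy Client to reach the Password Policy Server (UDP port 1333 inbound on the domain controllers).` or a link to wherever the firewall guidance now lives. The reworded note also claims more than the old text did: "even if an attacker compromised the encryption, it wouldn't reveal any passwords or password hashes" goes beyond "doesn't store or send passwords or password hashes", so either say what the protocol does carry (rule identifiers and rejection reasons, presumably) or keep the original wording. The hard-coded `Netwrix_PPE_Client_11.2.0.148_x64.msi` file names will need updating on every build; the old `version` placeholder avoided that.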
diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md b/docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md deleted file mode 100644 index e386218e0c..0000000000 --- a/docs/passwordpolicyenforcer/11.2/installation/installationconfigconsole.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: "Install the Configuration Console" -description: "Install the Configuration Console" -sidebar_position: 50 ---- - -# Install the Configuration Console - -The Configuration Console configures and manages Netwrix Password Policy Enforcer on your domain. - -Install the Password Policy Enforcer Configuration Console on any server or workstation where you need it. - -The Configuration Console is a feature package included in the server installation **.msi** file: - -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. -- Configuration Console – manages policy configuration. Install wherever needed. -- Mailer Service – sends email reminders. Install on any server. - -Follow the procedure in [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md), -selecting the **Configuration Console** feature. You can select the other features if appropriate -for the server. - -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md index 55cba924c2..ab4ea85d90 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md +++ b/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md 
@@ -1,86 +1,57 @@ --- -title: "Install with Group Policy Management" -description: "Install with Group Policy Management" +title: "Deploy with Group Policy" +description: "Deploy Password Policy Enforcer to multiple computers with Group Policy." sidebar_position: 40 --- -# Install with Group Policy Management +# Deploy with Group Policy -An automated installation uses Group Policy to distribute Password Policy Enforcer. This type of -installation is recommended when you need to install Password Policy Enforcer on many computers. -This section shows you how to install Password Policy Enforcer on domain controllers to enforce -domain policies, but you can also use Group Policy to target member servers and workstations if you -need to enforce local policies. See the -[Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) topic for additional -information. +You can use Group Policy to deploy the [Password Policy Enforcer server components](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) or the [Password Policy Client (PPC)](/docs/passwordpolicyenforcer/11.2/installation/installationclient.md). Microsoft Endpoint Configuration Manager (MECM) and other software deployment tools can also be used. ## Create a Distribution Point -A distribution point can either be a UNC path to a server share, or a DFS (Distributed File System) -path. To create a Password Policy Enforcer distribution point: +A distribution point can be a UNC path to a server share, or a Distributed File System (DFS) path. To create a distribution point: -**Step 1 –** Log on to a server as an administrator. - -**Step 2 –** Create a shared network folder to distribute the files from. - -**Step 3 –** Give the **Domain Controllers** security group read access to the share, and limit -write access to authorized personnel only. - -**Step 4 –** Download the Netwrix Password Policy Enforcer installation package from Netwrix. 
- -**Step 5 –** Extract the installers from the compressed file. - -**Step 6 –** Copy the **.msi** files to the distribution folder. +1. Log on to a server as an administrator. +2. Create a shared network folder to distribute the files from. +3. Give the security group for your target computers (for example, **Domain Controllers** for domain controllers or **Domain Computers** for workstations) read access to the share, and limit write access to authorized personnel only. +4. Copy the .msi installers to the distribution folder. ## Create a Group Policy Object -**Step 1 –** Start the Group Policy Management Console (**gpmc.msc**). +1. Start the Group Policy Management Console (**gpmc.msc**). +2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane. +3. Right-click the target OU in the left pane, then click **Create a GPO in this domain, and Link it here...**. Target the Domain Controllers OU to install a package only on the domain controllers (typical for the Password Policy Server). Target the OU containing your workstations to install a package on those computers (typical for the Password Policy Client), or target the domain root to deploy to all computers in the domain. -**Step 2 –** Expand the forest and domain items in the left pane. + ![GPM installation](/images/passwordpolicyenforcer/11.2/install/gpm1.webp) -**Step 3 –** Right-click the **Domain Controllers OU** in the left pane, and then click **Create a -GPO in this domain, and Link it here...** +4. Enter a descriptive name for the GPO (for example, **Password Policy Enforcer**) in the name field, then press **Enter**. -![GPM installation](/images/passwordpolicyenforcer/11.2/install/gpm1.webp) - -**Step 4 –** Enter **Password Policy Enforcer** in the provided field, and then press **Enter**. 
- -![GPM Install](/images/passwordpolicyenforcer/11.2/install/gpm2.webp) + ![GPM Install](/images/passwordpolicyenforcer/11.2/install/gpm2.webp) ## Edit the Group Policy Object -**Step 1 –** Right-click the **Password Policy Enforcer GPO**, and then click the **Edit...** -button. +1. Right-click the GPO you just created, then click **Edit**. +2. Expand **Computer Configuration**, **Policies**, and **Software Settings**. +3. Right-click **Software installation**, then select **New** > **Package...** +4. Enter the full UNC path to the .msi file in the distribution point. -**Step 2 –** Expand the **Computer Configuration**, **Policies**, and **Software Settings** items. + :::note + You must enter a UNC path so that other computers can access the file over the network. For example: `\\\\Netwrix_PPE_.msi` + ::: -**Step 3 –** Right-click the **Software installation** item, and then select **New** > -**Package...** +5. Click **Open**. -**Step 4 –** Enter the full **UNC path** to your **msi** files. + ![installing_ppe_2](/images/passwordpolicyenforcer/11.2/install/installing_ppe_2.webp) -:::note -You must enter a UNC path so that other computers can access this file over the network. -For example: \\file server\distribution point share\Netwrix*PPE\_\_version*.msi -::: - - -**Step 5 –** Click **Open**. - -![installing_ppe_2](/images/passwordpolicyenforcer/11.2/install/installing_ppe_2.webp) - -**Step 6 –** Select **Assigned** as the deployment method. - -**Step 7 –** Click **OK**. - -**Step 8 –** Close the Group Policy Management Editor. +6. Select **Assigned** as the deployment method. +7. Click **OK**. +8. Close the Group Policy Management Editor. ## Complete the Installation -Restart each domain controller to complete the installation. Windows installs Password Policy -Enforcer during startup, and then immediately restarts the computer a second time to complete the -installation. 
+Allow time for the GPO to replicate to all domain controllers before proceeding, then restart each target computer to complete the installation. Windows installs the component during startup, then restarts the computer a second time if necessary. -Password Policy Enforcer doesn't enforce a password policy until the policies are defined. Users -can still change their password, and must comply only with the Windows password policy rules -(if enabled). +:::note +The Password Policy Server won't start enforcing a password policy until you [configure](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md) it. Users can still change their passwords during this time, and must comply with the Windows password policy rules (if enabled). +::: diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md b/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md deleted file mode 100644 index 22e072b3cc..0000000000 --- a/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md +++ /dev/null 
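Review bot: The UNC path example in the note under step 4 of "Edit the Group Policy Object" is garbled: `\\\\Netwrix_PPE_.msi` has lost the server name, share name and package name that the old `\\file server\distribution point share\Netwrix_PPE_version.msi` example carried, so it no longer shows a complete path. Replace it with a labelled placeholder path, for example `\\<file server>\<distribution share>\Netwrix_PPE_Server_11.2.0.148_x64.msi`, and check how MDX escapes the backslashes, since that is probably how the current text got mangled. Step 3 of "Create a Distribution Point" is right to limit write access; it is worth adding that the folder's NTFS permissions should be restricted to match the share permissions, because the package on that share is what every targeted computer installs at startup.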
@@ -1,33 +0,0 @@ ---- -title: "Install Mailer Service" -description: "Install Mailer Service" -sidebar_position: 60 ---- - -# Install Mailer Service - -Netwrix Password Policy Enforcer sends email reminders to domain users before their passwords -expire. This is especially useful for users who log on infrequently, and for remote users who access -the network without logging on to the domain. You must install the Password Policy Enforcer Mailer -and configure the email delivery and email message options to send email reminders to users. See the -[Notifications](/docs/passwordpolicyenforcer/11.2/admin/configconsole.md#notifications) topic for additional information. - -Add your email address to a service account, and the Password Policy Enforcer Mailer reminds you to -change the service account password before it expires. - -The Password Policy Enforcer Mailer isn't installed by default. Only install it on one server in -each domain. The Password Policy Enforcer Mailer can be installed on any server. - -The mailer is a feature package included in the server installation **.msi** file: - -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. -- Configuration Console – manages policy configuration. Install wherever needed. -- Mailer Service – sends email reminders. Install on any server. - -Follow the procedure in [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md), -selecting the **Mailer Service** feature. You can select the other features if appropriate for the -server. - -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). 
diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md
index 672252d024..7568c35ba0 100644
--- a/docs/passwordpolicyenforcer/11.2/installation/installationserver.md
+++ b/docs/passwordpolicyenforcer/11.2/installation/installationserver.md
@@ -1,79 +1,65 @@ --- -title: "Install Password Policy Enforcer on a Server" -description: "Install Password Policy Enforcer on a Server" -sidebar_position: 20 +title: "Install the Server Components" +description: "Install the Password Policy Enforcer server components with the Setup wizard or the command line." +sidebar_position: 10 --- -# Install Password Policy Enforcer on a Server +# Install the Server Components -Password Policy Enforcer server should be installed on every domain controller to enforce the -password policy for domain user accounts, or on individual servers and workstations to enforce the -password policy for local user accounts. +The Password Policy Enforcer (PPE) server installer includes the following components: +- **Password Policy Server (PPS)** — also known as the _PPE Service for DCs_. This component is typically installed on all the domain controllers in a domain. See [Domain and Local Policies](/docs/passwordpolicyenforcer/11.2/installation/domain_and_local_policies.md) for more information if your domain includes read-only domain controllers, or if you intend to enforce password policies for local user accounts. +- **Configuration Console** — Graphical and command-line tools to configure PPE. Install this component on any computer that you want to configure Password Policy Enforcer from. This could be a domain controller, a management server, or your computer. +- **Mailer Service** — Sends email on behalf of PPE. It is typically installed on one server in the domain. 
-If your domain contains some read-only domain controllers, then installation of Password Policy -Enforcer on these servers is only necessary if you are using the following features: - -- [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) -- [Password Policy Client](/docs/passwordpolicyenforcer/11.2/admin/password-policy-client/password_policy_client.md) -- [Netwrix Password Reset](https://helpcenter.netwrix.com/category/passwordreset) -- [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.2/web-overview/web_overview.md) +:::note +The [introduction](/docs/passwordpolicyenforcer/11.2/index.md) has more information about these components, including their system requirements. +::: -The Server installation package includes multiple features selected during installation: +## Manual Installation -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. -- Configuration Console – manages policy configuration. Install wherever needed. -- Mailer Service – sends email reminders. Install on any server. +To manually install one or more server components: -**Step 1 –** Download the installation package from Netwrix. +1. Run **Netwrix_PPE_Server_11.2.0.148_x64.msi**. The Setup wizard opens. -**Step 2 –** Extract the installers from the compressed file. If you are going to use Group Policy -Manager to install Netwrix Password Policy Enforcer, copy the **msi** files to a distribution -folder. See the [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) topic for additional -details. You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). 
+ ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup1.webp) -:::note -Continue with these steps to install one or more features on your current server or domain -controller. You must repeat these steps for each server where the features are installed. -::: +2. Click **Next**. + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup2.webp) -**Step 3 –** Click the **Netwrix_PPE_Server_version_x64.msi** installation package. The -installer is launched. +3. Review the End-User License Agreement, select the checkbox to accept the Agreement, then click **Next**. -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup1.webp) + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup3.webp) -**Step 4 –** Click **Next**. +4. Select one or more components to install, then click **Next**. -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup2.webp) + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup4.webp) -**Step 5 –** Review the End-User License Agreement. Click **I accept the terms in the License -Agreement**. +5. Review your selections, then click **Install**. -**Step 6 –** Click **Next**. + ![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup5.webp) -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup3.webp) +6. Click **Finish** when installation is complete. If prompted to restart the computer, then restart before using the installed components. -**Step 7 –** Select the features to install. The required storage is shown for each selection. +## Automated Deployment -- PPE Server – enforces password policies. It can be installed on Domain Controllers for domain - password policy, or on servers and workstations for local account password policy. It isn't - selected by default. -- Configuration Console – manages policy configuration. Install wherever needed. Selected by - default. -- Mailer Service – sends email reminders. 
It isn't selected by default. +If you have many domain controllers, use a software deployment tool or [Group Policy](/docs/passwordpolicyenforcer/11.2/installation/installationgpm.md) to automate the deployment. You can also run msiexec to install from the command line. For example, run this command with elevated permissions to silently install only the PPS component and immediately restart the computer: -**Step 8 –** The default location is shown. Click **Browse** and select a new location if needed. + ```batch +msiexec /i Netwrix_PPE_Server_11.2.0.148_x64.msi ADDLOCAL=FeatureServerPPE /q +``` -**Step 9 –** Click **Next**. +The ADDLOCAL argument tells msiexec which components to install. `ADDLOCAL=FeatureServerPPE,FeatureConsole,FeaturePPEMailerServer` installs all the server components. -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup4.webp) +:::tip +Add an exclusion for `%ProgramFiles%\Netwrix\Password Policy Enforcer\PPE.DLL` to exclude PPE from antivirus or other security software. This is optional. +::: -**Step 10 –** Review your selections. Click **Back** to make any changes. When ready, click -**Install**. +## Uninstalling -![Server Setup](/images/passwordpolicyenforcer/11.2/install/serversetup5.webp) +You can uninstall, repair, or change the installed server components from the **Installed apps** page in Windows Settings, or the **Uninstall or change a program** page in Control Panel. You can also run msiexec to uninstall from the command line. For example, run this command with elevated permissions to silently uninstall all the PPE server components without restarting the computer: -**Step 11 –** Click **Finish** when installation is complete. You are prompted to restart your -system for the changes to take effect. +```batch +msiexec /x Netwrix_PPE_Server_11.2.0.148_x64.msi /q /norestart +``` +Use the REMOVE argument to remove individual components. For example, `REMOVE=FeaturePPEMailerServer` 
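Review bot: The closing sentence of "Uninstalling", `Use the REMOVE argument to remove individual components. For example, `REMOVE=FeaturePPEMailerServer``, is a fragment that sits directly after an `msiexec /x` example, and `/x` already removes the whole product, so readers may combine the two. Show it as a complete maintenance-mode command, for example `msiexec /i Netwrix_PPE_Server_11.2.0.148_x64.msi REMOVE=FeaturePPEMailerServer /q`, end the sentence with a period, and confirm the exact form against the installer. The opening fence of the first command block in "Automated Deployment" is indented (` ```batch`) while its closing fence is not; it renders, but it is inconsistent with the client page. The antivirus exclusion tip should state why the exclusion is recommended so administrators can weigh it: excluding a DLL that ships with components installed on domain controllers removes that file from scanning, which is a deliberate detection gap, so the tip could also recommend scoping the exclusion to the exact file path shown rather than the folder.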
diff --git a/docs/passwordpolicyenforcer/11.2/installation/uninstall.md b/docs/passwordpolicyenforcer/11.2/installation/uninstall.md deleted file mode 100644 index 78e7f5e3d9..0000000000 --- a/docs/passwordpolicyenforcer/11.2/installation/uninstall.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: "Uninstall Netwrix Password Policy Enforcer" -description: "Uninstall Netwrix Password Policy Enforcer" -sidebar_position: 120 ---- - -# Uninstall Netwrix Password Policy Enforcer - -You can uninstall Password Policy Enforcer on every domain server and computer, or use Group Policy -Management to remove the PPE Server and PPE Client on all machines. - -You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). - -**Step 1 –** Open **Start** > **Control Panel** > **Programs and Features** on each system where a -PPE component is installed. - -**Step 2 –** Click **Uninstall a program**. - -**Step 3 –** Select Netwrix Password Policy Enforcer to uninstall the PPE Server, PPE Configuration -Console and Mailer. - -**Step 4 –** Click **Uninstall**. - -**Step 5 –** Select Netwrix Password Policy Client to uninstall the client. - -**Step 6 –** Click **Uninstall**. - -**Step 7 –** Reboot the Domain Controller. diff --git a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md index d8f7bbd0ae..cdc59b152f 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/upgrading.md +++ b/docs/passwordpolicyenforcer/11.2/installation/upgrading.md @@ -1,7 +1,7 @@ --- title: "Upgrading Password Policy Enforcer" description: "Upgrading Password Policy Enforcer" -sidebar_position: 110 +sidebar_position: 60 --- # Upgrading Password Policy Enforcer 
@@ -11,7 +11,7 @@ Upgrades are supported for versions 9.0 and above. Contact Customer Support at upgrading older versions You can also install/uninstall the products using command line -[Silent Installation](/docs/passwordpolicyenforcer/11.2/admin/command_line_interface.md#silent-installation). +[Silent Installation](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md#automated-deployment). **Upgrading the Password Policy Server** @@ -48,8 +48,8 @@ recommended. **Upgrading the Mailer** The Password Policy Enforcer installer detects existing installations of the Password Policy -Enforcer Mailer and upgrades them to 11. See the [Install Mailer Service](/docs/passwordpolicyenforcer/11.2/installation/installationmailer.md) -topic for additional information. +Enforcer Mailer and upgrades them to 11. See [Install the Password Policy Server](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md) +for information on installing the Mailer Service feature. **Upgrade Notes** diff --git a/docs/passwordpolicyenforcer/11.2/installation/installationweb.md b/docs/passwordpolicyenforcer/11.2/web-overview/installationweb.md similarity index 85% rename from docs/passwordpolicyenforcer/11.2/installation/installationweb.md rename to docs/passwordpolicyenforcer/11.2/web-overview/installationweb.md index a4d21f3558..fd165bb83b 100644 --- a/docs/passwordpolicyenforcer/11.2/installation/installationweb.md +++ b/docs/passwordpolicyenforcer/11.2/web-overview/installationweb.md @@ -1,7 +1,7 @@ --- title: "Install Password Policy Enforcer Web" description: "Install Password Policy Enforcer Web" -sidebar_position: 70 +sidebar_position: 10 --- # Install Password Policy Enforcer Web 
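Review bot: The retargeted links in upgrading.md keep stale link text: "Silent Installation" now points to a section titled "Automated Deployment", and "Install the Password Policy Server" points to a page this commit retitles "Install the Server Components". Change the link text to match the targets, for example `[Automated Deployment](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md#automated-deployment)` and `See [Install the Server Components](/docs/passwordpolicyenforcer/11.2/installation/installationserver.md)`, so readers can find the section they land on.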
@@ -34,7 +34,7 @@ click **Next** if you accept all the terms.
 **Step 5 –** Click **Browse...** if you want to choose a different folder for the Password Policy
 Enforcer Web documentation and tools, then click **Next**.
 
-**Step 6 –** Select an **IIS Web Site** from the dropdown. Change the default Virtual Directory, if
+**Step 6 –** Select an **IIS Web Site** from the dropdown. Change the default Virtual Directory, if
 needed.
 
 :::note
@@ -53,8 +53,8 @@ is recommended.
 
 #### Before You Begin
 
-The HTML templates and associated images are overwritten during an upgrade. You must back up and
-customized HTML templates and images before upgrading. The HTML templates and images are installed
+The HTML templates and associated images are overwritten during an upgrade. You must back up and
+customized HTML templates and images before upgrading. The HTML templates and images are installed
 in the `\Inetpub\wwwroot\ppeweb\` folder by default.
 
 :::note
@@ -76,5 +76,5 @@ integration.
 **Step 1 –** Start the PPE Web Setup Wizard and follow the prompts. The Setup Wizard uninstalls the
 previous version. There is no need to manually uninstall previous versions.
 
-**Step 2 –** Restore any customized HTML templates and images after upgrading. Don't restore
+**Step 2 –** Restore any customized HTML templates and images after upgrading. Don't restore
 PPEWeb.dll from the backup as it belongs to the previous version.
diff --git a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp b/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_3.webp deleted file mode 100644 index 0a9f8b7fcef2c00f0971361c109c9f5b2d429360..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 63632 zcmY&<1B@>|@aNjLjkmUK+qP}nwr$(C-`cjVx8Cpl{+G+;u4yM})0s}1;xnD8vXr=Z z8GoSvh`!|4-@2~((fC}LF zXW+XaQQ$P-FaYrT=Bo_2__+dHJ{kQo01WOO2G8H`e+mGA$FIPEO8@{cu>%UQ004gZ z4+y{cvOZDU2-UbI^{B^zoUj^3*Z-~EubH0jigOh+tfbB2f*W!!g_x^QX(*V|g z@t1Ilu;91lXZgF~ZQy%<06-dm^*Q!${@P$4um=eLxqsLBnmFBmy_W&7ejk4V&IsQL z6AdN;;sH9pv%fsQnE&=;4MG8QKRQ1dHx3E$A-}NS_a_4PfCYw{0*v4DACYg!?}59$ zGXl3C)UWy1f(OE#|CHYUM0~nG7uXhP4Dbg?{MY~hKY#_qBf!)^KS1MW=J)x(J{n5{ zI{{a}uAjob+uwv=0sjK}2+#co17ZRE0QjHz@AVZ{q2l&HPgh^#P+>ci8HX5t+BU%UXOTlAERs#HREYR3vV3vF2~*v zCuai07?FnRmsq7y=abaX1`Y0wudKR|6!^tdRe%HfVyendgxGfSo}CUC+(Ix3A2!p{ zott0e0VdU$9f;&*Iv2d;zpyX4wR6*E=T19ppk3)2^5|{nE=nRu>bHEg0bzWOJopS$ zb153g7Av&-rx6q-a8D~36UzMdO97s~c>ve|4l99PetAIHKzauLmcaRGyFh2=3|eJJ zOy*w$R+sYnZ;XIFWsdI8CRdss{aAoD8%&YTfd$2IxcrS!Se4EzZBVBfC2Fmt-@VV? zTi^dflBbj^`pJwg<~}|ROs6}`tw4+^8}3%RWI_yZ1Rfp)X&ADB#)$XNgNa1*xxvZ* z#Do#g_CW0`=pF4jB@I?GUFg(ETyy3cbNuEb%#cV#4RTHrA-x3d=?GZr^G z4W;K% z=r+P*YjSKU4BTkTp_Tx5iV$xk?vEEeGo?2RjLNXF+;oA)-nfWQSA(>KkGQolElLws z1L~Qwc~_HWJf7B7=pk2Y>;#;P@4$|lS#G9H5t7+c!rGyy$lIEs#^|m%1iH_C9`{m) zoAm4SG9xv|QRU9hx4cGx8kVjvt2uugC$JP5oo#eNhpU4ddg+Uk#R=^IF%gTO-@Doo z^hse(gI3=C0;R~HkS+Q>$d>eP@&1db09I=y#_umn?BAL6!$OaK*ynw*2^R4^Ka@Rq z;jdJ`E|`{OzQ<6+z3IuNTr39ni#w*Nh&XUh0J^+Z3yjAb=@|EXttOR%aOFA5BEeJ- zja05-f~zN4Rr2V#6)B#0O8?(VLm|@?LtwU}K zR(c#^d(T6Rg)y$JKRb(V$@Y09ULF!_YTTs30;%jKDmjS4k`)cSr&^oPUxd`Bd|};) zEBIwYy@-5W&!P+{P_=}z207Jh0YC$osljGSCX0P=Q3)l6qnDL}dOX0_i<3ReQ(+Xz z%RD{ZD_)m|#z&nKlo?acCF_QEi90K7va^FKo!bw2k!sJImDbELz$LRzw@3gNx;yyPsg0EiEzF@ZO`LkskWW>g0v+s zJ=6H|&ch^aHLkg|IicVzg>FPrhYV^IitWRn1c1QTp3bs4K5VvnG!1tRZ)vMgcgF#3 znTmmJ5s%zm8gd5c%J07|K@4oG%;UE?QXy@K8u+Tg4hj*+^N{`f%bopy%K$(uLGAd! 
z?xiiwX@Bo~R*e`zC|8J2!aci^9(!h@!k9EvK|{(iu)x^#kq<9 zsk?q8JnWfGgxJWp*IiW?Mb9JnPd@ zql{BLn1c~YnS2)rHMxytSEYy*vJy1ycK=@W){-U{)yGCAbH>b}Q@70?I~szUbQ;P!v`YMv0E~Fl3x+yFXdrZ$=3*I!CqyI&J}i*XT8FuBG&h;=qF_|9^LP z#8O7UXnCEOVvDc@?tUv{3+gQ*_C_DVow`3eiIVM-HhIZ(%LYSD;h=kAkfWwL|4GJ} z`09LNrc!*A!qe4m-Sy9Gg#f>`WF2?&*8v)@bp+U2B&sw{+yhjW|}zgTP>Gu6)@nEeJ)r|TpVTU$fO1toS!roo#f zqXbhyc@#ZHyjD#LX(aAK&I1!HGov-PiC9Ahuux?yu6AKkeyO$m_H(BfNpg=96Y(|r zUgt+nNUE6pq-9}t-}h+)b_C54Wu-RHdT;kLp1AB?RA#pZ)RgqKPyL&~bCX{p zJPcQN{k}Xr;ji`NB0;cW5(w{Q;dn9qI?A4BB(Xicob6z9{i=%kMgjVLU*M4q0xk#R zH-k*S%;Qdu@sPSfB^{S1?MJqdoeVxCn!!90JFk%AORn_ZtTL+)4od=rFfglnx_6kg zoExd9W6i;?>lSXn!LNgC{0B0@^Q2uOZCA*5=r(KZzRK>(Gj(?97o?cdprBQ|psl#G z_DZ*}#uU5;YD(S4A{Uk9l) z{jAWlMA>5mA`j-$>@IP9OXgBZncVVpKRwjxKfdDgM|~7qyg^Gx6{)UbxGr5OE)B`% zkm2{-$qG!_1%z9AH$nGE*$P@0(tjuUK-zK2Olf+5!%;Am_y@*e0H!uea}z5h#{or} z{!qU)MO0N+vKEy6%Th1+BPrRvka8}DzRR*vN>59*ric~}x^~xFZ^GvtkCSZYcFj!7 z0tne{`f1D+4|ofB5i{Df&^dFyN&Y7@TFyPbL4E8=YT_z!9ZFq_7ReT7>rID+N+5JS z?k5;6v~(7JDPUs8KFl-*z^BIdo9|Y~f8nMa_2HOup?zx;3(@(2HZBMoPqz7caImaF zF0&Nx67;>qaG7TWR4d3RwA89^R{91=(XGILeUI2vA9b5u*!zvksw8yV5uU!NgNuRv z4fhotry8BP^#@w1LFJ4~!d@{JB&M4-9N=_)dwdErkiy(r?7@8M*Rcd&>l%oTp_}5B zs|t-k!SJei=uLeI{(50<(f@}lY(n8T2sFEYO!p_J@{BzU*HP`q<_Vu(l1hgf@2L+b zh{YjQa?iQuT>dX{o&-n%^WA;ofUMKlmv44V%C5)}sxUa(#!c7UShQ*cU+{zWmSI^* zQS!4z1pYsa|080&zlRNI?%peSzkV02kT&zQJ%jSerk%ZD*x?Py?5$niyrs7LzL+u_ zf~o_e6~oJZ2I?Df*H5OJz|M@;!T;T*$UfxCVb`0 z2rs4vlvV2>^t@3Y7OcHh`AaF-tK>Arl(xFv7`?2y`JjdQzxA=|u@Un(NbFSOOgrubE7B6K>~d~SsiW2@YdwU`rjd6KvGQ=IIuUivg}Nh?;BlN_ECXe4+Qk% zg&PI8(v?|NasZT_+&~yqO*0sP=jJ|F*rVW8_@-Z>dOJ({tr{!R-5!Kia>elI2lFpt zXXeNRu+P5>v^0Yh#k%pUF7$5HLNC&L3 zef0L3$jF6GC$#Dz)f5Qdx;2=dpp|mC=QCdxU9j-Dz}q}@-(%b$`z6CXUrclE6V}Lf zdp3QMMrQv_Vi;3i$Bkn&tT9`ee?WfAz0(axgZD}cb7mbPp`PW^wRq27B#4j4R8Z;BI|d1adNrT;$e<`CYCPI6fu%7O+( zHDgok97jK~xYFz?Y8I{%Bt?P{1e;>ylf(WaOt{(6j~;iIr4&UK)`16hFXu;i-<#kz@7-99(_6Wno?!QRc)gAOnc&!iF(Zp z!tZF%afVueL{9&0Rcs4hB;6c|2&@Y7Ra~wc$A5-@$Ulb>6$l7co1mit(nN9(JzWXV 
zr3>^|3;0~}EU7Y>>Ky0vmrL%rjY4X|z3D?&-6;pzc;_IJT$0n{GU}OYV3@5%1>Uq) zPu}aYliWgLzV9JI{z8WHH4s8EYx{8+Ragjfc`Hvy_2{{?`b=v3jNmH9;CZtTa*`X< zpyMMkEAF$#{s={^>rrn0upbsG#cenuxo&jg#boja^gLn)Ui7(C@4Jy^F$zhb%GC1@ z8vJ}bInrL23)~+`ImKV2uJ;J3dNU+#-YHOuEX3&-2EW=Cjys@ilgN@6A;)8<*Nq3a ze}&F~$cRalge-Kq%NBA=geF>uPNp*YB2x_R#H=qC6K|End$yIYr_Mm8{%&i*$cp0SLcHCr}Qsfzn`TWYv*?ifdZpd_#R3 zV9a9)*)vpn5MF6 zz(_T;_$?mxX5nws9$zYG+cvr+xVen(Wg9mxPa!$I98bq;iTY#T|6BqLhTpzOpDTq7 zJ5ET5D)9RZIJF12&f4qawsm^2w0G$G38G!;q-|96{6=%EjF_Y24X}rSVH1li-N$h&I^K(FwpMZvGOAf3xD( z5?dm`fNmI^_4U1#*c-2pO}g_>{o$$3e>Pqai_N9U(EmUgkLPDLM6b~L-=X7|N4FWs zGq3|Z^{BD?xp7UByb4n&hxoZ`;;K3U5%F<6!<@OJDk`?dJmg*_$hK=GX!>#cgImPh zw?DMyZdhgG;yw0Q`#-UR-F-GXdhwgN@K`e_s1mERBF!VQq`L3XNWR+*O4u9AL%?Y1 z$~~UX17UYBXiNitu1j)ai~-G$o-&tU&{U#S>>K&GQ)`BzWEaFdauOt^G@9La zv~!hD)5|w!5lT4OE6QMJUh{Eews>%1Gj0)HIn5>?mIV;Pr`;pHvztuctqLK;&bvl? z<~NzY+LS|yUG|OlEKFm+MFfZ;5G;6E{5sjq&;&;hba=k4Qa@TY^!C`*fE>*{q!gIR zRnp@u{$8beXNO;XuU9=Tj?S+0@`JQILjKS9KYd+bR<~F*k8Ss8(7ML^e{_dz!v<}o zslwrV%v=(YjuXK-LT3RU$cnR1fsNy%nz82#A@qJrNB3lGKk3gqc}gXMp6$7Az0-Q^P8zr)dY4<6}tSw$21K+cf%u#ytJT zI2vkXg*PfnCo+FeIZAA4X(M6IaU;#+Pq~~GJWjK&ct;`cM9P$vfs8OUK2-flJh2A< zBH&aIrn({RIlol6Zf^1F&torztgJe>LcvU}NIT1bc+w{?4wwJ_9hRqdkT!nV0*>y3 zfYrS4Zhh7ybH$>>uG~-s5TQ}Td!|aFL zzgxd}N3&4C&Vkw2VvFRl2@fQ+VbI%QqOoM*CmC7^OctJ{Otb7n$mM=-`gh*3Z)om; zk2l*ILjavPj63Dfeg(~PGlKX^)amk1_u%SoMXc#fomLiZl>gG|QJbR#b;^cJRdrU$ z(W<#6rxI~?0{d76u9*P)>zKKVC$d&Dc42$*{>VhNlM63OW*)SKFiXqb!OqQBz>-4p z_DOix1yrjnhS1oX*rAF@$_t06Lh7tRYDaym(rZ$_ka8*y zgG;#E^hUp;)s1C!v)T>=?&{gS?=+A`4EMe6%r1wM&~O8GYN(Q|Hdvv*3@Iganet{Rw=&-x6x9DXt|-x;W;@&djYFBWZ{CwlmlK{9}spWLGcp%kr94RwS1brC{+v_14eG|CRJc4YpAaW}^@FSz5zfXp=> zn*a`_r=rxpFUlxqGi&s5)K=a0XfyHI+(fI-2m*kC7SpHJX%d1^6N^z?-g7^-ebK+8 zXVc9DXs=})<62|Y=ugitMUvC28w#B>1*%&)=xOYFCrQobomJI7eYmGd zQsfO2KfNkoMtDCZ?54`qWcYA-G(k6FMBVt9C= zJ$Zk|zK7VlR(KP*_tD6sjasEg$1$F#t&5`{fl27BC#+p_6AyuR++7nh=U2RG&7JSU zD_&{C0fAk1q(MNCX4~J5TcAR%tw1+e{n$0N$q67Ogxk;)g#Gh*2`blnhK|HE51S5( z4AFnA#J$GSxKg2BP%js8_`2nj59pjfrg3&v?k- 
z|C3STDac0Z!+9rC1w6n*)NG@6gsYq6hWQyRLi5w~esFqa$ z#2k*F%IUpQ8ZpTVa`cyevU!3NGnY^4gDbMY4%Q3VBm~E-Wd`N~TQ@!q9(2R5|cj;@~w%+b^jR($wL+i7q0Bx zaNPpqnYYD^YKOi+$?Ke5(YpQ7HYS^olNWQ1aplAbW*D~?NK68YM7K}Q?9+BHS z3uV?F1}=A~2pmaH^44^X#qs!^tI1QkB|I91fOh z6JI))sVvV*B%z=a`MAZCxPTw1+%H|uMGCJG0ZuvK(OQlxMzLpl>Spz~?%ldv%8WV` z`0_&k^Vh!+K*Tla2UaL5<*kCh5yFhn;t4AbHp(zS*oMPpCU|w^6LhbFzMN#)>_Cv$ z=-&1~y<#l@#+1md#KfQ9tlNGcGG!xw&ACtn=l3jdf-}G7E-CB?DzLS>uue| zf8Q0>SCJKO$*{NTs|kkm(^`{Bu`vlqkuSaxW~jDzOp&mte{+tGAA4h1rtVnv9MtMV zjj@qjDkwToxKJ87#^8AABN*M^IYUiNq;!@$bK}he0aeY7M~T%Fmqqab_BQ1iQP(zm zA}r4p@WsR35sWT+Q3b3d=O^r>$AZ|wl^iNJ3;(BCwu~HSkE-4M=o^Vh3 zFh%3ol>NWskaN&>N`4Nhhb~&al7AA<7!&)J*l6kK;i46JJ7F)ZAuR6@IGwGn7!n?b zJ}}H;Kg4{Acr?8Zqq?O>L`)g*+eFP!NcxtgVRb6mHWfeq1V&c^w|R@y8F%IL*PHD% ztI{4Arkg-hYj@KxQi0IakC8>0)y?uU6dpokO15o(INTpI@!;#)JPDI zx63R(ell};A@C357|zpi@2-C8Hz|k2{Pz6GqMk2kQz)Qr7H)@bvFY@*kPGb3f1rSG z7!sbvwTO~@ncpHL{CKY6aU^GWkWOMSd4WrDC0Xtq5&VI!m3hWGzgI=6mw;(9&s&6ZqtA1~<^%cSkyGA!hyjF*x(Ui!@ zz?y3LsX^!R=>Vadzn|7c{HP_Wc^BEe26sFOO%+xQ=w;&DKD^%Icksd}V#Ct5e5^)+ zC%8*#6RJYNgUg(BXus4o0SD>B6jBXJ5b_z@K*e?!$xH@l9(oH5tQ_;icpzSdsayJrv_GV3|+}F6PQCg5PQ{6YcD--1oRgR`*<&L$!Dw$qq$m`Bdy^l-dmm3?4e+!5Lb7c z=?}hn8IPT;!n-_ZbbY`mLavbdYPghB8ra0B`cjpiZ-xd$vrlsUcI;;}bkI;2iq|gK z0f0qI=@7jwowkAWX*0tx8sKKr;K9aY&Y;B#d1o&P(Inyj@~gERFgGcQ>3!L^p8y~G zl;V{=+H~e~eTD>9lwlfGMX<{od3g3uADGBm2%`vQBmhkSvF;I<>?&E%TN3qXLR5vA@FYSo;*X4+3mg}By7zL-2&{Go>voAERakdTr?>BMEz*c)@duWH{s2ukPL zB4T@sa(9qPHRiM?z^R&uc5oJ#+m6_nB-?y4WVaWj%n%Sjt)M9d+)FntAf_o2HPvg~K)q=*)owj6>5&{zep>nv2%9Nq81L@7u(pVs?QioB%xU~P@@ zSe8G$=W(1gdb~a-6PE9u*x=l<-5=K2`Ml@RY9JwB-^vs}3U9CgGZ9_jIN(d7V4c|P zu3o92Zq1M6;I9JYuBg_Z-Bfk={GO-NBZ{!B?ktsn77D6vwT z@HEh}BlWKo{iq)r>R}dsV#KJI4v4Ik!%ip-u=w7&z!}DI8{+&1R3Nao3NG#8@Qu^@Yj4gcB=`{`p~Y71r>P zrt_jh2f*+1W}`Bj#=vI%ZJ2jbs~eL3lHGE)&RSqg54c@b7HMr-2Ap--r)jgPF2qPE zqQ7~t>*VX+69ZP3mQ~Q8eV~k5s_Zenge_cT*X;}aCZLavO4h4aP)CA9nsJE=e7{x5 z)SOzb!A`$9;E4#yc-jZ_z(MIY@xd^zKx9FT=6^u?k4W5)2keCyP%7zYAh>PXihIFw 
zvVdaQ4|}LuM2QyynCi8zetQhU-^qm#>&2|V=Q%*AR04i-M`j`~mU>b^a)u10@Ho>1 zT(cWsiNZ(K_BTsN*yJTB-j(?J1Q6 zMZN>E|Gm9e8yxL7ZQC|kYO|ebhuK#@vILbyC(Rv?1_u&GF#hqC_OcQ6!Ybcx0vUkL zDVAsiF*s+B4RT>o^5EVfC9bTz311nEa=xD8EHH+MX*zn!kkJX(!fmnMcUdrauo`>F zl%?~X{$cTwcogumK${n1hiCZ7ihBYV0Yn{^ykUUS=7ESPC{kBgcPpn%)TtRKS;xa?Nm4+!9mO zWmb_BA<~q<7#CQrnIbLqH3PHNj2C_A7F3KgA+{{}l7t;Odgl&Qq0i`Gg_T2A%b5*q z`x~{TJtYRY?G5trF?6dzoS((iGe(uR`N zVY%nH5V>>mITP5&I{I9L7+X-vL*l@z?ESHD=9lsQ8DSojgaWVh-%`gs00d7%SS0-U zyG-}lHY(i;-UzzZg`z!PyqR_Qc8OWOT_9==_O$O$h=H%$EMvYg^Ann2F&?W4;fEp# zw`*C0k(9v%a2huULU@QfP?K`OhpD96SegNR*Gmu~3A8FZP4-PTj;6)S)cmnu*{8 zL~1qu&ya{;xwYJ5Nr-_*)9=j>0NZ1Ws1Hk(UL4ueUAf$X%~yh*<#2AF(6T{1A#;00 zUAX|TRv(g3pQyI}g+sec6KAP(>%X<_WiQRw<(X5lZ@G;LSrW0pn%A_IvAs_-GH!_h z@^N&=${^HGQLIFgIr@3(3$e5^BeuG4Q<==*+8TIzN43@Goae|8|4w`63ujztcaTuC zaldDG9?&~Ga9QemY zxQRPnpK4juovdssrO(7MuQzB#iaF_1SfGz}Vb?FG>l1n3I&arft^%p@fPBD3Vc)R6 zuNI;1hh>P#60*}d5)L4g4-UO@!sPcn`g=qpVlvZ(;Ji9(pn&71LOrrp;!XDcAu4>hY7ZT7+c zv3H_mO&_;3ha+$4qQ@k1Z9+di{GXwo#60Y;_X-6dSeNljneb>x&>(#gwq#SCUP7?{ zkd<&v@2og$z!jDdnk&e3B#j9|g7U4>aU(Y}SCI2)kDr;cpK4s0ld0DuJ@cWssl&{L zR+5!06byCHV6!6p84HfF$rh$I67J;pcD~<0&WsE)<-WM$J2LhQ9W~@)VzK&4bs9h zQSFaOdwE3nf4|B)D}2A>3eI9@DQ$icHxz+l8DK%AQdy^O985us63Xuxk=duqw~VHR zLvLReM|PY&_0crSaDElXY#@6$4JBdpiUM$8*xNyiMYMjlcd#Fd;1Nt7EN!P4qBW6= zdwF}qm(n>1bPV?Ib)qWhus5>wy57V?=FpR~nFWes< zDeznS+)KRHoRfJv+la6W0IN?F_G_y}FTArv!sed`h zT&95V?DpY-BG6wudwUaTMy)`!{3IuR-a+i;u+0O$%1%<13faQ$KODkI_%F2i2O2$S zi}l9Q;o(WNl1tt~^SmPVNl`HK*6wA$>p?|-N%oDq$8tTOpn<<-kKPL+H;nra#Qc~= zRL$5-0~PL5GuH>CJX*WUOeGr&(Dv$!P6xmd531H*Zw+OV9+2VwsU;}Z(xZ!C?|auPax(<`Uu z4Dl_+y_V0o>CYP(<3$r;%6L+>?nNp5RhSo9ymDpwOOSUNTABkf$K1`~nMt>S zVtWPPpDjPLo6upIb756}`<$Vf|JEBl=cGy8+!iA{&_us8oE%_5F-U8W-#?t-2rso{ zL`3MZVa$kaQSi^mSsuCv8$FmIgHQrU}27ro7f!uYPpuxzJHU%B9akU>k*VD(}X4iJHmvM^2+3A;&{o>7Q}%ycg}qrw-x!j~t`r0>woo4oWpZAF zXV}a+9c)ub{*SkZP9+2{w-W36jT$mem>v$!-}70LYW3w)$&7J}1p(t38+#Gj6hOul z{x+giXA$|z+Pp1&pDr?7C7bK33_20fow}F=LIYt{h=1k_AtZ9-1=YX8!=cBRWpi|A 
zKa40;Ac4dk+0M9si_HWYG*(a4wd=Ys1mlz9W+-!BII(-uq|n&92Y69OFU7|;yIy9aC_k>UIvt;UkCK$fNXO5=FrJ{6pkphLJX-k^l?u!0mOx79b zsO^a0ko^Fy`uK!(a)^0rmjycZwe&I7|dhOZ9y;a*PM6!y|h-DFWmZ6di&S%g~ z-K_(+9xm4k#SLfoEn{jkPgHHWNwK$1Or*JVNNMq%>8`kL{;lMC*amgw>?T7lytYII zo_+=jH87+CeoCJl;#e8@riumpb2VjPWxrGWAWwjwKEjS8=Y9 zU`C3i`f8_pW*SjSQ>AS+!3pUjh@b(CE0A6k7Q49om)<)055Js#ByLmDm_o-@0*g;q zbr37J4syJEsYg(D13n1XH!c9K`^E_eoK2JD7!tf9vXgm_`AagUxNb} zfy;Z>0V3UP6sxTBcFE}X!yXZB~3D*8=tZfMbJn8sI#;jtoHVS;(TAB zl$vUY{xdU2E%qNH6v@QuRJ+vZF!v{3j*EKtZ!O0tJsWM4rQAb$!NO$z8b$%%R*Uth zo$GMghbNp;6+6sbA^4eew`t`>qJpp0mryBy?u0k#t`_!6ue~iKUjcefq1UgOCyO;D zo`26S3m>_R5Y(U2^%FUlaza%INSNzZA(43&;S7_F-!3GiIldypk9A%3+(afE%~sTx)w{0Pm-k6WOo z8P;X{+lSZ1^ozj}Oux-(L|P%g{lrK;bwgtEk7ZH)Ch@;Hy~0WY%$d#nFzdCa)Pn~X!R$*2QsW&y zog8t3rRV%tA}gQXS{?7WSBzNi$r|dyAHKj7#iEQWPFcjaK%wrV4}`A|NylcPXYnzd zX`CD9TL4AZj4<86T}?EXY3$RTtv;nK!c#Xfzr7>T6y}cqqH>fYsD}XzIk20gOQRj?`I|a_h$_^?)}__+5n*b;d&-#IWkUbLW_hZC!a1Va7QBTQ{E}_ z8_m#&o=bXQ3(G*Y7Y{a4Ag~_n!gX6zziSs zYem@cK)h;Gx2%~wyIbtphe^6$icKNu1TOk0jQ`W8o~~XF^V^k9TjdKJ<<+%=%_iFLe}hCBal6R53@(Hwe`#sZZM_Wl95Ce%i1BcEBwW{7&GbRBFsOEDOBhkl6i( zZ;?=|Et_3lYu>kHExShS-?ja1qetl$bRXl7qJ*UuAD0tPmY;s(#h}WNrrmwg+kn zg=B7?>uCXY&WFI)ZbfM}CejXeY=|_%4h1l3lq<7^S7(K3gqp7~v4_@;DY4S7?q7Rn z`G@c!4PxD`I9Tw2hOkzV!Kpx9K2$xT^{du(V%6(vlRwFge_536klyh~pGhxgEHCT>}kFJezmvi~|%qxuBUZ4KpK4Vo$Ooa>kR zZ?r5lUVD3EGYq7;{FKk?opw@xOB_&&`_AjIUYL$iTtuv4Z|=n;TitLE%?r)+Zp1+4i3|rjJTC~>~V`wAu-E7C;LeNdkZGhs_w}Q{P!C0hM$TK zTyiD#8+N_C)^POJ+)91_sC!J}b_Z4*dbcj^pM=b}A2)LMI=#%#Vo)$u#F<+nHo2EpsEA0Wm&lwB^*iEwp`Pd%>(TuvW%^<=N21M#L*W{Shr%6!9DU@1h0|oQ5iP|& z;1O1aJB5U}_Fu6UuSXfT_$tjdt6BigqfHhtNJ0|ZEDU-G@YZ$8hN~=3AW;%eg{}%{ z6V5HmlSo<(NpC0RRrG9dznBPudQ`#h-$*t_3UTg5n6zb=!2^SX|E#T?q5jp_$* zEfY78y@E8uSlb`1eObpwh2J5_(Fu-S{(e6`xZzY)(OY>D1s*%j_`V4gDIjoYxV`Y{ z@+|O2lheV~08Q~$c>Q#~N5~_!EAV4nG{5R|-#-yPzTWL=qumo7)*D#hpCe9|v(!um zDJsN&9(AZ<^Lgyr=*FHf{ExL|1ah?a(gY>NG-n*PNprR&8T z<=L;K^|#dM#RQ6K7=%m&?}?!TD_CMiv?ip-Yk(7B0?6KxcD<=!Pk|;uNDeGj8*RYY 
zyyp4!*!+>6>lh?Yof0f6R%28vqs;fqyy4-rMZPA=9!NL4r{*z#-<)vd?o=f_Vfow! z?EU}jLltKS7&Xm$&v*6324!g_E6g-B$qx%fq*kMAdDf!w?D`_fo<|Zk&It@0a8p&H z9f3T}`4fKvJ3zsPB&Q;^PpbkETF?St^jfLUQ0V!Ce84BLp)pBd;7n;f*4NV5`MThQ zvnRYH4n(Yb^gI$tMD=n>Y_e__xMvS5;pQP&sDoWo8;6Uo(L9Q7wR83o2lyydL5`u4gHpL~x z8GbjCvHz=y;J8y^)Rd{OS3Bs(CefD2t=q>tj3`78xId@FnDBKBLtYS}9BFz{m?qa+ zUK6n4^8{uuaP~jF{HQAk_e9v9a`&nXE zP%{S&q}*a>PWul);x6~x7;iFcQ10Y^9?MrweXecGuA>&(BHLhsFGeFh##-#PX*gD59VVIyfuWj45ZQJ(ly|!)Jwr$(CZQEv^H_4Zrlm9R? z-P2WdHFm;o>m5A6L^%ai1`EJk_q^JE1`=6AZA$aD6jkYhfJ(Z=i*Twj>3F1?Z9Ech zEleWwB)g+~YKFnEK+f!iD(tCMq+u*>=56~%YkS`h%OG}Fg4|1#)!$V}?*>z@-2K_G zHvH)uX>kPY=r={!N=IzCz7_xQ$xsd|S%}FQAlg;WkY!-l`)lF+18xtAS^1VoR>x?h znQor2$#3DnF!T-4Y2+GeHW#Qi@elQ>CpGhW5>&ZXPv@|1DQF1$82DLFaFBRsU{gqZ zH+cR(m$~W%E4)}3!U}d~_q-PQQ$!{lgoTVgY~01rBGuSTa2VED_TAm3)UWgJB>`LR zaKIiC^EY%p3n2aR*zx{2hymB7n3${euEvXSC<*_#`D6uU=%S+2j7a6`^wqwu*PM!r zP|}>9B_1Zf0m$u>L8&gE^bT1^;B#$4gOkfn_@~-(a#SvPM2jy+mqVH-c$!MGY{wN& zkp-7g_hJ|?>HjFFTVJH@0494d_%oOkKfGPFG#Os!4Wsd2c^XS z2pn0KIX~dQIkg3)1a5Q1@dh>l~e3zh)hWa4WRCMxj1WlkP7|D4>Tch8=hiUQnJ>U#St;OhKx41)}yT2v=xVl#f zS`EbJGLV}$?1YR8TXhASA}5bRM6hg_-t0guTk-^>{*7lS)i#;k9#K~9DPG20DZX(O zR}A(?Go`Ozm_pxyl>TTkH*|`=77K0T&GdchX7z!AN8=cVi$!4Q*DdPr%2~J~$XlJE zXF6mwG&lJTWq!hhA_@r?@%$+}7bh0ZCN}11!ltvh5p=6a2TBJ-%&*{hLh);bNo~AW ztq<$PSxm>*&W+mxanxP>QkMs{el|(pHONQ{e4nS27N$)RwLfZRLy}Z820D{WNp#e` z45wbcg(CCTP^B{OQcfMIAtv?Vtxt6lX-9Z*L#VInzQ=)a33bFUS7$;4pr@DP6Lg) zz7f1swkOz@Y(pc`SNaU*1f7Q0gU2o-In-6eRf%rtttE{tFp)L6{gIGul`=wYBMoV@>5SR5(^tKeL) zL@Zv%NZk(NQHuC>>XD7lbA!@_TZw`3s3fhicfT3?8+=4wyqJ+D{h`FK z0nCOK11W`4G8CUJ%_<6a1LpBm9L0gw^ro1l(c;V1aL?|~Hv)(}1U|7~n$TRBnb7MA z#Hh_x&G{tI zd!}NxA^?Q{?>8YulD1QJtJ6zvQ{K(jG19GDls)v1{bCKK_b8p=;yoL)n55rX1Q}Ym zY4Llk2kv4~B>~ogB^dMCZG{?)0xtR=*j#5v;k{y913`Zs{$>Rg z>D2_0c@`>FRmUW+mW@ulS2#_D*wWz7iKY1V6oN#gp19p=Veun4loU$8LZweNY$bd@ zc>^~XQqbTZ8$Y5UOI^?wRcsv+ZTLS}Z{$Ivp%PLD3=>MZJ6|q&%6zEYk7_B={q^r9 zExBzO5iV9cajtq1LiKQEgM1^h6w8&&xE)!6t!i{>e>a)tyoMC)FN{&Q)XQjP#eOgn 
zSSZ7&9~IH61yMnBmRQqbS_NTQQ8=NDNY`L5u+dgZ(O<4a9AsXOC(V)@9VAQ`r=`BT<&A6Bsu$?}3FuXbOkFSTk-KYW<~? z#F_GI=|xW`$$bNYTH!&fs4I-)XvLw}P;9p|{JrG$`_^P!YBPiW(5|G7eYbdQ=%M0epF7O<3mm8B5LH@gu zrF%g4>sXbj&y{Ub(9`vm%{obI=6@aASrX<;$Fs{D)UoNwXoi)MO}pL&ZFEkr5rG#8 z&3e`+s4a3=*3Rv6+9Se}7cFD#1L%9Qs}S8ds&~c7spyk~0$o1NRm(Bp{eJ-NYCj~; z^F6usU9{utDb|w9KipPpk%LGSJbqe-jQ7}Kb9djOibb`Ibz6ztko8NKYD6;^`+M!W zEPWk@bbplUP%(iD>WlCw*vra{Mjv)cs`dz>3WA7R7z=K;bYVQdO~;ygI3{_uJYLw1 z`CM-OV{axltc~TmZ(P(VjYBx_Ty}Q)8|vZ}8~jjZ)(>eT5THLxBt zwG9caGj1O91wBi=cg3i@$c$l9VO&sH13zN(QLfwu&UBw6c-yavE<0@-JF7v+|485dkTdfxwwpq%`wc-eJj&(!`IBabzj@1 z`#?l=59fzhqoPM*s~tsIB)Uoz-8c^mThs07 z20ycq*ohQ~ocj37onP{JrwD29=6$09yt^!ivkH#!VW`s-uFMEjO-o0cVJN~`vum+L zA6|ntOu_VM6^^Qd%FK&jDelvqMp|3 z*qxw&oLP9Q+|&&whx=171bK&dEH}A-43w6p0aJ2E7AvcIa!(yk1I10rLmuf34*m`P znIF7}fP7`xm#GNXh@KL~XP3z#n$Cs*mzzG;Acnu2&plIL00Q!z>Hww`;y&CJEZ337 zD+(pGuxFi_mul_%%<%CoU}69*T070?Ih` zwVWTJ-BzC*5usuYv~g>E*&AH-(NdYS>CUHgGM+60!wqe`hq0(7x8ZIEuOnsDcz6{W z%JG|BKi7j8(UUnoD*2Mf7{&_4H^(0hYDD+btii`O`pmu*u||XfStXfoLMn#18$NK- z7JVu@w2pL$S4WQ2Hi|-=#e`Gk>RU;XX8e>PI9<{_t?xZ&-!MomlZJLSlB$#arLX>4 z(EO;56CtX_NV_t0Q`nB#5a`YJhu`RF!=VCpeYdvsG1=EL0Fd04P<1~hh8}Tj&xZ+_ z)fN0%7$^5Y7}AC3S$$UGh^0{)LdfN^LVS(=@r-V?A1N$4Y|LadO_W%M?0L#vs?Rx; zpZ6GTudv#dZUr~c26v`TD@_?kI*gx$P{+|}v^=DDRN$NVC5O*ha4+@Og#q3MMpYpl z*HEWkXyGTEQL7!{5s$_ca(OiXtn|na+&zy_X>;LSgE?Cm+)IYk*w6NGGCXOHLJH4E zHdG$EpbS-+{v@C)VI13_^gzr|I6L?ImqnUg?o5KrojbkI7(%GwO)0eXe3kh>qcT;3 zQ980P5bH;|lm^9f)6GP8-|Ln*#!D25ek0w~KF22>oOdnK-ex@JuKLGX5OAG7A$a+_~?I+i4c^4-wep}#bO9y5-1caA{O!na&n`9@RE@Tmd3UH zt1BAFup8#qb*R`~A}$2&q+ur(62k-kYC#I^$b)SK-xjF$SQikl?nr&cEr$7&CXZry zf=)Zm8?e`98x&qApxQXZ=@A>VgEF3lGZRi7`lAH`@^`G6(3bL23GV6v7t9Ate{tWoH=3(dXY;m(R*Q? 
z(Z(kME0ic-BH?(}?iww;CVYV`m7)xi0bwb70-7ewPSPhBu57)v7s|SL6;X$6ut%Zh zsDBE6;z@8#_F#F5uM{2W0oE?5^vNq0KZ7P6psOtfw@kEEFhIRAc)K4nv@EbhiRF07 zipNorT#S9!B9hNEtuGA+uHHUGK+}eRv2JS6r2kFmtjh-yo%5IDYQSJQ**3k+eu=g= z;oMYbyQ2<)*dLK2U3%#xEqV80*P0)u%$1QL7L#&6-tVQLPBA9FW;9O@zK4BH z>f;GAVI?m~f1P!a&`>G{f39cy*t3&$Y6k3Jak6ZS^}X$fP}Ei2OXO+cSk|OZjMbVO z?%b(Q{c*R7LGSHyX+}ref>ACiSmQEwO!)d@1P1On^``D!ilQ_ zV&E6rGiC8a=h4^34NyLY&NhP~MBw1xiL=_{D3Glfq3rL@D?_k}Q}q z;h+?FQQ3MbM34CechVhot!B#D^#Fc88)}`hY;4#HqkQP7mk>)zXR1wFRnB=g&L5p+ zboYAB2s*)`=RFHEVhwJ(Qa!jrl^lT##tdxx7 zUoZBjdV}%=^)~%s!x)J0bQQFpj=TM{M$}YLqlD^GEvJJ(TBWPty2LDdrJrCt zaBYF3^j-agTFqUjP092k-in_&d0Gyr&(k-uvY-aX+Otib(>^$tL6yh~&WVBM z#nDZp&4`I~CjMSJQ~`iQd)Z>pwXj}(Ya!Jb`jZ9*C%i^iCwCg`*_&R{YS9{**^-k~ z|E?nq^m(dUMxldznrDUuMparnJvYp%CTu6JsXF#Vj1)fNdzKu^qG!K{>05fMF(DVb z)|&3P9mjw>6?h4D-`m?E37%ZLEL_~{>TQFe#*D2h@9l7Aw9G(z`mFQ>&Y%wQF!XrK zDNh^0aBex1XiO+ySz__KAN#$&B33#BFX{xzA%Os~%%F+V`_D_8v9R)6H2xk{5;d)a?ERvD1nr#VtwPH_H+ur;6kf6o_fw&xvD+i z-L&yp+q`l1=>^|8kAL99xreZ?dc{Z^hniYJ9r1F)p}umoSE5Oy(f+xF@nurFM@NfV zo#N6XuHDL(ofq;E8FPPmlh7q`l;~r#GR@_ieZu#n1xhghVzzO2AP|O}+teFd?Usg< z%{Yi0cG>r8;?{Kp^c9v}Li4 zAhKDfmax&ADc678eF`MmTSz}vFAPsO#l zV|eN4Y@N$h(2hUmSDP$&fYV^MO47C&tLgA3)S1u5b&hT+$vF65dDElPe5-YKe^~6c z<3Jbobx>oB-8kF{xi9AzMZeVj2XxH{`@8N@wNwX?&TPoqq7$>;(`rncU?&nnet+Kd z>FG>oC)JJMvNCOR-VsWN>5P7bzN&R}6M!WqpUxoMg#X^)Ytnn)(~tQZ^VUPmIeb;Z z`5a!E2f7-3Qi8F$DO;sp(bvyhiEHfgfj#r!h{r{sYjW#Nx5A3UOk1kv==S%R6>1#o ze1@v3H{JDDY~BRO@~DN}b&mgX2(Xe>`UvVPF@w)Xl9-x-)}LZ0_4XsO&|0gkkn?W> zvg+IiojhdlRgmoSGW5PVI>l?Rrq5vMCkHT;{TE2xsI#<>&-!{8Skn_N?{|&ouh$bErG2)l$Ulea_zS zRU5s%*EK}Or7mP0DUu9B(%NN9dFpFx6uZ?#!Tq8PIA9&4bjk^wKg8`sB=OIThYrGL z|4Bah(Jj^I9#(fR36vreU;6^^+05h~1RovNx8C~0DAtR@ky%ROcNlya>C!5Cka zLRNF+M@@V1(3~1T8zsPh#2CIa88>+{eN(4P76tuc_YK-s|$l zkK(3NcD9xcYObec$AS~bE)XvHGA1S6EvJ#yTn6RCjJjE zb`!I$5%mLQslE0DtPT?apK&x_cMfqdtUWchN%lb_l zx&V2!nM+FN`gZUv;_dtPx*F?l!6S}&kDKtrOAI*3(NSl>B+D@|Nr8=iHZU%eqT%Xy8SBf>)sDPw%D|( z8PZZW0LH_V90O`Up+NWZ<0)O`k#=Zfd#2hnf=a`Ymf}dz0YLo 
z6kKEmofIw@6>s|{SgqJbJ0))$czs4RWCQfF6i=0zxNvDQ1+JHBIj2oTR2+5nT3sV{Zucduc^Hw%$TE$`BjyL&_G4XzAS+ zIK(6nbV89BGI)g)1LNJR2M&APGN{W7H>K0N&8zHDQ2-m8SCf2B%TEXzG@~2bX~G3g z5yAWb!_wH2CPR1)KHGMyfy25gg2@kG@&xuJ*$v_Q6gfby*CQq=ET2b9H-mt`7H$my zy{n&{d>=;Z4+AyJ*GHT@x-RxJ(Edry6_0YQRi#>W{r(g{XI&*kh4q4oGc$+m>$=Se zQ|SF(^ZO~{%n&-WLchjQ4?>c(>hJfnhEc!{P#d*=H+P<2Q8N75 zX$@!jKyl~FV3R%g<8ZP93*vxT%P0z55YDF1%&;Lf+8wq2a=-P*UfAX^q{H7^e-L~B z1N%3uG66L<)$oE^sJ4hR@eTrg@e@U17c69QD)sRW0y3UWeGcNX#S zZxrwEmq@+j$x#88Og>_SZ=4zbBF3p2^$AXzt)f-`8D2u&LV#+orhLfiuUsoNU{(SM z>B4?g+FcOEIGyoJaxY*J12(ogG`7tNTa{5r;!@jjEB9~&41j7BWnv!$1%6E+pcuWY zSHLy#n54T2VuXtXVK(562FNHdPuwnD?+9n+pq_XeJO&d1KYp^buh21MvsmR3mQ zuwgZonVc)D@?#TvC5(XOd};Dt+1ZsLWDo136_S9Xgp_{@{2S#4yLAKbBUC(DuN#Cf z#?Qo?wn$?=h%zt;V-+ncvN)A^)gqKxO-PWQE z*Ik}Dy>2Hf%bCioty_acCxhD;bSf_3X{wwsLd#`bndkaAQ%0*o89V@i0iWlHxtK`P z4MLCsjvy)3oju%{i09aV+`{ub3oP$ob-h9iloZ@pV1?c1g$M5q9nW3(e}|a>U-s*E ztdInV+c>*sAb6{;vp&+CEuPOCh`HWIqu#1=QAvW_Ohf*NvljHOYx0kOhZpt4u#O80 z%UGN-xkBOcJRc1&{}I9oMt{FG*3cN3`9%aIqsTv1H`@9G3G5fK3Nm#C-JsBq{dIMspRHI`l=mhTO>*$@x-))LK=-8$iB% z`>Z9${WsU9CO!l9qJ;zA>EuO8=z2eULcRd^MoO=&`Fa^wLBM{ud$Z;JGC-BLH$tvs zP9_?GTnufdi%1N`$NI*ZygpyV4WaWrhxgvDI`UqTAKQ_%Y?eIF#Ua%MunX4**uhA` zN;Cpdj6#KI#KqC(+XHh10^@!m*ahB5k86T>b0Z6>5&EHv zr5QG_Iz~ZpIfrx(QZcnJzhP0W{Pg(fKu#cD_?T9i3lFMx#VJL)ma?QE=W`F2*N4|9 zPs-5_z76Ta{h`fV2H2C<{V~KGx4yk31L&eiFjmT1a*rPu5b?&KOxP10P!Nbh2z9E8 zCbvP>B_zq{ZbT&{*+T@1>~%3EZ(G=IQCfRNIiSa$8puC*iEQ>^r*$)zXf|){5jud5 z+&US~Uq@U4=qe6`o*$$miTP(oJiNaP^9$^3*lZFXf_b|MDoz5{GhI&Mj+L$*HFZwm2I}vhdb?_gM7q`xi5q?l1 z3+J5NWY}BAVRuUKgL9_5J+itvi58kDj~RX*T(ri#0&FDJu0r#El6Gs3(_6Bda2Xbn z^Y64FKyjCN)RTbmhwu>5jM!OB)XjgrFGXIO|7JrhAKTpOJCB81cc`FHb8t<7cZ!y= zeh@7l{&Hp`B?a)%F7h#?%0!^ssHZym{3>PU_A? 
zRp;iUN~E14j3G9=9H$y3Cd|&M&#{&obGb&XmkhI+!YPvi@iJS~uj_+b{nuq#m~YGqKjk=S z!XmkFDH5CSPWi1;CB?_~6-xVpXGviuRPM?z+K}x6j-MmJuo$cmf)KR892E!{OnQK9 zhb#qMUUbaY%tD)iYC0v<`oc{-PEfLPQx3UE0*bho(ysJ$67BawE^?t=fYx1v5JjkH`n-P<%=2VvkDx9I{ z++E&z7fKn3@L#^5lXHesXO=-Jr*)?|^BDGT#4xYEF}AjziwOi_qX1a=7nLhfp($Jw zs`J<|`8@I2t!FsyfDI$t!7%uk zyX=nT6@T9?r?b-<&?Ox&{K##5!Gm#Ou)S!0Z_$AYG8DdLV+{`WixQK>wm?IHkGNUS zT}Kg9eaEq%7Y#?|791YUx!FzT7BG!0m@S++^}Ni6zofR-`bXJNr=EQ)&=lTWy=F?3 z*a9EK_1p^<#G~J>5HjiNQ_eYbC7h87kYTd1$Jg*juwA43U5IreLW4`!D&Y|X6GG1s zR0$x66uR1QF4ASYG7DbRAe2GUvHf@(Bbrz{h*1CpU7K3(c9J0IHE9_K87k z)@IgOdSSm+({e(02dUKUIoAf{!yZ=ze8z0~s?(iCzy0tv-uEKhRUDd@`6(FwWwVt? zr?M?R^|{BQ+E{T~fpG}=#}xjnq_FM$RrTsdcb+LXu&dQ01@gf>R*~g&gNi|WQ`2(; zE8Tp#@CXKoOJc`2??VcCj5#?ZYI2>CIc8)j79C7}xfVqLA<9AplsNJj(C@tpA|?)2 zaX#JflXjJHH#&lh-v7C)8KtGM(f`bIJi*Ot~Yre%o{u)J}$Y&oOhdo|m zwf{`Zj`)#fdr-$XFSQm!N?yuD5ZUde<{r(&6pETKJD@&<-ggCHXEU|Z{rvNNsyVS-^WzFks(VOi`sW5lZcg?wdEb4=w zM~fE3T>5Ad17;Qf3L_~21kA7##1BEYyxSafhhx*|$G!u;YzJu3q`*vsyGpJh9UG=Y zz*K#czdAxT3+Fy}47t9J;(aWN{3)8`31i<_r!#;jJiF59nNil_GPvGa7yK%U0_f_5 zsxT_

cBdye7X&|MxF_n0 zrVzG7u>|E2jl3-16-`#Fi&wX7oLj(0-^DURKRCI;nomY8p*Xq2nB*sxeNAng zJu)jlxO}!#i9$i6f;(!Qteaj=4QjK}0}e6}2An< z15#NUYU^nx;5?}8HuyhQ&_ow4@g|8(Sbz%ks-wD$&ao7D7}p92f)W3ApuU7L?3wIh z-=sEi1TMyKs3%fF#i+vq-LrbMvJzNEs}NKzP&O3fTw?&WiyE}giHjAW)1n`-<9ON2 zBON&B%#3@ol6cX!Nq#f(_wV~T8gDDFhdcHX%Y#gI)$n%TwrwKPqPMT+u5S5yep6GX zLZGT=v+g;sZ2*z`BowxX`2<2uLu8Ny1Q&Z8GAcJ z$07(VMhY%$rp2;d5oxb=gGR4}=KU_p(Iyya!l+4qcP^Y(MJXHe=%bG(t^agQJrF5o z8R0>IoZ?@OQ%*BszpflC-V=O}9>i$pX7I=%iR_KC+JkA|@)Au@FQ_QYg&9TFErC3R zq#YQPqvMn{g1=`?VhDy>B=g?bZo47T5#yZN?M=A^3G190J?*+$NmVMewc5eWDRbt` z2bvbl#++k>c#L=U7nk{534l^e5o9v)f@`UODoscITW!$352f^p5Nc%Yak{fY1y-ht z zM6iL`4RGU~x^&&4%FP1dce}q&J|7u?VVUpMaOD|zp5kT?Gq2|pb2ANVk{-#YEm&XS zn8~k+6TIY}@%)a^QC4Uj2R*IcO;=88-YSvM6M0^E@{-)r9O(?I}RDx2&)+YOzMLW=@g%6HXf5Unnxcz$hk zF_?)zTpjp3SwS9*jlNxiTE+Xfc1UJ<7r_)Fm=aKGZvEDu>5aEPV}WifvjblXWyqu_ zLvzg%rZx96>U;5Ql62h37{PWnW3hueRp5C_{MP|Efk~H8*g0kFq=%Bd?KY%Z^ zrbQWE9xR>ViY||Yl%5PnuC`?!t)ia7=UDQJ+|Tiq&Xh`b9eqF^lh0kQ4~GszE1xv} zOKmOln4-hK0sN^^1R^uhk{{bX?s%Y)HMznXJ?oxO|MD2r2XCuLSTSB6b1s2+soC;l zgi*^00fL8YU+067T8f5$pI*|1=FC->FmLmhxm;rt)@Es>ZcW}sdw4y&vz8;Q!U{@l zDwr~-b`S+!lY-%eUC^&}G)n}ybNmlOXeo$zSl#L)istmJaDxdNjukh}9ZDzZ)rZ0* z8O+RB^R**mTwsAygS2I+8=rE@faFTr0L1_MGIrzw5jxz3H#YDM*Thdq@}j9LakO4I>I1L4x#X|@z;Yyktq;}j5$jxXUy#fr+ za;rVLh&p$Iaw%gmIcxxPd?`~<%B#i1uL=A3G4tOt1qg8@02}4Yu{&xD<+NY47X5nz z?Unepn(sy1WLSYTX58~a_^R1%nV|_o1jvx6OLj#!}Q&7b=bgh6jOM@i%( z2)Kv6+2FK85n2!&(0ThrrJ*P{p34=?4%oU{lNv_b!4J$}1{D>V?8NP5u2BMw__5>( zEeL$C{u4K+$)vEes^6XP&VgN>KAeNP<(sB7E7hTKChEmY?_EMubQy8d4Fdht`M`bv z>`F-#b=c;Ryb7K-UgibFN@;_!uAZ?NgQ)8pl>arkQ&n%h)p2e^FpLLE`o*2gF93FY zGw?ez8$*Pym_+h|3h0z-&uQ#Hs44yfhiX}sl{odi=b)ap9NqJ_5Rvm%WpqG;d|IBr znVs3B?!er&?2hh_B!>Pa_~0_*<4d@i`>j^IO_)CmLBJO$F-I#Z?g*S4leM0|qorDl zqL%umeC5*{YgRr#c`K@+6c8Z9*Y{2LRt1B6%1CrG9O4JeORf#RKd2JRdWAM$@}CS} z)ROWa$(EI&EqdQe<&~DQ3$-puv2B67e9xx)_Q>J-{=Z=2A@^pfCcdf7y#3Eii+eRP z^PN=T@L=X}`QesVJpBbPgB16#IndsuF7?^lq4=W-wt9s12k^O*BbFpZ{4c_`n$#8wf;q1%sOXX0wE 
z#ItcBphc(|0*g$+KxDB2%9zt{jbRz30R`IhBoN=HmzIg&~Z*enMJZ_=>2^4R71o z+&o;>V5WI*y-o!3Ft4k-;yupNUegOV%-vaXfGX%8mV@-bb65^>ZSg5jGM#fF3SH^3db- zR%Q`W_NH0|-`c9ZX(U|x*y9=hu#^fAK)wXf(eI>G?5wD7YJN)EH+eG$+YCM@f$J&3 zBhkp#B3XaSgar2!&^)P2WPm_bh*^3+6(M&1#|T$}IlH1+@PxrhnD?POY5pph2^3|+ z`>qX{bcKKb7|d>mCLoQxVrDDROGBIf)mJVy!8cD&RXR)&%mb z>-nC9G=rEhz;AK@*=V`Dn+Amg?+nBHt7QT1=DHCE{2<4yh0tJI_RkH6PiW$;A)#XU zb15pW6dz+;O3EuzW|6irUb6-t@2c$%4fy;K%mIbe@^VG3W3f#axHaJK0%E@F!`nA5 zMqi7#+jTagj6x(alU5wP9a;IpN??qxw54w}lAI$Q{_80!uiHs-Uv3H#62qgt=&;-I zpya~!o?oD9MIckh!PPFK!ZQ?&wCMFF``C!h0z^c z4dL!O@xR0)DnhqF*|rsdn@6yu@=I||vwT@NrNVV%`cA5x>3@}jS0TdnQ%^@k^eG!{ z^S32225827@S}3QxR3#jsb3GW46-HwD$ki3JN7L+gWBxf2B+e8Ov60MY?v^SBK~{d zElu_&U|wH*ir^9|s=8D%bd|vz@;gV9&C2{FY@A307i*8V_)Z?E7YDpc94ZMo^CjmY zT^D+hw4Sp~29;9?oUm3QaW`*EGBqj=wAM1*BIYfCa^tJXP?{r=Lu$(dGYQeO7G9HS zni`BpQ;Xv$0A9>Uk=|(W7xBiarO)Wdg3Wd8pEI|#J7}1$B)_dCn6X)Q+eR~h76iL7 z6A_ElX&&qLfgM%NK?bPmPzz4roH*AoQl!ct z_sHa~O6c5C>8Fb3X}@uUqI^RaK=cCt3h-_0CAl{vM}}pu;eDfGH0);be@flSUaK+^ z6AX2j=_w%8n425Hd(9l0=)<9oB%>@x*8>zWP6Vp8Vu|Rk*q-Ebfpl#_L_{1ySra@! 
zq&Tna$WD%A0>Y}jXdD3Xk5^{4Z5iCoJd4{R zS&Yye;t9LyV0n&b?oQGJlE@ZD<#9;@sw&{J-OQ>h`fDX8x%CpXr1m0OO*|2KhbBM{ z4xs;@A~*RxPBV+aVf_}JAIZk8oRQyJ>$P90U{DdXn1CRg=oi;|&Y%gU!ikzK|7tQcNYr|= zFPXYUbXw!p`PBBV_qr12xU*YW`2n+5aDY`;-T|#S;!qkGw5?QylD$9-`ef`7B^9>F z3RASUzw%$VDKXkPD$u`78ln8UY&X)M_w9MA@MGS)A1j?l4l2o6%cgC!*`>FhogBsTn5#U|E0*-UWBuCVT1SGTltUZz-eD<^ga9#z1L))36` zU=sfMtGwYd zrKMcHSvuHWLmCqmU2$f8d+pX#<=^Mz5NcT?WYZ@296l*IfPVOaY$7e@2IiD0;{&&6 zG#B0-3R=79s=4(Td65!{yTCCgg=Tc97Tr&yzqio={+e!_i!K&&^tvj|@ z(s8x>!2A~uP#zOqu`m>1JjtK%@4LamN^WER%ymC|Mc9HQ2y`GsO9^peP=0*afqrd% z(?fGi+T3gzocy{nSrv9YH843etaqLj(g4&p&SUg zIMQdhd?hEWTiQDBS>PZ=30I40S3@Nv1j8!3{WOjHn|-@x)D(ap_BZ0|M7~EZIk`$n zpsX$8)p9mF4!GJEk`f}iqFtgu*FsN;m<1TB^qFtt(%p(Es-~y4JVsF{c%iBe|I+#s zdEl|yX~fvE4|{!w=6YHsffDDcB~|wDxUbNg!!*N`>-S=khKeJ>g$T0VyYr)wdF-RHe*9lyxJs^H+!$bI2_1JbE{%hUZ zBdrP?ftI|xZqIB-(L3x~&fVfww7_Ed8nPo9P%8ln2gUY=jrr-o(DQg+_{68=I+95< z)Dep%MhhQXS+7b*Rv#P`dU`=;1_*=8Uh?FkCdDxyHk|!dPRkQmris zd{dwV=i_;J+?{$s%4rb0M0SsF-6Hk%n^sMQgCN8g4#fXTJQpl(?knAz^(3>V8l*0# zB<>77S;L*><(0N)`uecpEvo;|bA8XqebI4rcRJEHxM}h3oO}!U!y%N|srN$yF~MLv zu!!wINK3BVx7RuW-NO}9fHjLQJHNzkLbYkH0KqG@Ees$fs3{Q=W#7cVrA z3m7#b7~*_#=UO1gIenh72k z4%4dj73(Xp5*|lK%}OT4z_n{|m)vMe6bd_2{@JL?A#Inigh^PYc0!$zKJxhk6D~0` zst$D8OK7iK?E~Gja14iq4LZe#Ch;g;8|HvRmDE@t2@eD!1)oF`*8fA6Fhz-R`wc#t zTT%&U!ZlewJ;daI+7%vt`T6}|;&HYBL|7!-ZVMCmjEV=pVm3=`%stVPYYrhJHCfUV z{?C%W+=v@eY`32ycyi52UD9S}F7}`?I)I>DDVrX5+T8IEyhQ}C=dY1v|6zGn-eB^s zg=%fl-Co5s9#9fCm$m94>S#6_09*o!dlIfSycuepSI5k>>cMg8gMyIMl69|1#bX-y zk$zkcg6XL%r+cE?KKGCgZn7pwZb+?6{VWjqz-Rm$;h0Nl-p#Z)15z5a?ZSViIVqy7 zmOF6;4aH2j%1K$q0qHVw*5bf%2_$3q`E(?j2(xCWam@03+b87$I(+b^rSAA;0o7h4 zH>MsO1^|-Tin-NJe)O*xjdK$b^dRck+d-81qw2n3f3oN0X)>4NUTf<@&F%UBF=e82 z*c_kh9vD0a@P$Hk3%AB+MBbC$kFj36hjCaJ06TI18^Z5@V4R{S+^@UI#ANQ?R&Eqc zu)6sb>kJjCeNog7TZCB|%+N4mv=#CUGPi|WR(aPrtn8Odj)Um-yqdLdq2AovLKnHf z!&xzMhIgPv9X;JD49m7LB-cUS`@Hv3d?xQYQ?v36j+KZB`8xIQyS6xXSQs78uzT8E 
z>_J@p{hbzZbh~SB(1w~8;$l+oo?8~A3oM(WZP45#js^^5(DX|W5S42!kt!exI0WlL&B0AO!$^go>x2IjiGI5Qh{!V^qk=Ig-_b(lBrxXycSVf>n@ z)AvG2F(D~pqdY73=X)zOgkf!$Kk#RXVSth=*haK&_~@+%a%PO(wRNrKw-wOW%it$s z$xhXU!d(BxthnH=du*3Cs3l69S@_lj-abJq7`y0uDM1C148D<@86ww-t3*1b){1g zM=Gn!ISO}L&^GC(_d@17%)$AyKRKvZWw-T*r>lY3MU2v>=1LZOTbe?y7DrTK0Y%`8 z1mn-EF7&_=5|)rbM0y`KX_3xS3Y+^MVSd#YIb%j;R>;8aYxD31qC1Tj%ZD zq5qrVlQ?>So&abHOHrx2W}X-0DKG;M60cP#<-e?;G+mBYk@4fPqL20*qanl#6Ue{w z*Ryx+SnTdjN=QH+>BSHoc(a`2oIsY1^wdqdE zt!!B##(%8J0^xm6nQ}ks#)jNxfruO~o_~&N!S)08O;$J5qGr`I$FKhjctD50?8N1e z0Owv}8^wu|QJ-?s(hAsSH0{u!g3OWaw4DW39E`~V{pex;h4>#sNS5A5*z0& z7r9)-NbXsz11DrerUB~n769Mb#zq1P;N}m1YJOGtuTm`+_#g?#-vXD>HNX}tL%7S4 zu>5or7ceqdX~;jy8qBhU*}fl-cj@m$%+b~m&TP}Yr2CW`*@v$kF;W@A4<&#vfuuTG zW9Z&o_W-9}YBB*yz9Vl6mF0pkO0ESZ@>5tBerE?_?bSt+A-oNhK`?H*2=PB*b9r@c zRyICKkB<|T165J?A^dCDPIDv%k@YXSfqNhf9a`0+S8~??2aDs8zp;%hhwGlA1lQ0B zlTIZ%sji@(Ev=AC+HjVkZ3sUuCje4(isvuTa~)n%kc-<&xZyDhBZo4>Gl5|k%(}?y z_#N&c&pg(C9x2rR>p~~}@FSJ-fdPZT{s@3c!q{bcTg2b+wz9Y%VSj|I;wA7nCl&cR zf8pBfEx0jZcpAJdkFNboB9@mOb;r;ZCr{r!Yy4a_8sYb684NlG_DBJ$|a8_2nk z)Z5p653k;47Fhzd>2w6?V_&Xwn@@7^BJX2h6Kc2qKB~PZ?IquysI0zg5P{Oa&pr6h zfBtz3AT=}U^7iJ6_<2VOm(_~rQc{8YuR3Bq$bO0t9t!bbUF&|b)7&I>ko5fOw3OHz zU?a4Sa8djaw%el0XP`%?E+y3(Jw3B^#zHWL&+LduLh`uoC2NGgt*G>R%tZH(WNSfinrlBKG(AbIAv`HUJA5N;|fVI@a>KVLcKyCRm zo_iRw_}IVLAh)g$Wo-|7&2iIs%ghNMuw>h?taG0gfL`8EOR6epy7KQNN+X+y>LBm( zTAiWcdRHQ(*0GLO>XHKVZnK;4HI#g z>LGu@z<;-bC?)8bxdaYeF4}oKNN%^;3pCt~oB)d;aC%mg?P=NxhhVI}21V%(`jp|k zrrUbF3?HR&sU5^n`rjT!LFgx*X0id~t!$6~*$Q0H!24MR%^uW&HCuH((QLxBfn={!oGks~s$a zE7TD_&Y=*-RVS^od@zRS_zf2%3hwX;5rQa|pzjfTWaty|Pb%XjZVflaSqu8;vkX4< zZQcZfzD0;D?fBAj zm4(#uoWZJ?%FrH){<_Zazn>m+`hbH03yHGwVR=Ewt$B{?_E|POCS=3CxVCBaFc(1d zMOLp-@$+wUmIpk53H^UU=t>movjz_4wa$;x{K;JvSN@k5T z)`z;9?tpgoHE%tqQOc4s5s>j#*vd}(aqqqpQV-ouo)5rYEq*1aTNYOtTS@wo!@R0> zz;k-~Y*tL!;{G{HGZ_yH`gi%mP2~@WiKfc^eJ*D)$C|#6HCj3cJ}ZL%Z>RJ6D}d*r z+T5RRut0)Ot)bZL`D~4GGJ}pRZ_m#g$Olu75;EJEQSxj~Ha%b^=-kvzXukyeQnD$l 
zEZn9Uq?CPAz2AwThyBCt9+pyo+_a)O6ACFKB`TebBg~l?V&C``S*+y<85lr{FxI;= zvyBq_@BF}Lk&K_M)I^XmS=zGcougK0AVLE+ZiN6BtPsw2bwhD_Gm-~ol$D_4u~!pkXE5D@YR#m-+-U-uffc&&W$11Qs?e~ z_s!vDBl;#DdSl|d)aGS^a3q(KH+MCYOT*VEELG^qOw)+(v%XwYZiWzRo>4cK}+}71%;I? z^H-Ybqa3_OWZSpRR`uaV77Y^c>(P)Ew&L+;iJQyjF-$Nt8C>ZPa9kh`^DMv|+WnSURh%odqz~f*#t1`?R z7yZ5R9=rEQv?|+TE}Orw%6ZTuf@sM}h3T=6C%=&xeUhX(MAC#(ZMhooO#s+kDJGwY z!Ot6_g+y$(h~tQ&h45p4B+1bpeCC@u0BSYWR+ibqifUmWI23jG=A-%IehNd7YbW+h zJ;RNTeXsQgNqAKPCGNcIZXvKG59e=kK5-JPY*;sy?vXeP)!(++q4ofOqi%)1r`jc< ztwc-*$@nl7J2hAXR#LFE&T;eDM*w?aUa#Cq7GMwj(B0?jns>m|I1)W$Ta2$tjoFvvE=R$4z(yJc_Ci zvNU14g&J~lR}aKqUlUjnQvDJtw8?`cSa1*h2pcsB!@4n=3IqGvZE~OSn=Q7ubK0 zF3thZK$kbz_~vVXMf~9v1}TIyg#NH%OPBaC4H2G&MLyEsma;}L_+KIk3=hlR){i9)r;Y?f+H7B8bQ3ZV5~afCnGurl=P3r`$< zIZSqynfx()C3Xr-Uq$R*B|GjU#|h86XuF?zXjKS~n3+Eu)Lxnko%x5E*qpH)eTC}! z0%LiH0%e#`h<~AM5N&et$5Akvxu2VI=s?prMuVJn*^oC*iVpaD%FQQr!ZEL`k?Krk z-FZ<;*Bpka(Y`dxPq-4aMx$f{lC{N?oy7*YpS&ftyFusNte7wuvM%mOcgxp@ zJ?Zo6lUzh&k62fjK6R+|6N%*Jw2?*HD)T?Q6bM;WkQjq+>W}!wh#n9I+2ED#hE9@$ zGc8pHdJ_KLejyATI48o6sCAmX>8O0&A!XCW(r7p{s+S6eC6KF?I$e-$V22>L(bm|~ za0|&Ag@Z}hu0%K3FjA$Y-CSlb+0`DPWN7q0+)6Ptc0eyv@xK8;)!c+@@MsXaz!qCE zG*FqGm*nZ`Sd=r7EZIi`h-;Tx%vE`C9eM_byKqD~mtW%~{j6)C6~iUy9ZMPiR}+1_ zVJ7;)N99vHInT^!hAl(JC~z+2G!ERQUe9PpYBo=PDiCRm@f{=4jBXJF#sjhPkV{~A ztD#qAM&YXgd@kE1ZU*j1>r%76Yr7&>ni|2=Rhu;wbioVlhsnOftpH0cCIx8Muspx(#N%NSr zW!I08HZ`5-=22>gY}g;=OBH7>0w50Y^nlo%-W|Y5Bl9|M|!^4hJGlj zQLF)gcS}~8Wn{P|<=&{C?DnS&@z5(#aJZd-7&1%UQ3$Ok!^0RgO zAZ%?=k&`%Mp|DLDQ%*o+GvI6-=effuX<1VwEtqgSJa;d(^Fx-eb6K+78V4T!^WXcR z^$kE2Ykr^mGmx5kH9RmZ?4V7VlwtZHO|#W&QH`AgQF!+?L9V*oZB|BApV^qy*Ed4o zE%Z?Y&0x`d!k>&lkW5F}y6#hBV0c3ex~~-ocOsxLc%5HOwif2NH=-xE9rkq-nL=cJ z2|M*MUGtl&q8u=!E;6o|W`$9$&B7`$f$$}R8P8Lo%iHL9ugy7&3blaJX=kiuwctk= z8U~~^BfRHSJY&++2kU3gm~*JkJ#B_Q5oR9Gl2ZBS`Wl+xY1%|Dp4XZM>>d5N*#&Wu zx>H+%>#ECKNAsSpm>7^ztMH%Tx8Q)M~lVorXMXk88O9A&qG z@t==>dM}46^PH#l6R)|-E4JU;m-kP>HgR4sgEOdJ5~wF5vgcFiQ8?aL{bp%uIgq1e zc$p~02Y*x|T(e*gr=HN>so6`yxPn~~h%Uv%wwr?0yFb(>Oq_`%;ioDjM=wO}lg`kx 
zyivt4Nx0U(8UJXjoM&T@FGs7;dyzl;3N`d$!O8j69bjudwCRroI$se0|>^nlh=1(3n8h zDh>U;g(%sGFhCyG%<+PjfXIy37_?(6=(@2Ea-ACaopx#Cd02K-PxtbmG+06W2y|m- z=p?Quf0pBDdNdJLRp`ZRRvI-JioiyT)A3AF>Kg}B@DU`^0aAIcte^^g{+Bj{g0EF~ zqd2l*bUmdy((>WxaC{?i9ssf|2<~B)F{-rIb>-va05HOYzz+Qjpx1pqNo4qJ!3FY`i{r{oEl}B*rnP&8%whq(zYU9GoBjXt zKd@Nh(mu;@p~%M<6P)0#LtcwgFU;JJp(&o5!b4FM%zua+8;<$JcFvm!9jVmR%LJ8h zqXHFac+PHU+UnMVb)6!-W?1!FxD=!~{59wVMaNvm;-*ZHOPc`N>8NDrct?Ru=pb#) zp>@;JILHB1b+&Sas%n=>!G)khvF8Ca+vQr9u(iOo!$^@jGDpEE_!-QQ4iMlS1lZRg z>Ay)Vk;J)fqO2N;_wUvX_PR05l|PtQ{FuuJf7K#zW@*DKUvior8OOIig%geCf7W+j z?R^q`#nu+?5*nhENqJ#~Ps*d_q~yE^>x-f@jVPVOm(QaFptj!aS~7au>sp9dM{(@J zH*;xwy~fM$2gN^j59^|M$<23((?LYR$}a6lKy*rpBG8B%r_L+zFHV|lGMt8eJaL_tT2(Rl$C$y6qE0e}2Pum?C$`qo zowXyQNQ79a1z7%4R3b<18&O455+h}qLnEjhV0I=1wI{&*qPWR_NfN> z6mVr20y>GX9{z$gt6vdg*Is23EhHrfm7$~|W9`-AYqh@l&7@4MRhpcJvkGstB3;KI z{&8OS007s;y$$^xp9==O)GzyNw=HW=AUmNH{Kw)ef|l{M%s1py?zMTE&zG=6r4sv zR*oB!g0Vv{26!qdEjM7SARC8D^`;~N-e5r8-+gFE_kn|1nouXQclvloi!c_h@gss) z{?jvBGz{QM6+V#oF+vLW} zIPPC19>nu8CE$Q%VlwL~^$h`<@4|_lq?x(g@KdldfuPk=>rQtwQXp8JUNV;06f^;= zX?IeX~moo-5eW0s6?$%!m@tSWsIK546G3p)3{(Wkp*1|Nk0M(NF|O+r|)MVgzB zbHfv&%{ImdUH9(1AZTkvGe>1h8nx8*o$u3`sVM#q(5Sf9HEfgOLd$t8ILo+ya9F&; z_9o%!N?U1o#eR>Q%+&&Cgf*yI6P!?+k@9FB-aFF zDLSRC>u)CTl&zbIe#S1J(Vor?IpQldh~X`vDu%zw6EYr`KNtC_bxxQ~E|DteXf571 zoZXtM#9CP?v-}UISa*~XzvNa8+yyuu>*x68${lL&1aerq&yOh)Hf|ew0dgSEo?2Y3~GSSA_r=QYlE==+W7Fw=_ zI0lkJlCI|z;6)9aq;67pXwQSJP=TEmvLD0uCW^8T5jj#+F$qGrSt>Dw&=1*(6V@Gw zXSS%fH7jPWOnU?`kZyY1uZzro@(RD4()|5FG6jpZ!YjiqRCB~C=5?=p)yvioeWdo; zq_i&g#drbe^6njpYl8P9Ez)kmhXB$PC}Y9k@X>K+R1JU?iRnW?0!{D&_ix@ujnw`* zK2R?#W0M8QCy72o;*0sIR`8O);bKjPf`S8q;B7(41n<@48T+<64>AlHSdH3IVgq4m49tVaJA2D*OfxSwPSxRC8-1{rGb z{ID{40j^pmpJwd$)OJYt@LG=t2S9*LArJe@LkU0f@OXQxJD9dZ%g4AYV;J#6B_o!J zk!H)K6@IO{tHTR)Y=7)WfHWG)L+nqL5Rd?lTmap5Q0z&>$P~n^w~r&?63^So4@qz) z*qZ3L#EA7_paBP>N)jJYAz_7wk3&KdxPVTy1R4scD5H4vU!QAfD$rCmh`Ltlb(Ts< zOVNmznPw#G>RYu9fFs2>6AO7OJ8h7hEM`)h49$lOE=CU*C1v`V1_R^Xtb?ulkUjM= 
zU3`WZPV21tQzQ9GwtOowfX3-h!TX?ubtqBpr8yk{Mh~uUQ9IBeM)70<&t$*`m&;Xj zhdf3&vZ{^7+-fZUb1|y(3Z)ac>_~-Nz7Yzel2n~oaUhB7E71vpZKQOZpywg8=-3MQ zk^f#X+U8tbHy`TtU@RyF2MBJWu)TW%In*MF8hyRm)#AC`y4uO^M%4rMntS3|uC6Zq z7N@qkYx9sl49Mi@ZGqH#v|-qwP=KwU6$mo+le~RKrM`xV{!0y{4d)DOSiJCJF}=tb-b=_r0#RhFcXha3k3pT!U&Jl)3xs~CI$^5acHAq>RKcxDUD3_I0J`%}76 z*jrVsjKr5E{^hV+|CK3>m{PGdyn^m}B?D6`olX^!8hZRw5p}RhlvSY1mIhAaE2~a@ zM6@TLTq1XNf+kZBK%8`hoGDqClk5mrkqeD?(N3x`FlyTZW}n1$fX=7Q9$DV~Ia(Rk z8woE`eD=dz1Z*)v9PSJYU6 zw|QT#O*`fUx2us>Vf;gt=#Y_WTeRIy#*Ye>hy&lirPl;TUjCgNge=C;)i5|#X~sWd zxGt33^*V0Qimr|Tz;H?Hm+z1vBJsq2xM*;7JwRD8$DW)1BZS)M7(Ps681^}&5!PMm zL_Dk(Oqqlyf3dG&=$(l^uG{eopvty{1PT=k;9W@J)72r>ARMb)t zGd@eqI!Ytp>)ReUhzl4t3gKAJu3@36D+g47z^CvhFcVw#VycHk#n1|)h~51wvfc+u`!gxAF= zPAGE}Viq$FvAG|>K>$Oq=>CoGN()aylr`bxegs*Y{uKgq0<10rNg-)%2t9XE1g5tR zmSv<+D=XsWbWfLmvhO1%k&1NB)^S)M&LWG@N#|39zJR~~qPI4J>}9=;0~Py*y9RA8 zcE6&w!smX#^Sdu<6iWG;Tt~!@Psr4EALMVX)yFxd<4X6zd?%98m6Z_#RCyWYqwN#E z&e}U~n>N@C1d%JInc8#$}Oa*N_xq*_JOB>&5^hl-Mc>GqAAhXH*3o+nEq^A5k@Gx+0s$hkJfwS~>A+i_Afk~xlD#Ve=+>#fx|2CvN5aJD(a#E_OHU%i%6w5lrbo+nA|dpspgYr7Tr{!~D)zN<@BjWf>#^Q5v=VxAEk# zeb}v_qJk=8*^YLIZm<=;9ntsY-%xMlzqd8KTZHu%heOxj`v#Fmj#<^OzpT)$jx3VwN^gRP2XaJdJ zJJow~X6u*~Ulva=r3jb@x~?hw*l;bjBN$PGFq|@pf+cj%Y!R>9DH5@f&u7FflNaI% z`2(2A4Nx4HEB?R%6DR|s_FHQzanQPjq+3BMf z7#V)1gf5)-L?ix-azoCzqrD1tvnDwV_Rum&LG=q_cG;#NKQ4qRY1SyvhQ=rTCC>1R zd9SwbYpAwKYv3BP^HgtF!ZOas9}63=9y4>uRXG7H6@61lH7&oe-kdCD5z=qw38U-R zjAZq}hgk@KIuYYyXrkz-m@d!U`)N^lz_F&6`Bq5%;HLd38jGt5_QfANRq`k-2yrcgR^Q{*tUeCNrr17O?Ig)KNlIF~nO*iBjHFDEMzq>wNAvmXJ5Cf-QuVHaLk z$R_tVU`B2JgwZL7lQCiprXg zReUlqYC)hr8+!8(KS$r2%}JDX2W}S`s8_mRu(Mio*oH%3!&J%`%qn8Tr1b}>Cmv-G zm(>$E`e)a*Jwqj`S_%wnrR@T+p==9#x4v;PdqzUIje;pV!-j^?7oLw0pM?>M4j2tI zFb4J*4(H*m2S^R_VpPuOA=?;{XfHVsH>0`w!V=6$dZj@-^A!s^m!Vm1K$+C>2$5kr z07bR`Fg@O~IUNLT9E~LT_KRI%0hFK*(TcY?TS8!Dgk=jJ*6ZYTlzB{4S5P4(OB;qK zoknzny1)jiBhX=S)N*Z+5V_mVdVeyY?4X+uE$zhP~6oH=rFG$-lJKRwZ7W3vos{1znsd(+mE>%sX+rNOxngSHto-!YUsD_Pi2jL*?ZEaQU@HHEl0&Vv81qLd&LPT}d~4u!j0V7G 
z$LDjFwY$VoBAsaaix;=^;*@u*}r3^h!ln;3J!2#6iRIC(S@Zb+Sa zs1OI*{+0DwN^m;BZ3TCJn0ed1vYb;1gGd7@Gm2HI=N7R&@fCsUvjORk2aFjo&?c;0e2hf(+vIaNyXA=ohY!E; z?B=gg2=^By3$RiJ!np)TkFFbOCen|w$ZCKty7j4R0Y(COk7LPufdNnr~tz#Z8Q zxo6*(_tF}@$15Y=)QcR)mF!x};o*OWHPKE1sCUB&(`-Fx(=5H>eK5pc!5hB`&i7<% z2y0FQ9egn4RT3x7k>=*2BGncrX81+adY?`df!dqk4CB3j@DwB={2bt|2@89Qye_R2 zB$j;#FgnD7uVg4%p41&7(I@j&H{x1B8>R0fvtb1oWi(s7+%$V)Be1hC$JyL|@UZU=ohEtN{+ERRC=h zc_J#$1D$iH!)5MkCSLa13q#2zh)K$7Te5NR`_vmGuslV<87IV95 z|3K7~?~j88^s3el=fm_V?leFvSb-7bKO5Mou;v=H6|6Ix$VKepeqOw&A1R-rWfNjI z=4-sX?Fj>l=vb7RDaA&y%CK z($;;MUM_YXx@|MLPNw)~Y-)pM^MLB_Qc6-H>OJBpCu%3B$n6xV-{Ofu~(i^?p)j`b0 zsHiUM$EM**(FYgJe$0Irti_O69a;w1Vi^_ zu=)Je7o|}Q$ou#qIe5meet^;iimUL~k?Ax>(CbKp=0HigKMz@iydd_2MI(>F3a;F> zMmO{ri&X7e`t%5~`qW$+H>Qo4QabWkjFMa+h)Lc4EzE zr?Qf?B9dZKy;O{zi2Y8&Ol!$XevhJWtYiEd4F;P;-Dw1ifVsYAuS$MxBIET?5y#YJ zCtKs38`CZ#k*;S+R%NK7yarJA?B^Th*}GDgBbo0^@^>x zBJS&maQt+0&Z5qL`b68nwmo7l@pjJs5%$9Khgtj`vZG3ks7?pv;5Tq;xlqjdSb_fR zcQZa6D1h7N00JtbaUt zQ-Z(u>h$w_YcZ`%5(-7X>pf!sG3kS?>^LIm!~4v`I3UeK7LJ}4IfAEeP%5xV*$%6? 
z)Qtb2bVub#&@xvAk9YfI3-=a;70+38%ce1S?<|xK&9fcEU>1iVYsKu-?&60KZD4I)5@AK9H8T@VaxSO#m@$qs{KZVfv7 zGWf)Mh!aakQU)f4E#I6&ZGq3`;g^wRTP9Pcr6=a@#QESi{5<^ zaz~SyXVo=Mgwy?j^*~=F|FR;c3W~6t=NE4``+uPQEQpzKG{TPj{#&PvAN%awx#b4M zTIf<62Kdm0Ncw$c^!hQ@BLFSM8OSUJgSC9GXT!&2gde!4$Ky(e-+)B-wMsSI^pA&fb1 zI$C~iby4J2%+6zeC-7Aw;Sxucs%JM9xyEQGOhEl#?Let9d9-c3$r2W?Byr@o=?*no zD=Ynyx>x>o{EYDyn`GEQxF64?Y~_L>bFidKm-M54FiJ80^IS%HDz|BnQ#z{1*Qs7m5N2`$lG$|sxiNy#9F6o-6#~YqD`g3Ej02td`0Um5IOnn7|~r^EtY_kBAW3NQCo41?S|EyRdai6p4x}`^_ zo$Y2tm8IqheKmxsMrsFpXB35l8EaQ|@tkbS^NJ@OaXh^jq|kQSdzE|I z^Yn%r^^Jw$8j$%DnhMMQbQ`fm-Dn-4W!usR#Se)d{FSpb&z!;M!Lx)>xJtY1(GA8BjB!2!?yy6qkC3GbTy6ypKR z!Z!eay%@h5q@T0%1164&+Y?n50<_P+d0K%t#elt_w)Xuar%ODE0} zhv|$+czt9grpFMKX&?aR{HGA;I4*@G@Q$dhE%$PcN7k5bSsC)cEv^tt@bg?g> z^l3cIZ?Xsfx=)@q!*=Vctc@&wCD)S_xetTpX1hNT)0OQnlwSnT7hfhPoEjEUgrs2O)c!fXGK^<+p+NM)J_D%Z=jHgVwt zc^dw^-rC-!r$ljL!WZ|T-H0Mr8U}2-myYfLmz`JmhOpkJe7_Y4+^RXZ@hY6p$b>#* zMYWQ1E8mqT`@s$h(d}e%aAm_&em|IV{y59Xo=c(R8N`$3p@!fl0gMyH5zyjjOf{=P z%u@!~W)(8t3HI5JwUn8mmeSMjT%7~5G6YuLD|WM_x3Hc=rWZ%S=wE?z!Lwr$=w#0G zaZbq=MX$H{8tNGmyVXT*A4oG-3T0u4#kmRU4WYO@QB&b#imL%SQamE@>lPM0_D%de z?+bshxso1@5UJE`+-_~UD0#-#5_Q2n|E~vE?v(qP(||Sg$NA||6=f2D_^Mc~$`R^J z;y<)D^^&`DeJ5M{`!Ny8-@1+)1AvUjAU5i~IPLrJmU&twUXVlq!%#SU;STcND9D=R zyn%X;r%VcYs*h#5;Ar9nh@MPy_6mo6p4Yg;8yx{Wm9Gx*apAAtL@g7|63%}2twC;F z-Y#0Ev`#ft*o_z}dMY61f{lrZWZ();9nXz#V=!xrh^h76*aOz=A;xGIXEDSzNC@C> zsd(TKK-D%iqqg)E78S}G*+E7X=h|V7iHX`p8KeC}gyi=9y+gd~ate(yfp2?aVWZXN zFp(6umdfb%Iqp4_lkm?>)vq)eLJ>3D1$v+>@gA5u-lNK{#SH8{%+!C?zT#@0ZTXeT z${QtMn7!7x?m5**6E^Q^>g>*-WUeNtJ@ai+eCOcdcWAPqb=9&9kqd|wJ>%Wqarb|+DcZ&ld_#MR zRC=Iv1eCXHFj<5K8Y!k|14_}dzE7G8n+%#wzt(Zv1217IL>&6{yaj{rB|&KG5b*r+ z5{hL^6c)~BpVQClUYg6D0H;f4;z{s4lJ;1kZNOwmk@XUlXPacf#CSIO@ky;KXIt~H zj%qJW1@v0gRZ%5v6k*b=B5eDmtNzOC(FtS2YIT#{n&^;6*_Lb^xkt)9-`xODSkL?SUmFO=KsnFt9Sf7}N4S8?Johw)) zYE>7z`FHn&*koS>6YQKxS9U*kAEX@W1V-(7(?G|hoA@F;uzCo6|ev$ zJT$fpF=!nV+|4rzABgd&!H+|hxD*0%)2zA+YBItw*8&=4m|3=5mMH|7&CHEa@{Ax{ 
zi-3N>8?2!X<9NjLnSvhDr&nyCyS>P#@>u7dIupuydq=1r$Dp+&@^dU)VK4~C#Q%%2 zW&y4qH)kj75vn8EF&M3x4~Njb!O z1w$tCdpmO@lRnNDszbVd0>!%VSR6G;%#j;(_a4CKtYc#l_M^{2Vk{K~oxw>4QD+%= ziM+ZyI;a`hpEV9c^M>Pxt#-nwQ{ICyh%{EC9S-KTQjYL5;l#pepu~A>@{_9z0o^{a zf~i%wywZ$%#Ts9-H!~_5{&1x2K-!Jp9FVbL$1(d*LhIvKnLu~z6ctV}Csmp|lYwr5 zZ#RSz+kQ;vS>s84rB8wm-2X-wJV#CAlgEm#T3o=Qxqr@UIOS@piiBA_1u8VY2LLTN`dBDl{}1S?M_ra zG1F3?77PDTLn9yN$p5S)4*C2;xrAKTY*_$M776V1%yi|YTjh`ld!UOuuV7e1DvV-j zA(Uncf&c9@8uUc_a|z|S;dN|x)Fw*8)S(&I#o zTA>ELE$W2U^?vm(%q%NiIOr+zOCW8mmECe$D3dh>k?(!bsgKMj-IEn6oJhY#iP+r` zv^4*J#omC;E{utDo)BF*!q@fMpSbCa$F0wg`4;AgV+KJjX9V|d;8`Tf8G1|qT1StO z^|gMQIzYLt5592dAF(!us=3^ac&sEA0Qhy(h)54F2t-DvpjWK{Z8Jvd^YFp#uE?;E zPludZoFYQn`gdm<9wGnmqdlXY>aN`B+K~MX_?c+!MOnfnqdOBhUW|EHxi{QLQVsg8 zs?!WZ*Ppn;n^GnzvvtC+^&JdLaDvl0yrN~*6EEBesG=r$qRRYBjhy}l@y=h4Ys_Qc zsD{xC26ZUBG9g>Uf& z;Hd%-8x*m>{XB% zN)r*D>{T~XaO=EG6@$Uh(vYyDiu~F+3}xb)H#Svg{+-Vt+pK1tKl=1B-CBDxs+S+m zj;Su+4zOtXR3jqP$;K^diJ!P_+p-fO8J5P^Wf<3R!Glx3j#uE69fa$7`ZCl@SKAo(oT@h)?I&P|7>i3I#56> zw(&aH=kR3Ae~lgT^KHHeGZT`hH0!xee($!r3!D)s7c}HwZ$6cxs6Nz#(?$-$kmUfNo&$*gw`QLquro15PY}_c1b+U#zaDTrj>>)rWH`b}EE@ZMhTx z>V`NM^?^5`b{MAj$ilkKe?zvuUC%8z6AOzxuU8!mjvEIrDHE-QuWl&{!!sz>)Ad{R zeI(f#=Ti0%^muIAXso>h7v%8f8K{lSeL(GB+mfuyyXyGnc*%-ly$8!MU20@rbb`nj+kURRxer8 zA93G!5{9dUR5)r&yoO!qB62l>6rl_5hrsLOV&d(%glb$O`3Hgg7SY!b8#5AbdPLWK ztZ)0`&+S>J#vk!ynD%?E?$y%2NlI}mmA-T1cQ?Og8fmJD@{^wNh(^L4$i{e&LSwWq z875z3ZuZBIY1A(18!t)o`H%ln>o#XkQb#~VSnMl<)zBB6xam$~IOh#k+qy{B=Ppj- zVaJ*7FEz|;*b?K9HkXO^k`R?K1Rw3F-99a4nHEnXefj+s<{E=A^n64tbDPSW!OE@o z2cY1%wIQsi_}%{GF~krn=7Liyc=I0<+&gp=<8cHH#s3WfzCt-_xHL}F3lbt2Ky!vf|+0wjcTHYAIwX7P?U$~-S&EoH(V(D}k~SSgB)8^}PHyNVQoAjDwb`KTI!F>y0VOxu$agPvcx>C@@&$sK9rRb0z8X@3SPd@LsZK3*;|JTS zvaSYQbXyjwW7l>Fhf*gzX7#Z5)%5QH%+s(MH*@x3j;=N@zfL314&RIrt5v{wwh0=i zFBO8i-1l2<^y+rXZZ;-5uBcT2xr6_OU-Dtz?kJDM!qWH2dhl7lRE>^h+8MD?a4$c zEw-~7P&UGQ>KV~2W+)C~!uQ<4C4{sG%uz$evp4toj-%syiNcG}GG+qsXq*-ub&;C5$peD6g}nD>T} zx=00SGf;(T)@eQebxp7EwUq#jh4x&s)x^j2)HW+lA+&UfAohbG3xQ*B>1SjiGU=G3 
z=H%wv>nD}1d*3hL*w{?)!;uY$aqR{%`qqc6 z%<59KstU3^YO_Yr#8H*E0r{l`k^V??Jw}FCaw^7!sQL7XJTFP@C?Kk;d_*9{RfYRi zY0yKuNUFalg75fp^-#XWI>@q{_S_KJwT?e>EX;IfbMzf=2qSW5475{Bw}<~)Zy|o* z+Ex1I_x5Xi6$S%Q4`XW!2R-#9roEO$pWAhsowQv~+?sb)_u5mN?eFN(f|oCKV*FxR z_~2W?8q(XbFbVbH%$420=K`+m#0gn7Ceo`9vj#8-Q>-n;Pi0#GWFdWNe(_2xi`cq( zoMyq*W;%8}x8ZLP$~BD+t1`9z&h9_uSpVkjH~DS#wqU*{n;|oh^0NurP~y(bRbPDulPaFL5fS^cPqkzaq7R!0o+I{l-&L zi;z_YZXXiHH3wLXLx%9|c?A4GwI)1BZ;40l+azVPb`2mEvQ}v>g0gC(YW2^%(ea11 zy^A!4imo)Xhm0_`&#^Yl1F>q7VMXUbr`;mEJUi)qu5J2pb1mm6>i!t9sj%jTo7Z+$ z80NqJKzUHEyXj;lT`0_Yr&`+{FmqXPDTaqu^N{~QO{~`?N>TAk<$Tmcs?xk0Xc3?D z{q169V<*`dA{pc8D#zV({tXPR-V z-#SVkf**N#m+lAg**6i&=-ouerwReXN<#LUvqWbkpyh1dBms_?Q-#_W#|bc$zVs$n zA_HP4i0K}TV{nKbFddJSf?ET{T?)G@Hw{<|;da|>?5X;$o8Dc5Lc(1OqwGsQB;X2i z31oDM(CLJYm|C$x7{O9%LtmS;2AXQhka&<-$E<6rMV^p&-M`>aBA|%j(B5itgTS749U*akZL;h!D z@*+5x2f(tcoa3BC8{4FjDMXR=={Xw(WTi2sT_vb8nuL&cT5-|%KjUM5vNKMf+vlj| z%=MXoV9~!Izi9RRh+VqkCt1xEXphWPq@Qy>?1`hPcP=|=2YsH%KRl+&mq}HMEO|P8 zJy^~7|6*RDAmEfq0_otac+mtS9cCcfP*qr9{IMzZl#eODU^-LeF{K_9ncW6nkwCF7X?MvNfJW%(AxIz!Af8&T7qPa5D~QyeK^DO6aPSSn^? z8M>|(DK&sR%`nh*leIJt>r5XYN}uz(ocm`8b*um&3^&5T`AmyK<2u7^lGZGk?9TT{bEz@ah6h1p{FB@EPCJ!ES!d!P45*smkmOl+ zjzUC69PM5z>4=NoeE7|PGc9JCTOc3Fw14Tx1i|wU6`v+B@6@|tICr4Q2M?pOq{ruy zDD3#JoGz9?OtKUS&2JbryKgoCQi=Anvso6WW6|Au!CfuHGOT=9a0E%jJggC8LDtS! 
z&WytFq~^WpG&zp_9K#+*!gdpsfy3C90$%X>?LQwBH z447Y2$V>V5yF04!u60EN8lm}73&QNC?x31Mp-wEU;3XMr16}?c7oa{nct;C-rypHp zaiK2hV8s|iR-S3&hL&e$E0Aa=$4&|89sVDn!xK{c-$WVg2fjl+(X;bF6c1eQL8}D4 zC{h_vQHL|n3vd2?xr|8!Ffh>{a!`0xK(z*Ia+t+V<6@BQ6f#=@#0Yi&e5$Zrx#RV* z+2uy@t0l{I6?XTOy}S?2ut_uFQ;T1hmDF|^M@}5LRJ9Oo(W3HcSN>rto7j3F$w54w z?|Pb)h}i)eFzks@IpPbDZKVxExjd3_Vo^>Bs^@VmhfKT4MY;;G2OP zyF2yZK2p?gyvKB=9pkmPM3Gexa!%vY@~w3+0SD}?`4*Q;Z$0NP zTcm#wghRTWwBB=&&Rh2+L!O+KUB_0;Ns<)UAU2&Fr@Z;pZgiko2FbFxoJL@-a0+wi29z9-FTz=PlYL>zIl`W&gO|1qEyBd-`E`D zSG(BR@!%VMU^c05CdNWZ4b)P5Ez8)DUg{VP^U4zYh5WO4Jo#dUG%axi)_h~Tm64lN ze)wtxi$2FXgMoz|H4iwP4q&nd`;Vz@2kd?9u;gsO+Nc`P#W{;pS9Kt$lk0+xhR)qo=`fpc$9=_t+^o_YN zuuj2BL)`yOl#0ae+cH_Jv+M2jk@G1R3^t(KM4-JQ%8JaY^tujt9V=@Ua8VNo&w=cV z>zQG@vBi^MDM-!2nq2@{0fi!IWt1KMBQ1416va@Q^uI@m8I)z0zgT=TtM7fJO#feID9^XNc&) z146S1@KCUg+MfuGJQtfVC&XiN1332GjVa46=!M^fCwZ6bwp9&9o;*VPah>Jd`yC+C zJ=r9{f|-(ffVl_sBU~1nA#}DOAXP~LAFu~dX~|pKntsVbj6SaabfvgR^XfpV7>Ol; zPR#_?T91|L9^#uHmfd9*C(#qePVW%5OusX3&u) zm(IZ|MmTomO~1I;YMy?Cvs@e4T&Thpj7koM%(SWZkrLka6eHsgK|2;z{rAu(Q~>AN z)?lR}?sow@ye`C3PwMI|cO$w=U)g@ymGS$D_6Wqodm?c(d>%2Nwz2e0)Q#PaDj?YR1*cn$z;;p{N4eu&wX z3y;ddGd}dHEKD`Yc_y7m$@X=^p=$?4MZvNT$-7@LyN6Y^LWl6*|MYzNm;rc24WHDD<5n3KiW{r}sc=L5^hkd-*wgV{R0IAdXMh7U!0RJ`oXNb! 
z9MkO3U%71`*d+Qn2Qy%d?$u*>n6_z#2BplvRZHBU0qHATuy^nT2A4m8CY*I8_SQHF zjipbc1Ut@-VoJiz{R+c>HLgM=8R+$gc0m<2y0z>@`#N3;emzt60d#^-+UN@=IP=qW zfcu~DhTB>8a)yViQ3{2HG?hoF`}Txs#%E3Mn3l=Gp~oQlHq!BIJzV%k42p>7dj>iG zaa=^VpDDw}uNe1{oZ4C_)?xKu_#UQpxgly%U)s{QxJ{Y;UjgSq9UJe>c}ch`Z2n)X zx@e-ZhC=a&7|#0KvgYg`(z3eVB5u}=`f(B)LL?Y1hHglMDW(IQ-mJntDn1hU<+K(1 z;!!PD*zqDBc}*vZGlPJsb#ez?5{Iqb0JOOz$o6kr6GfUQ(bJmluEZ5=sso;zGk04u z_Wlo;7Wv3eFZ>QyoJO$mepo?UUwAD_9w%@fI48<9g!F2|TplD{ga8HV{usA9;T|c% z+?22SPPI8s<1Aa0wpZbxnSZ!BDz2<^!!u)r{@+jM^j7`45`X}eWY`>Yg$=@BDq@}4 z2o)WJ$(Z1o1tIub;9CJ)$r~NnEG~Qu1ENRRoif)>OU-;ugYfir))V7m5Prbr=-bCT zjma})dGrH=$|V&w>7PSTEN{UZK4YZlIPo^Ua9J9H<|h-Lw1`JoS?YJ8Fyyw0ST$OQ@@9vjn)lV<3KBv%lV3|tkl{E~ zE1GODEvnRe+&oHe(jQ{-Z&*evFR-#k9?7n z?0v*R5J(2Vh;S9IGL%zG#E?xOE5Y~7Ra0;ZtbHP)gBRIMVYJ+CIJ}=M4C;G_Ta28% zv0}pAU|RRy#=YWX7ekH9Rf6d*9-_0a@kC1UE#U9L+EQuX%OM{Rm>#9u!i80L9m)! z$V~18d&LZZ8tK=5E9zngV=K$a33`vbEq}S~67BGq|NlPkIY>}(gTf=Qg^FfWpxwSG ztZpoVozxGRF7yibiBH@u&Z#$^KsjoisYxJliyat_q4ni#*-TR7Me3G{XexVG_*)IT zL~;GdgAo`XaI&sBu@J;Lo5nt^dLx54Ok-)E&em|?#8H0kUdD(=k8zTDNY7Z5)E!(^ zW?94B#C#IETiVgcWTIxv$PX!`EctTB(cs{kpf^Q^wjfAeUGBW0idS)#U(hTWPLz{* zJ%pYJ;K8rWmqiRNUAYF(?dpVkJpCm`1VS#eX)Buij z9&E%0a$ufQWo-#tGesMh8g#DM0GzZx*XH|)$a3dKuU^@qX95c*WCh2+&Tv1 zQ2LAmO>l7zup{8>5UX0tC@9KNvIePwy#qS3qCOH;y%NeZ3PXs_qnY!ea4TBXF{!dVV{fa4bhYUi6Cof1gg5du7e_pN1%O-ol^(RM zR!xoNV80zFDy_tyPLc`|mMm@Nc%bs+q6?mIyuux9FflwC+w`lHshn%c^5l%pVh)X= z%)9#yuL1qbBFEE9`ymHKy;>bhz&`+E!A&fd7ODUuh5ULBhcfL!%fi5 zQg+LE$~=+ZV0aKb1HeNKzDorQ>v6oFUstE%I($#%6PQn`_-MG8=E7+B{aWo7>HCNU z=sE>YEtQ=es1II9QVdV>MA;hYO!)Oh44AWye5{jck-b`TlgU>RPRd}f3%_-c1~Y^> z*LQy)?vPPw9M4Pvy}v&pGS5%EYYvyTXk^awaZbr3B+;;mA|GcH^)q}-`AUHDbiN}x zV4>;LoN3k3U<(MljsJspsu14=Q@o6zbTPIDinY4E#|7%WDK<7>9)~uN0%R|6HybR0 zjX`}o{}8p|DK_ zoX56rIevbl86n3E-$ji$!c9POq9lb*M^lxDrJ#6%^EDk6Aj z^@8z}@nFgTG<6`KKdd9*QIwYjI#>|pIorPlA0J-`qqJOU*otbgWc`dKHV7-Q6J4xK z{n2aadp2tR_oqD2y=MDbB}IRi7ah<3H$7R51%=n{{6RtoxvRX*EC^1@3;Sd%6VT${ zyL}{!Fb|P~XX53hP}L3@2~}P~O(r$3E~zM(mxhxaC-Af)r3w9jSq59UqhlR{OpH`2 
zJT4nv(euT@o;lMpNSsy}7W%`XX1d(J7p)K-h0_9Z;Y{c0`_ojm=whz4jR=S{HX0G} zEa%cY;Y><18wB-RGn6Zf-g|x;eWDi)?*p*&CtbZbrRfD;-b4jz(sRVrjLIeEXhInu zj6jo1C&zO#Hmgs%eF0nbwJ%B?-_}EuN`XG-&<_hF-zdK5EJK1cb>Ect=m$Ewwm~qt zNB=Y<6FzfPeKdgjQLwKmHlmul1i0T^EwmuRCeqU_`H*Lh=*?PW`KHjFmf-jCm%1l; zBt!27cw#d}Ty$u4EX5#L;{as^SVv)~08_hT#G>F!G0?|m(i+V~BHZ>%EFH_(-(`ViWrkda#T-o_!Y8@vZm>=J=P z3|(t-mTmskhy4P;VE)s}^qp^~M78M`=MB3-?7(*!)tE`>P@4T6`4Jx z?@t2090$8K>eJ}Hh>eBzNcN&;Vrp$##gp~j!srTqfmWvkf13LgC|LAd+O(V*!?F%# zcI6lxfTt3lEjVg*BPMG%$B@zY9gh~I1?d%ECc#u6+-?_kWiC(O=tSMDXAK_lF?%)# z+h{?zy!;R@djC(*8Haq0F;X&;T!<0U1fJ7>gi)7VlPus%m{ErRwq)9%!t>7X{Pn#5WDga&B`?h#inM|%(IPauQ8ik%C%5LVG)XZ~E z#$cLAXnWRHAncI66ad%=M;$+Qd9RBYi~dpTKg^(SwS^ zY~c?tMH_3TCBlPRBXU&nc9$i|qII;j&63hih}zAj^hHxOv7nEQ_)v$G72``yPnP*YGE zY)_v`jvma?=*X8j;8#tlt(RR})k)V)d%W0ktGFi+MhRieX1-B+D^!EV!~*AofEOSr z;#W|yS748$+hRM9IyT~avEuns`<~omMerw|fbPXKP<`f_<#Pv+22FA6uPOq~>KJIo znvBmK14;Xy+q+%BPhIiT=)gjrp4i$L@h?d*2sJjYTT4G= zO@OO2poHE9H{QB>=UR>?E~8d0upTItSsFI7hQU}wvBZXl8e8J>52 zN?{+3?Uj7_r0AZskU-Wk5q$aK;+nyz)@E>?*g7n&LhLBEv356GL3&$ zNa!Xebh7Vbp1dqv8=MCuuGsze^~WGu&UBul5CX>?(avu|z1B#SMWe5_0!~LV=$SXw zx@i7FGFHDx-SdxPtDA@%bAP|;O>XF+hQFT@a?lVvAQiaq6LSzFu!}QXao^9bcTlCh z;pV`v2BG{;UC^J&2)!IJ>;rH~%4TUBUWS|`U?l7H`N4SIX>J`}jI$<(bYuTRLC0;A zzxoFGo0uq4q*cj%o9$Z`xJjoIJc!`g8$V*#c^520v7k62Ys^C4jq0pZ?bM z5yD~I<_dg5uK~yX`XMb(=#6*=V2KiooA7i@Y>s#G8YmRQ~&WB*Aqj`$N6 z6tY|v36XJjYt{I}gt{=pp*6B>`EkfNyyz6ZV>@Neaf?DMZJdh5*&COZqAPUA~YW59U!qX{Mr$m zj^Jo3$P?JNp*6)BPmbM|Awr;3)OX2acwmY^QP%VTE1 z{@m(*VL??CVX^=1pi6k@UXTNUF+uF5Cd}NZ~j(!TibSwg4;tVn;+$o-T$J#>L=`_&STFDrvsOMgJ_ zLv!!l!txss+>*E%i?!EHcL zNM%4E?4SA`Z12Fg`fR0gd)~ZtbhdHcTAUBYe985=hS0fzxuiAI$ zbX*yN+8B3;8UOPg4Rv(i6pebJ2$u|ZK}+Y==8uq{BavUQb0191X_%6CwmQE#2&qzY z$(Z7A;L`4%i!kJZ_jPbNX|ZNFfaLD{gD-=%^M$d~|fkiGD zU!b$zm9G?zj6IeC4(h~tL#Xna^w04)a6b|TUcaMmSQcEV%^@}XG>Jfsnx(v9L8ni8Zn%17s0}R?%iRO++~p9@j8Ag;egW4y!nG~_#9SWPYv8( zV*pS1Iic}*Cc&oATost&X=Y%$T}B=U2DBCJIzDs9o~(puNYIE{H3u1XW)O7796Q}3 zIRdO)Wlj_B0`>ILtX!R&lS#oa?kIF)S1R!9ORNITDM 
zV+Zxz{&*O1lE&EoY+ogPB91Trkjusi@ZsIucdEJ=59PU>2?dOoyV}jocCtJqdYayzHtw-zRQ~r%8$4U6^bB;i+q?K3xx)jeSQZHSRNMlU0QCpSElGwlQXTJ} z332z#i8^g?orgDm#$$&ziVP|HKJ>k8(8oZh5Eqtn@ej}octBhnl%R!^T0jE8S|rl( z@7{6KX=OOyGAN%(XQOYM=mxbCEjY*5x=}#we}oBJT54-%RbhtK40FN4Lv!aB1GMKZ z^_%3gg(WWuP#Cl`#x%|q!{@ix%^3C-|K)hw%41qwAPV!8-9#&lKK|h4`vxp%2xna8 zmkX4Rh(vo5_>lo>|7Qx+m31^YOHkO{4bGx)3J}Tg?0pmRg$hj2k{)iAhw<;=r>Ur} zxkZvayeMG7(;wv}N4T;g*npBkftuc>M+2z2VGs1GP#!XPsBrLqWQ&q*T95QWCizhs zz@A@j{hv&FJ}vCjhkETkFHE8}aKc7Bnf)t$F!b~+J&|>*bEG55>S|M}6oyD2dws9CO4` zsxaKe|00Drwi=i2tD-PLNMQ@1mEJT!6Grf9f~-$_sBv}^p%}$q-kjtFcf&F_{*F6( zGZ-d-v24hl=i4AYDk-YS1;V?a0 zj77E;MLgl`sQ>B1uZtgUdwup5d>`h%yJ%hk?nM)I11=CT{K2SAi~Jim1bqy9uA|^$ z8^`e~I7O^}aqCHiQYian{=+v}Ac!DC)2M`AA5Z?~NI0HpHge)!)KvnTZ`Oz*;iO=q zf*XX*zjT8>xVp+7lBE319HjLCd;cLB@gb$~1g7ztv%xIHHc2V_TR$Bu`%N$xfmbt_ zvcKtqgmhReZwDT3T^SzFR44hAu%f4AU6{a-Ql1sGE?bQ(ZMW@COL&QozmRuw?*Td8 zXEewVh)@W zRgdPb%paaq$?I@=Na#Y8|Eo4KKn`@Tj;pp98c!S>VxHN=Vc*0NJK36Vi}edF53D6- zco0TPq10b#=Y{NUU_bhoAP6B)4lv}i@18gA*HiR!7!nFo!nTFW zaixv6{i(@s5i$92dK_S(SEea=?d=}7Y~p5I&|bO6zyBU7-Pk9Xa+C%g8t$kBW(qwE zLoG7G>kY$FSGJabULcHtUn$^QO-$3zG(-T%et9A0Q|B2_)6TH9+1d@BVe&#wfbT+$ zs6vN11)mwtV5i zk9To`u{krvo7jL^HHzdj7~)IeyKi7XnHJI&7Eh36baOV+EO;|&c;SdVf!`TLlR3#X zO94wFm&#H6v)BJ8w;HE)$JsI+tth+z0000000001qbf!&YeR?Fc@tThe9^{_Dh)#_ zUWhkHO(%B6N>UD7RC08C@1ZhR=tKZPz@NUyt_kor6IeztNU}q)LG)z}6A{%I8O$C4 z4x3bp);T*5st`jDEw(c4@U-JT2V485+#1TCe3z$EV1;^Vcd1AojAnwgT10E@!!yB1 zY`!JlKjby5Qz{H{;UpoeHLQ43orH$rfE~=~t9ce!{VL_2@gH=b`WQvzRuei+V!Ek5 zIv!g!m>ko0%Npr#2Tli0YO(@Tt*05{b#L>24I z>kNb9U*W9_ii3K8#=i$Lm3b`JWV4ce(wcp1p7I~5VSLdlmgaow1zHk<^r8xS!)2d^ zD88!|-TC3%WGthHADf_-yWpHkGF`Ms9x(DXpKL3!;uHA$N?7{@2KiaPp+(NiTfIRC zaWsAr16e{@T(%;e7gZ<6LaH3yAWaJ+?Tkcp+@NywB3~;f*oKrYE>7fODmz?@-Ih^h;B@?%j+?FAoRU6#LOz;W>V+e zzUR%_Q|>(M8@~PlalkX|jDU-G1%GSgC^CZ>DyIUYepIW+9bu0bnw!x?LiN@9*@mHu zO<RC$wHGw%yp-u?pTjcF_(fOpr?LB!+8cw%gHu7@}d4V>=b2J-gJ zN>@`Qv9cz=wu=&3`|O%6MSyD|pF7t41;F?;fdK4BI*`YT+7~d4RC|Xw<4NR(O@!lk 
z!#&#TPo4Na^O3^3gf&=BYVARtQ!jsdCq-48Q=VmQyKik{h6Ev_L1RV6(Ih2LJ=tF5 zmW#vR4X0}jXzCGA_h9J@^b-2hTgjkpPk^k|FbmIKyhQWiqOh&M)ZM%nOCsdHcvLI7 zlxBmc<&=cf>GyLO8{)*#u!$lcXA|;XA-vUdIp?b~yGkkl(z(Xs8O92)#iqrX$k*jF z@M6=GN&?28zW~%dD|5rbcINbBE@{1DK>s)I_E#H~O8LBuRQ=E=Bka|HWgm}^dLbM` zAITmXNomZv00d1x0sw!IGvF3{2&K2kCg=+`1pIg6 zJpY-hq=Z;}7yUp@A}0#rr^czrbI1kSGg~!?GGnOAs3)%It5p&cSOC}b9#Q85;OL|b z6HS{kZEO|clH>8JX^Y0Vm0sCjseN6(JL~4|EOR_UqBZO_*RoEmaJyCrg2+OruF~DL zmTQ)k-7^G$lrK~aa}C5F&AE!yB9__SHzUrWsfJ+uH3(tf4bWh?;eusb!7{3E*$4UQ z&e@uKoU+IvA1o2E3r3(|K};TQvSAu%rp7~hvqmGH4s)hxD@aV$W$|~#Uy6N%;Ny~M z6C;}=UY2$Uz~=Id2=UqUfA8!M=sU$(W|Nq|9*XtjG9gn_eJpG*OR>)wdK zU`n~7yr-bHxWA+;ACJ1-Y^7?`*tRg&)g{?_rAoiNcWk63JgiU*92y+NKgGr0w=x=* zavv$suUq*a^=wD)6IqK@Xxlfv@PN8W;k1`Vr9S)-eL*?X>JI~LBD^Hcy94zQ6*&fS z+g^wpS%p$O*#G=-y?yo=Wrw=}iYjGA6XPF?09^Tym~Tfwd{d8Y)c-QJOYQvq*kBAH z^CXmOlUiCbl*%KlhEv)FB=TWw062xr5tw5!DG^>U?J5efv*`@?O5tJm1JlJ?@Rx)2pco~yCE<}Hm#IrAbLO>cRW1TrxmT$44Yg1i*Yyl(t4dC$ zn;5_v=Ra?OgPKe~!-PI6%4Il7OKKf=)NGOQq-{j`DMU`HC=jB@H8Ur@g9Y*vaOwQ7 zC=&&E{{+GSST=N*cc)mzq+^jMp?rVHxn17{(<(^$$37dCRI=7$=Z6<1w_m)Z=%eq4 z5&38G@){AjNoN zosl*4NXR_G_*5M$9zBicVk*>87=y06GLtu=v9f5PR{8c(96RnPaV0@$LdYLDdD9?G0G zUX;wM;C&l{kAEM=^$MbM(HF_6~NcYX%ISU)eN`h$gP;88ch`}sJg}BG8IkJ zaTz&zTQ{^Rgi;!&+g}{Up^c;cBB-I^^8iG%nmZZ4giI~ELY1dQ$mk|7+uY3@FqGk( z_f>*Wu}a|^x<{3!ldO46hfMfBj|k4>1exqpRxgi2Dn&MHOa=@U-=%Nc775y?5ZW+? zrv{H#)QN}Dh5W8kbo3^Uu?7n!ZwkWi0Wq#C{#dq|>?`wyQ#}j7>J?>3{guCVRM@|w z9>~Nh&;|xA1+J#Mkfad+ob2JNQdjocx*`BfN64X(n}9cop}#M;;}F6r8n%;0lJ8du zqr24)gb>3#o3YBFtZzM#hmPsKhfqzqxW|v0xO--o}(?PDZ;DPW2 zl;EwSyzD4_JC3u!LX=wP6lm=LWtiwAOHXXaG9DxocYW32!8`Q zrWtCg(2wKWX`_o=Wc=~qYPFxmw6=TOEX! 
zTi0W*T5d6Q(1%VVFf1O79n@0oUPsaB#ZR$^^Bb7Ii7k227nBSycwlw6TA#A9dDxSqtCKH%+^ zDoNDIZyb@-`k1a#E#V8*q%$ zsXft(nrf&OqaxV+I^5v43JLsT%0kC)Tf<>~d zvmGkU3hL*qrd!s0W`pw}Ekz9W<&x_7Ez8CzjD_0YLz~K=CItI{1A{I@;m86yTrr8$ zk3UShN7QVZFiF>AZC=jamFD-VH)bZ zA`gQIKf>ZampH2tP6ZQQ%F1?{ZIEd{>4z`PXQ{}Zw{d5>AEY|@xv%NAsA&mh`|iTi zvuvb3t6n>fsbvxJPMB^}Hp{0!RnfK_cJZ8A38wQmvl>+++pZ1ZgoHlq#hL)v6)3oh zhLj7qv+Wvk?W^-GsA-d8k2q2+OCiNgnKd(i3~>J{e`ytiv>6%kaPq<_dyF+Ays{y* z`9ZCDJ8BQRc0(bP^RR)|3-s&nIw{#`#R>4SFVwGUz&U>;82)_@s1@MeWG4l^=tlP< z_RQ(OsV^)4m~B&`B}jjE3C&&5AMW*-uUJUCHQ>7%Y5u9p1Z@V$5!xh>RAUd8NERFN(?I&NIuRab|-S%TStl_FiO zc1pNT!{Kp18Cd$tWHcSs>$(d@BqL_L^h8vRVR5qu>U)zw$mL~TA>k`4m$2z6de;FL zD7?>fCgdkIgGE({D{|=3rLWsN5k?T8#_l~citSqI5%z35!BDJ-RxyIlB2LFv?dAiR zX+q|s6~D#4hXoBk<|FN|GO4;Nv)2J{b@lw!Iy7O7iDCnbHcfZc1}PZkK0@+cw0+jT zzoO;vkaM8d$|qQlT{qVf7p$INlmJ1tK|T=<06~-%sJqVc`;Knc9l$UE;Ei_uLC^p_ z7RrRc33Ryt8Rg_*Rt><8k_rGC-IA{NwpVr-ZW^}}D)a++2Ytvw01*;6@wSGAiiklE z-Vuk&w1 zwIJ17FcI;4TehliW2cAXCwIR*0Q6Y?u(}C<`|pF!LPlUJ{CD%jPo|Ablyj{K$S2~W zTjAr0?pOt{H22}*<=*U}FF1Kh*VGa7qeq&Xinl~1vJF}r!iFPt@tkYw|K~cs&-~|C|2gY}7ht*Is-EMa`j>}iI=}hOul~ZQ x7-`V|)j3!fuE6Ly)&I_BQ0ny*qd?yrla%K-SI5HYikiJ|{0_vO*-;Pg00186N%H^z 
diff --git a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp b/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_4.webp deleted file mode 100644 index 688a5338f566efbda62597d58597637e35481489..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 23902 zcmV)NK)1hANk&FiT>t=AMM6+kP&il$0000G000240suS#06|PpNQnUe009p${}B;F zjthCC0F(Zc6=6WWp})Q15~L69ThPA3IN=^m1h{y z{|Uea-SR@#z5jau_5SPq*ZZ&c-~THn7u3-Ope002H*-od?DFFzWJXfGokf#wIHlWV z^y^sD+(RGTH~~T1bem`DNJ4>@6qooI$sx%xIhjXDzz32xB`H7Q*Dej`kupDOQq6$2 z4%%i^OSR?6RVwR9sze1mZ%LDo2XLf@x7C+a{h9P^B(PTaFeWPiZ2?$mNmhFAi3SoS zEM;23HHim@6eFJGeZZ0mBU_kA{P-Qk(}`uV2Oua!0F2B6SpZl89OtWV0ZVNQjC=y1 z!m6XxtBC?IKp?5ysu_zDtBs(HsvO=TOat=10ARRj064OUYz4R%&wvDyQ3YW2nbSr? zA)cY*6TDwV#}VRBt4JYlF^J4mQZpIc*aU!q*@VI{(fJ8ZvP>XIhpai$DJw`10BoQ< z-u{VXjXqx22bnFL!{KS<&qa9_uKEC0P&go_TL1tM69Jt8Dz5@P0X}Uqlt-i@q9G>J z>zIHIiA~>!Qy6@+ru@$Kir0S?{Rj8&NnVxmi|0CeSp(L&Tl;r{FY}-8KeqdX{~7*| z{&%Tl~`zK_NaaeujAs2}RS0Dn9F-T$BcU%Qw5zufq_Gyf0CH}`+~Ke!+JzC=H0|Nj5H_W=LL|NsB5xCi~O z|Ng)pu>B?ef%!4!SMrbP-`Brg|EYRc_>ac_QU1;QHT|#ItNV`{9U1;x(I4X(Z7A4y?w&`fqpOiZ~E`|Kir@0ewqJX`=hik@xSB$Fn$4j zU-wbU#&JZL9crNo(81d{#A0g+fzr{K`WFqqON$Qi0r=4i?5>9B4O|9NKf|#yzMOH2a z=c5dz+lw|IPX$30$mqTN!xbJ6V9_{+beQ!+0jMj0pK-^8kc&hbOnQvVrpo8(G?Zpu z_#cJ_N|cT@7}Tl5RP$>@@B3h(5MXT?V*S2xRp~o!4+m>S>W3b{WzWHOJ%Se%oWLc{*9*A2rU^o+0yG z)0w{-*m&nIYW3^pzJ|pqySQQquP;#|JWNH8RI-y!o2nDD9E#lLk>dF%*K`?ZSMuS( zxmj)_I88l57S>{Mg4>qT$-A+vRC$rqprdIaMN%36HE2-cymfqpV zx5T)nsF_~uYe;J}>`z|Qe+_SAA-t-rwD`Vh^h;c@g=~<#h&Ow)JfSEM?Zh!0%h}^i zU$wkG{{^zk3SU*{Bm`G0TmI+7d?ID^k$0{-$=%aSEM(^B$C8DUmbEpV`VoMhp%W{P z<^qIZB^3kAsrK`rp>_KG)w+N*DGlUoGA?8>R-?CY?)y-)_WkZ+Bly0Fu%IkU5Qhb~ zFOz%`_d;?u=OB3Fa({G>*Kwt6>FI!XrbOVRhded*5%(*g6M1{wBJW2x0H*ICDdI9n zPiIe(rHP{;GoAZVm$MVop)~onHFz=U(54P9nX#9CiA&`jP{%1J-u&U{ewKSHeYkz^ zPE|()>sC>l5Bh4P*;;MfY%|5(5BdDs8#m16;a(D@gPBq z4>zp&3Dc)BT9nL^a7Wz+ErwCUbr&4`=!faaB1Mlij@WT@l9L-~>5K14HM(nNwPRd8Ed32v@!Zqu$Fh%aFqB@-n 
z-V%CrDT9lmF(X)S@os0s?u6Mphlkj=iXJQj1G4r+R#p5G63h!k##}MX@Nyu9Y5ic> zXrXBldNdmOET_d=q%G>?i>$+QMO4x-*Rsrl>QSe0pq{*rI&|hMQkX_Rm!<+ip`g%5 z-61J+Gl6X}JAkouM*=?RPMtZ5)SboVo-(|$iO@V&r85B7Zq_Cg!Nt=zgr1!WVB+bU z!cR_xFlrtS0kUZ7BSQ{iMsf5->kwA~qDjFYbSF-k%-@#4y$$<9A5rLXiaReMI&|hM zQkjxY2R4EhAx|FhojHosreu?F1Jwv;PGYqwnIzzkx(?1uVsO@yoeEY&y^7W459 zc2~8+aHLIRh=k^ z(Qy9YY){VVjJID^eCX7y!D6Db^}84!+^y2m>kd*!*p7ClFwqEy+0LUp;JD~j8xOJTXiM2W zTU7bgQQ{#Y2rGdhKlz3HULA1`=^Y(E=ZW^!Co{?7q8>apPequ-hpa3Tx9-2qPSUOZ~1;h<$0OD+Lq;R0{fH+a+&Ikn^atV^< z()UzjRIC#4h~Vrq1_TB>(Wy2-Ty=2-LrD(e6uI%T5+*izm4!I9>=aRh*a`~MoE639 zUo}`Z{3lmE&EHIqk6z)oT+?y?nZdc&{P>r-h`EC8lb`t@6Au@)Wc>en`MXTNSPjaT z>}T$;mqJ1_j9GSxh^MSVGV=JFkh`5%8m!jik-G3L2j0@Fhs$rO5Vf8fbF4iy8ypAN z-@(XZ&^=#>K2+T8@o*O|Uy5O7w{7sbIGWbf$i%naP^NNS0%hKvX0{@RKC8cQS8E@V zy<37oJ;~P@b_#K)QO8<)qMIuEb{@Y*A|Ti>`SHyjHhRu^a@5sSkfL1cak83*kch^_ zds^9O0R4!#5&KHny(V#WhY1=iq$1jD_FSjT0Z)H)nAjjEPf8vG5{8C4eO{~o|3H1) zDq#&84IEErNpOS)Pb2K#{T}sL^`g3lqaWY0arJM>BJ%>2awtS2SO|`7)0q(j)6n5a zFiT6%XKJVPBqXE}|tKEss7 zfYl-@9Kz7=@Xe{4LSyKDhsaPfSu)3Q6T2-|0)_rgJB&Yktn)i+BWn8cMEF z32VDJir?)c53@8zQ}0{3My|+-JQ0_;RY0EM)l2CA!T`P+0m+zoi~b(VQq3)H@Qsc{ z95Sw~MDxw32t5QhoPVD-(bxEBTBTANcbrC8^dZ{zwJw=lUY9>nPxm+;^B09otg< z-Y01L8mPN9Q4C!wB7`K)%}B%v98SwJHP+>Yo(;|vt8Duu)Tr&sRJxOTJsJ6l(Zq7} zdpe6>o`S_x#$l8cj0?GDAmCR}s;1C(Q&)Css%IfIun8bR;x%G+$l~cqR58>hbC}tq zMiCjXxqaJrg?3x9U7c3hF)vEAb}hFb>dO`T9qah~XXIVla!OW}{IYziVL=aDn!m&X zRR6s-$U}7EgXqZ15tsqzs7HQ~9BcV#mvU7Kdv~Yxwe22tRl-YSn>mEMB$!IzTc2@v z!tVd1hRjS!hJVb*=#vKf(Ox&UR#Rsb#?PuJCY}U1M;3IQTkWBDOOTgx^Wa7_W(_qe z)b2(QZ3^3-D5YJLzjl)*-ii zqfBcx@w4oWg>2Bt21^ID07~o9WJE}nPZu&mAeIHx8)P(&Gumy=vU!g_izhmN8#5=l+kz3bx1&Q6wEnD`{jLi9t^Jg)#$EngEg)F6Y;ut@3&nIAq znttnOW%dF)Xu23QY7I@{B~FEe0y{A^;G+TVAPDXp2p^6d`D2z!v6la}_7pO66najW zI7>I4^j51-;W5Q)X z3qscAojnYM>)_Jki(T8ll~EZbw9Sw9uBYSb#ySbD=pg0ElMWx+SIG$xEXS*D+nfv5 zcwWk?gbX>H@Vn#~!q4}xH{(vTkq(#1dJlOcuO?zVr#&H8`1_E4Rn$VoPM9IEsMwCW zj2mCp>=O_@@tpt?`2@0sIyC|u8K-5V8-nJeV6zO&8>s~kw}p&S(M6k 
zJ=0rNDd~{=PLWBkhu69;N)XzxoiZ0?lnBU`cEUR@4fa7hZaw?Nsw+4z<<1w|_&`Wq z&!KhyF43u-qHC*No1gK8h(7zdhSzz}t?28{K~&=Blx0A*Ur_x9ezl}ChRGO3L5JCsJGhJdAkRwN6@!MB8D`^xZ2w$!(QmLPRm=EZSP`*$w~H!n%%M z#Eo9JQ{N|L7^^(jB{P6;C&o2r@>!0VStL}%aI6y@Rvm+bCZC!&SOhky5%P6iZ-OJU^2#EobN z0n@0R}Tqec&>;pqhVS&*DIGm9ORD{NFXr^-iuD zNynA5g=1~4SHC%u6^MPpH;CTJlJ97wGUtm&7=qGE(r+^lXvJu!E9V&1w9~g3VPcHX zFEL5das(FETbO(dHk=ITnXfjgf%0l9qhjaFV;EzqT3~ED1`AHaDsDx6TKe4@g8|o7 zIH(!jyQlnu&}Smd=sb;k)y9Z@RTpR8+d?_2s{;=d3-ZySVH&?R zUAv?pbnt*j+opx&f6se=ld&s7?z%>9WdbGVANmXxlNG;M86?EW#EZ3i0cK<#ls6Ot z%VK#S9-?8y7ag`_xpIy4SgtQmseiYjJQ;SOIrZ2Q4^Bak3JzV7PNI0LgTtxX3T{u4<@f$3DOuCo~tc&Wg~te7m-i-wTRC;5i$KCh1;i zE^F5sJMYaxk2yVc!-3HR2n3WHv7CpdDyzws9- z%=h`8gU<`%BxSQPQP$G?mLH>hD$JA}BjI^NVkx&Hm@Wn^^gOYV&zu$VbD&y3Jq^G` zuDezy0(H{acBWMENclHvQWL=6lGp9ScvJuW88)0BFewp?H^I~XsA8~+KGY{oP-s# zY#v$}sds`n<^B}c%$GpKgat#!&XDfFWe2ls(s&c(Ilr$yR}(5kDwW3Fe&-j4$~B*w zZ3LD`GZm|+=3ml+m%U4=A??vsJqd3CYzno`C8bowS9JeJ#>Y+x5|h?xV0``1@N-HP z?=mJ0zJ=>6PBM0?%Efyv2&6=~v}~+ai!9h2@vt&`7{c4>#g6ZRW!iuIWQ+fEB`T1W zi&pMG$-g^gloOt7-Er!Pq&P%hb}C(q(=@C>Oa78OD@WF5L4#}RyM?#rx_CH{u4R}J zU-VXZ^wzv-Tb@&Tws7nF7;fbRw^;JlS`PXj-%=CPX=&tE%-c^Oa~C27 zTa^w$BSK2EW%!lefcece+5ec9W`47-Y(-@&=Tb?i!odZQ7<>Arb-2T=7DipXiEo{z* zObp=_URMMVp;|?SM{(0ZDp;UcFkBHn!s(6He!Av*H1n3N?xpfA{uf+#UZ2qJUpB?r z!7j7+E4c(mY+ItBYSW>XhnSF)D1@d1EKq&Sk3w)=_G7DM0Vh+?$`#>d*G`aiZ$%eR zEe{)>{L|~f7$Xi~hTD8GIVnkQ>K!nEZ;~~q@?8@#aWi;?j*AP2c!^Up{Z+T zbUI*V$mXkmY^8u2Mb$kCEfPEF?rg`~XM?7hLJQ51-5uA4;!eJjqu%$kQM$^I>hdEo zy3y)uK4;7rI@R{PBle3b+`vqqKf`{Lll&PD@O{#@G*4dYGsN3xukR1PcgvTp2w@To zbW_V)w)8WL_WBe!pKwWhO8Ai@l(}zWmFJ?b#uQgiHJmV-L609lH6hPgce3_E>BR?! 
zh!PMm8?lP8l^N;{Ditm8ba)K4sr(5+@*K8v8opjKw;CX8h2bqe6=`r3VgV1H6!;Wug@K&Jro zvaqpcvhc^(iJ^Eoq>k=SznS#!U2T#Vf6O#n^GO8t>c-P&XYqh_Xs^v?fC$%em<0J^ z5j-YK`hdcqeKCk+AArJ|t@H0R!?87d=javV(9SmPM<0-q;ff;b_Dm+YiVEB|v&bhD z0P&$k%VVvM5p!)ewum{L)C6~Gw14h<}mRe@Qz;vLUlTdN4)#s~KX3TLH4d9J_vGL>PyzJJN zkvcT|(ehG`nR+@WdE-uybP%ncf`Q}BP|t(z6G#b2WEK)`6HKCs(xa3VN+4~jj3e_n+3Pa8RlBe`}F&KQO~@tS86R8OdSf7II!`=-5i$mTp()(9TaM6fqc!;Gyp$WAbIc zO!-q&*>ma1IMVNUJulCg?)E^=NFa#X)%g}xUE2F1wZnw&D4+lRWHE;AYqIQ0JAech zq)$qM0(Mkirh&}0eoH%IuJss=ZGzxK5x4a$JUb?pGnq)QTJ=avTKs-MK^PdhWpFs@ zve@Jfye^XQsJWdS6Uk6fBTWd%(;@;6r>UIcoD$pdwc36Am7W0DHLNtq z*)xgvxZ(&fdXO~lYn;&ybpqb1m-0hzkluWz!Ogf}tw(`4Ss*4Q?U|^3>NfQv^rt#; z=61GYNj04@#efwjRxixHCZP%|vvW#HCV`K2<<^pMj71xUaDsmh?F6WBb$j(8Ha0&OrkFsCwqrB)HfY*EZ!zp5ntabrI*SpBY>(JM)eiwXuRZ z11$W@y_<0^|08v!3(*VdaOO&e5z6KF*+XUdb#C5D9>BRyF`N|RGnCPI$zBP{PB7?I zWD|Cg!#$17rpGqUlOxDrIt$j@B)5+rwkf5!G@Hd%J4sbKiA@-~d zZPgwvu*QA`?dM{G-W~fR0o==^$mZR-=Nz3?`~?Uxn(Qoe{5u$fbdZkzly)KpZgU#y z((_r&p;De7txTDiF@_^0P{CnCpRGzS!+?xcD^Tw;Nr@}ds9uVDI@Op;SVTkWI{< zQe{WjCOMKALSC%y+&BG&4+^oK^ee6!3GLg1D;fMkKO$#8J6P~nQ{#u9v#R!|+K>!OD>0?xqDt$~OG5DWAx zi|fyA*W@(2yCG5^r;r=Ex(<@I6>NF$*XP3Eogb{4D7uBpDwpnD}UVB53h z5hv;#iDXG0$UGYRAx3e~#1Ryd$Pepbui>idPaz4vEg?va7m_hM7_jqCxA@Y$`4+m{ zb%cb|n^}j4?;#{AFj!i*gDy^?3Y#}{nxz6+CU^t&0YmFD$&BRDOAJK5)oD-Qxw@E`#_z0?A;Hw{5U<)0Uvh=Ep6 zF;~krO&2-teosvhj#iMvvCM0rSv;sk*o$?`)48sB5>^Onmpk~usg3FrM-|)Ht!K)- zqK}dvQ4~(;JNgBn_7X=1XDCfDAro$TFBt{X6_^{^#0&ro!cT~Y*rfAj00003!*E~$ z94PA1;XaFGkl#W7Lajhxn&Q+MiW&4yUmhSQO$v2{hj5AV-(Kf#l9(pzN8+F#?thDm zF~5R#Abt)Y(O>`tcTz6U(3OFcths-h^(@_byXM9W-P7+TDqFTgX|C>yGS3B3tx7gw zD(R)*yGraLszy5tY13AECgm|+|7mpvgcIAh0vrxuKN@OL4L$yX0TVdlSRO}vpHj-)nfry0g(EN9E^3-3-_sY zO(y2UED%PUsXJg!D>!wlK;07sK?{J>x=2Z|&X8X8xR9;U(L-{($*591{gq?Qzna{? 
zQ#NHf8Fd0(Y6KKgI&bt_ABtWCJ#_xgK~dXltXDYgg6@M9Fh_`XC{o9&NGRpLw4Ny; zLdCK6xl4mash+d+OCgIORvwquuaVfme$e5dC2z$b;UA8~qd`SXE?)`@cEp;$51y+| z&Z$z?eA<=a*0mI&eLMJ$M9_Jd&F3K(s1?piOe%N5^!Ft{SW3jvf^r#j(SbX-jmEj z``NG+TLZA@35$)2vj~k__RK{|lM?c|8r+E4C9n-D!3a@8m+M~(QbJt>GeOXd7x#)A zlfeQF0^CHqq$LlheE!{{`lJAiY9$FqXjH0T+;)tsPf>HC1ELFf%r-@Ip!Fo%%W?2_ z3mFs+!Soz+M`ZlQO7vl8INZbtzj$`%1x=}2s0lq&!(v|5D(x{l^Z3Q7^D0u=S6m>R zB-i5`M@l~p8VIF~Z*r|Cphdq!N<3J>KG>~#*vtB635-OSGs3C~dyxeV?`L<2t+6!p zmLFRk_3m9OUTL<=n&xHgJN>s_Y4Eb^5QU4dp_0JzM_^oq?dH?hkT6CI7b!kKb z3%|9MIk~MLvW<-2GCgEc#Y?%deB%;{A_ER6E2TZe{`2ptV*3_iQ9kZz(7rlol?0Sh zQ+NDwa&aJJ0-F6MUi1IHM;#LFB9SDtFR1IEhYf+g^Y7%Q%AHZZyAZof9`?*R^_vAc zn%VGa@f7F=ZB;WeI>cAZ?o*XWT5R(6fe%kUTxYbhyha*ni44# z$<#@l?p^}A)mZ>xM)mtvwZ^ljk8u7(XnedpvU1NSddJmfSDu7dRHb%MbE(Pd-ciW9 z!+Q|wL6Jl1A>lX|3IY2zbrhleHpJ6=0RtNM;cZ*8F6l5)x5G#P03`xjKu|!Ea=;mB zJmt#S2T^B?EDw>smOZNbKAsTlguFf;7u7j0O_1joXOmoV>CSJxYY*?1nP|kU9Fi8+Hh7AIwy= zCiE^+ZD>=jPd@$2$)SI(Qy-Yj+#@iyoJH5{m`$3I;tRzg94`F3ByPj;4OL5`%58E8 zN6v19Ag1*=d?UMi_85Pegow(mKb!>qrRvH=<~?fesE6@ZdS?kl3}}w^&u-n7~REus% zAEXS3tzRRaj0C4;ew}kVjv%Y_1v}*7*eY@xevFvfy64jgzbcXJNOzQ_a31$sV@hzR zYKkymW)?pfM16&XgKRA3p9Ngyn<3%|<)N}un-2bTa)DsAa-uIt>Phm;evIP-zU60q zo7=5Fh!?k?Ba@E+Zv0Hztu;CE1HnrZ>$&;BIMy+>S+GqnyLbbI(v$9#zzLFBNSj(O zS`j4H9yXdKU;?6e+728o7Y@bh{)jl)I?D|iV&udZAWh8$#hh8p)-&lJ*1T=_8b@su zm>>`yHjmM7;;nye4C|A99*=<5r28Q^eL>e=1?}-BKeey9Wr4^GK=CTv3?+TIC$j~o z=lw8WgI+08wZ^%9*aFsTg{w7Gv}LT5r8fuvwT@N)A@ig8oeQ#K#*$46$$?qqHTHWX zc#)L^00C)BHmz~ot{u!^4v{?5O?^aqA_bUCgjYrDIhT4EZ@5XW*cF)~jsJ&MiSJ7m z{5>}Y33irDIzMl+{Ms9KxhIRTpr7ti+4~|V_I!*75zGb~e541Y9+BeOS!u$84ukQ^(V_`${o#!Yv<5*mTS#Pl^mopxKH0_%C~;a3hf#uM z^EXiBdRBQ2cKj@PV;JZ1&^3y&6ft3%FDxM;Ixf3d`ZW-LEJt(+>tZJTlBd1%AfNr` zI)dE>_ZKUrKY+Tf1A*2r#P%P<%GC_%i*o4yRY z_@I(h;I$8{^Zwib00l{{N;Y9C>80b8cSD%F1Cacat4(@d^_E(8Gx;)kg(DS^`$P~8 zA#J*lLh>wR_jJ#V(0i@UStB{%<8jkK-+wG@9hv%Q7OFN1IKp17{$lW^Bl#VDF#Otk*-GNqs z#=7IxQ;2IP75)UE40UJ^ohI_V9J9C~^99&w$rx`i=mYh~_H?gK_~iS%mxcMlx3JR~ 
z1j?(|IN-%p-4YW$M7?DyVL6BjsfLFK-p^3D{_yTsa;7@FNnC}NEd{Rp6G?8^aBFBA zC|mUFH9*bWh{2~(S1%W1?L%(6CUV;`#x3wYsrQufKjh7m%82M1E$_1TgPqkeM^50f~RfCzMj?nW!%HQ z_JfIo^GT9jB2gOsd4P7!PSkFwB4o|6vnHgHRIOkD00001MzR*SrLhOdQSgy84e4v} zYUFBZk|T?iGp-U#7bw*|WV9;JS#A#BzE%)LVuA2OmSxNk42~(L`Eo94Enxxv@9G6ST7)AR zY&?ZJd-&bDVRzSHd42W}M05H0ye>*o3XJ5rBzJS7=yJ$V2hTqIU?Z}6rm~^&OAKH< z__cfTMHg9CxN-@4W7da{AUdS$^W60;FiW7KD@RXdf}PjQ1X@25vo7J8qdM2>`hHHe zd2fT&cE2_$-wP6W0) ziS^OpU!(JkGG4R5Yv5i?Ll~^aZT}~W!g9}ueHpDMtLLnb_;s6{HiUuk{z~C-m%*GC zwdc@lN?%$}8k%cbd5;RM^a+vVCf&w%2+o-@M~TWVuxZQM{#QyyTad2Az4A8Wa7ua-70R$h zzfW*?P^V>_86>{w3u-&P($Tv6VA>WWSRAXEDu6b}0uEf0HH)a}s(y8CiVW@FVAcFg zPMGT|YN0uNT&=#b?swiS-!kDmjCO4yBp+uY%@Ye#l)VSZvR2OOcoXin++E(_qF5V| zq8$Fr?*)Q)#kJu{7|WBh?}QS+GcHSBa7BUP%oyVW1n&7F+D7 z;D=1%?|Sy8<}&G(Xa3>qsJF1&ttzcnp~OH72zcc|o~*mxUZ~9f*ixgdGZh*QKLVCM zw2IRW5Jl?Za3J|o7LYUkXQiE2x(mhl^T-D;h2bF}2IV3W^cE%svQK|}J;=W&<1iq& z`}1W4ZeIW)#jf6!v+N#DY9PS7@16A){)S)&~eohX7^UWH8 zP_EZ^{~j6oacheCZeLpa@91^wn&Puy);6tyQKS>^!n~xe<_aOGD1v=f8v{Gt>Tu}r z7^^MXqRer5F^P^u^8==-_~Oz?2x(_$z2Lz65gM)aKkZ3K&)pYq9E6~rkFA5&B73kZ z_ToPOTQGWGO}24xS4XhW@%axBOuWVS))l{@^Z;Iq^D3m5zkrG+s0xCIW`xqih1;+V z6TTVmyb)9Oo@_)85|l5uANT2^dsL7Zn^F>|Zi%um(7ub=5u=;xOVgW=yG@OTZ1}ye z(F$5gDSjc;Rz=(9Vy!=-zIXSG- zHGPE2_98)R&59;JuzSPFUJ_2PPJlcW0y(bDC`0w`&1O^~R6!$PlySfWSxVq&^0n{O zSa~f*=*aelRpwnt>f^(l$PxCLqqm z{k_;#r-OisWwLtDW`0^9xS&wCDH>~tM|M;V$)a$Ndmz}-I~)M8@ro@@-H>m7AdXba zl8OfTb3Kc0(`(R@8_gF-lj~95er*f&ep&a-S{E8e>QXa!x2-(`XK%8b{|)$GtoN#@ zJD!|=Pw$uo-8oSy98dtysQDzv;1miL9eT?9m8?~D@1?*|*$G zU}e9gC!XYU=3lmQ-HBaUB)RXN!Ow{VbO;{JVYmIevgqz?A2q6FAZd128lwAzlW834 zgYrS3JJv_cdF>{K2jXESOge&vxk%GoLOZ88)ncOc_4afZqCHgZZ6x#a3Ms5~=Hm66 z9tKt@T<}#n2sFk8;`qK6jI-T%k)yPjU@-m|^A;s(AfBaMfK~@}De7URp^`ucd zq~g=J<9GhP@7h|R?eu^ctDmCR zFxKG+5B4Z~;Z9)>$ zw_gtLsME_k*Df9D*=mGUn^o$bP%(P%7HEP`02$X}$*i=6zWpVmU$^MU!DU>zf1Q&9t z>QjNuqlVd=QeOL*5~en&zud8y)ezM1?}IsSgq?SY{mM20Zn15qO|Vzjl!t-yL#*TD zZaq*Nt4xN{;ue==9aM`{M=c0^40RAY*v_2Qxtt8GdI4G9lq56R2)=S 
zB3%4EPv$CF)VW$!ROZB)!KY>-rUnU{C$NeyfZkw4Y_n8e$v}m|c@g?qN-cDX0btX) z!iu8!Q$?HX6Z_x)Z`I$HWm;u=Ka{*J)>W8&SPIvB-s0ajOuj%Xjs`mA6!3=!mkZmG z17hY@?ETbLb?R`lG>ZDDH7=0hR@-Wjl3|0G=fy|BBI_yQwa?U-iUt5&?M3X&o(*;Q z5<^`#=NB1ps#8)Wht{0zmyE%;oj_C#a1)f=z73mHRH%GyNR1!r*_O3kC>;3G@7a}B zbFr$Yg^D^xq9E!M%&IiCVQxk{aWW?JOpWy_!GcOc-c@{)>gTCCY&jgZ*|YS?^xAQ0 zLtnk0L%t?|yxb$hN`S1DsMeQxfDnvMTFa~ntgreBc~EtJsu*Y_pVnCGRF@uy^o}%^ zYUbEBZa`Gf+YB=d`H>=0eivXmL#P2t8%X2!@snPwF(&$HEF~wOv9W002KgtCwwNeb*RChMbM;(HKj1=7cy4=pu5ySCWfLp8Mc_`_fC8>iUf)mEPJwc-8u6b%> zED@E8a%v)MM^WYg(o*5^BRb?)kK?_sMiU~h`s4o5Wo3IJX=8i9QZZiYs zh3)6GM`8ocIZle?-@1^LCbOesYBmtCnu>8DKvl3j{zHtFU$>i_;U0~#-`-EwcF}u{ z;qbT9XZotgIw7qs2)A)2+9RSn4v~DB<^zzz{L?>633`C`jEZBI<^Ni96V3BHVMOwk ze`13g(vf{E2mN{?_;rg5Mg-X|plT}z2_S!`o{xqyhv4XT?#Ys2q9j!*Y3y)mKX)3o zrAQ-BX$iM{ISEqr;mKk-lvn2ip181~YuzpMZlGV#Ruglf!D{w?mCZ@Cn@OTiRoHNh zO^(MD!$t~Q`!<5r-huS^#qbByrQF{Iw{W6RDC;Iq?~;cXR=`XDJwWDPD~P{|O*`?m zXvzww+D8sAcqj^fqX5I!#!36_b37>!e@ch)O>R@AqYJYnT|)mClgjND(Ru@XHH*>0 zzra5kdEZp05ZY#Rhugt!l;(!R<&K8{(un(kfqOlLDpS2*=JnExYxazaz^{a0>{=*x_-EZI<$|1$8akZc< ztpSZeYpVtVoW&;SZ)w&-gmrbMl>t`40iYJ(Py7{MSsdaZXGn_>orQQuk^bus*NXz`EKA!N- zf8kY@;sh?q;mB6_6>JmZ)VmpmO)Qf49m^4fM7uVmZqQD2f?MQhvS71Q*hvm9H1ul*7; z+`WBK<@Esny+@W|=C{<`<(zL9 z>TRx31AH-BWXOAacmQ8PZiJo#S&qdRj)6M6YkV5mpZoAU98=55k6Ak);e##p&X&yx zWrqP>?1YpkbLX=5CyvvH_$@oY6sPIkB$fj()JeLu8VXo3%I(8lj+vsxwNQogTjbUs z184c&rFxC%O(oJCnrzXP+>KZ;LYT;{HYWY@USHg9*Z3F=vRL*fd;D0e{l1*!`1^mC8uDHnOAo zGAP00#CwenYDAZR1*dodl>IxTlgA|LiZTpfbTFpK?2HK?7YChQsDw)~f++omNc$-c z4t)5S_5qp-SziPMS!Uw4`r1cj2%uBL@$r#Nz9nJ@DQQCADjruBmiH}X&ueYzIbxRa zOQ#Vg9pTdMZnzp(XN+Lj(P+sKmA&bIUBhI5<=nqy%2n1hqk)0s48q2U4g??%fG3r= zSGS4}5M>cwJv%VE)*tsa*{lEU^)$63G3sCFMT~kz2mJzJ(~oP?4N-kpxp~-MUUD+e z*{OiS(4%M81M0GmvnrWss+@^eipC=7iRq`T;fS04B_Z-{f!AVk@|(-Fd}F)a1L;O& z9Fa8_8l2{3R%-qv-rxs5u4dOGaIrTwu+j@0=(aO5OzHH2`6f;!g(?yFo=JBQ+oXZ~`g;sQ+Be|*#h>RC*P^0gZ7_=QCB zt=F)i$6aC^k;I&o!%xTKrO=g~KYO#B|kkf6};7giDN z%UHV7phiV%zBrS*?Uy($>$}U7Vl|u2)v|WF7_TfNhv(viIT9!>D$V#vd!KU?Z@b7P 
zhv{>{yc`_ibuocPq{fWa6Ecz=bDawe$|)r5CuB?SGyEOM`*LiE%@I}6&94YOXOuoX^p`gyJyJH3@$w?C;s6@YppSY*|?6LIJoY;0Sx31@VExHXoUU?sv zA&6(rDRPCxT!`1F8LMhk@g$MD*OW7;h4KB|j2Maq{nN;Dyd7kW@MI7qgdmp_OH>Fu z`KgEL6;i7>Q&Saofg!3Z3%Bg`*6#%^z)>)F_lO!0bkVx808`GP)1}8OXRm_Ao4xQc z^R-_=w8UbziI9{YvwIsMIf3lxv=o5WtVNAF(5B0uzCR=+AW$eX!5}^n=uN=-BkfHg zx?`sUK>9o`LN}S=u}2N&b&+rz$up#pjt+Kbnm8g=-$;hqbw7AXA~DNs=h=I)^4IZjyQh@G77e2^$@Fg zWfLuBX5>H`!}Srv!hMe|7M5lE;oTl{z-1lnQ!#ClgWfzX7A86T{&8J;>AE4eEE%TG zSX8KqGPllT90pkYW9*;%n;b&o@!+3`ofy%{tGX{@F5t`4EE*Jk{u5{VAx+qIfxvS1 z>>su6`U6mfaHMh`Ul6;7W6fdt-&w}O;s@V{{}}{GB45Xv!(Mx`yZ{qjG$qy&u-=ea zwlsqH+qKR=OLmA5G)}ayRvF95b2z2CCuyysdF6f)qt1vCu_2L0PK&HX4!}@ffW@c5 zp^apJDektXEq^7zSuGGLt=PIcRolyr2_WP_6`YrXLfNi&7)drN%|=3yf7Y2`kmS8* z*Ww=uNAz3#rDpRq-3kWsrbkXOc`Z<_EoYdbC>WkvktD0@bDzhj9ef%t^lNLZXJgBe zz8$uSoqa$KmIYy8P-UF83-o`sW;guhf8)gRa%n3B$zXHg1(*T6>+(^E_r-T80KTKJ z?u0OH{Rw?Xg!6*T11vZPhTXCFrw2-rEwLf ziKsM?t5Zcj%q>D+%!jo&D?DiKL`gDolqDW(VI}jjfVb=8tlJ+YHf=;D6KrA_l))&O9`c)8Quu?kUop_Q*r~=Xz0J~U69RR0C`KH*hB<*2 zh1V#@Zmz+{%la;Y+-lH(-+dQNO@>e5r~Z}7b$=y1oGFgj4^HP$7%a3O*UmS>xT{>4 zIL=gIJ#p7&`pW_G;h>imopAJfy37LuyebxYAd7}FbYLT_%v@wsx$qS%7E7_eNQ1oC8oW#kiL=X#jlGN&V{w&vHeXcMAb~bi{M?qj zTtW~8?Dm;f)dzlQe9VFj8Rq4TKa7${vAy0~BR@kNw-!J|G zLMJN36C<|;+7gxS5G#IHpa*EjUNo`BAZW7{(VH)2<3e)c&mNaSH6KS*oE4j0rv!&2 zW#h$D{0vvthh%Z45SMLn=V1V#$FxkKh{lFNRA?idhHCNtzRQ41*7do~{FztCQr6{H ztYRbw)6{`=e?snEPBr`CoZ3uJd~(wD{CH@SxHaWez)WRGiT<wTG(NPXgjNkfJ7KI>f^P2rp zx%0i81yY6Uu}m`k=EV0fX0_~8FMlO`7(8E>BXK<@@;I^b5xp%F4X{h+)M$w6=N)d9 zR5FGv+P(+l?Fw!BLM=ftxTZWC$odmsr^EcSmwpdS>H&t!nAP5yd8!`ID5W?JhOYEt z!PB1Sn0IZyszlpFWca3~hnqT`J6)T$O9sqC9vyp(r9YbcS8UZ!BNnEN%R%aqkOJ<|-ohoTTEBgdt*uPRq&4O-=Kg; zt)-6v_Vq4vO!RgW!DK$-L_b(ckgOf!GZy*2hi5pw#2X10d67IqQ9AlRj8{JV_G0tG za!%JCQQk!^V}|NaNgMqHO{ZK&TU4w<#}w6O*e%?M);iQ4_30^eZ0NVa;q#zn=?tUudBZ zU}ovIP(1`$(-3eQ+p(ffSZWH*0t^!!CJR{_&2FU*({vDq(A?|C^Z|aJcKLYE$;FM6 
zh#Aa;MiZDI3~$9D-eiWrYHU^aaQP?8*p#DQ9Abw|lE2l5YhnwY0mJjoC9-d<`?Vo>8jRx9Q9#?@4Y>2{HbAN?@qxPInY*+m^MZGa*8eE8Gkw>q=-XO`NViA5H2pxTpH#R?q<4?9DX#=Bh!7!(px5 zgrCLETkObu0jDFm77onmW2&{e4(P)hhk31S6BI>M0xw#Tj)H@lX(cm2d-d=M1dP~& z0mKq_Jj~x=J2up8p>m)mGZ?*?x6pH>RVla6`4m_xq4*|^N>+^wV#|^9dVu^K6q&5$ zItV>PLW&MQN}BBAiG6tyP*8vznpuGf?9qQu*oik~h>)K3$7bsdwHf*gkMWTmgQ?I% zDB@yRX%=p^{Y*_6+5rNzj52CHkIa}lS5Nw~z5<8unY16YkORdfL;oG0uci!|h{;s~ zxAw7r>yw$P8(_Bn>x?%;n!)by;C_z;=nG5T_t=^=*c^x5nMFy+AEl4lL6tIlZ52rj zoLkdYc3(3wNuN9ppMwxKGpQQIE)r-L51zW6u(zcwIec{E!Db54qQ=r{*ixR8kYC1s zkZ1s*Lgj>}F5v7S3?rkPs#^}S)BQgJyNa2es!Lx>EXLOEI@f42@a?JXdr^%Em&+0U zNY9tndsHkwi|zY>v$?msAC*lD!-g&l{Fjez6MGu48dd|EFumxky}i$x`f&18<6GWF zVS2g$)QQZmSfM5z~w>> zLMN@Vp|pAdO%~)V-$=(}yK=LVx>WiqkQ34ONOhT?ymC>?ywoFLBw>B!T-1wVI-Nz$A7oJ1M<-NnX# zh#iGA8l1u7rit1DsO!!8=A5KC`$>*`E zm3VN+9SXgwJ*vjEBYo2JG(CRIyJJb+$UYJxWLy}`1%{tY`)P5TGJ z#{UQk0lQgIASaRvBIDje^xh3R+TG-Cl2f}(d-scrXdNPzLX0+1fu`dM@V_vJM5cN2 zbqTW$>s|+5M_0!!y8U6eVjrj>fvmPCWO9LE@uvH8u{Bec=ys3tdIDG_#IXgH^B7eQ z5&pWs*>_LiiYy~vvpGmX@xC!Feeuy{mxw(3S5IT$r<>@Ny-4b2ajaUQD8MHZ;V;0v z0W70$b|oZiT)^3zw(k*#%|{0F&9e>JCzX+*N*4N^u!@Q6=<|rvk9pI7zX8{So7<1S z_F`@ePD{>G?YvA0`pWJG{k?65gHK+E^G@h+htqPnQ#vw~w0GtNNErofA-k%_Q0R1x zz+z}Gb*U>Z&e-Zq*X?AJDXg-Ue3{;LwDoO3Zw*W>4N`dR*`%-2bV$#m;ZVVmun?;_ z&TiOoFUX;osISmqN5I^vK>~z7Q4(KlNl~HftO+rMh=w~>cPn{KGy6uwIu5w3c5Tvk z`3v^Q!V2r`+s%9at23lqH3 zz+#_Uk|N8GV(!eAdo^pry6SKz@E?}H?2O?L;hJux%+W?;4933UhT)g5u)GDv%1iqY*Dk!3KT&t zRN_k2dPE7Hfcvg)9;k*{ZU!ki5XwOs-@tY9OG|fhSd5USFxI)*K4`jk^;}AY9$Yxd zxZ1TO#pFI+D0CN=#Ra|vvL~+cOv5%zf~NuQnT!kZRmunJ2OPq|{>w-hN_!EB%N$t>o)`Q41|a3duZFhWF)VE>E+~)F@kWx~Gqq4tu~vsNZ<QsJHn_yMS!J}oaXwUX`YUT@WotE0GoqSuHlLvd29^e zwUWK2N(5E@dGgNotXd2R%6ommN??b(l!Il`IX;;RjS>rMx`HoUys{mBj1-=RhL1N60PP>np_^MC&T&Ad+oYuuvG=7~$mEQ}VJIXz1n5I@oj$ zJ4N0lP;r%w@57o$Bhk@<@H&jslZu5PggcJZsC?>+kI8>9H4o+R#@QSHRhye4%zdkh z$|AtPew&l|kr!Ne+it^ySY{I+3XOb*1?5)e2P!|H`fQZ`SWv;Y+Qz%u0#CJ!sHVY9 zutb~ei%9L?{)wu~M`}r{p6JpL;W=%;CH2(Rc3egrXq|y8!*v$Hnu%@iWUjG3F@kC} 
z)2*lp-BPB|qw0(K>bY#`+?dgizj{azD=U>a6yLb6G53LrvgCP;c5I|El%yV{bKShEZ9}UtGqCBWF?b z=T^bsq#3D>kud6lZ)Qe8^bwQXYefSIBFMrjQ?fYVszJ3ZQT)D@i1k)LvvbcbYY*a| z{u_T8X-1dtJGr8jDuc`e-gs`0D!WhgfnAw@@z)+rRyc6&lIsubO^#_)(+gst;3Y%b!H2m$2g<+*_0^yA^4P5kj~#|KJ!&>OhB9NU!O z^CwU*#0X$hP|1!{^d)8J7)~bDay0g5M7(6DvJK`p#PFcF!o{j&4(Be za$gan4NR2~<+xApin<^{wY6lPKo=gIES7jk_cdTj@7tp;xVrgqMi~4I>Nw7umw?V_ zy?~7_9J_l2h8{y;2LjLh=RGy$E_yryU z>5r23lT?n_?pvadhHp;DIO!N;)nH6u%Pm{Bo{%ID@nOkYqPyARQ#Bj@nI#2bzG@4? z@@z+JSg7vZ+b9iBq6*afOl4BcbF{uQdhC&-4c_$4rhb=~%fizmW|rYmu@?Vn7Z#k4 z)cYHuCtz-F(JoO3_(sPlZ$_UA4E+7>mMF-|=K@Da($Yfy*;rYYp(|0=d$%-TW}Jl2 zc5=&(@~UFHr7qF)^85!M%1vTRs0igI)`W$l2HPPwJRDJT`j@kOrvm@!fJy=hsC=}M z!EkzaUWGjCWlfu9Mme69;t4-wTuuuJ>up}W2O`Qmwd1`ROD^OWnV6Ksl?e!d6pqOL za#OH8z!%m|lU#om62x;+O$0`&HQ7^dty?Z~ZB-=*sl?a_53D_nU%qa9%C%f*riIs= zijSVI32)FtX^MVm(7Y0yx*L+RHR=#9?U33NyS#x6ZV0JoI}f3rs3C-ko0c!mh_*e^ zuPGK?Pi;SlZ+3q*vlXktJa~vN5F1~f3T9rC)fqTkzEk`_2_;T37M}q-c^Cs?gYW#e@c$wtBVRl zX4k|z%NXZ4*d{rPVzzlqo{`AzVC4NqAjOD`KMIIA#->wQ>iQUud-{&}CQPWraYWK* zw;4tXLb&;x9X}ao`9V(tE@CV;gvGem5HZyp@FNnko&FZ(Ut6>x^u9mLvT)*JM(E^9 zCBTa$;B)gvC>Fy*(%3p%vd^s;bux&|Ab|jj zC3r@G7EpE+pmKTE==RO19X?tjnImIt6Lc+}>ZS5fiAUa;>G)6h=rVTu)ec8jbACWQ zbFND|QS8J(gg6}u*f2_uFx6^+Q=}(j;}AlChJydicgJi?u<}$k8ajjbXn1nFcg~%A zH>DOD8#EyKx>KmP0a(zWDwq4^jtj$FxqctvE4dvp^b$C#9Uryy^Z64Z&ZUS$Kvbv! 
zuDWJYALJMo-alX`XGh!PQUZvm6$!9+aB2Ju065r^U#3X=j9aRbV}u6vJ^dd$(&CD0 z6nP>v2sraR*!L)pa2a86;J$XV4~>UG^_H@Y>r+UA3Ek!P9=Md(Vm1P?xb!lVbBIY6 z+5XJ|v=|J_sP~u!E(_QB++X7w&}B^2pP`9%Tz1_CEaW>$9=uXY=LLPIGTSvv%T}k` zheA~xR;Wqx>gV5 zw{}-qrjDnI?S9sniDOw}UCVM3_p?;eTXC+fY-Ve7?g8+KWip+W>Mrt~x-KTb1MV0cJ>W?B?|9+=KemB- znDnng9a{^_i?l5BRpCUcDqWWW)aILdSH@`!4|!W^fjr2^8Qw`AT;%2D9Ry_d3YC`5 zppLZ>=GycC4V|LmMITc08oK`}zt3+$JF+lmPzO(ErHa21P#wS}&*=-2VTo*}^|eat zpo!FTE#n)>7iSH}-l&b(Vl<4GY$g=Ld%*lH2izg(qRoz~;VscaY8=P|bhrZ1bLl^U zGAp6vu$sZUW4|glD}2<&)pPPrXT^IG>H|4WJ@rKCP8Jc9>&>l2RUnwU{?cKo`os?G zuPKRkDhX++pQaTTNZNSM0vey0rv|rALaF@Nzx0fS+4n&Htt9C8AmvW-s{3KL2QchH zJZ;T!k&=4E5vd{R=t3iXr!_RCPkj((V(=d^v^DVK%|`jc6Wa(M*Ti=j2Rd>)cVl*( z1tN>#)t>Dt^|F3JV=*j$=ZB}tX{klcG6h0@6Pf!%oP7~>yzv;jDJSJ!+vh1H>LYj& zc|uwlw|=I)BUU1@1F}WODDVriCA`+prnJwn`!}HEXf8FsjTp7khK;tlj<0Zg(%V&@ zbI+>I`;)wnE}ZUkIjs1H;JD#;A`8<&CC}`y?Wt();avbrC5l+kzjoL0W(}MmcwBme zrzl?!2y#^9n98M_Vw0EB!*XEpy6PT5mLf@c2MZyD2I~ao&|RP|Lfgzovx+;AQv)VP zP3z8mrYnSB#}1#++!DrihnIFgQAZ;7TwqJUn_^k%n8i5bW%Nvz zldZEd?nA3O;))4C9weTNu#Sbru>7?P;kHb}-P*V&10y|_BeomzAP-Y(k{Fb52!Rcl z)&rrcs6SX{ut%|u?(`iFpje6%Gs*mm$@~`%b^d~{VNgT&co5B2>?{+yshA`Ke2kr9 z^S9no@oSW@EL>1v8{A zXS0i4{UCTAxAt7*GYI~Qb5WU3KLg8H=`yBu&%|l?2i2EWBY@F*j-ZJuIt=T0VPnTm%m}-*Rm7dfz`AEa}3i0QU405)>%tV>IzlJ^o_JDWy z^EGz~;-YD0G7thAuVK$%xTd%Yjk}-4ore3GIH0gghmZk_evnyd4#A3(466bHU zIqMVSiwH(N()T6jp6TBmkO4WL2auC`=;ibvcN0=m$!M=eQB;`UFTcr!RM44%lbmf9 x!75Y$*4qLNW+EL1JK`dKpuE^IZfW@pf|Il85P|Dnbuc9oOi*CSAf?UF000;z$3*}D 
diff --git a/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp b/static/images/passwordpolicyenforcer/11.2/install/the_password_policy_client_5.webp deleted file mode 100644 index c9c02b4ac03e2a11b826c7f3b248aee032d14ec2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5584 zcmV;>6));iNk&G<6#xKNMM6+kP&il$0000G0002-0RZX%06|PpNFV?J009p${}BA%-V=vGiTAc7SD0FZb9odGKH0qX!hZ8Vifq$46B zBT-zSfDMUbZt|Z_Gn)EZ$BNzR?LX0eJ$^cRpXyZ4cx&}uFwfooGyadTZ|}e1y?{SZ zJoPZa9r7R5eX2e_1@OXaW3R`j7dq?Z3Jo+y0Y3Xa9x%Q~W3Ff3uIuKehkJ{|o+Cs)2B|I zI&|sNq)(z*1j8gbIFjA+plvP_ktt$Q^(c^TvF?4^wj7Teyi^UM0`8EyxkD!H9kNdB zabt@dSmMVPGK{>uYI_?Bpxfh3y>|}5PJ7y<+C|n9uwQhggK1 z3}6=l3-tH)fLh#5zYB)MjA3*d+e9>V?la+~hb=RRLbw^=Y{4*O?BZc)&jr(l86@B_ z4IfH`V+)|x+992Gw1YpW7w1Y5P^1}zYO1xEEq$+{UZJz7l&~(E^9^&Htn%A<=XVDF zA-ndDov99ujsF-V-MWgee8qChm2`1^hOk}AC$zul=ss0`9;p!jDOr^4!Bm(xDi_=ry*8X!=wm z7P_}@3Aw7u0^B5-hkkWM*(qx^?x9CMTK{=EGxWvABjpIG+2?0 zE`wWWhL5E|xaLL_4I{3dB7G!=0#?};)a#&iK9fP*>o-EM31#BL?FY#?R5;(_FB_O;Yo{=Z~!TMiv3foZzwBj(g^+plBeli z_{K~~l7{p6QFDE>j84KJn!D8&_*1p3WZ3xb5uy6w2N+znZk~@s?sST-W8%Y@{cz%w z%&*|AN)W5_`{n0fn>6$vt%y944f(2Cb%s>5hL&MlK=Dyv;7*b1u+ARc5m<8%Kfr_W zWI6)}<6l3aeeK~rx2lI*v~39M`&a?t{nzx*U6S_g# zFZc_&*iYW}bCzt8`yTE>~K>5GM%Za*{mpd`v|cqZBZ zoHWz}U>MMB+wyN0$>T9e$T1Oi^ZfVm6e*m%KVYhlq*S43p-koB`vp{eBBcvO3TH0} zomqk~(vF`b16JpAYxoce<6&M~-;AgjWs}-G8u?Wx2LjwrV7I;2SwdNMmF6; ztXmej5HKQn!4ohDk3wyJ`F_;0N#JAf)#oZAVuA=g;|JE!AB7E`95pi7EId~+T18=&-zoB=G zTobhaox6!HPr7!(kvWq(5u;a~a1^pMA1!g~$d$T~j0ROLfUA>_qUTfwgtI@L{yb04 zR>*ifIw%rUp7zl21$lU(4C}o?fKWc!6nBIyJ(=I!@w+aMSmRgl#vUU>RJM?w)u+4> zMnULvAbY^XD!mWjr=9<;MFa=y@gfwL7|s3$u9#l9hJEvMveo;v2LAFDf6!M$(h z3Io%ApGN>OV|4u+IGde0rE4AfM_zjH!Z0>I4JM|>htk-y>^hzEubO>-$1CCLB_dAI`CT1br_L z)}GnV=x7w~e!p;x;`Sge^>Aq`nq-!lf+_Ba<{IY;cGjMnBlA6=Y`JgO?!w^mn}FQbJ!f`fW z^q0K?yw7q|703ZwF3rf&gz^%G;Mq`{X+_J! 
z#u=S^o4X*thvc$>Zb6;M`2UW4e!~uH{*lX< z1=Keah{dw|KYlmxyq6Pzsl`$|=&X#=t(%3YNH;avVF49A9xLXCwQp>5_^glK^)kov z2A{$uKtiyTLB`LH0oT6jj+UIu)&kJYrq8rE+@0tBR(F8%NL)-F%+GQMVUX&oU@tpR z|MflUwD;+$1PArB5yfUB$^DxE0$y|}Buzg+*K4b?wP|;O0Evw^EfT?ZLQLm#aDzk} z8pU*9_^_n7rxoj-6=DfTV^?a%y-Ax^wX{IOSd%sG_J@*bYcZT{rcY3E+oVDa>i@;>ieb{XBN6I%-FZp;8%1Pxq3<_W3*oyfOE;W# zU$AM#LLulZ+1GYY@I==>zN2LLSQepopzuJB9|a?(N^5Db1cxH`aWwz3#T@1QjQSl> zA}KOoq9{%py<~buV$^5Sb{G1LN-W6}EfBgKCDI3^C2wo&c&O$(PC^IGpc8pK)jvKonH~h`Byyo`#k{1AQ@ly z_M2wwqX%eJ2x^f@s9lFAryx-&zj{_W#Gm+V1FuX^;F?(pqlG*sT=k#;p` zu0ZxAK*owINF&Dz$EKH6+g@x~a}GE`-cy7Xbo#f=U>sTfJ;OgCu`Y;sSU9px&u1c? zXH%U(fDLrLQ_*_@HM!+}0HPtpX0jvri!yo!KlgVhYrS6vT$r&rZ~W{6xp|5+m&wnpti?l*P!fd${hiV3{4)oyKjgyu02DO z^AVWfqNZc0(U)rGOnPM$=CZ5pbLB>^)6cK4z4N4cJ;oz1ZH_k6VX6B`0Enx+%b9$6 zZH*uC0^=!e^$V$RQ^{@x!@&T1M?;9;$2`X;Bf{wT1rLs6}!D>_W@j6y1(Tz58vKxBfE$4 z?cP&-Cxgm8*L}0yP5<6W(M`2VIPSk`hEycQ^Cu+MmE?NAZg;RZJ>?*Ga`~mOdylM} z7J{&VCrr$2OzT0<8=W>(F4Fcat}iD&g8aZ4l%(aDGErN? zw(iKnR&dg~9J{y%B}fS{H2a&Ryzj7NU5v7eiI^6G+1Ii)h5!t{(*E#*8aoHxm^Ae{ z`lEI-ViYU8lC;p(urg!28+pnGNQ}fUX@FNsopiUa;B>Q#fvW{{t2DGi3Bszo9yQZ=!^mEBig|a*IdW}L6Ro)Ox#?x(@J zT~182xBxf7ajCC?3s1PyJM#tjIlE*xG@2?4A{~yW_Juv6SDo3BY{~Zfk$$iGsKf}A$;bJ zUY-3^*W;|(X}QR`LJyx+J=$q;f zDG5e8qO3LMiT=U?+aXzZ{w<-h;=mutc*=(@`ba`|=bLE6xVMw}%EFElbTw|56Car= zqdGt70!R&CzbGbFz_zb5l9jJH?MrETN`7F&$ov1KqiSCKbHeV@&lw4Q;vMitKf<4V z0?JDoY9llWXDE3(II;s7D&yc>HDbwSzM$G6yo_-jc;d(NW{fWQa6WS%4-~-FtZ7&Y z!uqmxL}D8Q*!?DE#ZrMI4HgKA{hIjF+2FaeS+&c8O+*$}-+P-gBoNqTRNBgG9UaXM z7)kS~C(M=2@)_vA)l?8L@?A11pM77|*%-pK_eCzq|9V1FvQn@D)6Mh%5IpbR(GKR$ zY Date: Thu, 7 May 2026 12:07:58 -0400 Subject: [PATCH 16/22] NAA-11.6-FSAA-SCHEMA-DOC (#870) * Add updated FSAA 11.6 schema * fix(vale): auto-fix style issues (Vale + Dale) * fix(vale): auto-fix style issues (Vale + Dale) --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> --- .../11.6/admin/schema/fsaadc/_category_.json | 10 + .../schema/fsaadc/coretables/_category_.json | 10 + 
 .../schema/fsaadc/coretables/overview.md | 933 ++++++++++++++++++
 .../schema/fsaadc/enumeration/_category_.json | 10 +
 .../schema/fsaadc/enumeration/overview.md | 98 ++
 .../admin/schema/fsaadc/erd/_category_.json | 10 +
 .../11.6/admin/schema/fsaadc/erd/overview.md | 193 ++++
 .../schema/fsaadc/fkreference/_category_.json | 10 +
 .../schema/fsaadc/fkreference/overview.md | 77 ++
 .../schema/fsaadc/functions/_category_.json | 10 +
 .../admin/schema/fsaadc/functions/overview.md | 229 +++++
 .../fsaadc/indexreference/_category_.json | 10 +
 .../schema/fsaadc/indexreference/overview.md | 62 ++
 .../11.6/admin/schema/fsaadc/overview.md | 158 +++
 .../admin/schema/fsaadc/views/_category_.json | 10 +
 .../admin/schema/fsaadc/views/overview.md | 637 ++++++++++++
 .../11.6/admin/schema/overview.md | 11 +
 17 files changed, 2478 insertions(+)
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json
new file mode 100644
index 0000000000..62e25445cc
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "File System Access Data Collector Schema",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json
new file mode 100644
index 0000000000..e390b2c64a
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Core Data Collection Tables",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md
new file mode 100644
index 0000000000..67a8be7792
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md
@@ -0,0 +1,933 @@ +# Core Data Collection Tables + +All `SA_FSAA_*` tables are partitioned by `HOST INT` (FK → `SA_FSAA_Hosts.ID`) with `ON DELETE CASCADE` so that removing a host purges its data set. Within a host, identifiers (`ID`, `RightsProxyID`, etc.) are assigned by the FSAA bulk-import pipeline. + +--- + +## FSAA Tables + +### SA_FSAA_SchemaVer {#sa_fsaa_schemaver} + +**Description:** Single-row table holding the FSAA schema version string. The CREATE-Schema job clears and re-inserts the version on every run. Used by upgrades to decide whether to apply migrations. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| SchemaVer | varchar | 64 | No | | | | Schema version (current value `8.0.11`) | + +No primary key, foreign keys, or indexes. + +--- + +### SA_FSAA_Hosts {#sa_fsaa_hosts} + +**Description:** Registry of every host scanned by FSAA. One row per host. The integer `ID` is the FK target for every other FSAA table's `HOST` column. `USN`/`AccessUSN`/`ActivityUSN`/`DLPUSN` are per-scan-type Update Sequence Numbers used by the C# importer to detect deltas; the matching `*GUID` columns identify the SQLite cache that produced the last upload. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| ID | int | | No | PK | | IDENTITY(1,1) | Surrogate host ID — referenced by every FSAA table | +| HOST | nvarchar | 64 | No | | | | Host name (NetBIOS / FQDN). 
Has unique constraint | +| SAConsole | nvarchar | 64 | No | | | | Console host that initiated the scan | +| ScanTime | datetime | | No | | | | Time of most recent scan | +| GUID | varchar | 38 | No | | | `''` | Top-level scan correlation GUID | +| USN | int | | No | | | `-1` | Top-level Update Sequence Number for the structural scan | +| AccessUSN | int | | No | | | `-1` | USN tracking the latest Access (FSAA) data import | +| AccessGUID | varchar | 38 | No | | | `''` | Correlation GUID for the latest Access scan | +| ActivityUSN | int | | No | | | `-1` | USN tracking the latest Activity (FSAC) data import | +| ActivityGUID | varchar | 38 | No | | | `''` | Correlation GUID for the latest Activity scan | +| DLPUSN | int | | No | | | `-1` | USN tracking the latest DLP scan | +| DLPGUID | varchar | 38 | No | | | `''` | Correlation GUID for the latest DLP scan | +| LastScanHost | nvarchar | 64 | Yes | | | | Hostname of machine that performed the last scan | + +**Primary Key:** `PK_SA_FSAA_Hosts` — clustered on `(ID)` + +**Unique Constraints:** `UQ_SA_FSAA_Hosts_HOST` — unique on `(HOST)` + +--- + +### SA_FSAA_ImportHistory {#sa_fsaa_importhistory} + +**Description:** Append-only history of every successful data import for each host. One row per host per import per scan type. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host that the import covered | +| GUID | varchar | 38 | No | | | | Correlation GUID for the imported scan | +| USN | int | | No | | | | USN observed at import time | +| ScanType | varchar | 32 | No | | | | One of `Access`, `Activity`, `DLP` | +| ImportTime | datetime | | No | PK | | `CURRENT_TIMESTAMP` | When the import ran | + +**Primary Key:** `PK_SA_FSAA_ImportHistory` — clustered on `(HOST, ImportTime)` + +**Foreign Keys:** +- `FK_SA_FSAA_ImportHistory_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_Trustees {#sa_fsaa_trustees} + +**Description:** Every distinct security principal observed in ACLs on a host, identified by `(HOST, ID)`. This table holds only the SID and the `TrusteeType` enumeration; human-readable name fields live in `SA_FSAA_LocalTrustees` (for local accounts) or are looked up from the AD inventory at view time. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host trustee ID | +| SID | varchar | 184 | No | | | | Security identifier (string form, e.g. `S-1-5-21-...`) | +| TrusteeType | smallint | | No | | | | See [TrusteeType enumeration](../enumeration/overview.md#trusteetype) | + +**Primary Key:** `PK_SA_FSAA_Trustees` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Trustees_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_LocalTrustees {#sa_fsaa_localtrustees} + +**Description:** Subset of `SA_FSAA_Trustees`: the local accounts and groups that exist on the scanned host (NT-style domain/name plus display name). `(HOST, ID)` is a foreign key into `SA_FSAA_Trustees`. `IsDisabled` is stored as `'Y'`/`'N'`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Trustees.HOST | | Host partition | +| ID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Trustee ID, must exist in `SA_FSAA_Trustees` | +| NTDomain | nvarchar | 128 | Yes | | | | Domain portion of NT-style name | +| NTName | nvarchar | 256 | Yes | | | | SAM account name | +| DisplayName | nvarchar | 256 | Yes | | | | Display name | +| SID | varchar | 184 | No | | | | SID (denormalized copy from `SA_FSAA_Trustees`) | +| TrusteeType | smallint | | No | | | | See [TrusteeType enumeration](../enumeration/overview.md#trusteetype) | +| IsDisabled | varchar | 2 | No | | | | `'Y'` / `'N'` | +| USN | int | | No | | | `-1` | USN at last sighting | +| DeletedUSN | int | | Yes | | | | USN when the principal was removed (NULL = still present) | + +**Primary Key:** `PK_SA_FSAA_LocalTrustees` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_LocalTrustees_ID` → `(HOST, ID) → SA_FSAA_Trustees(HOST, ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_TrusteeEquivalence {#sa_fsaa_trusteeequivalence} + +**Description:** Group-membership edges between local trustees on the host. Each row is a `(group → member)` pair, where `EquivalentTrusteeID` is the group and `TrusteeID` is the member. Used to expand local-group memberships during effective-access calculations and by `SA_FSAA_LocalGroupMembersView`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Member trustee | +| EquivalentTrusteeID | int | | No | PK | FK → SA_FSAA_LocalTrustees.ID | | Group (local trustee) the member belongs to | + +**Primary Key:** `PK_SA_FSAA_TrusteeEquivalence` — clustered on `(HOST, TrusteeID, EquivalentTrusteeID)` + +**Foreign Keys:** +- `FK_SA_FSAA_TrusteeEquivalence_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` +- `FK_SA_FSAA_TrusteeEquivalence_EquivalentTrusteeID` → `(HOST, EquivalentTrusteeID) → SA_FSAA_LocalTrustees(HOST, ID) ON DELETE CASCADE` + +**Indexes:** +- `SA_FSAA_TrusteeEquivalence_Group_IDX` — nonclustered on `(HOST, EquivalentTrusteeID)` INCLUDE `(TrusteeID)` + +--- + +### SA_FSAA_Rights {#sa_fsaa_rights} + +**Description:** Permission-entry table. Every distinct ACL is given a `RightsProxyID`; resources that share an identical ACL share one `RightsProxyID`, deduplicating the storage cost dramatically. Each row of `SA_FSAA_Rights` is one access-control entry within an ACL: a `TrusteeID` plus its allow/deny rights (broken down by direct/inherited and by simplified bitmask vs. full Windows mask). + +The **Rights bitmask** (`AllowRights` / `DenyRights`) uses the simplified six-bit FSAA representation — see [Rights bitmask enumeration](../enumeration/overview.md#rights-bitmask). The **Mask** columns (`AllowMask` / `DenyMask`) hold the full Windows access mask (for example, `2032127 = Full Control`, `1245631 = Modify`). + +`AllowRights = DirectAllowRights | InheritedAllowRights` (and similarly for `DenyRights`); the table is created with `WITH (DATA_COMPRESSION = ROW)` on Enterprise editions because it is the largest table in the schema. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| RightsProxyID | int | | No | PK | | | Deduplication key — multiple resources may share one proxy | +| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | The principal this ACE applies to | +| AllowRights | smallint | | No | | | `0` | Combined direct+inherited allow bits (see [Rights bitmask](../enumeration/overview.md#rights-bitmask)) | +| DenyRights | smallint | | No | | | `0` | Combined direct+inherited deny bits | +| DirectAllowRights | smallint | | No | | | | Direct (non-inherited) allow bits | +| DirectDenyRights | smallint | | No | | | | Direct deny bits | +| InheritedAllowRights | smallint | | No | | | | Inherited allow bits | +| InheritedDenyRights | smallint | | No | | | | Inherited deny bits | +| AllowMask | int | | No | | | | Full Windows allow access mask | +| DenyMask | int | | No | | | | Full Windows deny access mask | +| DirectAllowMask | int | | No | | | | Direct allow mask | +| DirectDenyMask | int | | No | | | | Direct deny mask | +| InheritedAllowMask | int | | No | | | | Inherited allow mask | +| InheritedDenyMask | int | | No | | | | Inherited deny mask | + +**Primary Key:** `PK_SA_FSAA_Rights` — clustered on `(HOST, RightsProxyID, TrusteeID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Rights_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAA_Tags {#sa_fsaa_tags} + +**Description:** Distinct file tag values per host. Two-level deduplication: `Tags` holds the unique tag string, `TagKeys`/`TagProxies` define a multi-tag set, and `Resources.TagProxyID` references a particular set. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| TagID | int | | No | PK | | | Per-host tag ID | +| Tag | nvarchar | MAX | No | | | | Tag string (for example, an Azure Information Protection label or custom tag) | +| Source | tinyint | | No | | | `0` | Tag source | + +**Primary Key:** `PK_SA_FSAA_Tags` — clustered on `(HOST, TagID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Tags_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_TagKeys {#sa_fsaa_tagkeys} + +**Description:** Defines a "tag set" identity. Each `TagProxyID` represents a unique combination of tag values that one or more resources share. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| TagProxyID | int | | No | PK | | | Identifier for the tag set | + +**Primary Key:** `PK_SA_FSAA_TagKeys` — clustered on `(HOST, TagProxyID)` + +**Foreign Keys:** +- `FK_SA_FSAA_TagKeys_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_TagProxies {#sa_fsaa_tagproxies} + +**Description:** Membership of `Tags` in a `TagKeys` set: each row links one tag to one tag-proxy. A resource's `TagProxyID` points at a row in `TagKeys`; joining through `TagProxies` yields the list of tags applied. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| TagProxyID | int | | No | PK | FK → SA_FSAA_TagKeys.TagProxyID | | Tag set | +| TagID | int | | No | PK | FK → SA_FSAA_Tags.TagID | | Tag in the set | + +**Primary Key:** `PK_SA_FSAA_TagProxies` — clustered on `(HOST, TagProxyID, TagID)` + +**Foreign Keys:** +- `FK_SA_FSAA_TagProxies_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_TagProxies_TagProxyID` → `(HOST, TagProxyID) → SA_FSAA_TagKeys(HOST, TagProxyID)` +- `FK_SA_FSAA_TagProxies_TagID` → `(HOST, TagID) → SA_FSAA_Tags(HOST, TagID)` + +--- + +### SA_FSAA_Resources {#sa_fsaa_resources} + +**Description:** The structural backbone — every share, folder, and file the DC has seen on the host, plus its parent linkage, owner, ACL pointer, gate pointer, tag pointer, sizing, timestamps, and per-scan-type tracking columns. This is the largest table in the schema by row count and is created `WITH (DATA_COMPRESSION = ROW)` on Enterprise editions. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | bigint | | No | PK | | | Per-host resource ID (bigint to support very large file systems) | +| ParentResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Parent folder/share. 
NULL = root | +| Name | nvarchar | 2000 | No | | | | Leaf name (folder/file name; share name for shares) | +| ResourceType | tinyint | | No | | | | See [ResourceType enumeration](../enumeration/overview.md#resourcetype) | +| OwnerID | int | | Yes | | FK → SA_FSAA_Trustees.ID | | Resource owner trustee | +| RightsProxyID | int | | Yes | | | | FK-style pointer into `SA_FSAA_Rights` (no enforced FK; NULL = inherited from parent) | +| GatesProxyID | bigint | | Yes | | | | Pointer into `SA_FSAA_GatesProxy` (no enforced FK) | +| NestedLevel | int | | No | | | | Depth in the resource tree (0 = root) | +| Size | bigint | | Yes | | | | Aggregated file-content size | +| LastModified | datetime | | Yes | | | | NTFS last-modified timestamp | +| LastAccessed | datetime | | Yes | | | | NTFS last-accessed timestamp | +| Created | datetime | | Yes | | | | NTFS creation timestamp | +| TagProxyID | int | | Yes | | | | Pointer into `SA_FSAA_TagKeys` (no enforced FK) | +| AccessID | bigint | | Yes | | | | Cross-module link to the Access (FSAA) ID for this resource | +| AccessUSN | int | | Yes | | | | USN at last Access sighting | +| AccessLastSeen | datetime2 | | Yes | | | | Last time Access scan saw this resource | +| AccessLastDeleted | datetime2 | | Yes | | | | Time the resource was last marked deleted by Access | +| ActivityID | bigint | | Yes | | | | Cross-module link to the Activity (FSAC) ID for this resource | +| ActivityUSN | int | | Yes | | | | USN at last Activity sighting | +| ActivityLastSeen | datetime2 | | Yes | | | | Last time Activity scan saw this resource | +| ActivityLastDeleted | datetime2 | | Yes | | | | Time the resource was last marked deleted by Activity | +| DLPID | bigint | | Yes | | | | Cross-module link to the DLP (FSDLP) ID for this resource | +| DLPUSN | int | | Yes | | | | USN at last DLP sighting | +| DLPLastSeen | datetime2 | | Yes | | | | Last time DLP saw this resource | +| DLPLastDeleted | datetime2 | | Yes | | | | Time the resource was last marked 
deleted by DLP | +| USN | int | | No | | | `-1` | Structural USN — last seen in this scan | +| DeletedUSN | int | | Yes | | | | USN when the resource was deleted (NULL = still present) | + +**Primary Key:** `PK_SA_FSAA_Resources` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Resources_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_Resources_ParentResourceID` → `(HOST, ParentResourceID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Resources_OwnerID` → `(HOST, OwnerID) → SA_FSAA_Trustees(HOST, ID)` + +**Indexes:** +- `SA_FSAA_Resources_Enum_IDX` — `(HOST, ParentResourceID)` INCLUDE `(ID, ResourceType, DeletedUSN)` +- `SA_FSAA_Resources_RightsProxyID_IDX` — `(HOST, RightsProxyID)` INCLUDE `(ID, GatesProxyID, DeletedUSN, ResourceType)` +- `SA_FSAA_Resources_GatesProxyID_IDX` — `(HOST, GatesProxyID)` INCLUDE `(ID)` +- `SA_FSAA_Resources_USN_IDX` — `(HOST, USN)` INCLUDE `(ID)` +- `SA_FSAA_Resources_ParentResourceID_Name_IDX` — `(HOST, ParentResourceID, Name)` + +--- + +### SA_FSAA_UnixRights {#sa_fsaa_unixrights} + +**Description:** POSIX permission triplet (`Mask`, owner, group) for Unix/NFS resources. One row per resource that has Unix rights. The `Mask` column stores the standard POSIX mode bits. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource these rights apply to | +| OwnerID | int | | No | | FK → SA_FSAA_Trustees.ID | | POSIX owner trustee | +| GroupID | int | | No | | FK → SA_FSAA_Trustees.ID | | POSIX group trustee | +| Mask | int | | No | | | | POSIX mode mask | +| USN | int | | No | | | | Update Sequence Number | + +**Primary Key:** `PK_SA_FSAA_UnixRights` — clustered on `(HOST, ResourceID)` + +**Foreign Keys:** +- `FK_SA_FSAA_UnixRights_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE` +- `FK_SA_FSAA_UnixRights_OwnerID` → `(HOST, OwnerID) → SA_FSAA_Trustees(HOST, ID)` +- `FK_SA_FSAA_UnixRights_GroupID` → `(HOST, GroupID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAA_Gates {#sa_fsaa_gates} + +**Description:** A "gate" is the entry point through which clients reach a resource: an SMB share, an NFS export, an NFS export policy, or an Azure Files share. Gates have their own ACLs (share permissions) separate from the resource ACLs. A gate references the underlying `ShareID` and the `FolderID` it grants access to. NFS share-level ACLs (export rules) are modeled as a separate "policy" gate referenced by `PolicyID` self-FK. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host gate ID | +| ShareID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource that represents the share root | +| FolderID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Folder the gate grants access to | +| PolicyID | int | | Yes | | FK → SA_FSAA_Gates.ID | | Self-FK — points at the export-policy gate when this is an NFS export | +| DisplayName | nvarchar | 256 | No | | | | Share name (for example, `Public$`) | +| Path | nvarchar | 512 | Yes | | | | Local path of the share (for example, `C:\Shares\Public`) | +| NestedLevel | int | | Yes | | | | Depth from the host root | +| GateType | int | | No | | | `0` | See [GateType enumeration](../enumeration/overview.md#gatetype) | +| USN | int | | No | | | `-1` | Update Sequence Number | +| DeletedUSN | int | | Yes | | | | USN at deletion (NULL = still present) | + +**Primary Key:** `PK_SA_FSAA_Gates` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Gates_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_Gates_ShareID` → `(HOST, ShareID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Gates_FolderID` → `(HOST, FolderID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Gates_PolicyID` → `(HOST, PolicyID) → SA_FSAA_Gates(HOST, ID)` (self-FK for NFS export policies) + +--- + +### SA_FSAA_GatesProxy {#sa_fsaa_gatesproxy} + +**Description:** Many-to-many bridge from a resource to gates. A resource may be reachable through multiple shares (or no share at all). The proxy `ID` is denormalized onto `SA_FSAA_Resources.GatesProxyID`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ID | bigint | | No | PK | | | Proxy ID — referenced by `Resources.GatesProxyID` | +| GateID | int | | No | PK | FK → SA_FSAA_Gates.ID | | Gate that grants reach to this resource | + +**Primary Key:** `PK_SA_FSAA_GatesProxy` — clustered on `(HOST, ID, GateID)` + +**Foreign Keys:** +- `FK_SA_FSAA_GatesProxy_GateID` → `(HOST, GateID) → SA_FSAA_Gates(HOST, ID) ON DELETE CASCADE` + +**Indexes:** +- `SA_FSAA_GatesProxy_GateID_IDX` — `(HOST, GateID)` INCLUDE `(ID)` + +--- + +### SA_FSAA_Policies {#sa_fsaa_policies} + +**Description:** Local Security Authority (LSA) policies attached to a host's "policy gates" (for example, *Logon as a service*, *Allow log on locally*). Used by the `SA_FSAA_GetPolicyMembership` UDF to expand pseudo-trustees such as `NT AUTHORITY\INTERACTIVE` and `NT AUTHORITY\SERVICE` into the underlying user accounts. `PolicyID` is a foreign key into `SA_FSAA_Gates` because policies are modeled as a special gate type. 
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| PolicyID | int | | No | PK | FK → SA_FSAA_Gates.ID | | Policy gate (1 = INTERACTIVE, 3 = BATCH, 4 = SERVICE, 5 = TERMINAL SERVER USER) |
+| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Trustee assigned to the policy |
+| Allow | smallint | | No | | | | Allow flag (1 = granted, 0 = denied) |
+
+**Primary Key:** `PK_SA_FSAA_Policies` — clustered on `(HOST, PolicyID, TrusteeID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_Policies_PolicyID` → `(HOST, PolicyID) → SA_FSAA_Gates(HOST, ID) ON DELETE CASCADE`
+- `FK_SA_FSAA_Policies_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)`
+
+---
+
+### SA_FSAA_Exceptions {#sa_fsaa_exceptions}
+
+**Description:** One row per detected access-control anomaly (for example, *Open Access*, *Broken Inheritance*, *Direct User Permissions*). The kind of anomaly is identified by `ExceptionType` joining `SA_FSAA_ExceptionTypes`. Either `ResourceID`, `GateID`, `TrusteeID`, or `SourceTrusteeID` may be NULL depending on the exception class — for example, *Open Access* needs only Gate+Trustee, while *SID History* needs Trustee+SourceTrustee.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ID | int | | No | PK | | | Per-host exception ID |
+| ExceptionType | int | | No | | | | Class of exception (logical reference to `SA_FSAA_ExceptionTypes.ExceptionType` — no enforced FK) |
+| GateID | int | | Yes | | FK → SA_FSAA_Gates.ID | | Gate involved (if any) |
+| ResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource involved (if any) |
+| TrusteeID | int | | Yes | | FK → SA_FSAA_Trustees.ID | | Subject trustee (if any) |
+| SourceTrusteeID | int | | Yes | | FK → SA_FSAA_Trustees.ID | | Source trustee — for SID-History exceptions, the historical SID's owner |
+
+**Primary Key:** `PK_SA_FSAA_Exceptions` — clustered on `(HOST, ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_Exceptions_HOST` → `(HOST) → SA_FSAA_Hosts(ID)`
+- `FK_SA_FSAA_Exceptions_GateID` → `(HOST, GateID) → SA_FSAA_Gates(HOST, ID) ON DELETE CASCADE`
+- `FK_SA_FSAA_Exceptions_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID)`
+- `FK_SA_FSAA_Exceptions_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)`
+- `FK_SA_FSAA_Exceptions_SourceTrusteeID` → `(HOST, SourceTrusteeID) → SA_FSAA_Trustees(HOST, ID)`
+
+**Indexes:**
+- `SA_FSAA_Exceptions_Resource_IDX` — `(HOST, ResourceID)` INCLUDE `(ExceptionType, GateID)`
+
+:::note
+`ExceptionType` joins `SA_FSAA_ExceptionTypes` logically but no SQL FK is enforced — the exception-type catalog is repopulated by the import pipeline and the absence of an FK avoids load-order constraints.
+:::
+
+---
+
+### SA_FSAA_ExceptionTypes {#sa_fsaa_exceptiontypes}
+
+**Description:** Per-host catalog of every exception class FSAA can detect. `ParentType` allows hierarchical grouping of related exceptions (for example, *Open Access — Everyone* is a child of *Open Access*).
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ExceptionType | int | | No | PK | | | Type code (referenced by `Exceptions.ExceptionType`) |
+| GUID | varchar | 38 | No | | | | Stable GUID identifying this exception kind |
+| USN | int | | No | | | | Update Sequence Number |
+| Name | varchar | 128 | No | | | | Short name (for example, `OpenAccess`) |
+| Description | varchar | 256 | No | | | | Human-readable description |
+| Count | int | | No | | | | Cached count of `SA_FSAA_Exceptions` rows of this type |
+| ParentType | int | | Yes | | | | Optional parent exception type (self-reference within the host) |
+
+**Primary Key:** `PK_SA_FSAA_ExceptionTypes` — clustered on `(HOST, ExceptionType)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_ExceptionTypes_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSAA_ProbableOwners {#sa_fsaa_probableowners}
+
+**Description:** Probable-owner heuristic results — one row per `(resource, candidate-owner)` pair, scored by file count and aggregated size of files the candidate owns within the resource subtree. Populated by the *Probable Owner* analysis job.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) being scored |
+| OwnerID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Candidate owner |
+| FileSize | bigint | | Yes | | | | Total bytes owned by this candidate within the subtree |
+| FileCount | int | | Yes | | | | Number of files owned by this candidate within the subtree |
+
+**Primary Key:** `PK_SA_FSAA_ProbableOwners` — clustered on `(HOST, ResourceID, OwnerID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_ProbableOwners_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+- `FK_SA_FSAA_ProbableOwners_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID)`
+- `FK_SA_FSAA_ProbableOwners_OwnerID` → `(HOST, OwnerID) → SA_FSAA_Trustees(HOST, ID)`
+
+---
+
+### SA_FSAA_FileSizes {#sa_fsaa_filesizes}
+
+**Description:** Aggregated size and count of all files within each resource subtree. Populated by the bulk-import pipeline when the *Sizing* option is enabled.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) |
+| FileSize | bigint | | Yes | | | | Total file bytes within the subtree |
+| FileCount | int | | Yes | | | | Total number of files within the subtree |
+
+**Primary Key:** `PK_SA_FSAA_FileSizes` — clustered on `(HOST, ResourceID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_FileSizes_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSAA_FileTypes {#sa_fsaa_filetypes}
+
+**Description:** Per-extension breakdown of files within each resource subtree. One row per `(resource, extension)`.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) |
+| Extension | nvarchar | 255 | No | PK | | | File extension (for example, `.docx`) |
+| FileSize | bigint | | Yes | | | | Total bytes of files with this extension |
+| FileCount | int | | Yes | | | | Number of files with this extension |
+
+**Primary Key:** `PK_SA_FSAA_FileTypes` — clustered on `(HOST, ResourceID, Extension)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_FileTypes_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSAA_FileAges {#sa_fsaa_fileages}
+
+**Description:** Histogram of file age buckets within each resource subtree. The 11 `FileCount0..FileCount10` columns hold counts in successively older buckets; the bucket boundaries are determined at scan configuration time.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) |
+| LastModified | datetime | | Yes | | | | Most recent file modification within the subtree |
+| FileCount0 | int | | Yes | | | | Files in age bucket 0 (newest) |
+| FileCount1 | int | | Yes | | | | Files in age bucket 1 |
+| FileCount2 | int | | Yes | | | | Files in age bucket 2 |
+| FileCount3 | int | | Yes | | | | Files in age bucket 3 |
+| FileCount4 | int | | Yes | | | | Files in age bucket 4 |
+| FileCount5 | int | | Yes | | | | Files in age bucket 5 |
+| FileCount6 | int | | Yes | | | | Files in age bucket 6 |
+| FileCount7 | int | | Yes | | | | Files in age bucket 7 |
+| FileCount8 | int | | Yes | | | | Files in age bucket 8 |
+| FileCount9 | int | | Yes | | | | Files in age bucket 9 |
+| FileCount10 | int | | Yes | | | | Files in age bucket 10 (oldest) |
+
+**Primary Key:** `PK_SA_FSAA_FileAges` — clustered on `(HOST, ResourceID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_FileAges_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSAA_FileTags {#sa_fsaa_filetags}
+
+**Description:** Aggregated file count and size per `(resource, tag-set)`. Populated when AIP / sensitive-data tags are collected.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) |
+| TagProxyID | int | | No | PK | FK → SA_FSAA_TagKeys.TagProxyID | | Tag set |
+| FileSize | bigint | | No | | | | Total bytes of files with this tag set |
+| FileCount | int | | No | | | | Number of files with this tag set |
+
+**Primary Key:** `PK_SA_FSAA_FileTags` — clustered on `(HOST, ResourceID, TagProxyID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAA_FileTags_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE`
+- `FK_SA_FSAA_FileTags_TagProxyID` → `(HOST, TagProxyID) → SA_FSAA_TagKeys(HOST, TagProxyID)`
+
+---
+
+### SA_FSAA_ScanHistory {#sa_fsaa_scanhistory}
+
+**Description:** Append-only audit log of every scan run, including the FSAA configuration XML used. Useful for forensic / configuration-tracking purposes.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| ConsoleHost | nvarchar | 64 | Yes | | | | NAA console that initiated the scan |
+| ScanHost | nvarchar | 64 | Yes | | | | Host machine that performed the scan |
+| ScanType | nvarchar | 64 | Yes | | | | Scan type (Access / Activity / DLP) |
+| JobGUID | varchar | 38 | Yes | | | | Job correlation GUID |
+| RunTime | datetime2 | | Yes | | | | When the scan ran |
+| FSAAConfigXml | xml | | Yes | | | | Snapshot of the FSAA XML configuration |
+
+This table is intentionally append-only with no primary key, foreign keys, or indexes. Every scan run inserts a new row; rows are never updated and aren't referenced by other tables. Querying is by `ScanHost` / `RunTime` and is expected to be infrequent (forensic / support use).
+
+---
+
+## Activity Collector Tables (SA_FSAC_*) {#activity-collector-tables-sa_fsac_}
+
+The **File System Activity Collector** produces the following tables. They capture audit events streamed from agents on the file servers and roll those events up into daily-activity aggregates and exception detections.
+
+### SA_FSAC_ProcessNames {#sa_fsac_processnames}
+
+**Description:** Per-host lookup of process names observed in audit events. Activity events reference process names by `ID` to avoid storing the same long path string repeatedly.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ID | int | | No | PK | | | Per-host process-name ID |
+| Name | nvarchar | 255 | No | | | | Process name (for example, `EXPLORER.EXE`) |
+
+**Primary Key:** `PK_SA_FSAC_ProcessNames` — clustered on `(HOST, ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAC_ProcessNames_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSAC_ActivityEvents {#sa_fsac_activityevents}
+
+**Description:** The activity-event firehose. One row per audited file-system operation captured by an FSAC agent. `Operation` is a coded enumeration covering Read / Add / Update / Delete / PermissionChange / Rename. `Allow` is `1` for successful operations and `0` for denied operations.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ID | bigint | | No | PK | | | Per-host event ID |
+| AccessTime | datetime2 | | No | | | | Time the operation occurred |
+| PathID | bigint | | No | | FK → SA_FSAA_Resources.ID | | Resource (file or folder) the operation acted on |
+| TrusteeID | int | | No | | FK → SA_FSAA_Trustees.ID | | The user / principal that performed the operation |
+| ProcessID | int | | Yes | | FK → SA_FSAC_ProcessNames.ID | | Process executing the operation (NULL if unknown) |
+| Operation | tinyint | | No | | | | Operation code: `0`=Read, `1`=Add, `2`=Update, `3`=Delete, `4`=PermissionChange, `5`=Rename |
+| Allow | bit | | No | | | `1` | `1` = operation allowed, `0` = operation denied |
+| USN | int | | No | | | | Update Sequence Number |
+
+**Primary Key:** `PK_SA_FSAC_ActivityEvents` — clustered on `(HOST, ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAC_ActivityEvents_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+- `FK_SA_FSAC_ActivityEvents_PathID` → `(HOST, PathID) → SA_FSAA_Resources(HOST, ID)`
+- `FK_SA_FSAC_ActivityEvents_ProcessID` → `(HOST, ProcessID) → SA_FSAC_ProcessNames(HOST, ID)`
+- `FK_SA_FSAC_ActivityEvents_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)`
+
+**Indexes:**
+- `SA_FSAC_ActivityEvents_PathID_IDX` — `(HOST, PathID)` INCLUDE `(ID, AccessTime, TrusteeID, Operation, Allow)`
+- `SA_FSAC_ActivityEvents_TrusteeID_IDX` — `(TrusteeID, AccessTime)` INCLUDE `(PathID, ProcessID, Operation, Allow)`
+
+---
+
+### SA_FSAC_PermissionChanges {#sa_fsac_permissionchanges}
+
+**Description:** Detail rows for activity events where `Operation = 4` (PermissionChange). Each event may have multiple change rows — one per ACE that was added, removed, or modified. `AccessRights` is the bitmask before the change; `NewAccessRights` is the bitmask after the change (NULL on removal).
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ActivityID | bigint | | No | PK | FK → SA_FSAC_ActivityEvents.ID | | Owning activity event |
+| ChangeID | smallint | | No | PK | | | Per-event change index |
+| AclType | tinyint | | No | | | | ACL type (DACL / SACL distinction) |
+| TrusteeID | int | | No | | FK → SA_FSAA_Trustees.ID | | Trustee whose ACE changed |
+| ChangeType | tinyint | | No | | | | Change kind: added / removed / modified |
+| AceType | tinyint | | No | | | | ACE type (Allow / Deny) |
+| InheritanceFlags | tinyint | | No | | | | NTFS inheritance flags |
+| AceFlags | tinyint | | No | | | | NTFS ACE flags |
+| AccessRights | bigint | | No | | | | Pre-change Windows access mask |
+| NewAccessRights | bigint | | Yes | | | | Post-change access mask (NULL when ACE was removed) |
+
+**Primary Key:** `PK_SA_FSAC_PermissionChanges` — clustered on `(HOST, ActivityID, ChangeID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAC_PermissionChanges_HOST` → `(HOST) → SA_FSAA_Hosts(ID)`
+- `FK_SA_FSAC_PermissionChanges_ActivityID` → `(HOST, ActivityID) → SA_FSAC_ActivityEvents(HOST, ID)`
+- `FK_SA_FSAC_PermissionChanges_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)`
+
+---
+
+### SA_FSAC_OwnerChanges {#sa_fsac_ownerchanges}
+
+**Description:** Detail rows for activity events that changed a resource's owner (Take Ownership / chown). One row per qualifying activity event.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ActivityID | bigint | | No | PK | FK → SA_FSAC_ActivityEvents.ID | | Owning activity event |
+| PreviousOwnerID | int | | No | | FK → SA_FSAA_Trustees.ID | | Owner before the change |
+| NewOwnerID | int | | No | | FK → SA_FSAA_Trustees.ID | | Owner after the change |
+
+**Primary Key:** `PK_SA_FSAC_OwnerChanges` — clustered on `(HOST, ActivityID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAC_OwnerChanges_HOST` → `(HOST) → SA_FSAA_Hosts(ID)`
+- `FK_SA_FSAC_OwnerChanges_ActivityID` → `(HOST, ActivityID) → SA_FSAC_ActivityEvents(HOST, ID)`
+- `FK_SA_FSAC_OwnerChanges_PreviousOwnerID` → `(HOST, PreviousOwnerID) → SA_FSAA_Trustees(HOST, ID)`
+- `FK_SA_FSAC_OwnerChanges_NewOwnerID` → `(HOST, NewOwnerID) → SA_FSAA_Trustees(HOST, ID)`
+
+---
+
+### SA_FSAC_DailyActivity {#sa_fsac_dailyactivity}
+
+**Description:** Daily aggregation of activity-event counts, partitioned by `(host, date, folder, trustee, operation, allow)`. The folder ID is the *containing folder* for the operation, so each row counts how many times a trustee performed a given operation type in a folder on a given day. This table feeds the daily-activity views and the *Most Active Users* / *Most Active Servers* reports.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ActivityDate | date | | No | PK | | | Date the activity occurred |
+| FolderID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Containing folder |
+| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Acting trustee |
+| Operation | tinyint | | No | PK | | | Operation code (0–5) |
+| Allow | bit | | No | PK | | `1` | Allow / Deny flag |
+| Count | int | | No | | | | Number of operations |
+
+**Primary Key:** `PK_SA_FSAC_DailyActivity` — clustered on `(HOST, FolderID, ActivityDate, TrusteeID, Operation, Allow)`
+
+**Foreign Keys:**
+- `FK_SA_FSAC_DailyActivity_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+- `FK_SA_FSAC_DailyActivity_FolderID` → `(HOST, FolderID) → SA_FSAA_Resources(HOST, ID)`
+- `FK_SA_FSAC_DailyActivity_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)`
+
+---
+
+### SA_FSAC_RenameTargets {#sa_fsac_renametargets}
+
+**Description:** Detail rows for `Operation = 5` (Rename) activity events: stores the *target* path-ID of the rename. The activity event itself records the *source* path; this table records the destination.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ActivityID | bigint | | No | PK | FK → SA_FSAC_ActivityEvents.ID | | Owning rename event |
+| TargetPathID | bigint | | No | | FK → SA_FSAA_Resources.ID | | Resource the source was renamed to |
+
+**Primary Key:** `PK_SA_FSAC_RenameTargets` — clustered on `(HOST, ActivityID)`
+
+**Foreign Keys:**
+- `FK_SA_FSAC_RenameTargets_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+- `FK_SA_FSAC_RenameTargets_ActivityID` → `(HOST, ActivityID) → SA_FSAC_ActivityEvents(HOST, ID)`
+- `FK_SA_FSAC_RenameTargets_TargetPathID` → `(HOST, TargetPathID) → SA_FSAA_Resources(HOST, ID)`
+
+---
+
+### SA_FSAC_ExceptionTypes {#sa_fsac_exceptiontypes}
+
+**Description:** Catalog of activity-exception classes (for example, *Unusual hourly activity*, *Mass deletion*, *Ransomware artifact*). One row per `(host, exception type)`.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ExceptionType | int | | No | PK | | | Exception type code |
+| Name | varchar | 128 | No | | | | Short name |
+| Description | varchar | 256 | No | | | | Human-readable description |
+| Count | int | | No | | | | Cached count of `SA_FSAC_Exceptions` rows of this type |
+| ParentType | int | | Yes | | | | Optional parent exception type for hierarchical grouping |
+
+**Primary Key:** `PK_SA_FSAC_ExceptionTypes` — clustered on `(HOST, ExceptionType)`
+
+---
+
+### SA_FSAC_Exceptions {#sa_fsac_exceptions}
+
+**Description:** One row per detected activity anomaly. The `Value` / `Average` / `StandardDeviations` columns capture the statistical model output that triggered the exception (for example, observed value vs. baseline).
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| ID | int | | No | PK | | | Per-host exception ID |
+| ExceptionType | int | | No | | | | Class of exception (logical reference to `SA_FSAC_ExceptionTypes.ExceptionType` — no enforced FK) |
+| ActivityDate | date | | No | | | | Date the anomaly occurred |
+| ActivityHour | tinyint | | Yes | | | | Hour-of-day (0–23) for hourly-bucketed anomalies |
+| GateID | int | | No | | | | Gate (share) where the anomaly was observed |
+| TrusteeID | int | | Yes | | | | User involved (if applicable) |
+| ResourceID | bigint | | Yes | | | | Resource involved (if applicable) |
+| Value | int | | Yes | | | | Observed value (for example, operation count) |
+| Average | float | | Yes | | | | Baseline average for comparison |
+| StandardDeviations | float | | Yes | | | | How many σ the observed value is from the average |
+
+**Primary Key:** `PK_SA_FSAC_Exceptions` — clustered on `(HOST, ID)`
+
+**Indexes:**
+- `SA_FSAC_Exceptions_ResourceID_IDX` — `(HOST, ResourceID)` INCLUDE `(GateID)`
+
+:::note
+No foreign keys are declared on this table; `GateID`, `TrusteeID`, `ResourceID`, and `ExceptionType` are logical references only.
+:::
+
+---
+
+### SA_FSAC_UserExceptionTypes {#sa_fsac_userexceptiontypes}
+
+**Description:** User-centric variant of `SA_FSAC_ExceptionTypes` — partitioned by user `SID` instead of by host. Used when an exception is associated with a particular user across multiple hosts.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| SID | varchar | 184 | No | PK | | | User SID |
+| ExceptionType | int | | No | PK | | | Exception type code |
+| Name | varchar | 128 | No | | | | Short name |
+| Description | varchar | 256 | No | | | | Description |
+| Count | int | | No | | | | Cached count |
+| ParentType | int | | Yes | | | | Optional parent exception type |
+
+**Primary Key:** `PK_SA_FSAC_UserExceptionTypes` — clustered on `(SID, ExceptionType)`
+
+---
+
+### SA_FSAC_UserExceptions {#sa_fsac_userexceptions}
+
+**Description:** One row per detected per-user activity anomaly (for example, unusual login pattern attributed to a specific SID).
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| SID | varchar | 184 | No | | | | User SID |
+| ID | int | | No | PK | | | Surrogate exception ID |
+| ExceptionType | int | | No | | | | Exception type |
+| ActivityDate | date | | No | | | | Date the anomaly occurred |
+| ActivityStartTime | tinyint | | Yes | | | | Start hour of the activity window (0–23) |
+| ActivityPeriod | tinyint | | Yes | | | | Length of the activity window in hours |
+| Value | int | | Yes | | | | Observed value |
+| Average | float | | Yes | | | | Baseline average |
+| StandardDeviations | float | | Yes | | | | σ from baseline |
+
+**Primary Key:** `PK_SA_FSAC_UserExceptions` — clustered on `(ID)`
+
+---
+
+## Sensitive Data Tables (SA_FSDLP_*) {#sensitive-data-tables-sa_fsdlp_}
+
+The **Sensitive Data / DLP collector** produces the following tables. They capture matches against configured DLP criteria, including per-match excerpt context and links to the subject-profile system that ties hits to specific identities.
+
+### SA_FSDLP_ImportHistory {#sa_fsdlp_importhistory}
+
+**Description:** Append-only history of DLP scan imports per host. One row per imported scan run.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| GUID | varchar | 38 | No | | | | Scan correlation GUID |
+| USN | int | | No | PK | | | USN at import time |
+
+**Primary Key:** `PK_SA_FSDLP_ImportHistory` — clustered on `(HOST, USN)`
+
+**Foreign Keys:**
+- `FK_SA_FSDLP_ImportHistory_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSDLP_Criteria {#sa_fsdlp_criteria}
+
+**Description:** Per-host catalog of the DLP criteria (patterns / classifiers) that produced matches. The `pattern_guid` is the global identifier that links back to the centrally managed criteria definitions. `Risk` is a numeric severity score.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition |
+| ID | int | | No | PK | | | Per-host criterion ID |
+| Name | nvarchar | 256 | No | | | | Criterion name (for example, "U.S. Social Security Number") |
+| Risk | int | | No | | | `0` | Risk score |
+| pattern_guid | uniqueidentifier | | Yes | | | | Global criterion GUID |
+
+**Primary Key:** `PK_SA_FSDLP_Criteria` — clustered on `(HOST, ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSDLP_Criteria_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSDLP_Matches {#sa_fsdlp_matches}
+
+**Description:** One row per `(file, criterion)` pair where the criterion produced at least one hit in the file. `MatchCount` is the total number of hits.
+
+`DataSource` is a bitmask indicating where in the file the matches came from: `1` = Content, `2` = Metadata, `4` = Filename. Combinations are summed (for example, `5` = Content + Filename).
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| FileId | bigint | | No | PK | | | Resource ID of the matched file (joins `SA_FSAA_Resources.ID`) |
+| CriteriaId | int | | No | PK | FK → SA_FSDLP_Criteria.ID | | Criterion that matched |
+| MatchCount | int | | Yes | | | | Number of hits within this file for this criterion |
+| DataSource | int | | No | | | `0` | Bitmask: 1=Content, 2=Metadata, 4=Filename |
+
+**Primary Key:** `PK_SA_FSDLP_Matches` — clustered on `(HOST, FileId, CriteriaId)`
+
+**Foreign Keys:**
+- `FK_SA_FSDLP_Matches_CriteriaId` → `(HOST, CriteriaId) → SA_FSDLP_Criteria(HOST, ID) ON DELETE CASCADE`
+
+---
+
+### SA_FSDLP_MatchHits {#sa_fsdlp_matchhits}
+
+**Description:** Per-hit detail rows. For every match in `SA_FSDLP_Matches`, this table holds the prefix / data / suffix excerpt around each hit, plus a confidence score.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| FileId | bigint | | No | PK | | | Resource ID of the matched file |
+| CriteriaId | int | | No | PK | | | Criterion that produced the hit |
+| ID | bigint | | No | PK | | | Per-`(File, Criterion)` hit ID |
+| SubFileName | nvarchar | 1024 | Yes | | | | Sub-file name (for archives such as ZIP / RAR) |
+| MatchPrefix | nvarchar | 1024 | Yes | | | | Text immediately before the matched data |
+| MatchData | nvarchar | 1024 | Yes | | | | The matched data itself |
+| MatchSuffix | nvarchar | 1024 | Yes | | | | Text immediately after the matched data |
+| Confidence | int | | No | | | `0` | Confidence score (0–100) |
+| DataSource | int | | No | | | `0` | Where the hit was found (see `SA_FSDLP_Matches.DataSource`) |
+
+**Primary Key:** `PK_SA_FSDLP_MatchHits` — clustered on `(HOST, FileId, CriteriaId, ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSDLP_MatchHits_Match` → `(HOST, FileId, CriteriaId) → SA_FSDLP_Matches(HOST, FileId, CriteriaId) ON DELETE CASCADE`
+
+---
+
+### SA_FSDLP_MatchHits_SubjectProfile {#sa_fsdlp_matchhits_subjectprofile}
+
+**Description:** Links a DLP match hit to the subject-profile system, which identifies which person / entity the hit is about. Populated when subject-profile correlation is enabled.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| HOST | int | | No | PK | | | Host partition |
+| FileId | bigint | | No | PK | | | Resource ID of the matched file |
+| CriteriaId | int | | No | PK | | | Criterion that produced the hit |
+| ID | bigint | | No | PK | FK → SA_FSDLP_MatchHits.ID | | Hit ID |
+| SourceId | int | | No | | FK → SA_SubjectProfile_Sources.Id | | Subject-profile source |
+| IdentityId | bigint | | No | | FK → SA_SubjectProfile_Identities.Id | | Resolved identity |
+| AttributeId | int | | No | | | | Attribute on the identity that the hit aligns with |
+| Order | int | | No | | | | Position within multi-valued attributes |
+
+**Primary Key:** `PK_SA_FSDLP_MatchHits_SubjectProfile` — clustered on `(HOST, FileId, CriteriaId, ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSDLP_MatchHits_SubjectProfile` → `(HOST, FileId, CriteriaId, ID) → SA_FSDLP_MatchHits(HOST, FileId, CriteriaId, ID) ON DELETE CASCADE`
+- `FK_SA_FSDLP_MatchHits_SubjectProfile_Source` → `(SourceId) → SA_SubjectProfile_Sources(Id)`
+- `FK_SA_FSDLP_MatchHits_SubjectProfile_Identity` → `(IdentityId) → SA_SubjectProfile_Identities(Id)`
+- `FK_SA_FSDLP_MatchHits_SubjectProfile_Attribute` → `(IdentityId, AttributeId, Order) → SA_SubjectProfile_AttributeValues(IdentityId, AttributeId, Order) ON DELETE CASCADE`
+
+**Indexes:**
+- `SA_FSDLP_MatchHits_SubjectProfile_Source_IDX` — nonclustered on `(SourceId)`
+- `SA_FSDLP_MatchHits_SubjectProfile_Identity_IDX` — nonclustered on `(IdentityId)`
+
+:::note
+The `SA_SubjectProfile_*` tables are owned by the central Subject Profile module and are documented separately.
+:::
+
+---
+
+## DFS Namespace Tables (SA_FSDFS_*) {#dfs-namespace-tables-sa_fsdfs_}
+
+The **DFS Namespace collector** produces the following tables. They capture Microsoft DFS namespaces and the links that map DFS paths to underlying physical shares.
+
+### SA_FSDFS_Namespaces {#sa_fsdfs_namespaces}
+
+**Description:** One row per discovered DFS namespace (for example, `\\contoso.com\public`). Each namespace anchors zero or more DFS links.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| ID | int | | No | PK | | IDENTITY(1,1) | Surrogate namespace ID |
+| HOST | int | | No | | | | Host that owns the namespace record |
+| Name | nvarchar | 450 | No | | | | DFS namespace name |
+| RootHostID | int | | Yes | | FK → SA_FSAA_Hosts.ID | | The FSAA host that hosts the namespace root |
+| RootGateID | int | | Yes | | | | The gate (share) that backs the namespace root |
+
+**Primary Key:** `PK_SA_FSDFS_Namespaces` — clustered on `(ID)`
+
+**Foreign Keys:**
+- `FK_SA_FSDFS_Namespaces_Hosts` → `(RootHostID) → SA_FSAA_Hosts(ID) ON DELETE CASCADE`
+- `FK_SA_FSDFS_Namespaces_GateID` → `(RootHostID, RootGateID) → SA_FSAA_Gates(HOST, ID)`
+
+---
+
+### SA_FSDFS_Links {#sa_fsdfs_links}
+
+**Description:** Each DFS link maps a logical DFS path (for example, `\\contoso.com\public\sales`) to a physical target path on a specific server. Multiple links may exist per namespace.
+
+| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description |
+|---|---|---|---|---|---|---|---|
+| ID | int | | No | PK | | IDENTITY(1,1) | Surrogate link ID |
+| HOST | int | | No | PK | | | Host partition (the DFS host) |
+| NamespaceID | int | | Yes | | FK → SA_FSDFS_Namespaces.ID | | Owning namespace |
+| NamespaceName | nvarchar | 512 | No | | | | Cached namespace name |
+| DfsPath | nvarchar | 400 | No | | | | DFS-side logical path (for example, `sales\reports`) |
+| DfsResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource representing the DFS-side path (when available) |
+| DfsHostID | int | | Yes | | | | Host on the DFS side |
+| TargetPath | nvarchar | 450 | No | | | | UNC path of the physical target (for example, `\\fileserver\sales`) |
+| TargetHostID | int | | Yes | | FK → SA_FSAA_Hosts.ID | | FSAA host that holds the physical target |
+| TargetGateID | int | | Yes | | FK → SA_FSAA_Gates.ID | | Gate (share) that holds the physical target |
+| TargetResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource on the target host |
+| State | int | | Yes | | | | DFS link state (online / offline) |
+| Timeout | int | | Yes | | | | DFS-link cache timeout |
+| DfsGuid | uniqueidentifier | | Yes | | | | DFS link's unique identifier |
+| Comment | nvarchar | 1024 | Yes | | | | Free-text comment |
+| IsRoot | bit | | No | | | | True if the DFS link represents the namespace root rather than a sub-link |
+
+**Primary Key:** `PK_SA_FSDFS_Links` — clustered on `(HOST, ID)`
+
+**Unique Constraints:** `UQ_FSDFS_Links_DfsPath` — unique on `(DfsPath, NamespaceID)`
+
+**Foreign Keys:**
+- `FK_SA_FSDFS_Links_NamespaceID` → `(NamespaceID) → SA_FSDFS_Namespaces(ID) ON DELETE CASCADE`
+- `FK_SA_FSDFS_Links_TargetHostID` → `(TargetHostID) → SA_FSAA_Hosts(ID)`
+- `FK_SA_FSDFS_Links_TargetGateID` → `(TargetHostID, TargetGateID) → SA_FSAA_Gates(HOST, ID)`
+- `FK_SA_FSDFS_Links_TargetResourceID` → `(TargetHostID, TargetResourceID) → SA_FSAA_Resources(HOST, ID)`
+- `FK_SA_FSDFS_Links_DfsResourceID` → `(DfsHostID, DfsResourceID) → SA_FSAA_Resources(HOST, ID)`
+
+**Indexes:**
+- `SA_FSDFS_Links_GateID_IDX` — `(TargetHostID, TargetGateID)`
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json
new file mode 100644
index 0000000000..1ae864a8b0
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Enumeration & Lookup Values Reference",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md
new file mode 100644
index 0000000000..71aa35e3bf
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md
@@ -0,0 +1,98 @@
+# Enumeration & Lookup Values Reference
+
+This section documents the possible values stored in coded columns used throughout the FSAA DC schema. These values appear in core data tables, and views decode them into human-readable labels.
+
+---
+
+## TrusteeType
+
+Referenced by `SA_FSAA_Trustees.TrusteeType` and `SA_FSAA_LocalTrustees.TrusteeType`.
+
+| Value | Name | Description |
+|---|---|---|
+| 0 | Unknown | Type couldn't be determined |
+| 1 | SecurityPrincipal | Built-in / well-known security principal (for example, `Everyone`) |
+| 2 | LocalUser | Local user account |
+| 3 | LocalGroup | Local group account |
+| 4 | GlobalUser | Domain user account ("Domain User" in views) |
+| 5 | GlobalGroup | Domain group account ("Domain Group" in views) |
+| 6 | SharepointUser | SharePoint user |
+| 7 | SharepointGroup | SharePoint group |
+| 8 | Unsupported | Trustee type not supported |
+| 9 | ServiceAccount | Service account |
+| 10 | Computer | Computer account |
+| 11 | GlobalTrustee | Cross-domain trustee |
+| 20 | UnixUser | POSIX user |
+| 21 | UnixGroup | POSIX group |
+
+:::note
+The descriptive labels emitted by views (`SA_FSAA_PermissionsView.TrusteeTypeDescription`, etc.) cover values 0, 1, 2, 3, 4, 5, 8, 9, and 10 only.
+:::
+
+---
+
+## ResourceType
+
+Referenced by `SA_FSAA_Resources.ResourceType`.
+
+| Value | Name | View label | Description |
+|---|---|---|---|
+| 0 | Share | Share | SMB / Windows share root |
+| 1 | NFSExport | Share | NFS export root |
+| 2 | NetAppVolume | Folder | NetApp volume root |
+| 3 | WinDir | Folder | Windows directory |
+| 4 | WinFile | File | Windows file |
+| 5 | UnixDir | Folder | Unix directory |
+| 6 | UnixFile | File | Unix file |
+
+Views map these to three labels using `CASE WHEN r.ResourceType IN (0,1) THEN 'Share' WHEN r.ResourceType IN (2,3,5) THEN 'Folder' WHEN r.ResourceType IN (4,6) THEN 'File' END`.
+
+---
+
+## GateType
+
+Referenced by `SA_FSAA_Gates.GateType`.
+
+| Value | Description |
+|---|---|
+| 0 | SMB share gate |
+| 1 | Policy gate (LSA logon-right pseudo-trustee container — `INTERACTIVE`, `BATCH`, `SERVICE`, `TERMINAL SERVER USER`, etc.) |
+| 2 | NFS export gate |
+
+Share gates (`0`/`2`) carry NTFS / share permissions and are reachable via `SA_FSAA_GatesProxy`. Policy gates (`1`) are produced by the local-policy enumerator: they have no `ShareID` or `FolderID`, and their members are stored in `SA_FSAA_Policies` and resolved at query time by `SA_FSAA_GetPolicyMembership`. Views that surface share traversal label any non-zero `GateType` as `'NFS'` for legacy compatibility (`CASE WHEN g.GateType = 0 THEN 'SMB' ELSE 'NFS' END`); policy gates are normally filtered out by the `r.GatesProxyID IS NOT NULL` predicate before reaching that CASE.
+
+---
+
+## Rights Bitmask
+
+The simplified six-bit FSAA rights model. Used in `SA_FSAA_Rights.AllowRights`, `DenyRights`, `DirectAllowRights`, `InheritedAllowRights`, `DirectDenyRights`, `InheritedDenyRights` and surfaced in views as the `AllowRightsDescription` / `DenyRightsDescription` text columns (for example, `LRWDMA`).
+
+| Bit | Hex / Decimal | Letter | Name |
+|---|---|---|---|
+| 0 | `0x01` (1) | R | Read |
+| 1 | `0x02` (2) | W | Write |
+| 2 | `0x04` (4) | D | Delete |
+| 3 | `0x08` (8) | M | Manage |
+| 4 | `0x10` (16) | A | Admin |
+| 5 | `0x20` (32) | L | List |
+
+The corresponding Windows mask values are stored separately in the `*Mask` columns. Common mappings used by `SA_FSAA_PermissionsView.AllowMaskDescription`:
+
+| Mask (decimal) | Description |
+|---|---|
+| 0 | None |
+| 2032127 | Full Control (allow) |
+| 1245631 | Modify |
+| 1179817 | Read & Execute (or "List folder contents" when `AllowRights = 32`) |
+| 1179785 | Read |
+| 1179926 | Write |
+| 983551 | Full Control (deny) |
+| 197055 | Modify (deny) |
+| 1310720 | Change Permissions |
+| 1572864 | Take Ownership |
+| 1114112 | Delete |
+| 1179648 | Read Permissions |
+
+:::note
+The `CASE` expression in `SA_FSAA_PermissionsView` / `SA_FSAA_DirectPermissionsView` / `SA_FSAA_InheritedPermissionsView` decodes many additional special-permission decimal values.
+:::
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json
new file mode 100644
index 0000000000..8e87e36269
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Table Relationship Diagrams (ERD)",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md
new file mode 100644
index 0000000000..071b371c04
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md
@@ -0,0 +1,193 @@
+# Table Relationship Diagrams (ERD)
+
+The following subsystem-focused sub-diagrams divide the schema. Relationship lines use standard crow's foot notation: a single vertical bar on the parent side and a crow's foot (fork) on the child side means "exactly one parent, zero or more children"; a single bar on each side with an open circle means one-to-zero-or-one (sidecar / extension table).
+
+:::note
+Every core table includes a `HOST INT` column that is a foreign key to `SA_FSAA_Hosts.ID` with `ON DELETE CASCADE`. To keep the sub-diagrams readable, that fan-out is shown only in the **Top-level partitioning** diagram; in the other diagrams `HOST` is implicit on every relationship.
+
+Tables not shown in any diagram (no foreign keys): `SA_FSAA_SchemaVer` (single-row config) and `SA_FSAA_ScanHistory` (audit log).
+:::
+
+---
+
+## Top-level Partitioning
+
+`SA_FSAA_Hosts` is the root of the schema. Every other table includes a `HOST` column whose foreign key cascades on delete, so removing a host atomically purges its entire data set. The following diagrams are **representative, not exhaustive** — they show the parent tables for each subsystem; the per-subsystem diagrams that follow cover the remaining HOST-partitioned tables (for example, `SA_FSAA_Rights`, `SA_FSAA_LocalTrustees`, `SA_FSAA_GatesProxy`, `SA_FSAA_Policies`, the four `SA_FSAA_File*` aggregations, and every `SA_FSAC_*` / `SA_FSDLP_*` / `SA_FSDFS_*` table).
+
+**Core subsystem roots:**
+
+```mermaid
+erDiagram
+ SA_FSAA_Hosts ||--o{ SA_FSAA_ImportHistory : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_Trustees : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_Resources : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_Gates : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_ExceptionTypes : "HOST"
+```
+
+**Tag infrastructure and exception/ownership tables:**
+
+```mermaid
+erDiagram
+ SA_FSAA_Hosts ||--o{ SA_FSAA_Tags : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_TagKeys : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_TagProxies : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_Exceptions : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAA_ProbableOwners : "HOST"
+```
+
+---
+
+## Trustees
+
+`SA_FSAA_Trustees` is the canonical trustee table. `SA_FSAA_LocalTrustees` is a 1:0..1 *extension* that adds NT-style domain/name/display fields for principals that are local to the host. `SA_FSAA_TrusteeEquivalence` is the local-group-membership edge table — `TrusteeID` is the member, `EquivalentTrusteeID` is the local-group it belongs to.
+
+```mermaid
+erDiagram
+ SA_FSAA_Trustees ||--o| SA_FSAA_LocalTrustees : "ID (extension)"
+ SA_FSAA_Trustees ||--o{ SA_FSAA_TrusteeEquivalence : "TrusteeID (member)"
+ SA_FSAA_LocalTrustees ||--o{ SA_FSAA_TrusteeEquivalence : "EquivalentTrusteeID (group)"
+```
+
+---
+
+## Resources & Content Aggregations {#resources--content-aggregations}
+
+`SA_FSAA_Resources` is the file/folder/share tree (note the self-reference for parent-child folder hierarchy and the `OwnerID` FK back to `SA_FSAA_Trustees`). The five sidecar tables on the right hold per-resource aggregations populated by the structural import.
+
+```mermaid
+erDiagram
+ SA_FSAA_Resources ||--o{ SA_FSAA_Resources : "ParentResourceID (self)"
+ SA_FSAA_Trustees ||--o{ SA_FSAA_Resources : "OwnerID"
+
+ SA_FSAA_Resources ||--o{ SA_FSAA_FileSizes : "ResourceID"
+ SA_FSAA_Resources ||--o{ SA_FSAA_FileTypes : "ResourceID"
+ SA_FSAA_Resources ||--o{ SA_FSAA_FileAges : "ResourceID"
+ SA_FSAA_Resources ||--o{ SA_FSAA_UnixRights : "ResourceID"
+ SA_FSAA_Resources ||--o{ SA_FSAA_ProbableOwners : "ResourceID"
+
+ SA_FSAA_Trustees ||--o{ SA_FSAA_UnixRights : "OwnerID + GroupID"
+ SA_FSAA_Trustees ||--o{ SA_FSAA_ProbableOwners : "OwnerID"
+```
+
+---
+
+## Gates and Permissions
+
+A "gate" is a way to reach a resource — an SMB share, NFS export, or LSA-policy container. `SA_FSAA_Gates` self-references through `PolicyID` (an NFS export gate points at its export-policy gate). `SA_FSAA_GatesProxy` is the dedup bridge between resources and gates (`SA_FSAA_Resources.GatesProxyID` is a logical reference, not an enforced FK). `SA_FSAA_Rights` holds the per-trustee allow/deny ACL entries; `RightsProxyID` is also a logical reference from `SA_FSAA_Resources` rather than an enforced FK.
+
+```mermaid
+erDiagram
+ SA_FSAA_Gates ||--o{ SA_FSAA_Gates : "PolicyID (self)"
+ SA_FSAA_Resources ||--o{ SA_FSAA_Gates : "ShareID + FolderID"
+
+ SA_FSAA_Gates ||--o{ SA_FSAA_GatesProxy : "GateID"
+ SA_FSAA_Gates ||--o{ SA_FSAA_Policies : "PolicyID"
+ SA_FSAA_Trustees ||--o{ SA_FSAA_Policies : "TrusteeID"
+
+ SA_FSAA_Trustees ||--o{ SA_FSAA_Rights : "TrusteeID"
+```
+
+:::note
+Logical (un-enforced) references not shown: `SA_FSAA_Resources.RightsProxyID → SA_FSAA_Rights.RightsProxyID` and `SA_FSAA_Resources.GatesProxyID → SA_FSAA_GatesProxy.ID`. These are denormalized pointers maintained by the import pipeline; no FK constraint is created on them so that bulk imports can stage rows in any order.
+:::
+
+---
+
+## Tags
+
+Tags use a three-table dedup pattern. `SA_FSAA_Tags` holds each unique tag string. `SA_FSAA_TagKeys` defines a "tag set" identity. `SA_FSAA_TagProxies` is the membership table linking tag sets to their tags. `SA_FSAA_Resources.TagProxyID` and `SA_FSAA_FileTags.TagProxyID` reference the tag-set identity in `TagKeys`.
+
+```mermaid
+erDiagram
+ SA_FSAA_TagKeys ||--o{ SA_FSAA_TagProxies : "TagProxyID"
+ SA_FSAA_Tags ||--o{ SA_FSAA_TagProxies : "TagID"
+ SA_FSAA_TagKeys ||--o{ SA_FSAA_FileTags : "TagProxyID"
+ SA_FSAA_Resources ||--o{ SA_FSAA_FileTags : "ResourceID"
+```
+
+---
+
+## Exceptions
+
+`SA_FSAA_ExceptionTypes` is the per-host catalog of exception classes. `SA_FSAA_Exceptions` carries one row per detected anomaly and has FKs out to *all four* foundational tables — Hosts, Gates, Resources, and Trustees (twice — `TrusteeID` and `SourceTrusteeID`). Most of these FK columns are nullable because different exception types use different combinations.
+
+```mermaid
+erDiagram
+ SA_FSAA_ExceptionTypes ||--o{ SA_FSAA_Exceptions : "ExceptionType"
+ SA_FSAA_Gates ||--o{ SA_FSAA_Exceptions : "GateID"
+ SA_FSAA_Resources ||--o{ SA_FSAA_Exceptions : "ResourceID"
+ SA_FSAA_Trustees ||--o{ SA_FSAA_Exceptions : "TrusteeID"
+ SA_FSAA_Trustees ||--o{ SA_FSAA_Exceptions : "SourceTrusteeID"
+```
+
+---
+
+## Activity Collection
+
+`SA_FSAC_ActivityEvents` is the audit-event firehose; each row is one observed file-system operation (read / add / update / delete / permission-change / rename). Every event references the resource (`PathID`), the trustee that performed the operation, and the process (`ProcessID`) that ran it. Three detail tables hang off `ActivityEvents`: `SA_FSAC_PermissionChanges` and `SA_FSAC_OwnerChanges` for permission-change and owner-change details, and `SA_FSAC_RenameTargets` for rename destinations. `SA_FSAC_DailyActivity` is a daily aggregation rolled up by `(folder, trustee, operation)`. `SA_FSAC_Exceptions` records detected anomalies; `SA_FSAC_UserExceptions` is the per-user variant (partitioned by `SID` instead of by host).
+
+```mermaid
+erDiagram
+ SA_FSAA_Hosts ||--o{ SA_FSAC_ProcessNames : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAC_ActivityEvents : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSAC_DailyActivity : "HOST"
+
+ SA_FSAA_Resources ||--o{ SA_FSAC_ActivityEvents : "PathID"
+ SA_FSAA_Trustees ||--o{ SA_FSAC_ActivityEvents : "TrusteeID"
+ SA_FSAC_ProcessNames ||--o{ SA_FSAC_ActivityEvents : "ProcessID"
+
+ SA_FSAC_ActivityEvents ||--o{ SA_FSAC_PermissionChanges : "ActivityID"
+ SA_FSAC_ActivityEvents ||--o| SA_FSAC_OwnerChanges : "ActivityID"
+ SA_FSAC_ActivityEvents ||--o| SA_FSAC_RenameTargets : "ActivityID"
+
+ SA_FSAA_Trustees ||--o{ SA_FSAC_PermissionChanges : "TrusteeID"
+ SA_FSAA_Trustees ||--o{ SA_FSAC_OwnerChanges : "PreviousOwnerID + NewOwnerID"
+ SA_FSAA_Resources ||--o{ SA_FSAC_RenameTargets : "TargetPathID"
+
+ SA_FSAA_Resources ||--o{ SA_FSAC_DailyActivity : "FolderID"
+ SA_FSAA_Trustees ||--o{ SA_FSAC_DailyActivity : "TrusteeID"
+
+ SA_FSAC_ExceptionTypes ||--o{ SA_FSAC_Exceptions : "ExceptionType"
+ SA_FSAC_UserExceptionTypes ||--o{ SA_FSAC_UserExceptions : "ExceptionType (by SID)"
+```
+
+---
+
+## Sensitive Data
+
+`SA_FSDLP_Criteria` lists the active DLP patterns. `SA_FSDLP_Matches` records, for each `(file, criterion)` pair, how many hits were found. `SA_FSDLP_MatchHits` carries the per-hit excerpt (prefix / data / suffix) and confidence score. `SA_FSDLP_MatchHits_SubjectProfile` links each hit to a subject in the central Subject Profile system (the identity / attribute that the matched data corresponds to). `FileId` on Matches is a logical reference to `SA_FSAA_Resources.ID`.
+
+```mermaid
+erDiagram
+ SA_FSAA_Hosts ||--o{ SA_FSDLP_ImportHistory : "HOST"
+ SA_FSAA_Hosts ||--o{ SA_FSDLP_Criteria : "HOST"
+
+ SA_FSDLP_Criteria ||--o{ SA_FSDLP_Matches : "CriteriaId"
+ SA_FSDLP_Matches ||--o{ SA_FSDLP_MatchHits : "FileId + CriteriaId"
+ SA_FSDLP_MatchHits ||--o{ SA_FSDLP_MatchHits_SubjectProfile : "FileId + CriteriaId + ID"
+```
+
+:::note
+Logical (un-enforced) reference not shown: `SA_FSDLP_Matches.FileId → SA_FSAA_Resources.ID`. The DLP collector populates `FileId` to match the FSAA resource ID but no SQL FK constraint is created so DLP imports can run independently of structural scans.
+
+`SA_FSDLP_MatchHits_SubjectProfile` has foreign keys into the central Subject Profile tables (`SA_SubjectProfile_Sources`, `SA_SubjectProfile_Identities`, `SA_SubjectProfile_AttributeValues`). Those tables are owned by the Subject Profile module and not shown here.
+:::
+
+---
+
+## DFS Namespaces
+
+`SA_FSDFS_Namespaces` lists the discovered DFS namespaces. `SA_FSDFS_Links` resolves each DFS-side path into the physical target (host / gate / resource) on a real file server. The link table has FKs into both the FSAA host and the FSAA structural tables on the target side.
+
+```mermaid
+erDiagram
+ SA_FSAA_Hosts ||--o{ SA_FSDFS_Namespaces : "RootHostID"
+ SA_FSAA_Gates ||--o{ SA_FSDFS_Namespaces : "RootGateID"
+
+ SA_FSDFS_Namespaces ||--o{ SA_FSDFS_Links : "NamespaceID"
+ SA_FSAA_Hosts ||--o{ SA_FSDFS_Links : "TargetHostID"
+ SA_FSAA_Gates ||--o{ SA_FSDFS_Links : "TargetGateID"
+ SA_FSAA_Resources ||--o{ SA_FSDFS_Links : "TargetResourceID"
+ SA_FSAA_Resources ||--o{ SA_FSDFS_Links : "DfsResourceID"
+```
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json
new file mode 100644
index 0000000000..c990fe38d8
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Foreign Key Reference",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md
new file mode 100644
index 0000000000..6f505e5b71
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md
@@ -0,0 +1,77 @@
+# Foreign Key Reference
+
+## Complete Foreign Key Listing
+
+| FK Name | Parent Table | Parent Columns | Referenced Table | Referenced Columns | On Delete |
+|---|---|---|---|---|---|
+| FK_SA_FSAA_ImportHistory_HOST | SA_FSAA_ImportHistory | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_Trustees_HOST | SA_FSAA_Trustees | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_LocalTrustees_ID | SA_FSAA_LocalTrustees | HOST, ID | SA_FSAA_Trustees | HOST, ID | CASCADE |
+| FK_SA_FSAA_TrusteeEquivalence_TrusteeID | SA_FSAA_TrusteeEquivalence | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_TrusteeEquivalence_EquivalentTrusteeID | SA_FSAA_TrusteeEquivalence | HOST, EquivalentTrusteeID | SA_FSAA_LocalTrustees | HOST, ID | CASCADE |
+| FK_SA_FSAA_Rights_TrusteeID | SA_FSAA_Rights | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Tags_HOST | SA_FSAA_Tags | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_TagKeys_HOST | SA_FSAA_TagKeys | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_TagProxies_HOST | SA_FSAA_TagProxies | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_TagProxies_TagProxyID | SA_FSAA_TagProxies | HOST, TagProxyID | SA_FSAA_TagKeys | HOST, TagProxyID | NO ACTION |
+| FK_SA_FSAA_TagProxies_TagID | SA_FSAA_TagProxies | HOST, TagID | SA_FSAA_Tags | HOST, TagID | NO ACTION |
+| FK_SA_FSAA_Resources_HOST | SA_FSAA_Resources | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_Resources_ParentResourceID | SA_FSAA_Resources | HOST, ParentResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Resources_OwnerID | SA_FSAA_Resources | HOST, OwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_UnixRights_ResourceID | SA_FSAA_UnixRights | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE |
+| FK_SA_FSAA_UnixRights_OwnerID | SA_FSAA_UnixRights | HOST, OwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_UnixRights_GroupID | SA_FSAA_UnixRights | HOST, GroupID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Gates_HOST | SA_FSAA_Gates | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_Gates_ShareID | SA_FSAA_Gates | HOST, ShareID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Gates_FolderID | SA_FSAA_Gates | HOST, FolderID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Gates_PolicyID | SA_FSAA_Gates | HOST, PolicyID | SA_FSAA_Gates | HOST, ID | NO ACTION |
+| FK_SA_FSAA_GatesProxy_GateID | SA_FSAA_GatesProxy | HOST, GateID | SA_FSAA_Gates | HOST, ID | CASCADE |
+| FK_SA_FSAA_Policies_PolicyID | SA_FSAA_Policies | HOST, PolicyID | SA_FSAA_Gates | HOST, ID | CASCADE |
+| FK_SA_FSAA_Policies_TrusteeID | SA_FSAA_Policies | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Exceptions_HOST | SA_FSAA_Exceptions | HOST | SA_FSAA_Hosts | ID | NO ACTION |
+| FK_SA_FSAA_Exceptions_GateID | SA_FSAA_Exceptions | HOST, GateID | SA_FSAA_Gates | HOST, ID | CASCADE |
+| FK_SA_FSAA_Exceptions_ResourceID | SA_FSAA_Exceptions | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Exceptions_TrusteeID | SA_FSAA_Exceptions | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_Exceptions_SourceTrusteeID | SA_FSAA_Exceptions | HOST, SourceTrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_ExceptionTypes_HOST | SA_FSAA_ExceptionTypes | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_ProbableOwners_HOST | SA_FSAA_ProbableOwners | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAA_ProbableOwners_ResourceID | SA_FSAA_ProbableOwners | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAA_ProbableOwners_OwnerID | SA_FSAA_ProbableOwners | HOST, OwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAA_FileSizes_ResourceID | SA_FSAA_FileSizes | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE |
+| FK_SA_FSAA_FileTypes_ResourceID | SA_FSAA_FileTypes | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE |
+| FK_SA_FSAA_FileAges_ResourceID | SA_FSAA_FileAges | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE |
+| FK_SA_FSAA_FileTags_ResourceID | SA_FSAA_FileTags | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE |
+| FK_SA_FSAA_FileTags_TagProxyID | SA_FSAA_FileTags | HOST, TagProxyID | SA_FSAA_TagKeys | HOST, TagProxyID | NO ACTION |
+| FK_SA_FSAC_ProcessNames_HOST | SA_FSAC_ProcessNames | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAC_ActivityEvents_HOST | SA_FSAC_ActivityEvents | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAC_ActivityEvents_PathID | SA_FSAC_ActivityEvents | HOST, PathID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAC_ActivityEvents_ProcessID | SA_FSAC_ActivityEvents | HOST, ProcessID | SA_FSAC_ProcessNames | HOST, ID | NO ACTION |
+| FK_SA_FSAC_ActivityEvents_TrusteeID | SA_FSAC_ActivityEvents | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAC_PermissionChanges_HOST | SA_FSAC_PermissionChanges | HOST | SA_FSAA_Hosts | ID | NO ACTION |
+| FK_SA_FSAC_PermissionChanges_ActivityID | SA_FSAC_PermissionChanges | HOST, ActivityID | SA_FSAC_ActivityEvents | HOST, ID | NO ACTION |
+| FK_SA_FSAC_PermissionChanges_TrusteeID | SA_FSAC_PermissionChanges | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAC_OwnerChanges_HOST | SA_FSAC_OwnerChanges | HOST | SA_FSAA_Hosts | ID | NO ACTION |
+| FK_SA_FSAC_OwnerChanges_ActivityID | SA_FSAC_OwnerChanges | HOST, ActivityID | SA_FSAC_ActivityEvents | HOST, ID | NO ACTION |
+| FK_SA_FSAC_OwnerChanges_PreviousOwnerID | SA_FSAC_OwnerChanges | HOST, PreviousOwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAC_OwnerChanges_NewOwnerID | SA_FSAC_OwnerChanges | HOST, NewOwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAC_DailyActivity_HOST | SA_FSAC_DailyActivity | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAC_DailyActivity_FolderID | SA_FSAC_DailyActivity | HOST, FolderID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSAC_DailyActivity_TrusteeID | SA_FSAC_DailyActivity | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION |
+| FK_SA_FSAC_RenameTargets_HOST | SA_FSAC_RenameTargets | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSAC_RenameTargets_ActivityID | SA_FSAC_RenameTargets | HOST, ActivityID | SA_FSAC_ActivityEvents | HOST, ID | NO ACTION |
+| FK_SA_FSAC_RenameTargets_TargetPathID | SA_FSAC_RenameTargets | HOST, TargetPathID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSDLP_ImportHistory_HOST | SA_FSDLP_ImportHistory | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSDLP_Criteria_HOST | SA_FSDLP_Criteria | HOST | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSDLP_Matches_CriteriaId | SA_FSDLP_Matches | HOST, CriteriaId | SA_FSDLP_Criteria | HOST, ID | CASCADE |
+| FK_SA_FSDLP_MatchHits_Match | SA_FSDLP_MatchHits | HOST, FileId, CriteriaId | SA_FSDLP_Matches | HOST, FileId, CriteriaId | CASCADE |
+| FK_SA_FSDLP_MatchHits_SubjectProfile | SA_FSDLP_MatchHits_SubjectProfile | HOST, FileId, CriteriaId, ID | SA_FSDLP_MatchHits | HOST, FileId, CriteriaId, ID | CASCADE |
+| FK_SA_FSDLP_MatchHits_SubjectProfile_Source | SA_FSDLP_MatchHits_SubjectProfile | SourceId | SA_SubjectProfile_Sources | Id | NO ACTION |
+| FK_SA_FSDLP_MatchHits_SubjectProfile_Identity | SA_FSDLP_MatchHits_SubjectProfile | IdentityId | SA_SubjectProfile_Identities | Id | NO ACTION |
+| FK_SA_FSDLP_MatchHits_SubjectProfile_Attribute | SA_FSDLP_MatchHits_SubjectProfile | IdentityId, AttributeId, Order | SA_SubjectProfile_AttributeValues | IdentityId, AttributeId, Order | CASCADE |
+| FK_SA_FSDFS_Namespaces_Hosts | SA_FSDFS_Namespaces | RootHostID | SA_FSAA_Hosts | ID | CASCADE |
+| FK_SA_FSDFS_Namespaces_GateID | SA_FSDFS_Namespaces | RootHostID, RootGateID | SA_FSAA_Gates | HOST, ID | NO ACTION |
+| FK_SA_FSDFS_Links_NamespaceID | SA_FSDFS_Links | NamespaceID | SA_FSDFS_Namespaces | ID | CASCADE |
+| FK_SA_FSDFS_Links_TargetHostID | SA_FSDFS_Links | TargetHostID | SA_FSAA_Hosts | ID | NO ACTION |
+| FK_SA_FSDFS_Links_TargetGateID | SA_FSDFS_Links | TargetHostID, TargetGateID | SA_FSAA_Gates | HOST, ID | NO ACTION |
+| FK_SA_FSDFS_Links_TargetResourceID | SA_FSDFS_Links | TargetHostID, TargetResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION |
+| FK_SA_FSDFS_Links_DfsResourceID | SA_FSDFS_Links | DfsHostID, DfsResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION |
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json
new file mode 100644
index 0000000000..7b82af05dc
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Functions & Stored Procedures",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md
new file mode 100644
index 0000000000..452cddfb87
--- /dev/null
+++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md
@@ -0,0 +1,229 @@
+# Functions & Stored Procedures
+
+All functions and procedures live in the `dbo` schema. Most of the table-valued functions are inline (UDFs) and are joined into views with `CROSS APPLY` / `OUTER APPLY`. Two cross-database UDF table types — `SA_CORE_GroupMemberPathTable` and `SA_CORE_GroupMembersTable` — are used as `READONLY` table-valued parameters; both come from the `SA_CORE_*` shared schema (created elsewhere).
+
+---
+
+## FSAA Functions
+
+### SA_FSAA_GetPath {#sa_fsaa_getpath}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT) RETURNS NVARCHAR(4000)`
+
+**Type:** Scalar function
+
+**Description:** Walks the parent chain in `SA_FSAA_Resources` and concatenates names with the appropriate delimiter (`/` for Unix resources of type 5/6, `\` for everything else) to produce the full resource path. Returns NULL if the resource isn't found.
+
+---
+
+### SA_FSAA_GetTrusteeMembership {#sa_fsaa_gettrusteemembership}
+
+**Signature:** `(@serverID INT, @objectSID VARCHAR(184), @trusteeType INT, @groupPath SA_CORE_GroupMemberPathTable READONLY, @directlyApplied INT = 0, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveMembers TABLE (NTDomain, NTName, DisplayName, ObjectSID, TrusteeType)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Recursively expands a group/principal into its effective members. Handles well-known SIDs specially (`S-1-5-2 NETWORK`, `S-1-5-3 BATCH`, `S-1-5-4 INTERACTIVE`, `S-1-5-6 SERVICE`, `S-1-5-13 TERMINAL SERVER USER`, `S-1-5-14 REMOTE INTERACTIVE LOGON`, `S-1-2-0 LOCAL`) by routing through `SA_FSAA_GetPolicyMembership`. Domain groups are expanded via `SA_CORE_GetDomainGroupMembershipEx` or `SA_ADInventory_GroupMembersView`. Local groups are expanded via `SA_FSAA_GetLocalGroupMembership`. The `@groupPath` parameter prevents infinite recursion.
+
+---
+
+### SA_FSAA_IsTrusteeMember {#sa_fsaa_istrusteemember}
+
+**Signature:** `(@serverID INT, @trusteeSID VARCHAR(184), @trusteeDomain NVARCHAR(256), @trusteeType INT, @groupSID VARCHAR(184), @groupDomain NVARCHAR(256), @groupType INT, @directlyApplied INT) RETURNS INT`
+
+**Type:** Scalar function
+
+**Description:** Returns 1 if the trustee is a (recursive) member of the group, else 0. Encodes well-known fast paths for `Everyone (S-1-1-0)`, `Authenticated Users (S-1-5-11)` (excluding Guest, Anonymous, and Domain Computers), and `Domain Users (S-1-5-21-...-513)`. Falls back to `SA_FSAA_GetTrusteeMembership` when the relationship can't be answered by a fast path.
+
+---
+
+### SA_FSAA_RecurseFolders {#sa_fsaa_recursefolders}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT) RETURNS TABLE (ID, NestedLevel, ResourceType, DeletedUSN)`
+
+**Type:** Inline table-valued function (recursive CTE)
+
+**Description:** Returns every descendant of the given resource (used for subtree aggregation queries).
+
+---
+
+### SA_FSAA_WalkTrusteePath {#sa_fsaa_walktrusteepath}
+
+**Signature:** `(@serverID INT, @trusteeType INT, @trusteeSID VARCHAR(184), @trusteeDomain NVARCHAR(256), @trusteeDisplay NVARCHAR(256), @groupSID VARCHAR(184), @groupType INT, @groupDomain NVARCHAR(256), @groupName NVARCHAR(256), @pathString NVARCHAR(1024), ...) RETURNS TABLE`
+
+**Type:** Inline table-valued function
+
+**Description:** Helper that walks an effective-membership path and accumulates the membership chain into a textual breadcrumb (`group → subgroup → user`).
+
+---
+
+### SA_FSAA_GetTrusteeInformationEx {#sa_fsaa_gettrusteeinformationex}
+
+**Signature:** `(@serverID INT, @trusteeID INT, @objectSID VARCHAR(184), @trusteeType SMALLINT) RETURNS TABLE (NTDomain, NTName, DisplayName, TrusteeType, IsHistoricalSID, PrincipalId)`
+
+**Type:** Inline table-valued function
+
+**Description:** Returns a single row of trustee identity. For local trustees the values come from `SA_FSAA_LocalTrustees`; for domain trustees they come from the AD inventory's `SA_ADInventory_*` tables matched by SID (handling SID History when `IsHistoricalSID = 1`). The function doesn't project the SID — callers pass it in via `@objectSID` and the wrapper `SA_FSAA_GetTrusteeInformation` re-emits it from `SA_FSAA_Trustees`.
+
+---
+
+### SA_FSAA_GetTrusteeInformation {#sa_fsaa_gettrusteeinformation}
+
+**Signature:** `(@serverID INT, @trusteeID INT) RETURNS TABLE (NTDomain, NTName, DisplayName, SID, TrusteeType, IsHistoricalSID, PrincipalId)`
+
+**Type:** Inline table-valued function
+
+**Description:** Wrapper around `SA_FSAA_GetTrusteeInformationEx` that pulls the SID and `TrusteeType` from `SA_FSAA_Trustees` first.
+
+---
+
+### SA_FSAA_GetResourcePermissions {#sa_fsaa_getresourcepermissions}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT) RETURNS TABLE (AllowRights, DenyRights, AllowMask, DenyMask, TrusteeID, NTDomain, NTName, DisplayName, SID, TrusteeType)`
+
+**Type:** Inline table-valued function
+
+**Description:** Joins `Resources → Rights → LocalTrustees` and returns the ACL of the resource as a flat table (one row per ACE).
+
+---
+
+### SA_FSAA_GetGatePermissions {#sa_fsaa_getgatepermissions}
+
+**Signature:** `(@serverID INT, @gateID INT) RETURNS TABLE (AllowRights, DenyRights, TrusteeID, NTDomain, NTName, DisplayName, SID, TrusteeType)`
+
+**Type:** Inline table-valued function
+
+**Description:** Returns the share-level permissions for a gate. Computes the synthetic Allow/Deny bits by `b.Allow * -63` (turn the boolean into the full 6-bit `LRWDMA` mask).
+
+---
+
+### SA_FSAA_GetExpandedPermissions {#sa_fsaa_getexpandedpermissions}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT, @ispolicy BIT, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @expandedRights TABLE (AllowRights, DenyRights, ...trustee columns...)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Takes a resource's ACL and recursively expands every group ACE into per-leaf-trustee entries via `SA_FSAA_GetTrusteeMembership`. Used by `SA_FSAA_ExpandedPermissionsView`.
+
+---
+
+### SA_FSAA_GetExpandedPermissionsEx {#sa_fsaa_getexpandedpermissionsex}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT, @ispolicy INT, @trusteeFilter SA_CORE_TrusteeInformationTable READONLY, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @expandedRights TABLE (...)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Same as `SA_FSAA_GetExpandedPermissions` but pre-filtered to only the trustees in `@trusteeFilter` (significantly faster when caller cares about a specific user).
+
+---
+
+### SA_FSAA_GetPolicyMembership {#sa_fsaa_getpolicymembership}
+
+**Signature:** `(@serverID INT, @policyID INT, @groupPath SA_CORE_GroupMemberPathTable READONLY, @directlyApplied INT = 0, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveMembers TABLE (...)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Resolves the trustees of a local-policy gate (for example, *Logon Interactively*). Reads `SA_FSAA_Policies` and recursively expands each policy member.
+
+---
+
+### SA_FSAA_GetLocalGroupMembership {#sa_fsaa_getlocalgroupmembership}
+
+**Signature:** `(@serverID INT, @objectSID VARCHAR(184), @groupPath SA_CORE_GroupMemberPathTable READONLY, @directlyApplied INT = 0, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveMembers TABLE (NTDomain, NTName, DisplayName, ObjectSID, TrusteeType, IsDirect BIT NOT NULL)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Walks `SA_FSAA_TrusteeEquivalence` for the given local group and recursively expands each equivalent trustee. Unlike the sibling membership UDFs, the return-table includes an extra `IsDirect BIT` column flagging directly-applied vs. transitively-resolved members.
+
+---
+
+### SA_FSAA_GetEffectiveRights {#sa_fsaa_geteffectiverights}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT, @gateID INT, @directlyApplied INT, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveRights TABLE (AllowRights, DenyRights, ...trustee columns..., DirectTrustee BIT)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Computes the *effective* allow/deny bits for every leaf trustee that can reach the resource through the gate. This is the heaviest UDF in the schema — it composes share permissions, NTFS permissions, group membership expansion, and domain inventory data. Used by `SA_FSAA_EffectiveAccessView`.
+
+---
+
+### SA_FSAA_GetEffectiveRightsEx {#sa_fsaa_geteffectiverightsex}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT, @gateID INT, @trusteeFilter SA_CORE_TrusteeInformationTable READONLY, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveRights TABLE (...)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Same as `SA_FSAA_GetEffectiveRights` but filtered to a specific set of trustees.
+
+---
+
+### SA_FSAA_GetTrusteePermissionSource {#sa_fsaa_gettrusteepermissionsource}
+
+**Signature:** `(@serverID INT, @resourceID BIGINT, @gateID INT, @trusteeSID VARCHAR(184)) RETURNS @permissionSource TABLE (HOST VARCHAR(64) NOT NULL, AllowRights, DenyRights, AllowRightsDescription, ...)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Given a resource, gate, and trustee SID, returns the *source* ACEs that contribute to that trustee's effective rights — useful for "who granted this user access?" diagnostic UI.
+
+---
+
+### SA_FSAA_LookupResourcePath {#sa_fsaa_lookupresourcepath}
+
+**Signature:** `(@serverID INT, @path NVARCHAR(1024)) RETURNS BIGINT`
+
+**Type:** Scalar function
+
+**Description:** Resolves a backslash-delimited path string against the resource tree for a host and returns the matching `SA_FSAA_Resources.ID`, or NULL if no match.
+
+---
+
+### SA_FSAA_LookupUncPath {#sa_fsaa_lookupuncpath}
+
+**Signature:** `(@path NVARCHAR(1024)) RETURNS @results TABLE (HostID INT NOT NULL, HostName NVARCHAR(256) NOT NULL, GateID INT NOT NULL, ResourceID BIGINT NULL, ShareName NVARCHAR(256) NOT NULL, FolderPath NVARCHAR(1024) NOT NULL)`
+
+**Type:** Multi-statement table-valued function
+
+**Description:** Parses a UNC path (`\\server\share\path`) and returns the matching host, gate, and resource, plus the parsed `ShareName` and the folder path beneath the share. Used to map paths captured in DLP / Activity tables back into the FSAA structural keyspace.
+
+---
+
+### SA_FSAA_UpdateStatistics {#sa_fsaa_updatestatistics}
+
+**Signature:** `()`
+
+**Type:** Stored procedure (no parameters)
+
+**Description:** Runs `UPDATE STATISTICS` on the FSAA tables. Invoked by the structural-import job after a bulk import to keep the SQL Server query optimizer's row-count estimates current. Long-running on large data sets.
+ +--- + +## Activity Collector Functions (SA_FSAC_*) {#activity-collector-functions-sa_fsac_} + +### SA_FSAC_GetActiveFolderPermissions {#sa_fsac_getactivefolderpermissions} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @activityDays INT) RETURNS @results TABLE (AllowRights, ActiveRights, AllowRightsDescription, ActiveRightsDescription, TrusteeID, NTDomain, NTName, DisplayName, ObjectSID, TrusteeType)` + +**Type:** Multi-statement table-valued function + +**Description:** For a given resource and a recent activity window (`@activityDays`), returns each trustee's `AllowRights` (statically granted) alongside `ActiveRights` (the subset of those rights the trustee has actually exercised). The "active" mask is computed by walking the resource's subtree of recent daily activity through `SA_FSAC_GetFolderActivityMask`, then ANDing it with the granted rights — so it shows what each user is *using*, not just what they *can* use. Drives the *Least Privileged Access* report. + +--- + +### SA_FSAC_GetFolderActivityMask {#sa_fsac_getfolderactivitymask} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @activityDays INT) RETURNS @results TABLE (ActiveRights, ActiveRightsDescription, TrusteeID, NTDomain, NTName, DisplayName, ObjectSID, TrusteeType)` + +**Type:** Multi-statement table-valued function + +**Description:** Translates a user's recent activity (within `@activityDays` days) on a folder subtree into the equivalent rights bitmask. Each operation type maps to a specific right (Read → R, Add/Update/Rename → W, Delete → D, PermissionChange → M); any activity at all also implies List (L). Returns one row per user with the consolidated `ActiveRights` mask and identity columns from `SA_FSAA_GetTrusteeInformation`. 
+ +--- + +## DFS Functions (SA_FSDFS_*) {#dfs-functions-sa_fsdfs_} + +### SA_FSDFS_LookupDfsPath {#sa_fsdfs_lookupdfsepath} + +**Signature:** `(@path NVARCHAR(1024)) RETURNS @values TABLE (TargetHostID INT NULL, TargetGateID INT NULL, TargetResourceID BIGINT NULL, TargetFolderPath NVARCHAR(1024) NOT NULL)` + +**Type:** Multi-statement table-valued function + +**Description:** Resolves a DFS-style path (for example, `\\contoso.com\public\sales\reports`) by walking `SA_FSDFS_Links` to find the matching link and returning the underlying physical target — the host, gate, resource, and remaining sub-folder path beneath the link. Used to translate DFS-relative report rows back into FSAA structural identifiers. diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json new file mode 100644 index 0000000000..4e9158bae9 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Index Reference", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md new file mode 100644 index 0000000000..50b81af771 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md 
@@ -0,0 +1,62 @@ +# Index Reference + +## Complete Index Listing + +| Table | Index Name | Type | Unique | Columns | +|---|---|---|---|---| +| SA_FSAA_Hosts | PK_SA_FSAA_Hosts | CLUSTERED | Yes | ID | +| SA_FSAA_Hosts | UQ_SA_FSAA_Hosts_HOST | UNIQUE | Yes | HOST | +| SA_FSAA_ImportHistory | PK_SA_FSAA_ImportHistory | CLUSTERED | Yes | HOST, ImportTime | +| SA_FSAA_Trustees | PK_SA_FSAA_Trustees | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_LocalTrustees | PK_SA_FSAA_LocalTrustees | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_TrusteeEquivalence | PK_SA_FSAA_TrusteeEquivalence | CLUSTERED | Yes | HOST, TrusteeID, EquivalentTrusteeID | +| SA_FSAA_TrusteeEquivalence | SA_FSAA_TrusteeEquivalence_Group_IDX | NONCLUSTERED | No | HOST, EquivalentTrusteeID, TrusteeID (INCLUDE) | +| SA_FSAA_Rights | PK_SA_FSAA_Rights | CLUSTERED | Yes | HOST, RightsProxyID, TrusteeID | +| SA_FSAA_Tags | PK_SA_FSAA_Tags | CLUSTERED | Yes | HOST, TagID | +| SA_FSAA_TagKeys | PK_SA_FSAA_TagKeys | CLUSTERED | Yes | HOST, TagProxyID | +| SA_FSAA_TagProxies | PK_SA_FSAA_TagProxies | CLUSTERED | Yes | HOST, TagProxyID, TagID | +| SA_FSAA_Resources | PK_SA_FSAA_Resources | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_Resources | SA_FSAA_Resources_Enum_IDX | NONCLUSTERED | No | HOST, ParentResourceID, ID, ResourceType, DeletedUSN (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_RightsProxyID_IDX | NONCLUSTERED | No | HOST, RightsProxyID, ID, GatesProxyID, DeletedUSN, ResourceType (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_GatesProxyID_IDX | NONCLUSTERED | No | HOST, GatesProxyID, ID (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_USN_IDX | NONCLUSTERED | No | HOST, USN, ID (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_ParentResourceID_Name_IDX | NONCLUSTERED | No | HOST, ParentResourceID, Name | +| SA_FSAA_UnixRights | PK_SA_FSAA_UnixRights | CLUSTERED | Yes | HOST, ResourceID | +| SA_FSAA_Gates | PK_SA_FSAA_Gates | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_GatesProxy | 
PK_SA_FSAA_GatesProxy | CLUSTERED | Yes | HOST, ID, GateID | +| SA_FSAA_GatesProxy | SA_FSAA_GatesProxy_GateID_IDX | NONCLUSTERED | No | HOST, GateID, ID (INCLUDE) | +| SA_FSAA_Policies | PK_SA_FSAA_Policies | CLUSTERED | Yes | HOST, PolicyID, TrusteeID | +| SA_FSAA_Exceptions | PK_SA_FSAA_Exceptions | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_Exceptions | SA_FSAA_Exceptions_Resource_IDX | NONCLUSTERED | No | HOST, ResourceID, ExceptionType, GateID (INCLUDE) | +| SA_FSAA_ExceptionTypes | PK_SA_FSAA_ExceptionTypes | CLUSTERED | Yes | HOST, ExceptionType | +| SA_FSAA_ProbableOwners | PK_SA_FSAA_ProbableOwners | CLUSTERED | Yes | HOST, ResourceID, OwnerID | +| SA_FSAA_FileSizes | PK_SA_FSAA_FileSizes | CLUSTERED | Yes | HOST, ResourceID | +| SA_FSAA_FileTypes | PK_SA_FSAA_FileTypes | CLUSTERED | Yes | HOST, ResourceID, Extension | +| SA_FSAA_FileAges | PK_SA_FSAA_FileAges | CLUSTERED | Yes | HOST, ResourceID | +| SA_FSAA_FileTags | PK_SA_FSAA_FileTags | CLUSTERED | Yes | HOST, ResourceID, TagProxyID | +| SA_FSAC_ProcessNames | PK_SA_FSAC_ProcessNames | CLUSTERED | Yes | HOST, ID | +| SA_FSAC_ActivityEvents | PK_SA_FSAC_ActivityEvents | CLUSTERED | Yes | HOST, ID | +| SA_FSAC_ActivityEvents | SA_FSAC_ActivityEvents_PathID_IDX | NONCLUSTERED | No | HOST, PathID, ID, AccessTime, TrusteeID, Operation, Allow (INCLUDE) | +| SA_FSAC_ActivityEvents | SA_FSAC_ActivityEvents_TrusteeID_IDX | NONCLUSTERED | No | TrusteeID, AccessTime, PathID, ProcessID, Operation, Allow (INCLUDE) | +| SA_FSAC_PermissionChanges | PK_SA_FSAC_PermissionChanges | CLUSTERED | Yes | HOST, ActivityID, ChangeID | +| SA_FSAC_OwnerChanges | PK_SA_FSAC_OwnerChanges | CLUSTERED | Yes | HOST, ActivityID | +| SA_FSAC_RenameTargets | PK_SA_FSAC_RenameTargets | CLUSTERED | Yes | HOST, ActivityID | +| SA_FSAC_DailyActivity | PK_SA_FSAC_DailyActivity | CLUSTERED | Yes | HOST, FolderID, ActivityDate, TrusteeID, Operation, Allow | +| SA_FSAC_ExceptionTypes | PK_SA_FSAC_ExceptionTypes | CLUSTERED | Yes | HOST, 
ExceptionType | +| SA_FSAC_Exceptions | PK_SA_FSAC_Exceptions | CLUSTERED | Yes | HOST, ID | +| SA_FSAC_Exceptions | SA_FSAC_Exceptions_ResourceID_IDX | NONCLUSTERED | No | HOST, ResourceID, GateID (INCLUDE) | +| SA_FSAC_UserExceptionTypes | PK_SA_FSAC_UserExceptionTypes | CLUSTERED | Yes | SID, ExceptionType | +| SA_FSAC_UserExceptions | PK_SA_FSAC_UserExceptions | CLUSTERED | Yes | ID | +| SA_FSDLP_ImportHistory | PK_SA_FSDLP_ImportHistory | CLUSTERED | Yes | HOST, USN | +| SA_FSDLP_Criteria | PK_SA_FSDLP_Criteria | CLUSTERED | Yes | HOST, ID | +| SA_FSDLP_Matches | PK_SA_FSDLP_Matches | CLUSTERED | Yes | HOST, FileId, CriteriaId | +| SA_FSDLP_MatchHits | PK_SA_FSDLP_MatchHits | CLUSTERED | Yes | HOST, FileId, CriteriaId, ID | +| SA_FSDLP_MatchHits_SubjectProfile | PK_SA_FSDLP_MatchHits_SubjectProfile | CLUSTERED | Yes | HOST, FileId, CriteriaId, ID | +| SA_FSDLP_MatchHits_SubjectProfile | SA_FSDLP_MatchHits_SubjectProfile_Source_IDX | NONCLUSTERED | No | SourceId | +| SA_FSDLP_MatchHits_SubjectProfile | SA_FSDLP_MatchHits_SubjectProfile_Identity_IDX | NONCLUSTERED | No | IdentityId | +| SA_FSDFS_Namespaces | PK_SA_FSDFS_Namespaces | CLUSTERED | Yes | ID | +| SA_FSDFS_Links | PK_SA_FSDFS_Links | CLUSTERED | Yes | HOST, ID | +| SA_FSDFS_Links | UQ_FSDFS_Links_DfsPath | UNIQUE | Yes | DfsPath, NamespaceID | +| SA_FSDFS_Links | SA_FSDFS_Links_GateID_IDX | NONCLUSTERED | No | TargetHostID, TargetGateID | + +`SA_FSAA_SchemaVer` and `SA_FSAA_ScanHistory` carry no indexes. diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md new file mode 100644 index 0000000000..686880a91b --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md 
@@ -0,0 +1,158 @@ +# File System Access Data Collector Schema + +## Overview + +This is a comprehensive schema documentation for the **NAA 11.6 File System Access Data Collector (FSAA)**. The FSAA data collector audits Windows and NFS file systems for permissions, ownership, content, activity, and sensitive-data classification. FSAA scans Windows servers, NetApp / EMC / Dell filers, and Linux/Unix hosts; normalizes the security model into a unified per-host identity space; and writes the results to the central database. + +This documentation covers four collector modules that share one schema: + +- **`SA_FSAA_`** — File System Access Analyzer: file / folder / share inventory, NTFS and share permissions, file-content statistics (sizing, types, ages), ownership, and tags. +- **`SA_FSAC_`** — File System Activity Collector: file-system audit events (read / add / update / delete / permission-change / rename), aggregated daily activity, permission-change details, and exception detection. +- **`SA_FSDLP_`** — Sensitive Data / Data Loss Prevention: detected matches against DLP criteria, with per-match excerpts and subject-profile linkage. +- **`SA_FSDFS_`** — DFS Namespace mapping: DFS namespaces and links, plus the mapping from DFS paths to the underlying physical shares. + +### Data model overview + +Every core data table is **partitioned by host**: each table has a `HOST INT` column that is a foreign key to `SA_FSAA_Hosts.ID` with `ON DELETE CASCADE`. Removing a host from `SA_FSAA_Hosts` therefore atomically purges every collected row for that host across all four modules (FSAA, FSAC, FSDLP, DFS). + +Within a host, the canonical secondary keys are: + +- **Resources** — folders / files / shares — keyed by `bigint ID` (table `SA_FSAA_Resources`). +- **Trustees** — security principals seen in ACLs — keyed by `int ID` (table `SA_FSAA_Trustees`). +- **Gates** — entry points such as SMB shares and NFS exports — keyed by `int ID` (table `SA_FSAA_Gates`). 
+- **RightsProxyID** — a shared dedup key on `SA_FSAA_Rights` so that many resources sharing identical ACLs all reference one set of permission rows. +- **GatesProxyID** — analogous dedup pointer from a resource to the gates that grant access to it. +- **TagProxyID** — analogous dedup pointer from a resource to its set of file tags. + +### Cross-module integration + +`SA_FSAA_Resources` carries `AccessID`, `ActivityID`, and `DLPID` columns that link a resource into its corresponding rows in the Activity (FSAC) and DLP (FSDLP) tables. Reports that combine permissions, activity, and sensitive-data findings — for example the *Open Access* and *Least Privileged Access* reports — join across those columns. + +--- + +### [Table Relationship Diagrams (ERD)](erd/overview.md) + - [Top-level partitioning](erd/overview.md#top-level-partitioning) + - [Trustees](erd/overview.md#trustees) + - [Resources & content aggregations](erd/overview.md#resources--content-aggregations) + - [Gates and permissions](erd/overview.md#gates-and-permissions) + - [Tags](erd/overview.md#tags) + - [Exceptions](erd/overview.md#exceptions) + - [Activity collection](erd/overview.md#activity-collection) + - [Sensitive data](erd/overview.md#sensitive-data) + - [DFS namespaces](erd/overview.md#dfs-namespaces) + +### [Core Data Collection Tables](coretables/overview.md) +#### [FSAA Tables](coretables/overview.md#fsaa-tables) + - [SA_FSAA_SchemaVer](coretables/overview.md#sa_fsaa_schemaver) + - [SA_FSAA_Hosts](coretables/overview.md#sa_fsaa_hosts) + - [SA_FSAA_ImportHistory](coretables/overview.md#sa_fsaa_importhistory) + - [SA_FSAA_Trustees](coretables/overview.md#sa_fsaa_trustees) + - [SA_FSAA_LocalTrustees](coretables/overview.md#sa_fsaa_localtrustees) + - [SA_FSAA_TrusteeEquivalence](coretables/overview.md#sa_fsaa_trusteeequivalence) + - [SA_FSAA_Rights](coretables/overview.md#sa_fsaa_rights) + - [SA_FSAA_Tags](coretables/overview.md#sa_fsaa_tags) + - 
[SA_FSAA_TagKeys](coretables/overview.md#sa_fsaa_tagkeys) + - [SA_FSAA_TagProxies](coretables/overview.md#sa_fsaa_tagproxies) + - [SA_FSAA_Resources](coretables/overview.md#sa_fsaa_resources) + - [SA_FSAA_UnixRights](coretables/overview.md#sa_fsaa_unixrights) + - [SA_FSAA_Gates](coretables/overview.md#sa_fsaa_gates) + - [SA_FSAA_GatesProxy](coretables/overview.md#sa_fsaa_gatesproxy) + - [SA_FSAA_Policies](coretables/overview.md#sa_fsaa_policies) + - [SA_FSAA_Exceptions](coretables/overview.md#sa_fsaa_exceptions) + - [SA_FSAA_ExceptionTypes](coretables/overview.md#sa_fsaa_exceptiontypes) + - [SA_FSAA_ProbableOwners](coretables/overview.md#sa_fsaa_probableowners) + - [SA_FSAA_FileSizes](coretables/overview.md#sa_fsaa_filesizes) + - [SA_FSAA_FileTypes](coretables/overview.md#sa_fsaa_filetypes) + - [SA_FSAA_FileAges](coretables/overview.md#sa_fsaa_fileages) + - [SA_FSAA_FileTags](coretables/overview.md#sa_fsaa_filetags) + - [SA_FSAA_ScanHistory](coretables/overview.md#sa_fsaa_scanhistory) + +#### [Activity Collector Tables (SA_FSAC_*)](coretables/overview.md#activity-collector-tables-sa_fsac_) + - [SA_FSAC_ProcessNames](coretables/overview.md#sa_fsac_processnames) + - [SA_FSAC_ActivityEvents](coretables/overview.md#sa_fsac_activityevents) + - [SA_FSAC_PermissionChanges](coretables/overview.md#sa_fsac_permissionchanges) + - [SA_FSAC_OwnerChanges](coretables/overview.md#sa_fsac_ownerchanges) + - [SA_FSAC_DailyActivity](coretables/overview.md#sa_fsac_dailyactivity) + - [SA_FSAC_RenameTargets](coretables/overview.md#sa_fsac_renametargets) + - [SA_FSAC_ExceptionTypes](coretables/overview.md#sa_fsac_exceptiontypes) + - [SA_FSAC_Exceptions](coretables/overview.md#sa_fsac_exceptions) + - [SA_FSAC_UserExceptionTypes](coretables/overview.md#sa_fsac_userexceptiontypes) + - [SA_FSAC_UserExceptions](coretables/overview.md#sa_fsac_userexceptions) + +#### [Sensitive Data Tables (SA_FSDLP_*)](coretables/overview.md#sensitive-data-tables-sa_fsdlp_) + - 
[SA_FSDLP_ImportHistory](coretables/overview.md#sa_fsdlp_importhistory) + - [SA_FSDLP_Criteria](coretables/overview.md#sa_fsdlp_criteria) + - [SA_FSDLP_Matches](coretables/overview.md#sa_fsdlp_matches) + - [SA_FSDLP_MatchHits](coretables/overview.md#sa_fsdlp_matchhits) + - [SA_FSDLP_MatchHits_SubjectProfile](coretables/overview.md#sa_fsdlp_matchhits_subjectprofile) + +#### [DFS Namespace Tables (SA_FSDFS_*)](coretables/overview.md#dfs-namespace-tables-sa_fsdfs_) + - [SA_FSDFS_Namespaces](coretables/overview.md#sa_fsdfs_namespaces) + - [SA_FSDFS_Links](coretables/overview.md#sa_fsdfs_links) + +### [Views](views/overview.md) +#### [FSAA Views](views/overview.md#fsaa-views) + - [SA_FSAA_Paths](views/overview.md#sa_fsaa_paths) + - [SA_FSAA_ResourcesView](views/overview.md#sa_fsaa_resourcesview) + - [SA_FSAA_PermissionsView](views/overview.md#sa_fsaa_permissionsview) + - [SA_FSAA_ExpandedPermissionsView](views/overview.md#sa_fsaa_expandedpermissionsview) + - [SA_FSAA_DirectPermissionsView](views/overview.md#sa_fsaa_directpermissionsview) + - [SA_FSAA_InheritedPermissionsView](views/overview.md#sa_fsaa_inheritedpermissionsview) + - [SA_FSAA_SharesTraversalView](views/overview.md#sa_fsaa_sharestraversalview) + - [SA_FSAA_EffectiveAccessView](views/overview.md#sa_fsaa_effectiveaccessview) + - [SA_FSAA_LocalGroupMembersView](views/overview.md#sa_fsaa_localgroupmembersview) + - [SA_FSAA_ExceptionsView](views/overview.md#sa_fsaa_exceptionsview) + +#### [Activity Views (SA_FSAC_*)](views/overview.md#activity-views-sa_fsac_) + - [SA_FSAC_DailyActivityView](views/overview.md#sa_fsac_dailyactivityview) + - [SA_FSAC_DailyUserActivityView](views/overview.md#sa_fsac_dailyuseractivityview) + - [SA_FSAC_DailyResourceActivityView](views/overview.md#sa_fsac_dailyresourceactivityview) + - [SA_FSAC_ActivityEventsView](views/overview.md#sa_fsac_activityeventsview) + - [SA_FSAC_ExceptionsView](views/overview.md#sa_fsac_exceptionsview) + - 
[SA_FSAC_UserExceptionsView](views/overview.md#sa_fsac_userexceptionsview) + - [SA_FSAC_PermissionChangesView](views/overview.md#sa_fsac_permissionchangesview) + +#### [Sensitive Data Views (SA_FSDLP_*)](views/overview.md#sensitive-data-views-sa_fsdlp_) + - [SA_FSDLP_MatchesView](views/overview.md#sa_fsdlp_matchesview) + - [SA_FSDLP_MatchHitsView](views/overview.md#sa_fsdlp_matchhitsview) + +### [Enumeration & Lookup Values Reference](enumeration/overview.md) + - [TrusteeType](enumeration/overview.md#trusteetype) + - [ResourceType](enumeration/overview.md#resourcetype) + - [GateType](enumeration/overview.md#gatetype) + - [Rights Bitmask](enumeration/overview.md#rights-bitmask) + +### [Functions & Stored Procedures](functions/overview.md) +#### [FSAA Functions](functions/overview.md#fsaa-functions) + - [SA_FSAA_GetPath](functions/overview.md#sa_fsaa_getpath) + - [SA_FSAA_GetTrusteeMembership](functions/overview.md#sa_fsaa_gettrusteemembership) + - [SA_FSAA_IsTrusteeMember](functions/overview.md#sa_fsaa_istrusteemember) + - [SA_FSAA_RecurseFolders](functions/overview.md#sa_fsaa_recursefolders) + - [SA_FSAA_WalkTrusteePath](functions/overview.md#sa_fsaa_walktrusteepath) + - [SA_FSAA_GetTrusteeInformationEx](functions/overview.md#sa_fsaa_gettrusteeinformationex) + - [SA_FSAA_GetTrusteeInformation](functions/overview.md#sa_fsaa_gettrusteeinformation) + - [SA_FSAA_GetResourcePermissions](functions/overview.md#sa_fsaa_getresourcepermissions) + - [SA_FSAA_GetGatePermissions](functions/overview.md#sa_fsaa_getgatepermissions) + - [SA_FSAA_GetExpandedPermissions](functions/overview.md#sa_fsaa_getexpandedpermissions) + - [SA_FSAA_GetExpandedPermissionsEx](functions/overview.md#sa_fsaa_getexpandedpermissionsex) + - [SA_FSAA_GetPolicyMembership](functions/overview.md#sa_fsaa_getpolicymembership) + - [SA_FSAA_GetLocalGroupMembership](functions/overview.md#sa_fsaa_getlocalgroupmembership) + - [SA_FSAA_GetEffectiveRights](functions/overview.md#sa_fsaa_geteffectiverights) + - 
[SA_FSAA_GetEffectiveRightsEx](functions/overview.md#sa_fsaa_geteffectiverightsex) + - [SA_FSAA_GetTrusteePermissionSource](functions/overview.md#sa_fsaa_gettrusteepermissionsource) + - [SA_FSAA_LookupResourcePath](functions/overview.md#sa_fsaa_lookupresourcepath) + - [SA_FSAA_LookupUncPath](functions/overview.md#sa_fsaa_lookupuncpath) + - [SA_FSAA_UpdateStatistics](functions/overview.md#sa_fsaa_updatestatistics) + +#### [Activity Collector Functions (SA_FSAC_*)](functions/overview.md#activity-collector-functions-sa_fsac_) + - [SA_FSAC_GetActiveFolderPermissions](functions/overview.md#sa_fsac_getactivefolderpermissions) + - [SA_FSAC_GetFolderActivityMask](functions/overview.md#sa_fsac_getfolderactivitymask) + +#### [DFS Functions (SA_FSDFS_*)](functions/overview.md#dfs-functions-sa_fsdfs_) + - [SA_FSDFS_LookupDfsPath](functions/overview.md#sa_fsdfs_lookupdfsepath) + +### [Index Reference](indexreference/overview.md) + - [Complete Index Listing](indexreference/overview.md#complete-index-listing) + +### [Foreign Key Reference](fkreference/overview.md) + - [Complete Foreign Key Listing](fkreference/overview.md#complete-foreign-key-listing) diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json new file mode 100644 index 0000000000..2c72e59702 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Views", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md new file mode 100644 index 0000000000..63efdbc8f3 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md 
@@ -0,0 +1,637 @@ +# Views + +FSAA, FSAC, and FSDLP views provide pre-joined, human-readable projections of the underlying tables. Reports and the FSAA web UI consume these views rather than the raw tables. + +:::note +For views, column sizes are derived from the underlying source columns and the SQL `CASE` expressions in the view definitions; on a populated database the actual `sys.columns.max_length` may differ slightly. Use `EXEC sp_help ''` to inspect a view's exact runtime shape. +::: + +--- + +## FSAA Views + +### SA_FSAA_Paths {#sa_fsaa_paths} + +**Description:** Per-resource path projection. This is a real `CREATE VIEW` that wraps the `SA_FSAA_GetPath` UDF — every read recomputes the path by walking the parent chain in `SA_FSAA_Resources`. (The create-schema script issues a defensive `DROP TABLE` first to clean up any legacy table-form from older builds.) + +**Source:** `SA_FSAA_Resources` (parent-chain walk performed by `SA_FSAA_GetPath` UDF). + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HOST | int | | No | SA_FSAA_Resources.HOST | Host partition | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | Resource | +| Path | nvarchar | 4000 | Yes | Computed (recursive concat of `SA_FSAA_Resources.Name` up the parent chain) | Full path string | + +--- + +### SA_FSAA_ResourcesView {#sa_fsaa_resourcesview} + +**Description:** Surface view of `SA_FSAA_Resources` enriched with computed full path, resource-type description, and three boolean flags (`PermissionChange`, `InheritedPermission`, `DirectPermission`). + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`. + +**Logic:** Outer-joins `SA_FSAA_Resources` with `SA_FSAA_Hosts`. The three permission booleans are computed via correlated `EXISTS` against `SA_FSAA_Rights`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | Host ID | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | Host name | +| ID | bigint | | No | SA_FSAA_Resources.ID | Resource ID | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | Parent resource | +| Name | nvarchar | 2000 | No | SA_FSAA_Resources.Name | Leaf name | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full path | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Share`, `Folder`, or `File` | +| OwnerID | int | | Yes | SA_FSAA_Resources.OwnerID | | +| RightsProxyID | int | | Yes | SA_FSAA_Resources.RightsProxyID | | +| GatesProxyID | bigint | | Yes | SA_FSAA_Resources.GatesProxyID | | +| NestedLevel | int | | No | SA_FSAA_Resources.NestedLevel | | +| Size | bigint | | Yes | SA_FSAA_Resources.Size | | +| LastModified | datetime | | Yes | SA_FSAA_Resources.LastModified | | +| LastAccessed | datetime | | Yes | SA_FSAA_Resources.LastAccessed | | +| Created | datetime | | Yes | SA_FSAA_Resources.Created | | +| USN | int | | No | SA_FSAA_Resources.USN | | +| DeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| PermissionChange | bit | | No | Computed (CASE / EXISTS) | True if ACL differs from parent | +| InheritedPermission | bit | | No | Computed (CASE / EXISTS) | True if any inherited rights exist | +| DirectPermission | bit | | No | Computed (CASE / EXISTS) | True if any direct rights exist | + +--- + +### SA_FSAA_PermissionsView {#sa_fsaa_permissionsview} + +**Description:** Resource × ACE flat view with effective allow/deny rights expanded into 12 boolean columns plus textual `Allow/DenyRightsDescription` (for example, `LRWDMA`) and a `RightsSource` column (`Direct` / `Inherited` / `Both` / `None`). 
+ +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Filter:** `r.RightsProxyID IS NOT NULL` (rows that have an ACL). + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | Host partition | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | Host name | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | Resource | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | Parent resource | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | NULL if not deleted | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full resource path | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Share` / `Folder` / `File` | +| AllowRights | smallint | | Yes | SA_FSAA_Rights.AllowRights | Combined bitmask | +| DenyRights | smallint | | Yes | SA_FSAA_Rights.DenyRights | Combined bitmask | +| AllowList | bit | | Yes | Computed (`AllowRights & 32`) | Has list right | +| AllowRead | bit | | Yes | Computed (`AllowRights & 1`) | Has read right | +| AllowWrite | bit | | Yes | Computed (`AllowRights & 2`) | Has write right | +| AllowDelete | bit | | Yes | Computed (`AllowRights & 4`) | Has delete right | +| AllowManage | bit | | Yes | Computed (`AllowRights & 8`) | Has manage right | +| AllowAdmin | bit | | Yes | Computed (`AllowRights & 16`) | Has admin right | +| DenyList | bit | | Yes | Computed (`DenyRights & 32`) | Deny list right | +| DenyRead | bit | | Yes | Computed (`DenyRights & 1`) | Deny read right | +| DenyWrite | bit | | Yes | Computed (`DenyRights & 2`) | Deny write right | +| DenyDelete | bit | | Yes | Computed (`DenyRights & 4`) | Deny delete right | +| DenyManage | bit | | Yes | Computed 
(`DenyRights & 8`) | Deny manage right | +| DenyAdmin | bit | | Yes | Computed (`DenyRights & 16`) | Deny admin right | +| AllowRightsDescription | varchar | 6 | Yes | Computed (concat letters L/R/W/D/M/A) | For example, `LRW` | +| DenyRightsDescription | varchar | 6 | Yes | Computed (concat letters L/R/W/D/M/A) | For example, `D` | +| RightsSource | varchar | 9 | Yes | Computed (CASE on Direct/Inherited columns) | `Both` / `Inherited` / `Direct` / `None` | +| AllowMask | int | | Yes | SA_FSAA_Rights.AllowMask | Full Windows access mask | +| DenyMask | int | | Yes | SA_FSAA_Rights.DenyMask | Full Windows deny mask | +| AllowMaskDescription | varchar | 32 | Yes | Computed (CASE) | `Full Control` / `Modify` / `Read & Execute` / etc. | +| DenyMaskDescription | varchar | 32 | Yes | Computed (CASE) | Same vocabulary as `AllowMaskDescription` | +| TrusteeID | int | | Yes | SA_FSAA_Rights.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | UDF column (TrusteeType) | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeIsHistoricalSID | bit | | Yes | UDF column | True if SID came from SID History | +| TrusteePrincipalID | int | | Yes | UDF column | AD-Inventory principal ID | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | For example, `Domain User` | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | NT domain | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | SAM account name | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | Concatenated NT-style name | + +--- + +### SA_FSAA_ExpandedPermissionsView {#sa_fsaa_expandedpermissionsview} + +**Description:** Resource × *expanded* effective trustee — group memberships are recursively expanded and the view returns one row per `(resource, leaf trustee)` instead of one per `(resource, ACE)`. 
Uses `CROSS APPLY dbo.SA_FSAA_GetExpandedPermissions(r.HOST, r.ID, 0, DEFAULT)` to do the expansion. + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetExpandedPermissions`. + +**Filter:** `r.RightsProxyID IS NOT NULL`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | Host partition | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | Host name | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | Resource | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | Parent resource | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full path | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Share` / `Folder` / `File` | +| AllowRights | smallint | | No | UDF column | Effective allow bitmask after group expansion | +| DenyRights | smallint | | No | UDF column | Effective deny bitmask | +| AllowList ... AllowAdmin | bit | | Yes | Computed (`AllowRights & N`) | Six boolean columns (bits 32, 1, 2, 4, 8, 16) | +| DenyList ... 
DenyAdmin | bit | | Yes | Computed (`DenyRights & N`) | Six boolean columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | Letter form `LRWDMA` | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| TrusteeSID | varchar | 184 | Yes | UDF column | Leaf-trustee SID | +| TrusteeType | smallint | | Yes | UDF column | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | + +--- + +### SA_FSAA_DirectPermissionsView {#sa_fsaa_directpermissionsview} + +**Description:** Same shape as `SA_FSAA_PermissionsView` but filtered to direct (non-inherited) ACEs only. Uses `p.DirectAllowRights` / `p.DirectDenyRights` / `p.DirectAllowMask` / `p.DirectDenyMask` instead of the combined columns; the column names in the output are still `AllowRights`, `DenyRights`, `AllowMask`, `DenyMask`. + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Filter:** `r.RightsProxyID IS NOT NULL AND ((p.DirectAllowRights <> 0) OR (p.DirectDenyRights <> 0) OR (p.DirectAllowMask <> 0) OR (p.DirectDenyMask <> 0))`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath / fallback `r.Name` | | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | +| AllowRights | smallint | | Yes | SA_FSAA_Rights.DirectAllowRights | | +| DenyRights | smallint | | Yes | SA_FSAA_Rights.DirectDenyRights | | +| AllowList ... AllowAdmin | bit | | Yes | Computed | Six bit columns | +| DenyList ... DenyAdmin | bit | | Yes | Computed | Six bit columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | `LRWDMA`-style | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| AllowMask | int | | Yes | SA_FSAA_Rights.DirectAllowMask | | +| DenyMask | int | | Yes | SA_FSAA_Rights.DirectDenyMask | | +| AllowMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| DenyMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| TrusteeID | int | | Yes | SA_FSAA_Rights.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | UDF column | | +| TrusteeIsHistoricalSID | bit | | Yes | UDF column | | +| TrusteePrincipalID | int | | Yes | UDF column | | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAA_InheritedPermissionsView {#sa_fsaa_inheritedpermissionsview} + 
+**Description:** Same shape as `SA_FSAA_DirectPermissionsView` but reads from the `Inherited*` rights/mask columns. The output column names (`AllowRights`, `DenyRights`, `AllowMask`, `DenyMask`) are identical to `SA_FSAA_DirectPermissionsView`; only the underlying `SA_FSAA_Rights` source columns change. + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Filter:** `r.RightsProxyID IS NOT NULL AND ((p.InheritedAllowRights <> 0) OR (p.InheritedDenyRights <> 0) OR (p.InheritedAllowMask <> 0) OR (p.InheritedDenyMask <> 0))`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath / fallback `r.Name` | | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | +| AllowRights | smallint | | Yes | SA_FSAA_Rights.InheritedAllowRights | | +| DenyRights | smallint | | Yes | SA_FSAA_Rights.InheritedDenyRights | | +| AllowList ... AllowAdmin | bit | | Yes | Computed | Six bit columns | +| DenyList ... 
DenyAdmin | bit | | Yes | Computed | Six bit columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | `LRWDMA`-style | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| AllowMask | int | | Yes | SA_FSAA_Rights.InheritedAllowMask | | +| DenyMask | int | | Yes | SA_FSAA_Rights.InheritedDenyMask | | +| AllowMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| DenyMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| TrusteeID | int | | Yes | SA_FSAA_Rights.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | UDF column | | +| TrusteeIsHistoricalSID | bit | | Yes | UDF column | | +| TrusteePrincipalID | int | | Yes | UDF column | | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAA_SharesTraversalView {#sa_fsaa_sharestraversalview} + +**Description:** For every resource reachable through a gate, returns the gate, the resource, the share-relative resource path, and the SMB / NFS UNC path. + +**Source tables:** `SA_FSAA_Hosts`, `SA_FSAA_Gates`, `SA_FSAA_GatesProxy`, `SA_FSAA_Resources`, `SA_FSAA_Paths`. + +**Filter:** `r.GatesProxyID IS NOT NULL`. + +**Network-path logic:** if `g.GateType = 2` (NFS), builds `host:share//rel-path` where the relative path is `SUBSTRING(y.Path, LEN(g.DisplayName) + 2, 2048)`; otherwise builds `\\host\share\rel-path` by trimming the gate's local path off `y.Path` (`SUBSTRING(y.Path, LEN(g.Path), 2048)`). 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Hosts.ID | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| GateID | int | | Yes | SA_FSAA_Gates.ID | | +| GateType | int | | Yes | SA_FSAA_Gates.GateType | See [GateType](../enumeration/overview.md#gatetype) | +| GateTypeDescription | varchar | 3 | Yes | Computed (CASE) | `'SMB'` when `GateType = 0`, otherwise `'NFS'` (any non-zero `GateType`) | +| GateDeletedUSN | int | | Yes | SA_FSAA_Gates.DeletedUSN | | +| ShareID | bigint | | Yes | SA_FSAA_Gates.ShareID | | +| ShareName | nvarchar | 256 | Yes | SA_FSAA_Gates.DisplayName | | +| ResourceID | bigint | | Yes | SA_FSAA_Resources.ID | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceType | tinyint | | Yes | SA_FSAA_Resources.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | SA_FSAA_Paths.Path | Local resource path | +| NetworkPath | nvarchar | 4000 | Yes | Computed (see Network-path logic) | UNC path or NFS-style path | +| NestedLevel | int | | Yes | Computed (`r.NestedLevel - g.NestedLevel`) | Depth from share root | + +--- + +### SA_FSAA_EffectiveAccessView {#sa_fsaa_effectiveaccessview} + +**Description:** Like `SA_FSAA_SharesTraversalView` but additionally resolves each row through `SA_FSAA_GetEffectiveRights` to attribute the effective allow/deny rights to each leaf trustee. Used to answer "who can do what on this resource through this share?" + +**Source tables:** `SA_FSAA_SharesTraversalView`, UDF `SA_FSAA_GetEffectiveRights`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_SharesTraversalView.HostID | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_SharesTraversalView.HostName | | +| GateID | int | | Yes | SA_FSAA_SharesTraversalView.GateID | | +| ShareID | bigint | | Yes | SA_FSAA_SharesTraversalView.ShareID | | +| ResourceID | bigint | | Yes | SA_FSAA_SharesTraversalView.ResourceID | | +| ShareName | nvarchar | 256 | Yes | SA_FSAA_SharesTraversalView.ShareName | | +| NestedLevel | int | | Yes | SA_FSAA_SharesTraversalView.NestedLevel | | +| ResourcePath | nvarchar | 4000 | Yes | SA_FSAA_SharesTraversalView.ResourcePath | | +| NetworkPath | nvarchar | 4000 | Yes | SA_FSAA_SharesTraversalView.NetworkPath | | +| ResourceType | tinyint | | Yes | SA_FSAA_SharesTraversalView.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | SA_FSAA_SharesTraversalView.ResourceTypeDescription | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_SharesTraversalView.ResourceDeletedUSN | | +| GateDeletedUSN | int | | Yes | SA_FSAA_SharesTraversalView.GateDeletedUSN | | +| AllowRights | smallint | | No | UDF column | Effective allow bitmask | +| DenyRights | smallint | | No | UDF column | Effective deny bitmask | +| DirectTrustee | bit | | Yes | UDF column | True if rights come from a direct ACE rather than group expansion | +| AllowList ... AllowAdmin | bit | | Yes | Computed | Six bit columns | +| DenyList ... 
DenyAdmin | bit | | Yes | Computed | Six bit columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| TrusteeSID | varchar | 184 | Yes | UDF column | | +| TrusteeType | smallint | | Yes | UDF column | | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAA_LocalGroupMembersView {#sa_fsaa_localgroupmembersview} + +**Description:** Flat view of local-group memberships derived from `SA_FSAA_TrusteeEquivalence`. One row per `(group, member)` pair on a host, with both group and member identity columns expanded via `SA_FSAA_GetTrusteeInformation`. + +**Source tables:** `SA_FSAA_TrusteeEquivalence`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetTrusteeInformation` (called twice — once for the group, once for the member). 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_TrusteeEquivalence.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| GroupTrusteeID | int | | No | SA_FSAA_TrusteeEquivalence.EquivalentTrusteeID | | +| GroupSID | varchar | 184 | Yes | UDF column (group) | | +| GroupDisplayName | nvarchar | 256 | Yes | UDF column (group) | | +| GroupDomain | nvarchar | 128 | Yes | UDF column (group) | | +| GroupNTName | nvarchar | 256 | Yes | UDF column (group) | | +| GroupNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| MemberTrusteeID | int | | No | SA_FSAA_TrusteeEquivalence.TrusteeID | | +| MemberSID | varchar | 184 | Yes | UDF column (member) | | +| MemberDomain | nvarchar | 128 | Yes | UDF column (member) | | +| MemberNTName | nvarchar | 256 | Yes | UDF column (member) | | +| MemberDisplayName | nvarchar | 256 | Yes | UDF column (member) | | +| MemberNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| MemberType | smallint | | Yes | UDF column (member) | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| MemberTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| MemberPrincipalID | int | | Yes | UDF column (member) | AD-Inventory principal ID | + +--- + +### SA_FSAA_ExceptionsView {#sa_fsaa_exceptionsview} + +**Description:** `SA_FSAA_Exceptions` joined with the type catalog and with both `TrusteeID` and `SourceTrusteeID` resolved to display names. + +**Source tables:** `SA_FSAA_Exceptions`, `SA_FSAA_ExceptionTypes`, `SA_FSAA_Trustees` (twice — once for each trustee column), `SA_FSAA_Hosts`, `SA_FSAA_Resources`, `SA_FSAA_Gates`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Path logic:** if both `ResourceID` and `GateID` are present, returns a UNC-style path `\\host\share`; if only `ResourceID`, returns the bare resource path from `SA_FSAA_GetPath`; otherwise NULL. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Exceptions.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ExceptionType | int | | No | SA_FSAA_Exceptions.ExceptionType | | +| ParentType | int | | Yes | SA_FSAA_ExceptionTypes.ParentType | Hierarchical parent type | +| ExceptionName | varchar | 128 | No | SA_FSAA_ExceptionTypes.Name | | +| GateID | int | | Yes | SA_FSAA_Exceptions.GateID | | +| ResourceID | bigint | | Yes | SA_FSAA_Exceptions.ResourceID | | +| Path | nvarchar | 4000 | Yes | Computed (see Path logic) | UNC path / resource path / NULL | +| TrusteeID | int | | Yes | SA_FSAA_Exceptions.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | SA_FSAA_Trustees.TrusteeType | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | +| TrusteePrincipalID | int | | Yes | UDF column | | +| SourceTrusteeID | int | | Yes | SA_FSAA_Exceptions.SourceTrusteeID | | +| SourceTrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID (second join) | | +| SourceTrusteeType | smallint | | Yes | SA_FSAA_Trustees.TrusteeType (second join) | | +| SourceTrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| SourceTrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | +| SourceTrusteePrincipalID | int | | Yes | UDF column | | + +--- + +## Activity Views (SA_FSAC_*) {#activity-views-sa_fsac_} + +### SA_FSAC_DailyActivityView {#sa_fsac_dailyactivityview} + +**Description:** Per-`(host, date, folder, trustee, operation)` activity row, with the trustee identity expanded and the operation code translated to a human-readable label. The most common entry point for activity reporting; one row per recorded daily-activity bucket. 
+ +**Source tables:** `SA_FSAC_DailyActivity`, `SA_FSAA_Hosts`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`, UDF `SA_FSAA_GetPath`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_DailyActivity.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ActivityDate | date | | No | SA_FSAC_DailyActivity.ActivityDate | | +| FolderID | bigint | | No | SA_FSAC_DailyActivity.FolderID | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full folder path | +| UserID | int | | No | SA_FSAC_DailyActivity.TrusteeID | | +| UserSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| UserType | smallint | | Yes | UDF column | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| UserPrincipalID | int | | Yes | UDF column | AD-Inventory principal ID | +| UserTypeDescription | varchar | 18 | Yes | Computed (CASE) | For example, `Domain User` | +| UserDisplayName | nvarchar | 256 | Yes | UDF column | | +| UserNTName | nvarchar | 256 | Yes | UDF column | | +| UserNTDomain | nvarchar | 128 | Yes | UDF column | | +| UserNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| Operation | tinyint | | No | SA_FSAC_DailyActivity.Operation | | +| OperationDescription | varchar | 18 | Yes | Computed (CASE) | `Read` / `Add` / `Update` / `Delete` / `Permission Change` / `Rename` | +| Allow | bit | | No | SA_FSAC_DailyActivity.Allow | | +| AllowDescription | varchar | 7 | Yes | Computed (CASE) | `Allowed` / `Denied` | +| OperationCount | int | | No | SA_FSAC_DailyActivity.Count | | + +--- + +### SA_FSAC_DailyUserActivityView {#sa_fsac_dailyuseractivityview} + +**Description:** Pivoted version of `SA_FSAC_DailyActivityView` — one row per `(host, date, folder, user)`, with separate columns for each operation type's count. Filtered to `Allow = 1` (allowed operations only). 
+ +**Source tables:** `SA_FSAC_DailyActivity` (pivoted on Operation), `SA_FSAA_Hosts`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`, UDF `SA_FSAA_GetPath`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_DailyActivity.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ActivityDate | date | | No | SA_FSAC_DailyActivity.ActivityDate | | +| FolderID | bigint | | No | SA_FSAC_DailyActivity.FolderID | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| UserID | int | | No | SA_FSAC_DailyActivity.TrusteeID | | +| UserSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| UserType | smallint | | Yes | UDF column | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| UserPrincipalID | int | | Yes | UDF column | | +| UserTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| UserDisplayName | nvarchar | 256 | Yes | UDF column | | +| UserNTName | nvarchar | 256 | Yes | UDF column | | +| UserNTDomain | nvarchar | 128 | Yes | UDF column | | +| UserNTStyleName | nvarchar | 385 | Yes | Computed | | +| Reads | int | | No | Pivot (Operation = 0) | Read-operation count | +| Adds | int | | No | Pivot (Operation = 1) | Add-operation count | +| Updates | int | | No | Pivot (Operation = 2) | Update-operation count | +| Deletes | int | | No | Pivot (Operation = 3) | Delete-operation count | +| PermissionChanges | int | | No | Pivot (Operation = 4) | Permission-change count | +| Renames | int | | No | Pivot (Operation = 5) | Rename count | + +--- + +### SA_FSAC_DailyResourceActivityView {#sa_fsac_dailyresourceactivityview} + +**Description:** Same shape as `SA_FSAC_DailyUserActivityView` but rolled up across users — one row per `(host, date, folder)` with operation counts and a count of distinct active users. + +**Source tables:** `SA_FSAC_DailyActivity` (pivoted on Operation, then aggregated), `SA_FSAA_Hosts`, UDF `SA_FSAA_GetPath`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_DailyActivity.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ActivityDate | date | | No | SA_FSAC_DailyActivity.ActivityDate | | +| FolderID | bigint | | No | SA_FSAC_DailyActivity.FolderID | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| Reads | int | | Yes | SUM (Operation = 0) | | +| Adds | int | | Yes | SUM (Operation = 1) | | +| Updates | int | | Yes | SUM (Operation = 2) | | +| Deletes | int | | Yes | SUM (Operation = 3) | | +| PermissionChanges | int | | Yes | SUM (Operation = 4) | | +| Renames | int | | Yes | SUM (Operation = 5) | | +| ActiveUsers | int | | Yes | COUNT(DISTINCT TrusteeID) | Distinct users with activity that day | + +--- + +### SA_FSAC_ActivityEventsView {#sa_fsac_activityeventsview} + +**Description:** Detailed event view — one row per `SA_FSAC_ActivityEvents` row, joined to resource metadata, process name, trustee identity, and (for renames) the rename target. + +**Source tables:** `SA_FSAC_ActivityEvents`, `SA_FSAA_Hosts`, `SA_FSAC_ProcessNames`, `SA_FSAA_Resources`, `SA_FSAA_Trustees`, `SA_FSAC_RenameTargets`, UDF `SA_FSAA_GetTrusteeInformationEx`, UDF `SA_FSAA_GetPath`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_ActivityEvents.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ID | bigint | | No | SA_FSAC_ActivityEvents.ID | | +| AccessTime | datetime2 | | No | SA_FSAC_ActivityEvents.AccessTime | | +| ResourceID | bigint | | No | SA_FSAC_ActivityEvents.PathID | | +| ResourceType | tinyint | | Yes | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Folder` / `File` | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceName | nvarchar | 2000 | Yes | SA_FSAA_Resources.Name | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| ProcessID | int | | Yes | SA_FSAC_ActivityEvents.ProcessID | | +| ProcessName | nvarchar | 255 | Yes | SA_FSAC_ProcessNames.Name | | +| Operation | tinyint | | No | SA_FSAC_ActivityEvents.Operation | | +| OperationDescription | varchar | 18 | Yes | Computed (CASE) | | +| Allow | bit | | No | SA_FSAC_ActivityEvents.Allow | | +| AllowDescription | varchar | 7 | Yes | Computed (CASE) | `Allowed` / `Denied` | +| TargetResourceID | bigint | | Yes | SA_FSAC_RenameTargets.TargetPathID | (Renames only) | +| TargetResourceName | nvarchar | 2000 | Yes | SA_FSAA_Resources.Name (target) | (Renames only) | +| TargetParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID (target) | (Renames only) | +| TargetPath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath (target) | (Renames only) | +| UserID | int | | No | SA_FSAC_ActivityEvents.TrusteeID | | +| UserSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| UserDisplayName | nvarchar | 256 | Yes | UDF column | | +| UserNTDomain | nvarchar | 128 | Yes | UDF column | | +| UserNTName | nvarchar | 256 | Yes | UDF column | | +| UserType | smallint | | Yes | UDF column | See 
[TrusteeType](../enumeration/overview.md#trusteetype) | +| UserPrincipalID | int | | Yes | UDF column | | +| UserTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| UserNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAC_ExceptionsView {#sa_fsac_exceptionsview} + +**Description:** `SA_FSAC_Exceptions` joined to the type catalog and to the trustee / gate / resource references, with day-of-week and time-of-day translations. + +**Source tables:** `SA_FSAC_Exceptions`, `SA_FSAC_ExceptionTypes`, `SA_FSAA_Hosts`, `SA_FSAA_Gates`, `SA_FSAA_Resources`, UDF `SA_FSAA_GetPath`, UDF `SA_FSAA_GetTrusteeInformation`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_Exceptions.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ID | int | | No | SA_FSAC_Exceptions.ID | | +| ExceptionType | int | | No | SA_FSAC_Exceptions.ExceptionType | | +| ParentType | int | | Yes | SA_FSAC_ExceptionTypes.ParentType | | +| ExceptionName | varchar | 128 | No | SA_FSAC_ExceptionTypes.Name | | +| ActivityDate | date | | No | SA_FSAC_Exceptions.ActivityDate | | +| ActivityHour | tinyint | | Yes | SA_FSAC_Exceptions.ActivityHour | | +| DayOfWeek | nvarchar | 30 | Yes | Computed (`DATENAME(dw, ActivityDate)`) | For example, `Monday` | +| TimeOfDay | varchar | 8 | Yes | Computed (CASE on ActivityHour) | For example, `3 PM`, `12 AM` | +| GateID | int | | No | SA_FSAC_Exceptions.GateID | | +| ResourceID | bigint | | Yes | SA_FSAC_Exceptions.ResourceID | | +| Path | nvarchar | 4000 | Yes | Computed (`\\host\share`) | | +| TrusteeID | int | | Yes | SA_FSAC_Exceptions.TrusteeID | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| NTDomain | nvarchar | 128 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| NTName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed 
(`Domain\Name`) | | +| TrusteeType | smallint | | Yes | UDF: SA_FSAA_GetTrusteeInformation | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| Value | int | | Yes | SA_FSAC_Exceptions.Value | | +| Average | float | | Yes | SA_FSAC_Exceptions.Average | | +| StandardDeviations | float | | Yes | SA_FSAC_Exceptions.StandardDeviations | | + +--- + +### SA_FSAC_UserExceptionsView {#sa_fsac_userexceptionsview} + +**Description:** Same shape as `SA_FSAC_ExceptionsView` but partitioned by user `SID` rather than `(HOST, ID)`. Used for cross-host user-behaviour anomalies. Trustee identity is resolved by joining `SA_ADInventory_UsersView` on the SID. + +**Source tables:** `SA_FSAC_UserExceptions`, `SA_FSAC_UserExceptionTypes`, `SA_ADInventory_UsersView`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| ID | int | | No | SA_FSAC_UserExceptions.ID | | +| ExceptionType | int | | No | SA_FSAC_UserExceptions.ExceptionType | | +| ParentType | int | | Yes | SA_FSAC_UserExceptionTypes.ParentType | | +| ExceptionName | varchar | 128 | No | SA_FSAC_UserExceptionTypes.Name | | +| ActivityDate | date | | No | SA_FSAC_UserExceptions.ActivityDate | | +| ActivityStartTime | tinyint | | Yes | SA_FSAC_UserExceptions.ActivityStartTime | Start hour 0–23 | +| ActivityPeriod | tinyint | | Yes | SA_FSAC_UserExceptions.ActivityPeriod | Window length in hours | +| DayOfWeek | nvarchar | 30 | Yes | Computed (`DATENAME(dw, ActivityDate)`) | For example, `Monday` | +| TimeOfDay | varchar | 8 | Yes | Computed (CASE on ActivityStartTime) | For example, `3 PM`, `12 AM` | +| TrusteeDisplayName | nvarchar | 256 | Yes | SA_ADInventory_UsersView.DisplayName | | +| NTDomain | nvarchar | 128 | Yes | SA_ADInventory_UsersView.DomainName | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | SA_ADInventory_UsersView.NTAccount | `Domain\Name` | +| TrusteeSID | varchar | 184 | No | 
SA_FSAC_UserExceptions.SID | | +| TrusteePrincipalID | int | | Yes | SA_ADInventory_UsersView.PrincipalId | | +| Value | int | | Yes | SA_FSAC_UserExceptions.Value | | +| Average | float | | Yes | SA_FSAC_UserExceptions.Average | | +| StandardDeviations | float | | Yes | SA_FSAC_UserExceptions.StandardDeviations | | + +--- + +### SA_FSAC_PermissionChangesView {#sa_fsac_permissionchangesview} + +**Description:** Surface view over `SA_FSAC_PermissionChanges` that resolves the affected trustee and decodes the ACL / ACE / inheritance / access-rights bitmasks into descriptive strings. + +:::note +This view doesn't join `SA_FSAC_ActivityEvents` or `SA_FSAA_Resources` — the access time and resource path aren't exposed; reports needing them must join `SA_FSAC_ActivityEvents` themselves. +::: + +**Source tables:** `SA_FSAC_PermissionChanges`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetTrusteeInformation`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_PermissionChanges.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ActivityID | bigint | | No | SA_FSAC_PermissionChanges.ActivityID | | +| ChangeID | smallint | | No | SA_FSAC_PermissionChanges.ChangeID | | +| AclType | tinyint | | No | SA_FSAC_PermissionChanges.AclType | | +| AclTypeDescription | varchar | 4 | Yes | Computed (CASE) | `DACL` / `SACL` | +| TrusteeID | int | | No | SA_FSAC_PermissionChanges.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeType | smallint | | Yes | UDF: SA_FSAA_GetTrusteeInformation | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteePrincipalID | int | | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeDomainName | nvarchar | 128 | Yes | UDF: SA_FSAA_GetTrusteeInformation 
| | +| TrusteeNTName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| ChangeType | tinyint | | No | SA_FSAC_PermissionChanges.ChangeType | | +| ChangeTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Add` / `Remove` / `Update` | +| AceType | tinyint | | No | SA_FSAC_PermissionChanges.AceType | | +| AceTypeDescription | varchar | 16 | Yes | Computed (CASE) | `Allowed`, `Denied`, `Object Allowed`, `Object Denied`, `System Audit`, `System Alarm`, `Object Audit`, `Object Alarm` | +| InheritanceFlags | tinyint | | No | SA_FSAC_PermissionChanges.InheritanceFlags | | +| InheritanceFlagsDescription | varchar | 64 | Yes | Computed (bitmask decode) | Comma-joined: `Inheritance Blocked` / `Inheritance Allowed` / `Child Objects Inherit` | +| AceFlags | tinyint | | No | SA_FSAC_PermissionChanges.AceFlags | | +| AceFlagsDescription | varchar | 256 | Yes | Computed (bitmask decode) | Comma-joined: `Container Inherit`, `Object Inherit`, `No Propogate`, `Inheritance Only`, `Ace Is Inherited`, `Successful Access Audit`, `Failed Access Audit` | +| AccessRights | bigint | | No | SA_FSAC_PermissionChanges.AccessRights | | +| AccessRightsDescription | varchar | 32 | Yes | Computed (CASE) | Windows-style label such as `Full Control`, `Modify`, `Read`, `Write`, `Special` | +| NewAccessRights | bigint | | Yes | SA_FSAC_PermissionChanges.NewAccessRights | | +| NewAccessRightsDescription | varchar | 32 | Yes | Computed (CASE) | Same vocabulary as `AccessRightsDescription` | + +--- + +## Sensitive Data Views (SA_FSDLP_*) {#sensitive-data-views-sa_fsdlp_} + +### SA_FSDLP_MatchesView {#sa_fsdlp_matchesview} + +**Description:** `SA_FSDLP_Matches` enriched with file path, criterion name and GUID, a human-readable `DataSource` description, and an `IsExcluded` flag computed from the SDD exclusion-filter table. 
+ +**Source tables:** `SA_FSDLP_Matches`, `SA_FSAA_Hosts`, `SA_FSDLP_Criteria`, `SA_FSAA_Resources`, `SA_FSAA_SharesTraversalView`, `SA_SDDExclusionFilters`, UDF `SA_FSAA_GetPath`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSDLP_Matches.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| CriteriaId | int | | No | SA_FSDLP_Matches.CriteriaId | | +| CriteriaName | nvarchar | 256 | Yes | SA_FSDLP_Criteria.Name | | +| CriteriaGUID | uniqueidentifier | | Yes | SA_FSDLP_Criteria.pattern_guid | | +| ResourceID | bigint | | No | SA_FSDLP_Matches.FileId | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| FileName | nvarchar | 2000 | Yes | SA_FSAA_Resources.Name | | +| FilePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| MatchCount | int | | Yes | SA_FSDLP_Matches.MatchCount | | +| DataSource | varchar | 30 | Yes | Computed (CASE) | `Content` / `Metadata` / `Filename` / combinations | +| IsExcluded | bit | | No | Computed (EXISTS against `SA_SDDExclusionFilters`) | True if the file is covered by an exclusion filter | + +--- + +### SA_FSDLP_MatchHitsView {#sa_fsdlp_matchhitsview} + +**Description:** `SA_FSDLP_MatchHits` joined to `SA_FSDLP_MatchesView` so each hit carries the parent file/criterion identity. Used by the Sensitive Data report's drill-down view. + +**Source tables:** `SA_FSDLP_MatchHits` (aliased `H`), `SA_FSDLP_MatchesView` (aliased `M`). 
+
+| Column Name | Data Type | Size | Nullable | Source | Description |
+|---|---|---|---|---|---|
+| HostID | int | | No | SA_FSDLP_MatchesView.HostID | |
+| HostName | nvarchar | 64 | Yes | SA_FSDLP_MatchesView.HostName | |
+| CriteriaID | int | | No | SA_FSDLP_MatchesView.CriteriaId | |
+| CriteriaName | nvarchar | 256 | Yes | SA_FSDLP_MatchesView.CriteriaName | |
+| CriteriaGUID | uniqueidentifier | | Yes | SA_FSDLP_MatchesView.CriteriaGUID | |
+| ResourceID | bigint | | No | SA_FSDLP_MatchesView.ResourceID | |
+| ParentResourceID | bigint | | Yes | SA_FSDLP_MatchesView.ParentResourceID | |
+| FileName | nvarchar | 2000 | Yes | SA_FSDLP_MatchesView.FileName | |
+| FilePath | nvarchar | 4000 | Yes | SA_FSDLP_MatchesView.FilePath | |
+| MatchCount | int | | Yes | SA_FSDLP_MatchesView.MatchCount | |
+| SubFileName | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.SubFileName | |
+| MatchPrefix | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.MatchPrefix | |
+| MatchData | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.MatchData | |
+| MatchSuffix | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.MatchSuffix | |
+| Confidence | int | | No | SA_FSDLP_MatchHits.Confidence | |
+| DataSource | varchar | 30 | Yes | Computed (CASE on `SA_FSDLP_MatchHits.DataSource`) | Same vocabulary as `SA_FSDLP_MatchesView.DataSource` |
diff --git a/docs/accessanalyzer/11.6/admin/schema/overview.md b/docs/accessanalyzer/11.6/admin/schema/overview.md
index 398c764625..038bf4dbd2 100644
--- a/docs/accessanalyzer/11.6/admin/schema/overview.md
+++ b/docs/accessanalyzer/11.6/admin/schema/overview.md
@@ -14,3 +14,14 @@ The SQL Data Collector discovers, audits, and reports on SQL Server instances, d - **[Index Reference](sqldc/indexreference/overview.md)** — Documentation of database indexes - **[Functions & Stored Procedures](sqldc/functions/overview.md)** — SQL scalar functions and stored procedures +## [File System Access Data Collector Schema](fsaadc/overview.md) + +The File System Access Data Collector (FSAA) audits Windows and NFS file systems for permissions, ownership, content, activity, and sensitive-data classification across Windows servers, NetApp / EMC / Dell filers, and Linux/Unix hosts. The schema documentation covers: + +- **[Entity Relationship Diagrams](fsaadc/erd/overview.md)** — Visual ERDs showing table relationships across all four collector modules +- **[Core Data Collection Tables](fsaadc/coretables/overview.md)** — 40 normalized tables populated directly by data collectors (FSAA, FSAC, FSDLP, and DFS modules) +- **[Views](fsaadc/views/overview.md)** — 19 SQL views that join and denormalize data for reporting and the FSAA web UI +- **[Enumeration & Lookup Values](fsaadc/enumeration/overview.md)** — Reference for TrusteeType, ResourceType, GateType, and the rights bitmask +- **[Functions & Stored Procedures](fsaadc/functions/overview.md)** — UDFs and stored procedures for path resolution, membership expansion, and effective-access computation +- **[Index Reference](fsaadc/indexreference/overview.md)** — Complete listing of database indexes +- **[Foreign Key Reference](fsaadc/fkreference/overview.md)** — Complete listing of foreign key constraints and cascade behaviors From 6304d3d04f8763f987a900572e32c144ca0fd149 Mon Sep 17 00:00:00 2001 
From: jth-nw Date: Thu, 7 May 2026 11:39:25 -0500 Subject: [PATCH 17/22] fix(vale-autofix): scope anchor step to PR-changed files only The --anchors-only step previously ran `git diff origin/dev -- '*.md'` across the full working tree, which caused it to process files from unrelated branches that were merged into a PR by mistake. Now it diffs only the files listed in changed-files.txt (the same PR-scoped list used by all other phases), so heading-anchor replacements can't affect files outside the PR's scope. Generated with AI Co-Authored-By: Claude Code --- .github/workflows/vale-autofix.yml | 2 +- scripts/vale-autofix.sh | 13 +++++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/vale-autofix.yml b/.github/workflows/vale-autofix.yml index 032be3061a..9428445e95 100644 --- a/.github/workflows/vale-autofix.yml +++ b/.github/workflows/vale-autofix.yml @@ -233,7 +233,7 @@ jobs: - name: Fix heading anchors if: steps.bot-check.outputs.skip != 'true' && steps.changed-files.outputs.count > 0 run: | - bash scripts/vale-autofix.sh --anchors-only origin/dev + bash scripts/vale-autofix.sh --anchors-only origin/dev /tmp/changed-files.txt - name: Check anchor links id: anchor-check diff --git a/scripts/vale-autofix.sh b/scripts/vale-autofix.sh index dc893def63..359e397bfe 100755 --- a/scripts/vale-autofix.sh +++ b/scripts/vale-autofix.sh @@ -84,8 +84,17 @@ _process_heading_pairs() { update_heading_anchors() { local base_ref="${1:-}" + local files_list="${2:-}" local diff_output - if [ -n "$base_ref" ]; then + + if [ -n "$files_list" ] && [ -f "$files_list" ]; then + local files=() + mapfile -t files < "$files_list" + if [ ${#files[@]} -eq 0 ]; then + return 0 + fi + diff_output=$(git diff "${base_ref}" -- "${files[@]}" 2>/dev/null || true) + elif [ -n "$base_ref" ]; then diff_output=$(git diff "${base_ref}" -- '*.md' 2>/dev/null || true) else diff_output=$(git diff HEAD -- '*.md' 2>/dev/null || true) 
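Review bot: The new `if [ -n "$files_list" ] && [ -f "$files_list" ]` branch in `update_heading_anchors` falls through to the old full-tree `git diff "${base_ref}" -- '*.md'` whenever the list file is missing or unreadable, so a failed or skipped changed-files step silently restores exactly the cross-branch behaviour this commit is removing. Since the workflow now always passes a path, a missing list should fail rather than fall back: `if [ -n "$files_list" ] && [ ! -f "$files_list" ]; then echo "changed-files list not found: $files_list" >&2; return 1; fi` ahead of the branch. Blank lines in the list also become empty pathspecs via `mapfile`, which recent git rejects (and older git treats as "everything"); reading with `mapfile -t files < <(grep -v '^$' "$files_list")` avoids both. The closing `fi` of this if/elif/else is not visible in the hunk as shown, so the tail of the function was not reviewed.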
@@ -164,7 +173,7 @@ case "${1:-}" in return 0 2>/dev/null || exit 0 ;; --anchors-only) - update_heading_anchors "${2:-}" + update_heading_anchors "${2:-}" "${3:-}" exit 0 ;; esac From 5754bbeaa8c7292861edb3579247b34918772cfc Mon Sep 17 00:00:00 2001 From: jth-nw Date: Thu, 7 May 2026 15:45:32 -0500 Subject: [PATCH 18/22] fix(anchor-update): replace positional diff-pairing with content-based word overlap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The old algorithm collected removed/added headings from diff hunks and paired them by array index, which broke on restructured files where the old[N] and new[N] heading at the same position are unrelated. It also had no code-fence tracking, so bash comments inside fenced blocks were treated as markdown headings. The new algorithm: - Reads the base and current versions of each file directly (git show vs working tree) instead of parsing the diff stream - Extracts headings with code-fence tracking so shell comments inside code blocks are ignored - Computes set difference to identify removed/added headings - Matches removed→added pairs using word-overlap scoring on slugified words (Jaccard-style: |intersection|/max(|old|,|new|)) - Only updates anchors when score ≥ 50; unmatched headings are left for check-anchors.sh to report Generated with AI Co-Authored-By: Claude Code --- scripts/test-anchor-update.sh | 2 +- scripts/vale-autofix.sh | 202 +++++++++++++++------------------- 2 files changed, 92 insertions(+), 112 deletions(-) diff --git a/scripts/test-anchor-update.sh b/scripts/test-anchor-update.sh index 3e3c60acb8..f73fa943f2 100644 --- a/scripts/test-anchor-update.sh +++ b/scripts/test-anchor-update.sh @@ -58,7 +58,7 @@ git commit -q -m "fix(vale): auto-fix substitutions and removals" # Run the anchor update function source "$SCRIPT_DIR/vale-autofix.sh" --test -update_heading_anchors +update_heading_anchors HEAD~1 # Verify: guide.md should have updated anchor PASS=0 
diff --git a/scripts/vale-autofix.sh b/scripts/vale-autofix.sh index 359e397bfe..6d578550af 100755 --- a/scripts/vale-autofix.sh +++ b/scripts/vale-autofix.sh 
@@ -38,131 +38,111 @@ _get_product_version_folder() { fi } -_process_heading_pairs() { - local file="$1" - local -n _old="$2" - local -n _new="$3" - local updates=0 - - if [ -z "$file" ] || [ ${#_old[@]} -eq 0 ] || [ ${#_new[@]} -eq 0 ]; then - echo 0 - return 0 - fi - - local count=${#_old[@]} - if [ ${#_new[@]} -lt "$count" ]; then - count=${#_new[@]} - fi - - local folder - folder=$(_get_product_version_folder "$file") - - if [ ! -d "$folder" ]; then - echo 0 - return 0 - fi - - for ((i = 0; i < count; i++)); do - local old_slug new_slug - old_slug=$(slugify "${_old[$i]}") - new_slug=$(slugify "${_new[$i]}") - - if [ "$old_slug" = "$new_slug" ] || [ -z "$old_slug" ] || [ -z "$new_slug" ]; then - continue - fi - - # Replace #old-slug with #new-slug in all .md files in the folder - find "$folder" -name '*.md' -exec \ - sed -i "s|#${old_slug}\([) ]\)|#${new_slug}\1|g" {} + - - updates=$((updates + 1)) +_word_overlap_score() { + local old_heading="$1" new_heading="$2" + local old_slug new_slug + old_slug=$(slugify "$old_heading") + new_slug=$(slugify "$new_heading") + [ "$old_slug" = "$new_slug" ] && echo 100 && return + local -a ow nw + IFS='-' read -ra ow <<< "$old_slug" + IFS='-' read -ra nw <<< "$new_slug" + local intersect=0 word nword + for word in "${ow[@]}"; do + [ -z "$word" ] && continue + for nword in "${nw[@]}"; do + [ -z "$nword" ] && continue + if [ "$word" = "$nword" ]; then intersect=$((intersect + 1)); break; fi + done done - - echo "$updates" - return 0 + local maxlen=${#ow[@]} + [ ${#nw[@]} -gt "$maxlen" ] && maxlen=${#nw[@]} + [ "$maxlen" -eq 0 ] && echo 0 && return + echo $(( (intersect * 100) / maxlen )) } update_heading_anchors() { - local base_ref="${1:-}" + local base_ref="${1:-HEAD}" local files_list="${2:-}" - local diff_output - + local -a files=() if [ -n "$files_list" ] && [ -f "$files_list" ]; then - local files=() mapfile -t files < "$files_list" - if [ ${#files[@]} -eq 0 ]; then - return 0 - fi - diff_output=$(git diff "${base_ref}" 
-- "${files[@]}" 2>/dev/null || true) - elif [ -n "$base_ref" ]; then - diff_output=$(git diff "${base_ref}" -- '*.md' 2>/dev/null || true) else - diff_output=$(git diff HEAD -- '*.md' 2>/dev/null || true) - fi - - if [ -z "$diff_output" ]; then - return 0 + mapfile -t files < <(git diff --name-only "${base_ref}" -- '*.md' 2>/dev/null || true) fi + [ ${#files[@]} -eq 0 ] && return 0 - local current_file="" - local old_headings=() - local new_headings=() - local in_hunk=0 local anchor_updates=0 - - while IFS= read -r line; do - if [[ "$line" =~ ^diff\ --git\ a/(.*\.md)\ b/ ]]; then - # Process pending heading pairs from previous file - if [ -n "$current_file" ] && [ ${#old_headings[@]} -gt 0 ] && [ ${#new_headings[@]} -gt 0 ]; then - local _pair_result - _pair_result=$(_process_heading_pairs "$current_file" old_headings new_headings) - anchor_updates=$((anchor_updates + _pair_result)) + local file + for file in "${files[@]}"; do + [ -f "$file" ] || continue + local base_content + base_content=$(git show "${base_ref}:${file}" 2>/dev/null || true) + [ -z "$base_content" ] && continue + + local -a old_h=() new_h=() + local line in_fence=0 + while IFS= read -r line; do + if [[ "$line" =~ ^(\`{3,}|~{3,}) ]]; then + in_fence=$(( 1 - in_fence )); continue fi - current_file="${BASH_REMATCH[1]}" - old_headings=() - new_headings=() - in_hunk=0 - continue - fi - - if [[ "$line" =~ ^@@ ]]; then - if [ -n "$current_file" ] && [ ${#old_headings[@]} -gt 0 ] && [ ${#new_headings[@]} -gt 0 ]; then - local _pair_result - _pair_result=$(_process_heading_pairs "$current_file" old_headings new_headings) - anchor_updates=$((anchor_updates + _pair_result)) + [ "$in_fence" -eq 0 ] && [[ "$line" =~ ^#{1,6}[[:space:]] ]] && old_h+=("$line") + done <<< "$base_content" + in_fence=0 + while IFS= read -r line; do + if [[ "$line" =~ ^(\`{3,}|~{3,}) ]]; then + in_fence=$(( 1 - in_fence )); continue fi - old_headings=() - new_headings=() - in_hunk=1 - continue - fi - - if [ "$in_hunk" -eq 0 ]; then 
- continue - fi - - # Collect removed headings (lines starting with - then #) - if [[ "$line" =~ ^-#{1,6}\ + ]]; then - old_headings+=("${line:1}") - fi - - # Collect added headings (lines starting with + then #) - if [[ "$line" =~ ^\+#{1,6}\ + ]]; then - new_headings+=("${line:1}") - fi - done <<< "$diff_output" - - # Process final file - if [ -n "$current_file" ] && [ ${#old_headings[@]} -gt 0 ] && [ ${#new_headings[@]} -gt 0 ]; then - local _pair_result - _pair_result=$(_process_heading_pairs "$current_file" old_headings new_headings) - anchor_updates=$((anchor_updates + _pair_result)) - fi - - if [ "$anchor_updates" -gt 0 ]; then - echo "Updated $anchor_updates anchor link(s)" - fi + [ "$in_fence" -eq 0 ] && [[ "$line" =~ ^#{1,6}[[:space:]] ]] && new_h+=("$line") + done < "$file" + + local -a removed=() added=() + local h match n o + for h in "${old_h[@]}"; do + match=0 + for n in "${new_h[@]}"; do [ "$h" = "$n" ] && match=1 && break; done + [ "$match" -eq 0 ] && removed+=("$h") + done + for h in "${new_h[@]}"; do + match=0 + for o in "${old_h[@]}"; do [ "$h" = "$o" ] && match=1 && break; done + [ "$match" -eq 0 ] && added+=("$h") + done + if [ ${#removed[@]} -eq 0 ] || [ ${#added[@]} -eq 0 ]; then continue; fi + + local folder + folder=$(_get_product_version_folder "$file") + [ -d "$folder" ] || continue + + local -a used_new_idx=() + for h in "${removed[@]}"; do + local best_score=0 best_idx=-1 best_new="" idx=0 cand + for cand in "${added[@]}"; do + local already=0 ui + for ui in "${used_new_idx[@]}"; do [ "$ui" -eq "$idx" ] && already=1 && break; done + if [ "$already" -eq 0 ]; then + local score + score=$(_word_overlap_score "$h" "$cand") + if [ "$score" -gt "$best_score" ]; then + best_score=$score; best_idx=$idx; best_new="$cand" + fi + fi + idx=$((idx + 1)) + done + [ "$best_score" -lt 50 ] && continue + local old_slug new_slug + old_slug=$(slugify "$h") + new_slug=$(slugify "$best_new") + if [ "$old_slug" != "$new_slug" ] && [ -n "$old_slug" ] && [ -n 
"$new_slug" ]; then + find "$folder" -name '*.md' -exec \ + sed -i "s|#${old_slug}\([) ]\)|#${new_slug}\1|g" {} + + anchor_updates=$((anchor_updates + 1)) + used_new_idx+=("$best_idx") + fi + done + done + [ "$anchor_updates" -gt 0 ] && echo "Updated $anchor_updates anchor link(s)" return 0 } From 3d02e776b441520f58c917709e1bbfc09702596e Mon Sep 17 00:00:00 2001 From: jth-nw Date: Thu, 7 May 2026 17:40:36 -0500 Subject: [PATCH 19/22] fix broken link --- .husky/pre-commit | 10 ++++------ docs/accessanalyzer/2601/install/quickinstall.md | 2 +- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.husky/pre-commit b/.husky/pre-commit index e35b8ba9bd..bbe84eb46a 100755 --- a/.husky/pre-commit +++ b/.husky/pre-commit @@ -1,9 +1,7 @@ -#!/usr/bin/env bash +#!/usr/bin/env sh REPO_ROOT="$(git rev-parse --show-toplevel)" # check-anchors.sh requires bash 4+ (associative arrays). On macOS the system -# bash is 3.2; prefer the Homebrew one if present. -BASH_EXEC=bash -if [[ ${BASH_VERSINFO[0]:-0} -lt 4 ]] && [[ -x /opt/homebrew/bin/bash ]]; then - BASH_EXEC=/opt/homebrew/bin/bash -fi +# bash is 3.2; prefer Homebrew bash if present. +BASH_EXEC="${HOMEBREW_PREFIX:-/opt/homebrew}/bin/bash" +[ ! -x "$BASH_EXEC" ] && BASH_EXEC=bash "$BASH_EXEC" "$REPO_ROOT/scripts/check-anchors.sh" --staged diff --git a/docs/accessanalyzer/2601/install/quickinstall.md b/docs/accessanalyzer/2601/install/quickinstall.md index 3b98a1c85d..63e3531ab4 100644 --- a/docs/accessanalyzer/2601/install/quickinstall.md +++ b/docs/accessanalyzer/2601/install/quickinstall.md 
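Review bot: The per-file loop in `update_heading_anchors` never checks that `$file` is Markdown when the list comes from `$files_list` — only the `git diff --name-only` fallback filters on `'*.md'` — so if changed-files.txt can contain a shell, YAML or Python file, every `# comment` line in it matches `^#{1,6}[[:space:]]`, is treated as a heading, and a reworded comment can drive a folder-wide `sed -i`; that is the same misdetection this commit fixes for fenced blocks, on a different path. Add `[[ "$file" == *.md ]] || continue` next to the existing `[ -f "$file" ] || continue`. Separately, the pattern `#${old_slug}\([) ]\)` is not scoped to links that target `$file`, so `[x](other.md#overview)` is rewritten whenever any heading slugging to `overview` is renamed elsewhere in the same product folder; restricting the match to `$(basename "$file")#${old_slug}` and bare `(#${old_slug}` inside `$file` itself would narrow the blast radius. `_word_overlap_score` has no comment and the commit message calls it Jaccard-style; a header such as `# Returns 0-100: |shared slug words| / max(|old|,|new|) — overlap normalised by the larger set, not true Jaccard (no union).` would keep the next reader from "fixing" it to a union. The slugs are also interpolated into the sed expression unescaped, which is only safe if `slugify` (not visible here) is guaranteed to emit `[a-z0-9-]` and never `|`, `.`, `*` or `\`.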
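Review bot: The rewritten `.husky/pre-commit` drops the bash-version check entirely: the comment still says `check-anchors.sh` needs bash 4+, but when `${HOMEBREW_PREFIX:-/opt/homebrew}/bin/bash` is absent the hook falls back to whatever `bash` is first on PATH without verifying it, so on an Intel Mac (Homebrew prefix `/usr/local`, and `HOMEBREW_PREFIX` is typically not exported into a GUI client's hook environment) the script runs under /bin/bash 3.2 and dies on the associative arrays with an opaque error. A one-line guard after the fallback preserves the intent of the removed check: `"$BASH_EXEC" -c '[ "${BASH_VERSINFO[0]}" -ge 4 ]' || { echo "pre-commit: bash 4+ required, found $BASH_EXEC" >&2; exit 1; }`. The commit subject `fix broken link` does not mention the hook change, which is worth stating for anyone later bisecting hook behaviour.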
@@ -85,7 +85,7 @@ The installer offers three ways to provision the server's TLS certificate. Choos **AD/DC Root CA Bundle is always required regardless of which TLS option you choose.** Even if the installer generates your server certificate, it still needs a separate CA file to trust the connection to your domain controller. See [Active Directory information](#bring-your-own-certificate-file-requirements). ::: -#### Bring your own certificate — file requirements +#### Bring your own certificate file requirements If you selected **Bring your own certificate**, prepare the following three files and place them in `/opt/dspm-tls/` on the server before running the installer: From c113ef700aacc9380814f2b3535f71fe5bdb1492 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 22:45:14 +0000 Subject: [PATCH 20/22] fix(vale): auto-fix style issues (Vale + Dale) --- docs/accessanalyzer/2601/install/quickinstall.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/accessanalyzer/2601/install/quickinstall.md b/docs/accessanalyzer/2601/install/quickinstall.md index 63e3531ab4..086c6d3e12 100644 --- a/docs/accessanalyzer/2601/install/quickinstall.md +++ b/docs/accessanalyzer/2601/install/quickinstall.md 
@@ -78,8 +78,8 @@ The installer offers three ways to provision the server's TLS certificate. Choos | Option | What It Does | Best For | What to Prepare | | --- | --- | --- | --- | | **Generate self-signed** | Installer generates a certificate automatically — no CA involvement | Quick evaluations and proof-of-concept installs. Not for production — browsers will show a security warning | Nothing — installer handles it | -| **Sign with AD Certificate Services** | Installer generates a CSR and submits it to your organization's AD CS to be signed by your internal Enterprise CA | Enterprise environments where AD CS is already deployed and the server can reach the CA | AD CS must be reachable from the server; an account with certificate enrollment rights | -| **Bring your own certificate** | You provide a pre-existing certificate, private key, and CA bundle | Environments with a centralized PKI team, or where AD CS isn't available | Three PEM files — see below | +| **Sign with AD Certificate Services** | Installer generates a CSR and submits it to your organization's AD CS, where your internal Enterprise CA signs it | Enterprise environments where AD CS is already deployed and the server can reach the CA | AD CS must be reachable from the server; an account with certificate enrollment rights | +| **Bring your own certificate** | You provide a pre-existing certificate, private key, and CA bundle | Environments with a centralized PKI team, or where AD CS isn't available | Three PEM files — see [file requirements](#bring-your-own-certificate-file-requirements) | :::note **AD/DC Root CA Bundle is always required regardless of which TLS option you choose.** Even if the installer generates your server certificate, it still needs a separate CA file to trust the connection to your domain controller. See [Active Directory information](#bring-your-own-certificate-file-requirements). 
@@ -163,7 +163,7 @@ cat app-ca.crt ldaps-ca.crt > /opt/dspm-tls/ca-bundle.crt ### First admin account -Identify the email address and display name of the person who will be the first administrator. The installer prompts for both values during setup and provisions the account automatically. That person signs in using their Active Directory password — no separate password is needed. +Identify the email address and display name of the person who will be the first administrator. The installer prompts for both values during setup and provisions the account automatically. That person signs in using their Active Directory password and doesn't need a separate one. The email address must match the `mail` attribute of the person's Active Directory account exactly, including case. @@ -261,7 +261,7 @@ rm -f "$TMP_FILE" dspm-installer --version ``` -If this returns a version number, the binary is ready. If it returns an error, the download failed — verify your license key is correct and that the server has outbound access to all required domains listed earlier. +If this returns a version number, the binary is ready. If it returns an error, the download failed — verify your license key is correct and that the server has outbound access to all [required domains](#required-domains). ### Step 4: Run the installer From 74378fee1a9876a51167ec495c70019df3647341 Mon Sep 17 00:00:00 2001 
From: Nate W <163451867+nwx-natew@users.noreply.github.com> Date: Fri, 8 May 2026 07:21:49 -0400 Subject: [PATCH 21/22] docs(auditor): correct SQL Server 2025 Express reporting services guidance (#875) SQL Server 2025 Express does not include Power BI Report Server or any built-in reporting services. Remove incorrect PBIRS claim from the 2025 table row and add notes in the intro paragraph and Install section clarifying that Express 2025 users who need reporting should either upgrade to Standard/Enterprise or stay on SQL Server 2022 Express with SSRS 2022 (unsupported configuration; may break with future Microsoft changes). --- docs/auditor/10.8/requirements/sqlserver.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/auditor/10.8/requirements/sqlserver.md b/docs/auditor/10.8/requirements/sqlserver.md index a968cdeef6..97e9cd727f 100644 --- a/docs/auditor/10.8/requirements/sqlserver.md +++ b/docs/auditor/10.8/requirements/sqlserver.md 
@@ -13,12 +13,17 @@ generation, Reporting Services (or Advanced Services) are also required. The following table lists supported SQL Server versions and editions. Due to limited database size, Netwrix recommends Express Edition (with Reporting Services) only for -evaluation, PoC, or small environments. For production environment, consider using Standard or -Enterprise Edition. +evaluation, PoC, or small environments **when using SQL Server 2022 or earlier**. For production +environments, consider using Standard or Enterprise Edition. + +**NOTE:** SQL Server 2025 Express Edition does not include Power BI Report Server (PBIRS) or any +built-in reporting services. If reporting functionality is required, use Standard or Enterprise +Edition with SQL Server 2025, or remain on SQL Server Express 2022 or earlier. See the SQL Server +2025 row in the table below for details. | Version | Edition | | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| SQL Server 2025 | - Standard or Enterprise Edition - [Express Edition](https://www.microsoft.com/en-us/sql-server/sql-server-downloads?msockid=112beb089ec7691328c3fc2e9fa568c1) with [Power BI Report Server](https://www.microsoft.com/en-us/download/details.aspx?id=105944) (for evaluation, PoC, and small environments) | +| SQL Server 2025 | - Standard or Enterprise Edition
**NOTE:** Express Edition is supported for SQL Server 2025, but does not include Power BI Report Server (PBIRS) or any built-in reporting services. Reporting functionality is not available with SQL Server 2025 Express. If reporting is required, use Standard or Enterprise Edition with SQL Server 2025, or remain on [SQL Server 2022 Express](https://www.microsoft.com/en-us/download/details.aspx?id=104781) with [SQL Server Reporting Services 2022](https://www.microsoft.com/en-us/download/details.aspx?id=104502). Note that using SSRS 2022 (or earlier) with SQL Server 2025 Express is not an officially supported configuration and may break if Microsoft introduces incompatible changes in a future update. | | SQL Server 2022 | - Standard or Enterprise Edition - [Express Edition](https://www.microsoft.com/en-us/download/details.aspx?id=104781) with [Reporting Services](https://www.microsoft.com/en-us/download/details.aspx?id=104502) (for evaluation, PoC, and small environments) | | SQL Server 2019 (on-premises Windows version) cumulative update 10 and above | - Standard or Enterprise Edition - [Express Edition](https://www.microsoft.com/en-us/download/details.aspx?id=101064) with [Reporting Services](https://www.microsoft.com/en-us/download/details.aspx?id=100122) (for evaluation, PoC, and small environments) | | SQL Server 2017 | - Standard or Enterprise Edition - [Express Edition](https://www.microsoft.com/en-us/download/details.aspx?id=55994) with [Reporting Services](https://www.microsoft.com/en-us/download/details.aspx?id=55252) (for evaluation, PoC, and small environments) | 
@@ -114,7 +119,8 @@ Consider the following: - Supported versions are 2012 and later. - Reporting Services supports only English-language operating systems. - Supported editions are Enterprise, Standard, and Express with Advanced Services (it includes - Reporting Services). + Reporting Services). **Note:** SQL Server 2025 Express Edition does not include any reporting + services. For SQL Server 2025, only Standard and Enterprise Editions support report generation. - If downloading SQL Server Express Edition with Advanced Services from Microsoft site, ensure you download the file whose name contains SQLEXPRADV. Otherwise, the installer won't deploy Reporting Services, and you won't be able to analyze and report on collected data. From 4ee4ecd0cb42d8e3a53906f01eed14fb90fab77a Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 15:02:31 +0000 Subject: [PATCH 22/22] fix(vale): auto-fix style issues (Vale + Dale) --- docs/accessanalyzer/2601/install/quickinstall.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/accessanalyzer/2601/install/quickinstall.md b/docs/accessanalyzer/2601/install/quickinstall.md index 086c6d3e12..4c88199c05 100644 --- a/docs/accessanalyzer/2601/install/quickinstall.md +++ b/docs/accessanalyzer/2601/install/quickinstall.md @@ -19,7 +19,7 @@ Before running the installer, confirm the following: - [ ] AD/DC Root CA bundle file prepared and placed on the server - [ ] Active Directory service account details collected - [ ] First admin email address confirmed (must match the AD `mail` attribute exactly) -- [ ] Netwrix license key on hand +- [ ] Netwrix license key ready ### System requirements 
@@ -134,7 +134,7 @@ Gather these values from your directory team before starting. The installer wiza | LDAP URL | Address of your domain controller. Use port 636 (LDAPS, encrypted) — strongly recommended; port 389 (plain LDAP) is available if LDAPS isn't configured | `ldaps://dc.corp.example.com:636` | | Bind DN | Full Distinguished Name of a read-only service account | `CN=svc-dspm,OU=ServiceAccounts,DC=corp,DC=example,DC=com` | | Bind Password | Password for the service account | — | -| Users Base DN | LDAP container where user accounts are stored | `CN=Users,DC=corp,DC=example,DC=com` | +| Users Base DN | LDAP container that holds user accounts | `CN=Users,DC=corp,DC=example,DC=com` | | Email Attribute | LDAP attribute storing the user's email address (usually `mail`) | `mail` | | AD/DC Root CA Bundle | Root CA certificate that signed the domain controller's LDAPS certificate. Required for all TLS options | `/opt/dspm-tls/ca-bundle.crt` | @@ -283,7 +283,7 @@ The **Example** column shows representative values for illustration — enter yo | LDAP URL | `ldaps://dc.corp.example.com:636` | Use port 636 (LDAPS) — port 389 is available but unencrypted | | Bind DN | `CN=svc-dspm,OU=ServiceAccounts,DC=corp,DC=example,DC=com` | Full DN format required — not UPN format | | Bind Password | *(your service account password)* | Input is silent — no characters appear | -| Users Base DN | `CN=Users,DC=corp,DC=example,DC=com` | The LDAP container where user accounts are stored | +| Users Base DN | `CN=Users,DC=corp,DC=example,DC=com` | The LDAP container that holds user accounts | | Email Attribute | `mail` | The LDAP attribute that holds the user's email address | | First Admin Email | `admin@corp.example.com` | Must match their AD `mail` attribute exactly, including case | | First Admin Name | `Jane Smith` | Used in the UI only | 
@@ -461,7 +461,7 @@ This table also appears at [Configuration > Identity Provider > Roles](../config | Role | Description | | --- | --- | | **Administrator** | Full access: system configuration (sources, scans, connectors, application settings) and user management (create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users). | -| **User Admin** | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does **not** have system configuration rights. The bootstrap `admin@dspm.local` account is assigned this role. | +| **User Admin** | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does **not** have system configuration rights. The bootstrap `admin@dspm.local` account has this role. | | **Viewer** | Read-only access to data and reports. No configuration or user management rights. | The **User Admin** role provides a dedicated account for user management with no system configuration access — useful for delegating user administration separately from system configuration.