diff --git a/docs/auditor/10.7/admin/alertsettings/create/create.md b/docs/auditor/10.7/admin/alertsettings/create/create.md
index 712a4c1b10..f2bd67cd64 100644
--- a/docs/auditor/10.7/admin/alertsettings/create/create.md
+++ b/docs/auditor/10.7/admin/alertsettings/create/create.md
@@ -29,11 +29,12 @@ See the [Navigation](/docs/auditor/10.7/admin/navigation/overview.md) topic for
**Step 2 –** In the All Alerts window, click Add. Configure the following:
-| Option | Description |
-| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| General | - Specify a name and enter the description for the new alert. **NOTE:** Make sure that the Send alert when the action occurs option is enabled. Otherwise, the new alert will be disabled. - Email subject — Specify the subject of the email. It is possible to insert variables into the subject line. You can choose between "_Who_", "_What_" and"_Where_" variables. Consider the following: - Only one variable of each type can be added - You need to cut off the full path from the object names in "_What_" alert and leave only the actual name. For example, "_\com\Corp\Users\Departments\IT\Username_" should be just "_Username_". If you want to get back to the default Email subject line, click the **Restore Default** button. - Apply tags — Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window. To see a full list of alerts ever created in the product, navigate to Settings > Tags. |
-| Recipients | Select alert recipients. Click Add Recipient and select alert delivery type: - Email — Specify the email address where notifications will be delivered. You can add as many recipients as necessary. **_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified email address and inform you if any problems are detected. - SMS-enabled email — Netwrix uses the sms gateway technology to deliver notifications to a phone number assigned to a dedicated email address. Specify email address to receive SMS notifications. Make sure that your carrier supports sms to email gateway technology. |
-| Filters | Apply a set of filters to narrow events that trigger a new alert. Alerts use the same interface and logic as search. - Filter — Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.) - Operator — Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.) - Value — Specify filter value. See the [View and Search Collected Data](/docs/auditor/10.7/admin/search/overview.md) topic for additional information on how to create and modify filters. The Filters section contains required fields highlighted with red. Once you completed all filters, click Preview on the right pane to see search-based list of events that will trigger your alert.  |
-| Thresholds | If necessary, enable threshold to trigger the new alert. In this case, a single alert will be sent instead of many alerts. This can be helpful when Auditor detects many activity records matching the filters you specified. Slide the switch under the Send alert when the threshold is exceeded option and configure the following: - Limit alerting to activity records with the same... — Select a filter in the drop-down list (e.g., who). Note that, Auditor will search for activity records with the same value in the filter you selected. Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. Mind that in this case, the product does not summarize risk scores and shows the value you associated with this alert. This may significantly reduce risk score accuracy. - Send alert for `<...>` activity records within `<...>` seconds — Select a number of changes that occurred in a given period (in seconds). For example, you want to receive an alert on suspicious activity. You select "_Action_" in the Limit alerting to activity records with the same list and specify a number of actions to be considered an unexpected behavior: _1000_ changes in _60_ seconds. When the selected threshold exceeded, an alert will be delivered to the specified recipients: one for every 1000 removals in 60 seconds, one for every 1000 failed removals in 60 seconds. So you can easily discover what is going on in your IT infrastructure. |
-| Risk Score | - Slide the switch to On under Include this alert in Behavior Anomalies assessment. See the [Behavior Anomalies](/docs/auditor/10.7/admin/behavioranomalies/overview.md) topic for additional information. - Associate a risk score with the alert — Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky. These are general guidelines you can adopt when setting a risk score: - High score — Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients. - Above medium score — Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients. - Low score — Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. - Low score — Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. |
-| Response Action | You can instruct Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Auditor server. Slide the switch to turn the feature **ON**, and see the [Configure a Response Action for Alert](/docs/auditor/10.7/admin/alertsettings/responseaction.md) topic for additional information. |
+| Option | Description |
+| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General |
- Specify a name and enter the description for the new alert.
**NOTE:** Make sure that the Send alert when the action occurs option is enabled. Otherwise, the new alert will be disabled. - Email subject — Specify the subject of the email. It is possible to insert variables into the subject line. You can choose between "_Who_", "_What_" and"_Where_" variables. Consider the following:
- Only one variable of each type can be added
- You need to cut off the full path from the object names in "_What_" alert and leave only the actual name. For example, "_\com\Corp\Users\Departments\IT\Username_" should be just "_Username_". If you want to get back to the default Email subject line, click the **Restore Default** button.
- Apply tags — Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window. To see a full list of alerts ever created in the product, navigate to Settings > Tags.
|
+| Recipients | Select alert recipients. Click Add Recipient and select alert delivery type: - Email — Specify the email address where notifications will be delivered. You can add as many recipients as necessary.
**_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified email address and inform you if any problems are detected. - SMS-enabled email — Netwrix uses the sms gateway technology to deliver notifications to a phone number assigned to a dedicated email address. Specify email address to receive SMS notifications. Make sure that your carrier supports sms to email gateway technology.
|
+| Filters | Apply a set of filters to narrow events that trigger a new alert. Alerts use the same interface and logic as search. - Filter — Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.)
- Operator — Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.)
- Value — Specify filter value. See the [View and Search Collected Data](/docs/auditor/10.7/admin/search/overview.md) topic for additional information on how to create and modify filters. The Filters section contains required fields highlighted with red. Once you completed all filters, click Preview on the right pane to see search-based list of events that will trigger your alert. 
|
+| Thresholds | If necessary, enable threshold to trigger the new alert. In this case, a single alert will be sent instead of many alerts. This can be helpful when Auditor detects many activity records matching the filters you specified. Slide the switch under the Send alert when the threshold is exceeded option and configure the following: - Limit alerting to activity records with the same... — Select a filter in the drop-down list (e.g., who). Note that, Auditor will search for activity records with the same value in the filter you selected. Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. Mind that in this case, the product does not summarize risk scores and shows the value you associated with this alert. This may significantly reduce risk score accuracy.
- Send alert for `<...>` activity records within `<...>` seconds — Select a number of changes that occurred in a given period (in seconds). For example, you want to receive an alert on suspicious activity. You select "_Action_" in the Limit alerting to activity records with the same list and specify a number of actions to be considered an unexpected behavior: _1000_ changes in _60_ seconds. When the selected threshold exceeded, an alert will be delivered to the specified recipients: one for every 1000 removals in 60 seconds, one for every 1000 failed removals in 60 seconds. So you can easily discover what is going on in your IT infrastructure.
|
+| Risk Score | - Slide the switch to On under Include this alert in Behavior Anomalies assessment. See the [Behavior Anomalies](/docs/auditor/10.7/admin/behavioranomalies/overview.md) topic for additional information.
- Associate a risk score with the alert — Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky. These are general guidelines you can adopt when setting a risk score:
- High score — Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients.
- Above medium score — Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients.
- Low score — Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard.
- Low score — Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard.
|
+| Response Action | You can instruct Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Auditor server. Slide the switch to turn the feature **ON**, and see the [Configure a Response Action for Alert](/docs/auditor/10.7/admin/alertsettings/responseaction.md) topic for additional information. |
+
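Review bot: the rewritten rows in this hunk no longer form a valid Markdown table, so the page will render broken. GFM table cells cannot span lines: `| General |` on its own line is a one-cell row with an empty description, the `- Specify a name and enter the description...` list that follows ends the table, and the bare `|` lines and the later `| Recipients | ...` and `| Filters | ...` rows then render as plain text because they have no header or delimiter row of their own. Either keep each option on a single row and separate the sub-points with `<br>`, or drop the table entirely and use one bullet per option with nested bullets for the sub-points, which is what the fileservers/overview.md hunk in this same change does; mixing the two approaches across the same PR will also read inconsistently. While touching these lines, `"_What_" and"_Where_"` is missing a space after `and`, and the Filters description ends with trailing whitespace.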
diff --git a/docs/auditor/10.7/admin/monitoringplans/fileservers/overview.md b/docs/auditor/10.7/admin/monitoringplans/fileservers/overview.md
index 4c85e33c5f..3e9a3471b8 100644
--- a/docs/auditor/10.7/admin/monitoringplans/fileservers/overview.md
+++ b/docs/auditor/10.7/admin/monitoringplans/fileservers/overview.md
@@ -18,18 +18,56 @@ the following topics:
- [File Servers](/docs/auditor/10.7/configuration/fileservers/overview.md) – Configure data source as required
to be monitored
+
+
Complete the following fields:
-| Option | Description |
-| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------- | ----------- | ---------- | ----------- | ------------ | ------------- | --------- | ---------- | --- | --- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------ | --- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | ----------- | ------- | --- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | --- | --- | --- | --- | --- | --- | --- | ----------- | --- | --- | --- | --- | --- | --- | --- | ----------------------------------- | --- | --- | --- | --- | --- | --- | --- | ----------------------------------------- | --- | --- | --- | --- | --- | --- | --- | ------------- | --- | --- | --- | --- | --- | --- | --- |
-| General | |
-| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
-| Specify actions for monitoring | Specify actions you want to track and auditing mode. | | | | --- | --- | | Changes | | | Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. | | Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. | | Read access | | | Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | | Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing. |
-| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. To collect data from 32-bit operating systems, network traffic compression must be **disabled**. To collect data from Windows Failover Cluster, network traffic compression must be **enabled**. See the [File Servers](/docs/auditor/10.7/configuration/fileservers/overview.md) topic for additional information. |
-| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](/docs/auditor/10.7/requirements/supporteddatasources/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Some settings cannot be configured automatically. The product has the following limitations depending on your file server type. | File Server | SACL Check | SACL Adjust | Policy Check | Policy Adjust | Log Check | Log Adjust | | --- | --- | --- | --- | --- | --- | --- | | Windows | + | + | + | + | + | + | | Dell Celerra\VNX\Unity | + | + | + | — | + | — | | Dell Isilon | n/a | n/a | + | — | n/a | n/a | | NetApp Data ONTAP 7 and 8 in 7-mode | + | + | + | + | + | + | | NetApp Clustered Data ONTAP 8 and ONTAP 9 | + | + | + | + | + | — | | Nutanix Files | n/a | n/a | + | + | n/a | n/a | |
-| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/admin/reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. 
If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. |
-| Users | |
-| Specify monitoring restrictions | Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add and provide user name in the domain\user format: _mydomain\user1_. - Use NetBIOS domain name format. - To exclude events containing "_System_" instead of initiator's account name in the "_Who_" column, enter "_System_" value to the list. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.7/admin/monitoringplans/overview.md)topic for additional information. |
+- General
+- Monitor this data source and collect activity data – Enable monitoring of the selected data source and configure Auditor to collect and store audit data.
+- Specify actions for monitoring – Specify actions you want to track and auditing mode.
+
+| | |
+|---------------|------------------------------------------------------------------------------------------------------------------------------------------|
+| **Changes** | |
+| Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. |
+| Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. |
+| **Read access** | |
+| Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+| Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+
+Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing.
+
+- Specify data collection method – You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.
+To collect data from 32-bit operating systems, network traffic compression must be disabled.
+To collect data from Windows Failover Cluster, network traffic compression must be enabled.
+
+- Configure audit settings – You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed.
+Do not select the checkbox if you want to configure audit settings manually. Some settings cannot be configured automatically. The product has the following limitations depending on your file server type
+
+| File Server | SACL Check | SACL Adjust | Policy Check | Policy Adjust | Log Check | Log Adjust |
+|-----------------------------------------|------------|-------------|--------------|---------------|-----------|------------|
+| Windows | + | + | + | + | + | + |
+| Dell Celerra\VNX\Unity | + | + | + | — | + | — |
+| Dell Isilon | n/a | n/a | + | — | + | — |
+| NetApp Data ONTAP 7 and 8 in 7-mode | + | + | + | + | + | + |
+| NetApp Clustered Data ONTAP 8 and ONTAP 9 | + | + | + | + | + | — |
+| Nutanix Files | n/a | n/a | + | — | n/a | n/a |
+
+- Collect data for state-in-time reports – Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation.
+When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions.
+In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected.
+In the Manage historical snapshots section, you can click Manage and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past.
+You must be assigned the Global administrator or the Global reviewer role to import snapshots.
+Move the selected snapshots to the Snapshots available for reporting list using the arrow button.
+The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.
+
+- Users
+
+- Specify monitoring restrictions – Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add and provide user name in the domain\user format: *mydomain\user1*.
+ - Use NetBIOS domain name format.
+ - To exclude events containing “System” instead of initiator's account name in the “Who” column, enter "System" value to the list.
+
+In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files.
Review your data source settings and click **Add** to go back to your plan. The newly created data
source will appear in the Data source list. As a next step, click Add item to specify an object for
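Review bot: the two sub-bullets under "Specify monitoring restrictions" (`+ - Use NetBIOS domain name format.` and the "System" line) are indented by a single space, which CommonMark treats as sibling top-level items rather than children of the parent bullet; indent them by two spaces so they nest. The same indentation problem affects the "Collect data for state-in-time reports" item: the six unindented lines that follow it (from `+When auditing file servers, changes to effective access permissions...` to `...you must import snapshots to the Audit Database.`) become lazy continuation text and render as one run-on paragraph glued to the bullet. Either indent them under the item with blank lines between paragraphs, or fold them into the item the way the next hunk does for the identical text, and add the State-In-Time Reports link here as well so both sections stay in sync. `+- Users` is left as a bullet with no description; it was a group label in the old table, so make it a bold label or a sub-heading rather than an empty option. Minor: the "System" line mixes curly and straight quotes around the same word.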
@@ -305,19 +343,31 @@ the following topics:
Complete the following fields:
-| Option | Description |
-| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | ------- | --- | --- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------ | --- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | ----------- | --- | --- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
-| Specify actions for monitoring | Specify actions you want to track and auditing mode. | | | | --- | --- | | Changes | | | Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. | | Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. | | Read access | | | Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | | Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. | Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing. |
-| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. |
-| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](/docs/auditor/10.7/requirements/supporteddatasources/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Netwrix Auditor can configure the following settings: - Policy Check - Policy Adjust |
-| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/admin/reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. 
If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. |
+- Monitor this data source and collect activity data – Enable monitoring of the selected data source and configure Auditor to collect and store audit data.
+- Specify actions for monitoring – Specify actions you want to track and auditing mode.
+
+| | |
+|---------------|------------------------------------------------------------------------------------------------------------------------------------------|
+| **Changes** | |
+| Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. |
+| Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. |
+| **Read access** | |
+| Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+| Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+
+Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing.
+
+- Specify data collection method – You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.
+
+- Configure audit settings – You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](/docs/auditor/10.7/requirements/supporteddatasources/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Netwrix Auditor can configure the following settings:
+ - Policy Check
+ - Policy Adjust
+
+- Collect data for state-in-time reports – Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.7/admin/reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. 
If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.
Review your data source settings and click **Add** to go back to your plan. The newly created data
source will appear in the **Data source** list. As a next step, click **Add item** to specify an
-object for monitoring. See the
-[Add Items for Monitoring](/docs/auditor/10.7/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional
-information.
+object for monitoring. See the [Add Items for Monitoring](/docs/auditor/10.7/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information.
## Nutanix SMB Shares
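Review bot: the new table starting at `+| | |` has an empty header row; several Markdown renderers fall back to literal pipes when the header cells are empty, and screen readers get no column labels. Either give it headers such as `| Outcome | Description |` or, since **Changes** and **Read access** are group labels rather than rows, render the block as two nested lists. As in the previous hunk, `+ - Policy Check` / `+ - Policy Adjust` are indented one space and so will not nest under "Configure audit settings"; use two spaces. The "Collect data for state-in-time reports" item ends with a trailing space and the sentence "If you want to generate reports based on different snapshots..." sits on its own unprefixed line, which looks like a wrap artifact carried over from the old table row; join it onto the bullet so the item does not end mid-sentence and the diff applies cleanly.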
diff --git a/docs/auditor/10.7/admin/search/filteradvanced.md b/docs/auditor/10.7/admin/search/filteradvanced.md
index 2e76cf503f..05a88f1420 100644
--- a/docs/auditor/10.7/admin/search/filteradvanced.md
+++ b/docs/auditor/10.7/admin/search/filteradvanced.md
@@ -23,19 +23,19 @@ Expand the Filter list to find additional filters or filter values. The most com
are described in [Use Filters in Simple Mode](/docs/auditor/10.7/admin/search/filtersimple.md). Review the following for additional
information:
-| Filter | Description | Example |
-| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | ------- | ---------------------- | --- | --------- | ------------------------- | --- | ---------- | ------------------------- | --- | ------ | ----------------------- | --- | ------- | ----------------------- | --- | --------- | ------------------------- | --- | ------------ | ------------- | --- | ------------------- | ------------------ | --- | -------------- | -------- | --- | -------- | ------ | --- | --------------- | ------------- | --- | ----------- | --- | --- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Action | Limits your search to the selected actions only. Specify an action from the Value list or type it yourself. The Action filter in the Advanced mode contains actions besides those available in basic mode (added, modified, removed, and read). Reported actions vary depending on the data source and object type. | | | | --- | --- | | - Added | - Add (Failed Attempt) | | - Removed | - Remove (Failed Attempt) | | - Modified | - Modify (Failed Attempt) | | - Read | - Read (Failed Attempt) | | - Moved | - Move (Failed Attempt) | | - Renamed | - Rename (Failed Attempt) | | - Checked in | - Checked out | | - Discard check out | - Successful Logon | | - Failed Logon | - Logoff | | - Copied | - Sent | | - Session start | - Session end | | - Activated | | | You are investigating suspicious user activity. You have already identified the intruder and now you want to see if any files were deleted or moved, and emails sent. Since you are interested in specific actions only, set the Action filter to Removed, Moved, and Sent. |
-| Object type | Limits your search to objects of a specific type only. Specify an object type from the Value list or type it yourself. This filter modifies the What filter. The value list is prepopulated with the most frequent object types. | You noticed that some domain policies were changed and you want to investigate this issue. Your What filter is set to _Policy_, and so you keep receiving search results such as _HiSecPolicy, \\FS\Share\NewPolicy.docx_, _http://corp/sites/col1/Lists/Policy._ These entries correspond to different object types and data sources. Since you are looking for GPOs only, select GroupPolicy from the Value list. |
-| Data source | Limits your search to the selected data source only. Specify a data source from the Value list or type it yourself. | You are investigating suspicious user activity. A user specified in the Who filter made a lot of changes across your IT infrastructure, so the search results became difficult to review. Since you are only interested in the way this user's activity could affect your Active Directory domain and Exchange organization, set the Data source filter to Active Directory and Exchange to limit the search results. |
-| Monitoring plan | Limits your search to the selected plan only. Specify the name from the Value list or type it yourself. | You are investigating suspicious user activity. A user specified in the Who filter made a lot of changes across your IT infrastructure, so the search results became difficult to review. Since you are only interested in the way this user's activity could affect file shares audited within a single plan, set the Monitoring plan filter to _"My servers"_ to limit the search results. |
-| Item | Limits your search to the selected item only. This filter can be helpful if have several items of the same type in your monitoring plan (e.g., two Active Directory domains). Specify the name from the Value list or type it yourself. | Your monitoring plan is configured to track domains and includes your secured corporate domain and a domain for temporary employees. You are investigating who logged in your secured corporate domain outside business hours. You can set the Item filter to this domain name to limit the search results and exclude logons to computers from a less important domain. |
-| Working hours | Limits your search results to entries that occurred within the specified hours. You can use this filter together with When if you need, for example, to search for activity in the non-business hours during the last week. | You are investigating an incident and want to know who accessed sensitive data outside business hours. You can set this filter as _Not equal to_ and specify the time interval from _8:00 AM_ to _6:00 PM_. Filtered data will include only operations that occurred outside this interval, that is, during non-business hours. |
-| Data categories | Limits your search results to entries that contain sensitive data comply with a classification rule. You can use this filter together with Equal to PCIDSS to, for example, to search for sensitive files that contain data regulated by the PCIDSS. | You are searching all documents containing cardholder data that can potentially be mapped with the PCIDSS compliance standard. You can set this filter _as equal to_ and specify the value as _PCIDSS_. Filtered data will contain only files that match this criteria. This filter shows activity records collected from the following data sources: - Windows File Servers - ShrePoint - SharePoint Online |
-| Details | Limits your search results to entries that contain the specified information in the Details column. The Details column normally contains data specific to your target, e.g., assigned permissions, before and after values, start and end dates. This filter can be helpful when you are looking for a unique entry. | You discovered that a registry key was updated to _"242464"_. Now you want to investigate who made the change and what the value was before. You can set the Details filter to _242464_ to find this change faster. |
-| Before\* | Limits your search results to entries that contain the specified before value in the Details column. | You are investigating an incident in which the SAM-account-name attribute was changed for an account in your Active Directory domain. You can set the Before filter to the previous name (e.g., _John2000_) to find the new name faster. |
-| After\* | Limits your search results to entries that contain the specified after value in the Details column. | You are investigating a security incident and want to know who enabled a local Administrator account on your Windows Server. You can set the After filter to this account's current state (e.g., _Enabled_) to find this change faster. |
-| Everywhere | Limits your search results to entries that contain the specified value in any column. | You are investigating a security incident. You have already identified the intruder (e.g., _BadActor_) and now you want to see all actions made by intruder's account or with it. Since the intruder can be the actor (Who), the object (What), or can even show up in details, set the Everywhere filter to intruder's name. |
+| Filter | Description | Example |
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Action | Limits your search to the selected actions only. Specify an action from the Value list or type it yourself. The Action filter in the Advanced mode contains actions besides those available in basic mode (added, modified, removed, and read). Reported actions vary depending on the data source and object type. | You are investigating suspicious user activity. You have already identified the intruder and now you want to see if any files were deleted or moved, and emails sent. Since you are interested in specific actions only, set the Action filter to Removed, Moved, and Sent. |
+| Object type | Limits your search to objects of a specific type only. Specify an object type from the Value list or type it yourself. This filter modifies the What filter. The value list is prepopulated with the most frequent object types. | You noticed that some domain policies were changed and you want to investigate this issue. Your What filter is set to Policy, and so you keep receiving search results such as HiSecPolicy, \FS\Share\NewPolicy.docx, http://corp/sites/col1/Lists/Policy. These entries correspond to different object types and data sources. Since you are looking for GPOs only, select GroupPolicy from the Value list. |
+| Data source | Limits your search to the selected data source only. Specify a data source from the Value list or type it yourself. | You are investigating suspicious user activity. A user specified in the Who filter made a lot of changes across your IT infrastructure, so the search results became difficult to review. Since you are only interested in the way this user's activity could affect your Active Directory domain and Exchange organization, set the Data source filter to Active Directory and Exchange to limit the search results. |
+| Monitoring plan | Limits your search to the selected plan only. Specify the name from the Value list or type it yourself. | You are investigating suspicious user activity. A user specified in the Who filter made a lot of changes across your IT infrastructure, so the search results became difficult to review. Since you are only interested in the way this user's activity could affect file shares audited within a single plan, set the Monitoring plan filter to "My servers" to limit the search results. |
+| Item | Limits your search to the selected item only. This filter can be helpful if you have several items of the same type in your monitoring plan (e.g., two Active Directory domains). Specify the name from the Value list or type it yourself. | Your monitoring plan is configured to track domains and includes your secured corporate domain and a domain for temporary employees. You are investigating who logged in your secured corporate domain outside business hours. You can set the Item filter to this domain name to limit the search results and exclude logons to computers from a less important domain. |
+| Working hours | Limits your search results to entries that occurred within the specified hours. You can use this filter together with When if you need, for example, to search for activity in the non-business hours during the last week. | You are investigating an incident and want to know who accessed sensitive data outside business hours. You can set this filter as Not equal to and specify the time interval from 8:00 AM to 6:00 PM. Filtered data will include only operations that occurred outside this interval, that is, during non-business hours. |
+| Data categories | Limits your search results to entries that contain sensitive data complying with a classification rule. You can use this filter together with Equal to PCIDSS to, for example, search for sensitive files that contain data regulated by the PCIDSS. | You are searching all documents containing cardholder data that can potentially be mapped with the PCIDSS compliance standard. You can set this filter as equal to and specify the value as PCIDSS. Filtered data will contain only files that match this criteria. This filter shows activity records collected from the following data sources: Windows File Servers, SharePoint, SharePoint Online. |
+| Details | Limits your search results to entries that contain the specified information in the Details column. The Details column normally contains data specific to your target, e.g., assigned permissions, before and after values, start and end dates. This filter can be helpful when you are looking for a unique entry. | You discovered that a registry key was updated to "242464". Now you want to investigate who made the change and what the value was before. You can set the Details filter to 242464 to find this change faster. |
+| Before* | Limits your search results to entries that contain the specified before value in the Details column. | You are investigating an incident in which the SAM-account-name attribute was changed for an account in your Active Directory domain. You can set the Before filter to the previous name (e.g., John2000) to find the new name faster. |
+| After* | Limits your search results to entries that contain the specified after value in the Details column. | You are investigating a security incident and want to know who enabled a local Administrator account on your Windows Server. You can set the After filter to this account's current state (e.g., Enabled) to find this change faster. |
+| Everywhere | Limits your search results to entries that contain the specified value in any column. | You are investigating a security incident. You have already identified the intruder (e.g., BadActor) and now you want to see all actions made by the intruder's account or with it. Since the intruder can be the actor (Who), the object (What), or can even show up in details, set the Everywhere filter to the intruder's name. |
\* If you plan to audit an SQL Server for data changes and browse the results using 'Before' and
'After' filter values, make sure that the audited SQL database tables have a primary key (or a
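Review bot: the Action row (`+| Action | Limits your search to the selected actions only. ...`) drops the enumeration of advanced-mode action values that the old cell carried in its embedded sub-table (Added / Add (Failed Attempt), Removed / Remove (Failed Attempt), Modified, Read, Moved, Renamed, Checked in, Checked out, Discard check out, Successful Logon, Failed Logon, Logoff, Copied, Sent, Session start, Session end, Activated). That list is the only place these action names are documented for the filter, so keep it, either as a comma-separated sentence in the Description cell or as a short list directly below the table. In the Object type example, `\\FS\Share\NewPolicy.docx` became `\FS\Share\NewPolicy.docx`; neither form renders as a valid UNC path because Markdown consumes the escaping backslash, so wrap the path in backticks (`` `\\FS\Share\NewPolicy.docx` ``) to keep both leading backslashes. Smaller points: `Before*` and `After*` are now unescaped while the footnote marker below the table is written `\*`, so escape them the same way to avoid a stray emphasis opener in some renderers; and "files that match this criteria" should read "these criteria".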
diff --git a/docs/auditor/10.7/api/activityrecordreference.md b/docs/auditor/10.7/api/activityrecordreference.md
index 9a9b6706d8..c7e30d4c70 100644
--- a/docs/auditor/10.7/api/activityrecordreference.md
+++ b/docs/auditor/10.7/api/activityrecordreference.md
@@ -11,24 +11,25 @@ The table below describes Activity Record elements.
Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity
Records.
-| Element | Mandatory | Datatype | Description |
-| ----------------------------------------------------- | --------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | -------------- | -------- | --- | ---------- | ------------------- | --- | -------- | -------------------------- | --- | ------------ | ----------------- | --- | --------------- | --------------------- | --- | ------------- | ------------------------- | --- | ---------- | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Activity Record main elements | | | |
-| RID | No | string | RID is a unique key of the Activity Record. The identifier is created automatically when you write an Activity Record to the Audit Database. RID is included in output Activity Records only. |
-| Who | Yes | nvarchar 255 | A specific user who made the change (e.g., _Enterprise\ Administrator_, _Admin@enterprise.onmicrosoft.com_). |
-| Action | Yes | — | Activity captured by Auditor (varies depending on the data source): |
-| What | Yes | nvarchar max | A specific object that was changed (e.g., _NewPolicy_). |
-| When | Yes | dateTime | The moment when the change occurred. When supports the following datetime formats: |
-| Where | Yes | nvarchar 255 | A resource where the change was made (e.g., _Enterprise-SQL_, _FileStorage.enterprise.local_). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. |
-| ObjectType | Yes | nvarchar 255 | An type of affected object or its class (e.g., _user, mailbox_). |
-| Monitoring Plan | No | nvarchar 255 | The Auditor object that responsible for monitoring of a given data source and item. Sub-elements: Name and ID. If you provide a monitoring plan name for input Activity Records, make sure the plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. In this case, data will be written to the database associated with this plan. |
-| DataSource | No | nvarchar max | IT infrastructure monitored with Auditor (e.g., _Active Directory_). For input Activity Records, the data source is automatically set to Netwrix API. |
-| Item | No | nvarchar max | The exact object that is monitored (e.g., a domain name, SharePoint farm name) or integration name. Sub-element: Name. The item type is added inside the name value in brackets (e.g., _enterprise.local (Domain)_). For input Activity Records, the type is automatically set to Integration, you do not need to provide it. The output Activity Records may contain the following item types depending on the monitoring plan configuration: | | | | --- | --- | | - AD container | - NetApp | | - Computer | - Office 365 tenant | | - Domain | - Oracle Database instance | | - EMC Isilon | - SharePoint farm | | - Dell VNX/VNXe | - SQL Server instance | | - Integration | - VMware ESX/ESXi/vCenter | | - IP range | - Windows file share | If you provide an item name for input Activity Records, make sure this item is included in the monitoring plan within the Netwrix API data source. If you specify an item that does not exist, data will be written to the plan's database anyway but will not be available for search using the Item filter. |
-| Workstation | No | nvarchar max | An originating workstation from which the change was made (e.g., _WKSwin12.enterprise.local_). |
-| IsArchiveOnly | No | — | IsArchiveOnly allows to save Activity Record to the Long-Term Archive only. In this case, these Activity Records will not be available for search in the Auditor client. |
-| DetailList | No | — | Information specific to the data source, e.g., assigned permissions, before and after values, start and end dates. References details. |
-| Detail sub-elements (provided that DetailList exists) | | | |
-| PropertyName | Yes | nvarchar 255 | The name of a modified property. |
-| Message | No | string | Object-specific details about the change. Message is included in output Activity Records only. |
-| Before | No | ntext | The previous value of the modified property. |
-| After | No | ntext | The new value of the modified property. |
+| Element | Mandatory | Datatype | Description |
+| --------------------------------------------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Activity Record main elements | | | |
+| RID | No | string | RID is a unique key of the Activity Record. The identifier is created automatically when you write an Activity Record to the Audit Database. RID is included in output Activity Records only. |
+| Who | Yes | nvarchar 255 | A specific user who made the change (e.g., _Enterprise\ Administrator_, _Admin@enterprise.onmicrosoft.com_). |
+| Action | Yes | — | Activity captured by Auditor (varies depending on the data source). |
+| What | Yes | nvarchar max | A specific object that was changed (e.g., _NewPolicy_). |
+| When | Yes | dateTime | The moment when the change occurred. When supports the following datetime formats. |
+| Where | Yes | nvarchar 255 | A resource where the change was made (e.g., _Enterprise-SQL_, _FileStorage.enterprise.local_). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. |
+| ObjectType | Yes | nvarchar 255 | A type of affected object or its class (e.g., user, mailbox). |
+| Monitoring Plan | No | nvarchar 255 | The Auditor object that is responsible for monitoring a given data source and item. Sub-elements: Name and ID. If you provide a monitoring plan name for input Activity Records, ensure the plan is created in Auditor, the Netwrix API data source is added to the plan, and enabled for monitoring. This ensures data is written to the database associated with this plan. |
+| DataSource | No | nvarchar max | IT infrastructure monitored with Auditor (e.g., _Active Directory_). For input Activity Records, the data source is automatically set to Netwrix API. |
+| Item | No | nvarchar max | The exact object that is monitored (e.g., a domain name, SharePoint farm name) or integration name. Sub-element: Name. The item type is added inside the name value in brackets (e.g., _enterprise.local (Domain)_). For input Activity Records, the type is automatically set to Integration, you do not need to provide it. The output Activity Records may contain various item types depending on the monitoring plan configuration: - AD container
- NetApp
- Computer
- Office 365 tenant
- Domain
- Oracle Database instance
- EMC Isilon
- SharePoint farm
- Dell VNX/VNXe
- SQL Server instance
- Integration
- VMware ESX/ESXi/vCenter
- IP range
- Windows file share. If you provide an item name for input Activity Records, ensure this item is included in the monitoring plan within the Netwrix API data source. If you specify an item that does not exist, data will be written to the plan's database anyway but will not be available for search using the Item filter.
|
+| Workstation | No | nvarchar max | An originating workstation from which the change was made (e.g., _WKSwin12.enterprise.local_). |
+| IsArchiveOnly | No | — | IsArchiveOnly allows saving Activity Record to the Long-Term Archive only. In this case, these Activity Records will not be available for search in the Auditor client. |
+| DetailList | No | — | Information specific to the data source, e.g., assigned permissions, before and after values, start and end dates. References details. |
+| Detail sub-elements (provided that DetailList exists) | | | |
+| PropertyName | Yes | nvarchar 255 | The name of a modified property. |
+| Message | No | string | Object-specific details about the change. Message is included in output Activity Records only. |
+| Before | No | ntext | The previous value of the modified property. |
+| After | No | ntext | The new value of the modified property. |
+
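Review bot: the rewritten `Item` row breaks the table. The item-type list is emitted as raw lines (`- AD container` through `- Windows file share.`) followed by a lone `|`, so the cell spans fifteen source lines and a GFM renderer will end the table at the first line that does not begin with `|`. Keep the whole row on one line, separate the types with `<br>` or a comma-separated run (`AD container, NetApp, Computer, ...`), and put the closing `|` on that same line. Two smaller points in the same hunk: `Action` and `When` now end in a period instead of a colon ("When supports the following datetime formats."), but the cell still promises a list of formats that does not follow, so either add the supported formats inline or reword so nothing is promised; and the extra empty `+` line at the end of the hunk adds a blank line before the next section for no reason.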
diff --git a/docs/auditor/10.7/api/compatibility.md b/docs/auditor/10.7/api/compatibility.md
index 6c4e052aa2..e862908266 100644
--- a/docs/auditor/10.7/api/compatibility.md
+++ b/docs/auditor/10.7/api/compatibility.md
@@ -9,11 +9,10 @@ sidebar_position: 130
Make sure to check your product version, and then review and update your add-ons and scripts
leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
-| Property in 8.0 – 8.5 | New property in 9.0 and above |
-| ------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| - XML: `` - JSON: `"AuditedSystem"` | - XML: `` - JSON: `"DataSource"` |
-| - XML: `` - JSON: `"ManagedObject"` | - XML: ` `````` Name `````` Unique ID `````` ` - JSON: `"MonitoringPlan" : { `````` "ID": "{Unique ID}", `````` "Name": "Name" `````` }` Now the MonitoringPlan contains two sub-entries: ID and Name. The ID property is optional and is assigned automatically by the product. |
-| — | - XML: `- `````` Item name ``````
` - JSON: `"Item": {"Name": "Item name"}` |
+| Property in 8.0 – 8.5 | New property in 9.0 and above |
+|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| XML: ``, JSON: `"AuditedSystem"` | XML: ``, JSON: `"DataSource"` |
+| XML: ``, JSON: `"ManagedObject"` | XML: ` Name Unique ID `, JSON: `"MonitoringPlan" : { "ID": "{Unique ID}", "Name": "Name" }` Now the MonitoringPlan contains two sub-entries: ID and Name. The ID property is optional and is assigned automatically by the product. |
+| — | XML: `- Item name
`, JSON: `"Item": {"Name": "Item name"` |
-To learn more about input and output Activity Record structure, refer to
-[Activity Records](/docs/auditor/10.7/api/postdata/activityrecords.md).
+To learn more about input and output Activity Record structure, refer to [Activity Records](/docs/auditor/10.7/api/postdata/activityrecords.md).
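Review bot: the new `Item` row drops the closing brace of the JSON example: `"Item": {"Name": "Item name"` should be `"Item": {"Name": "Item name"}` as it was on the removed line. The same row is still split across two source lines (the XML cell ends on one line and `, JSON: ...` starts the next), which breaks the table exactly as the old version did, and the XML cell keeps a stray list dash inside the code span. Also, every XML cell in this table now renders as an empty code span because the element names are gone; since the point of the table is to show which element was renamed (AuditedSystem to DataSource, ManagedObject to MonitoringPlan, plus the new Item element), the element names need to be restored in the XML column, escaped if the renderer treats angle brackets as markup.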
diff --git a/docs/auditor/10.7/api/errordetails.md b/docs/auditor/10.7/api/errordetails.md
index 79b89c5d8b..501f43d320 100644
--- a/docs/auditor/10.7/api/errordetails.md
+++ b/docs/auditor/10.7/api/errordetails.md
@@ -19,15 +19,35 @@ The error details include:
The error details have the format similar to the following:
-| Format | Example |
-| ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML | ` `````` `````` `````` Category `````` Error Description `````` Error Location `````` `````` ` |
-| JSON | `{ `````` "ErrorList": [ `````` { `````` "Category": "Category", `````` "Description": "Error Description", `````` "Location": "Error Location" `````` } `````` ] `````` }` |
+**XML:**
+```xml
+
+
+
+ Category
+ Error Description
+ Error Location
+
+
+```
+
+**JSON:**
+```json
+{
+ "ErrorList": [
+ {
+ "Category": "Category",
+ "Description": "Error Description",
+ "Location": "Error Location"
+ }
+ ]
+}
+```
Review examples below to see how error details correspond to invalid requests.
-| Request | Error details returned |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Invalid request: XML: `curl -H "Content-Type: application/xml; Charset=UTF-8" https://WKSWin12R2:9699/ netwrix/api/v1/activity_records/search -u Enterprise\ NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml` ` `````` `````` `````` Administrator `````` Active Directory `````` Modified `````` `````` ` - JSON: `curl -H "Content-Type: application/json; Charset=UTF-8" https://WKSWin12R2:9699/ netwrix/api/v1/activity_records/search?format=json -u Enterprise\NetwrixUser: NetwrixIsCool --data-binary @C:\APIdocs\Search.json` `{ `````` "FilterList": { `````` "Who": "Administrator", `````` "DataSource": "Active Directory `````` "Action": "Added" `````` } `````` }` | 400 Bad Request - XML: ` `````` `````` `````` XMLError `````` 0xC00CE56D End tag 'FilterList' does not match the start tag 'DataSource' `````` `````` `````` ` - JSON: If JSON is corrupted, server returns 500 Internal Server Error with empty body. |
-| Invalid request: - XML: `curl https://WKSWin12R2:9699/ netwrix/api/v1/activity_records/ enum?count=FIVE -u Enterprise\ NetwrixUser:NetwrixIsCool` - JSON: `curl https://WKSWin12R2:9699/ netwrix/api/v1/activity_records/ enum?format=json&count=FIVE -u Enterprise\NetwrixUser: NetwrixIsCool` | 400 Bad Request - XML: ` `````` `````` `````` InputError `````` Invalid count parameter specified. Error details: 0x80040204 Cannot convert the attribute data type `````` `````` `````` ` - JSON: `{ `````` "ErrorList": [ `````` { `````` "Category": "InputError", `````` "Description": "Invalid count parameter specified. Error details: 0x80040204 Cannot convert the attribute data type" `````` } `````` ] `````` }` |
-| Valid request, but the Audit Database is unreachable: - XML: `curl https://WKSWin12R2:9699/ netwrix/api/v1/activity_records/enum -u Enterprise\ NetwrixUser:NetwrixIsCool` - JSON: `curl https://WKSWin12R2:9699/ netwrix/api/v1/activity_records/enum?format=json -u Enterprise\NetwrixUser: NetwrixIsCool` | 500 Internal Server Error - XML: ` `````` `````` `````` ServerError `````` 0x80040C0A SQL Server cannot be contacted, connection is lost (0x80040C0A SQL Server cannot be contacted, connection is lost (0x80004005 [DBNETLIB][ConnectionOpen (Connect()). ]SQL Server does not exist or access denied.)) [0x00007FFDCC06BBC8,0x00007FFDB99EF4BA; 0x00007FFDB99BEEEF,0x00007FFDB99EF4DC] `````` `````` `````` ` - JSON: `{ `````` "ErrorList": [ `````` { `````` "Category": "ServerError", `````` "Description": "0x80040C0A SQL Server cannot be contacted, connection is lost (0x80040C0A SQL Server cannot be contacted, connection is lost (0x80004005 [DBNETLIB][ConnectionOpen (Connect()). ]SQL Server does not exist or access denied.)) [0x00007FFDCC06BBC8,0x00007FFDB99EF4BA; 0x00007FFDB99BEEEF,0x00007FFDB99EF4DC]" `````` } `````` ] `````` }` |
+| Request | Error details returned |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Invalid request: **XML:** `curl -H "Content-Type: application/xml; Charset=UTF-8" https://WKSWin12R2:9699/netwrix/api/v1/activity_records/search -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml`; ```xml Administrator Active Directory Modified ```; **JSON:** `curl -H "Content-Type: application/json; Charset=UTF-8" https://WKSWin12R2:9699/netwrix/api/v1/activity_records/search?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.json`; ```json { "FilterList": { "Who": "Administrator", "DataSource": "Active Directory", "Action": "Added" } } ``` | 400 Bad Request; **XML:** ```xml XMLError 0xC00CE56D End tag 'FilterList' does not match the start tag 'DataSource' ```; **JSON:** If JSON is corrupted, server returns 500 Internal Server Error with empty body. |
+| Invalid request: **XML:** `curl https://WKSWin12R2:9699/netwrix/api/v1/activity_records/enum?count=FIVE -u Enterprise\NetwrixUser:NetwrixIsCool`; **JSON:** `curl https://WKSWin12R2:9699/netwrix/api/v1/activity_records/enum?format=json&count=FIVE -u Enterprise\NetwrixUser:NetwrixIsCool` | 400 Bad Request; **XML:** ```xml InputError Invalid count parameter specified. Error details: 0x80040204 Cannot convert the attribute data type ```; **JSON:** ```json { "ErrorList": [ { "Category": "InputError", "Description": "Invalid count parameter specified. Error details: 0x80040204 Cannot convert the attribute data type" } ] } ``` |
+| Valid request, but the Audit Database is unreachable: **XML:** `curl https://WKSWin12R2:9699/netwrix/api/v1/activity_records/enum -u Enterprise\NetwrixUser:NetwrixIsCool`; **JSON:** `curl https://WKSWin12R2:9699/netwrix/api/v1/activity_records/enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool` | 500 Internal Server Error; **XML:** ```xml ServerError 0x80040C0A SQL Server cannot be contacted, connection is lost (0x80004005 [DBNETLIB][ConnectionOpen (Connect())] SQL Server does not exist or access denied.) [0x00007FFDCC06BBC8,0x00007FFDB99EF4BA; 0x00007FFDB99BEEEF,0x00007FFDB99EF4DC] ```; **JSON:** ```json { "ErrorList": [ { "Category": "ServerError", "Description": "0x80040C0A SQL Server cannot be contacted, connection is lost (0x80004005 [DBNETLIB][ConnectionOpen (Connect())] SQL Server does not exist or access denied.) [0x00007FFDCC06BBC8,0x00007FFDB99EF4BA; 0x00007FFDB99BEEEF,0x00007FFDB99EF4DC]" } ] } ``` |
\ No newline at end of file
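Review bot: the first example row no longer demonstrates what its response column says. The removed line deliberately showed corrupted JSON (`"DataSource": "Active Directory` with no closing quote) to match "If JSON is corrupted, server returns 500 Internal Server Error with empty body"; the new line closes the quote and adds a comma, so the request is now well-formed JSON and the 500 explanation does not apply to it. Keep the malformed request as the example. The XML side has the same fragility: the returned `XMLError` says the `FilterList` end tag does not match the `DataSource` start tag, so that sample must stay malformed and the text should say so. Three more points in the hunk: triple-backtick fences inside a table cell do not render as fences, so use single-backtick spans there or move the bodies out of the table as was done for the error-format examples above; the `ServerError` description on the last row has been edited (the nested repeated `0x80040C0A SQL Server cannot be contacted...` was removed and `(Connect()). ]` became `(Connect())] `), which changes text that is supposed to be verbatim server output and should be reverted unless the product really prints the shorter form; and the new fenced XML blocks contain only the text nodes (`Category`, `Error Description`, `Error Location`, `XMLError`, `InputError`, `ServerError`) with no element names, so they are not parseable XML as shown. The file also now ends without a trailing newline.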
diff --git a/docs/auditor/10.7/api/filterreference/filterreference.md b/docs/auditor/10.7/api/filterreference/filterreference.md
index a50c07922e..976bfe9fb7 100644
--- a/docs/auditor/10.7/api/filterreference/filterreference.md
+++ b/docs/auditor/10.7/api/filterreference/filterreference.md
@@ -12,10 +12,10 @@ to create a unique search. You can:
- Add different filters to your search. Search results will be sorted by all selected filters since
they work as a logical AND.
- | Format | Example |
- | ------ | ------------------------------------------------------------------------------------------------------------------------------------ |
- | XML | `Admin `````` Active Directory `````` User` |
- | JSON | `"Who" : { "Equals" : "Admin" }, `````` "DataSource" : { "NotEqualTo" : "Active Directory" }, `````` "What" : "User"` |
+ | Format | Example |
+ |--------|-----------------------------------------------------------------------------------------------------------------------|
+ | XML | `Admin Active Directory User`|
+ | JSON | `"Who": { "Equals": "Admin" }, "DataSource": { "NotEqualTo": "Active Directory" }, "What": "User"` |
- Specify several values for the same filter. To do this, add two entries one after another.
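Review bot: the new XML example reads `Admin Active Directory User` with no element names or operator attributes, so the row no longer shows the structure that the JSON column does (`Equals`, `NotEqualTo`); restore the XML elements so both formats demonstrate the same three filters. The removed line had already lost them, so this looks like the same stripping of angle brackets seen elsewhere in this change set and is worth fixing across the whole filter reference rather than only here.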
@@ -26,7 +26,7 @@ to create a unique search. You can:
| Format | Example |
| ------ | ------------------------------------------------------------------------------------------ |
- | XML | `Admin `````` Analyst` |
+ | XML | `Admin Analyst` |
| JSON | `"Who" : [ "Admin" , "Analyst" ]` Use square brackets to add several values for the entry. |
Review the following for additional information:
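Review bot: same issue as the table above: `Admin Analyst` in the XML cell has no element names, so a reader cannot see that two consecutive `Who` entries are meant, which is the point of the paragraph ("add two entries one after another"); the JSON column still shows it (`"Who" : [ "Admin" , "Analyst" ]`). Also the JSON spacing now differs between the two tables in this file (`"Who" : [` here versus `"Who": {` in the table above); pick one style.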
@@ -36,10 +36,13 @@ Review the following for additional information:
The table below shows filters and Activity Records matching them.
-| Filters | Matching Activity Records |
-| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| - XML: `Administrator `````` `````` SharePoint `````` `````` `````` Read `````` ` - JSON: `"Who" : "Admin", `````` "DataSource" : "SharePoint", `````` "Action" : { `````` "NotEqualTo" : "Read" `````` }` | Retrieves all activity records where administrator made any actions on SharePoint, except Read. - XML: ` `````` Added `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` SharePoint `````` - `````` http://demolabsp:8080 (SharePoint farm) ``````
`````` List `````` 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 `````` http://demolabsp/lists/Taskslist `````` 2017-02-17T09:28:35Z `````` http://demolabsp `````` Enterprise\Administrator `````` 172.28.15.126 `````` `````` `````` Removed `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` SharePoint `````` - `````` http://demolabsp:8080 (SharePoint farm) ``````
`````` List `````` 20160217093959797091D091D2EAF4A89BF7A1CCC27D15857 `````` http://demolabsp/lists/Old/Taskslist `````` 2017-02-17T09:28:35Z `````` http://demolabsp `````` Enterprise\Administrator `````` 172.28.15.126 `````` ` - JSON: `{ `````` "Action": "Added", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "SharePoint", `````` "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, `````` "ObjectType" : "List", `````` "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", `````` "What" : "http://demolabsp/lists/Taskslist", `````` "When" : "2017-02-17T09:28:35Z", `````` "Where" : "http://demolabsp", `````` "Who" : "Enterprise\\Administrator", `````` "Workstation" : "172.28.15.126" `````` }, `````` { `````` "Action" : "Removed", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "SharePoint", `````` "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, `````` "ObjectType" : "List", `````` "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857", `````` "What" : "http://demolabsp/lists/Old/Taskslist", `````` "When" : "2017-02-17T09:28:35Z", `````` "Where" : "http://demolabsp", `````` "Who" : "Enterprise\\Administrator", `````` "Workstation" : "172.28.15.126" `````` }` |
-| - XML: `Administrator `````` Added` - JSON: `"Who" : "Administrator", `````` "Action" : "Added"` | Retrieves all activity records where administrator added an object within any data source. - XML: ` `````` Added `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` SharePoint `````` - `````` http://demolabsp:8080 (SharePoint farm) ``````
`````` List `````` 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 `````` http://demolabsp/lists/Taskslist `````` 2017-02-17T09:28:35Z `````` http://demolabsp `````` Enterprise\Administrator `````` 172.28.15.126 `````` `````` `````` Added `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` Exchange `````` - `````` enterprise.local (Domain) ``````
`````` Mailbox `````` 2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3 `````` Shared Mailbox `````` 2017-02-10T14:46:00Z `````` eswks.enterprise.local `````` Enterprise\Administrator `````` ` - JSON: `{ `````` "Action" : "Added", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "SharePoint", `````` "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, `````` "ObjectType": "List", `````` "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", `````` "What": "http://demolabsp/lists/Taskslist", `````` "When": "2017-02-17T09:28:35Z", `````` "Where": "http://demolabsp", `````` "Who": "Enterprise\\Administrator", `````` "Workstation": "172.28.15.126" `````` }, `````` { `````` "Action" : "Added", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource" : "Exchange", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType" : "Mailbox", `````` "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3", `````` "What": "Shared Mailbox", `````` "When": "2017-02-10T14:46:00Z", `````` "Where": "eswks.enterprise.local", `````` "Who": "Enterprise\\Administrator" `````` }` |
-| - XML: `Admin `````` Analyst` - JSON: `"Who" : [ "Admin" , "Analyst" ]` | Retrieves all activity records where admin or analyst made any changes within any data source. - XML: ` `````` Added `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` File Servers `````` - `````` wks.enterprise.local (Computer) ``````
`````` Folder `````` 2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3 `````` Annual_Reports `````` 2017-02-10T14:46:00Z `````` wks.enterprise.local `````` Enterprise\Admin `````` `````` `````` Removed `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` Active Directory `````` - `````` enterprise.local (Domain) ``````
`````` User `````` 2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3 `````` Anna.Smith `````` 2017-02-10T10:46:00Z `````` dc1.enterprise.local `````` Enterprise\Analyst `````` 172.28.6.15 `````` ` - JSON: `{ `````` "Action": "Added", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource" : "File Servers", `````` "Item": {"Name": "wks.enterprise.local (Computer)"}, `````` "ObjectType": "Folder", `````` "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3", `````` "What": "Annual_Reports", `````` "When": "2017-02-10T14:46:00Z", `````` "Where": "wks.enterprise.local", `````` "Who": "Enterprise\\Admin" `````` }, `````` { `````` "Action": "Removed", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "Active Directory", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType": "User", `````` "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3", `````` "What": "Anna.Smith", `````` "When": "2017-02-10T10:46:00Z", `````` "Where": "dc1.enterprise.local", `````` "Who": "Enterprise\\Analyst", `````` "Workstation": "172.28.6.15" `````` }` |
-| - XML: ` `````` `````` `````` `````` `````` 2017-01-16T16:30:00Z `````` `````` `````` 2017-02-01T00:00:00Z `````` `````` ` - JSON: "When" : [ `{"LastSevenDays" : ""}`, `{` "From" : "2017-01-16T16:30:00Z", "To" : "2017-02-01T00:00:00Z" `}` ] | Retrieves all activity records for all data sources and users within a specified data range: - January 16, 2017 — February 1, 2017 - March 11, 2017 — March 17, 2017 (assume, today is March, 17). - XML: ` `````` Modified `````` My Cloud `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23701} `````` My Cloud `````` `````` Exchange Online `````` - `````` mail@corp.onmicrosoft.com (Office 365 tenant) ``````
`````` Mailbox `````` 201602170939597970997D56DDA034420B9044249CC15EC5A `````` Shared Mailbox `````` 2017-03-17T09:37:11Z `````` BLUPR05MB1940 `````` admin@corp.onmicrosoft.com `````` `````` `````` Successful Logon `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` Logon Activity `````` - `````` enterprise.local (Domain) ``````
`````` Logon `````` 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 `````` stationexchange.enterprise.local `````` 2017-02-17T09:28:35Z `````` enterprisedc1.enterprise.local `````` ENTERPRISE\Administrator `````` stwin12R2.enterprise.local `````` ` - JSON: `{ `````` "Action" : "Modified", `````` "MonitoringPlan" : "My Cloud", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}", `````` "Name": "My Cloud" `````` }, `````` "DataSource": "Exchange Online", `````` "Item": { `````` "Name": "mail@corp.onmicrosoft.com (Office 365 tenant)" `````` }, `````` "ObjectType" : "Mailbox", `````` "RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A", `````` "What" : "Shared Mailbox", `````` "When" : "2017-03-17T09:37:11Z", `````` "Where" : "BLUPR05MB1940", `````` "Who" : "admin@corp.onmicrosoft.com" `````` }, `````` { `````` "Action" : "Successful Logon", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "Logon Activity", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType": "Logon", `````` "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", `````` "What" : "stationexchange.enterprise.local", `````` "When" : "2017-02-17T09:28:35Z", `````` "Where" : "enterprisedc1.enterprise.local", `````` "Who" : "ENTERPRISE\\Administrator", `````` "Workstation" : "stwin12R2.enterprise.local" `````` }` |
-| - XML: ` `````` Logon Activity `````` ` - JSON: `"DataSource" : "Logon Activity"` | Retrieves all activity records for Logon Activity data source irrespective of who made logon attempt and when it was made. - XML: ` `````` Successful Logon `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` Logon Activity `````` - `````` enterprise.local (Domain) ``````
`````` Logon `````` 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 `````` stationexchange.enterprise.local `````` 2017-02-17T09:28:35Z `````` enterprisedc1.enterprise.local `````` ENTERPRISE\Administrator `````` stwin12R2.enterprise.local `````` `````` `````` Successful Logon `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` Logon Activity `````` - `````` enterprise.local (Domain) ``````
`````` Logon `````` 201602170939597970997D56DDA034420B9044249CC15EC5A `````` stationwin12r2.enterprise.local `````` 2017-02-17T09:37:11Z `````` enterprisedc2.enterprise.local `````` ENTERPRISE\Analyst `````` stwin12R2.enterprise.local `````` ` - JSON: `{ `````` "Action" : "Successful Logon", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "Logon Activity", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType" : "Logon", `````` "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", `````` "What" : "stationexchange.enterprise.local", `````` "When" : "2017-02-17T09:28:35Z", `````` "Where" : "enterprisedc1.enterprise.local", `````` "Who" : "ENTERPRISE\\Administrator", `````` "Workstation" : "stwin12R2.enterprise.local" `````` }, `````` { `````` "Action" : "Successful Logon", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "Logon Activity", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType" : "Logon", `````` "RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A", `````` "What" : "stationwin12r2.enterprise.local", `````` "When" : "2017-02-17T09:37:11Z", `````` "Where" : "enterprisedc2.enterprise.local", `````` "Who" : "ENTERPRISE\\Analyst", `````` "Workstation" : "stwin12R2.enterprise.local" `````` }` |
+| Filters | Matching Activity Records |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| XML: `Admin Active Directory User` | Retrieves all activity records where the administrator made any actions on SharePoint, except Read. Examples of XML activity record: ` Added {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance SharePoint - http://demolabsp:8080 (SharePoint farm)
List 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 http://demolabsp/lists/Taskslist 2017-02-17T09:28:35Z http://demolabsp Enterprise\Administrator 172.28.15.126 Removed {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance SharePoint - http://demolabsp:8080 (SharePoint farm)
List 20160217093959797091D091D2EAF4A89BF7A1CCC27D15857 http://demolabsp/lists/Old/Taskslist 2017-02-17T09:28:35Z http://demolabsp Enterprise\Administrator 172.28.15.126 ` |
+| JSON: `"Who" : "Admin", "DataSource" : "SharePoint", "Action" : { "NotEqualTo" : "Read" }` | JSON representation for filtering actions by the administrator on SharePoint. Examples of JSON activity record: `{ "Action": "Added", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "SharePoint", "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, "ObjectType": "List", "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", "What": "http://demolabsp/lists/Taskslist", "When": "2017-02-17T09:28:35Z", "Where": "http://demolabsp", "Who": "Enterprise\\Administrator", "Workstation": "172.28.15.126" }, { "Action" : "Removed", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "SharePoint", "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, "ObjectType": "List", "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857", "What": "http://demolabsp/lists/Old/Taskslist", "When": "2017-02-17T09:28:35Z", "Where": "http://demolabsp", "Who": "Enterprise\\Administrator", "Workstation": "172.28.15.126" }` |
+| XML: `Admin Analyst` | XML example of filtering for multiple users (Admin and Analyst). Example of XML activity record: ` Added {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance File Servers - wks.enterprise.local (Computer)
Folder 2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3 Annual_Reports 2017-02-10T14:46:00Z wks.enterprise.local Enterprise\Admin Removed {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance Active Directory - enterprise.local (Domain)
User 2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3 Anna.Smith 2017-02-10T10:46:00Z dc1.enterprise.local Enterprise\Analyst 172.28.6.15 ` |
+| JSON: `"Who" : [ "Admin" , "Analyst" ]` | JSON format for multiple user records. Example JSON activity record: `{ "Action": "Added", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource" : "File Servers", "Item": {"Name": "wks.enterprise.local (Computer)"}, "ObjectType": "Folder", "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3", "What": "Annual_Reports", "When": "2017-02-10T14:46:00Z", "Where": "wks.enterprise.local", "Who": "Enterprise\\Admin" }, { "Action": "Removed", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Active Directory", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType": "User", "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3", "What": "Anna.Smith", "When": "2017-02-10T10:46:00Z", "Where": "dc1.enterprise.local", "Who": "Enterprise\\Analyst", "Workstation": "172.28.6.15" }` |
+| XML: ` 2017-01-16T16:30:00Z 2017-02-01T00:00:00Z ` | XML example of date filtering. Example of XML activity record: ` Modified My Cloud {42F64379-163E-4A43-A9C5-4514C5A23701} My Cloud Exchange Online - mail@corp.onmicrosoft.com (Office 365 tenant)
Mailbox 201602170939597970997D56DDA034420B9044249CC15EC5A Shared Mailbox 2017-03-17T09:37:11Z BLUPR05MB1940 admin@corp.onmicrosoft.com Successful Logon {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance Logon Activity - enterprise.local (Domain)
Logon 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 stationexchange.enterprise.local 2017-02-17T09:28:35Z enterprisedc1.enterprise.local ENTERPRISE\Administrator stwin12R2.enterprise.local ` |
+| JSON: `"When" : [ {"LastSevenDays" : ""}, {"From" : "2017-01-16T16:30:00Z", "To" : "2017-02-01T00:00:00Z" } ]` | JSON representation of filtering by date range. Example JSON activity record: `{ "Action" : "Modified", "MonitoringPlan" : "My Cloud", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}", "Name": "My Cloud" }, "DataSource": "Exchange Online", "Item": { "Name": "mail@corp.onmicrosoft.com (Office 365 tenant)" }, "ObjectType" : "Mailbox", "RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A", "What" : "Shared Mailbox", "When" : "2017-03-17T09:37:11Z", "Where" : "BLUPR05MB1940", "Who" : "admin@corp.onmicrosoft.com" }, { "Action" : "Successful Logon", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Logon Activity", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType": "Logon", "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", "What" : "stationexchange.enterprise.local", "When" : "2017-02-17T09:28:35Z", "Where" : "enterprisedc1.enterprise.local", "Who" : "ENTERPRISE\\Administrator", "Workstation" : "stwin12R2.enterprise.local" }` |
+| XML: ` Logon Activity ` | Retrieves all activity records for Logon Activity data source irrespective of who made logon attempt and when it was made. Example of XML activity record: ` Successful Logon {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance Logon Activity - enterprise.local (Domain)
Logon 20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7 stationexchange.enterprise.local 2017-02-17T09:28:35Z enterprisedc1.enterprise.local ENTERPRISE\Administrator stwin12R2.enterprise.local Successful Logon {42F64379-163E-4A43-A9C5-4514C5A23798} Compliance Logon Activity - enterprise.local (Domain)
Logon 201602170939597970997D56DDA034420B9044249CC15EC5A stationwin12r2.enterprise.local 2017-02-17T09:37:11Z enterprisedc2.enterprise.local ENTERPRISE\Analyst stwin12R2.enterprise.local ` |
+| JSON: `"DataSource" : "Logon Activity"` | Example JSON retrieval for Logon Activity records. Example JSON activity record: `{ "Action" : "Successful Logon", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Logon Activity", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType" : "Logon", "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", "What" : "stationexchange.enterprise.local", "When" : "2017-02-17T09:28:35Z", "Where" : "enterprisedc1.enterprise.local", "Who" : "ENTERPRISE\\Administrator", "Workstation" : "stwin12R2.enterprise.local" }, { "Action" : "Successful Logon", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Logon Activity", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType" : "Logon", "RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A", "What" : "stationwin12r2.enterprise.local", "When" : "2017-02-17T09:37:11Z", "Where" : "enterprisedc2.enterprise.local", "Who" : "ENTERPRISE\\Analyst", "Workstation" : "stwin12R2.enterprise.local" }` |
\ No newline at end of file
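Review bot: the replacement table rows break the markdown table and drop information the removed rows carried. Each `+| XML:` row (the `Admin Active Directory User`, `Admin Analyst`, date-range and `Logon Activity` rows) continues its record example onto two or three further lines, but a GFM table cell cannot span lines, so everything after the first line renders as stray text outside the table; keep each row on one line, or move the record examples into fenced blocks below the table. The XML filter and record samples also contain only bare values with no element names, so a reader cannot tell which field `Admin` or `Active Directory` is matched against; restore the tags (the JSON rows show the intended field names, `"Who"`, `"DataSource"`, `"Action"`). The date-range JSON row keeps the duplicate key pair `"MonitoringPlan" : "My Cloud"` and `"MonitoringPlan": { ... }` from the old row, which most parsers silently collapse to one value; drop the string form. Finally, the new date-range description ("XML example of date filtering") loses the removed row's explanation that the two ranges are January 16 to February 1, 2017 and the LastSevenDays window (March 11 to 17, assuming today is March 17); that sentence is what tells the reader how `LastSevenDays` and `From`/`To` combine, so carry it over.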
diff --git a/docs/auditor/10.7/api/filterreference/filters.md b/docs/auditor/10.7/api/filterreference/filters.md
index ed8fea7e1a..f64e207fb0 100644
--- a/docs/auditor/10.7/api/filterreference/filters.md
+++ b/docs/auditor/10.7/api/filterreference/filters.md
@@ -9,20 +9,21 @@ sidebar_position: 10
Review the table below to learn more about filters. The filters correspond to Activity Record
fields.
-| Filter | Description | Supported Operators |
-| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ | --- | --- | --- | --- | --------------------- | -------------- | ---------------------- | --- | --------------- | ------------------------- | ---------------- | ---------- | -------------------------- | --- | ------------ | ----------------------- | --------- | -------------- | ----------------------- | --- | ------------- | ------------------------- | --- | ------------ | -------------------- | ----------------------- | ------------------- | ------------------ | --- | -------------- | -------- | -------------------- | -------- | ---------------- | --- | --------------- | ------------- | ------------ | ----------- | ------------ | --- | ---------- | --- | --- | --- | --- | ------------------ | --- | ------------ | --- |
-| RID | Activity Record ID. Limits your search to a unique key of the Activity Record. Max length: 49. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Who | Limits your search to a specific user who made the change (e.g., _Enterprise\ Administrator_, _administrator@enterprise.onmicrosoft.com_). Max length: 255. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | | - InGroup | | - NotInGroup | |
-| Where | Limits your search to a resource where the change was made (e.g., _Enterprise-SQL_, _FileStorage.enterprise.local_). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. Max length: 255. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| ObjectType | Limits your search to objects of a specific type only (e.g., _user_). Max length: 255. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| What | Limits your search to a specific object that was changed (e.g., _NewPolicy_) . Max length: 1073741822. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| DataSource | Limits your search to the selected data source only (e.g., _Active Directory_). Max length: 1073741822. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Monitoring Plan | Limits your search to a specific monitoring plan —Netwrix Auditor object that governs data collection. Max length: 255. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Item | Limits your search to a specific item—object of monitoring—and its type provided in brackets. The following item types are available: | | | | --- | --- | | - AD container | - NetApp | | - Computer | - Office 365 tenant | | - Domain | - Oracle Database instance | | - EMC Isilon | - SharePoint farm | | - EMC VNX/VNXe | - SQL Server instance | | - Integration | - VMware ESX/ESXi/vCenter | | - IP range | - Windows file share | Max length: 1073741822. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Workstation | Limits your search to an originating workstation from which the change was made (e.g., _WKSwin12.enterprise.local_). Max length: 1073741822. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Detail | Limits your search results to entries that contain the specified information in Detail. Normally contains information specific to your data source, e.g., assigned permissions, before and after values, start and end dates. This filter can be helpful when you are looking for a unique entry. Max length: 1073741822. | | | | --- | | - Contains (default) | | | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Before | Limits your search results to entries that contain the specified before value in Detail. Max length: 536870911. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| After | Limits your search results to entries that contain the specified after value in the Detail. Max length: 536870911. | | | | --- | | - Contains (default) | | - DoesNotContain | | - Equals | | - NotEqualTo | | - StartsWith | | - EndsWith | |
-| Action | Limits your search results to certain actions: | | | | --- | --- | | - Added | - Add (Failed Attempt) | | - Removed | - Remove (Failed Attempt) | | - Modified | - Modify (Failed Attempt) | | - Read | - Read (Failed Attempt) | | - Moved | - Move (Failed Attempt) | | - Renamed | - Rename (Failed Attempt) | | - Checked in | - Checked out | | - Discard check out | - Successful Logon | | - Failed Logon | - Logoff | | - Copied | - Sent | | - Session start | - Session end | | - Activated | | | | | | --- | | - Equals (default) | | - NotEqualTo | |
-| When | Limits your search to a specified time range. Netwrix Auditor supports the following for the When filter: - Use Equals (default operator) or NotEqualTo operator - To specify time interval, use Within timeframe with one of the enumerated values (Today, Yesterday, etc.), and/or values in the To and From. To and From support the following date time formats: - YYYY-mm-ddTHH:MM:SSZ—Indicates UTC time (zero offset) - YYYY-mm-ddTHH:MM:SS+HH:MM—Indicates time zones ahead of UTC (positive offset) - YYYY-mm-ddTHH:MM:SS-HH:MM—Indicates time zones behind UTC (negative offset) | 1. Equals (default) 2. NotEqualTo 3. Within timeframe: | | | --- | | - Today | | - Yesterday | | - LastSevenDays | | - LastThirtyDays | | - Equals (default) | | - NotEqualTo | 2. From..To interval |
-| WorkingHours | Limits your search to the specified working hours. You can track activity outside the business hours applying the _NotEqualTo_ operator. To and From support the following date time formats: - HH:MM:SSZ—Indicates UTC time (zero offset) - HH:MM:SS+HH:MM—Indicates time zones ahead of UTC (positive offset) - HH:MM:SS-HH:MM—Indicates time zones behind UTC (negative offset) | | | | --- | | - "From..To" interval | | - Equals (default) | | - NotEqualTo | |
+| Filter | Description | Supported Operators |
+|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| RID | Activity Record ID. Limits your search to a unique key of the Activity Record. Max length: 49. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| Who | Limits your search to a specific user who made the change (e.g., _Enterprise\Administrator_, _administrator@enterprise.onmicrosoft.com_). Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith, InGroup, NotInGroup |
+| Where | Limits your search to a resource where the change was made (e.g., _Enterprise-SQL_, _FileStorage.enterprise.local_). Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| ObjectType | Limits your search to objects of a specific type only (e.g., _user_). Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| What | Limits your search to a specific object that was changed (e.g., _NewPolicy_). Max length: 1073741822 | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| DataSource | Limits your search to the selected data source only (e.g., _Active Directory_). Max length: 1073741822 | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| Monitoring Plan | Limits your search to a specific monitoring plan—Netwrix Auditor object that governs data collection. Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| Item | Limits your search to a specific item—object of monitoring—and its type provided in brackets. Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith, Various item types such as AD container, NetApp, Computer, Office 365 tenant, Domain, Oracle Database instance, EMC Isilon, SharePoint farm, etc. |
+| Workstation | Limits your search to an originating workstation from which the change was made (e.g., _WKSwin12.enterprise.local_). Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| Detail | Limits your search results to entries that contain the specified information in Detail. Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| Before | Limits your search results to entries that contain the specified before value in Detail. Max length: 536870911. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| After | Limits your search results to entries that contain the specified after value in Detail. Max length: 536870911. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
+| Action | Limits your search results to certain actions (e.g., Added, Removed, Modified, Read). | Equals (default), NotEqualTo, List includes Added, Removed, Modified, Read, Moved, Renamed, Checked in/out, etc. |
+| When | Limits your search to a specified time range. Supports various date/time formats. | Equals (default), NotEqualTo, Within timeframe: Today, Yesterday, LastSevenDays, etc., From..To interval |
+| WorkingHours | Limits your search to the specified working hours. You can track activity outside business hours by using the NotEqualTo operator. | "From..To" interval, Equals (default), NotEqualTo | |
+
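Review bot: the rewritten Supported Operators column mixes in values that are not operators, and the descriptions drop format details the removed rows documented. In the `Item` row the text `Various item types such as AD container, NetApp, Computer, ...` and in the `Action` row `List includes Added, Removed, Modified, Read, ...` are allowed filter values, not operators; move them back into the Description column and keep the full lists from the removed rows rather than "etc.". The `When` row now says only "Supports various date/time formats" where the removed row listed `YYYY-mm-ddTHH:MM:SSZ`, `YYYY-mm-ddTHH:MM:SS+HH:MM` and `YYYY-mm-ddTHH:MM:SS-HH:MM`, and the `WorkingHours` row likewise lost its `HH:MM:SSZ` forms; those are the formats an API client has to emit, so keep them. The `Where` row also lost the note that the resource can be an FQDN or NETBIOS name, AD domain or container, SQL Server instance, SharePoint farm or VMware host. Two smaller points: the `Detail` row now lists `DoesNotContain`, which the removed `Detail` row left blank, so confirm that operator is actually supported for Detail before documenting it; and the `WorkingHours` row ends with an extra `| |`, giving it four cells in a three-column table.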
diff --git a/docs/auditor/10.7/api/ports.md b/docs/auditor/10.7/api/ports.md
index cdb651c6c6..d05fa5ff93 100644
--- a/docs/auditor/10.7/api/ports.md
+++ b/docs/auditor/10.7/api/ports.md
@@ -18,24 +18,25 @@ On any computer you plan to host the add-on (source), allow outbound connections
port. On the computer where Netwrix Auditor Server resides (target), allow inbound connections to
local 9699 TCP port.
-| Add-on | Port | Protocol | Source | Target | Purpose |
-| ------------------------------------------------------------------------------------------------------ | ------- | ------------ | --------------------- | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
-| All add-ons or queries | 9699 | TCP | Script or query host | Netwrix Auditor Server | The default Netwrix Auditor Integration API port. However, you can configure another TCP port for that purpose. |
-| AlienVault USM | 53 | UDP/TCP | Script host | DNS Server | DNS Client |
-| Amazon Web Services | 443 | TCP | Script host | Amazon Web Services | — |
-| 53 | UDP/TCP | Script host | DNS server | DNS Client | |
-| - Event Log Export - IBM QRadar - Intel Security - LogRhythm - SolarWinds Log & Event Manager - Splunk | 53 | UDP/TCP | Script host | DNS server | DNS Client |
-| CEF Export | 53 | UDP/TCP | Script host | DNS server | DNS Client |
-| - Cisco Network Devices - Privileged User Monitoring - General Linux Syslog | 514 | UDP | Cisco network devices | Service host | The default port for Cisco network devices remote Syslog logging. However, you can configure another UDP port for that purpose. |
-| 53 | UDP | Service host | DNS server | DNS Client | |
-| HPE ArcSight | 515 | TCP | Script host | ArcSight Logger | — |
-| 514 | UDP | Script host | ArcSight Logger | — | |
-| 53 | UDP/TCP | Script host | DNS server | DNS Client | |
-| 53 | UDP | Script host | DNS server | DNS Client | |
-| RADIUS Server | 139 | TCP | Script host | RADIUS server | RPC/NP Eventlog |
-| 445 | TCP | Script host | RADIUS server | RPC/NP Eventlog | |
-| 137 | UDP | Script host | RADIUS server | RPC/NP Eventlog | |
-| 138 | UDP | Script host | RADIUS server | RPC/NP Eventlog | |
-| 135 | TCP | Script host | RADIUS server | RPC Endpoint Mapper Eventlog | |
-| 1024 – 65535 (Dynamically assigned) | TCP | Script host | RADIUS server | RPC Eventlog | |
-| 53 | UDP/TCP | Script host | DNS server | DNS Client | |
+| Add-on | Port | Protocol | Source | Target | Purpose |
+| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------------ | --------------------- | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
+| All add-ons or queries | 9699 | TCP | Script or query host | Netwrix Auditor Server | The default Netwrix Auditor Integration API port. However, you can configure another TCP port for that purpose. |
+| AlienVault USM | 53 | UDP/TCP | Script host | DNS Server | DNS Client |
+| Amazon Web Services | 443 | TCP | Script host | Amazon Web Services | — |
+| 53 | UDP/TCP | Script host | DNS server | DNS Client | |
+| - Event Log Export
- IBM QRadar
- Intel Security
- LogRhythm
- SolarWinds Log & Event Manager
- Splunk
| 53 | UDP/TCP | Script host | DNS server | DNS Client |
+| CEF Export | 53 | UDP/TCP | Script host | DNS server | DNS Client |
+| - Cisco Network Devices
- Privileged User Monitoring
- General Linux Syslog
| 514 | UDP | Cisco network devices | Service host | The default port for Cisco network devices remote Syslog logging. However, you can configure another UDP port for that purpose. |
+| 53 | UDP | Service host | DNS server | DNS Client | |
+| HPE ArcSight | 515 | TCP | Script host | ArcSight Logger | — |
+| 514 | UDP | Script host | ArcSight Logger | — | |
+| 53 | UDP/TCP | Script host | DNS server | DNS Client | |
+| 53 | UDP | Script host | DNS server | DNS Client | |
+| RADIUS Server | 139 | TCP | Script host | RADIUS server | RPC/NP Eventlog |
+| 445 | TCP | Script host | RADIUS server | RPC/NP Eventlog | |
+| 137 | UDP | Script host | RADIUS server | RPC/NP Eventlog | |
+| 138 | UDP | Script host | RADIUS server | RPC/NP Eventlog | |
+| 135 | TCP | Script host | RADIUS server | RPC Endpoint Mapper Eventlog | |
+| 1024 – 65535 (Dynamically assigned) | TCP | Script host | RADIUS server | RPC Eventlog | |
+| 53 | UDP/TCP | Script host | DNS server | DNS Client | |
+
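Review bot: the two multi-line cells introduced here break the table. The rows starting `+| - Event Log Export` and `+| - Cisco Network Devices` spread a bullet list over several lines before the `| 53 | UDP/TCP | ...` cells arrive, and a GFM table row must be a single line, so these render as a broken list followed by a stray row; keep the add-on names on one line as the removed rows did (`- Event Log Export - IBM QRadar - ...`) or separate them with `<br>`. Also, the continuation rows such as `| 53 | UDP/TCP | Script host | DNS server | DNS Client | |` still have their values shifted one column to the left (the port sits under Add-on and Purpose is empty); since the table is being reworked anyway, add an empty leading cell so Port, Protocol, Source, Target and Purpose line up with the header.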
diff --git a/docs/auditor/10.7/api/postdata/activityrecords.md b/docs/auditor/10.7/api/postdata/activityrecords.md
index cdd4e47b6f..30d9070a0e 100644
--- a/docs/auditor/10.7/api/postdata/activityrecords.md
+++ b/docs/auditor/10.7/api/postdata/activityrecords.md
@@ -10,10 +10,68 @@ In Netwrix terms, one operable chunk of information is called the Activity Recor
Integration API processes both XML and JSON Activity Records. The Activity Records have the format
similar to the following—the exact schema depends on operation (input or output).
-| Format | Example |
-| ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML | ` `````` `````` `````` Who `````` Object Type `````` Action `````` What `````` When `````` Where `````` `````` Unique ID `````` Name `````` `````` Data source `````` - `````` Item name (Item type) ``````
`````` `````` `````` Before Value `````` After Value `````` Property `````` Text `````` `````` `````` `````` ... `````` ` |
-| JSON | `[ `````` { `````` "Action": "Action", `````` "MonitoringPlan": { `````` "ID": "Unique ID", `````` "Name": "Name" `````` }, `````` "DataSource": "Data source", `````` "Item": {"Name": "Item name (Item type)"}, `````` "DetailList": [ `````` { `````` "Before": "Before Value", `````` "After": "After Value", `````` "PropertyName": "Property", `````` "Message": "Text" `````` } `````` ], `````` "ObjectType": "Object Type", `````` "What": "What", `````` "When": "When", `````` "Where": "Where", `````` "Who": "Who" `````` }, `````` {...} `````` ]` |
+**XML:**
+```xml
+
+
+
+ Who
+ Object Type
+ Action
+ What
+ When
+ Where
+
+ Unique ID
+ Name
+
+ Data source
+ -
+ Item name (Item type)
+
+
+
+ Before Value
+ After Value
+ Property
+ Text
+
+
+
+ ...
+
+```
+
+**JSON:**
+```json
+[
+ {
+ "Action": "Action",
+ "MonitoringPlan": {
+ "ID": "Unique ID",
+ "Name": "Name"
+ },
+ "DataSource": "Data source",
+ "Item": {
+ "Name": "Item name (Item type)"
+ },
+ "DetailList": [
+ {
+ "Before": "Before Value",
+ "After": "After Value",
+ "PropertyName": "Property",
+ "Message": "Text"
+ }
+ ],
+ "ObjectType": "Object Type",
+ "What": "What",
+ "When": "When",
+ "Where": "Where",
+ "Who": "Who"
+ },
+ {...}
+]
+```
To feed data from a custom audit source to Netwrix Auditor, send a POST request containing Activity
Records. [Write Activity Records](/docs/auditor/10.7/api/writeactivityrecords.md)
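Review bot: the `xml` fence in this hunk contains only the text nodes of the template (`Who`, `Object Type`, `Action`, a bare `-`, `...`) with no element tags, so it is neither valid XML nor usable as a schema reference, which defeats the point of moving it out of the table; restore the element names around each placeholder (the JSON block beside it shows the intended field names: `Action`, `MonitoringPlan` with `ID` and `Name`, `DataSource`, `Item`, `DetailList` with `Before`, `After`, `PropertyName` and `Message`, `ObjectType`, `What`, `When`, `Where`, `Who`). The JSON block is fine apart from the `{...}` placeholder, which makes the sample unparseable; a sentence above the fence saying the array may hold further records would let the block stay valid JSON.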
@@ -33,9 +91,61 @@ by Netwrix Auditor before further data parsing.
The examples below show an output Activity Record.
-| |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML |
-| ` `````` `````` `````` Modified `````` `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` Compliance `````` `````` Exchange Online `````` - `````` mail@enterprise.onmicrosoft.com (Office 365 tenant) ``````
`````` Mailbox `````` Shared Mailbox `````` 2017-03-17T09:37:11Z `````` BLUPR05MB1940 `````` admin@enterprise.onmicrosoft.com `````` `````` `````` 1 `````` 2 `````` Custom_attribute `````` `````` `````` `````` ` |
-| JSON |
-| `[ `````` { `````` "Action": "Modified", `````` "MonitoringPlan": { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "Compliance" `````` }, `````` "DataSource": "Exchange Online", `````` "Item": {"Name": "mail@enterprise.onmicrosoft.com (Office 365 tenant)"}, `````` "ObjectType": "Mailbox", `````` "What": "Shared Mailbox", `````` "When": "2017-03-17T09:37:11Z", `````` "Where": "BLUPR05MB1940", `````` "Who": "admin@enterprise.onmicrosoft.com", `````` "DetailList": [ `````` { `````` "PropertyName": "Custom_Attribute", `````` "Before": "1", `````` "After": "2" `````` } `````` ] `````` } `````` ]` |
+**XML:**
+```xml
+
+
+
+ Modified
+
+ {42F64379-163E-4A43-A9C5-4514C5A23798}
+ Compliance
+
+ Exchange Online
+ -
+ mail@enterprise.onmicrosoft.com (Office 365 tenant)
+
+ Mailbox
+ Shared Mailbox
+ 2017-03-17T09:37:11Z
+ BLUPR05MB1940
+ admin@enterprise.onmicrosoft.com
+
+
+ 1
+ 2
+ Custom_attribute
+
+
+
+
+```
+
+**JSON:**
+```json
+[
+ {
+ "Action": "Modified",
+ "MonitoringPlan": {
+ "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
+ "Name": "Compliance"
+ },
+ "DataSource": "Exchange Online",
+ "Item": {
+ "Name": "mail@enterprise.onmicrosoft.com (Office 365 tenant)"
+ },
+ "ObjectType": "Mailbox",
+ "What": "Shared Mailbox",
+ "When": "2017-03-17T09:37:11Z",
+ "Where": "BLUPR05MB1940",
+ "Who": "admin@enterprise.onmicrosoft.com",
+ "DetailList": [
+ {
+ "PropertyName": "Custom_Attribute",
+ "Before": "1",
+ "After": "2"
+ }
+ ]
+ }
+]
+```
\ No newline at end of file
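Review bot: the added `xml` block under **XML:** contains only element text and no element tags; every line is a bare value such as `Modified`, `Compliance` or `{42F64379-163E-4A43-A9C5-4514C5A23798}`, so the example cannot be parsed as XML and gives the reader no element names to map onto the JSON keys. The tags were evidently dropped when the table cell was converted; restore them so each value sits inside its element, following the structure the JSON block shows (Action, MonitoringPlan with ID and Name, DataSource, Item/Name, ObjectType, What, When, Where, Who, DetailList with PropertyName/Before/After). Two smaller points: the property name is `Custom_attribute` in the XML but `Custom_Attribute` in the JSON, so the two examples no longer agree, and the file now ends without a trailing newline.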
diff --git a/docs/auditor/10.7/api/postdata/continuationmark.md b/docs/auditor/10.7/api/postdata/continuationmark.md
index 5e38ee201a..c50df2b17d 100644
--- a/docs/auditor/10.7/api/postdata/continuationmark.md
+++ b/docs/auditor/10.7/api/postdata/continuationmark.md
@@ -42,15 +42,56 @@ Search parameters file. [Search Parameters](/docs/auditor/10.7/api/postdata/sear
## Example
-| |
-| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML |
-| [Retrieve Activity Records](/docs/auditor/10.7/api/retrieveactivityrecords.md) |
-| ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A `````` ` |
-| [Search Activity Records](/docs/auditor/10.7/api/searchactivityrecords.md) |
-| ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A `````` `````` Administrator `````` Active Directory `````` Added `````` Group `````` `````` 2016-09-16T16:30:00+11:00 `````` 2017-03-16T00:00:00Z `````` `````` `````` ` |
-| JSON |
-| [Retrieve Activity Records](/docs/auditor/10.7/api/retrieveactivityrecords.md) |
-| `"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"` |
-| [Search Activity Records](/docs/auditor/10.7/api/searchactivityrecords.md) |
-| `{ `````` "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A", `````` "FilterList": { `````` "Who": "Administrator", `````` "DataSource": "Active Directory", `````` "Action": "Added", `````` "ObjectType": { "DoesNotContain": "Group"}, `````` "When": { `````` "From": "2016-09-16T16:30:00+11:00", `````` "To": "2017-03-16T00:00:00Z" `````` } `````` } `````` }` |
+[Retrieve Activity Records](/docs/auditor/10.7/api/retrieveactivityrecords.md)
+```xml
+
+
+PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
+
+```
+
+
+[Search Activity Records](/docs/auditor/10.7/api/searchactivityrecords.md)
+
+```xml
+
+
+ PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
+
+ Administrator
+ Active Directory
+ Added
+ Group
+
+ 2016-09-16T16:30:00+11:00
+ 2017-03-16T00:00:00Z
+
+
+
+```
+
+[Retrieve Activity Records](/docs/auditor/10.7/api/retrieveactivityrecords.md)
+
+```json
+`"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"`
+```
+
+[Search Activity Records](/docs/auditor/10.7/api/searchactivityrecords.md)
+
+```json
+ {
+ "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A",
+ "FilterList": {
+ "Who": "Administrator",
+ "DataSource": "Active Directory",
+ "Action": "Added",
+ "ObjectType": {
+ "DoesNotContain": "Group"
+ },
+ "When": {
+ "From": "2016-09-16T16:30:00+11:00",
+ "To": "2017-03-16T00:00:00Z"
+ }
+ }
+}
+```
\ No newline at end of file
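Review bot: in the JSON "Retrieve Activity Records" example the value is wrapped in inline backticks inside a fenced block (the line reads `"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"` surrounded by single backticks), so the backticks will render literally; drop them and leave just the quoted string. Both `xml` blocks have lost their element tags and show only bare values (`Administrator`, `Active Directory`, `Added`, `Group`, the two timestamps), so the ContinuationMark and FilterList elements that the JSON half expresses with "ContinuationMark" and "FilterList" are not visible in the XML half; restore the tags before merging. Minor: the Search JSON block has a stray leading space on its first two lines, and the file ends without a trailing newline.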
diff --git a/docs/auditor/10.7/api/postdata/searchparameters.md b/docs/auditor/10.7/api/postdata/searchparameters.md
index 905253094c..5bb31be336 100644
--- a/docs/auditor/10.7/api/postdata/searchparameters.md
+++ b/docs/auditor/10.7/api/postdata/searchparameters.md
@@ -12,12 +12,41 @@ parameters file includes one or more filters with operators and values (e.g., to
_data source_ is _SharePoint_); it may also contain a [Continuation Mark](/docs/auditor/10.7/api/postdata/continuationmark.md).
Generally, the Search parameters file looks similar to the following:
-| |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| XML |
-| ` `````` `````` Continuation mark `````` `````` Value `````` Value1 `````` Value2 `````` Value1 `````` Value2 `````` Value1 `````` Value2 `````` `````` ` |
-| JSON |
-| `{ `````` "ContinuationMark": "Continuation Mark", `````` "FilterList": { `````` "Filter1": "Value", `````` "Filter2": [ "Value1", "Value2" ], `````` "Filter3": { `````` "MatchType1": "Value1", `````` "MatchType2": "Value2" `````` }, `````` "Filter4": [ "Value1", { "MatchType": "Value2" } ] `````` } `````` }` |
+**XML:**
+```xml
+
+
+ Continuation mark
+
+ Value
+ Value1
+ Value2
+ Value1
+ Value2
+ Value1
+ Value2
+
+
+```
+
+**JSON:**
+```json
+{
+ "ContinuationMark": "Continuation Mark",
+ "FilterList": {
+ "Filter1": "Value",
+ "Filter2": ["Value1", "Value2"],
+ "Filter3": {
+ "MatchType1": "Value1",
+ "MatchType2": "Value2"
+ },
+ "Filter4": [
+ "Value1",
+ {"MatchType": "Value2"}
+ ]
+ }
+}
+```
Ensure to pass information about transferred data, including `Content-Type:application/xml` or
`application/json `and encoding. The syntax greatly depends on the tool you use.
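Review bot: the `xml` template after "Generally, the Search parameters file looks similar to the following:" has lost its element tags, leaving only the placeholders `Continuation mark`, `Value`, `Value1`, `Value2`, so a reader cannot see which element corresponds to Filter1 through Filter4 or to the MatchType wrappers that the JSON version shows as nested objects; restore the tags so the XML and JSON templates describe the same structure. In the context lines, `application/json ` carries a trailing space inside the backticks and renders with a gap before "and"; move the space outside the code span.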
@@ -36,9 +65,49 @@ Review the following for additional information:
## Example
-| |
-| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML |
-| ` `````` `````` `````` Administrator `````` My Hybrid Cloud enterprise `````` Active Directory `````` Exchange `````` Removed `````` Added `````` Group `````` `````` 2016-01-16T16:30:00+11:00 `````` 2017-01-01T00:00:00Z `````` `````` `````` ` |
-| JSON |
-| `{ `````` "FilterList": { `````` "Who": { "NotEqualTo": "Administrator" }, `````` "MonitoringPlan": "My Hybrid Cloud enterprise", `````` "DataSource": [ "Active Directory", { "StartsWith": "Exchange" } ], `````` "Action": [ "Added", "Removed" ], `````` "ObjectType": { "DoesNotContain": "Group" }, `````` "When": { `````` "From": "2016-01-16T16:30:00+11:00", `````` "To": "2017-01-01T00:00:00Z" `````` } `````` } `````` }` |
+**XML:**
+```xml
+
+
+
+ Administrator
+ My Hybrid Cloud enterprise
+ Active Directory
+ Exchange
+ Removed
+ Added
+ Group
+
+ 2016-01-16T16:30:00+11:00
+ 2017-01-01T00:00:00Z
+
+
+
+```
+
+**JSON:**
+```json
+{
+ "FilterList": {
+ "Who": {
+ "NotEqualTo": "Administrator"
+ },
+ "MonitoringPlan": "My Hybrid Cloud enterprise",
+ "DataSource": [
+ "Active Directory",
+ { "StartsWith": "Exchange" }
+ ],
+ "Action": [
+ "Added",
+ "Removed"
+ ],
+ "ObjectType": {
+ "DoesNotContain": "Group"
+ },
+ "When": {
+ "From": "2016-01-16T16:30:00+11:00",
+ "To": "2017-01-01T00:00:00Z"
+ }
+ }
+}
+```
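Review bot: this `xml` block has the same tag loss as the template above it: the values `Administrator`, `My Hybrid Cloud enterprise`, `Exchange`, `Group` appear without the NotEqualTo, StartsWith and DoesNotContain match-type elements that the JSON block expresses as `{ "NotEqualTo": "Administrator" }`, `{ "StartsWith": "Exchange" }` and `{ "DoesNotContain": "Group" }`, so the two examples no longer describe the same query. Also, the Action values are listed as Removed then Added in the XML but Added then Removed in the JSON; use one order so the examples read as equivalent.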
diff --git a/docs/auditor/10.7/api/responsestatuscodes.md b/docs/auditor/10.7/api/responsestatuscodes.md
index d2f482bd93..32135d9094 100644
--- a/docs/auditor/10.7/api/responsestatuscodes.md
+++ b/docs/auditor/10.7/api/responsestatuscodes.md
@@ -6,16 +6,17 @@ sidebar_position: 100
# Response Status Codes
-| Code | Status | Write Activity Records | Retrieve, search Activity Records |
-| ---------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 200 OK | Success | Success. The body is empty. Activity Records were written to the Audit Database and the Long-Term Archive. | Success. The body contains Activity Records. Activity Records were retrieved from the Audit Database. |
-| 400 Bad Request | Error | Error validating Activity Records. Make sure the Activity Records are compatible with the [Schema](postdata/activityrecords.md#schema). | Error validating request parameters or post data. Make sure the post data files (Continuation mark, Search parameters) are compatible with their schemas and the `?count=` parameter is valid. |
-| 401 Unauthorized | Error | The request is unauthorized and the body is empty. See for [API Endpoints](/docs/auditor/10.7/api/endpoints.md) more information. | |
-| 404 Not Found | Error | Error addressing the endpoint. The body is empty. The requested endpoint does not exist (e.g., /netwrix/api/v1/mynewendpoint/). | |
-| 405 Method Not Allowed | Error | Error addressing the endpoint. The body is empty. Wrong HTTP request was sent (any except POST). | Error addressing the endpoint. The body is empty. Wrong HTTP request was sent (any except GET or POST). |
-| 413 Request Entity Too Large | Error | Error transferring files. The body is empty. The posted file exceeds supported size. | |
-| 500 Internal Server Error | Error | Error writing Activity Records to the Audit Database or the Long-Term Archive: - One or more Activity Records were not processed. - Netwrix Auditor license has expired. - Internal error occurred. | Error retrieving Activity Records from the Audit Database: - Netwrix Auditorlicense has expired. - The Netwrix Auditor Archive Service is unreachable. Try restarting the service on the computer that hosts Netwrix Auditor Server. - Internal error occurred. |
-| 503 Service Unavailable | Error | The Netwrix Auditor Archive Service is busy or unreachable. Try restarting the service on the computer that hosts Netwrix Auditor Server. | — |
+| Code | Status | Write Activity Records | Retrieve, search Activity Records |
+| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 200 OK | Success | Success. The body is empty. Activity Records were written to the Audit Database and the Long-Term Archive. | Success. The body contains Activity Records. Activity Records were retrieved from the Audit Database. |
+| 400 Bad Request | Error | Error validating Activity Records. Make sure the Activity Records are compatible with the [Schema](postdata/activityrecords.md#schema). | Error validating request parameters or post data. Make sure the post data files (Continuation mark, Search parameters) are compatible with their schemas and the `?count=` parameter is valid. |
+| 401 Unauthorized | Error | The request is unauthorized and the body is empty. See for [API Endpoints](/docs/auditor/10.7/api/endpoints.md) more information. | |
+| 404 Not Found | Error | Error addressing the endpoint. The body is empty. The requested endpoint does not exist (e.g., /netwrix/api/v1/mynewendpoint/). | |
+| 405 Method Not Allowed | Error | Error addressing the endpoint. The body is empty. Wrong HTTP request was sent (any except POST). | Error addressing the endpoint. The body is empty. Wrong HTTP request was sent (any except GET or POST). |
+| 413 Request Entity Too Large | Error | Error transferring files. The body is empty. The posted file exceeds supported size. | |
+| 500 Internal Server Error | Error | Error writing Activity Records to the Audit Database or the Long-Term Archive: - One or more Activity Records were not processed.
- Netwrix Auditor license has expired.
- Internal error occurred.
| Error retrieving Activity Records from the Audit Database: - Netwrix Auditorlicense has expired.
- The Netwrix Auditor Archive Service is unreachable. Try restarting the service on the computer that hosts Netwrix Auditor Server.
- Internal error occurred.
|
+| 503 Service Unavailable | Error | The Netwrix Auditor Archive Service is busy or unreachable. Try restarting the service on the computer that hosts Netwrix Auditor Server. | — |
+
Most failed requests contain error in the response body (except those with empty body, e.g., 404,
405). [Error Details](/docs/auditor/10.7/api/errordetails.md)
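Review bot: the 500 Internal Server Error row is now spread over seven physical lines, from `| 500 Internal Server Error` down to the lone `|`, but a Markdown table row must be a single line, so the table breaks at that row and the following lines render as stray list items and loose text. Keep the row on one line and separate the bullet items with `<br>` or semicolons, the way the 503 row is kept on one line. While touching that row, `Netwrix Auditorlicense` is missing a space, and in the 401 row "See for [API Endpoints] more information" should read "See [API Endpoints] for more information".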
diff --git a/docs/auditor/10.7/api/retrieveactivityrecords.md b/docs/auditor/10.7/api/retrieveactivityrecords.md
index 5fa026fb3f..17a835ea4b 100644
--- a/docs/auditor/10.7/api/retrieveactivityrecords.md
+++ b/docs/auditor/10.7/api/retrieveactivityrecords.md
@@ -31,8 +31,18 @@ with ?, others are joined with &, no spaces required (e.g., `?format=json&count=
## Response
| Request Status | Response |
-| -------------- | ------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | --- | --- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- |
-| Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and Continuation Mark. | | | | | --- | --- | --- | | `HTTP/1.1 200 OK `````` Server: Microsoft-HTTPAPI/2.0 `````` Content-Length: 311896 `````` Content-Type: application/xml `````` Date: Fri, 08 Apr 2017 13:56:22 GMT` | or | `HTTP/1.1 200 OK `````` Server: Microsoft-HTTPAPI/2.0 `````` Content-Length: 311896 `````` Content-Type: application/json `````` Date: Fri, 08 Apr 2017 13:56:22 GMT` | |
+|----------------|--------------------------------------------------------------------------------------------------------------------------|
+| Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and Continuation Mark. |
+| | `HTTP/1.1 200 OK` |
+| | `Server: Microsoft-HTTPAPI/2.0` |
+| | `Content-Length: 311896` |
+| | `Content-Type: application/xml` |
+| | `Date: Fri, 08 Apr 2017 13:56:22 GMT` |
+| or | `HTTP/1.1 200 OK` |
+| | `Server: Microsoft-HTTPAPI/2.0` |
+| | `Content-Length: 311896` |
+| | `Content-Type: application/json` |
+| | `Date: Fri, 08 Apr 2017 13:56:22 GMT` |
| Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. |
## Usage Example—Retrieve All Activity Records
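Review bot: the rebuilt Response table puts each header line of the sample response in its own row with an empty first cell and uses a row labelled `or` to separate the XML and JSON variants; that is valid Markdown but the `or` row reads as a third request status. The same Response table in searchactivityrecords.md is rewritten differently in this patch, so pick one layout for both files. Since only the `Content-Type` line differs between the two samples, the cleaner option is a single sentence in the table and the two header samples in fenced blocks below it.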
@@ -52,12 +62,61 @@ response body contains the `ActivityRecordList` root element with Activity Recor
Continuation mark inside. For JSON, a response body contains the `ActivityRecordList` array with
Activity Records collected in braces {} and a Continuation mark.
-| |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML |
-| ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A `````` `````` `````` AD Monitoring `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` `````` Active Directory `````` - `````` enterprise.local (Domain) ``````
`````` user `````` 20160215110503420B9451771F5964A9EAC0A5F35307EA155 `````` \local\enterprise\Users\Jason Smith `````` Added `````` 2017-02-14T15:42:34Z `````` EnterpriseDC1.enterprise.local `````` ENTERPRISE\Administrator `````` EnterpriseDC1.enterprise.local `````` `````` ... `````` ... `````` ` |
-| JSON |
-| `{ `````` "ActivityRecordList": [ `````` { `````` "Action": "Added", `````` "MonitoringPlan" : { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "AD Monitoring" `````` }, `````` "DataSource": "Active Directory", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType": "user", `````` "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155", `````` "What": "\\local\\enterprise\\Users\\Jason Smith", `````` "When": "2017-02-14T15:42:34Z", `````` "Where": "EnterpriseDC1.enterprise.local", `````` "Who": "ENTERPRISE\\Administrator", `````` "Workstation": "EnterpriseDC1.enterprise.local" `````` }, `````` {...}, `````` {...} `````` ], `````` "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A" `````` }` |
+**XML:**
+
+```xml
+
+
+ PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A
+
+
+ AD Monitoring
+ {42F64379-163E-4A43-A9C5-4514C5A23798}
+
+ Active Directory
+ -
+ enterprise.local (Domain)
+
+ user
+ 20160215110503420B9451771F5964A9EAC0A5F35307EA155
+ \local\enterprise\Users\Jason Smith
+ Added
+ 2017-02-14T15:42:34Z
+ EnterpriseDC1.enterprise.local
+ ENTERPRISE\Administrator
+ EnterpriseDC1.enterprise.local
+
+ ...
+ ...
+
+```
+**JSON:**
+
+```json
+{
+ "ActivityRecordList": [
+ {
+ "Action": "Added",
+ "MonitoringPlan": {
+ "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
+ "Name": "AD Monitoring"
+ },
+ "DataSource": "Active Directory",
+ "Item": {"Name": "enterprise.local (Domain)"},
+ "ObjectType": "user",
+ "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
+ "What": "\\local\\enterprise\\Users\\Jason Smith",
+ "When": "2017-02-14T15:42:34Z",
+ "Where": "EnterpriseDC1.enterprise.local",
+ "Who": "ENTERPRISE\\Administrator",
+ "Workstation": "EnterpriseDC1.enterprise.local"
+ },
+ {...},
+ {...}
+ ],
+ "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
+}
+```
**Step 3 –** Continue retrieving Activity Records. Send a POST request containing this Continuation
mark to the same endpoint. See the [Continuation Mark](/docs/auditor/10.7/api/postdata/continuationmark.md) topic for more
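Review bot: the `xml` block has lost its element tags: it shows only values (the continuation mark, `AD Monitoring`, `Active Directory`, `user`, the RID, `Added`, the timestamps), with no ContinuationMark, ActivityRecordList or ActivityRecord elements, even though the paragraph just above says the body contains the `ActivityRecordList` root element with the Continuation mark inside; the example no longer illustrates what the text describes, so restore the tags. Also add a blank line after the closing fence before `**JSON:**` and after the JSON fence before `**Step 3 –**`; some renderers otherwise attach that text to the code block.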
diff --git a/docs/auditor/10.7/api/searchactivityrecords.md b/docs/auditor/10.7/api/searchactivityrecords.md
index c06ff581e8..9bf12ab8e3 100644
--- a/docs/auditor/10.7/api/searchactivityrecords.md
+++ b/docs/auditor/10.7/api/searchactivityrecords.md
@@ -41,8 +41,24 @@ with ?, others are joined with &, no spaces required (e.g., `?format=json&count=
## Response
| Request Status | Response |
-| -------------- | ------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | --- | --- | --- | --- | --- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- |
-| Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and Continuation Mark. | | | | | --- | --- | --- | | `HTTP/1.1 200 OK `````` Server: Microsoft-HTTPAPI/2.0 `````` Content-Length: 311896 `````` Content-Type: application/xml `````` Date: Fri, 08 Apr 2017 13:56:22 GMT` | or | `HTTP/1.1 200 OK `````` Server: Microsoft-HTTPAPI/2.0 `````` Content-Length: 311896 `````` Content-Type: application/json `````` Date: Fri, 08 Apr 2017 13:56:22 GMT` | |
+|----------------|--------------------------------------------------------------------------------------------------------------------------|
+| Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and Continuation Mark. |
+| | **Example for XML response: ** |
+| | ``` |
+| | HTTP/1.1 200 OK |
+| | Server: Microsoft-HTTPAPI/2.0 |
+| | Content-Length: 311896 |
+| | Content-Type: application/xml |
+| | Date: Fri, 08 Apr 2017 13:56:22 GMT |
+| | ``` |
+| | **Example for JSON response: ** |
+| | ``` |
+| | HTTP/1.1 200 OK |
+| | Server: Microsoft-HTTPAPI/2.0 |
+| | Content-Length: 311896 |
+| | Content-Type: application/json |
+| | Date: Fri, 08 Apr 2017 13:56:22 GMT |
+| | ``` |
| Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. |
## Usage Example—Retrieve All Activity Records Matching Search Criteria
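Review bot: the triple-backtick fences placed inside table cells (the `| | ``` |` rows) will not open a code block, because each table cell is inline content; readers will see the literal backticks and the `HTTP/1.1 200 OK`, `Server:`, `Content-Length:` lines as plain text. Either wrap each header line in inline code as retrieveactivityrecords.md does in this same patch, or move the two sample responses out of the table into fenced blocks below it. Also `**Example for XML response: **` and `**Example for JSON response: **` have a space before the closing `**`, which stops the bold from rendering; move the colon and space outside the markers.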
@@ -66,23 +82,108 @@ criteria and a Continuation mark inside. For JSON, a response body contains the
array with Activity Records matching filter criteria and collected in braces {}, and a Continuation
mark.
-| |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML |
-| ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A `````` `````` `````` AD Monitoring `````` {42F64379-163E-4A43-A9C5-4514C5A23798} `````` `````` Active Directory `````` - `````` enterprise.local (Domain) ``````
`````` user `````` 20160215110503420B9451771F5964A9EAC0A5F35307EA155 `````` \local\enterprise\Users\Jason Smith `````` Added `````` 2017-02-14T15:42:34Z `````` EnterpriseDC1.enterprise.local `````` ENTERPRISE\Administrator `````` EnterpriseDC1.enterprise.local `````` `````` ... `````` ... `````` ` |
-| JSON |
-| `{ `````` "ActivityRecordList": [ `````` { `````` "Action": "Added", `````` "MonitoringPlan" : { `````` "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", `````` "Name": "AD Monitoring" `````` }, `````` "DataSource": "Active Directory", `````` "Item": {"Name": "enterprise.local (Domain)"}, `````` "ObjectType": "user", `````` "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155", `````` "What": "\\local\\enterprise\\Users\\Jason Smith", `````` "When": "2017-02-14T15:42:34Z", `````` "Where": "EnterpriseDC1.enterprise.local", `````` "Who": "ENTERPRISE\\Administrator", `````` "Workstation": "EnterpriseDC1.enterprise.local" `````` }, `````` {...}, `````` {...} `````` ], `````` "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A" `````` }` |
+**XML:**
+
+```xml
+
+
+ PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A
+
+
+ AD Monitoring
+ {42F64379-163E-4A43-A9C5-4514C5A23798}
+
+ Active Directory
+ -
+ enterprise.local (Domain)
+
+ user
+ 20160215110503420B9451771F5964A9EAC0A5F35307EA155
+ \local\enterprise\Users\Jason Smith
+ Added
+ 2017-02-14T15:42:34Z
+ EnterpriseDC1.enterprise.local
+ ENTERPRISE\Administrator
+ EnterpriseDC1.enterprise.local
+
+ ...
+ ...
+
+```
+
+**JSON:**
+
+```json
+{
+ "ActivityRecordList": [
+ {
+ "Action": "Added",
+ "MonitoringPlan": {
+ "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
+ "Name": "AD Monitoring"
+ },
+ "DataSource": "Active Directory",
+ "Item": {"Name": "enterprise.local (Domain)"},
+ "ObjectType": "user",
+ "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
+ "What": "\\local\\enterprise\\Users\\Jason Smith",
+ "When": "2017-02-14T15:42:34Z",
+ "Where": "EnterpriseDC1.enterprise.local",
+ "Who": "ENTERPRISE\\Administrator",
+ "Workstation": "EnterpriseDC1.enterprise.local"
+ },
+ {...},
+ {...}
+ ],
+ "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
+}
+```
**Step 3 –** Continue retrieving Activity Records. Send a POST request containing your search
parameters and this Continuation mark to the same endpoint.
-[Continuation Mark](/docs/auditor/10.7/api/postdata/continuationmark.md)
-
-| |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| XML |
-| `curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/search -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml` ` `````` `````` PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A `````` `````` Administrator `````` Active Directory `````` Added `````` Group `````` `````` 2016-09-16T16:30:00+11:00 `````` 2017-03-16T00:00:00Z `````` `````` `````` ` |
-| JSON |
-| `curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/search?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.json` `{ `````` "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A", `````` "FilterList": { `````` "Who": "Administrator", `````` "DataSource": "Active Directory", `````` "Action": "Added", `````` "ObjectType": { "DoesNotContain": "Group"}, `````` "When": { `````` "From": "2016-09-16T16:30:00+11:00", `````` "To": "2017-03-16T00:00:00Z" `````` } `````` } `````` }` |
+See the [Continuation Mark](/docs/auditor/10.7/api/postdata/continuationmark.md) for additional information.
+
+**XML:**
+
+```xml
+
+
+ PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
+
+ Administrator
+ Active Directory
+ Added
+ Group
+
+ 2016-09-16T16:30:00+11:00
+ 2017-03-16T00:00:00Z
+
+
+
+```
+
+**JSON:**
+
+```bash
+curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/search?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.json
+```
+
+```json
+{
+ "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A",
+ "FilterList": {
+ "Who": "Administrator",
+ "DataSource": "Active Directory",
+ "Action": "Added",
+ "ObjectType": { "DoesNotContain": "Group" },
+ "When": {
+ "From": "2016-09-16T16:30:00+11:00",
+ "To": "2017-03-16T00:00:00Z"
+ }
+ }
+}
+
+```
Ensure to pass information about transferred data, including `Content-Type:application/xml` or
`application/json `and encoding. The syntax greatly depends on the tool you use.
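Review bot: the XML half of Step 3 dropped the curl command that the removed table row carried (`curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/search -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml`), while the JSON half keeps its curl line; restore it in a `bash` block before the XML body so both variants show the request. On the curl line that remains, `-u Enterprise\NetwrixUser:NetwrixIsCool` puts the password on the command line, where it is recorded in shell history and visible in the process list; document `-u Enterprise\NetwrixUser` alone so curl prompts for the password, or point readers at `--netrc-file`. And because the block is tagged `bash`, an unquoted `Enterprise\NetwrixUser` has its backslash consumed by the shell; quote the argument or label the block as a Windows command prompt, which the `C:\APIdocs` path suggests it is. Minor: the `xml` block again has no element tags, and the JSON block ends with a blank line inside the fence.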
diff --git a/docs/auditor/10.7/api/security.md b/docs/auditor/10.7/api/security.md
index 1d617fdf62..1745b87036 100644
--- a/docs/auditor/10.7/api/security.md
+++ b/docs/auditor/10.7/api/security.md
@@ -37,9 +37,10 @@ HTTP and HTTPS, assigning new certificates, etc.
- Append `help `to any command to see available parameters and sub-commands. E.g.,
`APIAdminTool.exe api help`.
-| To... | Execute... |
-| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Disable API | `APIAdminTool.exe api disable` This command duplicates the checkbox on the Integrations page in Netwrix Auditor. |
-| Switch to HTTP | `APIAdminTool.exe api http` Netwrix recommends switching to HTTP only in safe intranet environments. To use a non-default port (9699), append a parameter port with value to the command above (e.g.,` port= 4431`). |
-| Switch to HTTPS | `APIAdminTool.exe api https` Run this command if you want to continue using Netwrix-generated certificate. To use a non-default port (9699), append a parameter port with value to the command above (e.g., `port= 4431`). |
-| Assign a new SSL certificate | `APIAdminTool.exe api https certificate` Run this command if you want to apply a new certificate and use it instead default. You must add a certificate to the store before running this command. Provide parameters to specify a certificate: - For a certificate exported to a file: - path—Mandatory, defines certificate location. - store—Optional, defines the store name where certificate is located. By default, Personal. For example: `APIAdminTool.exe api https certificate path= C:\SecureCertificate.cef store= Personal` - For a self-signed certificate: - subject—Mandatory, defines certificate name. - validFrom—Optional, defines a certificate start date. By default, today. - validTo—Optional, defines a certificate expiration date. By default, 5 years after a validFrom date. For example: `APIAdminTool.exe api https certificate subject= New validTo= 01/01/2024` If you want to create a new self-signed certificate for a default period of 5 years from the current date: `APIAdminTool.exe api https certificate subject= "Netwrix Integration API"` - For a certificate specified using thumbprint: - store—Optional, defines the store name where certificate is located. By default, Personal. - thumbprint—Mandatory, defines a thumbprint identifier for a certificate. For example: `APIAdminTool.exe api https certificate thumbprint= 3478cda8586675e420511dc0fdf59078093eeeda` |
+| To... | Execute... |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Disable API | `APIAdminTool.exe api disable` This command duplicates the checkbox on the Integrations page in Netwrix Auditor. |
+| Switch to HTTP | `APIAdminTool.exe api http` Netwrix recommends switching to HTTP only in safe intranet environments. To use a non-default port (9699), append a parameter port with value to the command above (e.g.,` port= 4431`). |
+| Switch to HTTPS | `APIAdminTool.exe api https` Run this command if you want to continue using Netwrix-generated certificate. To use a non-default port (9699), append a parameter port with value to the command above (e.g., `port= 4431`). |
+| Assign a new SSL certificate | `APIAdminTool.exe api https certificate` Run this command if you want to apply a new certificate and use it instead default. You must add a certificate to the store before running this command. Provide parameters to specify a certificate: - For a certificate exported to a file:
- path—Mandatory, defines certificate location.
- store—Optional, defines the store name where certificate is located. By default, Personal. For example: `APIAdminTool.exe api https certificate path= C:\SecureCertificate.cef store= Personal`
- For a self-signed certificate:
- subject—Mandatory, defines certificate name.
- validFrom—Optional, defines a certificate start date. By default, today.
- validTo—Optional, defines a certificate expiration date. By default, 5 years after a validFrom date. For example: `APIAdminTool.exe api https certificate subject= New validTo= 01/01/2024` If you want to create a new self-signed certificate for a default period of 5 years from the current date: `APIAdminTool.exe api https certificate subject= "Netwrix Integration API"`
- For a certificate specified using thumbprint:
- store—Optional, defines the store name where certificate is located. By default, Personal.
- thumbprint—Mandatory, defines a thumbprint identifier for a certificate. For example: `APIAdminTool.exe api https certificate thumbprint= 3478cda8586675e420511dc0fdf59078093eeeda`
|
+
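Review bot: the "Assign a new SSL certificate" row breaks the table. A GFM table row has to stay on one line, but this cell is split so that `- path—Mandatory, defines certificate location.` and the bullet lines after it sit outside any row, with an orphaned `|` left alone on the last line; either keep the whole cell on one line (with `<br>` between bullets) or move the parameter list out of the table into a bulleted list under the heading. In the same cell, "use it instead default" should read "use it instead of the default", and the sample path `C:\SecureCertificate.cef` looks like a typo for `.cer`, worth confirming against the tool. The Switch to HTTP row is carried over unchanged; since the integration API is called with `-u user:password` basic authentication elsewhere in this change, consider adding to "safe intranet environments" that over HTTP those credentials and the posted records travel in clear text.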
diff --git a/docs/auditor/10.7/api/writeactivityrecords.md b/docs/auditor/10.7/api/writeactivityrecords.md
index 521320f625..77e571d993 100644
--- a/docs/auditor/10.7/api/writeactivityrecords.md
+++ b/docs/auditor/10.7/api/writeactivityrecords.md
@@ -49,12 +49,79 @@ This example describes how to feed Activity Records to the Audit Database.
**Step 1 –** Send a POST request containing Activity Records.
[Activity Records](/docs/auditor/10.7/api/postdata/activityrecords.md) For example:
-| |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| XML |
-| `curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/ -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.xml`````` `````` `````` `````` Admin `````` Stored Procedure `````` Added `````` Databases\ReportServer\Stored Procedures\dbo.sp_New `````` `````` Integrations and custom sources `````` `````` WKSWin12SQL `````` 2017-02-19T03:43:49-11:00 `````` `````` `````` Modified `````` Mailbox `````` Shared Mailbox `````` 2017-02-10T14:46:00Z `````` BLUPR05MB1940 `````` admin@enterprise.onmicrosoft.com `````` `````` `````` Custom_Attribute `````` 1 `````` 2 `````` `````` `````` `````` ` |
-| JSON |
-| `curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.json` `[ `````` { `````` "Who": "Admin", `````` "ObjectType": "Stored Procedure", `````` "Action": "Added", `````` "MonitoringPlan": {"Name": "Integrations and custom sources"}, `````` "What": "Databases\\ReportServer\\Stored Procedures\\dbo.sp_New", `````` "Where": "WKSWin12SQL", `````` "When": "2017-02-19T03:43:49-11:00" `````` }, `````` { `````` "Action": "Modified", `````` "ObjectType": "Mailbox", `````` "What": "Shared Mailbox", `````` "When": "2017-02-10T14:46:00Z", `````` "Where": "BLUPR05MB1940", `````` "Who": "admin@enterprise.onmicrosoft.com", `````` "DetailList": [ `````` { `````` "PropertyName": "Custom_Attribute", `````` "Before": "1", `````` "After": "2" `````` } `````` ] `````` } `````` ]` |
+**XML:**
+
+```bash
+curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/ -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.xml
+```
+
+```xml
+
+
+
+ Admin
+ Stored Procedure
+ Added
+ Databases\ReportServer\Stored Procedures\dbo.sp_New
+
+ Integrations and custom sources
+
+ WKSWin12SQL
+ 2017-02-19T03:43:49-11:00
+
+
+ Modified
+ Mailbox
+ Shared Mailbox
+ 2017-02-10T14:46:00Z
+ BLUPR05MB1940
+ admin@enterprise.onmicrosoft.com
+
+
+ Custom_Attribute
+ 1
+ 2
+
+
+
+
+```
+
+**JSON:**
+
+```bash
+curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.json
+```
+
+```json
+[
+ {
+ "Who": "Admin",
+ "ObjectType": "Stored Procedure",
+ "Action": "Added",
+ "MonitoringPlan": {"Name": "Integrations and custom sources"},
+ "What": "Databases\\ReportServer\\Stored Procedures\\dbo.sp_New",
+ "Where": "WKSWin12SQL",
+ "When": "2017-02-19T03:43:49-11:00"
+ },
+ {
+ "Action": "Modified",
+ "ObjectType": "Mailbox",
+ "What": "Shared Mailbox",
+ "When": "2017-02-10T14:46:00Z",
+ "Where": "BLUPR05MB1940",
+ "Who": "admin@enterprise.onmicrosoft.com",
+ "DetailList": [
+ {
+ "PropertyName": "Custom_Attribute",
+ "Before": "1",
+ "After": "2"
+ }
+ ]
+ }
+]
+```
+
Ensure to pass information about transferred data, including `Content-Type:application/xml` or
`application/json `and encoding. The syntax greatly depends on the tool you use.
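Review bot: the XML request body in the `xml` fence has lost its element tags; only the text values (`Admin`, `Stored Procedure`, `Added`, ...) remain, so the block is not valid XML and no longer tells the reader which element each value belongs to, unlike the JSON block that keeps `"Who"`, `"ObjectType"` and the other keys. If the tags were stripped by HTML rendering, escape the angle brackets or check the markup in the source file. The two curl lines are fenced as `bash` but use Windows paths (`@C:\APIdocs\Input.xml`) and an unquoted `Enterprise\NetwrixUser`; under bash the backslashes are consumed and both the user name and the file path arrive mangled, so either tag the fences as plain text or cmd, or single-quote those arguments. Both commands also put the password on the command line (`-u Enterprise\NetwrixUser:NetwrixIsCool`), where it shows up in process listings and shell history; the text could suggest `-u Enterprise\NetwrixUser` alone so curl prompts for the password, or a `--netrc` file.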
@@ -64,27 +131,22 @@ Ensure to pass information about transferred data, including `Content-Type:appli
```
HTTP/1.1 200 OK
-```
Server: Microsoft-HTTPAPI/2.0
-```
Content-Length: 0
-```
Content-Type: text/plain
-````
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
-__Step 3 –__ Send more POST requests containing Activity Records if necessary.
+**Step 3 –** Send more POST requests containing Activity Records if necessary.
-__Step 4 –__ Check that posted data is now available in the Audit Database. Run a search request to [/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/api/searchactivityrecords.md) endpoint or use interactive search in the Netwrix Auditor client. For example:
+**Step 4 –** Check that posted data is now available in the Audit Database. Run a search request to [/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/api/searchactivityrecords.md) endpoint or use interactive search in the Netwrix Auditor client. For example:

-__Step 5 –__ For input Activity Records, the data source is set to Netwrix API.
+**Step 5 –** For input Activity Records, the data source is set to Netwrix API.

-````
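Review bot: Step 4 still ends with "For example:" and nothing follows before Step 5, so the promised search request is missing; either add the example call to the search endpoint or end the sentence at "Netwrix Auditor client". The fence cleanup in the response block is correct: the stray triple-backtick lines between the header fields and the trailing four-backtick line are removed, leaving one block from `HTTP/1.1 200 OK` to `Date: Fri, 08 Apr 2017 13:56:22 GMT`; consider giving that fence an `http` tag to match the `bash` and `json` tags introduced earlier in this file.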
diff --git a/docs/auditor/10.7/configuration/fileservers/delldatastorage/cifss.md b/docs/auditor/10.7/configuration/fileservers/delldatastorage/cifss.md
index 6215bbbfb4..1ce68bd612 100644
--- a/docs/auditor/10.7/configuration/fileservers/delldatastorage/cifss.md
+++ b/docs/auditor/10.7/configuration/fileservers/delldatastorage/cifss.md
@@ -54,59 +54,57 @@ information:
- Failed read attempts
- Failed change attempts
-| Auditing Entry |
-| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Successful reads** |
-| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: - Apply onto—Select _"Files only"_. - Check _"Successful"_ and _"Failed"_ next to List folder / read data. - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-| **Successful changes** |
-| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Successful"_ next to the following permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-| **Failed read attempts** |
-| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Failed"_ next to List folder / read data. - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-| **Failed change attempts** |
-| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Failed"_ next to the following permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
+| Auditing Entry |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Successful reads** |
+| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: - Apply onto—Select _"Files only"_.
- Check _"Successful"_ and _"Failed"_ next to List folder / read data.
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+| **Successful changes** |
+| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: - Apply onto—Select _"This folder, subfolders and files"_.
- Check _"Successful"_ next to the following permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+| **Failed read attempts** |
+| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts only: - Apply onto—Select _"This folder, subfolders and files"_.
- Check _"Failed"_ next to List folder / read data.
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+| **Failed change attempts** |
+| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts only: - Apply onto—Select _"This folder, subfolders and files"_.
- Check _"Failed"_ next to the following permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
-## Configure Audit Settings for the CIFS File Shares Windows Server 2012 and Above
-Follow the steps to configure audit settings.
+## Configure Object-level Access Auditing on Windows Server 2012 and Above
-**Step 7 –** Navigate to the target file share, right-click it and select **Properties**.
+Follow the steps to configure Object-level access auditing on Windows Server 2012 and above.
-**Step 8 –** In the **`` Properties** dialog, select the **Security** tab and click
+**Step 1 –** Navigate to the target file share, right-click it and select **Properties**.
+
+**Step 2 –** In the `` Properties dialog box, select the Security tab and click
**Advanced**.
-**Step 9 –** In the **Advanced Security Settings for ``** dialog, navigate to the
-**Auditing** tab.
+**Step 3 –** In the Advanced Security Settings for `` dialog box, navigate to the
+Auditing tab.
-
+
-**Step 10 –** Click Add to add a new principal. You can select Everyone (or another user-defined
-group containing users that are granted special permissions) and click Edit.
+**Step 4 –** Click **Add** to add a new principal. You can select **Everyone** (or another
+user-defined group containing users that are granted special permissions) and click **Edit**.
-**Step 11 –** In the Auditing Entry for `` dialog, click the Select a principal link
-and specify Everyone.
+**Step 5 –** In the Auditing Entry for `` dialog box, click the **Select a principal**
+link and specify **Everyone**.
-**Step 12 –** You can specify any other user group, but in this case Netwrix Auditor will send
-emails with warnings on incorrect audit configuration. The product will audit only user accounts
-that belong to the selected group.
+**NOTE:** You can specify any other user group, but in this case the emails will be sent with
+warnings on incorrect audit configuration. The product will audit only user accounts that belong to
+the selected group.
-**Step 13 –** Apply settings to your Auditing Entries depending on the access types that you want to
+**Step 6 –** Apply settings to your Auditing Entries depending on the access types that you want to
audit. If you want to audit all access types (successful reads, modification as well as failed read
and modification attempts), you need to add separate Auditing Entries for each file share.
-Otherwise, reports will contain limited data and warning messages. Review the following for
-additional information:
+Otherwise, reports will contain limited data and warning messages.
-- Successful reads
-- Successful changes
-- Failed read attempts
-- Failed change attempts
+Review the following for additional information:
+
+| Auditing Entry | |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- |
+| Successful reads | |
+| The Auditing Entry below shows Advanced Permissions for auditing successful reads only:  - Type—Set to _"Success"_.
- Applies to—Set to _"Files only"_.
- Advanced permissions—Select List folder / read data.
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Successful changes | |
+| The Auditing Entry below shows Advanced Permissions for auditing successful changes only:  - Type—Set to _"Success"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Failed read attempts | |
+| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts:  - Type—Set to _"Fail"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions—Select List folder / read data.
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Failed change attempts | |
+| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts:  - Type—Set to _"Fail"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
-| Auditing Entry | |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | ------------------------ | -------------------- | ----------------------------- | --- | --- | --- | --- | --- | --- | ---------- | --- | --- | --- | --- | ---------- | --------------------------------- | --------------------------------- | --------------------------------- | --- | ---- | --- | --- | --- | --- | ------- | ------- | ---- | ---- | --- | -------------------- | --- | --- | --- | --- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- |
-| **Successful reads** | |
-| The Auditing Entry below shows Advanced Permissions for auditing successful reads only:  - Type—Set to _"Success"_. - Applies to—Set to _"Files only"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
-| **Successful changes** | |
-| The Auditing Entry below shows Advanced Permissions for auditing successful changes only:  - Type—Set to _"Success"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
-| **Failed read attempts** | |
-| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts:  - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
-| **Failed change attempts** | |
-| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts:  - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write attributes - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | Successful reads | Successful modifications | Failed read attempts | Failed modifications attempts | | --- | --- | --- | --- | | Applies to | | | | | Files only | This folder, subfolders and files | This folder, subfolders and files | This folder, subfolders and files | | Type | | | | | Success | Success | Fail | Fail | | Advanced permissions | | | | | - List Folder / Read Data | - Create Files / Write Data - Create Folders / Append Data - Write Attributes - Write Extended Attributes - Delete Subfolders and Files - Delete - Change Permissions - Take Ownership | - List Folder / Read Data | - Create Files / Write Data - Create Folders / Append Data - Write Attributes - Write Extended Attributes - Delete Subfolders and Files - Delete - Change Permissions - Take Ownership | | |
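Review bot: the rewritten Windows Server 2012 and above table silently drops `Write attributes` from both the Successful changes and the Failed change attempts entries. The removed rows listed `- Write attributes - Write extended attributes`, and the removed summary matrix at the end of the old table listed `Write Attributes` as well; if this is unintentional, restore it, since without it attribute-only modifications on the share are not audited. That summary matrix (Applies to, Type and Advanced permissions per entry type) is also gone entirely rather than reformatted; it was the most readable form of this information and could be kept as its own four-column table. Both new tables break GFM rendering because each entry's bullet list continues on lines without a `|` and ends in a bare `|` (for example `- Applies to—Set to _"Files only"_.`); a cell has to stay on one line, so use `<br>` or move the lists below the table. Smaller points: the share-name placeholder between the empty backticks before "Properties dialog box" and in "Auditing Entry for ... dialog box" is empty (likely a token in angle brackets eaten by the renderer), the image lines after Step 3 are empty on both sides of the diff, and the NOTE now says "the emails will be sent" where the removed text named the sender, "Netwrix Auditor will send emails".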
diff --git a/docs/auditor/10.7/configuration/fileservers/netappcmode/cifs.md b/docs/auditor/10.7/configuration/fileservers/netappcmode/cifs.md
index 113e23d8ac..5f20bbb2db 100644
--- a/docs/auditor/10.7/configuration/fileservers/netappcmode/cifs.md
+++ b/docs/auditor/10.7/configuration/fileservers/netappcmode/cifs.md
@@ -65,60 +65,46 @@ Do one of the following depending on the OS:
| Failed change attempts |
| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Failed"_ next to the following permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-## To configure audit settings for the CIFS file shares from computers running Windows Server 2012 and above
+## Configure Object-level Access Auditing on Windows Server 2012 and Above
-1. Navigate to the root shared folder, right-click it and select Properties.
-2. In the **`` Properties** dialog, select the **Security** tab and click **Advanced**.
+Follow the steps to configure Object-level access auditing on Windows Server 2012 and above.
- If there is no such tab, it means a wrong security style has been specified for the volume
- holding this file share.
+**Step 1 –** Navigate to the target file share, right-click it and select **Properties**.
-3. In the **Advanced Security Settings for ``** dialog, navigate to the **Auditing**
- tab, click Edit.
+**Step 2 –** In the `` Properties dialog box, select the Security tab and click
+**Advanced**.
- 
+**Step 3 –** In the Advanced Security Settings for `` dialog box, navigate to the
+Auditing tab.
-4. Click Add to add a new principal. You can also select Everyone (or another user-defined group
- containing users that are granted special permissions) and click Edit.
-5. In the Auditing Entry for `` dialog, click the Select a principal link and specify
- Everyone.
+
+
+**Step 4 –** Click **Add** to add a new principal. You can select **Everyone** (or another
+user-defined group containing users that are granted special permissions) and click **Edit**.
+
+**Step 5 –** In the Auditing Entry for `` dialog box, click the **Select a principal**
+link and specify **Everyone**.
+
+**NOTE:** You can specify any other user group, but in this case the emails will be sent with
+warnings on incorrect audit configuration. The product will audit only user accounts that belong to
+the selected group.
+
+**Step 6 –** Apply settings to your Auditing Entries depending on the access types that you want to
+audit. If you want to audit all access types (successful reads, modification as well as failed read
+and modification attempts), you need to add separate Auditing Entries for each file share.
+Otherwise, reports will contain limited data and warning messages.
+
+Review the following for additional information:
+
+| Auditing Entry | |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- |
+| Successful reads | |
+| The Auditing Entry below shows Advanced Permissions for auditing successful reads only:  - Type—Set to _"Success"_.
- Applies to—Set to _"Files only"_.
- Advanced permissions—Select List folder / read data.
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Successful changes | |
+| The Auditing Entry below shows Advanced Permissions for auditing successful changes only:  - Type—Set to _"Success"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Failed read attempts | |
+| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts:  - Type—Set to _"Fail"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions—Select List folder / read data.
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Failed change attempts | |
+| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts:  - Type—Set to _"Fail"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
- You can specify any other user group, but in this case Netwrix Auditor will send emails with
- warnings on incorrect audit configuration. In this case, the product will only monitor user
- accounts that belong to the selected group.
-6. Apply settings to your Auditing Entries depending on actions that you want to audit. If you want
- to audit all actions (successful reads and changes as well as failed read and change attempts),
- you need to add three separate Auditing Entries for each file share. Otherwise, reports will
- contain limited data and warning messages. Review the following for additional information:
-
- - Successful reads
- - Successful changes
- - Failed read attempts
- - Failed change attempts | Auditing Entry | | | --- | --- | | Successful reads | | | The
- Auditing Entry below shows Advanced Permissions for auditing successful reads only:
-  -
- Type—Set to*"Success"*. - Applies to—Set to*"Files only"*. - Advanced permissions—SelectList
- folder / read data. - Make sure that theOnly apply these auditing settings to objects and/or
- containers within this containercheckbox is cleared. | | | Successful changes | | | The
- Auditing Entry below shows Advanced Permissions for auditing successful changes only:
-  -
- Type—Set to*"Success"*. - Applies to—Set to*"This folder, subfolders and files"*. - Advanced
- permissions: - Create files / write data - Create folders / append data - Write extended
- attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make
- sure that theOnly apply these auditing settings to objects and/or containers within this
- containercheckbox is cleared. | | | Failed read attempts | | | The Auditing Entry below shows
- Advanced Permissions for auditing failed read attempts:
-  -
- Type—Set to*"Fail"*. - Applies to—Set to*"This folder, subfolders and files"*. - Advanced
- permissions—SelectList folder / read data. - Make sure that theOnly apply these auditing
- settings to objects and/or containers within this containercheckbox is cleared. | | | Failed
- change attempts | | | The Auditing Entry below shows Advanced Permissions for auditing failed
- change attempts:
-  -
- Type—Set to*"Fail"*. - Applies to—Set to*"This folder, subfolders and files"*. - Advanced
- permissions: - Create files / write data - Create folders / append data - Write extended
- attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make
- sure that theOnly apply these auditing settings to objects and/or containers within this
- containercheckbox is cleared. To audit successful changes on NetApp 8.x or earlier, also
- selectWrite Attributesin the**Advanced permissions**list in the auditing entry settings. | |
diff --git a/docs/auditor/10.7/configuration/fileservers/netappcmode/overview.md b/docs/auditor/10.7/configuration/fileservers/netappcmode/overview.md
index 077650d4be..881b6d9ebc 100644
--- a/docs/auditor/10.7/configuration/fileservers/netappcmode/overview.md
+++ b/docs/auditor/10.7/configuration/fileservers/netappcmode/overview.md
@@ -130,11 +130,12 @@ To configure Clustered Data ONTAP 8 and ONTAP 9 for monitoring, perform the foll
Netwrix assumes that you are aware of basic installation and configuration steps. If not, refer to
the following administration and management guides.
-| Version | Related documentation |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Clustered Data ONTAP 8.2 | - [Clustered Data ONTAP® 8.2 File Access and Protocols Management Guide](https://library.netapp.com/ecm/ecm_download_file/ECMP1196891) - [Clustered Data ONTAP® 8.2 System Administration Guide for SVM Administrators](https://library.netapp.com/ecm/ecm_download_file/ECMP1368704) |
-| Clustered Data ONTAP 8.3 | - [Clustered Data ONTAP® 8.3 System Administration Guide for Cluster Administrators](https://library.netapp.com/ecm/ecm_get_file/ECMP1636037) - [Clustered Data ONTAP® 8.3 File Access Management Guide for CIFS](https://library.netapp.com/ecm/ecm_download_file/ECMP1610207) |
-| ONTAP 9.0 - 9.10 | - [ONTAP 9 Documentation Center](http://docs.netapp.com/ontap-9/index.jsp) |
+| Version | Related documentation |
+| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Clustered Data ONTAP 8.2 | - [Clustered Data ONTAP® 8.2 File Access and Protocols Management Guide](https://library.netapp.com/ecm/ecm_download_file/ECMP1196891)
- [Clustered Data ONTAP® 8.2 System Administration Guide for SVM Administrators](https://library.netapp.com/ecm/ecm_download_file/ECMP1368704)
|
+| Clustered Data ONTAP 8.3 | - [Clustered Data ONTAP® 8.3 System Administration Guide for Cluster Administrators](https://library.netapp.com/ecm/ecm_get_file/ECMP1636037)
- [Clustered Data ONTAP® 8.3 File Access Management Guide for CIFS](https://library.netapp.com/ecm/ecm_download_file/ECMP1610207)
|
+| ONTAP 9.0 | - [ONTAP 9 Documentation Center](http://docs.netapp.com/ontap-9/index.jsp)
|
+
Perform the following steps before proceeding with the audit configuration.
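Review bot: The new rows split each cell over several lines (`+| Clustered Data ONTAP 8.2 | - [Clustered Data ONTAP® 8.2 File Access and Protocols Management Guide](...)`, then the second link on its own line, then a bare `|` line), which Markdown tables do not support: the row ends at the first line break, the continuation links render as loose paragraph text and the stand-alone `|` lines appear literally. Keep each row on one line and separate the two links with `<br>` if a visual break is wanted. Separately, the last row shrinks `ONTAP 9.0 - 9.10` to `ONTAP 9.0`; unless the supported range really narrowed, restore the range so readers on 9.x do not assume they are unsupported.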
diff --git a/docs/auditor/10.7/configuration/fileservers/windows/advancedpolicy.md b/docs/auditor/10.7/configuration/fileservers/windows/advancedpolicy.md
index 34fe478fc1..d1361226aa 100644
--- a/docs/auditor/10.7/configuration/fileservers/windows/advancedpolicy.md
+++ b/docs/auditor/10.7/configuration/fileservers/windows/advancedpolicy.md
@@ -42,12 +42,13 @@ System Audit Policies.
**Step 3 –** Configure the following audit policies.
-| Policy Subnode | Policy Name | Audit Events |
-| --------------------------- | ----------------------------------------------- | ----------------------------------------------------------------------------- |
-| Object Access | - Audit File System - Audit Handle Manipulation | "Success" and/or "Failure" depending on the type of events you want to track. |
-| - Audit Detailed File Share | "Failure" | |
-| - Audit File Share | "Success" | |
-| Policy Change | - Audit Policy Change | "Success" |
-| Logon/Logoff | - Logon | "Success" |
-| - Logoff | "Success" | |
-| System | - Security State Change | "Success" |
+| Policy Subnode | Policy Name | Audit Events |
+| ------------------------------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
+| Object Access | - Audit File System
- Audit Handle Manipulation
| "Success" and/or "Failure" depending on the type of events you want to track. |
+| - Audit Detailed File Share
| "Failure" | |
+| | "Success" | |
+| Policy Change | | "Success" |
+| Logon/Logoff | | "Success" |
+| | "Success" | |
+| System | | "Success" |
+
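Review bot: The rewritten table loses policy names. The Audit File Share row becomes `+| | "Success" | |`, and the Policy Change, Logon/Logoff and System rows now have an empty Policy Name cell where the old rows listed Audit Policy Change, Logon, Logoff and Security State Change; an admin following this page would not know which subcategories to enable. The multi-line cells (`+| Object Access | - Audit File System` followed by `- Audit Handle Manipulation` on its own line) also break the table, and the pre-existing column shift in `+| - Audit Detailed File Share` (policy name sitting in the Policy Subnode column) is carried over. Suggest one row per policy on a single line, e.g. `| Object Access | Audit File Share | "Success" |`, with the dropped names restored.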
diff --git a/docs/auditor/10.7/configuration/fileservers/windows/objectlevel.md b/docs/auditor/10.7/configuration/fileservers/windows/objectlevel.md
index 68330227bb..9dbf5d97a2 100644
--- a/docs/auditor/10.7/configuration/fileservers/windows/objectlevel.md
+++ b/docs/auditor/10.7/configuration/fileservers/windows/objectlevel.md
@@ -57,16 +57,17 @@ Otherwise, reports will contain limited data and warning messages.
Review the following for additional information:
-| Auditing Entry | |
-| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- |
-| Successful reads | |
-| The Auditing Entry below shows Advanced Permissions for auditing successful reads only:  - Type—Set to _"Success"_. - Applies to—Set to _"Files only"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
-| Successful changes | |
-| The Auditing Entry below shows Advanced Permissions for auditing successful changes only:  - Type—Set to _"Success"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
-| Failed read attempts | |
-| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts:  - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions—Select List folder / read data. - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
-| Failed change attempts | |
-| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts:  - Type—Set to _"Fail"_. - Applies to—Set to _"This folder, subfolders and files"_. - Advanced permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared. | |
+| Auditing Entry | |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- |
+| Successful reads | |
+| The Auditing Entry below shows Advanced Permissions for auditing successful reads only:  - Type—Set to _"Success"_.
- Applies to—Set to _"Files only"_.
- Advanced permissions—Select List folder / read data.
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Successful changes | |
+| The Auditing Entry below shows Advanced Permissions for auditing successful changes only:  - Type—Set to _"Success"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Failed read attempts | |
+| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts:  - Type—Set to _"Fail"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions—Select List folder / read data.
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+| Failed change attempts | |
+| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts:  - Type—Set to _"Fail"_.
- Applies to—Set to _"This folder, subfolders and files"_.
- Advanced permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the Only apply these auditing settings to objects and/or containers within this container checkbox is cleared.
| |
+
## Configure Object-level access auditing on pre-Windows Server 2012 versions
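Review bot: Each Auditing Entry cell now spans several lines and is closed by a bare `| |` line; Markdown tables are strictly one row per line, so everything after the first line of each `+|` row (the Applies to, Advanced permissions and checkbox items) renders as plain text outside the table and the orphan `| |` lines appear literally. Since the second column of this table is always empty, the cleaner fix is to drop the table altogether: make each entry a bold label (`**Successful reads**`) followed by a normal bullet list, which also lets the nested permission list under "Advanced permissions:" render as a sub-list.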
@@ -98,13 +99,14 @@ information:
- Failed read attempts
- Failed change attempts
-| Auditing Entry |
-| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Successful reads** |
-| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: - Apply onto—Select _"Files only"_. - Check _"Successful"_ and _"Failed"_ next to List folder / read data. - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-| **Successful changes** |
-| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Successful"_ next to the following permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-| **Failed read attempts** |
-| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Failed"_ next to List folder / read data. - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
-| **Failed change attempts** |
-| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts only: - Apply onto—Select _"This folder, subfolders and files"_. - Check _"Failed"_ next to the following permissions: - Create files / write data - Create folders / append data - Write extended attributes - Delete subfolders and files - Delete - Change permissions - Take ownership - Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared. |
+| Auditing Entry |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Successful reads** |
+| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: - Apply onto—Select _"Files only"_.
- Check _"Successful"_ and _"Failed"_ next to List folder / read data.
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+| **Successful changes** |
+| The Auditing Entry below shows Advanced Permissions for auditing successful changes only: - Apply onto—Select _"This folder, subfolders and files"_.
- Check _"Successful"_ next to the following permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+| **Failed read attempts** |
+| The Auditing Entry below shows Advanced Permissions for auditing failed read attempts only: - Apply onto—Select _"This folder, subfolders and files"_.
- Check _"Failed"_ next to List folder / read data.
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+| **Failed change attempts** |
+| The Auditing Entry below shows Advanced Permissions for auditing failed change attempts only: - Apply onto—Select _"This folder, subfolders and files"_.
- Check _"Failed"_ next to the following permissions:
- Create files / write data
- Create folders / append data
- Write extended attributes
- Delete subfolders and files
- Delete
- Change permissions
- Take ownership
- Make sure that the **Apply these auditing entries to objects and/or containers within this container only** checkbox is cleared.
|
+
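Review bot: The same single-column table is broken by multi-line cells here: `+| The Auditing Entry below shows Advanced Permissions for auditing successful reads only: - Apply onto—Select _"Files only"_.` is the only part of the row a renderer keeps, and the lines that follow (`- Check _"Successful"_ and _"Failed"_ next to List folder / read data.` down to the bare `|`) fall out of the table as loose text. A one-column table with bold labels carries no information a heading plus bullet list would not; convert each entry to `**Successful reads**` followed by a regular list, or keep every row on one line with `<br>` separators.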
diff --git a/docs/auditor/10.7/configuration/microsoft365/exchangeonline/permissions.md b/docs/auditor/10.7/configuration/microsoft365/exchangeonline/permissions.md
index f4884ffae0..d088527358 100644
--- a/docs/auditor/10.7/configuration/microsoft365/exchangeonline/permissions.md
+++ b/docs/auditor/10.7/configuration/microsoft365/exchangeonline/permissions.md
@@ -167,7 +167,20 @@ Microsoft article.
**Step 3 –** Run the cmdlet, depending on the mailboxes you plan to audit (all mailboxes or selected
individual mailbox):
-| For | Command |
-| -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| All | Execute the following cmdlet: Get-ExoMailbox -PropertySets Minimum -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,LinkedMailbox,RoomMailbox | Set-Mailbox -AuditEnabled $true –AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create –AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create |
-| Selected | Execute the following cmdlet: Set-Mailbox -Identity `{0}` -AuditEnabled $true –AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create –AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create Where the _`{0}`_ character must be replaced with any of the following: - Display Name. Example: "Michael Jones" - Domain\User. Example: enterprise.local\MJones - Email address. Example: analyst@enterprise.onmicrosoft.com - GUID. Example: `{c43a7694-ba06-46d2-ac9b-205f25dfb32d}` - LegacyExchangeDN. Example: /o=EnterpriseDev/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=97da560450c942aba 81b2da46c60858a-analyst - SamAccountName. Example: MANAG58792-1758064122 - (DN) Distinguished name. Example: CN=MJones,CN=Users,DC=enterprisedc1,DC=enterprise,DC=local - User ID or User Principal Name. Example: MJones@enterprise.onmicrosoft.com If you are going to audit multiple individual mailboxes, run the cmdlet for each mailbox you need. |
+| For | Command |
+|----------|-------------------------------------------------------------------------------------------------------------|
+| All | Execute the following cmdlet: |
+| | `Get-ExoMailbox -PropertySets Minimum -RecipientTypeDetails UserMailbox,SharedMailbox,EquipmentMailbox,LinkedMailbox,RoomMailbox` |
+| | `Set-Mailbox -AuditEnabled $true --AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create --AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create` |
+| Selected | Execute the following cmdlet: |
+| | `Set-Mailbox -Identity {0} -AuditEnabled $true --AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create --AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create` |
+| | Where the {0} character must be replaced with any of the following: |
+| | - Display Name. Example: "Michael Jones" |
+| | - Domain\User. Example: `enterprise.local\MJones` |
+| | - Email address. Example: `analyst@enterprise.onmicrosoft.com` |
+| | - GUID. Example: `{c43a7694-ba06-46d2-ac9b-205f25dfb32d}` |
+| | - LegacyExchangeDN. Example: `/o=EnterpriseDev/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=97da560450c942aba81b2da46c60858a-analyst` |
+| | - SamAccountName. Example: `MANAG58792-1758064122` |
+| | - (DN) Distinguished name. Example: `CN=MJones,CN=Users,DC=enterprisedc1,DC=enterprise,DC=local` |
+| | - User ID or User Principal Name. Example: `MJones@enterprise.onmicrosoft.com` |
+| | If you are going to audit multiple individual mailboxes, run the cmdlet for each mailbox you need. |
\ No newline at end of file
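Review bot: Two of the rewritten commands are no longer valid PowerShell. The en-dash parameters `–AuditAdmin`/`–AuditDelegate` were replaced with `--AuditAdmin`/`--AuditDelegate`; cmdlet parameters take a single hyphen (`-AuditAdmin`, `-AuditDelegate`), and a `--` prefix is not parsed as a parameter name, so both Set-Mailbox lines will fail. In the All row the pipeline `Get-ExoMailbox ... | Set-Mailbox ...` was split into two separate table rows, losing the pipe, so `Set-Mailbox -AuditEnabled $true ...` would run with no -Identity and no piped mailboxes. Keep it as one command, escaping the pipe as `\|` inside the cell, or move both commands into a fenced `powershell` block below the table where they need no escaping. The file also now ends without a trailing newline.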
diff --git a/docs/auditor/10.7/configuration/oracle/permissions.md b/docs/auditor/10.7/configuration/oracle/permissions.md
index cec20b8c1d..5b982b94ce 100644
--- a/docs/auditor/10.7/configuration/oracle/permissions.md
+++ b/docs/auditor/10.7/configuration/oracle/permissions.md
@@ -63,17 +63,33 @@ provide this account in the monitoring plan wizard.
1. The `CREATE SESSION` system privilege must be granted to the account used to connect to Oracle
Database for data collection.
2. Depending on your Oracle Database version, the `SELECT` privilege on the certain objects must be
- granted to that account: | | | | --- | --- | | Oracle Database 12c, 18c, 19c | Grant `SELECT`
- privilege on the following objects: - `aud$ ` - `gv_$xml_audit_trail` - `dba_stmt_audit_opts` -
- `v_$parameter` - `dba_obj_audit_opts` - `dba_audit_policies` - `dba_audit_mgmt_clean_events` -
- `gv_$instance` - `fga_log$` - `gv_$unified_audit_trail` - `all_unified_audit_actions` -
- `audit_unified_policies` - `audit_unified_enabled_policies` - `audsys.aud$unified` (for Oracle
- Database 12c Release 2 and higher) | | Oracle Database 11g Starting with version 10.5, Netwrix
- Auditor provides limited support of Oracle Database 11g. | Grant `SELECT` privilege on the
- following objects: - `aud$ ` - `gv_$xml_audit_trail` - `dba_stmt_audit_opts` - `v_$parameter` -
- `dba_obj_audit_opts` - `dba_audit_policies` - `dba_audit_mgmt_clean_events` - `gv_$instance` -
- `fga_log$` |
- - You can grant the default **Administrator** role to the account.
- - If you are going to configure Fine Grained Auditing, make sure that you are using Oracle
- Database _Enterprise Edition_. Then grant privileges depending on your Oracle Database
- version.
+ granted to that account:
+
+| Version | Privileges Required |
+|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
+| Oracle Database 12c, 18c, 19c | Grant SELECT privilege on the following objects: |
+| | - aud$ |
+| | - gv_$xml_audit_trail |
+| | - dba_stmt_audit_opts |
+| | - v_$parameter |
+| | - dba_obj_audit_opts |
+| | - dba_audit_policies |
+| | - dba_audit_mgmt_clean_events |
+| | - gv_$instance |
+| | - fga_log$ |
+| | - gv_$unified_audit_trail |
+| | - all_unified_audit_actions |
+| | - audit_unified_policies |
+| | - audit_unified_enabled_policies |
+| | - audsys.aud$unified (for Oracle Database 12c Release 2 and higher) |
+| Oracle Database 11g | Starting with version 10.5, Netwrix Auditor provides limited support of Oracle Database 11g. |
+| | Grant SELECT privilege on the following objects: |
+| | - aud$ |
+| | - gv_$xml_audit_trail |
+| | - dba_stmt_audit_opts |
+| | - v_$parameter |
+| | - dba_obj_audit_opts |
+| | - dba_audit_policies |
+| | - dba_audit_mgmt_clean_events |
+| | - gv_$instance |
+| | - fga_log$ |
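Review bot: Two bullets are deleted without replacement: `- You can grant the default **Administrator** role to the account.` and the note that Fine Grained Auditing requires Oracle Database _Enterprise Edition_ before granting version-specific privileges. If that was not intended, re-add them after the new table. The identifiers also lost their code formatting (`SELECT`, `aud$`, `gv_$xml_audit_trail`, `v_$parameter`, ...); keep the backticks so names containing `$` and `_` survive the Markdown renderer unchanged and are visibly copy-pasteable into a GRANT statement.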
diff --git a/docs/auditor/10.7/configuration/windowsserver/advancedpolicy.md b/docs/auditor/10.7/configuration/windowsserver/advancedpolicy.md
index f3c953ea53..2e5b235a1e 100644
--- a/docs/auditor/10.7/configuration/windowsserver/advancedpolicy.md
+++ b/docs/auditor/10.7/configuration/windowsserver/advancedpolicy.md
@@ -96,8 +96,9 @@ System Audit Policies.
**Step 3 –** Configure the following audit policies.
-| Policy Subnode | Policy Name | Audit Events |
-| ------------------ | -------------------------------------------------------------------------------------------------- | ------------ |
-| Account Management | - Audit Security Group Management - Audit User Account Management | "Success" |
-| Object Access | - Audit Handle Manipulation - Audit Other Object Access Events - Audit Registry - Audit File Share | "Success" |
-| Policy Change | - Audit Audit Policy Change | "Success" |
+| Policy Subnode | Policy Name | Audit Events |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ------------ |
+| Account Management | - Audit Security Group Management
- Audit User Account Management
| "Success" |
+| Object Access | - Audit Handle Manipulation
- Audit Other Object Access Events
- Audit Registry
- Audit File Share
| "Success" |
+| Policy Change | - Audit Audit Policy Change
| "Success" |
+
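Review bot: The multi-line cells (`+| Account Management | - Audit Security Group Management`, then `- Audit User Account Management` on its own line, then `| "Success" |`) break the table: a Markdown row ends at the line break, so the continuation policy names and the `| "Success" |` fragments render as stray text. Either keep each subnode on one line with `<br>` between policy names, or use one row per policy (`| Object Access | Audit Registry | "Success" |`), which is also easier to check against the Advanced Audit Policy Configuration snap-in.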
diff --git a/docs/auditor/10.7/configuration/windowsserver/overview.md b/docs/auditor/10.7/configuration/windowsserver/overview.md
index 5d80a0c7e3..99ac44277c 100644
--- a/docs/auditor/10.7/configuration/windowsserver/overview.md
+++ b/docs/auditor/10.7/configuration/windowsserver/overview.md
@@ -142,108 +142,109 @@ Keystopic for additional information.
In the table below, double asterisks (\*\*) indicates the components and settings for which the Who
value is reported as _“Not Applicable”_.
-| Object type | Attributes |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| General Computer Settings | |
-| Computer | - System state changed to Started - System state changed to Stopped. Reason: Reason type - System state changed to Stopped. Reason: unexpected shutdown or system failure |
-| Computer Name | - Computer Description - Name - Domain |
-| Environment Variables | - Type - Value |
-| Event Log | - Event Log Cleared |
-| General | - Caption - Organization - Registered User - Serial Number - Service Pack\*\* - Version\*\* |
-| Remote | - Enable Remote Desktop on this computer |
-| Startup and Recovery | - Automatically Restart - Dump File - Dump Type - Overwrite any existing file - Send Alert - System Startup Delay - Write an Event |
-| System Time | - System time changed from ... to ... - Time zone changed Not supported on Windows Server 2008 SP2 and Windows Server 2008 R2. |
-| Add / Remove Programs | |
-| Add or Remove Programs | - Installed For\*\* - Version |
-| Services | |
-| System Service | - Action in case of failed service startup - Action in case of service stopping - Allow service to interact with desktop - Caption - Created - Deleted - Description - Name - Path to executable - Service Account - Service Type - Start Mode - Error Control |
-| Audit Policies | |
-| Local Audit Policy | - Added Audit settings Only for the Global Object Access Auditing advanced policies. - Successful audit enabled/disabled - Failure audit enabled/disabled |
-| Per-User Local Audit Policy | - Success audit include added - Success audit include removed - Failure audit include added - Failure audit include removed - Success audit exclude added - Success audit exclude removed - Failure audit exclude added - Failure audit exclude remove |
-| Hardware | |
-| Base Board\*\* | - Hosting Board - Status - Manufacturer - Product - Version - Serial Number |
-| BIOS\*\* | - Manufacturer - Version |
-| Bus\*\* | - Bus Type - Status |
-| Cache Memory\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Purpose - Status |
-| CD-ROM Drive\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Media Type - Name - SCSI Bus - SCSI Logical Unit - SCSI Port - SCSI Target ID - Status |
-| Disk Partition\*\* | - Primary Partition - Size (bytes) - Starting offset (bytes) |
-| Display Adapter\*\* | - Adapter RAM (bytes) - Adapter Type - Bits/Pixel - Configuration Manager Error Code - Driver Version - Installed Drivers - Last Error Description - Last Error Code - Refresh Rate - Resolution - Status |
-| DMA\*\* | - Status |
-| Floppy Drive\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Status |
-| Hard Drive\*\* | - Bytes/Sector - Configuration Manager Error Code - Interface Type - Last Error Description - Last Error Code - Media Loaded - Media Type - Model - Partitions - SCSI Bus - SCSI Logical Unit - SCSI Port - SCSI Target ID - Sectors/Track - Size (bytes) - Status - Total Cylinders - Total Heads - Total Sectors - Total Tracks - Tracks/Cylinder |
-| IDE\*\* | - Configuration Manager Error Code - Description - Last Error Description - Last Error Code - Status |
-| Infrared\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Status |
-| Keyboard\*\* | - Configuration Manager Error Code - Description - Last Error Description - Last Error Code - Layout - Name - Status |
-| Logical Disk\*\* | - Description - File System - Size (bytes) - Status |
-| Monitor\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Monitor Type - Status |
-| Network Adapter | - Adapter Type \* - Configuration Manager Error Code - Default IP Gateway \* - DHCP Enabled\* - DHCP Server - DNS Server Search Order - IP Address \* - Last Error Description - Last Error Code - MAC Address - Network Connection Name - Network Connection Status - Service Name - Status \* — indicates the properties whose changes may not be reported correctly, displaying "_Who_" (i.e. initiator's account) as _System_. |
-| Network Protocol\*\* | - Description - Status |
-| Parallel Ports\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Status |
-| PCMCIA Controller\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Status |
-| Physical Memory\*\* | - Capacity (bytes) - Status - Manufacturer - Memory Type - Speed - Part Number - Serial Number |
-| Pointing Device\*\* | - Configuration Manager Error Code - Double Click Threshold - Handedness - Hardware Type - Last Error Description - Last Error Code - Number of buttons - Status |
-| Printing | - Comment\*\* - Hidden\*\* - Local\*\* - Location\*\* - Name\*\* - Network\*\* - Port Name\*\* - Printer error information - Published\*\* - Shared\*\* - Share Name\*\* - Status |
-| Processor\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Max Clock Speed (MHz) - Name - Status |
-| SCSI\*\* | - Configuration Manager Error Code - Description - Last Error Description - Last Error Code - Status |
-| Serial Ports\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Maximum Bits/Second - Name - Status |
-| Sound Device\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Status |
-| System Slot\*\* | - Slot Designation - Status |
-| USB Controller\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Name - Status |
-| USB Hub\*\* | - Configuration Manager Error Code - Last Error Description - Last Error Code - Name - Status |
-| DHCP configuration | |
-| If the DHCP server runs on Windows Server 2008 (or below), then the Who value for DHCP server configuration events is reported as _“Not Applicable”_. | |
-| Server role | - Added - Removed |
-| Server settings | - Type: - IPv4 - IPv4 Filters - IPv6 - Action: - Modified |
-| DHCP scope | - Type: - IPv4 - Multicast IPv4 - Superscope for IPv4 - IPv6 - Action: - Added - Removed - Modified - Moved |
-| DHCP Reservation | - Type: - IPv4 - IPv6 - Action: - Added - Removed - Modified |
-| DHCP Policy | - Type: - IPv4 - IPv4 server-wide - Action: - Added - Removed - Modified - Renamed |
-| Removable media | |
-| Removable Storage Media\*\* | Netwrix Auditor does not report on floppy/optical disk and memory card storage medias. For removable storages, the When value reports actual time when a change was made and/or a target server was started. - Device class: - CD and DVD - Floppy Drives - Removable Disk - Tape Drives - Windows Portable Devices When the Audit Object Access local audit policy and/or the Audit Central Access Policy Staging \ Audit Removable Storage advanced audit policies are enabled on the target server, the `gpupdate /force` command execution issues removable storage restart. These actions are disclosed in Netwrix Auditor reports, search, and activity summaries. Note that these actions are system, not user-effected. |
-| Scheduled Tasks | |
-| Scheduled Task | - Account Name - Application - Comment - Creator - Enabled - Parameters - Triggers |
-| Local Users and Groups | |
-| Local Group | - Description - Name - Members |
-| Local User | - Description - Disabled/Enabled - Full Name - Name - User cannot change password - Password Never Expires - User must change password at next logon |
-| DNS Configuration | |
-| The Who value will be reported for DNS configuration settings only if the DNS server runs on Windows Server 2012 R2. See the following Microsoft article for additional information: [Update adds query logging and change auditing to Windows DNS servers](https://support.microsoft.com/en-us/kb/2956577). | |
-| DNS Server | - Address Answer Limit - Allow Update - Auto Cache Update - Auto Config File Zones - Bind Secondaries - Boot Method - Default Aging State - Default No Refresh Interval - Default Refresh Interval - Disable Auto Reverse Zones - Disjoint Nets - Ds Available - Ds Polling Interval - Ds Tombstone Interval - EDns Cache Timeout - Enable Directory Partitions - Enable Dns Sec - Enable EDns Probes - CD-ROM D Enable Netmask Ordering - Event Log Level - Fail On Load If Bad Zone Data - Forward Delegations - Forwarders - Forwarding Timeout - Is Slave - Listen Addresses - Log File Max Size - Log File Path - Log Level - Loose Wildcarding - Max Cache TTL - Max Negative Cache TTL - Name Check Flag - No Recursion - Recursion Retry - Recursion Timeout - Round Robin - Rpc Protocol - Scavenging Interval - Secure Cache Against Pollution - Send Port - Server Addresses |
-| DNS Zone | - Aging State - Allow update - Auto created - Data file name - Ds integrated - Expires after - Forwarder slave - Forwarder timeout - Master servers - Minimum TTL - No refresh interval - Notify - Notify servers - Owner name - Paused - Primary server - Refresh interval - Responsible person - Retry interval - Reverse - Scavenge servers - Secondary servers - Secure secondaries - Shutdown - TTL - User NB stat - Use WINS - Zone type |
-| DNS Resource Records | |
-| The Who value will be reported for DNS Resource Records only if the DNS server runs Windows Server 2012 R2. See the following Microsoft article for additional information: [Update adds query logging and change auditing to Windows DNS servers](https://support.microsoft.com/en-us/kb/2956577). | |
-| DNS AAAA | - Container name - IPv6 Address - Owner name - Record class - TTL - Zone type |
-| DNS AFSDB | - Container name - Owner name - Server name - Server subtype - Record class - TTL - Zone type |
-| DNS ATM A | - ATM Address - Container name - Format - Owner name - Record class - TTL - Value - Zone type |
-| DNS A | - Container name - IP Address - Owner name - Record class - TTL - Zone type |
-| DNS CNAME | - Container name - FQDN for target host - Owner name - Record class - TTL - Zone type |
-| DNS DHCID | - Container name - DHCID (base 64) - Owner name - Record class - TTL - Zone type |
-| DNS DNAME | - Container name - FQDN for target domain - Owner name - Record class - TTL - Zone type |
-| DNS DNSKEY | - Algorithm - Container name - Key type - Key (base 64) - Name type - Owner name - Protocol - Record class - Signatory field - TTL - Zone type |
-| DNS DS | - Algorithm - Container name - Data - DigestType - Key tag - Owner name - Record class - TTL - Zone type |
-| DNS HINFO | - Container name - CPU type - Operating system - Owner name - Record class - TTL - Zone type |
-| DNS ISDN | - Container name - ISDN phone number and DDI - ISDN subaddress - Owner name - Record class - TTL - Zone type |
-| DNS KEY | - Algorithm - Container name - Key type - Key (base 64) - Name type - Owner name - Protocol - Record class - Signatory field - TTL - Zone type |
-| DNS MB\*\*\* | - Container name - Mailbox host - Owner name - Record class - TTL - Zone type |
-| DNS MD | - Container name - MD host - Owner name - Record class - TTL - Zone type |
-| DNS MF | - Container name - MF host - Owner name - Record class - TTL - Zone type |
-| DNS MG | - Container name - Member mailbox - Owner name - Record class - TTL - Zone type |
-| DNS MINFO | - Container name - Error mailbox - Owner name - Responsible mailbox - Record class - TTL - Zone type |
-| DNS MR | - Container name - Owner name - Replacement mailbox - Record class - TTL - Zone type |
-| DNS MX | - Container name - FQDN of mail server - Mail server priority - Owner name - Record class - TTL - Zone type |
-| DNS NAPTR | - Container name - Flag string - Order - Owner name - Preference - Record class - Regular expression string - Replacement domain - Service string - TTL - Zone type |
-| DNS NS | - Container name - Name servers - Owner name - TTL |
-| DNS NXT | - Container name - Next domain name - Owner name - Record class - Record types - TTL - Zone type |
-| DNS PTR | - Container name - Owner name - PTR domain name - Record class - TTL - Zone type |
-| DNS RP | - Container name - Mailbox of responsible person - Optional associated text (TXT) record - Owner name - Record class - TTL - Zone type |
-| DNS RRSIG | - Algorithm - Container name - Key tag - Labels - Original TTL - Owner name - Record class - Signature expiration (GMT) - Signature inception (GMT) - Signature (base 64) - Signer's name - TTL - Type covered - Zone type |
-| DNS RT | - Container name - Intermediate host - Owner name - Preference - Record class - TTL - Zone type |
-| DNS SIG | - Algorithm - Container name - Key tag - Labels - Original TTL - Owner name - Record class - Signature expiration (GMT) - Signature inception (GMT) - Signature (base 64) - Signer's name - TTL - Type covered - Zone type |
-| DNS SRV | - Container name - Host offering this service - Owner name - Port number - Priority - Record class - TTL - Weight - Zone type |
-| DNS TEXT | - Container name - Owner name - Record class - Text - TTL - Zone type |
-| DNS WINS | - Cache time-out - Container name - Do not replicate this record - Lookup time-out - Owner name - Record class - Wins servers - Zone type |
-| DNS WKS | - Container name - IP address - Owner name - Protocol - Record class - Services - TTL - Zone type |
-| DNS X25 | - Container name - Owner name - Record - Record class - TTL - X.121 PSDN address - Zone type |
-| File Shares | |
-| Share | - Access-based enumeration - Caching - Description - Enable BranchCache - Encrypt data access - Folder path - Share permissions - User limit |
+| Object type | Attributes |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General Computer Settings | |
+| Computer | - System state changed to Started
- System state changed to Stopped. Reason: Reason type
- System state changed to Stopped. Reason: unexpected shutdown or system failure
|
+| Computer Name | - Computer Description
- Name
- Domain
|
+| Environment Variables | |
+| Event Log | |
+| General | - Caption
- Organization
- Registered User
- Serial Number
- Service Pack\*\*
- Version\*\*
|
+| Remote | - Enable Remote Desktop on this computer
|
+| Startup and Recovery | - Automatically Restart
- Dump File
- Dump Type
- Overwrite any existing file
- Send Alert
- System Startup Delay
- Write an Event
|
+| System Time | - System time changed from ... to ...
- Time zone changed Not supported on Windows Server 2008 SP2 and Windows Server 2008 R2.
|
+| Add / Remove Programs | |
+| Add or Remove Programs | |
+| Services | |
+| System Service | - Action in case of failed service startup
- Action in case of service stopping
- Allow service to interact with desktop
- Caption
- Created
- Deleted
- Description
- Name
- Path to executable
- Service Account
- Service Type
- Start Mode
- Error Control
|
+| Audit Policies | |
+| Local Audit Policy | - Added Audit settings Only for the Global Object Access Auditing advanced policies.
- Successful audit enabled/disabled
- Failure audit enabled/disabled
|
+| Per-User Local Audit Policy | - Success audit include added
- Success audit include removed
- Failure audit include added
- Failure audit include removed
- Success audit exclude added
- Success audit exclude removed
- Failure audit exclude added
- Failure audit exclude remove
|
+| Hardware | |
+| Base Board\*\* | - Hosting Board
- Status
- Manufacturer
- Product
- Version
- Serial Number
|
+| BIOS\*\* | |
+| Bus\*\* | |
+| Cache Memory\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Purpose
- Status
|
+| CD-ROM Drive\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Media Type
- Name
- SCSI Bus
- SCSI Logical Unit
- SCSI Port
- SCSI Target ID
- Status
|
+| Disk Partition\*\* | - Primary Partition
- Size (bytes)
- Starting offset (bytes)
|
+| Display Adapter\*\* | - Adapter RAM (bytes)
- Adapter Type
- Bits/Pixel
- Configuration Manager Error Code
- Driver Version
- Installed Drivers
- Last Error Description
- Last Error Code
- Refresh Rate
- Resolution
- Status
|
+| DMA\*\* | |
+| Floppy Drive\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Status
|
+| Hard Drive\*\* | - Bytes/Sector
- Configuration Manager Error Code
- Interface Type
- Last Error Description
- Last Error Code
- Media Loaded
- Media Type
- Model
- Partitions
- SCSI Bus
- SCSI Logical Unit
- SCSI Port
- SCSI Target ID
- Sectors/Track
- Size (bytes)
- Status
- Total Cylinders
- Total Heads
- Total Sectors
- Total Tracks
- Tracks/Cylinder
|
+| IDE\*\* | - Configuration Manager Error Code
- Description
- Last Error Description
- Last Error Code
- Status
|
+| Infrared\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Status
|
+| Keyboard\*\* | - Configuration Manager Error Code
- Description
- Last Error Description
- Last Error Code
- Layout
- Name
- Status
|
+| Logical Disk\*\* | - Description
- File System
- Size (bytes)
- Status
|
+| Monitor\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Monitor Type
- Status
|
+| Network Adapter | - Adapter Type \*
- Configuration Manager Error Code
- Default IP Gateway \*
- DHCP Enabled\*
- DHCP Server
- DNS Server Search Order
- IP Address \*
- Last Error Description
- Last Error Code
- MAC Address
- Network Connection Name
- Network Connection Status
- Service Name
- Status \* — indicates the properties whose changes may not be reported correctly, displaying "_Who_" (i.e. initiator's account) as _System_.
|
+| Network Protocol\*\* | |
+| Parallel Ports\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Status
|
+| PCMCIA Controller\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Status
|
+| Physical Memory\*\* | - Capacity (bytes)
- Status
- Manufacturer
- Memory Type
- Speed
- Part Number
- Serial Number
|
+| Pointing Device\*\* | - Configuration Manager Error Code
- Double Click Threshold
- Handedness
- Hardware Type
- Last Error Description
- Last Error Code
- Number of buttons
- Status
|
+| Printing | - Comment\*\*
- Hidden\*\*
- Local\*\*
- Location\*\*
- Name\*\*
- Network\*\*
- Port Name\*\*
- Printer error information
- Published\*\*
- Shared\*\*
- Share Name\*\*
- Status
|
+| Processor\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Max Clock Speed (MHz)
- Name
- Status
|
+| SCSI\*\* | - Configuration Manager Error Code
- Description
- Last Error Description
- Last Error Code
- Status
|
+| Serial Ports\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Maximum Bits/Second
- Name
- Status
|
+| Sound Device\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Status
|
+| System Slot\*\* | |
+| USB Controller\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Name
- Status
|
+| USB Hub\*\* | - Configuration Manager Error Code
- Last Error Description
- Last Error Code
- Name
- Status
|
+| DHCP configuration | |
+| If the DHCP server runs on Windows Server 2008 (or below), then the Who value for DHCP server configuration events is reported as _“Not Applicable”_. | |
+| Server role | |
+| Server settings | - Type:
- IPv4
- IPv4 Filters
- IPv6
- Action:
- Modified
|
+| DHCP scope | - Type:
- IPv4
- Multicast IPv4
- Superscope for IPv4
- IPv6
- Action:
- Added
- Removed
- Modified
- Moved
|
+| DHCP Reservation | - Type:
- IPv4
- IPv6
- Action:
- Added
- Removed
- Modified
|
+| DHCP Policy | - Type:
- IPv4
- IPv4 server-wide
- Action:
- Added
- Removed
- Modified
- Renamed
|
+| Removable media | |
+| Removable Storage Media\*\* | Netwrix Auditor does not report on floppy/optical disk and memory card storage medias. For removable storages, the When value reports actual time when a change was made and/or a target server was started. - Device class:
- CD and DVD
- Floppy Drives
- Removable Disk
- Tape Drives
- Windows Portable Devices When the Audit Object Access local audit policy and/or the Audit Central Access Policy Staging \ Audit Removable Storage advanced audit policies are enabled on the target server, the `gpupdate /force` command execution issues removable storage restart. These actions are disclosed in Netwrix Auditor reports, search, and activity summaries. Note that these actions are system, not user-effected.
|
+| Scheduled Tasks | |
+| Scheduled Task | - Account Name
- Application
- Comment
- Creator
- Enabled
- Parameters
- Triggers
|
+| Local Users and Groups | |
+| Local Group | |
+| Local User | - Description
- Disabled/Enabled
- Full Name
- Name
- User cannot change password
- Password Never Expires
- User must change password at next logon
|
+| DNS Configuration | |
+| The Who value will be reported for DNS configuration settings only if the DNS server runs on Windows Server 2012 R2. See the following Microsoft article for additional information: [Update adds query logging and change auditing to Windows DNS servers](https://support.microsoft.com/en-us/kb/2956577). | |
+| DNS Server | - Address Answer Limit
- Allow Update
- Auto Cache Update
- Auto Config File Zones
- Bind Secondaries
- Boot Method
- Default Aging State
- Default No Refresh Interval
- Default Refresh Interval
- Disable Auto Reverse Zones
- Disjoint Nets
- Ds Available
- Ds Polling Interval
- Ds Tombstone Interval
- EDns Cache Timeout
- Enable Directory Partitions
- Enable Dns Sec
- Enable EDns Probes
- CD-ROM D Enable Netmask Ordering
- Event Log Level
- Fail On Load If Bad Zone Data
- Forward Delegations
- Forwarders
- Forwarding Timeout
- Is Slave
- Listen Addresses
- Log File Max Size
- Log File Path
- Log Level
- Loose Wildcarding
- Max Cache TTL
- Max Negative Cache TTL
- Name Check Flag
- No Recursion
- Recursion Retry
- Recursion Timeout
- Round Robin
- Rpc Protocol
- Scavenging Interval
- Secure Cache Against Pollution
- Send Port
- Server Addresses
|
+| DNS Zone | - Aging State
- Allow update
- Auto created
- Data file name
- Ds integrated
- Expires after
- Forwarder slave
- Forwarder timeout
- Master servers
- Minimum TTL
- No refresh interval
- Notify
- Notify servers
- Owner name
- Paused
- Primary server
- Refresh interval
- Responsible person
- Retry interval
- Reverse
- Scavenge servers
- Secondary servers
- Secure secondaries
- Shutdown
- TTL
- User NB stat
- Use WINS
- Zone type
|
+| DNS Resource Records | |
+| The Who value will be reported for DNS Resource Records only if the DNS server runs Windows Server 2012 R2. See the following Microsoft article for additional information: [Update adds query logging and change auditing to Windows DNS servers](https://support.microsoft.com/en-us/kb/2956577). | |
+| DNS AAAA | - Container name
- IPv6 Address
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS AFSDB | - Container name
- Owner name
- Server name
- Server subtype
- Record class
- TTL
- Zone type
|
+| DNS ATM A | - ATM Address
- Container name
- Format
- Owner name
- Record class
- TTL
- Value
- Zone type
|
+| DNS A | - Container name
- IP Address
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS CNAME | - Container name
- FQDN for target host
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS DHCID | - Container name
- DHCID (base 64)
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS DNAME | - Container name
- FQDN for target domain
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS DNSKEY | - Algorithm
- Container name
- Key type
- Key (base 64)
- Name type
- Owner name
- Protocol
- Record class
- Signatory field
- TTL
- Zone type
|
+| DNS DS | - Algorithm
- Container name
- Data
- DigestType
- Key tag
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS HINFO | - Container name
- CPU type
- Operating system
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS ISDN | - Container name
- ISDN phone number and DDI
- ISDN subaddress
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS KEY | - Algorithm
- Container name
- Key type
- Key (base 64)
- Name type
- Owner name
- Protocol
- Record class
- Signatory field
- TTL
- Zone type
|
+| DNS MB\*\*\* | - Container name
- Mailbox host
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS MD | - Container name
- MD host
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS MF | - Container name
- MF host
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS MG | - Container name
- Member mailbox
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS MINFO | - Container name
- Error mailbox
- Owner name
- Responsible mailbox
- Record class
- TTL
- Zone type
|
+| DNS MR | - Container name
- Owner name
- Replacement mailbox
- Record class
- TTL
- Zone type
|
+| DNS MX | - Container name
- FQDN of mail server
- Mail server priority
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS NAPTR | - Container name
- Flag string
- Order
- Owner name
- Preference
- Record class
- Regular expression string
- Replacement domain
- Service string
- TTL
- Zone type
|
+| DNS NS | - Container name
- Name servers
- Owner name
- TTL
|
+| DNS NXT | - Container name
- Next domain name
- Owner name
- Record class
- Record types
- TTL
- Zone type
|
+| DNS PTR | - Container name
- Owner name
- PTR domain name
- Record class
- TTL
- Zone type
|
+| DNS RP | - Container name
- Mailbox of responsible person
- Optional associated text (TXT) record
- Owner name
- Record class
- TTL
- Zone type
|
+| DNS RRSIG | - Algorithm
- Container name
- Key tag
- Labels
- Original TTL
- Owner name
- Record class
- Signature expiration (GMT)
- Signature inception (GMT)
- Signature (base 64)
- Signer's name
- TTL
- Type covered
- Zone type
|
+| DNS RT | - Container name
- Intermediate host
- Owner name
- Preference
- Record class
- TTL
- Zone type
|
+| DNS SIG | - Algorithm
- Container name
- Key tag
- Labels
- Original TTL
- Owner name
- Record class
- Signature expiration (GMT)
- Signature inception (GMT)
- Signature (base 64)
- Signer's name
- TTL
- Type covered
- Zone type
|
+| DNS SRV | - Container name
- Host offering this service
- Owner name
- Port number
- Priority
- Record class
- TTL
- Weight
- Zone type
|
+| DNS TEXT | - Container name
- Owner name
- Record class
- Text
- TTL
- Zone type
|
+| DNS WINS | - Cache time-out
- Container name
- Do not replicate this record
- Lookup time-out
- Owner name
- Record class
- Wins servers
- Zone type
|
+| DNS WKS | - Container name
- IP address
- Owner name
- Protocol
- Record class
- Services
- TTL
- Zone type
|
+| DNS X25 | - Container name
- Owner name
- Record
- Record class
- TTL
- X.121 PSDN address
- Zone type
|
+| File Shares | |
+| Share | - Access-based enumeration
- Caching
- Description
- Enable BranchCache
- Encrypt data access
- Folder path
- Share permissions
- User limit
|
+
### Windows Server Registry Keys
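Review bot: the multi-line cells introduced throughout this table are not valid GFM table syntax, so the table stops rendering at the first one. A row must be a single line; here `+| Computer | - System state changed to Started` is followed by a bare `- System state changed to Stopped. Reason: Reason type` and a lone `|`, and the bare `-` line ends the table, leaving everything from `Computer` down as loose text. Keep each row on one line and separate the attributes with `<br/>` (or keep the old ` - ` separators). Separately, four rows lost their attribute lists in the rewrite and now have an empty second cell: `Network Protocol\*\*` (was `- Description - Status`), `System Slot\*\*` (was `- Slot Designation - Status`), `Server role` (was `- Added - Removed`) and `Local Group` (was `- Description - Name - Members`); restore them. Minor, carried over from the old table: the DNS Server entry `- CD-ROM D Enable Netmask Ordering` looks like stray text pasted in front of `Enable Netmask Ordering`, and the `\* — indicates the properties whose changes may not be reported correctly ...` legend is glued onto the Network Adapter `Status` item rather than placed below the table; worth fixing while the table is being rewritten.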
@@ -267,13 +268,24 @@ type required):
The below is the full list of keys (and subkeys) involved in Windows Server auditing.
-| | |
-| -------------- | ------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ | ----- |
-| Hardware | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services( | \.\*) |
-| General | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CrashControl( | \.\*) - HKEY_LOCAL_MACHINE\Software\WOW6432NODE\Microsoft\Windows NT\CurrentVersion( | \.\*) - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion( | \.\*) |
-| Software | - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL( | \.\*) - HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL( | \.\*) |
-| Services | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services( | \.\*) - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services( | \.\*) |
-| RemovableMedia | - SYSTEM\CurrentControlSet\Enum |
+| Category | Registry Keys |
+|----------------|-------------------------------------------------------------------------------------------------------------------|
+| Hardware | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* |
+| General | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CrashControl\* |
+| | - HKEY_LOCAL_MACHINE\Software\WOW6432NODE\Microsoft\Windows NT\CurrentVersion\* |
+| | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\* |
+| Software | - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\* |
+| | - HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\* |
+| Services | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\* |
+| | - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\* |
+| RemovableMedia | - SYSTEM\CurrentControlSet\Enum\* |
+
Consider that audit data for the registry keys themselves will not appear in Netwrix Auditor
reports, alerts or search results, as it is only used as one of the sources for the Activity Records
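Review bot: the `RemovableMedia` row (`+| RemovableMedia | - SYSTEM\CurrentControlSet\Enum\* |`) is the only entry without the `HKEY_LOCAL_MACHINE\` hive prefix; since every other key in the table is being normalized in this change, add the prefix here too so the list is unambiguous about which hive is monitored. Also, the wildcard notation changes from the old `(\.*)` fragments to a trailing `\*`; that reads as "key and everything below it", which matches the "keys (and subkeys)" wording in the intro line, but it is worth stating once below the table what the trailing `*` means so readers do not take it for a literal key name.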
diff --git a/docs/auditor/10.7/configuration/windowsserver/registrykey.md b/docs/auditor/10.7/configuration/windowsserver/registrykey.md
index 2178a910b2..ea0538b4eb 100644
--- a/docs/auditor/10.7/configuration/windowsserver/registrykey.md
+++ b/docs/auditor/10.7/configuration/windowsserver/registrykey.md
@@ -9,25 +9,27 @@ sidebar_position: 110
Review the basic registry keys that you may need to configure for monitoring Windows Server with
Netwrix Auditor. Navigate to Start → Run and type _"regedit"_.
-| Registry key (REG_DWORD type) | Description / Value |
-| -------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Windows Server Change Reporter | |
-| CleanAutoBackupLogs | Defines the retention period for the security log backups: - 0—Backups are never deleted from Domain controllers - [X]— Backups are deleted after [X] hours |
-| ProcessBackupLogs | Defines whether to process security log backups: - 0—No - 1—Yes Even if this key is set to _"0"_, the security log backups will not be deleted regardless of the value of the CleanAutoBackupLogs key. |
+| Registry key (REG_DWORD type) | Description / Value |
+| -------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Windows Server Change Reporter | |
+| CleanAutoBackupLogs | Defines the retention period for the security log backups: - 0—Backups are never deleted from Domain controllers
- [X]— Backups are deleted after [X] hours
|
+| ProcessBackupLogs | Defines whether to process security log backups: - 0—No
- 1—Yes Even if this key is set to _"0"_, the security log backups will not be deleted regardless of the value of the CleanAutoBackupLogs key.
|
+
## Event Log
Review the basic registry keys that you may need to configure for monitoring event logs with Netwrix
Auditor. Navigate to Start → Run and type _"regedit"_.
-| Registry key (REG_DWORD type) | Description / Value |
-| ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log Manager\\Database Settings | |
-| ConnectionTimeout | Defines SQL database connection timeout (in seconds). |
-| BatchTimeOut | Defines batch writing timeout (in seconds). |
-| DeadLockErrorCount | Defines the number of write attempts to a SQL database. |
-| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log Manager | |
-| CleanAutoBackupLogs | Defines the retention period for the security log backups: - 0—Backups are never deleted from Domain controllers - [X]— Backups are deleted after [X] hours |
-| ProcessBackupLogs | Defines whether to process security log backups: - 0—No - 1—Yes Even if this key is set to _"0"_, the security log backups will not be deleted regardless of the value of the CleanAutoBackupLogs key. |
-| WriteAgentsToApplicationLog | Defines whether to write the events produced by the Netwrix Auditor Event Log Compression Service to the Application Log of a monitored machine: - 0—Disabled - 1—Enabled |
-| WriteToApplicationLog | Defines whether to write events produced by Netwrix Auditor to the Application Log of the machine where the product is installed: - 0—No - 1—Yes |
+| Registry key (REG_DWORD type) | Description / Value |
+| ------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log Manager\\Database Settings | |
+| ConnectionTimeout | Defines SQL database connection timeout (in seconds). |
+| BatchTimeOut | Defines batch writing timeout (in seconds). |
+| DeadLockErrorCount | Defines the number of write attempts to a SQL database. |
+| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log Manager | |
+| CleanAutoBackupLogs | Defines the retention period for the security log backups: - 0—Backups are never deleted from Domain controllers
- [X]— Backups are deleted after [X] hours
|
+| ProcessBackupLogs | Defines whether to process security log backups: - 0—No
- 1—Yes Even if this key is set to _"0"_, the security log backups will not be deleted regardless of the value of the CleanAutoBackupLogs key.
|
+| WriteAgentsToApplicationLog | Defines whether to write the events produced by the Netwrix Auditor Event Log Compression Service to the Application Log of a monitored machine: |
+| WriteToApplicationLog | Defines whether to write events produced by Netwrix Auditor to the Application Log of the machine where the product is installed: |
+
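Review bot: the last two rows lost their value legends: `WriteAgentsToApplicationLog` and `WriteToApplicationLog` now end with a colon and nothing after it, whereas the removed lines carried `- 0—Disabled - 1—Enabled` and `- 0—No - 1—Yes`; restore those values, since without them the key is documented but not its meaning. The `CleanAutoBackupLogs` and `ProcessBackupLogs` rows in both tables have the same broken-row problem as the other file: `+| CleanAutoBackupLogs | Defines the retention period ... - 0—Backups are never deleted from Domain controllers` followed by a bare `- [X]— Backups are deleted after [X] hours` and a lone `|` is not a valid GFM row, so the table ends there. Put the values on one line with `<br/>` separators. In `ProcessBackupLogs`, the sentence starting `Even if this key is set to "0"` is glued onto the `- 1—Yes` item; separate it from the value list. One wording question: this file describes monitoring Windows Server, yet the `CleanAutoBackupLogs` text says backups are never deleted "from Domain controllers"; confirm that is the intended wording for this key rather than text carried over from the Active Directory page.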
diff --git a/docs/auditor/10.7/requirements/deploymentscenarios.md b/docs/auditor/10.7/requirements/deploymentscenarios.md
index f9c60a676b..7bc567f001 100644
--- a/docs/auditor/10.7/requirements/deploymentscenarios.md
+++ b/docs/auditor/10.7/requirements/deploymentscenarios.md
@@ -38,13 +38,18 @@ periods (e.g., to provide for investigations, compliance audit, etc.) - SSD
Recommendations below refer to deployment in the evaluation lab or small infrastructure (up to 500
users):
-1. Prepare a virtual machine meeting the following requirements: | Hardware component | Requirement
- | | --- | --- | | Processor | 2 cores | | RAM | 4 GB minimum, 8 GB recommended | | Disk space |
- 100 GB on system drive 100 GB on data drive (capacity required for SQL Server and Long-Term
- Archive) | | Screen resolution | Minimum 1280x1024 Recommended 1920x1080 or higher |
-2. Download and install Netwrix Auditor on that VM, selecting Full installation to deploy both
+1. Prepare a virtual machine meeting the following requirements:
+
+| Hardware Component | Requirement |
+|---------------------|-----------------------------------------------------------------------------------------------|
+| Processor | 2 cores |
+| RAM | 4 GB minimum, 8 GB recommended |
+| Disk space | 100 GB on system drive and 100 GB on data drive (capacity required for SQL Server and Long-Term Archive)|
+| Screen resolution | Minimum 1280x1024; Recommended 1920x1080 or higher |
+
+1. Download and install Netwrix Auditor on that VM, selecting Full installation to deploy both
server and client components.
-3. When prompted to configure the Audit database settings, proceed with installing SQL Server
+2. When prompted to configure the Audit database settings, proceed with installing SQL Server
Express Edition with Advanced Services on the same VM. See the
[SQL Server Reporting Services](/docs/auditor/10.7/requirements/sqlserverreportingservice.md) topic for additional information.
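Review bot: Renumbering the steps so that `+1. Download and install Netwrix Auditor` follows the table makes Markdown render two separate lists, so the install step shows as step 1 a second time and the SQL Server step (`+2. When prompted to configure the Audit database settings`) as step 2, while the other deployment sections in this file keep their original numbering through to 5. Keep `2.` and `3.` here and indent the inserted table and its surrounding blank lines under item 1 so the list stays continuous.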
@@ -68,10 +73,15 @@ Hyper-V virtualization server. For more information on this deployment option, r
Recommendations below refer to the product deployment in a in a regular environment (500 — 1000
users, approximately up to 1 million of activity records generated per day):
-1. Prepare a physical or a virtual machine meeting the following requirements: | Hardware component
- | Requirement | | --- | --- | | Processor | 4 cores | | RAM | 16 - 32 GB | | Disk space | 200 GB
- on system drive 0.5 - 1 TB or more on data drive (capacity required for SQL Server and Long-Term
- Archive) | | Screen resolution | Minimum 1280x1024 Recommended 1920x1080 or higher |
+1. Prepare a physical or a virtual machine meeting the following requirements:
+
+| Hardware Component | Requirement |
+|---------------------|------------------------------------------------------------------------------------------------------|
+| Processor | 4 cores |
+| RAM | 16 - 32 GB |
+| Disk space | 200 GB on system drive, 0.5 - 1 TB or more on data drive (capacity required for SQL Server and Long-Term Archive) |
+| Screen resolution | Minimum 1280x1024; Recommended 1920x1080 or higher |
+
2. Download and install Netwrix Auditor on that machine. Deploy the required number of Netwrix
Auditor clients on the remote Windows machines.
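Review bot: The table is inserted at column zero between items 1 and 2 (`+| Hardware Component | Requirement |` through the trailing `+` blank line), which terminates the list before `2. Download and install Netwrix Auditor`; indent the table and the blank lines around it by the list's content offset so it renders as part of step 1, the same fix the small-environment section needs. Nit in the unchanged context above: 'in a in a regular environment' duplicates 'in a', and '500 — 1000 users' uses an em dash where the tables write ranges with a hyphen ('16 - 32 GB'); worth fixing while this paragraph is being touched.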
@@ -92,21 +102,37 @@ Recommendations below refer to the product deployment in a large environment (up
approximately 1+ million of activity records generated per day):
1. Prepare a physical or a virtual machine for Netwrix Auditor server, meeting the following
- requirements: | Hardware component | Requirement | | --- | --- | | Processor | 8 cores | | RAM |
- 16 - 32 GB | | Disk space | - 200-500 GB on system drive - 0.5 - 1 TB on data drive | | Screen
- resolution | Minimum 1280 x 1024 Recommended 1920 x 1080 or higher |
+ requirements:
+
+| Hardware Component | Requirement |
+|---------------------|------------------------------------------------------------------------------------------------------|
+| Processor | 8 cores |
+| RAM | 16 - 32 GB |
+| Disk space | - 200-500 GB on system drive |
+| | - 0.5 - 1 TB on data drive |
+| Screen resolution | Minimum 1280 x 1024, Recommended 1920 x 1080 or higher |
+
2. Download and install Netwrix Auditor on that machine. Deploy the required number of Netwrix
Auditor clients on the remote Windows machines.
Client-server connection requires user sign-in. You can automate this process, as described in
the [Automate Sign-in to the Client](/docs/auditor/10.7/install/automatelogin.md) section of Online Help.
-3. Prepare Microsoft SQL Server meeting the following requirements: | Hardware component |
- Requirement | | --- | --- | | Processor | 2-4 cores | | RAM | 16-32 GB | | Disk space | - 100 GB
- on system drive - 200-400 GB on data drive | | Software component | Requirement | | --- | --- | |
- Microsoft SQL Server 2012 or later | Standard or Enterprise edition (Express cannot be used due
- to its database size limitation) | | Dedicated SQL Server instance or cluster is recommended | |
- | SQL Server Reporting Services for reporting | |
+3. Prepare Microsoft SQL Server meeting the following requirements:
+
+| Hardware Component | Requirement |
+|---------------------|-----------------------------------------------------------------------------|
+| Processor | 2-4 cores |
+| RAM | 16-32 GB |
+| Disk space | - 100 GB on system drive |
+| | - 200-400 GB on data drive |
+
+| Software Component | Requirement |
+|---------------------------------------|---------------------------------------------------------------------------------------------|
+| Microsoft SQL Server 2012 or later | Standard or Enterprise edition (Express cannot be used due to its database size limitation) |
+| Dedicated SQL Server instance or cluster is recommended | |
+| SQL Server Reporting Services for reporting | |
+
4. When prompted to configure the Audit database settings, proceed using the dedicated SQL Server
with Reporting Services.
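Review bot: The Disk space requirement is split across two rows with an empty first cell (`+| Disk space | - 200-500 GB on system drive |` followed by `+| | - 0.5 - 1 TB on data drive |`), which renders as a row with a blank component name; put both values in one cell separated by `<br>` rather than list dashes, as the small-environment table already does with 'and'. The software table also carries the requirement inside the component column (`+| Dedicated SQL Server instance or cluster is recommended | |` and `+| SQL Server Reporting Services for reporting | |`) while the extra-large section below splits the same rows into `| Dedicated SQL Server instance or cluster| Recommended |`; use the two-column form here too. Minor: 'Minimum 1280 x 1024, Recommended 1920 x 1080' differs from the earlier tables' 'Minimum 1280x1024; Recommended 1920x1080'.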
@@ -115,24 +141,45 @@ approximately 1+ million of activity records generated per day):
Recommendations below refer to the product deployment in an extra-large environment, that is, with
more than 20 000 users (10+ million of activity records generated per day):
-1. Prepare a physical or a virtual machine for Auditor Server, meeting the following requirements: |
- Hardware component | Requirement | | --- | --- | | Processor | 16 cores (recommended) | | RAM |
- 32 - 64 GB | | Disk space | - 300-500 GB on system drive - 1+ TB on data drive | | Screen
- resolution | Minimum 1280 x 1024 Recommended 1920 x 1080 or higher |
+1. Prepare a physical or a virtual machine for Auditor Server, meeting the following requirements:
+
+| Hardware Component | Requirement |
+|---------------------|----------------------------------------------------------------------------------|
+| Processor | 16 cores (recommended) |
+| RAM | 32 - 64 GB |
+| Disk space | - 300-500 GB on system drive |
+| | - 1+ TB on data drive |
+| Screen resolution | Minimum 1280 x 1024, Recommended 1920 x 1080 or higher |
+
2. Download and install Netwrix Auditor on that machine. Deploy the required number of Netwrix
Auditor clients on the remote Windows machines.
Client-server connection requires user sign-in. You can automate this process, as described in
the [Automate Sign-in to the Client](/docs/auditor/10.7/install/automatelogin.md) section.
-3. Prepare a machine for Microsoft SQL Server meeting the following requirements: | Hardware
- component | Requirement | | --- | --- | | Processor | 4 cores | | RAM | 32 - 64 GB | | Disk space
- | - 100 GB on system drive - 1 TB on data drive | | Software component | Requirement | | --- |
- --- | | Microsoft SQL Server 2012 or later | Standard or Enterprise edition (Express cannot be
- used due to its database size limitation) | | Dedicated SQL Server instance or cluster is
- recommended | | | SQL Server Reporting Services for reporting | |
+3. Prepare a machine for Microsoft SQL Server meeting the following requirements:
+
+| Hardware Component | Requirement |
+|---------------------|-----------------------------------------------------------------------------|
+| Processor | 4 cores |
+| RAM | 32 - 64 GB |
+| Disk space | - 100 GB on system drive |
+| | - 1 TB on data drive |
+
+| Software Component | Requirement |
+|-----------------------------------------|------------------------------------------------------------------------------------------------------|
+| Microsoft SQL Server 2012 or later | Standard or Enterprise edition (Express cannot be used due to its database size limitation) |
+| Dedicated SQL Server instance or cluster| Recommended |
+| SQL Server Reporting Services | For reporting |
+
4. As an option, you can install Reporting Services on a dedicated machine. The following hardware
- configuration is recommended: | Hardware component | Requirement | | --- | --- | | Processor | 4
- cores | | RAM | 32 GB | | Disk space | - 100 GB on system drive |
+ configuration is recommended:
+
+| Hardware Component | Requirement |
+|---------------------|-----------------------------|
+| Processor | 4 cores |
+| RAM | 32 GB |
+| Disk space | 100 GB on system drive |
+
5. When prompted to configure the Audit database settings, proceed using the dedicated SQL Server
and Reporting Services.
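Review bot: The Disk space rows in the step 1 and step 3 tables still use the two-row, blank-cell layout (`+| Disk space | - 100 GB on system drive |` followed by `+| | - 1 TB on data drive |`) and should be one cell with `<br>`, matching the step 4 table where the single value was written without the leading dash (`+| Disk space | 100 GB on system drive |`). The `+| Dedicated SQL Server instance or cluster| Recommended |` row is missing the space before `|`; harmless for rendering but inconsistent with every other row. Also, this hunk keeps the steps numbered 1 to 5 around the inserted tables, which is the right choice and is what the small-environment section should be aligned to.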