diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/addconnectorspo.png b/docs/1secure/admin/organizations/sourcesandconnectors/addconnectorspo.png new file mode 100644 index 0000000000..9e2cdf1a31 Binary files /dev/null and b/docs/1secure/admin/organizations/sourcesandconnectors/addconnectorspo.png differ diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/computer.md b/docs/1secure/admin/organizations/sourcesandconnectors/computer.md index 4f348435a3..277381d74c 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/computer.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/computer.md @@ -119,6 +119,10 @@ the following: - Advanced Activity Selection – Select this checkbox to choose the successful and failed actions to audit on the computer. + :::note + By default, Read activity is not available for auditing. Contact Netwrix support if you need it. + ::: + ![Advanced Activity Selection options](/images/1secure/configuration/computer/objectlevelaccessaudit.webp) **Step 10 –** Click **Finish**. diff --git a/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md b/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md index afc5dee940..13b0e38fc6 100644 --- a/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md +++ b/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md @@ -53,7 +53,7 @@ pane is displayed. **Step 6 –** Click **Next**. -![Choose New Connector %28Step 3 of 3%29 pane](/images/1secure/admin/organizations/sourcesandconnectors/addsourcesharepointonlineconnector.webp) +![Choose New Connector %28Step 3 of 3%29 pane](addconnectorspo.png) **Step 7 –** The Choose new connector (Step 3 of 3) pane lists three connectors for SharePoint Online. Specify the following: 
@@ -78,6 +78,9 @@ Online. Specify the following: switch to ON to allow 1Secure to read the documents in order to classify and label them based on the type of data they contain. + - Establish connection to your Classifier app – See the + [Configure SharePoint Online Classification App](/docs/1secure/configuration/registerconfig/1secure-classifier-setup-guide.md) + topic for additional information. - Run OCR to improve classification of images (increases processing time) – Toggle this switch to ON to use Optical Character Recognition (OCR) to scan images for text, which helps to classify the sensitive data more effectively. Note that this increases the processing time for diff --git a/docs/1secure/admin/searchandreports/activity.md b/docs/1secure/admin/searchandreports/activity.md index 4d275675ce..2dc5fa395d 100644 --- a/docs/1secure/admin/searchandreports/activity.md +++ b/docs/1secure/admin/searchandreports/activity.md @@ -43,6 +43,7 @@ Activity reports are available under the following categories. - [Overview](#overview) - [Active Directory](#active-directory) +- [Active Directory and Entra ID](#active-directory-and-entra-id) - [Microsoft Entra ID](#microsoft-entra-id) - [Exchange Online](#exchange-online) - [File Server](#file-server) 
@@ -64,21 +65,26 @@ Activity reports are available under the following categories. | Report Name | Description | | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Accounts Deleted | Lists all user accounts that have been deleted. It also provides information about when and by whom the accounts were deleted, which can help identify any unauthorized or suspicious activity within the system. | -| Accounts Enabled | Lists all user accounts that have been disabled. | -| Accounts Disabled | Lists all user accounts that have been disabled. It also provides information about when and by whom the accounts were disabled. | -| Accounts Locked Out | Lists all user accounts that have been locked out. It also provides information about when and by whom the accounts were locked out. | | Accounts Password Tempered | Lists the user accounts where the password has been altered. It helps to detect unauthorized password changes. | | Administrative Group Membership Changes | Lists changes to membership of the Domain Admins, Enterprise Admins, Schema Admins, Account Operators, and other administrative groups. Members of these groups are entitled to perform critical activities in your IT infrastructure. Subscribe to this report or review it on a regular basis to detect security issues and ensure that administrative group membership is granted or revoked in compliance with your organization's security policies. | | All Active Directory Changes | Lists changes to all Active Directory objects including changes to permissions, configuration, etc. 
This is the most comprehensive report on Active Directory changes. Use it when you need to review every single change to any Active Directory object. | -| All Logon Activity | Lists all user login attempts across the Active Directory. It helps track the login trends, such as repeated failed login attempts. | | Computers Removed | Lists all computer accounts that have been deleted. It also provides information about when and by whom the accounts were deleted, which can help identify any unauthorized or suspicious activity within the system. | -| Failed Logons | Lists the failed login attempts. It is useful for identifying the potential security issues, such as unauthorized users trying to access the system. | | Members Added to Administrative Group | Lists all users who have been added to administrative groups. It helps administrators monitor changes to privileged groups and ensures that only authorized users have elevated access. | | Members Removed from Administrative Group | Lists all users who have been removed from the administrative groups. It helps administrators monitor changes to privileged groups and ensures that only authorized users have elevated access. | | Organizational Unit Management | Lists changes made to organization units including, changes to name, description, delegation settings, etc. | | Security Group Membership Changes | Lists changes made to security groups including, changes to group membership, permissions, descriptions, etc. | -| User Account Status Changes | Lists changes made to the status of user accounts, such as enabling, disabling, locking, or unlocking accounts. 
| + +## Active Directory and Entra ID + +| Report Name | Description | +| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Accounts Deleted | Lists all user accounts that have been deleted from both Active Directory and Entra ID. It also provides information about when and by whom the accounts were deleted, which can help identify any unauthorized or suspicious activity within the system. | +| Accounts Disabled | Lists all user accounts that have been disabled in both Active Directory and Entra ID. It also provides information about when and by whom the accounts were disabled. | +| Accounts Enabled | Lists all user accounts that have been enabled in both Active Directory and Entra ID. | +| Accounts Locked Out | Lists all user accounts that have been locked out in both Active Directory and Entra ID. It also provides information about when and by whom the accounts were locked out. | +| All Logon Activity | Lists all user login attempts across both Active Directory and Entra ID. It helps track the login trends, such as repeated failed login attempts. | +| Failed Logons | Lists the failed login attempts from both Active Directory and Entra ID. It is useful for identifying the potential security issues, such as unauthorized users trying to access the system. | +| User Account Status Changes | Lists changes made to the status of user accounts in both Active Directory and Entra ID, such as enabling, disabling, locking, or unlocking accounts. | ## Microsoft Entra ID diff --git a/docs/1secure/admin/searchandreports/compliance.md b/docs/1secure/admin/searchandreports/compliance.md index f3c9e35162..de16ea2887 100644 --- a/docs/1secure/admin/searchandreports/compliance.md +++ b/docs/1secure/admin/searchandreports/compliance.md 
@@ -25,13 +25,14 @@ its reports. An organization is selected by default, but you can choose a differ **Step 3 –** Click the **Compliance** tab to access the compliance reports. This opens the Compliance page with the Group Membership report selected by default in the left pane. -![Compliance Reports Page](/images/1secure/admin/searchandreports/reportscompliance.webp) +![Compliance Reports Page](/images/1secure/admin/searchandreports/compliancereport.png) **Step 4 –** In the left pane, click a category to view its reports. Categories are: - [Active Directory](#active-directory) - [Microsoft Entra ID](#microsoft-entra-id) - [SharePoint Online](#sharepoint-online) +- [Permissions](#permissions) **Step 5 –** Click a report to open it. Reports without a filter are automatically generated when you open them. Click **Search** to generate reports with a predefined filter set. 
@@ -64,12 +65,17 @@ A list of the available Compliance reports(category-wise) is given below. | Name | Description | | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Broken Permissions Inheritance | Lists objects with permissions that differ from their parent, such as a folder with permissions different from its parent site. | +| Sensitive Documents | Lists the documents that are classified according to the sensitive data types enabled in the SharePoint Online Data Classification connector. See step 7 in the [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic for addition information. | +| Sharing Links | Provides an overview of all the active sharing links within your SharePoint Online site. For each record, it displays the site collection, URL of the shared resource, name of the shared object, link creation and expiration dates, link type, assigned permissions, and more. Click the "Shared with" link to see exactly who or which groups have access. 
| + +### Permissions + +| Name | Description | +| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Direct Object Permissions | Lists all identities (users or groups) that have assigned permissions to specific objects, such as documents, lists, or sites. Use this report to review which users or groups have access to data objects. | | Direct User Permissions | Lists user accounts with direct permissions to specific objects. Use this report to see which users have permissions to what data. | | High Risk Permissions | Lists the permissions and permission levels of high-risk trustees, such as Everyone, Authenticated Users, and Everyone except external users. | | Permissions Overview by Resource | Provides a summary of assigned permissions in your organization, including the count of direct user permissions, stale permissions, broken permission inheritance, and high-risk permissions for each object. Click any permissions value to navigate to the specific permissions report for the selected resource. For example, clicking a High Risk Permissions value will take you to the High Risk Permissions report. | -| Sensitive Documents | Lists the documents that are classified according to the sensitive data types enabled in the SharePoint Online Data Classification connector. See step 7 in the [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic for addition information. | -| Sharing Links | Provides an overview of all the active sharing links within your SharePoint Online site. 
For each record, it displays the site collection, URL of the shared resource, name of the shared object, link creation and expiration dates, link type, assigned permissions, and more. Click the "Shared with" link to see exactly who or which groups have access. | **Sort a Report** @@ -87,6 +93,29 @@ You can select more than one filter. For options displayed in the Operator drop-down menu, see the [Filter Operators ](/docs/1secure/admin/searchandreports/filteroperators.md)topic. +**Save Custom Filter Views** + +You can save your applied filters as a custom view for quick access and future use. This allows you to: + +- Quickly reapply frequently used filter combinations +- Create subscriptions based on your custom filtered view +- Share consistent report configurations across your team + +To save a custom filter view: + +1. Apply the desired filters to your compliance report +2. Click **Save View** +3. Enter a descriptive name for your custom view +4. Click **Save** + +Your saved view will appear in the left navigation pane under the report category for easy access. + +**Subscribe to Compliance Reports** + +You can subscribe to compliance reports to receive them automatically via email, or have them uploaded to a specified folder in SharePoint Online. When you create a subscription from a custom filtered view, the subscription will preserve all applied filters and generate reports using the same filter criteria. + +Since compliance reports reflect the current state of your environment, subscriptions are based on frequency rather than time periods. See the [Subscriptions](/docs/1secure/admin/searchandreports/subscriptions.md) topic for additional information. + ## Filter Descriptions This table provides a list of filters and descriptions. diff --git a/docs/1secure/configuration/registerconfig/1secure-classifier-setup-guide.md b/docs/1secure/configuration/registerconfig/1secure-classifier-setup-guide.md new file mode 100644 index 0000000000..5bc6a3f04a --- /dev/null 
+++ b/docs/1secure/configuration/registerconfig/1secure-classifier-setup-guide.md 
@@ -0,0 +1,144 @@ +--- +title: "Configure SharePoint Online Classification App" +description: "Setup guide for 1Secure SPO Data Classification Connector and Azure classifier deployment" +sidebar_position: 30 +--- + +# Configure SharePoint Online Classification App + +## Create 1Secure SPO Data Classification Connector + +* Log in to 1Secure +* Go to Configuration +* Go to Managed organizations +* Select the child tenant you're working within +* Select the SharePoint Online source's Connectors +* Add/Edit SharePoint Online Data Classification + +## Deploy and Configure the Classifier in Azure + +* Create new resource group +* Give current user at least: Domain Services Contributor, Contributor, Key Vault Secrets Officer, Key Vault Certificates User, and Role Based Access Control Administrator within resource group +* Add "Netwrix 1Secure Classifier" from marketplace + + \ + ![The configuration screen for deploying the 1Secure classifier app](attachments/c8e939c8-8634-4a60-9cba-a931ef38e8f1.png " =599x391") +* Set Region +* Set Resource name ``e.g. 
CompanyName-1Secure +* After creation go to resource group +* Go to ``-textextraction +* Open Functions page and go to App Keys +* Copy "default" key +* Go to ``-classifier +* Open Settings folder and go to Environment variables +* Paste "default" key into "TextExtraction__ApiKey" value + +## Register the Classifier in 1Secure + +* In Azure classifier app, go to Overview +* Click on the "Default domain" link and copy the full url (see below) + + \ + ![](attachments/0138b931-17d4-4266-ade7-d619757f14e2.png " =1890x197") + + +* In 1Secure and paste as "Classifier Function App Url" +* Go to ``-sb-core +* Open Settings Folder and go to Shared access policies +* Create new shared access policy, only 'Send' claims are required + + + ![](attachments/0fff23ad-9695-406b-b172-636c384d5fba.png " =1678x899") + + +* Copy the "Primary connection string" +* Swap to 1Secure tab and paste as "Service Bus SAS Connection String" + + + ![](attachments/b27669d7-bc3f-4c61-9722-118b77a3d0c2.png " =642x303") + + +* Press Register +* After success, save and swap back to Azure Portal (tab 1) + +## Set Up Classifier Link to SPO + +**On Azure Portal (tab 1):** + +* Go to ``-kv +* Open Objects folder and go to Secrets![](attachments/ac55f3e0-fee7-4318-a86b-58e9899c3a10.png " =1738x283") +* Swap to Azure Portal (tab 2) + +**On Azure Portal (tab 2):** + +* Open your SharePoint App Registration + + + ![](attachments/9ed38a58-714f-4733-98c2-dc6fbc7c7ce4.png " =642x320") + + +* Copy App Registration tenant ID +* Swap to Azure Portal (tab 1) + * Click on the secret with the name "source-auth-key-\{Guid\}-__tenant-id__" + * Click "+New Version" + * Paste the tenant ID as the secret value + * Click Create\n![](attachments/beabf83e-a591-4914-be74-37cd6755fe25.png " =1510x876") +* Copy App Registration client ID +* Swap to Azure Portal (tab 1) + * Click on the secret with the name "source-auth-key-\{Guid\}-__client-id__" + * Click "+New Version" + * Paste the client ID as the secret value + * Click 
Create + + + + +**On Azure Portal (tab 1):** + + + ![](attachments/2dfd2ba5-c013-43b5-ae8f-c813dda8e9a0.png " =1852x685") + +* Go to Certificates +* Click on "sharepoint-auth-\{Guid\}" +* Click on current version +* Click on "Download in CER format" +* Swap to Azure Portal (tab 2) + +**On Azure Portal (tab 2):** + +* Open Manage folder in App Registration and click Certificates & Secrets +* Go to Certificates +* Click "Upload certificate" +* Upload the downloaded certificate and give it a name + + + ![](attachments/3b0612ed-6b25-40c4-b091-7a5a73921914.png " =1409x817") + +## Troubleshooting + +### General Errors + +**Classification connector successfully registers but shows status 'New' even after a successful state crawl** + +* There could be errors in the classifier app - check the Application Insights resource (in the classifier resource group, resource ending in `-ai`) for more detailed errors - use the below section for further troubleshooting steps + +### Application Insights Errors + +**No ClientId was specified** + +*(Full error: Microsoft.Graph.ServiceException: Code: generalException Message: An error occurred sending the request. ---> MSAL.NetCore.4.70.2.0.MsalClientException: ErrorCode: no_client_id……)* + +* Check that the client ID and tenant ID secrets are set in the KeyVault instance + +**The maximum entity size has been reached or exceeded for queue** + +* The classifier has been unable to process service bus messages and the queue is now full, the queue can be emptied. The classifications should be processed successfully on the next crawl. 
+ * In the classifier resource group, find the service bus namespace resource (named ``**-class-sb-core**) + * Open the **state-classification** queue, and click **Service Bus Explorer** in the left-hand side bar + * Click **Peek Mode** and change it to **Receive Mode**, then click **Purge messages** + +**Name or service not known** + +*(Example error: Microsoft.Graph.ServiceException: Code: generalException*\n*Message: An error occurred sending the request.*\n *---> System.AggregateException: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (Name or service not known (*``*-kv:443))* + +* One of the environment variables may be incorrect in the classifier or text extraction app. Ensure that URLs in the variables are valid (for example variables `FileDownload__ClientCredentialsKeyVaultUrl` and `TextExtraction__ApiBaseUrl`) \ No newline at end of file diff --git a/docs/1secure/configuration/registerconfig/attachments/0138b931-17d4-4266-ade7-d619757f14e2.png b/docs/1secure/configuration/registerconfig/attachments/0138b931-17d4-4266-ade7-d619757f14e2.png new file mode 100644 index 0000000000..5eb11ebd6f Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/0138b931-17d4-4266-ade7-d619757f14e2.png differ diff --git a/docs/1secure/configuration/registerconfig/attachments/0fff23ad-9695-406b-b172-636c384d5fba.png b/docs/1secure/configuration/registerconfig/attachments/0fff23ad-9695-406b-b172-636c384d5fba.png new file mode 100644 index 0000000000..cef0cd1804 Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/0fff23ad-9695-406b-b172-636c384d5fba.png differ 
diff --git a/docs/1secure/configuration/registerconfig/attachments/2dfd2ba5-c013-43b5-ae8f-c813dda8e9a0.png b/docs/1secure/configuration/registerconfig/attachments/2dfd2ba5-c013-43b5-ae8f-c813dda8e9a0.png new file mode 100644 index 0000000000..8b342900c0 Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/2dfd2ba5-c013-43b5-ae8f-c813dda8e9a0.png differ diff --git a/docs/1secure/configuration/registerconfig/attachments/3b0612ed-6b25-40c4-b091-7a5a73921914.png b/docs/1secure/configuration/registerconfig/attachments/3b0612ed-6b25-40c4-b091-7a5a73921914.png new file mode 100644 index 0000000000..be4d960ab7 Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/3b0612ed-6b25-40c4-b091-7a5a73921914.png differ diff --git a/docs/1secure/configuration/registerconfig/attachments/9ed38a58-714f-4733-98c2-dc6fbc7c7ce4.png b/docs/1secure/configuration/registerconfig/attachments/9ed38a58-714f-4733-98c2-dc6fbc7c7ce4.png new file mode 100644 index 0000000000..758da86fdf Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/9ed38a58-714f-4733-98c2-dc6fbc7c7ce4.png differ diff --git a/docs/1secure/configuration/registerconfig/attachments/ac55f3e0-fee7-4318-a86b-58e9899c3a10.png b/docs/1secure/configuration/registerconfig/attachments/ac55f3e0-fee7-4318-a86b-58e9899c3a10.png new file mode 100644 index 0000000000..869602e091 Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/ac55f3e0-fee7-4318-a86b-58e9899c3a10.png differ diff --git a/docs/1secure/configuration/registerconfig/attachments/b27669d7-bc3f-4c61-9722-118b77a3d0c2.png b/docs/1secure/configuration/registerconfig/attachments/b27669d7-bc3f-4c61-9722-118b77a3d0c2.png new file mode 100644 index 0000000000..7d35f84390 Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/b27669d7-bc3f-4c61-9722-118b77a3d0c2.png differ 
diff --git a/docs/1secure/configuration/registerconfig/attachments/beabf83e-a591-4914-be74-37cd6755fe25.png b/docs/1secure/configuration/registerconfig/attachments/beabf83e-a591-4914-be74-37cd6755fe25.png new file mode 100644 index 0000000000..aebaa82e9e Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/beabf83e-a591-4914-be74-37cd6755fe25.png differ diff --git a/docs/1secure/configuration/registerconfig/attachments/c8e939c8-8634-4a60-9cba-a931ef38e8f1.png b/docs/1secure/configuration/registerconfig/attachments/c8e939c8-8634-4a60-9cba-a931ef38e8f1.png new file mode 100644 index 0000000000..baf679495a Binary files /dev/null and b/docs/1secure/configuration/registerconfig/attachments/c8e939c8-8634-4a60-9cba-a931ef38e8f1.png differ
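
Review bot: In docs/1secure/admin/organizations/sourcesandconnectors/computer.md (hunk @@ -119,6 +119,10), the added note says Read activity is not available for auditing by default but does not say what the reader will see under Advanced Activity Selection or what is missing from the audit trail in the meantime. Suggest stating whether the Read option is hidden or disabled in that list, and saying explicitly whether read access to audited objects goes unrecorded until Netwrix support enables it, so nobody assumes reads are covered.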
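
Review bot: In sharepointonline.md (hunk @@ -53,7 +53,7), the new image reference `addconnectorspo.png` is a bare relative path to a PNG committed beside the Markdown under docs/, while the line it replaces and the image references in computer.md and compliance.md use absolute /images/1secure/... paths. Suggest placing the file under /images/1secure/admin/organizations/sourcesandconnectors/ and referencing it by that absolute path so the page follows one convention; the alt text `%28Step 3 of 3%29` could be written as "(Step 3 of 3)" while this line is being changed.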
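
Review bot: In sharepointonline.md (hunk @@ -78,6 +78,9), the added bullet "Establish connection to your Classifier app" only links to the setup topic and, unlike the neighbouring bullets, does not say what the control is or what has to be entered. The linked guide names the inputs ("Classifier Function App Url", "Service Bus SAS Connection String", then Register); suggest naming those fields in the bullet so the reader knows what to have ready before following the link.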
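
Review bot: In activity.md (hunk @@ -64,21 +65,26), the new "Active Directory and Entra ID" rows say "in both Active Directory and Entra ID", which reads as if an account must be deleted, disabled or locked out in both directories to be listed. If the reports combine events from either source, suggest wording such as "in Active Directory or Entra ID" or "across Active Directory and Entra ID" in every row. The unchanged row "Accounts Password Tempered" in the same table looks like a typo for "Tampered" and could be corrected in this change if the report name in the product allows it.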
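
Review bot: In compliance.md (hunk @@ -25,13 +25,14), the screenshot now points to /images/1secure/admin/searchandreports/compliancereport.png, but no file with that name is added anywhere in the visible patch (the only new images are addconnectorspo.png and the attachments/ PNGs). Please confirm the image is already in the repository or include it in this change, otherwise the Compliance Reports Page image will be broken.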
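
Review bot: In compliance.md (hunk @@ -64,12 +65,17), the moved "Sensitive Documents" row still ends with "topic for addition information"; since the line is being re-added, change it to "additional information". Also confirm that "Broken Permissions Inheritance" is meant to stay in the table above while the other permission reports move under the new "### Permissions" heading, because "Permissions Overview by Resource" describes linking to broken permission inheritance from the Permissions category.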
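
Review bot: In compliance.md (hunk @@ -87,6 +93,29), the "Save Custom Filter Views" section promises to "Share consistent report configurations across your team", but the four steps never say who can see a saved view: only its creator, everyone in the organization, or users with a given role. Suggest adding one sentence on the visibility of saved views, and, because subscriptions built from them can be "uploaded to a specified folder in SharePoint Online", a sentence on who should have access to that folder given that these reports list sensitive documents and high-risk permissions. The numbered steps also lack closing periods, unlike the step text elsewhere in the file.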
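
Review bot: In 1secure-classifier-setup-guide.md (new file, hunk @@ -0,0 +1,144), the resource-name placeholder is empty wherever it is used ("Set Resource name ``e.g. CompanyName-1Secure", "Go to ``-textextraction", "``-classifier", "``-sb-core", "``-kv"), so the reader cannot tell which resource each step refers to. Suggest a visible placeholder escaped the same way as "\{Guid\}" so the renderer keeps it, and reconcile "-sb-core" in the registration section with "-class-sb-core" in Troubleshooting. The role list under "Deploy and Configure the Classifier in Azure" grants Contributor and Role Based Access Control Administrator on the resource group without saying whether they are still needed after deployment; state which roles can be removed once setup is complete. The literal "\n" in "Click Create\n![](...)" and in the "Name or service not known" example, the empty image alt texts, the broken sentence "In 1Secure and paste as", and the missing newline at end of file should be fixed as well.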