diff --git a/docs/activitymonitor/9.0/admin/_category_.json b/docs/activitymonitor/9.0/admin/_category_.json new file mode 100644 index 0000000000..51435b6e32 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Administration", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/agents/_category_.json b/docs/activitymonitor/9.0/admin/agents/_category_.json new file mode 100644 index 0000000000..a219cfb8d3 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Agents Tab", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/agents/activedirectory.md b/docs/activitymonitor/9.0/admin/agents/activedirectory.md new file mode 100644 index 0000000000..a585fbcced --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/activedirectory.md 
@@ -0,0 +1,108 @@ +--- +title: "Active Directory Agent Deployment" +description: "Active Directory Agent Deployment" +sidebar_position: 40 +--- + +# Active Directory Agent Deployment + +Before deploying the Active Directory (AD) agent, ensure all +[AD Agent Server Requirements](/docs/activitymonitor/9.0/requirements/adagent/adagent.md) have been met. To effectively +monitor Active Directory, it is necessary to deploy an AD agent to every domain controller, +including the read only domain controllers. However, it is possible to deploy the agents in batches. +Follow the steps to deploy the AD agents to the domain controllers in the target domain. + +:::note +These steps are specific to deploying AD agents for monitoring Active Directory. +::: + + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** Click on the Install agents on Active Directory domain controllers link to deploy +activity agents to multiple domain controllers. + +:::note +The Activity Monitor will validate the entered Host Name or IP Address entered in the +**Server Name** text box. +::: + + +![Specify Agent Port](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** Specify the port that should be used by the new agent(s). + +![Agent Install Location](/images/activitymonitor/9.0/admin/agents/add/locationdefault.webp) + +**Step 4 –** Select the agent installation path. + +:::info +Use the default installation path. +::: + + +![Active Directory Connection page with blank text boxes](/images/activitymonitor/9.0/admin/agents/add/adconnectionblank.webp) + +**Step 5 –** On the Active Directory Connection page, enter the domain, and specify an account that +is a member of BUILTIN\Administrators group on the domain. Then, click **Connect**. 
+ +![Example of a successful connection on the Active Directory Connection page](/images/activitymonitor/9.0/admin/agents/add/adconnectionsuccessful.webp) + +When the connection is successful, the Next button is enabled. Click Next to continue. + +:::note +An Administrator’s credentials are required to test the connection to the server. This is +the only way to enable the Next button. +::: + + +![Domains to Monitor page](/images/activitymonitor/9.0/admin/agents/add/domainstomonitorpage.webp) + +**Step 6 –** On the Domains To Monitor page, available domains display in a list, checked by +default. Check/uncheck the boxes as desired to identify the domains to monitor, then click Next. + +![Domain Controllers to Deploy the Agent to page](/images/activitymonitor/9.0/admin/agents/add/dcstodeploytheagenttopage.webp) + +**Step 7 –** On the Domain Controllers to deploy the Agent to page, available domain controllers +display in a list, checked by default. Check/uncheck the boxes as desired to identify the domain +controllers where the AD agent is to be deployed. + +:::note +Agents can be gradually deployed, but the AD agent needs to be installed on all domain +controllers to monitor all activity of the domain. +::: + + +![Test Connection to Domain Controller](/images/activitymonitor/9.0/admin/agents/add/dcsdeployagentconnection.webp) + +**Step 8 –** Click the **Test** button to verify the connection to the domains selected. Once the +connection is verified, click **Next** to continue. + +![Windows Agent Settings Page](/images/activitymonitor/9.0/admin/agents/add/windowsagentsettingspage.webp) + +**Step 9 –** On the Windows Agent Settings page, there are two settings to configure. + +- Add Windows file activity monitoring – Select the check box to add Windows file activity + monitoring after installing the agent. By default a new agent install monitors nothing. 
If + administrators want to monitor file activity on Windows servers, it is easier to enable it after + installation of the agent. Windows file activity monitoring can be enabled and configured later in + the console. +- Management Group – By default, the agent only accepts commands from members of the + BUILTIN\Administrators group. Less privilege accounts can be configured to manage the agent with + the Management Group setting. Keep in mind that only administrators can install, update and + uninstall the agent. + +**Step 10 –** Click **Finish**. The Add New Agent(s) window closes, and the activity agent is +deployed to and installed on the target host. + +During the installation process, the status will be Installing. If there are any errors, the +Activity Monitor stops the installation and lists the errors in the Agent messages box. + +![AD Agent Installed](/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp) + +When the AD agent installation is complete, the status changes to **Installed** and the agent +version populates in the AD Module column. The next step is to configure the domains to be +monitored. See the [Monitored Domains Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/overview.md) section for +additional information. diff --git a/docs/activitymonitor/9.0/admin/agents/linux.md b/docs/activitymonitor/9.0/admin/agents/linux.md new file mode 100644 index 0000000000..832d088cec --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/linux.md 
@@ -0,0 +1,138 @@ +--- +title: "Linux Agent Deployment" +description: "Linux Agent Deployment" +sidebar_position: 30 +--- + +# Linux Agent Deployment + +**Understanding Linux File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Manager + +Prior to adding a Windows host to the Activity Monitor, the prerequisites for the target environment +must be met. See the [Linux Agent Server Requirements](/docs/activitymonitor/9.0/requirements/linuxagent.md) topic +for additional information. + +## Deploy Linux Agent + +Follow the steps to deploy the agent to the Linux host. + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent page of the Add New Agent(s) Wizard](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** On the Install New Agent page, enter the server name for the Linux host. Click +**Next**. + +![Specify Agent Port](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** On the Agent Port page, specify the port to be used by the new agent. The default port +is **4498**. Click **Next**. + +![Credentials to Connect](/images/activitymonitor/9.0/admin/agents/add/credentialsservers.webp) + +**Step 4 –** On the Credentials To Connect To The Server(s) page, connect to the Linux Server using +either a **User name** and **Password**, or a Public Key. 
+ +The options for connecting with a Password are: + +- User name +- Password + +![Public Key Credentials](/images/activitymonitor/9.0/admin/agents/add/publickey.webp) + +The options for connecting with a Public Key are: + +- User name +- Private Key + +![Client Certificate Credentials](/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp) + +To connect with a Client Certificate, select the **Client Certificate** (for already installed +agents) option. Run the following commands on the Linux machine: + +``` +cd /usr/bin/activity-monitor-agentd/ +./activity-monitor-agentd create-client-certificate --name [name] +``` + +The Client Certificate option adds an already installed agent to the console without using SSH. + +To connect with a public key, select the **Public Key** option. Copy the following command into a +command prompt to generate ECDSA key for public key option: + +``` +ssh-keygen -m PEM -t ecdsa +``` + +Netwrix Activity Monitor requires to generate ECDSA Key with a blank passphrase + +``` +cat ~/.ssh/id_ecdsa.pub >> ~/.ssh/authorized_keys +``` + +:::note +It is required to add public key to authorized keys for Activity Monitor. By default, a +private key is generated at ~/.ssh/id_ecdsa location along with the public key (.pub file). A user +can use a different file location. Copy the following command into a command prompt to generate a +private key for Activity Monitor to use: +::: + + +``` +cat ~/.ssh/id_ecdsa +``` + +**Step 5 –** Click **Connect** to test the connection. If the connection is successful, click +**Next**. If the connection is unsuccessful, see the status message that appears for information on +the failed connection. + +![Linux Agent Options](/images/activitymonitor/9.0/admin/agents/add/linuxagentoptions.webp) + +**Step 6 –** On the Linux Agent Options page, select which user name to use to run the daemon. To +use root, leave the **Service user name** field blank. Click **Test** to test the connection. 
+ +**Step 7 –** Click **Finish**. The Add New Agent(s) window closes, and the activity agent is +deployed to and installed on the target host. + +During the installation process, the status will be **Installing**. If there are any errors, +Activity Monitor stops the installation and lists the errors in the **Agent messages** box. + +![Linux Agent Installed](/images/activitymonitor/9.0/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp) + +When the Linux agent installation is complete, the status changes to **Installed**. The Monitored +Host is also configured, and the added Linux host is displayed in the monitored hosts table. See the +[Monitored Hosts & Services Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/overview.md) topic for additional information. + +Once a host has been added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for additional information. + +:::info +Activity Monitor Agent uses certificates to secure the connection between the Linux Agent and the Console / API Server. +By default, the Agent uses an automatically generated self-signed certificate. The Console and the API Server do not enforce +validity checks on these self-signed agent certificates. + +This self-signed certificate can be replaced with one issued by a Certification Authority. Once replaced, the Console and +the API Server will ensure the validity of the agent’s certificates. + +See the [Certificate](/docs/activitymonitor/9.0/admin/agents/properties/certificate.md) topic for additional information. +::: + +## Host Properties for Linux + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional +information. diff --git a/docs/activitymonitor/9.0/admin/agents/multiple.md b/docs/activitymonitor/9.0/admin/agents/multiple.md new file mode 100644 index 0000000000..52803fff42 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/multiple.md 
@@ -0,0 +1,144 @@ +--- +title: "Multiple Activity Agents Deployment" +description: "Multiple Activity Agents Deployment" +sidebar_position: 20 +--- + +# Multiple Activity Agents Deployment + +Before deploying the activity agent, ensure all Prerequisites are met, including those for NAS +devices when applicable. Follow the steps to deploy the activity agent to a multiple Windows +servers. See the [Activity Agent Server Requirements](/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md) topic +for additional information. + +:::note +These steps are specific to deploying activity agents for monitoring supported target +environments. +::: + + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** On the Install new agent page, click the install agents on multiple hosts link to +deploy activity agents to multiple hosts. + +![Specify Agent Port page - specify port that should be used by new agent](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** On the Specify Agent Port page, specify the port that should be used by the new agent. +The default port is 4498. Click **Next**. + +![Install Agents on Multiple Hosts page](/images/activitymonitor/9.0/admin/agents/add/installagentsonmultiplehosts.webp) + +**Step 4 –** Windows or Linux hosts can be entered as either a name or an IP Address. The options +are: + +- Add server — Opens the Host name or IP address window. See the Manual Entry topic for additional + information. +- Remove — Removes an entered host name or IP address from the table +- Import — Opens the Import from file window. See the Import a List topic for additional + information. + +There are two methods for adding multiple hosts are: + +**Manual Entry** + +Use **Manual Entry** to manually type the host names or IP addresses of the servers to be monitored. 
+ +![Enter Host Name or IP Address window](/images/activitymonitor/9.0/admin/agents/add/hostnameoripaddresswindow.webp) + +For Manual Entry, the options are: + +- Click Add server. The Host name or IP Address window opens. +- Enter the servers, separating the hosts with spaces, commas, or semicolons. + - (Optional) A multi-line list can be pasted into this textbox. When the servers have been + entered, click OK. The Host name or IP address window closes and the identified servers are in + the list. + +**Import a List** + +Use **Import a List** to import host names or IP addresses from an external source. + +![Import Hosts from a CSV File window](/images/activitymonitor/9.0/admin/agents/add/importhostsfromacsvfilewindow.webp) + +For Import a List: + +- Click Import. The Import from file window opens. +- Enter the file path, or use the ellipsis (…) to navigate to the file. +- Identify the Separator used on the file (Comma, Semicolon, Tab, or Space). This is set to + **Comma** for CSV format by default. +- If the first row of the file contains column headers, then check the First row contains field + names box. If there are no column headers, uncheck this box. +- A preview of the selected file displays. Select the column with the host names. +- Click OK. The Import from file window closes and the identified servers are in the list. + +The Activity Monitor will monitor the Host Names or IP Address added to the **Install Agents on +Multiple Hosts** table. Click **Next**. + +![Credentials to Connect to the Server(s) window](/images/activitymonitor/9.0/install/agent/credentials.webp) + +**Step 5 –** On the Credentials To Connect To The Server(s) page, connect to the server using either +a **User name** and **password**, a Public Key, or a Client Certificate. 
+ +The options for connecting with a Password are: + +- User name +- Password + +![Credentials to Connect to the Server(s) ](/images/activitymonitor/9.0/admin/agents/add/publickey.webp) + +The options for connecting with a Public Key are: + +- User name +- Private Key + +- Use the Public Key option to install an agent using SSH + +![clientcertificate](/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp) + +To connect with a Client Certificate, select the Client Certificate (for already installed agents) +option. Copy the following command into a command prompt: + +**activity-monitor-agentd --create-client-certificate --client-name [NAME]** + +Using an existing Client Certificate installs a new agent without using SSH. + +**Step 6 –** Click **Connect** to test the connection. If the connection is successful, click +**Next**. + +The credentials are tested against each server added on the **Install Agent(s) on Multiple Hosts** +page. If the connection is unsuccessful, see the status message that appears for information on the +failed connection. Activity agents are only successfully deployed for servers where the test status +returns Ok. Failed deployments can be retried through the Connection tab of the agent’s Properties +window. When one or more of the connections are successful, click Next. + +![Agent Installation Path page](/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp) + +**Step 7 –** On the Agent Install Location page, browse to theselect the agent installation path. +The default path is `C:\Program Files\Netwrix\Activity Monitor\Agent`. Click **Next**. 
+ +![Windows Agent Settings](/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp) + +**Step 8 –** On the Windows Agent Settings window, configure the following options: + +- Add Windows file activity monitoring after installation — Check the Add Windows file activity + monitoring after installation checkbox to enable monitoring all file system activity on the + targeted Windows server after installation. +- Management Group — By default, the agent only accepts commands from members from the + BUILTIN\Administrators group. Less privileged accounts can be used to manage the agent with the + Management group setting. Keep in mind that an administrator account must be used to install, + upgrade, or uninstall an agent. + +**Step 9 –** Click Finish. The Add New Agent(s) window closes, and the activity agent is deployed to +and installed on the target host. + +During the installation process, the status will be **Installing**. If there are any errors, the +Activity Monitor stops the installation for that host and lists the errors in the **Agent messages** +box. + +![Multiple Agents Installed](/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp) + +When the activity agent installation completes, the status changes to **Installed** and the activity +agent version populates. The next step is to add hosts to be monitored. See the +[Monitored Hosts & Services Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/agents/overview.md b/docs/activitymonitor/9.0/admin/agents/overview.md new file mode 100644 index 0000000000..99ba201135 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/overview.md 
@@ -0,0 +1,72 @@ +--- +title: "Agents Tab" +description: "Agents Tab" +sidebar_position: 10 +--- + +# Agents Tab + +The **Agents** tab is used to deploy activity agents and manage settings. This is the only tab +available until an agent is installed. + +![Image of Agents Home Page](/images/activitymonitor/9.0/admin/agents/agentaddedfinalimage.webp) + +The Agents tab is comprised of a button bar, a table of servers hosting activity agents, and an +Agent Messages box. The button bar allows users to take the following actions: + +- Add Agent – Opens the Add New Agent(s) window to deploy the activity/AD agent to a single server + or to multiple servers at the same time. The following sections provide additional information: + + - [Single Activity Agent Deployment](/docs/activitymonitor/9.0/admin/agents/single.md) + - [Multiple Activity Agents Deployment](/docs/activitymonitor/9.0/admin/agents/multiple.md) + - [Active Directory Agent Deployment](/docs/activitymonitor/9.0/admin/agents/activedirectory.md) + - [Linux Agent Deployment](/docs/activitymonitor/9.0/admin/agents/linux.md) + +- Remove – Opens the Remove Agents window where users can choose to remove the hosting server + from the activity agents table or uninstalling the activity agent from the hosting server + before removing the activity agent from the table. See the + [Remove Agents](/docs/activitymonitor/9.0/install/upgrade/removeagent.md) topic for additional information. + +- Edit – Opens the selected server’s Properties window to modify the server name or credentials. See + the [Agent Properties Window](/docs/activitymonitor/9.0/admin/agents/properties/overview.md) topic for additional information. +- Start pending AD Module – Starts the Active Directory monitoring module, which is part of the Activity Monitor Agent, when the module is in a pending (not yet started) state. 
+ + - Occasionally, a Microsoft Security Bulletin that affects LSASS can interfere with the AD module’s instrumentation, causing LSASS to shut down. + The AD module monitors for LSASS process termination shortly after a server reboot. + It can be configured to run in Safe Mode to prevent the operating system from loading the AD monitoring module if the versions of the DLLs that the module hooks into have changed since the last restart. + +- Install – Deploy or upgrade an activity agent to the selected host +- Upgrade – [When Agent Status is Outdated] Replaces outdated activity agent with current version +- Update AD Module Installer – Allows you to select the newer AD Module installer. A confirmation + window then opens and identifies the new installer version. See the + [Update AD Module Installer](/docs/activitymonitor/9.0/install/upgrade/updateadagentinstaller.md) topic for additional + information. +- Refresh all – Refresh the status of all activity agents + +The table of servers hosting activity agents provides the following information: + +- Server Name – Name or IP Address of the server hosting an activity agent +- Status – Status of the deployed activity agent(s) + + :::note + If the AD agent has been deployed, a status of “outdated” could apply to either the + activity agent or the AD agent installed on the domain controller. 
+ ::: + + +- Version – Version of the deployed activity agent +- AD Module – Version of the deployed AD Module, used for Active Directory monitoring +- Domain – Name of the domain +- Messages – Count of the number of error and warning messages for the selected server +- Archive Location – If archiving is enabled for the activity agent, displays the archive file path +- Archive Size – If archiving is enabled for the activity agent, displays the archive size + +![Agent Messages](/images/activitymonitor/9.0/admin/agents/agentmessages.webp) + +The **Agent messages** box displays any error or warning messages from the selected activity agent. +These messages are related to deployment/installation, communication between the Console and the +Activity Agent, and upgrade of an agent. + + +For additional information on how to deploy agents manually, see the +[Agent Information](/docs/activitymonitor/9.0/install/agents/agents.md) topic. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/_category_.json b/docs/activitymonitor/9.0/admin/agents/properties/_category_.json new file mode 100644 index 0000000000..7f658621ec --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Agent Properties Window", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/agents/properties/activedirectory.md b/docs/activitymonitor/9.0/admin/agents/properties/activedirectory.md new file mode 100644 index 0000000000..12b48125b0 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/activedirectory.md 
@@ -0,0 +1,83 @@ +--- +title: "Active Directory Tab" +description: "Active Directory Tab" +sidebar_position: 10 +--- + +# Active Directory Tab + +The Active Directory tab provides options to configure the agent settings for monitoring an Active +Directory domain controller. These settings are part of the Active Directory monitoring and can only +be enabled for agents on domain controllers. + +![Agent Properties - Active Directory Tab](/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp) + +The Agent Settings allow users to control the AD agent’s properties: + +- Harden the Agent – Protects the AD agent from being altered, stopped, or started from within the + local Service Control Manager +- Safe Mode – If selected, the AD agent checks LSASS versions upon start up. Any change in LSASS + since the previous start prevents the monitoring modules from loading. + + :::note + This is a safety measure that disables monitoring if the environment changes as in + rare cases the instrumentation may cause LSASS crashes. Should the version change occur, a + warning will be shown next to the agent on the Agents page. The **Start pending AD Module** button + allows you to force the agent to enable monitoring. + ::: + + +- Enable DNS Host Name Resolution – If selected, the AD agent looks up the missing data (a NetBIOS + name, a Fully Qualified Domain Name, or an IP Address) that is missing fromthe event + + :::note + This provides more uniform data, but may have a performance impact on the machine + where the AD agent is deployed, especially if that machine does not handle the name resolution + locally. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## Advanced Active Directory Monitoring using Threat Prevention + +More advanced Active Directory Monitoring features are available for use through Netwrix Threat Prevention. 
+See the following sections for additional information: + +- See the Configuring Threat Prevention to Send Active Directory Activity to the Activity Monitor + topic for additional information + +## Configuring Threat Prevention to Send Active Directory Activity to Activity Monitor + +Once the activity agent is deployed to a domain controller with an existing Threat Prevention agent, +a connection can be secured between both agents. Follow these instructions to configure the policy +used for Active Directory Activity Monitoring from the Threat Prevention Admin Console. + +**Step 1 –** Configure the File, Syslog, or Threat Manager outputs on the Monitored Domains Tab in +the Activity Monitor Console. See the +[Output for Monitored Domains](/docs/activitymonitor/9.0/admin/monitoreddomains/output/output.md) topic for additional information. + +**Step 2 –** Within the Threat Prevention Admin Console, select the Threat Manager Event Sink +Configuration Window option under the Configuration menu, and enter `amqp://localhost:4499` within the +Threat Manager URI field on the pop-up window. Then click Save. + +**Step 3 –** Still within Threat Prevention, create a New Policy or select an existing one to send +Active Directory events data to Activity Monitor. See the Navigation Pane Right-Click Commands +section of the +[Netwrix Threat Prevention Documentation](https://docs.netwrix.com/docs/threatprevention/7_5) +for additional information. + +**Step 4 –** Enter a description within the General Tab of the New Policy Configuration page to +identify the AD Module policy settings. Click the button in front of the policy status to toggle +from Disabled to Enabled. + +**Step 5 –** On the Event Type Tab, add events and objects to monitor. Click the AD Operations to +include in the policy. + +**Step 6 –** Under the Actions Tab, check the **Send to Threat Manager** checkbox to enable sending +Active Directory Activity events data to Activity Monitor. 
Click Save + +See the +[Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) +for additional information on policy configurations. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/additionalproperties.md b/docs/activitymonitor/9.0/admin/agents/properties/additionalproperties.md new file mode 100644 index 0000000000..600db09f0d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/additionalproperties.md 
@@ -0,0 +1,87 @@ +--- +title: "Additional Properties Tab" +description: "Additional Properties Tab" +sidebar_position: 20 +--- + +# Additional Properties Tab + +The Additional Properties Tab provides additional configuration options for the agent. The tab +varies based on the type of agent selected. + +## For Activity Agent + +The Additional Properties tab for the Activity Agent has the following configuration options: + +![Agent Additional Properties Tab](/images/activitymonitor/9.0/admin/agents/properties/additionalpropertiestab.webp) + +- Comment – Create an annotation for the agent in the **Comment** text box. Annotations entered here + will appear in the Comment column in the table on the Agents tab. +- Agent's Trace Level – Select a trace level for the agent log from the drop-down list: + + - Same Level as the Console (uses the global level selected in the console) + - Trace (the most verbose) many collection points and can slow down + + :::warning + Selecting the **Trace** option can slow down collection due to the large amount + of data points + ::: + + + - Debug + - Info (recommended) + - Warning + - Error + - Fatal + +In certain situations, the trace logs are not enough to identify issues. Collect extended debugging +data (ETW) can be useful for problems related to the following: + +- Not getting events +- Missing event attributes +- Getting unexpected events +- High RAM/CPU caused by SBTService +- Issues caused by Antivirus or Backup software + +When this is needed, enable the **Collect extended debugging data (ETW) from the Windows driver when +the Trace level is activated** option to diagnose these problems. + +:::warning +Selecting this option collects a large amount of data. Therefore, it is important to +enable it only for short periods of time. Otherwise, the trace file may overflow with data. +::: + + +In general for troubleshooting, start with trace logs. 
If the root cause of the problem might be a +low-level functionality the driver, then the ETW logs must be enabled. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## For Linux Agent + +The Additional Properties tab for the Linux Agent has the following configuration options: + +![Linux Agent Additional Properties Tab](/images/activitymonitor/9.0/admin/agents/properties/linuxagentadditionalpropertiestab.webp) + +- Comment – Create an annotation for the agent in the **Comment** text box. Annotations entered here + will appear in the Comment column in the table on the Agents tab. +- Agent's Trace Level – Select a trace level for the agent log from the drop-down list: + + - Same Level as the Console (uses the global level selected in the console) + - Trace (the most verbose) many collection points and can slow down + + :::warning + Selecting the **Trace** option can slow down collection due to the large amount + of data points + ::: + + + - Debug + - Info (recommended) + - Warning + - Error + - Fatal + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/adusers.md b/docs/activitymonitor/9.0/admin/agents/properties/adusers.md new file mode 100644 index 0000000000..512720dcf5 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/adusers.md 
@@ -0,0 +1,35 @@ +--- +title: "AD Users Tab" +description: "AD Users Tab" +sidebar_position: 30 +--- + +# AD Users Tab + +Use the AD Users tab to customize Active Directory service queries and caching behavior. + +![AD Users Tab](/images/activitymonitor/9.0/admin/agents/properties/aduserstab.webp) + +The configurable options are: + +- Domain Controllers (IPs and FQDNs) – IP addresses or FQDN of domain controllers. IP addresses or + FQDN should be entered as separate addresses with space, comma (,), semicolon (;), or a multi-line + list. Leave the box blank to use the default domain controller. +- Lookup timeout – Specify the time for look-up timeout in milliseconds. The default is 2000 + milliseconds. If a query fails to complete in the specified interval then the product reports an + empty username or a previous result from the cache. The product continues to wait for a response + in the background so that further events can use the resolution result. +- Cache TTL for successful results –Specify the caching interval (time-to-live) for successful AD + responses.The default is 10 hours. When an AD query returns a valid username or SID, the response + is cached for the specified time. It is recommended to use large TTL values as the user + information does not often change. +- Cache TTL for failed results – Specify the caching interval (time-to-live) for failed AD + responses. The default is 1 minute. When an AD query cannot resolve a SID or username, the failed + result is cached for the specified time. Caching of failed responses helps to reduce the load on + domain controllers and improve performance of event processing. Short TTL values are recommended + to make the product report accurate user information. +- Maximum cache size – Specify the maximum cache size for both successful and failed responses. The + default is 300000. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. 
diff --git a/docs/activitymonitor/9.0/admin/agents/properties/apiserver.md b/docs/activitymonitor/9.0/admin/agents/properties/apiserver.md new file mode 100644 index 0000000000..43c5ffc223 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/apiserver.md 
@@ -0,0 +1,66 @@ +--- +title: "API Server Tab" +description: "API Server Tab" +sidebar_position: 40 +--- + +# API Server Tab + +The API Server Tab provides options to configure API server settings to send information about +agents, agent configuration, and agent data to applications remotely. If an application wants to +read the activity data using the API, the API Server must be enabled on each agent collecting +activity. + +![API Server Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/apiservertab.webp) + +Check the Enable API access on this agent box to utilize the options on this tab: + +- API server port (TCP): [number] (from 1000 to 65535) – Enter the API server port. The default + is 4494. +- Configure what applications have access to the API – Specifies which API servers can be included + or excluded from receiving event data. + - Add Application – Click Add Application to open the Add or edit API client window to add an + Application name to the list + - Remove – Select an Application Name and click Remove to remove an Application name from the + list + - Edit – Select an Application Name and click Edit... to open the Add or edit API client window + for that Application Name + +Grant or revoke access to the API Server by registering applications. + +![Add or Edit API Client popup window](/images/activitymonitor/9.0/admin/agents/properties/addoreditapiclient.webp) + +Click Add Application to open the Add or edit API client window. + +- Application name – Name of application to provide read-only access to +- Permissions – list of permissions for Activity Monitor  through API Server + - Access activity data – Provides a read-only access to the activity log files of the agent + hosting the API Server. The access is provided to the files stored on the agent's server or on + the archival network share. 
The permission also provides minimal and read-only access to + configuration of monitored hosts/domain, enough to match the monitored hosts/services to their log + files. + - Read – Provides a read-only access to the list of the agents and their configuration settings; + configuration of monitored domains; configuration of monitored hosts/services. The permission does not + provide access to the saved passwords or other secrets. + - Policy change - Provides permissions required to update the AD Monitoring domain configuration + settings + - Modify host - Provides permissions required to update the monitored hosts/services settings + - Modify agent - Provides permissions required to update the agent hosts settings +- Client ID/Generate – Generate button creates a new Client ID and Client Secret (password) + credentials for applications to access API server +- Client Secret/Copy – Copy button copies the Client ID and Client Secret (password) into its + respective textbox after the application is added or the Generate button is pressed +- Secret Expires – Displays the number of days until the Client Secret expires before activated. The + default is 3 days. + +The options below the API Application Access window are: + +- Managing console/Use this console – Use this console button enters the host name of the Activity + Monitor Console within the textbox +- IPv4 or IPv6 whitelist – IP Addresses of the remote hosts, which are allowed to connect to the API + port, can be whitelisted by entering them in the box. IP Addresses should be entered as separate + addresses with space, comma (,), semicolon (;), or a multi-line list. Leave the box blank to + accept connections from any hosts. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. 
diff --git a/docs/activitymonitor/9.0/admin/agents/properties/archiving.md b/docs/activitymonitor/9.0/admin/agents/properties/archiving.md new file mode 100644 index 0000000000..7d4d7e0f60 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/archiving.md 
@@ -0,0 +1,53 @@ +--- +title: "Archiving Tab" +description: "Archiving Tab" +sidebar_position: 6 +--- + +# Archiving Tab + +By default, the Activity Monitor keeps the activity logs on the servers where the activity agents +are deployed. The Archiving tab provides users with options to enable archiving for the activity +agent and move the archived files to another location on the server or to a network location. + +![Archiving Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/archiving_tab.webp) + +The Days to keep Log files option, listed under the Log Files tab within Host Properties, applies to +Archive log files. When the entered number of days entered have passed, the activity logs and +Archive log files are deleted. The path to the Archive log files is next to the Configure button, +and listed under the Archive Location column within the Agents tab. + +Check the Enable archiving for this agent box to enable the options on this tab. The archive feature +is disabled by default. + +- Disk Quota — Maximum disk space the agent is allowed to use on the server it is installed on (at + least 100MB) – Select the number of megabytes or gigabytes. The default is 5 GB. +- Archive log files on this computer – Select to archive the logs on the server hosting this + activity agent. When archiving is enabled, this is the default selection. 
Click Configure to open + the Configure a network share on this computer window and provide the following information: + +![Popup window for Configure a network share on this computer option](/images/activitymonitor/9.0/admin/agents/properties/archivingtabconfigure.webp) + +The options in the Configure a network share on this computer window are: + +- Directory – Click the ellipsis (…) to browse to a location on the server +- Share name – Enter the share name for the archives +- Grant read access to – Click the ellipsis (…) to specify an account or group to be granted Read + and Write access to the archive + +The options below the **Configure** button are: + +- Archive log files on an UNC path (e.g. \\host-name.domain.local\share-name) – Click the ellipsis + (…) to browse for a location and select the UNC path +- User name/User password – Specify credentials to access the network share. Leave the credentials + blank to access the share using the credentials supplied for activity agent deployment. +- Test – Click Test to ensure a successful connection to the network share + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +:::note +Linux agents move activity logs to a set local path. Remote storage can be mounted to use +this path for archiving. + +::: diff --git a/docs/activitymonitor/9.0/admin/agents/properties/certificate.md b/docs/activitymonitor/9.0/admin/agents/properties/certificate.md new file mode 100644 index 0000000000..9f560cd421 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/certificate.md 
@@ -0,0 +1,153 @@ +--- +title: "Certificate Tab" +description: "Certificate Tab" +sidebar_position: 5 +--- + +# Certificate Tab + +Activity Monitor Agent uses certificates to secure the connection between the Linux Agent and the Console / API Server; +between NAS devices and the Agent; between the Agent and REST API users. + +By default, the Agent uses an automatically generated self-signed certificate. The Console and the API Server do not enforce +validity checks on these self-signed agent certificates. + +This self-signed certificate can be replaced with one issued by a Certification Authority. Once replaced, the Console and +the API Server will ensure the validity of the agent’s certificates. + + +## Certificate Status + +The details of the current Agent certificate can be accessed via the **Certificate** page within the Agent settings. +The Console displays the Subject, Issuer, validity period, and whether it is a self-signed certificate. +The **Status** field indicates the Console’s trust in the presented certificate. + +An 'untrusted' status indicates that the agent's certificate has either been modified since the agent was initially added +to the Console or its validity period has expired. + + +:::warning +An untrusted certificate will prevent the Console and API Server from connecting to the agent. +::: + +If the change was intentional, use the **Trust this certificate** button to validate the certificate. This action will +establish trust for self-signed certificates, or for the issuing Certificate Authority in the case of CA-issued certificates. + +To replace the current certificate, use the **Manage certificates…** button. + + +:::info +Both **Trust this certificate** and **Manage certificates** functions support batch execution for multiple selected agents. +Also, when multiple agents are selected, the certificate information will only include fields with identical values across +all selected certificates, which can aid in identifying differences. 
+::: + +## Using CA-issued Certificates + +The **Manage certificates...** button launches a wizard to replace the current certificate of the agent or selected agents +with certificates issued by your Certification Authority. The whole process involves four steps: + + +1. **Generate CSRs** + +The wizard will guide you through the generation of Certificate Signing Request (CSR) for each agent. +This CSR file will contain the agent’s hostname, FQDN, static IP addresses, optional attributes (organization, OU, country, state, locality), and the agent’s digital signature. The generated CSR files, named after their corresponding agents, will be saved to a specified directory. + +2. **Submit CSRs to the Certification Authority** + +The CSR files generated in the previous step must be manually submitted by a user to their Certification Authority. This process must be performed manually, outside of the Activity Monitor, due to the varying workflows and policies inherent to different Certification Authorities. +This step yields a set of certificate files for the agents issued by the Certification Authority based on the CSRs. The CA certificate itself also needs to be collected. +Make sure that the agent certificates have the `Server Authentication` purpose listed in the Extended Key Usage extension and have DER or PEM encoding. + +If you are using OpenSSL’s Micro CA, you can generate a certificate from a CSR file using the `x509 -req` command. + +``` +openssl x509 -req -in AGENT01.req -CA ca.crt -CAkey ca.key -out AGENT01.crt -CAcreateserial -copy_extensions copyall +``` + +3. **Apply Certificates** + +Launch the wizard again to apply the new certificates to the agents. You will be prompted to select the CA certificate file and the directory +containing the certificate files for the agents. 
By using the **Verify Files** button, the product will validate the certificates, +confirming issuance by the specified CA, the correct association with the agents and their private keys, and their validity period. + +Upon successful validation, the Console will permit the immediate application of the certificates via the **Apply Certificates** button. +Failed application can be retried. + +4. **Update Other Console Instances (optional)** + +If your deployment includes multiple Console instances, each instance must be updated to trust the new certificates via the **Trust this certificate** button. + +## Using Self-Signed Certificates + +The **Manage certificates** wizard can be used to switch to automatically generated self-signed certificates. The wizard presents two options: + +1. **Use existing self-signed certificates** +2. **Generate new private key and self-signed certificate** + +The first option attempts to locate and apply a previously generated self-signed certificate, if one exists, that was in use prior +to application of a CA-issued certificate. If the certificate does not exist, a new one will be created. + +This approach may be beneficial in deployments with multiple instances of the Console or API Server that still rely on this specific +self-signed certificate, so its restoration would reinstate their operational status. + +The second option will generate a new private key and a corresponding self-signed certificate for the agent. +In the event of a suspected compromise of the agent's private key, this option should be employed. + +The **Apply Changes** button immediately applies the changes to the agents. + +If your deployment includes multiple Console instances, each instance must be updated to trust the new certificates via the **Trust this certificate** button. + + +## **Command-Line Interface** + +For automated deployments, the agent executable provides a Command-Line Interface offering equivalent functionality to the Console. 
+All CLI commands return a non-zero exit code upon failure and output error details in JSON format.  + +### **Get current certificate** + +Command: `certificate-get` - Prints the current agent’s certificate. + +Parameters: + +* `out-file` (optional) - Path to a file where the certificate will be written. If the file exists, it will be overwritten. +If not provided, the certificate content is printed to the standard output. + +### **Generate CSR** + +Command: `certificate-create-csr` - Generates a Certificate Signing Request (CSR) for the agent. + +Parameters: + +* `out-file` (optional) - Path to a file where the CSR will be written. If the file exists, it will be overwritten. +If not provided, the CSR content is printed to the standard output. +* `common-name` (optional) - Common Name. If not specified, the server’s FQDN is used. +* `organization` (optional) - Organization name. +* `organization-unit` (optional) - Organization Unit. +* `country` (optional) - Country name. +* `state` (optional) - State name. +* `locality` (optional) - Locality name. +* `alternative-names` (optional) - A comma-separated list of Subject Alternative Names. If not specified, server’s hostname, +FQDN, and static IP addresses are added to the SAN list. + +### **Apply Certificate** + +Command: `certificate-apply` - Applies the certificate issued by a Certification Authority. + +Parameters: + +* `ca-file` - Path to the CA certificate file. +* `file` - Path to the agent's certificate file to apply. +* `what-if` (optional) - If specified, the CA and agent certificates are validated, but the new certificate is not applied. +Use this option to check the certificates before applying. + +### **Use Self-Signed Certificate** + +Command: `certificate-apply-self-signed` - Applies an automatically generated self-signed certificate. +The command will attempt to use an existing self-signed certificate, if one exists. 
+ +Parameters: + +* `rekey` (optional) - If specified, a new private key and a new self-signed certificate will be generated. +Otherwise, the command will first attempt to use an existing self-signed certificate. If no existing certificate is found, +a new certificate will be created using the existing private key. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/connection.md b/docs/activitymonitor/9.0/admin/agents/properties/connection.md new file mode 100644 index 0000000000..3434ba242b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/connection.md 
@@ -0,0 +1,119 @@ +--- +title: "Connection Tab" +description: "Connection Tab" +sidebar_position: 1 +--- + +# Connection Tab + +The Connection tab allows users to modify the agent host server name and the credentials used for +installation and communication. The tab varies based on the type of agent selected. + +## For Activity Agent + +The server name can be modified in the text box. Modifying the name value does not move the activity +agent to a new server. The credentials can be updated or modified as well. + +:::tip +Remember, **Test** the credentials before clicking OK to ensure a successful connection. +::: + + +![Connection Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/connectiontab.webp) + +Agent server fields: + +- Server name – Name or IP address of the server where the agent is deployed +- Port – Port the agent uses for communication with the application + +Credential fields: + +- User name – Account provisioned for use by the agent +- Password – Password for the supplied User name + +**Permissions** + +This account must be: + +- Membership in the local Administrators group + +If the user name is not specified, the currently logged in user's account will be used. + +**Less Privileged Permissions Option** + +By default, the agent accepts commands only from members of the local Administrators group. You can +allow less privileged accounts to manage the agent with the **Management Group** option. Keep in +mind that you still need to be an administrator to install, upgrade, or uninstall the agent. The +Management Group applies to the users of the console and API servers. The Management Group does not +restrict access to the agents, but grants access to its members in addition to existing members of +the local Administrators group. + +The Specify account or group window is opened from a field where a Windows account is needed. 
+ +![Specify Account or Group popup window](/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp) + +Follow the steps to use this window. + +**Step 1 –** Select the Domain from the drop-down menu. + +**Step 2 –** Enter the Account in the textbox. + +- Accounts can be entered in NTAccount format, UPN format, or SID format. +- Use the ellipsis (…) button to open the Select Users, Computers, Service Accounts, or Groups + window to browse for an account. + +**Step 3 –** Then click Resolve. A message displays indicating whether or not the account could be +resolved. + +**Step 4 –** If successful, click OK. + +The Specify account or group window closes, and the account is added to the field where the window +was opened. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## For Linux Agent + +The server name can be modified in the text box. Modifying the name value does not move the Linux +agent to a new server. The credentials can be updated or modified as well. + +:::tip +Remember, **Test** the credentials before clicking OK to ensure a successful connection. 
+::: + + +![linuxconnectiontab](/images/activitymonitor/9.0/admin/agents/properties/linuxconnectiontab.webp) + +Agent server fields: + +- Server name – Name or IP address of the server where the agent is deployed +- Port – Port the agent uses for communication with the application + +Credential fields: + +- User name – Account provisioned for use by the agent +- Password – Password for the supplied User name + +**Permissions** + +This account must be: + +- Root privileges with password (or SSH private key) + +The **Trace level** option configures the level for the agent log it includes the following levels: + +- Same Level as the Console (uses the global level selected in the console) +- Trace (the most verbose) many collection points and can slow down + + :::warning + Selecting the **Trace** option can slow down collection due to the large amount of + data points + ::: + + +- Debug +- Info (recommended) +- Warning +- Error +- Fatal diff --git a/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md b/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md new file mode 100644 index 0000000000..ee42ca935b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md 
@@ -0,0 +1,244 @@ +--- +title: "Dell CEE Options Tab" +description: "Dell CEE Options Tab" +sidebar_position: 70 +--- + +# Dell CEE Options Tab + +The Dell CEE Options tab provides options to configure Dell Common Event Enabler (CEE) settings for +monitoring Dell devices. File activity monitoring leverages the Dell CEE to deliver activity events +from Dell devices. + +CEE supports two protocols to deliver events to Activity Monitor: RPC and HTTP. An agent can receive +activity from several CEEs at the same time. Among them can be a local Windows CEE, remote Windows +and Linux CEEs. Windows versions of CEEs can use both RPC and HTTP protocols. Linux versions can +only support HTTP protocols. + +:::note +Dell CEE can be installed on the same host as the activity agent, or on a different host. +If it is installed on the same host, the activity agent can configure it automatically. +::: + + +![EMC CEE Options Tab](/images/activitymonitor/9.0/admin/agents/properties/emcceeoptionstab.webp) + +The options are: + +- Check CEE Status – Click the button to confirm the status of Dell CEE installed on the agent + server +- Choose the CEE event delivery mode: + + - Synchronous real-time delivery – Events are delivered immediately as they occur, one by one. + - Asynchronous bulk delivery (VCAPS) - Events are delivered in batches with a cadence based on a + time period or a number of events. As this mode provides better throughput, it is recommended + for heavily loaded servers. 
If selected, specify how often events are delivered by Dell CEE + using the following options: + + - Every [number] seconds (from 60 to 600) - Default is 60 seconds + - Or every [number] events (from 10 to 10000) - Default is 100 events + - The number of events and number of seconds, are used simultaneously, whichever is reached + first + +- Choose network protocols for event delivery: + + - Both – Delivers events via MS-RPC and HTTP protocol + - MS-RPC – Delivers events via the MS-RPC protocol (Windows versions of CEE only) + - HTTP – Delivers events via the HTTP protocol (Windows and Linux versions of CEE) + + - HTTP port – The port number to communicate with the agent. The default port number is + 4492, modify if needed. The agent will add the port to the firewall exclusions + automatically. + - IPv4 or IPv6 allowlist – Specify IP addresses of CEE instance that are allowed to connect + to the agent via the HTTP protocol. Leave blank to accept connections from any host. + +:::note +For Remote Windows CEE or Linux CEE, Manual Configuration is needed. +::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## Windows CEE Manual Configuration + +Windows CEE is configured with the windows registry and depends on the selected event delivery mode, +AUDIT or VCAPS. + +For the synchronous real-time delivery mode (AUDIT), use the following steps. + +**Step 1 –** Navigate to the following windows registry key +`HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration`. + +**Step 2 –** Set the `Enabled` parameter to 1. + +**Step 3 –** If the `EndPoint` parameter is empty, set it to the string listed below. If it is not +empty (i.e. some other 3rd party application is also receiving activity events from CEE), append the +following string to the existing `EndPoint` value, separating them with a semicolon. 
+ +- For the RPC protocol, `StealthAUDIT@ip-address-of-the-agent` +- For the HTTP protocol, `StealthAUDIT@http://ip-address-of-the-agent:port` + +**Step 4 –** Restart the CEE Monitor service. + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. + +**Step 1 –** Navigate to the following windows registry key +`HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration`. + +**Step 2 –** Set the `Enabled` parameter to 1. + +**Step 3 –** If the `EndPoint` parameter is empty, set it to the string listed below. If it is not +empty (i.e. some other 3rd party application is also receiving activity events from CEE), append the +following string to the existing `EndPoint` value, separating them with a semicolon. + +- For the RPC protocol, `StealthVCAPS@ip-address-of-the-agent` +- For the HTTP protocol, `StealthVCAPS@http://ip-address-of-the-agent:port` + +**Step 4 –** Set `FeedInterval` to how often, in seconds, information is sent from CEE to the +Activity Monitor. The default is 60 seconds. The range is from 60 seconds to 600 seconds. + +**Step 5 –** Set `MaxEventsPerFeed` to how many events must occur before information is sent from +CEE to Activity Monitor. The default is 100 events. The range is from 10 events to 10,000 events. + +:::note +The `FeedInterval` and `MaxEventsPerFeed` delivery cadences are used simultaneously. +::: + + +**Step 6 –** Restart the CEE Monitor service. + +:::note +All protocol strings are case sensitive. +::: + + +## Linux CEE Manual Configuration + +CEE binaries, configuration, and log files are located in `/opt/CEEPack` directory. + +**Step 1 –** Update the configuration file `/opt/CEEPack/emc_cee_config.xml`. + +**Step 2 –** Restart CEE with `/opt/CEEPack/emc_cee_svc restart` command. + +The CEE configuration file is located at` /opt/CEEPack/emc_cee_config.xml`. You need to add an +endpoint to the `EndPoint` node. 
In addition to the `EndPoint` node, you need to set `Enabled` to +`1` in either `Audit` or `VCAPS` if the Activity Monitor is the only application getting events from +the CEE. If there are multiple applications, enable the delivery modes accordingly. + +The EndPoint node's format is a semicolon-separated list of applications +in` PartnerId@http://address-of-the-app:port` format. + +For the Activity Monitor use the following strings: + +- For Audit, `StealthAUDIT@http://ip-address-of-the-agent:port` +- For VCAPS, `StealthVCAPS@http://ip-address-of-the-agent:port` + +Here's an example for the synchronous delivery (Audit): + +```xml + + +**** + + + +**** + + + +**1** + +StealthAUDIT@http://[IP Address]:[Port] + +**** + + + +... + +**** + + + +**0** + +StealthVCAPS@http://[IP Address]:[Port] + +**60** + +100 + +**** + + + + +``` + +Here's an example for the asynchronous delivery (VCAPS): + +```xml + + +**** + + + +**** + + + +**0** + +StealthAUDIT@http://[IP Address]:[Port] + +**** + + + +... + +**** + + + +**1** + +StealthVCAPS@http://[IP Address]:[Port] + +**60** + +100 + +**** + + + + +``` + +Make sure to set `Enabled` to `1` only in `Audit` or `VCAPS` if Activity Monitor is the only product +receiving activity from CEE. Otherwise, enable the modes according to all product requirements. + +If you want to send activity to several 3rd party applications, separate them with semicolons. + +```xml + + +**** + +1 + +**Splunk@10.20.30.40:12345;StealthAUDIT@http://[IP Address]:[Port]** + + + + +``` + +:::note +All protocol strings are case sensitive. + +::: diff --git a/docs/activitymonitor/9.0/admin/agents/properties/diskquota.md b/docs/activitymonitor/9.0/admin/agents/properties/diskquota.md new file mode 100644 index 0000000000..695a8f4d98 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/diskquota.md 
@@ -0,0 +1,22 @@ +--- +title: "Disk Quota Tab" +description: "Disk Quota Tab" +sidebar_position: 7 +--- + +# Disk Quota Tab + +The **Disk Quota Tab** is used to limit the size of logs to save disk space. + +![diskquotatab](/images/activitymonitor/9.0/admin/agents/properties/diskquotatab.webp) + +The configurable options are: + +- Enable disk quota monitoring for this agent – Check the box to enable disk quota monitoring for + the agent +- Maximum disk space the agent is allowed to use on the server it is installed on (at least 100MB) – + Set the maximum disk space that is allowed to be used on the server to store log files. The + default value is **5 GB**. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/dns.md b/docs/activitymonitor/9.0/admin/agents/properties/dns.md new file mode 100644 index 0000000000..5f116d918b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/dns.md 
@@ -0,0 +1,48 @@ +--- +title: "DNS Tab" +description: "DNS Tab" +sidebar_position: 90 +--- + +# DNS Tab + +Use the DNS tab to customize how the agent queries and caches DNS results. + +![DNS Tab](/images/activitymonitor/9.0/admin/agents/properties/dnstab.webp) + +The configurable options are: + +- Enable local DNS cache service – Select this checkbox to enable the local DNS cache service. Leave + the option unchecked to disable the local DNS cache service. The DNS cache service proactively + updates data, keeping DNS records up to date and available for real-time event reporting. Use this + option if your DNS infrastructure cannot handle the load (requests take hundreds of milliseconds) + during peak hours. +- DNS servers (IPs) – IP addresses of the DNS servers to be used for look-ups. IP addresses should + be entered as separate addresses with space, comma (,), semicolon (;), or a multi-line list. Leave + the box blank to use the default DNS server. +- Lookup timeout – Specify the time for look-up timeout in milliseconds. The default is 1800 + milliseconds. If a DNS request fails to complete during the specified interval, the product + reports an empty host-name or a previous result from the cache. The product continues to wait for + a response in the background so that further events can use the result. +- Cache TTL for successful results – Specify the caching interval (time-to-live) for successful DNS + responses. The default is 1 hour. When a DNS query returns a valid IP address or host-name, the + response is cached for the specified time. The choice of TTL value depends on the environment: how + often IP addresses are reassigned; how much load the DNS server can handle. High TTL values reduce + the load on DNS servers but may result in stale data being reported. + If the DNS Cache service is used, the records are automatically updated when the TTL expires. 
+- Cache TTL for failed results – Specify the caching interval (time-to-live) for failed DNS + responses. The default is 1 minute. When a DNS query cannot resolve an IP address or host-name, + the failed result is cached for the specified time. Caching of failed responses helps to reduce + the load on DNS servers and improve performance of event processing. + If the DNS Cache service is used, the records are automatically updated when the TTL expires. +- Maximum cache size – Specify the maximum cache size. The default is 100000. +- Refresh throttle time – Specify the time interval between DNS queries that the DNS Cache service + uses to update expired records. The default is 1000 milliseconds. + If the DNS Cache service is used, the records are automatically updated when the TTL expires. This + option allows you to limit the number of DNS requests the service sends to update the cache. A + throttling period of 100 milliseconds will limit the update task to 10 requests per second. +- Parallelism – Specify how many DNS requests the DNS Cache service is allowed to send in parallel. + High values may overload DNS servers. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/inactivityalerts.md b/docs/activitymonitor/9.0/admin/agents/properties/inactivityalerts.md new file mode 100644 index 0000000000..bf22fbcd1b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/inactivityalerts.md 
@@ -0,0 +1,130 @@ +--- +title: "Inactivity Alerts Tab" +description: "Inactivity Alerts Tab" +sidebar_position: 100 +--- + +# Inactivity Alerts Tab + +The Inactivity Alerts tab, once enabled and configured, sends real-time alerts when the agent stops +receiving events for a specific time frame. The tab varies based on the type of agent selected. + +Check the **Enable Inactivity alerting for this agent** box to enable the options on this tab. + +![Inactivity Alerts Tab for Agent Properties](/images/activitymonitor/9.0/admin/agents/properties/inactivityalerts.webp) + +Once enabled, set the alerting parameters: + +- Length of inactivity – Enter the number of Minutes, Hours, or Days for inactivity before an alert + is triggered. The default is 6 Hours. +- Repeat an alert every – Enter the number of Minutes, Hours, or Days for an alert to be repeated if + inactivity continues. The default is 6 Hours. + +The two tabs at the bottom are for configuring the method used to send the alert: + +- Syslog Alerts – Configure the application to send alerts to a SIEM platform +- Email Alerts – Configure the application to send alerts through an SMTP server + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. + +## Syslog Alerts Tab + +The Syslog alert sends a notification that the activity agent has not received event data for the +configured interval. The alert is sent to the Syslog configured on the **Syslog Alerts** tab. + +![inactivityalertssyslogalerts](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalerts.webp) + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:PORT format + in the text box. The server name can be short name, fully qualified name (FQDN), or IP Address, as + long as the organization’s environment can resolve the name format used. +- Syslog protocol – Identify the **Syslog protocol** to be used for the alert. 
The drop-down menu + includes: + + - UDP + - TCP + - TLS + + :::note + The TCP and TLS protocols add the **Message framing** drop-down menu. **Message + framing** options include: + ::: + + + - LS (ASCII 10) delimiter + - CR (ASCII 13) delimiter + - CRLF (ASCII 13, 10) delimiter + - NUL (ASCII 0) delimiter + - Octet Count (RFC 5425) + +- Test Button – The **Test** button sends a test message to the Syslog server to check the + connection. A connection status message displays with either a green check mark or a red X + identifying the success of the sent test message. Messages vary by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + +- Syslog Message Template – Select the **Syslog message template** to be used. Click the ellipsis + (…) to open the Syslog Message Template window. The Syslog template provided is **AlienVault / + Generic Syslog**. + +![Message Template popup window for Syslog Alerts](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp) + +Custom templates can be created. Select the desired template or create a new template by modifying +an existing template within the Syslog Message Template window. The new message template is named +Custom. + +Click **OK** to apply changes and exit, or **Cancel** to exit without saving any changes. + +## Email Alerts Tab + +The email alert sends a notification that the activity agent has not received event data for the +configured interval. The alert is sent to the configured recipients on the Email Alerts tab. + +![inactivityalertsemailalerts](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalerts.webp) + +- Syslog server in SERVER[:PORT] format – Type the **SMTP server name** with a SERVER:PORT format in + the text box. 
The server name can be short name, fully qualified name (FQDN), or IP Address, as + long as the organization’s environment can resolve the name format used. + + - Check the Enable TLS box if an SMTP server requires TLS protocol. + +- User Name/Password – Specify credentials to send email alert. If using the current agent’s machine + account, leave these fields blank. +- From email address – Enter the Sender’s email address +- To email address – Enter the Recipient’s email address. Multiple addresses are comma separated. + +![Email Alerts - Message Subject popup window](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp) + +- Message subject – Click the ellipsis (…) to open the Message Template window to customize the + subject. Macros can be used to insert + +![Email Alerts - Message Body popup window](/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp) + +- Message body – Click the ellipsis (…) to open the Message Template window to customize the body +- Test – The Test button sends a test message to the receiver’s email address to check the + connection. A connection status message displays with either a green check mark or a red X + identifying the success of the sent test message. + +Click **OK** to apply changes and exit, or **Cancel** to exit without saving any changes. + +## Macro Variables for Agents + +Macros are text strings that are replaced with actual values at run time. 
The following Macro +variables are available to customize the Syslog and Email message template: + +| Macro | Definition | +| --------------------------- | ------------------------------------------------------------- | +| %SYSLOG_DATE% | Date/Time of the alert (local time, Syslog format) | +| %TIME_STAMP% | Date/Time of the alert (local time) | +| %TIME_STAMP_UTC% | Date/Time of the alert (UTC) | +| %AGENT% | Agent host name | +| %PRODUCT% | Product name | +| %PRODUCT_VERSION% | Product Version | +| %INACTIVE_SERVER% | Host name of the monitored host which stopped sending events | +| %INACTIVE_SERVER_IP% | IP address of the monitored host which stopped sending events | +| %LAST_EVENT_TIME_STAMP% | Date/Time of the last received call (local time) | +| %LAST_EVENT_TIME_STAMP_UTC% | Date/Time of the last received event (UTC) | +| %INACTIVITY_PERIOD_MINUTES% | Period of inactivity in minutes | +| %INACTIVITY_PERIOD_HOURS% | Period of inactivity in hours | diff --git a/docs/activitymonitor/9.0/admin/agents/properties/linux.md b/docs/activitymonitor/9.0/admin/agents/properties/linux.md new file mode 100644 index 0000000000..bbf77a57d9 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/linux.md @@ -0,0 +1,17 @@ +--- +title: "Linux Tab" +description: "Linux Tab" +sidebar_position: 110 +--- + +# Linux Tab + +The service user name configured during agent installation can be updated on the Agent Properties +Linux Tab. + +![linuxtab](/images/activitymonitor/9.0/admin/agents/properties/linuxtab.webp) + +Enter a new service user name to run daemon and click **Test** to verify the connection. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.md b/docs/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.md new file mode 100644 index 0000000000..fca6569f53 --- /dev/null 
+++ b/docs/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.md @@ -0,0 +1,35 @@ +--- +title: "NetApp FPolicy Options Tab" +description: "NetApp FPolicy Options Tab" +sidebar_position: 120 +--- + +# NetApp FPolicy Options Tab + +The NetApp FPolicy Options tab provides options to configure FPolicy server settings for monitoring +a NetApp Data ONTAP Cluster-Mode device. + +![Agent Properties - NetApp FPolicy Options page](/images/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.webp) + +The available options are: + +- FPolicy server port (TCP): [number] (from 1000 to 65535) – Enter the FPolicy server port. The + default is 9999. +- FPolicy authentication – Select from the following options in the drop-down list. For TLS server + authentication, a Server certificate is required. For TLS, mutual authentication, a Server + certificate and Client certificate are required. + + - TCP, no authentication – Default setting, with no server authentication required + - TLS, server authentication – Click Server certificate to open the Server certificate window + and import a certificate + - TLS, mutual authentication – Click Server certificate to open the Server certificate window + and import a certificate, and Client certificate to open the Trusted client or CA certificate + window to import a certificate + +- IPv4 or IPv6 whitelist – IP Addresses of the Clustered Data ONTAP nodes, which are allowed to + connect to the FPolicy server, can be whitelisted by entering them in the box. IP Addresses should + be entered as separate addresses with space, comma, semicolon, or a multi-line list. Leave the box + blank to accept connections from any hosts. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. 
diff --git a/docs/activitymonitor/9.0/admin/agents/properties/network.md b/docs/activitymonitor/9.0/admin/agents/properties/network.md new file mode 100644 index 0000000000..7311fd90eb --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/network.md @@ -0,0 +1,20 @@ +--- +title: "Network Tab" +description: "Network Tab" +sidebar_position: 130 +--- + +# Network Tab + +Use the Network Tab to specify the network interface that NAS devices or API Server users use to +connect to this server. + +![Agent Properties - Network Tab](/images/activitymonitor/9.0/admin/agents/properties/networktab.webp) + +If an agent machine has multiple network adapters, network interfaces can be specified in the +Network Tab. Select a network interface option from the **Network Interface** dropdown menu. The +Network Interface is set to Auto Detect by default. **Auto Detect** will use the first network +adapter or IP address that is found. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/networkproxy.md b/docs/activitymonitor/9.0/admin/agents/properties/networkproxy.md new file mode 100644 index 0000000000..2fece877f8 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/networkproxy.md 
@@ -0,0 +1,32 @@ +--- +title: "Network Proxy Tab" +description: "Network Proxy Tab" +sidebar_position: 140 +--- + +# Network Proxy Tab + +Use the Network Proxy tab to set the proxy for connection to Microsoft Entra ID (formerly Azure AD) +and Office 365 monitoring. You can leave the properties blank to connect to Microsoft Entra ID +directly. + +![Agent Properties - Network Tab](/images/activitymonitor/9.0/admin/agents/properties/networkproxytab.webp) + +The configurable options are: + +- HTTP proxy server in SERVER[:PORT] format – Specify the IP address or name and the port number of + the proxy server to query Microsoft Entra ID and Office 365. You can leave this field blank to + disable HTTP proxy. +- Select one of the following checkboxes: + + - Authenticate as the agent's machine account + - Bypass the proxy server for local addresses + +- User name – Specify a user name for the proxy server +- User password – Specify a password for the user name +- Bypass list – Specify the Bypass list. This is a list of URIs that do not use the proxy server + when accessed. Multiple addresses can be entered separated by space, comma (,), semicolon (;), or + as a multi-line list. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/nutanix.md b/docs/activitymonitor/9.0/admin/agents/properties/nutanix.md new file mode 100644 index 0000000000..5d2e676f48 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/nutanix.md 
@@ -0,0 +1,28 @@ +--- +title: "Nutanix Tab" +description: "Nutanix Tab" +sidebar_position: 150 +--- + +# Nutanix Tab + +The Nutanix tab provides features to configure settings for monitoring Nutanix devices. + +![Agent Properties - Nutanix](/images/activitymonitor/9.0/admin/agents/properties/nutanix.webp) + +The available Agent server settings for Nutanix are: + +- Agent server port (TCP) – Enter the TCP port that Nutanix will use to connect to the agent. The + agent will add the port to the firewall exclusions automatically. The default is 4501. +- IPv4 or IPv6 allowlist – Specify the IP addresses of the Nutanix nodes, which are allowed to + connect to the agent server port. Multiple addresses can be entered separated by space, comma (,), + semicolon (;), or as a multi-line list. Leave the box blank to accept connections from any hosts. + + :::note + This setting is optional and it allows you to improve security by limiting the number + of IP addresses allowed to connect. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/overview.md b/docs/activitymonitor/9.0/admin/agents/properties/overview.md new file mode 100644 index 0000000000..59d2413086 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/overview.md 
@@ -0,0 +1,33 @@ +--- +title: "Agent Properties Window" +description: "Agent Properties Window" +sidebar_position: 50 +--- + +# Agent Properties Window + +On the Agents tab, the Edit button opens the agent’s Properties window, which contains the following +tabs: + +- [Connection Tab](/docs/activitymonitor/9.0/admin/agents/properties/connection.md) +- [Certificate Tab](/docs/activitymonitor/9.0/admin/agents/properties/certificate.md) +- [Archiving Tab](/docs/activitymonitor/9.0/admin/agents/properties/archiving.md) +- [Disk Quota Tab](/docs/activitymonitor/9.0/admin/agents/properties/diskquota.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/agents/properties/inactivityalerts.md) +- [Active Directory Tab](/docs/activitymonitor/9.0/admin/agents/properties/activedirectory.md) – AD Agent only +- [AD Users Tab](/docs/activitymonitor/9.0/admin/agents/properties/adusers.md) +- [API Server Tab](/docs/activitymonitor/9.0/admin/agents/properties/apiserver.md) +- [Dell CEE Options Tab](/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md) – Activity Agent only +- [DNS Tab](/docs/activitymonitor/9.0/admin/agents/properties/dns.md) +- [Linux Tab](/docs/activitymonitor/9.0/admin/agents/properties/linux.md) – Linux Agent only +- [NetApp FPolicy Options Tab](/docs/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.md) – Activity Agent only +- [Network Tab](/docs/activitymonitor/9.0/admin/agents/properties/network.md) +- [Network Proxy Tab](/docs/activitymonitor/9.0/admin/agents/properties/networkproxy.md) +- [Nutanix Tab](/docs/activitymonitor/9.0/admin/agents/properties/nutanix.md) – Activity Agent only +- [Panzura Tab](/docs/activitymonitor/9.0/admin/agents/properties/panzura.md) – Activity Agent only +- [Qumulo Tab](/docs/activitymonitor/9.0/admin/agents/properties/qumulo.md) – Activity Agent only +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/agents/properties/additionalproperties.md) + +Select the desired agent and 
click **Edit** to open the agent’s Properties window. + +![Properties Window](/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp) diff --git a/docs/activitymonitor/9.0/admin/agents/properties/panzura.md b/docs/activitymonitor/9.0/admin/agents/properties/panzura.md new file mode 100644 index 0000000000..f20d618439 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/panzura.md @@ -0,0 +1,30 @@ +--- +title: "Panzura Tab" +description: "Panzura Tab" +sidebar_position: 160 +--- + +# Panzura Tab + +The Panzura Tab provides features to configure settings for monitoring Panzura devices. + +![Agent Properties - Panzura Tab](/images/activitymonitor/9.0/admin/agents/properties/panzuratab.webp) + +The available options are: + +- Agent server port (TCP) - Enter the agent server port. The default is 4497. +- Users can protect the port with a username and password. The credentials will be configured in + Panzura + + - User name – Enter a custom user name or click **Generate** to create a random username and + password + - Password – Enter a custom password or use the generated password. Click **Copy** to copy the + user name and password to the clipboard. + +- IPv4 or IPv6 allowlist – IP Addresses of the remote hosts, which are allowed to connect to the API + port, can be whitelisted by entering them in the box. IP Addresses should be entered as separate + addresses with space, comma (,), semicolon (;), or a multi-line list. Leave the box blank to + accept connections from any hosts. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/properties/qumulo.md b/docs/activitymonitor/9.0/admin/agents/properties/qumulo.md new file mode 100644 index 0000000000..3ae93edd46 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/properties/qumulo.md 
@@ -0,0 +1,23 @@ +--- +title: "Qumulo Tab" +description: "Qumulo Tab" +sidebar_position: 170 +--- + +# Qumulo Tab + +The Qumulo tab provides features to configure settings for monitoring Qumulo devices. + +![Agent Properties - Qumulo](/images/activitymonitor/9.0/admin/agents/properties/qumulo.webp) + +The available options are: + +- Syslog port (TCP) – Enter the TCP port that Qumulo will use to connect to the agent. The agent + will add the port to the firewall exclusions automatically. The default is 4496. The range of + valid values is from 1000 to 65535. +- IPv4 or IPv6 allowlist – Specify the IP addresses of the Qumulo nodes, which are allowed to + connect to the agent server port. Multiple addresses can be entered separated by space, comma (,), + semicolon (;), or as a multi-line list. Leave the box blank to accept connections from any hosts. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The Agent +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/agents/single.md b/docs/activitymonitor/9.0/admin/agents/single.md new file mode 100644 index 0000000000..bc44fc463d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/agents/single.md 
@@ -0,0 +1,72 @@ +--- +title: "Single Activity Agent Deployment" +description: "Single Activity Agent Deployment" +sidebar_position: 10 +--- + +# Single Activity Agent Deployment + +Before deploying the activity agent, ensure all +[Activity Agent Server Requirements](/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md) have been met, +including those for NAS devices when applicable. Follow the steps to deploy the activity agent to a +single Windows server. + +:::note +These steps are specific to deploying activity agents for monitoring supported target +environments. +::: + + +**Step 1 –** On the Agents tab, click Add agent to open the Add New Agent(s) window. + +![Install New Agent window](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 2 –** On the Install new agent page, enter the Server name (name or IP Address) to deploy to +a single server. Leave the field blank to deploy the agent on the local server. Click Next. + +![Specify Agent Port page](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 3 –** On the Specify Port page, specify the port that should be used by the new agent. The +default port is 4498. Click **Next**. + +![Credentials to Connect to the Server(s) page](/images/activitymonitor/9.0/install/agent/credentials.webp) + +**Step 4 –** On the Credentials To Connect To The Server(s) page, select either Windows or Linux file +monitoring. Then, enter the **User name** and **Password** to connect to the API Server. + +![Test Account Connection](/images/activitymonitor/9.0/admin/agents/add/testaccountconnection.webp) + +**Step 5 –** Click **Connect** to test the connection. If the connection is successful, click +**Next**. If the connection is unsuccessful, see the status message that appears for information on +the failed connection and correct the error to proceed. 
+ +![agentinstalllocation](/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp) + +**Step 6 –** On the Agent Install location page, specify the **Agent installation path**. The +default path is `C:\Program Files\Netwrix\Activity Monitor\Agent`. Click **Next**. + +![Enable Windows File Activity Monitoring page](/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp) + +**Step 7 –** On the Windows Agent Settings window, configure the following options: + +- Windows Activity Monitoring — Check the Add Windows file activity monitoring after installation + checkbox to enable monitoring all file system activity on the targeted Windows server after + installation. Alternatively, the Windows monitoring can be enabled later on the Monitored Hosts & Services + tab. +- Management Group — By default, the agent only accepts commands from members from the + BUILTIN\Administrators group. Less privileged accounts can be used to manage the agent with the + Management group setting. Keep in mind that an administrator account must be used to install, + upgrade or uninstall an agent. The value must be a domain or local security group entered in the + DOMAIN\groupname format. + +**Step 8 –** Click Finish. The Add New Agent(s) window closes, and the activity agent is deployed to +and installed on the target host. + +During the installation process of the agent, the status will display Installing. If there are any +errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box. + +![consolewithagent](/images/activitymonitor/9.0/install/agent/consolewithagent.webp) + +When the activity agent installation is complete, the status changes to **Installed** and the +activity agent version populates. The next step is to add hosts to be monitored. See the +[Monitored Hosts & Services Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/overview.md) topic for additional information. 
diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/_category_.json b/docs/activitymonitor/9.0/admin/monitoreddomains/_category_.json new file mode 100644 index 0000000000..d6345b7c09 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Monitored Domains Tab", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json new file mode 100644 index 0000000000..0f6c7ce58f --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "AD Monitoring Configuration Window", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md new file mode 100644 index 0000000000..9e6592f894 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md 
@@ -0,0 +1,190 @@ +--- +title: "Authentication Tab" +description: "Authentication Tab" +sidebar_position: 30 +--- + +# Authentication Tab + +The Authentication tab on a domain’s Configuration window allows users to configure communication +with servers. + +![AD Monitoring Configuration - Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) + +After checking the Enable Authentication box, the following event filters can be modified on the +sub-tabs: + +- Forged PAC Analytic +- Host (From) +- Host (To) +- IP Addresses (From) +- IP Addresses (To) +- Operations +- Servers +- Users + +## Forged PAC Analytic + +The Forged Privilege Account Certificate (PAC) analytic type identifies Kerberos tickets with a +modified PAC. By manipulating the PAC, a field in the Kerberos ticket that contains a user’s +authorization data (in Active Directory this is group membership), an attacker is able to grant +themselves additional elevated privileges. + +![AD Monitoring Configuration - Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp) + +Double-click text box to enter specific **RIDs**. Click OK. The AD agent then compares against the +PAC and user’s access token for a mismatch to trigger the incident. + +:::note +The Forged PAC analytic is monitoring for when the user is not a member of a group that is +listed in the PAC section of the user’s Kerberos ticket. This analytic can be scoped to monitor +specific groups. To reduce the number of false positives, the AD agent only checks for a mismatch of +sensitive groups as selected in the policy Settings tab. +::: + + +## Host (From) + +The Hosts (from) option is where the policy can be scoped to only monitor specific hosts as +originators of an authentication event or to exclude specific hosts from being monitored for +authentication events. 
+ +![Host (From) Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) + +Underneath each section, there are additional Host details: + +- IP – Field must contain IP address, e.g. 123.456.7.890 +- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com +- Netbios – Field must contain NetBIOS name of the host, e.g. dc01 + +Double-click the text boxes within the column, then enter all three methods of identification for a +host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host +from authentication event collection. + +## Host (To) + +The Hosts (to) option is where the policy can be scoped to only monitor specific hosts as target +hosts of an authentication event or to exclude specific hosts from being monitored as targets of +authentication events. + +![Host (To) Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostto.webp) + +Underneath each section, there are additional Host details: + +- IP – Field must contain IP address, e.g. 123.456.7.890 +- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com +- Netbios – Field must contain NetBIOS name of the host, e.g. dc01 + +Double-click the text boxes within the column, then enter all three methods of identification for a +host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the target host from +authentication event collection. + +## IP Addresses (From) + +The IP Addresses (from) option is where the policy can be scoped to only monitor specific IP +Addresses as originators of an authentication event or to exclude specific IP Addresses from being +monitored for authentication events. 
+ +![IP Addresses (From) Tab in the Authenticatoin Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp) + +Underneath each section, there is an additional Address detail: + +- Value – Must be provided in IP address format + +Double-click the text box beneath **Value** to enter the desired IP Addresses to include or exclude. +Press the Enter or Tab key to add another text box. + +## IP Addresses (To) + +The IP Addresses (to) option is where the policy can be scoped to only monitor specific IP Addresses +as target hosts of an authentication event or to exclude specific IP Addresses from being monitored +as targets of authentication events. + +![IP Addresses (To) Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp) + +Underneath each section, there is an additional Address detail: + +Value – Must be provided in IP address format + +Double-click the text box beneath **Value** to enter the desired IP Addresses to include or exclude. +Press the Enter or Tab key to add another text box. + +## Operations + +The Operations option filters for successful events, failed events, or both. + +![Operations Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp) + +The **Monitor These Attempts** section is where monitoring is set to filter for successful events, +failed events, or both: + +- Success – Monitors successful events +- Failure – Monitors failed events + +The **Monitor These Protocols** section is where authentication protocols to be monitored are +selected for the policy. Check the box to select the authentication protocol(s) to be monitored: + +- All +- Kerberos +- NTLM + +:::warning +If Login Type is enabled, authentication events will be received from Domain +Controllers only. +::: + + +The Login Type options apply only to Domain Controllers. 
These options provide the choice to monitor +Local Interactive and/or Remote Interactive logins to the Domain Controllers: + +- All - Report all authentication activity approved by the Domain Controller which includes any + local or RDP direct connections to the DC. + + - Local - Report only local login to the Domain Controller - ignore all else + - Remote - Report only remote/RDP access to the Domain Controller - ignore all else + +- Exclude failed authentications with previously valid (N-2) password – If enabled, allows to ignore + failed authentications that failed due to use of a previously valid, but now expired, password +- Exclude failed authentications with expired password – If enabled, allows to ignore failed + authentications that failed due to use of still valid, but now expired, password + +## Servers + +The Servers option targets servers to be included or excluded when filtering for authentication. + +![Servers Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) + +In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS +Domain name and SERVER is NetBIOS server name. + +Double-click the text box beneath Name to enter the desired servers to include or exclude. Press the +Enter or Tab key to add another text box. + +## Users + +The Users filter is where the policy can be scoped to only monitor specific security principals +committing changes within Active Directory or to exclude specific users committing changes from +being monitored. + +![Users Tab in the Authentication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) + +The following details appear beneath both sections: + +- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked, + the filter is only applied to the listed context. 
+- Type – Field must describe the type of the select Active Directory object and can have the + following values: + + - user – Indicates that selected object is user + - group – Indicates that selected object is group + - context – Indicates that selected object is container + - sidType – Indicates that selected object is well-known SID type + +- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax, + e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form + of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'. + +Double-click the text box beneath Distinguished Name to enter the desired group types to include or +exclude. Double-click the text box beneath **Type** to enter the desired AD object to include or +exclude. Press the Enter or Tab key to add another text box. Check the box under **Subtree** to +include or exclude child contexts. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/changes.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/changes.md new file mode 100644 index 0000000000..cbda892375 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/changes.md 
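Review bot: the two `Exclude failed authentications…` bullets at the end of the Operations section contradict themselves and each other. "Exclude failed authentications with expired password" is described as ignoring failures "due to use of still valid, but now expired, password", which cannot be both, and the (N-2) bullet says nearly the same thing ("previously valid, but now expired"). Spell out the distinction the (N-2) label implies: one bullet ignores failures where a previous password (N-1/N-2) was supplied, the other ignores failures where the current but expired password was supplied. Those two bullets are also not Login Types, so they should not hang under "The Login Type options apply only to Domain Controllers"; give them their own lead sentence. Smaller items in this hunk: `![IP Addresses (From) Tab in the Authenticatoin Tab]` misspells Authentication; in IP Addresses (To) the line `Value – Must be provided in IP address format` lacks the `- ` list marker that IP Addresses (From) uses; the Users section is copied from the Changes tab ("security principals committing changes within Active Directory") and should describe the account performing the authentication; and "enter the desired group types" under Distinguished Name should be "distinguished names", since user/group/context/sidType goes in the Type column.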
@@ -0,0 +1,200 @@ +--- +title: "Changes Tab" +description: "Changes Tab" +sidebar_position: 20 +--- + +# Changes Tab + +The Changes tab for AD Monitoring Configuration window provides additional options to monitor +changes made to the domain. + +![Operations Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp) + +After checking the Enable AD Changes box, the following event filters can be modified on the +sub-tabs: + +- Attributes +- Classes +- Context +- Host (From) +- IP Addresses (From) +- Objects +- Operations +- Servers +- Users + +## Attributes + +The Attributes Tab is where monitoring can be scoped to include events with specific attributes +within Active Directory. Further scoping of attributes can enable monitoring to only capture events +based on the new value. + +![Attributes Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp) + +Double-click the text box beneath Name to enter the desired attribute to include or exclude. +Double-click the text box beneath Value to enter the desired attribute value to reference. Choose +the Operation to relate the Name and Value with. Press the **Enter** or **Tab** key to add another +textbox. + +:::note +Name field must contain Active Directory attribute name. +::: + + +Scoping the filter captures events when the new value matches with the supplied value. To scope the +filter based on the new value of the attribute, use the Operation drop-down menu. 
+ +- AnyValue – No scoping applied for this attribute +- EmptyValue – Blank attribute values +- Equal – Attribute values that are identical to the Value field +- NotEqual – Attribute values that do not match the Value field +- LessThan – Attribute values below the supplied numeric value or before alphabetically +- GreaterThan – Attribute values above the supplied numeric value or after alphabetically +- Contains – Attribute values includes the user supplied string (numbers are treated as strings) +- NotContain – Attribute values do not include the user supplied string (numbers are treated as + strings) +- Startswith – Attribute values start with the user supplied string + +## Classes + +The Classes Tab is where the policy can be scoped to only monitor specific classes within Active +Directory or to exclude specific classes from being monitored. + +![Classes Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/classestab.webp) + +Double-click the text box beneath Name to enter the desired classes to include or exclude. Press the +**Enter** or **Tab** key to add another text box. + +:::note +Class must be specified in the form of `objectClass` attribute syntax but must contain +only last value of this multi-valued attribute. For example, for +`top; person; organizationalPerson; user` it must have 'user' value. +::: + + +## Context + +The Context Tab is where the policy can be scoped to only monitor specific contexts (e.g. Containers +and Organizational Units) within Active Directory or to exclude specific contexts from being +monitored. + +![Context Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp) + +Underneath each section, there are additional Context details: + +- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked, + the filter is only applied to the listed context. 
+- Distinguished Name – Field must be specified in the form of `distinguishedName` attribute syntax, + e.g. `CN=Users,DC=Domain,DC=com` + +Double-click the text box beneath Distinguished Name to enter the desired context to include or +exclude. Press the **Enter** or **Tab** key to add another text box. Check the box under Subtree to +include or exclude child contexts. + +## Host (From) + +The Hosts (from) Tab is where the policy can be scoped to only monitor specific hosts as originators +of an authentication event or to exclude specific hosts from being monitored for authentication +events. + +![Host (From) Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) + +Underneath each section, there are additional Host details. + +- IP – Field must contain IP address, e.g. 123.456.7.890 +- DNS – Field must contain a fully qualified domain name of the host, e.g. ex01.nwxtech.com +- Netbios – Field must contain NetBIOS name of the host, e.g. ex01 + +Double-click the text boxes within the column, then enter all three methods of identification for a +host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host +from change event collection. + +## IP Addresses (From) + +The IP Addresses (from) Tab is where the policy can be scoped to only monitor specific IP Addresses +as originators of an authentication event or to exclude specific IP Addresses from being monitored +for authentication events. + +![IP Addresses (From) Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp) + +Underneath each section, there is an additional Address detail. + +- Value – Must be provided in IP address format + +Double-click the text box beneath **Value** to enter the desired IP addresses to include or exclude. +Press **Enter** or **Tab** key to add another text box. 
+ +## Objects + +The Objects Tab is where the policy can be scoped to only monitor specific objects within Active +Directory or to exclude specific objects from being monitored. + +![Objects Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp) + +Underneath each section, there is an additional Object detail. + +- Distinguished Name – Field must be specified in the form of `distinguishedName` attribute syntax, + e.g. `CN=Users,DC=Domain,DC=com` + +Double-click the text box beneath Distinguished Name to enter the desired objects to include or +exclude. Press the **Enter** or **Tab** key to add another text box. + +## Operations + +The Operations Tab provides additional configuration filters for AD event collection. + +![Operations Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp) + +Monitor These Attempts – Filter for successful events, failed events, or both can be selected. + +- Success – Monitors successful events +- Failure – Monitors failed events + +Operations – Filter for Active Directory events to be monitored. + +- Object Added – Monitors for objects being added to Active Directory +- Object Deleted – Monitors for objects being deleted from Active Directory +- Object Modified – Monitors for objects being modified within Active Directory +- Object Moved or Renamed – Monitors for objects being moved or renamed within Active Directory + +## Servers + +The Servers Tab targets servers to be included or excluded when filtering for changes. + +![Servers Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) + +In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS +Domain name and SERVER is NetBIOS server name. + +Double-click the text box beneath Name to enter the desired servers to include or exclude. 
Press the +Enter or Tab key to add another text box. + +## Users + +The Users Tab is where the policy can be scoped to only monitor specific security principals +committing changes within Active Directory or to exclude specific users committing changes from +being monitored. + +![Users Tab in the Changes Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) + +The following details appear beneath both sections. + +- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked, + the filter is only applied to the listed context. +- Type – Field must describe the type of the select Active Directory object and can have the + following values: + + - user –  Indicates that selected object is user + - group – Indicates that selected object is group + - context – Indicates that selected object is container + - sidType – Indicates that selected object is well-known SID type + +- Distinguished Name – Field must be specified in the form of `distinguishedName` attribute syntax, + e.g. `CN=Users,DC=Domain,DC=com`. However, for objects with `sidType` type, it must be in the form + of WellKnownSidType Enum, e.g. `AnonymousSid` or `LocalSid`. + +Double-click the text box beneath **Distinguished Name** to enter the desired group types to include +or exclude. Double-click the text box beneath Type to enter the desired AD object to include or +exclude. Press the **Enter** or **Tab** key to add another text box. Check the box under Subtree to +include or exclude child contexts. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md new file mode 100644 index 0000000000..05af6502bb --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md 
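Review bot: the Host (From) and IP Addresses (From) intros in this hunk say "originators of an authentication event", but this is the Changes tab and the closing sentence of Host (From) correctly says "change event collection"; make both intros refer to change events. The IP example `123.456.7.890` is not a valid IPv4 address (octets above 255); use a documentation address such as `192.0.2.10`. "enter all three methods of identification for a host (IP Address, NETBIOS host name, or DNS host name)" mixes "all three" with "or"; state whether all three fields are required or any one is enough, because that decides whether a host whose DNS name changed still matches the filter. In Users, "the desired group types" beneath Distinguished Name should be "distinguished names", and "type of the select Active Directory object" should be "selected". Minor: "The Changes tab for AD Monitoring Configuration window" reads better as "of the AD Monitoring Configuration window".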
@@ -0,0 +1,148 @@ +--- +title: "Global Filters Tab" +description: "Global Filters Tab" +sidebar_position: 10 +--- + +# Global Filters Tab + +The Global Filters options are for excluding specific Active Directory and Authentication events +from being monitored. + +![Global Filters Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp) + +The filter options are grouped by AD Global Pre-Filters, and Authentication Global Pre-Filters. +Check the boxes to activate the filters. To disable for diagnostic purposes, simply uncheck the +option(s) and click OK. All Authentication Global Pre-Filters options require configuration before +they can be enabled. + +Enable all of the AD Global Pre-Filters options as well as the Exclude Logins from Machine Accounts +option in the Authentication Global Pre-Filters section. + +When activated, the AD Agent(s) filters out the event data according to configuration defined in the +`filters.json` file located in the installation directory. + +The configurable options in the Global Filters tab are: + +- Exclude ‘Noise’ Events Option +- Exclude AD DNS Events Option +- Exclude Logins from Machine Accounts Option +- Exclude Authentication Events from Selected Hosts Option +- Exclude Authentication Events from Selected Accounts Option + +The ‘Help’ icon (**?**) opens a window that explains the type of “noise” events being filtered. + +## Exclude ‘Noise’ Events Option + +This option is enabled by default to filter out login and internal low level attributes which can be +considered ‘noise’ events. 
This option can be scoped to include any combination to the following +‘noise’ events: + +- Successful AD User Logins – Excludes events with the following attributes where ‘objectClass’ does + not equal computer: + + - logonCount + - lastLogon + - badPwdCount + - lastLogonTimestamp + +- AD User Logins with Bad Password – Excludes events with the following set of attributes where + ‘objectClass’ does not equal computer: + + - badPwdCount + - badPasswordTime + +- AD Computer Logins – Excludes events with the following set of attributes where ‘objectClass’ + equals computer: + + - logonCount + - lastLogon + - badPwdCount + - lastLogonTimestamp + - badPasswordTime + - badPwdCount + +- Low Level Attributes – Excludes the following attributes from event: + + - lmPwdHistory + - dBCSPwd + - ntPwdHistory + +## Exclude AD DNS Events Option + +This option is enabled by default to filter out DNS events. They must meet both of the following +conditions to be excluded: + +- objectClass = ‘dnsNode’ or ‘dnsZone’ +- Contains the ‘dnsRecord’ or ‘dNSTombstoned’ attribute + +## Exclude Logins from Machine Accounts Option + +This option is enabled by default to filter out machine logins. Click the configure link to open the +Edit Accounts window. + +![Edit Accounts window](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp) + +The Exclude Logins from Machine Accounts collection is only accessible for configuration through the +Global Filters tab. + +:::note +Only perpetrators with accounts ending in “$” are considered for this filter. Wild cards +(\*) can be used for partial matches to account names. +::: + + +All machine accounts in the textbox are either included or excluded from event data monitoring by +the AD Agent. Machine accounts not in the list have the unselected property applied. 
+ +Repeat the process until all machine accounts to be included or excluded from Authentication event +data have been entered in the list. Then click **OK**. + +**Usage Tip** + +Windows Server 2012 introduced gMSA (Group Managed Service Accounts). The account names for gMSA +accounts include +“$” in their names so by default authentication traffic generated by these accounts is filtered out because they ‘look’ like machine accounts, which prior to Server 2012 were the only account names ending in “$”. +The ability to add a list of filter strings to the “Exclude Logins from Machine Accounts” global +filter provides a means to capture activity by gMSA type accounts as this activity is typically of +interest where as true ‘machine accounts’ is not. By supplying either an explicit list of gMSA +account names, or if a naming convention has been adopted, a set of wild card strings such as +“gMSA\*” or “svc\*”, allows capturing authentication activity from such accounts while ignoring the +noisy ‘machine accounts’. + +## Exclude Authentication Events from Selected Hosts Option + +This option is disabled by default as it requires configuration before it can be enabled. Click the +selected hosts link to open the Edit Hosts window. + +![edithostsexcludeselectedhosts](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp) + +The Exclude Authentication Events from selected hosts collection is only accessible for +configuration through the Global Filters tab. All three methods of identification for a host (IP +Address, NETBIOS host name, or DNS host name) must be known in order to effectively exclude +authentication from the host. Identify the host to be excluded in the textbox of the IP Address +column and press the Enter or Tab to add another row on the grid. Activity Monitor attempts to +discover the NETBIOS host name and the DNS host name associated with the supplied IP Address. 
+ +Repeat the process until all hosts for which Authentication event data will not be collected have +been entered in the list. Then click **OK**. + +## Exclude Authentication Events from Selected Accounts Option + +This option is disabled by default as it requires configuration before it can be enabled. Click the +selected accounts link to open the Edit Accounts window. + +![editaccountsexcludeauthenticationselectedaccounts](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp) + +The Exclude Authentication Events from selected accounts collection is only accessible for +configuration through the Global Filtering tab. Account names [domain name\account] can also be +typed in the textbox. Wild cards (\*) can be used as part of either the domain name or account. An +asterisk (\*) appearing anywhere other than as the first character or the last character are treated +as a literal character instead of as a wild card. + +For example, \*\Service1 would exclude all Service1 accounts whether it is a domain or local +account, and Example\Service\* would exclude all accounts that start with “Service” for the Example +domain. + +Repeat the process until all accounts to be excluded from Authentication event data have been +entered in the list. Then click **OK**. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json new file mode 100644 index 0000000000..9da02d87e2 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "LDAP Monitor Tab", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "ldapmonitor" + } +} \ No newline at end of file 
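Review bot: the intro says "All Authentication Global Pre-Filters options require configuration before they can be enabled", yet the Exclude Logins from Machine Accounts section, which belongs to that group, says "This option is enabled by default". One of the two is wrong, and it matters operationally: per the Usage Tip, an enabled-by-default filter silently drops gMSA authentication on a fresh install until someone adds `gMSA*`-style entries. Please reconcile. In the Exclude 'Noise' Events list, AD Computer Logins lists `badPwdCount` twice. The machine accounts section says "Repeat the process until all machine accounts ... have been entered" but never describes the process (how a row is added in the Edit Accounts window, e.g. double-click the text box, type the name, press Enter or Tab), nor which control decides whether the listed accounts are "either included or excluded"; say what selects that. In Selected Hosts, "press the Enter or Tab to add another row" is missing "key". In Selected Accounts, "Global Filtering tab" should be "Global Filters tab", "Account names [domain name\account] can also be typed" has no preceding alternative for "also" to refer to, and "An asterisk (\*) appearing anywhere other than as the first character or the last character are treated as" should be "is treated as".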
diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md new file mode 100644 index 0000000000..18b3805a24 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md 
@@ -0,0 +1,124 @@ +--- +title: "LDAP Monitor Tab" +description: "LDAP Monitor Tab" +sidebar_position: 60 +--- + +# LDAP Monitor Tab + +The LDAP Monitor tab on a domain’s Configuration window allows users to scope monitoring by adding +filters for accounts by name or type. + +![Operations Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp) + +After checking the Enable Ldap Monitor box, the following event filters can be modified on the +sub-tabs: + +- Host (From) +- LDAP +- Operations +- Servers +- Users + +Each filter tab acts like an “AND” statement for the filter. Any filter tab left blank is treated +like an all for that filter set. + +## Host (From) + +The Hosts (from) option is where the policy can be scoped to only monitor specific hosts as +originators of an authentication event or to exclude specific hosts from being monitored for +authentication events. + +![Host (From) Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) + +Underneath each section, there are additional Host details: + +- IP – Field must contain IP address, e.g. 123.456.7.890 +- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com +- Netbios – Field must contain NetBIOS name of the host, e.g. dc01 + +Double-click the text boxes within the column, then enter all three methods of identification for a +host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host +from authentication event collection. + +## LDAP + +The LDAP option is where query and result objects can be monitored by group type. 
+ +![LDAP Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldap.webp) + +The Query section is where monitoring can be scoped to those LDAP queries that contain at least one +of the user-supplied string as a substring in BaseDN or in Query field of the LDAP Search request. +For the Query value, provide the user-supplied string in the text box. + +Double-click the text box beneath Value to enter the desired string. Press the Enter or Tab key to +add another text box. + +Example Values: + +- ‘DC=domain’ +- ‘objectClass=’ + +The Result section is where monitoring can be scoped to those LDAP query results that contain at +least one of the user-supplied string as a substring. For the Result value, provide the +user-supplied string in the text box. + +Double-click the text box beneath Value to enter the desired string. Press the Enter or Tab key to +add another text box. + +Example Value: + +- ‘CN=Domain Admins’ + +## Operations + +The Operations option filters for successful events, failed events, or both. + +![Operations Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp) + +The Monitor These Attempts section is where monitoring is set to filter for successful events, +failed events, or both: + +- Success – Monitors successful events +- Failure – Monitors failed events + +## Servers + +The Servers option targets servers to be included or excluded when filtering for a LDAP changes. + +![Servers Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp) + +In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS +Domain name and SERVER is NetBIOS server name. + +Double-click the text box beneath Name to enter the desired servers to include or exclude. Press the +Enter or Tab key to add another text box. 
+ +## Users + +The Users option is where the policy can be scoped to only monitor specific security principals +committing changes within Active Directory or to exclude specific users committing changes from +being monitored. + +![Users Tab in the LDAP Monitor Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/users.webp) + +The following details appear beneath both sections: + +- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked, + the filter is only applied to the listed context. +- Type – Field must describe the type of the select Active Directory object and can have the + following values: + + - user – Indicates that selected object is user + - group – Indicates that selected object is group + - context – Indicates that selected object is container + - sidType – Indicates that selected object is well-known SID type + +- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax, + e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form + of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'. + +Double-click the text box beneath Distinguished Name to enter the desired group types to include or +exclude. Double-click the text box beneath Type to enter the desired AD object to include or +exclude. Press the Enter or Tab key to add another text box. Check the box under Subtree to include +or exclude child contexts. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md new file mode 100644 index 0000000000..b1a7554c93 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapthreatmanager.md 
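Review bot: this hunk reuses the Host (From), Servers and Users text from the Changes tab, so it describes LDAP Monitor in terms of "authentication event[s]" and "security principals committing changes within Active Directory". LDAP Monitor captures search requests and their results, not changes or authentications, and the Servers sentence "when filtering for a LDAP changes" is both ungrammatical and wrong. Reword these to refer to LDAP queries: the host the query came from, the DC that served it, and the account that issued it. The intro "allows users to scope monitoring by adding filters for accounts by name or type" undersells the tab, which also filters by originating host, query/result substring, success/failure and server. "at least one of the user-supplied string as a substring" should be "strings" in both the Query and Result paragraphs. The IP example `123.456.7.890` is not a valid IPv4 address; use `192.0.2.10` or similar. Minor: "treated like an all for that filter set" leaves "all" unquoted while the LSASS Guardian page writes "ALL"; pick one.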
@@ -0,0 +1,33 @@ +--- +title: "Configure LDAP Monitoring for Netwrix Threat Manager" +description: "Configure LDAP Monitoring for Netwrix Threat Manager" +sidebar_position: 10 +--- + +# Configure LDAP Monitoring for Netwrix Threat Manager + +Follow the steps to configure LDAP monitoring within Netwrix Activity Monitor for Netwrix Threat +Manager. + +:::note +LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab. +::: + + +![Activity Monitor with SD Only](/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainsdonly.webp) + +**Step 1 –** In the Activity Monitor, click on the **Monitored Domains** tab. + +**Step 2 –** Select a domain and click **Edit**. + +![LDAP Monitoring Configuration for Threat Manager](/images/activitymonitor/9.0/admin/monitoreddomains/sdldapmonitoring.webp) + +**Step 3 –** Select the **LDAP Monitor** tab. + +**Step 4 –** Select the **LDAP** tab. + +**Step 5 –** In the “Query” section, double-click the blank line below the last filled in line. + +**Step 6 –** Paste the string copied from Threat Manager and press **Enter**. + +LDAP monitoring has been configured for Threat Manager. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md new file mode 100644 index 0000000000..f40854571c --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md 
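Review bot: the procedure never tells the reader to turn LDAP monitoring on. The note says "LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab", but according to the LDAP Monitor Tab page the switch is the Enable Ldap Monitor box on the LDAP Monitor tab of the domain's configuration window, and Steps 3 to 6 go straight from selecting that tab to pasting the query string. Add a step to check Enable Ldap Monitor and reword the note to "is not enabled by default; it must be enabled on the LDAP Monitor tab". "Paste the string copied from Threat Manager" assumes a prerequisite the page does not give; add a step or link saying where in Threat Manager that string is copied from. Step 6 ends with pressing Enter, which on the other pages only adds another empty row; say whether the reader then clicks OK to save the configuration window. Minor: the image path `actiivtymonitordomainsdonly.webp` has a typo in the file name; harmless if the file really is named that, but worth renaming before other pages reference it.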
@@ -0,0 +1,101 @@ +--- +title: "LSASS Guardian Tab" +description: "LSASS Guardian Tab" +sidebar_position: 50 +--- + +# LSASS Guardian Tab + +The LSASS Guardian tab allows users to modify settings that were populated with the information +entered when the host was added to prevent, monitor, or block LSASS code injections. + +![Operations Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp) + +After checking the Enable LSASS Guardian box, the following event filters can be modified on the +sub-tabs: + +- Operations +- Processes +- Servers +- Users + +Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated +like an "ALL" for that filter set. + +:::info +Add exclusion process filters for legitimate processes that make changes to +LSASS, e.g. third-party malware applications. +::: + + +## Operations + +The Operations option filters for successful events, failed events, or both. + +![Operations Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp) + +The Open Process Flags section is where monitoring can be scoped for requested handles that would +maliciously impact LSASS processes. + +Check the box to select the process flag(s) to be monitored: + +- PROCESS_VM_WRITE – Writes to memory in a process +- PROCESS_CREATE_THREAD – Creates a thread + +## Processes + +The Processes option is where legitimate processes, which make changes to LSASS, e.g. third-party +malware applications, can be included/excluded from being monitored by the policy. + +![Processes Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/processes.webp) + +Double-click the text box beneath Name to enter the desired processes to include or exclude. Press +the Enter or Tab key to add another text box. 
+ +:::note +While a processes inclusion is a filter option, it is not recommended for monitoring +LSASS. Adding a process inclusion filter will limit the scope to only monitor that process. Unknown +malicious processes would not be monitored in this case. +::: + + +## Servers + +The Servers option targets servers to be included or excluded when filtering for LSASS changes. + +![Servers Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp) + +In both sections, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS +Domain name and SERVER is NetBIOS server name. + +Double-click the textbox beneath Name to enter the desired servers to include or exclude. Press the +Enter or Tab key to add another textbox. + +## Users + +The Users option is where the policy can be scoped to only monitor specific security principals +committing changes within Active Directory or to exclude specific users committing changes from +being monitored. + +![Users Tab in the LSASS Guardian Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) + +The following details appear beneath both sections: + +- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked, + the filter is only applied to the listed context. +- Type – Field must describe the type of the select Active Directory object and can have the + following values: + + - user – Indicates that selected object is user + - group – Indicates that selected object is group + - context – Indicates that selected object is container + - sidType – Indicates that selected object is well-known SID type + +- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax, + e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form + of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'. 
+ +Double-click the text box beneath Distinguished Name to enter the desired group types to include or +exclude. Double-click the text box beneath Type to enter the desired AD object to include or +exclude. Press the Enter or Tab key to add another text box. Check the box under Subtree to include +or exclude child contexts. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/overview.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/overview.md new file mode 100644 index 0000000000..79d570a76e --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/overview.md 
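Review bot: the info box and the Processes section both tell the reader to exclude "legitimate processes that make changes to LSASS, e.g. third-party malware applications". Malware is exactly what this feature exists to catch; the intended wording is surely anti-malware (AV/EDR) applications, which legitimately open LSASS with PROCESS_VM_WRITE or PROCESS_CREATE_THREAD. Fix both occurrences, since an administrator following the text literally would exclude the wrong thing. The Operations section opens with "filters for successful events, failed events, or both" but then only documents the Open Process Flags checkboxes; either describe the Monitor These Attempts controls here or drop that sentence. The Users section is copied from the Changes tab ("security principals committing changes within Active Directory"); for LSASS Guardian it should refer to the account the process that opened LSASS was running as. Minor: "While a processes inclusion is a filter option" should be "a process inclusion", and "type of the select Active Directory object" should be "selected".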
@@ -0,0 +1,23 @@ +--- +title: "AD Monitoring Configuration Window" +description: "AD Monitoring Configuration Window" +sidebar_position: 10 +--- + +# AD Monitoring Configuration Window + +On the Monitored Domains tab, select the domain and click **Edit** to open the AD Monitoring +Configuration window. + +![AD Monitoring Configuration - Global Filters Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp) + +This initially configured when the AD Agent is deployed to a domain controller. However, the +monitoring configuration can be edited after that. Use the following tabs to modify monitoring of AD +events: + +- [Global Filters Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilters.md) +- [Changes Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/changes.md) +- [Authentication Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/authentication.md) +- [Replication Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/replication.md) +- [LSASS Guardian Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/lsassguardian.md) +- [LDAP Monitor Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldapmonitor/ldapmonitor.md) diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/replication.md b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/replication.md new file mode 100644 index 0000000000..42990b4526 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/replication.md 
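Review bot: "This initially configured when the AD Agent is deployed to a domain controller" is missing "is" ("This is initially configured ..."). Since the preceding sentence opens the window per domain from the Monitored Domains tab while this one talks about deployment to a domain controller, also state whether edits here apply to every agent in the domain or only to the selected controller. The tab list itself matches the sidebar_position values used in the other files (10 through 60).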
@@ -0,0 +1,89 @@ +--- +title: "Replication Tab" +description: "Replication Tab" +sidebar_position: 40 +--- + +# Replication Tab + +The Replication tab on a domain’s Configuration window monitors domain controller syncing and +replication. + +![Servers Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) + +After checking the Enable Replication box, the following event filters can be modified on the +sub-tabs: + +- Host (From) +- Servers +- Users + +Each filter tab acts like an “AND” statement for the filter. Any filter tab left blank is treated +like an ALL for that filter set. + +Windows cannot detect if a sync request is coming from a legitimate domain controller. This option +is designed to monitor requests from computers that are not ‘excluded’ by the policy. Therefore, +legitimate domain controllers should be identified in the event filters. + +## Host (From) Filter + +The Hosts (From) option is where the policy can be scoped to only monitor specific hosts as +originators of an authentication event or to exclude specific hosts from being monitored for +authentication events. + +![Host (From) Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp) + +Underneath each section, there are additional Host details: + +- IP – Field must contain IP address, e.g. 123.456.7.890 +- DNS – Field must contain a fully qualified domain name of the host, e.g. dc01.nwxtech.com +- Netbios – Field must contain NetBIOS name of the host, e.g. dc01 + +Double-click the textboxes within the column, then enter all three methods of identification for a +host (IP Address, NETBIOS host name, or DNS host name) to include or exclude the originating host +from replication event collection. + +The Threat Manager DC Sync threat is sourced by the Activity Monitor's Replication AD monitoring +configuration. 
It is necessary for it to be configured to exclude domain controllers on the Host +(From) filter. + +## Servers Filter + +The Servers option targets servers to be included or excluded when filtering for replication. + +![Servers Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp) + +In both cases, servers must be specified in the form 'DOMAIN\SERVER', where DOMAIN is NetBIOS Domain +name and SERVER is NetBIOS server name. + +Double-click the text box beneath Name to enter the desired servers to include or exclude. Press the +Enter or Tab key to add another text box. + +## Users Filter + +The Users option is where the policy can be scoped to only monitor specific security principals +committing changes within Active Directory or to exclude specific users committing changes from +being monitored + +![Users Tab in the Replication Tab](/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp) + +The following details appear beneath both sections: + +- Subtree – If checked, the filter is applied to the parent and all child contexts. If unchecked, + the filter is only applied to the listed context. +- Type – Field must describe the type of the select Active Directory object and can have the + following values: + + - user – Indicates that selected object is user + - group – Indicates that selected object is group + - context – Indicates that selected object is container + - sidType – Indicates that selected object is well-known SID type + +- Distinguished Name – Field must be specified in the form of 'distinguishedName' attribute syntax, + e.g. 'CN=Users,DC=Domain,DC=com'. However, for objects with 'sidType' type, it must be in the form + of WellKnownSidType Enum, e.g. 'AnonymousSid' or 'LocalSid'. + +Double-click the text box beneath Distinguished Name to enter the desired group types to include or +exclude. 
Double-click the text box beneath Type to enter the desired AD object to include or +exclude. Press the Enter or Tab key to add another textbox. Check the box under Subtree to include +or exclude child contexts. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/output/_category_.json b/docs/activitymonitor/9.0/admin/monitoreddomains/output/_category_.json new file mode 100644 index 0000000000..fca4ddfb78 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/output/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Output for Monitored Domains", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "output" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/output/activedirectoryjson.md b/docs/activitymonitor/9.0/admin/monitoreddomains/output/activedirectoryjson.md new file mode 100644 index 0000000000..c5a046c00b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/output/activedirectoryjson.md 
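Review bot: the Host (From) Filter section of replication.md appears to have been copied from the authentication configuration and still says the policy scopes hosts "as originators of an authentication event"; on this tab the filter scopes originators of replication (sync) requests, which is what the DCSync paragraph two lines earlier is about, so please reword. In the same section the IP example "123.456.7.890" is not a valid IPv4 address (octets above 255); use something like 10.0.0.21. The instruction "enter all three methods of identification for a host (IP Address, NETBIOS host name, or DNS host name)" contradicts itself ("all three" versus "or"); state whether one identifier is enough to match a host or whether all three must be supplied. Finally, the last paragraph says excluding domain controllers on Host (From) is "necessary" for the Threat Manager DC Sync threat but not why: since the page says the option monitors requests from computers not excluded by the policy, a DC left out of the exclusion list has its ordinary replication traffic reported as replication events and fed to that threat; one sentence saying so, plus a reminder to update the exclusion list when DCs are added or decommissioned, would make the requirement self-explaining.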
@@ -0,0 +1,61 @@ +--- +title: "Active Directory JSON Log File" +description: "Active Directory JSON Log File" +sidebar_position: 10 +--- + +# Active Directory JSON Log File + +The following information lists all of the attributes generated by Active Directory Activity Monitor +into a JSON log file: + +| Attributes | Description | +| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AffectedObject | If resolved, contains DN of the object affected by operation; otherwise, some textual representation of the object | +| AffectedObjectAccountName | If resolved, contains account name of the object affected by operation | +| AffectedObjectSid | If resolved, contains Sid of the object affected by operation | +| AgentDomain | Domain where SI agent is installed | +| AgentHost | Host name where SI agent is installed | +| AgentIP | IP address where SI agent is installed. If multiple IP addresses, one of them is reported. | +| AuthenticationType | Indicates type of the authentication event. Possible values: Kerberos, NTLM. | +| AuthProtocol | Indicates authentication protocol. Possible values: Unknown, Kerberos, KerberosTgs, KerberosAS, NTLM, NTLMv1, NTLMMixed, NTLMv2. | +| Blocked | Indicates if operation was blocked by SI agent. Blocking policies are required. | +| ClassName | Affected object class | +| DesiredAccess | Security and access rights requested during OpenProcess invoke. List of possible values can be found at:  [https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights](https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights). 
| +| EncryptionType | Indicates encryption type used in request part of the Kerberos ticket. Possible values: des_cbc_crc, des_cbc_md4, des_cbc_md5, reserved_0x4, des3_cbc_md5, reserved_0x6, des3_cbc_sha1, dsaWithSHA1, md5WithRSAEncryption, rc2CBC, rsaEncryption, rsaES, des_ede3_cbc, des3_cbc_sha1_kd, aes128, aes256, rc4_hmac, rc4_hmac_exp, subkey_keymaterial. | +| EventResult | Result of the operation triggered current event | +| EventType | Identifies event | +| EventsCount | Number of similar events captured during consolidation period which is 1 minute by default | +| From | Contains raw representation of the machine from which event was triggered | +| FromHost | If resolved, contains host name of the machine from which event was triggered | +| FromIp | If resolved, contains the IP address of the machine from which event was triggered | +| FromMac | If resolved, contains mac address of the machine from which event was triggered | +| IsN2Password | Indicates if password that was used for authentication is a previous or one before previous | +| IsUserExist | Indicates if user exists | +| KerbAuthTime | Time at which KDC issued the initial ticket that corresponds to this ticket | +| KerbEndTime | Ticket expiration time | +| KerbRenewTill | Latest time at which renewal of ticket can be valid | +| KerbSPN | Service principal name for which ticket was requested | +| KerbStartTime | Ticket start time | +| LogonType | Contains SECURITY_LOGON_TYPE. More details at [https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type](https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type). | +| NewAttributes | Map of new attributes where key is name and value attribute value | +| NewName | New name of the AD object | +| NlpLogonType | NTLM logon type. 
Possible values: Unknown, Interactive, Network, Service, Generic, TransitiveInteractive, TransitiveNetwork, TransitiveService | +| OldAttributes | Map of old attributes where key is attribute name and value attribute value | +| PAC | List of RIDs extracted from ticket authorization data | +| ProcessID | Contains process ID that attempted to open LSASS process | +| ProcessName | Contains process name that attempted to open LSASS process | +| Protocol | Operation specific details | +| QueryFilter | LDAP filter used in the operation | +| QueryIsSSL | Indicates if LDAP connection is secure or not | +| QueryObjectsReturned | Number of returned objects produced by the LDAP request | +| Source | Indicates source of the operation. Currently can be: ‘Authentication’, ‘Active Directory’, ‘LSASS Guardian – Monitor’, ‘LDAP Monitor’, ‘AD Replication Monitoring’. | +| Success | Indicates if original operation completed successfully or not | +| TargetHost | Contains host name to which authentication attempt took place. In case of failed Kerberos AS, this field contains name of the domain controller. | +| TargetHostIP | If resolved, contains IP address of the target host | +| TargetProcess | Contains process name that is monitored. Currently this is only lsass.exe. | +| TgsReplyEncryptionType | Indicates encryption type used in reply part of the TGS Kerberos ticket. Possible values the same as for EncryptionType. | +| TimeLogged | UTC timestamp of the event | +| UserDN | If resolved, contains DN of the object triggered operation | +| UserName | If resolved, contains account name of the object triggered operation | +| UserSid | If resolved, contains SID of the object triggered operation | diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/output/output.md b/docs/activitymonitor/9.0/admin/monitoreddomains/output/output.md new file mode 100644 index 0000000000..2e2c9e0e8b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/output/output.md 
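Review bot: the AgentDomain, AgentHost, AgentIP and Blocked rows in activedirectoryjson.md refer to the "SI agent", while the rest of this doc set calls it the AD Agent; rename for consistency or define the abbreviation once above the table. The Blocked row ("Blocking policies are required") should say which product supplies blocking policies, because nothing on the Activity Monitor pages in this change describes a blocking capability. The IsN2Password description ("is a previous or one before previous") is hard to parse; suggest "Indicates whether the password used for the attempt was the account's previous password or the one before it". Smaller points: the header "Attributes" should be singular to match "Description", and the DesiredAccess and LogonType links point at docs.microsoft.com, which now redirects, so the learn.microsoft.com URLs would be more durable.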
@@ -0,0 +1,89 @@ +--- +title: "Output for Monitored Domains" +description: "Output for Monitored Domains" +sidebar_position: 20 +--- + +# Output for Monitored Domains + +Once a domain is being monitored the event stream can be sent to multiple outputs. + +![Monitored Domains tab with Domain Outputs added](/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp) + +Configured outputs are grouped under the domain. You can have multiple outputs configured for a +domain. The domain event outputs are: + +- File – Creates an activity log as a JSON file for every day of activity + + :::note + This is required to search event data for Active Directory within the application. + ::: + + +- Syslog – Sends activity events to the configured SIEM server +- Netwrix Threat Manager – Sends activity events to Netwrix Threat Manager or + receives Active Directory monitoring events from Netwrix Threat Prevention for integration with + Netwrix Access Analyzer + +## Add File Output + +Follow the steps to add a File output. + +**Step 1 –** On the Monitored Domains tab, select the desired domain and click **Add Output**. + +**Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens. + +![Log Files configuration](/images/activitymonitor/9.0/admin/monitoreddomains/logfiles.webp) + +**Step 3 –** Configure the tab(s) as desired. + +**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. + +The new output displays in the table. Click the **Edit** button to open the Output properties window +to modify these settings. See the [Output Types](/docs/activitymonitor/9.0/admin/outputs/overview.md) topic for additional +information. + +## Add Syslog Output + +Follow the steps to add a Syslog output. + +**Step 1 –** On the Monitored Domains tab, select the desired domain and click **Add Output**. + +**Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens. 
+ +![Syslog Properties](/images/activitymonitor/9.0/admin/monitoreddomains/syslogudp.webp) + +**Step 3 –** Configure the tab(s) as desired. + +**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. + +The new output displays in the table. Click the **Edit** button to open the Output properties window +to modify these settings. See the [Output Types](/docs/activitymonitor/9.0/admin/outputs/overview.md) topic for additional +information. + +## Add Netwrix Threat Manager Output + +:::note +An App Token created by Netwrix Threat Manager is used to authenticate connection between +the applications. See the App Tokens Page topic of the +[Netwrix Threat Manager Documentation](https://docs.netwrix.com/docs/threatmanager/3_0) for +additional information. +::: + + +Follow the steps to add a Netwrix Threat Manager output. + +**Step 1 –** On the Monitored Domains tab, select the desired domain and click **Add Output**. + +**Step 2 –** Select **Netwrix Threat Manager** from the drop-down menu. The Add New +Output window opens. + +![Threat Manager Properties](/images/activitymonitor/9.0/admin/monitoreddomains/stealthdefendproperties.webp) + +**Step 3 –** Configure the tab(s) as desired. + +**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. + +The new output displays in the table. Click the **Edit** button to open the Output properties window +to modify these settings. See the [Output Types](/docs/activitymonitor/9.0/admin/outputs/overview.md) topic for additional +information. diff --git a/docs/activitymonitor/9.0/admin/monitoreddomains/overview.md b/docs/activitymonitor/9.0/admin/monitoreddomains/overview.md new file mode 100644 index 0000000000..b0a04c7dc1 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoreddomains/overview.md 
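Review bot: the Netwrix Threat Manager bullet in output.md ("Sends activity events to Netwrix Threat Manager or receives Active Directory monitoring events from Netwrix Threat Prevention for integration with Netwrix Access Analyzer") mixes three products in one sentence and leaves unclear whether this output sends or receives; describe the Threat Manager output on its own and move the Threat Prevention / Access Analyzer case to its own bullet or drop it. Step 3 of all three procedures ("Configure the tab(s) as desired") names no tab; for the Syslog output in particular the screenshot is the UDP variant, so link the Syslog Tab topic (/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md, as the host pages in this change do) and state there whether TCP and TLS are selectable, since the AD event stream carries account names, SIDs and DNs that should not cross the network in the clear. The App Token note should also say that the token is a credential to be protected like a service account password.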
@@ -0,0 +1,82 @@ +--- +title: "Monitored Domains Tab" +description: "Monitored Domains Tab" +sidebar_position: 20 +--- + +# Monitored Domains Tab + +**Understanding Active Directory Activity Monitoring** + +The Activity Monitor can be configured to monitor the following Active Directory changes: + +- Success and Failure on Object Create +- Success and Failure on Object Delete +- Success and Failure on Object Rename +- Success and Failure on Object Move +- Success and Failure on Logon +- LDAP Activity Monitoring + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Manager + +It also provides the ability to feed activity data to SIEM products. + +**Agents** + +For monitoring an Active Directory domain, the AD Agent must be installed on all domain controllers +within the domain to be monitored. + +**Tab** + +Once the AD Agent(s) installation is complete on a domain controller, the domain appear on the +Monitored Domains tab. The tab is not visible within the console until at least one AD Agent has +been deployed. + +This tab is comprised of a button bar and a table of domains being monitored. The events stream +output needs to be designated to view data after an activity search has been performed. + +## Button Bar + +The button bar allows users to take the following actions: + +![Monitored Domains Tab in the Activiy Monitor](/images/activitymonitor/9.0/admin/monitoreddomains/activtymonitorblank.webp) + +- Add Output – Select an output from the Add Output dropdown. The outputs are: File, Syslog, and + Threat Manager. See the [Output for Monitored Domains](/docs/activitymonitor/9.0/admin/monitoreddomains/output/output.md) +- Remove – Removes the configured domain from the table of domains being monitored and end + monitoring. Confirmation of this option will be asked for. +- Edit – Opens the selected AD Monitoring Configuration window to modify monitoring settings. 
See + the [AD Monitoring Configuration Window](/docs/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/overview.md) topic for + additional information. + +## Table + +The table of Domains being monitored provides the following information: + +![Monitored Domains Tab with Domain Outputs added](/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp) + +- Domain – Name or IP Address of the domain being monitored + + :::note + The same domain can be monitored for different outputs. Each output is listed under + the domain with destination information. + ::: + + +- Master – Name or IP Address of the domain controller where the AD agent is deployed +- Last Event – Date timestamp of the last event + +## Monitoring Status + +The Error Propagation collapsible section located above the Status Bar of the Activity Monitor +provides visibility into a domain's monitoring state. Domain monitoring status is depicted in the +Monitored Domains table under the Status column. Users can expand the Error Propagation section to +view more information on various status conditions. + +![Error Propagation](/images/activitymonitor/9.0/admin/monitoreddomains/errorpropagation.webp) + +Click the **Down Arrow** to expand the Error Propagation section. The information listed is +dependent on which domain is currently selected in the Monitored Domains table. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/_category_.json b/docs/activitymonitor/9.0/admin/monitoredhosts/_category_.json new file mode 100644 index 0000000000..b5822ef440 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Monitored Hosts Tab", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file 
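Review bot: the Monitoring Status section of monitoreddomains/overview.md says domain status is shown "under the Status column" of the Monitored Domains table, but the Table section above lists only Domain, Master and Last Event; add the Status column to that list or correct the reference. Also: "the domain appear on the Monitored Domains tab" should be "appears"; "Master – Name or IP Address of the domain controller where the AD agent is deployed" is ambiguous because the Agents paragraph says the agent is installed on every DC, so say what distinguishes the master DC; the alt text "Activiy Monitor" is misspelled; and the Add Output bullet ends mid-sentence with "See the [Output for Monitored Domains](...)" and needs "topic for additional information."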
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/_category_.json b/docs/activitymonitor/9.0/admin/monitoredhosts/add/_category_.json new file mode 100644 index 0000000000..dfb29708e2 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Add New Host Window", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/azurefiles.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/azurefiles.md new file mode 100644 index 0000000000..6dbc41a03b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/azurefiles.md 
@@ -0,0 +1,35 @@ +--- +title: "Azure Files" +description: "Add Azure Files Storage Accounts" +sidebar_position: 11 +--- + +# Add Azure Files Storage Accounts + +Prior to adding Azure Files storage accounts to the Activity Monitor, the prerequisites for the target environment +must be met. See the [Azure Files Requirements](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md) +topic for additional information. + +Follow the steps to add Azure Files storage accounts to be monitored. + +1. On the **Monitored Hosts & Services** page, select **Add Host/Service**. +2. Select the agent that will be monitoring Azure Files, and then select **Next**. +3. Select **Azure Files**, specify the tenant’s domain name, and then select **Next**. +4. On the **Connection** page, specify the Tenant ID (if it was not resolved automatically), Client ID, and Client Secret—values +copied in the previous steps during application registration. +5. Select **Connect**. +The button will verify the connection to Azure, enumerate all storage accounts, and retrieve their settings visible to the registered application. + +:::note +If the product fails to enumerate storage accounts, the RBAC roles were either assigned incorrectly or have not yet become effective. Retry later. +::: + +6. On the **Storage Accounts** page, select the storage accounts to be monitored, and then select **Next**. +7. Complete the wizard by selecting operations and output settings. + +:::tip +You can use this wizard multiple times to add newly created storage accounts—already added accounts will be ignored. +::: + +8. Check the status of the added storage accounts on the **Monitored Hosts & Services** page. +Address any audit setting misconfigurations or missing RBAC roles. 
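Review bot: step 4 of azurefiles.md has the user paste a Client Secret but says nothing about its lifetime; Entra application client secrets are created with an expiry, so add a line that monitoring stops when the secret expires and that a rotated secret must be re-entered on the Connection page (and, if the product persists it, where it is stored and how it is protected). The note under step 5 attributes enumeration failures only to RBAC; a wrong Tenant ID or an expired secret fails at the same point, so list those checks before "Retry later". The UI wording ("Monitored Hosts & Services page, select Add Host/Service") differs from the other add-host pages in this change, which say "Navigate to the Monitored Hosts & Services tab and click Add"; use one label. The numbered list is interrupted by the :::note after step 5 and the :::tip after step 7; indenting those admonitions under the preceding item keeps it rendering as one list.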
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellcelerravnx.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellcelerravnx.md new file mode 100644 index 0000000000..e6acb1da97 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellcelerravnx.md 
@@ -0,0 +1,229 @@ +--- +title: "Dell Celerra or VNX" +description: "Dell Celerra or VNX" +sidebar_position: 12 +--- + +# Dell Celerra or VNX + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Dell Celerra or VNX host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Dell VNX/Celerra Host + +Follow the steps to add a Dell Celerra or VNX host to be monitored. + +**Step 1 –** Navigate to the Monitored Hosts & Services tab and click Add. The Add New Host window opens. + +![Choose Agent Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click +**Next**. 
+ +![Add Dell VNX or Celerra Host](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcvnxcelerra.webp) + +**Step 3 –** On the Add Host page, select the Dell VNX/Celerra radio button and enter the **CIFS +Server NetBIOS Name** for the device. If desired, add a **Comment**. Click **Next**. + +:::note +All Dell event source types must have the CEE Monitor Service installed on the agent in +order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and +display a warning to install the service. If the CEE Monitor service is installed on a remote +machine, manual configuration is required. See the +[Dell CEE Options Tab](/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md) topic for additional information. +::: + + +![Protocol Monitoring Options](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp) + +**Step 4 –** On the Protocols page, select which protocols to monitor. The list of protocols that +can be monitored are All, CIFS, or NIFS. Click **Next**. + +![Configure Operations Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** to be monitored. Additional options include: + +:::warning +Suppress Microsoft Office operations on temporary files – Filters out events for +Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary +files are created. With this option enabled, events for these temporary files are ignored. This +feature may delay reporting of activity. +::: + + +Click **Next**. + +![Configure Basic Options Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The "Log files" +are the activity logs created by the activity agent on the proxy host. 
Select the desired options: + +- Report account names – Adds an **Account Name** column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds 'C:\" to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![Where to Log the Activity Page Generic](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. 
+ +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the text box. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization's environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. 
The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The + following Syslog templates have been provided: + - AlienVault / Generic Syslog + - CEF – Incorporates the CEF message format + - HP Arcsight + - LEEF – Incorporates the LEEF message format + - LogRhythm + - McAfee + - QRadar – Use this template for IBM QRadar integration + - Splunk – Use this template for Splunk integration + - Threat Manager – Use this template for Threat Manager integration. This is the only supported + template for Threat Manager. See the + [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) + for additional information. + - Custom templates can be created. Select the desired template or create a new template by + modifying an existing template within the Syslog Message Template window. The new message + template will be named Custom. +- Add C:\ to the beginning of the reported file paths – Adds 'C:\" to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. 
The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- The Test button – Sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![activitymonitoremcvnxcelerra](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp) + +The added Dell Celerra or VNX host is displayed in the Monitored Hosts & Services table. Once a host has been +added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for additional information. + +## Host Properties for Dell Celerra or VNX + +Configuration settings can be edited through the tabs in the host's Properties window. 
The +configurable host properties are: + +- [Dell Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) +- [Unix IDs Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerscale.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerscale.md new file mode 100644 index 0000000000..86ccfc2b37 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerscale.md 
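Review bot: Step 4 of dellcelerravnx.md lists the protocol choices as "All, CIFS, or NIFS"; the protocol is NFS (the UNC path examples under Step 6 already say "NFS activity"). The Resolve UNC paths bullet under Step 9 (Syslog Output) is a verbatim copy of the Step 6 bullet and still says it "Adds a UNC Path column ... in the generated TSV files", which does not apply to a syslog destination; either describe what it adds to the syslog message (the text itself says the columns "have also been added as Syslog macros") or drop the TSV wording there. The Threat Manager template bullet links to helpcenter.netwrix.com/category/stealthdefend while output.md in this same change links to docs.netwrix.com/docs/threatmanager/3_0; settle on one current URL. In the Syslog Protocol bullet, one sentence recommending TLS where the collector supports it would be worth adding, given that the stream carries account names and file paths and the Test button text already notes that UDP does not verify the connection. Minor: "Adds 'C:\" to file paths" has mismatched quotes, and the unchecked example "/Folder/file.text" should match the checked one ("file.txt").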
@@ -0,0 +1,273 @@ +--- +title: "Dell Isilon/PowerScale" +description: "Dell Isilon/PowerScale" +sidebar_position: 20 +--- + +# Dell Isilon/PowerScale + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Dell Isilon/PowerScale host to the Activity Monitor, the prerequisites for the +target environment must be met. See the +[Dell Isilon/PowerScale Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Dell Isilon/PowerScale Host + +Follow the steps to add a Dell Isilon/PowerScale host to be monitored. + +**Step 1 –** Navigate to the Monitored Hosts & Services tab and click Add. The Add New Host window opens. + +![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click +**Next**. 
+ +![Add Host page with Dell Isilon selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcisilon.webp) + +**Step 3 –** On the Add Host page, select the Dell Isilon radio button and enter both the **Server +name or address** and the **CIFS/NFS server name** for the device. The CIFS/NFS server name can be +left blank to collect activity from the Isilon cluster. If desired, add a **Comment**. Click +**Next**. + +:::note +All Dell event source types must have the CEE Monitor Service installed on the agent in +order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and +display a warning to install the service. If the CEE Monitor service is installed on a remote +machine, manual configuration is required. See the +[Dell CEE Options Tab](/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md) topic for additional information. +::: + + +![Isilon Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonoptions.webp) + +**Step 4 –** On the Isilon Options page, choose whether or not to automatically enable and configure +auditing on the Isilon cluster. If a manual configuration has been completed, do not enable these +options. + +Follow these steps to use this automated option: + +- Check the **Enable Protocol Access Auditing in OneFS if it is disabled** box. +- Enter the User name and User password to connect to the OneFS Platform API. + + :::note + The User name entered must be an Administrator account on the Dell Isilon device. + ::: + + +- Click Connect to test the connection. If the connection is successful, discovered access zones is + displayed in the **Available** box. +- Access Zones: + + - By default, the **Monitored** box is left empty and all available access zones are monitored. + All activity for the host is collected and placed in a single activity log file per day. 
+ - If access zones are selected, only those access zones are monitored and the activity is placed + in a single activity log file per day. + - Use the arrow buttons to move the desired access zones to the **Monitored** box. + - (_Optional_) Activity log files can be generated for each access zone. In order to generate + one activity log file for each access zone, add only one access zone to this configuration of + the monitored host. Then, add the host again for each access zone to be monitored. When adding + an Isilon host for each access zone, the Dell device name will be the same for each + configuration, but the **CIFS/NFS server name** must have a unique value. + + :::note + Although the Isilon Options page allows multiple access zones to be placed in the + Monitored box for a single Isilon host, when generating separate activity log files for each + access zones, Access Analyzer does not support this configuration. Access Analyzer + integration requires all access zones to be monitored from a single configuration. + ::: + + +Click **Next**. + +![Protocols selection page](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp) + +**Step 5 –** On the Protocols page, select which protocol to monitor. The list of protocols that can +be monitored are All, CIFS, or NIFS. Click **Next**. + +![Configure Operations page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) + +**Step 6 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** options to be monitored. Additional options include: + +:::warning +Suppress Microsoft Office operations on temporary files – Filters out events for +Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary +files are created. With this option enabled, events for these temporary files are ignored. This +feature may delay reporting of activity. +::: + + +Click **Next**. 
+ +![Configure Basic Options](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp) + +**Step 7 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report account names – Adds an **Account Name** column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. 
+ +![Where to Log the Activity Page Generic](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 8 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 9 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 10 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the text box. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. 
The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The + following Syslog templates have been provided: + - AlienVault / Generic Syslog + - CEF – Incorporates the CEF message format + - HP Arcsight + - LEEF – Incorporates the LEEF message format + - LogRhythm + - McAfee + - QRadar – Use this template for IBM QRadar integration + - Splunk – Use this template for Splunk integration + - Threat Manager – Use this template for Threat Manager integration. This is the only supported + template for Threat Manager. See the + [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) + for additional information. + - Custom templates can be created. Select the desired template or create a new template by + modifying an existing template within the Syslog Message Template window. The new message + template will be named Custom. +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. 
The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- The Test button – Sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Dell Isilon added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcisilon.webp) + +The added Dell Isilon/PowerScale host is displayed in the monitored hosts/services table. Once a host has +been added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for additional information. + +## Host Properties for Dell Isilon/PowerScale + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Dell Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md) +- [Auditing Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/auditing.md) +- [Unix IDs Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerstore.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerstore.md new file mode 100644 index 0000000000..88dcb1a8e9 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerstore.md 
@@ -0,0 +1,197 @@ +--- +title: "Dell PowerStore" +description: "Dell PowerStore" +sidebar_position: 30 +--- + +# Dell PowerStore + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Dell PowerStore host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Dell PowerStore Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Dell PowerStore Host + +Follow the steps to add a Dell PowerStore host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. The Add New Host +window opens. + +![addagent01](/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp) + +**Step 2 –** On the **Choose Agent** page, select the Agent to monitor the file server. +Click**Next**. 
+ +![powerstoreaddhost01](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost01.webp) + +**Step 3 –** On the Add Host page, select the Dell PowerStore radio button and enter the file server +name. Click **Next**. + +:::note +All Dell event source types must have the CEE Monitor Service installed on the agent in +order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and +display a warning to install the service. If the CEE Monitor service is installed on a remote +machine, manual configuration is required. See the +[Dell CEE Options Tab](/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md) topic for additional information. +::: + + +![powerstoreaddhost02](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost02.webp) + +**Step 4 –** On the Protocols page, specify the protocols to monitor. The list of protocols that can +be monitored are, All, CIFS, or NFS. Once a protocol is selected, click **Next**. + +![powerstoreaddhost03](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost03.webp) + +**Step 5 –** On the Configure Operations page, select the File Operations and Directory Operations +to be monitored. + +- Suppress reporting of File Explorer's excessive directory traversal activity – Filters out events + of excessive directory traversal in File Explorer. + +Click **Next**. + +![powerstoreaddhost04](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost04.webp) + +**Step 6 –** On the Configure Basic Operations page, choose which settings to enable. Select one of +the following options: + +- Report account names – Adds an Account Name column in the generated TSV files. 
+- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. These columns have also been added as Syslog macros. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second. + +Click **Next**. + +![powerstoreaddhost05](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost05.webp) + +**Step 7 –** On the Where to log the activity page, select whether to send the activity to either a +Log File or Syslog Server. Click **Next**. + +:::note +An option must be selected before moving to the next step. +::: + + +![powerstoreaddhost06](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost06.webp) + +**Step 8 –** If Log File is selected on the Where To Log The Activity page, the File Output page can +be configured. + +- Specify output file path – Specify the file path where TSV log files are saved on the agent's + server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder + destination. Click **Test** to test if the path works. 
+- Period to keep Log files – Log files will be deleted after the period entered as the number of + days elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files + for a set amount of Minutes, Hours, or Days. This retention setting applies both to the local + files on the agent's server and to the archived files. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. + ::: + + + :::note + While Activity Monitor can have multiple configurations for log file outputs per host, + Access Analyzer can only read one of them. + ::: + + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + + :::note + Access Analyzer does not support log files with the header. + ::: + + +Click **Next**. + +![powerstoreaddhost07](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost07.webp) + +**Step 9 –** If Syslog Server is selected on the Where To Log The Activity page, the Syslog Output +page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the **Message framing** drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. 
Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![powerstoreaddhost08](/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost08.webp) + +The added Dell PowerStore host is displayed in the monitored hosts/services table. Once a host has been added +for monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) +topic for additional information. + +## Host Properties for Dell PowerStore + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Dell Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellunity.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellunity.md new file mode 100644 index 0000000000..a4e9797ded --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellunity.md 
@@ -0,0 +1,229 @@ +--- +title: "Dell Unity" +description: "Dell Unity" +sidebar_position: 40 +--- + +# Dell Unity + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Dell Unity host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Dell Unity Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md) topic for +additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Dell VNX/Celerra Host + +Follow the steps to add a Dell Unity host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent window](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. 
+ +![Add Host window with Dell Unity selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhostemcunity.webp) + +**Step 3 –** On the Add Host page, select the Dell Unity radio button and enter the **NAS Server +Name** for the device. If desired, add a **Comment**. Click **Next**. + +:::note +All Dell event source types must have the CEE Monitor Service installed on the agent in +order to collect events. Activity Monitor will detect if the CEE Monitor is not installed and +display a warning to install the service. If the CEE Monitor service is installed on a remote +machine, manual configuration is required. See the +[Dell CEE Options Tab](/docs/activitymonitor/9.0/admin/agents/properties/dellceeoptions.md) topic for additional information. +::: + + +![Protocol Monitoring Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp) + +**Step 4 –** On the Protocols page, select which protocols to monitor. The protocols that can be +monitored are All, CIFS, or NIFS. Click **Next**. + +![Configure Operations Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** to be monitored. Additional options include: + +:::warning +Suppress Microsoft Office operations on temporary files – Filters out events for +Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary +files are created. With this option enabled, events for these temporary files are ignored. This +feature may delay reporting of activity. +::: + + +Click **Next**. + +![Configure Basic Options Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. 
Select the desired options: + +- Report account names – Adds an **Account Name** column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. 
+ +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the text box. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. 
The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The + following Syslog templates have been provided: + - AlienVault / Generic Syslog + - CEF – Incorporates the CEF message format + - HP Arcsight + - LEEF – Incorporates the LEEF message format + - LogRhythm + - McAfee + - QRadar – Use this template for IBM QRadar integration + - Splunk – Use this template for Splunk integration + - Threat Manager – Use this template for Threat Manager integration. This is the only supported + template for Threat Manager. See the + [Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) + for additional information. + - Custom templates can be created. Select the desired template or create a new template by + modifying an existing template within the Syslog Message Template window. The new message + template will be named Custom. +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Resolve UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. 
The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. + - When this option is selected, the user needs to provide credentials in the Auditing tab. If + credentials are not provided, the following warning message is displayed: + - Credentials are required for this feature. Provide the credentials in the Auditing tab. +- The Test button – Sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Dell Unity host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcunity.webp) + +The added Dell Unity host is displayed in the monitored hosts/service table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Dell Unity + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Dell Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md) +- [Unix IDs Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/entraid.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/entraid.md new file mode 100644 index 0000000000..eedd9628cc --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/entraid.md 
@@ -0,0 +1,162 @@ +--- +title: "Microsoft Entra ID" +description: "Microsoft Entra ID" +sidebar_position: 70 +--- + +# Microsoft Entra ID + +**Understanding Microsoft Entra ID Activity Monitoring** + +The Activity Monitor can be configured to monitor the following Microsoft Entra ID (formerly Azure +AD) changes: + +- Report Sign-In events +- Reports over 800 audit events in different categories, including: + +| | | | +| ----------------------- | ---------------------- | -------------------- | +| Administrative Unit | Application Management | Authentication | +| Authorization | Authorization Policy | Contact | +| Device | Device Configuration | Directory Management | +| Entitlement Management | Group Management | Identity Protection | +| Kerberos Domain | Key Management | Label | +| Permission Grant Policy | Policy | Policy Management | +| Resource Management | Role Management | User Management | + +- Reports on audit events across different services, including: + +| | | | | +| ----------------------------- | -------------------------------- | --------------------- | ------------------- | +| AAD Management UX | Access Reviews | Account Provisioning | Application Proxy | +| Authentication Methods | B2C | Conditional Access | Core Directory | +| Device Registration Service | Entitlement Management | Hybrid Authentication | Identity Protection | +| Invited Users | MIM Service | MyApps | PIM | +| Self-Service Group Management | Self-service Password Management | Terms of Use | | + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding aMicrosoft Entra ID host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Microsoft Entra ID Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/entraid-activity.md) topic +for additional information. 
+ +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Azure Active Directory / Entra ID Host + +Follow the steps to add a Microsoft Entra ID host to be monitored. + +**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Add Host - Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. + +![Add Host page](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostentraid.webp) + +**Step 3 –** On the Add Host page, select the **Azure Active Directory / Entra ID** radio button and +enter the Primary domain in the **Domain name** field. + +_(Optional)_ Enter a comment for the Microsoft Entra ID host. + +![entraidconnection](/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidconnection.webp) + +**Step 4 –** On the Azure AD / Entra ID Connection page, enter a Tenant ID, Client ID, and Client +Secret. Optional add a Region. Then click **Connect** to grant permissions to read the audit log. +Click **Open Instruction...** for steps on registering the Activity Monitor with Microsoft Entra ID. +Click **Next**. + +![Add Host - Azure AD Operations page](/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidoperations.webp) + +**Step 5 –** On the Azure AD / Entra ID Operations page, select which audit activity to monitor. +Click **Next**. 
+ +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 6 –** On the Where To Log The Activity page, select where to send the activity events: + +- Log file – Sends to a TSV or JSON file +- Syslog Server – Sends to a configured SIEM system +- Netwrix Threat Manager – Sends to Netwrix Threat Manager + +![fileoutputpage](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 7 –** If **Log Files** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. The configurable options are: + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Netwrix Access Analyzer – Enable this option to have Netwrix Access Analyzer collect this monitored + host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +Click **Next**. + +![syslogoutputpage](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. 
+ - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Azure Active Directory in Activity Monitor](/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidadded.webp) + +The added Microsoft Entra ID host is displayed in the monitored hosts/service table. Once a host has been +added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for additional information. + +## Host Properties for Microsoft Entra ID + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Connection Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md new file mode 100644 index 0000000000..3e653517a6 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md 
@@ -0,0 +1,143 @@ +--- +title: "Exchange Online" +description: "Exchange Online" +sidebar_position: 50 +--- + +# Exchange Online + +Prior to adding an Exchange Online host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[Exchange Online Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/exchange-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Exchange Online Host + +Follow the steps to add an Exchange Online host to be monitored. + +**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Add Host - Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. + +![Add Host Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/addexchangeonline.webp) + +**Step 3 –** On the Add Host page, select the Exchange Online radio button and enter the domain +name. + +_(Optional)_ Enter a comment for the Exchange Online host. + +![Azure AD Connection - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/connection.webp) + +**Step 4 –** On the Azure AD / Entra ID Connection page, enter Tenant ID, Client ID, Client Secret, +and Region(optional) then click **Connect** to verify the connection.. Click **Open Instruction...** +for steps on registering the Activity Monitor with Microsoft Azure. Click **Next**. + +![operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/operations.webp) + +**Step 5 –** On the Exchange Online Operations page, configure the options found in the following +tabs: + +- Admin Activity +- Mailbox Audit +- DLP +- Other + +These options can be configured again in a Exchange Online host's properties window. 
See the +[Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) for additional information. Click **Next**. + +![Mailboxes to Exclude](/images/activitymonitor/9.0/admin/monitoredhosts/add/mailboxesexclude.webp) + +**Step 6 –** Click **Add Mailbox** to display the Select User dialog box. Specify the mailboxes that +will be filtered during collection. Click **Next**. + +![usersexclude](/images/activitymonitor/9.0/admin/monitoredhosts/add/usersexclude.webp) + +**Step 7 –** Click **Add User** to display the Select User dialog box. Specify the user or email +that will be filtered during collection. Click **Next**. + +![Where to log activity - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologactivity.webp) + +**Step 8 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. + +![File Output - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp) + +**Step 9 –** If **Log Files** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. The configurable options are: + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – Enable + this option to have Netwrix Access Analyzer collect this monitored + host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. 
+ ::: + + + - While the Activity Monitor can have multiple outputs per host, Netwrix Access Analyzer + can only read one of them. + +Click **Next**. + +![Syslog Output - Exchange Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 10 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Exchange Online in Activity Monitor](/images/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.webp) + +The added Exchange Online host is displayed in the monitored hosts/service table. Once a host has been added +for monitoring, configure the desired outputs. 
See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) +topic for additional information. + +## Host Properties for Exchange Online + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Connection Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/hitachi.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/hitachi.md new file mode 100644 index 0000000000..feeef08ca0 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/hitachi.md 
@@ -0,0 +1,167 @@ +--- +title: "Hitachi" +description: "Hitachi" +sidebar_position: 60 +--- + +# Hitachi + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Hitachi host to the Activity Monitor, the prerequisites for the target environment +must be met. See the +[Hitachi Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md) topic for +additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Hitachi NAS Host + +Follow the steps to add a Hitachi host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. Click +**Next**. 
+ +![Add Host page with Hitachi NAS selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhosthitachi.webp) + +**Step 3 –** On the Add Host page, select the Hitachi NAS radio button and enter the **EVS or file +system name** for the device. If desired, add a **Comment**. Click **Next**. + +![Hitachi NAS Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/hitachinasoptions.webp) + +**Step 4 –** On the Hitachi NAS Options page, enter the **Logs path (UNC)** and the **Active Log +file name**. Then enter the credentials to access the HNAS Log files. Click Connect to validate the +connection with the Hitachi device. Click **Next**. + +![Configure Operations page for Hitachi NAS](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationshitachi.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** to be monitored. Click **Next**. + +![Configure Basic Options page for Hitachi NAS](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionshitachi.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. 
These columns + have also been added as Syslog macros. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![Where To Log The Activity](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologtheactivity.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Netwrix Access Analyzer + collect this monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. 
+ +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Hitachi Host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorhitachi.webp) + +The added Hitachi host is displayed in the monitored hosts/service table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Hitachi + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Hitachi NAS Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/hitachinas.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/nasuni.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/nasuni.md new file mode 100644 index 0000000000..3d0ed43c9e --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/nasuni.md 
@@ -0,0 +1,207 @@ +--- +title: "Nasuni" +description: "Nasuni" +sidebar_position: 80 +--- + +# Nasuni + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Nasuni Edge Appliance host to the Activity Monitor, the prerequisites for the +target environment must be met. See the +[Nasuni Edge Appliance Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md) topic +for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Nasuni Host + +Follow the steps to add a Nasuni Edge Appliance host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click +**Next**. 
+ +![Add Host page with Nasuni selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnasuni.webp) + +**Step 3 –** On the Add Host page, select the Nasuni radio button and enter the host name or IP +Address of the Nasuni Edge Appliance in the Nasuni Filer textbox. If desired, add a **Comment**. +Click **Next**. + +![Nasuni Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/nasunioptions.webp) + +**Step 4 –** On the Nasuni Options page, enter the **API Key Name** and the **API Key Value**. Click +Connect to validate the connection with the Nasuni device. + +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors +- Connect – Click to connect using the selected protocol and validate the connection with NetApp + +Click **Next**. + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp) + +- HTTPS Options – Opens the Trusted server certificate window to customize the certificate + verification during a TLS session + - Import – Click to browse for a trusted server certificate + - Remove – Click to remove the selected trusted server certificate + - Enable hostname verification – Select this checkbox to ensure that the host name the product + connects to matches the name in the certificate (CN name) +- Click OK to close the window and save the modifications. + +**Step 5 –** On the Configure Operations page, select the **File Operations, Directory Operations**, +and **Link Operations** to be monitored. Additional options include: + +:::warning +Enabling the Suppress subsequent Read operations in the same folder option can result +in Read events not being monitored. +::: + + +- Suppress subsequent Read operations in the same folder – Logs only one Read operation when + subsequent Read operations occur in the same folder. 
This option is provided to improve overall + performance and reduce output log volume. +- Suppress reporting of File Explorer's excessive directory traversal activity – Filters out events + of excessive directory traversal in File Explorer. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. + +Click **Next**. + +![Configure Basic Options page for Nasuni](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report account names – Adds an Account Name column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Report UNC paths – Adds a **UNC Path** column and a **Rename UNC Path** column in the generated + TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. These columns have also been added as Syslog macros. 
+- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. + +![Where to log the activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer  when integration is + available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![Syslog Output page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. 
+ +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Nasuni host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornasuni.webp) + +The added Nasuni host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Nasuni + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [Nasuni Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nasuni.md) +- [Unix IDs Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/netapp.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/netapp.md new file mode 100644 index 0000000000..120ca48942 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/netapp.md 
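Review bot: The "Period to keep Log files" bullet on the File Output page (Step 8) is garbled, "Log files will be deleted after the period entered number of days entered", and it contradicts the next sentence, which says the unit can be Minutes, Hours, or Days; suggest "Log files are deleted after the entered retention period elapses. The default is 10 days." In the same hunk, the Test button bullet under Syslog Output (Step 9) is missing a noun ("A green check mark or red will determine whether..."), and the `:::info` admonition nested inside the "This log file is for Access Analyzer" item leaves the following "While Activity Monitor can have multiple configurations per host..." sub-bullet detached from its parent; wrapping that sentence in a `:::note` as the Nutanix page in this patch does renders more predictably. The UDP entry ("Sends a test message and does not verify connection") should also state plainly that a green check for UDP means the message was sent, not that the syslog server received it, so readers do not treat the test as proof of delivery.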
@@ -0,0 +1,345 @@ +--- +title: "NetApp" +description: "NetApp" +sidebar_position: 90 +--- + +# NetApp + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a NetApp Data ONTAP host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md) +topic or the +[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md) +topic in the for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add NetApp Host + +Follow the steps to add a NetApp Data ONTAP host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. 
+ +![Add New Host - Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the storage device. Click +**Next**. + +![Add New Host - Add Host page with NetApp selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnetapp.webp) + +**Step 3 –** On the Add Host page, select the NetApp radio button. Then, in the NetApp Filer/SVM +textbox, enter the following information: + +- Cluster-Mode devices – Enter the NetApp Filer/SVM +- 7-Mode devices – Enter the NetApp DNS name. If using vFilers, then it is necessary to use the + vFiler name here. + +Click **Next**. + +![NetApp Host Connection Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappconnection.webp) + +:::warning +Cluster-Mode is case sensitive. The case of the Filer or SVM name must match exactly to +how it is in NetApp's FPolicy configuration. +::: + + +**Step 4 –** On the NetApp Connection page, enter the following: + +- NetApp Filer or SVM – Enter the name of the NetApp Filer or SVM. The name is case sensitive. +- Management LIF – _(Optional)_ If using Cluster Management LIF, a Management LIF can be specified + if SVM Management LIF is not used (Vserver Tunneling) +- User name – Enter the user name for the credentials to connect to the NetApp server +- User password – Enter the password for the credentials to connect to the NetApp server +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + - HTTP +- Connect – Click to connect using the selected protocol and validate the connection with NetApp + +Click **Next**. 
+ +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp) + +- HTTPS Options – Opens the Trusted server certificate window to customize the certificate + verification during a TLS session + - Import – Click to browse for a trusted server certificate + - Remove – Click to remove selected trusted server certificate + - Enable hostname verification – Select this checkbox to ensure that the host name the product + connects to matches the name in the certificate (CN name) + - Click OK to close the window and save the modifications. + +![NetApp FPolicy Configuration page](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyconfiguration.webp) + +**Step 5 –** On the NetApp Mode FPolicy Configuration page, choose whether or not to automatically +configure FPolicy through Activity Monitor. If that is desired, check the Configure FPolicy option. +Any additional permissions required are listed. Be sure to select the appropriate file protocol to +configure the FPolicy. + +:::warning +NetApp FPolicy Enable and Connect requires the provisioned user account to have full +permissions. For Cluster-mode devices, the credentials are identified as ‘Employing the “Configure +FPolicy” Option’. +::: + + +Additional permissions that are required if enabling **Configure FPolicy** are: + +- Command `vserver fpolicy` - Access level: `All` +- Command `security certificate install` - Access level `All `(Need for FPolicy TLS only) + +Click **Next**. + +**Important Notes** + +:::info +For NetApp Cluster-Mode, create a tailored FPolicy manually. If manually +configuring the FPolicy, do not select the ConfigureFPolicy checkbox. +::: + + +If automatic configuration is selected, proceed to the Configure Privileged Access section after +successfully adding the host. 
+ +![NetApp FPolicy Enable and Connect window](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyenableconnect.webp) + +The options on the Configure Operations page require the provisioned user account to have, at a +minimum, the less privileged permissions. For Cluster-mode devices, the credentials are identified +as ‘Employing the “Enable and connect FPolicy” Option’. + +:::warning +On the NetApp FPolicy Enable and Connect page, choose whether or not to Enable and +connect FPolicy, which will “Ensure everything is active with periodic checks.” +::: + + +Additional permissions that are required if enabling **Enable and connect FPolicy** are: + +- Command `vserver fpolicy disable` - Access level `All` +- Command `vserver fpolicy enable` - Access level `All` +- Command `vserver fpolicy engine-connect` - Access level `All` +- Command `network interface` - Access level `readonly` + +**Important Notes** + +:::info +Enable this functionality. Without this option enabled, it is necessary to +manually connect the FPolicy every time it is disconnected for any reason. For reliable, high +availability file monitoring, use this option. +::: + + +Click **Next**. + +![protocolspage](/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp) + +**Step 6 –** On the Protocols page, select which protocols to monitor. The protocols that can be +monitored are: + +- All +- CIFS +- NFS + +Click **Next**. + +![Configure Operations window for NetApp](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsnetapp.webp) + +**Step 7 –** On the Configure Operations page, select the File Operations and Directory Operations +to be monitored. + +:::note +NetApp Data ONTAP Cluster-Mode Device folders are now readable by checking the Read / List +option listed under Directory Operations. This option is also accessible within the NetApp server’s +properties > Operations tab. 
+::: + + +If the Configure FPolicy option is enabled, then Activity Monitor updates the FPolicy according to +these settings. If it was not enabled, then the manually configured FPolicy must be set to monitor +these operations. Only operations being monitored by the FPolicy are available to the activity +agent. + +Additional options include: + +:::warning +Enabling the Suppress subsequent Read operations in the same folder option can result +in Read events not being monitored. +::: + + +- Suppress subsequent Read operations in the same folder – Logs only one Read operation when + subsequent Read operations occur in the same folder. This option is provided to improve overall + performance and reduce output log volume. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. + +Click **Next**. + +![Configure Basic Options page for NetApp](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp) + +**Step 8 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the proxy host. Select the desired options: + +- Report account names – Adds an Account Name column in the generated TSV files +- Add C:\ to the beginning of the reported file paths – Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. 
The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + - Access Analyzer 8.1+ is required for this feature + +Click **Next**. + +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 9 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![fileoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp) + +**Step 10 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Netwrix Access Analyzer + collect this monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. 
+ ::: + + + - While Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 11 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with NetApp Host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornetapp.webp) + +The added NetApp host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. 
See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +:::tip +Remember, if automatic configuration of the FPolicy was selected, it is necessary to Configure +Privileged Access. +::: + + +## Configure Privileged Access + +If automatic configuration of the FPolicy is used for NetApp Data ONTAP Cluster-Mode devices, it is +necessary to configure privileged access. Follow the steps to configure privileged access. Remember, +this requires the provisioned user account to have full permissions, identified as the credentials +‘Employing the “Configure FPolicy” Option’. + +**Step 1 –** On to the Monitored Hosts & Services tab, select the desired host and click Edit. The host’s +Properties window opens. + +![NetApp Host Properties FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicytab.webp) + +**Step 2 –** On the FPolicy tab, select the **Privileged Access** tab. Select the Allow privileged +access checkbox and provide the Privileged user name in the textbox. + +:::note +This option is only available if the Configure FPolicy option is enabled. +::: + + +Privileged access must be allowed and configured with appropriate credentials to leverage Access +Analyzer permission (FSAA) scans for this NetApp device + +For information on the other options for this tab, see the [FPolicy Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicy.md) +section. + +## Host Properties for NetApp + +Configuration settings can be edited through the tabs in the host’s Properties window. 
The +configurable host properties are: + +- [NetApp Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/netapp.md) +- [FPolicy Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicy.md) +- [Unix IDs Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/nutanix.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/nutanix.md new file mode 100644 index 0000000000..1a103005da --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/nutanix.md 
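Review bot: The "NetApp FPolicy Enable and Connect" page has no step number (the text jumps from Step 5, FPolicy Configuration, to Step 6, Protocols), its instruction is placed inside a `:::warning` admonition ("On the NetApp FPolicy Enable and Connect page, choose whether or not to Enable and connect FPolicy...") rather than in a step line, and the paragraph introducing it refers to "The options on the Configure Operations page", which is a different page; suggest promoting that instruction to a numbered step, renumbering the following steps, and fixing the page name. Smaller fixes in the same hunk: "topic in the for additional information." drops the name of the guide after "in the"; the permission line `Command \`security certificate install\` - Access level \`All \`(Need for FPolicy TLS only)` has a stray space inside the backticks and should read "Needed for FPolicy TLS only"; "do not select the ConfigureFPolicy checkbox" is missing a space; the Configure Privileged Access Step 1 reads "On to the Monitored Hosts & Services tab"; the sentence ending "FSAA) scans for this NetApp device" has no period; and the path display examples use different extensions ("C:\Folder\file.txt" vs "/Folder/file.text"), which should match. Since the Configure FPolicy and Enable and connect options each list the ONTAP commands the account needs, it would help operators to say that accounts without "Configure FPolicy" only need the four lower-privilege commands listed under Enable and connect, so they are not provisioned with `All` access to `security certificate install` unnecessarily.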
@@ -0,0 +1,204 @@ +--- +title: "Nutanix" +description: "Nutanix" +sidebar_position: 100 +--- + +# Nutanix + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Nutanix files host to the Activity Monitor, the prerequisites for the target +environment must be met. See +[Nutanix Files Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md) for more +information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Network Adapter for Nutanix File Server + +Ensure that the correct network adapter is specified in the Network page for an agent before adding +a Nutanix file server to be monitored. + +![nutanixnetworkadapter](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixnetworkadapter.webp) + +The agent registers the IP address of the network adapter in the Nutanix auditing configuration for +activity delivery. Nutanix Files server connects to the agent using the TCP port 4501. 
See the +[Network Tab](/docs/activitymonitor/9.0/admin/agents/properties/network.md) topic for additional information. + +## Add Nutanix Host + +Follow the steps to add a Nutanix files host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. The Add New Host +window opens. + +![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the file server from the +drop-down list. Click **Next**. + +![Add Host](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost02.webp) + +**Step 3 –** On the Add Host page, select the **Nutanix Files** radio button and enter the file +server name. Click **Next**. + +![Nutanix Options](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_04.webp) + +**Step 4 –** On the Nutanix Options page, enter the user name and password. + +:::note +The credentials used on the Nutanix Options page are for the Nutanix user having REST API +access. +::: + + +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors +- Connect – Click **Connect** to connect to the Nutanix device using the selected protocol and + validate the connection. + +Click **Next**. + +![Configure Operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_05.webp) + +**Step 5 –** On the Configure Operations page, select the File Operations and Directory Operations +to be monitored. + +Click **Next**. + +![Configure Operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_06.webp) + +**Step 6 –** On the Configure Basic Operations page, choose which settings to enable. The “Log +files” are the activity logs created by the activity agent on the agent's server. Select one of the +following options: + +- Report account names: Adds an Account Name column in the generated TSV files. 
+- Add C:\ to the beginning of the reported file paths: Adds ‘C:\” to file paths to be displayed like + a Windows file path: + - Display example if checked: C:\Folder\file.txt + - Display example if unchecked: /Folder/file.text +- Report operations with millisecond precision - Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second. + - Access Analyzer 8.1+ is required to use this feature. + +Click **Next**. + +![Where to log the activity](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +Log File or Syslog Server. Click **Next**. + +:::note +An option must be selected before moving to the next step. +::: + + +![File Output](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_08.webp) + +**Step 8 –** If Log File is selected on the Where To Log The Activity page, configure the File +Output page. + +- Specify output file path – Specify the file path where TSV log files are saved on the agent's + server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder + destination. Click **Test** to test if the path works. +- Period to keep Log files –Log files will be deleted after the period entered as the number of days + elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. This setting applies to both the local files on the agent's + server and to the archived files. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. 
+ ::: + + + :::note + While Activity Monitor can have multiple configurations for log file outputs per host, + Access Analyzer can only read one of them. + ::: + + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + + :::note + Access Analyzer does not support log files with the header. + ::: + + +Click **Next**. + +![Syslog Output](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp) + +**Step 9 –** If Syslog Server is selected on the Where To Log The Activity page, configure the +Syslog Output page. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the **Message framing** drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![nutanixoptions_10](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_10.webp) + +The added Nutanix host is displayed in the monitored hosts/service table. Once a host has been added for +monitoring, configure the desired outputs. 
See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Nutanix + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Nutanix Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nutanix.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/overview.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/overview.md new file mode 100644 index 0000000000..5356611a79 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/overview.md 
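Review bot: Step 6 says "choose which settings to enable" and then "Select one of the following options:", but the items are independent checkboxes, so "Select the desired options:" (as on the NetApp page in this patch) is correct; the same step also calls the page "Configure Basic Operations" where every other host page and the Nasuni/NetApp hunks use "Configure Basic Options", and its screenshot alt text repeats Step 5's "Configure Operations". Smaller fixes: "Period to keep Log files –Log files" is missing a space, and the display examples use "file.txt" vs "file.text". On the positive side, the `:::note` under "Add header to Log files" ("Access Analyzer does not support log files with the header.") is the only place in this patch that documents the conflict between the Splunk header and the "This log file is for Access Analyzer" option; an operator who enables both on the Nasuni, NetApp or Panzura pages would silently break the Access Analyzer feed, so that note should be copied to those pages as well.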
@@ -0,0 +1,34 @@ +--- +title: "Add New Host Window" +description: "Add New Host Window" +sidebar_position: 10 +--- + +# Add New Host Window + +Once an agent has been deployed, you can configure a host to be monitored by clicking the Add Host +button on the Monitored Hosts & Services tab. + +![Add New Host window](/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhost.webp) + +The window opens for all types of hosts that can be monitored with an Activity Agent. See the +following topics for additional information: + +- [Azure Files](/docs/activitymonitor/9.0/admin/monitoredhosts/add/azurefiles.md) +- [CTERA](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ctera-activity.md) +- [Dell Celerra or VNX](/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellcelerravnx.md) +- [Dell Isilon/PowerScale](/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerscale.md) +- [Dell PowerStore](/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellpowerstore.md) +- [Dell Unity](/docs/activitymonitor/9.0/admin/monitoredhosts/add/dellunity.md) +- [Exchange Online](/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md) +- [Hitachi](/docs/activitymonitor/9.0/admin/monitoredhosts/add/hitachi.md) +- [Microsoft Entra ID](/docs/activitymonitor/9.0/admin/monitoredhosts/add/entraid.md) +- [Nasuni](/docs/activitymonitor/9.0/admin/monitoredhosts/add/nasuni.md) +- [NetApp](/docs/activitymonitor/9.0/admin/monitoredhosts/add/netapp.md) +- [Nutanix](/docs/activitymonitor/9.0/admin/monitoredhosts/add/nutanix.md) +- [Panzura](/docs/activitymonitor/9.0/admin/monitoredhosts/add/panzura.md) +- [Qumulo](/docs/activitymonitor/9.0/admin/monitoredhosts/add/qumulo.md) +- [SharePoint](/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepoint.md) +- [SharePoint Online](/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.md) +- [SQL Server](/docs/activitymonitor/9.0/admin/monitoredhosts/add/sqlserver.md) +- 
[Windows](/docs/activitymonitor/9.0/admin/monitoredhosts/add/windows.md) diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/panzura.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/panzura.md new file mode 100644 index 0000000000..ebf894839d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/panzura.md 
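Review bot: The CTERA entry links to `/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ctera-activity.md`, which is the prerequisites topic, while every other entry in the list links into `admin/monitoredhosts/add/`; either a `ctera.md` add-host page is missing from this patch or the entry should be labelled as the CTERA configuration-requirements topic so readers do not expect an Add Host walkthrough there. Also, this page says "clicking the Add Host button on the Monitored Hosts & Services tab" while the per-host pages in the same patch say "click Add" or "click **Add**"; the button should be named the same way everywhere.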
@@ -0,0 +1,203 @@ +--- +title: "Panzura" +description: "Panzura" +sidebar_position: 110 +--- + +# Panzura + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Threat Prevention +- Netwrix Threat Manager + +## Add Panzura Host + +Prior to adding a Panzura host to the Activity Monitor, the prerequisites for the target environment +must be met. See the [Panzura CloudFS Monitoring](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/panzura-activity.md) topic for +additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +Follow the steps to add a Panzura host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device. Click +**Next**. + +![Add Host](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostpanzura.webp) + +**Step 3 –** On the Add Host page, select the **Panzura** radio button and enter the **Panzura filer +name**. Click **Next**. 
+ +![Panzura Properties](/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraoptions.webp) + +**Step 4 –** On the Panzura Options page, enter the **Username**, **Password**, and select the +**Protocol** to be used by the Panzura host. + +- The different protocols that can be selected are: + + - Auto Detect (Default) + - HTTPS + - HTTPS, ignore certificate errors + + Click **HTTPS Options** to open the Trusted server certificate window. + +Click **Next**. + +![Customize Certifiacte Verification](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp) + +- HTTPS Options – Opens the Trusted server certificate window to customize the certificate + verification during a TLS session + + - Import – Click to browse for a trusted server certificate + - Remove – Click to remove selected trusted server certificate + - Enable hostname verification – Select this checkbox to ensure that the host name the product + connects to matches the name in the certificate (CN name) + - Click OK to close the window and save the modifications + + Click **Connect** to connect to the Panzura device. Click **Next**. + +![Configure Operations](/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraconfigureoperations.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations** and **Directory +Operations** to be monitored. + +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. + +Click **Next**. 
+ +![configurebasicoptionspanzura](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionspanzura.webp) + +**Step 6 –** On the Configure Basic Options page, choose which of the following settings to enable: + +- Add C:\ to the beginning of the reported file paths - Adds ‘C:\” to file paths to be displayed + like a Windows file path: + - Display example if checked – C:\Folder\file.txt + - Display example if unchecked – /Folder/file.text +- Report UNC paths - Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – `[HOST]:/[VOLUME]/[PATH]` + - Example NFS activity – `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. +- Report operations with millisecond precision - Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second. + - Access Analyzer 8.1+ is required to use this feature. + +Click **Next**. + +![wheretologgeneric](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +:::note +An option must be selected before moving to the next step. 
+::: + + +![fileoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where TSV log files are saved on the agent's + server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder + destination. Click **Test** to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered as the number of + days elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files + for a set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + +Click **Next**. + +![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. 
The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the **Message framing** drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![activitymonitorpanzura](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorpanzura.webp) + +The added Panzura host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Panzura + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Panzura Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/panzura.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/qumulo.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/qumulo.md new file mode 100644 index 0000000000..e8e78b303d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/qumulo.md 
@@ -0,0 +1,167 @@ +--- +title: "Qumulo" +description: "Qumulo" +sidebar_position: 120 +--- + +# Qumulo + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Prevention +- Netwrix Threat Manager + +Prior to adding a Qumulo host to the Activity Monitor, the prerequisites for the target environment +must be met. See the [Qumulo Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add Qumulo Host + +Follow the steps to add a Qumulo host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click **Add**. The Add New Host +window opens. + +![addagent01](/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor the file server from the +drop-down list. Click **Next**. 
+ +![addhostqumulo01](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo01.webp) + +**Step 3 –** On the Add Host page, select the **Qumulo** radio button and enter the file server +name. Click **Next**. + +![addhostqumulo02](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo02.webp) + +**Step 4 –** On the Qumulo Options page, enter the user name and password. + +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors +- Connect – Click **Connect** to connect to the Qumulo device using the selected protocol and + validate the connection. + +The following values are shown for information purposes. You can use them to configure auditing in +Qumulo. + +- Syslog Address – Address to configure Qumulo cluster. +- Port – Port to configure Qumulo cluster. + +Click **Next**. + +![nutanixoptions_07](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp) + +**Step 5 –** On the Where To Log The Activity page, select whether to send the activity to either a +Log File or Syslog Server. Click **Next**. + +:::note +An option must be selected before moving to the next step. +::: + + +![addhostqumulo04](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo04.webp) + +**Step 6 –** If Log File is selected on the Where To Log The Activity page, configure the File +Output page. + +- Specify output file path – Specify the file path where TSV log files are saved on the agent's + server. Click the ellipses button (...) to open the Windows Explorer to navigate to a folder + destination. Click **Test** to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered as the number of + days elapses. The default is 10 days. Use the dropdown to specify whether to keep the Log files + for a set number of Hours or Days. 
+- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. + ::: + + + :::note + While Activity Monitor can have multiple configurations for log file outputs per host, + Access Analyzer can only read one of them. + ::: + + +- Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk. + + :::note + Access Analyzer does not support log files with the header. + ::: + + +Click **Next**. + +![nutanixoptions_09](/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp) + +**Step 7 –** If Syslog Server is selected on the Where To Log The Activity page, configure the +Syslog Output page. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the **Message framing** drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. 
+ +![addhostqumulo06](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo06.webp) + +The added Qumulo host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for Qumulo + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Qumulo Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/qumulo.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepoint.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepoint.md new file mode 100644 index 0000000000..827bc2b616 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepoint.md 
@@ -0,0 +1,162 @@ +--- +title: "SharePoint" +description: "SharePoint" +sidebar_position: 130 +--- + +# SharePoint + +**Understanding SharePoint Activity Monitoring** + +The Activity Monitor can be configured to monitor the following SharePoint changes: + +- Document is checked out +- Document is checked in +- Object is deleted +- Object is updated +- Child object is deleted +- Child object is undeleted +- Child object is moved +- Search operation is performed +- Security group is created +- Security group is deleted +- Security principal is added to a security group +- Security principal is removed from a security group + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer + +Prior to adding a SharePoint host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[SharePoint On-Premise Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-onprem-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to the SharePoint Application server that hosts the +“Central Administration” component of the SharePoint farm. +::: + + +## Add SharePoint Host + +Follow the steps to add a SharePoint host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent page](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent deployed on the SharePoint Application +server that hosts the “Central Administration” component. Click **Next**. + +![Add Host page with SharePoint selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostsharepoint.webp) + +**Step 3 –** On the Add Host page, select the SharePoint radio button. If desired, add a Comment. +Click **Next**. 
+ +![Add Host - SharePoint Options page](/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointoptions.webp) + +**Step 4 –** On the SharePoint Options page, choose to audit all sites or scope the monitoring to +specific site(s): + +- Enable auditing on selected site collections – Enabling this option will ensure that auditing is + enabled for all monitored site collections with periodic checks +- Audit all sites – Leave textbox for URLs blank + + Scope to specific sites – List URLs for sites to be monitored in the textbox. List should be + semicolon separated. + + - Examples – http://sharpoint.local/sites/marketing, + http://sharepoint.local/sites/personal/user1 + - Then enter the credentials configured as the provisioned activity monitoring account. + +- Enter valid **User Name** and **Password** for a domain account with local administrative + permissions +- Connect – Click Connect to verify the provided credentials + +Click **Next**. + +![Configure Operations page for SharePoint](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationssharepoint.webp) + +**Step 5 –** On the Configure Operations page, select the SharePoint Operations and Permissions +Operations to be monitored. Click **Next**. + +![Where to log the activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 6 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 7 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. 
+- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- Log file format – Select whether the log file will be saved as a JSON or TSV file +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +Click **Next**. + +![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. 
Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click Finish. + +![Activity Monitor with SharePoint host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsharepoint.webp) + +The added SharePoint host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for SharePoint + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [SharePoint Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/sharepoint.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.md new file mode 100644 index 0000000000..be02c860d0 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.md 
@@ -0,0 +1,179 @@ +--- +title: "SharePoint Online" +description: "SharePoint Online" +sidebar_position: 140 +--- + +# SharePoint Online + +**Understanding SharePoint Activity Monitoring** + +The Activity Monitor can be configured to monitor the following SharePoint changes: + +- Document is checked out +- Document is checked in +- Object is deleted +- Object is updated +- Child object is deleted +- Child object is undeleted +- Child object is moved +- Search operation is performed +- Security group is created +- Security group is deleted +- Security principal is added to a security group +- Security principal is removed from a security group + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer + +Prior to adding a SharePoint Online host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-online-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add SharePoint Online Host + +Follow the steps to add a SharePoint Online host to be monitored. + +**Step 1 –** In the Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the Agent to monitor SharePoint Online. + +:::warning +The domain name must match the SharePoint Online host name in order to properly +integrate SharePoint Online activity monitoring with Access Analyzer. 
+::: + + +![Add Host page with SharePoint Online selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp) + +**Step 3 –** On the Add Host page, select the SharePoint Online radio button and enter the Microsoft +Entra ID (formerly Azure AD) domain name. Click **Next**. + +![Add New Host - Azure AD Connection for SharePoint Online](/images/activitymonitor/9.0/admin/monitoredhosts/add/azureadconnection.webp) + +**Step 4 –** On the Azure AD / Entra ID Connection page, enter a Client ID and Client Secret, then +click **Sign-In** to grant permissions to read the auditing and directory data. Click **Open +Instruction...** for steps on registering the Activity Monitor with Microsoft Entra ID. + +- After clicking **Sign-In**, the **Sign in to your account window** opens. +- Sign-in with a Global Administrator account. +- Approve consent for the organization. + + :::note + Activity Monitor does not store credentials. The credentials are used to enable + API access using the Client ID and Secret. + ::: + + +- See the + [SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-online-activity.md) + topic for additional information. + +Click **Next**. + +![SharePoint Online Operations page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileandpagetab.webp) + +**Step 5 –** On the SharePoint Online Operations page, configure the options found in the following +tabs: + +- File and Page +- Folder +- List +- Sharing and Access Request +- Site Permissions +- Site Administration +- Synchronization +- DLP +- Sensitive Label +- Content Explorer +- Other + +These options can be configured again in a SharePoint Online host's properties window. See the +[Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) for additional information. Click **Next**. 
+ +![Where to log the activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 6 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp) + +**Step 7 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. The configurable options are: + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Netwrix Access Analyzer – Enable this option to have Access Analyzer collect this monitored host configuration + + :::info + Identify the configuration to be read by Netwrix Access Analyzer when integration is available. + ::: + + + - While the Activity Monitor can have multiple configurations per host, Netwrix Access Analyzer + can only read one of them. + +Click **Next**. + +![Syslog Output Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 8 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. 
The Event stream is the activity + being monitored according to this configuration for the monitored host. +- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with SharePoint Online host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.webp) + +The added SharePoint Online host is displayed in the monitored hosts/services table. Once a host has been +added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for additional information. + +## Host Properties for SharePoint Online + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Connection Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. 
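Review bot: in panzura.md Step 4, the Protocol option `HTTPS, ignore certificate errors` is documented without a caveat; it turns off server certificate validation, so the Username and Password entered on the Panzura Options page can be submitted to a host that is not the real Panzura device. Suggest stating that it is for troubleshooting only and that the supported path for a self-signed or private-CA certificate is to import it under HTTPS Options and select `Enable hostname verification` (and document whether that checkbox is on by default). Also in this file: the alt text `Customize Certifiacte Verification` is misspelled; the Configure Basic Options bullet has mismatched quotes in `Adds ‘C:\” to file paths`, and its unchecked example `/Folder/file.text` should be `/Folder/file.txt` to match the checked example; and the Test-button sentence `A green check mark or red will determine` is missing the word after `red` (the same sentence recurs in qumulo.md, sharepoint.md, sharepointonline.md and sqlserver.md).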
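Review bot: in qumulo.md Steps 5 and 7, the screenshots `nutanixoptions_07.webp` and `nutanixoptions_09.webp` are Nutanix captures carried over from another page; replace them with Qumulo captures or the generic `wheretologgeneric.webp` and `syslogoutput.webp` images the sibling pages use. In Step 4, the `Syslog Address` and `Port` bullets say only `Address to configure Qumulo cluster` and `Port to configure Qumulo cluster`; clarify that these are the values to enter on the Qumulo side so the reader knows which end listens and which connects. Minor: the retention bullet in Step 6 lists `Hours or Days` while the other pages list `Minutes, Hours, or Days`, and the note `Access Analyzer does not support log files with the header` appears only here; if it applies generally, the `Add header to Log files` bullet on the other pages should carry it too.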
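Review bot: in sharepoint.md Step 4, the scoping instructions contradict their own example: the text says `List should be semicolon separated` but the example URLs are separated by a comma, and the first example `http://sharpoint.local/sites/marketing` misspells the host name. `Scope to specific sites` is also indented as a continuation paragraph rather than a list item, so it renders as part of the `Audit all sites` bullet, and the `Then enter the credentials` sub-bullet belongs with the User Name and Password bullet below it. In Step 7 the retention bullet reads `deleted after the period entered number of days entered`, which needs rewording (the same sentence recurs in sharepointonline.md Step 7 and sqlserver.md Step 10).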
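Review bot: in sharepointonline.md, the `:::warning` that the domain name must match the SharePoint Online host name is placed under Step 2 (Choose Agent), but the domain name is entered in Step 3; move it after Step 3. In Step 4, the note `Activity Monitor does not store credentials` is ambiguous, because a Client ID and Client Secret are entered on the same page and the next sentence says API access uses them; clarify that it is the Global Administrator sign-in that is not retained, and say how the Client Secret is stored on the agent. The sign-in bullets should also list, or link to, the permissions being consented to so an administrator can review them before approving consent for the organization.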
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/sqlserver.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/sqlserver.md new file mode 100644 index 0000000000..e44a70adaa --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/sqlserver.md 
@@ -0,0 +1,172 @@ +--- +title: "SQL Server" +description: "SQL Server" +sidebar_position: 150 +--- + +# SQL Server + +**Understanding SQL Server Activity Monitoring** + +The Activity Monitor provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer + +Prior to adding a SQL Server host to the Activity Monitor, the prerequisites for the target +environment must be met. See the +[SQL Server Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sqlserver-activity.md) topic for +additional information. + +:::tip +Remember, the Activity Agent must be deployed to a Windows server that acts as a proxy for +monitoring the target environment. +::: + + +## Add MS SQL Server Host + +Follow the steps to add a SQL Server host to be monitored. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![chooseagent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor the storage device, then +click **Next**. + +![addhost](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp) + +**Step 3 –** On the **Add Host** page, select **MS SQL Server** and enter the **Server name or +address** for the SQL Server host., then click **Next**. + +![mssqlserveroptionspage](/images/activitymonitor/9.0/admin/monitoredhosts/add/mssqlserveroptionspage.webp) + +**Step 4 –** On the MS SQL Server Options page, configure the following options: + +- Enable Audit automatically — Check the box to enable automatic auditing if it is ever disabled +- Open instruction — Opens the **How to create a SQL Login for Monitoring** page. See the SQL Server + Database section of the + [SQL Server Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sqlserver-activity.md) topic for + additional information. 
+- User name — Enter the user name for the credentials for the SQL Server +- User password — Enter the password for the credentials for the SQL Server + +Click **Connect** to test the settings, then click **Next**. + +![configureoperations](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperations.webp) + +**Step 5 –** On the Configure Operations page, select which SQL Server events to monitor, then click +**Next**. + +![SQL Server Objects Page](/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverobjects.webp) + +**Step 6 –** On the SQL Server Objects page, click **Refresh**. Select the SQL Server objects to be +monitored. Click **Next**. + +![sqlserverlogontriggerpage](/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp) + +**Step 7 –** On the SQL Server Logon Trigger page, copy and paste the SQL script into a New Query in +the SQL database. Execute the query to create a logon trigger. Netwrix Activity Monitor will monitor +SQL logon events and obtain IP addresses for connections. The script is: + +``` +CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON AS BEGIN declare @str varchar(max)=cast(EVENTDATA() as varchar(max));raiserror(@str,1,1);END +``` + +![SQL Server Logon Success](/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp) + +> Click **Check Status** to see if the trigger is configured properly, then click **Next**. + +![configurebasicoptions](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp) + +**Step 8 –** On the Configure Basic Options page, + +- Period to keep Log files - Activity logs are deleted after the number of days entered. Default is + set to 10 days. + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +Click **Next**. 
+ +![Where To Log The Activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 9 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File (TSV)** or **Syslog Server**, then click **Next**. + +![fileoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp) + +**Step 10 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +![syslogoutput](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp) + +**Step 11 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. 
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![activitymonitorsqlserverhost](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp) + +The added SQL Server host is displayed in the monitored hosts/services table. Once a host has been added for +monitoring, configure the desired outputs. See the [Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic +for additional information. + +## Host Properties for SQL Server + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [MS SQL Server Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlserver.md) +- [Logon Trigger Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/logontrigger.md) +- [Tweak Options Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptions.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. 
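Review bot: in sqlserver.md Step 7, the logon trigger fence has no language tag (tag it `sql`), and the hunk never says how to remove the trigger or what happens if it fails; because it is created `ON ALL SERVER FOR LOGON`, it runs for every login, so an error inside it can block connections to the instance. Suggest adding the removal statement `DROP TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER` and advising a test on a non-production instance first. Also in this file: the `Check Status` sentence is formatted as a blockquote (`>`) rather than body text; `for the SQL Server host., then click` has a stray period; Step 8 opens with `On the Configure Basic Options page,` and trails off; Step 10 lacks the `Click **Next**.` that closes the File Output step on the sibling pages; Step 2 says `select the **Agent** to monitor the storage device`, copied from a NAS page, where it should refer to the SQL Server host; and `Period to keep Log files` is documented in both Step 8 and Step 10 without saying how the two settings relate.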
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/add/windows.md b/docs/activitymonitor/9.0/admin/monitoredhosts/add/windows.md new file mode 100644 index 0000000000..7ff4d9561e --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/add/windows.md 
@@ -0,0 +1,202 @@ +--- +title: "Windows" +description: "Windows" +sidebar_position: 160 +--- + +# Windows + +**Understanding File Activity Monitoring** + +The Activity Monitor can be configured to monitor the following: + +- Ability to collect all or specific file activity for specific values or specific combinations of + values + +It provides the ability to feed activity data to SIEM products. The following dashboards have been +specifically created for Activity Monitor event data: + +- For IBM® QRadar®, see the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) for additional + information. +- For Splunk®, see the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) for + additional information. + +It also provides the ability to feed activity data to other Netwrix products: + +- Netwrix Access Analyzer +- Netwrix Threat Manager + +Prior to adding a Windows host to the Activity Monitor, the prerequisites for the target environment +must be met. See the +[Windows File Server Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/windowsfs-activity.md) +topic for additional information. + +:::tip +Remember, the Activity Agent must be deployed to the server. It cannot be deployed to a proxy +server. +::: + + +## Add Agent's Windows Host + +Follow the steps to add a Windows host to be monitored, if it was not configured when the agent was +deployed. + +**Step 1 –** In Activity Monitor, go to the Monitored Hosts & Services tab and click Add. The Add New Host +window opens. + +![Choose Agent](/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp) + +**Step 2 –** On the Choose Agent page, select the **Agent** to monitor deployed on the Windows file +server. Click **Next**. 
+ +![Add Host page with Windows selected](/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostwindows.webp) + +**Step 3 –** On the Add Host page, select the Agent’s Windows host radio button. Remember, the agent +must be deployed on the Windows file server to be monitored. If desired, add a **Comment**. Click +**Next**. + +![Protocols page](/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp) + +**Step 4 –** On the Protocols page, select which protocols to monitor. The protocols that can be +monitored are: + +- All +- CIFS +- NFS + +Click **Next**. + +![Configure Operations page for Windows host](/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationswindows.webp) + +**Step 5 –** On the Configure Operations page, select the **File Operations**,**Directory +Operations**, **Share Operations** and **VSS Operations** to be monitored. Users may also filter +events by operation type by selecting the radio button: + +- All – Reports both allowed and denied operations +- Allowed only – Reports only allowed operations +- Denied only – Reports only denied operations + +Additional options include: + +:::warning +Enabling the Suppress subsequent Read operations in the same folder option can result +in Read events not being monitored. +::: + + +- Suppress subsequent Read operations in the same folder – Logs only one Read operation when + subsequent Read operations occur in the same folder. This option is provided to improve overall + performance and reduce output log volume. +- Suppress reporting of File Explorer's excessive directory traversal activity – Filters out events + of excessive directory traversal in File Explorer. +- Suppress Permission Change operations with reordered ACL – Prevents tracking events where + permission updates occurred resulting in reordered ACEs (Access Control Entries) but with no other + changes in the ACL (Access Control List). 
For example, if a user is removed in the security + settings of a file, and then the same user is added back with the same security permissions, the + change is not logged. +- Suppress Inherited Permission Changes – Filters out events for inherited permission changes. This + option is provided to improve overall performance and reduce output activity log volume. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. + +Click **Next**. + +![Configure Basic Options page for Windows](/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionswindows.webp) + +**Step 6 –** On the Configure Basic Options page, choose which settings to enable. The “Log files” +are the activity logs created by the activity agent on the target host. Select the desired options: + +- Report Account Names – Adds an Account Name column in the generated TSV files +- Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files + - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by + default. The UNC Path is in the following format: + - For CIFS activity – `\\[HOST]\[SHARE]\[PATH]` + - Example CIFS activity – `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - When the option is enabled, the added columns are populated when a file is accessed remotely + through the UNC Path. If a file is accessed locally, these columns are empty. These columns + have also been added as Syslog macros. +- Report operations with millisecond precision – Changes the timestamps of events being recorded in + the TSV log file for better ordering of events if multiple events occur within the same second + +Click **Next**. 
+ +![Where to log activity page](/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp) + +**Step 7 –** On the Where To Log The Activity page, select whether to send the activity to either a +**Log File** or **Syslog Server**. Click **Next**. + +![File Output page](/images/activitymonitor/9.0/admin/monitoredhosts/add/fileouputpage.webp) + +**Step 8 –** If **Log File** is selected on the **Where To Log The Activity** page, the **File +Output** page can be configured. + +- Specify output file path – Specify the file path where log files are saved. Click the ellipses + button (**...**) to open the Windows Explorer to navigate to a folder destination. Click **Test** + to test if the path works. +- Period to keep Log files – Log files will be deleted after the period entered number of days + entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a + set amount of Minutes, Hours, or Days. +- This log file is for Access Analyzer – Enable this option to have Access Analyzer collect this + monitored host configuration + + :::info + Identify the configuration to be read by Access Analyzer when integration is + available. + ::: + + + - While Activity Monitor can have multiple configurations per host, Access Analyzer can only + read one of them. + +Click **Next**. + +![Syslog Output page](/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp) + +**Step 9 –** If Syslog Server is selected on the **Where To Log The Activity** page, the Syslog +Output page can be configured. + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. The Event stream is the activity + being monitored according to this configuration for the monitored host. 
+- Syslog Protocol – Identify the **Syslog protocol** to be used for the Event stream. The drop-down + menu includes: + + - UDP + - TCP + - TLS + + The TCP and TLS protocols add the Message framing drop-down menu. See the + [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +- The Test button sends a test message to the Syslog server to check the connection. A green check + mark or red will determine whether the test message has been sent or failed to send. Messages vary + by Syslog protocol: + + - UDP – Sends a test message and does not verify connection + - TCP/TLS – Sends test message and verifies connection + - TLS – Shows error if TLS handshake fails + + See the [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md) topic for additional information. + +Click **Finish**. + +![Activity Monitor with Windows Host added](/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorwindows.webp) + +The added Windows file server host is displayed in the monitored hosts/services table. Once a host has been +added for monitoring, configure the desired outputs. See the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for additional information. + +## Host Properties for Windows File Server + +Configuration settings can be edited through the tabs in the host’s Properties window. The +configurable host properties are: + +- [Windows Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/windows.md) +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) + +See the [Host Properties Window](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md) topic for additional information. 
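Review bot: the :::warning in Step 5 covers only one of the five "Suppress ..." options, yet every one of them drops events from the activity log, so a reader would not learn that "Suppress Inherited Permission Changes" and "Suppress Permission Change operations with reordered ACL" also hide ACL changes that a permissions-tampering investigation may need (the page's own example is a user removed and re-added with the same rights, which then goes unlogged). Either extend the warning to the whole group or add a sentence after the list stating that these are performance and volume trade-offs that reduce audit coverage. Two smaller items in the same hunk: Step 6 refers to "the REPORT_UNC_PATH parameter in the INI file" without naming or linking that INI file, and "**File Operations**,**Directory Operations**" is missing a space after the comma.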
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/output/_category_.json b/docs/activitymonitor/9.0/admin/monitoredhosts/output/_category_.json new file mode 100644 index 0000000000..70c4d56051 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/output/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Output for Monitored Hosts", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "output" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/output/filetsv.md b/docs/activitymonitor/9.0/admin/monitoredhosts/output/filetsv.md new file mode 100644 index 0000000000..5845383b96 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/output/filetsv.md 
@@ -0,0 +1,46 @@ +--- +title: "File TSV Log File" +description: "File TSV Log File" +sidebar_position: 10 +--- + +# File TSV Log File + +The following information lists all of the columns generated by File Activity Monitor into a TSV log +file, along with descriptions. + +| Column Name(s) | Description | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Operation Time | Date timestamp of the event in UTC time Column format is dependent on "Report Operations with millisecond precision" option | +| Host | Host name of the monitored device | +| User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID | +| Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) | +| Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) | +| Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. | +| Rename Path | New name of the path if a rename event occurs | +| Process or IP | Indicates the source of the activity event: - For local Windows activity – Process name (e.g. notepad.exe) - For network Windows activity – IP Address of the user - For NAS device activity – IP Address for the NAS device of the user | +| 1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. 
These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. | +| User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. | +| Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS | +| 1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format[SERVER]:/[VOLUME]/Folder/File.txt | +| Volume ID | ID of the volume where the event occurred | +| Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. | +| Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 | +| **File Size** | Size of File | +| **Tags** | _(Windows hosts only)_ Contains 'Copy' for read events that are probably file copies | +| Group ID | _Linux hosts only_ Unique identifier for the File System Group (GID) | +| Group Name | _Linux hosts only_ Name of the File System Group (GID) | +| Process ID | Linux hosts only Name of the File System Group (GID) | + +## Sub-Operation, Old Attributes, and New Attributes Table + +The following table lists details for Sub-Operation, Old Attributes, and New Attributes according to +File Operation. 
+ +| File Operation | Sub-Operation | Old Attributes | New Attributes | +| ------------------------------- | ------------- | --------------------------------------------------------------------- | ---------------------------------------------- | +| Owner was changed | Own | Old owner in SDDL format | New owner in SDDL format | +| Permissions were changed (DACL) | Dac | Old DACL in SDDL format | New DACL in SDDL format | +| Audit was changed (SACL) | Sac | Old SACL in SDDL format | New SACL in SDDL format | +| File attributes were changed | Att | Old attributes as a hexadecimal number (0xNNN) | New attributes as a hexadecimal number (0xNNN) | +| File is read from a shadow copy | VSS | Shadow copy creation time in YYYYMMDDThhmmss format (20180905T123456) | | diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/output/linuxtsv.md b/docs/activitymonitor/9.0/admin/monitoredhosts/output/linuxtsv.md new file mode 100644 index 0000000000..ec8b706a86 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/output/linuxtsv.md 
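Review bot: the last row of the column table is wrong: "Process ID | Linux hosts only Name of the File System Group (GID)" is a copy of the Group Name description and should describe the process identifier instead. In the same table, "Group Name | Name of the File System Group (GID)" should not say GID, which is the Group ID row. Two further suggestions: wrap the UNC formats \\[SERVER]\[SHARE]\Folder\File.txt and [SERVER]:/[VOLUME]/Folder/File.txt in backticks as windows.md does, so the backslashes survive markdown rendering; and in the Sub-Operation table state the time zone of the VSS "Shadow copy creation time" value, since the Operation Time column is documented as UTC but this one is not.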
@@ -0,0 +1,33 @@ +--- +title: "Linux TSV Log File" +description: "Linux TSV Log File" +sidebar_position: 20 +--- + +# Linux TSV Log File + +The following information lists all of the columns generated by Linux Activity Monitor into a TSV +log file, along with descriptions. + +| | | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Operation Time | Date timestamp of the event in UTC time Column format is dependent on "Report Operations with millisecond precision" option | +| Host | Host name of the monitored device | +| User Sid/Uid | Unique identifier for the File System user: - For CIFS activity – user SID - For NFS activity – UID | +| Operation Type | Type of operation for each event. Reports the following operations: - Add - Delete (Del) - Rename (Ren) - Network Share (SHARE) - Permission Change (Per) - Read (Rea) - Symlink or hardlink (LINK) - Update (Upd) | +| Object Type | The type of object that was affected. Reports events for the following object types: - Folder (FOLD) - File (FILE) - Unknown (UNK) | +| Path | The Path where the event took place. - For Windows – If a path starts with “VSS:” then it is a shadow copy creation event. For example, “VSS:C” is a shadow copy creation of volume C. | +| Rename Path | New name of the path if a rename event occurs | +| Process or IP | Indicates the source of the activity event: - For Local activity – Process name (e.g. notepad.exe) - For Remote network activity – IP Address of the user | +| 1) Sub-Operation 2) Old Attributes 3) New Attributes | Windows hosts only. 
These columns are filled with details about: - Permission changes (the “Per” operation type) - Attribute Changes (the “Upd” operation type) - Read events from VSS shadow copies See the Sub-Operation, Old Attributes, and New Attributes Table section for additional details. | +| User Name | Username in NTAccount format. This column is dependent upon the “Report account names” option. | +| Protocol | Protocol of the event, i.e. CIFS, NFS, or VSS | +| 1) UNC 2) Rename UNC Path | Network paths of remote activity. These columns are dependent upon the “Report UNC paths” option. - For CIFS activity – Reported with the following format \\[SERVER]\[SHARE]\Folder\File.txt - For NFS activity – Reported with the following format[SERVER]:/[VOLUME]/Folder/File.txt | +| Volume ID | ID of the volume where the event occurred | +| Share Name | Share name where the event occurred. This column is dependent upon the “Report UNC paths” option. | +| Protocol Version | NetApp Data ONTAP Cluster-Mode devices only. Protocol version of the event, i.e. CIFS or NFS. The following values are potentially reported: - For CIFS activity – 1.0, 2.0, 2.1, 3.0, 3.1 - For NFS activity – 2, 3, 4, 4.1, 4.2 | +| File Size | Size of File | +| Tags | Windows hosts only Contains 'Copy' for read events that are probably file copies | +| Group ID | Linux hosts only Unique identifier for the File System Group (GID). | +| Group Name | Linux hosts only Name of the File System Group (GID). | +| Process ID | Linux hosts only Name of the File System Group (GID). | diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md b/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md new file mode 100644 index 0000000000..0eb06a7223 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md 
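Review bot: this table is a near-verbatim copy of the filetsv.md table rather than a description of the Linux log, so it repeats the Process ID error ("Process ID | Linux hosts only Name of the File System Group (GID).") and carries rows that cannot apply to a Linux host: "For Windows – If a path starts with VSS:", the NetApp-only Protocol Version row, "Tags | Windows hosts only", the "Windows hosts only" Sub-Operation row, and "Process name (e.g. notepad.exe)" as the local-activity example. Trim it to the columns the Linux agent actually emits, fix the Process ID description, and give the table a header row (it currently starts with "| | |").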
@@ -0,0 +1,54 @@ +--- +title: "Output for Monitored Hosts/Services" +description: "Output for Monitored Hosts/Services" +sidebar_position: 30 +--- + +# Output for Monitored Hosts/Services + +Once a host is being monitored the event stream can be sent to multiple outputs. + +![Output Properties Overview](/images/activitymonitor/9.0/admin/monitoredhosts/outputpropertiesoverview.webp) + +Configured outputs are grouped under the host. You can have multiple outputs configured for a host. +The host event outputs are: + +- File – Creates an activity log as a TSV or JSON file for every day of activity +- Syslog – Sends activity events to the configured SIEM server or Netwrix Threat Manager, where + supported + +## Add File Output + +Follow the steps to add a File output. + +**Step 1 –** On the Monitored Hosts & Services tab, select the desired host and click **Add Output**. + +**Step 2 –** Select **File** from the drop-down menu. The Add New Output window opens. + +![addnewoutputfile](/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputfile.webp) + +**Step 3 –** Configure the tab(s) as desired. + +**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. + +The new output displays in the table. Click the **Edit** button to open the Output properties window +to modify these settings. See the [Output Types](/docs/activitymonitor/9.0/admin/outputs/overview.md) topic for additional +information. + +## Add Syslog Output + +Follow the steps to add a Syslog output. + +**Step 1 –** On the Monitored Hosts & Services tab, select the desired host and click **Add Output**. + +**Step 2 –** Select **Syslog** from the drop-down menu. The Add New Output window opens. + +![addnewoutputsyslog](/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputsyslog.webp) + +**Step 3 –** Configure the tab(s) as desired. + +**Step 4 –** Click **Add Output** to save your settings. The Add New Output window closes. + +The new output displays in the table. 
Click the **Edit** button to open the Output properties window +to modify these settings. See the [Output Types](/docs/activitymonitor/9.0/admin/outputs/overview.md) topic for additional +information. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/output/sharepointjson.md b/docs/activitymonitor/9.0/admin/monitoredhosts/output/sharepointjson.md new file mode 100644 index 0000000000..212b8af530 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/output/sharepointjson.md 
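Review bot: Step 3 in both procedures ("Configure the tab(s) as desired.") gives the reader nothing to configure against; name the tabs of the Add New Output window and link them, since the rest of this change already links the relevant topics ([Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md) and [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md)). For the Syslog output in particular this is where a reader chooses between UDP, TCP and TLS, so a pointer to the protocol and certificate settings belongs here, not only in the per-host add pages.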
@@ -0,0 +1,54 @@ +--- +title: "SharePoint JSON Log File" +description: "SharePoint JSON Log File" +sidebar_position: 30 +--- + +# SharePoint JSON Log File + +The JSON log file format is used to send SharePoint activity monitoring data to Access Analyzer +v10.0 consoles. The following information lists all of the attributes generated by SharePoint +Activity Monitor into a JSON log file: + +| Attribute Name | Description | Example | +| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | +| TimeLogged | DateTime/ string | 2019-03-14T18:13:39.00Z | +| ActivityType | Constant “SharePoint” | SharePoint | +| AgentHost | Host name where agent is installed | sphost | +| UserSid | User SID who caused the event | S-1-0-0 | +| UserName | User Name who caused the event | System Account | +| UserID | ID of the user who caused the event | 1073741823 | +| UserLogin | User Login who caused the event | SHAREPOINT\system | +| Protocol | Protocol: HTTP / HTTPS.. | HTTP | +| AbsoluteUrl | Full Url: SiteUrl + DocLocation | http://sphost/Lists/Comments/1\_.000 | +| WebApplication | Web application name | SharePoint – 80 | +| SiteId | Site Id (guid) | 7b2c8d23-a74f-4c3c-985d-2c7facb5ebae | +| SiteUrl | Site Url | http://sphost/sites/mysite | +| WebTitle | Web title | my site | +| DocLocation | Location of an audited object at the time of the audited event | Lists/Comments/1\_.000 | +| ItemId | A Guid that the object whose event is represented by the entry | 2c4174dc-322d-47bc-a420-52968fc3ba6c | +| ItemTitle | Title of the object | Welcome to my blog! 
| +| ItemType | Type of the object: Document / ListItem / List / Folder / Web / Site | ListItem | +| EventType | An SPAuditEventType that represents the type of event | Update | +| EventSource | A value that indicates whether the event occurred as a result of user action in the SharePoint Foundation user interface (UI) or programmatically. Values: SharePoint / ObjectModel | SharePoint | +| LocationType | Specifies the actual location of a document in a SharePoint document library: Invalid, Url, ClientLocation | Url | +| AppPrincipalId | The ID of the app principal who caused the event. If the value of EventSource is ObjectModel, thenAppPrincipalId holds the ID of the app principal whose context the code that caused the event was running. If there is no app context, the AppPrincipalId is null. | 0 | +| SourceName | The name of the application that caused the event | `` | +| RawEventData | A String that holds XML markup providing data that is specific to the type of event that the entry object represents. | `06C49477-0498-4858-900C-45B595337462 MyDocs/myfile.zip` marker for the list-like settings. Leave +the `<-Different-Values->` marker to preserve the difference in each selected object, or delete it +to remove all divergent elements. When the window closes, only changed properties are saved to all +selected objects, leaving unchanged properties untouched. + +## Table + +The monitored hosts/services table provides the following information: + +- State — State of the monitored host. The two states are Enabled and Disabled. +- Monitored Host – Name or IP Address of the host being monitored +- Report As — How the Monitored Host is being reported as. This can be customized in the host's + properties. +- Details — Displays additional details about the monitored host, such as the Platform and the Log + Path. 
+- Agent – Name or IP Address of the server where the activity agent is deployed +- Retention – Number of days for which the activity log files are retained +- Log Size – Size of the activity log files +- Status – Indicates the status of activity monitoring for the host. See the Error Propagation topic + for additional information. +- Received Events – Timestamp of the last event received +- Comment – Comment provided by user: + - Often this indicates the desired output, e.g. Access Analyzer. + - This can be useful if adding the same monitored host multiple times with different + configurations for different outputs. + - If a Activity Monitor Agent has been deployed to a Windows server where an activity agent is + deployed, then the Comment identifies the host as "Managed by Activity Monitor", and that + 'monitored host' is not editable. Add the host again for other outputs. + +Hosts can have more than one output. To view a host's outputs, expand the host by clicking the white +arrow to the left of the Monitored Host name. + +For integration with Netwrix Access Analyzer, only one configuration +of a 'monitored host' can be set as the Netwrix Access Analyzer +output. After a 'monitored host' has been added, use the Edit feature to identify the configuration +as being for Netwrix Access Analyzer on the Log Files tab of the +host's Properties window. See the [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md) topic for additional +information. + +## Monitoring Status + +The Status collapsible section located above the Status Bar of the Activity Monitor provides +visibility into a host's monitoring state and history of state changes. Host monitoring status is +depicted in the Monitored Hosts & Services table under the Status column. Users can expand the Status section +to view more information on various status conditions. 
+ +![errorpropogationpopulated](/images/activitymonitor/9.0/admin/monitoredhosts/errorpropogationpopulated.webp) + +Click the **Down Arrow** to expand the Status section. The information listed is dependent on which +host or output is currently selected in the Monitored Hosts & Services table. Users can find information on the +**Current State** of a host, as well as viewing a history of changes in state. + +The possible statuses depend on the type of hosts being monitored. What is common is that the status +can help identify a problem and provide a possible workaround. The following sections provide more +information about device-specific states. + +### Linux Monitoring Status + +For file activity monitoring on Linux, Activity Monitor relies on **auditd** component of the Linux +Auditing System. One of the features of auditd is the immutable mode, which locks the audit +configuration and protects it from being changed. When the immutable mode is enabled, the only way +to change the auditing configuration is to reboot the server. + +Activity Monitor supports the immutable mode. It compares the current auditd configuration with the +desired one. If they differ and the immutable mode is enabled, the product displays a warning in the +status section that a server restart is required. After the reboot, the changes take effect and the +immutable mode is enabled. + +### Qumulo Monitoring Status + +The **No connections from Qumulo clusters** error may be displayed in the status section. This error +indicates that the Qumulo nodes have not yet connected to the agent. This can happen either because +an incorrect address or port is specified in the Audit page of the Qumulo Web Interface, or because +the port (4496 by default) is blocked by a firewall. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/_category_.json b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/_category_.json new file mode 100644 index 0000000000..f7ab5883da --- /dev/null 
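Review bot: this hunk is damaged mid-table: the RawEventData row ends inside its example cell ("...MyDocs/myfile.zip` marker for the list-like settings. Leave the `<-Different-Values->` marker ...") and what follows (bulk-edit markers, the monitored hosts Table section, Monitoring Status, Linux auditd immutable mode, Qumulo) belongs to a different topic with no diff header, so sharepointjson.md as committed would be truncated and the other file's content lost. Please re-split the files. Within the visible SharePoint table, "http://sphost/Lists/Comments/1\_.000" has a stray escape and "Protocol: HTTP / HTTPS.." a doubled period. In the Table section, "If a Activity Monitor Agent has been deployed to a Windows server where an activity agent is deployed" is circular; say which component makes the entry "Managed by Activity Monitor" and read-only.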
+++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Host Properties Window", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/auditing.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/auditing.md new file mode 100644 index 0000000000..cb8b0937ce --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/auditing.md 
@@ -0,0 +1,29 @@ +--- +title: "Auditing Tab" +description: "Auditing Tab" +sidebar_position: 10 +--- + +# Auditing Tab + +The Auditing tab allows users to modify to modify the Isilon Options setting which was populated +with the information entered when the Dell Isilon host is added to the Monitored Hosts & Services list. + +![Auditing Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/auditingtab.webp) + +The **Enable Protocol Access Auditing in OneFS if it is disabled** box allows the activity agent to +automatically enable and configure auditing on the Isilon cluster. If a manual configuration has +been completed, do not enable these options. This option requires credentials for an Administrator +account on the Dell Isilon device and click Connect. + +If the connection is successful, discovered access zones appear in the **Available** box. By +default, all available access zones are monitored. To monitor specific access zones, use the arrow +buttons to move access zones to the **Monitored** box. All activity for this configuration for the +host is collected and placed in a single activity log file per day. This is the supported option for +integration with StealthAUDIT, which requires all access zones to be monitored from a single +configuration. + +To have one activity log file per access zone, create multiple output configurations for the Dell +Isilon device. Add one access zone to each configuration of the monitored host. When adding an +Isilon host for each access zone, the Dell device name will be the same for each configuration, but +the **CIFS/NFS server name** must have a unique value. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md new file mode 100644 index 0000000000..2a82598be2 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md 
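Review bot: "The Auditing tab allows users to modify to modify the Isilon Options setting" has a doubled phrase, and "This option requires credentials for an Administrator account on the Dell Isilon device and click Connect." is not a sentence. More importantly, this is the only file in the change that still says "StealthAUDIT" ("This is the supported option for integration with StealthAUDIT"); the other files use Access Analyzer (sharepointjson.md even says "Access Analyzer v10.0"), so align the product name. Since the auto-configure option takes an Administrator credential for the cluster, say whether it is used once to enable auditing or stored by the agent for later reconnection, and whether a lesser OneFS role suffices if one does.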
@@ -0,0 +1,28 @@ +--- +title: "Connection Tab" +description: "Connection Tab" +sidebar_position: 20 +--- + +# Connection Tab + +Once a host is added to the monitored hosts/services table, the configuration settings are edited through the +tabs in the host’s Properties window. The Connection tab on a host’s Properties window is specific +to Microsoft Entra ID (formerly Azure AD), Exchange Online, and SharePoint Online hosts. + +![Conneciton Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/azure.webp) + +Configure App Registration information for a Microsoft Entra ID host in the Connection Tab of the +host's Properties window. Click **Open instructions...** for steps on registering the +Activity Monitor. Click **Sign out** to sign out of the Azure account. + +The options that can be configured on the Connection Tab are: + +- Domain +- Azure Cloud +- Tenant ID +- Client ID +- Client Secret +- Region + +Click **OK** to apply changes and exit, or **Cancel** to exit without saving any changes. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md new file mode 100644 index 0000000000..9ad6e090c6 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md @@ -0,0 +1,16 @@ +--- +title: "Dell Tab" +description: "Dell Tab" +sidebar_position: 30 +--- + +# Dell Tab + +The Dell tab on a host’s Properties window displays the Dell Celerra/VNX, Dell Isilon/PowerScale, +Dell PowerStore, or Dell Unity host to be monitored for activity and any host aliases. This tab is +populated with the information entered when the Dell host is added to the monitored hosts/services table. If +desired, specify a different device to be monitored for activity. + +![Dell Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp) + +If changes are made to these configuration options, click **OK** to save the changes. 
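Review bot: the Connection tab list ends with "Client Secret" but the page says nothing about how that secret is held by Activity Monitor or how to rotate it; since this credential grants the app registration's access to the tenant's audit data, add a sentence on where it is stored (agent or console) and what to do when the secret expires or is rotated in Entra ID. Also "Click **Sign out** to sign out of the Azure account" mixes the old name with "Microsoft Entra ID (formerly Azure AD)" used two sentences earlier, and the image alt text is misspelled ("Conneciton Tab").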
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicy.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicy.md new file mode 100644 index 0000000000..d55811dd54 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicy.md 
@@ -0,0 +1,73 @@ +--- +title: "FPolicy Tab" +description: "FPolicy Tab" +sidebar_position: 40 +--- + +# FPolicy Tab + +The FPolicy tab allows users to modify FPolicy settings for NetApp devices, privileged access, and +enabling/connecting to cluster nodes. + +![FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicytab.webp) + +On the **FPolicy** tab, the agent can configure and/or enable FPolicy automatically. The recommended +setting is dependent on the type of NetApp device being targeted. The permissions required for each +option are listed. See the +[NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md) +topic or the +[NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md) +topic for additional information. + +At the bottom are two additional tabs with setting options. On this tab, specify the protocols to +monitor by selecting the radio buttons. + +## Privileged Access Tab + +![Privileged Access section in the FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/privilegedaccess.webp) + +The Privileged Access tab is enabled when the Configure FPolicy checkbox is selected at the top. The +Privileged Access tab must be configured if automatic configuration of the FPolicy for NetApp Data +ONTAP Cluster-Mode devices is used. See the +[Configure Privileged Access](/docs/activitymonitor/9.0/admin/monitoredhosts/add/netapp.md#configure-privileged-access) topic for additional +information. + +## Enable and Connect settings Tab + +![Enable and Connect Settings - FPolicy Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettings.webp) + +The Enable and Connect settings tab is enabled when the Enable and connect FPolicy checkbox is +selected. 
+ +:::note +Adding nodes are not needed if set user is using a role that has Network Interface +permissions. +::: + + +![Add or Edit Cluster Node popup window](/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp) + +Add a list of cluster nodes to connect to FPolicy by clicking Add, which opens the Add or Edit +Cluster Node window. Enter at least one cluster node in the textbox. Separate multiple nodes with +either commas (,), semicolons (;), or spaces. Click OK and the node(s) is displayed in the **Node +name** list. + +![Connect to Cluster popup window](/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp) + +Click Discover to open the Connect to cluster window and retrieve nodes from the cluster. + +Specify the Cluster-management LIF and then enter user credentials which will be used to retrieve a +list of the cluster nodes. This credential must have at least read-only rights to run the system +node show command on the cluster. Click Get Nodes. If a successful connection is not achieved, the +message indicates the error. If a successful connection is achieved, the message indicates how many +cluster nodes were discovered. Click OK and all discovered nodes are displayed in the **Node name** +list. + +Use the Remove button to remove the selected node from the list. + +## Resources Required for NetApp Monitoring + +Each individual NetApp filer being monitored impacts local system resources and requires disk space. +These vary based on configuration settings chosen along with user activity. Average FPolicy and +associated Logging service resource consumption may be around 2% CPU usage and 10 MB of RAM. Average +disk space required per daily activity log file retained locally may be around 300 MB per filer. 
diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/hitachinas.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/hitachinas.md new file mode 100644 index 0000000000..b4a8669b30 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/hitachinas.md @@ -0,0 +1,17 @@ +--- +title: "Hitachi NAS Tab" +description: "Hitachi NAS Tab" +sidebar_position: 50 +--- + +# Hitachi NAS Tab + +Once a Hitachi host is added to the monitored hosts/services table, the configuration settings are edited +through the tabs in the host’s Properties window. The Hitachi NAS tab on a host’s Properties window +is specific to Hitachi hosts. + +![Host Properties - Hitachi Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/hitachihostproperties.webp) + +The Hitachi NAS tab allows users to modify settings that were populated with the information entered +when the Hitachi host was added. Additionally, the Path pooling interval can be configured. The Path +pooling interval is set to 15 seconds by default. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md new file mode 100644 index 0000000000..58714f76cb --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md 
@@ -0,0 +1,61 @@ +--- +title: "Inactivity Alerts Tab" +description: "Inactivity Alerts Tab" +sidebar_position: 60 +--- + +# Inactivity Alerts Tab + +The Inactivity Alerts tab on a host's Properties window is used to configure alerts that are sent +when monitored hosts/services receive no events for a specified period of time. + +![inactivityalertstab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalertstab.webp) + +The configurable options are: + +- Customize inactivity alerting for this host. Otherwise, the agent's settings will be used – Check + this box to enable customization of alert settings for the Monitored Host/Service +- Enable inactivity alerting for this host – Check this box to enable inactivity alerts for the host. +- Length of inactivity – Specify how much time must pass before an inactivity alert is sent out. The + default is **6 hours**. +- Repeat an alert every – Specify how often an alert is sent out during periods of inactivity. The + default is **6 hours**. + +## Syslog Alerts Tab + +Configure Syslog alerts using the Syslog Alerts Tab. + +![Syslog Alerts Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/syslogalertstab.webp) + +The configurable options are: + +- Syslog server in SERVER[:PORT] format – Type the **Syslog server name** with a SERVER:Port format + in the textbox. +- Syslog protocol – Identify the Syslog protocol to be used for the alerts + + - UDP + - TCP + - TLS + +- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. + +## Email Alerts Tab + +Configure Email alerts using the Email Alerts Tab. 
+ +![Email Alerts Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/emailalertstab.webp) + +The configurable options are: + +- SMTP server in SERVER[:PORT] format – Enter the SMTP server for the email alerts + + - Enable TLS – Check the box to enable TLS encryption + +- User name – *(Optional)* User name for the email alert +- User password – *(Optional)* Password for the username +- From email address – Email address that the alert is sent from +- To email address – Email address that the alert is sent to +- Message subject – Subject line used for the email alert. Click the ellipses (...) to open the + **Message Template** window. +- Message body – Body of the message used for the email alert. Click the ellipses (...) to open the + **Message Template** window. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/logontrigger.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/logontrigger.md new file mode 100644 index 0000000000..88a3419986 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/logontrigger.md @@ -0,0 +1,16 @@ +--- +title: "Logon Trigger Tab" +description: "Logon Trigger Tab" +sidebar_position: 70 +--- + +# Logon Trigger Tab + +The Logon trigger tab on a SQL Server host's properties window is used to configure logon triggers +for SQL activity monitoring. + +![logontriggertab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/logontriggertab.webp) + +Copy and paste the SQL Script into a SQL query and execute to enable the Activity Monitor to obtain +IP addresses of client connections. Click **Check Status** to check if the trigger is properly +configured on the SQL server. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlserver.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlserver.md new file mode 100644 index 0000000000..024f263802 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlserver.md 
@@ -0,0 +1,27 @@ +--- +title: "MS SQL Server Tab" +description: "MS SQL Server Tab" +sidebar_position: 80 +--- + +# MS SQL Server Tab + +The MS SQL Server tab on SQL Server host's properties window is used to configure properties for +SQL activity monitoring on the host. + +![MS SQL Server Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlservertab.webp) + +The configurable options are: + +- Enable Trace automatically — Check the box to enable the activity monitor to enable Trace + automatically if it is disabled +- Audit polling interval — Configure the interval between audits. The default is **15 seconds**. +- Open instruction... — Click **Open Instruction...** to view steps on how to create a login for + SQL monitoring + + - Certain permissions are required to create a login for SQL monitoring. See the + +- Server name\instance — Server name\instance of the SQL Server to be monitored +- User name — User for the SQL Server +- User password — Password for the SQL Server +- Connect — Click **Connect** to test the settings diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nasuni.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nasuni.md new file mode 100644 index 0000000000..ef629472fe --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nasuni.md 
@@ -0,0 +1,38 @@ +--- +title: "Nasuni Tab" +description: "Nasuni Tab" +sidebar_position: 90 +--- + +# Nasuni Tab + +After a Nasuni host is added to the monitored hosts/services table, the configuration settings are edited +using the tabs in the Properties window of the host. + +![Nasuni Host Properties - Nasuni Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/nasunitab.webp) + +The **Nasuni** tab allows users to modify settings which were populated with the information entered +when the Nasuni host was added. + +The configurable options are: + +- Nasuni Filer – Enter the name of the filer +- Username – Enter the user name for the Nasuni account +- Password – Enter the password for the user name +- Protocol – Select from the following options in the drop-down list: + + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + +- Connect – Click to connect using the selected protocol and validate the connection with Nasuni + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)- +HTTPS Options – Opens the Trusted server certificate window to customize the certificate +verification during a TLS session + +- Import – Click to browse for a trusted server certificate +- Remove – Click to remove the selected trusted server certificate +- Enable hostname verification – Select this checkbox to ensure that the host name the product + connects and matches the name in the certificate (CN name) +- Click **OK** to close the window and save the modifications. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/netapp.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/netapp.md new file mode 100644 index 0000000000..b9a2524fa0 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/netapp.md 
@@ -0,0 +1,32 @@ +--- +title: "NetApp Tab" +description: "NetApp Tab" +sidebar_position: 100 +--- + +# NetApp Tab + +The NetApp tab on a host’s Properties window allows users to modify settings, which are populated +with the information entered when the NetApp host is added to the monitored hosts/services table. + +![Host Properties NetApp Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/netapptab.webp) + +Modify the targeted NetApp device by specifying a NetApp device to be monitored for activity and +credentials to access it with the Data ONTAP API. + +- Protocol – Select from the following options in the drop-down list: + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + - HTTP +- Connect – Click to connect using the selected protocol and validate the connection with NetApp + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)- +HTTPS Options – Opens the Trusted server certificate window to customize the certificate +verification during a TLS session + +- Import – Click to browse for a trusted server certificate +- Remove – Click to remove the selected trusted server certificate +- Enable hostname verification – Select this checkbox to ensure that the host name the product + connects and matches the name in the certificate (CN name) +- Click **OK** to close the window and save the modifications. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nutanix.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nutanix.md new file mode 100644 index 0000000000..63fdbfdd61 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nutanix.md 
@@ -0,0 +1,43 @@ +--- +title: "Nutanix Tab" +description: "Nutanix Tab" +sidebar_position: 110 +--- + +# Nutanix Tab + +The Nutanix tab allows users to modify settings after a Nutanix host has been configured. Once a +Nutanix host is added to the monitored hosts/services table, the configuration can be edited in the host +Properties. + +![Nutanix Host Properties](/images/activitymonitor/9.0/admin/monitoredhosts/properties/nutanixhostprop01.webp) + +The configurable options are: + +- Nutanix Filer – Enter the name of the filer +- Username – Enter the user name for the Nutanix account with REST API access +- Password – Enter the password for the user name +- Protocol – Select a protocol for the REST API access from the drop-down menu: + + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + +- Connect – Click to connect using the selected protocol and validate the connection with Nutanix + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp) + +- HTTPS Options – Opens the Trusted server certificate window to customize the certificate +verification during a TLS session + +- Import – Click to browse for a trusted server certificate +- Remove – Click to remove the selected trusted server certificate +- Enable hostname verification – Select this checkbox to ensure that the host name the product + connects and matches the name in the certificate (CN name) +- Click **OK** to close the window and save the modifications. + +:::note +Nutanix Files does not report events for activity originating from a server where the +Activity Monitor Agent is installed. + +::: diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md new file mode 100644 index 0000000000..aac4c08b70 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/overview.md 
@@ -0,0 +1,34 @@ +--- +title: "Host Properties Window" +description: "Host Properties Window" +sidebar_position: 20 +--- + +# Host Properties Window + +Once a host has been added to the Monitored Hosts & Services list, the configuration settings can be modified +through the host’s Properties window. + +![Activity Monitor with Edit button identified ](/images/activitymonitor/9.0/admin/monitoredhosts/properties/hostpropertiesoverview.webp) + +On the Monitored Hosts tab, select the host and click Edit, or right-click on a host and select +**Edit Host** from the right-click menu, to open the host’s Properties window. The tabs vary based +on the type of host selected: + +- [Auditing Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/auditing.md) — Dell Isilon/PowerScale devices only +- [Connection Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/connection.md) — Microsoft Entra ID, Exchange Online, and SharePoint Online only +- [Dell Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/dell.md) — Dell devices only +- [FPolicy Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicy.md) — NetApp devices only +- [Hitachi NAS Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/hitachinas.md) — Hitachi NAS devices only +- [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) +- [Logon Trigger Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/logontrigger.md) — SQL Server hosts only +- [MS SQL Server Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlserver.md) — SQL Server hosts only +- [Nasuni Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nasuni.md) — Nasuni Edge Appliances only +- [NetApp Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/netapp.md) — NetApp devices only +- [Nutanix Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nutanix.md) — Nutanix devices only +- [Panzura 
Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/panzura.md) — Panzura devices only +- [Qumulo Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/qumulo.md) — Qumulo devices only +- [SharePoint Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/sharepoint.md) — SharePoint only +- [Tweak Options Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptions.md) — SQL Server hosts only +- [Unix IDs Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md) — NetApp devices, Dell devices, and Nasuni Edge Appliances only +- [Windows Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/windows.md) — Windows hosts only diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/panzura.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/panzura.md new file mode 100644 index 0000000000..cd9b0d2dbc --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/panzura.md 
@@ -0,0 +1,38 @@ +--- +title: "Panzura Tab" +description: "Panzura Tab" +sidebar_position: 120 +--- + +# Panzura Tab + +After a Panzura host is added to the monitored hosts/services table, the configuration settings are edited +using the tabs in the Properties window of the host. + +![panzuratab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/panzuratab.webp) + +The **Panzura** tab allows users to modify settings which were populated with the information +entered when the Panzura host was added. + +The configurable options are: + +- Panzura Filer – Enter the name of the filer +- Username – Enter the user name for the Panzura account +- Password – Enter the password for the user name +- Protocol – Select from the following options in the drop-down list: + + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + +- Connect – Click to connect using the selected protocol and validate the connection with Panzura + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)- +HTTPS Options – Opens the Trusted server certificate window to customize the certificate +verification during a TLS session + +- Import – Click to browse for a trusted server certificate +- Remove – Click to remove the selected trusted server certificate +- Enable hostname verification – Select this checkbox to ensure that the host name the product + connects and matches the name in the certificate (CN name) +- Click **OK** to close the window and save the modifications. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/qumulo.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/qumulo.md new file mode 100644 index 0000000000..abde3b5a15 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/qumulo.md 
@@ -0,0 +1,36 @@ +--- +title: "Qumulo Tab" +description: "Qumulo Tab" +sidebar_position: 130 +--- + +# Qumulo Tab + +The Qumulo tab allows users to modify settings after a Qumulo host has been configured. Once a +Qumulo host is added to the monitored hosts/services table, the configuration can be edited in the host +Properties. + +![Qumulo Host Properties](/images/activitymonitor/9.0/admin/monitoredhosts/properties/qumulohostproperties.webp) + +The configurable options are: + +- Cluster name – Enter the name of the filer +- Username – Enter the user name for the Qumulo user +- Password – Enter the password for the user name +- Protocol – Select one of the following protocols from the drop-down menu: + + - Auto Detect + - HTTPS + - HTTPS, ignore certificate errors + +- Connect – Click to connect using the selected protocol and validate the connection with Qumulo + +![Trusted Server Certificate popup window](/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp)- +HTTPS Options – Opens the Trusted server certificate window to customize the certificate +verification during a TLS session + +- Import – Click to browse for a trusted server certificate +- Remove – Click to remove the selected trusted server certificate +- Enable hostname verification – Select this checkbox to ensure that the host name the product + connects and matches the name in the certificate (CN name) +- Click **OK** to close the window and save the modifications. diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/sharepoint.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/sharepoint.md new file mode 100644 index 0000000000..aba47f2739 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/sharepoint.md 
@@ -0,0 +1,32 @@ +--- +title: "SharePoint Tab" +description: "SharePoint Tab" +sidebar_position: 140 +--- + +# SharePoint Tab + +The SharePoint tab on a host’s Properties window allows users to modify settings that are populated +with the information entered when the SharePoint host is added. + +![SharePoint Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/sharepointtab.webp) + +The configurable options are: + +- Enable auditing on selected site collections - Check the box to enable auditing on selected site + collections. Enabling this option will ensure that auditing is enabled for all monitored site + collections with periodic checks. +- Choose to audit all sites or scope the monitoring to specific site(s): + + - Audit all sites – Leave textbox for URLs blank + - Scope to specific sites – List URLs for sites to be monitored in the textbox. List should be + semicolon separated. For example: + +**http://sharepoint.local/sites/marketing; http://sharepoint.local/sites/personal/user1** + +- Audit polling interval – Select the interval for how often the activity agent will request new + events from SharePoint. Number of seconds between polling request, set to 15 seconds by default +- User name - Enter the user name for the domain account with local admin permissions +- User password - Enter the password for the user name + +- Connect – Click Connect to validate the connection with SharePoint diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptions.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptions.md new file mode 100644 index 0000000000..d0ae6d2035 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptions.md 
@@ -0,0 +1,12 @@ +--- +title: "Tweak Options Tab" +description: "Tweak Options Tab" +sidebar_position: 150 +--- + +# Tweak Options Tab + +The Tweak Options tab on a SQL Server host's properties window is used to configure extended events +operations for SQL activity monitoring. + +![Tweak Options Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptionstab.webp) diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md new file mode 100644 index 0000000000..2c2dfc3f86 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/unixids.md 
@@ -0,0 +1,30 @@ +--- +title: "Unix IDs Tab" +description: "Unix IDs Tab" +sidebar_position: 160 +--- + +# Unix IDs Tab + +The Unix IDs tab provides configuration options to translate Unix IDs (UID) to SIDs. This tab +applies to NetApp devices, Dell devices, and Nasuni Edge Appliances. + +When activity is performed on an NFS resource, UIDs are returned for that activity event. Depending +on the operating system, the UID can be mapped to Active Directory accounts using the uidNumber +attribute in Active Directory. The activity agent resolves the Active Directory SID based on the UID +from the activity event. + +![Unix ID Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/unixid.webp) + +The options are: + +- Translate Unix IDs to SIDs – Enables all controls on the page +- Search in container (DN) – Default naming context of the agent's domain +- Search scope – Select from the following radio buttons: + - This container and its descendants + - This container only +- Search - Search using the following specifications: + - by an attribute – Specify an LDAP filter. This attribute cannot be empty. + - with a custom filter – Use the %UID% macro for a Unix ID value + - Provide UID for test/Test – Test button performs a search in the specified container with the + scope and the filter, replacing %UID% with 0 for the test diff --git a/docs/activitymonitor/9.0/admin/monitoredhosts/properties/windows.md b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/windows.md new file mode 100644 index 0000000000..97ff0873d2 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/monitoredhosts/properties/windows.md 
@@ -0,0 +1,14 @@ +--- +title: "Windows Tab" +description: "Windows Tab" +sidebar_position: 170 +--- + +# Windows Tab + +The Windows tab on a host's Properties window is specific to Windows hosts. + +![Host Properties - Windows Tab](/images/activitymonitor/9.0/admin/monitoredhosts/properties/windows.webp) + +Select whether to report the host name as either a **NETBIOS name** or a **Fully qualified domain +name**. The Host Name can be previewed to see how it appears depending on the option selected. diff --git a/docs/activitymonitor/9.0/admin/outputs/_category_.json b/docs/activitymonitor/9.0/admin/outputs/_category_.json new file mode 100644 index 0000000000..79eee1ab1e --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Output Types", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/accountexclusions/_category_.json b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/_category_.json new file mode 100644 index 0000000000..a4c6e98173 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Account Exclusions Tab", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "accountexclusions" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md new file mode 100644 index 0000000000..76954fb874 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md 
@@ -0,0 +1,182 @@ +--- +title: "Account Exclusions Tab" +description: "Account Exclusions Tab" +sidebar_position: 10 +--- + +# Account Exclusions Tab + +The Account Exclusions tab on an output Properties window is where monitoring scope by account name +can be modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. The tab varies based on the type of host selected. + +## For Exchange Online Hosts + +The tab contains the following settings: + +![Account Exclusions tab for Exchange Online](/images/activitymonitor/9.0/admin/outputs/accountexclusions_exchangeonline.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the + [Specify Unix Account Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifyunixaccount.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Linux Hosts + +The tab contains the following settings: + +![linux](/images/activitymonitor/9.0/admin/outputs/linux.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the + [Specify Unix Account Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifyunixaccount.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For NAS Device Hosts + +The tab contains the following settings: + +![Account Exclusions tab for NAS Hosts](/images/activitymonitor/9.0/admin/outputs/nasdevices.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add Unix Account – Opens the Specify Unix Account window to add an account for exclusion. See the + [Specify Unix Account Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifyunixaccount.md) topic for additional information. 
+- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Hosts + +The tab contains the following settings: + +![Account Exclusions tab for SharePoint hosts](/images/activitymonitor/9.0/admin/outputs/sharepoint.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Add SharePoint Account – Opens the Specify account window to add an account for exclusion. See the + [Specify Account Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysharepointaccount.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For SQL Server Hosts + +The tab contains the following settings: + +![sqlhosts](/images/activitymonitor/9.0/admin/outputs/sqlhosts.webp) + +- Add Sql User – Opens the Specify Sql User name window to add an account for exclusion. See the + [Specify Sql User Name Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysqluser.md) topic for additional information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. By default, no accounts are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Windows File Server Hosts + +The tab contains the following settings: + +![Account Exlcusions tab for Windows Hosts](/images/activitymonitor/9.0/admin/outputs/windows.webp) + +- Add Windows Account – Opens the Specify account or group window to add an account for exclusion. + See the [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for additional + information. +- Remove – Removes the selected account from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Process group membership when filtering – Indicates if group memberships is processed when + filtering accounts + +The table lists accounts that are being excluded from monitoring, displaying columns for Account +Name and Account Type. 
By default, the Windows File Server monitoring is excluding the following +accounts: + +- NT Authority\IUSR +- NT Authority\SYSTEM +- NT Authority\LOCAL SERVICE +- NT Authority\NETWORK SERVICE + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysharepointaccount.md b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysharepointaccount.md new file mode 100644 index 0000000000..0caf42a1e7 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysharepointaccount.md @@ -0,0 +1,23 @@ +--- +title: "Specify Account Window" +description: "Specify Account Window" +sidebar_position: 10 +--- + +# Specify Account Window + +The Specify account window is opened from a field where a SharePoint account is needed. + +![Specify Account popup window](/images/activitymonitor/9.0/admin/outputs/window/sharepointspecifyaccount.webp) + +There are two options for specifying an account: + +- SharePoint System Accounts – Check the boxes for the desired system accounts: SHAREPOINT\system, + -1, S-1-0-0 (Null SID) +- Custom – Enter the account in the textbox. Multiple accounts can be added using a semicolon (;). + + - For System Service Accounts – Enter the SID for system service accounts + - For Local User Accounts – Enter either the user name or SID for the local account + +Click **OK**. The Specify account window closes, and the account is added to the field where the +window was opened. diff --git a/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysqluser.md b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysqluser.md new file mode 100644 index 0000000000..f72a6d524d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifysqluser.md 
@@ -0,0 +1,15 @@ +--- +title: "Specify Sql User Name Window" +description: "Specify Sql User Name Window" +sidebar_position: 30 +--- + +# Specify Sql User Name Window + +The Specify Sql User name window is opened from a field where a SQL Server account is needed. + +![specifysqlusernamewindow](/images/activitymonitor/9.0/admin/outputs/window/specifysqlusernamewindow.webp) + +Enter the SQL Server user name into the text box. Multiple user names can be added using a semicolon +(;), a comma (,), or a space. Then click OK. The Specify Sql User name window closes, and the +account is added to the field where the window was opened. diff --git a/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifyunixaccount.md b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifyunixaccount.md new file mode 100644 index 0000000000..7f0a42eb62 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifyunixaccount.md @@ -0,0 +1,15 @@ +--- +title: "Specify Unix Account Window" +description: "Specify Unix Account Window" +sidebar_position: 40 +--- + +# Specify Unix Account Window + +The Specify Unix Account or group window is opened from a field where a Unix account is needed. + +![Specify Unix Account popup window](/images/activitymonitor/9.0/admin/outputs/window/unixspecifyunixaccount.webp) + +Type the UID for the desired account in the textbox. Multiple UIDs can be added using a semicolon +(;), a comma (,), or a space. Then click OK. The Specify Unix Account window closes, and the account +is added to the field where the window was opened. diff --git a/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md new file mode 100644 index 0000000000..15e3fe7d08 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md 
@@ -0,0 +1,29 @@ +--- +title: "Specify Account or Group Window" +description: "Specify Account or Group Window" +sidebar_position: 20 +--- + +# Specify Account or Group Window + +The Specify account or group window is opened from a field where a Windows account is needed. + +![Specify Account or Group popup window](/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp) + +Follow the steps to use this window. + +**Step 1 –** Select the Domain from the drop-down menu. + +**Step 2 –** Enter the Account in the textbox. + +- Accounts can be entered in NTAccount format, UPN format, or SID format. +- Use the ellipsis (…) button to open the Select Users, Computers, Service Accounts, or Groups + window to browse for an account. + +**Step 3 –** Then click Resolve. A message displays indicating whether or not the account could be +resolved. + +**Step 4 –** If successful, click OK. + +The Specify account or group window closes, and the account is added to the field where the window +was opened. diff --git a/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md b/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md new file mode 100644 index 0000000000..aa95f6aa72 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md 
@@ -0,0 +1,38 @@ +--- +title: "Additional Properties Tab" +description: "Additional Properties Tab" +sidebar_position: 20 +--- + +# Additional Properties Tab + +The Additional Properties tab on an output Properties window is where comments and displayed host +name can be modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. + +![Additional Properties](/images/activitymonitor/9.0/admin/outputs/additionalpropertiestab.webp) + +The options are: + +- Report hostname as – The value entered here will customize the hostname that is reported for the + event in the activity log outputs +- Comment – The value entered here will appear in the Comments column in the Monitored Hosts & Services tab + table. + +Often, the Additional Properties Tab is used to indicate the purpose of the output, e.g. for Netwrix +Access Analyzer . This can be useful if using multiple outputs with +different configurations for different purposes. For example, a SharePoint site could be added as a +host and configured for Netwrix Access Analyzer data collection. It +can be added again with different monitoring options and be configured for SIEM notification. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +**Integration with Netwrix Threat Prevention for NAS Monitoring** + +If a Threat Prevention Agent has been deployed to the same Windows proxy server where and activity +agent is deployed to monitor NAS devices, then the **Comment** column in the monitored hosts/services table +identifies the host as being “Managed by Threat Prevention”, and that ‘monitored host’ configuration +is not editable through the Activity Monitor Console. Simply add the host again for other outputs. 
diff --git a/docs/activitymonitor/9.0/admin/outputs/gidexclusions/_category_.json b/docs/activitymonitor/9.0/admin/outputs/gidexclusions/_category_.json new file mode 100644 index 0000000000..7f90b35438 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/gidexclusions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "GID Exclusions Tab", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "gidexclusions" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/gidexclusions/addeditgid.md b/docs/activitymonitor/9.0/admin/outputs/gidexclusions/addeditgid.md new file mode 100644 index 0000000000..6071172afe --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/gidexclusions/addeditgid.md @@ -0,0 +1,14 @@ +--- +title: "Add or Edit GID Window" +description: "Add or Edit GID Window" +sidebar_position: 10 +--- + +# Add or Edit GID Window + +The Add or Edit GID window is opened from a field where a Linux group is needed. + +![addoreditgidwindow](/images/activitymonitor/9.0/admin/outputs/window/addoreditgidwindow.webp) + +Type the GID for the desired group in the textbox. Then click OK. The Add or Edit GID window closes, +and the group is added to the field where the window was opened. diff --git a/docs/activitymonitor/9.0/admin/outputs/gidexclusions/gidexclusions.md b/docs/activitymonitor/9.0/admin/outputs/gidexclusions/gidexclusions.md new file mode 100644 index 0000000000..db7e1cf684 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/gidexclusions/gidexclusions.md 
@@ -0,0 +1,35 @@ +--- +title: "GID Exclusions Tab" +description: "GID Exclusions Tab" +sidebar_position: 30 +--- + +# GID Exclusions Tab + +The GID Exclusions tab on an output Properties window is where monitoring scope by group can be +modified. These settings are initially configured when the output is added. + +Select an output for a Linux host on the Monitored Hosts & Services tab and click **Edit** to open the output +Properties window. + +![gidexclusionstab](/images/activitymonitor/9.0/admin/outputs/gidexclusionstab.webp) + +The tab contains the following settings: + +- Add – Opens the Add or Edit GID window to add a group for exclusion. See the + [Add or Edit GID Window](/docs/activitymonitor/9.0/admin/outputs/gidexclusions/addeditgid.md) topic for additional information. +- Remove – Removes the selected group from exclusion. Confirmation is not requested. + + :::warning + If an account is removed by group, use the **Cancel** button to discard the change. + ::: + + +- Edit – Opens the Add or Edit GID window to edit a selected group for exclusion. See the + [Add or Edit GID Window](/docs/activitymonitor/9.0/admin/outputs/gidexclusions/addeditgid.md) topic for additional information. + +The table lists groups that are being excluded from monitoring, displayed in the GID column. By +default, no groups are being excluded. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/logfiles.md b/docs/activitymonitor/9.0/admin/outputs/logfiles.md new file mode 100644 index 0000000000..a24ba54ba3 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/logfiles.md 
@@ -0,0 +1,261 @@ +--- +title: "Log Files Tab" +description: "Log Files Tab" +sidebar_position: 40 +--- + +# Log Files Tab + +The Log Files tab on an output Properties window is where the activity log settings can be modified. +These settings are initially configured when the output is added. + +Select a File output from either the Monitored Domains tab or the Monitored Hosts & Services tab and click +**Edit** to open the output Properties window. The tab varies based on the type of domain/host +selected. + +## For Active Directory Domains + +The tab contains the following settings: + +![logfilesactivedirectory](/images/activitymonitor/9.0/admin/outputs/logfilesactivedirectory.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. The Active Directory activity log settings also affect log size by controlling the + information recorded per event. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +- Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event + reporting is enabled, which means the agent will send out status messages every five minutes to + verify whether the connection is still active. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. 
The output +Properties window closes. + +## For File Server and NAS Device Hosts + +The tab contains the following settings: + +![Log File Tab - Windows File servers and NAS devices hosts](/images/activitymonitor/9.0/admin/outputs/windowsfilenasdevices.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + + - For integration with Netwrix Access Analyzer File System + Solution, this value must be higher than the number of days between the 0.Collection > 1-FSAC + System Scans Job scans. See the + [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) + for additional information. + - For integration with Netwrix Threat Prevention NAS monitoring, this setting only controls the + log retention period for NAS devices, as Netwrix Threat Prevention does not read Windows file + server activity from Activity Monitor. + +- Report account names – Indicates if an Account Name column is added in the activity log files +- Add header to Log files – Indicates if headers are added in the activity log filesAdd header to + Log files – Indicates if headers are added in the activity log files + + :::note + This is needed to feed data into Splunk in a Syslog output. However, Netwrix Access + Analyzer does not support log files with headers. Therefore, do + not select this option for a File output designed for Netwrix Access Analyzer. 
+ ::: + + +- Report UNC paths – Indicates if a UNC Path column and a Rename UNC Path column are added in the + activity log files. This option corresponds to the REPORT_UNC_PATH parameter in the INI file. When + the option is enabled, the added columns are populated when a file is accessed remotely through + the UNC Path. If a file is accessed locally, these columns are empty. + + - The UNC Path is in the following format: + + - For CIFS activity – The path is in `\\[HOST]\[SHARE]\[PATH]` format, e.g. + `\\ExampleHost\TestShare\DocTeam\Temp.txt` + - For NFS activity – The path is in `[HOST]:/[VOLUME]/[PATH] `format, e.g. + `ExampleHost:/ExampleVolume/DocTeam/Temp.txt` + + :::note + When this option is selected, a warning message might be displayed. + ::: + + +- Report operations with millisecond precision – Indicates the timestamps of events being recorded + in the activity log file has been changed for better ordering of events if multiple events occur + within the same second +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Linux Hosts + +The tab contains the following settings: + +![Log Files Tab for Linux Hosts](/images/activitymonitor/9.0/admin/outputs/linux.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. 
+ ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- Add header to Log files – Indicates if headers are added in the activity log filesAdd header to + Log files – Indicates if headers are added in the activity log files + + :::note + This is needed to feed data into Splunk in a Syslog output. However, Netwrix Access + Analyzer does not support log files with headers. Therefore, do + not select this option for a File output designed for Netwrix Access Analyzer. + ::: + + +- Add C:\ to the beginning of the reported file paths – Adds C:\ to the beginning of the reported + file paths in the activity log file +- Report UNC paths – Indicates if a UNC Path column and a Rename UNC Path column are added in the + activity log files. This option corresponds to the REPORT_UNC_PATH parameter in the INI file. When + the option is enabled, the added columns are populated when a file is accessed remotely through + the UNC Path. If a file is accessed locally, these columns are empty. +- Report operations with millisecond precision – Indicates the timestamps of events being recorded + in the activity log file has been changed for better ordering of events if multiple events occur + within the same second +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Microsoft Entra ID, SharePoint Online, and SQL Server Hosts + +The tab contains the following settings: + +![Log File Tab - Azure Active Directory](/images/activitymonitor/9.0/admin/outputs/azuread.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Period to keep Log files – Activity logs are deleted after the number of days entered. The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Hosts + +The tab contains the following settings: + +![Log File Tab - SharePoint On-Premises hosts](/images/activitymonitor/9.0/admin/outputs/sharepointonprem.webp) + +- Log file path – Identifies the full path of the activity log files on the activity agent server. + The date timestamp is appended to the file name automatically. +- Log file format – Indicates the file type used for the activity log. The default is JSON. See + [SharePoint JSON Log File](/docs/activitymonitor/9.0/admin/monitoredhosts/output/sharepointjson.md) topic and the + [SharePoint TSV Log File](/docs/activitymonitor/9.0/admin/monitoredhosts/output/sharepointtsv.md) topic for additional information. +- Period to keep Log files – Activity logs are deleted after the number of days entered. 
The default + is 10 days. + + :::note + This setting effects activity log retention whether or not the archiving feature is + enabled. + ::: + + + :::info + Keep a minimum of 10 days of activity logs. Raw activity logs should be + retained to meet an organization’s audit requirements. + ::: + + +- This log file is for Netwrix Access Analyzer (StealthAUDIT) – + Indicates whether Netwrix Access Analyzer collect the data from this + configured output + + :::note + While the Activity Monitor can have multiple configurations per host, Netwrix Access + Analyzer can only read one of them. + ::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/objects.md b/docs/activitymonitor/9.0/admin/outputs/objects.md new file mode 100644 index 0000000000..5893ef1b78 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/objects.md @@ -0,0 +1,21 @@ +--- +title: "Objects Tab" +description: "Objects Tab" +sidebar_position: 50 +--- + +# Objects Tab + +The Objects tab on an output Properties window is where monitoring scope by SQL Server objects can +be modified. These settings are initially configured when the output is added. + +Select an output for a SQL Server host on the Monitored Hosts & Services tab and click **Edit** to open the +output Properties window. + +![Objects Tab](/images/activitymonitor/9.0/admin/outputs/objectstab.webp) + +The **Refresh** button populates the list of SQL Server objects for the selected host. By default, +all objects are checked and will be monitored. Check and uncheck objects as desired. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/operations/_category_.json b/docs/activitymonitor/9.0/admin/outputs/operations/_category_.json new file mode 100644 index 0000000000..77005a0b76 
--- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/operations/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Operations Tab", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "operations" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/operations/operations.md b/docs/activitymonitor/9.0/admin/outputs/operations/operations.md new file mode 100644 index 0000000000..a259d240dd --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/operations/operations.md 
@@ -0,0 +1,344 @@ +--- +title: "Operations Tab" +description: "Operations Tab" +sidebar_position: 60 +--- + +# Operations Tab + +The Operations tab on an output Properties window is where monitoring scope by operation can be +modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. The tab varies based on the type of host selected. + +## For Linux Hosts + +The tab contains the following settings and features: + +![linux](/images/activitymonitor/9.0/admin/outputs/linux.webp) + +Use the options in the Operations tab to filter the list of available audit activities. The options +are: + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Microsoft Entra ID Hosts + +The tab contains the following settings and features: + +![Host Properties - Azure AD Operations tab](/images/activitymonitor/9.0/admin/outputs/azureadoperationstab.webp) + +- Monitor Sign-Ins activity – Indicates if user sign-ins activity is monitored +- Monitor Audit activity – Indicates if audit for all operations is monitored +- Service – Filter the table by Service using the drop-down menu +- Category – Filter the table by Category using the drop-down menu +- Operation – Filter the table by Operation using the textbox + +The table lists operations being monitored, displaying columns for Service, Category, and Operation. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Nasuni Hosts + +The tab contains the following settings and features: + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List +- Link Operations – Scope by link operation events: Add, Delete +- Suppress reporting of File Explorer's excessive directory traversal activity – When you open a + folder, Windows File Explorer tends to read all sub-folders to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read / List option for Directory Operations is + selected. +- Suppress reporting of File Explorer's excessive file read activity – When you open a folder, + Windows File Explorer tends to read files in the folder to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read option for File Operations is selected. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. +- Suppress operations on common temporary files – Filters out events for common temporary files. + With this option enabled, events for these common temporary files are ignored. +- Suppress duplicate operations for [VALUE] seconds + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For Nutanix Hosts + +The tab contains the following settings and features: + +![operations](/images/activitymonitor/9.0/admin/outputs/operations.webp) + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission change + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Qumulo Hosts + +The tab contains the following settings and features: + +![qumulooutputproperties](/images/activitymonitor/9.0/admin/outputs/qumulooutputproperties.webp) + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List +- Share Operations – Scope by share operation events: Add, Delete, Update, Read / Connect +- Suppress operations on common temporary files – Filters out events for common temporary files. + With this option enabled, events for these common temporary files are ignored. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For SharePoint Host + +The tab contains the following settings and features: + +![Operations Tab for SharePoint](/images/activitymonitor/9.0/admin/outputs/sp.webp) + +- SharePoint operations – Scope by SharePoint operation events: Check-Out, View, Update, Child + Delete, Undelete, Copy, Audit Mask Change, Child Move, Custom, Check-In, Delete, Profile Change, + Schema Change, Workflow, Move, Search, File Fragment Write +- Permission Operations – Scope by permission operation events: Creation of a user group, Addition + of a new member to a group, creation of a new role, Changing a role, Changing the permissions of a + user or group, Turning off inheritance of security settings, Granting App Permissions, Deletion of + a group, Deletion of a member from a group, Removal of a role, Turning off inheritance of role, + Turning on inheritance of security settings, Deletion of audited events, Revoking App Permissions + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Online Host + +The tab contains a subset of tabs. Each tab has a **Select All** check box to include all events for +that tab. 
+ +![Operations Tab for SharePoint Online Properties](/images/activitymonitor/9.0/admin/outputs/operationstab.webp) + +You can scope by the following events: + +| Tab | Event | +| -------------------------- | --------------------------------------------- | +| Content Explorer | Accessed item | +| DLP | Designated false positive | +| DLP | Matched DLP rule | +| DLP | Undone DLP action | +| File and Page | Accessed File | +| File and Page | Accessed File (ext) | +| File and Page | Changed compliance policy label | +| File and Page | Changed record status to locked | +| File and Page | Changed record status to unlocked | +| File and Page | Checked in file | +| File and Page | Checked out file | +| File and Page | Copied file | +| File and Page | Deleted file | +| File and Page | Deleted file from recycle bin | +| File and Page | Deleted file from second-stage recycle bin | +| File and Page | Deleted record compliance policy label | +| File and Page | Detected document sensitivity mismatch | +| File and Page | Detected malware in file | +| File and Page | Discarded file checkout | +| File and Page | Downloaded file | +| File and Page | Modified file | +| File and Page | Modified file (ext) | +| File and Page | Moved file | +| File and Page | Performed search query | +| File and Page | Prefetched page | +| File and Page | Previewed file | +| File and Page | Recycled all minor versions of file | +| File and Page | Recycled all versions of file | +| File and Page | Recycled version of file | +| File and Page | Renamed file | +| File and Page | Restored file | +| File and Page | Uploaded file | +| File and Page | View signaled by client | +| File and Page | Viewed page | +| File and Page | Viewed page (ext) | +| Folder | Copied folder | +| Folder | Created folder | +| Folder | Deleted folder | +| Folder | Deleted folder from recycle bin | +| Folder | Deleted folder from second-stage recycle bin | +| Folder | Modified folder | +| Folder | Moved folder | +| Folder | Renamed 
folder | +| Folder | Restored folder | +| List | Created list | +| List | Created list column | +| List | Created list column | +| List | Created list content type | +| List | Created list item | +| List | Created site column | +| List | Created site content type | +| List | Deleted list | +| List | Deleted list column | +| List | Deleted list content type | +| List | Deleted list item | +| List | Deleted site column | +| List | Deleted site content type | +| List | Recycled list item | +| List | Restored list | +| List | Restored list item | +| List | Updated list | +| List | Updated list column | +| List | Updated list content type | +| List | Updated list item | +| List | Updated site column | +| List | Updated site content type | +| Other | Other events | +| Sensitive Label | Applied sensitivity label to file | +| Sensitive Label | Applied sensitivity label to site | +| Sensitive Label | Changed sensitivity label applied to file | +| Sensitive Label | Removed sensitivity label from file | +| Sensitive Label | Removed sensitivity label from site | +| Sharing and Access Request | Accepted access request | +| Sharing and Access Request | Accepted sharing invitation | +| Sharing and Access Request | Added permission level to site collection | +| Sharing and Access Request | Blocked sharing invitation | +| Sharing and Access Request | Created a company shareable link | +| Sharing and Access Request | Created access request | +| Sharing and Access Request | Created an anonymous link | +| Sharing and Access Request | Created secure link | +| Sharing and Access Request | Created sharing invitation | +| Sharing and Access Request | Deleted secure link | +| Sharing and Access Request | Denied access request | +| Sharing and Access Request | Removed a company shareable link | +| Sharing and Access Request | Removed an anonymous link | +| Sharing and Access Request | Shared file, folder, or site | +| Sharing and Access Request | Unshared file, folder, or site | +| Sharing 
and Access Request | Updated access request | +| Sharing and Access Request | Updated an anonymous link | +| Sharing and Access Request | Updated sharing invitation | +| Sharing and Access Request | Used a company shareable link | +| Sharing and Access Request | Used an anonymous link | +| Sharing and Access Request | Used secure link | +| Sharing and Access Request | User added to secure link | +| Sharing and Access Request | User removed from secure link | +| Sharing and Access Request | Withdrew sharing invitation | +| Site Administration | Added allowed data location | +| Site Administration | Added exempt user agent | +| Site Administration | Added geo location admin | +| Site Administration | Allowed user to create groups | +| Site Administration | Canceled site geo move | +| Site Administration | Changed a sharing policy | +| Site Administration | Changed device access policy | +| Site Administration | Changed exempt user agents | +| Site Administration | Changed network access policy | +| Site Administration | Completed site geo move | +| Site Administration | Created Sent To connection | +| Site Administration | Created site collection | +| Site Administration | Deleted orphaned hub site | +| Site Administration | Deleted Sent To connection | +| Site Administration | Deleted site | +| Site Administration | Enabled document preview | +| Site Administration | Enabled legacy workflow | +| Site Administration | Enabled Office on Demand | +| Site Administration | Enabled result source for People Searches | +| Site Administration | Enabled RSS feeds | +| Site Administration | Joined site to hub site | +| Site Administration | Registered hub site | +| Site Administration | Removed allowed data location | +| Site Administration | Removed geo location admin | +| Site Administration | Renamed site | +| Site Administration | Scheduled site geo move | +| Site Administration | Set host site | +| Site Administration | Set storage quota for geo location | +| Site 
Administration | Unjoined site from hub site | +| Site Administration | Unregistered hub site | +| Site Permissions | Added site collection admin | +| Site Permissions | Added user or group to SharePoint group | +| Site Permissions | Broke permission level inheritance | +| Site Permissions | Broke sharing inheritance | +| Site Permissions | Created group | +| Site Permissions | Deleted group | +| Site Permissions | Modified access request setting | +| Site Permissions | Modified 'Members Can Share' setting | +| Site Permissions | Modified permissions level on site collection | +| Site Permissions | Modified site permissions | +| Site Permissions | Removed permission level from site collection | +| Site Permissions | Removed site collection admin | +| Site Permissions | Removed user or group from SharePoint group | +| Site Permissions | Requested site admin permissions | +| Site Permissions | Restored sharing inheritance | +| Site Permissions | Updated group | +| Synchronization | Allowed computer to sync files | +| Synchronization | Blocked computer from syncing files | +| Synchronization | Downloaded file changes to computer | +| Synchronization | Downloaded files to computer | +| Synchronization | Uploaded file changes to document library | +| Synchronization | Uploaded files to document library | + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. 
+ +## For SQL Server Hosts + +The tab contains the following settings and features: + +![sql](/images/activitymonitor/9.0/admin/outputs/sql.webp) + +- DML operations – Scope by DML operation events: Select, Update, Merge, Insert, Delete, Execute +- Audit operations – Scope by audit operation events: Login, Logout, Login Failed, Error +- Permission operations – Scope by permission operation events: Grant, Deny, Revoke, Alter Role +- Suppress subsequent logon/logout events from the same user in [VALUE] minutes interval + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Windows File Server Hosts + +The tab contains the following settings and features: + +![Operations Tab for File System](/images/activitymonitor/9.0/admin/outputs/fs.webp) + +- Operation Type – Scope events by operation type: + + - All – Both allowed and denied operations + - Allowed only – Only allowed operations + - Denied only – Only denied operations + +- File Operations – Scope by file operation events: Add, Delete, Rename, Permission change, Read, + Update +- Directory Operations – Scope by directory operation events: Add, Delete, Rename, Permission + change, Read / List +- Share Operations – Scope by share operation events: Add, Delete, Update, Permission change +- VSS Operations – Scope by VSS operation events: Snapshot add, Snapshot delete, Read +- Suppress reporting of File Explorer's excessive directory traversal activity – When you open a + folder, Windows File Explorer tends to read all sub-folders to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read / List option for Directory Operations is + selected. 
+- Suppress reporting of File Explorer's excessive file read activity – When you open a folder, + Windows File Explorer tends to read files in the folder to display proper icons and meta-data. + This activity occurs without the explicit intent of the user. This option tries to suppress such + automatic activity. It is only available when the Read option for File Operations is selected. +- Suppress Permission Change operations with reordered ACL – Prevents tracking events where + permission updates occurred resulting in reordered ACEs, but with no other changes in the ACL +- Suppress Inherited Permissions Changes – Prevents tracking events where changes for inherited + permissions occurred. This option is provided to improve overall performance and reduce output log + volume. +- Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office + temporary files. When Microsoft Office files are saved or edited, many temporary files are + created. With this option enabled, events for these temporary files are ignored. +- Suppress operations on common temporary files – Filters out events for common temporary files. + With this option enabled, events for these common temporary files are ignored. +- Suppress duplicate operations for [VALUE] seconds + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +See[Suppress Windows Explorer Activity](/docs/activitymonitor/9.0/admin/outputs/operations/suppress.md) topic for more information. diff --git a/docs/activitymonitor/9.0/admin/outputs/operations/suppress.md b/docs/activitymonitor/9.0/admin/outputs/operations/suppress.md new file mode 100644 index 0000000000..d3f4f6e0f3 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/operations/suppress.md 
@@ -0,0 +1,72 @@ +--- +title: "Suppress Windows Explorer Activity" +description: "Suppress Windows Explorer Activity" +sidebar_position: 10 +--- + +# Suppress Windows Explorer Activity + +Not all file operations are deliberate. Operating systems and third-party software have the +capability to execute operations on files without explicit user action. While this functionality can +improve user experience, it also presents a challenge to IT teams as it generates a record of +actions that have not been explicitly triggered by users. + +One of the most prominent examples is the Windows File Explorer - the standard application for file +system browsing on the Windows family of operating systems. Over the years, File Explorer has had a +number of improvements and new features. File Explorer displays various information about files to +provide a better user experience. This allows users to view file content without having to open +them. + +File Explorer displays icons for certain file types like executable (.exe) files. Depending on the +View mode, it can display thumbnails of various file formats and meta-data with things like author, +number of pages, image dimensions, etc. Hovering a mouse cursor over a file also provides detailed +information about a file in a tool tip. When working with sub-folders, File Explorer may display a +thumbnail of the files contained within the sub-folder on top of the sub-folder icon. This +additional functionality is executed automatically, mostly without the user's explicit action or +intention. + +As an example, a user may wish to open the MySampleReport.docx document located in the +MyTestDepartment folder. The user opens the folder, locates the file and double-clicks to open it. +From the user's perspective, only two actions were performed: + +1. Open MyTestMyDepartment folder. +2. Open MySampleReport.docx. 
+ +However, File Explorer performs a number of additional operations on behalf of the user: + +- It reads and displays icons for certain files types in MyTestMyDepartment folder. +- It reads the meta-data of the files or sub-folders under the mouse cursor while the user is + locating the document. +- It reads the meta-data and preview if the user accidentally selects an incorrect file. +- It lists the content of all sub-folders and generates thumbnails to be displayed on top of the + sub-folder icon. +- It may create or update Thumbs.db file - a cache of thumbnail images. + +None of these additional file operations, which can be called Preview Reads, are explicitly +initiated by the user. However, the audit log records all of them as originating from the user. + +Preview Reads and similar unintentional automatic operations pose a significant challenge for IT +teams and IT auditing software. At the file system level, preview reads are perceived as normal read +operations, like file copying or opening a file in an application. There exists no distinguishing +factor between explicit user activity and implicit actions by File Explorer. Whether it is a preview +read, opening the file in Notepad, or copying the file, all these operations are perceived as the +same Read operation at the file system level. Therefore, it is not possible to reliably filter +unintentional activity without the risk of suppressing genuine user actions. + +The Activity Monitor employs various techniques to minimize noise. These methods all rely on +identifying patterns in the sequence of events. However, their effectiveness is severely limited, as +research has shown that clear patterns of preview reads activity in File Explorer are lacking. For +the Windows Server, the effectiveness is slightly higher since theActivity Monitor's file system +driver can observe all the low-level details about operations. 
+ +The product provides the following filtering options to reduce File Explorer preview reads: + +- Suppress reporting of File Explorer’s excessive directory traversal activity - This option aims to + identify and suppress preview reads of sub-folders that occur immediately after the parent folder + is opened. +- Suppress reporting of File Explorer’s excessive file read activity - This option attempts to + identify and suppress preview reads of files that occur immediately after the parent folder is + opened. + +Both filtering options prioritize the accuracy of audit data over noise reduction. In other words, +they will report a noise event rather than suppress a genuine user action. diff --git a/docs/activitymonitor/9.0/admin/outputs/overview.md b/docs/activitymonitor/9.0/admin/outputs/overview.md new file mode 100644 index 0000000000..64a89efbc2 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/overview.md 
@@ -0,0 +1,121 @@ +--- +title: "Output Types" +description: "Output Types" +sidebar_position: 40 +--- + +# Output Types + +Once a domain or a host/service is being monitored the event stream can be sent to multiple outputs. There +are three types of outputs: + +- File – Creates an activity log as a TSV or JSON file for every day of activity + +- Syslog – Sends activity events to the configured SIEM server. + For file servers, this option is also used to send activity events to Netwrix Threat Manager. + +- Netwrix Threat Manager – Sends Active Directory activity events to Netwrix Threat Manager + + :::note + This output type is only available for Monitored Domains + ::: + + +See the [Output for Monitored Domains](/docs/activitymonitor/9.0/admin/monitoreddomains/output/output.md) topic and the +[Output for Monitored Hosts](/docs/activitymonitor/9.0/admin/monitoredhosts/output/output.md) topic for information on adding an output. + +Output configurations vary based on the type of domain/host selected. 
+ +## For Active Directory Domains + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Threat Manager Tab](/docs/activitymonitor/9.0/admin/outputs/threatmanager.md), Netwrix Threat Manager output only + +## For File System Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/9.0/admin/outputs/protocols.md) +- [Account Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Process Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/processexclusions/processexclusions.md), Windows only +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) + +## For Linux Hosts + +In addition to common File System tabs, Linux outputs have the following tabs: + +- [GID Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/gidexclusions/gidexclusions.md) + + +## For Exchange Online Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) +- [Account Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md) +- Application Exclusions Tab +- Mailbox Exclusions Tab +- [Additional Properties 
Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) + + +## For Microsoft Entra ID Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) + + +## For SharePoint Hosts + +Output Properties window has the following tabs: + +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/pathfiltering.md) +- [Account Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) + +## For SharePoint Online Hosts + +Output Properties window has the following tabs: + +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only + +## For SQL Server Hosts + +Output Properties window has the following tabs: + +- [Account Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File 
output only +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) +- [Objects Tab](/docs/activitymonitor/9.0/admin/outputs/objects.md) +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only + +## For Windows File Server Hosts + +Output Properties window has the following tabs: + +- [Account Exclusions Tab](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/accountexclusions.md) +- [Additional Properties Tab](/docs/activitymonitor/9.0/admin/outputs/additionalproperties.md) +- [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md), File output only +- [Operations Tab](/docs/activitymonitor/9.0/admin/outputs/operations/operations.md) +- [Path Filtering Tab](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/pathfiltering.md) +- [Protocols Tab](/docs/activitymonitor/9.0/admin/outputs/protocols.md) +- [Syslog Tab](/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md), Syslog output only diff --git a/docs/activitymonitor/9.0/admin/outputs/pathfiltering/_category_.json b/docs/activitymonitor/9.0/admin/outputs/pathfiltering/_category_.json new file mode 100644 index 0000000000..abd798d0ab --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/pathfiltering/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Path Filtering Tab", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "pathfiltering" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md b/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md new file mode 100644 index 0000000000..140c6128cf --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md 
@@ -0,0 +1,36 @@ +--- +title: "Add or Edit Path Window" +description: "Add or Edit Path Window" +sidebar_position: 10 +--- + +# Add or Edit Path Window + +The Add or Edit Path window is opened from the Path Filtering tab of a monitored host's output +Properties window. + +![addoreditpath](/images/activitymonitor/9.0/admin/outputs/window/addoreditpath.webp) + +- Specify a path to filter during collection – Enter a file path in the textbox or use the ellipsis + (…) to browse for a folder +- Filter Type – Indicates if the filter will be **Included** or **Excluded** + +Then click OK. The Add or Edit Path window closes, and the path is added to the filtering list for +the monitored host. + +## Special Consideration for NAS Device Hosts + +For NAS devices, the activity agent can configured to add ‘C:\’ to the beginning of the path, which +is a requirement for the output that is designated for StealthAUDIT.exe or being read by a Netwrix +Threat Prevention agent. That configuration is on the [Log Files Tab](/docs/activitymonitor/9.0/admin/outputs/logfiles.md). If the option +is enabled for this monitored device, start your paths with C:\. + +## Wildcard + +Wildcard filtering can be configured using the following wildcard characters: + +| Wildcard | Definition | +| -------- | ------------------------------------------------------------ | +| \* | matches zero or more characters (except for "\" or "/") | +| ? | matches any single character (except for "\" or "/") | +| \*\* | matches zero or more characters (useful for directory trees) | diff --git a/docs/activitymonitor/9.0/admin/outputs/pathfiltering/pathfiltering.md b/docs/activitymonitor/9.0/admin/outputs/pathfiltering/pathfiltering.md new file mode 100644 index 0000000000..99a34d988a --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/pathfiltering/pathfiltering.md 
@@ -0,0 +1,180 @@ +--- +title: "Path Filtering Tab" +description: "Path Filtering Tab" +sidebar_position: 70 +--- + +# Path Filtering Tab + +The Path Filtering tab on an output Properties window is where monitoring scope by file paths can be +modified. Specified paths can be included in or excluded. These settings are initially configured +when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. The tab varies based on the type of host selected. + +## For Linux Hosts + +The tab contains the following settings and features: + +![pathfilteringtab](/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp) + +- Add – Opens the Add or Edit Path window to add a new path to the list. See the + [Add or Edit Path Window](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. +- Remove – Removes the selected path from the list. Confirmation is not requested. + + :::warning + If a path is removed by accident, use the **Cancel** button to discard the change. + ::: + + +- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these + buttons move the selected path up or down in the list +- Edit – Opens the Add or Edit Path window to modify the selected path. See the + [Add or Edit Path Window](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. +- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to + test whether it will be included/excluded based on the path filtering list + + - Result – Under the text box, a description of whether the indicated path is included or + excluded will appear, as well as a reason for why the indicated path is included or excluded. 
+ Additionally, the path in the list that is applied to the test will be highlight ed: green + highlight for an included path and red highlight for an excluded path. + +- Exclude extensions – Displays a space separated list of file extensions that are excluded +- Exclude streams – Displays a space separated list of streams that are excluded + +The table lists paths that are being filtered, displaying columns for Type, indicating if it is +being Included or Excluded, and Pattern. The order of the list determines what paths are included +and what paths are excluded. + +:::warning +Exclude takes precedence over the Include. For example, if the C:\OpenShare is +excluded, but the C:\OpenShare\Edward is included, the ‘OpenShare’ parent exclusion takes +precedence, and the ‘Edward’ child folder will not be monitored. +::: + + +:::note +If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are +added), then all current and new discovered drives will be monitored. +::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For NAS Device Hosts + +The tab contains the following settings and features: + +![Host Properties - Path Filtering Tab](/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp) + +- Add – Opens the Add or Edit Path window to add a new path to the list. See the + [Add or Edit Path Window](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. +- Remove – Removes the selected path from the list. Confirmation is not requested. + + :::warning + If a path is removed by accident, use the **Cancel** button to discard the change. + ::: + + +- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these + buttons move the selected path up or down in the list +- Edit – Opens the Add or Edit Path window to modify the selected path. 
See the + [Add or Edit Path Window](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. +- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to + test whether it will be included/excluded based on the path filtering list + + - Result – Under the text box, a description of whether the indicated path is included or + excluded will appear, as well as a reason for why the indicated path is included or excluded. + Additionally, the path in the list that is applied to the test will be highlight ed: green + highlight for an included path and red highlight for an excluded path. + +- Exclude extensions – Displays a space separated list of file extensions that are excluded +- Exclude streams – Displays a space separated list of streams that are excluded + +The table lists paths that are being filtered, displaying columns for Type, indicating if it is +being Included or Excluded, and Pattern. The order of the list determines what paths are included +and what paths are excluded. + +:::warning +Exclude takes precedence over the Include. For example, if the C:\OpenShare is +excluded, but the C:\OpenShare\Edward is included, the ‘OpenShare’ parent exclusion takes +precedence, and the ‘Edward’ child folder will not be monitored. +::: + + +:::note +If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are +added), then all current and new discovered drives will be monitored. +::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For SharePoint Hosts + +For a SharePoint host, the Path Filtering tab is for including and excluding sites. 
The tab contains +the following settings and features: + +![Path Filtering Tab for SharePoint Hosts](/images/activitymonitor/9.0/admin/outputs/pathfilteringsharepointhosts.webp) + +- To audit all sites, leave the textbox blank +- To include a specific site, enter the URL +- To exclude a specific site, enter the URL but add a minus sign (-) as a prefix to the URL, for + example: + +**-http://sharepoint.local/sites/marketing** + +Use a semicolon (;) to separate multiple URLs. + +## For Windows File Server Hosts + +The tab contains the following settings and features: + +- Add – Opens the Add or Edit Path window to add a new path to the list. See the + [Add or Edit Path Window](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. +- Remove – Removes the selected path from the list. Confirmation is not requested. + + :::warning + If a path is removed by accident, use the **Cancel** button to discard the change. + ::: + + +- Move Up / Move Down – Since path filters are evaluated in the order specified by the table, these + buttons move the selected path up or down in the list +- Edit – Opens the Add or Edit Path window to modify the selected path. See the + [Add or Edit Path Window](/docs/activitymonitor/9.0/admin/outputs/pathfiltering/addeditpath.md) topic for additional information. +- Add all local drives – Retrieves and adds all local drives to the bottom of the list with a type + of Include +- Type a path below to test whether it will be included or excluded – Enter a path in the textbox to + test whether it will be included/excluded based on the path filtering list + + - Result – Under the text box, a description of whether the indicated path is included or + excluded will appear, as well as a reason for why the indicated path is included or excluded. + Additionally, the path in the list that is applied to the test will be highlight ed: green + highlight for an included path and red highlight for an excluded path. 
+ +- Exclude extensions – Displays a space separated list of file extensions that are excluded +- Exclude streams – Displays a space separated list of streams that are excluded + +The table lists paths that are being filtered, displaying columns for Type, indicating if it is +being Included or Excluded, and Pattern. The order of the list determines what paths are included +and what paths are excluded. + +:::warning +Exclude takes precedence over the Include. For example, if the C:\OpenShare is +excluded, but the C:\OpenShare\Edward is included, the ‘OpenShare’ parent exclusion takes +precedence, and the ‘Edward’ child folder will not be monitored. +::: + + +:::note +If ‘Include’ is not listed under the Filter Type column (or no Include filter paths are +added), then all current and new discovered drives will be monitored. +::: + + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/processexclusions/_category_.json b/docs/activitymonitor/9.0/admin/outputs/processexclusions/_category_.json new file mode 100644 index 0000000000..e0e40e3721 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/processexclusions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Process Exclusions Tab", + "position": 80, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "processexclusions" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/processexclusions/addeditprocess.md b/docs/activitymonitor/9.0/admin/outputs/processexclusions/addeditprocess.md new file mode 100644 index 0000000000..215dd6bc2f --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/processexclusions/addeditprocess.md 
@@ -0,0 +1,20 @@ +--- +title: "Add or Edit Process Window" +description: "Add or Edit Process Window" +sidebar_position: 10 +--- + +# Add or Edit Process Window + +The Add or Edit Process window is opened from the Process Exclusions tab of a monitored host's +output Properties window. + +![Add or Edit Process popup window](/images/activitymonitor/9.0/admin/outputs/window/addoreditprocessprocessexclusions.webp) + +- Process name – Displays the name of the process to be excluded. You can enter a process name in + the textbox or select a process from the Running processes list. +- Filter – Indicates if the filter will be for **All events** or only **Read events** +- Running Processes – Lists all processes currently running on the host + +Then click OK. The Add or Edit Path window closes, and the path is added to the filtering list for +the monitored host. diff --git a/docs/activitymonitor/9.0/admin/outputs/processexclusions/processexclusions.md b/docs/activitymonitor/9.0/admin/outputs/processexclusions/processexclusions.md new file mode 100644 index 0000000000..74b079cab3 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/processexclusions/processexclusions.md 
@@ -0,0 +1,40 @@ +--- +title: "Process Exclusions Tab" +description: "Process Exclusions Tab" +sidebar_position: 80 +--- + +# Process Exclusions Tab + +The Process Exclusions tab on an output Properties window is where monitoring scope by Windows +processes can be modified. These settings are initially configured when the output is added. + +:::note +Netwrix product processes are excluded by default from activity monitoring. +::: + + +Select an output for a Windows file server host on the Monitored Hosts & Services tab and click **Edit** to +open the output Properties window. + +![Process Exclusions Tab](/images/activitymonitor/9.0/admin/outputs/processexclusions.webp) + +The tab contains the following settings and features: + +- Add – Opens the Add or Edit Process window to add a new process to the list. See the + [Add or Edit Process Window](/docs/activitymonitor/9.0/admin/outputs/processexclusions/addeditprocess.md) topic for additional information. +- Remove – Removes the selected path from the list. Confirmation is not requested. + + :::warning + If a process is removed by accident, use the **Cancel** button to discard the + change. + ::: + + +- Edit – Opens the Add or Edit Process window to modify the selected process. See the + [Add or Edit Process Window](/docs/activitymonitor/9.0/admin/outputs/processexclusions/addeditprocess.md) topic for additional information. + +The table lists process that will be excluded, displaying columns for Process Name and Events. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/protocols.md b/docs/activitymonitor/9.0/admin/outputs/protocols.md new file mode 100644 index 0000000000..f8b18ab844 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/protocols.md 
@@ -0,0 +1,23 @@ +--- +title: "Protocols Tab" +description: "Protocols Tab" +sidebar_position: 90 +--- + +# Protocols Tab + +The Protocols tab on an output Properties window is where monitoring scope by protocol can be +modified. These settings are initially configured when the output is added. + +Select an output from the Monitored Hosts & Services tab and click **Edit** to open the output Properties +window. + +![Protocols Tab](/images/activitymonitor/9.0/admin/outputs/protocolstab.webp) + +The tab contains the following settings: + +- Protocols – Indicates if **All** protocols, only **CIFS** protocols, or only **NFS** protocols are + included + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/syslog/_category_.json b/docs/activitymonitor/9.0/admin/outputs/syslog/_category_.json new file mode 100644 index 0000000000..f02dff6af7 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/syslog/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Syslog Tab", + "position": 100, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "syslog" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md b/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md new file mode 100644 index 0000000000..8e748ef3b7 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md 
@@ -0,0 +1,209 @@ +--- +title: "Message Template Window" +description: "Message Template Window" +sidebar_position: 10 +--- + +# Message Template Window + +The Message Template window is opened from the ellipsis (…) button for the Syslog Message Template +field on the Syslog tab of the output Properties window. + +![Message Template window](/images/activitymonitor/9.0/admin/outputs/window/syslogmessagetemplate.webp) + +You can select a preconfigured template from the drop-down menu or create a custom template. The +available preconfigured templates vary based on the type of domain/host selected. + +## For Monitored Domains + +Monitored Domains Syslog outputs have the following preconfigured Templates: + +- V 1.0 for AlienVault SIEM +- V 1.0 for Generic CEF SIEM – Incorporates the CEF message format +- V 1.0 for Generic LEEF SIEM – Incorporates the LEEF message format +- V 1.0 for Generic SYSLOG SIEM +- V 1.0 for HP ArcSight SIEM +- V 1.0 for LogRhythm SIEM +- V 1.0 for McAfee ESM SIEM +- V 1.0 for IBM QRadar SIEM +- V 1.0 for Splunk SIEM +- V 2.0 for IBM QRadar SIEM 7.2.4 +- V 2.0 for Splunk SIEM + +Custom templates can be created. Select the desired template or create a new template by modifying +an existing template within the Message Template window. The new message template will be named +Custom. Macro variables are also available to customize the Syslog message template. + +**Macro Variables for Monitored Domains** + +Macros are text strings that are replaced with actual values at run time. 
The following Macro +variables are available to customize the Syslog message template: + +| Variable | Definition | +| ------------------------------ | ------------------------------------------------------------------------------------ | +| %AFFECTED_OBJECT_ACCOUNT_NAME% | Affected Object Name | +| %AFFECTED_OBJECT_SID% | Affected Object SID | +| %ATTRIBUTE_NAME% | Attribute Name | +| %ATTRIBUTE_VALE% | New Attribute Value | +| %BLOCKED_EVENT% | True if the operation was denied, False otherwise | +| %CLASS_NAME% | Class Name | +| %COMPANY% | Company Name | +| %DN% | Distinguished Name of the Affected Object | +| %ERTYPE_ID% | Event Type ID | +| %EVENT_CODE% | Code | +| %EVENT_NAME% | Event Name | +| %EVENT_SOURCE_NAME% | Event Source Name | +| %EVENT_SOURCE_TYPE% | Event Source Type | +| %EVENTNAMETRANSLATED% | Translated Event Name | +| %EVENTS_COUNT% | Consolidated Events Count | +| %HOST% | Message Source Hostname | +| %OLD_ATTRIBUTE_VALUE% | Old Attribute Value | +| %OPERATION% | Operation Performed | +| %ORIGINATING_CLIENT% | Originating Client | +| %ORIGINATING_SERVER% | Originating Server | +| %ORIGINATING_SERVERIP% | Originating Server IP Address | +| %ORIGINATINGCLIENTHOST% | Originating Server Host Name | +| %ORIGINATINGCLIENTIP% | Originating Client IP Address | +| %ORIGINATINGCLIENTMAC% | Originating Client MAC | +| %ORIGINATINGCLIENTPROTOCOL% | Originating Client Protocol | +| %PERMISSIONS_SDDL_DESCRIPTION% | Windows only: Permission change details in readable format | +| %PERPETRATOR% | Perpetrator | +| %PERPETRATOR_NAME% | Perpetrator Name | +| %PERPETRATOR_SID% | Perpetrator SID | +| %USERNAME% | 'Username' part of the %PERPETRATOR_NAME% field if it is in 'DOMAIN\Username' format | +| %PRODUCT% | Product Name | +| %PRODUCT_VERSION% | Product Version | +| %SETTING_NAME% | Setting Name | +| %SUCCESS% | Success | +| %STATUS% | Status | +| %SYSLOG_DATE% | Current Date Time in Syslog Format | +| %SYSLOG_EVENTID% | Syslog Event ID | +| %TARGETHOST% | 
Target Host | +| %TARGETHOSTIP% | Target Host IP | +| %TIME_STAMP% | Date Timestamp of Event | +| %TIME_STAMP_UTC% | Date Timestamp of Event in UTC | + +## For Monitored Hosts/Services + +Monitored Hosts/Services Syslog outputs have the following preconfigured Templates: + +- AlienVault / Generic Syslog +- CEF – Incorporates the CEF message format +- HP Arcsight +- LEEF – Incorporates the LEEF message format +- LogRhythm +- McAfee +- QRadar – Use this template for IBM QRadar integration. See the + [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) topic for + additional information. +- Splunk – Use this template for Splunk integration. See the Configure the + [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) topic for additional + information. +- Netwrix Threat Manager (StealthDEFEND) – Use this template for Netwrix Threat Manager integration. + This is the only supported template for Threat Manager. + +Custom templates can be created. Select the desired template or create a new template by modifying +an existing template within the Message Template window. The new message template will be named +Custom. Macro variables are also available to customize the Syslog message template. + +**Macro Variables** + +Macros are text strings that are replaced with actual values at run time. Not all macro variables +are applicable to all environment types. 
The following Macro variables are available to customize +the Syslog message template: + +| Environment | Variable | Definition | +| ------------------------------------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ | +| SharePoint Online | %ABSOLUTE_URL% | Absolute URL of the affected object | +| SharePoint Online | %ACCESS% | Access granted by the sharing operation | +| SharePoint | %APPPRINCIPAL_ID% | App Principal ID | +| File Servers & NAS Devices | %ATTRIBUTE_NAME% | Rename events only: Fixed string: Filename | +| File Servers & NAS Devices | %ATTRIBUTE_VALUE% | Rename events only: New file path | +| File Servers & NAS Devices SharePoint | %BLOCKED_EVENT% | True if the operation was denied, False otherwise | +| SharePoint SharePoint Online | %CLIENT_IP% | IP address of the user | +| File Servers & NAS Devices SharePoint SharePoint Online | %COMPANY% | Fixed string: Netwrix | +| SharePoint Online | %CUSTOM_EVENT% | Custom Event information | +| SharePoint Online | %DEST_FILE_EXT% | New file extension of copied or moved file | +| SharePoint Online | %DEST_FILENAME% | Name of the file that is copied or moved | +| SharePoint Online | %DEST_RELATIVE_PATH% | URL of the destination folder where a folder is copied or moved | +| SharePoint Online | %DLP_EXCEPTION% | Reasons why a policy no longer applies and any information about false positive or override | +| SharePoint Online | %DLP_POLICY% | Policy(s) that triggered the event | +| SharePoint Online | %DLP_SENSITIVE% | Indicates whether the event contains the value of the sensitive data type (true/false) | +| SharePoint SharePoint Online | %DOC_LOCATION% | A relative URL of the file or document accessed by the user | +| SharePoint SharePoint Online | %EVENT_DATA% | - For SharePoint, raw event data - Fore SharePoint Online, additional event data | +| File Servers & NAS 
Devices | %EVENT_NAME% | Operation type: Read/Create/Update/Delete/Access Rights Change/ Rename/ ``. The same as %OPERATION% | +| SharePoint SharePoint Online | %EVENT_SOURCE% | Originating source of the event (SharePoint or ObjectModel) | +| File Servers & NAS Devices | %EVENT_SOURCE_NAME% | Domain name | +| SharePoint SharePoint Online | %EVENT_TYPE% | Event type | +| File Servers & NAS Devices | %FILE_NAME% | File name | +| File Servers & NAS Devices | %FILE_PATH% | Full path | +| File Servers & NAS Devices | %FILE_SIZE% | Size of File | +| File Servers & NAS Devices | %FILE_TYPE% | File extension | +| SharePoint | %FULL_PATH% | Full Path | +| File Servers & NAS Devices SharePoint SharePoint Online | %HOST% | Hostname of Agent | +| SharePoint Online | %ID% | Unique ID of the audit record | +| File Servers & NAS Devices | %IO_TYPE% | Type of I/O: Filesystem/VSS | +| SharePoint | %ITEM_ID% | Item ID | +| SharePoint SharePoint Online | %ITEM_TITLE% | Item title | +| SharePoint SharePoint Online | %ITEM_TYPE% | Item type (File, Folder, Web, Site, Tenant, DocumentLibrary, Page) | +| SharePoint Online | %LIST_ID% | ID of the List | +| SharePoint Online | %LIST_ITEM_ID% | ID of the List Item | +| SharePoint Online | %LIST_NAME% | Name of the List | +| SharePoint Online | %LIST_URL% | URL of the List | +| SharePoint | %LOCATION_TYPE% | Location type of the SharePoint document location | +| SharePoint Online | %MACHINE_DOMAIN_INFO% | Information about device sync operation | +| SharePoint Online | %MACHINE_ID% | Information about device sync operation | +| SharePoint Online | %NEW_DOC_LOCATION% | A relative URL to which the object is copied or moved | +| File Servers & NAS Devices | %NEW_FILE_NAME% | Rename event only: New file name | +| File Servers & NAS Devices | %NEW_FILE_PATH% | Rename event only: New full path | +| File Servers & NAS Devices | %NEW_FILE_TYPE% | New File Extension | +| File Servers & NAS Devices | %OBJECT_TYPE% | Object type: FILE/FOLD/UNK | +| File 
Servers & NAS Devices | %OLD_ATTRIBUTE_VALUE% | Rename only: Old file path | +| File Servers & NAS Devices | %OPERATION% | Operation type: Read/Create/Update/Delete/Access Rights Change/Rename/Unknown | +| SharePoint Online | %ORGANIZATION_ID% | Organization tenant ID | +| File Servers & NAS Devices | %ORIGINATING_CLIENT% | IP Address of originating client or process name | +| File Servers & NAS Devices | %ORIGINATING_CLIENT_HOST% | Hostname of originating client | +| File Servers & NAS Devices | %ORIGINATING_SERVER% | Hostname of monitored host | +| File Servers & NAS Devices | %ORIGINTAING_SERVER_IP% | IP Address of monitored host | +| SharePoint | %PARAM% | Parameters that come with the event | +| SharePoint | %PATH% | Truncated path | +| File Servers & NAS Devices | %PERMISSIONS_SDDL_DESCRIPTION% | Windows events only: Permission change details in readable format | +| File Servers & NAS Devices | %PERMISSIONS_SDDL_DIFF% | Windows events only: Permission change details in SDDL format, '`` ``' | +| File Servers & NAS Devices | %PERPETRATOR% | User name | +| File Servers & NAS Devices SharePoint SharePoint Online | %PRODUCT% | Fixed string: Activity Monitor | +| File Servers & NAS Devices SharePoint SharePoint Online | %PRODUCT_VERSION% | Product Version | +| File Servers & NAS Devices SharePoint SharePoint Online | %PROTOCOL% | Protocol type: CIFS/NFS/VSS/FTP/HDFS/HTTP/HTTPS/Unknown | +| File Servers & NAS Devices | %PROTOCOL_VERSION% | NetApp Data ONTAP Cluster-Mode device events only: Protocol Version | +| File Servers & NAS Devices | %RENAMEUNCPATH% | Rename events only: New UNC path / New NFS export path | +| SharePoint Online | %RESULT_STATUS% | Succeeded, PartiallySucceeded, Failed, True, or False | +| SharePoint Online | %SCOPE% | online or onprem | +| SharePoint Online | %SHARING_ID% | Unique ID of the sharing operation | +| SharePoint SharePoint Online | %SITE_ID% | ID of the Site | +| SharePoint Online | %SITE_NAME% | Name of the Site | +| SharePoint 
SharePoint Online | %SITE_URL% | URL of the Site | +| SharePoint Online | %SOURCE% | Source (SharePoint, SharePointFileOperation, …) | +| SharePoint Online | %SOURCE_FILE_EXT% | File extension | +| SharePoint Online | %SOURCE_FILENAME% | File or folder name | +| SharePoint | %SOURCE_NAME% | Source Name | +| SharePoint Online | %SOURCE_RELATIVE_PATH% | URL of the folder that contains the file accessed by the user | +| File Servers & NAS Devices SharePoint SharePoint Online | %SUCCESS% | True if the operation was allowed, False otherwise | +| File Servers & NAS Devices SharePoint SharePoint Online | %SYSLOG_DATE% | Timestamp of event (server time, Syslog format: MMM dd HH:mm:ss) | +| File Servers & NAS Devices | %TAGS% | Operation Tags. Reports 'Copy' for events that are probable copies | +| SharePoint Online | %TARGET_NAME% | UPN or name of the target user or group that a resource was shared with | +| SharePoint Online | %TARGET_TYPE% | Type of target user or group that a resource was shared with (Member, Guest, Group, or Partner) | +| File Servers & NAS Devices SharePoint SharePoint Online | %TIME_STAMP% | Timestamp of event (server time, format: yyyy-MM-dd HH:mm:ss.zzz) | +| SharePoint Online | %TIME_STAMP_OFFSET% | Timestamp of event with timezone offset (server time, format: yyyy-MM-ddTHH:mm:ss.zz+HH:mm) | +| File Servers & NAS Devices SharePoint SharePoint Online | %TIME_STAMP_UTC% | Timestamp of event (UTC, format: yyyy-MM-dd HH:mm:ss.zzz) | +| SharePoint Online | %TIME_STAMP_Z% | Timestamp of event (UTC, format: yyyy-MM-ddTHH:mm:ss.zzZ) | +| File Servers & NAS Devices | %UNCPATH% | UNC path / NFS export path | +| SharePoint Online | %UPDATE_TYPE% | Added, Removed, or Updated | +| SharePoint Online | %USER_AGENT% | User client or browser | +| SharePoint SharePoint Online | %USER_ID% | - For SharePoint, ID of the SharePoint user - For SharePoint Online, UPN of the user who performed the operation | +| SharePoint SharePoint Online | %USER_LOGIN% | - For 
SharePoint, SharePoint User Login / Encoded Claim - For SharePoint Online, An alternative ID of the user. "DlpAgent" for DLP events. | +| SharePoint SharePoint Online | %USER_NAME% | SharePoint user name | +| File Servers & NAS Devices SharePoint | %USER_SID% | User SID or UID | +| SharePoint Online | %USER_TYPE% | Type of the user performed the operation | +| SharePoint Online | %VERSION% | New version of the document/version of deleted document | +| SharePoint | %WEB_APPLICATION_NAME% | Title of the SharePoint Web Application | +| SharePoint SharePoint Online | %WEB_TITLE% | Title of the Site Collection | +| SharePoint Online | %WORKLOAD% | Office 356 service where the activity occurred | diff --git a/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md b/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md new file mode 100644 index 0000000000..49e9be7f76 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/syslog/syslog.md 
@@ -0,0 +1,203 @@ +--- +title: "Syslog Tab" +description: "Syslog Tab" +sidebar_position: 100 +--- + +# Syslog Tab + +The Syslog tab on an output Properties window is where the SIEM integration settings can be +modified. These settings are initially configured when the output is added. For a monitored hosts/services +output, this tab can also be used for integration with Netwrix Threat Manager. + +Select a Syslog output from either the Monitored Domains tab or the Monitored Hosts & Services tab and click +**Edit** to open the output Properties window. The tab varies based on the type of domain/host +selected. + +## For Active Directory Domains + +The tab contains the following settings: + +![syslogactivedirectory](/images/activitymonitor/9.0/admin/outputs/syslogactivedirectory.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. 
+- Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event + reporting is enabled, which means the agent will send out status messages every five minutes to + verify whether the connection is still active. + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Linux Hosts + +The tab contains the following settings: + +![sysloglinux](/images/activitymonitor/9.0/admin/outputs/sysloglinux.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10001. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. + + - UPD is the only protocol supported for Threat Manager. + +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. 
The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. +- Add C:\ to the beginning of the reported file paths – Indicates a Windows-style drive path (C:\) + is added to the beginning of the NAS file paths in the activity data stream, e.g. + `C:\Folder\file.txt` + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Microsoft Entra ID, SharePoint Online, and SQL Server Hosts + +The tab contains the following settings: + +![syslogentraid](/images/activitymonitor/9.0/admin/outputs/syslogentraid.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). 
+- Syslog message template – Template that controls what data is sent in the event stream. The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For NAS Device Hosts + +The tab contains the following settings: + +![syslognas](/images/activitymonitor/9.0/admin/outputs/syslognas.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10000. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. + + - UPD is the only protocol supported for Threat Manager. + +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. 
The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. +- Add C:\ to the beginning of the reported file paths – Indicates a Windows-style drive path (C:\) + is added to the beginning of the NAS file paths in the activity data stream, e.g. + `C:\Folder\file.txt` +- Resolve UNC paths + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. + +## For Windows File Server Hosts + +The tab contains the following settings: + +![syslogwindows](/images/activitymonitor/9.0/admin/outputs/syslogwindows.webp) + +- Syslog server in SERVER:PORT format – Server name of the SIEM server and the communication port + being used between the applications. The format must be SERVER:PORT, e.g. newyorksrv20:10000. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10001. + +- Syslog protocol – Identifies which protocol is used for the Event stream. The drop-down menu + includes: UDP, TCP, and TLS. + + - UPD is the only protocol supported for Threat Manager. + +- Message framing – The TCP and TLS Syslog protocols require Message framing to be set. 
The + drop-down menu includes: LS (ASCII 10) delimiter, CR (ASCII 13) delimiter, CRLF (ASCII 13, 10) + delimiter, NUL (ASCII 0) delimiter, and Octet Count (RFC 5425). +- Syslog message template – Template that controls what data is sent in the event stream. The + ellipsis (…) button opens the Syslog Message Template window. See the + [Message Template Window](/docs/activitymonitor/9.0/admin/outputs/syslog/messagetemplate.md) topic for additional information. +- Resolve UNC paths + +The Test button sends a test message to the Syslog server to check the connection. A green check +mark or red x will indicate whether the test message has been sent or failed to send. Test messages +vary by Syslog protocol: + +- UDP protocol – Sends a test message and does not verify connection +- TCP protocol – Sends test message and verifies connection +- TLS protocol – Sends test message and verifies connection and shows an error if TLS handshake + fails + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/outputs/threatmanager.md b/docs/activitymonitor/9.0/admin/outputs/threatmanager.md new file mode 100644 index 0000000000..6c8b71842b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/outputs/threatmanager.md 
@@ -0,0 +1,39 @@ +--- +title: "Threat Manager Tab" +description: "Threat Manager Tab" +sidebar_position: 110 +--- + +# Threat Manager Tab + +The Threat Manager tab on an output Properties window is where the connection between Activity +Monitor and Netwrix Threat Manager can be modified. These settings are initially configured when the +output is added. + +An App Token created by Netwrix Threat Manager is used to authenticate connection between the +applications. See the App Tokens Page topic of the +[Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend) for +additional information. + +Select a Threat Manager output from the Monitored Domains tab and click **Edit** to open the output +Properties window. + +![threatmanager](/images/activitymonitor/9.0/admin/outputs/threatmanager.webp) + +The tab contains the following settings: + +- Server in SERVER:PORT format – Server name of the Netwrix Threat Manager application server and + the communication port being used between the applications. The format must be SERVER:PORT, e.g. + newyorksrv10:10001. + + - The server name can be short name, fully qualified name (FQDN), or IP Address, as long as the + organization’s environment can resolve the name format used. + - The default port for Netwrix Threat Manager is 10001. + +- App Token – App Token generated on the App Tokens page of the Netwrix Threat Manager console. +- Enable periodic AD Status Check event reporting – Indicates periodic AD Status Check event + reporting is enabled, which means the agent will send out status messages every five minutes to + verify whether the connection is still active. + +Click **OK** to commit the modifications. Click **Cancel** to discard the modifications. The output +Properties window closes. diff --git a/docs/activitymonitor/9.0/admin/overview.md b/docs/activitymonitor/9.0/admin/overview.md new file mode 100644 index 0000000000..aee308ac09 --- /dev/null 
+++ b/docs/activitymonitor/9.0/admin/overview.md 
@@ -0,0 +1,36 @@ +--- +title: "Administration" +description: "Administration" +sidebar_position: 40 +--- + +# Administration + +The Activity Monitor Console is used to deploy and manage activity agents, configure host +monitoring, and search events within activity log files. + +![Activity Monitor with Navigation tabs identified](/images/activitymonitor/9.0/admin/activitymonitormain.webp) + +There are up to three tabs at the top left of the window: + +- Agents – Deploy activity / AD agents and manage settings. This is the only tab available until an + agent is installed. See the [Agent Information](/docs/activitymonitor/9.0/install/agents/agents.md) topic for additional + information +- Monitored Domains – Configure activity monitoring per host (appears after the first Active + Directory agent is deployed). See the [Monitored Domains Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/overview.md) topic + for additional information. +- Monitored Hosts & Services – Configure activity monitoring per host (appears after first activity agent is + deployed). See the [Monitored Hosts & Services Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/overview.md) +- Search – Magnifying glass icon used to search activity log files (appears after first activity + agent is deployed) + + - See the [Search Feature](/docs/activitymonitor/9.0/admin/search/overview.md) topic for additional information. + +In the Status bar at the bottom of the console is the following information: + +- Version – Version number for the Activity Monitor +- License information – Identifies the organization associated with the license. See the + [Install Application](/docs/activitymonitor/9.0/install/application.md) topic for additional information. +- Trace Level – Creates Trace Logs to provide troubleshooting information. See the + [Trace Logs](/docs/activitymonitor/9.0/troubleshooting/tracelogs.md) topic for additional information. +- Collect Logs – Collects Trace Logs produced by Trace level 
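Review bot: the `Monitored Domains` bullet reuses the wording of the `Monitored Hosts & Services` bullet, `Configure activity monitoring per host`, but this tab appears after the first Active Directory agent is deployed and its linked topic is Monitored Domains, so it should read `Configure activity monitoring per domain`. Two smaller consistency points in the same list: the `Agents` bullet ends `topic for additional information` with no period, and the `Monitored Hosts & Services` bullet drops the `topic for additional information.` phrase that the other bullets use.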
diff --git a/docs/activitymonitor/9.0/admin/search/_category_.json b/docs/activitymonitor/9.0/admin/search/_category_.json new file mode 100644 index 0000000000..2d95527c49 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Search Feature", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/activedirectory/_category_.json b/docs/activitymonitor/9.0/admin/search/activedirectory/_category_.json new file mode 100644 index 0000000000..0f8206778d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/activedirectory/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Active Directory Search Query", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "activedirectory" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/activedirectory/activedirectory.md b/docs/activitymonitor/9.0/admin/search/activedirectory/activedirectory.md new file mode 100644 index 0000000000..6c9544708d --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/activedirectory/activedirectory.md 
@@ -0,0 +1,139 @@ +--- +title: "Active Directory Search Query" +description: "Active Directory Search Query" +sidebar_position: 10 +--- + +# Active Directory Search Query + +You can search domain activity that has been monitored and recorded to a File output. When you +select **Active Directory** from the magnifying glass drop-down menu, a New Search tab opens with +the applicable query filters. + +![Search - Active Directory New Search Tab](/images/activitymonitor/9.0/admin/search/query/activedirectorynewsearchtab.webp) + +The filters are separated into the following categories: + +- General +- Object Changes +- LSASS Guardian +- LDAP Queries +- Authentication + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category addresses who, what, where, and when an object, user, host, or domain +controller is affected by the events selected in the other categories. The time frame filter must be +configured for every search query. + +![Active Directory Search - General Filter](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Event Source – Set which query categories will be used. The drop-down menu displays a checkbox + list of categories. +- Event Result – Filter the data for a specific event result: Any, Success, or Failure +- Event Block – Filter the data for a specific event result related to blocking: Any, Allowed, or + Blocked +- Agent Hosts – Filter the data for a specific agent +- Agent Domains – Filter the data for a specific domain +- Affected Object Name – Filter the data for a specific affected object name +- Affected Object Class – Filter the data for a specific affected object class +- User – Filter the data for a specific user, or perpetrator of the event + + - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify + account or group window. Use this window to resolve the account for the user. 
See the + [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for + additional information. + +- From Hosts – Filter the data for a specific originating host of the event +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## Object Changes Category + +The Object Changes category scopes the query by objects with change activity. + +![Object Changes Filter](/images/activitymonitor/9.0/admin/search/query/objectchangesfilters.webp) + +This section has the following filters: + +- Account Changes – Filter the data by the type of account change: All, Account Locked, Account + Unlocked, Account Disabled, Account Enabled, Password Changed +- Membership Changes – Filter the data by the type of group membership change: All, Group Members + Added, Group Members Removed, Group Members Changed +- Object Changes – Filter the data by the type of group membership change: All, Object Moved, Object + Renamed, Object Added, Object Modified, Object Deleted +- New Object Name – Filter the data for a specific new object name +- Old Object Name – Filter the data for a specific old object name +- Attribute Name – Filter the data for a specific attribute name +- Attribute Value – Filter the data for a specific attribute value + +## LSASS Guardian Category + +The LSASS Guardian category scopes the query by LSASS Guardian activity. + +![LSASS Guardian Filters](/images/activitymonitor/9.0/admin/search/query/lsassguardianfilters.webp) + +This section has the following filters: + +- Process Name – Filter the data for a specific process name +- Process ID – Filter the data for a specific process ID +- Events – Filter the data by the type of event: All, Create Handle, Duplicate Handle + +## LDAP Queries Category + +The LDAP Queries category scopes the query by LDAP query activity. 
+ +![LDAP Queries Filter](/images/activitymonitor/9.0/admin/search/query/ldapqueriesfilters.webp) + +This section has the following filters: + +- Query – Filter the data for a specific LDAP query +- Connection – Filter the data by the type of connection : Any, Secure, Nonsecure + +## Authentication Category + +The Authentication category scopes the query by authentication activity. + +![Authentication Filters](/images/activitymonitor/9.0/admin/search/query/authenticationfilters.webp) + +This section has the following filters: + +- Target Host – Filter the data for a specific host +- Authentication – Filter the data by the type of authentication: All, Kerberos, NTLM +- NTLM Logon Type – Filter the data by the type of NTLM Logon: All, Interactive, Network, Service, + Generic, Transitive Interactive, Transitive Network, Transitive Service +- NTLM Version – Filter the data by the type of NTLM version: Any, V1, V2 +- Encryption – Filter the data for a specific encryption +- SPN – Filter the data for a specific service principal name (SPN) +- Accounts – Filter the data by the type of account: Any, Existing, Nonexistent +- Ticket Type – Filter the data by the type of ticket type: Any, AS, TGS +- Search For – Filter the data by the selected item: Previous passwords usage only, Forged PAC only diff --git a/docs/activitymonitor/9.0/admin/search/activedirectory/activedirectory_1.md b/docs/activitymonitor/9.0/admin/search/activedirectory/activedirectory_1.md new file mode 100644 index 0000000000..429dc0dfc0 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/activedirectory/activedirectory_1.md 
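Review bot: in the Object Changes Category list, `Object Changes – Filter the data by the type of group membership change: All, Object Moved, ...` repeats the description of the preceding Membership Changes filter; it should say `by the type of object change`. Also fix the typo `match the value against on of the following` (`one of`) under Filter Value Entry, which is copied into the other search query pages in this patch as well, and the stray space in `Filter the data by the type of connection : Any` in the LDAP Queries list.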
@@ -0,0 +1,58 @@ +--- +title: "Active Directory Search Results" +description: "Active Directory Search Results" +sidebar_position: 10 +--- + +# Active Directory Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per AD agent. +You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![Active Directory Search Results](/images/activitymonitor/9.0/admin/search/results/activedirectorysearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Server where the Agent is deployed +- Host – Target host where the event was recorded +- Host Name – Name of the target host +- Host IP – IP address of the target host +- Host MAC – Network adapter identifier +- User – Security principal of the account that triggered the event +- User SID – Security Identifier of the account used in the event +- User Name –  Name for the security principal that triggered the event +- User Class – Active Directory class of the affected object +- Blocked – Indicates the Agent blocked the event from occurring +- Success – Indicates the event completed successfully +- Event Source – Location of Monitored host where event occurred +- Event Type – Indicates the type of event +- Affected Object – Active Directory distinguished name for the affected object +- Affected Object SID – Security Identifier of the object/account affected by the event +- Affected Object Name – Name of the Affected Object +- Protocol – Protocol(s) used for the monitored operation +- Query Filter – LDAP filter used in the operation +- Secured Query – 
Indicates if LDAP connection is secured or not +- Query Objects – Number of returned objects produced by the LDAP request +- Process Name – Contains process name that is monitored. Currently this is only lsass.exe. +- PID – Process Identifier generated for each active process +- Old Name – Value prior to the monitored change +- New Name – Value after the monitored change +- Authentication Type – Indicates type of authentication event. Possible values: Kerberos, NTLM. +- Target Host – Name of the originating host +- Target IP – IP address of the originating host +- Authentication Protocol – Indicates authentication protocol. Possible values: Unknown, Kerberos, + KerberosTgs, KerberosAs, NTLM, NTLMv1, NTLMMixed, NTLMv2. +- NTLM Logon Type – Indicates type of protocol used to authenticate a connection between client and + server +- Ticket Encryption – Indicates encryption type used in request part of the Kerberos ticket +- PAC – RID for the group that does not have access +- SPN – Detects attempts to obtain a list of Service Principal Name values +- User Exists –  Indicates if user exists +- N2 Password – Indicates if an invalid password matches the user’s password history + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. diff --git a/docs/activitymonitor/9.0/admin/search/entraid/_category_.json b/docs/activitymonitor/9.0/admin/search/entraid/_category_.json new file mode 100644 index 0000000000..a074277bbf --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/entraid/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Microsoft Entra ID Search Query", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "entraid" + } +} \ No newline at end of file 
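Review bot: several column descriptions in the results grid do not match the column names. `User Class – Active Directory class of the affected object` sits among the User columns but describes the affected object, which already has its own Affected Object columns; it presumably should be the class of the account that triggered the event. `Target Host – Name of the originating host` and `Target IP – IP address of the originating host` describe the target as the originator, while the query page lists `From Hosts` as the originating host and `Target Host` as a separate filter; one of the two pages needs correcting. `SPN – Detects attempts to obtain a list of Service Principal Name values` describes a detection rather than what the column contains; state the value shown in the cell, and spell out what `N2 Password` and `PAC – RID for the group that does not have access` mean, since neither name is self-explanatory.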
diff --git a/docs/activitymonitor/9.0/admin/search/entraid/entraid.md b/docs/activitymonitor/9.0/admin/search/entraid/entraid.md new file mode 100644 index 0000000000..19147abcbc --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/entraid/entraid.md 
@@ -0,0 +1,136 @@ +--- +title: "Microsoft Entra ID Search Query" +description: "Microsoft Entra ID Search Query" +sidebar_position: 40 +--- + +# Microsoft Entra ID Search Query + +You can search activity in Microsoft Entra ID (Azure AD) that has been monitored and recorded to a +File output. When you select **Azure AD / Entra ID** from the magnifying glass drop-down menu, a New +Search tab opens with the applicable query filters. + +![Search Query - Entra ID](/images/activitymonitor/9.0/admin/search/query/searchquery.webp) + +The filters are separated into the following categories: + +- General +- User +- Audit Events +- Target Resource +- Sign-in Events +- Location + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![Search Query - General Filter](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Source – Set which query categories will be used. The drop-down menu displays a checkbox list of + categories. +- Event Result – Filter the data for a specific event result: Any, Success, or Failure +- Reason +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. + +![Search Query - User](/images/activitymonitor/9.0/admin/search/query/userfilters.webp) + +This section has the following filters: + +- Name or ID +- IP Address +- Client App or Browser +- Client OS + +## Audit Events Category + +The Audit Events category scopes the query by the event type of the activity. 
+ +![Search Query - Audit Events](/images/activitymonitor/9.0/admin/search/query/auditeventsfilters.webp) + +This section has the following filters: + +- Service – Filter the data by the Microsoft Entra ID service: All, AAD Management UX, Access + Reviews, Account Provisioning, Application Proxy, Authentication Methods, B2C, Conditional Access, + Core Directory, Device Registration Service, Entitlement Management, Hybrid Authentication, + Identity Protection, Invited Users, MIM Service, MyApps, PIM, Self-service Group Management, + Self-service Password Management, Terms of Use +- Category – Filter the data by the category type of activity: All, AdministrativeUnit, + ApplicationManagement, Authentication, Authorization, AuthorizationPolicy, Contact, Device, + DeviceConfiguration, DirectoryManagement, EntitlementManagement, GroupManagement, + IdentityProtection, KerberosDomain, KeyManagement, Label, Other, PermissionGrantPolicy, Policy, + PolicyManagement, ResourceManagement, RoleManagement, UserManagement +- Type – Filter the data by the type of activity: All, Add, Delete, Update, Assign, Unassign +- Operation + +## Target Resource Category + +The Target Resource category scopes the query by the target of the activity. + +![Search Query - Target Resource](/images/activitymonitor/9.0/admin/search/query/targetresourcefilters.webp) + +This section has the following filters: + +- Target +- Property +- Modifications – Filter the data to a specific type of modification: All, No changes, Has attribute + changes + +## Sign-in Events Category + +The Sign-in Events category scopes the query by the sign-in event. + +![Search Query - Sign-in Events](/images/activitymonitor/9.0/admin/search/query/signinevents.webp) + +This section has the following filters: + +- Risk +- Conditional Access + +## Location Category + +The Location category scopes the query by the location of the user. 
+ +![Search Query - Location](/images/activitymonitor/9.0/admin/search/query/locationfilters.webp) + +This section has the following filters: + +- City +- State +- Country diff --git a/docs/activitymonitor/9.0/admin/search/entraid/entraid_1.md b/docs/activitymonitor/9.0/admin/search/entraid/entraid_1.md new file mode 100644 index 0000000000..eca85a7094 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/entraid/entraid_1.md 
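Review bot: many filters in this topic are listed by name only with no description: `Reason` in the General list, all four items under User Category (`Name or ID`, `IP Address`, `Client App or Browser`, `Client OS`), `Operation` under Audit Events, `Target` and `Property` under Target Resource, `Risk` and `Conditional Access` under Sign-in Events, and `City`, `State`, `Country` under Location. The other search query pages in this patch give each filter a one-line description and its accepted values; add the same here, in particular for `Risk` and `Conditional Access`, where the selectable values are not obvious. The `on of the following` typo in Filter Value Entry also recurs here.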
@@ -0,0 +1,52 @@ +--- +title: "Microsoft Entra ID Search Results" +description: "Microsoft Entra ID Search Results" +sidebar_position: 10 +--- + +# Microsoft Entra ID Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![Azure Active Directory - Search Results](/images/activitymonitor/9.0/admin/search/results/searchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Source – Indicates the source of the activity event +- Result – Indicates whether the event resulted in a Success or Failure +- Result Reason – If an event resulted in a Failure, the reason for it will be listed in the Result + Reason column +- User – Indicates user account associated with the event +- IP Address – Indicates the IP Address associated with the event +- Application – Indicates the Application associated with the event +- Service – Indicates the Service associated with the event +- Category – Indicates the Category associated with the event. Categories returned from search + queries can be configured using the Category filter drop-down. +- Operation - Indicates the Operation associated with the event. Operations returned from search + queries can be configured using the Operation filter drop-down. +- Type – Indicates the Type associated with the event. Types returned from search queries can be + configured using the Type filter drop-down. 
+- Target(s) – Indicates the Target(s) of the event +- Modified – Indicates modifications associated with the event +- Client App – Indicates the Client App associated with the event +- OS – Indicates the OS associated with the event +- Browser – Indicates the browser associated with the event +- City – Indicates the City associated with the event +- State – Indicates the State associated with the event +- Country – Indicates the Country associated with the event +- Coordinates – Indicates the Coordinates associated with the event +- Interactive – Indicates whether the event was an Interactive event +- Risk – Indicates the level of Risk associated with events +- Conditional Access – Indicates whether Conditional Access was applied to the event +- Conditional Policy – Indicates whether a Conditional Policy was applied to the event +- Details – If applicable, provides additional information associated with the event that is not + provided by the other Results columns + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. diff --git a/docs/activitymonitor/9.0/admin/search/exchangeonline/_category_.json b/docs/activitymonitor/9.0/admin/search/exchangeonline/_category_.json new file mode 100644 index 0000000000..b1c8e07fad --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/exchangeonline/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Exchange Online Search Query", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "exchangeonline" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/exchangeonline/exchangeonline.md b/docs/activitymonitor/9.0/admin/search/exchangeonline/exchangeonline.md new file mode 100644 index 0000000000..6b380a1d4a --- /dev/null 
+++ b/docs/activitymonitor/9.0/admin/search/exchangeonline/exchangeonline.md 
@@ -0,0 +1,105 @@ +--- +title: "Exchange Online Search Query" +description: "Exchange Online Search Query" +sidebar_position: 50 +--- + +# Exchange Online Search Query + +You can search Exchange Online activity that has been monitored and recorded to a File output. When +you select **Exchange Online** from the magnifying glass drop-down menu, a New Search tab opens with +the applicable query filters. + +![Exchange Online - Search Quary Bar](/images/activitymonitor/9.0/admin/search/query/searchquerybar.webp) + +The filters are separated into the following categories: + +- General Category +- User Category +- Target Category +- DLP Category + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters.You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![Exchange Online - General Category](/images/activitymonitor/9.0/admin/search/query/general.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Source – Filter the data by the source type: All, Admin Audit, Mailbox Access, DLP, Sensitivity + Label, Other + + :::note + Disabling a source that is also a category will hide that category from the query + options. + ::: + + +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. + +![Exchange Online Search - User Filter](/images/activitymonitor/9.0/admin/search/query/user.webp) + +This section has the following filters: + +- Name or UPN – Filter the data by name or User Principal Name (UPN) +- User Type – Filter the data by the type of user: All, Regular, Reserved, Admin, DcAdmin, System, + Application, ServicePrincipal, CustomPolicy, SystemPolicy, Unknown +- IP Address – Filter the data by IP address. +- Client App or Browser – Filter the data by specified client application or browser. 
+ +## Target Category + +The Target category scopes the query by the target of the file. + +![Exchange Online Search - Target Filter](/images/activitymonitor/9.0/admin/search/query/target.webp) + +This section has the following filters: + +- Object +- Mailbox +- Accessed Mail + +## DLP Category + +The DLP category scopes the query by the DLP policy. + +![Exchange Online Search - DLP Filter](/images/activitymonitor/9.0/admin/search/query/dlp.webp) + +This section has the following filters: + +- Policy Name diff --git a/docs/activitymonitor/9.0/admin/search/exchangeonline/exchangeonline_1.md b/docs/activitymonitor/9.0/admin/search/exchangeonline/exchangeonline_1.md new file mode 100644 index 0000000000..f4ad663c59 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/exchangeonline/exchangeonline_1.md 
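Review bot: `The Target category scopes the query by the target of the file.` appears to be carried over from the File search topic; the filters below it are `Object`, `Mailbox` and `Accessed Mail`, so for Exchange Online it should read `by the target of the activity`, and those three filters (and `Policy Name` under DLP) need descriptions like the ones in the User Category list. Also fix `Search Quary Bar` in the image alt text, the missing space in `match the filters.You can`, and the `on of the following` typo.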
@@ -0,0 +1,33 @@ +--- +title: "Exchange Online Search Results" +description: "Exchange Online Search Results" +sidebar_position: 10 +--- + +# Exchange Online Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![Exchange Online - Search Results](/images/activitymonitor/9.0/admin/search/results/searchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Source – Indicates the source of the activity event +- Operation - Operation associated with event +- User – Indicates user account associated with the event +- User Type - Type of user associated with event +- External – Indicates whether external sharing is associated with the event +- IP Address – Indicates the IP Address associated with the event +- Object - Object associated with event +- Mailbox - The mailbox associated with the event +- Modified - Indicates whether a modification is associated with the event +- DLP Policy - If applicable, indicates the DLP Policy associated with the event + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. diff --git a/docs/activitymonitor/9.0/admin/search/file/_category_.json b/docs/activitymonitor/9.0/admin/search/file/_category_.json new file mode 100644 index 0000000000..2d6c8a01bf --- /dev/null 
+++ b/docs/activitymonitor/9.0/admin/search/file/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "File Search Query", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "file" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/file/file.md b/docs/activitymonitor/9.0/admin/search/file/file.md new file mode 100644 index 0000000000..c8d1b17e0b --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/file/file.md 
@@ -0,0 +1,73 @@ +--- +title: "File Search Query" +description: "File Search Query" +sidebar_position: 20 +--- + +# File Search Query + +You can search Windows file server and NAS device activity that has been monitored and recorded to a +File output. When you select **File** from the magnifying glass drop-down menu, a New Search tab +opens with the applicable query filters. + +![Search UI Options Toolbar](/images/activitymonitor/9.0/admin/search/query/searchuitop.webp) + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. +- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## Query Filter Options + +The sections have the following filters: + +- Events time range – The time frame filter must be configured for every search query: + + - From – Set the date and timestamp for the start of the activity range. The drop-down menu + opens a calendar. 
+ - To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. + +- File Path – Filter the data for a specific file path where activity has occurred +- Hosts – Filter the data for a specific target host of the event +- Source – Filter the data for a specific source of the activity: + + - For local Windows activity, filter by a process name like notepad.exe + - For network Windows activity, filter by the IP Address of the user + - For NAS device activity, filter by the IP Address for the NAS device of the user + +- User/Group – Filter the data for a specific user, or perpetrator of the event. You can also filter + by a group. + + - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify + account or group window. Use this window to resolve the account for the user. See the + [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for + additional information. + +- GID +- Types – Filter the data for a specific event result: All, Success, Fail +- Operations – Filter the data by the type of file operation: Read, Add, Update, Delete, Rename, + Permissions. The Operations checkbox at the top acts as select/deselect all option. +- I/O Type – Filter the data by the type of input/output: Filesystem, Shadow copy (VSS). The I/O + Type checkbox at the top acts as select/deselect all option. +- Object Type – Filter the data by the type of file object: File, Folder, Link, Share. The Object + Types checkbox at the top acts as select/deselect all option. +- Search limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. diff --git a/docs/activitymonitor/9.0/admin/search/file/file_1.md b/docs/activitymonitor/9.0/admin/search/file/file_1.md new file mode 100644 index 0000000000..6e70de1e46 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/file/file_1.md 
@@ -0,0 +1,78 @@ +--- +title: "File Search Results" +description: "File Search Results" +sidebar_position: 10 +--- + +# File Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![File Search Results UI](/images/activitymonitor/9.0/admin/search/results/filesearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Host – Monitored host where the event occurred +- Operation – Type of the activity event which was monitored +- User – User account that performed the activity event +- Object – Type of object the activity event occurred upon: + + - File + - Folder + - Unknown + +- Path – Path where the operation occurred +- New Path – For rename operation events only, the path’s new location/name +- UNC Path – UNC path employed by a remote user to access the share, folder, and/or file +- New UNC Path – For rename operation events only, the UNC path’s new location/name employed by a + remote user +- Source – Indicates the source of the activity event + + - For local Windows activity – Process name (e.g. notepad.exe) + - For network Windows activity – IP Address of the user + - For NAS device activity – IP Address for the NAS device of the user + +- Share Name – Name of share where the activity event occurred. This includes NFS. 
+- I/O Type – Displays the input/output type +- Protocol – Communication protocol used to access the share, folder, and/or file: + + - CIFS + - NFS + - VSS + - HTTP + +- Protocol Version – Displays the Protocol Version for NetApp Data ONTAP Cluster-Mode device. This + field is empty for all other servers/devices. +- File Size — Displays the file size +- Tags — _(Windows Only)_ Operation tags. Reports 'Copy' for events that are probably copies. +- Group — Displays the Group Name or ID (GID) + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. + +## Permissions Changes + +When the results data grid displays information about permissions changes, additional information is +made available. + +![Search Results with Permissions listed in the Operations Column](/images/activitymonitor/9.0/admin/search/results/filesearchresultspermissionsimage.webp) + +A link displays in the **Operation** column of the results data grid. Click the Permissions Change +link to open the Permissions Change Details window. + +![File Search Results Permissions link popup window](/images/activitymonitor/9.0/admin/search/results/permissionslpopupwindow.webp) + +The window displays details about the changes of the security descriptor with information from the +new line added to a DACL: + +- Change – Type of change which occurred (Added, Removed, etc.) +- Trustee – SAM account name of the affected object +- Type – Type of permission applied (Allow/Deny) +- Access Rights – Rights associated with the type of permission change +- Inheritance – Indicates how the permission change is inherited diff --git a/docs/activitymonitor/9.0/admin/search/linux/_category_.json b/docs/activitymonitor/9.0/admin/search/linux/_category_.json new file mode 100644 index 0000000000..427a7451c6 --- /dev/null 
+++ b/docs/activitymonitor/9.0/admin/search/linux/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Linux Search Query", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "linux" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/linux/linux.md b/docs/activitymonitor/9.0/admin/search/linux/linux.md new file mode 100644 index 0000000000..005e362d76 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/linux/linux.md 
@@ -0,0 +1,66 @@ +--- +title: "Linux Search Query" +description: "Linux Search Query" +sidebar_position: 30 +--- + +# Linux Search Query + +You can search Linux file server and NAS device activity that has been monitored and recorded to a +File output. When you select **Linux** from the magnifying glass drop-down menu, a New Search tab +opens with the applicable query filters. + +![Linux Search Query](/images/activitymonitor/9.0/admin/search/query/linuxsearchquerybar.webp) + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. +- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## Query Filter Options + +The sections have the following filters: + +- Events time range – The time frame filter must be configured for every search query: + + - From – Set the date and timestamp for the start of the activity range. The drop-down menu + opens a calendar. 
+ - To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. + +- File Path – Filter the data for a specific file path where activity has occurred +- Hosts – Filter the data for a specific target host of the event +- Source – Filter the data for a specific source of the activity +- User/Group – Filter the data for a specific user, or perpetrator of the event. You can also filter + by a group. + + - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify + account or group window. Use this window to resolve the account for the user. See the + [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for + additional information. + +- GID +- Types – Filter the data for a specific event result: All, Success, Fail +- Operations – Filter the data by the type of file operation: Read, Add, Update, Delete, Rename, + Permissions. The Operations checkbox at the top acts as select/deselect all option. +- I/O Type – Filter the data by the type of input/output: Filesystem, Shadow copy (VSS). The I/O + Type checkbox at the top acts as select/deselect all option. +- Object Type – Filter the data by the type of file object: File, Folder, Link, Share. The Object + Types checkbox at the top acts as select/deselect all option. diff --git a/docs/activitymonitor/9.0/admin/search/linux/linux_1.md b/docs/activitymonitor/9.0/admin/search/linux/linux_1.md new file mode 100644 index 0000000000..ac975d3d8a --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/linux/linux_1.md 
@@ -0,0 +1,43 @@ +--- +title: "Linux Search Results" +description: "Linux Search Results" +sidebar_position: 10 +--- + +# Linux Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per Linux +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![linuxsearchresults](/images/activitymonitor/9.0/admin/search/results/linuxsearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Host – Monitored host where the event occurred +- Operation – Type of the activity event which was monitored +- User – User account that performed the activity event +- Object – Type of object the activity event occurred upon: + + - File + - Folder + - Unknown + +- Path – Path where the operation occurred +- New Path – For rename operation events only, the path’s new location/name +- UNC Path – UNC path employed by a remote user to access the share, folder, and/or file +- New UNC Path – For rename operation events only, the UNC path’s new location/name employed by a + remote user +- Source – Indicates the source of the activity event +- Share Name – Name of share where the activity event occurred. This includes NFS. +- I/O Type – Displays the input/output type +- Protocol — Will be LOCAL for Linux Activity +- Protocol Version — This field is empty for Linux Activity +- GID — Group ID associated with event + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. 
The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. diff --git a/docs/activitymonitor/9.0/admin/search/overview.md b/docs/activitymonitor/9.0/admin/search/overview.md new file mode 100644 index 0000000000..f52d47c288 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/overview.md 
@@ -0,0 +1,99 @@ +--- +title: "Search Feature" +description: "Search Feature" +sidebar_position: 50 +--- + +# Search Feature + +The search feature consolidates and compartmentalizes search results based on events, time, objects, +users, hosts, etc. Search results populate based on which query filters are chosen. Results may then +be sorted, filtered, and/or exported into a CSV file or JSON file, depending on the type data. + +![Search Tab](/images/activitymonitor/9.0/admin/search/searchtab.webp) + +:::note +Search results are pulled from the File output of the monitored host or domain. +::: + + +To open the search feature, click the magnifying glass icon and select from the following options: + +- File – Search for monitored file activity on Windows servers and NAS devices. See the File Search + Query topic for additional information. +- Active Directory – Search for monitored domain activity. See the Active Directory Search Query + topic for additional information. +- Azure AD / Entra ID – Search for monitored tenant activity in Microsoft Entra ID (formerly Azure + AD). See the Microsoft Entra ID Search Query topic for additional information. +- SharePoint – Search for monitored SharePoint activity. See the SharePoint Search Query topic for + additional information. +- SharePoint Online – Search for monitored SharePoint Online activity. See the SharePoint Online + Search Query topic for additional information. +- Exchange Online – Search for monitored Exchange Online activity. See the Exchange Online Search + Query topic for additional information. +- SQL Server – Search for monitored SQL Server activity. See the SQL Server Search Query topic for + additional information. +- Linux – Search for monitored file activity on Linux servers. See the Linux Search Query topic for + additional information. + +Queries that may be useful to an organization include the following: + +- Who accessed a particular folder/file on X day or during Y date range? 
+- Who renamed a particular folder/file on X day or during Y date range? +- Who deleted a particular folder/file on X day or during Y date range? +- Who created a particular folder/file? +- What did user X do on day Y? +- What did user X do between days Y and Z? +- Administrator activity details? + +Follow the steps to use the search feature. + +**Step 1 –** Click the magnifying glass icon and select the source type. + +**Step 2 –** Set the desired filters and click **Search**. + +**Step 3 –** Filter and Sort the results in the table as desired. + +**Step 4 –** Export the results table if desired. + +## Filter + +The drop-down menu for a column header in the search results data grid provides the option to filter +the search results further. + +![Operations Filter Dropdown Menu](/images/activitymonitor/9.0/admin/search/operationssdropdownfiltermenu.webp) + +Choose between checking/unchecking the desired field values from the list of available values and +typing in the search textbox. The Clear filter option removes all filters from the selected column. +A filter icon appears on the header where filters have been applied. Multiple columns can be +filtered in the search results data grid. + +:::note +The columns that can be filtered will vary depending on what results are. +::: + + +## Sort + +Clicking on any column header in the search results data grid sorts the results alphanumerically for +that column, and an arrow shows next to the column name indicating the sort to be ascending or +descending order. + +![Sort Options](/images/activitymonitor/9.0/admin/search/sort.webp) + +The drop-down menu on the column header has options to Sort A to Z or Sort Z to A for the selected +column. Sorting can only occur for one column at a time. + +:::note +The columns that can be sorted will vary depending on what results are. +::: + + +## Export + +The search results data grid can be exported to a CSV/JSON file. 
+ +![Export Button](/images/activitymonitor/9.0/admin/search/exportbutton.webp) + +Once the search results are configured as desired, click the Export button located at the top left +corner of the window. Set the name and location of the CSV/JSON file. diff --git a/docs/activitymonitor/9.0/admin/search/sharepoint/_category_.json b/docs/activitymonitor/9.0/admin/search/sharepoint/_category_.json new file mode 100644 index 0000000000..0baabb2daa --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sharepoint/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SharePoint Search Query", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "sharepoint" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/sharepoint/sharepoint.md b/docs/activitymonitor/9.0/admin/search/sharepoint/sharepoint.md new file mode 100644 index 0000000000..e85036f7e4 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sharepoint/sharepoint.md 
@@ -0,0 +1,162 @@ +--- +title: "SharePoint Search Query" +description: "SharePoint Search Query" +sidebar_position: 60 +--- + +# SharePoint Search Query + +You can search SharePoint activity that has been monitored and recorded to a File output. When you +select **SharePoint** from the magnifying glass drop-down menu, a New Search tab opens with the +applicable query filters. + +![SharePoint New Search Tab](/images/activitymonitor/9.0/admin/search/query/sharepointnewsearchtab.webp) + +The filters are separated into the following categories: + +- General +- Audit +- Move/Delete/Copy/Checkin +- Delete +- Search +- Permissions + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters.You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category addresses who, what, where, and when an object, user, host, or domain +controller is affected by the events selected in the other categories. The time frame filter must be +configured for every search query. + +![General Category - SharePoint](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Event Type – Filter the data by the event type: All, CheckOut, CheckIn, View, Delete, Update, + ProfileChange, ChildDelete, SchemaChange, Undelete, Workflow, Copy, Move, AuditMaskChange, Search, + ChildMove, FileFragmentWrite, SecGroupCreate, SecGroupDelete, SecGroupMemberAdd, + SecGroupMemberDel, SecRoleDefCreate, SecRoleDefDelete, SecRoleDefModify, SecRoleDefBreakInherit, + SecRoleBindUpdate, SecRoleBindInherit, SecRoleBindBreakInherit, EventsDeleted, AppPermissionGrant, + AppPermissionDelete, Custom + + :::note + Disabling an event type that is also a category will hide that category from the query + options. 
+ ::: + + +- Item Type – Filter the data by the type of SharePoint item: All, Document, ListItem, List, Folder, + Web, Site +- Protocol – Filter the data by the protocol: Any, HTTP, HTTPS +- Agent Hosts – Filter the data for a specific agent +- Agent Domains – Filter the data for a specific domain +- Item +- Source Name +- Site – Filter the data for a specific SharePoint site +- Document Location +- Web Application – Filter the data for a specific SharePoint web application +- Web Title +- User – Filter the data for a specific user, or perpetrator of the event + + - Specify account or group (...) – The ellipsis button beside the User textbox opens the Specify + account or group window. Use this window to resolve the account for the user. See the + [Specify Account or Group Window](/docs/activitymonitor/9.0/admin/outputs/accountexclusions/specifywindowsaccount.md) topic for + additional information. + +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. +- Event Source – Filter the data by the source: Any, SharePoint, ObjectModel +- Location Type – Filter the data by the type of location: Any, Url, ClientLocation + +## Audit Category + +The Audit category scopes the query by audit mask activity. + +![SharePoint Search - Audit filter section](/images/activitymonitor/9.0/admin/search/query/auditmask.webp) + +This section has the following filters: + +- Audit Mask – Filter the data by the audit mask type: All, None, CheckOut, CheckIn, View, Delete, + Update, ProfileChange, ChildDelete, SchemaChange, SecurityChange, Undelete, Workflow, Copy, Move, + Search + +## Move/Delete/Copy/Checkin Category + +The Move/Delete/Copy/Checkin category scopes the query by file move and version activity. 
+ +![SharePoint Search Query - Move/Delete/Copy/Checkin Filters](/images/activitymonitor/9.0/admin/search/query/movedeletecopycheckinfilters.webp) + +This section has the following filters: + +- Child Document Location +- New Child Document Location +- Version + +## Delete Category + +The Delete category scopes the query by type of delete activity. + +![SharePoint Search Query - Delete FIlters](/images/activitymonitor/9.0/admin/search/query/delete.webp) + +This section has the following filters: + +- Delete Type – Filter the data by the type of deletion: Any, MovedToRecycle, DeletedCompletely + +## Search Category + +The Search category scopes the query by search activity. + +![SharePoint Search Query - Search Filters](/images/activitymonitor/9.0/admin/search/query/searchfilters.webp) + +This section has the following filters: + +- Search Query +- Search Constraint + +## Permissions Category + +The Permissions category scopes the query by permission change activity. + +![SharePoint Search Query - Permissions Filters](/images/activitymonitor/9.0/admin/search/query/permissionsfilters.webp) + +This section has the following filters: + +- Group +- Trustee +- Trustee Type – Filter the data by the type of trustee: Any, Group, User +- Role +- Update Type – Filter the data by the type of update: All, Added, Removed, Updated +- Permission – Filter the data by the permission: All, EmptyMask, ViewListItems, AddListItems, + EditListItems, DeleteListItems, CancelCheckout, ManagePersonalViews, ManageLists, + AnonymousSearchAccessList, AnonymousSearchAccessWebLists, Open, ViewFormPages, ViewPages, + AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, ViewUsageData, CreateSSCSite, + ManageSubwebs, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, + UpdatePersonalWebParts, ManageWeb, FullMask, UseClientIntegration, UseRemoteAPIs, ManageAlerts, + CreateAlerts, EditMyUserInfo, EnumeratePermissions, ApproveItems, OpenItems, ViewVersions, + 
DeleteVersions, CreateGroups diff --git a/docs/activitymonitor/9.0/admin/search/sharepoint/sharepoint_1.md b/docs/activitymonitor/9.0/admin/search/sharepoint/sharepoint_1.md new file mode 100644 index 0000000000..3a3da6e432 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sharepoint/sharepoint_1.md 
@@ -0,0 +1,34 @@ +--- +title: "SharePoint Search Results" +description: "SharePoint Search Results" +sidebar_position: 10 +--- + +# SharePoint Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![SharePoint Search - Results](/images/activitymonitor/9.0/admin/search/results/sharepointsearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent Host – Agent used to collect event information +- Event Type – Indicates the type of event +- User – User account that performed the activity event +- User Login – User login associated with the event +- Protocol – Protocol used for the monitored operation +- Absolute URL - Indicates the Absolute URL associated with the event +- Web Application – Indicates the web application associated with the event +- Site URL – Site URL associated with the event +- Web Title - If applicable, indicates the Web Title associated with the event +- Doc Location – If applicable, indicates the location of the document associated with the event +- New Doc Location – If applicable, indicates the new location of the document associated with the + event + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. 
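Review bot: in `sharepoint_1.md` the bullets `Absolute URL - Indicates the Absolute URL`, `Web Title - If applicable` and the two `Doc Location` entries separate name and description with a hyphen while the rest of the list uses an en dash; make them consistent. Also the column is named `Agent Host – Agent used to collect event information` here but `Agent – Agent which monitored the event` on the File and Linux results pages in this same patch; if it is the same column, align the name and wording so readers exporting from different source types can match fields.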
diff --git a/docs/activitymonitor/9.0/admin/search/sharepointonline/_category_.json b/docs/activitymonitor/9.0/admin/search/sharepointonline/_category_.json new file mode 100644 index 0000000000..4488e90a1c --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sharepointonline/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SharePoint Online Search Query", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "sharepointonline" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/sharepointonline/sharepointonline.md b/docs/activitymonitor/9.0/admin/search/sharepointonline/sharepointonline.md new file mode 100644 index 0000000000..a7d5a28dd0 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sharepointonline/sharepointonline.md 
@@ -0,0 +1,148 @@ +--- +title: "SharePoint Online Search Query" +description: "SharePoint Online Search Query" +sidebar_position: 70 +--- + +# SharePoint Online Search Query + +You can search SharePoint Online activity that has been monitored and recorded to a File output. +When you select **SharePoint Online** from the magnifying glass drop-down menu, a New Search tab +opens with the applicable query filters. + +![SharePoint Online - Search Quary Bar](/images/activitymonitor/9.0/admin/search/query/sharepointonlinesearchquerybar.webp) + +The filters are separated into the following categories: + +- General +- User +- Location +- Item +- Sharing +- DLP +- Custom + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![SharePoint Online Search - General Filters](/images/activitymonitor/9.0/admin/search/query/generalfilters.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Source – Filter the data by the source type: All, File and Page, Folder, List, Sharing and Access + Request, Site Permissions, Site Administration, Synchronization, DLP, Sensitivity Label, Content + Explorer, Other + + :::note + Disabling a source that is also a category will hide that category from the query + options. + ::: + + +- Workload +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. 
+ +![SharePoint Online Search - User Filter](/images/activitymonitor/9.0/admin/search/query/user.webp) + +This section has the following filters: + +- Name or ID +- Login +- IP Address +- Client App or Browser +- User Type – Filter the data by the type of user: All, Regular, Reserved, Admin, DcAdmin, System, + Application, ServicePrincipal, CustomPolicy, SystemPolicy, Unknown + +## Location Category + +The Location category scopes the query by the location of the file. + +![SharePoint Online Search - Location Filter](/images/activitymonitor/9.0/admin/search/query/location.webp) + +This section has the following filters: + +- URL +- File Name +- File Extension + +## Item Category + +The Item category scopes the query by the item. + +![SharePoint Online Search - Item Filter](/images/activitymonitor/9.0/admin/search/query/item.webp) + +This section has the following filters: + +- Item +- Item Type – Filter the data by the type of item: All, Unknown, File, Folder, Web, Site, Tenant, + DocumentLibrary, Page +- Modifications – Filter the data by the type of item: All, No Changes, Has attribute changes + +## Sharing Category + +The Sharing category scopes the query by the type of sharing. + +![SharePoint Online Search - Sharing Filter](/images/activitymonitor/9.0/admin/search/query/sharing.webp) + +This section has the following filters: + +- Target Account +- Access +- Target Type – Filter the data by the type of target: All, Member, Guest, SharePointGroup, + SecurityGroup, Partner, Unknown + +## DLP Category + +The DLP category scopes the query by the DLP policy. + +![SharePoint Online Search - DLP Filter](/images/activitymonitor/9.0/admin/search/query/dlp.webp) + +This section has the following filters: + +- Policy Name + +## Custom Category + +The Custom category scopes the query by custom event activity. 
+ +![SharePoint Online Search - Custom Filter](/images/activitymonitor/9.0/admin/search/query/custom.webp) + +This section has the following filters: + +- Event Data +- Custom Event diff --git a/docs/activitymonitor/9.0/admin/search/sharepointonline/sharepointonline_1.md b/docs/activitymonitor/9.0/admin/search/sharepointonline/sharepointonline_1.md new file mode 100644 index 0000000000..2463e342de --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sharepointonline/sharepointonline_1.md 
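Review bot: typo in the Filter Value Entry bullet of sharepointonline.md: `match the value against on of the following` should read `one of the following`. In the same file two list items are incomplete or mislabeled: under General Category the `- Workload` item is the only filter with no description, and under Item Category `- Modifications – Filter the data by the type of item: All, No Changes, Has attribute changes` repeats the Item Type lead-in although its values describe modification state; suggest `Filter the data by whether the item was modified: All, No Changes, Has attribute changes`.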
@@ -0,0 +1,49 @@ +--- +title: "SharePoint Online Search Results" +description: "SharePoint Online Search Results" +sidebar_position: 10 +--- + +# SharePoint Online Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![SharePoint Online Search Results](/images/activitymonitor/9.0/admin/search/results/sharepointonlinesearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Source – Indicates the source of the activity event +- Operation - Operation associated with event +- User – User account that performed the activity event +- User Type - Type of user associated with event +- External – Indicates whether external sharing is associated with the event +- IP Address - IP Address associated with event +- Object Url - Object Url associated with event +- Item Type - The type of the item associated with the event +- Item Title - The title of the item associated with the event +- Modified - Indicates whether a modification is associated with the event +- Site - Site where the event occurred +- List - Indicates which list the event is associated with +- Relative URL - Indicates the Relative URL associated with the event +- File Name - The name of the file associated with the event +- Extension - If applicable, indicates the extension of the file associated with the event +- New Relative URL - If applicable, indicates the new relative URL of the file associated with the + event +- New 
File Name - If applicable, indicates the new name for the file associated with the event +- New Extension - If applicable, indicates the new extension of the file associated with the event +- Workload - Workload associated with the event +- Access - If applicable, indicates what level of access is associated with the event +- Target Account - If applicable, indicates the recipient of the event +- Target Type - If applicable, indicates the type of account of the recipient of the event +- DLP Policy - If applicable, indicates the DLP Policy associated with the event +- Event Data – Data associated with the event +- Custom Event - If the Custom Event filter was configured in the Query bar, it will appear here + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. diff --git a/docs/activitymonitor/9.0/admin/search/sqlserver/_category_.json b/docs/activitymonitor/9.0/admin/search/sqlserver/_category_.json new file mode 100644 index 0000000000..5588cda134 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sqlserver/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SQL Server Search Query", + "position": 80, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "sqlserver" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/admin/search/sqlserver/sqlserver.md b/docs/activitymonitor/9.0/admin/search/sqlserver/sqlserver.md new file mode 100644 index 0000000000..11a4680bb2 --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sqlserver/sqlserver.md 
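Review bot: inconsistent dash style in the results column list of sharepointonline_1.md: the first items (`- Event Time – Date timestamp of the event`, `- Agent – Agent which monitored the event`) use an en dash while `- Operation - Operation associated with event` and most later items use a hyphen; the other search-results page in this change (sqlserver_1.md) uses the en dash throughout, so use that here. Also `Object Url` should be `Object URL` to match `Relative URL` and `New Relative URL` in the same list.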
@@ -0,0 +1,88 @@ +--- +title: "SQL Server Search Query" +description: "SQL Server Search Query" +sidebar_position: 80 +--- + +# SQL Server Search Query + +You can search SQL Server activity that has been monitored and recorded to a File output. When you +select **SQL Server** from the magnifying glass drop-down menu, a New Search tab opens with the +applicable query filters. + +![SQL Server Search Query](/images/activitymonitor/9.0/admin/search/query/sqlsearchquerytoolbar.webp) + +The filters are separated into the following categories: + +- General +- User +- SQL + +By default, the query is set to return all event activity for the past day. Configuring query +filters will scope results returned. + +Set the filters as desired and click **Search**. The application searches through the appropriate +activity log files and returns the events that match the filters. You can +[Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the column +headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +**Filter Value Entry** + +When the drop-down menu is in front of a query filter, it is used to show or hide the filter entry +field. Field options vary based on the selected query filter: + +- Textbox – Enter the filter value. If the field has a drop-down arrow, then you can select from + values known to the application. 
+- Gray drop-down menu – Provides options to match the value against on of the following, which vary + based on the filter: + + - Selected values – Filters by the value selected from the drop-down menu for the textbox + - Simple string with wildcards – Filters by the value entered into the textbox, which contains + an asterisk (\*) as the wildcard + - Regular expression – Filters by the Regex entered into the textbox + +## General Category + +The General category scopes the query by the most common types of filters. The time frame filter +must be configured for every search query. + +![General Filters](/images/activitymonitor/9.0/admin/search/query/generalfilter.webp) + +This section has the following filters: + +- From – Set the date and timestamp for the start of the activity range. The drop-down menu opens a + calendar. +- To – Set the date and timestamp for the end of the activity range. The drop-down menu opens a + calendar. +- Event Result – Filter the data for a specific event result: Any, Success, or Failure +- Reason +- Agent Hosts – Filter the data for a specific agent +- Search Limit – Set the maximum number of rows returned in the search results. The default is + 10,000 rows. + +## User Category + +The User category scopes the query by the user, or perpetrator of the activity. + +![userfilter](/images/activitymonitor/9.0/admin/search/query/userfilter.webp) + +This section has the following filters: + +- Name or ID +- IP Address + +## SQL Category + +The SQL category scopes the query by SQL Server activity. + +![SQL Filters](/images/activitymonitor/9.0/admin/search/query/sqlfilters.webp) + +This section has the following filters: + +- Server name +- Database +- Operation – Filter the data by the type of Operation: All, Select, Insert, Update, Delete, merge, + Execute, Login, Logout, Grant, Revoke, Deny, Error, AlterRole +- Application +- Object +- SQL Text 
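Review bot: the same `on of the following` typo from the SharePoint Online query page is repeated in the Filter Value Entry bullet of sqlserver.md; it should be `one of the following`. In the SQL Category the Operation value list mixes casing (`Delete, merge, Execute`); `merge` should be `Merge` to match the other values. The `- Reason` item under General Category has no description while every other item there has one, and the image alt text `![userfilter]` should be descriptive like the others on the page (for example `SQL Server Search - User Filter`).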
diff --git a/docs/activitymonitor/9.0/admin/search/sqlserver/sqlserver_1.md b/docs/activitymonitor/9.0/admin/search/sqlserver/sqlserver_1.md new file mode 100644 index 0000000000..810f3b66ff --- /dev/null +++ b/docs/activitymonitor/9.0/admin/search/sqlserver/sqlserver_1.md 
@@ -0,0 +1,34 @@ +--- +title: "SQL Server Search Results" +description: "SQL Server Search Results" +sidebar_position: 10 +--- + +# SQL Server Search Results + +When a search has been started, the Search Status table at the bottom displays the percentage +complete according to the size and quantity of the activity log files being searched per activity +agent. You can [Filter](/docs/activitymonitor/9.0/admin/search/overview.md#filter) and [Sort](/docs/activitymonitor/9.0/admin/search/overview.md#sort) the results using the +column headers. Below the Search button is the [Export](/docs/activitymonitor/9.0/admin/search/overview.md#export) option. + +![SQL Server Search Results](/images/activitymonitor/9.0/admin/search/results/sqlsearchresults.webp) + +The results data grid columns display the following information for each event: + +- Event Time – Date timestamp of the event +- Agent – Agent which monitored the event +- Result – Indicates whether the event type was a success +- User – User account that performed the activity event +- IP Address – IP Address of the client host associated with the event +- Client Host – Name of the client host associated with the event +- Application Name – Name of the application associated with the event +- Operation – The type of operation associated with the event +- Database – The type of database associated with the event +- SQL – The SQL Server Query text associated with the event +- Error – Indicates SQL Server Error Code associated with the event +- Message – Description of the error associated with the event +- Category – Category of the error associated with the event + +At the bottom of the search interface, additional information is displayed for selected events in +the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as +applicable to the event) are displayed. 
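Review bot: `- Database – The type of database associated with the event` in sqlserver_1.md looks wrong; the SQL Category filter on the query page is simply `Database`, so this column most likely holds the database name rather than a type. Please confirm and reword. The closing paragraph (`The Attribute Name, Operation, Old Value, and New Value for the logged event ... are displayed`) is copied verbatim from sharepointonline_1.md; confirm that the SQL Server detail pane actually shows those four fields, since the columns listed above (SQL text, Error, Message, Category) suggest a different detail layout.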
diff --git a/docs/activitymonitor/9.0/gettingstarted.md b/docs/activitymonitor/9.0/gettingstarted.md new file mode 100644 index 0000000000..6ee993a1ee --- /dev/null +++ b/docs/activitymonitor/9.0/gettingstarted.md 
@@ -0,0 +1,57 @@ +--- +title: "Getting Started" +description: "Getting Started" +sidebar_position: 10 +--- + +# Getting Started + +Once Netwrix Activity Monitor is installed, the following workflow enables organizations to quickly +and easily get started with activity monitoring. + +## Requirements + +The Activity Monitor console needs to be installed on a server or workstation. After that agents are deployed to +the target environment and configured to monitor activity. It is necessary to prepare the target +environment and configure the credentials used by the agents. Each supported environment has +different requirements. See the following topics for additional information: + +- Console machine [Requirements ](/docs/activitymonitor/9.0/requirements/overview.md) +- [Activity Agent Server Requirements](/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md) for monitoring: + + - Windows File servers + - NAS devices + - Microsoft Entra ID + - SharePoint On-Premise + - SharePoint Online + - Exchange Online + - SQL Servers + +- [AD Agent Server Requirements](/docs/activitymonitor/9.0/requirements/adagent/adagent.md) for monitoring Active Directory +- [Linux Agent Server Requirements](/docs/activitymonitor/9.0/requirements/linuxagent.md) for monitoring Linux file servers + +## Install & Deploy Agents + +Once the prerequisites are accomplished, you are ready to install the application and deploy agents. +See the following topics for additional information: + +- [Install Application](/docs/activitymonitor/9.0/install/application.md) +- [Agent Information](/docs/activitymonitor/9.0/install/agents/agents.md) +- [Import License Key](/docs/activitymonitor/9.0/install/importlicensekey.md) + +## Configure Monitoring + +After the agents have been deployed, you can configure the monitoring of the target environment. 
For +Windows File Servers, this can be done at the same time as the agent is deployed, but for all other +target environments it is done after the agent is deployed. You will configure what will be +monitored as well as where the collected data will go (outputs). See the following topics for +additional information: + +- [Monitored Domains Tab](/docs/activitymonitor/9.0/admin/monitoreddomains/overview.md) for Active Directory monitoring +- [Monitored Hosts & Services Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/overview.md) for all other target environments. + +## Search Activity Event Data + +You can query the activity logs created by the activity agents from within the console. Using the +search feature, set filters for the query to view monitored events. See the +[Search Feature](/docs/activitymonitor/9.0/admin/search/overview.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/index.md b/docs/activitymonitor/9.0/index.md new file mode 100644 index 0000000000..d7a1550fc2 --- /dev/null +++ b/docs/activitymonitor/9.0/index.md @@ -0,0 +1,15 @@ +--- +title: "Netwrix Activity Monitor v9.0 Documentation" +description: "Netwrix Activity Monitor v9.0 Documentation" +sidebar_position: 1 +--- + +# Netwrix Activity Monitor v9.0 Documentation + +The Netwrix Activity Monitor deploys agents to target environments to provide real-time monitoring +of activity. It can be configured to provide the event data to other Netwrix products for reporting +and alerting purposes. The Activity Monitor also provides operational efficiencies and visibility +into a wide spectrum of human and machine data interactions with a standardized format that is used +to gain deeper visibility into activity associated with the access, use, and modification of data. + +See the [Getting Started](/docs/activitymonitor/9.0/gettingstarted.md) topic for additional information. 
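Review bot: markdown formatting issue in the Requirements list of gettingstarted.md: `[Requirements ](/docs/activitymonitor/9.0/requirements/overview.md)` has a trailing space inside the link text, which renders as a link with a trailing space; remove it. `After that agents are deployed to the target environment` needs a comma after `After that`, and the bullet casing is inconsistent (`Windows File servers` versus `SQL Servers`).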
diff --git a/docs/activitymonitor/9.0/install/_category_.json b/docs/activitymonitor/9.0/install/_category_.json new file mode 100644 index 0000000000..f87e537fff --- /dev/null +++ b/docs/activitymonitor/9.0/install/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Installation", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/install/agents/_category_.json b/docs/activitymonitor/9.0/install/agents/_category_.json new file mode 100644 index 0000000000..89391c7ce3 --- /dev/null +++ b/docs/activitymonitor/9.0/install/agents/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Agent Information", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "agents" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/install/agents/agents.md b/docs/activitymonitor/9.0/install/agents/agents.md new file mode 100644 index 0000000000..7dbf19d9a9 --- /dev/null +++ b/docs/activitymonitor/9.0/install/agents/agents.md 
@@ -0,0 +1,81 @@ +--- +title: "Agent Information" +description: "Agent Information" +sidebar_position: 20 +--- + +# Agent Information + +Activity Monitor agents perform real-time monitoring of events occurring across supported systems and applications. + +A typical deployment consists of multiple agents, each monitoring either the system where it is installed or remote systems, +including in scale-out and fault-tolerant configurations. + +There are two deployment modes: + +1. **The agent monitors the server it is installed on** + +The agent must be deployed on the target system for the following event sources: + +|Event source|Additional requirements| +|------------|-----------------------| +|Windows File Server| | +|Linux File Server| | +|Active Directory domain controllers| The agent must be installed on all domain controllers of the monitored domain.| +|SharePoint On-Premise|The agent must be deployed to the server that hosts the _Central Administration_ component of the SharePoint farm.| + + +2. **The agent monitors remote hosts or services** + +In this mode, the agent is installed on a Windows Server and configured to monitor the following event sources: + +|Event source|Additional requirements| +|------------|-----------------------| +|**File Systems**|| +|Azure Files|| +|CTERA|| +|Dell VNX/Celerra|Dell Common Event Enabler| +|Dell Isilon/PowerScale|Dell Common Event Enabler| +|Dell Unity|Dell Common Event Enabler| +|Dell PowerStore|Dell Common Event Enabler| +|Hitachi NAS|| +|Nasuni|| +|NetApp|| +|NetApp 7-mode|| +|Nutanix Files|| +|Panzura|| +|Qumulo|| +|**Identity & Access Management**|| +|Microsoft Entra ID|| +|**Communication & Messaging**|| +|Exchange Online|| +|SharePoint Online|| +|**Database Operations**|| +|Microsoft SQL Server|| + + +:::info +For file storage, the agent's server should be located close to the monitored NAS device on the network to reduce latency. 
+::: + +:::info +For Dell devices, the **Dell Common Event Enabler (CEE)** must be installed on the same server as the agent (recommended) or +on another Windows or Linux server. If installed remotely, the CEE must be configured manually to forward activity to the agent. +::: + +To perform centralized agent maintenance from the application console server, WMI must be enabled on the Windows server where the agent is installed. + +You will need the following information to deploy agents from the Console: + +- Server name – Name or an IP Address of the server +- Credentials + - Windows: Account must be a member of the BUILTIN\Administrators group on the target server + - Linux: Account must have permissions to deploy the agent over SSH on the target server + +See the [Agents Tab](/docs/activitymonitor/9.0/admin/agents/overview.md) topic for additional information on how to deploy agents using the Console. + +The Activity Monitor Agent may also be deployed manually. Use one of the following to manually install an agent: + +- [Manually Install the Windows Agent](/docs/activitymonitor/9.0/install/agents/manual.md) +- [Manually Install the Linux Agent](/docs/activitymonitor/9.0/install/agents/manuallinux.md) +- [Manually Install the Agent for Active Directory](/docs/activitymonitor/9.0/install/agents/manualad.md) diff --git a/docs/activitymonitor/9.0/install/agents/manual.md b/docs/activitymonitor/9.0/install/agents/manual.md new file mode 100644 index 0000000000..b92e65324f --- /dev/null +++ b/docs/activitymonitor/9.0/install/agents/manual.md 
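Review bot: the WMI requirement in agents.md (`WMI must be enabled on the Windows server where the agent is installed`) should state which firewall rules or ports are involved, or link to the Activity Agent Server Requirements page, because administrators have to open them before console-side maintenance works. The Linux credential line (`Account must have permissions to deploy the agent over SSH on the target server`) is too vague to act on; say whether root or a sudo-capable account is required (the manuallinux.md example in this change installs with `sudo yum localinstall`, which implies the latter). It would also help to note next to the Windows `BUILTIN\Administrators` requirement that it is a deployment-time requirement and that ongoing management can be restricted with the Management Group described in manual.md.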
@@ -0,0 +1,169 @@ +--- +title: "Manually Install the Activity Agent" +description: "Manually Install the Activity Agent" +sidebar_position: 10 +--- + +# Manually Install the Activity Agent + +The Netwrix Activity Monitor Agent can be deployed via the console or manually. + +Follow the steps to manually install the agent. + +**Step 1 –** Navigate to the Activity Monitor Console installation path and locate the agent +installation package. The default location is: + +`C:\Program Files\Netwrix\Activity Monitor\Console\Agents\x64\SBFileMonAgent.msi` + +**Step 2 –** Copy the Activity Monitor agent installation package to the target server. + +**Step 3 –** Click the Activity Monitor agent installation package and the Wizard opens. + +![Activity Monitor Agent Setup Wizard - Welcome Page](/images/activitymonitor/9.0/install/agent/welcome_1.webp) + +**Step 4 –** On the welcome page click **Next**. + +![End-User License Agreement Page](/images/activitymonitor/9.0/install/agent/eula.webp) + +**Step 5 –** On the End-User License Agreement page, select the **I accept the terms in the License +Agreement** option and click **Next**. + +![Destination Folder Page](/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp) + +**Step 6 –** (Optional) On the Destination Folder page, click **Change** to change the installation +directory location. + +![Change Destination Folder Page](/images/activitymonitor/9.0/install/agent/changedestination.webp) + +**Step 7 –** Click **OK** on the Change destination folder page to return to the Destination folder +page. Click **Next**. + +![Ready to install Netwrix Activity Monitor Agent 64-bit Page](/images/activitymonitor/9.0/install/agent/readyinstall.webp) + +**Step 8 –** On the Ready to install page, click **Install**. The installation process begins. The +Setup wizard displays the installation status. 
+ +![Completion Page](/images/activitymonitor/9.0/install/agent/complete.webp) + +**Step 9 –** When installation is complete, click Finish. + +## (Optional) Command Line Installation + +If needed, the following command line options can be used with extra logging and install options. +The Activity Monitor Agent command line has the following parameters: + +- `AGENT_PORT` + + - To specify Activity Monitor Agent port. + - Default value: `4498` + - Example: `AGENT_PORT=1234` + +- `AGENTINSTALLLOCATION` + + - To specify the Activity Monitor Agent installation path. + - Default value: `C:\Program Files\Netwrix\Activity Monitor\Agent` + - Example: `AGENTINSTALLLOCATION="D:\AMAgent"` + +- `MANAGEMENT_GROUP` + + - To specify the Activity Monitor Agent Management Group (This allows user to limit users in the + specified group to manage agents, but does not allow users in specified group to install, + upgrade, or uninstall agents). + - Default value: `BUILTIN\Administrators` + - Example: `MANAGEMENT_GROUP=CORP\ActivityMonitorGroup` + +- `/l*v` + + - To include verbose install logging. + - Example: `/l*v "C:\amagent.log"` + + :::note + If installation fails, locate the log file, and search for "Return value 3". The lines + above "Return value 3" should contain information on what caused the installation to fail. + ::: + + +- `/qn` + + - To install the agent in quiet / Unattended Mode (without UI) + +Example: + +``` +msiexec.exe /i C:\SBFileMonAgent.msi AGENT_PORT=1234 AGENTINSTALLLOCATION="D:\AMAgent" MANAGEMENT_GROUP=CORP\ActivityMonitorGroup /l*v c:\amagent.log /qn +``` + +## Add the Activity Agent to the Console + +Before deploying the Activity Monitor agent, ensure all +[Activity Agent Server Requirements](/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md) have been met, including +those for NAS devices when applicable. 
+ +:::note +These steps are specific to deploying activity agents for monitoring file systems, +SharePoint, SQL Server, Azure and Office 365 environments. See the +[Active Directory Agent Deployment](/docs/activitymonitor/9.0/admin/agents/activedirectory.md) section for +instruction on deploying the AD agent. See the +[Linux Agent Deployment](/docs/activitymonitor/9.0/admin/agents/linux.md) topic for instructions on deploying agents +to Linux servers. +::: + + +Follow the steps to deploy the activity agent to a single Windows server. + +**Step 1 –** Open the Activity Monitor Console. + +**Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens. + +![Install New Agent Page](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 3 –** Specify the server name where the agent will be deployed. To add multiple server names, +see the [Multiple Activity Agents Deployment](/docs/activitymonitor/9.0/admin/agents/multiple.md) topic for +additional information. Click **Next**. + +![Agent Port Configuration](/images/activitymonitor/9.0/install/agent/portdefault.webp) + +**Step 4 –** Specify the port to be used for the agent. Click **Next**. + +![Credentials to connect to servers](/images/activitymonitor/9.0/install/agent/credentials.webp) + +**Step 5 –** On the Credentials to Connect to the Server(s) page, specify the credentials for the +server to which the agent is deployed. See the +[Single Activity Agent Deployment](/docs/activitymonitor/9.0/admin/agents/single.md) topic for additional +information on credential options. Click **Connect**. + +:::note +When clicking **Connect** while adding the Agent to the Console, the connection may fail. +When clicking Connect, the Activity Monitor verifies not only its ability to manage the agent but +the console's ability to deploy the agent as well. Errors can be ignored if the agent was manually +installed. 
+::: + + +**Step 6 –** Regardless of the warning messages that the agent cannot be installed or upgraded, +click **Next**. The console will automatically detect the agent as it is already installed. + +![Agent Install Location](/images/activitymonitor/9.0/install/agent/installlocation.webp) + +**Step 7 –** Specify the path of the Activity Monitor Agent, that has already been installed. Click +**Next**. + +![Windows Agent Settings](/images/activitymonitor/9.0/install/agent/windowsagent.webp) + +**Step 8 –** Specify the Activity Monitor Agent Management Group (if desired). Click Finish. + +:::note +The Activity Monitor Agent Management Group allows users in the specified group to manage +agents, but does not allow users in specified group to install, upgrade, or uninstall agents. +::: + + +The Agent is now added to the Activity Monitor. + +During the installation process of the agent, the status will display Installing. If there are any +errors, the Activity Monitor stops the installation and lists the errors in the Agent messages box. + +![Activity Monitor Agent Installed](/images/activitymonitor/9.0/install/agent/consolewithagent.webp) + +When the Activity Monitor agent installation is complete, the status changes to **Installed** and +the activity agent version populates. The next step is to add hosts to be monitored. diff --git a/docs/activitymonitor/9.0/install/agents/manualad.md b/docs/activitymonitor/9.0/install/agents/manualad.md new file mode 100644 index 0000000000..08a8f87329 --- /dev/null +++ b/docs/activitymonitor/9.0/install/agents/manualad.md 
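Review bot: the Step 5 note in manual.md (`Errors can be ignored if the agent was manually installed`) is too broad; it should be narrowed to the install/upgrade-capability warnings that Step 6 refers to (`warning messages that the agent cannot be installed or upgraded`), since a genuine credential or connectivity failure at Connect should not be ignored. Smaller points: Step 3 `Click the Activity Monitor agent installation package` should be `Run`; Step 7 `Specify the path of the Activity Monitor Agent, that has already been installed` has a stray comma; the `/l*v` example path `"C:\amagent.log"` and the combined msiexec example `c:\amagent.log` differ in case.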
@@ -0,0 +1,166 @@ +--- +title: "Manually Install the AD Module" +description: "Manually Install the AD Module" +sidebar_position: 30 +--- + +# Manually Install the AD Module + +The AD Module, powered by Threat Prevention, can only be installed on domain controllers. + +Follow the steps to manually deploy the AD Module. + +**Step 1 –** From the Activity Monitor Console machine, copy the AD Agent executable ( +`%ProgramFiles%\Netwrix\Activity Monitor\Console\Agents\SI Agent.exe`) to the domain controller where +you want to install the Agent. Then run the executable. The Netwrix Threat Prevention Windows Agent +Setup wizard opens. + +![Threat Prevention Windows Agent Setup wizard on the Welcome page](/images/activitymonitor/9.0/install/agent/welcome_1.webp) + +**Step 2 –** On the Welcome page, click **Install**. The Setup Progress page is displayed, followed +by another Welcome page. + +![Threat Prevention Windows Agent - Welcome Page](/images/activitymonitor/9.0/install/agent/welcome.webp) + +**Step 3 –** Click **Next**. + +![End-User License Agreement Page](/images/activitymonitor/9.0/install/agent/license.webp) + +**Step 4 –** On the End-User License Agreement page, check the **I accept the terms in the License +Agreement** box and click **Next**. + +![Destination Folder Page](/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp) + +**Step 5 –** _(Optional)_ On the Destination Folder page, change the installation directory +location. + +- To change the default installation directory location, click **Change…**. + +![Change Destination Folder Page](/images/activitymonitor/9.0/install/agent/changedestination.webp) + +> > - Use the Look In field to select the desired installation folder. +> > - When the Folder name is as desired, click **OK**. The wizard returns to the Destination Folder +> > page. +> > - Click **Next**. + +> To use the default installation directory location, skip the previous step and click **Next** on +> the Destination Folder page. 
+ +![CA Certificate Configiration Page](/images/activitymonitor/9.0/install/agent/cacertconfig.webp) + +**Step 6 –** Keep the default radio button selection, Managed by Threat Prevention. + +:::note +The CA Certificate Configuration page is not applicable to the Activity Monitor. +::: + + +![Enterprise Manager Location Information Page](/images/activitymonitor/9.0/install/agent/enterprisemanageram.webp) + +**Step 7 –** On the Enterprise Manager Location Information page, select the **Option** button for a +product to enable communication with it. + +- Select the **SAM configuration file** radio button. +- In the **Address or Path** field, enter the path to the activity agent configuration file for this + host. Remember, the Activity Monitor activity agent must already be deployed on the domain + controller and enabled before installing the AD Agent. The default path is: + `%ProgramFiles%\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\SAMConfig.xml` +- The port configuration only applies to the Enterprise Manager Host option. +- Configure additional Agent options as desired: + + - Safe Mode + + - The Safe Mode option prevents the **Windows AD Events** monitoring module from loading if + the LSASS DLL versions has been modified since the last time the Threat Prevention Windows + Agent service was started. + + - Start Agent Service + + - The **Start Agent Service** option starts the Threat Prevention Windows Agent service + after the installation is complete. If the Threat Prevention Windows Agent service is not + started at the time of installation, the Activity Monitor Agent will start as needed. + + - Create Windows Firewall Rules + + - The **Create Windows Firewall Rules** option creates the rules needed to open this port + during the installation process. If using a third party firewall, uncheck this option and + manually create the necessary firewall rules. + +- When the settings are configured, click **Next**. 
+ +![Select Event Sources Page](/images/activitymonitor/9.0/install/agent/eventsourcesad.webp) + +**Step 8 –** On the Select Event Sources page, select **Windows Active Directory Events** as needed +by the Activity Monitor for the Active Directory solution. Click **Next**. + +![Windows Agent Setup wizard on the Ready page](/images/activitymonitor/9.0/install/agent/readytoinstall.webp) + +**Step 9 –** On the Ready to install Threat Prevention Windows Agent page, click **Install**. The +Setup wizard displays the installation status. + +![Windows Agent Setup wizard on the Operation successful page](/images/activitymonitor/9.0/install/agent/success.webp) + +**Step 10 –** When installation is complete, click **Close**. + +The AD Module (NTP Agent) is now installed on the server. + +## Add the AD Agent to the Console + +Follow the steps to add the Activity Monitor Windows Agent (with the AD Module) to the Console: + +**Step 1 –** Open the Activity Monitor Console. + +**Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens. + +![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 3 –** Click the **install agents on Active Directory domain controllers** link. + +![Specify Agent Port](/images/activitymonitor/9.0/install/agent/specifyport.webp) + +**Step 4 –** Specify the port for the Activity Monitor Agent. Click **Next**. + +![Agent Install Location](/images/activitymonitor/9.0/install/agent/installlocation.webp) + +**Step 5 –** Specify the path of the Activity Monitor Agent, that has already been installed. Click +**Next**. + +![Active Directory Connection](/images/activitymonitor/9.0/install/agent/adconnection.webp) + +**Step 6 –** On the Active Directory Connection page, specify the credentials for the domain or +domain controller(s) where the agent is installed. Click **Connect** to verify connection to the +domain. Click **Next**. 
+ +![Domains to Monitor](/images/activitymonitor/9.0/install/agent/domains.webp) + +**Step 7 –** Select the domain of the domain controller(s) where the agent is installed. Click +**Next**. + +![Domain Controllers to Deploy Agent](/images/activitymonitor/9.0/install/agent/domaincontroller.webp) + +**Step 8 –** Select the domain controller(s) where the agent is installed. Click **Test**. + +:::note +When clicking Test while adding the Agent to the Console, the connection may fail. When +clicking Test, the Activity Monitor verifies not only its ability to manage the agent but the +console's ability to deploy the agent as well. Errors can be ignored if the agent was manually +installed. +::: + + +**Step 9 –** Ignore the warning messages that the agent cannot be installed or upgraded and click +**Next**. + +![Windows Agent Settings](/images/activitymonitor/9.0/install/agent/windowsagent.webp) + +**Step 10 –** Specify the Activity Monitor Agent Management Group (if desired). Click **Finish**. + +:::note +The Activity Monitor Agent Management Group allows users in the specified group to manage +agents, but does not allow users in specified group to install, upgrade, or uninstall agents. +::: + + +The console will automatically detect the agent as it is already installed. + +The Agent is now added to the Activity Monitor Console. diff --git a/docs/activitymonitor/9.0/install/agents/manuallinux.md b/docs/activitymonitor/9.0/install/agents/manuallinux.md new file mode 100644 index 0000000000..e19547afb1 --- /dev/null +++ b/docs/activitymonitor/9.0/install/agents/manuallinux.md 
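Review bot: possible path inconsistency in Step 7 of manualad.md: the text says the Activity Monitor activity agent must already be deployed on the domain controller and points to its configuration file, but the default path given is `%ProgramFiles%\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\SAMConfig.xml`, while the activity agent's default install location elsewhere in this change is `C:\Program Files\Netwrix\Activity Monitor\Agent` (AGENTINSTALLLOCATION in manual.md); please confirm which folder holds SAMConfig.xml. Typos: `Configiration` in the CA Certificate image alt text, and `if the LSASS DLL versions has been modified` should be `version has been modified`. The Step 5 sub-steps are written as a double-nested blockquote (`> > - Use the Look In field ...`), which renders as quoted text rather than as sub-steps; use an indented list instead.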
@@ -0,0 +1,128 @@ +--- +title: "Manually Install the Linux Agent" +description: "Manually Install the Linux Agent" +sidebar_position: 20 +--- + +# Manually Install the Linux Agent + +Follow the steps to manually install the agent. + +**Step 1 –** Transfer the rpm package to the Linux server. + +For example, following is a pscp command: + +``` +pscp.exe -P 22 -p -v "C:\Program Files\Netwrix\Activity +Monitor\Console\Agents\activity-monitor-agentd-9.0.0-1421.rhel.x86_64.rpm" +root@123.456.789.123:/tmp/ +``` + +![pscp Command](/images/activitymonitor/9.0/install/agent/screen1.webp) + +**Step 2 –** Install the Activity Monitor Linux Agent RPM Package on the Linux server. + +For example, the following command can be used: + +``` +sudo yum localinstall activity-monitor-agentd-9.0.0-1421.rhel.x86_64.rpm +``` + +![Install Linux Agent RPM Package on the Linux server](/images/activitymonitor/9.0/install/agent/screen2.webp) + +**Step 3 –** Add firewall rules to the Linux server, and restart firewall service. + +:::note +This should be the same port number specified in the Activity Monitor console for the +Linux agent. Default port is 4498. +::: + + +For example, the following commands can be used: + +``` +sudo firewall-cmd --zone=public --add-port=4498/tcp --permanent +sudo systemctl restart firewalld +sudo firewall-cmd --list-all +``` + +**Step 4 –** Generate the Activity Monitor Agent client certificate on Linux server from the +Activity Monitor Agent install directory. + +The following commands can be used: + +``` +cd /usr/bin/activity-monitor-agentd/ +sudo ./activity-monitor-agentd create-client-certificate --name amagent +``` + +![Generate the Activity Monitor Agent Client Certificate](/images/activitymonitor/9.0/install/agent/screen3.webp) + +**Step 5 –** Copy full certificate output from previous command on the Linux server. + +:::note +This will be needed to add the agent to the console. 
+::: + + +## Add the Linux Agent to the Console + +Before deploying the Activity agent in a Linux environment, ensure all Prerequisites have been met. +To effectively monitor activity on a Linux host, it is necessary to deploy an agent to the host. +Follow the steps to deploy the agent to the Linux host. See the +[Linux Agent Server Requirements](/docs/activitymonitor/9.0/requirements/linuxagent.md) topic for additional +information. + +Follow the steps to add the agent to the console. + +**Step 1 –** Open the Activity Monitor Console. + +**Step 2 –** On the Agents tab, click **Add Agent**. The Add New Agent(s) window opens. + +![Install New Agent](/images/activitymonitor/9.0/install/agent/installnew.webp) + +**Step 3 –** Specify the server name or IP Address that already has the Linux agent installed. To +add multiple server names, see the Multiple Activity Agents Deployment topic for additional +information. Click **Next**. + +![Specify Agent Port](/images/activitymonitor/9.0/install/agent/specifyagentport.webp) + +**Step 4 –** Specify the port to be used for the agent. Click **Next**. + +![Credentials to Connect to Server.](/images/activitymonitor/9.0/install/agent/credentials.webp) + +**Step 5 –** In Activity Monitor console add the Linux agent using the client certificate option, +and paste the full output of the client certificate information (from Step 3 of ‘Manually Installing +Activity Monitor Linux Agent’) into the client certificate field. Click **Connect**. Then click +**Next**. + +:::note +When clicking Connect while adding the Agent to the Console, the connection may fail. When +clicking Connect, the Activity Monitor verifies not only its ability to manage the agent but the +console's ability to deploy the agent as well. Errors can be ignored if the agent was manually +installed. 
+::: + + +![Linux Agent Options](/images/activitymonitor/9.0/install/agent/linuxagentoptions.webp) + +**Step 6 –** On the Linux Agent Options page, select which user name to use to run the daemon. To +use root, leave the **Service user name** field blank. Click **Test** to test the connection. + +**Step 7 –** Click **Finish**. The Add New Agent(s) window closes, and the activity agent is +deployed to and installed on the target host. + +:::note +The console will automatically detect the agent as it is already installed. +::: + + +The Agent is now added to the Activity Monitor Console. + +**Step 8 –** On the Agents tab of the console, select the newly added agent. Click **Edit** to view +Agent Properties. + +![Server Properties](/images/activitymonitor/9.0/install/agent/properties.webp) + +**Step 9 –** Specify Linux account credentials (to be able to install, upgrade, and uninstall +agent). Click **Test** to verify. Then press **OK** to save changes. diff --git a/docs/activitymonitor/9.0/install/application.md b/docs/activitymonitor/9.0/install/application.md new file mode 100644 index 0000000000..9945ee3371 --- /dev/null +++ b/docs/activitymonitor/9.0/install/application.md 
@@ -0,0 +1,48 @@ +--- +title: "Install Application" +description: "Install Application" +sidebar_position: 10 +--- + +# Install Application + +Netwrix Activity Monitor comes with a 10-day trial license to start. If an organization's license +key has been acquired already, which should be provided by a Netwrix Representative, the file should +be saved in the same location where the Activity Monitor will be installed. + +Follow the steps to install the Netwrix Activity Monitor Console. + +**Step 1 –** Run the NetwrixActivityMonitorSetup.msi executable to open the Netwrix Activity Monitor +Setup wizard. + +![Activty Monitor Setup Wizard - Welcome Page](/images/activitymonitor/9.0/install/welcome.webp) + +**Step 2 –** On the Activity Monitor Setup Wizard welcome page, click **Next** . + +![End-User License Agreement Page](/images/activitymonitor/9.0/install/eula.webp) + +**Step 3 –** On the End User License Agreement page, check the I accept the terms in the License +Agreement box and click Next. + +![Destination Folder Page](/images/activitymonitor/9.0/install/destinationfolder.webp) + +**Step 4 –** On the Destination Folder page, select a destination folder for Activity Monitor. The +default destination folder is `C:\Program Files\Netwrix\Activity Monitor\Console\`. Click **Next**. + +![Ready to Install Netwrix Activity Monitor Page](/images/activitymonitor/9.0/install/ready.webp) + +**Step 5 –** Click **Install** to begin installation. + + +**Step 6 –** The installer displays a status page during the installation process. Wait for the next +window to appear when the status is complete. + +![Installation Complete Page](/images/activitymonitor/9.0/install/complete.webp) + +**Step 7 –** Once installation is complete, click Finish. + +The setup wizard closes and the Activity Monitor Console opens. + +The Activity Monitor Console installs with a 10-day, 1-host license key. 
After completing the +installation, see the [Import License Key](/docs/activitymonitor/9.0/install/importlicensekey.md) topic for instructions on importing +an organization’s license key. diff --git a/docs/activitymonitor/9.0/install/importlicensekey.md b/docs/activitymonitor/9.0/install/importlicensekey.md new file mode 100644 index 0000000000..95b19452f0 --- /dev/null +++ b/docs/activitymonitor/9.0/install/importlicensekey.md 
@@ -0,0 +1,48 @@ +--- +title: "Import License Key" +description: "Import License Key" +sidebar_position: 40 +--- + +# Import License Key + +The Activity Monitor comes with a temporary 10-day license. Uploading a new license key or importing +a Access Analyzer key can be done from the Activity Monitor Console. If the Activity Monitor Console +is installed on a server where Access Analyzer has already been installed, it reads the license +information from the Access Analyzer installation directory. + +Follow the steps to import a license key file. + +![Activity Monitor Installation with Trial License](/images/activitymonitor/9.0/install/triallicense.webp) + +**Step 1 –** Click the `__Licensed to: __` hyperlink in the lower-left corner of the +Console. Alternatively, click the **View License** link in the yellow warning bar at the top. The +License Information window opens. + +![Trial License Information](/images/activitymonitor/9.0/install/triallicenseinfo.webp) + +**Step 2 –** Click Load New License File and navigate to where the key is located. A Windows file +explorer opens. + +![Open Dialog Box to load New License File](/images/activitymonitor/9.0/install/loadlicense.webp) + +**Step 3 –** Select the `.lic` file and click Open. The selected license key is then read. + +![Activity Monitor License Information](/images/activitymonitor/9.0/install/licenseinfo.webp) + +**Step 4 –** In the License Information window, click **Apply** to import the License Key. + +![Activity Monitor with License](/images/activitymonitor/9.0/install/licenseadded.webp) + +**Step 5 –** The organization's license key is now imported into the Activity Monitor. The Console +returns to the Agents tab and is ready to deploy activity agents. + +:::note +License keys are crafted for companies based on their preference for Active Directory, +Microsoft Entra ID (formerly Azure AD), File System, SharePoint, and SharePoint Online monitoring. 
+Any environment that is omitted from the license has its corresponding features disabled. +::: + + +Once a key has expired, the Console displays an Open License File… option for importing a new key. +Once a new key is loaded, the Console returns to the Agents tab. diff --git a/docs/activitymonitor/9.0/install/overview.md b/docs/activitymonitor/9.0/install/overview.md new file mode 100644 index 0000000000..c3e32b4012 --- /dev/null +++ b/docs/activitymonitor/9.0/install/overview.md @@ -0,0 +1,30 @@ +--- +title: "Installation" +description: "Installation" +sidebar_position: 30 +--- + +# Installation + +This topic describes the console installation and agent deployment the process for Activity Monitor. +Prior to installing the application, ensure that all requirements have been met. See the +[Requirements ](/docs/activitymonitor/9.0/requirements/overview.md) topic for additional information. + +## Software Compatibility & Versions + +For proper integration between the Activity Monitor and other Netwrix products, it is necessary for +the versions to be compatible. + +| Component | Version | +| ----------------------------------------------------- | ------- | +| Netwrix Activity Monitor | 9.0.x | +| Netwrix Access Analyzer | 12.0.x | +| Netwrix Threat Prevention | 7.5.x | +| Netwrix Threat Manager | 3.0.x | + +## Software Download + +Current customers can log in to the Netwrix Customer Portal to download software binaries and +license keys for purchased products. See the +[Customer Portal Access](https://helpcenter.netwrix.com/bundle/NetwrixCustomerPortalAccess/page/Customer_Portal_Access.html) +topic for information on how to register for a Customer Portal account. diff --git a/docs/activitymonitor/9.0/install/upgrade/_category_.json b/docs/activitymonitor/9.0/install/upgrade/_category_.json new file mode 100644 index 0000000000..f79fb801b7 --- /dev/null +++ b/docs/activitymonitor/9.0/install/upgrade/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "Upgrade Procedure", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "upgrade" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/install/upgrade/removeagent.md b/docs/activitymonitor/9.0/install/upgrade/removeagent.md new file mode 100644 index 0000000000..29ce1b0320 --- /dev/null +++ b/docs/activitymonitor/9.0/install/upgrade/removeagent.md @@ -0,0 +1,18 @@ +--- +title: "Remove Agents" +description: "Remove Agents" +sidebar_position: 20 +--- + +# Remove Agents + +On the Agents tab of the Activity Monitor Console, the Remove button allows users to remove the +selected activity agent from the Agents list and/or uninstall the activity agent from the hosting +server. + +![Remove Agents Popup Window](/images/activitymonitor/9.0/install/removeagents.webp) + +To only remove the server from the Agents list, click Remove. To also uninstall the activity agent +from the server, click Uninstall and remove. During the uninstall process, the status will be +Uninstalling. If there are any errors, the list of errors appears in the **Agent messages** box. +When the activity agent uninstall is complete, it is removed from the Agents list. diff --git a/docs/activitymonitor/9.0/install/upgrade/updateadagentinstaller.md b/docs/activitymonitor/9.0/install/upgrade/updateadagentinstaller.md new file mode 100644 index 0000000000..7cf2efcca3 --- /dev/null +++ b/docs/activitymonitor/9.0/install/upgrade/updateadagentinstaller.md 
@@ -0,0 +1,41 @@ +--- +title: "Update AD Module Installer" +description: "Update AD Module Installer" +sidebar_position: 10 +--- + +# Update AD Module Installer + +Netwrix periodically releases updated AD Module installation packages. Typically these updates are +associated with Microsoft KB’s (hotfixes) which alter the LSASS components interfering with AD +Module instrumentation. + +:::note +The **AD Module** is the same component as the **Netwrix Threat Prevention Agent** used in the Netwrix Threat Prevention product. +::: + +Current customers can log in to the Netwrix Customer Portal to download software binaries and +license keys for purchased products. See the +[Customer Portal Access](https://helpcenter.netwrix.com/bundle/NetwrixCustomerPortalAccess/page/Customer_Portal_Access.html) +topic for information on how to register for a Customer Portal account. Navigate to the Netwrix +Threat Prevention Download section for the 7.5. Download the Threat Prevention Agent binary. + +Then follow the steps to update the AD Module installer used by the Activity Monitor Console. + +**Step 1 –** On the Agents tab, select **Update AD Module Installer**. The Select AD Module +installer package (SI Agent.exe) window opens. + +![Update AD Module Installer](/images/activitymonitor/9.0/install/updateagentinstaller.webp) + +**Step 2 –** Navigate to the location of the latest AD Module / Threat Prevention Agent installation package. Select the +installer and click **Open**. + +![Confirmation Window](/images/activitymonitor/9.0/install/updateagentinstallerpopup.webp) + +**Step 3 –** A confirmation window opens displaying the version information for the selected +installer. Click **Yes** to update to this version or **No** to cancel the operation. A confirmation +window opens displaying the version information for the selected installer. Click **Yes** to update +to this version or **No** to cancel the operation. + +The AD Module installer is update. 
Use the Install button on the Agents tab to upgrade the deployed +agents that are monitoring Active Directory to the new version. diff --git a/docs/activitymonitor/9.0/install/upgrade/upgrade.md b/docs/activitymonitor/9.0/install/upgrade/upgrade.md new file mode 100644 index 0000000000..658176cd99 --- /dev/null +++ b/docs/activitymonitor/9.0/install/upgrade/upgrade.md 
@@ -0,0 +1,49 @@ +--- +title: "Upgrade Procedure" +description: "Upgrade Procedure" +sidebar_position: 30 +--- + +# Upgrade Procedure + +The purpose of this chapter is to provide the basic steps needed for upgrading Activity Monitor. See +the [Software Compatibility & Versions](/docs/activitymonitor/9.0/install/overview.md) section for information on integration with +other Netwrix products. + +## Considerations + +While it is strongly recommended to match the versions of both the console and the activity agent, +activity agent(s) V8.0+ can be managed by Activity Monitor Console V9.0+. Older versions of activity +agents will be limited in monitoring capability until upgraded. + +The installation and configuration paths for Netwrix Activity Monitor have been updated from +Activity Monitor 7.1. See the +[Netwrix Activity Monitor Paths](/docs/kb/activitymonitor/netwrix_activity_monitor_(nam)_7.0_paths) knowledge base article +for additional information. + +## Activity Monitor Upgrade Procedure + +Follow the steps to upgrade from an older version of Netwrix Activity Monitor to Netwrix Activity Monitor 9.0. + +:::info +Uninstall of the existing Activity Monitor Console is not required. +::: + +**Step 1 –** Install the Activity Monitor 9.0 on the same machine where the older console resides +following the instructions in the [Install Application](/docs/activitymonitor/9.0/install/application.md) section. +Launch the Activity Monitor Console and navigate to the Agents tab. + + +**Step 2 –** Select the activity agent(s) to be upgraded. The Windows Ctrl-select option can be used +to select multiple activity agents. Then click Upgrade. + +:::info +Update the activity agents in batches to ensure continuity of monitoring. +::: + + +The selected activity agents are updated to V9.0. 
If a Netwrix Threat Prevention Agent is also installed on +the Windows server for monitoring file systems, the Monitored Hosts & Services tab identifies the host as being +“Managed by Threat Prevention”, and that ‘monitored host’ is not editable. However, multiple outputs +can be configured for hosts. Add the Windows host to the Monitored Hosts & Services tab to monitor file system +for outputs to Access Analyzer, Threat Manager, and/or SIEM products. diff --git a/docs/activitymonitor/9.0/requirements/_category_.json b/docs/activitymonitor/9.0/requirements/_category_.json new file mode 100644 index 0000000000..8a00596580 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Requirements", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/_category_.json new file mode 100644 index 0000000000..f16db16af6 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Activity Agent Server Requirements", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "activityagent" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md b/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md new file mode 100644 index 0000000000..9a80e9e829 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md 
@@ -0,0 +1,233 @@ +--- +title: "Activity Agent Server Requirements" +description: "Activity Agent Server Requirements" +sidebar_position: 10 +--- + +# Activity Agent Server Requirements + +The Activity Agent is installed on Windows servers to monitor Microsoft Entra ID, Network Attached +Storage (NAS) devices, SharePoint farms, SharePoint Online, SQL Server, and Windows file servers. +The server where the agent is deployed can be physical or virtual. The supported operating systems +are: + +- Windows Server 2025 +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 + +**RAM, Processor, and Disk Space** + +- RAM – 4 GB minimum +- Processor – x64. 4+ cores recommended; 2 cores minimum +- Disk Space – 1 GB minimum plus additional space needed for activity log files +- Network – a fast low-latency connection to the monitored platforms (file servers, SQL Server), + preferably the same data center + +:::note +Disk usage depends on the monitoring scope, user activity, types of client applications, +and the retention settings. Number of events per user per day may vary from tens to millions. A +single file system event is roughly 300 bytes. +::: + + +Old files are zipped, typical compression ratio is 20. Optionally, old files are moved from the +server to a network share. See the [Archiving Tab](/docs/activitymonitor/9.0/admin/agents/properties/archiving.md) topic +for additional information. 
+ +**Additional Server Requirements** + +The following are additional requirements for the agent server: + +- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft + [.NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2) + article +- WMI enabled on the machine, which is optional but required for centralized Agent maintenance +- Remote Registry Service enabled +- For monitoring Dell devices, Dell CEE (Common Event Enabler) installed + +**Permissions for Installation** + +The following permission is required to install and manage the agent: + +- Membership in the local Administrators group +- READ and WRITE access to the archive location for Archiving feature only + +**Activity Agent Ports** + +See the [Activity Agent Ports](/docs/activitymonitor/9.0/requirements/activityagent/activityagentports.md) topic for firewall port requirements. + +## Supported File Storage Platforms + +The Activity Monitor provides the ability to monitor Windows and various NAS file servers. + +:::note +For monitoring NAS devices, the Activity Agent must be deployed to a Windows server that acts as a proxy for monitoring the target environment. +::: + + +**Supported Windows File Servers Platforms** + +The Activity Monitor provides the ability to monitor Windows file servers: + +:::note +To monitor a Windows file server, the Activity Agent must be deployed on the server being monitored. +::: + + +- Windows Server 2025 +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +See the [Windows File Server Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/windowsfs-activity.md) +topic for target environment requirements. 
+ + + +**Azure Files** + + +See [Azure Files Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md) topic for target +environment requirements. + + + +**CTERA Edge Filter** + +- CTERA Portal 7.5.x+ +- CTERA Edge Filer 7.5.x+ + +See the [CTERA Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ctera-activity.md) topic for target +environment requirements. + +**Dell Celerra® & VNX** + +- Celerra 6.0+ +- VNX 7.1 +- VNX 8.1 + +See the +[Dell Celerra & Dell VNX Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md) +topic for target environment requirements. + +**Dell Isilon/PowerScale** + +- 7.0+ + +See the +[Dell Isilon/PowerScale Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md) +topic for target environment requirements. + +**Dell PowerStore®** + +See the [Dell PowerStore Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md) +topic for target environment requirements. + +**Dell Unity** + +See the [Dell Unity Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md) topic for +target environment requirements. + +**Hitachi** + +- 11.2+ + +See the [Hitachi Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md) topic for target +environment requirements. 
+ +**Nasuni Nasuni Edge Appliances** + +- 8.0+ + +See the [Nasuni Edge Appliance Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md) +topic for target environment requirements. + +**NetApp Data ONTAP** + +- Data ONTAP 8.2+ +- 7-Mode Data ONTAP 7.3+ + +See the following topics for target environment requirements: + +- [NetApp Data ONTAP Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md) +- [NetApp Data ONTAP 7-Mode Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md) + +**Nutanix** + +See the [Nutanix Files Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md) topic for +target environment requirements. + +**Panzura** + +See the [Panzura CloudFS Monitoring](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/panzura-activity.md) topic for target environment +requirements. + +**Qumulo** + +- Qumulo Core 5.0.0.1B+ + +See the [Qumulo Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md) topic for target +environment requirements. + +## Supported Microsoft Entra ID + +The Activity Monitor provides the ability to monitor Microsoft Entra ID: + +See the [Microsoft Entra ID Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/entraid-activity.md) topic +for target environment requirements. + + +## Supported Exchange Online + +The Activity Monitor provides the ability to monitor Exchange Online: + +See the [Exchange Online Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/exchange-activity.md) +topic for target environment requirements. 
+ + +## Supported SharePoint Online + +The Activity Monitor provides the ability to monitor SharePoint Online: + +See the +[SharePoint Online Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-online-activity.md) topic +for target environment requirements. + +## Supported SharePoint On-Premise Platforms + +The Activity Monitor provides the ability to monitor SharePoint On-Premise farms: + +:::note +For monitoring a SharePoint farm, the Activity Agent must be deployed to the SharePoint +Application server that hosts the "Central Administration" component of the SharePoint farm. +::: + +- SharePoint® Server Subscription Edition +- SharePoint® 2019 +- SharePoint® 2016 +- SharePoint® 2013 + +See the [SharePoint On-Premise Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-onprem-activity.md) +topic for target environment requirements. + + +## Supported SQL Server Platforms + +The Activity Monitor provides the ability to monitor SQL Server: + +:::note +For monitoring SQL Server, it is recommended to install the Activity Agent must be +deployed to a Windows server that acts as a proxy for monitoring the target environment. +::: + + +- SQL Server 2022 +- SQL Server 2019 +- SQL Server 2017 +- SQL Server 2016 + +See the [SQL Server Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/activityagent/sqlserver-activity.md) topic for +target environment requirements. + diff --git a/docs/activitymonitor/9.0/requirements/activityagent/activityagentports.md b/docs/activitymonitor/9.0/requirements/activityagent/activityagentports.md new file mode 100644 index 0000000000..ea3f5e93ba --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/activityagentports.md 
@@ -0,0 +1,224 @@ +--- +title: "Activity Agent Ports" +description: "Activity Agent Ports" +sidebar_position: 10 +--- + +# Activity Agent Ports + +Firewall settings depend on the type of environment being targeted. The following firewall settings +are required for communication between the Agent server and the Netwrix Activity Monitor Console: + +| Communication Direction | Protocol | Ports | Description | +| -------------------------------- | -------- | ----- | ------------------- | +| Activity Monitor to Agent Server | TCP | 4498 | Agent Communication | + +The Windows firewall rules need to be configured on the Windows server, which require certain +inbound rules be created if the scans are running in applet mode. These scans operate over a default +port range, which cannot be specified via an inbound rule. For more information, see the Microsoft +[Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) +article. + +There might be a need for additional ports for the target environment. + +## CTERA Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Agent +and the CTERA Portal. 
+ +| Communication Direction | Protocol | Ports | Description | +| ---------------------------- | -------- | ----- | --------------------- | +| Agent Server to CTERA Portal | HTTPS | 443 | CTERA Portal API | +| CTERA Portal to Agent Server | TCP/TLS | 4488 | CTERA Event Reporting | + +## Dell Celerra & Dell VNX Devices Additional Firewall Rules + +The following firewall settings are required for communication between the CEE server/ Activity +Monitor Activity Agent server and the target Dell device: + +| Communication Direction | Protocol | Ports | Description | +| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | +| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | +| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data | + +## Dell Isilon/PowerScale Devices Additional Firewall Rules + +The following firewall settings are required for communication between the CEE server/ Activity +Monitor Activity Agent server and the target Dell Isilon/PowerScale device: + +| Communication Direction | Protocol | Ports | Description | +| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | +| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication | +| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data | + +## Dell PowerStore Devices Additional Firewall Rules + +The following firewall settings are required for communication between the CEE server/ Activity +Monitor Activity Agent server and the target Dell device: + +| Communication Direction | Protocol | Ports | Description | +| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | +| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | +| CEE Server to Activity Agent Server (when not same server) 
| TCP | RPC Dynamic Range | CEE Event Data | + +## Dell Unity Devices Additional Firewall Rules + +The following firewall settings are required for communication between the CEE server/ Activity +Monitor Activity Agent server and the target Dell device: + +| Communication Direction | Protocol | Ports | Description | +| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | +| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | +| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data | + +## Exchange Online Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target tenant: + +| Communication Direction | Protocol | Ports | Description | +| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- | +| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API | + +## Microsoft Entra ID Tenant Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target tenant: + +| Communication Direction | Protocol | Ports | Description | +| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- | +| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API | + +## Nasuni Edge Appliance Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target Nasuni Edge Appliance: + +| Communication Direction | Protocol | Ports | Description | +| ------------------------------- | ------------- | ----- | ---------------------- | +| 
Agent Server to Nasuni | HTTPS | 8443 | Nasuni API calls | +| Nasuni to Activity Agent Server | AMQP over TCP | 5671 | Nasuni event reporting | + +## NetApp Data ONTAP 7-Mode Device Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target NetApp Data ONTAP 7-Mode device: + +| Communication Direction | Protocol | Ports | Description | +| --------------------------------- | ---------------- | ------------------------------------ | ----------- | +| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI | +| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI | +| Activity Agent Server to NetApp | TCP | 135, 139 Dynamic Range (49152-65535) | RPC | +| Activity Agent Server to NetApp | TCP | 445 | SMB | +| Activity Agent Server to NetApp | UDP | 137, 138 | RPC | +| NetApp to Activity Agent Server | TCP | 135, 139 Dynamic Range (49152-65535) | RPC | +| NetApp to Activity Agent Server | TCP | 445 | SMB | +| NetApp to Activity Agent Server | UDP | 137, 138 | RPC | + +\*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in +Activity Monitor. + +:::note +If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode +device must be configured manually. Also, the External Engine will not reconnect automatically in +the case of a server reboot or service restart. 
+::: + + +## NetApp Data ONTAP Cluster-Mode Device Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target NetApp Data ONTAP Cluster-Mode device: + +| Communication Direction | Protocol | Ports | Description | +| --------------------------------- | ---------------- | ----- | -------------- | +| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI | +| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI | +| NetApp to Activity Agent Server | TCP | 9999 | FPolicy events | + +\*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in +Activity Monitor. + +:::note +If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode +device must be configured manually. Also, the External Engine will not reconnect automatically in +the case of a server reboot or service restart. +::: + + +## Nutanix Devices Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target Nutanix device: + +| Communication Direction | Protocol | Ports | Description | +| -------------------------------- | -------- | ----- | ----------------------- | +| Activity Agent Server to Nutanix | TCP | 9440 | Nutanix API | +| Nutanix to Activity Agent Server | TCP | 4501 | Nutanix Event Reporting | + +Protect the port with a username and password. The credentials will be configured in Nutanix. 
+ +## Panzura Devices Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target Panzura device: + +| Communication Direction | Protocol | Ports | Description | +| ------------------------------------------ | ------------- | ----- | ----------------------- | +| Activity Agent Server to Panzura | HTTPS | 443 | Panzura API | +| Panzura filers to to Activity Agent Server | AMQP over TCP | 4497 | Panzura Event Reporting | + +Protect the port with a username and password. The credentials will be configured in Panzura. + +## Qumulo Devices Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target Qumulo device: + +| Communication Direction | Protocol | Ports | Description | +| ------------------------------- | -------- | ----- | ---------------------- | +| Activity Agent Server to Qumulo | TCP | 8000 | Qumulo API | +| Qumulo to Activity Agent Server | TCP | 4496 | Qumulo Event Reporting | + +Protect the port with a username and password. The credentials will be configured in Qumulo. 
+ +## Azure Files Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target tenant: + +| Communication Direction | Protocol | Ports | Description | +| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- | +| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Blob Storage | + + +## SharePoint Online Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target tenant: + +| Communication Direction | Protocol | Ports | Description | +| -------------------------------------------------- | -------- | ----- | -------------------------------------------------- | +| Activity Agent Server to Microsoft Entra ID Tenant | HTTPS | 443 | Entra ID authentication, Graph API, Office 365 API | + +## SQL Server Additional Firewall Rules + +The following firewall settings are required for communication between the Activity Monitor Activity +Agent server and the target SQL Server: + +| Communication Direction | Protocol | Ports | Description | +| ----------------------------------- | -------- | ----- | ----------------------- | +| SQL Server to Activity Agent Server | TCP | 1433 | Default SQL Server Port | + +If the Activity Monitor cannot connect to the SQL Server, ensure that SQL Server Browsing state is +**Running**. + +## Integration with Netwrix Access Analyzer Additional Firewall Rules + +Firewall settings are dependent upon the type of environment being targeted. 
The following firewall +settings are required for communication between the agent server and the Access Analyzer Console: + +| Communication Direction | Protocol | Ports | Description | +| ------------------------------- | -------- | ---------- | ------------------------------ | +| Access Analyzer to Agent Server | TCP | 445 | SMB, used for Agent Deployment | +| Access Analyzer to Agent Server | TCP | Predefined | WMI, used for Agent Deployment | diff --git a/docs/activitymonitor/9.0/requirements/activityagent/entraid-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/entraid-activity.md new file mode 100644 index 0000000000..17e5aa1972 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/entraid-activity.md 
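Review bot: the SQL Server table's only row reads "SQL Server to Activity Agent Server | TCP | 1433 | Default SQL Server Port", but the agent is the client that connects to SQL Server on 1433, so the direction looks reversed; it should be "Activity Agent Server to SQL Server" unless an inbound flow is really intended. The Cluster-Mode section repeats the 7-Mode note verbatim ("the FPolicy on the NetApp Data ONTAP 7-Mode device must be configured manually") under the Cluster-Mode heading; it should name the Cluster-Mode device. Three Dell tables (Celerra/VNX, PowerStore, Unity) have a first row "Dell Device CEE Server" with the "to" missing, while the Isilon/PowerScale table writes "Dell Isilon/PowerScale to CEE Server"; make them consistent. The Panzura row has a doubled "to" ("Panzura filers to to Activity Agent Server"). In the Access Analyzer table, "Predefined" for the WMI ports gives a firewall administrator nothing to configure; the NetApp rows spell out "135, 139 Dynamic Range (49152-65535)", and this row should list its ports the same way. The sentence "Protect the port with a username and password" after the Nutanix, Panzura and Qumulo tables does not say which of the two ports in each table it means; name it. Finally, "ensure that SQL Server Browsing state is **Running**" presumably refers to the SQL Server Browser service; use the service's actual name.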
@@ -0,0 +1,225 @@ +--- +title: "Microsoft Entra ID Activity Auditing Configuration" +description: "Microsoft Entra ID Activity Auditing Configuration" +sidebar_position: 30 +--- + +# Microsoft Entra ID Activity Auditing Configuration + +It is necessary to register Activity Monitor as a web application to the targeted Microsoft Entra ID +(formerly Azure AD), in order for Activity Monitor to monitor the environment. This generates the +Client ID and Client Secret needed by the Activity Agent. See +[Microsoft Support](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-prerequisites-azure-portal) +for assistance in configuring the Microsoft Entra ID web application. + +:::note +A user account with the Global Administrator role is required to register an app with +Microsoft Entra ID. +::: + + +**Configuration Settings from the Registered Application** + +The following settings are needed from your tenant once you have registered the application: + +- Tenant ID – This is the Tenant ID for Microsoft Entra ID +- Client ID – This is the Application (client) ID for the registered application +- Client Secret – This is the Client Secret Value generated when a new secret is created + + :::warning + It is not possible to retrieve the value after saving the new key. It must be + copied first. + ::: + + +## Permissions + +The following permissions are required: + +- Microsoft Graph API + + - Application Permissions: + + - AuditLog.Read.All – Read all audit log data + - Directory.Read.All – Read directory data + - User.Read.All – Read all users' full profiles + +## Register a Microsoft Entra ID Application + +Follow the steps to register Activity Monitor with Microsoft Entra ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. 
+::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click App +registrations. + +**Step 3 –** In the top toolbar, click **New registration**. + +**Step 4 –** Enter the following information in the Register an application page: + +- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor + Entra ID +- Supported account types – Select **Accounts in this organizational directory only** +- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the drop + down menu. In the text box, enter the following: + +**Urn:ietf:wg:oauth:2.0:oob** + +**Step 5 –** Click **Register**. + +The Overview page for the newly registered app opens. Review the newly created registered +application. Now that the application has been registered, permissions need to be granted to it. + +## Grant Permissions to the Registered Application + +Follow the steps to set up permissions to enable the Activity Monitor to monitor data and collect +logs from Microsoft Entra ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **API permissions** in the Manage section. + +**Step 3 –** In the top toolbar, click **Add a permission**. + +**Step 4 –** On the Request API permissions blade, select **Microsoft Graph** on the Microsoft APIs +tab. 
Select the following permissions: + +- Under Application Permissions, select: + + - AuditLog.Read.All – Read all audit log data + - Directory.Read.All – Read directory data + - User.Read.All – Read all users' full profiles + +**Step 5 –** At the bottom of the page, click **Add Permissions**. + +**Step 6 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation +window. + +Now that the permissions have been granted to it, the settings required for Activity Monitor need to +be collected. + +## Identify the Client ID + +Follow the steps to find the registered application's Client ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** Copy the **Application (client) ID** value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding an Microsoft Entra ID host in the Activity Monitor. Next identify the +Tenant ID. + +## Identify the Tenant ID + +The Tenant ID is available in two locations within Microsoft Entra ID. + +**Registered Application Overview Blade** + +You can copy the Tenant ID from the same page where you just copied the Client ID. Follow the steps +to copy the Tenant ID from the registered application Overview blade. + +**Step 1 –** Copy the Directory (tenant) ID value. + +**Step 2 –** Save this value in a text file. + +This is needed for adding an Microsoft Entra ID host in the Activity Monitor. Next generate the +application’s Client Secret Key. + +**Overview Page** + +Follow the steps to find the tenant name where the registered application resides. 
+ +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** Copy the Tenant ID value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding an Microsoft Entra ID host in the Activity Monitor. Next generate the +application’s Client Secret Key. + +## Generate the Client Secret Key + +Follow the steps to find the registered application's Client Secret, create a new key, and save its +value when saving the new key. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +:::warning +It is not possible to retrieve the value after saving the new key. It must be copied +first. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **Certificates & secrets** in the Manage section. + +**Step 3 –** In the top toolbar, click **New client secret**. + +**Step 4 –** On the Add a client secret blade, complete the following: + +- Description – Enter a unique description for this secret +- Expires – Select the duration. + + :::note + Setting the duration on the key to expire requires reconfiguration at the time of + expiration. It is best to configure it to expire in 1 or 2 years. + ::: + + +**Step 5 –** Click **Add** to generate the key. 
+ +:::warning +If this page is left before the key is copied, then the key is not retrievable, and +this process will have to be repeated. +::: + + +**Step 6 –** The Client Secret will be displayed in the Value column of the table. You can use the +Copy to clipboard button to copy the Client Secret. + +**Step 7 –** Save this value in a text file. + +This is needed for adding an Microsoft Entra ID in the Activity Monitor. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/exchange-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/exchange-activity.md new file mode 100644 index 0000000000..70d4003a02 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/exchange-activity.md 
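Review bot: the Client ID and Client Secret sections both end with "Save this value in a text file"; for the client secret that leaves a plaintext credential on disk, so the page should instead say to paste the value straight into the Activity Monitor host configuration or keep it in a password manager or secret store, and to delete any temporary copy afterwards. The Redirect URI value is written as bold "Urn:ietf:wg:oauth:2.0:oob" with a capital U, while exchange-activity.md in the same patch uses lowercase "urn:ietf:wg:oauth:2.0:oob"; use the lowercase form in backticks in both files so it reads as a literal value rather than display text. The note "The steps below are for registering an app through the Microsoft Entra admin center" is repeated verbatim under Identify the Client ID, Identify the Tenant ID and Generate the Client Secret Key, where the steps are not registering an app; reword it per section or keep it once under Register a Microsoft Entra ID Application. "This is needed for adding an Microsoft Entra ID host" should read "a Microsoft Entra ID host" in each place, and the final sentence ("adding an Microsoft Entra ID in the Activity Monitor") drops the word "host". The client-secret expiry note recommends 1 or 2 years and already says expiry requires reconfiguration; it would help to add that the expiry date should be recorded and the secret rotated in Activity Monitor before it lapses.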
@@ -0,0 +1,287 @@ +--- +title: "Exchange Online Activity Auditing Configuration" +description: "Exchange Online Activity Auditing Configuration" +sidebar_position: 10 +--- + +# Exchange Online Activity Auditing Configuration + +In order to collect logs and monitor Exchange Online activity using the Netwrix Activity Monitor, it +needs to be registered with Microsoft® Entra ID® (formerly Azure AD). + +:::note +A user account with the Global Administrator role is required to register an app with +Microsoft Entra ID. +::: + + +**Additional Requirement** + +In addition to registering the application with Microsoft Entra ID, the following is required: + +- Enable Auditing for Exchange Online + +See the Enable Auditing for Exchange Online topic for additional information. + +**Configuration Settings from the Registered Application** + +The following settings are needed from your tenant once you have registered the application: + +- Tenant ID – This is the Tenant ID for Microsoft Entra ID +- Client ID – This is the Application (client) ID for the registered application +- Client Secret – This is the Client Secret Value generated when a new secret is created + + :::warning + It is not possible to retrieve the value after saving the new key. It must be + copied first. + ::: + + +**Permissions for Microsoft Graph API** + +- Application: + + - Directory.Read.All – Read directory data + - User.Read.All – Read all users' full profiles + +**Permissions for Office 365 Management APIs** + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +## Register a Microsoft Entra ID Application + +Follow the steps to register Activity Monitor with Microsoft Entra ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. 
See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click App +registrations. + +**Step 3 –** In the top toolbar, click **New registration**. + +**Step 4 –** Enter the following information in the Register an application page: + +- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor + for Exchange +- Supported account types – Select **Accounts in this organizational directory only** +- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the drop + down menu. In the text box, enter the following: + +**urn:ietf:wg:oauth:2.0:oob** + +**Step 5 –** Click **Register**. + +The Overview page for the newly registered app opens. Review the newly created registered +application. Now that the application has been registered, permissions need to be granted to it. + +## Grant Permissions to the Registered Application + +Follow the steps to grant permissions to the registered application. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **API permissions** in the Manage section. + +**Step 3 –** In the top toolbar, click **Add a permission**. + +**Step 4 –** On the Request API permissions blade, select **Microsoft Graph** on the Microsoft APIs +tab. 
Select the following permissions: + +- Application: + + - Directory.Read.All – Read directory data + - User.Read.All – Read all users' full profiles + +**Step 5 –** At the bottom of the page, click **Add Permissions**. + +**Step 6 –** In the top toolbar, click **Add a permission**. + +**Step 7 –** On the Request API permissions blade, select Office 365 Management APIs on the +Microsoft APIs tab. Select the following permissions: + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +**Step 8 –** At the bottom of the page, click **Add Permissions**. + +**Step 9 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation +window. + +Now that the permissions have been granted to it, the settings required for Activity Monitor need to +be collected. + +## Identify the Client ID + +Follow the steps to find the registered application's Client ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** Copy the **Application (client) ID** value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. Next identify the Tenant ID. + +## Identify the Tenant ID + +The Tenant ID is available in two locations within Microsoft Entra ID. 
+ +**Registered Application Overview Blade** + +You can copy the Tenant ID from the same page where you just copied the Client ID. Follow the steps +to copy the Tenant ID from the registered application Overview blade. + +**Step 1 –** Copy the Directory (tenant) ID value. + +**Step 2 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. Next identify the Tenant ID. Next generate the application’s Client Secret +Key. + +**Overview Page** + +Follow the steps to find the tenant name where the registered application resides. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** Copy the Tenant ID value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. Next identify the Tenant ID. Next generate the application’s Client Secret +Key. + +## Generate the Client Secret Key + +Follow the steps to find the registered application's Client Secret, create a new key, and save its +value when saving the new key. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +:::warning +It is not possible to retrieve the value after saving the new key. It must be copied +first. 
+::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **Certificates & secrets** in the Manage section. + +**Step 3 –** In the top toolbar, click **New client secret**. + +**Step 4 –** On the Add a client secret blade, complete the following: + +- Description – Enter a unique description for this secret +- Expires – Select the duration. + + :::note + Setting the duration on the key to expire requires reconfiguration at the time of + expiration. It is best to configure it to expire in 1 or 2 years. + ::: + + +**Step 5 –** Click **Add** to generate the key. + +:::warning +If this page is left before the key is copied, then the key is not retrievable, and +this process will have to be repeated. +::: + + +**Step 6 –** The Client Secret will be displayed in the Value column of the table. You can use the +Copy to clipboard button to copy the Client Secret. + +**Step 7 –** Save this value in a text file. + +This is needed for adding a Exchange Online host in the Activity Monitor. See the +[Exchange Online](/docs/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.md) topic for +additional information. + +## Enable Auditing for Exchange Online + +Follow the steps to enable auditing for Exchange Online so the Activity Monitor can receive events. + +**Step 1 –** In the Microsoft Purview compliance portal at +[https://compliance.microsoft.com](https://compliance.microsoft.com/), go to **Solutions** > +**Audit**. Or, to go directly to the Audit page at +[https://compliance.microsoft.com/auditlogsearch](https://compliance.microsoft.com/auditlogsearch). + +**Step 2 –** If auditing is not turned on for your organization, a banner is displayed prompting you +start recording user and admin activity. 
+ +**Step 3 –** Select the **Start recording** user and **admin activity** banner. + +It may take several hours before events appear in the application. The Activity Monitor now has +Exchange Online auditing enabled as needed to receive events. See the Microsoft +[Turn auditing on or off](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide) +article for additional information on enabling or disabling auditing. + +**Alternative Verification Method** + +Use the following command in Exchange Online PowerShell to verify auditing has been enabled: + +``` +Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled +``` + +A value of **True** for the `UnifiedAuditLogIngestionEnabled` property indicates that auditing is +turned on. + +If auditing is turned off, use either the button on the Audit page or the following command: + +``` +Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true +``` + +Auditing is now enabled. You can rerun the previous command to verify this. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/_category_.json new file mode 100644 index 0000000000..56d8e89ce6 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "NAS Device Configuration", + "position": 40, + "collapsed": true, + "collapsible": true +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json new file mode 100644 index 0000000000..99bd0e8259 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/_category_.json 
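Review bot: the Identify the Tenant ID section twice carries the leftover sentence "Next identify the Tenant ID." immediately before "Next generate the application's Client Secret Key."; the reader is already in the Tenant ID section, so drop it in both places. The two PowerShell blocks (Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled and Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true) sit in untagged fences; tag them powershell so they render with highlighting. In Enable Auditing, Step 2 reads "prompting you start recording" and should be "prompting you to start recording", and the second sentence of Step 1 ("Or, to go directly to the Audit page at ...") is a fragment; "Or go directly to the Audit page at ..." reads correctly. "adding a Exchange Online host" appears four times and should be "an Exchange Online host". The same plaintext-credential concern as in entraid-activity.md applies to "Save this value in a text file" for the Client Secret here. The trademark symbols in "Microsoft® Entra ID®" appear only in the intro paragraph; use them consistently or drop them.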
@@ -0,0 +1,10 @@ +{ + "label": "Azure Files Activity Auditing Configuration", + "position": 5, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "azurefiles-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md new file mode 100644 index 0000000000..2e690155c2 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/azure-files/azurefiles-activity.md 
@@ -0,0 +1,198 @@ +--- +title: "Azure Files Activity Auditing Configuration" +description: "Azure Files Activity Auditing Configuration" +sidebar_position: 5 +--- + +# Azure Files Activity Auditing Configuration +Activity Monitor can monitor CIFS activity on Azure Files shares. + +The product uses the native auditing capability of Azure Files, which writes audit data to a separate storage account. +This feature requires manual configuration. + +There are several steps in preparing Azure Files for monitoring: + +1. Enable auditing for storage accounts. +2. Register an application in Azure. +3. Assign permissions and RBAC roles. +4. Configure Activity Monitor. + +## Enable auditing for storage accounts + +Auditing in Azure Files is disabled by default. It must be enabled for each storage account to be monitored. + +![Azure Files auditing](/images/activitymonitor/9.0/config/azure-files/azure-files-audit.webp) + +### Logs storage account +You must provide a storage account for audit data. The audit data is written as blobs named `insight-logs` to that storage account. +It must be a different storage account — it cannot be the same account that hosts Azure Files. + +It is recommended to share such a *logs storage account* among multiple *files storage accounts*. +A single account can store nearly unlimited blobs and up to 5 PB of data, which is more than enough for audit logs. +A shared account also helps stay within the Azure limit of 250–500 accounts per region per subscription. + +However, for security reasons, you may choose to use separate *logs storage accounts* so that activity from different accounts is not mixed in the same blob storage. + +The *logs storage account* must be in the same Azure region as the monitored Azure Files storage account, but it does not need +to be in the same resource group or subscription. 
+ +Because the product does not require historical logs, it is recommended to configure an **Azure Lifecycle Management rule** for this storage account +to control storage volume and cost (not documented here). Otherwise, the data will be stored indefinitely. + +### Diagnostic setting + +To enable auditing, you must enable the Diagnostic Setting for each Azure Files storage account to be monitored. + +This can be done for each storage account individually or in bulk using Azure Policy to set Diagnostic Settings +at the management group, subscription, or resource group scope (not documented here). + +1. Open the storage account in the Microsoft Azure portal. + Navigate to **Monitoring > Diagnostic settings > File**. + +2. Click **Add diagnostic setting** to create a new auditing configuration or open an existing one. + +3. Under the **Logs** section, select **audit**, **StorageRead**, **StorageWrite**, and **StorageDelete**. + You can adjust these categories based on your needs; for example, unselect **StorageRead** if you are not interested in read activity. + +4. Under the **Destination details** section, select **Archive to a storage account**, then choose the storage account prepared in Step 1. + +5. Click **Save** to apply the diagnostic changes. + +:::note +It may take up to 90 minutes for the changes to take effect. +::: + +## Register an application in Azure + +Monitoring of Azure Files requires an application to be registered in the Azure portal, assigning it permissions to access the Graph API and +RBAC roles to access storage accounts. + +If you already have an application registered for Activity Monitor for Entra ID, SharePoint Online, or Exchange Online, you can reuse that +registration for Azure Files by assigning additional RBAC roles. + +Follow these steps to register the application in Azure. 
+ +### Open Microsoft Azure portal + +- Azure Public – https://portal.azure.com/ +- Azure for US Government GCC – https://portal.azure.com/ +- Azure for US Government GCC High – https://portal.azure.us/ +- Azure for US Government DoD – https://portal.azure.us/ +- Azure Germany – https://portal.microsoftazure.de/ +- Azure China by 21Vianet – https://portal.azure.cn/ + +Use the search box to locate the **App registrations** page, then select **New registration**. + +### Register an application + +1. Specify **Netwrix Activity Monitor** as the application name. +2. Choose **Accounts in this organizational directory only**. +3. Change the type of Redirect URI to **Public client/native (mobile & desktop)**. +4. Specify `urn:ietf:wg:oauth:2.0:oob` as the value. +5. Click **Register**. + +### Copy Application (client) ID and Tenant (directory) ID + +On the **Overview** page, copy the **Application (client) ID** and **Directory (tenant) ID** values and save them for later. + +### Create a new client secret + +1. Open the **Manage > Certificates & secrets** page. +2. Select **New client secret**. +3. Specify a description and an expiration period. +4. On the **Certificates & secrets** page, copy the **Value** of the created secret and save it for later. + +:::warning +Make sure you copy the **Value**, not the **Secret ID**. +::: + +### Grant API permissions + +Activity Monitor requires the `User.Read.All` permission to resolve user SIDs in activity events to user names. + +1. Open the **API permissions** page. +2. Select **Add a permission** and add the following to the existing **User.Read**: + **Microsoft Graph** + Type: **Application permissions** + Permission: `User.Read.All` +3. Click **Grant admin consent for Your Company**. + +## Assign Azure RBAC roles for storage accounts + +The registered application requires Azure RBAC role assignments to list storage accounts and read audit data. 
+ +Assign the following roles to the registered application: + +- `Reader` – the management plane role. + Allows enumeration of storage accounts and reading of their settings. + +- `Storage Blob Data Reader` – the data plane role. + Allows reading of audit data from the logs storage account(s). + +You can assign these roles at different levels, which grant access to all storage accounts within the selected scope: + +- **Management group** – grants access to all storage accounts under the management group. +- **Subscription** – grants access to all storage accounts under the subscription. +- **Resource group** – grants access to all storage accounts under the resource group. +- **Storage account** – grants access to the specified storage account only. + +![RBAC Roles Scopes](/images/activitymonitor/9.0/config/azure-files/rbac-roles-scopes.webp) + +Choose the appropriate scope, and then follow these steps: + +1. In the Azure portal, open the target scope resource (management group, subscription, resource group, or storage account). +2. Open the **Access control (IAM)** page. +3. Select **Add > Add role assignment**. +4. Select `Reader` on the **Role** page, and then select **Next**. +5. Select the registered application on the **Members** page, and then select **Review + assign**. +6. Select **Add > Add role assignment** again. +7. Select `Storage Blob Data Reader` on the **Role** page, and then select **Next**. +8. Select the registered application on the **Members** page, and then select **Next**. +9. _(Optional)_ Select **Add condition** on the **Conditions** page, change the editor type to **Code**, and enter the following: + + +``` +( + ( + !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) + ) + OR + ( + @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringStartsWith 'insights-logs-' + ) +) +``` + +This condition grants access only to blob containers that store audit data. 
Access to all other containers is denied. + +10. Select **Review + assign**. + +:::warning +It may take some time for the RBAC assignments to become effective. +::: + +## Configure Activity Monitor + +The last step is adding the Azure Files storage account to Activity Monitor. + +1. On the **Monitored Hosts & Services** page, select **Add Host/Service**. +2. Select the agent that will be monitoring Azure Files, and then select **Next**. +3. Select **Azure Files**, specify the tenant’s domain name, and then select **Next**. +4. On the **Connection** page, specify the Tenant ID (if it was not resolved automatically), Client ID, and Client Secret—values +copied in the previous steps during application registration. +5. Select **Connect**. +The button will verify the connection to Azure, enumerate all storage accounts, and retrieve their settings visible to the registered application. + +:::note +If the product fails to enumerate storage accounts, the RBAC roles were either assigned incorrectly or have not yet become effective. Retry later. +::: + +6. On the **Storage Accounts** page, select the storage accounts to be monitored, and then select **Next**. +7. Complete the wizard by selecting operations and output settings. + +:::info +You can use this wizard multiple times to add newly created storage accounts—already added accounts will be ignored. +::: + +8. Check the status of the added storage accounts on the **Monitored Hosts & Services** page. +Address any audit setting misconfigurations or missing RBAC roles. \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json new file mode 100644 index 0000000000..6f60d370f4 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "Dell Celerra & Dell VNX Activity Auditing Configuration", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "celerra-vnx-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md new file mode 100644 index 0000000000..7268d6eb62 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/celerra-vnx-activity.md 
@@ -0,0 +1,63 @@ +--- +title: "Dell Celerra & Dell VNX Activity Auditing Configuration" +description: "Dell Celerra & Dell VNX Activity Auditing Configuration" +sidebar_position: 20 +--- + +# Dell Celerra & Dell VNX Activity Auditing Configuration + +An Dell Celerra or VNX device can be configured to audit Server Message Block (SMB) protocol access +events. All audit data can be forwarded to the Dell Common Event Enabler (CEE). The Activity Monitor +listens for all events coming through the Dell CEE and translates all relevant information into +entries in the Log files or syslog messages. + +Complete the following checklist prior to configuring the Activity Monitor to monitor the host. +Instructions for each item of the checklist are detailed within the following sections. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment, gather the following: + + - DNS name of Celerra or VNX CIFS share(s) to be monitored + - Data Mover or Virtual Data Mover hosting the share(s) to be monitored + - Account with access to the CLI + - Download the Dell CEE from: + + - [https://www.dell.com/support](https://www.dell.com/support) + +**Checklist Item 2: Install Dell CEE** + +- Dell CEE can be installed on the same Windows server as the Activity Agent, or on a different + server. If it is installed on the same host, the activity agent can configure it automatically. + + :::info + The latest version of Dell CEE is the recommended version to use with the + asynchronous bulk delivery (VCAPS) feature. 
+ ::: + + +- Important: + + - Open MS-RPC ports between the Dell device and the Windows proxy server(s) where the Dell CEE + is installed + - Dell CEE 8.4.2 through Dell CEE 8.6.1 are not supported for use with the VCAPS feature + - Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server + +- See the [Install & Configure Dell CEE](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md) topic for instructions. + +**Checklist Item 3: Dell Device Configuration** + +- Configure the `cepp.conf` file on the Celerra VNX Cluster +- See the + [Connect Data Movers to the Dell CEE Server](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md#connect-data-movers-to-the-dell-cee-server) + topic for instructions. + +**Checklist Item 4: Activity Monitor Configuration** + +- Deploy the Activity Monitor Activity Agent, preferably on the same server where Dell CEE is + installed + + - After activity agent deployment, configure the Dell CEE Options tab of the agent's Properties + window within the Activity Monitor Console + +Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md new file mode 100644 index 0000000000..44921fd78f --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md 
@@ -0,0 +1,207 @@ +--- +title: "Install & Configure Dell CEE" +description: "Install & Configure Dell CEE" +sidebar_position: 10 +--- + +# Install & Configure Dell CEE + +Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix +product. Dell customers have a support account with Dell to access the download. + +:::tip +Remember, the latest version is the recommended version of Dell CEE. +::: + + +:::info +The Dell CEE package can be installed on the Windows server where the Activity +Monitor agent will be deployed (recommended) or on any other Windows or Linux server. +::: + + +Follow the steps to install the Dell CEE. + +**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for +this component. It is recommended to use the most current version. + +**Step 2 –** Follow the instructions in the Dell +[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs) +guide to install and configure the CEE. The installation will add two services to the machine: + +- EMC Checker Service (Display Name: EMC CAVA) +- EMC CEE Monitor (Display Name: EMC CEE Monitor) + +:::info +The latest version of .NET Framework and Dell CEE is recommended to use with the +asynchronous bulk delivery (VCAPS) feature. +::: + + +See the [CEE Debug Logs](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md#cee-debug-logs) section for information on +troubleshooting issues related to Dell CEE. + +After Dell CEE installation is complete, it is necessary to Connect Data Movers to the Dell CEE +Server. + +## Configure Dell Registry Key Settings + +There may be situations when Dell CEE needs to be installed on a different Windows server than the +one where the Activity Monitor activity agent is deployed. 
In those cases it is necessary to +manually set the Dell CEE registry key to forward events. + +**Step 1 –** Open the Registry Editor (run regedit). + +![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp) + +**Step 2 –** Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration** + +**Step 3 –** Right-click on **Enabled** and select Modify. The Edit DWORD Value window opens. + +**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value +window closes. + +**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens. + +**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the +Windows proxy server hosting the Activity Monitor activity agent. Use the following format: + +**StealthAUDIT@[IP ADDRESS]** + +Examples: + +**StealthAUDIT@192.168.30.15** + +**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. + +The Dell CEE registry key is now properly configured to forward event to the Activity Monitor +activity agent. + +## Connect Data Movers to the Dell CEE Server + +The `cepp.conf` file contains information that is necessary to connect the Data Movers to the Dell +CEE server. An administrator must create a configuration file which contains at least one event, one +pool, and one server. All other parameters are optional. The `cepp.conf` file resides on the Data +Mover. + +**Step 1 –** Log into the Dell Celerra or VNX server with an administrator account. The +administrative account should have a $ character in the terminal. + +:::note +Do not use a # charter. +::: + + +**Step 2 –** Create or retrieve the `cepp.conf` file. 
+ +If there is not a `cepp.conf` file on the Data Mover(s), use a text editor to create a new blank +file in the home directory named `cepp.conf`. The following is an example command if using the text +editor 'vi' to create a new blank file: + +**$ vi cepp.conf** + +> If a `cepp.conf` file already exists, it can be retrieved from the Data Movers for modification +> with the following command: + +**$ server_file [DATA_MOVER_NAME] -get cepp.conf cepp.conf** + +**Step 3 –** Configure the `cepp.conf` file. For information on the `cepp.conf` file, see the Dell +[Using the Common Event Enabler for Windows Platforms](https://www.dellemc.com/en-us/collaterals/unauth/technical-guides-support-information/products/storage-3/docu48055.pdf) +guide instructions on how to add parameters or edit the values or existing parameters. + +:::note +The information can be added to the file on one line or separate lines by using a space +and a "\"" at the end of each line, except for the last line and the lines that contain global +options: `cifsserver`, `surveytime`, `ft`, and `msrpcuser`. +::: + + +The Activity Monitor requires the following parameters to be set in the `cepp.conf` file: + +- `pool name= ` + - This should equal the name assigned to the configuration container. This container is composed + of the server(s) IP Address or FQDN where the Dell CEE is installed and where the list of + events to be monitored is located. It can be named as desired but must be a pool name. +- `servers= ` + - This should equal the IP Address or FQDN of the Windows server where the Dell CEE is + installed. If several servers are specified, separate them with the vertical bar (|) or a + colon (:). +- `postevents= ` + - The following events are required (separated with the vertical bar): + `CloseModified|CloseUnmodified|CreateDir|CreateFile|DeleteDir|DeleteFile|RenameDir|RenameFile|SetAclDir|SetAclFile ` + - If "Directory Read/List" operations are needed, append `OpenDir` to the list. 
+- `msrpcuser= ` + + - This should equal the domain account used to run the Dell CEE Monitor and Dell CAVA services + on the Windows server. This parameter is a security measure used to ensure events are only + sent to the appropriate servers. + + All unspecified parameters use the default setting. For most configurations, the default + setting is sufficient. + + Example cepp.conf file format: + +**msrpcuser=[DOMAIN\DOMAINUSER]** + + pool name=[POOL_NAME] \ + +**servers=[IP_ADDRESS1]|[IP_ADDRESS2]|... \** + + postevents=[EVENT1]|[EVENT2]|... + + Example cepp.conf file format for the Activity Monitor: + +**msrpcuser=[DOMAIN\DOMAINUSER running CEE services]** + + pool name=[POOL_NAME for configuration container] \ + +**servers=[IP_ADDRESS where CEE is installed]|... \** + + postevents=[EVENT1]|[EVENT2]|... + + Example of a completed cepp.conf file for the Activity Monitor: + +**msrpcuser=example\user1** + + pool name=pool \ + +**servers=192.168.30.15 \** + + postevents=CloseModified|CloseUnmodified|CreateDir|CreateFile|DeleteDir|DeleteFile|RenameDir|RenameFile|SetAclDir|SetAclFile + +**Step 4 –** Move the `cepp.conf` file to the Data Mover(s) root file system. Run the following +command: + +**$ server_file [DATA_MOVER_NAME]-put cepp.conf cepp.conf** + +:::note +Each Data Mover which runs Celerra Event Publishing Agent (CEPA) must have a `cepp.conf` +file, but each configuration file can specify different events. +::: + + +**Step 5 –** (This step is required only if using the `msrpcuser` parameter) Register the MSRPC user +(see Step 3 for additional information on this parameter). Before starting CEPA for the first time, +the administrator must issue the following command from the Control Station and follow the prompts +for entering information: + +**/nas/sbin/server_user server_2 -add -md5 -passwd [DOMAIN\DOMAINUSER for msrpcuser]** + +**Step 6 –** Start the CEPA facility on the Data Mover. 
Use the following command: + +**server_cepp [DATA_MOVER_NAME] -service –start** + +Then verify the CEPA status using the following command: + +**server_cepp [DATA_MOVER_NAME] -service –status** + +Once the `cepp.config` file has been configured, it is time to configure and enable monitoring with +the Activity Monitor. See the +[Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) +for additional information. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md new file mode 100644 index 0000000000..167a8b34fe --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/validate.md 
@@ -0,0 +1,159 @@ +--- +title: "Validate Setup" +description: "Validate Setup" +sidebar_position: 20 +--- + +# Validate Setup + +Once the Activity Monitor agent is configured to monitor the Dell device, the automated +configuration must be validated to ensure events are being monitored. + +## Validate Dell CEE Registry Key Settings + +:::note +See the +[Configure Dell Registry Key Settings](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md#configure-dell-registry-key-settings) +topic for information on manually setting the registry key. +::: + + +After the Activity Monitor activity agent has been configured to monitor the Dell device, it will +configure the Dell CEE automatically if it is installed on the same server as the agent. This needs +to be set manually in the rare situations where it is necessary for the Dell CEE to be installed on +a different server than the Windows proxy server(s) where the Activity Monitor activity agent is +deployed. + +If the monitoring agent is not registering events, validate that the EndPoint is accurately set. +Open the Registry Editor (run regedit). For the synchronous real-time delivery mode (AUDIT), use the +following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration** + +![registryeditorendpoint](/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp) + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthAUDIT@'ip-address-of-the-agent'` + +- For the HTTP protocol,` StealthAUDIT@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. 
+::: + + +**Step 4 –** If you changed any of the settings, restart the CEE Monitor service. + +**For Asynchronous Bulk Delivery Mode** + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration** + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthVCAPS@'ip-address-of-the-agent'` +- For the HTTP protocol, `StealthVCAPS@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** Ensure that the FeedInterval parameter is set to a value between 60 and 600; the +MaxEventsPerFeed - between 10 and 10000. + +**Step 5 –** If you changed any of the settings, restart the CEE Monitor service. + +Set the following values under the Data column: + +- Enabled – 1 +- EndPoint – StealthAUDIT + +If this is configured correctly, validate that the Dell CEE services are running. See the Validate +Dell CEE Services are Running topic for additional information. + +## Validate Dell CEE Services are Running + +After the Activity Monitor Activity Agent has been configured to monitor the Dell device, the Dell +CEE services should be running. If the Activity Agent is not registering events and the EndPoint is +set accurately, validate that the Dell CEE services are running. Open the Services (run +`services.msc`). 
+ +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +The following services laid down by the Dell CEE installer should have Running as their status: + +- Dell CAVA +- Dell CEE Monitor + +## Dell CEE Debug Logs + +If an issue arises with communication between the Dell CEE and the Activity Monitor, the debug logs +need to be enabled for troubleshooting purposes. Follow the steps. + +**Step 6 –** In the Activity Monitor Console, change the **Trace level** value in the lower right +corner to Trace. + +**Step 7 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Disable monitoring. + +**Step 8 –** Download and install the Debug View tool from Microsoft on the CEE server: + +**> [https://docs.microsoft.com/en-us/sysinternals/downloads/debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview)** + +**Step 9 –** Open the Registry Editor (run regedit). Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration** + +**Step 10 –** Right-click on **Debug** and select Modify. The Edit DWORD Value window opens. In the +Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Debug DWORD Value does not exist, it needs to be added. +::: + + +**Step 11 –** Right-click on **Verbose** and select Modify. The Edit DWORD Value window opens. In +the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Verbose DWORD Value does not exist, it needs to be added. +::: + + +**Step 12 –** Run the Debug View tool (from Microsoft). In the Capture menu, select the following: + +- Capture Win32 +- Capture Global Win32 +- Capture Events + +**Step 13 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Enable monitoring. + +**Step 14 –** Generate some file activity on the Dell device. 
Save the Debug View Log to a file. + +**Step 15 –** Send the following logs to [Netwrix Support](https://www.netwrix.com/support.html): + +- Debug View Log (from Dell Debug View tool) +- Use the **Collect Logs** button to collect debug logs from the activity agent + +:::info +After the logs have been gathered and sent to Netwrix Support, reset these +configurations. + +::: diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ctera-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ctera-activity.md new file mode 100644 index 0000000000..e3adc627c7 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ctera-activity.md 
@@ -0,0 +1,189 @@ +--- +title: "CTERA Activity Auditing Configuration" +description: "CTERA Activity Auditing Configuration" +sidebar_position: 10 +--- + +# CTERA Activity Auditing Configuration + +The Netwrix Activity Monitor can be configured to monitor file system activity on CTERA Edge Filer +appliances. + +The monitoring process relies on the SMB auditing feature of the CTERA Edge Filer. A local audit log +file is generated by each Edge Filer and audit events from these files are collected by the CTERA +Portal. The CTERA Portal forwards the events from the Edge Filers to the Activity Monitor Agent +through the Messaging and Syslog services. + +![Monitoring Process -CTERA Portal](/images/activitymonitor/9.0/config/ctera/cterasyslogmsg.webp) + +To prepare CTERA for monitoring: + +- Provision an account. +- Enable auditing on the CTERA Edge Filer. +- Enable Messaging and Edge Filer Syslog services on the CTERA Portal. + +## Provision Account + +Netwrix Activity Monitor uses the CTERA Portal API to retrieve information about portals, Edge +Filers, their auditing configurations, and optionally to enable syslog forwarding automatically. To +access the API, Activity Monitor requires an account in the CTERA Portal with the **Read Only +Administrator** role. + +**Step 1 –** Log in to the CTERA Portal web interface. In the global administration view, select +**Users** > **Administrators**. + +**Step 2 –** Click New Admin, specify a username, password, email, and the **Read Only +Administrator** role. + +This credential will then be used when configuring the Activity Monitor Agent to monitor the CTERA +portal. + +## Enable Auditing on CTERA Edge Filer + +The CTERA Edge Filer can generate audit log events for the SMB access. Audit events are stored in a +local file and then forwarded to the CTERA Portal for further processing. The audit log is disabled +by default and must be enabled. + +Follow the steps to enable SMB audit logs. 
+ +**Step 1 –** Log in to the Edge Filer web interface. In the Configuration view, select **Logs** > +**Audit Logs**. + +**Step 2 –** Select the **Enable CIFS/SMB Audit Logs** option. + +**Step 3 –** Specify a share to save the audit logs in the Save log files option. If a share does +not exist, create a new one first. + +:::note +CTERA recommends that SMB Audit logging is saved to a folder that is local on the Edge +Filer and not synced to the cloud. For example, in the root of vol1, which can then be used to +create a share. +::: + + +**Step 4 –** Adjust the **Keep closed files for** parameter. Otherwise, use the default value. + +**Step 5 –** Check all events except the **Read Extended Attributes** event in Events to log list. +If you do not require monitoring of _Directory Read/List_ operations, which typically generate a +high volume of data, uncheck the **List Folder Read Data** event. + +**Step 6 –** Make sure that **Log permission changes in human readable format** is unchecked. + +**Step 7 –** Click **Save**. + +To verify that the auditing is enabled, generate some file activity and check the share specified in +**Step 3**. An audit log should be created in `audit.log.dir/audit.log`. + +See the [Auditing SMB File Access](https://kb.ctera.com/docs/auditing-smb-file-access-5) article in +the CTERA Edge Filer Administrator Guide for additional information. + +## Enable Services on CTERA Portal + +The following services must be enabled and configured on the CTERA Portal: + +- CTERA Messaging Service -– Enables sending notifications to various consumers, including the + Edge Filer Syslog service. +- CTERA Edge Filer Syslog Service – Consolidates audit events from Edge Filers and sends them to the + Activity Monitor Agent and other consumers. + +Both services are disabled by default and must be enabled. The Messaging service must be enabled +first. 
+ +### Enable the Messaging Service + +See the +[Managing the CTERA Messaging Service](https://kb.ctera.com/docs/managing-the-ctera-messaging-service-2) +article in the CTERA Portal Global Administrator Guide for additional information on requirements +and recommendations for production and POC environments. + +**Step 1 –** Before setting up the Messaging Service in the web interface, first initialize the +messaging components with the following CLI command: + +**set /settings/platformServicesSetting/enabled true** + +Initialization takes a few minutes. + +**Step 2 –** Log in to the CTERA Portal web interface. In the global administration view, select +**Services** > **Messaging**. + +**Step 3 –** To add a new messaging server, click **Add Messaging Servers**. Select the servers to +use as messaging servers. Click **Save**. + +:::note +In a production environment, designate three servers as messaging servers. In a small or +test environment, CTERA supports using a single messaging server, typically the main database +server. However, in all other cases, exactly three servers must be assigned as messaging servers. +See the +[Managing the CTERA Messaging Service](https://kb.ctera.com/docs/managing-the-ctera-messaging-service-2) +article for additional information. +::: + + +**Step 4 –** Deploying the messaging service takes a few minutes. The status will change to STARTING +and then to ACTIVE. Wait until the status is ACTIVE before proceeding to the next step. + +:::note +If the status does not change to ACTIVE, the log files need to be collected from +`/usr/local/lib/ctera/work/logs/services` directory. +See the +[CTERA Messaging Service Logs](https://kb.ctera.com/docs/setting-up-the-ctera-messaging-service-2#ctera-messaging-service-logs) +article for additional information. +::: + + +### Enable the Edge Filer Syslog Service + +Ensure the Enable the Messaging Service section is completed before proceeding to enable the Syslog +Service. 
+ +The Edge Filer Syslog Service can be configured in two ways: + +- Automatically by the Activity Monitor using the API from CTERA Portal. +- Manually using the CTERA Portal web interface. + +It is recommended to configure the service automatically. With automatic configuration, the Activity +Monitor Agent will apply the settings and perform periodic checks to ensure correctness. To enable +automatic configuration, use the **Enable Edge Filer Syslog auditing** option in the host properties +and specify credentials to access the CTERA Portal API. + +Follow the steps to configure the Edge Filer Syslog Service manually. + +**Step 1 –** Configure monitoring of the CTERA Portal in the Activity Monitor Console. + +**Step 2 –** Add a CTERA host on the Monitored Hosts & Services tab and specify the portal host name, +username, password, and complete the wizard. + +**Step 3 –** Enable the newly added host. + +**Step 4 –** Copy a TLS certificate file, `certca.pem`, from +`%ProgramData%\Netwrix\Activity Monitor\Agent\Data` folder on the agent's server. + +**Step 5 –** Log in to the CTERA Portal web interface. In the global administration view, select +**Services** > **Edge Filer Syslog**. + +**Step 6 –** Click **Add a Server**. + +**Step 7 –** Specify the **FQDN of the agent** or **IP address** in the Addressfield. + +**Step 8 –** Specify 4488 in the Port field. + +:::note +The default port can be changed in the properties of the agent on the CTERA page. +::: + + +**Step 9 –** Change the protocol to **TCP/TLS**. + +**Step 10 –** Click **Server Certificate** > **Select File** to upload the file collected at Step 2. + +**Step 11 –** Click **Save**. + +**Step 12 –** Click **Enable** in the status bar. + +The status will change to STARTING. If the CTERA Portal manages to connect to the Activity Monitor +Agent, the status changes to ACTIVE. If not, review the error message and check **Logs & Alerts** > +**System Log** for details. 
+ +See the +[Managing the Edge Filer Syslog Service](https://kb.ctera.com/docs/managing-the-edge-filer-syslong-service) +article in the CTERA Portal Global Administrator Guide for additional information. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json new file mode 100644 index 0000000000..c328bb831d --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Hitachi Activity Auditing Configuration", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "hitachi-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md new file mode 100644 index 0000000000..deade0c148 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md 
@@ -0,0 +1,30 @@ +--- +title: "Configure Access to HNAS Audit Logs on Activity Agent Server" +description: "Configure Access to HNAS Audit Logs on Activity Agent Server" +sidebar_position: 20 +--- + +# Configure Access to HNAS Audit Logs on Activity Agent Server + +Follow the steps to configure access to the HNAS audit logs on the Windows server hosting the +Activity Monitor activity agent. + +**Step 1 –** On the Windows computer, go to Run and type `compmgmt.msc`. + +**Step 2 –** In the right-hand panel, select More Actions > Connect to another computer. + +**Step 3 –** In the Select Computer dialog box, enter the IP Address for EVS for HNAS and then click +OK. + +**Step 4 –** In the Computer Management window, go to Computer Management > System tools > Shared +Folders > Shares. + +**Step 5 –** Select the Security tab and click Advanced. + +**Step 6 –** In the Advanced Security Settings dialog box, select the Audit tab. Click Add or Edit +to select the users and groups to be audited and add the desired user or group. + +**Step 7 –** Select All for Type, and Full Control for Basic permissions. + +Once access has been configured on both the Hitachi device and the Activity Agent server, it is time +to configure and enable monitoring with the Activity Monitor Console. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md new file mode 100644 index 0000000000..216ea99581 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md 
@@ -0,0 +1,39 @@ +--- +title: "Configure Audit Logs on HNAS" +description: "Configure Audit Logs on HNAS" +sidebar_position: 10 +--- + +# Configure Audit Logs on HNAS + +Follow the steps to configure access to the HNAS audit logs on the Hitachi device. + +**Step 1 –** Open a browser and enter the IP Address for HNAS in the address bar to launch the +Hitachi Storage Navigator (SN). Enter the username and password. + +**Step 2 –** At the Storage Navigator home page, click File Services. + +**Step 3 –** On the File Services screen, click Enable File Service. + +**Step 4 –** On the Enable File Services screen, verify that the CIFS/Windows service is selected. + +**Step 5 –** On the File Services screen, click File System Security. + +**Step 6 –** Click Switch Mode and set the default file system security mode to Mixed (Windows and +UNIX) for all virtual file systems. + +**Step 7 –** Configure the Hitachi NAS Platform audit policy by returning to the File Services page. + +**Step 8 –** Click File System Audit Policies. + +**Step 9 –** Select the correct EVS and click details for the file system to enable auditing. + +**Step 10 –** In the Access via Unsupported Protocols section, select Allow Access (without +auditing). In the Audit Log section, set the maximum log file size to a value of at least 8 MB. It +is recommended to set it to 16 MB. In the Log roll over policy section, select New. The product does +not support the Wrap policy. Click OK to close. + +Once access has been configured on the Hitachi device, it is necessary to configure access to the +HNAS audit logs on the Windows server. See the +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md) topic for +additional information. 
diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md new file mode 100644 index 0000000000..c3e8fee835 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/hitachi-activity.md 
@@ -0,0 +1,64 @@ +--- +title: "Hitachi Activity Auditing Configuration" +description: "Hitachi Activity Auditing Configuration" +sidebar_position: 60 +--- + +# Hitachi Activity Auditing Configuration + +The Hitachi NAS (HNAS) server can host multiple Enterprise Virtual Servers (EVS). Each EVS has +multiple file systems. Auditing is enabled and configured per file system. This guide explains how +to enable auditing on an HNAS and to configure the Activity Monitor to monitor activity coming from +the Hitachi device auditing. + +The Activity Monitor does not use the EVS or file system name to connect to HNAS. Therefore, all +that is required of the user for HNAS activity collection is the following: + +- Logs path (UNC) + + - Active Log file name – Active Log File name needs with an `.evt` extension, and it should be + the same as in the HNAS configuration. This is usually `audit.evt`. + +- Credentials to access the HNAS log files + + - The only requirement for the credentials is the ability to read files from the `logs` + directory. + +- A polling interval between log collections (15 seconds by default) + + - The Activity Monitor minimizes IO by remembering a file offset where it stopped reading and + continuing from that offset next time. + +:::warning +The following disclaimer is provided by Hitachi: +::: + + +“Because CIFS defines open and close operations, auditing file system object access performed by +clients using other protocols would be costly in terms of system performance, because each I/O +operation would have to be audited as an open operation. **Therefore, when file system auditing is +enabled, by default, only clients connecting through the CIFS protocol are allowed access to the +file system.** Access by clients using other protocols, like NFS, can, however, be allowed. 
When +such access is allowed, access to file system objects through these protocols is not audited.” + +:::note +File system auditing can be configured to deny access to clients connecting with protocols +that cannot be audited (NFS). Please see the Hitachi +[Server and Cluster Administration Guide](https://support.hds.com/download/epcra/hnas0106.pdf) for +additional information. +::: + + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Hitachi devices. +Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: [Configure Audit Logs on HNAS](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configurelogs.md)** + +Checklist Item 2: +[Configure Access to HNAS Audit Logs on Activity Agent Server](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/hitachi-aac/configureaccesstologs.md) + +**Checklist Item 3: Activity Monitor Configuration** + +- Deploy the Activity Monitor Activity Agent to a Windows proxy server diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json new file mode 100644 index 0000000000..0e292bab7c --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Dell Isilon/PowerScale Activity Auditing Configuration", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "isilon-activity" + } +} \ No newline at end of file 
diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md new file mode 100644 index 0000000000..39bfb11e36 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md 
@@ -0,0 +1,82 @@ +--- +title: "Install Dell CEE" +description: "Install Dell CEE" +sidebar_position: 10 +--- + +# Install Dell CEE + +Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix +product. Dell customers have a support account with Dell to access the download. + +:::tip +Remember, the latest version is the recommended version of Dell CEE. +::: + + +:::info +The Dell CEE package can be installed on the Windows server where the Activity +Monitor agent will be deployed (recommended) or on any other Windows or Linux server. +::: + + +Follow the steps to install the Dell CEE. + +**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for +this component. It is recommended to use the most current version. + +**Step 2 –** Follow the instructions in the Dell +[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs) +guide to install and configure the CEE. The installation will add two services to the machine: + +- EMC Checker Service (Display Name: EMC CAVA) +- EMC CEE Monitor (Display Name: EMC CEE Monitor) + +:::info +The latest version of .NET Framework and Dell CEE is recommended to use with the +asynchronous bulk delivery (VCAPS) feature. +::: + + +After installation, open MS-RPC ports between the Dell device and the Dell CEE server. See the +[Dell CEE Debug Logs](validate.md#dell-cee-debug-logs) section for information on troubleshooting +issues related to Dell CEE. + +## Configure Dell Registry Key Settings + +There may be situations when Dell CEE needs to be installed on a different Windows server than the +one where the Activity Monitor activity agent is deployed. In those cases it is necessary to +manually set the Dell CEE registry key to forward events. + +**Step 1 –** Open the Registry Editor (run regedit). 
+ +![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp) + +**Step 2 –** Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration** + +**Step 3 –** Right-click on **Enabled** and select Modify. The Edit DWORD Value window opens. + +**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value +window closes. + +**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens. + +**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the +Windows proxy server hosting the Activity Monitor activity agent. Use the following format: + +**StealthAUDIT@[IP ADDRESS]** + +Examples: + +**StealthAUDIT@192.168.30.15** + +**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. + +The Dell CEE registry key is now properly configured to forward event to the Activity Monitor +activity agent. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md new file mode 100644 index 0000000000..97f28cdc32 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/isilon-activity.md 
@@ -0,0 +1,114 @@ +--- +title: "Dell Isilon/PowerScale Activity Auditing Configuration" +description: "Dell Isilon/PowerScale Activity Auditing Configuration" +sidebar_position: 30 +--- + +# Dell Isilon/PowerScale Activity Auditing Configuration + +Dell Isilon/PowerScale can be configured to audit Server Message Block (SMB) and NFS protocol access +events on the Dell Isilon/PowerScale cluster. All audit data can be forwarded to the Dell Common +Event Enabler (CEE). The Activity Monitor listens for all events coming through the Dell CEE and +translates all relevant information into entries in the log files or syslog messages. + +Protocol auditing must be enabled and then configured on a per-access zone basis. For example, all +SMB protocol events on a particular access zone can be audited, while only attempts to delete files +on a different access zone can be audited. + +The audit events are logged and stored on the individual OneFS nodes where the SMB/NFS client +initiated the activity. The stored events are then forwarded by the node to the Dell CEE instance or +concurrently to several instances. At this point, Dell CEE forwards the audit event to a defined +endpoint, such as Activity Monitor agent. + +Complete the following checklist prior to configuring Activity Monitor to monitor the host. +Instructions for each item of the checklist are detailed within the following sections. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment, gather the following: + + - DNS name of Isilon/PowerScale CIFS share(s) to be monitored + - Access Zone(s) containing the CIFS shares to be monitored + - Account with access to the OneFS UI or CLI + - Download the Dell CEE from: + + - [https://www.dell.com/support/home/en-us/](https://www.dell.com/support/home/en-us/) + +:::info +You can achieve higher throughput and fault tolerance by monitoring the +Isilon/PowerScale cluster with more than one pair of Dell CEE and Activity Monitor Agent. 
The +activity will be evenly distributed between the pairs. +::: + + +**Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/installcee.md)** + +- Dell CEE should be installed on a Windows or a Linux server. + + :::info + Dell CEE can be installed on the same server as the Activity Agent, or on a + different Windows or Linux server. If CEE is installed on the same server, the Activity Agent + can configure it automatically. + ::: + + +- Important: + + - Dell CEE 8.8 is the minimum supported version. It is recommended to use the latest available + version. + - Dell CEE requires .NET Framework 3.5 to be installed on the Windows server + +Checklist Item 3: Configure Auditing on the Dell Isilon/PowerScale Cluster + +- Select method: + + - **_RECOMMENDED:_** Allow the Activity Monitor to configure auditing automatically. + + - Automation completed while the Activity Monitor is configured to monitor the + Isilon/PowerScale device + - Automatically sets CEE Server with the IP Address of the server where CEE is installed + - Automatically sets Storage Cluster Name to exactly match the name known to the Activity + Monitor + - Choose between monitoring all Access Zones or scoping to specific Access Zones + + - [Manually Configure Auditing in OneFS](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md) + + - After configuration, add the Isilon/PowerScale device to be monitored by the Activity + Monitor + +- Important: + + - Value of the **Storage Cluster Name** field must exactly match the name entered for the + monitored host in the Activity Monitor Console. If the Storage Cluster Name cannot be modified + (for example, another 3rd party depends on it), you need to set the Host Aliases parameter in + the Activity Monitor Console. 
Otherwise, if for some reason the Storage Cluster Name must be + left empty, one can list OneFS cluster node names in the Host Aliases. + + - If the Storage Cluster Name is not empty, set the Host Aliases parameter to its value + - If the Storage Cluster Name is empty, set the Host Aliases to a semicolon-separated list + of OneFS node names + + - Include all Access Zones to be monitored in the auditing configuration + - As soon as the first CEE is installed, Isilon/PowerScale will start to send all activity, + including all previous audit events, to the agent. The start time can be modified to exclude + previously recorded audit events to prevent the agent from becoming overloaded with data. It + can be done using OneFS CLI only with isi audit modify command to edit the start time. + + - Start time command: + + ``` + isi audit settings global modify --cee-log-time [Protocol@2021-04-23 14:00:00] + ``` + + - View progress: + + ``` + isi_for_array isi audit progress view + ``` + + - See the Audit log time adjustment section of the Dell + [File System Auditing with Dell PowerScale and Dell Common Event Enabler](https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h12428-wp-best-practice-guide-isilon-file-system-auditing.pdf) + documentation for additional information. + +Checklist Item 4: Configure Dell CEE to Forward Events to the Activity Agent. See the +[Validate Setup](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md) topic for additional information. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md new file mode 100644 index 0000000000..e9006d0363 --- /dev/null 
+++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/manualconfiguration.md 
@@ -0,0 +1,90 @@ +--- +title: "Manually Configure Auditing in OneFS" +description: "Manually Configure Auditing in OneFS" +sidebar_position: 20 +--- + +# Manually Configure Auditing in OneFS + +Manual configuration for auditing is optional for newer versions as the Activity Agent can configure +the auditing automatically using the OneFS API. Follow the steps through the OneFS Storage +Administration Console. + +**Step 1 –** Navigate to the **Cluster Management** tab, and select **Auditing**. + +![settings](/images/activitymonitor/9.0/config/dellpowerscale/settings.webp) + +**Step 2 –** In the Settings section, check the Enable Protocol Access Auditing box. + +**Step 3 –** In the Audited Zones section, add at least one zone to be audited. The **System** zone +is typically used. If the CIFS or NFS shares are accessible through different zones on the OneFS +cluster, include all relevant zones. + +Ensure that OneFS collects only events you are interested in. By default, OneFS may monitor things +like directory reads, which can take up a large amount of space. Configuring the OneFS events that +need monitoring is not done through the Activity Monitor console. Configure OneFS event monitoring +using OneFS CLI with the isi audit modify command for each access zone. Enabling monitoring for only +what is needed for the environment will reduce the data load to the agent. + +Activity Monitor monitors the following events: `close_file_modified`, `close_file_unmodified`, +`create_file`, `create_directory`, `delete_file`, `delete_directory`, `rename_file`, +`rename_directory`, `set_security_file`, `set_security_directory`, and `open_directory` (if you want +to monitor Directory List/Read events). + +For each monitored access zone: + +- Use isi audit settings view `isi --zone ZONENAME` to check current settings. 
+- Disable reporting of failure and syslog audit events with: + +**isi audit settings modify --zone ZONENAME --clear-audit-failure --clear-syslog-audit-events** + +- Set the success audit events with: + + isi audit settings modify --zone ZONENAME + --audit-success=close_file_modified,close_file_unmodified,create_file,create_directory,delete_file,delete_directory,rename_file,rename_directory,set_security_file,set_security_directory + +![eventforwarding](/images/activitymonitor/9.0/config/dellpowerscale/eventforwarding.webp) + +**Step 4 –** In the Event Forwarding section, add the CEE Server URI value for the Windows or Linux +server hosting CEE. Use either of the following format: + +- `http://[IP ADDRESS]:[PORT]/cee` + +- `http://[SERVER Name]:[PORT]/cee` + + +:::info +When deploying multiple Dell CEE instances at scale, it is recommended that an +accommodating agent must be configured with each CEE instance. If multiple CEE instances send events +to just one agent, it may create an overflow of data and overload the agent. Distributing the +activity stream into pairs will be the most efficient way of monitoring large data sets at scale. +::: + + +**Step 5 –** Also in the Event Forwarding section, set the **Storage Cluster Name** value. It must +be an exact match to the name which is entered in the Activity Monitor for the **Monitored Host** +list. + +This name is used as a ‘tag’ on all events coming through the CEE. This name must exactly match what +is in the Activity Monitor or it does not recognize the events. + +:::info +Use the CIFS DNS name for Dell OneFS. +::: + + +:::note +To use the Activity Monitor with Access Analyzer for Activity Auditing (FSAC) scans, the +name entered here must exactly match what is used for Access Analyzer as a target host. 
+::: + + +If the Storage Cluster Name cannot be modified (for example, another third-party depends on it), you +need to set the Host Aliases parameter in the Activity Monitor Console: + +- If the Storage Cluster Name is not empty, set the Host Aliases parameter to its value +- If the Storage Cluster Name is empty, set the Host Aliases to a semicolon-separated list of OneFS + node names + +Next, it is time to configure the monitoring agent on the Windows server to monitor the +Isilon/PowerScale device. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md new file mode 100644 index 0000000000..2bd4def69e --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/isilon-powerscale-aac/validate.md 
@@ -0,0 +1,190 @@ +--- +title: "Validate Setup" +description: "Validate Setup" +sidebar_position: 30 +--- + +# Validate Setup + +Once the Activity Monitor agent is configured to monitor the Dell device, the automated +configuration must be validated to ensure events are being monitored. + +## Validate Dell CEE Registry Key Settings + +After the Activity Monitor activity agent has been configured to monitor the Dell device, it will +configure the Dell CEE automatically if it is installed on the same server as the agent. This needs +to be set manually in the rare situations where it is necessary for the Dell CEE to be installed on +a different server than the Windows proxy server(s) where the Activity Monitor activity agent is +deployed. + +If the monitoring agent is not registering events, validate that the EndPoint is accurately set. +Open the Registry Editor (run regedit). For the synchronous real-time delivery mode (AUDIT), use the +following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration** + +![registryeditorendpoint](/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp) + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthAUDIT@'ip-address-of-the-agent'` + +- For the HTTP protocol,` StealthAUDIT@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** If you changed any of the settings, restart the CEE Monitor service. + +**For Asynchronous Bulk Delivery Mode** + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. 
+ +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration** + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthVCAPS@'ip-address-of-the-agent'` +- For the HTTP protocol, `StealthVCAPS@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** Ensure that the FeedInterval parameter is set to a value between 60 and 600; the +MaxEventsPerFeed - between 10 and 10000. + +**Step 5 –** If you changed any of the settings, restart the CEE Monitor service. + +Set the following values under the Data column: + +- Enabled – 1 +- EndPoint – StealthAUDIT + +If this is configured correctly, validate that the Dell CEE services are running. See the Validate +Dell CEE Services are Running topic for additional information. + +## Validate Dell CEE Services are Running + +After the Activity Monitor Activity Agent has been configured to monitor the Dell device, the Dell +CEE services should be running. If the Activity Agent is not registering events and the EndPoint is +set accurately, validate that the Dell CEE services are running. Open the Services (run +`services.msc`). + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +The following services laid down by the Dell CEE installer should have Running as their status: + +- Dell CAVA +- Dell CEE Monitor + +## Dell CEE Debug Logs + +If an issue arises with communication between the Dell CEE and the Activity Monitor, the debug logs +need to be enabled for troubleshooting purposes. Follow the steps. 
+ +**Step 6 –** In the Activity Monitor Console, change the **Trace level** value in the lower right +corner to Trace. + +**Step 7 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Disable monitoring. + +**Step 8 –** Download and install the Debug View tool from Microsoft on the CEE server: + +**> [https://docs.microsoft.com/en-us/sysinternals/downloads/debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview)** + +**Step 9 –** Open the Registry Editor (run regedit). Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration** + +**Step 10 –** Right-click on **Debug** and select Modify. The Edit DWORD Value window opens. In the +Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Debug DWORD Value does not exist, it needs to be added. +::: + + +**Step 11 –** Right-click on **Verbose** and select Modify. The Edit DWORD Value window opens. In +the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Verbose DWORD Value does not exist, it needs to be added. +::: + + +**Step 12 –** Run the Debug View tool (from Microsoft). In the Capture menu, select the following: + +- Capture Win32 +- Capture Global Win32 +- Capture Events + +**Step 13 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Enable monitoring. + +**Step 14 –** Generate some file activity on the Dell device. Save the Debug View Log to a file. + +**Step 15 –** Send the following logs to [Netwrix Support](https://www.netwrix.com/support.html): + +- Debug View Log (from Dell Debug View tool) +- Use the **Collect Logs** button to collect debug logs from the activity agent + +:::info +After the logs have been gathered and sent to Netwrix Support, reset these +configurations. 
+::: + + +## Linux CEE Debug Log + +The debug log is stored in `/opt/CEEPack/emc_cee_svc.log` file. To enable verbose logging set Debug +and Verbose parameters under **Configuration** to 255 and restart the CEE. + +:::note +Debug logs should only be used for troubleshooting purposes. It's recommended to have +Debug Logs disabled by default. +::: + + +... + +```xml + + +100 +255 +10 +10 +20 +255 +12228 + +2 +5 +86400 + + +/opt/CEEPack/ +100 + + + + +__NOTE:__ All protocol strings are case sensitive. +``` diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md new file mode 100644 index 0000000000..a74a220d97 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nasuni-activity.md 
@@ -0,0 +1,80 @@ +--- +title: "Nasuni Edge Appliance Activity Auditing Configuration" +description: "Nasuni Edge Appliance Activity Auditing Configuration" +sidebar_position: 70 +--- + +# Nasuni Edge Appliance Activity Auditing Configuration + +Generation of an API Access Key is required for Nasuni activity monitoring. The Nasuni Edge +Appliance generates its own audit trail. An API Access Key is used by the Activity Monitor to form a +network connection to the appliance. Nasuni will then stream event data to the activity agent. See +[Nasuni Support Documentation](https://www.nasuni.com/support/) for additional information. + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Nasuni Edge Appliances. +Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: Generate Nasuni API Access Key** + +- Generate an API Access Key for each Nasuni Edge Appliance to be monitored through one of the + following: + + - Nasuni Filer Management Interface + - Nasuni Management Console + +**Checklist Item 2: Activity Monitor Configuration** + +- Deploy the Activity Monitor activity agent to a Windows proxy server + +## Nasuni Filer Management Interface + +Follow the steps to generate a Nasuni API Access Key in the Nasuni Filer Management Interface. + +**Step 1 –** Within the **Configuration** menu, under **USERS & SECURITY**, select API Access Keys. +The API Access Keys page opens. + +**Step 2 –** Click Add API Key button. The Add API Key window opens. + +**Step 3 –** Enter a Name for thekey; for example, the name of the application. + +**Step 4 –** Click Create Key. + +**Step 5 –** In the Successfully Generated API Key window, copy the Key Passcode. + +Both the Key Name and the Key Passcode are required by the Activity Monitor in order to connect to +the Nasuni Edge Appliance. 
Once the API Key has been generated, it is time to configure and enable +monitoring with the Activity Monitor console. + +:::note +Nasuni API key names are case sensitive. When providing them, ensure they are entered in +the exact same case as generated. +::: + + +## Nasuni Management Console + +Follow the steps to generate a Nasuni API Access Key in the Nasuni Management Console. + +**Step 1 –** Click Filers and select API Keys from the menu on the left. The Filer API Access Key +Settings page opens. + +**Step 2 –** Click New API Key button. The Add API Access Key window opens. + +**Step 3 –** From the Filer drop-down menu, select the desired Nasuni Edge Appliance. Then enter a +Name for the key; for example, the name of the application. + +**Step 4 –** Click Add API Key. + +**Step 5 –** A message appears which includes the Key Passcode; copy the Key Passcode. + +Both the Key Name and the Key Passcode are required by the Activity Monitor in order to connect to +the Nasuni Edge Appliance. Once the API Key has been generated, it is time to configure and enable +monitoring with the Activity Monitor console. + +:::note +Nasuni API key names are case sensitive. When providing them, ensure they are entered in +the exact same case as generated. + +::: diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md new file mode 100644 index 0000000000..eff70052ec --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/nutanix-activity.md 
@@ -0,0 +1,43 @@ +--- +title: "Nutanix Files Activity Auditing Configuration" +description: "Nutanix Files Activity Auditing Configuration" +sidebar_position: 100 +--- + +# Nutanix Files Activity Auditing Configuration + +The Netwrix Activity Monitor can be configured to monitor file activity on Nutanix Files devices. + +A user having REST API access must be created on the Nutanix Files server to monitor the files +server using Activity Monitor. Additional configurations are done automatically by Activity Monitor +using the Nutanix API with the help of this user. + +Follow the steps to create a new user account with Nutanix Prism: + +**Step 1 –** Open Nutanix Prism web portal. + +**Step 2 –** Select **File Server** category. In the list of servers, select the server you want to +audit. + +**Step 3 –** Click **Manage roles**. + +**Step 4 –** In the Manage roles dialog box locate the REST API access user section and click **+New +user**. + +![Manage Roles - File Server](/images/activitymonitor/9.0/config/nutanix/activitynutanix.webp) + +**Step 5 –** Enter local user account name and password, then click **Save** to save the settings. + +**Step 6 –** Click **Close** to close the Manage roles dialog box. + +:::note +The user credentials created here are used when adding a Nutanix file server in Activity +Monitor. +::: + + +:::note +Nutanix Files does not report events for activity originating from a server where the +Activity Monitor Agent is installed. + +::: diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json new file mode 100644 index 0000000000..1496020c88 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration", + "position": 90, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "ontap-cluster-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md new file mode 100644 index 0000000000..6926d8d108 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md 
@@ -0,0 +1,191 @@ +--- +title: "Configure Network" +description: "Configure Network" +sidebar_position: 20 +--- + +# Configure Network + +Activity Monitor requires two communication channels for ONTAP monitoring: + +1. ONTAP API – Activity Monitor Agent connects to ONTAP on port 80 (http) or 443 (https) for access + to ONTAP API (ONTAPI/ZAPI or REST API). +2. FPolicy – Data LIFs of the SVM connect to Activity Monitor Agent on port 9999 for FPolicy + notifications. + +The following sections discuss network configuration required to enable API and FPolicy +communication. + +## ONTAP API + +The ONTAP API access is mandatory; without the API access the agent will not be able to receive and +translate events from FPolicy. The agent uses the API to retrieve information about the SVM: CIFS +settings, list of volumes, list of LIFs. Depending on the configuration, the agent can also retrieve +the state of FPolicy to ensure it is enabled; configure FPolicy and register or unregister itself. + +The API access is needed either through the SVM's LIF or through the cluster management LIF with +_vserver tunneling_ feature. If you want to use the vserver tunneling feature, specify the cluster +management LIF's address in the "Management LIF" parameter in the host's settings in the Activity +Monitor. + +Both classic ONTAPI/ZAPI and the new REST API are supported. Starting with ONTAP 9.13.1, the product +uses REST API by default if it is available. HTTP and HTTPS protocols are supported. For HTTPS, two +modes are supported: strict and ignore errors. For the strict mode, the product allows you to +disable the host name validation in case the agent cannot resolve the FQDN of the LIF. + +Enabling the API access varies depending on ONTAP version. The following sections list common steps +on enabling the API access. Please refer to the NetApp documentation for more details. 
+ +### Management-http Service + +Starting with ONTAP 9.6, data LIFs used for HTTPS communication with the Activity Monitor are +required to use a service policy that includes the `management-https` service. This service enables +HTTPS access to the LIF. + +The following examples offer guidance for managing service policies, but may vary depending on the +NetApp environment’s specific configuration and needs. + +**Step 1** – Display LIFs of the SVM. Take note of the _service policy_ name used by the LIF you +want to be used for API access. + +``` +network interface show -vserver [SVM] -instance +``` + +**Step 2** – Check the services included in the SVM service policy + +``` +network interface service-policy show -policy [POLICY_NAME] +``` + +**Step 3** – Add the `management-https` service if it is missing + +``` +set -privilege advanced +network interface service-policy add-service -service management-https -policy [POLICY_NAME] -vserver [SVM] +``` + +Example: + +``` +set -privilege advanced +network interface service-policy add-service -service management-https -policy default-data-files -vserver testserver +``` + +### Firewall Policy + +For ONTAP 9.5 and older, the following commands can be used to either create a new firewall policy +or modify an existing policy if ONTAPI is blocked. 
+ +#### Create New Firewall HTTP Policy + +Use the following commands with the Cluster Management LIF to create a new firewall HTTP policy: + +``` +system services firewall policy clone -policy data -vserver [ADMIN_SVM_NAME] -destination-policy [FIREWALL_POLICY_NAME] -destination-vserver [SVM_NAME] +system services firewall policy create -vserver [SVM_NAME] -policy [FIREWALL_POLICY_NAME] -service http -allow-list [IP_ADDRESS]/[NETMASK], [IP_ADDRESS]/[NETMASK] +``` + +Example: + +``` +system services firewall policy clone -policy data -vserver myontap -destination-policy enterpriseauditorfirewall -destination-vserver testserver +system services firewall policy create -vserver testserver -policy enterpriseauditorfirewall -service http -allow-list 192.168.30.15/32 +``` + +#### Create New Firewall HTTPS Policy + +Use the following commands with the Cluster Management LIF to create a new firewall HTTPS policy: + +``` +system services firewall policy clone -policy data -vserver [ADMIN_SVM_NAME] -destination-policy [FIREWALL_POLICY_NAME] -destination-vserver [SVM_NAME] +system services firewall policy create -vserver [SVM_NAME] -policy [FIREWALL_POLICY_NAME] -service https -allow-list [IP_ADDRESS]/[NETMASK], [IP_ADDRESS]/[NETMASK] +``` + +Example: + +``` +system services firewall policy clone -policy data -vserver myontap -destination-policy enterpriseauditorfirewall -destination-vserver testserver +system services firewall policy create -vserver testserver -policy enterpriseauditorfirewall -service https -allow-list 192.168.30.15/32 +``` + +#### Apply Firewall Policy to SVM Data LIF + +Use the following command to modify an existing firewall policy: + +``` +network interface modify -vserver [SVM_NAME] -lif [DATA LIF NAME] -firewall-policy [FIREWALL_POLICY_NAME] +``` + +Example: + +``` +network interface modify -vserver testserver -lif datal -firewall-policy enterpriseauditorfirewall +``` + +For more information about creating a firewall policy and assigning it to a LIF, 
read the +[Configure firewall policies for LIFs](https://docs.netapp.com/us-en/ontap/networking/configure_firewall_policies_for_lifs.html)[ ](https://docs.netapp.com/us-en/ontap/networking/configure_firewall_policies_for_lifs.html) +article. + +#### Validate Firewall Policy + +Run the following command to validate the firewall policy: + +``` +system services firewall policy show -policy [FIREWALL_POLICY_NAME] -service [HTTP_HTTPS] +``` + +Example: + +``` +system services firewall policy show -policy enterpriseauditorfirewall -service http +``` + +Verify that the output is displayed as follows: + +![validatefirewall](/images/activitymonitor/9.0/config/netappcmode/validatefirewall.webp) + +## FPolicy + +The FPolicy framework enables the collection of audit events on the ONTAP side and their transfer to +the agent(s) via the designated Data LIFs. Each LIF establishes its own connection with one or +several agents and sends notifications as soon as the file transaction occurs. The FPolicy +connection is asynchronous and buffered; both ONTAP and Activity Monitor have techniques in place to +make sure that connections are alive and working. The connection can be secured using TLS with +server or mutual authentication. + +ONTAP cluster nodes connect to the agent on port 9999 by default. The port can be changed in the +agent's settings. The agent adds this port to Windows Firewall exclusions automatically. Please +ensure the port is not blocked by other firewalls between ONTAP and the agent. + +### Data-fpolicy-client Service + +Starting with ONTAP 9.8, each data LIF of the SVM must have the **data-fpolicy-client** service +included in its service-policy configuration. This service enables the FPolicy protocol for the LIF. +Use the following commands to ensure that the service is included. + +**Step 1** – Display LIFs of the SVM. Take note of the _service policy_ name used by the data LIFs. 
+ +``` +network interface show -vserver [SVM] -instance +``` + +**Step 2** – Check the services included in the SVM service policy + +``` +network interface service-policy show -policy [POLICY_NAME] +``` + +**Step 3** – Add the **data-fpolicy-client** service if it is missing + +``` +set -privilege advanced +network interface service-policy add-service -service data-fpolicy-client -policy [POLICY_NAME] -vserver [SVM] +``` + +Example: + +``` +set -privilege advanced +network interface service-policy add-service -service data-fpolicy-client -policy default-data-files -vserver testserver +``` diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md new file mode 100644 index 0000000000..b0ba05a883 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md 
@@ -0,0 +1,937 @@ +--- +title: "Configure FPolicy" +description: "Configure FPolicy" +sidebar_position: 30 +--- + +# Configure FPolicy + +Activity Monitor relies on the NetApp FPolicy framework for monitoring of file access events on +Storage Virtual Machines (SVM). FPolicy needs to be configured for each SVM. + +There are two ways to configure FPolicy: + +- Activity Monitor agent can facilitate the Automatic Configuration of FPolicy for the monitored SVM + using the ONTAP API. This mode is simple, but does not allow you to exclude certain volumes or + shares of the SVM from being monitored. It also requires additional permissions to create and + modify FPolicy. +- Another option is to Manually Configure FPolicy for each SVM. This mode allows you to fine tune + FPolicy by excluding certain volumes or shares from being monitored. It also reduces product + permissions. + +Regardless of the chosen approach for FPolicy configuration, one also needs to perform extra steps +if the FPolicy communication has to be secured with TLS. + +## TLS Authentication Options + +There are two TLS FPolicy Authentication options that can be used: + +- TLS, server authentication – Server only authentication + + - A certificate (Server Certificate) for the Agent server needs to be generated and copied to a + PEM file. The Server Certificate PEM file needs to be saved locally on the Activity Monitor + Console server. + - For manual FPolicy configuration, the Server Certificate needs to be installed on the SVM, and + then server-authentication set. + - For automatic FPolicy configuration, the Activity Monitor manages installation of the Server + Certificate. + +- TLS, mutual authentication – Mutual authentication + + - A certificate (Server Certificate) for the Agent server needs to be generated and copied to a + PEM file. The Server Certificate PEM file needs to be saved locally on the Activity Monitor + Console server. 
+ - A certificate (Client Certificate) for the SVM needs to be copied to a PEM file and saved + locally on the Activity Monitor Console server. + - For manual FPolicy configuration, the Server Certificate needs to be installed on the SVM and + then mutual-authentication set. + - For automatic FPolicy configuration, mutual-authentication set before the configuration + process. The Activity Monitor manages installation of both certificates. + +### Generate Server Certificate + +A certificate (Server Certificate) for the Agent server needs to be generated and copied to a PEM +file. This is required for both of the TLS authentication options. + +The PEM file must contain both Public Key and Private Key parts. A certificate may be self-signed or +issued by a certification authority. Below are the steps for generation of a self-signed certificate +using OpenSSL toolkit. + +Use the following command on the agent server to create the Server Certificate and copy it to a .pem +file: + +``` +openssl.exe req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=[ACTIVITY_AGENT_SERVER_NAME]"  +copy cert.pem+key.pem [CERTIFICATE_FILE_NAME.pem] +del cert.pem key.pem .rnd +``` + +Example: + +``` +openssl.exe req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=testagentserver"  +copy cert.pem+key.pem agentkey.pem +del cert.pem key.pem .rnd +``` + +In this example ` agentkey.pem` would be used as the Server Certificate. Save the Server Certificate +locally on the Activity Monitor Console server. + +### Create PEM File for Client Certificate + +A certificate (Client Certificate) for the SVM needs to be copied to a PEM file. This is required +for the TLS, mutual authentication option. Follow the steps to create the PEM file for the Client +Certificate. 
+ +**Step 1 –** On the SVM , use the following command to show the security certificate details: + +``` +security certificate show -vserver [SVM_NAME] -type server instance +``` + +Example: + +``` +security certificate show -vserver testserver -type server instance +``` + +**Step 2 –** Copy the security certificate details into a text file and copy the public key to a PEM +file. The following variables from security details will be needed to set mutual-authentication +during Part 6 of manual configuration and prior to automatic configuration: + +- SVM +- Common Name +- Certificate Serial +- Public Key Certificate + +**Step 3 –** Copy the value of Public Key Certificate field to a PEM file. The value spans multiple +lines, starts with "`----BEGIN CERTIFICATE-----`" and ends with "`-----END CERTIFICATE-----`". + +The Client Certificate PEM file has been created. + +## Persistent Store + +For ONTAP 9.15.1 and later, enabling the Persistent Store feature is recommended regardless of the +chosen FPolicy configuration approach. The Persistent Store provides resilience and predictable +latency in scenarios such as network delays or bursts of activity events. The feature uses a +dedicated volume for each SVM as a staging buffer before events are sent to the agent. + +Persistent Store requires the following parameters: + +- Volume name – If the volume does not exist, it will be created automatically (recommended). +- Initial volume size – Specifies the starting size of the volume. +- Autosize mode – Options include Off, Grow, or Grow/Shrink. + +The size depends on the time duration for which you want to persist the events and the rate of +events. For example, if you want 30 minutes of events to persist in an SVM with a capacity of 5000 +events per second and the average event record size of 0.6 KB, the required volume size is +`5000 * 30 * 60 * 0.6 KB = 5400000 KB ≈ 5 GB`. + +:::note +To find the approximate event rate, use the FPolicy counter `requests_dispatched_rate`. 
+::: + + +:::note +For the Persistent Store to automatically create a volume, the SVM must have at least one +local tier (aggregate) assigned. +::: + + +To check that the SVM has assigned local tiers, use the following command: + +**vserver show -vserver [SVM_NAME] -fields aggr-list** + +The command shows currently local tiers. If no tiers are assigned, "-" is displayed. + +To assign local tiers to the SVM use the following command: + +**vserver add-aggregates -vserver [SVM_NAME] -aggregates [AGGREGATE_LIST]** + +Example: + +**vserver add-aggregates -vserver testserver -aggregates aggr1,aggr2** + +:::note +This command is available to cluster administrators at the admin privilege level. +::: + + +It is recommended to allow the volume to be created automatically. In this case, the FPolicy +subsystem manages the volume, maintains the directory structure, and protects it from accidental +deletion by marking it as not mountable. + +If you choose to create the volume manually, ensure the following: + +- The volume is not mounted and has no junction point. +- The snapshot policy for the volume is set to none. + +For additional and up-to-date recommendations on volumes for the Persistent Store, refer to the +NetApp documentation. + +## Manually Configure FPolicy + +This section describes how to manually configure FPolicy. Manual configuration of the FPolicy is +recommended if the policy needs to be scoped to monitor select volumes or shares. It is necessary to +create several FPolicy components and then enable the FPolicy. See the sections corresponding to +each part of this list: + +- Part 1: Install Server Certificate on the SVM (only if using TLS authentication) + + - This is only needed if using either of the TLS, … authentication options. + +- Part 2: Create External Engine + + - The External Engine defines how FPolicy makes and manages connections to external FPolicy + servers like Activity Monitor Agent. 
+ +- Part 3: Create FPolicy Events + + - An FPolicy event defines which protocol(s) to monitor and which file access events to monitor. + +- Part 4: Create Persistent Store (only if Persistent Store is used. RECOMMENDED) + + - A Persistent Store is used as a temporary on-disk storage before the events are sent to + Activity Monitor Agent. + +- Part 5: Create FPolicy Policy + + - The FPolicy policy associates the other three FPolicy components and allows for the + designation of a privileged FPolicy user + - If running the Access Auditing (FSAA), Activity Auditing (FSAC), and/or Sensitive Data + Discovery Auditing scans, then this is the user account credential to be added to the Access + Analyzer Connection Profile. + +- Part 6: Create FPolicy Scope + + - The FPolicy scope creates the filters necessary to perform scans on specific shares or + volumes. + +- Part 7: Set TLS Authentication (optional) + + - This is only needed if using either of the TLS authentication options. + +- Part 8: Enable the FPolicy + + - Once the FPolicy is enabled, the Activity Monitor Agent can be configured to monitor the SVM. + +- Part 9: Connect FPolicy Server / Agent to Cluster Node (optional) + + - This is only needed if there is an issue with connection to the Cluster node or for + troubleshooting a disconnection issue. + +### Part 1: Install Server Certificate on the SVM + +If using the TLS authentication options, it is necessary to install the Server Certificate on the +SVM. + +Use the following command to install the Server Certificate: + +``` +security certificate install type client-ca -vserver [SVM_NAME] +``` + +Example: + +``` +security certificate install type client-ca -vserver testserver +``` + +The command will ask you to provide a public certificate. Copy the public key from the Server +Certificate PEM file, i.e. the block starting with "`-----BEGIN CERTIFICATE-----`" and ending with +"`-----END CERTIFICATE-----`". Paste the block to the terminal window. 
+ +#### Validate Part 1: Server Certificate Install + +Run the following command to validate the Server Certificate is installed: + +``` +security certificate show -vserver [SVM_NAME] -commonname [ACTIVITY_AGENT_SERVER_NAME] -type client-ca instance +``` + +Example: + +``` +security certificate show -vserver testserver -commonname testagentserver -type client-ca instance +``` + +### Part 2: Create External Engine + +The External Engine defines how FPolicy makes and manages connections to external FPolicy servers. + +IMPORTANT: + +- The `-primary-servers` must be the server or servers hosting the Activity Monitor Agent. +- If intending to use the Activity Monitor with Access Analyzer, then the primary server must also + be the proxy server from which the Access Analyzer Access Auditing (FSAC) scans are running, e.g. + the Access Analyzer Console server for local mode or the proxy server if running in any of the + proxy mode options. +- The following values are required: + + - `engine-name StealthAUDITEngine`, the names of the external engine object can be customized + (see below). + - `port 9999`, Port number can be customized, but it is recommended to use 9999. + - `extern-engine-type asynchronous` + - `ssl-option no-auth` + - `send-buffer-size 6291456`, for ONTAP 9.10+ use `send-buffer-size 8388608` + +:::warning +All parameters are case sensitive. 
+::: + + +Use the following command to create the external engine: + +``` +set -privilege advanced +vserver fpolicy policy external-engine create -vserver [SVM_NAME] -engine-name StealthAUDITEngine -primary-servers [IP_ADDRESS,…] -port 9999 -extern-engine-type asynchronous -ssl-option no-auth -send-buffer-size 6291456 +``` + +Example: + +``` +set -privilege advanced +vserver fpolicy policy external-engine create -vserver testserver -engine-name StealthAUDITEngine -primary-servers 192.168.30.15 -port 9999 -extern-engine-type asynchronous -ssl-option no-auth -send-buffer-size 6291456 +``` + +#### Validate Part 2: External Engine Creation + +Run the following command to validate the creation of the external engine: + +``` +fpolicy policy external-engine show -vserver [SVM_NAME] -engine-name StealthAUDITEngine -instance +``` + +Verify that the output is displayed as follows: + +``` +Ontap915::> fpolicy policy external-engine show -vserver svm0 -engine-name StealthAUDITEngine -instance +  (vserver fpolicy policy external-engine show) +                                Vserver: svm0 +                                 Engine: StealthAUDITEngine +                Primary FPolicy Servers: 192.168.11.35 +         Port Number of FPolicy Service: 9999 +              Secondary FPolicy Servers: - +                   External Engine Type: asynchronous +  SSL Option for External Communication: no-auth +             FQDN or Custom Common Name: - +           Serial Number of Certificate: - +                  Certificate Authority: - +          Is Resiliency Feature Enabled: false +Maximum Notification Retention Duration: 3m +     Directory for Notification Storage: - +                 External Engine Format: xml +``` + +Relevant NetApp Documentation: To learn more about creating an external engine, please visit the +NetApp website and read the +[vserver fpolicy policy external-engine create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-external-engine-create.html) 
+article. + +### Part 3: Create FPolicy Event + +An event defines which protocol to monitor and which file access events to monitor. + +IMPORTANT: + +- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored. +- Access Analyzer and the Activity Monitor are capable of monitoring both NFS and CIFS. However, it + is necessary to create separate events for each protocol. +- The following values are required: + + - `event-name` + + - For CIFS shares – ` StealthAUDITScreeningCifs` for successful events; + `StealthAUDITScreeningFailedCifs` for failed events. + - For NFS shares – `StealthAUDITScreeningNfsV3, StealthAUDITScreeningNfsV4` for successful + events; `StealthAUDITScreeningFailedNfsV3, StealthAUDITScreeningFailedNfsV4` for failed + events. + The names of the event objects can be customized (see Customization of FPolicy Object + Names). + + - `volume-operation true` + - `protocol` – one of the following `cifs`, `nfsv3`, `nfsv4` + - `monitor-fileop-failure` – `true `or `false`, indicates whether failed file operations are + reported. + +- Limiting the file operations to be monitored is an excellent way to limit the performance impact + the FPolicy will have on the NetApp device. The file operations from which to choose are below + with additional filter options: + + - `create` – File create operations + - `create_dir` – Directory create operations + - `close` – File close operations + + - Enable this operation for NFSv4 to capture all read operations + + - `delete` – File delete operations + - `delete_dir` – Directory delete operations + - `link` – Link operations + - `open` – File open operations for CIFS protocol + + - `open-with-delete-intent` – Limits notification to only when an attempt is made to open a + file with the intent to delete it, according to the `FILE_DELETE_ON_CLOSE` flag + specification + + :::note + File open operations are only supported with the `open-with-delete-intent` + filter applied. 
+ ::: + + + - `read` – File read operations + + - `first-read` – Limits notification to only first read operations for CIFS protocol. For + ONTAP 9.2+, this filter can be used for both CIFS and NFS protocols. + + - `rename`– File rename operations + - `rename_dir`– Directory rename operations + - `setattr` – Set attribute operations and permission changes. The following filters are + available for ONTAP 9.0+ to limit events to permission changes only: + + - CIFS: + + - `setattr-with-owner-change` + - `setattr-with-group-change` + - `setattr-with-sacl-change` + - `setattr-with-dacl-change` + + - NFSv3: + + - `setattr-with-owner-change` + - `setattr-with-group-change` + - `setattr-with-mode-change` + + - NFSv4: + + - `setattr-with-owner-change` + - `setattr-with-group-change` + - `setattr-with-mode-change` + - `setattr-with-sacl-change` + - `setattr-with-dacl-change` + + - `symlink` – Symbolic link operations + - `write` – File write operations + + - `first-write` – Limits notification to only first write operations for CIFS protocol. For + ONTAP 9.2+, this filter can be used for both CIFS and NFS protocols. + +- For failed/denied events, the list of supported file operations is limited to the following + values: + + - CIFS: `open` + - NFSv3: + `create, create_dir, read, write, delete, delete_dir, rename, rename_dir, setattr, link` + - NFSv4: + `open, create, create_dir, read, write, delete, delete_dir, rename, rename_dir, setattr, link` + +:::warning +All parameters are case sensitive. 
+::: + + +Use the following command to create the FPolicy event for CIFS protocols: + +``` +vserver fpolicy policy event create -vserver [SVM_NAME] -event-name StealthAUDITScreeningCifs -volume-operation true -protocol cifs -file-operations [COMMA_SEPARATED_FILE_OPERATIONS] -filters [COMMA_SEPARATED_FILTERS] +``` + +Example: + +``` +vserver fpolicy policy event create -vserver testserver -event-name StealthAUDITScreeningCifs -volume-operation true -protocol cifs -file-operations create,create_dir,delete,delete_dir,open,read,write,rename,rename_dir,setattr -filters first-read,first-write,open-with-delete-intent,setattr-with-owner-change,setattr-with-group-change,setattr-with-sacl-change,setattr-with-dacl-change +``` + +Use the following command to create the FPolicy event for NFSv3 protocols: + +``` +vserver fpolicy policy event create -vserver [SVM_NAME] -event-name StealthAUDITScreeningNfsV3 -volume-operation true -protocol nfsv3 -file-operations [COMMA_SEPARATED_FILE_OPERATIONS] -filters [COMMA_SEPARATED_FILTERS] +``` + +Example: + +``` +vserver fpolicy policy event create -vserver testserver -event-name StealthAUDITScreeningNfsV3 -volume-operation true -protocol nfsv3 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,link,symlink -filters first-read,first-write,setattr-with-owner-change,setattr-with-group-change,setattr-with-mode-change +``` + +Use the following command to create the FPolicy event for NFSv4 protocols: + +``` +vserver fpolicy policy event create -vserver [SVM_NAME] -event-name StealthAUDITScreeningNfsV4 -volume-operation true -protocol nfsv4 -file-operations [COMMA_SEPARATED_FILE_OPERATIONS] -filters [COMMA_SEPARATED_FILTERS] +``` + +Example: + +``` +vserver fpolicy policy event create -vserver testserver -event-name StealthAUDITScreeningNfsV4 -volume-operation true -protocol nfsv4 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,link,symlink,close -filters 
setattr-with-group-change,setattr-with-mode-change,setattr-with-sacl-change,setattr-with-dacl-change +``` + +#### Validate Part 3: FPolicy Event Creation + +Run the following command to validate the creation of the FPolicy event: + +``` +fpolicy policy event show -vserver [SVM_NAME] -event-name [StealthAUDITScreeningCifs or StealthAUDITScreeningNfsV3 or StealthAUDITScreeningNfsV4 or ...] -instance +``` + +Example: + +``` +fpolicy policy event show -vserver [SVM_NAME] -event-name StealthAUDITScreeningCifs -instance +``` + +Verify that the output is displayed as follows: + +``` +Ontap915::> fpolicy policy event show -vserver svm0 -event-name StealthAUDITScreeningCifs +  (vserver fpolicy policy event show) +                                 Vserver: svm0 +                                   Event: StealthAUDITScreeningCifs +                                Protocol: cifs +                         File Operations: create, create_dir, delete, +                                          delete_dir, open, read, write, +                                          rename, rename_dir, setattr +                                 Filters: first-read, first-write, +                                          open-with-delete-intent, +                                          setattr-with-owner-change, +                                          setattr-with-group-change, +                                          setattr-with-sacl-change, +                                          setattr-with-dacl-change, +                                          setattr-with-mode-change +     Send Volume Operation Notifications: true +Send Failed File Operation Notifications: false +``` + +Relevant NetApp Documentation: To learn more about creating an event, please visit the NetApp +website and read the +[vserver fpolicy policy event create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-event-create.html) +article. 
+ +### Part 4: Create Persistent Store + +The Persistent Store provides a temporary on-disk storage for activity events before they are sent +to Activity Monitor Agent. The Persistent Store is optional but recommended for ONTAP 9.15.1 and +later versions. + +IMPORTANT: + +- Persistent Store is supported for ONTAP 9.15.1 and later versions. +- The SVM used must be the one hosting the CIFS or NFS shares to be monitored. +- There is no need to use an existing volume. A new volume will be created automatically and managed + by the FPolicy subsystem. +- The volume size depends on the duration for which the events persist and the event rate. For + example, if you want 30 minutes of events to persist in an SVM with a capacity of 5000 + events/second and the average event record size of 0.6 KB, the required volume size is + `5000 * 30 * 60 * 0.6 KB = 5400000 KB ≈ 5 GB`. +- For the Persistent Store to create a volume automatically, at least one local tier (aggregate) + must be assigned to the SVM. Use `vserver add-aggregates` to assign local tiers. + + The following values are required: + + - `vserver` – The name of the SVM where you want to create the Persistent Store. + - `persistent-store` – The name of the Persistent Store object. + + - The default name is `StealthAUDITPersistentStore`. + The names of the event objects can be customized (see Customization of FPolicy Object + Names). + + - `volume` – The name of the volume used for event storage. + + - If the volume does not exist, it will be automatically created on an assigned local tier. + This is recommended. + + - `size` – The initial size of the volume. The format is `[KB|MB|GB]`. + + The following values are optional: + + - `autosize-mode` – Specifies the auto size behavior for the volume. Options include `off` + (default), `grow`, or `grow_shrink`. + +:::warning +All parameters are case sensitive. 
+::: + + +Use the following command to create the Persistent Store: + +vserver fpolicy persistent-store create -vserver [SVM_NAME] -persistent-store [STORE_NAME] -volume +[VOLUME_NAME] -size [SIZE] -autosize-mode [AUTOSIZE] + +Example: + +vserver fpolicy persistent-store create -vserver testserver -persistent-store +StealthAUDITPersistentStore -volume testserver_ps_vol -size 5GB -autosize-mode grow_shrink + +#### Validate Part 4: Create Persistent Store + +Run the following command to validate the creation of the Persistent Store: + +vserver fpolicy persistent-store show -vserver [SVM_NAME] -persistent-store +StealthAUDITPersistentStore -instance + +Ensure that the output is displayed as follows: + +cluster1::> vserver fpolicy persistent-store show -vserver testserver -persistent-store +StealthAUDITPersistentStore -instance + Vserver: testserver + Persistent Store Name: StealthAUDITPersistentStore + Volume name of the Persistent store: testserver_ps_vol + Size of the Persistent Store: 5GB + Autosize Mode for the Volume: grow_shrink + +Visit the NetApp website and see the +[vserver fpolicy persistent store create](https://docs.netapp.com/us-en/ontap-cli/vserver-fpolicy-persistent-store-create.html) +article for additional information about creating a Persistent Store. + +### Part 5: Create FPolicy Policy + +The FPolicy policy associates the other three FPolicy components and allows for the designation of a +privileged FPolicy user, or the provisioned FPolicy account. If running the Access Auditing (FSAA), +Activity Auditing (FSAC), and/or Sensitive Data Discovery Auditing scans in Access Analyzer, then +this is also the user account credential to be added to the Access Analyzer Connection Profile. + +IMPORTANT: + +- To monitor both CIFS and NFS protocols, two FPolicy Event were created. Multiple events can be + included in the FPolicy policy. +- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored. 
+- The External Engine, FPolicy Event, Persistent Store used in this command must be configuration + objects created in the preceding steps. + + The following values are required: + + - `vserver` – The name of SVM. + - `policy-name StealthAUDIT` – The name of the policy object can be customized (see + Customization of FPolicy Object Names). + - `engine` – The name of the External Engine created in Part 2: Create External Engine. + - `events` – A list of FPolicy Event objects created in Part 3: Create FPolicy Event. + - `persistent-store` – The name of the Persistent Store created in Part 4: Create Persistent + Store. Required only if the Persistent Store is used. + + The following values are required for Access Analyzer integration: + + - `privileged-user-name` – Must be a provisioned FPolicy account. + - `allow-privileged-access` – Set to yes. + +:::warning +All parameters are case sensitive. +::: + + +Use the following command to create the FPolicy policy to monitor both CIFS and NFS protocols: + +``` +vserver fpolicy policy create -vserver [SVM_NAME] -policy-name StealthAUDIT -events StealthAUDITScreeningCifs,StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER] +``` + +Example: + +``` +vserver fpolicy policy create -vserver testserver -policy-name StealthAUDIT -events StealthAUDITScreeningCifs,StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name example\user1 +``` + +Use the following command to create the FPolicy policy to monitor only CIFS protocols: + +``` +vserver fpolicy policy create -vserver [SVM_NAME] -policy-name StealthAUDIT -events StealthAUDITScreeningCifs -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory 
false -allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER] +``` + +Example: + +``` +vserver fpolicy policy create -vserver testserver -policy-name StealthAUDIT -events StealthAUDITScreeningCifs -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name example\user1 +``` + +Use the following command to create the FPolicy policy to monitor only NFS protocols: + +``` +vserver fpolicy policy create -vserver [SVM_NAME] -policy-name StealthAUDIT -events StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER] +``` + +Example: + +``` +vserver fpolicy policy create -vserver testserver -policy-name StealthAUDIT -events StealthAUDITScreeningNfsV3,StealthAUDITScreeningNfsV4 -engine StealthAUDITEngine -persistent-store StealthAUDITPersistentStore -is-mandatory false -allow-privileged-access yes -privileged-user-name example\user1 +``` + +#### Validate Part 5: FPolicy Policy Creation + +Run the following command to validate the creation of the FPolicy policy: + +``` +fpolicy policy show -vserver [SVM_NAME] -policy-name StealthAUDIT -instance +``` + +``` +Ontap915::> fpolicy policy show -instance +  (vserver fpolicy policy show) +                        Vserver: svm0 +                         Policy: StealthAUDIT +              Events to Monitor: StealthAUDITScreeningCifs, +                                 StealthAUDITScreeningFailedCifs, +                                 StealthAUDITScreeningNfsV3, +                                 StealthAUDITScreeningFailedNfsV3, +                                 StealthAUDITScreeningNfsV4, +                                 StealthAUDITScreeningFailedNfsV4 +                 FPolicy Engine: StealthAUDITEngine +Is Mandatory Screening Required: false +        Allow Privileged Access: 
no +User Name for Privileged Access: - +    Is Passthrough Read Enabled: false +          Persistent Store Name: - +``` + +Relevant NetApp Documentation: To learn more about creating a policy, please visit the NetApp +website and read the +[vserver fpolicy policy create](https://docs.netapp.com/us-en/ontap-cli/vserver-fpolicy-policy-create.html) +article. + +### Part 6: Create FPolicy Scope + +The FPolicy scope creates the filters necessary to perform scans on specific shares or volumes. It +is possible to set the scope to monitor all volumes or all shares by replacing the volume/share name +variable [SVM_NAME] in the command with an asterisk (\*). + +IMPORTANT: + +- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored. +- It is not necessary to specify both volumes and shares. One or the other is sufficient. +- If you want to monitor everything, set the "`volumes-to-include`" value to "`*`". + +Use the following command to create the FPolicy scope by specifying volume(s): + +``` +vserver fpolicy policy scope create -vserver [SVM_NAME] -policy-name StealthAUDIT -volumes-to-include [VOLUME_NAME],[VOLUME_NAME] +``` + +Example: + +``` +vserver fpolicy policy scope create -vserver testserver -policy-name StealthAUDIT -volumes-to-include samplevolume1,samplevolume2 +``` + +Use the following command to create the FPolicy scope by specifying share(s): + +``` +vserver fpolicy policy scope create -vserver [SVM_NAME] -policy-name StealthAUDIT -shares-to-include [SHARE_NAME],[SHARE_NAME] +``` + +Example: + +``` +vserver fpolicy policy scope create -vserver testserver -policy-name StealthAUDIT -shares-to-include sampleshare1,sampleshare2 +``` + +#### Validate Part 6: FPolicy Scope Creation + +Run the following command to validate the FPolicy scope creation: + +``` +fpolicy policy scope show -instance +``` + +``` +Ontap915::> fpolicy policy scope show -instance +  (vserver fpolicy policy scope show) +                   Vserver: svm0 +                    
Policy: StealthAUDIT +         Shares to Include: * +         Shares to Exclude: - +        Volumes to Include: * +        Volumes to Exclude: - +Export Policies to Include: * +Export Policies to Exclude: - +File Extensions to Include: - +File Extensions to Exclude: - +``` + +Relevant NetApp Documentation: To learn more about creating scope, please visit the NetApp website +and read the +[vserver fpolicy policy scope create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-scope-create.html) +article. + +### Part 7: Set TLS Authentication + +If using the TLS authentication options, it is necessary to set authentication for the type of +authentication. + +#### Set Server-Authentication + +Use the following command to set server-authentication: + +``` +vserver fpolicy policy externalengine modify -vserver [SVM_NAME] -engine-name StealthAUDITEngine -ssl-option server-auth +``` + +Example: + +``` +vserver fpolicy policy externalengine modify -vserver testserver -engine-name StealthAUDITEngine -ssl-option server-auth +``` + +#### Set Mutual-Authentication + +Use the following command to set mutual-authentication: + +``` +vserver fpolicy policy external-engine modify -vserver [SVM_NAME] -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name [COMMON_NAME] -certificate-serial [CERTIFICATE_SERIAL] -certificate-ca [CERTIFICATE_AUTHORITY] +``` + +Example: + +``` +vserver fpolicy policy external-engine modify -vserver testserver -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name testserver -certificate-serial 461AC46521B31321330EBBE4321AC51D -certificate-ca "VeriSign Universal Root Certification Authority" +``` + +#### Validate Mutual-Authentication Is Set + +Run the following command to confirm mutual-authentication is set: + +``` +vserver fpolicy policy external-engine show -fields ssl-option +``` + +### Part 8: Enable the FPolicy + +The FPolicy must be enabled before the Activity Monitor Agent can be 
configured to monitor the SVM. + +IMPORTANT: + +- The SVM used must be the SVM hosting the CIFS or NFS shares to be monitored. + +Use the following command to enable the FPolicy: + +``` +vserver fpolicy enable -vserver [SVM_NAME] -policy-name StealthAUDIT -sequence-number [INTEGER] +``` + +Example: + +``` +vserver fpolicy enable -vserver testserver -policy-name StealthAUDIT -sequence-number 10 +``` + +#### Validate Part 8: FPolicy Enabled + +Run the following command to validate the FPolicy scope creation: + +``` +vserver fpolicy show +``` + +``` +Ontap915::> fpolicy show +    show                             show-enabled +    show-engine                      show-passthrough-read-connection +Ontap915::> fpolicy show +  (vserver fpolicy show) +                                      Sequence +Vserver       Policy Name               Number  Status   Engine +------------- ----------------------- --------  -------- --------- +svm0          StealthAUDIT                  10  on       StealthAU +                                                         DITEngine +``` + +Relevant NetApp Documentation: To learn more about enabling a policy, please visit the NetApp +website and read the +[vserver fpolicy enable](https://docs.netapp.com/us-en/ontap-cli-9121//vserver-fpolicy-enable.html) +article. + +### Part 9: Connect FPolicy Server / Agent to Cluster Node + +Manually connecting the FPolicy server (or Agent server) to the Cluster Node is only needed if there +is an issue with connection to the Cluster Node or for troubleshooting a disconnection issue. 
+ +Use the following command to connect the `StealthAUDITEngine` that belongs to the `StealthAUDIT` +policy to all Cluster Nodes: + +``` +policy engine-connect -vserver [SVM_NAME] -policy-name StealthAUDIT -node * +``` + +Example: + +``` +policy engine-connect -vserver testserver -policy-name StealthAUDIT -node * +``` + +#### Validate Part 9: Connection to Cluster Node + +Run the following command to validate connection to the Cluster Node: + +``` +fpolicy show-engine -vserver [SVM_NAME] -policy-name StealthAUDIT -node * +``` + +``` +Ontap915::> fpolicy show-engine -vserver svm0 -policy-name StealthAUDIT -node * +  (vserver fpolicy show-engine) +                                   FPolicy           Server         Server +Vserver Policy Name   Node         Server            Status         Type +------- ------------- ------------ ----------------- -------------- ----------- +svm0    StealthAUDIT  Ontap915-01  192.168.11.35     disconnected   primary +``` + +## Automatic Configuration of FPolicy + +The Activity Monitor can automatically configure FPolicy on the targeted SVM. The FPolicy created +will monitor file system activity from all volumes and shares of the SVM. This feature can be +enabled using the **Configure FPolicy. Create or modify FPolicy objects if needed** checkbox on the +FPolicy page in the monitored host's properties in the Activity Monitor. + +Starting ONTAP 9.15.1 and later versions, it is recommended to enable the Persistent Store feature +that stores events on disk before they are sent to the Activity Monitor Agent. This reduces +client-side latency and increases resilience during network delays or bursts of activity. To enable +the Persistent Store, specify a volume name and size on the Persistent Store tab of the FPolicy page +in the monitored host properties. The volume will be automatically created if it does not already +exist. See the Persistent Store topic for additional information on the recommended volume size. 
+ +If using the TLS, mutual authentication option, you will need to create the PEM file for the Client +Certification, which is needed during the monitored host configuration in the Activity Monitor. It +will also be necessary to set mutual authentication on the SVM. + +### Set TLS Mutual-Authentication + +If using the TLS, mutual authentication options, it is necessary to set authentication. + +Use the following command to set mutual-authentication: + +``` +vserver fpolicy policy external-engine modify -vserver [SVM_NAME] -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name [COMMON_NAME] -certificate-serial [CERTIFICATE_SERIAL] -certificate-ca [CERTIFICATE_AUTHORITY] +``` + +Example: + +``` +vserver fpolicy policy external-engine modify -vserver testserver -engine-name StealthAUDITEngine -ssl-option mutual-auth -certificate-common-name testserver -certificate-serial 461AC46521B31321330EBBE4321AC51D -certificate-ca "VeriSign Universal Root Certification Authority" +``` + +#### Validate: Mutual-Authentication + +Run the following command to confirm mutual-authentication is set: + +``` +vserver fpolicy policy external-engine show -fields ssl-option +``` + +## Customization of FPolicy Object Names + +Activity Monitor uses the following FPolicy object names by default: + +- Policy name – `StealthAUDIT` +- External Engine name – `StealthAUDITEngine` +- CIFS Event name – `StealthAUDITScreeningCifs` +- NFS v3 Event name – `StealthAUDITScreeningNfsV3` +- NFS v4 Event name – `StealthAUDITScreeningNfsV4` +- Failed CIFS Event name – `StealthAUDITScreeningFailedCifs` +- Failed NFS v3 Event name – `StealthAUDITScreeningFailedNfsV3` +- Failed NFS v4 Event name – `StealthAUDITScreeningFailedNfsV4` +- Persistent Store name – `StealthAUDITPersistentStore` + +These names can be customized in the monitored host's settings in the Activity Monitor. 
It can be +useful in two scenarios: + +- You want the names to match the company policies; +- You want to configure FPolicy manually using your custom names, but also want to leverage the + "Enable and Connect FPolicy" feature of the Activity Monitor, so that the product ensures that + FPolicy stays enabled and connected at all times. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md new file mode 100644 index 0000000000..894559daad --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/ontap-cluster-activity.md 
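Review bot: the Part 5 validation output contradicts the commands it is meant to validate. Every create command in Part 5 sets `-allow-privileged-access yes -privileged-user-name [DOMAIN\DOMAINUSER]` and `-persistent-store StealthAUDITPersistentStore`, yet the sample output the reader is told to compare against shows `Allow Privileged Access: no`, `User Name for Privileged Access: -` and `Persistent Store Name: -`, and the captured command is `fpolicy policy show -instance` rather than the documented `fpolicy policy show -vserver [SVM_NAME] -policy-name StealthAUDIT -instance`; recapture the output from a policy created with the documented command so the validation step actually confirms that privileged access and the Persistent Store were applied. Smaller points in the same hunk: the Part 6 intro says to replace "the volume/share name variable [SVM_NAME]" with an asterisk, but the placeholders in those commands are `[VOLUME_NAME]` and `[SHARE_NAME]`; the Part 4 create and show commands and their sample output are the only ones in the file not wrapped in code fences; the Part 7 server-auth commands use `vserver fpolicy policy externalengine modify` while the mutual-auth and show commands in Part 7 and later use `external-engine`; the Part 8 validation lead-in says "validate the FPolicy scope creation" and its output block includes a stray tab-completion listing ahead of the real `fpolicy show` table; the Part 9 commands omit the `vserver fpolicy` prefix used everywhere else; and the Part 8 NetApp link contains a doubled slash (`ontap-cli-9121//vserver-fpolicy-enable.html`).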
@@ -0,0 +1,229 @@ +--- +title: "NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration" +description: "NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration" +sidebar_position: 90 +--- + +# NetApp Data ONTAP Cluster-Mode Activity Auditing Configuration + +The Activity Monitor agent employed to monitor NetApp leverages NetApp ONTAP API, and the NetApp +FPolicy framework to monitor file system events. This includes both NetApp 7-Mode and Cluster-Mode +configurations. For more information about FPolicy read the +[What are the two parts of the FPolicy solution ](https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-54FE1A84-6CF0-447E-9AAE-F43B61CA2138.html) +article. + +Activity Monitor requires two communication channels for ONTAP monitoring: + +1. Activity Monitor Agent connects to ONTAP on port 80 or 443 for access to ONTAP API (ONTAPI/ZAPI + or REST API). +2. Data LIFs of the SVM connect to Activity Monitor Agent on port 9999 for FPolicy notifications. + +The ONTAP API access is mandatory; without the API access the agent will not be able to receive and +translate events from FPolicy. Both classic ONTAPI/ZAPI and the new REST API are supported. The +agent uses the API to retrieve information about the storage virtual machines (SVM): CIFS settings, +list of volumes, list of LIFs. Depending on the configuration, the agent can also retrieve the state +of FPolicy to ensure it is enabled; configure FPolicy and register or unregister itself. + +The FPolicy framework enables the collection of audit events on the ONTAP side and their transfer to +the agent(s) via the designated Data LIFs. Each LIF establishes its own connection with one or +several agents and sends notifications as soon as the file transaction occurs. The FPolicy +connection is asynchronous and buffered; both ONTAP and Activity Monitor have techniques in place to +make sure that connections are alive and working. 
The connection can be secured using TLS with +server or mutual authentication. + +FPolicy may have a significant impact on file system throughput, and it is always a best practice to +monitor performance when enabling FPolicy. + +:::info +Create a tailored FPolicy which only collects the desired activity from the +environment to limit the scope and impact. +::: + + +For scale-out and fault tolerance purposes, the product supports a range of deployment options. A +single agent can receive events from multiple SVMs. Or events from a single SVM can be distributed +among multiple agents. Or a set of SVMs can distribute events among a set of agents. The choice +depends on the fault tolerance requirements and the expected event flow. As a rule of thumb, the +_average_ load on a single agent should not exceed 5000 events per second. + +Starting with ONTAP 9.15.1, the FPolicy Persistent Store provides resilience and predictable latency +during scenarios such as network delays or bursts of activity. The feature uses a dedicated volume +for each SVM as a staging buffer before events are sent to the agent. FPolicy will automatically +create a volume if one does not already exist. + +:::info +Enable the Persistent Store feature and allow it to create a volume +automatically. +::: + + +## Configuration Checklist + +Complete the following checklist prior to configuring the activity monitoring of NetApp Data ONTAP +Cluster-Mode devices. Instructions for each item of the checklist are detailed within the following +sections. + +**Checklist Item 1: Plan Deployment** + +- Gather the following information: + + - Names of the SVM(s) to be monitored + + - FPolicy is configured for each SVM separately + - This should be the SVM(s) hosting the CIFS or NFS shares(s) to be monitored + + - Credentials to access ONTAP to provision a role and account. + - Desired functionality level: + + - _Manual_. A user configures FPolicy manually and ensures it stays enabled. 
+ - _Enable and Connect FPolicy_. The product ensures that FPolicy stays enabled and connected + all the time. RECOMMENDED. + - _Configure FPolicy_. The product configures FPolicy automatically and ensures it stays + enabled and connected all the time. RECOMMENDED. + + - Volumes or shares on each SVM to be monitored + + - Limiting the FPolicy to select volumes or shares is an effective way to limit the + performance impact of FPolicy + + - Successful/failed file operations to be monitored + + - Limiting the FPolicy to specific file operations is an effective way to limit the + performance impact of FPolicy + + - IP Address of the server(s) where the Activity Monitor Agent is deployed + - API enabled in ONTAP: the classic ONTAPI/ZAPI or the new REST API + + - The product supports the REST API for ONTAP 9.13.1 and above. + - Volume names and sizes to be used as a Persistent Store for each SVM. This is recommended. + - The product supports the Persistent Store feature for ONTAP 9.15.1 and later. + - At least one local tier (aggregate) is assigned to the SVM. + + - Encryption and Authentication protocol for FPolicy connection + + - No Authentication (default) + - TLS, server authentication (the SVM authenticates the agent) + - TLS, mutual authentication (both the SVM and the agent authenticate each other) + +Persistent Store provides resilience and predictable latency in scenarios such as network delays or +bursts of activity events. + +It uses a dedicated volume for each SVM as a staging buffer before the events are sent to Activity +Monitor Agent. + +**Checklist Item 2: [Provision ONTAP Account](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md)** + +- Permission names depend on the API used, ONTAPI/ZAPI or REST API. +- The case of domain and username created during the account provisioning process must match exactly + to the credentials provided to the activity agent for authentication to work. 
+- The credential associated with the FPolicy used to monitor activity must be provisioned with + access to (at minimum) the following CLI or API commands, according to the level of collection + desired: + + - Manual, Collect Activity Events Only (Least Privilege) + + - ONTAPI/ZAPI + + - `version` – Readonly access + - `volume` – Readonly access + - `vserver` – Readonly access + + - REST API + + - `/api/cluster` – Readonly access + - `/api/protocols/cifs/services` – Readonly access + - `/api/storage/volumes` – Readonly access + - `/api/svm/svms` – Readonly access + + - Employ the “Enable and connect FPolicy” Option (Less Privilege) – RECOMMENDED + + - ONTAPI/ZAPI + + - `version` – Readonly access + - `volume` – Readonly access + - `vserver` – Readonly access + - `network interface` – Readonly access + - `vserver fpolicy disable` – All access + - `vserver fpolicy enable` – All access + - `vserver fpolicy engine-connect` – All access + + - REST API + + - `/api/cluster` – Readonly access + - `/api/protocols/cifs/services` – Readonly access + - `/api/storage/volumes` – Readonly access + - `/api/svm/svms` – Readonly access + - `/api/network/ip/interfaces` – Readonly access + - `/api/protocols/fpolicy` – All access + + - Employ the “Configure FPolicy” Option (Automatic Configuration of FPolicy) – RECOMMENDED + + - ONTAPI/ZAPI + + - `version` – Readonly access + - `volume` – Readonly access + - `vserver` – Readonly access + - `network interface` – Readonly access + - `vserver fpolicy` – All access + - `security certificate install` – All access (only if FPolicy uses a TLS connection) + + - REST API + + - `/api/cluster` – Readonly access + - `/api/protocols/cifs/services` – Readonly access + - `/api/storage/volumes` – Readonly access + - `/api/svm/svms` – Readonly access + - `/api/network/ip/interfaces` – Readonly access + - `/api/protocols/fpolicy` – All access + - `/api/security/certificates` – All access (only if FPolicy uses a TLS connection) + + - Access Analyzer 
Integration requires the addition of the following CLI command: + + - `security login role show-ontapi` – Readonly access + +**Checklist Item 3: [Configure Network](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefirewall.md)** + +- Agent must be able to connect to ONTAP API via a management LIF on ports HTTP (80) or HTTPS (443) + + - NetApp firewall policy may need to be modified. + - LIF's service policy may need to be modified to include `management-https` or + `management-http` services. + - Either of these ports is required. Activity Monitor requires ONTAP API access. + +- ONTAP cluster nodes, which serve the SVM, must be able to connect to the agent on port 9999. + + - LIFs' service policy may need to be modified to include `data-fpolicy-client` service. + - Each data serving node should have its own LIF with the `data-fpolicy-client` service. + - The default port 9999 can be changed in the agent's settings. + +**Checklist Item 4: [Configure FPolicy](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md)** + +- Remember: all FPolicy objects and SVM names are case sensitive. +- FPolicy must be configured for each SVM to be monitored. +- If using TLS, … authentication options, generate needed certificates and PEM files +- Select method: + + - Configure FPolicy Manually – If you want to exclude certain volumes or shares; a tailored + FPolicy decreases the impact on NetApp. + + - Required when the FPolicy account is provisioned for either Least Privileged or Less + Privilege permission model + - If using TLS, … authentication options, set authentication + + - Allow the Activity Monitor to create an FPolicy automatically + + - If using TLS, … authentication options, set authentication + - This option is enabled using the **Configure FPolicy. Create or modify FPolicy objects if + needed** checkbox for each monitored SVM. 
+ - It monitors file system activity on all volumes and shares of the SVM. + - FPolicy configuration is automatically updated to reflect the Activity Monitor + configuration. + - Requires a Privileged Access credential be provided. + +- Enable the Persistent Store to increase the resilience and control the latency in case of network + outages or bursts of activity + +**Checklist Item 5: Activity Monitor Configuration** + +- Deploy the Activity Monitor Agent to a Windows server. +- Configure the Agent to monitor the SVM. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md new file mode 100644 index 0000000000..8689a54726 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/provisionactivity.md 
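Review bot: Checklist Item 1 files the Persistent Store prerequisites under the wrong parent. The items `Volume names and sizes to be used as a Persistent Store for each SVM` and `At least one local tier (aggregate) is assigned to the SVM` are indented as sub-items of `API enabled in ONTAP`, so they render as conditions of the API choice rather than as a planning item of their own; promote them to a top-level bullet, and consider folding the two free-standing Persistent Store paragraphs after the list into the intro paragraph above, which already says the same thing. Also in Checklist Item 4, three bullets read "If using TLS, … authentication options" with a literal ellipsis, which looks like unfinished text and should name the options it refers to; the same item mixes "Least Privileged" and "Less Privilege" for models that the linked provisioning page calls "Least Privileged" and "Less Privileged"; and "Checklist Item 1: Plan Deployment" is the only checklist heading without a link to a detail page.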
@@ -0,0 +1,397 @@ +--- +title: "Provision ONTAP Account" +description: "Provision ONTAP Account" +sidebar_position: 10 +--- + +# Provision ONTAP Account + +This topic describes the steps needed to create a user account with the privileges required to +connect the Activity Monitor Agent to ONTAP API and to execute the API calls required for activity +monitoring and configuration. + +Provisioning this account is a two part process: + +- Part 1: Create Security Role +- Part 2: Create Security Login + +## Part 1: Create Security Role + +This section provides instructions for creating an access-control role. An access-control role +consists of a role name and a set of commands or API endpoints to which the role has access. It also +includes an access level (none, read-only, or all) and a query that applies to the specified command +or API endpoint. + +The permissions needed depends on the functionality level: + +- Least Privileged: ONLY Collect Events – This is the minimal functionality level. A user manually + configures FPolicy and ensures that it stays enabled and connected. The product only collects + events. This functionality level is not recommended as it requires an additional solution that + tracks the state of FPolicy and fixes the problem should ONTAP disconnect or should the policy + become disabled. +- **_RECOMMENDED:_** Less Privileged: Enable/Connect Policy & Collect Events – With this level, the + user still performs the initial FPolicy configuration manually. The product tracks the state of + FPolicy with periodic checks to ensure it stays enabled and connected all the time. +- **_RECOMMENDED:_** Automatically Configure the FPolicy – With this full-blown level, no manual + configuration is needed. The product performs the initial FPolicy configuration; updates FPolicy + to reflect configuration changes; ensures that FPolicy stays enabled and connected all the time. 
+ +No matter which set of permissions you provision, validate the configuration before continuing to +Part 2. See the Validate Part 1: Security Role Configuration topic for additional information. + +If the FPolicy is to be used for both the Activity Monitor and Access Analyzer, the account also +needs to be provisioned with an additional permission. See the Access Analyzer Integration topic for +additional information. + +The commands to create a role and names of permissions depend on the ONTAP API used. The product +supports both the classic ONTAPI/ZAPI and the new REST API. For ONTAPI/ZAPI you need to use +`security login role create` command to create a RBAC access control role. The required commands are +listed in the `cmddirname` parameter. For REST API, use `security login rest-role create` command to +create a REST access control role. The required API endpoint is specified in the `api` parameter. +The following sections provide instructions for both API modes. + +### Least Privileged: ONLY Collect Events + +If the desire is for a least privileged model, the Activity Monitor requires the following +permissions to collect events. 
+ +#### ONTAPI/ZAPI + +- `version` – Readonly access +- `volume` – Readonly access +- `vserver` – Readonly access + +Use the following commands to provision read-only access to all required commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "version" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "volume" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver" -access readonly -query "" -vserver [SVM_NAME]     +``` + +Example: + +``` +security login role create -role enterpriseauditor -cmddirname "version" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditor -cmddirname "volume" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditor -cmddirname "vserver" -access readonly -query "" -vserver testserver +``` + +#### REST API + +- `/api/cluster` – Readonly access +- `/api/protocols/cifs/services` – Readonly access +- `/api/storage/volumes` – Readonly access +- `/api/svm/svms` – Readonly access + +Use the following commands to provision read-only access to all required API endpoints: + +``` +security login rest-role create -role [ROLE_NAME] -api "/api/cluster" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/cifs/services" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/storage/volumes" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/svm/svms" -access readonly -vserver [SVM_NAME] +``` + +Example: + +``` +security login rest-role create -role enterpriseauditorrest -api "/api/cluster" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/cifs/services" -access readonly -vserver testserver +security login rest-role create 
-role enterpriseauditorrest -api "/api/storage/volumes" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" -access readonly -vserver testserver +``` + +:::note +If the FPolicy account is configured with these permissions, it is necessary to manually +configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md) topic for additional +information. +::: + + +### Less Privileged: Enable/Connect FPolicy & Collect Events + +If the desire is for a less privileged model, the Activity Monitor requires the following +permissions to collect events: + +#### ONTAPI/ZAPI + +- `version` – Readonly access +- `volume` – Readonly access +- `vserver` – Readonly access + + `network interface` – Readonly access + +- `vserver fpolicy disable` – All access +- `vserver fpolicy enable` – All access + + :::tip + Remember, this permission permits the Activity Monitor to enable the FPolicy. If the “Enable + and connect FPolicy” option is employed but the permission is not provided, the agent will + encounter “Failed to enable policy” errors, but it will still be able to connect to the FPolicy. + Since this permission model requires a manual configuration of the FPolicy, then the need to + manually enable the FPolicy will be met. 
+ ::: + + +- `vserver fpolicy engine-connect` – All access + +Use the following command to provision access to all required commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "version" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "volume" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "network interface" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy disable" -access all -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy enable" -access all -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy engine-connect" -access all -query "" -vserver [SVM_NAME] +``` + +Example: + +``` +security login role create -role enterpriseauditorrest -cmddirname "version" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "volume" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "network interface" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy disable" -access all -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy enable" -access all -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy engine-connect" -access all -query "" -vserver testserver +``` + +#### REST API + +- `/api/cluster` – Readonly 
access +- `/api/protocols/cifs/services` – Readonly access +- `/api/storage/volumes` – Readonly access +- `/api/svm/svms` – Readonly access +- `/api/network/ip/interfaces` – Readonly access +- `/api/protocols/fpolicy` – All access + +Use the following commands to provision read-only access to all required API endpoints: + +``` +security login rest-role create -role [ROLE_NAME] -api "/api/cluster" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/cifs/services" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/storage/volumes" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/svm/svms" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/network/ip/interfaces" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/fpolicy" -access all -vserver [SVM_NAME] +``` + +Example: + +``` +security login rest-role create -role enterpriseauditorrest -api "/api/cluster" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/cifs/services" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/storage/volumes" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/network/ip/interfaces" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/fpolicy" -access all -vserver testserver +``` + +:::note +If the FPolicy account is configured with these permissions, it is necessary to manually +configure the FPolicy. 
See the [Configure FPolicy](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md) topic for additional +information. +::: + + +### Automatically Configure the FPolicy + +If the desire is for the Activity Monitor to automatically configure the FPolicy, the security role +requires the following permissions: + +#### ONTAPI/ZAPI + +- `version` – Readonly access +- `volume` – Readonly access +- `vserver` – Readonly access + + `network interface` – Readonly access + +- `vserver fpolicy` – All access +- `security certificate install` – All access + + :::tip + Remember, this permission is only needed for FPolicy TLS connections. + ::: + + +Use the following command to provision access to all required commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "version" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "volume" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "network interface" -access readonly -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "vserver fpolicy" -access all -query "" -vserver [SVM_NAME] +security login role create -role [ROLE_NAME] -cmddirname "security certificate install" -access all -query "" -vserver [SVM_NAME] +``` + +Example: + +``` +security login role create -role enterpriseauditorrest -cmddirname "version" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "volume" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver" -access readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "network interface" -access 
readonly -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "vserver fpolicy" -access all -query "" -vserver testserver +security login role create -role enterpriseauditorrest -cmddirname "security certificate install" -access all -query "" -vserver testserver +``` + +#### REST API + +- `/api/cluster` – Readonly access +- `/api/protocols/cifs/services` – Readonly access +- `/api/storage/volumes` – Readonly access +- `/api/svm/svms` – Readonly access +- `/api/network/ip/interfaces` – Readonly access +- `/api/protocols/fpolicy` – All access +- `/api/security/certificates` – All access + + Remember, this permission is only needed for FPolicy TLS connections. + +Use the following commands to provision access to all required API endpoints: + +``` +security login rest-role create -role [ROLE_NAME] -api "/api/cluster" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/cifs/services" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/storage/volumes" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/svm/svms" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/network/ip/interfaces" -access readonly -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/protocols/fpolicy" -access all -vserver [SVM_NAME] +security login rest-role create -role [ROLE_NAME] -api "/api/security/certificates" -access all -vserver [SVM_NAME] +``` + +Example: + +``` +security login rest-role create -role enterpriseauditorrest -api "/api/cluster" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/cifs/services" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/storage/volumes" -access readonly -vserver 
testserver +security login rest-role create -role enterpriseauditorrest -api "/api/svm/svms" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/network/ip/interfaces" -access readonly -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/protocols/fpolicy" -access all -vserver testserver +security login rest-role create -role enterpriseauditorrest -api "/api/security/certificates" -access all -vserver testserver +``` + +:::note +If the FPolicy account is configured with these permissions, the Activity Monitor can +automatically configure the FPolicy. See the [Configure FPolicy](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap-cluster-aac/configurefpolicy.md) topic for +additional information. +::: + + +### Access Analyzer Integration + +If the desire is for FPolicy to be used with both the Activity Monitor and Access Analyzer, then the +following permission is also required: + +- `security login role show-ontapi` – Readonly access + +Use the following command to provision read-only access to security login role show-ontapi commands: + +``` +security login role create -role [ROLE_NAME] -cmddirname "security login role show-ontapi" -access readonly -query "" -vserver [SVM_NAME] +``` + +Example: + +``` +security login role create -role enterpriseauditor -cmddirname "security login role show-ontapi" -access readonly -query "" -vserver testserver +``` + +### Validate Part 1: Security Role Configuration + +For ONTAPI, run the following command to validate the RBAC security role configuration: + +``` +security login role show [ROLE_NAME] +``` + +Example: + +``` +security login role show enterpriseauditor +``` + +Relevant NetApp Documentation: For more information about creating RBAC access control roles, read +the +[security login role create](https://docs.netapp.com/us-en/ontap-cli-9141//security-login-role-create.html) +article. 
+ +For REST API, run the following command to validate the REST security role configuration: + +``` +security login rest-role show [ROLE_NAME] +``` + +Example: + +``` +security login rest-role show enterpriseauditorrest +``` + +For more information about creating REST access control roles, read the +[security login rest-role create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-rest-role-create.html) +article. + +## Part 2: Create Security Login + +Once the access control role has been created, apply it to a domain account. Ensure the following +requirements are met: + +- The SVM used in the following command must be the same SVM used when creating the access control + role in Part 1. +- All parameters are case sensitive. +- It is recommended to use lowercase for both domain and username. The case of domain and username + created during the account provisioning process must match exactly to the credentials provided to + the Activity Monitor activity agent for authentication to work. +- In the `application` parameter, use `ontapi` for the ONTAPI/ZAPI and `http` for the REST API. + +Use the following command to create the security login for the security role created in Part 1: + +#### ONTAPI/ZAPI +``` +security login create -user-or-group-name [DOMAIN\DOMAINUSER] -application ontapi -authentication-method [DOMAIN_OR_PASSWORD_AUTH] -role [ROLE_NAME] -vserver [SVM_NAME] +``` + +Example: +``` +security login create -user-or-group-name example\user1 -application ontapi -authentication-method domain -role enterpriseauditor -vserver testserver +``` + +#### REST API +``` +security login create -user-or-group-name [DOMAIN\DOMAINUSER] -application http -authentication-method [DOMAIN_OR_PASSWORD_AUTH] -role [ROLE_NAME] -vserver [SVM_NAME] +``` +Example: +``` +security login create -user-or-group-name example\user1 -application http -authentication-method domain -role enterpriseauditor -vserver testserver +``` + +Validate this security login was created. 
+ +### Validate Part 2: Security Login Creation + +Run the following command to validate security login: + +``` +security login show [DOMAIN\DOMAINUSER] +``` + +Example: + +``` +security login show example\user1 +``` + +Verify that the output is displayed as follows: + +![validatesecuritylogincreation](/images/activitymonitor/9.0/config/netappcmode/validatesecuritylogincreation.webp) + +For more information about creating security logins, read the +[security login create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-create.html) +article. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json new file mode 100644 index 0000000000..2ccca62bc8 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "NetApp Data ONTAP 7-Mode Activity Auditing Configuration", + "position": 80, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "ontap7-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md new file mode 100644 index 0000000000..64cf6f42c9 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md 
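Review bot: the role names in the worked examples of this topic do not line up, so a reader who pastes them in sequence ends up referencing a role that was never created. The ONTAPI/ZAPI `security login role create` examples in the "Less Privileged" and "Automatically Configure the FPolicy" sections use `-role enterpriseauditorrest`, while the Access Analyzer example, `security login role show enterpriseauditor` and the `-application ontapi` login example in Part 2 all use `enterpriseauditor`; conversely, the `-application http` login example in Part 2 assigns `-role enterpriseauditor` although every REST role in this topic is created and validated as `enterpriseauditorrest`. Use `enterpriseauditor` in the CLI role examples and `enterpriseauditorrest` in the REST login example. Three smaller points in the same hunk: the "Less Privileged" REST lead-in says "provision read-only access to all required API endpoints" but the list and the commands grant `/api/protocols/fpolicy` with `-access all`, so drop "read-only"; in both ONTAPI/ZAPI permission lists the `network interface` entry is missing its leading `- ` and renders as a paragraph rather than a list item; and the TLS reminder under `/api/security/certificates` is plain indented text where the ONTAPI section wraps the same sentence in a `:::tip` admonition.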
@@ -0,0 +1,177 @@ +--- +title: "Configure FPolicy" +description: "Configure FPolicy" +sidebar_position: 30 +--- + +# Configure FPolicy + +Select a method to configure the FPolicy for NetApp Data ONTAP 7-Mode devices: + +:::info +Manually Configure FPolicy (Recommended Option) – A tailored FPolicy +::: + + +- If using vFilers the FPolicy must be created on the vFiler, and the Activity Monitor must target + the vFiler. This is because FPolicy operates on the affected vFiler. Therefore, when executing + these commands on a vFiler, the commands must be run from a vFiler context (e.g. via the vFiler + run command). +- Allow the Activity Monitor to create an FPolicy automatically. See the Automatic Configuration of + FPolicy topic for additional information. + + - This option is enabled when the Activity Monitor Activity Agent is configured to monitor the + NetApp device on the NetApp FPolicy Configuration page of the Add New Hosts window. + - It monitors all file system activity. + +## Manually Configure FPolicy (Recommended Option) + +This section describes how to manually configure FPolicy. Manual configuration of the FPolicy is +recommended so that the policy can be scoped. It is necessary to create six FPolicy components and +then enable the FPolicy. See the sections corresponding to each part of this list: + +- Part 1: Create FPolicy +- Part 2: Set FPolicy Required to Off +- Part 3: Set FPolicy to Collect Permission Changes +- Part 4: Set FPolicy to Monitor Alternate Data Streams +- Part 5: Set FPolicy to Monitor Disconnected Sessions +- Part 6: Scope FPolicy for Specific Volumes +- Part 7: Enable FPolicy + +If using vFilers the FPolicy must be created on the vFiler, and the Activity Monitor must target the +vFiler. This is because FPolicy operates on the affected vFiler. Therefore, when executing these +commands on a vFiler, the commands must be run from a vFiler context (e.g. via the vFiler run +command). 
+ +Relevant NetApp Documentation: To learn more about configuring file policies, please visit the +NetApp website and read +[na_fpolicy – configure file policies](https://library.netapp.com/ecmdocs/ECMP1196890/html/man1/na_fpolicy.1.html) +article. + +### Part 1: Create FPolicy + +Create the FPolicy on the vFiler. + +IMPORTANT: + +- The policy should be named "StealthAUDIT" +- The only supported policy type is "screen" for file screening. + +Use the following command to create the FPolicy: + +``` +fpolicy create StealthAUDIT screen +``` + +### Part 2: Set FPolicy Required to Off + +If the `FPolicy Required` value is set to on, user requests are denied if an FPolicy server is not +available to implement the policy. If it is set to off, user requests are allowed when it is not +possible to apply the policy to the file because no FPolicy server is available. + +IMPORTANT: + +- The `FPolicy Required` value should be set to **off** + +Use the following command to set the `FPolicy Required` value to off: + +``` +fpolicy options StealthAUDIT required off +``` + +### Part 3: Set FPolicy to Collect Permission Changes + +The cifs_setattr value must be set to on in order for CIFS requests to change file security +descriptors to be screened by the policy. + +IMPORTANT: + +- The `cifs_setattr` value must be set to **on** + +Use the following command to enable the FPolicy to collect permission changes: + +``` +fpolicy options StealthAUDIT cifs_setattr on +``` + +### Part 4: Set FPolicy to Monitor Alternate Data Streams + +The monitor_ads value must be set to on in order for CIFS requests for alternate data streams (ADS) +to be monitored by the policy. 
+ +IMPORTANT: + +- The `monitor_ads` value must be set to **on** + +Use the following command to enable the FPolicy to monitor ADS: + +``` +fpolicy options StealthAUDIT monitor_ads on +``` + +### Part 5: Set FPolicy to Monitor Disconnected Sessions + +The cifs_disconnect_check value must be set to on in order for CIFS requests associated with +disconnected sessions to be monitored by the policy. + +IMPORTANT: + +- The `cifs_disconnect_check` value must be set to **on** + +Use the following command to enable the FPolicy to monitor disconnected sessions: + +``` +fpolicy options StealthAUDIT cifs_disconnect_check on +``` + +### Part 6: Scope FPolicy for Specific Volumes + +The FPolicy can be scoped either to monitor only specified volumes (inclusion) or to not monitor +specific volumes (exclusion). + +IMPORTANT: + +- Choose to scope by including or excluding volumes + +Use the following command to scope the FPolicy by volume: + +``` +fpolicy -volume [INCLUDE OR EXCLUSION] -add StealthAUDIT [VOLUME_NAME],[VOLUME_NAME] +``` + +Inclusion Example: + +``` +fpolicy -volume include -add StealthAUDIT samplevolume1,samplevolume2 +``` + +Exclusion Example: + +``` +fpolicy -volume exclusion -add StealthAUDIT samplevolume1,samplevolume2 +``` + +### Part 7: Enable FPolicy + +The FPolicy must be enabled before the Activity Monitor Activity Agent can be configured to monitor +the NetApp device. + +IMPORTANT: + +- The Activity Monitor must register with the NetApp device as an FPolicy server. By default, it + looks for a policy named `StealthAUDIT`. See the + [Customize FPolicy Policy Name](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md) section for information on using a different + policy name. 
+ +Use the following command to enable the FPolicy to monitor disconnected sessions: + +``` +fpolicy enable StealthAUDIT +``` + +## Automatic Configuration of FPolicy + +The Activity Monitor can automatically configure FPolicy on the targeted NetApp Data ONTAP 7-Mode +device. The FPolicy created monitors all file system activity. This is done when the NetApp device +is assigned to the agent for monitoring. This option is enabled on the NetApp FPolicy Configuration +page of the Add New Host window. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md new file mode 100644 index 0000000000..52ede5e022 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/customizefpolicy.md @@ -0,0 +1,10 @@ +--- +title: "Customize FPolicy Policy Name" +description: "Customize FPolicy Policy Name" +sidebar_position: 40 +--- + +# Customize FPolicy Policy Name + +There may be situations when FPolicy needs to be named something other than StealthAUDIT. +Use **Host properties > FPolicy > Customize FPolicy** page to change the FPolicy object names. \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md new file mode 100644 index 0000000000..2cdbc8a4ce --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md 
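Review bot: the Part 7 lead-in "Use the following command to enable the FPolicy to monitor disconnected sessions:" is a copy of the Part 5 sentence and does not describe `fpolicy enable StealthAUDIT`; it should read "Use the following command to enable the FPolicy:". Elsewhere in this file: the introduction says "It is necessary to create six FPolicy components and then enable the FPolicy" but the list that follows has seven parts, with Part 7 being the enable step, so state the count consistently; in Part 6 the placeholder reads `[INCLUDE OR EXCLUSION]` and the exclusion example uses `-volume exclusion` while the inclusion example uses `-volume include`, so the two keywords are in different forms and should be checked against the linked na_fpolicy man page before publishing; and the "Select a method" list at the top places the recommended manual option inside a `:::info` admonition while the automatic option is a bullet, with the vFiler caveat as a bullet between them, which makes the two methods hard to pick out (the ontap7-activity checklist repeats the same layout).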
@@ -0,0 +1,35 @@ +--- +title: "Enable HTTP or HTTPS" +description: "Enable HTTP or HTTPS" +sidebar_position: 20 +--- + +# Enable HTTP or HTTPS + +The Activity Monitor Activity Agent must be able to send ONTAPI calls to the vFiler’s data LIF over +HTTP or HTTPS. The following commands will enable the HTTP or HTTPS communication between the vFiler +and the Activity Monitor. + +Use the following command to enable HTTP: + +``` +options httpd.admin.enable on +``` + +Check HTTP Status: + +``` +options httpd.admin.enable +``` + +Use the following command to enable HTTPS: + +``` +options httpd.admin.ssl.enable on +``` + +Check HTTP Status: + +``` +options httpd.admin.ssl.enable +``` diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md new file mode 100644 index 0000000000..e6d8b4881f --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/ontap7-activity.md 
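Review bot: the second "Check HTTP Status:" heading in this file sits above `options httpd.admin.ssl.enable` and should read "Check HTTPS Status:". Since the ONTAPI session authenticates with the FPolicy account provisioned in the companion topic, it is also worth stating that HTTPS (`options httpd.admin.ssl.enable on`) is the preferred transport and that plain HTTP should be limited to an isolated management network, rather than presenting the two as equivalent choices.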
@@ -0,0 +1,108 @@ +--- +title: "NetApp Data ONTAP 7-Mode Activity Auditing Configuration" +description: "NetApp Data ONTAP 7-Mode Activity Auditing Configuration" +sidebar_position: 80 +--- + +# NetApp Data ONTAP 7-Mode Activity Auditing Configuration + +The Activity Monitor agent employed to monitor NetApp leverages 128-bit encrypted Remote Procedure +Calls (RPC), NetApp ONTAP-API, and NetApp FPolicy to monitor file system events. This includes both +NetApp 7-Mode and Cluster-Mode configurations. To learn more about FPolicy please visit the NetApp +website and read the +[What FPolicy is](https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-54FE1A84-6CF0-447E-9AAE-F43B61CA2138.html) +article. + +If the activity agent is stopped, a notification will be sent to the NetApp device to disconnect and +disable the associated FPolicy policy, but it will not be removed. + +If the network connection is lost between the activity agent and the NetApp device, the NetApp +device is configured with a default timeout to wait for a response. If a response is not received +from the Activity Agent within the timeout, then the NetApp device will disconnect and disable the +FPolicy policy. The Activity Agent will check every minute by default to see if the FPolicy policy +has been disabled and will enable it (if the auto-enable functionality is enabled for the agent). +The default setting to check every minute is configurable. + +The NetApp FPolicy uses a “push” mechanism such that notification will only be sent to the activity +agent when a transaction occurs. Daily activity log files are created only if activity is performed. +No activity log file will be created if there is no activity for the day. + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of NetApp Data ONTAP +7-Mode devices. Instructions for each item of the checklist are detailed within the following +topics. 
+ +**Checklist Item 1: Plan Deployment** + +- Gather the following information: + - Names of the vFiler™(s) to be monitored + - DNS name of the CIFS shares(s) to be monitored + +**Checklist Item 2: [Provision FPolicy Account](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md)** + +- Group membership with a role granting access to the following commands: + + ``` + login-http-admin + api-system-api-list + api-system-get-version + api-cifs-share-list-iter-* + api-volume-list-info-iter-* + ``` + +- For Automatic FPolicy creation (Checklist Item 4), group membership with a role granting access to + the following command: + + ``` + api-fpolicy* + ``` + +- To use the “Enable and connect FPolicy” option within the Activity Monitor, group membership with + a role granting access to the following command: + + ``` + cli-fpolicy* + ``` + +- Group membership in: + + - ONTAP Power Users + - ONTAP Backup Operators + +**Checklist Item 3: Firewall Configuration** + +- HTTP (80) or HTTPS (443) +- HTTP or HTTPS protocols need to be enabled on the NetApp filer +- TCP 135 +- TCP 445 +- Dynamic port range: TCP/UDP 137-139 +- See the [Enable HTTP or HTTPS](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/enablehttp.md) topic for instructions. + +**Checklist Item 4: [Configure FPolicy](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/configurefpolicy.md)** + +- If using vFilers: + + - FPolicy operates on the vFiler so the FPolicy must be created on the vFiler + + :::note + Activity Monitor must target the vFiler + ::: + + +- Select method: + + :::info + Configure FPolicy Manually – A tailored FPolicy + ::: + + + - Allow the Activity Monitor to create an FPolicy automatically + - This option is enabled when the Activity Monitor agent is configured to monitor the NetApp + device on the NetApp FPolicy Configuration page of the Add New Hosts window. 
+ - It monitors all file system activity. + +**Checklist Item 5: Activity Monitor Configuration** + +- Deploy the Activity Monitor Activity Agent to a Windows proxy server +- Configure the Activity Agent to monitor the NetApp device diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md new file mode 100644 index 0000000000..f334e6dce4 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/ontap7-aac/provisionactivity.md 
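Review bot: under Checklist Item 3 the entry "Dynamic port range: TCP/UDP 137-139" is mislabelled: 137-139 are the fixed NetBIOS ports, not a dynamic range; either relabel the line as "NetBIOS: TCP/UDP 137-139" or, if an RPC dynamic port range is actually required alongside TCP 135, list that range as a separate item with its own bounds. Also in this file: the "Select method" bullet under Checklist Item 4 presents the manual option as a `:::info` admonition and the automatic option as a nested bullet, so the list reads as one method with a note instead of two alternatives, and the manual option is called "Configure FPolicy Manually" here but "Manually Configure FPolicy (Recommended Option)" in the configurefpolicy topic; use one name and one list shape in both places.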
@@ -0,0 +1,105 @@ +--- +title: "Provision FPolicy Account" +description: "Provision FPolicy Account" +sidebar_position: 10 +--- + +# Provision FPolicy Account + +This topic describes the steps needed to create a user account with the privileges required to +connect the Activity Monitor Activity Agent to the FPolicy engine and to execute the NetApp API +calls required for activity monitoring and configuration. + +Provisioning this account is a three part process: + +- Part 1: Create Role with API/CLI Access +- Part 2: Create a Group & Assign Role +- Part 3: Add User to Group + +Relevant NetApp Documentation: To learn more about node access controls, please visit the NetApp +website and read the +[na_useradmin – Administers node access controls](https://library.netapp.com/ecmdocs/ECMP1511537/html/man1/na_useradmin.1.html) +article. + +## Part 1: Create Role with API/CLI Access + +This section provides instructions for creating a role with access to the following commands: + +``` +login-http-admin +api-system-api-list +api-system-get-version +api-cifs-share-list-iter-* +api-volume-list-info-iter-* +api-fpolicy* +cli-fpolicy* +``` + +:::note +The `api-fpolicy*` command is required for automatic configuration of FPolicy. The +`cli-fpolicy*` command is required to use the “Enable and connect FPolicy” option for a Monitored +Host configuration. +::: + + +The following command needs to be run to create the role. 
+ +Run the following command when provisioning an account for manual configuration of FPolicy; it +includes the "Enable and connect FPolicy" option requirement: + +``` +useradmin role -add [ROLE_NAME] -c "[ROLE_DESCRIPTION]" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,cli-fpolicy* +``` + +Example: + +``` +useradmin role -add activitymonitor -c "Role for Activity Monitor" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,cli-fpolicy* +``` + +Run the following command when provisioning an account for automatic configuration of FPolicy; it +includes the "Enable and connect FPolicy" option requirement: + +``` +useradmin role -add [ROLE_NAME] -c "[ROLE_DESCRIPTION]" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,api-fpolicy*,cli-fpolicy* +``` + +Example: + +``` +useradmin role -add activitymonitor -c "Role for Activity Monitor" -a login-http-admin,api-system-api-list,api-system-get-version,api-cifs-share-list-iter-*,api-volume-list-info-iter-*,api-fpolicy*,cli-fpolicy* +``` + +After the role is created, complete Part 2: Create a Group & Assign Role. + +## Part 2: Create a Group & Assign Role + +Once the role has been created, it must be attached to a group. The following command needs to be +run to create a group and assign the role to it. + +``` +useradmin group -add [GROUP_NAME] -r [ROLE_NAME] +``` + +Example: + +``` +useradmin group -add nwxgroup -r enterpriseauditor +``` + +After the group is created and the role is assigned, complete Part 3: Add User to Group. + +## Part 3: Add User to Group + +The final step is to add the domain user to the new group, Backup Operators group, and Power Users +group. The following command needs to be run to add the user to all three groups. 
+ +``` +useradmin domainuser -add [DOMAIN\USER] -g [GROUP_NAME, WITHIN " MARKS IF MULTIPLE WORDS],"Backup Operators","Power Users" +``` + +Example: + +``` +useradmin domainuser -add example\user1 -g nwxgroup,"Backup Operators","Power Users" +``` diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/panzura-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/panzura-activity.md new file mode 100644 index 0000000000..21593ed15b --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/panzura-activity.md 
@@ -0,0 +1,123 @@ +--- +title: "Panzura CloudFS Monitoring" +description: "Panzura CloudFS Monitoring" +sidebar_position: 110 +--- + +# Panzura CloudFS Monitoring + +Netwrix Activity Monitor can be configured to monitor file system activity on Panzura CloudFS +file-based storage. + +The monitoring process is based on two technologies: + +- Third Party Vendor Support auditing feature – Delivers audit events to Activity Monitor Agents +- CloudFS API – Used to register Activity Monitor as a consumer of audit events to query and update + auditing settings + +Auditing must be enabled on the master Panzura node and optionally overridden on the subordinate +nodes to support different deployment scenarios depending on the expected load and network latency. +A single agent monitors several Panzura nodes. + +![panzurasingleagntmonitor](/images/activitymonitor/9.0/config/panzura/panzurasingleagntmonitor.webp) + +Audit events are distributed between two agents. Audit settings are overridden on one Panzura node. + +![auditeventstwoagnt_panzura](/images/activitymonitor/9.0/config/panzura/auditeventstwoagnt_panzura.webp) + +The monitoring process relies on the Third Party Vendor Support auditing feature of the Panzura +CloudFS platform, which uses the AMQP protocol for event delivery. Unlike typical uses of the AMQP +protocol that require messaging middleware, the Panzura master and subordinate nodes connect +directly to the Netwrix Activity Monitor Agent, eliminating the need for middleware. + +Netwrix Activity Monitor uses Panzura API to register itself as a consumer of auditing events. It +also uses the API to perform periodic checks to ensure the auditing settings in Panzura are correct. +The credentials to access the API must be specified when a Panzura host is added to Activity Monitor +for monitoring. Additionally, the IP address of the port is 4497 by default and can be customized in +the properties for the Agent. 
+ +:::note +See the [Panzura](/docs/activitymonitor/9.0/admin/monitoredhosts/add/panzura.md) topic for +additional information on Panzura Host. +::: + + +To prepare Panzura CloudFS for monitoring, auditing must be enabled. + +## Enable Auditing in CloudFS + +Auditing in CloudFS can be enabled either automatically or manually. + +:::info +Using the automatic option using the CloudFS API streamlines the configuration +process and ensures that auditing remains enabled and accurate. +::: + + +## Automatic Configuration + +Netwrix Activity Monitor uses the CloudFS API to configure Third Party Vendor Support auditing +option. + +If a master node is targeted, the product will configure the global audit settings and assign to be +pushed to subordinate nodes. If a subordinate node is targeted, the product will configure the local +audit settings to override the global ones. + +The product will also ensure the settings are correct with periodic checks. + +## Manual Configuration + +Follow these steps to enable auditing. + +**Step 1 –** Navigate to **Audit Settings** > **Third Party Support**. + +**Step 2 –** Enable the **Generate Third Party Logs** option. + +**Step 3 –** Enable the **Push to Subordinate(s)** option. + +**Step 4 –** Enter **other** as the Vendor Name. + +**Step 5 –** Under Actions, specify close, create, delete, delxattr, mkdir, move, open, read, +remove, rename, rlclaim, rmdir, setxattr, and writeUnder . + +If you require monitoring of Directory Read/List operations, which typically generate a high volume +of data, also include readdir to the list. + +**Step 6 –** Specify \* in Include Files. + +**Step 7 –** Specify - in Exclude Files. + +**Step 8 –** Finally, add the Panzura host to be monitored in the Activity Monitor Console. + +Auditing is now enabled. + +## Network Configuration + +Activity Monitor agents register themselves as consumers of audit data via the CloudFS API. The +agents pass their IP address and port along with other AMQP parameters. 
Panzura nodes use this +information to establish connections with the Activity Monitor agents. + +:::note +The address and port used for registration can be found or modified in the agent’s +settings. +::: + + +Follow the steps for network configuration. + +**Step 1 –** Open Activity Monitor Console. + +**Step 2 –** On the Agents tab, select an agent and click **Edit**. + +**Step 3 –** Use the Network tab to select the network interface that will be used for registration. + +**Step 4 –** Use the Panzura tab to modify the port. The default port is 4497. + +The agent will configure the Windows Firewall to allow incoming connections to the specified port +automatically. Use the following table to configure the firewall. + +| Communication Direction | Protocol | Ports | Description | +| --------------------------------------------------- | --------- | ----- | ------------------- | +| Activity Monitor Console to Activity Monitor Agents | TCP | 4498 | Agent communication | +| Activity Monitor Agent to Panzura nodes | TCP/HTTPS | 443 | CloudFS API | +| Panzura nodes to Activity Monitor Agent | TCP/AMQP | 4497 | Audit events | diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json new file mode 100644 index 0000000000..e8053ec6a3 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Dell PowerStore Activity Auditing Configuration", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "powerstore-activity" + } +} \ No newline at end of file 
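Review bot: the paragraph on the API near the end of the Panzura hunk garbles the port sentence: "Additionally, the IP address of the port is 4497 by default" should read "Additionally, the port is 4497 by default and can be customized in the properties for the Agent" (the address side is covered under Network Configuration). In the same hunk, Step 5's action list ends in a stray "writeUnder ." and should end with "write."; the info admonition doubles the word ("Using the automatic option using the CloudFS API"); and the firewall paragraph first says the agent configures Windows Firewall automatically and then says "Use the following table to configure the firewall", which should be qualified as applying to any other firewall on the path between the Panzura nodes and the agent. Two gaps a reader will hit: the text only says the CloudFS API credentials "must be specified", not what minimum role the account needs to register a consumer and read audit settings, and it does not say whether the direct AMQP connection from the nodes to the agent on 4497 is authenticated or encrypted; state both, or state that they are unspecified.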
diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md new file mode 100644 index 0000000000..b873219695 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md 
@@ -0,0 +1,124 @@ +--- +title: "Enable Auditing for Dell PowerStore" +description: "Enable Auditing for Dell PowerStore" +sidebar_position: 20 +--- + +# Enable Auditing for Dell PowerStore + +Follow the steps to enable auditing on Dell PowerStore. + +- Create an Event Publishing Pool +- Create an Event Publisher +- Enable Event Publishing for the NAS Server OR Enable or Disable Event Publishing for File System + +See the +[Dell PowerStore - File Capabilities](https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h18155-dell-powerstore-file-capabilities.pdf) +white paper for additional information. + +## Create an Event Publishing Pool + +Follow the steps tTo create a new event publishing pool.: + +**Step 1 –** Select **Storage** > **NAS Servers** > **NAS Settings** > **Publishing Pools**. + +**Step 2 –** Click **Create** and specify the name of the pool. + +**Step 3 –** Specify CEE's address or addresses. + +![Create Event Publishing Pool](/images/activitymonitor/9.0/config/dellpowerstore/eventpublishingpool.webp) + +- For SMB shares monitoring (CIFS) enable following Post-Events: – + + - CloseModified + - CloseUnmodified + - CreateDir + - CreateFile + - DeleteDir + - DeleteFile + - OpenFileNoAccess + - RenameDir + - RenameFile + - SetAclDir + - SetAclFile + +- For NFS exports monitoring enable following Post-Events: – + + - CloseModified, + - CloseUnmodified + - CreateDir + - CreateFile + - DeleteDir + - DeleteFile + - FileRead + - FileWrite + - OpenFileNoAccess + - RenameDir + - RenameFile + - SetAclDir + - SetAclFile + - SetSecDir + - SetSecFile + +**Step 4 –** Click **Apply**. + +## Create an Event Publisher + +Follow the steps tTo create a an event publisher.: + +**Step 1 –** Select **Storage** > **NAS Servers** > **NAS Settings** > **Events Publishers**. + +![Events Publishing](/images/activitymonitor/9.0/config/dellpowerstore/nasservers.webp) + +**Step 2 –** Click **Create**. 
+ +![publishingpools](/images/activitymonitor/9.0/config/dellpowerstore/publishingpools.webp) + +**Step 3 –** Specify the name of the publisher. + +**Step 4 –** Select the pool and click **Next**. + +![configeventpublisher](/images/activitymonitor/9.0/config/dellpowerstore/configeventpublisher.webp) + +**Step 5 –** Specify Pre-Events Failure Policy as "Ignore - Consider pre-event acknowledged when +CEPA servers are offline". + +**Step 6 –** Specify Post-Events Failure Policy as "Accumulate - Continue and persist lost events in +an internal circular buffer". + +**Step 7 –** Click **Create Events Publisher**. + +The events publisher is created. + +## Enable Event Publishing for the NAS Server + +Follow the steps tTo enable or disable event publishing for the NAS Server.: + +**Step 1 –** Select **Storage** > **NAS Servers**. + +![NAS Servers](/images/activitymonitor/9.0/config/dellpowerstore/nasserver.webp) + +**Step 2 –** Go to **[NAS SERVER]** > **Security & Events** > **Events Publishing**. + +**Step 3 –** Enable and select the publisher. + +![nasserver1](/images/activitymonitor/9.0/config/dellpowerstore/nasserver1.webp) + +**Step 4 –** You can enable the event publishing for all file systems on the NAS by checking the box +and selecting protocols. + +Dell PowerStore is enabled for auditing. + +## Enable or Disable Event Publishing for File System + +Follow the steps toYou can enable or disable the feature for each file system individually. using +the following: + +**Step 1 –** Select **Storage** > **File Systems** > **[FILE SYSTEM]** > **Security & Events** > +**Events Publishing**. + +![Event Publising Option for File System](/images/activitymonitor/9.0/config/dellpowerstore/fseventpublishing.webp) + +**Step 2 –** Enable and select protocols needed. + +Dell PowerStore is enabled for auditing. 
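Review bot: the section lead-ins in the auditing.md hunk still carry merge leftovers: "Follow the steps tTo create a new event publishing pool.:", "Follow the steps tTo create a an event publisher.:" and "Follow the steps toYou can enable or disable the feature for each file system individually. using the following:" (plus the NAS Server one) should read "Follow the steps to create a new event publishing pool." and so on. In the pool steps, both "enable following Post-Events: –" headers end in a stray dash, "CloseModified," in the NFS list has a trailing comma, and the image alt text "Event Publising Option" is misspelled. The "Enable Event Publishing for the NAS Server" section is enable-only, so its lead-in should not say "enable or disable". Step 3 ("Specify CEE's address or addresses") would help readers more if it said this is the Windows proxy running Dell CEE and, per the checklist, normally the same host as the activity agent.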
diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md new file mode 100644 index 0000000000..1a44db4585 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md 
@@ -0,0 +1,78 @@ +--- +title: "Install Dell CEE" +description: "Install Dell CEE" +sidebar_position: 10 +--- + +# Install Dell CEE + +Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix +product. Dell customers have a support account with Dell to access the download. + +:::tip +Remember, the latest version is the recommended version of Dell CEE. +::: + + +:::info +The Dell CEE package can be installed on the Windows server where the Activity +Monitor agent will be deployed (recommended) or on any other Windows or Linux server. +::: + + +Follow the steps to install the Dell CEE. + +**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for +this component. It is recommended to use the most current version. + +**Step 2 –** Follow the instructions in the Dell +[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs) +guide to install and configure the CEE. The installation will add two services to the machine: + +- EMC Checker Service (Display Name: EMC CAVA) +- EMC CEE Monitor (Display Name: EMC CEE Monitor) + +:::info +The latest version of .NET Framework and Dell CEE is recommended to use with the +asynchronous bulk delivery (VCAPS) feature. +::: + + +## Configure Dell Registry Key Settings + +There may be situations when Dell CEE needs to be installed on a different Windows server than the +one where the Activity Monitor activity agent is deployed. In those cases it is necessary to +manually set the Dell CEE registry key to forward events. + +**Step 1 –** Open the Registry Editor (run regedit). + +![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp) + +**Step 2 –** Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration** + +**Step 3 –** Right-click on **Enabled** and select Modify. 
The Edit DWORD Value window opens. + +**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value +window closes. + +**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens. + +**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the +Windows proxy server hosting the Activity Monitor activity agent. Use the following format: + +**StealthAUDIT@[IP ADDRESS]** + +Examples: + +**StealthAUDIT@192.168.30.15** + +**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. + +The Dell CEE registry key is now properly configured to forward event to the Activity Monitor +activity agent. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md new file mode 100644 index 0000000000..1b8e914c01 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/powerstore-activity.md 
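Review bot: in the PowerStore installcee.md hunk, Step 6 shows "Examples:" followed by one value; use "Example:". The closing sentence "forward event to the Activity Monitor activity agent" should be "forward events". The tip ("the latest version is the recommended version") and Step 1 ("It is recommended to use the most current version") say the same thing; keep one. The registry path is spelled "HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration" here and "...\CEPP\Audit\Configuration" in validate.md later in this change; registry names are case-insensitive, but the docs should use one spelling. Since the EndPoint value binds CEE to the proxy by IP address, Step 6 should also tell the reader to use a static address for the proxy server, because an address change silently stops event delivery with no error on the device side.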
@@ -0,0 +1,77 @@ +--- +title: "Dell PowerStore Activity Auditing Configuration" +description: "Dell PowerStore Activity Auditing Configuration" +sidebar_position: 40 +--- + +# Dell PowerStore Activity Auditing Configuration + +A Dell PowerStore device can be configured to audit Server Message Block (SMB) protocol access +events. All audit data can be forwarded to the Dell Common Event Enabler (CEE). The Netwrix Activity +Monitor listens for all events coming through the Dell CEE and translates all relevant information +into entries in the TSV files or syslog messages. + +If the service is turned off, a notification will be sent to the Dell CEE framework to turn off the +associated Activity Monitor filter, but the policy will not be removed. + +The Dell CEE Framework uses a “push” mechanism so a notification is sent only to the activity agent +when a transaction occurs. Daily activity log files are created only if activity is performed. No +activity log file is created if there is no activity for the day. + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Dell PowerStore +devices. Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment + + - See the + [Dell PowerStore: File Capabilities](https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h18155-dell-powerstore-file-capabilities.pdf) + white paper for additional information. 
+ - Download the Dell CEE from: + + - [https://support.emc.com](https://support.emc.com/) + +**Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/installcee.md)** + +- Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity + agent will be deployed + + :::info + The latest version of Dell CEE is the recommended version to use with the + asynchronous bulk delivery (VCAPS) feature. + ::: + + +- Important: + + Open MS-RPC ports between the Dell device and the Windows proxy server(s) where the Dell CEE is + installed + +**Checklist Item 3: Dell PowerStore Device Configuration** + +- Enable auditing on the PowerStore device + + - See the [Enable Auditing for Dell PowerStore](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/powerstore-aac/auditing.md) topic for additional information. + +**Checklist Item 4: Activity Monitor Configuration** + +- Deploy the Activity Monitor activity agent to a Windows proxy server where Dell CEE was installed + + - After activity agent deployment, configure the Dell CEE Options tab of the agent’s Properties + window within the Activity Monitor Console + + - Automatically sets the Dell registry key settings + +Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent + +:::note +When Dell CEE is installed on Windows proxy server(s) where the Activity Monitor activity +agent will be deployed, the following steps are not needed. +::: + + +- Ensure the Dell CEE registry key has enabled set to 1 and has an EndPoint set to StealthAUDIT. +- Ensure the Dell CAVA service and the Dell CEE Monitor service are running. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md new file mode 100644 index 0000000000..e99c8b54a8 --- /dev/null 
+++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/qumulo-activity.md 
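Review bot: the intro of powerstore-activity.md says the device "can be configured to audit Server Message Block (SMB) protocol access events", but auditing.md in this same change lists post-events for NFS exports as well; say SMB and NFS here or readers will skip the NFS pool settings. "Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent" is the only checklist heading not in bold. Checklist Item 2's "Open MS-RPC ports between the Dell device and the Windows proxy server(s)" names no ports; list the ones CEE actually uses so the firewall rule can be scoped to those two hosts rather than a broad allow. Checklist Item 5 says "has enabled set to 1" (the value is "Enabled") and refers to the "Dell CAVA service and the Dell CEE Monitor service", while installcee.md lists display names "EMC CAVA" and "EMC CEE Monitor"; use the names the installer shows.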
@@ -0,0 +1,57 @@ +--- +title: "Qumulo Activity Auditing Configuration" +description: "Qumulo Activity Auditing Configuration" +sidebar_position: 120 +--- + +# Qumulo Activity Auditing Configuration + +The Netwrix Activity Monitor can be configured to monitor activity on Qumulo devices. To prepare +Qumulo to be monitored, an account needs to be provisioned and the audit event format may need to be +modified. + +## Provision Account + +Activity Monitor requires an account with the Observers role to monitor a Qumulo cluster. Follow the +steps to create a new account in the Qumulo web user interface with the Observers role. + +**Step 1 –** Create a new user in **Cluster** > **Local Users & Groups**. + +**Step 2 –** Assign the Observers role to the user using **Cluster** > **Role Management**. + +This credential will then be used when configuring the Activity Agent to monitor the Qumulo device. + +## Verify Audit Event Format + +Qumulo reports audit events in one of two formats: CSV and JSON. While the Netwrix Activity Monitor +supports both, the JSON format is recommended as it provides more detail. In particular, it allows +the product to distinguish between permission change events and attribute change events, presents +granular information for permission changes, and includes user SIDs instead of just usernames. The +advanced filtering of Microsoft Office activity also requires the JSON format. + +The JSON format for audit events was introduced in Qumulo Core 6.0.1. The new format can be enabled +via an SSH session to the Qumulo cluster. + +Follow the steps to verify that audit event format and change the format, if needed. + +**Step 1 –** Connect to the Qumulo cluster with SSH. + +**Step 2 –** Execute the following command to log in: + +```bash +qq --host login -u + +The command will ask for the password. + +__Step 3 –__ Execute the following command to check current format: + +**qq audit_get_syslog_config** + +The format will be shown in the __format__ field. 
The old format is __csv__; the new format is __json__. + +__Step 4 –__ Execute the following command to change the format, if needed: + +**qq audit_set_syslog_config --json** + +The change willshould be reflected in the __format__ field. +``` diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json new file mode 100644 index 0000000000..41f04f5b3e --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Dell Unity Activity Auditing Configuration", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "unity-activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md new file mode 100644 index 0000000000..34daed915e --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md 
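Review bot: the qumulo-activity.md hunk opens a bash fence before "qq --host login -u" and never closes it, so Steps 3 and 4 and the closing sentence render inside the code block; close the fence after the login command and put "qq audit_get_syslog_config" and "qq audit_set_syslog_config --json" in their own fences instead of bold prose. The login command has lost its host and user arguments, most likely angle-bracket placeholders stripped as HTML; write them as `<cluster-address>` and `<username>` or escape them. "The change willshould be reflected" is a merge leftover (keep "should"), and Steps 3 and 4 use "__Step 3 –__" where the rest of the docs use "**Step 3 –**". Requiring the Observers role is the right least-privilege choice; a sentence saying the account needs no administrative role would stop readers from over-provisioning it.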
@@ -0,0 +1,81 @@ +--- +title: "Install Dell CEE" +description: "Install Dell CEE" +sidebar_position: 10 +--- + +# Install Dell CEE + +Dell CEE should be installed on a Windows or a Linux server. The Dell CEE software is not a Netwrix +product. Dell customers have a support account with Dell to access the download. + +:::tip +Remember, the latest version is the recommended version of Dell CEE. +::: + + +:::info +The Dell CEE package can be installed on the Windows server where the Activity +Monitor agent will be deployed (recommended) or on any other Windows or Linux server. +::: + + +Follow the steps to install the Dell CEE. + +**Step 1 –** Obtain the latest CEE install package from Dell and any additional license required for +this component. It is recommended to use the most current version. + +**Step 2 –** Follow the instructions in the Dell +[Using the Common Event Enabler on Windows Platforms](https://www.dell.com/support/home/en-us/product-support/product/common-event-enabler/docs) +guide to install and configure the CEE. The installation will add two services to the machine: + +- EMC Checker Service (Display Name: EMC CAVA) +- EMC CEE Monitor (Display Name: EMC CEE Monitor) + +:::info +The latest version of .NET Framework and Dell CEE is recommended to use with the +asynchronous bulk delivery (VCAPS) feature. +::: + + +After Dell CEE installation is complete, it is necessary to complete the +[Unity Initial Setup with Unisphere](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md). + +## Configure Dell Registry Key Settings + +There may be situations when Dell CEE needs to be installed on a different Windows server than the +one where the Activity Monitor activity agent is deployed. In those cases it is necessary to +manually set the Dell CEE registry key to forward events. + +**Step 1 –** Open the Registry Editor (run regedit). 
+ +![registryeditor](/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp) + +**Step 2 –** Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration** + +**Step 3 –** Right-click on **Enabled** and select Modify. The Edit DWORD Value window opens. + +**Step 4 –** In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value +window closes. + +**Step 5 –** Right-click on **EndPoint** and select Modify. The Edit String window opens. + +**Step 6 –** In the Value data field, enter the StealthAUDIT value with the IP Address for the +Windows proxy server hosting the Activity Monitor activity agent. Use the following format: + +**StealthAUDIT@[IP ADDRESS]** + +Examples: + +**StealthAUDIT@192.168.30.15** + +**Step 7 –** Click OK. The Edit String window closes. Registry Editor can be closed. + +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +**Step 8 –** Open Services (run `services.msc`). Start or Restart the EMC CEE Monitor service. + +The Dell CEE registry key is now properly configured to forward event to the Activity Monitor +activity agent. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md new file mode 100644 index 0000000000..9845a39663 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md 
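Review bot: unity-aac/installcee.md duplicates powerstore-aac/installcee.md almost verbatim, down to the dellpowerstore image paths, differing only in the "Unity Initial Setup with Unisphere" link; a shared partial would keep the two from drifting. Until then the same fixes apply here: "Examples:" followed by a single example, "forward event to" should be "forward events to", the tip and Step 1 both recommend the latest version, and the registry path case ("CEPP\AUDIT") differs from validate.md in the same folder ("CEPP\Audit").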
@@ -0,0 +1,33 @@ +--- +title: "Unity Initial Setup with Unisphere" +description: "Unity Initial Setup with Unisphere" +sidebar_position: 20 +--- + +# Unity Initial Setup with Unisphere + +Follow the steps to configure the initial setup for a Unity device with Unisphere. + +**Step 1 –** Edit the NAS Server > Protection and Events > Events Publishing > Select Pool settings: + +- Add CEPA server – This is the server where CEE is installed. It is recommended that this is also + the server were the Activity Monitor activity agent is deployed. +- Enable the following events for Post Events. + +Required Unity events needed for CIFS Activity: + +![NAM Required Events For CIFS](/images/activitymonitor/9.0/config/dellunity/eventscifs.webp) + +Required Unity events needed for NFS Activity: + +![NAM Required Events For NFS](/images/activitymonitor/9.0/config/dellunity/eventsnfs.webp) + +**Step 2 –** Enable Events Publishing: + +- Edit the FileSystem > Advanced settings: + + - NFS Events Publishing – Enabled (required for NFS protocol monitoring) + - SMB Events publishing – Enabled (required for SMB / CIFS protocol monitoring) + +Once Unity setup is complete, it is time to configure and enable monitoring with the Activity +Monitor. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md new file mode 100644 index 0000000000..6792883a00 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/unity-activity.md 
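Review bot: in setupunisphere.md, Step 1's first bullet reads "the server were the Activity Monitor activity agent is deployed" (should be "where"). The required Post Events for CIFS and NFS are given only as screenshots ("NAM Required Events For CIFS", "NAM Required Events For NFS"); list the event names in text, as the PowerStore auditing page in this change does, so they are searchable, usable without the image and can be checked line by line against the Unisphere dialog. The closing sentence "it is time to configure and enable monitoring with the Activity Monitor" would be more useful as a link to the relevant console topic.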
@@ -0,0 +1,79 @@ +--- +title: "Dell Unity Activity Auditing Configuration" +description: "Dell Unity Activity Auditing Configuration" +sidebar_position: 50 +--- + +# Dell Unity Activity Auditing Configuration + +A Dell Unity device can be configured to audit Server Message Block (SMB) protocol access events. +All audit data can be forwarded to the Dell Common Event Enabler (CEE). The Netwrix Activity Monitor +listens for all events coming through the Dell CEE and translates all relevant information into +entries in the TSV files or syslog messages. + +If the service is turned off, a notification will be sent to the Dell CEE framework to turn off the +associated Activity Monitor filter, but the policy will not be removed. + +The Dell CEE Framework uses a "push" mechanism so a notification is sent only to the activity agent +when a transaction occurs. Daily activity log files are created only if activity is performed. No +activity log file is created if there is no activity for the day. + +**Configuration Checklist** + +Complete the following checklist prior to configuring activity monitoring of Dell Unity devices. +Instructions for each item of the checklist are detailed within the following topics. + +**Checklist Item 1: Plan Deployment** + +- Prior to beginning the deployment, gather the following: + + - Data Mover or Virtual Data Mover hosting the share(s) to be monitored + - Account with access to the CLI + - Download the Dell CEE from: + + - [https://support.emc.com](https://support.emc.com/) + +**Checklist Item 2: [Install Dell CEE](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/installcee.md)** + +- Dell CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity + agent will be deployed + + :::info + The latest version of Dell CEE is the recommended version to use with the + asynchronous bulk delivery (VCAPS) feature. 
+ ::: + + +- Important: + + - Open MS-RPC ports between the Dell device and the Windows proxy server(s) where the Dell CEE + is installed + - Dell CEE 8.4.2 through Dell CEE 8.6.1 are not supported for use with the VCAPS feature + - Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server + +**Checklist Item 3: Dell Unity Device Configuration** + +- Configure initial setup for a Unity device + + - [Unity Initial Setup with Unisphere](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/setupunisphere.md) + +**Checklist Item 4: Activity Monitor Configuration** + +- Deploy the Activity Monitor activity agent to a Windows proxy server where Dell CEE was installed + + - After activity agent deployment, configure the Dell CEE Options tab of the agent's Properties + window within the Activity Monitor Console + + - Automatically sets the Dell registry key settings + +Checklist Item 5: Configure Dell CEE to Forward Events to the Activity Agent + +:::note +When Dell CEE is installed on Windows proxy server(s) where the Activity Monitor activity +agent will be deployed, the following steps are not needed. +::: + + +- Ensure the Dell CEE registry key has enabled set to 1 and has an EndPoint set to StealthAUDIT. +- Ensure the Dell CAVA service and the Dell CEE Monitor service are running. +- See the [Validate Setup](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md) topic for instructions. diff --git a/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md new file mode 100644 index 0000000000..a8f5f5176a --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/unity-aac/validate.md 
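Review bot: Checklist Item 1 in unity-activity.md asks for the "Data Mover or Virtual Data Mover hosting the share(s) to be monitored", which is VNX/Celerra terminology; Unity uses NAS servers, and setupunisphere.md in this change configures "NAS Server", so this looks copied from the VNX page. The .NET requirement is inconsistent within the change: Item 2 says "Dell CEE requires .NET Framework 3.5 to be installed on the Windows proxy server", while installcee.md says "The latest version of .NET Framework and Dell CEE is recommended"; state what CEE actually needs. As in the PowerStore checklist, "Checklist Item 5" is not bold, "enabled set to 1" should be "Enabled", and "Dell CAVA" differs from the "EMC CAVA" display name in installcee.md. The intro's SMB-only wording also conflicts with the NFS events publishing setting in setupunisphere.md.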
@@ -0,0 +1,159 @@ +--- +title: "Validate Setup" +description: "Validate Setup" +sidebar_position: 30 +--- + +# Validate Setup + +Once the Activity Monitor agent is configured to monitor the Dell device, the automated +configuration must be validated to ensure events are being monitored. + +## Validate CEE Registry Key Settings + +:::note +See the +[Configure Dell Registry Key Settings](/docs/activitymonitor/9.0/requirements/activityagent/nas-device-configuration/celerra-vnx-aac/installcee.md#configure-dell-registry-key-settings) +topic for information on manually setting the registry key. +::: + + +After the Activity Monitor activity agent has been configured to monitor the Dell device, it will +configure the Dell CEE automatically if it is installed on the same server as the agent. This needs +to be set manually in the rare situations where it is necessary for the Dell CEE to be installed on +a different server than the Windows proxy server(s) where the Activity Monitor activity agent is +deployed. + +If the monitoring agent is not registering events, validate that the EndPoint is accurately set. +Open the Registry Editor (run regedit). For the synchronous real-time delivery mode (AUDIT), use the +following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration** + +![registryeditorendpoint](/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp) + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthAUDIT@'ip-address-of-the-agent'` + +- For the HTTP protocol,` StealthAUDIT@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. 
+::: + + +**Step 4 –** If you changed any of the settings, restart the CEE Monitor service. + +**For Asynchronous Bulk Delivery Mode** + +For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events +(VCAPS), use the following steps. + +**Step 1 –** Navigate to the following windows registry key: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration** + +**Step 2 –** Ensure that the Enabled parameter is set to 1. + +**Step 3 –** Ensure that the EndPoint parameter contains an address string for the Activity Monitor +agent in the following formats: + +- For the RPC protocol, `StealthVCAPS@'ip-address-of-the-agent'` +- For the HTTP protocol, `StealthVCAPS@http://'ip-address-of-the-agent':'port'` + +:::note +All protocol strings are case sensitive. The EndPoint parameter may also contain values +for other applications, separated with semicolons. +::: + + +**Step 4 –** Ensure that the FeedInterval parameter is set to a value between 60 and 600; the +MaxEventsPerFeed - between 10 and 10000. + +**Step 5 –** If you changed any of the settings, restart the CEE Monitor service. + +Set the following values under the Data column: + +- Enabled – 1 +- EndPoint – StealthAUDIT + +If this is configured correctly, validate that the Dell CEE services are running. See the Validate +Dell CEE Services are Running topic for additional information. + +## Validate Dell CEE Services are Running + +After the Activity Monitor Activity Agent has been configured to monitor the Dell device, the Dell +CEE services should be running. If the Activity Agent is not registering events and the EndPoint is +set accurately, validate that the Dell CEE services are running. Open the Services (run +`services.msc`). 
+ +![services](/images/activitymonitor/9.0/config/dellpowerstore/services.webp) + +The following services laid down by the Dell CEE installer should have Running as their status: + +- Dell CAVA +- Dell CEE Monitor + +## CEE Debug Logs + +If an issue arises with communication between the Dell CEE and the Activity Monitor, the debug logs +need to be enabled for troubleshooting purposes. Follow the steps. + +**Step 6 –** In the Activity Monitor Console, change the **Trace level** value in the lower right +corner to Trace. + +**Step 7 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Disable monitoring. + +**Step 8 –** Download and install the Debug View tool from Microsoft on the CEE server: + +**> [https://docs.microsoft.com/en-us/sysinternals/downloads/debugview](https://docs.microsoft.com/en-us/sysinternals/downloads/debugview)** + +**Step 9 –** Open the Registry Editor (run regedit). Navigate to following location: + +**HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration** + +**Step 10 –** Right-click on **Debug** and select Modify. The Edit DWORD Value window opens. In the +Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Debug DWORD Value does not exist, it needs to be added. +::: + + +**Step 11 –** Right-click on **Verbose** and select Modify. The Edit DWORD Value window opens. In +the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes. + +:::note +If the Verbose DWORD Value does not exist, it needs to be added. +::: + + +**Step 12 –** Run the Debug View tool (from Microsoft). In the Capture menu, select the following: + +- Capture Win32 +- Capture Global Win32 +- Capture Events + +**Step 13 –** In the Activity Monitor Console, select all Dell hosts from the Monitored Hosts & Services tab +and Enable monitoring. + +**Step 14 –** Generate some file activity on the Dell device. Save the Debug View Log to a file. 
+ +**Step 15 –** Send the following logs to [Netwrix Support](https://www.netwrix.com/support.html): + +- Debug View Log (from Dell Debug View tool) +- Use the **Collect Logs** button to collect debug logs from the activity agent + +:::info +After the logs have been gathered and sent to Netwrix Support, reset these +configurations. + +::: diff --git a/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-online-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-online-activity.md new file mode 100644 index 0000000000..655a7680c6 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-online-activity.md 
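Review bot: the note at the top of validate.md links to "celerra-vnx-aac/installcee.md#configure-dell-registry-key-settings" although this page lives under unity-aac and the same section exists in unity-aac/installcee.md in this change; point the link there. In the AUDIT steps the HTTP line misplaces the backtick ("For the HTTP protocol,` StealthAUDIT@http://..."); open the code span after the comma as the RPC line does. After the VCAPS steps, "Set the following values under the Data column: Enabled – 1 / EndPoint – StealthAUDIT" repeats Steps 2 and 3 in abbreviated form and reads like a third procedure; remove it or fold it into the steps. The CEE Debug Logs section starts at "Step 6" and runs to Step 15; renumber from Step 1. Step 8's link is wrapped as "**> [https://docs.microsoft.com/...](...)**", leaving a stray ">". Step 15 credits the "Dell Debug View tool" while Step 12 correctly says it is from Microsoft (Sysinternals). The closing info box says to "reset these configurations" without naming them: say that Debug and Verbose go back to their previous values and the console Trace level to its normal setting, and add that the captured debug output and collected agent logs can contain file paths and user names from the monitored shares, so they should be handled as sensitive data when sent to support.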
@@ -0,0 +1,264 @@ +--- +title: "SharePoint Online Activity Auditing Configuration" +description: "SharePoint Online Activity Auditing Configuration" +sidebar_position: 60 +--- + +# SharePoint Online Activity Auditing Configuration + +In order to collect logs and monitor SharePoint Online activity using the Netwrix Activity Monitor, +it needs to be registered with Microsoft® Entra ID® (formerly Azure AD). + +:::note +A user account with the Global Administrator role is required to register an app with +Microsoft Entra ID. +::: + + +**Additional Requirement** + +In addition to registering the application with Microsoft Entra ID, the following is required: + +- Enable Auditing for SharePoint Online + +See the Enable Auditing for SharePoint Online topic for additional information. + +**Configuration Settings from the Registered Application** + +The following settings are needed from your tenant once you have registered the application: + +- Tenant ID – This is the Tenant ID for Microsoft Entra ID +- Client ID – This is the Application (client) ID for the registered application +- Client Secret – This is the Client Secret Value generated when a new secret is created + + :::warning + It is not possible to retrieve the value after saving the new key. It must be + copied first. + ::: + + +**Permissions for Microsoft Graph API** + +- Application: + + - Directory.Read.All – Read directory data + - Sites.Read.All – Read items in all site collections + - User.Read.All – Read all users' full profiles + +**Permissions for Office 365 Management APIs** + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +## Register a Microsoft Entra ID Application + +Follow the steps to register Activity Monitor with Microsoft Entra ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. 
These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** On the left navigation menu, navigate to **Identity** > **Applications** and click App +registrations. + +**Step 3 –** In the top toolbar, click **New registration**. + +**Step 4 –** Enter the following information in the Register an application page: + +- Name – Enter a user-facing display name for the application, for example Netwrix Activity Monitor + for SharePoint +- Supported account types – Select **Accounts in this organizational directory only** +- Redirect URI – Set the Redirect URI to **Public client/native** (Mobile and desktop) from the drop + down menu. In the text box, enter the following: + +**Urn:ietf:wg:oauth:2.0:oob** + +**Step 5 –** Click **Register**. + +The Overview page for the newly registered app opens. Review the newly created registered +application. Now that the application has been registered, permissions need to be granted to it. + +## Grant Permissions to the Registered Application + +Follow the steps to grant permissions to the registered application. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **API permissions** in the Manage section. + +**Step 3 –** In the top toolbar, click **Add a permission**. + +**Step 4 –** On the Request API permissions blade, select **Microsoft Graph** on the Microsoft APIs +tab. 
Select the following permissions: + +- Application: + + - Directory.Read.All – Read directory data + - Sites.Read.All – Read items in all site collections + - User.Read.All – Read all users' full profiles + +**Step 5 –** At the bottom of the page, click **Add Permissions**. + +**Step 6 –** In the top toolbar, click **Add a permission**. + +**Step 7 –** On the Request API permissions blade, select **Office 365 Management APIs** on the +Microsoft APIs tab. Select the following permissions: + +- Application Permissions: + + - ActivityFeed.Read – Read activity data for your organization + - ActivityFeed.ReadDlp – Read DLP policy events including detected sensitive data + +**Step 8 –** At the bottom of the page, click **Add Permissions**. + +**Step 9 –** Click **Grant Admin Consent for [tenant]**. Then click **Yes** in the confirmation +window. + +Now that the permissions have been granted to it, the settings required for Activity Monitor need to +be collected. + +## Identify the Client ID + +Follow the steps to find the registered application's Client ID. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** Copy the **Application (client) ID** value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. Next identify the Tenant +ID. + +## Identify the Tenant ID + +The Tenant ID is available in two locations within Microsoft Entra ID. + +**Registered Application Overview Blade** + +You can copy the Tenant ID from the same page where you just copied the Client ID. 
Follow the steps +to copy the Tenant ID from the registered application Overview blade. + +**Step 1 –** Copy the Directory (tenant) ID value. + +**Step 2 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. Next generate the +application’s Client Secret Key. + +**Overview Page** + +Follow the steps to find the tenant name where the registered application resides. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +**Step 1 –** Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). + +**Step 2 –** Copy the Tenant ID value. + +**Step 3 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. Next generate the +application’s Client Secret Key. + +## Generate the Client Secret Key + +Follow the steps to find the registered application's Client Secret, create a new key, and save its +value when saving the new key. + +:::note +The steps below are for registering an app through the Microsoft Entra admin center. These +steps may vary slightly if you use a different Microsoft portal. See the relevant Microsoft +documentation for additional information. +::: + + +:::warning +It is not possible to retrieve the value after saving the new key. It must be copied +first. +::: + + +**Step 1 –** Select the newly-created, registered application. If you left the Overview page, it +will be listed in the **Identity** > **Applications** > **App registrations** > **All applications** +list. + +**Step 2 –** On the registered app blade, click **Certificates & secrets** in the Manage section. + +**Step 3 –** In the top toolbar, click **New client secret**. 
+ +**Step 4 –** On the Add a client secret blade, complete the following: + +- Description – Enter a unique description for this secret +- Expires – Select the duration. + + :::note + Setting the duration on the key to expire requires reconfiguration at the time of + expiration. It is best to configure it to expire in 1 or 2 years. + ::: + + +**Step 5 –** Click **Add** to generate the key. + +:::warning +If this page is left before the key is copied, then the key is not retrievable, and +this process will have to be repeated. +::: + + +**Step 6 –** The Client Secret will be displayed in the Value column of the table. You can use the +Copy to clipboard button to copy the Client Secret. + +**Step 7 –** Save this value in a text file. + +This is needed for adding a SharePoint Online host in the Activity Monitor. + +## Enable Auditing for SharePoint Online + +Follow the steps to enable auditing for SharePoint Online so the Activity Monitor can receive +events. + +**Step 1 –** In the Microsoft Purview compliance portal at +[https://compliance.microsoft.com](https://compliance.microsoft.com/), go to **Solutions** > +**Audit**. Or, to go directly to the Audit page at +[https://compliance.microsoft.com/auditlogsearch](https://compliance.microsoft.com/auditlogsearch). + +**Step 2 –** If auditing is not turned on for your organization, a banner is displayed prompting you +start recording user and admin activity. + +**Step 3 –** Select the **Start recording** user and **admin activity** banner. + +It may take up to 60 minutes for the change to take effect. The Activity Monitor now has SharePoint +Online auditing enabled as needed to receive events. See the Microsoft +[Turn auditing on or off](https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide) +article for additional information on enabling or disabling auditing. 
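Review bot: Step 7 of Generate the Client Secret Key ("Save this value in a text file") tells the reader to park the client secret in a plain text file, the same instruction given for the Client ID and Tenant ID even though only the secret is a credential; with Directory.Read.All, Sites.Read.All, User.Read.All, ActivityFeed.Read and ActivityFeed.ReadDlp granted and admin-consented in Step 9, that secret reads activity and DLP data for the whole tenant. Suggest replacing the step with guidance to keep the secret in a password manager or vault, enter it into the Activity Monitor host configuration directly, and delete any interim copy. Two smaller points: the Redirect URI is printed as "**Urn:ietf:wg:oauth:2.0:oob**" with a capital U, which looks like auto-capitalization and should be `urn:ietf:wg:oauth:2.0:oob`; and the note "The steps below are for registering an app through the Microsoft Entra admin center" is repeated verbatim under Grant Permissions, Identify the Client ID, Identify the Tenant ID and Generate the Client Secret Key, where nothing is being registered, so it should read "for configuring the registered app". Step 1 of Enable Auditing for SharePoint Online also leaves a fragment: "Or, to go directly to the Audit page at [...]." needs a verb.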
diff --git a/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-onprem-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-onprem-activity.md new file mode 100644 index 0000000000..fecb0fa571 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/sharepoint-onprem-activity.md 
@@ -0,0 +1,50 @@ +--- +title: "SharePoint On-Premise Activity Auditing Configuration" +description: "SharePoint On-Premise Activity Auditing Configuration" +sidebar_position: 50 +--- + +# SharePoint On-Premise Activity Auditing Configuration + +SharePoint Event Auditing must be enabled for each site collection to be monitored by the Netwrix +Activity Monitor and/or audited by Netwrix Access Analyzer. + +## User Requirements + +Following are the SharePoint On-Premise user requirements: + +- Local Administrator on SharePoint server (that hosts Central Administration) +- SharePoint SQL server, which includes login on SharePoint Admin, Config, and all content + databases, with the following role permissions: + + - SharePoint 2013+ + + - SPDataAccess + + - SharePoint 2010 + + - db_owner + +## Enable Event Auditing + +Follow the steps for each site collection within a SharePoint 2013 through SharePoint 2019 farm. + +**Step 1 –** Select Settings > Site settings. + +**Step 2 –** Under Site Collection Administration, click Go to top level site settings. + +**Step 3 –** On the Site Settings page, under Site Collection Administration, select Site collection +audit settings. + +**Step 4 –** On the Configure Audit Settings page, in the Documents and Items section select the +events to be audited. + +**Step 5 –** Still on the Configure Audit Settings page, in the List, Libraries, and Site section +select the events to be audited. + +**Step 6 –** Click OK to save the changes. + +SharePoint will create the audit logs to be monitored by the Netwrix Activity Monitor and/or audited +by Access Analyzer. See the Microsoft +[Configure audit settings for a site collection (SharePoint 2013/2016/2019)](https://support.office.com/en-us/article/Configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2) +article for additional information. 
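Review bot: Steps 4 and 5 of Enable Event Auditing say "select the events to be audited" without stating which audit events Activity Monitor actually needs from the Documents and Items section and the List, Libraries, and Site section; without that list an administrator either enables fewer events than collection requires or turns on everything and inflates the audit log, so name the required events. In User Requirements, the SharePoint 2010 entry requires db_owner on the Admin, Config and all content databases, a far broader right than SPDataAccess, while the Enable Event Auditing section only covers SharePoint 2013 through 2019; either drop the 2010 entry or mark it as legacy and explain that db_owner is the only option there. Minor: "SharePoint On-Premise" in the title and in "Following are the SharePoint On-Premise user requirements" should be "On-Premises".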
diff --git a/docs/activitymonitor/9.0/requirements/activityagent/sqlserver-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/sqlserver-activity.md new file mode 100644 index 0000000000..f735298b95 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/sqlserver-activity.md 
@@ -0,0 +1,77 @@ +--- +title: "SQL Server Activity Auditing Configuration" +description: "SQL Server Activity Auditing Configuration" +sidebar_position: 70 +--- + +# SQL Server Activity Auditing Configuration + +In order for the Netwrix Activity Monitor to monitor SQL Server activity, a SQL login with certain +server permissions, and must be mapped to user databases. + +## SQL Database Server Permissions + +- ALTER ANY EVENT SESSION + + - Allows agent to start or stop an event session or change an event session configuration. + +- VIEW ANY DEFINITION + + - Allows agent to view the SQL Server object definitions. + +- VIEW SERVER STATE + + - Allows agent to access dynamic management views. + +## Windows Authentication + +Use the following command to create a new login: + +``` +create login [DOMAIN\USER] from WINDOWS +``` + +Use the following command to grant server permissions: + +``` +grant alter any event session to [DOMAIN\USER] +grant view any definition to [DOMAIN\USER] +grant view server state to [DOMAIN\USER] +``` + +Use the following command to create a user in each database: + +``` +declare @s varchar(max)='';select @s=@s+(case when @s<>'' then char(13)+char(10) else '' end)+'use ['+name+'];create user [DOMAIN\USER] for login [DOMAIN\USER];' from sys.databases;exec(@s) +``` + +## SQL Authentication + +Use the following command to create a new login: + +``` +create login [USER] with password='[PUT_PASSWORD_HERE]' +``` + +Use the following command to grant server permissions: + +``` +grant alter any event session to [USER] +grant view any definition to [USER] +grant view server state to [USER] +``` + +Use the following command to create a user in each database: + +``` +declare @s varchar(max)='';select @s=@s+(case when @s<>'' then char(13)+char(10) else '' end)+'use ['+name+'];create user [USER] for login [USER];' from sys.databases;exec(@s) +``` + +## Logon Trigger (Optional) + +The logon trigger is required to obtain IP Addresses of client connections. 
Run the following script +in order to allow the Activity Monitor to report client IP Addresses. + +``` +CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON AS BEGIN declare @str varchar(max)=cast(EVENTDATA() as varchar(max));raiserror(@str,1,1);END +``` diff --git a/docs/activitymonitor/9.0/requirements/activityagent/windowsfs-activity.md b/docs/activitymonitor/9.0/requirements/activityagent/windowsfs-activity.md new file mode 100644 index 0000000000..b0809653b4 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/activityagent/windowsfs-activity.md 
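Review bot: The per-database user script (`... from sys.databases;exec(@s)`) builds a `use [...]; create user ...` pair for every row of sys.databases with no filter, so it also runs against tempdb (where the user disappears at the next restart), master, model and msdb, and errors on any database that is offline, restoring or read-only, leaving the run incomplete; suggest `where state_desc = 'ONLINE' and name <> 'tempdb'` and `quotename(name)` in place of `'['+name+']'` so names containing `]` are escaped. The opening sentence is missing its verb: "a SQL login with certain server permissions, and must be mapped to user databases" should read "a SQL login with certain server permissions is required, and it must be mapped to user databases". The Logon Trigger section is headed "(Optional)" but opens with "The logon trigger is required"; say "required only to obtain client IP addresses". That section should also carry the standard caveat that a logon trigger which errors blocks every new connection to the instance and must be disabled over the Dedicated Administrator Connection, give the matching `DROP TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER` for removal, and explain where the EVENTDATA() XML emitted by `raiserror(@str,1,1)` on every login ends up and what volume to expect. The code fences are untagged; tagging them ```sql gets highlighting.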
@@ -0,0 +1,50 @@ +--- +title: "Windows File Server Activity Auditing Configuration" +description: "Windows File Server Activity Auditing Configuration" +sidebar_position: 80 +--- + +# Windows File Server Activity Auditing Configuration + +In order for the Netwrix Activity Monitor to monitor Windows file server activity, an Activity Agent +must be deployed to the server. It cannot be deployed to a proxy server. However, additional +considerations are needed when targeting a Windows File System Clusters or DFS Namespaces. + +## Windows File System Clusters + +In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all +nodes that comprise the Windows File System Cluster. The credential used to deploy the Activity +Agent must have the following permissions on the server: + +- Membership in the local Administrators group +- READ and WRITE access to the archive location for Archiving feature only + +It is also necessary to enable the Remote Registry Service on the Activity Agent server. + +For integration between the Activity Monitor and Access Analyzer, the credential used by Access +Analyzer to read the activity log files must have also have this permission. + +After the agent has been deployed, it is necessary to modify the HOST parameter in the +`SBTFilemon.ini` file to be the name of the cluster. For integration with Netwrix Access Analyzer +, this must be an exact match to the name of the cluster in the Master Host Table. + +## DFS Namespaces + +In order to monitor activity on DFS Namespaces, an Activity Agent needs to be deployed on all DFS +servers. + +:::note +The FileSystem > 0.Collection > 0-FSDFS System Scans Job in Netwrix Access Analyzer + can be used to identify all DFS servers. 
+::: + + +The credential used to deploy the Activity Agent must have the following permissions on the server: + +- Membership in the local Administrators group +- READ and WRITE access to the archive location for Archiving feature only + +It is also necessary to enable the Remote Registry Service on the Activity Agent server. + +For integration between the Activity Monitor and Access Analyzer, the credential used by Access +Analyzer to read the activity log files must have also have this permission. diff --git a/docs/activitymonitor/9.0/requirements/adagent/_category_.json b/docs/activitymonitor/9.0/requirements/adagent/_category_.json new file mode 100644 index 0000000000..c84f42629d --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/adagent/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "AD Agent Server Requirements", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "adagent" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/adagent/activity/_category_.json b/docs/activitymonitor/9.0/requirements/adagent/activity/_category_.json new file mode 100644 index 0000000000..05cf87c439 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/adagent/activity/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Active Directory Activity Auditing Configuration", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "activity" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/requirements/adagent/activity/activity.md b/docs/activitymonitor/9.0/requirements/adagent/activity/activity.md new file mode 100644 index 0000000000..c3b3af7300 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/adagent/activity/activity.md 
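Review bot: In both the Windows File System Clusters and DFS Namespaces sections, "the credential used by Access Analyzer to read the activity log files must have also have this permission" doubles "have" and leaves "this permission" unresolved: the preceding sentence is about the Remote Registry Service, not a permission, so the reader cannot tell whether Access Analyzer needs local Administrators membership, READ on the archive location, or both; state the exact right (presumably READ on the archive location only). The Remote Registry Service requirement should say whether the service is needed only while the agent is being deployed or for as long as the agent runs, since leaving it enabled on cluster nodes and DFS servers widens their remote attack surface. Smaller: "when targeting a Windows File System Clusters or DFS Namespaces" should drop the "a"; the permissions list, the Remote Registry sentence and the Access Analyzer paragraph are duplicated verbatim across the two sections and could be one shared subsection; and the `SBTFilemon.ini` instruction gives no path for the file.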
@@ -0,0 +1,274 @@ +--- +title: "Active Directory Activity Auditing Configuration" +description: "Active Directory Activity Auditing Configuration" +sidebar_position: 10 +--- + +# Active Directory Activity Auditing Configuration + +There are two methods to configure Activity Monitor to provide Active Directory domain activity to +Access Analyzer: + +- API Server +- File Archive Repository + +See the [File Archive Repository Option](/docs/activitymonitor/9.0/requirements/adagent/activity/filearchive.md) topic for additional information on that +option. + +## API Server Option + +In this method, you will be deploying two agents: + +- First, deploy an Activity Agent to a Windows server that will act as the API server. This is a + non-domain controller server. + + :::info + Deploy the API Server to the same server where the Activity Monitor Console + resides. + ::: + + +- Next, deploy the AD Agent to all domain controllers in the target domain. + +Follow the steps to setup integration between Activity Monitor and Access Analyzer through an API +server. + +**Step 1 –** Deploy the Activity Agent to the API server. + +**Step 2 –** Deploy the AD Agent to each domain controller in the target domain. + +The next step is to configure the agent deployed to the API server. + +## Configure API Server Agent + +Follow the steps to configure the agent deployed to the API server. + +**Step 1 –** On the Agents tab of the Activity Monitor Console, select the agent deployed to the +API server. + +**Step 2 –** Click **Edit**. The Agent properties window opens. + +**Step 3 –** Select the **API Server** tab and configure the following: + +- Select the **Enable API access on this agent** checkbox. +- The default **API server port (TCP)** is 4494, but it can be modified if desired. Ensure the + modified port is also used by Access Analyzer. +- Click **Add Application**. The Add or edit API client window opens. 
+- Configure the following: + + - Provide a descriptive and unique **Application name**, for example `Access Analyzer`. + - Select the **Read** checkbox to grant this permission to this application. + - Click **Generate** to generate the Client ID and Client Secret. + - Copy the Client ID value to a text file. + - Click **Copy** and save the Client Secret value to a text file. + + :::warning + It is not possible to retrieve the value after closing the Add or edit + API client window. It must be copied first. + ::: + + + - By default, the **Secret Expires** in 3 days. That means it must be used in the Access + Analyzer Connection Profile within 72 hours or a new secret will need to be generated. Modify + if desired. + - Click **OK** to save the configuration and close the Add or edit API client window. + +- If the Activity Monitor Console server is not the API Server, then click **Use this console** to + grant the Activity Monitor the ability to manage the API server. +- The IPv4 or IPv6 allowlist allows you to limit access to the API server data to specific hosts. + +**Step 4 –** Click **OK** to save the configuration and close the Agent properties window. + +The next step is to configure the agents deployed to the domain controllers. + +## Configure Domain Controller Agent + +Follow the steps to configure the agent deployed to the domain controller. + +**Step 1 –** On the Agents tab of the Activity Monitor Console, select an agent deployed to domain +controller. + +**Step 2 –** Click **Edit**. The Agent properties window opens. + +**Step 3 –** Select the **Archiving** tab and configure the following: + +- Select the **Enable Archiving for this agent** checkbox. +- Select the **Archive log files on a UNC path** option. Click the **...** button and navigate to + the desired network share on the API server. +- The **User name** and **User password** fields only need to be filled in if the account used to + install the agent does not have access to this share. 
+ + :::tip + Remember, The account used to install the agent on a domain controller is a Domain + Administrator account. + ::: + + +- Click **Test** to ensure a successful connection to the network share. + +**Step 4 –** Click **OK** to save the configuration and close the Agent properties window. + +**Step 5 –** Repeat Steps 1-4 for each agent deployed to domain controller. + +These agent are configured to save the Archive logs to the selected share. + +## Configure Monitored Domain Output + +Follow the steps configure the monitored domain output for Netwrix Access Analyzer. + +**Step 1 –** Select the **Monitored Domains** tab. + +**Step 2 –** Select the desired domain and click **Add Output**. The Add New Ouptut window opens. + +**Step 3 –** Configure the following: + +- Configure the desired number of days for the **Period to keep Log files**. This is the number of + days the log files are kept on the API server configured in the sections above. This needs to be + set to a greater value than the days between Access Analyzer scans. + + - For example, if Access Analyzer runs the **AD_ActivityCollection** Job once a week (every 7 + days), then the Activity Monitor output should be configured to retain at least 10 days of log + files. + +- Check the **This log file is for StealthAUDIT** box. +- Optionally select the **Enable periodic AD Status Check event reporting** checkbox. When enabled, + the agent will send out status messages every five minutes to verify whether the connection is + still active. + +**Step 4 –** Click **Add Output** to save and close the Add New Output window. + +Access Analyzer now has access to the agent log files for this domain. + +## Configure Connection Profile + +Follow the steps to configure the Connection Profile in Access Analyzer. + +:::tip +Remember, the Client ID and Client Secret were generated by the API server and copied to a text +file. 
If the secret expired before the Connection Profile is configured, it will need to be +re-generated. +::: + + +**Step 1 –** On the **Settings** > **Connection** node of the Access Analyzer Console, select the +Connection Profile for the Active Directory solution. If you haven't yet created a Connection +Profile or desire a specific one for AD Activity, create a new one and provide a unique descriptive +name. + +**Step 2 –** Click **Add User credential**. The User Credentials window opens. + +**Step 3 –** Configure the following: + +- Select Account Type – Select **Web Services (JWT)** +- User name – Enter the Client ID generated by the Activity Monitor API Server +- Access Token – Enter the Client Secret generated by the Activity Monitor API Server + +**Step 4 –** Click **OK** to save and close the User Credentials window. + +**Step 5 –** Click **Save** and then **OK** to confirm the changes to the Connection Profile. + +**Step 6 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** Job +Group. Select the **Settings > Connection** node. + +**Step 7 –** Select the **Select one of the following user defined profiles** option. Expand the +drop-down menu and select the Connection Profile with this credential. + +**Step 8 –** Click **Save** and then **OK** to confirm the changes to the job group settings. + +The Connection Profile will now be used for AD Activity collection. + +## Configure the AD_ActivityCollection Job + +The Access Analyzer requires additional configurations in order to collect domain activity data. +Follow the steps to configure the **AD_ActivityCollection** Job. + +:::note +Ensure that the **.Active Directory Inventory** Job Group has been successfully run +against the target domain. +::: + + +**Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** > +**AD_ActivityCollection** Job. Select the **Configure** > **Queries** node. + +**Step 2 –** Click **Query Properties**. 
The Query Properties window displays. + +**Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard +opens. + +![Active Directory Activity DC wizard Category page](/images/activitymonitor/9.0/config/activedirectory/categoryimportfromnam.webp) + +**Step 4 –** On the Category page, choose **Import from SAM** option and click **Next**. + +![Active Directory Activity DC wizard SAM connection settings page](/images/activitymonitor/9.0/config/activedirectory/namconnection.webp) + +**Step 5 –** On the SAM connection page, the **Port** is set to the default 4494. This needs to +match the port configured for the Activity Monitor API Server agent. + +**Step 6 –** In the **Test SAM host** textbox, enter the Activity Monitor API Server name using +fully qualified domain format. For example, `NEWYORKSRV30.NWXTech.com`. Click **Connect**. + +**Step 7 –** If connection is successful, the archive location displays along with a Refresh token. +Copy the **Refresh token**. This will replace the Client Secret in the Connection Profile in the +last step. + +**Step 8 –** Click **Next**. + +![Active Directory Activity DC wizard Scoping and Retention page](/images/activitymonitor/9.0/config/activedirectory/scope.webp) + +**Step 9 –** On the Scope page, set the Timespan as desired. There are two options: + +- Relative Timespan – Set the number of days of activity logs to collect when the scan is run +- Absolute Timespan – Set the date range for activity logs to collect when the scan is run + +:::info +The threshold should be set to ensure the logs are collected before the Activity +Monitor domain output log retention expires. For example, if Access Analyzer runs the +**AD_ActivityCollection** Job once a week (every 7 days), then the Activity Monitor output should be +configured to retain at least 10 days of log files. +::: + + +**Step 10 –** Set the Retention period as desired. 
This is the number of days Access Analyzer keeps +the collected data in the SQL Server database. + +**Step 11 –** Click **Next** and then **Finish** to save the changes and close the wizard. + +**Step 12 –** Click **OK** to save the changes and close the Query Properties page. + +**Step 13 –** Navigate to the global **Settings** > **Connection** node to update the User +Credential with the Refresh token: + +- Select the Connection Profile assigned to the **6.Activity** > **0.Collection** Job Group. +- Select the Web Services (JWT) User Credential and click **Edit**. +- Replace the Access Token with the Refresh token generated by the data collector in Step 7. +- Click **OK** to save and close the User Credentials window. +- Click **Save** and then **OK** to confirm the changes to the Connection Profile. + +The query is now configured to target the Activity Monitor API Server to collect domain activity +logs. + +### (Optional) Configure Import of AD Activity into Netwrix Access Information Center + +AD Activity data can be imported into Netwrix Access Information Center by the +**AD_ActivityCollection** Job. However, this is disabled by default. Follow the steps to enable the +importing of AD activity data into the Access Information Center. + +**Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** > +**AD_ActivityCollection** Job. + +**Step 2 –** On the job's Overview page, enable the import of AD Events. + +- Click on the **Enable to import AD events into the AIC** parameter. +- On the Parameter Configuration window, select the **Enabled** checkbox and click **Save**. + +**Step 3 –** On the job's Overview page, enable the import of authentication Events. + +- Click on the **Enable to import authentication events into the AIC** parameter. +- On the Parameter Configuration window, select the **Enabled** checkbox and click **Save**. 
+ +**Step 4 –** Optionally, modify the **List of attributes to track for Object Modified changes** and +**Number of days to retain activity data in the AIC** parameters. + +The **AD_ActivityCollection** Job is now configured to import both AD events and authentication +events into the Netwrix Access Information Center. diff --git a/docs/activitymonitor/9.0/requirements/adagent/activity/filearchive.md b/docs/activitymonitor/9.0/requirements/adagent/activity/filearchive.md new file mode 100644 index 0000000000..235cdfabfc --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/adagent/activity/filearchive.md 
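Review bot: Step 3 of Configure Monitored Domain Output says "Check the **This log file is for StealthAUDIT** box", while the same step on the File Archive Repository page says "This log file is for Access Analyzer"; one of these does not match the 9.0 UI label and the reader will not find the checkbox. The same legacy naming shows up in the AD_ActivityCollection steps ("Import from SAM", "SAM connection page", "Test SAM host") and in the image names (`categoryimportfromnam.webp`, `namconnection.webp`); explain the abbreviation once or align it with the product name. On the Archiving tab of the domain controller agent, the tip points out that the install account is a Domain Administrator and that the User name / User password fields fall back to it for the UNC share; as the File Archive Repository page already does, recommend a dedicated least-privilege account for the share instead of relying on a Domain Administrator credential for a file-share write from every DC agent. In the API Server section, the allowlist bullet only says it "allows you to limit access"; recommend populating it with the Access Analyzer host so the API server (default TCP 4494) is not reachable from any host that obtains the Client ID and Client Secret. Typos: "Add New Ouptut", "These agent are configured", "Follow the steps configure the monitored domain output", "Remember, The account", and "for each agent deployed to domain controller" is missing "a".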
@@ -0,0 +1,171 @@ +--- +title: "File Archive Repository Option" +description: "File Archive Repository Option" +sidebar_position: 10 +--- + +# File Archive Repository Option + +As an alternative to using an API Server, Netwrix Activity Monitor can be configured to store all +archived logs to a network share. This option requires all of the domain logs to be stored in the +same share location in order for Access Analyzer to collect the AD Activity data. + +**Prerequisite** + +Deploy the AD Agent to each domain controller in the target domain. + +## Configure Domain Controller Agent + +Follow the steps to configure the agent deployed to the domain controller. + +:::note +These steps assume the network share where the activity log files will be archived already +exists. +::: + + +**Step 1 –** On the Agents tab of the Activity Monitor Console, select an agent deployed to domain +controller. + +**Step 2 –** Click Edit. The Agent properties window opens. + +**Step 3 –** Select the Archiving tab and configure the following: + +- Check the Enable Archiving for this agent box. +- Select the **Archive log files on a UNC path** option. Click the ... button and navigate to the + desired network share. +- The **User name** and **User password** fields only need to be filled in if the account used to + install the agent does not have access to this share. + + :::tip + Remember, The account used to install the agent on a domain controller is a Domain + Administrator account. This is typically the credential that will be used in the Netwrix Access + Analyzer Connection Profile. However, a least privilege option is + a domain user account with Read access to this share. + ::: + + +- Click **Test** to ensure a successful connection to the network share. + +**Step 4 –** Click OK to save the configuration and close the Agent properties window. + +**Step 5 –** Repeat Steps 1-4 for each agent deployed to domain controller pointing to the same +network share in Step 3 for each agent. 
+ +These agent are configured to save the Archive logs to the selected share. + +## Configure Monitored Domain Output + +Follow the steps configure the monitored domain output for Netwrix Access Analyzer. + +**Step 1 –** Select the **Monitored Domains** tab. + +**Step 2 –** Select the desired domain and click **Add Output**. The Add New Ouptut window opens. + +**Step 3 –** Configure the following: + +- Configure the desired number of days for the **Period to keep Log files**. This is the number of + days the log files are kept on the API server configured in the sections above. This needs to be + set to a greater value than the days between Access Analyzer scans. + + - For example, if Access Analyzer runs the **AD_ActivityCollection** Job once a week (every 7 + days), then the Activity Monitor output should be configured to retain at least 10 days of log + files. + +- Check the **This log file is for Access Analyzer** box. +- Optionally select the **Enable periodic AD Status Check event reporting** checkbox. When enabled, + the agent will send out status messages every five minutes to verify whether the connection is + still active. + +**Step 4 –** Click **Add Output** to save and close the Add New Output window. + +Access Analyzer now has access to the agent log files for this domain. + +## Configure Connection Profile + +Follow the steps to configure the Connection Profile in Access Analyzer. + +**Step 1 –** On the Settings > Connection node of the Access Analyzer Console, select the Connection +Profile for the Active Directory solution. If you haven't yet created a Connection Profile or desire +a specific one for AD Activity, create a new one and provide a unique descriptive name. + +**Step 2 –** Click Add User credential. The User Credentials window opens. 
+ +**Step 3 –** Configure the following: + +- Select Account Type – Select **Active Directory Account** +- Domain – Select the domain where the network share resides +- User name – Enter the account with Read access to the network share +- Provide the account password: + + - Password Storage – Select the password storage location, if it is being stored in a vault, + like CyberArk + - Password / Confirm – Enter the account password in both fields + +**Step 4 –** Click OK to save and close the User Credentials window. + +**Step 5 –** Click **Save** and then **OK** to confirm the changes to the Connection Profile. + +**Step 6 –** Navigate to the Jobs > Active Directory > 6.Activity > 0.Collection Job Group. Select +the **Settings > Connection** node. + +**Step 7 –** Select the **Select one of the following user defined profiles** option. Expand the +drop-down menu and select the Connection Profile with this credential. + +**Step 8 –** Click **Save** and then **OK** to confirm the changes to the job group settings. + +The Connection Profile will now be used for AD Activity collection. + +## Configure the AD_ActivityCollection Job + +Access Analyzer requires additional configurations in order to collect domain activity data. Follow +the steps to configure the **AD_ActivityCollection** Job. + +:::note +Ensure that the .Active Directory Inventory Job Group has been successfully run against +the target domain. +::: + + +**Step 1 –** Navigate to the **Jobs** > **Active Directory** > **6.Activity** > **0.Collection** > +**AD_ActivityCollection** Job. Select the **Configure** > **Queries** node. + +**Step 2 –** Click **Query Properties**. The Query Properties window displays. + +**Step 3 –** On the Data Source tab, select **Configure**. The Active Directory Activity DC wizard +opens. 
+ +![Active Directory Activity DC wizard Category page](/images/activitymonitor/9.0/config/activedirectory/categoryimportfromshare.webp) + +**Step 4 –** On the Category page, choose **Import from Share** option and click **Next**. + +![Active Directory Activity DC wizard Share settings page](/images/activitymonitor/9.0/config/activedirectory/share.webp) + +**Step 5 –** On the Share page, provide the UNC path to the AD Activity share archive location. If +there are multiple archives in the same network share, check the **Include Sub-Directories** box. +Click **Next**. + +![Active Directory Activity DC wizard Scoping and Retention page](/images/activitymonitor/9.0/config/activedirectory/scope.webp) + +**Step 6 –** On the Scope page, set the Timespan as desired. There are two options: + +- Relative Timespan – Set the number of days of activity logs to collect when the scan is run +- Absolute Timespan – Set the date range for activity logs to collect when the scan is run + +:::info +The threshold should be set to ensure the logs are collected before the Activity +Monitor domain output log retention expires. For example, if Access Analyzer runs the +**AD_ActivityCollection** Job once a week (every 7 days), then the Activity Monitor output should be +configured to retain at least 10 days of log files. +::: + + +**Step 7 –** Set the Retention period as desired. This is the number of days Access Analyzer keeps +the collected data in the SQL Server database. + +**Step 8 –** Click **Next** and then **Finish** to save the changes and close the wizard. + +**Step 9 –** Click **OK** to save the changes and close the Query Properties page. + +The query is now configured to target the network share where the Activity Monitor domain activity +logs are archived. diff --git a/docs/activitymonitor/9.0/requirements/adagent/adagent.md b/docs/activitymonitor/9.0/requirements/adagent/adagent.md new file mode 100644 index 0000000000..c1d32aa6f2 --- /dev/null 
+++ b/docs/activitymonitor/9.0/requirements/adagent/adagent.md 
@@ -0,0 +1,125 @@ +--- +title: "AD Agent Server Requirements" +description: "AD Agent Server Requirements" +sidebar_position: 20 +--- + +# AD Agent Server Requirements + +Active Directory (AD) monitoring can be accomplished through two primary methods: + +- Activity Monitor Agents with the AD Module +- Retrieving activity data from Netwrix Threat Prevention + +Both approaches require the installation of agents on each domain controller within the monitored +domain and are compatible with Netwrix Access Analyzer and Netwrix +Threat Manager, feeding them AD activity data. + +Activity Monitor Agents: This option focuses solely on monitoring AD activity, providing basic +visibility into AD events without additional features. + +![nam_admodule](/images/activitymonitor/9.0/requirements/nam_admodule.webp) + +Netwrix Threat Prevention: Offers a more comprehensive and flexible monitoring experience, including +advanced features like operation blocking and enhanced monitoring capabilities. + +![ntp](/images/activitymonitor/9.0/requirements/ntp.webp) + +These methods provide organizations with a choice between basic AD activity monitoring and a more +versatile, security-enhanced option. + +**Activity Monitor and Threat Prevention Compatibility Matrix** + +| Activity Monitor Version | Threat Prevention (formerly Stealth Intercept) Version | Threat Prevention Version | +| ------------------------ | ------------------------------------------------------ | ------------------------- | +| 7.1 | 7.3 | 7.4 | +| 7.0 | 7.3 | | + +## Requirements + +The AD Agent is deployed to every domain controllers to monitor Active Directory domains. The server +can be physical or virtual. 
The supported operating systems are: + +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +**RAM, Cores, and Disk Space** + +These depend on the amount of activity expected: + +| Environment | Recommended | Minimum | +| ----------- | ----------- | ------- | +| RAM | 8+ GB | 4+ GB | +| Cores | 4+ CPU | 2 CPU | +| Disk Space | 50 GB | 50 GB | + +The disk space requirement covers the following: + +- Agent Size – 150 MB +- Agent Queues – In the event of a network outage, the agent will cache up to 40 GB of event data +- Diagnostic Logging – 1 GB + +Old files are zipped, typical compression ratio is 20. Optionally, old files are moved from the +server to a network share. See the [Archiving Tab](/docs/activitymonitor/9.0/admin/agents/properties/archiving.md) topic +for additional information. + +**Additional Server Requirements** + +The following are additional requirements for the agent server: + +- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft + [.NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2) + article +- WMI enabled on the machine, which is optional but required for centralized Agent maintenance + +**Permissions for Installation** + +The following permission is required to install and manage the agent: + +- Membership in the Domain Administrators group +- READ and WRITE access to the archive location for Archiving feature only + +## Supported Active Directory Platforms + +The Activity Monitor provides the ability to monitor Active Directory: + +:::note +For monitoring an Active Directory domain, the AD Agent must be installed on all domain +controllers within the domain to be monitored. 
+::: + + +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +See the [Active Directory Activity Auditing Configuration](/docs/activitymonitor/9.0/requirements/adagent/activity/activity.md) +topic for target environment requirements. + +## AD Agent Compatibility with Non-Netwrix Security Products + +The following products conflict with the agent: + +:::warning +Do not install these products on a server where an agent is deployed. Do NOT install an +agent on a server where these products are installed. +::: + + +- Quest Change Auditor (aka Dell ChangeAuditor) +- PowerBroker Auditor for Active Directory by BeyondTrust + +The following products, which protect LSASS, may prevent the agent from injecting into LSASS, and +thereby prevent monitoring Active Directory events: + +- Cisco AMP for Endpoints Connector +- Avast Business Antivirus + + - Specifically the “Avast self-defense module” + +:::note +These products and other similar products can be configured via a whitelist to allow the +agent to operate. + +::: diff --git a/docs/activitymonitor/9.0/requirements/adagent/threatprevention.md b/docs/activitymonitor/9.0/requirements/adagent/threatprevention.md new file mode 100644 index 0000000000..9cc890344e --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/adagent/threatprevention.md 
@@ -0,0 +1,53 @@ +--- +title: "Getting Data from NTP for AD Activity Reporting" +description: "Getting Data from NTP for AD Activity Reporting" +sidebar_position: 20 +--- + +# Getting Data from NTP for AD Activity Reporting + +When Netwrix Threat Prevention is configured to monitor a domain, the event data collected by the +policies can be provided to Netwrix Access Analyzer for Active +Directory Activity reporting. This is accomplished by configuring Threat Prevention to send data to +Netwrix Activity Monitor, which in turn creates the activity log files that Access Analyzer +collects. + +:::note +Threat Prevention can only be configured to send event data to one Netwrix application, +either Netwrix Activity Monitor or Netwrix Threat Manager but not both. However, the Activity +Monitor can be configured with outputs for Access Analyzer and Threat Manager +::: + + +Follow these steps to configure this integration. + +:::info +It is a best practice to use the API Server option of the Activity Monitor for +this integration between Threat Prevention and Access Analyzer. +::: + + +**Step 1 –** In the Threat Prevention Administration Console, click **Configuration** > **Netwrix +Threat Manager Configuration** on the menu. The Netwrix Threat Manager Configuration window opens. + +**Step 2 –** On the Event Sink tab, configure the following: + +- Netwrix Threat Manager URI – Enter the name of the Activity Monitor agent host and port, which is + 4499 by default, in the following format: + + `amqp://localhost:4499` + + You must use localhost, even if Activity Monitor and Threat Prevention are installed on + different servers. + +- App Token – Leave this field blank for integration with Activity Monitor +- Policies – The table displays all policies created in Threat Prevention along with a State icon + indicating if the policy is active. Check the **Send** box for the desired policies monitoring the + target domain activity. + +**Step 3 –** Click **Save**. 
+ +All real-time event data from the selected policies are now being sent to Activity Monitor. +Additional policies can be added to this data stream through the Netwrix Threat Manager +Configuration window or by selecting the **Send to Netwrix Threat Manager** option on the Actions +tab of the policy. diff --git a/docs/activitymonitor/9.0/requirements/linuxagent.md b/docs/activitymonitor/9.0/requirements/linuxagent.md new file mode 100644 index 0000000000..8d6575c593 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/linuxagent.md 
@@ -0,0 +1,76 @@ +--- +title: "Linux Agent Server Requirements" +description: "Linux Agent Server Requirements" +sidebar_position: 30 +--- + +# Linux Agent Server Requirements + +The server where the agent is deployed can be physical or virtual. The supported operating systems +are: + +- Red Hat Enterprise Linux + + - V 9.x + - V 8.x + +- Activity Monitor supports RHEL kernels in FIPS mode compliant with FIPS 140-2 and FIPS 140-3. + +## Target Requirements + +:::note +For monitoring a Linux file server, the The Linux Agent is deployed to Linux servers to be +monitored. It cannot be deployed to a proxy server. +::: + + +## Supported Protocols + +The following protocols are supported for the Linux agent: + +- Local +- Common Internet File System (CIFS) / Server Message Block (SMB) +- Network File System (Mounted Client-Side) + +:::note +Server-Side NFS protocol is not supported. +::: + + +## Permissions for Installation + +The following permission is required by the account used to install and manage the agent: + +- Root privileges with password (or SSH private key) + +For integration between the Activity Monitor and Access Analyzer, the credential used by Access +Analyzer to read the activity log files must have also have this permission. + +:::info +Activity Monitor Agent uses certificates to secure the connection between the Linux Agent and the Console / API Server. +By default, the Agent uses an automatically generated self-signed certificate. The Console and the API Server do not enforce +validity checks on these self-signed agent certificates. + +This self-signed certificate can be replaced with one issued by a Certification Authority. Once replaced, the Console and +the API Server will ensure the validity of the agent’s certificates. + +See the [Certificate](/docs/activitymonitor/9.0/admin/agents/properties/certificate.md) topic for additional information. 
+::: + + +## Immutable Mode + +For file activity monitoring on Linux, Activity Monitor relies on **auditd** component of the Linux +Auditing System. One of the features of auditd is the **immutable mode** or `-e 2` command, which +locks the audit configuration and protects it from being changed. When the immutable mode is +enabled, the only way to change the auditing configuration is to reboot the server. + +To check if the immutable mode is enabled, use the `auditctl -s` command. If the immutable mode is +active, the command will print `enabled 2`. Alternatively, check for the `-e 2` line in the +`/etc/audit/rules.d/audit.rules` file. + +Activity Monitor supports the immutable mode. It compares the current auditd configuration with the +desired one. If they differ and the immutable mode is enabled, the product displays a warning that a +server restart is required in the status section of the **Monitored Hosts & Services** tab. After the reboot, +the changes take effect and the immutable mode is enabled. + diff --git a/docs/activitymonitor/9.0/requirements/overview.md b/docs/activitymonitor/9.0/requirements/overview.md new file mode 100644 index 0000000000..205e2700d9 --- /dev/null +++ b/docs/activitymonitor/9.0/requirements/overview.md 
@@ -0,0 +1,78 @@ +--- +title: "Requirements" +description: "Requirements" +sidebar_position: 20 +--- + +# Requirements + +This topic describes the recommended configuration of the servers needed to install the application +in a production environment. Depending on the size of the organization, it is recommended to review +your environment and requirements with a Netwrix engineer prior to deployment to ensure all +exceptions are covered. + +## Architecture Overview + +The following servers are required for installation of the application: + +**Core Components** + +- **Activity Monitor Console** Machine – This is where the management console is installed. + The Console can be installed on several machines to manage the same set of agents. + + :::note + The Activity Monitor Console can be hosted on the same machine as other Netwrix + products. + ::: + + +- **Agents** – There are three deployment scenarios that that differ in their requirements: + + - Activity monitoring of Windows file servers, Network Attached Storage (NAS) devices, Azure Files, Microsoft Entra ID, SharePoint On-premise, + SharePoint Online, Exchange Online, and SQL Server. The agent is deployed on a Windows Server. + See the [Activity Agent Server Requirements](/docs/activitymonitor/9.0/requirements/activityagent/activityagent.md) topic + for additional information. + - Active Directory monitoring – the agent is deployed to every domain controllers to monitor Active Directory + domains. See the [AD Agent Server Requirements](/docs/activitymonitor/9.0/requirements/adagent/adagent.md) topic for additional information. + - Linux monitoring – the agent is deployed to Linux servers to be monitored. See the + [Linux Agent Server Requirements](/docs/activitymonitor/9.0/requirements/linuxagent.md) topic for additional information. + +**Target Environment Considerations** + +The target environment encompasses all servers, devices, or infrastructure to be monitored by +Activity Monitor. 
Most solutions have additional target requirements. + +## Activity Monitor Console Machine Requirements + +The machine can be a Windows Server or desktop, as well as physical or virtual. The Console can be installed on serveral machines to manage the same agents. +The following Windows Server operating systems are supported: + +- Windows Server 2025 +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +The following Windows desktop operating systems are supported: + +- Windows 11 +- Windows 10 + +**RAM, Processor, and Disk Space** + +- RAM – 4 GB minimum +- Processor – x64 +- Disk Space – 1 GB minimum + +**Additional Machine Requirements** + +The following are additional requirements for the Console machine: + +- .NET Framework 4.7.2 installed, which can be downloaded from the link in the Microsoft + [.NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2) + article + +**Permissions for Installation** + +The following permission is required to install and use the application: + +- Membership in the local Administrators group for the Activity Monitor Console machine diff --git a/docs/activitymonitor/9.0/restapi/_category_.json b/docs/activitymonitor/9.0/restapi/_category_.json new file mode 100644 index 0000000000..37dc66e9c5 --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "REST API", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/restapi/overview.md b/docs/activitymonitor/9.0/restapi/overview.md new file mode 100644 index 0000000000..63b6d64e6d --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/overview.md 
@@ -0,0 +1,29 @@ +--- +title: "REST API" +description: "REST API" +sidebar_position: 60 +--- + +# REST API + +## Overview + +Netwrix Activity Monitor API gives you access to the most information and functionality available in +the console. You can manage agents, monitored hosts and services, AD monitoring using API. + +The REST-style API is provided by the API Server feature which is a component of the Activity +Monitor Agent (Windows only). It is pre-installed with the Agent, disabled by default. + +Like the console, a single API Server can manage many agents. A single API Server can manage the +whole organization. However, one capability requires running the API Server on each and every +Activity Monitor Agent and is the HTTPS access to the log files. + +See the following topics for additional information: + +- [Security and Access Control](/docs/activitymonitor/9.0/restapi/security.md) +- [Schema and Resources](/docs/activitymonitor/9.0/restapi/resources/resources.md) + + - [Agent](/docs/activitymonitor/9.0/restapi/resources/agent.md) + - [Domain](/docs/activitymonitor/9.0/restapi/resources/domain.md) + - [Host](/docs/activitymonitor/9.0/restapi/resources/host.md) + - [Output](/docs/activitymonitor/9.0/restapi/resources/output.md) diff --git a/docs/activitymonitor/9.0/restapi/resources/_category_.json b/docs/activitymonitor/9.0/restapi/resources/_category_.json new file mode 100644 index 0000000000..9a2c4705c7 --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/resources/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Schema and Resources", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "resources" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/restapi/resources/agent.md b/docs/activitymonitor/9.0/restapi/resources/agent.md new file mode 100644 index 0000000000..30ef470331 --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/resources/agent.md 
@@ -0,0 +1,262 @@ +--- +title: "Agent" +description: "Agent" +sidebar_position: 10 +--- + +# Agent + +| Attribute | Type | Detailed Only | Description | +| ---------------------------------------- | -------- | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| id | string | | Agent ID | +| platformId | string | | Platform of the agent: Windows , Linux | +| url | string | | Self URL | +| host | string | | Host name/address as specified by user | +| netbiosName | string | | NETBIOS name | +| authenticationMethod | string | | The authentication method for connecting to the agent: Password, PublicKey | +| agentPort | int | | The port that is used by the agent. Default: 4498. | +| userName | string | | Account for connecting to the agent. | +| password | string | X | Account password for connecting to the agent. Password is not exposed. | +| privateKey | string | | The private key used when PublicKey authentication method is used. The private key is not exposed. | +| clientCertificate | string | | The agent's client certificate. | +| protocol | string | | The protocol used for connecting to the agent: GRPC | +| domain | string | | Domain name of the agent | +| machineSid | string | | The Machine SID of the Agent Server. 
| +| osVersion | string | | OS version or version servicepack | +| isDC | bool | | Is Agent a domain controller | +| errorMessage | string | | Description of the failure condition | +| installState | string | | State of Activity Monitor agent: `NotInstalled`, `Unknown`, `Installed`, `Installing`, `Upgrading`, `Uninstalling`, `Outdated`, `Failed`, `ManagedBySI` (last one for Threat Prevention agents) | +| version | string | | Activity Monitor agent version | +| siInstallState | string | | State of Threat Prevention agent: `NotInstalled`, `Unknown`, `Installed`, `Installing`, `Upgrading`, `Uninstalling`, `Outdated`, `Failed`, `ManagedBySI` (last one for Threat Prevention agents) | +| siVersion | string | | Threat Prevention agent version | +| managedBySI | bool | | True if the Threat Prevention Agent configuration is managed by Threat Prevention. Otherwise Activity Monitor managed the Threat Prevention Agent | +| configVersion | string | | A hash of the config file | +| monitoredHostsUrl | string | | URL to the list of agent's hosts | +| monitoredDomainUrl | string | | URL to the domain monitored by the agent, if any | +| warnings | string[] | X | Array of errors/warnings if any | +| ad.safeModeStatus | string | X | `pending`, `approved`. If `pending`, the AD Module is in the safe (not yet loaded) mode. | +| ad.safeModeMessage | string | X | If in the safe mode, contains a reason why the agent switched to the mode. | +| ad.hardeningIsEnabled | bool | X | AD Module hardening is enabled or disabled. | +| ad.safeModeIsEnabled | bool | X | AD Module safe mode is enabled or disabled. | +| ad.dnsResolveIsEnabled | bool | X | AD Module DNS hostname resolution is enabled or disabled. | +| ad.siIpWhitelist | string[] | X | Whitelist of IPs allowed to connect to the AD Module port. 
| +| archive.IsEnabled | bool | X | Whether the archiving feature is enabled | +| archive.path | string | X | UNC path of the archival location | +| archive.userName | string | X | An account to access the archival location. | +| archive.password | string | X | User password to access the archival location. Password is not exposed. | +| archive.maxLocalSize | string | X | Maximum space the agent is allowed to use on the local drives. | +| fpolicy.port | int | X | NetApp c-mode fpolicy port | +| fpolicy.auth | string | X | `NoAuth`, `Server`, `Mutual` | +| fpolicy.ipWhitelist | string[] | X | IP whitelist | +| fpolicy.clientCertificate | string | X | The Client or CA certificate that is currently set. | +| fpolicy.serverCertificate | string | X | The FPolicy Server certificate that is currently set. Server Certificate is not exposed. | +| minLocalFreeSpace | string | X | Free disk threshold after which the agent stops writing data to the log files | +| cee.vcapsIsEnabled | bool | X | CEE Asynchronous bulk delivery (VCAPS) is enabled or disabled. | +| cee.vcapsInterval | int | X | Interval in seconds on how often events are delivered by CEE. | +| cee.vcapsEvents | int | X | Interval in number of events on how often events are delivered by CEE. | +| cee.httpEnabled | bool | X | CEE HTTP protocol is enabled or disabled | +| cee.rpcEnabled | bool | X | CEE RPC protocol is enabled or disabled | +| cee.ipWhitelist | string[] | X | Whitelist of IPs that are allowed to connect to the agent via http protocol. If blank the agent will accept connections from any host. | +| inactivityAlerts.isEnabled | bool | X | Whether Inactivity Alerting is enabled | +| inactivityAlerts.inactivityInterval | int | X | The time interval to elapse after the Monitored Host stops receiving events. | +| inactivityAlerts.replayInterval | int | X | How often to repeat an alert if the inactivity period is long lasting. 
| +| inactivityAlerts.inactivityCheckInterval | int | X | The time interval to check the Monitored Host for new events. | +| inactivityAlerts.syslog.server | string | X | The syslog server that is sent inactivity alerts. | +| inactivityAlerts.syslog.protocol | string | X | The syslog server protocol that is used: "UDP" , "TCP" , "TLS" | +| inactivityAlerts.syslog.separator | string | X | The syslog server separator / message framing that is used: "LF ASCII 10" , "CR ASCII 13" , "CRLF ASCII 13, 10" , "NUL ASCII 0" , "Octet Count RFC 5425". Only used for TCP and TLS protocols. | +| inactivityAlerts.syslog.template | string | X | The syslog server template text that is used. | +| inactivityAlerts.email.server | string | X | The email SMTP server that is sent inactivity alerts. | +| inactivityAlerts.email.ssl | bool | X | Email SMTP Server SSL / TLS is enabled or disabled. | +| inactivityAlerts.email.userName | string | X | Email SMTP Server Username. | +| inactivityAlerts.email.password | string | X | Email SMTP Server Password. Password is not exposed. | +| inactivityAlerts.email.from | string | X | Email address of where the inactivity alert is from. | +| inactivityAlerts.email.to | string | X | Email address of where the inactivity alert is sent to. | +| inactivityAlerts.email.subject | string | X | Email message subject of the inactivity alert. | +| inactivityAlerts.email.body | string | X | Email message body of the inactivity alert. | +| apiServerIsEnabled | bool | | API Server is enabled or disabled | +| apiServerPort | int | | API Server TCP/IP port | +| apiServerIpWhitelist | string[] | X | Whitelist of IPs allowed to connect to the API Server port. | +| apiServerMgmtConsole | string | X | NETBIOS name of the Console machine that manages the agent list of the API Server (only available for agent(s) that are running the api server) | +| traceLevel | string | X | The logging trace level of the agent. 
| +| externalNicName | string | X | The selected network interface that is used for connections. If blank, the agent will auto-detect the network interface to use. | +| comment | string | | The agent's set comment. | +| etwLogEnabled | bool | | If true or enabled the windows agent will produce extended debugging data (ETW) logs from the windows driver when Trace logging is enabled for the agent. | +| linux.serviceUsername | string | X | The linux agent's service username that is used to run the agent service / daemon. If blank, root user is used. | +| networkProxy.address | string | X | HTTP Proxy Server set in SERVER[:PORT] format. If blank HTTP Proxy is disabled. | +| networkProxy.useDefaultCredentials | bool | X | If enabled the proxy server authenticates as the agent's machine account. | +| networkProxy.bypassProxyOnLocal | bool | X | If enabled the agent will bypass the proxy server for local addresses. | +| networkProxy.userName | string | X | The Proxy Server Username | +| networkProxy.password | string | X | The Proxy Server Password. Password is not exposed. | +| networkProxy.bypassList | string[] | X | List of regular expressions that describe URIs that do not use the proxy server when accessed. | +| dns.isEnabled | bool | X | Local DNS caching service is enabled or disabled. | +| dns.listenPort | int | X | Port used by the DNS caching service. | +| dns.parallelism | int | X | Parallelism level to use while processing DNS requests. | +| dns.perfStatsTimeDebug | TimeSpan | X | Period to dump performance statistics on debug level. | +| dns.perfStatsTimeInfo | TimeSpan | X | Period to dump performance statistics on info level. | +| dns.forwardDnsServer | string[] | X | List of DNS servers specified to be used for lookups. If blank, the default DNS servers of the agent are used. | +| dns.cacheFile | string | X | The DNS cache buffer filename that is used. 
| +| dns.successTtl | TimeSpan | X | How long to cache successful lookup results before attempting the search again. | +| dns.failedTtl | TimeSpan | X | How long to cache a failed lookup result before attempting the search again. | +| dns.clientWaitTimeout | TimeSpan | X | The amount of the DNS service is allowed to process a request before sending a not found response. If no results are received the lookup operation continues in the background. | +| dns.refreshThreshold | TimeSpan | X | An interval between expired items in the cache check. | +| dns.maxCacheSize | int | X | The max size of the dns service buffer file. | +| dns.uselessAge | TimeSpan | X | The DNS service does not resolve names for events older then the set time period. | +| dns.maxAttemptsToResolve | int | X | Maximum attempts that the DNS service will use to resolve addresses. If 0 is set, the DNS service will resolve addresses infinitely. | +| dns.suffix | string | X | The DNS suffix identifies the domain name that is appended to an unqualified host name to obtain a fully qualified domain name (FQDN) suitable for a dns name query. | +| adUsers.domainControllers | string[] | X | List of Domain Controllers to be used for user lookups. If blank, the default behavior is used. | +| adUsers.lookupTimeout | TimeSpan | X | The amount of time the agent will wait for the query results. If no results are received , the agent reports an empty username in the events, but continues the lookup operation in the background. | +| adUsers.successCacheTtl | TimeSpan | X | How long to cache successful lookup results before attempting the lookup from Active Directory again. | +| adUsers.failedCacheTtl | TimeSpan | X | How long to cache failed lookup results before attempting the lookup from Active Directory again. | +| adUsers.maxCacheSize | int | X | The max size of the cache buffer file. | +| panzura.port | int | X | Agent port used for Panzura. 
| +| panzura.useCredentials | bool | X | Protection of Panzura port is enabled or disabled. | +| panzura.username | string | X | Panzura's MQ username used for port protection. | +| panzura.password | string | X | Panzura's MQ password used for port protection. Password is not exposed. | +| panzura.ipWhitelist | string[] | X | Whitelist of IP addresses of Panzura nodes that are allowed to connect to the Agent's Panzura port. If blank, connections from any host are accepted. | +| nutanix.port | int | X | Agent port used for Nutanix. | +| nutanix.ipWhitelist | string[] | X | Whitelist of IP addresses of Nutanix nodes that are allowed to connect to the Agent's Nutanix port. If blank, connections from any host are accepted. | +| qumulo.port | int | X | Agent port used for Qumulo. | +| qumulo.ipWhitelist | string[] | X | Whitelist of IP addresses of Qumulo nodes that are allowed to connect to the Agent's Qumulo port. If blank, connections from any host are accepted. | +| ctera.port | int | X | Agent port used for Ctera. | +| ctera.ipWhitelist | string[] | X | Whitelist of IP addresses of CTERA portals that are allowed to connect to the Agent's CTERA port. If blank, connections from any host are accepted. 
| + +**Response Example** + +``` +{ +    "warnings": [], +    "archive": { +        "isEnabled": false, +        "path": "\\\\KDVM01\\SBACTIVITYLOGS", +        "userName": "", +        "maxLocalSize": "5GB" +    }, +    "cee": { +        "vcapsIsEnabled": false, +        "vcapsInterval": 60, +        "vcapsEvents": 100, +        "httpEnabled": false, +        "rpcEnabled": true, +        "ipWhitelist": [] +    }, +    "ad": { +        "safeModeStatus": null, +        "safeModeMessage": null, +        "hardeningIsEnabled": false, +        "safeModeIsEnabled": true, +        "dnsResolveIsEnabled": true, +        "siIpWhitelist": [] +    }, +    "minLocalFreeSpace": "64MB", +    "fpolicy": { +        "port": 9999, +        "auth": "NoAuth", +        "ipWhitelist": [], +        "clientCertificate": "", +        "serverCertificate": "" +    }, +    "inactivityAlerts": { +        "isEnabled": false, +        "inactivityInterval": 360, +        "replayInterval": 360, +        "inactivityCheckInterval": 1, +        "syslog": { +            "server": "", +            "protocol": "UDP", +            "separator": "Lf", +            "template": "<14>1 %TIME_STAMP_UTC% %AGENT% %PRODUCT% - NO_DATA - [origin ip=\"%INACTIVE_SERVER_IP%\"][noactivity@33334 host=\"%INACTIVE_SERVER%\" lastEvent=\"%LAST_EVENT_TIME_STAMP_UTC%\" activityType=\"%ACTIVITY_TYPE%\"] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours." 
+        }, +        "email": { +            "server": "", +            "ssl": false, +            "userName": "", +            "from": "", +            "to": "", +            "subject": "[Activity Monitor] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours", +            "body": "There were no activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours.\n  \nHost:                 %INACTIVE_SERVER%\n  Activity Type: %ACTIVITY_TYPE%\n  Period of inactivity: %INACTIVITY_PERIOD_HOURS% hours / %INACTIVITY_PERIOD_MINUTES% minutes\n  Last event received:  %LAST_EVENT_TIME_STAMP_UTC% (UTC)\n  Last event received:  %LAST_EVENT_TIME_STAMP% (agent time)\n  Agent:                %AGENT%\n  \n  \n  %PRODUCT% %PRODUCT_VERSION%\n" +        } +    }, +    "panzura": { +        "port": 4497, +        "useCredentials": false, +        "username": "guest", +        "ipWhitelist": [] +    }, +    "nutanix": { +        "port": 4501, +        "ipWhitelist": [] +    }, +    "qumulo": { +        "port": 4496, +        "ipWhitelist": [] +    }, +    "ctera": { +        "port": 4499, +        "ipWhitelist": [] +    }, +    "linux": { +        "serviceUsername": "" +    }, +    "apiServerIpWhitelist": [], +    "apiServerMgmtConsole": "KDVM01", +    "traceLevel": "Info", +    "externalNicName": "", +    "dns": { +        "isEnabled": false, +        "listenPort": 4503, +        "parallelism": 4, +        "perfStatsTimeDebug": "00:01:00", +        "perfStatsTimeInfo": "00:10:00", +        "forwardDnsServer": [], +        "cacheFile": "dns.cache", +        "successTtl": "01:00:00", +        "failedTtl": "00:01:00", +        "clientWaitTimeout": "00:00:01.8000000", +        "refreshThreshold": "00:00:01", +        "maxCacheSize": 1000000, +        "uselessAge": "1.00:00:00", +        "maxAttemptsToResolve": 30, +        "suffix": "" +    }, +    "adUsers": { +        "domainControllers": [], +        "lookupTimeout": "00:00:02", +        
"successCacheTtl": "10:00:00", +        "failedCacheTtl": "00:01:00", +        "maxCacheSize": 300000 +    }, +    "networkProxy": { +        "address": "", +        "useDefaultCredentials": false, +        "bypassProxyOnLocal": false, +        "userName": "", +        "bypassList": [] +    }, +    "id": "AGENT0", +    "platformId": "windows", +    "url": "https://127.0.0.1:4494/api/v1/agents/AGENT0", +    "host": "KDVM01", +    "netbiosName": "KDVM01", +    "authenticationMethod": "Password", +    "userName": "KDUD1\\Administrator", +    "clientCertificate": "", +    "protocol": "GRPC", +    "domain": "KDUD1", +    "machineSid": "S-1-5-21-3126412784-2087258618-1984987930-1105", +    "osVersion": "10.0.14393.0", +    "isDC": false, +    "errorMessage": "", +    "installState": "Installed", +    "version": "7.1.164", +    "siInstallState": "NotInstalled", +    "siVersion": "", +    "managedBySI": false, +    "configVersion": "xVdvRQnWGvifzQ8Q9rpfVj227Jo=", +    "monitoredHostsUrl": "https://127.0.0.1:4494/api/v1/agents/AGENT0/hosts", +    "monitoredDomainUrl": "https://127.0.0.1:4494/api/v1/agents/AGENT0/domain", +    "apiServerIsEnabled": true, +    "apiServerPort": 4494, +    "comment": "", +    "agentPort": 4498 +} +``` diff --git a/docs/activitymonitor/9.0/restapi/resources/domain.md b/docs/activitymonitor/9.0/restapi/resources/domain.md new file mode 100644 index 0000000000..ecf67dfcca --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/resources/domain.md 
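Review bot: the attribute table in this hunk has several wording defects that should be fixed before merge: `dns.clientWaitTimeout` is missing a word ("The amount of the DNS service is allowed" should read "The amount of time the DNS service is allowed"), `dns.uselessAge` has "older then" for "older than", `dns.refreshThreshold` ("An interval between expired items in the cache check") cannot be parsed and should state how often the cache is scanned for expired entries, and `adUsers.lookupTimeout` has a stray space before its comma. Separately, the response example documents an agent whose `cee.ipWhitelist`, `fpolicy.ipWhitelist`, `panzura.ipWhitelist`, `nutanix.ipWhitelist`, `qumulo.ipWhitelist`, `ctera.ipWhitelist` and `apiServerIpWhitelist` are all `[]`, with `fpolicy.auth` at `NoAuth` and `panzura.useCredentials` at `false`; since the table itself says a blank whitelist accepts connections from any host, the page should say plainly that these are the open defaults and that operators are expected to populate the whitelists, and enable port protection where the listener offers it, for any port reachable beyond the local host.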
@@ -0,0 +1,99 @@ +--- +title: "Domain" +description: "Domain" +sidebar_position: 20 +--- + +# Domain + +| Attribute | Type | Detailed Only | Description | +| -------------- | -------- | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| id | string | | Domain ID | +| url | string | | Self URL | +| name | string | | Domain NETBIOS name | +| managedBySI | bool | | Whether the monitoring configuration is managed by Threat Prevention or Activity Monitor | +| outputs | output[] | | Domain outputs. Domain outputs are common for all the domain controllers. However, there are several agent-specific settings, like `archivePath`. Do get agent-specific outputs use `api/v1/agents/«agentId»/domain`. | +| outputsUrl | string | | URL to domain outputs | +| agentsUrl | string | | URL to domain controllers | +| masterAgentId | string | | ID of the Master agent - the one whose configuration is considered the master one. | +| masterAgentUrl | string | | URL to the Master agent. | +| policies | policy[] | | Domain Policies. The list of policies for the domain. 
| + +**Response Example** + +``` +{ +    "id": "KDUD1", +    "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1", +    "name": "KDUD1", +    "managedBySI": false, +    "outputs": [ +        { +            "id": "69cce1100fce406192d1d8553083af43", +            "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs/69cce1100fce406192d1d8553083af43", +            "domainId": "KDUD1", +            "domainUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1", +            "agentsIds": [], +            "isEnabled": true, +            "type": "LogFile", +            "logFile": { +                "format": "Json", +                "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\KDUD1_Log_.json", +                "archivePath": "\\\\KDVM01\\SBACTIVITYLOGS\\KDDC01\\KDUD1_69cce110-0fce-4061-92d1-d8553083af43\\KDUD1_Log_.json", +                "periodToRetainLog": 10, +                "reportUserName": false, +                "reportUncPath": false, +                "addCToPath": true, +                "reportMilliseconds": true, +                "stealthAudit": true +            }, +            "comment": "", +            "managedBy": "", +            "altHost": "" +        }, +        { +            "id": "cd34eb7a0c1d40c097b56056af2afd73", +            "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs/cd34eb7a0c1d40c097b56056af2afd73", +            "domainId": "KDUD1", +            "domainUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1", +            "agentsIds": [], +            "isEnabled": true, +            "type": "Syslog", +            "syslog": { +                "reportUncPath": false, +                "addCToPath": true, +                "server": "1.2.3.4:514", +                "protocol": "UDP", +                "separator": "Lf", +                "template": "%SYSLOG_DATE% %HOST% 
LEEF:1.0|%COMPANY%|%PRODUCT%|%PRODUCT_VERSION%|%EVENT_SOURCE_TYPE%%CLASS_NAME%%EVENTNAMETRANSLATED%%SUCCESS%%BLOCKED_EVENT%|cat=%EVENTNAMETRANSLATED%\tdevTimeFormat=yyyy-MM-dd HH:mm:ss.SSS\tdevTime=%TIME_STAMP%\tSettingName=%SETTING_NAME%\tdomain=%EVENT_SOURCE_NAME%\tusrName=%PERPETRATOR_NAME%\tsrc=%ORIGINATINGCLIENTIP%\tdst=%ORIGINATING_SERVERIP%\tDistinguishedName=%DN%\tAffectedObject=%AFFECTED_OBJECT_ACCOUNT_NAME%\tClassName=%CLASS_NAME%\tOrigServer=%ORIGINATING_SERVER%\tSuccess=%SUCCESS%\tBlocked=%BLOCKED_EVENT%\tAttrName=%ATTRIBUTE_NAME%\tAttrNewValue=%ATTRIBUTE_VALUE%\tAttrOldValue=%OLD_ATTRIBUTE_VALUE%\tOperation=%OPERATION%" +            }, +            "comment": "", +            "managedBy": "", +            "altHost": "" +        }, +        { +            "id": "bee61b424f214f7583e9cece222b8f41", +            "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs/bee61b424f214f7583e9cece222b8f41", +            "domainId": "KDUD1", +            "domainUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1", +            "agentsIds": [], +            "isEnabled": true, +            "type": "Amqp", +            "amqp": { +                "server": "5.6.7.8:10001", +                "userName": "StealthINTERCEPT", +                "queue": "", +                "exchange": "StealthINTERCEPT", +                "vhost": "" +            }, +            "comment": "", +            "managedBy": "", +            "altHost": "" +        } +    ], +    "outputsUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1/outputs", +    "agentsUrl": "https://127.0.0.1:4494/api/v1/domains/KDUD1/agents", +    "masterAgentId": "AGENT1", +    "masterAgentUrl": "https://127.0.0.1:4494/api/v1/agents/AGENT1" +} +``` diff --git a/docs/activitymonitor/9.0/restapi/resources/host.md b/docs/activitymonitor/9.0/restapi/resources/host.md new file mode 100644 index 0000000000..68d698d4cd --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/resources/host.md 
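Review bot: the `outputs` description reads "Do get agent-specific outputs use `api/v1/agents/«agentId»/domain`"; "Do" should be "To". The table also lists a `policies` attribute of type `policy[]` that the response example never shows, and the row carries no "Detailed Only" mark, so either the example should include `policies` or the row should be marked detailed-only and say what a `policy` object contains. Two smaller points: the Syslog and AMQP examples use `1.2.3.4:514` and `5.6.7.8:10001`, which are routable public addresses; documentation addresses from 192.0.2.0/24 (RFC 5737) avoid a reader copying a real host into a configuration. And the syslog `template` here uses `%EVENTNAMETRANSLATED%`, `%PERPETRATOR_NAME%`, `%ORIGINATINGCLIENTIP%` and `%ORIGINATING_SERVERIP%`, whereas the host example in the same change uses `%EVENT_NAME%`, `%PERPETRATOR%`, `%ORIGINATING_CLIENT_IP%` and `%ORIGINATING_SERVER_IP%`; if the Active Directory and file-activity macro sets genuinely differ, one sentence saying so would stop readers from mixing them.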
@@ -0,0 +1,480 @@ +--- +title: "Host" +description: "Host" +sidebar_position: 30 +--- + +# Host + +| Attribute | Type | Detailed Only | Description | +| ---------------------------------------- | -------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| id | string | | ID of the host. | +| url | string | | Self URL | +| host | string | | Host name/Address as specified by a user | +| type | string | | `Windows`,`NetApp`,`Celerra`,`Isilon`,`Hitachi`,`SharePoint`,`Unity`,`Nasuni`, `Panzura`, `SharePointOnline`, `AzureAD`, `Linux`, `SqlServer` | +| userName | string | | An account to connect the host to | +| password | string | X | Account password to connect the host to. Password is not exposed. | +| autoConfigureAuditing | bool | | Automatically enable the auditing on the device, if supported | +| monitorAuditingStatus | bool | | Constantly verify that the auditing is enabled, fix if needed | +| hostAliases | string[] | | List of server names for NAS if they are different from the set name of the host. | +| outputs | output[] | | Array of host's outputs | +| inactivityAlerts.isEnabled | bool | | Whether Inactivity Alerting is enabled | +| inactivityAlerts.useCustomSettings | bool | | Whether to use custom host settings, or inherit from agent settings. | +| inactivityAlerts.inactivityInterval | int | | The time interval to elapse after the Monitored Host stops receiving events. | +| inactivityAlerts.replayInterval | int | | How often to repeat an alert if the inactivity period is long lasting. | +| inactivityAlerts.inactivityCheckInterval | int | | The time interval to check the Monitored Host for new events. | +| inactivityAlerts.syslog.server | string | | The syslog server that is sent inactivity alerts. 
| +| inactivityAlerts.syslog.protocol | string | | The syslog protocol that is used: "UDP" , "TCP" , "TLS" | +| inactivityAlerts.syslog.separator | string | | The syslog server separator / message framing that is used: "LF ASCII 10" , "CR ASCII 13" , "CRLF ASCII 13, 10" , "NUL ASCII 0" , "Octet Count RFC 5425". Only used for TCP and TLS protocols. | +| inactivityAlerts.syslog.template | string | | The syslog message template text. | +| inactivityAlerts.email.server | string | | The email or SMTP server or IP that is used to send host inactivity alerts. | +| inactivityAlerts.email.ssl | bool | | Email SMTP Server SSL / TLS is enabled or disabled. | +| inactivityAlerts.email.userName | string | | The email or SMTP server user name. | +| inactivityAlerts.email.password | string | X | The email or SMTP server password. Password is not exposed. | +| inactivityAlerts.email.from | string | | Email address of where the inactivity alert is from. | +| inactivityAlerts.email.to | string | | Email address of where the inactivity alert is sent to. | +| inactivityAlerts.email.subject | string | | Email message subject of the inactivity alert. | +| inactivityAlerts.email.body | string | | Email message body of the inactivity alert. | +| uidTranslate.isEnabled | bool | | NFS UID translation to Windows SID is enabled or disabled. | +| uidTranslate.domainController | string | | The name of the forest or a Domain Controller. Used for Active Directory searches. | +| uidTranslate.port | int | | The port used for Active Directory searches. | +| uidTranslate.options | string | | The set options used for Active Directory searches. | +| uidTranslate.container | string | | The Active Directory container set to be searched. | +| uidTranslate.scope | string | | The scope of the Active Directory search. | +| uidTranslate.filter | string | | The filter of the Active Directory search. | +| hitachi.uncLogPath | string | | The path of the hitachi audit event log file. 
| +| hitachi.logFileName | string | | The filename of the hitachi audit event log. | +| hitachi.pollingInterval | TimeSpan | | The interval of polling the log for new events. | +| api.protocol | string | | The API Protocol being used: "AutoDetect", "HTTPS", "HTTPSIgnoreErrors", "HTTP". | +| api.certificate | string | | The text output of the HTTPS certificate. | +| api.hostNameVerification | bool | | If certificate hostname verification is enabled or disabled. | +| api.channel | string | | The communication method being used: "AutoDetect", "ONTAPI", "REST" (only used for netapp hosts) | +| netapp.managementLif | string | | The Management LIF of the netapp host. Disabled / Empty by default. | +| netapp.nfs3EventName | string | | The fpolicy Event Name for successful NFSv3 Events. Default: "StealthAUDITScreeningNfsV3" | +| netapp.nfs3FailedEventName | string | | The fpolicy Event Name for failed NFSv3 Events. Default: "StealthAUDITScreeningFailedNfsV3" | +| netapp.nfs4FailedEventName | string | | The fpolicy Event Name for failed NFSv4 Events. Deafult: "StealthAUDITScreeningFailedNfsV4" | +| netapp.nfs4EventName | string | | The fpolicy Event Name for successful NFSv4 Events. Default: "StealthAUDITScreeningNfsV4" | +| netapp.cifsEventName | string | | The fpolicy Event Name for successful CIFS Events. Default: "StealthAUDITScreeningCifs" | +| netapp.cifsFailedEventName | string | | The fpolicy Event Name for failed CIFS Events. Default: "StealthAUDITScreeningCifs" | +| netapp.policyName | string | | The fpolicy Policy Name used for the Activity Monitor. Default: "StealthAUDIT" | +| netapp.externalEngineName | string | | The fpolicy External Engine Name used for the Activity Monitor. 
Default: "StealthAUDITEngine" | +| netapp.persistentStore.volume | string | | Name of the volume to use for the Persistent Store feature.| +| netapp.persistentStore.size | long | | Initial size of the volume for the Persistent Store feature.| +| netapp.persistentStore.autoSize | string | | `off` (default), `grow`, or `grow_shrink`.| +| sharePoint.pollingInterval | TimeSpan | | The polling interval set for sharepoint on premise hosts. | +| spo.azure.domain | string | | The Azure Active Directory domain being monitored for SharePoint Online. | +| spo.azure.azureCloud | string | | The selected Azure Cloud being used: "Azure", "Azure for US Government GCC", "Azure for Government GCC High", "Azure for US Government DoD", "Azure Germany", "Azure China by 21Vianet" | +| spo.azure.tenantId | string | | The azure Tenant ID | +| spo.azure.tenantName | string | | The azure Tenant Name | +| spo.azure.clientId | string | | The azure Tenant Client ID. | +| spo.azure.clientSecret | string | X | The azure Client Secret. Client Secret is not exposed. | +| spo.azure.region | string | | The azure Region. | +| azureAd.azure.domain | string | | The Azure Active Directory domain being monitored. | +| azureAd.azure.azureCloud | string | | The selected Azure Cloud being used: "Azure", "Azure for US Government GCC", "Azure for Government GCC High", "Azure for US Government DoD", "Azure Germany", "Azure China by 21Vianet" | +| azureAd.azure.tenantId | string | | The azure Tenant ID | +| azureAd.azure.tenantName | string | | The azure Tenant Name | +| azureAd.azure.clientId | string | | The azure Tenant Client ID. | +| azureAd.azure.clientSecret | string | X | The azure Client Secret. Client Secret is not exposed. | +| azureAd.azure.region | string | | The azure Region. | +| exchangeOnline.azure.domain | string | | The Azure Active Directory domain being monitored for Exchange Online. 
| +| exchangeOnline.azure.azureCloud | string | | The selected Azure Cloud being used: "Azure", "Azure for US Government GCC", "Azure for Government GCC High", "Azure for US Government DoD", "Azure Germany", "Azure China by 21Vianet" | +| exchangeOnline.azure.tenantId | string | | The azure Tenant ID | +| exchangeOnline.azure.tenantName | string | | The azure Tenant Name | +| exchangeOnline.azure.clientId | string | | The azure Tenant Client ID. | +| exchangeOnline.azure.clientSecret | string | X | The azure Client Secret. Client Secret is not exposed. | +| exchangeOnline.azure.region | string | | The azure Region. | +| sql.pollingInterval | string | | The interval for polling SQL log for new events. | +| sql.tweakOptions | string[] | | Extended Events tweaking options for SQL hosts. | +| outputsUrl | string | | URL to the host's outputs | +| agentsUrl | string | | URL to the agents that are monitoring the host | +| status.updatedAt | DateTime | | A timestamp when the status has changed to this value. | +| status.type | string | | OK, Error, or Warning - indicates a type of the status. | +| status.summary | string | | A user-friendly summary string of the status. May be empty for the OK type, non-empty otherwise. | +| status.details | string | | A user-friendly message that describes the status. May be empty. | +| status.helpUrl | string | | A URL to a documentation or KB article about the issue. May be empty. | +| statusHistoryUrl | string | | URL to the status history of the host. | +| stats.receivedAt | DateTime | | Timestamp indicating the last time the Agent received something from the Host. | +| stats.receivedCount | long | | Total number of events received by the agent for the Host. | +| stats.lastEventTime | DateTime | | The most recent timestamp among all recent events received for the Host. File servers and other event sources can deliver events out of order. For example, each node of PowerScale cluster has its log and delivery cadence. 
This field shows the MAX(timestamp) for recent events. | + +**Response Example** + +``` +{ +    "autoConfigureAuditing": false, +    "monitorAuditingStatus": false, +    "hostAliases": [], +    "inactivityAlerts": { +        "isEnabled": false, +        "useCustomSettings": false, +        "inactivityInterval": 360, +        "replayInterval": 360, +        "inactivityCheckInterval": 1, +        "syslog": { +            "server": "", +            "protocol": "UDP", +            "separator": "Lf", +            "template": "<14>1 %TIME_STAMP_UTC% %AGENT% %PRODUCT% - NO_DATA - [origin ip=\"%INACTIVE_SERVER_IP%\"][noactivity@33334 host=\"%INACTIVE_SERVER%\" lastEvent=\"%LAST_EVENT_TIME_STAMP_UTC%\" activityType=\"%ACTIVITY_TYPE%\"] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours." +        }, +        "email": { +            "server": "", +            "ssl": false, +            "userName": "", +            "from": "", +            "to": "", +            "subject": "[Activity Monitor] No activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours", +            "body": "There were no activity events from %INACTIVE_SERVER% for %INACTIVITY_PERIOD_HOURS% hours.\n  \nHost:                 %INACTIVE_SERVER%\n  Activity Type: %ACTIVITY_TYPE%\n  Period of inactivity: %INACTIVITY_PERIOD_HOURS% hours / %INACTIVITY_PERIOD_MINUTES% minutes\n  Last event received:  %LAST_EVENT_TIME_STAMP_UTC% (UTC)\n  Last event received:  %LAST_EVENT_TIME_STAMP% (agent time)\n  Agent:                %AGENT%\n  \n  \n  %PRODUCT% %PRODUCT_VERSION%\n" +        } +    }, +    "id": "Windows-kdvm01", +    "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01", +    "host": "KDVM01", +    "type": "Windows", +    "userName": "", +    "outputs": [ +        { +            "id": "b08e3c84905b4aed8718f42d2ecc523d", +            "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/b08e3c84905b4aed8718f42d2ecc523d", +            "hostId": 
"Windows-kdvm01", +            "hostUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01", +            "agentsIds": [ +                "AGENT0" +            ], +            "logsUrl": "https://127.0.0.1:4494/api/v1/logs/b08e3c84905b4aed8718f42d2ecc523d", +            "isEnabled": true, +            "type": "LogFile", +            "logFile": { +                "format": "Tsv", +                "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\KDVM01_Log_.tsv", +                "archivePath": "", +                "periodToRetainLog": 10, +                "reportUserName": false, +                "reportUncPath": false, +                "addCToPath": true, +                "reportMilliseconds": true, +                "stealthAudit": true +            }, +            "fileFilter": { +                "allowed": true, +                "denied": true, +                "cifs": true, +                "nfs": true, +                "read": true, +                "dirRead": false, +                "create": true, +                "dirCreate": true, +                "rename": true, +                "dirRename": true, +                "delete": true, +                "dirDelete": true, +                "update": true, +                "permission": true, +                "dirPermission": true, +                "attribute": true, +                "dirAttribute": true, +                "readOptimize": false, +                "shareAdd": false, +                "shareDelete": false, +                "shareUpdate": false, +                "sharePermission": false, +                "streamRead": true, +                "streamUpdate": true, +                "streamDelete": true, +                "streamAdd": true, +                "includePaths": [], +                "excludePaths": [], +                "excludeExtensions": [ +                    ".TMP", +                    ".RCV", +                    ".DS_STORE", +                    ".POLICY", +       
             ".MANIFEST", +                    ".LACCDB", +                    ".LDB" +                ], +                "excludeProcesses": [ +                    "SBTService.exe", +                    "FPolicyServerSvc.exe", +                    "CelerraServerSvc.exe", +                    "FSACLoggingSvc.exe", +                    "HitachiService.exe", +                    "SIWindowsAgent.exe", +                    "SIGPOAgent.exe", +                    "LogProcessorSrv.exe", +                    "SearchIndexer.exe", +                    "WindowsSearch.exe", +                    "StealthAUDIT", +                    "MonitorService35.exe", +                    "MonitorService40.exe", +                    "MonitorService45.exe", +                    "Configuration.exe", +                    "ConfigurationAgent.exe", +                    "ConfigurationAgent.Grpc.Host.exe" +                ], +                "excludeReadProcesses": [], +                "excludeAccounts": [ +                    "S-1-5-17", +                    "S-1-5-18", +                    "S-1-5-19", +                    "S-1-5-20" +                ], +                "filterGroups": false, +                "officeFiltering": false, +                "pathFilters": [ +                    "-**\\~$*.DOC", +                    "-**\\~$*.DOCX", +                    "-**\\~$*.ODT", +                    "-**\\~$*.PPT", +                    "-**\\~$*.PPTX", +                    "-**\\~$*.PUB", +                    "-**\\~$*.RTF", +                    "-**\\~$*.TXT", +                    "-**\\~$*.WPS", +                    "-**\\~$*.XLSX", +                    "-**\\~$*.XSN", +                    "-**\\~$*.XML", +                    "-**\\~$*.DOCM", +                    "-**\\~$*.DOTX", +                    "-**\\~$*.DOTM", +                    "-**\\~$*.DOT", +                    "-**\\~$*.MHT", +                    "-**\\~$*.HTM", +                    "-**\\~$*.XLSM", +                    
"-**\\~$*.XLSB", +                    "-**\\~$*.XLTX", +                    "-**\\~$*.XLTM", +                    "-**\\~$*.XLAM", +                    "-**\\~$*.ODS", +                    "-**\\~$*.PPTM", +                    "-**\\~$*.POTX", +                    "-**\\~$*.POTM", +                    "-**\\~$*.POT", +                    "-**\\~$*.THMX", +                    "-**\\~$*.PPSX", +                    "-**\\~$*.PPSM", +                    "-**\\~$*.PPS", +                    "-**\\~$*.ODP", +                    "-**\\~$*.PDF", +                    "-**\\~$*.XPS", +                    "-**\\.TEMPORARYITEMS\\**", +                    "-**\\~SNAPSHOT\\**", +                    "-**\\WATSONRC.DAT", +                    "-**\\DESKTOP.INI", +                    "-C:\\Windows\\**", +                    "-C:\\Program Files\\**", +                    "-C:\\Program Files (x86)\\**", +                    "-C:\\ProgramData\\**", +                    "-C:\\Documents and Settings\\**", +                    "-C:\\Users\\**" +                ], +                "discardPreviewSubfolderReads": true, +                "discardPreviewSubfolderReadsInterval": 10, +                "discardPreviewFileReads": false, +                "discardPreviewFileReadsInterval": 60, +                "discardPreviewFileReadsFilenames": [ +                    "*.exe", +                    "*.url", +                    "*.lnk" +                ], +                "duplicateReadsInterval": 60 +            }, +            "comment": "", +            "managedBy": "", +            "windows": { +                "vssCreation": true, +                "vssDeletion": true, +                "vssActivity": true, +                "discardReorderedAcl": true, +                "discardInheritedAcl": false +            }, +            "status": { +                "updatedAt": "2024-09-16T17:32:24.9987211Z", +                "type": "OK" +            }, +            "statusHistoryUrl": 
"https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/b08e3c84905b4aed8718f42d2ecc523d/statusHistory", +            "altHost": "", +            "stats": { +                "reportedAt": "2024-09-16T16:33:13.803Z", +                "reportedCount": 0, +                "lastEventTime": "2024-09-16T16:33:13.803Z", +                "filesCount": 2, +                "filesSize": 1440, +                "archiveFilesCount": 0, +                "archiveFilesSize": 0 +            } +        }, +        { +            "id": "f20aa0a8b7de4961b8ea9016b0d5d579", +            "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/f20aa0a8b7de4961b8ea9016b0d5d579", +            "hostId": "Windows-kdvm01", +            "hostUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01", +            "agentsIds": [ +                "AGENT0" +            ], +            "isEnabled": true, +            "type": "Syslog", +            "syslog": { +                "reportUncPath": false, +                "addCToPath": true, +                "server": "192.168.2.1:514", +                "protocol": "UDP", +                "separator": "Lf", +                "template": "%SYSLOG_DATE% %HOST% LEEF:1.0|%COMPANY%|%PRODUCT%|%PRODUCT_VERSION%|%EVENT_SOURCE_TYPE%%CLASS_NAME%%EVENT_NAME%%SUCCESS%%BLOCKED_EVENT%|cat=%EVENT_NAME%\tdevTimeFormat=yyyy-MM-dd HH:mm:ss.SSS\tdevTime=%TIME_STAMP%\tSettingName=%SETTING_NAME%\tdomain=%EVENT_SOURCE_NAME%\tusrName=%PERPETRATOR%\tsrc=%ORIGINATING_CLIENT_IP%\tdst=%ORIGINATING_SERVER_IP%\tDistinguishedName=%FILE_PATH%\tAffectedObject=\tClassName=%CLASS_NAME%\tOrigServer=%ORIGINATING_SERVER%\tSuccess=%SUCCESS%\tBlocked=%BLOCKED_EVENT%\tAttrName=%ATTRIBUTE_NAME%\tAttrNewValue=%ATTRIBUTE_VALUE%\tAttrOldValue=%OLD_ATTRIBUTE_VALUE%\tOperation=%OPERATION%" +            }, +            "fileFilter": { +                "allowed": true, +                "denied": true, +                "cifs": true, +                "nfs": true, +                "read": 
true, +                "dirRead": false, +                "create": true, +                "dirCreate": true, +                "rename": true, +                "dirRename": true, +                "delete": true, +                "dirDelete": true, +                "update": true, +                "permission": true, +                "dirPermission": true, +                "attribute": true, +                "dirAttribute": true, +                "readOptimize": false, +                "shareAdd": false, +                "shareDelete": false, +                "shareUpdate": false, +                "sharePermission": false, +                "streamRead": true, +                "streamUpdate": true, +                "streamDelete": true, +                "streamAdd": true, +                "includePaths": [], +                "excludePaths": [], +                "excludeExtensions": [ +                    ".TMP", +                    ".RCV", +                    ".DS_STORE", +                    ".POLICY", +                    ".MANIFEST", +                    ".LACCDB", +                    ".LDB" +                ], +                "excludeProcesses": [ +                    "SBTService.exe", +                    "FPolicyServerSvc.exe", +                    "CelerraServerSvc.exe", +                    "FSACLoggingSvc.exe", +                    "HitachiService.exe", +                    "SIWindowsAgent.exe", +                    "SIGPOAgent.exe", +                    "LogProcessorSrv.exe", +                    "SearchIndexer.exe", +                    "WindowsSearch.exe", +                    "StealthAUDIT", +                    "MonitorService35.exe", +                    "MonitorService40.exe", +                    "MonitorService45.exe", +                    "Configuration.exe", +                    "ConfigurationAgent.exe", +                    "ConfigurationAgent.Grpc.Host.exe" +                ], +                "excludeReadProcesses": [], +                
"excludeAccounts": [ +                    "S-1-5-17", +                    "S-1-5-18", +                    "S-1-5-19", +                    "S-1-5-20" +                ], +                "filterGroups": false, +                "officeFiltering": false, +                "pathFilters": [ +                    "-**\\~$*.DOC", +                    "-**\\~$*.DOCX", +                    "-**\\~$*.ODT", +                    "-**\\~$*.PPT", +                    "-**\\~$*.PPTX", +                    "-**\\~$*.PUB", +                    "-**\\~$*.RTF", +                    "-**\\~$*.TXT", +                    "-**\\~$*.WPS", +                    "-**\\~$*.XLSX", +                    "-**\\~$*.XSN", +                    "-**\\~$*.XML", +                    "-**\\~$*.DOCM", +                    "-**\\~$*.DOTX", +                    "-**\\~$*.DOTM", +                    "-**\\~$*.DOT", +                    "-**\\~$*.MHT", +                    "-**\\~$*.HTM", +                    "-**\\~$*.XLSM", +                    "-**\\~$*.XLSB", +                    "-**\\~$*.XLTX", +                    "-**\\~$*.XLTM", +                    "-**\\~$*.XLAM", +                    "-**\\~$*.ODS", +                    "-**\\~$*.PPTM", +                    "-**\\~$*.POTX", +                    "-**\\~$*.POTM", +                    "-**\\~$*.POT", +                    "-**\\~$*.THMX", +                    "-**\\~$*.PPSX", +                    "-**\\~$*.PPSM", +                    "-**\\~$*.PPS", +                    "-**\\~$*.ODP", +                    "-**\\~$*.PDF", +                    "-**\\~$*.XPS", +                    "-**\\.TEMPORARYITEMS\\**", +                    "-**\\~SNAPSHOT\\**", +                    "-**\\WATSONRC.DAT", +                    "-**\\DESKTOP.INI", +                    "-C:\\Windows\\**", +                    "-C:\\Program Files\\**", +                    "-C:\\Program Files (x86)\\**", +                    "-C:\\ProgramData\\**", +                    "-C:\\Documents 
and Settings\\**", +                    "-C:\\Users\\**" +                ], +                "discardPreviewSubfolderReads": true, +                "discardPreviewSubfolderReadsInterval": 10, +                "discardPreviewFileReads": false, +                "discardPreviewFileReadsInterval": 60, +                "discardPreviewFileReadsFilenames": [ +                    "*.exe", +                    "*.url", +                    "*.lnk" +                ], +                "duplicateReadsInterval": 60 +            }, +            "comment": "", +            "managedBy": "", +            "windows": { +                "vssCreation": true, +                "vssDeletion": true, +                "vssActivity": true, +                "discardReorderedAcl": true, +                "discardInheritedAcl": false +            }, +            "status": { +                "updatedAt": "2024-09-16T17:32:24.9987211Z", +                "type": "OK" +            }, +            "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs/f20aa0a8b7de4961b8ea9016b0d5d579/statusHistory", +            "altHost": "", +            "stats": { +                "reportedCount": 0 +            } +        } +    ], +    "outputsUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/outputs", +    "agentsUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/agents", +    "status": { +        "updatedAt": "2024-09-16T17:32:24.9987211Z", +        "type": "OK" +    }, +    "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm01/statusHistory", +    "stats": { +        "receivedCount": 0, +        "lastEventTime": "2024-09-16T16:33:13.803Z" +    } +} +``` diff --git a/docs/activitymonitor/9.0/restapi/resources/output.md b/docs/activitymonitor/9.0/restapi/resources/output.md new file mode 100644 index 0000000000..5d881c9d1b --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/resources/output.md 
@@ -0,0 +1,462 @@ +--- +title: "Output" +description: "Output" +sidebar_position: 40 +--- + +# Output + +| Attribute | Type | Detailed Only | Description | +| -------------------------- | ---------------- | ------------- | -------------------------------------------------------------------------------------------------------- | +| id | string | | ID of the output. | +| url | string | | Self URL | +| hostId | string | | ID of the host that owns the output. | +| hostUrl | string | | URL of the host that owns the output. | +| agentsIds | string[] | | List of Agent IDs of the agents managing the output. | +| domainId | string | | AD only: ID of the owning domain | +| domainUrl | string | | AD only: Link to the owning domain | +| logsUrl | string | | Link to the file output log files (for the local agent only, that has the API Server running) | +| isEnabled | bool | | Whether or not the output is enabled. If disabled, no activity is forwarded to it. | +| type | string | | `LogFile`,`Syslog`,`Amqp` | +| logFile | FileOutput | | Log file settings | +| syslog | SyslogOutput | | Syslog settings | +| amqp | AmqpOutput | | AMQP/DEFEND settings | +| fileFilter | FileFilter | | Filtering settings for file activity | +| sharePointFilter | SharePointFilter | | Filtering settings for SharePoint | +| comment | string | | User's comment | +| managedBy | string | | Name of a product that manages this output, if not self managed by NAM Agent. Values: `Threat Prevention`| +| windows | WindowsOptions | | Windows filtering settings | +| status.updatedAt | DateTime | | A timestamp when the status has changed to this value. | +| status.type | string | | OK, Error, or Warning - indicates a type of the status. | +| status.summary | string | | A user-friendly summary string of the status. May be empty for the OK type, non-empty otherwise. | +| status.details | string | | A user-friendly message that describes the status. May be empty. 
| +| statusHistoryUrl | string | | URL of the output's status history. | +| altHost | string | | A hostname that is reported in the activity events instead of the real hostname. | +| stats.reportedAt | DateTime | | Timestamp indicating the last time when an event was reported to the Output. | +| stats.reportedCount | long | | Total number of events reported to the Output. | +| stats.lastEventTime | DateTime | | The most recent timestamp among all reported events to the Output. | +| stats.filesCount | int | | Number of log files on the agent's server. | +| stats.filesSize | long | | Total size of log files on the agent's server. | +| stats.archiveFilesCount | int | | Number of log files in the archival location. | +| stats.archiveFilesSize | long | | Total size of log files in the archival location. | +| stats.archiveLastEventTime | DateTime | | The most recent timestamp in the recently archived log file. | + +## FileOutput + +| Attribute | Type | Detailed Only | Description | +| ------------------ | ------ | ------------- | ------------------------------------------------------------------------------------- | +| format | string | | `Tsv`, `Json` | +| path | string | | Log file path on the agent's drive. Timestamp is added before the extension. | +| archivePath | string | | Log file path in the archival location (UNC path) | +| periodToRetainLog | int | | Number of days to keep the log files alive both on the local drive and in the archive | +| reportUserName | bool | | Resolve and report user name | +| reportUncPath | bool | | Report UNC paths in addition to local/native paths | +| addCToPath | bool | | Prepend the path `C:\` and change the forward slashes to backslashes. 
| +| reportMilliseconds | bool | | Report events' time with milliseconds | +| stealthAudit | bool | | The file was marked for consumption by Access Analyzer | + +## SyslogOutput + +| Attribute | Type | Detailed Only | Description | +| ------------- | ------ | ------------- | --------------------------------------------------------------------- | +| server | string | | Hostname/address of the syslog server in the format HOST:PORT. | +| protocol | string | | `UDP`, `TCP`, `TLS` | +| separator | string | | `Lf`,Cr, `CrLf`, `Nul`, `Rfc5425` | +| reportUncPath | bool | | Report UNC paths in addition to local/native paths | +| addCToPath | bool | | Prepend the path `C:\` and change the forward slashes to backslashes. | +| template | string | | Text of the syslog template that is currently set to be used. | + +## AmqpOutput + +| Attribute | Type | Detailed Only | Description | +| --------- | ------ | ------------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| server | string | | Hostname/address of the AMQP server or the Threat Manager server and the port in the SERVER:PORT format | +| userName | string | | User name for the AMQP connection, if needed. ForThreat Managerintegration, use an empty string. | +| password | string | | Password / App Token for the AMQP connection. Password / App Token is not exposed. | +| queue | string | | Message queue name to post events to. ForThreat Manager integration, use an empty string. | +| exchange | string | | Exchange name to post events to. For Threat Manager integration, use "StealthINTERCEPT" for domain outputs or "AM" for host outputs. | +| vhost | string | | Virtual Host name, if needed. ForThreat Managerintegration, use an empty string. | +| caCertificate| string | | Certificate Autority certificate to validate the TLS connection. | +| protocol | string | | `TCP` (default) or `TLS`. 
| +| hostNameVerification | bool | | Whether or not verify the hostname during the TLS handshake. | + +## FileFilter + +| Attribute | Type | Detailed Only | Description | +| ------------------------------------ | -------- | ------------- | ------------------------------------------------------------------------------- | +| allowed | bool | | | +| denied | bool | | | +| cifs | bool | | | +| nfs | bool | | | +| read | bool | | | +| dirRead | bool | | | +| create | bool | | | +| dirCreate | bool | | | +| rename | bool | | | +| dirRename | bool | | | +| delete | bool | | | +| dirDelete | bool | | | +| update | bool | | | +| permission | bool | | | +| dirPermission | bool | | | +| attribute | bool | | | +| dirAttribute | bool | | | +| readOptimize | bool | | Suppress subsequent read operations in the same folder, by the same user. | +| shareAdd | bool | | | +| shareDelete | bool | | | +| shareUpdate | bool | | | +| sharePermission | bool | | | +| streamRead | bool | | Reads of Alternate Data Streams. | +| streamUpdate | bool | | Updates of Alternate Data Streams. | +| streamDelete | bool | | Deletes of Alternate Data Streams. | +| streamAdd | bool | | Adds of Alternate Data Streams. | +| includePaths | string[] | | Depreciated. This has been replaced by 'pathFilters'. | +| excludePaths | string[] | | Depreciated. This has been replaced by 'pathFilters'. | +| excludeExtensions | string[] | | | +| excludeProcesses | string[] | | | +| excludeReadProccesses | string[] | | | +| excludeAccounts | string[] | | | +| filterGroups | bool | | Process group membership when filtering. | +| officeFiltering | bool | | Suppress Microsoft Office and other applications operations on temporary files. | +| pathFilters | string[] | | List of paths to include and exclude. 
| +| discardPreviewSubfolderReads | bool | | | +| discardPreviewSubfolderReadsInterval | int | | | +| discardPreviewFileReads | bool | | | +| discardPreviewFileReadsInterval | int | | | +| discardPreviewFileReadsFilenames | string[] | | | +| duplicateReadsInterval | int | | | + +## SharePointFilter + +| Attribute | Type | Detailed Only | Description | +| --------------- | -------- | ------------- | ----------- | +| operations | string[] | | | +| includeUrls | string[] | | | +| excludeUrls | string[] | | | +| excludeAccounts | string[] | | | + +## WindowsOptions + +| Attribute | Type | Detailed Only | Description | +| ------------------- | ---- | ------------- | ----------- | +| vssCreation | bool | | | +| vssDeletion | bool | | | +| vssActivity | bool | | | +| discardReorderedAcl | bool | | | +| discardInheritedAcl | bool | | | + +**Response Example** + +``` +{ +    "id": "fcf4ad5d951548f0af10a8909c9cc284", +    "url": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm02/outputs/fcf4ad5d951548f0af10a8909c9cc284", +    "hostId": "Windows-kdvm02", +    "hostUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm02", +    "agentsIds": [ +        "AGENT2" +    ], +    "isEnabled": false, +    "type": "LogFile", +    "logFile": { +        "format": "Tsv", +        "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\KDVM02_Log_.tsv", +        "archivePath": "", +        "periodToRetainLog": 10, +        "reportUserName": false, +        "reportUncPath": false, +        "addCToPath": true, +        "reportMilliseconds": true, +        "stealthAudit": true +    }, +    "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": true, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        "dirDelete": true, +        "update": true, +        "permission": true, +        
"dirPermission": true, +        "attribute": true, +        "dirAttribute": true, +        "readOptimize": false, +        "shareAdd": false, +        "shareDelete": false, +        "shareUpdate": false, +        "sharePermission": false, +        "streamRead": true, +        "streamUpdate": true, +        "streamDelete": true, +        "streamAdd": true, +        "includePaths": [], +        "excludePaths": [], +        "excludeExtensions": [ +            ".TMP", +            ".RCV", +            ".DS_STORE", +            ".POLICY", +            ".MANIFEST", +            ".LACCDB", +            ".LDB" +        ], +        "excludeProcesses": [ +            "SBTService.exe", +            "FPolicyServerSvc.exe", +            "CelerraServerSvc.exe", +            "FSACLoggingSvc.exe", +            "HitachiService.exe", +            "SIWindowsAgent.exe", +            "SIGPOAgent.exe", +            "LogProcessorSrv.exe", +            "SearchIndexer.exe", +            "WindowsSearch.exe", +            "StealthAUDIT", +            "MonitorService35.exe", +            "MonitorService40.exe", +            "MonitorService45.exe", +            "Configuration.exe", +            "ConfigurationAgent.exe", +            "ConfigurationAgent.Grpc.Host.exe" +        ], +        "excludeReadProcesses": [], +        "excludeAccounts": [ +            "S-1-5-17", +            "S-1-5-18", +            "S-1-5-19", +            "S-1-5-20" +        ], +        "filterGroups": false, +        "officeFiltering": false, +        "pathFilters": [ +            "-**\\~$*.DOC", +            "-**\\~$*.DOCX", +            "-**\\~$*.ODT", +            "-**\\~$*.PPT", +            "-**\\~$*.PPTX", +            "-**\\~$*.PUB", +            "-**\\~$*.RTF", +            "-**\\~$*.TXT", +            "-**\\~$*.WPS", +            "-**\\~$*.XLSX", +            "-**\\~$*.XSN", +            "-**\\~$*.XML", +            "-**\\~$*.DOCM", +            "-**\\~$*.DOTX", +            "-**\\~$*.DOTM", +            
"-**\\~$*.DOT", +            "-**\\~$*.MHT", +            "-**\\~$*.HTM", +            "-**\\~$*.XLSM", +            "-**\\~$*.XLSB", +            "-**\\~$*.XLTX", +            "-**\\~$*.XLTM", +            "-**\\~$*.XLAM", +            "-**\\~$*.ODS", +            "-**\\~$*.PPTM", +            "-**\\~$*.POTX", +            "-**\\~$*.POTM", +            "-**\\~$*.POT", +            "-**\\~$*.THMX", +            "-**\\~$*.PPSX", +            "-**\\~$*.PPSM", +            "-**\\~$*.PPS", +            "-**\\~$*.ODP", +            "-**\\~$*.PDF", +            "-**\\~$*.XPS", +            "-**\\.TEMPORARYITEMS\\**", +            "-**\\~SNAPSHOT\\**", +            "-**\\WATSONRC.DAT", +            "-**\\DESKTOP.INI", +            "-C:\\Windows\\**", +            "-C:\\Program Files\\**", +            "-C:\\Program Files (x86)\\**", +            "-C:\\ProgramData\\**", +            "-C:\\Documents and Settings\\**", +            "-C:\\Users\\**" +        ], +        "discardPreviewSubfolderReads": true, +        "discardPreviewSubfolderReadsInterval": 10, +        "discardPreviewFileReads": false, +        "discardPreviewFileReadsInterval": 60, +        "discardPreviewFileReadsFilenames": [ +            "*.exe", +            "*.url", +            "*.lnk" +        ], +        "duplicateReadsInterval": 60 +    }, +    "comment": "", +    "managedBy": "", +    "windows": { +        "vssCreation": true, +        "vssDeletion": true, +        "vssActivity": true, +        "discardReorderedAcl": true, +        "discardInheritedAcl": false +    }, +    "status": { +        "updatedAt": "2024-10-01T18:46:00.6768171Z", +        "type": "OK", +        "summary": "OK", +        "details": "OK" +    }, +    "statusHistoryUrl": "https://127.0.0.1:4494/api/v1/hosts/Windows-kdvm02/outputs/fcf4ad5d951548f0af10a8909c9cc284/statusHistory", +    "altHost": "", +    "stats": { +        "reportedAt": "2024-09-30T18:49:12.282Z", +        "reportedCount": 12, +        "lastEventTime": 
"2024-09-30T18:49:12.282Z", +        "filesCount": 1, +        "filesSize": 2204, +        "archiveFilesCount": 0, +        "archiveFilesSize": 0 +    } +} +``` + +## File + +| Attribute | Type | Detailed Only | Description | +| ------------ | -------- | ------------- | ----------------------------------------------------------------------------------------------- | +| id | string | | Activity Log File ID. | +| size | int | | File size in bytes | +| localPath | string | | File path on the local disk | +| isZip | bool | | Is it a Zip archive | +| isArchived | bool | | Determines whether the file is on a local drive of the agent or moved to the archival location. | +| type | string | | `Tsv`, `Json` | +| updatedAt | DateTime | | Last time the file was updated | +| activityFrom | DateTime | | Activity events in the file are not younger than the date. | +| activityTo | DateTime | | Activity events in the file are not older than the date. | +| outputId | string | | ID of the output that produced the file. | +| contentUrl | string | | Link to the file content. 
MIME type `application/x-msdownload` | + +**Response Example** + +``` +[ +    { +        "id": "localhost_Log_20190410_000000.tsv", +        "size": 81658576, +        "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190410_000000.tsv", +        "isZip": false, +        "isArchived": false, +        "type": "Tsv", +        "updatedAt": "2019-04-10T17:45:07.2211753Z", +        "activityFrom": "2019-04-05T18:16:57", +        "activityTo": "2019-04-10T17:45:07", +        "outputId": "9c90791891774715bdb3415823790d7c", +        "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190410_000000.tsv" +    }, +    { +        "id": "localhost_Log_20190401_000000.tsv.zip", +        "size": 11, +        "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190401_000000.tsv.zip", +        "isZip": true, +        "isArchived": false, +        "type": "Tsv", +        "updatedAt": "2019-04-10T02:03:48.8899252Z", +        "activityFrom": "0001-01-01T00:00:00", +        "activityTo": "2019-04-10T02:03:48.8879242Z", +        "outputId": "9c90791891774715bdb3415823790d7c", +        "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190401_000000.tsv.zip" +    }, +  { +    "id": "localhost_Log_20190405.tsv.zip", +    "size": 295102, +    "localPath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_9c907918-9177-4715-bdb3-415823790d7c\\localhost_Log_20190405.tsv.zip", +    "isZip": true, +    "isArchived": true, +    "type": "Tsv", +    "updatedAt": "2019-04-05T20:59:55.1462518Z", +    "activityFrom": "2019-04-05T18:16:57", +    "activityTo": "2019-04-05T20:59:55", +    "outputId": "9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/archive/get/WRKST0100/WRKST0100_9c907918-9177-4715-bdb3-415823790d7c/localhost_Log_20190405.tsv.zip" +  } +] + +``` + +## Policy + +| Attribute | Type | Detailed Only | Read-Only | 
Description | +| ----------- | -------- | ------------- | --------- | ------------------------------------------------------------------------------------- | +| id | string | | X | Policy ID. | +| url | string | | X | Self URL. | +| name | string | | | Policy name. | +| description | string | | | Policy description. | +| path | string | | | Policy location. | +| guid | string | | X | Policy GUID. | +| isEnabled | bool | | | Whether the policy is enabled. | +| updatedAt | DateTime | | X | When the policy was last modified. | +| xml | string | | | Policy body in XML format. It's the same format used by Threat Prevention Powershell. | + +**Response Example** + +``` +[ +    { +        "id": "1000", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1000", +        "name": "SAM AD Changes", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "56abcb01-0248-4f9c-8e61-aaeb8a30b5ff", +        "isEnabled": true, +        "updatedAt": "2024-08-22T19:05:31.22", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n        Object Added\r\n        Object Modified\r\n        Object Deleted\r\n        Object Moved/Renamed\r\n      \r\n    \r\n    \r\n      \r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1001", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1001", +        "name": "SAM Authentication", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "b3d5397b-ef67-4d72-860c-4efa311ad37f", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n    \r\n    \r\n      false\r\n      
\r\n      \r\n      \r\n        \r\n        \r\n        \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1002", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1002", +        "name": "SAM Ldap Monitor", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "b119a08c-5304-45b1-b981-22023a113690", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n      \r\n    \r\n    \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n    \r\n      false\r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1003", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1003", +        "name": "SAM LSASS Guardian", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "409b77be-f0c2-4ba9-9fb9-d17d2c19084a", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n        MsMpEng.exe\r\n        svchost.exe\r\n        VsTskMgr.exe\r\n        WmiPrvSE.exe\r\n        scan64.exe\r\n        mcshield.exe\r\n      \r\n    \r\n    3\r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    }, +    { +        "id": "1004", +        "url": "https://127.0.0.1:4494/api/v1/domains/KDUD1/policies/1004", +        "name": "SAM Replication", +        "description": "", +        "path": "Policies\\Auditing", +        "guid": "e6feb176-8a14-4a61-914b-6c864babd55a", +        "isEnabled": false, +        "updatedAt": "2024-08-22T19:05:31.251", +        "xml": "\r\n\r\n  \r\n  \r\n  \r\n    \r\n  
    \r\n      \r\n    \r\n    \r\n      false\r\n      \r\n      \r\n      \r\n    \r\n    \r\n      \r\n      \r\n    \r\n  \r\n" +    } +] +``` diff --git a/docs/activitymonitor/9.0/restapi/resources/resources.md b/docs/activitymonitor/9.0/restapi/resources/resources.md new file mode 100644 index 0000000000..8234d03ee4 --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/resources/resources.md 
@@ -0,0 +1,1918 @@ +--- +title: "Schema and Resources" +description: "Schema and Resources" +sidebar_position: 20 +--- + +# Schema and Resources + +The 9.0 API model consists of the following resources: + +- Agent – Represents an Activity Monitor Agent. API allows you to view existing agents and their + status, register, modify, or remove agents. You can list all the agents or the agents of a domain + (AD-monitoring agents on the domain controllers). + Children: Host, Domain + See the [Agent](/docs/activitymonitor/9.0/restapi/resources/agent.md) topic for additional information. + +- Host – Represents a host or service monitored by the product (Windows, NetApp, SharePoint, SQL + Server, etc.). It is a Monitored Host/Service in the Console. You can list all the hosts of the agent, or + just all the hosts. The API Provides access to the settings of the host and its status; allows you + to create new hosts, modify, enable/disable, or delete existing. Typical properties include a + hostname, credentials to access API, connection settings. A Host is associated with at least one + Output. Each Host can have multiple child Outputs, and each Output has its own unique filter + settings. + Children: Output + See the [Host](/docs/activitymonitor/9.0/restapi/resources/host.md) topic for additional information. + +- Domain – It is a Monitored Domain in the Console. The API provides summary information about each + monitored domain. Similar to host, the domain also has one or more output. These outputs are + common for all AD-monitoring agents of the domain. Each domain controller has the same log file + settings, syslog, and AMQP. + Children: Output, Agent + See the [Domain](/docs/activitymonitor/9.0/restapi/resources/domain.md) topic for additional information. + +- Output – A log file or Syslog or AMQP destination for the activity data. 
Typical + properties of the **Output** include log file settings (path, retention etc.), syslog settings + (server, UDP/TCP, message template etc.), path filtering (include C:, exclude C:\temp), operations + (Write File, Create File, Delete File, Create Share etc.), account filtering (exclude + DOMAIN\service-account1), protocol (CIFS, NFS), etc. + Children: File + See the [Output](/docs/activitymonitor/9.0/restapi/resources/output.md) topic for additional information. + +- File - Represents a log file created by a File Output - an actual .tsv, .json, or .zip file stored on + the agent or on a network share. A file can be downloaded. + +- Policy - Represents an Active Directory nonitoring policy. The API allows you to create new + policies, list, modify, and delete existing. + + + +Data is transmitted as JSON objects or as JSON Merge Patch for PATCH requests. Dates are formatted +in UTC using the `YYYY-MM-DDTHH:MM:SS` DateTime format. Security-sensitive data like passwords, +certificates, and access tokens are not returned by the GET requests but can be set using POST and +PATCH requests. + +## API + +The API supports the following: + +- GET – Returns a single resource or a list of resources. Additional parameters can be included in + the URL. A successful response returns a `200 OK `status. +- POST – Creates a new resource. The request body contains a JSON object, content type + `application/json`. A successful response returns a `201 Created` status. +- PATCH – Modifies a subset of attributes of the resource. The request body contains the change in + the JSON Merge Patch format + ([https://tools.ietf.org/html/rfc7396](https://tools.ietf.org/html/rfc7396)), content type + `application/merge-patch+json`. A successful response returns a `200 OK` status. +- DELETE – Deletes the resource. A successful response returns a `204 No Content status.` + +**GET /api/v1/agents** + +Lists all the agents managed by the API server. 
If the client has no `Read` permission, returns only +the current agent. + +- Permission – Read or Access activity data +- Response – Array of Agent + +**Permission: Read or Access activity data** + +Response: Array of Agent + +Response Example: + +``` +[ +  { +    "warnings": [], +    "safeModeStatus": "", +    "safeModeMessage": "", +    "archiveIsEnabled": false, +    "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS", +    "archiveUserName": "", +    "archiveMaxLocalSize": "5GB", +    "fpolicyPort": 9999, +    "fpolicyAuth": "NoAuth", +    "fpolicyIpWhitelist": [], +    "minLocalFreeSpace": "64MB", +    "ceeVcapsIsEnabled": false, +    "ceeVcapsInterval": 60, +    "ceeVcapsEvents": 100, +    "alertsIsEnabled": false, +    "alertsInactivityInterval": 360, +    "alertsReplayInterval": 360, +    "alertsInactivityCheckInterval": 10, +    "alertsSyslog": { +      "server": "", +      "protocol": "UDP", +      "separator": null +    }, +    "alertsEmail": { +      "server": "", +      "ssl": false, +      "userName": "", +      "from": "", +      "to": "", +      "subject": "" +    }, +    "hardeningIsEnabled": false, +    "safeModeIsEnabled": true, +    "dnsResolveIsEnabled": false, +    "siIpWhitelist": [], +    "apiServerIpWhitelist": [], +    "apiServerMgmtConsole": "WRKST0100", +    "id": "AGENT0", +    "url": "https://localhost:4494/api/v1/agents/AGENT0", +    "host": "192.168.1.124", +    "netbiosName": "VAGRANT-2016", +    "userName": "test01\\administrator", +    "domain": "TEST01", +    "machineSid": "S-1-5-21-1367674131-2422966069-737923105-1001", +    "osVersion": "6.2.9200.0", +    "isDC": false, +    "errorMessage": "", +    "installState": "Installed", +    "version": "4.1.119", +    "siInstallState": "Installed", +    "siVersion": "6.0.0.388", +    "managedBySI": false, +    "configVersion": "UFZXT9Fijt5mZ6GNOaoclaVMRy4=", +    "monitoredHostsUrl": "https://localhost:4494/api/v1/agents/AGENT0/hosts", +    "monitoredDomainUrl": 
"https://localhost:4494/api/v1/agents/AGENT0/domain", +    "apiServerIsEnabled": false, +    "apiServerPort": 4494 +  }, +  { +    "warnings": [], +    "safeModeStatus": null, +    "safeModeMessage": null, +    "archiveIsEnabled": false, +    "archivePath": "", +    "archiveUserName": "", +    "archiveMaxLocalSize": "5GB", +    "fpolicyPort": 9999, +    "fpolicyAuth": "NoAuth", +    "fpolicyIpWhitelist": [], +    "minLocalFreeSpace": "64MB", +    "ceeVcapsIsEnabled": false, +    "ceeVcapsInterval": 60, + "ceeVcapsEvents": 100, +    "alertsIsEnabled": false, +    "alertsInactivityInterval": 360, +    "alertsReplayInterval": 360, +    "alertsInactivityCheckInterval": 10, +    "alertsSyslog": { +      "server": "", +      "protocol": "UDP", +      "separator": null +    }, +    "alertsEmail": { +      "server": null, +      "ssl": false, +      "userName": null, +      "from": null, +      "to": null, +      "subject": "" +    }, +    "hardeningIsEnabled": false, +    "safeModeIsEnabled": true, +    "dnsResolveIsEnabled": false, +    "siIpWhitelist": [ +      "127.0.0.1", +      "::1" +    ], +    "apiServerIpWhitelist": null, +    "apiServerMgmtConsole": null, +    "id": "AGENT1", +    "url": "https://localhost:4494/api/v1/agents/AGENT1", +    "host": "nonexistent", +    "netbiosName": "nonexistent", +    "userName": "", +    "domain": "", +    "machineSid": "", +    "osVersion": "", +    "isDC": false, +    "errorMessage": "Cannot detect if an agent is installed. The RPC server is unavailable. 
(Exception from HRESULT: 0x800706BA)", +    "installState": "Failed", +    "version": null, +    "siInstallState": "Failed", +    "siVersion": "", +    "managedBySI": false, +    "configVersion": null, +    "monitoredHostsUrl": "https://localhost:4494/api/v1/agents/AGENT1/hosts", +    "monitoredDomainUrl": "https://localhost:4494/api/v1/agents/AGENT1/domain", +    "apiServerIsEnabled": false, +    "apiServerPort": 4494 +  }, +  { +    "warnings": [], +    "safeModeStatus": "", +    "safeModeMessage": "", +    "archiveIsEnabled": false, +    "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS", +    "archiveUserName": "wrkst0100\\testuser", +    "archiveMaxLocalSize": "5GB", +    "fpolicyPort": 9999, +    "fpolicyAuth": "Server", +    "fpolicyIpWhitelist": [], +    "minLocalFreeSpace": "64MB", +    "ceeVcapsIsEnabled": false, +    "ceeVcapsInterval": 60, +    "ceeVcapsEvents": 100, +    "alertsIsEnabled": true, +    "alertsInactivityInterval": 360, +    "alertsReplayInterval": 360, +    "alertsInactivityCheckInterval": 10, +    "alertsSyslog": { +      "server": "12", +      "protocol": "UDP", +      "separator": null +    }, +    "alertsEmail": { +      "server": "", +      "ssl": false, +      "userName": "", +      "from": "", +      "to": "", +      "subject": "" +    }, +    "hardeningIsEnabled": false, +    "safeModeIsEnabled": true, +    "dnsResolveIsEnabled": false, +    "siIpWhitelist": [ +      "127.0.0.1", +      "::1" +    ], +    "apiServerIpWhitelist": [], +    "apiServerMgmtConsole": "WRKST0100", +    "id": "AGENT3", +    "url": "https://localhost:4494/api/v1/agents/AGENT3", +    "host": "WRKST0100", +    "netbiosName": "WRKST0100", +    "userName": "", +    "domain": "LOGIC-LAB", +    "machineSid": "", +    "osVersion": "6.2.9200.0", +    "isDC": false, +    "errorMessage": "", +    "installState": "Installed", +    "version": "4.1.119", +    "siInstallState": "NotInstalled", +    "siVersion": "", +    "managedBySI": false, +    "configVersion": 
"efkL3mKD8BJF/LtD/SC+ClS/xuE=", +    "monitoredHostsUrl": "https://localhost:4494/api/v1/agents/AGENT3/hosts", +    "monitoredDomainUrl": "https://localhost:4494/api/v1/agents/AGENT3/domain", +    "apiServerIsEnabled": false, +    "apiServerPort": 4494 +  } +] + +``` + +**POST /api/v1/agents** + +Adds a new agent but does not install it. The host attribute must be unique. + +- Permission – Modify agents +- Response Body – Agent +- Response – 201, Agent + +**Permission: Modify agents** + +Response Body: Agent + +**Response: 201, Agent** + +Required attributes: + +- host +- platformId + + - Values: + + - windows + - rhel8 (Redhat Enterprise Linux version 8 and 9 use the same "rhel8" platformId) + +- authenticationMethod + + - Values: + + - Password + - PublicKey + +- userName +- password +- privateKey (only required if PublicKey authenticationMethod is used) + +Request Body Example: + +``` +{ +    "host" : "SBNJQASAMDEV04", +    "platformId" : "windows", +    "authenticationMethod" : "Password", +    "userName" : "TESTDOMAIN\\TestUser1", +    "password" : "password123$" +} +``` + +**POST /api/v1/agents/«agentId»/deploy** + +Installs, upgrades, or uninstalls a single agent that is already added to the console. 
+ +- Permission – `Modify agents` +- Response – 200 +- Required attributes: + + - operation + +Permission: `Modify agents` + +**Response: 200** + +Required attributes: + +**operation** + +The following attributes can be set: + +- operation + + - Values + + - install + - uninstall + +- install.adModule + + - Default – False + +- install.upgrade + + - Default – True + +- install.installPath +- install.managementGroup +- uninstall.remove + + - Default – False + +Request Body Structure: + +``` +{ +    "operation" : "string", +    "install" : { +        "adModule" : bool, +        "upgrade" : bool, +        "installPath" : "string", +        "managementGroup" : "string" +    }, +    "uninstall" : { +        "remove" : bool +    } +} +``` + +**POST /api/v1/agents/deploy** + +Installs, upgrades, or uninstalls a set of agents that are already added to the console. + +- Permission – Modify agents +- Response – 200 + +**Permission: Modify agents** + +Response: 200 + +**Required attributes** + +- operation +- agentsIds + +The following attributes can be set: + +- operation + + - Values + + - install + - uninstall + +- agentsIds +- install.adModule + + - Default – False + +- install.upgrade + + - Default – True + +- install.installPath +- install.managementGroup +- uninstall.remove + + - Default – False + +Request Body Structure: + +``` +{ +    "operation" : "string",  +    "agentsIds" : [ "string",  "string", "string", ... ], +    "install" : { +        "adModule" : bool, +        "upgrade" : bool, +        "installPath" : "string", +        "managementGroup" : "string" +    }, +    "uninstall" : { +        "remove" : bool +    } +} +``` + +**GET /api/v1/agents/«agentId»** + +Returns the agent by ID. If not found or no rights - 404. 
+ +- Permission – Read or Access activity data +- Response – Agent (with or without details) + +**Permission: Read or Access activity data** + +Response: Agent (with or without details) + +**PATCH /api/v1/agents/«agentId»** + +Modifies a subset of attributes of the specified agent. + +- Permission – Modify agents +- Body: Content type – `application/merge-patch+json`, changes to the Agent in the JSON Merge Patch + format +- Response – 200, Agent + +**Permission: Modify agents** + +Body: Content type: `application/merge-patch+json`, changes to the Agent in the JSON Merge Patch +format + +**Response: 200, Agent** + +The following attributes can be modified: + +- `archive.isEnabled` +- `archive.path` +- `archive.password` +- `archive.userName` +- `archive.maxLocalSize` – Expected format: number of bytes +- `fpolicy.port` +- `fpolicy.auth` - `NoAuth` (default), `Server`, or `Mutual`. +- `fpolicy.ipWhitelist` +- `fpolicy.clientCertificate` +- `fpolicy.serverCertificate` – Must include a private key. +- `minLocalFreeSpace` – Expected format: number of bytes +- `cee.vcapsIsEnabled` +- `cee.vcapsInterval` +- `cee.vcapsEvents` +- `cee.httpEnabled` +- `cee.rpcEnabled` +- `cee.ipWhitelist` +- `inactivityAlerts.isEnabled` +- `inactivityAlerts.inactivityInterval` +- `inactivityAlerts.replayInterval` +- `inactivityAlerts.inactivityCheckInterval` +- `inactivityAlerts.syslog.server` – Must be a valid hostname of ip4/ip6 address. +- `inactivityAlerts.syslog.protocol` – `UDP` (default), `TCP`, or `TLS`. +- `inactivityAlerts.syslog.separator` – `Lf` (default), `Cr`, `CrLf`, `Nul`, or `Rfc5425`. +- `inactivityAlerts.syslog.template` +- `inactivityAlerts.email.server` – Must be a valid hostname of ip4/ip6 address. 
+- `inactivityAlerts.email.ssl` +- `inactivityAlerts.email.userName` +- `inactivityAlerts.email.password` +- `inactivityAlerts.email.from` +- `inactivityAlerts.email.to` +- `inactivityAlerts.email.subject` +- `inactivityAlerts.email.body` +- `ad.hardeningIsEnabled` +- `ad.safeModeIsEnabled` +- `ad.dnsResolveIsEnabled` +- `ad.siIpWhitelist` +- `panzura.port` +- `panzura.useCredentials` +- `panzura.username` +- `panzura.password` +- `panzura.ipWhitelist` +- `nutanix.port` +- `nutanix.ipWhitelist` +- `qumulo.port` +- `qumulo.ipWhitelist` +- `ctera.port` +- `ctera.ipWhitelist` +- `linux.serviceUsername` +- `dns.isEnabled` +- `dns.listenPort` +- `dns.parallelism` +- `dns.perfStatsTimeDebug` +- `dns.perfStatsTimeInfo` +- `dns.forwardDnsServer` +- `dns.cacheFile` +- `dns.successTtl` +- `dns.failedTtl` +- `dns.clientWaitTimeout` +- `dns.refreshThreshold` +- `dns.maxCacheSize` +- `dns.uselessAge` +- `dns.maxAttemptsToResolve` +- `dns.suffix` +- `adUsers.domainControllers` +- `adUsers.lookupTimeout` +- `adUsers.successCacheTtl` +- `adUsers.failedCacheTtl` +- `adUsers.maxCacheSize` +- `networkProxy.address` +- `networkProxy.useDefaultCredentials` +- `networkProxy.bypassProxyOnLocal` +- `networkProxy.userName` +- `networkProxy.password` +- `networkProxy.bypassList` +- `apiServerIpWhitelist` +- `apiServerMgmtConsole` +- `host` – Must be a unique and valid hostname or ip4/ip6 address. +- `userName` +- `password` +- `privateKey` +- `comment` +- `etwLogEnabled` +- `agentPort` +- `traceLevel` – `Trace`, `Debug`, `Info`, `Warning`, or `Error` +- `externaNicName` – Must be a valid NIC name of the agent. Use an empty string for auto detect. + +**DELETE /api/v1/agents/«AgentId»** + +Removes the agent without uninstalling it. + +- Permission – Modify agents +- Response – 204 + +**Permission: Modify agents** + +Response: 204 + +**GET /api/v1/domains** + +Returns an array of monitored domains, or only the current domain if the client has no `Read` +permission. 
+ +- Permission – Read or Access activity data +- Response – Array of Domain + +**Permission: Read or Access activity data** + +Response: Array of Domain + +Response Example: + +``` +[ +  { +    "id": "TEST01", +    "url": "https://localhost:4494/api/v1/domains/TEST01", +    "name": "TEST01", +    "managedBySI": false, +    "outputs": [ +      { +        "id": "657eaa95f0804608acef581e728868e2", +        "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/657eaa95f0804608acef581e728868e2", +        "domainId": "TEST01", +        "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +        "agentsIds": [], +        "isEnabled": true, +        "type": "LogFile", +        "logFile": { +          "format": "Json", +          "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\192.168.1.124_Log_.json", +          "archivePath": "", +          "daysToRetain": 10, +          "reportUserName": false, +          "reportUncPath": false, +          "addCToPath": true, +          "reportMilliseconds": false, +          "stealthAudit": true +        }, +        "syslog": null, +        "amqp": null, +        "fileFilter": null, +        "sharePointFilter": null, +        "comment": "", +        "managedBy": "", +        "windows": null +      }, +      { +        "id": "fe9eb58ef02e40b8ab4a3e02e51a9d95", +        "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/fe9eb58ef02e40b8ab4a3e02e51a9d95", +        "domainId": "TEST01", +        "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +        "agentsIds": [], +        "isEnabled": true, +        "type": "Amqp", +        "logFile": null, +        "syslog": null, +        "amqp": { +          "server": "127.0.0.1:10001", +          "userName": "StealthINTERCEPT", +          "queue": "StealthINTERCEPT", +          "vhost": "" +        }, +        "fileFilter": null, + "sharePointFilter": null, +        "comment": "", +        "managedBy": "", +        "windows": null + 
     } +    ], +    "outputsUrl": "https://localhost:4494/api/v1/domains/TEST01/outputs", +    "agentsUrl": "https://localhost:4494/api/v1/domains/TEST01/agents", +    "masterAgentId": "AGENT0", +    "masterAgentUrl": "https://localhost:4494/api/v1/agents/AGENT0" +  } +] + +``` + +**GET /api/v1/domains/«domainId»** + +Returns the domain by its ID, or a 404 error if it is not found or the client lacks sufficient +permissions. + +- Permission – Read or Access activity data +- Response – Domain + +**Permission: Read or Access activity data** + +Response: Domain + +**GET /api/v1/agents/«agentId»/domain** + +Returns a domain monitored by the specified agent, or a 404 error if the domain is not found, the +client lacks the necessary permissions, or the agent is not monitoring AD activity. + +This endpoint is useful to get `Output` settings specific to the agent. Domain outputs are logical, +they are described once and used by all the domain controllers to create actual files/syslog/amqp +messages. However, there are some output fields that are different on each agent. For example, the +`archivePath`. If you need such agent-specific fields, use this endpoint. + +- Permission – Read or Access activity data +- Response – Domain + +**Permission: Read or Access activity data** + +Response: Domain + +**GET /api/v1/domains/«domainId»/agents** + +Returns the domain controllers (agents) monitoring the specified domain, or a 404 error if the +domain is not found or the client lacks the necessary permissions. + +- Permission – Read or Access activity data +- Response – Array of Agent + +**Permission: Read or Access activity data** + +Response: Array of Agent + +**GET /api/v1/domains/«domainId»/outputs** + +Returns the configured outputs for the specified domain, or 404 if no rights for the domain or the +domain was not found. 
+ +- Permission – Read or Access activity data +- Response – Array of Output + +**Permission: Read or Access activity data** + +Response: Array of Output + +Response Example: + +``` +[ +  { +    "id": "657eaa95f0804608acef581e728868e2", +    "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/657eaa95f0804608acef581e728868e2", +    "domainId": "TEST01", +    "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +    "agentsIds": [], +    "isEnabled": true, +    "type": "LogFile", +    "logFile": { +      "format": "Json", +      "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\192.168.1.124_Log_.json", +      "archivePath": "", +      "daysToRetain": 10, +      "reportUserName": false, +      "reportUncPath": false, +      "addCToPath": true, +      "reportMilliseconds": false, +      "stealthAudit": true +    }, +    "syslog": null, +    "amqp": null, +    "fileFilter": null, +    "sharePointFilter": null, +    "comment": "", +    "managedBy": "", +    "windows": null +  }, +  { +    "id": "fe9eb58ef02e40b8ab4a3e02e51a9d95", +    "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/fe9eb58ef02e40b8ab4a3e02e51a9d95", +    "domainId": "TEST01", +    "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +    "agentsIds": [], +    "isEnabled": true, +    "type": "Amqp", +    "logFile": null, + "syslog": null, +    "amqp": { +      "server": "127.0.0.1:10001", +      "userName": "StealthINTERCEPT", +      "queue": "StealthINTERCEPT", +      "vhost": "" +    }, +    "fileFilter": null, +    "sharePointFilter": null, +    "comment": "", +    "managedBy": "", +    "windows": null +  } +] + +``` + +**GET /api/v1/domains/«domainId»/outputs/«outputId»** + +Returns the output for the specified domain, or a 404 error if the domain is not found or the client +lacks the necessary permissions. 
+ +- Permission –Read or Access activity data +- Response – Output + +**Permission: Read or Access activity data** + +Response: Output + +Response Example: + +``` +{ +  "id": "657eaa95f0804608acef581e728868e2", +  "url": "https://localhost:4494/api/v1/domains/TEST01/outputs/657eaa95f0804608acef581e728868e2", +  "domainId": "TEST01", +  "domainUrl": "https://localhost:4494/api/v1/domains/TEST01", +  "agentsIds": [], +  "isEnabled": true, +  "type": "LogFile", +  "logFile": { +    "format": "Json", +    "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\192.168.1.124_Log_.json", +    "archivePath": "", +    "daysToRetain": 10, +    "reportUserName": false, +    "reportUncPath": false, +    "addCToPath": true, +    "reportMilliseconds": false, +    "stealthAudit": true +  }, +  "syslog": null, +  "amqp": null, +  "fileFilter": null, +  "sharePointFilter": null, +  "comment": "", +  "managedBy": "", +  "windows": null +} + +``` + +**POST /api/v1/domains/«domainId»/outputs** + +Adds a new output for the specified domain. + +- Permission – Modify hosts +- Response – 201, Output + +**Permission: Modify hosts** + +Response: 201, Output + +Required attributes: + +- type + - Values (Case Sensitive) + - LogFile + - Syslog + - Amqp +- syslog.server (Required only if Syslog is set to type) +- amqp.server (Required only if Amqp is set to type) + +Request Body Structure: + +``` +{           +    "type" : "string", +    "syslog" : { +        "server" : "string" +    }, +    "amqp" : { +        "server" : "string" +    } +} +``` + +**GET /api/v1/hosts** + +Returns a combined list of hosts monitored by all agents. If the client lacks Read permission, only +the hosts of the current agent are returned. + +- Permission – Read or Access activity data +- Response – Array of Host + +**Permission: Read or Access activity data** + +Response: Array of Host + +**GET /api/v1/hosts/«hostId»** + +Returns the specified host. If not found or no rights - 404. 
+ +- Permission – Read or Access activity data +- Response – Host + +**Permission: Read or Access activity data** + +Response: Host + +Response Example: + +``` +{ +  "autoConfigureAuditing": false, +  "monitorAuditingStatus": false, +  "id": "Windows-wrkst0100", +  "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +  "host": "WRKST0100", +  "type": "Windows", +  "altHost": "", +  "userName": "", +  "outputs": [ +    { +      "id": "9c90791891774715bdb3415823790d7c", +      "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/9c90791891774715bdb3415823790d7c", +      "hostId": "Windows-wrkst0100", +      "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +      "agentsIds": [ +        "AGENT3" +      ], +      "logsUrl": "https://localhost:4494/api/v1/logs/9c90791891774715bdb3415823790d7c", +      "isEnabled": false, +      "type": "LogFile", +      "logFile": { +        "format": "Tsv", +        "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_.tsv", +        "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_9c907918-9177-4715-bdb3-415823790d7c\\localhost_Log_.tsv", +        "daysToRetain": 11111, +        "reportUserName": false, +        "reportUncPath": false, +        "addCToPath": true, +        "reportMilliseconds": false, +        "stealthAudit": true +      }, +      "syslog": null, +      "amqp": null, +      "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": true, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        "dirDelete": true, +        "update": true, +        "permission": true, +        "dirPermission": true, +        "readOptimize": false, +        "includePaths": [ +          "C:" +        ], +        "excludePaths": [], +        "excludeExtensions": 
[], +        "excludeProcesses": [], +        "excludeReadProccesses": [], +        "excludeAccounts": [], +        "filterGroups": false, +        "officeFiltering": true +      }, +      "sharePointFilter": null, +      "comment": "", +      "managedBy": "", +      "windows": { +        "vssCreation": true, +        "vssActivity": true, + "discardReorderedAcl": true, +        "discardInheritedAcl": false +      } +    }, +    { +      "id": "a556d7c3666d46babe895f2b9ce1316b", +      "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/a556d7c3666d46babe895f2b9ce1316b", +      "hostId": "Windows-wrkst0100", +      "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +      "agentsIds": [ +        "AGENT3" +      ], +      "logsUrl": "https://localhost:4494/api/v1/logs/a556d7c3666d46babe895f2b9ce1316b", +      "isEnabled": false, +      "type": "LogFile", +      "logFile": { +        "format": "Tsv", +        "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\WRKST0100_E_Activity_Log_.Tsv", +        "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_a556d7c3-666d-46ba-be89-5f2b9ce1316b\\WRKST0100_E_Activity_Log_.Tsv", +        "daysToRetain": 3, +        "reportUserName": false, +        "reportUncPath": false, +        "addCToPath": true, +        "reportMilliseconds": false, +        "stealthAudit": false +      }, +      "syslog": null, +      "amqp": null, +      "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": false, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        "dirDelete": true, +        "update": true, +        "permission": true, +        "dirPermission": true, +        "readOptimize": false, +        "includePaths": [ +          "E:" +        ], +        "excludePaths": [], +        
"excludeExtensions": [], +        "excludeProcesses": [ +          "SBTService.exe", +          "FSAC", +          "FPolicyServerSvc.exe", +          "CelerraServerSvc.exe", +          "FSACLoggingSvc.exe", +          "HitachiService.exe", +          "SIWindowsAgent.exe", +          "SIGPOAgent.exe", +          "SIWorkstationAgent.exe", +          "StealthAUDIT", +          "LogProcessorSrv.exe", +          "SearchIndexer.exe", +          "WindowsSearch.exe" +        ], +        "excludeReadProccesses": [], +        "excludeAccounts": [ +          "S-1-5-17", +          "S-1-5-18", +          "S-1-5-19", +          "S-1-5-20" +        ], +        "filterGroups": false, +        "officeFiltering": false +      }, +      "sharePointFilter": null, +      "comment": "Updates on E:", +      "managedBy": "", +      "windows": { +        "vssCreation": true, +        "vssActivity": true, +        "discardReorderedAcl": true, +        "discardInheritedAcl": true +      } +    }, +    { +      "id": "e7c98bc9e96a41d0813b35858a0475bd", +      "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/e7c98bc9e96a41d0813b35858a0475bd", +      "hostId": "Windows-wrkst0100", +      "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +      "agentsIds": [ +        "AGENT3" +      ], +      "logsUrl": "https://localhost:4494/api/v1/logs/e7c98bc9e96a41d0813b35858a0475bd", +      "isEnabled": false, +      "type": "Syslog", +      "logFile": null, +      "syslog": { +        "reportUncPath": false, +        "addCToPath": true, +        "server": "192.168.1.1", +        "protocol": "UDP", +        "separator": "Lf" +      }, +      "amqp": null, +      "fileFilter": { +        "allowed": true, +        "denied": true, +        "cifs": true, +        "nfs": true, +        "read": false, +        "dirRead": false, +        "create": true, +        "dirCreate": true, +        "rename": true, +        "dirRename": true, +        "delete": true, +        
"dirDelete": true, +        "update": true, +        "permission": true, +        "dirPermission": true, +        "readOptimize": false, +        "includePaths": [ +          "O:" +        ], +        "excludePaths": [], +        "excludeExtensions": [], +        "excludeProcesses": [ +          "SBTService.exe", +          "FSAC", +          "FPolicyServerSvc.exe", +          "CelerraServerSvc.exe", +          "FSACLoggingSvc.exe", +          "HitachiService.exe", +          "SIWindowsAgent.exe", +          "SIGPOAgent.exe", +          "SIWorkstationAgent.exe", +          "StealthAUDIT", +          "LogProcessorSrv.exe", +          "SearchIndexer.exe", +          "WindowsSearch.exe" +        ], +        "excludeReadProccesses": [], +        "excludeAccounts": [ +          "S-1-5-17", +          "S-1-5-18", +          "S-1-5-19", +          "S-1-5-20" +        ], +        "filterGroups": false, +        "officeFiltering": false +      }, +      "sharePointFilter": null, +      "comment": "SIEM feed", +      "managedBy": "", +      "windows": { +        "vssCreation": false, +        "vssActivity": false, +        "discardReorderedAcl": true, +        "discardInheritedAcl": false +      } +    } +  ], +  "outputsUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs", +  "agentsUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/agents" +} + +``` + +**GET /api/v1/hosts/«hostId»/statusHistory** + +Returns a journal of status changes for the host, ordered by time in descending order. + +- Permission – Read +- Response – Array of Status + +**Permission: Read** + +Response: Array of Status + +**GET /api/v1/agents/«agentId»/hosts** + +Returns a list of hosts for the specified agent. If the agent is not found or the client lacks the +necessary permissions, a 404 error is returned. 
+ +- Permission – Read or Access activity data +- Response – Array of Host + +**Permission: Read or Access activity data** + +Response: Array of Host + +**POST /api/v1/agents/«agentId»/hosts** + +Adds a new Host to be monitored by the specified agent. A host is added with at least one output. + +- Permission – Modify hosts +- Response Body – Host +- Response – 201, Host + +**Permission: Modify hosts** + +Response Body: Host + +**Response: 201, Host** + +Required Attributes: + +- type + - Values (Case Sensitive): + - AzureAD + - Celerra + - Ctera + - ExchangeOnline + - Hitachi + - Isilon + - Nasuni + - NetApp + - Nutanix + - Panzura + - PowerStore + - Qumulo + - SharePoint + - SharePointOnline + - SqlServer + - Unity + - Windows + - Linux +- host +- outputs + +Request Body Example: + +``` +{ +    "type" : "Windows", +    "host" : "SBNJQASAMDEV03", +    "outputs" : [ +        { +            "type" : "LogFile" +        } +    ] +} +``` + +**PATCH /api/v1/hosts/«hostId»** + +Modifies the host on all the agents that monitor the host. 
+ +- Permission – Modify hosts +- Body – Content type: `application/merge-patch+json`, changes to the Host resource in the JSON + Merge Patch format +- Response – 200, Host + +**Permission: Modify hosts** + +Body: Content type: `application/merge-patch+json`, changes to the Host resource in the JSON Merge +Patch format + +**Response: 200, Host** + +The following attributes can be modified: + +- `host` ¬ must be a valid hostname or ip4/ip6 address +- `autoConfigureAuditing` +- `monitorAuditingStatus` +- `hostAliases` +- `userName` +- `password` +- `inactivityAlerts.isEnabled` +- `inactivityAlerts.useCustomSettings` +- `inactivityAlerts.inactivityInterval` +- `inactivityAlerts.replayInterval` +- `inactivityAlerts.inactivityCheckInterval` +- `inactivityAlerts.syslog.server` +- `inactivityAlerts.syslog.protocol` +- `inactivityAlerts.syslog.separator` +- `inactivityAlerts.syslog.template` +- `inactivityAlerts.email.server` +- `inactivityAlerts.email.ssl` +- `inactivityAlerts.email.userName` +- `inactivityAlerts.email.password` +- `inactivityAlerts.email.from` +- `inactivityAlerts.email.to` +- `inactivityAlerts.email.subject` +- `inactivityAlerts.email.body` +- `uidTranslate.isEnabled` +- `uidTranslate.domainController` +- `uidTranslate.port` +- `uidTranslate.options` +- `uidTranslate.container` +- `uidTranslate.scope` +- `uidTranslate.filter` +- `hitachi.uncLogPath` +- `hitachi.logFileName` +- `hitachi.pollingInterval` +- `spo.azure.domain` +- `spo.azure.azureCloud` +- `spo.azure.tenantId` +- `spo.azure.tenantName` +- `spo.azure.clientId` +- `spo.azure.clientSecret` +- `spo.azure.region` +- `azureAd.azure.domain` +- `azureAd.azure.azureCloud` +- `azureAd.azure.tenantId` +- `azureAd.azure.tenantName` +- `azureAd.azure.clientId` +- `azureAd.azure.clientSecret` +- `azureAd.azure.region` +- `exchangeOnline.azure.domain` +- `exchangeOnline.azure.azureCloud` +- `exchangeOnline.azure.tenantId` +- `exchangeOnline.azure.tenantName` +- `exchangeOnline.azure.clientId` +- 
`exchangeOnline.azure.clientSecret` +- `exchangeOnline.azure.region` +- `sharePoint.pollingInterval` +- `api.protocol` +- `api.certificate` +- `api.hostNameVerification` +- `api.channel` +- `sql.pollingInterval` +- `sql.tweakOptions` +- `netapp.nfs3EventName` +- `netapp.nfs3FailedEventName` +- `netapp.nfs4FailedEventName` +- `netapp.nfs4EventName` +- `netapp.cifsEventName` +- `netapp.cifsFailedEventName` +- `netapp.policyName` +- `netapp.externalEngineName` + +**PATCH /api/v1/agents/«agentId»/hosts/«hostId»** + +Modifies the host on the specified agent only. The method is useful to set agent-specific settings. + +- Permission – Modify hosts +- Body – Content type: `application/merge-patch+json`, changes to the Host resource in the JSON + Merge Patch format +- Response – 200, Host + +**Permission: Modify hosts** + +Body: Content type: `application/merge-patch+json`, changes to the Host resource in the JSON Merge +Patch format + +**Response: 200, Host** + +The following attributes can be modified: + +- `host` - must be a valid hostname or ip4/ip6 address +- `autoConfigureAuditing` +- `monitorAuditingStatus` +- hostAliases +- `userName` +- `password` +- `inactivityAlerts.isEnabled` +- `inactivityAlerts.useCustomSettings` +- `inactivityAlerts.inactivityInterval` +- `inactivityAlerts.replayInterval` +- `inactivityAlerts.inactivityCheckInterval` +- `inactivityAlerts.syslog.server` +- `inactivityAlerts.syslog.protocol` +- `inactivityAlerts.syslog.separator` +- `inactivityAlerts.syslog.template` +- `inactivityAlerts.email.server` +- `inactivityAlerts.email.ssl` +- `inactivityAlerts.email.userName` +- `inactivityAlerts.email.password` +- `inactivityAlerts.email.from` +- `inactivityAlerts.email.to` +- `inactivityAlerts.email.subject` +- `inactivityAlerts.email.body` +- `uidTranslate.isEnabled` +- `uidTranslate.domainController` +- `uidTranslate.port` +- `uidTranslate.options` +- `uidTranslate.container` +- `uidTranslate.scope` +- `uidTranslate.filter` +- `hitachi.uncLogPath` 
+- `hitachi.logFileName` +- `hitachi.pollingInterval` +- `spo.azure.domain` +- `spo.azure.azureCloud` +- `spo.azure.tenantId` +- `spo.azure.tenantName` +- `spo.azure.clientId` +- `spo.azure.clientSecret` +- `spo.azure.region` +- `azureAd.azure.domain` +- `azureAd.azure.azureCloud` +- `azureAd.azure.tenantId` +- `azureAd.azure.tenantName` +- `azureAd.azure.clientId` +- `azureAd.azure.clientSecret` +- `azureAd.azure.region` +- `exchangeOnline.azure.domain` +- `exchangeOnline.azure.azureCloud` +- `exchangeOnline.azure.tenantId` +- `exchangeOnline.azure.tenantName` +- `exchangeOnline.azure.clientId` +- `exchangeOnline.azure.clientSecret` +- `exchangeOnline.azure.region` +- `sharePoint.pollingInterval` +- `api.protocol` +- `api.certificate` +- `api.hostNameVerification` +- `api.channel` +- `sql.pollingInterval` +- `sql.tweakOptions` +- `netapp.nfs3EventName` +- `netapp.nfs3FailedEventName` +- `netapp.nfs4FailedEventName` +- `netapp.nfs4EventName` +- `netapp.cifsEventName` +- `netapp.cifsFailedEventName` +- `netapp.policyName` +- `netapp.externalEngineName` + +**DELETE /api/v1/hosts/«hostId»** + +Removes the host from being monitored from all the agents. + +- Permission – Modify hosts +- Response – 204 + +**Permission: Modify hosts** + +Response: 204 + +**DELETE /api/v1/agents/«agentId»/hosts/«hostId»** + +Removes the host from being monitored from the specified agent. + +- Permission – Modify hosts +- Response – 204 + +**Permission: Modify hosts** + +Response: 204 + +**GET /api/v1/hosts/«hostId»/outputs** + +Returns a list of outputs for the specified host. If the host is not found or the client lacks the +necessary permissions, a 404 error is returned. + +- Permission – Read or Access activity data +- Response – Array of Output + +**Permission: Read or Access activity data** + +Response: Array of Output + +**POST /api/v1/hosts/«hostId»/outputs** + +Adds a new output for the specified host on all agents that monitor the host. 
+ +- Permission – Modify hosts +- Response – 201, Output + +**Permission: Modify hosts** + +Response: 201, Output + +Required Attributes: + +- type + - Values (Case Sensitive) + - LogFile + - Syslog + - Amqp +- syslog.server (Required only if Syslog is set to type) +- amqp.server (Required only if Amqp is set to type) + +Request Body Structure: + +``` +{           +    "type" : "string", +    "syslog" : { +        "server" : "string" +    }, +    "amqp" : { +        "server" : "string" +    } +} +``` + +**POST /api/v1/agents/«agentId»/hosts/«hostId»/outputs** + +Adds a new output for the specified host on the specified agent only. The method may be useful to +have agent-specific outputs but is not recommended. + +- Permission – Modify hosts +- Response – 201, Output + +**Permission: Modify hosts** + +Response: 201, Output + +Required attributes: + +- type + - Values (Case Sensitive) + - LogFile + - Syslog + - Amqp +- syslog.server (Required only if Syslog is set to type) +- amqp.server (Required only if Amqp is set to type) + +Request Body Structure: + +``` +{           +    "type" : "string", +    "syslog" : { +        "server" : "string" +    }, +    "amqp" : { +        "server" : "string" +    } +} +``` + +**GET /api/v1/hosts/«hostId»/outputs/«outputId»** + +Returns the specified output of the host. If the host or output is not found, or the client lacks +the necessary permissions, a 404 error is returned. 
+ +- Permission – Read or Access activity data +- Response – Output + +**Permission: Read or Access activity data** + +Response: Output + +Response Example: + +``` +{ +  "id": "a556d7c3666d46babe895f2b9ce1316b", +  "url": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100/outputs/a556d7c3666d46babe895f2b9ce1316b", +  "hostId": "Windows-wrkst0100", +  "hostUrl": "https://localhost:4494/api/v1/hosts/Windows-wrkst0100", +  "agentsIds": [ +    "AGENT3" +  ], +  "logsUrl": "https://localhost:4494/api/v1/logs/a556d7c3666d46babe895f2b9ce1316b", +  "isEnabled": false, +  "type": "LogFile", +  "logFile": { +    "format": "Tsv", +    "path": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\WRKST0100_E_Activity_Log_.Tsv", +    "archivePath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_a556d7c3-666d-46ba-be89-5f2b9ce1316b\\WRKST0100_E_Activity_Log_.Tsv", +    "daysToRetain": 3, +    "reportUserName": false, +    "reportUncPath": false, +    "addCToPath": true, +    "reportMilliseconds": false, +    "stealthAudit": false +  }, +  "syslog": null, +  "amqp": null, +  "fileFilter": { +    "allowed": true, +    "denied": true, +    "cifs": true, +    "nfs": true, +    "read": false, +    "dirRead": false, +    "create": true, +    "dirCreate": true, +    "rename": true, +    "dirRename": true, +    "delete": true, +    "dirDelete": true, +    "update": true, +    "permission": true, +    "dirPermission": true, +    "readOptimize": false, +    "includePaths": [ +      "E:" +    ], +    "excludePaths": [], +    "excludeExtensions": [], +    "excludeProcesses": [ +      "SBTService.exe", +      "FSAC", +      "FPolicyServerSvc.exe", +      "CelerraServerSvc.exe", +      "FSACLoggingSvc.exe", +      "HitachiService.exe", +      "SIWindowsAgent.exe", +      "SIGPOAgent.exe", +      "SIWorkstationAgent.exe", +      "StealthAUDIT", +      "LogProcessorSrv.exe", +      "SearchIndexer.exe", +      "WindowsSearch.exe" +    ], +    "excludeReadProccesses": [], +  
  "excludeAccounts": [ +      "S-1-5-17", +      "S-1-5-18", +      "S-1-5-19", +      "S-1-5-20" +    ], +    "filterGroups": false, +    "officeFiltering": false +  }, +  "sharePointFilter": null, +  "comment": "Updates on E:", +  "managedBy": "", +  "windows": { +    "vssCreation": true, +    "vssActivity": true, +    "discardReorderedAcl": true, +    "discardInheritedAcl": true +  } +} + +``` + +**GET /api/v1/hosts/«hostId»/outputs/«outputId»/statusHistory** + +Returns a journal of status changes for the output, ordered by time in descending order. + +- Permission – Read +- Response – Array of Status + +**Permission: Read** + +Response: Array of Status + +**PATCH /api/v1/hosts/«hostId»/outputs/«outputId»** + +Modifies the specified output on all the agents that monitor the host. + +- Permission – Modify hosts +- Body – content type: `application/merge-patch+json`, changes to the Output resource in the JSON + Merge Patch format + +**Permission: Modify hosts** + +Body: content type: `application/merge-patch+json`, changes to the Output resource in the JSON Merge +Patch format + +**Response: 200, Output** + +The following attributes can be modified: + +- `comment` +- `isEnabled` +- `managedBy` +- `type` ¬ for `LogFile`, the `logFile` attribute must be set; for `Syslog` ¬ the `syslog` + attribute; for `Amqp` ¬ the `amqp` attribute. +- `windows.discardInheritedAcl` +- `windows.discardReorderedAcl` +- `windows.vssActivity` +- `windows.vssCreation` +- `amqp.server` - must be a a vaild hostname or ip4/ip6 address. 
+- `amqp.userName` +- `amqp.password` +- `amqp.vhost` +- `amqp.queue` +- `fileFilter.cifs` +- `fileFilter.nfs` +- `fileFilter.create` +- `fileFilter.delete` +- `fileFilter.dirCreate` +- `fileFilter.dirDelete` +- `fileFilter.dirPermission` +- `fileFilter.dirRead` +- `fileFilter.dirRename` +- `fileFilter.excludeExtensions` +- `fileFilter.excludeProcesses` +- `fileFilter.excludeReadProccesses` +- `fileFilter.filterGroups` +- `fileFilter.officeFiltering` +- `fileFilter.permission` +- `fileFilter.read` +- `fileFilter.readOptimize` +- `fileFilter.rename` +- `fileFilter.update` +- `logFile.addCToPath` +- `logFile.archivePath` +- `logFile.daysToRetain` +- `logFile.format` - `Tsv` or `Json` +- `logFile.path` +- `logFile.reportMilliseconds` +- `logFile.reportUncPath` +- `logFile.reportUserName` +- `logFile.stealthAudit` +- `syslog.protocol` - `UDP` (default), `TCP`, `TLS` +- `syslog.addCToPath` +- `syslog.reportUncPath` +- `syslog.separator` - `Lf` (default), `Cr`, `CrLf`, `Nul`, or `Rfc5425` +- `syslog.server` - must be a vaild hostname or ip4/ip6 address. + +For File System hosts: + +- `fileFilter.excludeAccounts` +- `fileFilter.includePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.excludePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.pathFilters` ¬ An ordered array of strings where each element has `{+/-}path` format. + `+` means include path, `-` means exclude path. `?`, `*`, and `**` wildcards are supported. 
+ Example: `['+c:/windows/**', '-c:/temp/**']` + +For SharePoint hosts: + +- `sharePointFilter.excludeAccounts` +- `sharePointFilter.excludeUrls` +- `sharePointFilter.includeUrls` +- `sharePointFilter.operations` - `CheckOut`, `CheckIn`, `View`, `Delete`, `Update`, + `ProfileChange`, `ChildDelete`, `SchemaChange`, `Undelete`, `Workflow`, `Copy`, `Move`, + `AuditMaskChange`, `Search`, `ChildMove`, `FileFragmentWrite`, `SecGroupCreate`, `SecGroupDelete`, + `SecGroupMemberAdd`, `SecGroupMemberDel`, `SecRoleDefCreate`, `SecRoleDefDelete`, + `SecRoleDefModify`, `SecRoleDefBreakInherit`, `SecRoleBindUpdate`, `SecRoleBindInherit`, + `SecRoleBindBreakInherit`, `EventsDeleted`, `AppPermissionGrant`, `AppPermissionDelete`, `Custom` + +**PATCH /api/v1/agents/«agentId»/hosts/«hostId»/outputs/«outputId»** + +Modifies the specified output on the specified agent only. The method may be useful to set +agent-specific attributes. + +- Permission – Modify hosts +- Body – content type: `application/merge-patch+json`, changes to the Output resource in the JSON + Merge Patch format +- Response – 200, Output + +**Permission: Modify hosts** + +Body: content type: `application/merge-patch+json`, changes to the Output resource in the JSON Merge +Patch format + +**Response: 200, Output** + +The following attributes can be modified: + +- `comment` +- `isEnabled` +- `managedBy` +- `type` - for `LogFile`, the `logFile` attribute must be set; for `Syslog` ¬ the `syslog` + attribute; for `Amqp` ¬ the `amqp` attribute. +- `windows.discardInheritedAcl` +- `windows.discardReorderedAcl` +- `windows.vssActivity` +- `windows.vssCreation` +- `amqp.server` ¬ must be a a vaild hostname or ip4/ip6 address. 
+- `amqp.userName` +- amqp.password +- `amqp.vhost` +- `amqp.queue` +- `fileFilter.cifs` +- `fileFilter.nfs` +- `fileFilter.create` +- `fileFilter.delete` +- `fileFilter.dirCreate` +- `fileFilter.dirDelete` +- `fileFilter.dirPermission` +- `fileFilter.dirRead` +- `fileFilter.dirRename` +- `fileFilter.excludeExtensions` +- `fileFilter.excludeProcesses` +- `fileFilter.excludeReadProccesses` +- `fileFilter.filterGroups` +- `fileFilter.officeFiltering` +- `fileFilter.permission` +- `fileFilter.read` +- `fileFilter.readOptimize` +- `fileFilter.rename` +- `fileFilter.update` +- `logFile.addCToPath` +- `logFile.archivePath` +- `logFile.daysToRetain` +- `logFile.format` - `Tsv` or `Json` +- `logFile.path` +- `logFile.reportMilliseconds` +- `logFile.reportUncPath` +- `logFile.reportUserName` +- `logFile.stealthAudit` +- `syslog.protocol` - `UDP` (default), `TCP`, `TLS` +- `syslog.addCToPath` +- `syslog.reportUncPath` +- `syslog.separator` - `Lf` (default), `Cr`, `CrLf`, `Nul`, or `Rfc5425` +- `syslog.server` - must be a vaild hostname or ip4/ip6 address. + +For File System hosts: + +- `fileFilter.excludeAccounts` +- `fileFilter.includePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.excludePaths` ¬ Depreciated. Has been replaced by 'pathFilters'. +- `fileFilter.pathFilters` ¬ an ordered array of strings where each element has `{+/-}path` format. + `+` means include path, `-` means exclude path. `?`, `*`, and `**` wildcards are supported. 
+ Example: `['+c:/windows/**', '-c:/temp/**']` + +For SharePoint hosts: + +- `sharePointFilter.excludeAccounts` +- `sharePointFilter.excludeUrls` +- `sharePointFilter.includeUrls` +- `sharePointFilter.operations` - `CheckOut`, `CheckIn`, `View`, `Delete`, `Update`, + `ProfileChange`, `ChildDelete`, `SchemaChange`, `Undelete`, `Workflow`, `Copy`, `Move`, + `AuditMaskChange`, `Search`, `ChildMove`, `FileFragmentWrite`, `SecGroupCreate`, `SecGroupDelete`, + `SecGroupMemberAdd`, `SecGroupMemberDel`, `SecRoleDefCreate`, `SecRoleDefDelete`, + `SecRoleDefModify`, `SecRoleDefBreakInherit`, `SecRoleBindUpdate`, `SecRoleBindInherit`, + `SecRoleBindBreakInherit`, `EventsDeleted`, `AppPermissionGrant`, `AppPermissionDelete`, `Custom` + +**GET /api/v1/hosts/«hostId»/agents** + +Returns a list of agents monitoring the specified host. + +- Permission – Read or Access activity data +- Response – Array of Agent + +**Permission: Read or Access activity data** + +Response: Array of Agent + +**GET /api/v1/logs/«outputId»?includeLocal=true&includeArchived=false** + +Returns a list of files produced by the specified output. 
+ +**Parameters:** + +| Name | Type | Default | Description | +| --------------- | ---- | ------- | ---------------------------------------------- | +| includeLocal | bool | true | Return log files on a local drive of the agent | +| includeArchived | bool | false | Return log files in the archival location | + +- Permission – Read or Access activity data +- Response – Array of File + +**Permission: Read or Access activity data** + +Response: Array of File + +Response Example: + +``` +[ +  { +    "id": "localhost_Log_20190419.tsv", +    "size": 20619226, +    "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190419.tsv", +    "isZip": false, +    "isArchived": false, + "type": "Tsv", +    "updatedAt": "2019-04-19T10:17:32.0546644Z", +    "activityFrom": "2019-04-15T14:30:51", +    "activityTo": "2019-04-19T10:17:32", +    "outputId": "9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190419.tsv" +  }, +  { +    "id": "localhost_Log_20190419.tsv.zip", +    "size": 1413338, +    "localPath": "C:\\ProgramData\\Netwrix\\Activity Monitor\\Agent\\ActivityLogs\\localhost_Log_20190419.tsv.zip", +    "isZip": true, +    "isArchived": false, +    "type": "Tsv", +    "updatedAt": "2019-04-19T10:17:32.0546644Z", +    "activityFrom": "2019-04-15T14:30:51", +    "activityTo": "2019-04-19T10:17:32", +    "outputId": "9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/get/localhost_Log_20190419.tsv.zip" +  }, +  { +    "id": "localhost_Log_20290410.tsv.zip", +    "size": 16861634, +    "localPath": "\\\\WRKST0100\\SBACTIVITYLOGS\\WRKST0100\\WRKST0100_9c907918-9177-4715-bdb3-415823790d7c\\localhost_Log_20290410.tsv.zip", +    "isZip": true, +    "isArchived": true, +    "type": "Tsv", +    "updatedAt": "2019-04-10T02:01:42.4996667Z", +    "activityFrom": "2019-04-05T18:16:57", +    "activityTo": "2019-04-10T02:01:45", +    "outputId": 
"9c90791891774715bdb3415823790d7c", +    "contentUrl": "https://localhost:4494/api/v1/logs/archive/get/WRKST0100/WRKST0100_9c907918-9177-4715-bdb3-415823790d7c/localhost_Log_20290410.tsv.zip" +  } +] + +``` + +**GET /api/v1/domains/«domainId»/policies** + +Returns an array of existing policies for the specified domain. + +- Permission – Read +- Response – Array of Policies + +**Permission: Read** + +Response: Array of Policies + +Response Example: + +``` +[ +  { +    "id": "10013", +    "url": "https://localhost:4494/api/v1/domains/TEST01/policies/10013", +    "name": "LDAP Monitor", +    "description": "", +    "path": "Policies\\Auditing", +    "guid": "8f5e4870-6d28-4f32-af18-2e6e6ed623ce", +    "isEnabled": true, +    "updatedAt": "2019-04-19T10:17:32.0546644Z" +  }, +  { +    "id": "10014", +    "url": "https://localhost:4494/api/v1/domains/TEST01/policies/10014", +    "name": "Authentication Monitor", +    "description": "", +    "path": "Policies\\Auditing", +    "guid": "8f5e4870-6d28-4f32-af18-2e6e6ed623cf", +    "isEnabled": true, +    "updatedAt": "2019-04-19T10:17:32.0546644Z" +  } + ] + +``` + +**POST /api/v1/domains/«domainId»/policies** + +Creates a new policy for the specified domain using the provided XML. ID and GUID attributes in the +XML are ignored, and new values are assigned. + +**Permission: Policy change** + +Input: + +- Content type ¬ application/json, Body: Policy, `xml` is required. Other fields, if set, replace + values in XML. +- Content type ¬ application/xml, Body: XML of the policy to be created + +**Response: 201, Policy** + +Required attributes: + +- xml + +**PATCH /api/v1/domains/«domainId»/policies/«policyId»** + +Modifies attributes of the policy. If XML is updated, ID and GUID attributes in the XML are ignored, +and existing values are preserved. + +**Permission: Policy change** + +Input: + +- Content type: application/merge-patch+json, Body: JSON Merge Patch of Policy. 
+ +**Response: 200, Policy** + +Response Example: + +``` +  { +    "id": "10014", +    "url": "https://localhost:4494/api/v1/domains/TEST01/policies/10014", +    "name": "Authentication Monitor", +    "description": "", +    "path": "Policies\\Auditing", +    "guid": "8f5e4870-6d28-4f32-af18-2e6e6ed623cf", +    "isEnabled": false, +    "updatedAt": "2019-06-19T10:11:12Z" +    "xml": "......" +  } + +``` + +Request body example: + +``` +{ +  "isEnabled": false +} +``` + +**DELETE /api/v1/domains/«domainId»/policies/«policyId»** + +Deletes the specified policy. + +- Permission – Policy change +- Response – 204 + +**Permission: Policy change** + +Response: 204 diff --git a/docs/activitymonitor/9.0/restapi/security.md b/docs/activitymonitor/9.0/restapi/security.md new file mode 100644 index 0000000000..8584763f91 --- /dev/null +++ b/docs/activitymonitor/9.0/restapi/security.md 
@@ -0,0 +1,84 @@ +--- +title: "Security and Access Control" +description: "Security and Access Control" +sidebar_position: 10 +--- + +# Security and Access Control + +## Security + +The REST-style API is exposed via TLS v1.2, with a self-signed certificate by default. The port is +customizable, 4494 by default. The IP whitelist can be used to restrict access to the port. + +You can use the Activity Monitor Console to allow applications to access the API, change +permissions, or revoke access. The console generates unique Client ID and Secret for each +application. + +### Authentication + +OAuth 2.0 client-credentials grant is used for authentication. A pair of Client ID and Secret are +used to obtain an access token from the access token URL: `https://localhost:4494/api/v1/token`. +Token expiration intervals are not configurable. + +| Type | Expires in | +| ------------- | ---------- | +| Client Secret | 72 hours | +| Access Token | 7 days | +| Refresh Token | never | + +It is considered a best practice to use short expiration periods for OAuth 2.0 tokens, like 1 hour +for the access token. A shorter period allows you to revoke the access quicker if needed. In case of +Activity Monitor, the Agent is both the authentication server and the resource server. Therefore, it +can validate the token on each and every access to a resource. So, for Activity Monitor long +expiration periods do not make the protocol less secure. + +A client is expected to pass the access token in the `Authorization` request header. + +:::note +**Use a client library that is secure and fully implements the OAuth 2.0 protocol.** The +sample below shows just a piece of OAuth 2 interaction. 
+::: + + +``` +curl -X POST -d "client_id=&client_secret=&grant_type=client_credentials" https://:4494/api/v1/token --insecure +{"access_token":"AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAZpRDOzeUzUikVK9ydmsV1QAAAAACAAAAAAAQZgAAAAEAACAAAAAFzYG4Tasvowq939pou5ADE883Ns2DV-X6_S20RMDcwAAAAAAOgAAAAAIAACAAAAB1IcZrZavgp2Ab63P +8kbCr7NwopOsfz0SeSaXjKVhVC-AAAACix_0klwXoiwiqTZTlaUXCqn9MkquZC84ew9E0-E_vu6FNJ6NDLj7MGCPR-mCi4MRmwr6TYtZ_XfAXRtSh66gbABv-gTnmimruLRWxN2is5twUl563kGpHqnbKydqPNgOy4gXxgR_V08kFut2qPxZ +LsN14yK8Prp1paaQy4-mhONaFIrVx7bOmVIdfVnjEYjwIRdd9QjQEY3wJtnDIEBWi2s-6uYo8tcCEztPiraBpLJC3Tib8NQYu_YxwbzeRun_h2KZOMewLzkfZGS2h9SvvnlxECQ0G5PEfslnAEwC7VEAAAAAxZTm06tyRQNMbw_bLr4FiZi0 +y-QipaafBBRtm83q-l6bG9bQ-C1Hr19-0H6KgzDb3_JJWxxNmGdD-wG95wjlD","token_type":"bearer","expires_in":604799,"refresh_token":"AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAZpRDOzeUzUikVK9ydmsV1QAAAA +ACAAAAAAAQZgAAAAEAACAAAAAocNSP3GFuJ0RK_1dsX5uSR4dmiqzhV7-LYhc9sYbF2gAAAAAOgAAAAAIAACAAAABQuudDm06II62U6vM2u9CczyRa1siP-H3WfP6iDYOmh-AAAADjzqzTweG14Gngd68rC3BX4GA4kBR5FA8JVVly3KHUS2 +Q-SD9q4S9C3yLZxv2k_zGr2YA_bVdfZ78vRCUYC3QgbpJTjzYPWnPNW5RsqLLtd47h6THU5Wc0RkoBG4c8gB569Jvl0WkAG3xJFHitbUQISYbSosd-cIW4JZkHzcT3zkPgAtLkNyhqQd1g1jgCzP63MCAFq1AN2NB2wLCk_jNRi8aypxR1Ty +F5HpSlZ6QzVNycMNeckayAEOCAUAXwx_tBVhqvUwn7YEF_bT2WYoW9boU_IUzWKtO8R5MXsVR6aEAAAAATVk3stUcghjkgv6abuLddE9Hf2S0o9Gpmp4UPallX6dIbAvm10f-De1aTU-jG7LJMdAv2PKVyuGiyUzI-DE0K"} + +``` + +### Authorization + +A user assigns permissions to a client application. Permissions can be combined. + +Activity Monitor 9.0 permissions: + +| Permission | Description | +| -------------------- | --------------------------------------------------------------------------------------------------------------------------- | +| Access activity data | Provides minimal access rights to list and download the log files. | +| Read | Read-only access to all the information about all agents, domains, and hosts. Does not allow one to download the log files. 
| +| Policy change | Add, modify, and delete the AD monitoring policies. | +| Modify host | Add, modify, enable, disable, and delete Hosts and their Outputs. | +| Modify agent | Add, modify, and delete agents. | + +An unauthorized request fails with `401 Unauthorized` (instead of `403 Forbidden`) when the resource is +specified explicitly, by ID. For collections, the API Server removes unauthorized resources from +results. + +`Access activity data` is special. It provides limited information only about the agent which hosts +the API server, limited monitored domain information, limited monitored hosts/services information, and +outputs - just enough to get information about the log files. See "Detailed Only" column in the next +section for the list of attributes not included into the limited information. + +Here is how the permissions affect the returned resources: + +| Permission\Resource | Agent | Host | Domain | Output | Policy | Log File | +| -------------------- | ------------------------------ | -------------------------------------- | --------------------------------------- | ---------------------------------------- | ------ | ----------------------- | +| Read | All agents, all info | All hosts, all info | All domains, all info | All | All | None | +| Access activity data | Only this agent. Limited info. | This agent's hosts only. Limited info. | This agent's domain only. Limited info. | Outputs of this agent's hosts and domain | None | All files of this agent | diff --git a/docs/activitymonitor/9.0/siem/_category_.json b/docs/activitymonitor/9.0/siem/_category_.json new file mode 100644 index 0000000000..97ac249831 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SIEM Integrations", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file 
diff --git a/docs/activitymonitor/9.0/siem/overview.md b/docs/activitymonitor/9.0/siem/overview.md new file mode 100644 index 0000000000..d21156690a --- /dev/null +++ b/docs/activitymonitor/9.0/siem/overview.md @@ -0,0 +1,22 @@ +--- +title: "SIEM Integrations" +description: "SIEM Integrations" +sidebar_position: 70 +--- + +# SIEM Integrations + +Netwrix activity monitoring solutions enable organizations to successfully, efficiently, +and affordably monitor file access and permission changes across Windows and Network Attached +Storage (NAS) file systems in real-time. Using preconfigured Netwrix Activity Monitor Apps, +users can quickly understand all file activities as a whole, for specific resources or users, as +well as patterns of activity indicative of threats such as crypto ransomware or data exfiltration +attempts. With full control over the data, users can create custom searches, all while enabling apps +to correlate file system activity with any log source. + +Preconfigured Netwrix Activity Monitor Apps are: + +- Splunk - See the [File Activity Monitor App for Splunk](/docs/activitymonitor/9.0/siem/splunk/overview.md) topic for additional + information +- QRadar - See the [Netwrix File Activity Monitor App for QRadar](/docs/activitymonitor/9.0/siem/qradar/overview.md) topic for + additional information diff --git a/docs/activitymonitor/9.0/siem/qradar/_category_.json b/docs/activitymonitor/9.0/siem/qradar/_category_.json new file mode 100644 index 0000000000..82c7f803f7 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Netwrix File Activity Monitor App for QRadar", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/siem/qradar/app/_category_.json b/docs/activitymonitor/9.0/siem/qradar/app/_category_.json new file mode 100644 index 0000000000..58035c056d --- /dev/null 
+++ b/docs/activitymonitor/9.0/siem/qradar/app/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "File Activity Monitor App for QRadar", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "app" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/siem/qradar/app/about.md b/docs/activitymonitor/9.0/siem/qradar/app/about.md new file mode 100644 index 0000000000..7b577b29f0 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/about.md @@ -0,0 +1,13 @@ +--- +title: "About Dashboard" +description: "About Dashboard" +sidebar_position: 70 +--- + +# About Dashboard + +The About dashboard provides information about the application. + +![About Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/aboutdashboard.webp) + +Information on how to obtain a license for the applicable Netwrix software is included. diff --git a/docs/activitymonitor/9.0/siem/qradar/app/app.md b/docs/activitymonitor/9.0/siem/qradar/app/app.md new file mode 100644 index 0000000000..a6762fd75f --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/app.md 
@@ -0,0 +1,44 @@ +--- +title: "File Activity Monitor App for QRadar" +description: "File Activity Monitor App for QRadar" +sidebar_position: 10 +--- + +# File Activity Monitor App for QRadar + +Netwrix Activity Monitor App for QRadar (File Activity Monitor tab) contains several +predefined dashboards: File Activity (Home), Ransomware, Permission Changes, Deletions, User +Investigation, and Host Investigation. There is also an About dashboard with additional information +and a Settings interface for configuring the QRadar SEC token. + +![file_activity_monitor_app](/images/activitymonitor/9.0/siem/qradar/file_activity_monitor_app.webp) + +The User Investigation and Host Investigation dashboards only appear when a search is conducted. +This can be done by clicking a hyperlink within the Username or Destination IP columns of a table +card. Alternatively, type the complete user name or host IP Address in the Search box on the right +side of the navigation bar. + +## Table Card Features + +Within the dashboards are several cards with a tabular format. Each of these cards have the +following features: + +- Only five pages of data will be loaded at a time. Applying the Search or Sort features or moving + beyond the five ‘loaded’ pages will result in a “Processing” banner being temporarily displayed + over the table while the server is directly queried for the necessary data. +- Search data entries for the Username, Destination IP, and File Path columns by typing in the + Search box in the upper-right corner of the card: + + - Any entries with a match will remain in the table, all non-matching entries will be filtered + out. + - Total number of entries “Showing” will adjust for the filtered total. + - Search can also apply to the Operation column, but only for exact matches. + +- Sort can be applied to one column at a time by clicking on the desired column header. +- Show 10, 25, 100, or All entries in the table. Only visible entries can be exported. 
+- Result data currently visible within the table page displayed can be exported from the dashboard: + + - Copy – Copy to clipboard in order to paste to another application + - CSV – Export to a Comma Separated Value file + - Excel – Export to an Excel Workbook file + - Print – Send currently displayed table to printer diff --git a/docs/activitymonitor/9.0/siem/qradar/app/deletions.md b/docs/activitymonitor/9.0/siem/qradar/app/deletions.md new file mode 100644 index 0000000000..828f3c9d5b --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/deletions.md @@ -0,0 +1,25 @@ +--- +title: "Deletions Dashboard" +description: "Deletions Dashboard" +sidebar_position: 40 +--- + +# Deletions Dashboard + +The Deletions dashboard contains the following cards: + +![Deletions Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/deletionsdashboard.webp) + +- Activity – Timeline of all deletion events over the specified time interval +- Top Users – Displays up-to the top five users associated with deletion events over the specified + time interval +- Latest Events – Tabular format of all deletion events which occurred over the specified time + interval + + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +The time interval is identified in the upper-right corner with the Start and End boxes. This is set +by default to the “past day,” or 24 hours. To search within a different interval, either manually +type the desired date and time or use the calendar buttons to set the desired date and time +interval. Then click Search to refresh the card data. diff --git a/docs/activitymonitor/9.0/siem/qradar/app/home.md b/docs/activitymonitor/9.0/siem/qradar/app/home.md new file mode 100644 index 0000000000..a0855f8b25 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/home.md 
@@ -0,0 +1,36 @@ +--- +title: "Home Dashboard" +description: "Home Dashboard" +sidebar_position: 10 +--- + +# Home Dashboard + +The File System Activity Home dashboard contains the following cards: + +![Home Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/homedashboard.webp) + +- Active Users – Number of distinct users recorded performing any type of file activity to/from any + host over the specified time interval +- Active Servers – Number of distinct servers accessed (destination IP Addresses) with any type of + file activity recorded over the specified time interval +- Open Offenses – Number of ransomware offenses detected within QRadar from the file activity event + data + + - The value for this card is a hyperlink to the [Ransomware Dashboard](/docs/activitymonitor/9.0/siem/qradar/app/ransomware.md). + +- File Activity – Timeline of all file activity over the specified time interval +- Top Users – Displays up-to the top five users associated with file activity over the specified + time interval +- Top Servers – Displays up-to the top five servers (destination IP Addresses) associated with file + activity over the specified time interval +- Latest Events – Tabular format of all file activity events which occurred over the specified time + interval + + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +The time interval is identified in the upper-right corner with the Start and End boxes. This is set +by default to the “past day,” or 24 hours. To search within a different interval, either manually +type the desired date and time or use the calendar buttons to set the desired date and time +interval. Then click Search to refresh the card data. 
diff --git a/docs/activitymonitor/9.0/siem/qradar/app/hostinvestigation.md b/docs/activitymonitor/9.0/siem/qradar/app/hostinvestigation.md new file mode 100644 index 0000000000..7bc4275f67 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/hostinvestigation.md 
@@ -0,0 +1,40 @@ +--- +title: "Host Investigation Dashboard" +description: "Host Investigation Dashboard" +sidebar_position: 60 +--- + +# Host Investigation Dashboard + +The Host Investigation dashboard only appears when a search is conducted. This can be done by +clicking a hyperlink within the Destination IP column of a table card. Alternatively, type the +complete host IP Address in the Search box on the right side of the navigation bar. + +![Home Investigation Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp) + +The Host Investigation dashboard contains the following cards: + +- Total Actions – Number of all file activity events associated with the host over the specified + time interval +- Users – Number of usernames associated with the host over the specified time interval +- Resources – Number of distinct files associated with the host over the specified time interval +- File Activity – Timeline of all events associated with the host over the specified time interval + + - The graph values can be toggled on an off by clicking on individual elements in the legend. + +- Details of File Activity – Tabular format of all file activity events associated with the host + which occurred over the specified time interval + + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +- Destination Host Offenses – QRadar offenses associated with the host which occurred over the + specified time interval + + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +The time interval is identified in the upper-right corner with the Start and End boxes. This is set +by default to the “past day,” or 24 hours. 
To search within a different interval, either manually +type the desired date and time or use the calendar buttons to set the desired date and time +interval. Then click Search to refresh the card data. diff --git a/docs/activitymonitor/9.0/siem/qradar/app/permissionchanges.md b/docs/activitymonitor/9.0/siem/qradar/app/permissionchanges.md new file mode 100644 index 0000000000..1ddc441a97 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/permissionchanges.md @@ -0,0 +1,28 @@ +--- +title: "Permission Changes Dashboard" +description: "Permission Changes Dashboard" +sidebar_position: 30 +--- + +# Permission Changes Dashboard + +The Permission Changes Dashboard for QRadar shows information on changes made to permissions using +various metrics. + +![Permission Changes Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/permissionchangesdashboard.webp) + +The Permission Changes dashboard contains the following cards: + +- Activity – Timeline of all permission change events over the specified time interval +- Top Users – Displays up-to the top five users associated with permission change events over the + specified time interval +- Latest Events – Tabular format of all permission change events which occurred over the specified + time interval + + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +The time interval is identified in the upper-right corner with the Start and End boxes. This is set +by default to the “past day,” or 24 hours. To search within a different interval, either manually +type the desired date and time or use the calendar buttons to set the desired date and time +interval. Then click Search to refresh the card data. diff --git a/docs/activitymonitor/9.0/siem/qradar/app/ransomware.md b/docs/activitymonitor/9.0/siem/qradar/app/ransomware.md new file mode 100644 index 0000000000..154d56d939 
--- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/ransomware.md @@ -0,0 +1,37 @@ +--- +title: "Ransomware Dashboard" +description: "Ransomware Dashboard" +sidebar_position: 20 +--- + +# Ransomware Dashboard + +The Ransomware Dashboard for QRadar shows a list of suspected ransomware events. + +![Ransomware Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/ransomwaredashboard.webp) + +The Ransomware dashboard contains the following cards: + +- Offenses – List of offenses detected within QRadar from the file activity data as a potential + ransomware attack + + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +- Details of Ransomware Attack – Tabular format of all file activity events for the selected offense + which occurred over the specified time interval + + - Only visible after clicking Search on an offense + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +- Breakdown of File Types – Pie chart of the top eight file extensions of the affected files for the + selected offense + + - Only visible after clicking Search on an offense + +The offenses generated within QRadar are based upon the Netwrix: Ransomware Detected rule that +is packaged with this application. In order to adjust this rule to better suit an organization’s +needs, please refer to the IBM QRadar +[Rule management](https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_qradar_rul_mgt.html) +article on how to modify rules. diff --git a/docs/activitymonitor/9.0/siem/qradar/app/userinvestigation.md b/docs/activitymonitor/9.0/siem/qradar/app/userinvestigation.md new file mode 100644 index 0000000000..6e0f22f3bd --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/app/userinvestigation.md 
@@ -0,0 +1,36 @@ +--- +title: "User Investigation Dashboard" +description: "User Investigation Dashboard" +sidebar_position: 50 +--- + +# User Investigation Dashboard + +The User Investigation dashboard only appears when a search is conducted. This can be done by +clicking a hyperlink within the Username column of a table card. Alternatively, type the complete +user name in the Search box on the right side of the navigation bar. + +![User Investigation Dashboard for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp) + +The User Investigation dashboard contains the following cards: + +- Total Actions – Number of all file activity events associated with the user over the specified + time interval +- File Servers – Number of destination IP Addresses associated with the user over the specified time + interval +- Resources – Number of distinct files associated with the user over the specified time interval +- File Activity – Timeline of all events associated with the user over the specified time interval + - The graph values can be toggled on an off by clicking on individual elements in the legend. +- Details of File Activity – Tabular format of all file activity events associated with the user + which occurred over the specified time interval + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. +- Destination Host Offenses – QRadar offenses associated with the destination IP Addresses accessed + by the user during the specified time interval + - See the [Table Card Features ](/docs/activitymonitor/9.0/siem/qradar/app/app.md#table-card-features) topic for additional + information. + +The time interval is identified in the upper-right corner with the Start and End boxes. This is set +by default to the “past day,” or 24 hours. 
To search within a different interval, either manually +type the desired date and time or use the calendar buttons to set the desired date and time +interval. Then click Search to refresh the card data. diff --git a/docs/activitymonitor/9.0/siem/qradar/offenses.md b/docs/activitymonitor/9.0/siem/qradar/offenses.md new file mode 100644 index 0000000000..d121c01d6d --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/offenses.md @@ -0,0 +1,19 @@ +--- +title: "Offenses" +description: "Offenses" +sidebar_position: 30 +--- + +# Offenses + +The Activity Monitor App for QRadar feeds a couple of QRadar Offenses. + +![Netwrix Offenses in QRadar](/images/activitymonitor/9.0/siem/qradar/stealthbitsoffenses.webp) + +While the [Ransomware Dashboard](/docs/activitymonitor/9.0/siem/qradar/app/ransomware.md) reports on incidents of Ransomware attacks +monitored by Netwrix Threat Prevention, the following offenses may be generated by the Netwrix Activity Monitor App. + +| QRadar Offense | Definition | +| ---------------------------------------- | ---------------------------------------------------------------------------- | +| INTERCEPT: File System Attacks (By User) | Significant number of file changes made by an account in a short time period | +| Netwrix: Ransomware Detected | Threshold-based Ransomware Rule | diff --git a/docs/activitymonitor/9.0/siem/qradar/overview.md b/docs/activitymonitor/9.0/siem/qradar/overview.md new file mode 100644 index 0000000000..dad5896184 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/overview.md 
@@ -0,0 +1,84 @@ +--- +title: "Netwrix File Activity Monitor App for QRadar" +description: "Netwrix File Activity Monitor App for QRadar" +sidebar_position: 10 +--- + +# Netwrix File Activity Monitor App for QRadar + +Netwrix File Activity monitoring solutions enable organizations to successfully, efficiently, and +affordably monitor file access and permission changes across Windows and Network Attached Storage +(NAS) file systems in real-time. Using the preconfigured  Netwrix File Activity Monitor App for +QRadar, users can quickly understand all file activities as a whole, for specific resources or +users, as well as patterns of activity indicative of threats such as crypto ransomware or data +exfiltration attempts. With full control over the data, users can create custom searches, all while +enabling QRadar to correlate file system activity with any log source. + +This document describes how to integrate Netwrix products with the Netwrix File Activity Monitor App +for QRadar found in the IBM X-Force Exchange. Any Netwrix products can be configured to monitor file +system activity and send the monitored events to QRadar. After installing this app, ensure that +either the Activity Monitor, Threat Prevention, or Access Analyzer has been configured to send +events to QRadar. See the [Netwrix Technical Knowledge Center](https://helpcenter.netwrix.com/) on +the Netwrix website for additional information. + +## App Installation in QRadar + +Download the [Netwrix File Activity Monitor App for +QRadar](https://exchange.xforce.ibmcloud.com/hub/extension/STEALTHbits Technologies:STEALTHbits File Activity Monitor) from the [IBM X-Force App Exchange](https://exchange.xforce.ibmcloud.com/hub). +After downloading the Stealthbits File Activity Monitor App for QRadar, follow the steps to install +it within QRadar. + +**Step 1 –** Click on the Admin tab within QRadar. + +**Step 2 –** Under System Configuration, click Extensions Management. 
+ +**Step 3 –** Click **Add** in the top-right corner of the window. Navigate to the location where you +downloaded the app, and select it. Check the Install Immediately checkbox, and then click Add. + +**Step 4 –** When the Validating Install window is finished processing, check the Overwrite option. +Then click **Install**. + +**Step 5 –** Close the Extensions Management window, and then select the File Activity Monitor tab +within QRadar. + +The File Activity Monitor tab will appear within QRadar. It is necessary for the QRadar SEC token to +be saved to the Settings interface of the **File Activity Monitor** App. See the +[Settings](/docs/activitymonitor/9.0/siem/qradar/settings.md) topic for additional information. + +## Initial Configuration of the QRadar App + +Follow the steps to configure QRadar to receive data from Netwrix products. + +**Step 1 –** Determine the IP Address of the QRadar Console, e.g. run the _ifconfig_ command. This +information is required for the following sections: + +- See the Syslog Tab section of the Netwrix Activity Monitor User Guide for information on + how to configure the Netwrix Activity Monitor to send data to QRadar. +- See the SIEM Tab section of the Netwrix Threat Prevention Admin Console User Guide for information on how + to configure Threat Prevention to send data to QRadar. + +**Step 2 –** Navigate to the **Admin** tab in the QRadar web interface and click Data Sources. + +**Step 3 –** Select Log Sources. + +**Step 4 –** View the Log Sources list. If the data source was not automatically created, click Add +and enter the following information: + +- Log Source Name – Enter a descriptive name to identify the data source +- Log Source Description – Enter a description of the data source +- Log Source Type – Netwrix Threat Prevention + - Use this source type for both the Netwrix Activity Monitor and Netwrix Threat Prevention. + +**Step 5 –** Test that the configuration is working correctly. 
Check the Log Activity page inside of +the web console for QRadar. There should be logs of events that are generated as soon as QRadar +starts receiving data. If there are no events, use a packet sniffer to ensure that packets are being +sent correctly between the hosts, and diagnose any possible network issues. + +- Protocol Configuration – Select Syslog +- Log Source Identifier – Enter the host name or IP Address of the host where the Netwrix + Activity Monitor agent OR Threat Prevention is installed +- Then click Save. Remember, prior to using the Netwrix File Activity Monitor App for QRadar, the + related Netwrix product must be configured to send data to QRadar. + +The  Netwrix File Activity Monitor App for QRadar can now display activity data from either the + Netwrix Activity Monitor or Netwrix Threat Prevention. diff --git a/docs/activitymonitor/9.0/siem/qradar/settings.md b/docs/activitymonitor/9.0/siem/qradar/settings.md new file mode 100644 index 0000000000..d6760cd22d --- /dev/null +++ b/docs/activitymonitor/9.0/siem/qradar/settings.md @@ -0,0 +1,15 @@ +--- +title: "Settings" +description: "Settings" +sidebar_position: 20 +--- + +# Settings + +Use the gear icon next to the **Search** box to open the **Settings** interface. It is necessary for +the QRadar SEC token to be saved to the **Settings** interface. + +![Settings for Netwrix Activity Monitor App for QRadar](/images/activitymonitor/9.0/siem/qradar/settings.webp) + +The **More information** link will open the IBM Knowledge Center with information on generating the +QRadar SEC token. Once the token is generated, copy and paste it here and click Save. diff --git a/docs/activitymonitor/9.0/siem/splunk/_category_.json b/docs/activitymonitor/9.0/siem/splunk/_category_.json new file mode 100644 index 0000000000..e9b549fb3f --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "File Activity Monitor App for Splunk", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/siem/splunk/app/_category_.json b/docs/activitymonitor/9.0/siem/splunk/app/_category_.json new file mode 100644 index 0000000000..dd71e85b85 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/app/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "File Activity Monitor App for Splunk", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "app" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/siem/splunk/app/app.md b/docs/activitymonitor/9.0/siem/splunk/app/app.md new file mode 100644 index 0000000000..f44cddf87b --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/app/app.md @@ -0,0 +1,18 @@ +--- +title: "File Activity Monitor App for Splunk" +description: "File Activity Monitor App for Splunk" +sidebar_position: 10 +--- + +# File Activity Monitor App for Splunk + +Netwrix File Activity Monitor App for Splunk contains several predefined dashboards: File +Activity (Overview), Ransomware, Permission Changes, and Deletions. + +![file_activity_monitor_app](/images/activitymonitor/9.0/siem/splunk/file_activity_monitor_app.webp) + +The date time search feature uses the default Splunk search features. + +The timeframe interval is identified in the upper-left corner of each dashboard. The drop-down menu +provides additional options. To search within a different interval, choose a new option from the +menu. Then click **Submit** to refresh the card data. diff --git a/docs/activitymonitor/9.0/siem/splunk/app/deletions.md b/docs/activitymonitor/9.0/siem/splunk/app/deletions.md new file mode 100644 index 0000000000..7a67f53482 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/app/deletions.md 
@@ -0,0 +1,20 @@ +--- +title: "Deletions Dashboard" +description: "Deletions Dashboard" +sidebar_position: 40 +--- + +# Deletions Dashboard + +View deletion information in the Deletions Dashboard for Splunk. + +![Deletions Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/deletionsdashboard.webp) + +The Deletions dashboard contains the following cards: + +- Activity – Timeline of all deletion events in the specified timeframe +- Top Users – Displays up-to the top five users related to deletion events which have been recorded + in the specified timeframe +- Latest Events – Tabular format of all deletion events recorded in the specified timeframe + +The specified timeframe is set by default to the Last 24 hours, or past day. diff --git a/docs/activitymonitor/9.0/siem/splunk/app/overview.md b/docs/activitymonitor/9.0/siem/splunk/app/overview.md new file mode 100644 index 0000000000..bafd3690dc --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/app/overview.md 
@@ -0,0 +1,25 @@ +--- +title: "Overview Dashobard" +description: "Overview Dashobard" +sidebar_position: 10 +--- + +# Overview Dashobard + +View general information on the Overview Dashboard for Splunk. + +![Overview Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/overviewdashboard.webp) + +The File System Activity Overview dashboard contains the following cards: + +- Active Users – Number of users involved with file system events in the specified timeframe +- Active Servers – Number of servers involved with file system events in the specified timeframe +- File Activity – Timeline of all file system events in the specified timeframe +- Top Users – Displays up-to the top five users addresses related to file system events which have + been recorded in the specified timeframe +- Top Servers – Displays up-to the top five client IP addresses/host names related to file system + events which have been recorded in the specified timeframe +- Latest Events – Tabular format of all file system change events which have been recorded in the + specified timeframe + +The specified timeframe is set by default to the Last 24 hours, or past day. diff --git a/docs/activitymonitor/9.0/siem/splunk/app/permissionchanges.md b/docs/activitymonitor/9.0/siem/splunk/app/permissionchanges.md new file mode 100644 index 0000000000..8a1e47e6ba --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/app/permissionchanges.md 
@@ -0,0 +1,20 @@ +--- +title: "Permission Changes Dashboard" +description: "Permission Changes Dashboard" +sidebar_position: 30 +--- + +# Permission Changes Dashboard + +View information on permissions changes on the through the Permission Changes Dashboard for Splunk. + +![Permission Changes Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/permissionchangesdashboard.webp) + +The Permission Changes dashboard contains the following cards: + +- Activity – Timeline of all permission change events in the specified timeframe +- Top Users – Displays up-to the top five users related to permission change events which have been + recorded in the specified timeframe +- Latest Events – Tabular format of all permission change events recorded in the specified timeframe + +The specified timeframe is set by default to the Last 24 hours, or past day. diff --git a/docs/activitymonitor/9.0/siem/splunk/app/ransomware.md b/docs/activitymonitor/9.0/siem/splunk/app/ransomware.md new file mode 100644 index 0000000000..062c50fecf --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/app/ransomware.md 
@@ -0,0 +1,21 @@ +--- +title: "Ransomware Dashboard" +description: "Ransomware Dashboard" +sidebar_position: 20 +--- + +# Ransomware Dashboard + +View information on ransomware using the Ransomware Dashboard for Splunk. + +![Ransomware Dashboard for Netwrix Activity Monitor App for Splunk](/images/activitymonitor/9.0/siem/splunk/dashboard/ransomwaredashboard.webp) + +The Ransomware dashboard contains the following cards: + +- Number of Potential Perpetrators – Number of users involved with events tied to outliers +- Number of Outliers – Number of outliers by count of file/folder update events +- Outliers by Count of File/Folder Updates – Graph of expected values for count of file/folder + update events (blue area) and calculated outliers (red dots) +- Outliers by Count of File/Folder Updates Details – Breakdown of outliers by users involved in each + outlier and percent of events by user +- Outlier Events – Tabular format of all file system change events related to outliers diff --git a/docs/activitymonitor/9.0/siem/splunk/overview.md b/docs/activitymonitor/9.0/siem/splunk/overview.md new file mode 100644 index 0000000000..6c1ac1a719 --- /dev/null +++ b/docs/activitymonitor/9.0/siem/splunk/overview.md 
@@ -0,0 +1,87 @@ +--- +title: "File Activity Monitor App for Splunk" +description: "File Activity Monitor App for Splunk" +sidebar_position: 20 +--- + +# File Activity Monitor App for Splunk + +Netwrix File Activity monitoring solutions enable organizations to successfully, efficiently, +and affordably monitor file access and permission changes across Windows and Network Attached +Storage (NAS) file systems in real-time. Using the preconfigured Netwrix File Activity Monitor +App for Splunk, users can quickly understand all file activities as a whole, for specific resources +or users, as well as patterns of activity indicative of threats such as crypto ransomware or data +exfiltration attempts. With full control over the data, users can create custom searches, all while +enabling Splunk to correlate file system activity with any log source. + +This document describes how to integrate Netwrix products with the Netwrix File Activity +Monitor App for Splunk found in Splunkbase. Any Netwrix product can be configured to monitor file +system activity and send the monitored events to Splunk. After installing this app, ensure that +either theActivity Monitor, Threat Prevention, or Access Analyzer has been configured to send events +to Splunk. See the product user guide on the +[Netwrix Technical Knowledge Center](https://helpcenter.netwrix.com/) for additional information. + +## App Installation in Splunk + +After downloading the Netwrix File Activity Monitor App for Splunk from [Splunkbase](https://splunkbase.splunk.com/), follow the +[guide](https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons) provided by +Splunk to install the app. 
+ +:::note +In order to use the Ransomware dashboard within the app, install +[Splunk User Behavior Analytics](https://www.splunk.com/en_us/products/premium-solutions/user-behavior-analytics.html) +(any version) and the [Machine Learning Toolkit](https://splunkbase.splunk.com/app/2890/) app for +Splunk (version 2.0.0+). +::: + + +The Netwrix: File Activity Monitor tab will appear within the Splunk web interface. Once +installation of the Netwrix File Activity Monitor App for Splunk is complete, it must be +configured to receive data from either theActivity Monitor or Threat Prevention. + +## Initial Configuration of the Splunk App + +Follow the steps to configure Splunk to receive data from Netwrix products. + +**Step 1 –** Determine the IP Address of the Splunk Console, e.g. run the ifconfig command. This +information is required for the following sections: + +- See the Syslog Tab section in the + [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) + for information on how to configure the Activity Monitor to send data to QRadar. +- See the SIEM Tab section in the + [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) + for information on how to configure Threat Prevention to send data to QRadar. + +**Step 2 –** Navigate to the Settings menu in the Splunk web interface and click Data Inputs. + +**Step 3 –** Select UDP. + +**Step 4 –** Click New and add a new data input with Port 514. If another Splunk UDP input is +already using 514, another value (515 or higher) can be used as long as it is not blocked by the +network. Remember to configure the port within the Netwrix product configuration to align with +this change. + +**Step 5 –** Click Next. 
+ +**Step 6 –** Under Input Settings, enter the following information: + +- Source Type – Enter one of the following options: + - For data coming from the Netwrix Activity Monitor – NAM + - For data coming from Threat Prevention – ThreatPrevention +- App context – Select Search and Reporting +- Host – Select IP +- Index – Select Default + +**Step 7 –** Review and save the new settings. Remember, prior to using the Netwrix File +Activity Monitor App for Splunk, the related Netwrix products must be configured to send data to +Splunk. + +**Step 8 –** Test that the configuration is working correctly. Check the **Search and Reporting** +app inside of the web console for Splunk (search for **NAM or ThreatPrevention**). There should be +logs of events which are generated as soon as Splunk starts receiving data. If there are no events, +use a packet sniffer to ensure that packets are being sent correctly between the hosts, and diagnose +any possible network issues. + +The Netwrix File Activity Monitor App for Splunk can now display activity data from either the +Netwrix Activity Monitor or Netwrix Threat Prevention. diff --git a/docs/activitymonitor/9.0/troubleshooting/_category_.json b/docs/activitymonitor/9.0/troubleshooting/_category_.json new file mode 100644 index 0000000000..53642bd87a --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Troubleshooting and Maintenance", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/troubleshooting/antivirusexclusions.md b/docs/activitymonitor/9.0/troubleshooting/antivirusexclusions.md new file mode 100644 index 0000000000..1ea8abd565 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/antivirusexclusions.md 
@@ -0,0 +1,75 @@ +--- +title: "Antivirus Exclusions" +description: "Antivirus Exclusions" +sidebar_position: 30 +--- + +# Antivirus Exclusions + +Windows activity monitoring and performance of the Activity Agent may be negatively affected by +antivirus protections. Add the following components to antivirus exclusions in order to avoid +potential performance degradation. + +## Directories + +The following directories can be added to antivirus exclusions: + +- `` — Agent installation directory. Default path is + `%ProgramFiles%\Netwrix\Activity Monitor\Agent`. The agent stores binaries and install files in + this location. +- `` — Agent configuration directory. Default path is + `%ProgramData%\Netwrix\Activity Monitor\Agent`. The agent stores configuration, and debug log + files in this location. +- `\ActivityLogs` — Default location for collected activity files. If files are stored in + a separate location, specify the user-designated directory instead of the default location. +- `\Data` — Various temporary data files, which may be actively updated. + +## Binary Files + +The following binary files can be added to antivirus exclusions: + +- Common Exclusions + + - `\net472\FSACLoggingSvc.exe` — Logging service. Forwards events to files, syslog, AMQP. + - `\ConfigurationAgent.Grpc.Host.exe` — Netwrix Activity Monitor Agent service + + +- Active Directory Monitoring + + - `\MonitorService.exe` — Active Directory monitoring service + - `%ProgramFiles%\Netwrix\Netwrix Threat Prevention\SIWindowsAgent.exe` — Active Directory Module + service. 
+ +- Dell Celerra/VNX, Isilon/PowerScale, PowerStore, and Unity Monitoring + + - `\net472\CelerraServerSvc.exe` — Dell Monitoring service + +- Hitachi Monitoring + + - `\net472\HitachiService.exe` — Hitachi HNAS monitoring service + +- Microsoft Entra ID, SharePoint Online, and Exchange Online Monitoring + + - `\MonitorService.exe` — Microsoft Entra ID monitoring service + +- NetApp Monitoring + + - `\net472\FPolicyServerSvc.exe` — NetApp Monitoring service + +- Nasuni, Panzura, Nutanix Files, Qumulo, CTERA, Cohesity SmartFiles Monitoring + + - `\MonitorService.exe` — NAS monitoring service + +- SharePoint Monitoring + + - `\net472\MonitorService.exe` — SharePoint 2016, 2019, Subscription monitoring service + - `\net40\MonitorService.exe` — SharePoint 2013 monitoring service + +- SQL Server Monitoring + + - `\net472\MonitorService.exe` — SQL Server monitoring service + +- Windows Monitoring + + - `%SystemRoot%\System32\drivers\SBTFSF.sys` — The File System filter driver + - `%ProgramFiles%\Stealthbits\StealthAUDIT\FSAC\SBTService.exe` — Windows File System monitoring service. diff --git a/docs/activitymonitor/9.0/troubleshooting/backuprestore/_category_.json b/docs/activitymonitor/9.0/troubleshooting/backuprestore/_category_.json new file mode 100644 index 0000000000..129e47789f --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/backuprestore/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Backup & Restoration", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentbackup.md b/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentbackup.md new file mode 100644 index 0000000000..a0deae0209 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentbackup.md 
@@ -0,0 +1,59 @@ +--- +title: "Agent Backup" +description: "Agent Backup" +sidebar_position: 10 +--- + +# Agent Backup + +Follow the steps to back up the configuration, passwords, Active Directory event data file, and +activity log files for Activity Monitor Agents deployed on file system servers, SharePoint servers, +and domain controllers. + +**Configuration** + +**Step 1 –** Back up the `SBTFileMon.ini` file. The default location is + +**C:\ProgramData\Netwrix\Activity Monitor\Agent\SBTFileMon.ini** + +The location of the `SBTFileMon.ini` is determined by the registry value: + +`HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters`, value `ConfigPath`. + +**Step 2 –** Back up passwords + +> Passwords are stored in the `SBTFileMon.ini` file in an encrypted form using DPAPI. They can only +> be decrypted on the same Windows server. To be able to restore the configuration of a different +> server, back up the passwords separately. This includes the following: + +- Credentials for Agent +- Credentials for Monitored Hosts/Services +- Credentials for Archive + +**Active Directory Event Data File** + +**Step 3 –** On a domain controller, back up the `SAMConfig.xml` file. The default location is: + +**C:\Program Files\Netwrix\Netwrix Threat Prevention\SIWindowsAgent** + +The location of the file is determined by the registry value +`HKLM\SOFTWARE\Netwrix\Netwrix Threat Prevention`, value `Installdir`. Append +`SIWindowsAgent` to the value of `Installdir`. + +**Activity Log Files** + +**Step 4 –** Back up the log files stored on the local drive and on the archival network share. The +default folder is + +**C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs** + +:::note +Keep in mind that` C:\ProgramData` folder may be hidden. Navigate to it by typing +`%ALLUSERSPROFILE%` in the File Explorer. +::: + + +The location of the files depend on the configuration and whether the archiving is enabled. 
See the +[Archiving Tab](/docs/activitymonitor/9.0/admin/agents/properties/archiving.md) topic for additional information. + +All key components necessary for data recovery have now been backed up for the agents. diff --git a/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentrestore.md b/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentrestore.md new file mode 100644 index 0000000000..52f1a33797 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentrestore.md @@ -0,0 +1,37 @@ +--- +title: "Agent Restoration" +description: "Agent Restoration" +sidebar_position: 20 +--- + +# Agent Restoration + +Follow the steps to restore the configuration, Active Directory configuration file, and activity log +files for Activity Monitor Agents deployed on file system servers, SharePoint servers, and domain +controllers. + +:::warning +Restore the agent before restoring the console to ensure connectivity and monitoring +functionality +::: + + +**Step 1 –** Reinstall the Activity Monitor Agents. + +**Step 2 –** Replace the `SBFileMon.ini` file with the backed up configuration file. + +**Step 3 –** Replace the `SAMConfig.xml` file with the backed up Active Directory event data file. + +**Step 4 –** Disable all activity monitoring on the Monitored Hosts & Services and Monitored Domains page. + +**Step 5 –** Use the Console to update the passwords if the agent is restored on a different server. + +**Step 6 –** Use the Console to update the archive password, or the archive location if the location +is moved. + +**Step 7 –** Restore the log files with the backed up activity log files. + +**Step 8 –** Enable all activity monitoring. + +The configuration, Active Directory event data file, and activity log files are now restored on the +Activity Monitor Agents. 
diff --git a/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolebackup.md b/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolebackup.md new file mode 100644 index 0000000000..f0e06eeb35 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolebackup.md @@ -0,0 +1,25 @@ +--- +title: "Console Backup" +description: "Console Backup" +sidebar_position: 30 +--- + +# Console Backup + +Follow the steps to back up the list of agents managed on the Activity Monitor Console. + +**Step 1 –** Back up the configuration file: + +**%ALLUSERSPROFILE%\Netwrix\Activity Monitor\Console\Agents.ini** + +**Step 2 –** Back up the license file: + +**%ALLUSERSPROFILE%\Netwrix\Activity Monitor\Console\FileMonitor.lic** + +**Step 3 –** Back up passwords. + +Credentials for the agents are stored in the `Agents.ini` file in an encrypted form using PSAPI. +They can only be decrypted on the same Windows workstation. To be able to restore the configuration +on a different workstation, back up the passwords separately. + +All key components necessary for data recovery have now been backed up for the console. diff --git a/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolerestore.md b/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolerestore.md new file mode 100644 index 0000000000..3bdb18b487 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolerestore.md @@ -0,0 +1,19 @@ +--- +title: "Console Restoration" +description: "Console Restoration" +sidebar_position: 40 +--- + +# Console Restoration + +Follow the steps to restore the list of agents managed on the Activity Monitor Console. + +**Step 1 –** Restore `Agents.ini` file. + +**Step 2 –** Restore `FileMonitor.lic` file. + +**Step 3 –** Start the console. + +**Step 4 –** Update the passwords if the console is restored on a different workstation. + +The Activity Monitor Console can now connect to deployed agents. 
diff --git a/docs/activitymonitor/9.0/troubleshooting/backuprestore/overview.md b/docs/activitymonitor/9.0/troubleshooting/backuprestore/overview.md new file mode 100644 index 0000000000..05f8e8a7e8 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/backuprestore/overview.md @@ -0,0 +1,26 @@ +--- +title: "Backup & Restoration" +description: "Backup & Restoration" +sidebar_position: 50 +--- + +# Backup & Restoration + +The Netwrix Activity Monitor is comprised of the following components: + +- Activity Monitor Console - Controls configuration settings. See the + [Administration](/docs/activitymonitor/9.0/admin/overview.md) topic for additional information. +- Deployed Agents - Monitor targeted servers and domains. See the + [Agent Information](/docs/activitymonitor/9.0/install/agents/agents.md) topic for additional information. + +The configuration settings are stored on individual agents, and the console stores which agents have +been deployed. Agents also store activity log files of monitored environments, which can optionally +be stored on a network share. This document describes the process for backing up and restoring the +Activity Monitor Console and the activity agents. + +The sections in this document are: + +- [Agent Backup](/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentbackup.md) +- [Agent Restoration](/docs/activitymonitor/9.0/troubleshooting/backuprestore/agentrestore.md) +- [Console Backup](/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolebackup.md) +- [Console Restoration](/docs/activitymonitor/9.0/troubleshooting/backuprestore/consolerestore.md) diff --git a/docs/activitymonitor/9.0/troubleshooting/credentialpasswords.md b/docs/activitymonitor/9.0/troubleshooting/credentialpasswords.md new file mode 100644 index 0000000000..00d3422b22 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/credentialpasswords.md 
@@ -0,0 +1,84 @@ +--- +title: "Update Credential Passwords" +description: "Update Credential Passwords" +sidebar_position: 10 +--- + +# Update Credential Passwords + +Credential passwords occasionally need to be updated due to various reasons, such as security +policies that require passwords to be reset on a regular basis. The following types of credentials +may be impacted by password changes or security policies: + +- Agent and Domain Controller User Account +- Archive User Account +- Panzura MQ Protection +- Monitored Host User Account +- Active Directory Domain / DC User Account +- Agent Inactivity Alerts Email Credentials +- Monitored Host Inactivity Alerts Email Credentials + +## Agent and Domain Controller User Account + +The Active Directory Domain / DC User Account is used to run the actions performed by the agent. The +account can be updated in the agent properties under the **Connection** tab. + +:::note +If the AD monitoring account is changed, all accounts on the domain controllers will need +to be updated as well. +::: + + +![Agent User Account Credentials](/images/activitymonitor/9.0/troubleshooting/agentuseraccount.webp) + +See the [Connection Tab](/docs/activitymonitor/9.0/admin/agents/properties/connection.md) topic for additional information. + +## Archive User Account + +The Archive User Account is used to store log files from the agent and store them on a remote server +or share. The credentials can be updated in the agent properties under the **Archiving** tab. + +![Archive User Account Credentials](/images/activitymonitor/9.0/troubleshooting/archiveuseraccount.webp) + +See the [Archiving Tab](/docs/activitymonitor/9.0/admin/agents/properties/archiving.md) topic for additional information. + +## Panzura MQ Protection + +The Panzura MQ Protection Credentials are used to send activity to the Activity Monitor agent. The +credentials can be updated in the agent properties under the **Panzura** tab. 
+ +![Panzura MQ Protection Account Credentials](/images/activitymonitor/9.0/troubleshooting/panzuramqprotectionaccount.webp) + +See the [Panzura Tab](/docs/activitymonitor/9.0/admin/agents/properties/panzura.md) topic for additional information. + +## Monitored Host User Credentials + +The Monitored Host User Credentials is used to connect to the monitored host device and send +activity to the agent. The credentials can be updated in monitored host properties. Select a host +under the **Monitored Host** tab. Then, click the **Edit** button to update the account credentials. + +![Monitored Host User Account](/images/activitymonitor/9.0/troubleshooting/monitoredhostuseraccount.webp) + +See the [Nutanix Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/nutanix.md) topic for additional +information. + +## Agent Inactivity Alerts Email Account + +The Agent Inactivity Alerts Email Account is used to automate email alerts for inactivity detected +by the agent. It can be updated in agent properties under **Inactivity Alerts** tab then Email +Alerts. This can also be changed in the monitored host properties. + +![agentinactivityalertsemailcredentials](/images/activitymonitor/9.0/troubleshooting/agentinactivityalertsemailcredentials.webp) + +See the [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/agents/properties/inactivityalerts.md) topic for additional +information. + +## Monitored Host Inactivity Alerts Email Account + +The Monitored Host Inactivity Alerts Email Account are used to automate email alerts for inactivity +detected by the monitored host. The credentials can be updated in the monitored **Host Properties**. + +![Monitored Host Inactivity Alerts Email Credentials Page](/images/activitymonitor/9.0/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp) + +See the [Inactivity Alerts Tab](/docs/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalerts.md) topic for +additional information. 
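Review bot: in credentialpasswords.md the credential list at the top does not match the sections that follow: the list has seven items, including both "Agent and Domain Controller User Account" and "Active Directory Domain / DC User Account", but there are six sections, and the section headed "Agent and Domain Controller User Account" opens with "The Active Directory Domain / DC User Account is used to run the actions performed by the agent". Either merge the two list items or add the missing section, and align the remaining names ("Monitored Host User Account" vs. heading "Monitored Host User Credentials"; "Agent Inactivity Alerts Email Credentials" vs. heading "Agent Inactivity Alerts Email Account"). Grammar: "The Monitored Host User Credentials is used" and "The Monitored Host Inactivity Alerts Email Account are used" have subject/verb disagreement, and "used to store log files from the agent and store them on a remote server or share" repeats "store". The Monitored Host User Credentials section applies to monitored hosts generally but links only to the Nutanix Tab topic; link the monitored host properties topic that applies to all host types, or say why Nutanix is singled out.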
diff --git a/docs/activitymonitor/9.0/troubleshooting/overview.md b/docs/activitymonitor/9.0/troubleshooting/overview.md new file mode 100644 index 0000000000..cf675f1bf8 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/overview.md @@ -0,0 +1,16 @@ +--- +title: "Troubleshooting and Maintenance" +description: "Troubleshooting and Maintenance" +sidebar_position: 50 +--- + +# Troubleshooting and Maintenance + +This section provides an overview of troubleshooting and maintenance steps and processes for +Activity Monitor. See the following topics for additional information: + +- [Update Credential Passwords](/docs/activitymonitor/9.0/troubleshooting/credentialpasswords.md) +- [Trace Logs](/docs/activitymonitor/9.0/troubleshooting/tracelogs.md) +- [Antivirus Exclusions](/docs/activitymonitor/9.0/troubleshooting/antivirusexclusions.md) +- [Performance Monitoring](/docs/activitymonitor/9.0/troubleshooting/performancemonitoring.md) +- [Backup & Restoration](/docs/activitymonitor/9.0/troubleshooting/backuprestore/overview.md) diff --git a/docs/activitymonitor/9.0/troubleshooting/performancemonitoring.md b/docs/activitymonitor/9.0/troubleshooting/performancemonitoring.md new file mode 100644 index 0000000000..1d10293ce7 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/performancemonitoring.md 
@@ -0,0 +1,346 @@ +--- +title: "Performance Monitoring" +description: "Performance Monitoring" +sidebar_position: 40 +--- + +# Performance Monitoring + +This topic provides a list of Activity Monitor performance counters and standard system-wide +performance counters (Memory and CPU usage, TCP disconnections, etc) that are recommended for +Activity Monitor performance monitoring. These performance counters can help diagnose performance +issues. + +## Performance Counters + +The following performance counters are provided by Activity Monitor. + +| Category | Recommended | Counter | Description | +| ------------------ | ----------- | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| NetApp | ✔ | Activity Monitor - NetApp\Events Received | Number of events received from NetApp | +| NetApp | ✔ | Activity Monitor - NetApp\Events Received/sec | Rate at which events are received from NetApp | +| NetApp | ✔ | Activity Monitor - NetApp\Events Reported | Number of events passed the filters and being reported to outputs | +| NetApp | ✔ | Activity Monitor - NetApp\Events Reported/sec | Rate at which events are reported to outputs | +| NetApp | ✔ | Activity Monitor - NetApp\Session Negotiated | Number of connections established with ONTAP cluster nodes | +| NetApp | ✔ | Activity Monitor - NetApp\Active Connections | Number of active connections with ONTAP cluster nodes | +| NetApp | | Activity Monitor - NetApp\Outage Files | Number of outage (resilience) files processed | +| NetApp | ✔ | Activity Monitor - NetApp\Overloaded | Number of times the agent was overloaded and had to limit the rate of events. 
This counter may increase from time to time when processing large batches of events. But if it keeps increasing, it is a sure sign that the agent is not coping with the load. Consider moving some SVMs to another agent or spreading the load from one SVM across multiple agents. | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Received | Number of events received from CEE | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Received/sec | Rate at which events are received from CEE | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Reported | Number of events passed the filters and being reported to outputs | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Events Reported/sec | Rate at which events are reported to outputs | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Queue Size | Number of events received from CEE and waiting in queue to be processed | +| VNX, Isilon, Unity | ✔ | Activity Monitor - Dell\Receive Throttling | Delay, in milliseconds, introduced to manage the queue | +| Outputs | ✔ | Activity Monitor - Outputs\Events Reported | Total number of events reported | +| Outputs | ✔ | Activity Monitor - Outputs\Events Reported/sec | Rate at which events are reported | +| Outputs | | Activity Monitor - Outputs\Events Reported to Files | Total number of events reported to log files | +| Outputs | | Activity Monitor - Outputs\Events Reported to Syslog | Total number of events reported to syslog servers | +| Outputs | | Activity Monitor - Outputs\Events Reported to AMQP | Total number of events reported to AMQP servers (not used currently) | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs | Number of attempts, both successful and failed, to resolve SIDs to names | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs/sec | Rate at which SIDs are resolved to names | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs Failures | Number of failed attempts to resolve SIDs to names | +| Outputs | ✔ | Activity 
Monitor - Outputs\Resolved SIDs Avg Time | The moving average length of time, in microseconds, per a SID to name translation | +| Outputs | ✔ | Activity Monitor - Outputs\Resolved SIDs Max Time | The moving maximum length of time, in microseconds, per a SID to name translation | +| Outputs | | Activity Monitor - Outputs\Translated UIDs | Number of attempts, both successful and failed, to translate UIDs to SIDs | +| Outputs | | Activity Monitor - Outputs\Translated UIDs/sec | Rate at which UIDs are translated to SIDs | +| Outputs | | Activity Monitor - Outputs\Translated UIDs Failures | Number of failed attempts to translate UIDs to SIDs | +| Outputs | | Activity Monitor - Outputs\Translated UIDs Avg Time | The moving average length of time, in microseconds, per a UID to SID translation | +| Outputs | | Activity Monitor - Outputs\Translated UIDs Max Time | The moving maximum length of time, in microseconds, per a UID to SID translation | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries | Number of DNS queries, both successful and failed | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries/sec | Rate at which DNS queries are executed | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries Failures | Number of failed DNS queries | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries Avg Time | The moving average length of time, in microseconds, per a DNS query | +| Outputs | ✔ | Activity Monitor - Outputs\DNS Queries Max Time | The moving maximum length of time, in microseconds, per a DNS query | + +:::note +DNS and AD queries typically contribute the most to the processing time. Since the +resolution occurs in real time, slow responses can affect throughput (A 100ms DNS response limits +the throughput to 10 events per second). Observing average and maximum values of DNS Queries Time, +Resolved SIDs Time, and Translated UIDs Time allows you to estimate the response time. 
+::: + + +## Recommended System Performance Counters + +In addition to the Activity Monitor performance counters, it is recommended to use the following +performance counters: + +| Counter | Notes | +| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Processor(\_Total)\% Processor Time | The percentage of elapsed time that the processor spends to execute a non-Idle thread. | +| Memory\Available MBytes | The amount of physical memory, in Megabytes, immediately available for allocation to a process or for system use. | +| Paging File(\_Total)\% Usage | The percentage of the paging file that is currently in use. | +| TCPv4\Connections Reset | The rate of reset TCPv4 connections | +| TCPv4\Segments Received/sec | The quantity of segments received via TCPv4 per second. | +| TCPv4\Segments Retransmitted/Sec | Quantity of segments retransmitted via TCPv4 per second. | +| TCPv6\Segments Received/sec | The quantity of segments received via TCPv6 per second. | +| TCPv6\Segments Retransmitted/Sec | Quantity of segments retransmitted via TCPv6 per second. | +| Network Interface(\*)\Bytes Received/sec | From all network adapters: The rate at which bytes are received. | +| Network Interface(\*)\Bytes Sent/sec | From all network adapters: The rate at which bytes are sent. | +| Network Interface(\*)\Output Queue Length | From all network adapters: The length of the output packet queue (in packets). | +| Network Interface(\*)\Packets Received Discarded | From all network adapters: The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. | +| Network Interface(\*)\Packets Received Errors | From all network adapters: The number of inbound packets that contained errors. 
As a result, the errored packets were not delivered to a higher-layer protocol. | +| Process(ConfigurationAgent.Grpc.Host)\% Processor Time | For Agent: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(ConfigurationAgent.Grpc.Host)\Elapsed Time | For Agent: The duration from when the process was started until the time it terminated. | +| Process(ConfigurationAgent.Grpc.Host)\Handle Count | For Agent: The number of operating system handles the process has opened. | +| Process(ConfigurationAgent.Grpc.Host)\Thread Count | For Agent: The set of threads that are running in the associated process. | +| Process(ConfigurationAgent.Grpc.Host)\Private Bytes | For Agent: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(ConfigurationAgent.Grpc.Host)\Working Set | For Agent: The associated process's physical memory usage, in bytes. | +| Process(ConfigurationAgent)\% Processor Time | For Agent version 6.0 and earlier: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(ConfigurationAgent)\Elapsed Time | For Agent version 6.0 and earlier: The duration from when the process was started until the time it terminated. | +| Process(ConfigurationAgent)\Handle Count | For Agent version 6.0 and earlier: The number of operating system handles the process has opened. | +| Process(ConfigurationAgent)\Thread Count | For Agent version 6.0 and earlier: The set of threads that are running in the associated process. | +| Process(ConfigurationAgent)\Private Bytes | For Agent version 6.0 and earlier: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(ConfigurationAgent)\Working Set | For Agent version 6.0 and earlier: The associated process's physical memory usage, in bytes. 
| +| Process(SBTService)\% Processor Time | For Windows Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(SBTService)\Elapsed Time | For Windows Monitoring: The duration from when the process was started until the time it terminated. | +| Process(SBTService)\Handle Count | For Windows Monitoring: The number of operating system handles the process has opened. | +| Process(SBTService)\Thread Count | For Windows Monitoring: The set of threads that are running in the associated process. | +| Process(SBTService)\Private Bytes | For Windows Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(SBTService)\Working Set | For Windows Monitoring: The associated process's physical memory usage, in bytes. | +| Process(FPolicyServerSvc)\% Processor Time | For NetApp Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(FPolicyServerSvc)\Elapsed Time | For NetApp Monitoring: The duration from when the process was started until the time it terminated. | +| Process(FPolicyServerSvc)\Handle Count | For NetApp Monitoring: The number of operating system handles the process has opened. | +| Process(FPolicyServerSvc)\Thread Count | For NetApp Monitoring: The set of threads that are running in the associated process. | +| Process(FPolicyServerSvc)\Private Bytes | For NetApp Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(FPolicyServerSvc)\Working Set | For NetApp Monitoring: The associated process's physical memory usage, in bytes. | +| Process(HitachiService)\% Processor Time | For Hitachi Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. 
| +| Process(HitachiService)\Elapsed Time | For Hitachi Monitoring: The duration from when the process was started until the time it terminated. | +| Process(HitachiService)\Handle Count | For Hitachi Monitoring: The number of operating system handles the process has opened. | +| Process(HitachiService)\Thread Count | For Hitachi Monitoring: The set of threads that are running in the associated process. | +| Process(HitachiService)\Private Bytes | For Hitachi Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(HitachiService)\Working Set | For Hitachi Monitoring: The associated process's physical memory usage, in bytes. | +| Process(CelerraServerSvc)\% Processor Time | For Dell Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(CelerraServerSvc)\Elapsed Time | For Dell Monitoring: The duration from when the process was started until the time it terminated. | +| Process(CelerraServerSvc)\Handle Count | For Dell Monitoring: The number of operating system handles the process has opened. | +| Process(CelerraServerSvc)\Thread Count | For Dell Monitoring: The set of threads that are running in the associated process. | +| Process(CelerraServerSvc)\Private Bytes | For Dell Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(CelerraServerSvc)\Working Set | For Dell Monitoring: The associated process's physical memory usage, in bytes. | +| Process(FSACLoggingSvc)\% Processor Time | For Logging Service: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(FSACLoggingSvc)\Elapsed Time | For Logging Service: The duration from when the process was started until the time it terminated. 
| +| Process(FSACLoggingSvc)\Handle Count | For Logging Service: The number of operating system handles the process has opened. | +| Process(FSACLoggingSvc)\Thread Count | For Logging Service: The set of threads that are running in the associated process. | +| Process(FSACLoggingSvc)\Private Bytes | For Logging Service: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(FSACLoggingSvc)\Working Set | For Logging Service: The associated process's physical memory usage, in bytes. | +| Process(MonitorService)\% Processor Time | For Other, Different Device Monitoring: The percentage of elapsed time that all of process threads used the processor to execution instructions. | +| Process(MonitorService)\Elapsed Time | For Other, Different Device Monitoring: The duration from when the process was started until the time it terminated. | +| Process(MonitorService)\Handle Count | For Other, Different Device Monitoring: The number of operating system handles the process has opened. | +| Process(MonitorService)\Thread Count | For Other, Different Device Monitoring: The set of threads that are running in the associated process. | +| Process(MonitorService)\Private Bytes | For Other, Different Device Monitoring: The total amount of memory that a process has allocated, not including memory shared with other processes. | +| Process(MonitorService)\Working Set | For Other, Different Device Monitoring: The associated process's physical memory usage, in bytes. | + +## Register Performance Counters + +The Activity Monitor performance counters are not registered by default and must be registered +manually. + +Follow the steps to register the Activity Monitor performance counters on each SAM Agent server. + +**Step 1 –** Run `cmd.exe` as Administrator. + +**Step 2 –** Change current directory to the agent installation folder +(`C:\Program Files\Netwrix\Activity Monitor\Agent`). 
+ +**cd "C:\Program Files\Netwrix\Activity Monitor\Agent"** + +**Step 3 –** Register the performance counters manifest file. + +**lodctr /M:PerfCounters.man** + +Expected output: Info: Successfully installed performance counters in +`C:\Program Files\Netwrix\Activity Monitor\Agent\PerfCounters.man` + +**Step 4 –** Restart the services: + +**sc stop SBFileMonAgentSvc** + +sc stop FPolicyServerSvc + +**sc stop CelerraServerSvc** + +sc stop SBTLoggingSvc + +**sc start SBFileMonAgentSvc** + +## Collect Performance Data + +The performance data can be observed or saved using any tool capable of collecting performance +counters. For example, Performance Monitor. + +:::note +The following script is only compatible with PowerShell 5.X and previous versions. Using +PowerShell 7.X requires Windows Performance Monitor to be configured to collect performance +counters. +::: + + +Below is a PowerShell script that collects the counters every second and stores them in +`perfcounters_SERVERNAME_TIMESTAMP.csv` files. The expected file size per day is about 50MB. + +Run the script on each agent server using the following command: + +**powershell -file AM.PerfCollect.ps1** + +To stop the script press **Ctrl+C**. 
+ +Script (save it to AM.PerfCollect.ps1): + +```powershell +$sampleInterval = 1 + +**$maxSamples = 0** + +$outputFile = "perfcounters_$($env:COMPUTERNAME)_$(Get-Date -Format "yyyy_MM_dd_HH_mm_ss").csv" + +**$counters =** + +@( + +**"\Processor(_Total)\% Processor Time"** + +,"\Memory\Available MBytes" + +**,"\Paging File(_Total)\% Usage"** + +,"\TCPv4\Connections Reset" + +**,"\TCPv4\Segments Received/sec"** + +,"\TCPv4\Segments Retransmitted/Sec" + +**,"\TCPv6\Connections Reset"** + +,"\TCPv6\Segments Received/sec" + +**,"\TCPv6\Segments Retransmitted/Sec"** + +,"\Network Interface(*)\Bytes Received/sec" + +**,"\Network Interface(*)\Bytes Sent/sec"** + +,"\Network Interface(*)\Output Queue Length" + +**,"\Network Interface(*)\Packets Received Discarded"** + +,"\Network Interface(*)\Packets Received Errors" + +**,"\Activity Monitor - NetApp\Events Received"** + +,"\Activity Monitor - NetApp\Events Received/sec" + +**,"\Activity Monitor - NetApp\Events Reported"** + +,"\Activity Monitor - NetApp\Events Reported/sec" + +**,"\Activity Monitor - NetApp\Session Negotiated"** + +,"\Activity Monitor - NetApp\Active Connections" + +**,"\Activity Monitor - NetApp\Outage Files"** + +,"\Activity Monitor - Dell\Events Received" + +**,"\Activity Monitor - Dell\Events Received/sec"** + +,"\Activity Monitor - Dell\Events Reported" + +**,"\Activity Monitor - Dell\Events Reported/sec"** + +,"\Activity Monitor - Dell\Queue Size" + +**,"\Activity Monitor - Dell\Receive Throttling"** + +,"\Process(FPolicyServerSvc)\% Processor Time" + +**,"\Process(FPolicyServerSvc)\Elapsed Time"** + +,"\Process(FPolicyServerSvc)\Handle Count" + +**,"\Process(FPolicyServerSvc)\Thread Count"** + +,"\Process(FPolicyServerSvc)\Private Bytes" + +**,"\Process(FPolicyServerSvc)\Working Set"** + +,"\Process(FSACLoggingSvc)\% Processor Time" + +**,"\Process(FSACLoggingSvc)\Elapsed Time"** + +,"\Process(FSACLoggingSvc)\Handle Count" + +**,"\Process(FSACLoggingSvc)\Thread Count"** + 
+,"\Process(FSACLoggingSvc)\Private Bytes" + +**,"\Process(FSACLoggingSvc)\Working Set"** + +,"\Process(CelerraServerSvc)\% Processor Time" + +**,"\Process(CelerraServerSvc)\Elapsed Time"** + +,"\Process(CelerraServerSvc)\Handle Count" + +**,"\Process(CelerraServerSvc)\Thread Count"** + +,"\Process(CelerraServerSvc)\Private Bytes" + +**,"\Process(CelerraServerSvc)\Working Set"** + +) + +**$variables = @{** + +SampleInterval = $sampleInterval + +**Counter = $counters** + +} + +**if ($maxSamples -eq 0) {** + +$variables.Add("Continuous", 1)} + +**else {** + +$variables.Add("MaxSamples", "$maxSamples") + +**}** + +Write-Host "Collecting performance counters to $outputFile... Press Ctrl+C to stop." + +Get-Counter @variables | Export-Counter -FileFormat csv -Path $outputFile -Force +``` + +## Unregister Performance Counters + +When performance monitoring is not needed anymore, unregister the Activity Monitor performance +counters. + +Follow the steps to unregister the Activity Monitor performance counters on each SAM Agent server. + +**Step 1 –** Run `cmd.exe` as Administrator. + +**Step 2 –** Change current directory to the agent installation folder. + +**cd "C:\Program Files\Netwrix\Activity Monitor\Agent"** + +**Step 3 –** Unregister the performance counters manifest file. + +**unlodctr /M:PerfCounters.man** + +Expected output: Info: Successfully uninstalled the performance counters from the counter definition +XML file PerfCounters.man. + +**Step 4 –** Restart the services: + +**sc stop SBFileMonAgentSvc** + +sc stop FPolicyServerSvc + +**sc stop CelerraServerSvc** + +sc stop SBTLoggingSvc + +**sc start SBFileMonAgentSvc** + +Once the services have been restarted, the Activity Monitor performance counters are unregistered. diff --git a/docs/activitymonitor/9.0/troubleshooting/tracelogs.md b/docs/activitymonitor/9.0/troubleshooting/tracelogs.md new file mode 100644 index 0000000000..fe71fa1c23 --- /dev/null +++ b/docs/activitymonitor/9.0/troubleshooting/tracelogs.md 
@@ -0,0 +1,45 @@ +--- +title: "Trace Logs" +description: "Trace Logs" +sidebar_position: 20 +--- + +# Trace Logs + +While activity agents store activity logs on the servers where they are deployed, the Activity +Monitor creates Trace Logs that aid in troubleshooting issues. The Trace level option set in the +drop-down list in the lower right corner of the Activity Monitor Console determines the kind of +information kept in the activity agent and monitored hosts/services logs. + +![Activity Monitor with location of trace logs](/images/activitymonitor/9.0/troubleshooting/tracelogs.webp) + +The selected log level applies to all hosts added to the **Agents** list (if not specified in agent +properties). Select from the following trace log levels: + +- Trace – Records everything that happens, most verbose level of logging +- Debug – Records all debug messages, in addition to info messages +- Info – Records information on the steps that occur, in addition to warn messages, and is the + recommended setting +- Warning – Records all warnings that occur, in addition to error messages +- Error – Records all errors that occur, in addition to fatal messages +- Fatal – Records only when catastrophic system failures / crashes occur + +When the log level is changed in the Activity Monitor Console, the new log level is propagated and +applied immediately to all of the activity agents that do not have custom trace setting. + +:::note +Trace level can be adjusted in the Agent Properties for the selected agent. See the +[Archiving Tab](/docs/activitymonitor/9.0/admin/agents/properties/archiving.md) topic for additional information. +::: + + +![Collect Logs button](/images/activitymonitor/9.0/troubleshooting/collectlogsbutton.webp) + +The Activity Monitor Console has a function to copy Trace Logs from the activity agents to the +Console machine. Click the Collect Logs button to open the log collection dialog and select Start to +begin the log collection. 
+ +![Copying the log files popup window](/images/activitymonitor/9.0/troubleshooting/collectlogswindow.webp) + +Specific agents or console can be selected. After log collection is successful the logs are +compressed into a zip file and file explorer opens with the zip file selected. diff --git a/sidebars/activitymonitor/9.0.js b/sidebars/activitymonitor/9.0.js new file mode 100644 index 0000000000..7b1f64de61 --- /dev/null +++ b/sidebars/activitymonitor/9.0.js @@ -0,0 +1,17 @@ +// DIAGNOSTIC TEST: const generateKBSidebar = require('../../src/utils/generateKBSidebar'); + +module.exports = { + sidebar: [ + { + type: 'autogenerated', + dirName: '.', + }, + // DIAGNOSTIC TEST: Comment out entire KB section + // { + // type: 'category', + // label: 'Knowledge Base', + // collapsed: true, + // items: generateKBSidebar('activitymonitor') + // }, + ], +}; diff --git a/src/config/products.js b/src/config/products.js index ba9a1c4239..8278686364 100644 --- a/src/config/products.js +++ b/src/config/products.js @@ -106,10 +106,16 @@ export const PRODUCTS = [ categories: ['Other'], icon: '', versions: [ + { + version: '9.0', + label: '9.0', + isLatest: true, + sidebarFile: './sidebars/activitymonitor/9.0.js', + }, { version: '8.0', label: '8.0', - isLatest: true, + isLatest: false, sidebarFile: './sidebars/activitymonitor/8.0.js', }, { diff --git a/static/images/activitymonitor/9.0/admin/activitymonitormain.webp b/static/images/activitymonitor/9.0/admin/activitymonitormain.webp new file mode 100644 index 0000000000..cd75b3dc6c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/activitymonitormain.webp differ 
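Review bot: in performancemonitoring.md the PowerShell script inside the ```powershell fence has every other statement wrapped in `**...**` (for example `**$maxSamples = 0**`, `**$counters =**`, `**"\Processor(_Total)\% Processor Time"**`); inside a fenced block these are not rendered as bold, so a reader who follows "save it to AM.PerfCollect.ps1" gets literal asterisks and a script that does not parse. Strip the markers and the blank line between every statement. Same hunk, Step 4 of both Register and Unregister: four `sc stop` commands are followed by a single `sc start SBFileMonAgentSvc`; if FPolicyServerSvc, CelerraServerSvc and SBTLoggingSvc are started on demand by the agent service, state that, otherwise add the matching `sc start` lines, and put the commands in a code block instead of alternating bold and plain text. The script collects `\TCPv6\Connections Reset`, which is not in the recommended table, while omitting the recommended `Activity Monitor - Outputs` and `Process(ConfigurationAgent.Grpc.Host)` counters; reconcile the two lists. Minor: "SAM Agent server" uses an acronym the page never defines, and "per a SID to name translation" reads better as "per SID-to-name translation".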
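Review bot: in tracelogs.md the note after the log-level list says the trace level "can be adjusted in the Agent Properties for the selected agent" but links the Archiving Tab topic; if the per-agent trace setting really lives on the Archiving tab, one clause explaining that would help, otherwise link the tab that holds it. Minor: "Specific agents or console can be selected" needs an article ("or the console"), and the level list names the level "Warning" while the Info bullet calls them "warn messages"; use one term.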
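Review bot: sidebars/activitymonitor/9.0.js commits scaffolding labelled "DIAGNOSTIC TEST": the `generateKBSidebar` require is commented out and the whole Knowledge Base category is commented out under a "Comment out entire KB section" marker. Either restore the KB category before merging or replace the diagnostic comments with one that records why 9.0 intentionally omits it; as written, the file looks like a debugging state that was not meant to land.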
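Review bot: in src/config/products.js the new 9.0 entry takes `isLatest: true` and 8.0 drops to `isLatest: false` in the same change that ships the 9.0 sidebar in its "DIAGNOSTIC TEST" state; consider landing the `isLatest` flip separately, once the 9.0 sidebar is final, so the default product version does not regress while the sidebar is being debugged.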
diff --git a/static/images/activitymonitor/9.0/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp b/static/images/activitymonitor/9.0/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp new file mode 100644 index 0000000000..a5bb08872f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/activitymonitorwithlinuxagentinstalled.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp b/static/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp new file mode 100644 index 0000000000..c778f290b7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/adagentinstalled.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/adconnectionblank.webp b/static/images/activitymonitor/9.0/admin/agents/add/adconnectionblank.webp new file mode 100644 index 0000000000..e6d5230a5b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/adconnectionblank.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/adconnectionsuccessful.webp b/static/images/activitymonitor/9.0/admin/agents/add/adconnectionsuccessful.webp new file mode 100644 index 0000000000..ffb88ef50b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/adconnectionsuccessful.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp b/static/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp new file mode 100644 index 0000000000..12c926083b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/agentinstalllocation.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp b/static/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp new file mode 100644 index 0000000000..34defaf513 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/clientcertificate.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/credentialsservers.webp b/static/images/activitymonitor/9.0/admin/agents/add/credentialsservers.webp new file mode 100644 index 0000000000..904d4973d4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/credentialsservers.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/dcsdeployagentconnection.webp b/static/images/activitymonitor/9.0/admin/agents/add/dcsdeployagentconnection.webp new file mode 100644 index 0000000000..71c29f578e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/dcsdeployagentconnection.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/dcstodeploytheagenttopage.webp b/static/images/activitymonitor/9.0/admin/agents/add/dcstodeploytheagenttopage.webp new file mode 100644 index 0000000000..5aab11e463 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/dcstodeploytheagenttopage.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/domainstomonitorpage.webp b/static/images/activitymonitor/9.0/admin/agents/add/domainstomonitorpage.webp new file mode 100644 index 0000000000..a25191ca85 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/domainstomonitorpage.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp b/static/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp new file mode 100644 index 0000000000..feaecb6e30 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/enablewindowsfileactivitymonitoring.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/hostnameoripaddresswindow.webp b/static/images/activitymonitor/9.0/admin/agents/add/hostnameoripaddresswindow.webp new file mode 100644 index 0000000000..12e90ab3a7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/hostnameoripaddresswindow.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/importhostsfromacsvfilewindow.webp b/static/images/activitymonitor/9.0/admin/agents/add/importhostsfromacsvfilewindow.webp new file mode 100644 index 0000000000..b03119035e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/importhostsfromacsvfilewindow.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/installagentsonmultiplehosts.webp b/static/images/activitymonitor/9.0/admin/agents/add/installagentsonmultiplehosts.webp new file mode 100644 index 0000000000..455b2fd398 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/installagentsonmultiplehosts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/linuxagentoptions.webp b/static/images/activitymonitor/9.0/admin/agents/add/linuxagentoptions.webp new file mode 100644 index 0000000000..9e5a74a506 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/linuxagentoptions.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/add/locationdefault.webp b/static/images/activitymonitor/9.0/admin/agents/add/locationdefault.webp new file mode 100644 index 0000000000..8011d2b1b6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/locationdefault.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/publickey.webp b/static/images/activitymonitor/9.0/admin/agents/add/publickey.webp new file mode 100644 index 0000000000..802e3e9812 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/publickey.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/testaccountconnection.webp b/static/images/activitymonitor/9.0/admin/agents/add/testaccountconnection.webp new file mode 100644 index 0000000000..8a7da5c036 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/testaccountconnection.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/add/windowsagentsettingspage.webp b/static/images/activitymonitor/9.0/admin/agents/add/windowsagentsettingspage.webp new file mode 100644 index 0000000000..1640d88a4c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/add/windowsagentsettingspage.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/agentaddedfinalimage.webp b/static/images/activitymonitor/9.0/admin/agents/agentaddedfinalimage.webp new file mode 100644 index 0000000000..19ed011ed3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/agentaddedfinalimage.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/agentmessages.webp b/static/images/activitymonitor/9.0/admin/agents/agentmessages.webp new file mode 100644 index 0000000000..5e041f29b6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/agentmessages.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/additionalpropertiestab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/additionalpropertiestab.webp new file mode 100644 index 0000000000..3141a3eda1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/additionalpropertiestab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/addoreditapiclient.webp b/static/images/activitymonitor/9.0/admin/agents/properties/addoreditapiclient.webp new file mode 100644 index 0000000000..3bb5239020 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/addoreditapiclient.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/aduserstab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/aduserstab.webp new file mode 100644 index 0000000000..2061bab96d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/aduserstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/apiservertab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/apiservertab.webp new file mode 100644 index 0000000000..a6ed37834d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/apiservertab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/archiving_tab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/archiving_tab.webp new file mode 100644 index 0000000000..1173f63a47 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/archiving_tab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/archivingtabconfigure.webp b/static/images/activitymonitor/9.0/admin/agents/properties/archivingtabconfigure.webp new file mode 100644 index 0000000000..2de001bcf7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/archivingtabconfigure.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/connectiontab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/connectiontab.webp new file mode 100644 index 0000000000..df7e87ddb8 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/connectiontab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/diskquotatab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/diskquotatab.webp new file mode 100644 index 0000000000..f3145cd306 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/diskquotatab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/dnstab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/dnstab.webp new file mode 100644 index 0000000000..5d8be1e050 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/dnstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/emcceeoptionstab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/emcceeoptionstab.webp new file mode 100644 index 0000000000..2629e0dd5e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/emcceeoptionstab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalerts.webp b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalerts.webp new file mode 100644 index 0000000000..653d7a82df Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalerts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalerts.webp b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalerts.webp new file mode 100644 index 0000000000..0e9cbe8b57 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalerts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp new file mode 100644 index 0000000000..8641bbe90b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagebody.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp new file mode 100644 index 0000000000..b969597b8d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertsemailalertsmessagesubject.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalerts.webp b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalerts.webp new file mode 100644 index 0000000000..021b6620a8 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalerts.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp new file mode 100644 index 0000000000..fb6d453af8 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/inactivityalertssyslogalertsmessagetemplate.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/linuxagentadditionalpropertiestab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/linuxagentadditionalpropertiestab.webp new file mode 100644 index 0000000000..62b65c4d0d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/linuxagentadditionalpropertiestab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/linuxconnectiontab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/linuxconnectiontab.webp new file mode 100644 index 0000000000..d3fb749194 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/linuxconnectiontab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/linuxtab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/linuxtab.webp new file mode 100644 index 0000000000..6218741328 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/linuxtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp b/static/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp new file mode 100644 index 0000000000..5b1e6b8fb9 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/mainimage.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.webp b/static/images/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.webp new file mode 100644 index 0000000000..988a0063c6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/netappfpolicyoptions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/networkproxytab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/networkproxytab.webp new file mode 100644 index 0000000000..f8db8b53a1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/networkproxytab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/networktab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/networktab.webp new file mode 100644 index 0000000000..7233e97f3c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/networktab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/nutanix.webp b/static/images/activitymonitor/9.0/admin/agents/properties/nutanix.webp new file mode 100644 index 0000000000..e6f78dbc3e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/nutanix.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/panzuratab.webp b/static/images/activitymonitor/9.0/admin/agents/properties/panzuratab.webp new file mode 100644 index 0000000000..6cd261018e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/panzuratab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/qumulo.webp b/static/images/activitymonitor/9.0/admin/agents/properties/qumulo.webp new file mode 100644 index 0000000000..04a3a1b902 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/qumulo.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp b/static/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp new file mode 100644 index 0000000000..026d9d4e03 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/agents/properties/windowsspecifyaccountorgroup.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp new file mode 100644 index 0000000000..945522ee3d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainoutputsadded.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainsdonly.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainsdonly.webp new file mode 100644 index 0000000000..581a23e5e5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/actiivtymonitordomainsdonly.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/activtymonitorblank.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/activtymonitorblank.webp new file mode 100644 index 0000000000..82dd108aa4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/activtymonitorblank.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp new file mode 100644 index 0000000000..8c22095a18 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/attributestab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/classestab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/classestab.webp new file mode 100644 index 0000000000..e5f1033646 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/classestab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp new file mode 100644 index 0000000000..e5e66b413d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/contexttab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp new file mode 100644 index 0000000000..3dcfcc5f92 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeauthenticationselectedaccounts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp new file mode 100644 index 0000000000..aa790dd5bc Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/editaccountsexcludeloginsmachineaccounts.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp new file mode 100644 index 0000000000..0839ae95d4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/edithostsexcludeselectedhosts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp new file mode 100644 index 0000000000..5a02ee9f93 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/forgedpac.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp new file mode 100644 index 0000000000..6392048bcb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/globalfilterstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp new file mode 100644 index 0000000000..58838a3ad1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostfrom.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostto.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostto.webp new file mode 100644 index 0000000000..ad0d05d872 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/hostto.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp new file mode 100644 index 0000000000..c2d7f897fe Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesfrom.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp new file mode 100644 index 0000000000..0fc8052214 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ipaddressesto.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldap.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldap.webp new file mode 100644 index 0000000000..6e8876151c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/ldap.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp new file mode 100644 index 0000000000..23fb8dad72 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/objectstab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp new file mode 100644 index 0000000000..9e85d978d6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operations.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp new file mode 100644 index 0000000000..49b24cdf70 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp new file mode 100644 index 0000000000..dcba3037f0 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/operationtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/processes.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/processes.webp new file mode 100644 index 0000000000..fe4fca8189 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/processes.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp new file mode 100644 index 0000000000..7b22df0ab4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/servers.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp new file mode 100644 index 0000000000..588b852681 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/serverstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/users.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/users.webp new file mode 100644 index 0000000000..a9ea6c6883 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/users.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp new file mode 100644 index 0000000000..d4e1c5bc90 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/admonitoringconfiguration/userstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/errorpropagation.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/errorpropagation.webp new file mode 100644 index 0000000000..56e22c0823 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/errorpropagation.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/logfiles.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/logfiles.webp new file mode 100644 index 0000000000..5643daf724 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/logfiles.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/sdldapmonitoring.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/sdldapmonitoring.webp new file mode 100644 index 0000000000..f7a26f5d01 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/sdldapmonitoring.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/stealthdefendproperties.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/stealthdefendproperties.webp new file mode 100644 index 0000000000..7fd24e90f2 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/stealthdefendproperties.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoreddomains/syslogudp.webp b/static/images/activitymonitor/9.0/admin/monitoreddomains/syslogudp.webp new file mode 100644 index 0000000000..93e5c65df3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoreddomains/syslogudp.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcisilon.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcisilon.webp new file mode 100644 index 0000000000..5cc8820b2d Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcisilon.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcunity.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcunity.webp new file mode 100644 index 0000000000..3e5d96446b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcunity.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp new file mode 100644 index 0000000000..7dc5935dda Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitoremcvnxcelerra.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorhitachi.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorhitachi.webp new file mode 100644 index 0000000000..7e265a108f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorhitachi.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornasuni.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornasuni.webp new file mode 100644 index 0000000000..466f5bcf16 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornasuni.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornetapp.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornetapp.webp new file mode 100644 index 0000000000..4e8150da32 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitornetapp.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorpanzura.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorpanzura.webp new file mode 100644 index 0000000000..98dfe08bed Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorpanzura.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsharepoint.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsharepoint.webp new file mode 100644 index 0000000000..7d0286df86 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsharepoint.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp new file mode 100644 index 0000000000..9f5fc33ac8 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorsqlserverhost.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorwindows.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorwindows.webp new file mode 100644 index 0000000000..d09c4fe527 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/activitymonitorwindows.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp new file mode 100644 index 0000000000..7574facf30 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addagent01.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addexchangeonline.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addexchangeonline.webp new file mode 100644 index 0000000000..9d264e8f5c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addexchangeonline.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp new file mode 100644 index 0000000000..8fb1682267 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost02.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost02.webp new file mode 100644 index 0000000000..30289306cf Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhost02.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcisilon.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcisilon.webp new file mode 100644 index 0000000000..4766291764 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcisilon.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcvnxcelerra.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcvnxcelerra.webp new file mode 100644 index 0000000000..545dbe2559 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostemcvnxcelerra.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostentraid.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostentraid.webp new file mode 100644 index 0000000000..928573f552 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostentraid.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhosthitachi.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhosthitachi.webp new file mode 100644 index 0000000000..e08c4bf8b7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhosthitachi.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnasuni.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnasuni.webp new file mode 100644 index 0000000000..71522af27b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnasuni.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnetapp.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnetapp.webp new file mode 100644 index 0000000000..a9caf8b9f5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostnetapp.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostpanzura.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostpanzura.webp new file mode 100644 index 0000000000..cc23713840 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostpanzura.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo01.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo01.webp new file mode 100644 index 0000000000..68e188951f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo01.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo02.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo02.webp new file mode 100644 index 0000000000..7ba3539041 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo02.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo04.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo04.webp new file mode 100644 index 0000000000..87c378ca44 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo04.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo06.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo06.webp new file mode 100644 index 0000000000..032be4f65a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostqumulo06.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostsharepoint.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostsharepoint.webp new file mode 100644 index 0000000000..90768f32cc Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostsharepoint.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostwindows.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostwindows.webp new file mode 100644 index 0000000000..a018c3df07 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addhostwindows.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhost.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhost.webp new file mode 100644 index 0000000000..be26533e56 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhost.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhostemcunity.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhostemcunity.webp new file mode 100644 index 0000000000..17c32250f4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/addnewhostemcunity.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/azureadconnection.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/azureadconnection.webp new file mode 100644 index 0000000000..2dd8b5eaca Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/azureadconnection.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp new file mode 100644 index 0000000000..43efe3f7ef Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/chooseagent.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp new file mode 100644 index 0000000000..415c8e3b45 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptions.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionshitachi.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionshitachi.webp new file mode 100644 index 0000000000..b3f66cf1d6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionshitachi.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp new file mode 100644 index 0000000000..7b10976f52 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnasuni.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp new file mode 100644 index 0000000000..01d597486c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionsnetapp.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionspanzura.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionspanzura.webp new file mode 100644 index 0000000000..790478d4d6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionspanzura.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionswindows.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionswindows.webp new file mode 100644 index 0000000000..cb5742e96f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configurebasicoptionswindows.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperations.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperations.webp new file mode 100644 index 0000000000..384f2a8330 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperations.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp new file mode 100644 index 0000000000..e3898d62b9 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsforemcisilon.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationshitachi.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationshitachi.webp new file mode 100644 index 0000000000..c2d2eb222c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationshitachi.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsnetapp.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsnetapp.webp new file mode 100644 index 0000000000..f2d1c9ab77 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationsnetapp.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationssharepoint.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationssharepoint.webp new file mode 100644 index 0000000000..c0595d3194 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationssharepoint.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationswindows.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationswindows.webp new file mode 100644 index 0000000000..7404d6508f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/configureoperationswindows.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/connection.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/connection.webp new file mode 100644 index 0000000000..2ce25f402c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/connection.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidadded.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidadded.webp new file mode 100644 index 0000000000..17aee937c5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidadded.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidconnection.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidconnection.webp new file mode 100644 index 0000000000..4835631582 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidconnection.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidoperations.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidoperations.webp new file mode 100644 index 0000000000..6ab7b44d29 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/entraidoperations.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.webp new file mode 100644 index 0000000000..0bce101ee2 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/exchangeonline.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileandpagetab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileandpagetab.webp new file mode 100644 index 0000000000..0c64173207 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileandpagetab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileouputpage.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileouputpage.webp new file mode 100644 index 0000000000..08bd872e42 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileouputpage.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp new file mode 100644 index 0000000000..feba302cc0 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutput.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp new file mode 100644 index 0000000000..31eb11c6e5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/fileoutputpage.webp differ 
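Review bot: `add/fileouputpage.webp` and `add/fileoutputpage.webp` are both added in this region and differ only by a missing letter, which looks like a misspelled duplicate of the same screenshot. Suggest checking which of the two names the monitored-hosts docs actually reference and dropping the other, so the static tree does not carry an orphaned asset under a typo'd name.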
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/hitachinasoptions.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/hitachinasoptions.webp new file mode 100644 index 0000000000..484547cf26 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/hitachinasoptions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonoptions.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonoptions.webp new file mode 100644 index 0000000000..0237f3a17c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonoptions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp new file mode 100644 index 0000000000..5d07cff198 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/isilonprotocols.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/mailboxesexclude.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/mailboxesexclude.webp new file mode 100644 index 0000000000..8226653900 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/mailboxesexclude.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/mssqlserveroptionspage.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/mssqlserveroptionspage.webp new file mode 100644 index 0000000000..a282e935cf Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/mssqlserveroptionspage.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nasunioptions.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nasunioptions.webp new file mode 100644 index 0000000000..8d3df8900f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nasunioptions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappconnection.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappconnection.webp new file mode 100644 index 0000000000..a641f932b0 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappconnection.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyconfiguration.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyconfiguration.webp new file mode 100644 index 0000000000..304d8b0570 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyconfiguration.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyenableconnect.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyenableconnect.webp new file mode 100644 index 0000000000..4e766ce196 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicyenableconnect.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicytab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicytab.webp new file mode 100644 index 0000000000..7e9dfc1d8c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/netappfpolicytab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixnetworkadapter.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixnetworkadapter.webp new file mode 100644 index 0000000000..a8f1e1e6ac Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixnetworkadapter.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_04.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_04.webp new file mode 100644 index 0000000000..a932bbad53 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_04.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_05.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_05.webp new file mode 100644 index 0000000000..bdc2d9b13b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_05.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_06.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_06.webp new file mode 100644 index 0000000000..7b41de1c6e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_06.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp new file mode 100644 index 0000000000..4f68e9f806 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_07.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_08.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_08.webp new file mode 100644 index 0000000000..0fa9437ed9 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_08.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp new file mode 100644 index 0000000000..50279c225f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_09.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_10.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_10.webp new file mode 100644 index 0000000000..423dd23cba Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/nutanixoptions_10.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/operations.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/operations.webp new file mode 100644 index 0000000000..c30a2ce830 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/operations.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraconfigureoperations.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraconfigureoperations.webp new file mode 100644 index 0000000000..c827dae628 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraconfigureoperations.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraoptions.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraoptions.webp new file mode 100644 index 0000000000..9ae0bc86a7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/panzuraoptions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost01.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost01.webp new file mode 100644 index 0000000000..4add53ea9c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost01.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost02.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost02.webp new file mode 100644 index 0000000000..ba3e7356ac Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost02.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost03.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost03.webp new file mode 100644 index 0000000000..d4288f0607 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost03.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost04.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost04.webp new file mode 100644 index 0000000000..65ed62a1f7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost04.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost05.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost05.webp new file mode 100644 index 0000000000..0116afa8fc Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost05.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost06.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost06.webp new file mode 100644 index 0000000000..83d9fdb851 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost06.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost07.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost07.webp new file mode 100644 index 0000000000..cd6bbd7c6b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost07.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost08.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost08.webp new file mode 100644 index 0000000000..52fa704ddd Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/powerstoreaddhost08.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp new file mode 100644 index 0000000000..42dec449af Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/protocolspage.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.webp new file mode 100644 index 0000000000..32a71499ca Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointonline.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointoptions.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointoptions.webp new file mode 100644 index 0000000000..1fc24b5315 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sharepointoptions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp new file mode 100644 index 0000000000..9bea300d3a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggerpage.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp new file mode 100644 index 0000000000..0082c7dfeb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverlogontriggersuccess.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverobjects.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverobjects.webp new file mode 100644 index 0000000000..2fb11ea5c2 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/sqlserverobjects.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp new file mode 100644 index 0000000000..803418c1cf Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutput.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp new file mode 100644 index 0000000000..36659deeed Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/syslogoutputpage.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp new file mode 100644 index 0000000000..d101f3a008 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/trustedservercertificate.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/usersexclude.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/usersexclude.webp new file mode 100644 index 0000000000..bbbf88e4fc Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/usersexclude.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologactivity.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologactivity.webp new file mode 100644 index 0000000000..da56c6dddf Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologactivity.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp new file mode 100644 index 0000000000..4f68ed13ec Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologgeneric.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologtheactivity.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologtheactivity.webp new file mode 100644 index 0000000000..0760433e51 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/add/wheretologtheactivity.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputfile.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputfile.webp new file mode 100644 index 0000000000..f6c3651b48 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputfile.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputsyslog.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputsyslog.webp new file mode 100644 index 0000000000..5aee504d5e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/addnewoutputsyslog.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/errorpropogationpopulated.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/errorpropogationpopulated.webp new file mode 100644 index 0000000000..0390edaa2a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/errorpropogationpopulated.webp differ 
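Review bot: `monitoredhosts/errorpropogationpopulated.webp` has a misspelling in its file name ("propogation" for "propagation"). Since the name is only ever used in image references, renaming it to `errorpropagationpopulated.webp` and updating the referencing `.md` file in the same PR is cheap now and avoids a permanent typo in the published asset path.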
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/monitoredhoststab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/monitoredhoststab.webp new file mode 100644 index 0000000000..6085b860fa Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/monitoredhoststab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/outputpropertiesoverview.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/outputpropertiesoverview.webp new file mode 100644 index 0000000000..2b040140c4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/outputpropertiesoverview.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/auditingtab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/auditingtab.webp new file mode 100644 index 0000000000..a22353f719 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/auditingtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/azure.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/azure.webp new file mode 100644 index 0000000000..82819c4b8f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/azure.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/emailalertstab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/emailalertstab.webp new file mode 100644 index 0000000000..10de921948 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/emailalertstab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp new file mode 100644 index 0000000000..1eb45e7abb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/emctabemcvnxcelerra.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettings.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettings.webp new file mode 100644 index 0000000000..cba95baf96 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettings.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp new file mode 100644 index 0000000000..6eabff07ba Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsaddoreditclusternode.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp new file mode 100644 index 0000000000..0bf135b2b1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/enableorconnectsettingsconnecttocluster.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicytab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicytab.webp new file mode 100644 index 0000000000..94ce8e79b3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/fpolicytab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/hitachihostproperties.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/hitachihostproperties.webp new file mode 100644 index 0000000000..052a065e54 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/hitachihostproperties.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/hostpropertiesoverview.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/hostpropertiesoverview.webp new file mode 100644 index 0000000000..bffb54d8c1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/hostpropertiesoverview.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalertstab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalertstab.webp new file mode 100644 index 0000000000..eadf4ec9c3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/inactivityalertstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/logontriggertab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/logontriggertab.webp new file mode 100644 index 0000000000..4e5a224477 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/logontriggertab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlservertab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlservertab.webp new file mode 100644 index 0000000000..da7597a6e5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/mssqlservertab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/nasunitab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/nasunitab.webp new file mode 100644 index 0000000000..5452bb8fb6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/nasunitab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/netapptab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/netapptab.webp new file mode 100644 index 0000000000..0afac5802f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/netapptab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/nutanixhostprop01.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/nutanixhostprop01.webp new file mode 100644 index 0000000000..c197c361cb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/nutanixhostprop01.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/panzuratab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/panzuratab.webp new file mode 100644 index 0000000000..d535c6b8a0 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/panzuratab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/privilegedaccess.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/privilegedaccess.webp new file mode 100644 index 0000000000..75e2949e6c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/privilegedaccess.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/qumulohostproperties.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/qumulohostproperties.webp new file mode 100644 index 0000000000..91890d4de5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/qumulohostproperties.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/sharepointtab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/sharepointtab.webp new file mode 100644 index 0000000000..900d77a8a6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/sharepointtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/syslogalertstab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/syslogalertstab.webp new file mode 100644 index 0000000000..f2272055e4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/syslogalertstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptionstab.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptionstab.webp new file mode 100644 index 0000000000..3a6996e28f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/tweakoptionstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/unixid.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/unixid.webp new file mode 100644 index 0000000000..db73c69980 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/unixid.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/windows.webp b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/windows.webp new file mode 100644 index 0000000000..140e2b116b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/monitoredhosts/properties/windows.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/accountexclusions_exchangeonline.webp b/static/images/activitymonitor/9.0/admin/outputs/accountexclusions_exchangeonline.webp new file mode 100644 index 0000000000..f06b7a6427 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/accountexclusions_exchangeonline.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/additionalpropertiestab.webp b/static/images/activitymonitor/9.0/admin/outputs/additionalpropertiestab.webp new file mode 100644 index 0000000000..43dba0b9c5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/additionalpropertiestab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/azuread.webp b/static/images/activitymonitor/9.0/admin/outputs/azuread.webp new file mode 100644 index 0000000000..f6550b5017 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/azuread.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/azureadoperationstab.webp b/static/images/activitymonitor/9.0/admin/outputs/azureadoperationstab.webp new file mode 100644 index 0000000000..79e2f0d942 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/azureadoperationstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/fs.webp b/static/images/activitymonitor/9.0/admin/outputs/fs.webp new file mode 100644 index 0000000000..af38071ec5 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/fs.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/outputs/gidexclusionstab.webp b/static/images/activitymonitor/9.0/admin/outputs/gidexclusionstab.webp new file mode 100644 index 0000000000..2caa4f3cc3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/gidexclusionstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/linux.webp b/static/images/activitymonitor/9.0/admin/outputs/linux.webp new file mode 100644 index 0000000000..a510abebf9 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/linux.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/logfilesactivedirectory.webp b/static/images/activitymonitor/9.0/admin/outputs/logfilesactivedirectory.webp new file mode 100644 index 0000000000..6077e15871 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/logfilesactivedirectory.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/nasdevices.webp b/static/images/activitymonitor/9.0/admin/outputs/nasdevices.webp new file mode 100644 index 0000000000..8bd50e5b11 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/nasdevices.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/objectstab.webp b/static/images/activitymonitor/9.0/admin/outputs/objectstab.webp new file mode 100644 index 0000000000..e9dd4e1d6f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/objectstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/operations.webp b/static/images/activitymonitor/9.0/admin/outputs/operations.webp new file mode 100644 index 0000000000..1fd379c2ef Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/operations.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/outputs/operationstab.webp b/static/images/activitymonitor/9.0/admin/outputs/operationstab.webp new file mode 100644 index 0000000000..7d86b76250 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/operationstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/pathfilteringsharepointhosts.webp b/static/images/activitymonitor/9.0/admin/outputs/pathfilteringsharepointhosts.webp new file mode 100644 index 0000000000..e58b0d2638 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/pathfilteringsharepointhosts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp b/static/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp new file mode 100644 index 0000000000..0cefa085ff Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/pathfilteringtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/processexclusions.webp b/static/images/activitymonitor/9.0/admin/outputs/processexclusions.webp new file mode 100644 index 0000000000..e0c47684d1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/processexclusions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/protocolstab.webp b/static/images/activitymonitor/9.0/admin/outputs/protocolstab.webp new file mode 100644 index 0000000000..f55bd98117 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/protocolstab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/qumulooutputproperties.webp b/static/images/activitymonitor/9.0/admin/outputs/qumulooutputproperties.webp new file mode 100644 index 0000000000..730745d43b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/qumulooutputproperties.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/outputs/sharepoint.webp b/static/images/activitymonitor/9.0/admin/outputs/sharepoint.webp new file mode 100644 index 0000000000..4720417b4e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/sharepoint.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/sharepointonprem.webp b/static/images/activitymonitor/9.0/admin/outputs/sharepointonprem.webp new file mode 100644 index 0000000000..4881a5e770 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/sharepointonprem.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/sp.webp b/static/images/activitymonitor/9.0/admin/outputs/sp.webp new file mode 100644 index 0000000000..916a47e630 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/sp.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/sql.webp b/static/images/activitymonitor/9.0/admin/outputs/sql.webp new file mode 100644 index 0000000000..d671cfcc97 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/sql.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/sqlhosts.webp b/static/images/activitymonitor/9.0/admin/outputs/sqlhosts.webp new file mode 100644 index 0000000000..32367ec245 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/sqlhosts.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/syslogactivedirectory.webp b/static/images/activitymonitor/9.0/admin/outputs/syslogactivedirectory.webp new file mode 100644 index 0000000000..29fbeb5415 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/syslogactivedirectory.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/outputs/syslogentraid.webp b/static/images/activitymonitor/9.0/admin/outputs/syslogentraid.webp new file mode 100644 index 0000000000..306c449ff7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/syslogentraid.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/sysloglinux.webp b/static/images/activitymonitor/9.0/admin/outputs/sysloglinux.webp new file mode 100644 index 0000000000..cfd85f116a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/sysloglinux.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/syslognas.webp b/static/images/activitymonitor/9.0/admin/outputs/syslognas.webp new file mode 100644 index 0000000000..50ad949e3e Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/syslognas.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/syslogwindows.webp b/static/images/activitymonitor/9.0/admin/outputs/syslogwindows.webp new file mode 100644 index 0000000000..ee38f9e642 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/syslogwindows.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/threatmanager.webp b/static/images/activitymonitor/9.0/admin/outputs/threatmanager.webp new file mode 100644 index 0000000000..e50a47a572 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/threatmanager.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/addoreditgidwindow.webp b/static/images/activitymonitor/9.0/admin/outputs/window/addoreditgidwindow.webp new file mode 100644 index 0000000000..0a7d961adb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/addoreditgidwindow.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/addoreditpath.webp b/static/images/activitymonitor/9.0/admin/outputs/window/addoreditpath.webp new file mode 100644 index 0000000000..fe4213b8f0 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/addoreditpath.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/addoreditprocessprocessexclusions.webp b/static/images/activitymonitor/9.0/admin/outputs/window/addoreditprocessprocessexclusions.webp new file mode 100644 index 0000000000..8ac9a5ad41 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/addoreditprocessprocessexclusions.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/sharepointspecifyaccount.webp b/static/images/activitymonitor/9.0/admin/outputs/window/sharepointspecifyaccount.webp new file mode 100644 index 0000000000..ae30e21bac Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/sharepointspecifyaccount.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/specifysqlusernamewindow.webp b/static/images/activitymonitor/9.0/admin/outputs/window/specifysqlusernamewindow.webp new file mode 100644 index 0000000000..fcec97d023 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/specifysqlusernamewindow.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/syslogmessagetemplate.webp b/static/images/activitymonitor/9.0/admin/outputs/window/syslogmessagetemplate.webp new file mode 100644 index 0000000000..c2e8b07fe1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/syslogmessagetemplate.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/outputs/window/unixspecifyunixaccount.webp b/static/images/activitymonitor/9.0/admin/outputs/window/unixspecifyunixaccount.webp new file mode 100644 index 0000000000..14c165b3d0 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/window/unixspecifyunixaccount.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/windows.webp b/static/images/activitymonitor/9.0/admin/outputs/windows.webp new file mode 100644 index 0000000000..cfd297cdf4 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/windows.webp differ diff --git a/static/images/activitymonitor/9.0/admin/outputs/windowsfilenasdevices.webp b/static/images/activitymonitor/9.0/admin/outputs/windowsfilenasdevices.webp new file mode 100644 index 0000000000..53d2402977 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/outputs/windowsfilenasdevices.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/exportbutton.webp b/static/images/activitymonitor/9.0/admin/search/exportbutton.webp new file mode 100644 index 0000000000..229a2e3a55 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/exportbutton.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/operationssdropdownfiltermenu.webp b/static/images/activitymonitor/9.0/admin/search/operationssdropdownfiltermenu.webp new file mode 100644 index 0000000000..673f742ac3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/operationssdropdownfiltermenu.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/activedirectorynewsearchtab.webp b/static/images/activitymonitor/9.0/admin/search/query/activedirectorynewsearchtab.webp new file mode 100644 index 0000000000..659f00ab04 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/activedirectorynewsearchtab.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/query/auditeventsfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/auditeventsfilters.webp new file mode 100644 index 0000000000..5028a00a3a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/auditeventsfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/auditmask.webp b/static/images/activitymonitor/9.0/admin/search/query/auditmask.webp new file mode 100644 index 0000000000..6aad60b981 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/auditmask.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/authenticationfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/authenticationfilters.webp new file mode 100644 index 0000000000..c01521f4d8 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/authenticationfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/custom.webp b/static/images/activitymonitor/9.0/admin/search/query/custom.webp new file mode 100644 index 0000000000..4f06c84167 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/custom.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/delete.webp b/static/images/activitymonitor/9.0/admin/search/query/delete.webp new file mode 100644 index 0000000000..7411e9a754 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/delete.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/dlp.webp b/static/images/activitymonitor/9.0/admin/search/query/dlp.webp new file mode 100644 index 0000000000..73f89810d6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/dlp.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/query/general.webp b/static/images/activitymonitor/9.0/admin/search/query/general.webp new file mode 100644 index 0000000000..70011cb0f9 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/general.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/generalfilter.webp b/static/images/activitymonitor/9.0/admin/search/query/generalfilter.webp new file mode 100644 index 0000000000..25dce1e3df Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/generalfilter.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/generalfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/generalfilters.webp new file mode 100644 index 0000000000..3a8a398cce Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/generalfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/item.webp b/static/images/activitymonitor/9.0/admin/search/query/item.webp new file mode 100644 index 0000000000..331d0b5659 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/item.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/ldapqueriesfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/ldapqueriesfilters.webp new file mode 100644 index 0000000000..13634fd617 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/ldapqueriesfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/linuxsearchquerybar.webp b/static/images/activitymonitor/9.0/admin/search/query/linuxsearchquerybar.webp new file mode 100644 index 0000000000..2426ff1e25 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/linuxsearchquerybar.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/query/location.webp b/static/images/activitymonitor/9.0/admin/search/query/location.webp new file mode 100644 index 0000000000..2e9f2e1141 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/location.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/locationfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/locationfilters.webp new file mode 100644 index 0000000000..84bc66aef6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/locationfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/lsassguardianfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/lsassguardianfilters.webp new file mode 100644 index 0000000000..31d34a6a9f Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/lsassguardianfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/movedeletecopycheckinfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/movedeletecopycheckinfilters.webp new file mode 100644 index 0000000000..7e53aa0b6a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/movedeletecopycheckinfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/objectchangesfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/objectchangesfilters.webp new file mode 100644 index 0000000000..194eca028b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/objectchangesfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/permissionsfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/permissionsfilters.webp new file mode 100644 index 0000000000..52796dd350 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/permissionsfilters.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/query/searchfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/searchfilters.webp new file mode 100644 index 0000000000..4ab184c144 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/searchfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/searchquery.webp b/static/images/activitymonitor/9.0/admin/search/query/searchquery.webp new file mode 100644 index 0000000000..6773937959 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/searchquery.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/searchquerybar.webp b/static/images/activitymonitor/9.0/admin/search/query/searchquerybar.webp new file mode 100644 index 0000000000..7faa0d79cb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/searchquerybar.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/searchuitop.webp b/static/images/activitymonitor/9.0/admin/search/query/searchuitop.webp new file mode 100644 index 0000000000..df3c1bbaa1 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/searchuitop.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/sharepointnewsearchtab.webp b/static/images/activitymonitor/9.0/admin/search/query/sharepointnewsearchtab.webp new file mode 100644 index 0000000000..4b3a5b0559 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/sharepointnewsearchtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/sharepointonlinesearchquerybar.webp b/static/images/activitymonitor/9.0/admin/search/query/sharepointonlinesearchquerybar.webp new file mode 100644 index 0000000000..bd7a0e261c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/sharepointonlinesearchquerybar.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/query/sharing.webp b/static/images/activitymonitor/9.0/admin/search/query/sharing.webp new file mode 100644 index 0000000000..20d1db3fdb Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/sharing.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/signinevents.webp b/static/images/activitymonitor/9.0/admin/search/query/signinevents.webp new file mode 100644 index 0000000000..c8e07025d6 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/signinevents.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/sqlfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/sqlfilters.webp new file mode 100644 index 0000000000..6adeda275c Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/sqlfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/sqlsearchquerytoolbar.webp b/static/images/activitymonitor/9.0/admin/search/query/sqlsearchquerytoolbar.webp new file mode 100644 index 0000000000..aa2ba8a411 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/sqlsearchquerytoolbar.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/target.webp b/static/images/activitymonitor/9.0/admin/search/query/target.webp new file mode 100644 index 0000000000..aa667e0f04 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/target.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/targetresourcefilters.webp b/static/images/activitymonitor/9.0/admin/search/query/targetresourcefilters.webp new file mode 100644 index 0000000000..f5cd790a62 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/targetresourcefilters.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/query/user.webp b/static/images/activitymonitor/9.0/admin/search/query/user.webp new file mode 100644 index 0000000000..ceea8bc277 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/user.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/userfilter.webp b/static/images/activitymonitor/9.0/admin/search/query/userfilter.webp new file mode 100644 index 0000000000..2d7cbe19b3 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/userfilter.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/query/userfilters.webp b/static/images/activitymonitor/9.0/admin/search/query/userfilters.webp new file mode 100644 index 0000000000..8fcd5f0106 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/query/userfilters.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/activedirectorysearchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/activedirectorysearchresults.webp new file mode 100644 index 0000000000..88fce56abc Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/activedirectorysearchresults.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/filesearchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/filesearchresults.webp new file mode 100644 index 0000000000..5e8081ac30 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/filesearchresults.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/filesearchresultspermissionsimage.webp b/static/images/activitymonitor/9.0/admin/search/results/filesearchresultspermissionsimage.webp new file mode 100644 index 0000000000..d67532f928 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/filesearchresultspermissionsimage.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/results/linuxsearchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/linuxsearchresults.webp new file mode 100644 index 0000000000..fea629a002 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/linuxsearchresults.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/permissionslpopupwindow.webp b/static/images/activitymonitor/9.0/admin/search/results/permissionslpopupwindow.webp new file mode 100644 index 0000000000..9348084a42 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/permissionslpopupwindow.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/searchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/searchresults.webp new file mode 100644 index 0000000000..a31873b2b7 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/searchresults.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/sharepointonlinesearchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/sharepointonlinesearchresults.webp new file mode 100644 index 0000000000..956725d30a Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/sharepointonlinesearchresults.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/results/sharepointsearchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/sharepointsearchresults.webp new file mode 100644 index 0000000000..4d4a8043b2 Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/sharepointsearchresults.webp differ 
diff --git a/static/images/activitymonitor/9.0/admin/search/results/sqlsearchresults.webp b/static/images/activitymonitor/9.0/admin/search/results/sqlsearchresults.webp new file mode 100644 index 0000000000..f0737cc1ae Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/results/sqlsearchresults.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/searchtab.webp b/static/images/activitymonitor/9.0/admin/search/searchtab.webp new file mode 100644 index 0000000000..d690a5fbac Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/searchtab.webp differ diff --git a/static/images/activitymonitor/9.0/admin/search/sort.webp b/static/images/activitymonitor/9.0/admin/search/sort.webp new file mode 100644 index 0000000000..1097cdf72b Binary files /dev/null and b/static/images/activitymonitor/9.0/admin/search/sort.webp differ diff --git a/static/images/activitymonitor/9.0/config/activedirectory/categoryimportfromnam.webp b/static/images/activitymonitor/9.0/config/activedirectory/categoryimportfromnam.webp new file mode 100644 index 0000000000..eec2b88a36 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/activedirectory/categoryimportfromnam.webp differ diff --git a/static/images/activitymonitor/9.0/config/activedirectory/categoryimportfromshare.webp b/static/images/activitymonitor/9.0/config/activedirectory/categoryimportfromshare.webp new file mode 100644 index 0000000000..2b1ae737c7 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/activedirectory/categoryimportfromshare.webp differ diff --git a/static/images/activitymonitor/9.0/config/activedirectory/namconnection.webp b/static/images/activitymonitor/9.0/config/activedirectory/namconnection.webp new file mode 100644 index 0000000000..083f773ed8 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/activedirectory/namconnection.webp differ 
diff --git a/static/images/activitymonitor/9.0/config/activedirectory/scope.webp b/static/images/activitymonitor/9.0/config/activedirectory/scope.webp new file mode 100644 index 0000000000..9c06f5986f Binary files /dev/null and b/static/images/activitymonitor/9.0/config/activedirectory/scope.webp differ diff --git a/static/images/activitymonitor/9.0/config/activedirectory/share.webp b/static/images/activitymonitor/9.0/config/activedirectory/share.webp new file mode 100644 index 0000000000..1741b2fc1a Binary files /dev/null and b/static/images/activitymonitor/9.0/config/activedirectory/share.webp differ diff --git a/static/images/activitymonitor/9.0/config/azure-files/azure-files-audit.webp b/static/images/activitymonitor/9.0/config/azure-files/azure-files-audit.webp new file mode 100644 index 0000000000..3082c54da1 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/azure-files/azure-files-audit.webp differ diff --git a/static/images/activitymonitor/9.0/config/azure-files/rbac-roles-scopes.webp b/static/images/activitymonitor/9.0/config/azure-files/rbac-roles-scopes.webp new file mode 100644 index 0000000000..4b7f4410f7 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/azure-files/rbac-roles-scopes.webp differ diff --git a/static/images/activitymonitor/9.0/config/ctera/cterasyslogmsg.webp b/static/images/activitymonitor/9.0/config/ctera/cterasyslogmsg.webp new file mode 100644 index 0000000000..1c7fc4f811 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/ctera/cterasyslogmsg.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerscale/eventforwarding.webp b/static/images/activitymonitor/9.0/config/dellpowerscale/eventforwarding.webp new file mode 100644 index 0000000000..b8e574b326 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerscale/eventforwarding.webp differ 
diff --git a/static/images/activitymonitor/9.0/config/dellpowerscale/settings.webp b/static/images/activitymonitor/9.0/config/dellpowerscale/settings.webp new file mode 100644 index 0000000000..cfeb3ef259 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerscale/settings.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/configeventpublisher.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/configeventpublisher.webp new file mode 100644 index 0000000000..8ab3d13493 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/configeventpublisher.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/eventpublishingpool.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/eventpublishingpool.webp new file mode 100644 index 0000000000..64e3c2f76e Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/eventpublishingpool.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/fseventpublishing.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/fseventpublishing.webp new file mode 100644 index 0000000000..cbeab87c28 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/fseventpublishing.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/nasserver.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/nasserver.webp new file mode 100644 index 0000000000..41e821e781 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/nasserver.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/nasserver1.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/nasserver1.webp new file mode 100644 index 0000000000..3707a557ec Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/nasserver1.webp differ 
diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/nasservers.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/nasservers.webp new file mode 100644 index 0000000000..5494430372 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/nasservers.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/publishingpools.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/publishingpools.webp new file mode 100644 index 0000000000..a4bdb4a910 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/publishingpools.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp new file mode 100644 index 0000000000..a2d260cac4 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/registryeditor.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellpowerstore/services.webp b/static/images/activitymonitor/9.0/config/dellpowerstore/services.webp new file mode 100644 index 0000000000..a2c5e55c46 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellpowerstore/services.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellunity/eventscifs.webp b/static/images/activitymonitor/9.0/config/dellunity/eventscifs.webp new file mode 100644 index 0000000000..46730c7597 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellunity/eventscifs.webp differ diff --git a/static/images/activitymonitor/9.0/config/dellunity/eventsnfs.webp b/static/images/activitymonitor/9.0/config/dellunity/eventsnfs.webp new file mode 100644 index 0000000000..4586a9a2d9 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellunity/eventsnfs.webp differ 
diff --git a/static/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp b/static/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp new file mode 100644 index 0000000000..98da3adacd Binary files /dev/null and b/static/images/activitymonitor/9.0/config/dellunity/registryeditorendpoint.webp differ diff --git a/static/images/activitymonitor/9.0/config/netappcmode/validatefirewall.webp b/static/images/activitymonitor/9.0/config/netappcmode/validatefirewall.webp new file mode 100644 index 0000000000..30347c152e Binary files /dev/null and b/static/images/activitymonitor/9.0/config/netappcmode/validatefirewall.webp differ diff --git a/static/images/activitymonitor/9.0/config/netappcmode/validatesecuritylogincreation.webp b/static/images/activitymonitor/9.0/config/netappcmode/validatesecuritylogincreation.webp new file mode 100644 index 0000000000..f03895a507 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/netappcmode/validatesecuritylogincreation.webp differ diff --git a/static/images/activitymonitor/9.0/config/nutanix/activitynutanix.webp b/static/images/activitymonitor/9.0/config/nutanix/activitynutanix.webp new file mode 100644 index 0000000000..84a34985fd Binary files /dev/null and b/static/images/activitymonitor/9.0/config/nutanix/activitynutanix.webp differ diff --git a/static/images/activitymonitor/9.0/config/panzura/auditeventstwoagnt_panzura.webp b/static/images/activitymonitor/9.0/config/panzura/auditeventstwoagnt_panzura.webp new file mode 100644 index 0000000000..7bc3bf9bfe Binary files /dev/null and b/static/images/activitymonitor/9.0/config/panzura/auditeventstwoagnt_panzura.webp differ 
diff --git a/static/images/activitymonitor/9.0/config/panzura/panzurasingleagntmonitor.webp b/static/images/activitymonitor/9.0/config/panzura/panzurasingleagntmonitor.webp new file mode 100644 index 0000000000..2d21397384 Binary files /dev/null and b/static/images/activitymonitor/9.0/config/panzura/panzurasingleagntmonitor.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/adconnection.webp b/static/images/activitymonitor/9.0/install/agent/adconnection.webp new file mode 100644 index 0000000000..dd9063444c Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/adconnection.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/cacertconfig.webp b/static/images/activitymonitor/9.0/install/agent/cacertconfig.webp new file mode 100644 index 0000000000..424b2804e5 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/cacertconfig.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/changedestination.webp b/static/images/activitymonitor/9.0/install/agent/changedestination.webp new file mode 100644 index 0000000000..80d61cd857 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/changedestination.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/complete.webp b/static/images/activitymonitor/9.0/install/agent/complete.webp new file mode 100644 index 0000000000..d3e9015dbc Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/complete.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/consolewithagent.webp b/static/images/activitymonitor/9.0/install/agent/consolewithagent.webp new file mode 100644 index 0000000000..ac856e17d2 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/consolewithagent.webp differ 
diff --git a/static/images/activitymonitor/9.0/install/agent/credentials.webp b/static/images/activitymonitor/9.0/install/agent/credentials.webp new file mode 100644 index 0000000000..c288e225ae Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/credentials.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp b/static/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp new file mode 100644 index 0000000000..568d5078b2 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/destinationfolder_1.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/domaincontroller.webp b/static/images/activitymonitor/9.0/install/agent/domaincontroller.webp new file mode 100644 index 0000000000..c75f50c1fc Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/domaincontroller.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/domains.webp b/static/images/activitymonitor/9.0/install/agent/domains.webp new file mode 100644 index 0000000000..36bf90c68f Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/domains.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/enterprisemanageram.webp b/static/images/activitymonitor/9.0/install/agent/enterprisemanageram.webp new file mode 100644 index 0000000000..e3969f6d03 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/enterprisemanageram.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/eula.webp b/static/images/activitymonitor/9.0/install/agent/eula.webp new file mode 100644 index 0000000000..9cf1941465 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/eula.webp differ 
diff --git a/static/images/activitymonitor/9.0/install/agent/eventsourcesad.webp b/static/images/activitymonitor/9.0/install/agent/eventsourcesad.webp new file mode 100644 index 0000000000..b58bcd4a27 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/eventsourcesad.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/installlocation.webp b/static/images/activitymonitor/9.0/install/agent/installlocation.webp new file mode 100644 index 0000000000..ae3c53eb08 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/installlocation.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/installnew.webp b/static/images/activitymonitor/9.0/install/agent/installnew.webp new file mode 100644 index 0000000000..74233a1aab Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/installnew.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/license.webp b/static/images/activitymonitor/9.0/install/agent/license.webp new file mode 100644 index 0000000000..ad7583d84f Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/license.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/linuxagentoptions.webp b/static/images/activitymonitor/9.0/install/agent/linuxagentoptions.webp new file mode 100644 index 0000000000..d413a2cec3 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/linuxagentoptions.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/portdefault.webp b/static/images/activitymonitor/9.0/install/agent/portdefault.webp new file mode 100644 index 0000000000..2011618066 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/portdefault.webp differ 
diff --git a/static/images/activitymonitor/9.0/install/agent/properties.webp b/static/images/activitymonitor/9.0/install/agent/properties.webp new file mode 100644 index 0000000000..d661340c4a Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/properties.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/readyinstall.webp b/static/images/activitymonitor/9.0/install/agent/readyinstall.webp new file mode 100644 index 0000000000..4871404250 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/readyinstall.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/readytoinstall.webp b/static/images/activitymonitor/9.0/install/agent/readytoinstall.webp new file mode 100644 index 0000000000..f56032404b Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/readytoinstall.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/screen1.webp b/static/images/activitymonitor/9.0/install/agent/screen1.webp new file mode 100644 index 0000000000..411bee37a5 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/screen1.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/screen2.webp b/static/images/activitymonitor/9.0/install/agent/screen2.webp new file mode 100644 index 0000000000..1c4e378d66 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/screen2.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/screen3.webp b/static/images/activitymonitor/9.0/install/agent/screen3.webp new file mode 100644 index 0000000000..2db7f89f9d Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/screen3.webp differ 
diff --git a/static/images/activitymonitor/9.0/install/agent/specifyagentport.webp b/static/images/activitymonitor/9.0/install/agent/specifyagentport.webp new file mode 100644 index 0000000000..2011618066 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/specifyagentport.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/specifyport.webp b/static/images/activitymonitor/9.0/install/agent/specifyport.webp new file mode 100644 index 0000000000..2011618066 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/specifyport.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/success.webp b/static/images/activitymonitor/9.0/install/agent/success.webp new file mode 100644 index 0000000000..5565794682 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/success.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/welcome.webp b/static/images/activitymonitor/9.0/install/agent/welcome.webp new file mode 100644 index 0000000000..d2382fc934 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/welcome.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/welcome_1.webp b/static/images/activitymonitor/9.0/install/agent/welcome_1.webp new file mode 100644 index 0000000000..f48fa50630 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/welcome_1.webp differ diff --git a/static/images/activitymonitor/9.0/install/agent/windowsagent.webp b/static/images/activitymonitor/9.0/install/agent/windowsagent.webp new file mode 100644 index 0000000000..733c582431 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/agent/windowsagent.webp differ 
diff --git a/static/images/activitymonitor/9.0/install/complete.webp b/static/images/activitymonitor/9.0/install/complete.webp new file mode 100644 index 0000000000..ee52a152a1 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/complete.webp differ diff --git a/static/images/activitymonitor/9.0/install/destinationfolder.webp b/static/images/activitymonitor/9.0/install/destinationfolder.webp new file mode 100644 index 0000000000..bc4f7e91a7 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/destinationfolder.webp differ diff --git a/static/images/activitymonitor/9.0/install/eula.webp b/static/images/activitymonitor/9.0/install/eula.webp new file mode 100644 index 0000000000..a6cb9e9a38 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/eula.webp differ diff --git a/static/images/activitymonitor/9.0/install/licenseadded.webp b/static/images/activitymonitor/9.0/install/licenseadded.webp new file mode 100644 index 0000000000..a1d0f302e7 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/licenseadded.webp differ diff --git a/static/images/activitymonitor/9.0/install/licenseinfo.webp b/static/images/activitymonitor/9.0/install/licenseinfo.webp new file mode 100644 index 0000000000..d15061717b Binary files /dev/null and b/static/images/activitymonitor/9.0/install/licenseinfo.webp differ diff --git a/static/images/activitymonitor/9.0/install/loadlicense.webp b/static/images/activitymonitor/9.0/install/loadlicense.webp new file mode 100644 index 0000000000..72b6c5e98b Binary files /dev/null and b/static/images/activitymonitor/9.0/install/loadlicense.webp differ diff --git a/static/images/activitymonitor/9.0/install/ready.webp b/static/images/activitymonitor/9.0/install/ready.webp new file mode 100644 index 0000000000..fe83ac7956 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/ready.webp differ 
diff --git a/static/images/activitymonitor/9.0/install/removeagents.webp b/static/images/activitymonitor/9.0/install/removeagents.webp new file mode 100644 index 0000000000..6dd4828276 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/removeagents.webp differ diff --git a/static/images/activitymonitor/9.0/install/triallicense.webp b/static/images/activitymonitor/9.0/install/triallicense.webp new file mode 100644 index 0000000000..9fe249549b Binary files /dev/null and b/static/images/activitymonitor/9.0/install/triallicense.webp differ diff --git a/static/images/activitymonitor/9.0/install/triallicenseinfo.webp b/static/images/activitymonitor/9.0/install/triallicenseinfo.webp new file mode 100644 index 0000000000..e24261cc7a Binary files /dev/null and b/static/images/activitymonitor/9.0/install/triallicenseinfo.webp differ diff --git a/static/images/activitymonitor/9.0/install/updateagentinstaller.webp b/static/images/activitymonitor/9.0/install/updateagentinstaller.webp new file mode 100644 index 0000000000..842edc7f82 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/updateagentinstaller.webp differ diff --git a/static/images/activitymonitor/9.0/install/updateagentinstallerpopup.webp b/static/images/activitymonitor/9.0/install/updateagentinstallerpopup.webp new file mode 100644 index 0000000000..60bfb40f8c Binary files /dev/null and b/static/images/activitymonitor/9.0/install/updateagentinstallerpopup.webp differ diff --git a/static/images/activitymonitor/9.0/install/welcome.webp b/static/images/activitymonitor/9.0/install/welcome.webp new file mode 100644 index 0000000000..fb98f88e10 Binary files /dev/null and b/static/images/activitymonitor/9.0/install/welcome.webp differ 
diff --git a/static/images/activitymonitor/9.0/requirements/nam_admodule.webp b/static/images/activitymonitor/9.0/requirements/nam_admodule.webp new file mode 100644 index 0000000000..d118ba765c Binary files /dev/null and b/static/images/activitymonitor/9.0/requirements/nam_admodule.webp differ diff --git a/static/images/activitymonitor/9.0/requirements/ntp.webp b/static/images/activitymonitor/9.0/requirements/ntp.webp new file mode 100644 index 0000000000..e0f66b5033 Binary files /dev/null and b/static/images/activitymonitor/9.0/requirements/ntp.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/dashboard/aboutdashboard.webp b/static/images/activitymonitor/9.0/siem/qradar/dashboard/aboutdashboard.webp new file mode 100644 index 0000000000..2e1201c8dc Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/dashboard/aboutdashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/dashboard/deletionsdashboard.webp b/static/images/activitymonitor/9.0/siem/qradar/dashboard/deletionsdashboard.webp new file mode 100644 index 0000000000..bfd86b6474 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/dashboard/deletionsdashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/dashboard/homedashboard.webp b/static/images/activitymonitor/9.0/siem/qradar/dashboard/homedashboard.webp new file mode 100644 index 0000000000..fdd1722536 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/dashboard/homedashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/dashboard/permissionchangesdashboard.webp b/static/images/activitymonitor/9.0/siem/qradar/dashboard/permissionchangesdashboard.webp new file mode 100644 index 0000000000..40f040c8e3 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/dashboard/permissionchangesdashboard.webp differ 
diff --git a/static/images/activitymonitor/9.0/siem/qradar/dashboard/ransomwaredashboard.webp b/static/images/activitymonitor/9.0/siem/qradar/dashboard/ransomwaredashboard.webp new file mode 100644 index 0000000000..8a50fdd278 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/dashboard/ransomwaredashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp b/static/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp new file mode 100644 index 0000000000..3af2bf1f18 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/dashboard/userinvestigationdashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/file_activity_monitor_app.webp b/static/images/activitymonitor/9.0/siem/qradar/file_activity_monitor_app.webp new file mode 100644 index 0000000000..03d2c1220e Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/file_activity_monitor_app.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/settings.webp b/static/images/activitymonitor/9.0/siem/qradar/settings.webp new file mode 100644 index 0000000000..34b91a0f56 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/settings.webp differ diff --git a/static/images/activitymonitor/9.0/siem/qradar/stealthbitsoffenses.webp b/static/images/activitymonitor/9.0/siem/qradar/stealthbitsoffenses.webp new file mode 100644 index 0000000000..b11a7b9ddf Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/qradar/stealthbitsoffenses.webp differ diff --git a/static/images/activitymonitor/9.0/siem/splunk/dashboard/deletionsdashboard.webp b/static/images/activitymonitor/9.0/siem/splunk/dashboard/deletionsdashboard.webp new file mode 100644 index 0000000000..aebc7bdd77 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/splunk/dashboard/deletionsdashboard.webp differ 
diff --git a/static/images/activitymonitor/9.0/siem/splunk/dashboard/overviewdashboard.webp b/static/images/activitymonitor/9.0/siem/splunk/dashboard/overviewdashboard.webp new file mode 100644 index 0000000000..65e098a748 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/splunk/dashboard/overviewdashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/splunk/dashboard/permissionchangesdashboard.webp b/static/images/activitymonitor/9.0/siem/splunk/dashboard/permissionchangesdashboard.webp new file mode 100644 index 0000000000..6fb3781b99 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/splunk/dashboard/permissionchangesdashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/splunk/dashboard/ransomwaredashboard.webp b/static/images/activitymonitor/9.0/siem/splunk/dashboard/ransomwaredashboard.webp new file mode 100644 index 0000000000..79c5022b98 Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/splunk/dashboard/ransomwaredashboard.webp differ diff --git a/static/images/activitymonitor/9.0/siem/splunk/file_activity_monitor_app.webp b/static/images/activitymonitor/9.0/siem/splunk/file_activity_monitor_app.webp new file mode 100644 index 0000000000..413f873bff Binary files /dev/null and b/static/images/activitymonitor/9.0/siem/splunk/file_activity_monitor_app.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/agentinactivityalertsemailcredentials.webp b/static/images/activitymonitor/9.0/troubleshooting/agentinactivityalertsemailcredentials.webp new file mode 100644 index 0000000000..4882fe1250 Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/agentinactivityalertsemailcredentials.webp differ 
diff --git a/static/images/activitymonitor/9.0/troubleshooting/agentuseraccount.webp b/static/images/activitymonitor/9.0/troubleshooting/agentuseraccount.webp new file mode 100644 index 0000000000..1b77c7a1ef Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/agentuseraccount.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/archiveuseraccount.webp b/static/images/activitymonitor/9.0/troubleshooting/archiveuseraccount.webp new file mode 100644 index 0000000000..0b5ab00bc2 Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/archiveuseraccount.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/collectlogsbutton.webp b/static/images/activitymonitor/9.0/troubleshooting/collectlogsbutton.webp new file mode 100644 index 0000000000..27aef2d84f Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/collectlogsbutton.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/collectlogswindow.webp b/static/images/activitymonitor/9.0/troubleshooting/collectlogswindow.webp new file mode 100644 index 0000000000..e9c85444ba Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/collectlogswindow.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp b/static/images/activitymonitor/9.0/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp new file mode 100644 index 0000000000..52fdea9d0a Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/monitoredhostinactivityalertsemailcredentials.webp differ 
diff --git a/static/images/activitymonitor/9.0/troubleshooting/monitoredhostuseraccount.webp b/static/images/activitymonitor/9.0/troubleshooting/monitoredhostuseraccount.webp new file mode 100644 index 0000000000..d95bba3efe Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/monitoredhostuseraccount.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/panzuramqprotectionaccount.webp b/static/images/activitymonitor/9.0/troubleshooting/panzuramqprotectionaccount.webp new file mode 100644 index 0000000000..dcb9b19cde Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/panzuramqprotectionaccount.webp differ diff --git a/static/images/activitymonitor/9.0/troubleshooting/tracelogs.webp b/static/images/activitymonitor/9.0/troubleshooting/tracelogs.webp new file mode 100644 index 0000000000..14016245dd Binary files /dev/null and b/static/images/activitymonitor/9.0/troubleshooting/tracelogs.webp differ
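Review bot: three of the binary additions under static/images/activitymonitor/9.0/install/agent/ are the same image committed under different names: portdefault.webp, specifyagentport.webp and specifyport.webp all carry the blob index 0000000000..2011618066. Keep one copy and point the docs at it, or state why three identically-hashed files are needed; duplicated binaries make later image updates easy to apply to one name and miss on the others. The remaining image additions in this patch each have a distinct blob and nothing here can be reviewed beyond the file names, so confirm separately that the screenshots contain no real hostnames, account names or credentials before merge.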