diff --git a/docs/auditor/10.8/addon/azuresql/_category_.json b/docs/auditor/10.8/addon/azuresql/_category_.json new file mode 100644 index 0000000000..0814b4ceb8 --- /dev/null +++ b/docs/auditor/10.8/addon/azuresql/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Azure SQL Managed Instance Audit", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/auditor/10.8/addon/azuresql/deployment.md b/docs/auditor/10.8/addon/azuresql/deployment.md new file mode 100644 index 0000000000..94414b2562 --- /dev/null +++ b/docs/auditor/10.8/addon/azuresql/deployment.md 
@@ -0,0 +1,374 @@ +--- +title: "Deployment" +description: "Deployment" +sidebar_position: 10 +--- + +## Azure Application Registration + +To integrate with Microsoft Entra ID, you need to create a separate application registration in the Azure portal + +### Step 1: Create the App Registration + +1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration** +2. Enter: + - **Name**: Name: `NetwrixAuditor-AzureFiles` (this is an example — you can use any descriptive name for the app) + - **Supported account types** Accounts in this organizational directory only + - Leave **Redirect URI** blank +3. Click **Register** + +**Account Types references:** + +- **[Supported account types – Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/v2-supported-account-types)** + +- **[Identity and account types for single- and multitenant apps](https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types)** + + + +### Step 2: Gather App Details + +After registration, go to the **Overview** page of your new app and copy: +- **Application (Client) ID** + + +### Step 3: Create a Client Secret + +1. In the same app, go to **Manage > Certificates & secrets > Client secrets** +2. Click **+ New client secret** +3. Enter a description (e.g., `NetwrixSecret`) and select expiration +4. Click **Add** +5. Copy the **secret value** immediately — it won't be shown again + +Netwrix Auditor uses the **App ID** + **Client Secret** for authentication + +**At the end of this step, you should have:** +- Application (Client) ID +- Client Secret (Secret Value) + + +## Configure API Permissions + + +**Microsoft Graph API permissions:** + + +### Step 1: Add API Permissions (Optional) + +1. In your app in EntraID, go to **Manage > API permissions > + Add a permission** +2. Select **Microsoft Graph > Application permissions** +3. 
Add appropriate Microsoft APIs based on your requirements + +### Step 2: Grant Admin Consent + +Click **Grant admin consent for TenantName** + +**Why this is required:** +- By default, applications cannot query Microsoft Graph for directory-wide information +- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful + +**At the end of this step, your app has granted Microsoft Graph API permissions** + + +## Configure Azure Storage Account for Log Storage + +Azure SQL Managed Instance requires an Azure Storage Account with Blob container for audit log storage + +### Step 1: Create a Resource Group (if needed) + +1. In Azure Portal, search for Resource groups +2. Click + Create +3. Configure: + - **Subscription**: Your Azure subscription + - **Resource group name**: rg-netwrix-sqlmi (or your naming convention) + - **Region**: Same region as your SQL Managed Instance +4. Click **Review** + **Create**, then **Create** + +### Step 2: Create a Storage Account + +1. Search for **Storage accounts** and click **+ Create** + +2. On the **Basics** tab: + - **Subscription**: Your subscription + - **Resource group**: Select the created resource group + - **Storage account name**: Must be globally unique (e.g., `stnetwrixsqlmi001`) + - **Region**: Same as SQL Managed Instance for optimal performance + - **Performance**: Standard (sufficient for audit logs) + - **Redundancy**: Locally-redundant storage (LRS) or higher based on requirements + +3. On the **Advanced** tab (optional): + - **Secure transfer required**: Enabled + - **Minimum TLS version**: Version 1.2 + +4. Click **Review + Create**, then **Create** + +### Step 3: Create a Blob Container + +1. Navigate to the deployed **Storage Account** +2. In the left menu, select **Containers** (under *Data storage*) +3. Click **+ Container** +4. 
Configure: + - **Name**: `audit-logs` (consistent naming) + - **Public access level**: Private (no anonymous access) +5. Click **Create** + +### Step 4: Enable System-Assigned Managed Identity for SQL MI + +1. Navigate to your **SQL Managed Instance** +2. Go to **Identity** under *Settings* +3. On the **System-assigned** tab: + - Set **Status** to **On** + - Click **Save** +4. Note the **Object ID** for the managed identity + +### Step 5: Assign Storage Permissions + +Assign the **Storage Blob Data Owner** role to the SQL Managed Instance: + +1. In the **Storage Account**, go to **Access Control (IAM)** +2. Click **+ Add > Add role assignment** +3. On the **Role** tab: + - Search and select **Storage Blob Data Owner** +4. Click **Next** to go to the **Members** tab +5. Select **Assign access to**: *Managed Identity* +6. Click **+ Select members** +7. Choose **SQL Server** and select your **SQL Managed Instance** +8. Click **Select**, then **Review + assign** + + +## Configure Authentication in Azure SQL Managed Instance + +Create a login for the Entra ID application to access audit configuration + +### Step 1: Connect to SQL Managed Instance + +Use SQL Server Management Studio (SSMS) or Azure Data Studio with an account that has: + +- **Azure AD admin** privileges on the SQL MI +- **sysadmin** server role or equivalent permissions + + + +### Step 2: Create Login from External Provider + +Execute the following T-SQL commands: + +```sql +-- Create login using the exact Display Name from Entra ID +CREATE LOGIN [NetwrixSQLMIIntegration] FROM EXTERNAL PROVIDER; + +-- Grant basic connection permission +GRANT CONNECT SQL TO [NetwrixSQLMIIntegration]; + +-- Grant permissions for audit configuration and monitoring +GRANT ALTER ANY SERVER AUDIT TO [NetwrixSQLMIIntegration]; +GRANT VIEW ANY DATABASE TO [NetwrixSQLMIIntegration]; +GRANT VIEW SERVER STATE TO [NetwrixSQLMIIntegration]; +GRANT VIEW SERVER SECURITY AUDIT TO [NetwrixSQLMIIntegration] + +``` + +**Note**: Replace 
NetwrixSQLMIIntegration with your actual Azure AD application name +The name must match exactly as shown in Entra ID + +## Configure Server-Level Audit + +Set up comprehensive server-level auditing for login events and security changes + +### Step 1: Create Storage Credential + +```sql +USE master; +GO + +-- Create credential for Azure Blob Storage using Managed Identity +IF NOT EXISTS (SELECT * FROM sys.credentials + WHERE name = 'https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs') +BEGIN + CREATE CREDENTIAL [https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs] + WITH IDENTITY = 'Managed Identity'; + PRINT 'Created Managed Identity credential for audit-logs container'; +END +ELSE +BEGIN + PRINT 'Credential already exists for audit-logs container'; +END +GO +``` + +### Step 2: Create Server Audit + +```sql +USE master; +GO + +-- Drop existing audit if it exists (for redeployment scenarios) +IF EXISTS (SELECT * FROM sys.server_audits WHERE name = 'SERVER_AUDIT') +BEGIN + ALTER SERVER AUDIT [SERVER_AUDIT] WITH (STATE = OFF); + DROP SERVER AUDIT [SERVER_AUDIT]; + PRINT 'Existing server audit dropped'; +END + +-- Create the server audit +PRINT 'Creating server audit...'; +CREATE SERVER AUDIT [SERVER_AUDIT] +TO URL ( + PATH = 'https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs', + RETENTION_DAYS = 2 -- Adjust based on your retention requirements +) +WITH ( + QUEUE_DELAY = 1000, -- 1 second delay for better performance + ON_FAILURE = CONTINUE, -- Continue operation if audit fails + AUDIT_GUID = NEWID() -- Unique identifier for audit +); +GO +``` + +### Step 3: Create Server Audit Specification +```sql +-- Drop existing specification if it exists +IF EXISTS (SELECT * FROM sys.server_audit_specifications WHERE name = 'SERVER_AUDIT_SPEC') +BEGIN + ALTER SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC] WITH (STATE = OFF); + DROP SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC]; + PRINT 'Existing server audit specification dropped'; +END + +-- Create 
comprehensive server audit specification +CREATE SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC] +FOR SERVER AUDIT [SERVER_AUDIT] + ADD (FAILED_LOGIN_GROUP), -- Failed login attempts + ADD (SUCCESSFUL_LOGIN_GROUP), -- Successful logins + ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), -- Server role membership changes + ADD (SERVER_PRINCIPAL_CHANGE_GROUP), -- Server principal changes (logins) + ADD (LOGIN_CHANGE_PASSWORD_GROUP), -- Password changes + ADD (SERVER_STATE_CHANGE_GROUP), -- Server state changes + ADD (SERVER_OBJECT_CHANGE_GROUP), -- Server object changes + ADD (SERVER_PERMISSION_CHANGE_GROUP), -- Server permission changes + ADD (AUDIT_CHANGE_GROUP), -- Audit configuration changes + ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP) -- Ownership changes +WITH (STATE = OFF); +GO + +-- Enable audit specification first, then audit +ALTER SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC] WITH (STATE = ON); +PRINT 'Server audit specification enabled'; + +ALTER SERVER AUDIT [SERVER_AUDIT] WITH (STATE = ON); +PRINT 'Server audit enabled successfully!'; +GO +``` + +## Configure Database-Level Audit + +Set up database-specific auditing for comprehensive monitoring + +### Database Audit Configuration Script + +```sql +-- Variables - modify these for your environment +DECLARE @DatabaseName NVARCHAR(128) = 'YourDatabaseName'; -- Change to your database name +DECLARE @ServerAuditName NVARCHAR(128) = 'SERVER_AUDIT'; -- Must match your server audit name +DECLARE @DatabaseAuditSpecName NVARCHAR(128) = 'DATABASE_AUDIT_SPEC'; + +-- Validate database exists +IF NOT EXISTS (SELECT * FROM sys.databases WHERE name = @DatabaseName) +BEGIN + PRINT 'Database ' + @DatabaseName + ' does not exist!'; + RETURN; +END + +DECLARE @SQL NVARCHAR(MAX); + +-- Switch to target database and create audit specification +SET @SQL = N' +USE [' + @DatabaseName + N']; + +-- Drop existing database audit specification if it exists +IF EXISTS (SELECT * FROM sys.database_audit_specifications + WHERE name = ''' + 
@DatabaseAuditSpecName + N''') +BEGIN + PRINT ''Dropping existing database audit specification...''; + ALTER DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N'] WITH (STATE = OFF); + DROP DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N']; +END + +PRINT ''Creating database audit specification for: ' + @DatabaseName + N'''; + +CREATE DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N'] +FOR SERVER AUDIT [' + @ServerAuditName + N'] + -- User and Role Management (CreateUserStatement, DropUserStatement, AlterUserStatement) + ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), + + -- Role Operations (CreateRoleStatement, DropRoleStatement, AlterRoleStatement) + ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), + + -- Permission Changes (GrantStatement, RevokeStatement, DenyStatement) + ADD (DATABASE_PERMISSION_CHANGE_GROUP), + + -- Schema Operations (CreateSchemaStatement, DropSchemaStatement) + ADD (SCHEMA_OBJECT_CHANGE_GROUP), + + -- Table Operations (CreateTableStatement, DropTableStatement, AlterTableStatement and etc) + ADD (DATABASE_OBJECT_CHANGE_GROUP), + + -- Ownership Changes (AlterAuthorizationStatement) + ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), + + -- Backup/Restore Operations (BackupStatement, RestoreStatement) + ADD (BACKUP_RESTORE_GROUP), + +WITH (STATE = OFF); + +-- Enable the database audit specification +ALTER DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N'] WITH (STATE = ON); +PRINT ''Database audit specification enabled for: ' + @DatabaseName + N'''; +'; + +EXEC sp_executesql @SQL; + +``` + +## Install and Configure Netwrix Add-on + +Run the Netwrix Auditor Add-on Setup Wizard and follow these configuration steps: + +### Step 1: Netwrix Auditor Server Connection + +**First Screen Configuration:** + +- **Endpoint URL**: URL of your Netwrix Auditor Server +- **Credentials**: Valid credentials with sufficient privileges to register and manage data sources + +### Step 2: Application Settings + +**Microsoft Entra ID 
Authentication:** + +- **Tenant ID**: Directory (tenant) ID from **[Azure Application Registration](#azure-application-registration)** +- **Client ID**: Application (client) ID from **[Azure Application Registration](#step-2-gather-app-details)** +- **Client Secret**: The secret value you copied in **[Azure Application Registration](#step-3-create-a-client-secret)** + +### Step 3: Target SQL Settings + +**Azure SQL Managed Instance Connection:** + +- **Azure SQL Server URL:** + +```text +your-sql-instance.public..database.windows.net,1433 +``` +- **Database Name**: `master` (for audit collection) +- **Authentication**: Azure Active Directory +- **Blob Path**: Full path to audit logs container + +```text +https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs/ +``` + +### Step 4: Finalize Setup + +1. Review all configuration parameters +2. Click **Run** to complete the setup +3. Monitor the initial synchronization process + + diff --git a/docs/auditor/10.8/addon/azuresql/overview.md b/docs/auditor/10.8/addon/azuresql/overview.md new file mode 100644 index 0000000000..e9e38387ae --- /dev/null +++ b/docs/auditor/10.8/addon/azuresql/overview.md 
@@ -0,0 +1,65 @@ +--- +title: "Azure SQL Managed Instance" +description: "Azure SQL Managed Instance" +sidebar_position: 70 +--- + +# Azure SQL Managed Instance Audit + +## Overview +This guide provides comprehensive instructions for configuring audit monitoring for Azure SQL Managed Instance using Netwrix Auditor. +The setup involves creating Microsoft Entra ID application registration, configuring Azure Storage for audit logs, setting up database-level auditing, and installing the Netwrix add-on. + +**Download link:** +[https://netwrix.com/go/auditor_addon_azure_sql_mi](https://netwrix.com/go/auditor_addon_azure_sql_mi) + + +## Prerequisites +Before starting the configuration, ensure you have: + +- **Azure Subscription** with appropriate permissions +- **Azure SQL Managed Instance** deployed and accessible +- **Netwrix Auditor Server** installed and running +- **Administrative privileges** in Azure portal and SQL Managed Instance +- **Network connectivity** between Azure SQL MI and storage account + + +## Architecture Overview + +[Azure SQL MI] --> [Audit Logs] --> [Azure Blob Storage] --> [Netwrix Add-on] --> [Netwrix Auditor] + + +The solution uses: +- **Microsoft Entra ID** for authentication +- **Azure Blob Storage** for audit log storage +- **Managed Identity** for secure access +- **Server and Database level auditing** for comprehensive coverage + +# **Limitations and Considerations** + +- **Single Instance Support**: This add-on version supports monitoring one Azure SQL Managed Instance per installation +- **Processing Delay**: There may be a delay between events occurring and appearing in Netwrix Auditor + + +# Support and Feedback + + +This Azure SQL Managed Instance add-on is a **free integration solution** for Netwrix Auditor. + +**Your feedback matters.** Suggest features or improvements for Netwrix Auditor and vote for your favorites in the **[Netwrix Community](https://community.netwrix.com/c/products/auditor/ideas/93)**. 
+ +Please share your feedback on: + +- Functionality and features +- Documentation and setup process +- Additional requirements or use cases + + + +# Additional Resources + + +**Microsoft Documentation** +- [Create a storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create) +- [Azure SQL Managed Instance auditing](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure) +- [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index c3e9db2d89..09567f634f 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md 
@@ -1,56 +1,66 @@ --- -title: "Azure Files Monitoring Plan" +title: "Azure Files" description: "Create and configure Azure Files monitoring plans in Netwrix Auditor v10.8" sidebar_position: 85 --- -# Azure Files Monitoring Plan +# Azure Files -Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts. +Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts ## Prerequisites +- **[Azure Application registered](/docs/auditor/10.8/configuration/azurefiles/overview.md#azure-application-registration)** with required **[permissions](/docs/auditor/10.8/configuration/azurefiles/overview.md#configure-api-permissions)** +- **[Diagnostic Settings configured](/docs/auditor/10.8/configuration/azurefiles/overview.md#diagnostic-settings)** for storage accounts - **[Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md)** completed -- **Azure Application** registered with required permissions -- **Diagnostic settings** enabled for storage accounts + ## Create Monitoring Plan ### Step 1: Create New Monitoring Plan -1. Navigate to **Home > Monitoring Plans** -2. Click **Create New Monitoring Plan** -3. Provide monitoring plan name -4. Create audit database -5. Configure email notification method +1. In the **Netwrix Auditor**, go to **Home > Monitoring Plans > + Add Plan** +2. Select **Azure Files** +3. Configure: + - [Audit database (SQL)](/docs/auditor/10_8/admin/settings/auditdatabase) + - [Notifications (SMTP or Exchange Online)](/docs/auditor/10_8/admin/settings/notifications) + - Plan name and description + - Select **Add item now** -### Step 2: Add Azure Files Data Source -1. Click **Add Data Source** -2. Select **Azure Files** -3. 
Configure connection settings: - - **Tenant ID** (use ID, not tenant name) - - **Application ID** - - **Application Secret** - - **Subscription ID** +### Step 2: Add Item for Monitoring + +- Option A – Storage Account → Enter **Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret** +- Option B – Subscription → Enter **Subscription Name, Subscription ID, Tenant Name, Application ID, Application Secret** + +**Tip:** If you have multiple storage accounts, use the subscription option for easier management + + +### Step 3: Configure Monitoring Scope and Actions + +1. In the **Netwrix Auditor**, double-click your **Azure Files plan** +2. Enable **Monitor this data source and collect activity data** + +3. Select actions: + + - **Changes (Success/Fail)** → Track file creation, modification, deletion, and failed attempts + - **Successful** - Use this option to track changes to your data. It helps to find out who made changes to your files, including their creation and deletion + - **Failed** - Use this option to detect suspicious activity on Azure Files. It helps to identify potential intruders who tried to modify or delete files, etc., but failed to do it + + - **Read Access (Success/Fail)** → Track file reads and unauthorized read attempts + - **Successful** - Show successful attempts to read files + - **Failed** - Use this option to track suspicious activity. 
Helps find out who was trying to access your private data without proper justification.Enabling this option on public shares will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive -### Step 3: Configure Storage Accounts +**Note:** Enabling read access auditing on public shares may generate high event volume -Configure storage account settings (requires separate accounts): -- **File Share Storage Account** - Contains the file shares to monitor -- **Audit Log Storage Account** - Stores diagnostic logs (must be separate account) -- **Resource Group** - Resource group containing the storage accounts +**Tip:** Only enable read auditing where compliance requires it (e.g., HR, Finance) -### Step 4: Configure Monitoring Options +4. Add exclusions → e.g., service accounts that produce excessive logs -Select monitoring options: -- **Track changes** (successful/failed operations) -- **Monitor read access** (optional - increases audit volume) -- **User monitoring restrictions** (specify users to exclude from monitoring) - **Monitored object types** - Select from: - - Files - - Folders - - Shares + - Files + - Folders + - Shares - **Monitored actions** - Configure which file operations to track ### Step 5: Test Connection @@ -64,7 +74,7 @@ Click **Test Connection** to verify: After creating the monitoring plan: 1. **Verify data collection** is working -2. **Configure reports** as needed -3. **Set up alerts** for important events +2. **[Configure reports](/docs/auditor/10_8/admin/reports/overview)** as needed +3. **[Set up alerts](/docs/auditor/10_8/admin/alertsettings/create/)** for important events -For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md). \ No newline at end of file +For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md) 
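Review bot: in the first azurefiles.md hunk, "Step 2: Add Item for Monitoring" asks for **Tenant Name** in both Option A and Option B, while the text it replaces said "Tenant ID (use ID, not tenant name)" and the Azure SQL deployment page added in this same patch asks for the Tenant ID; confirm which value the Azure Files item dialog actually takes and make the two pages agree. The new links `/docs/auditor/10_8/admin/settings/auditdatabase` and `/docs/auditor/10_8/admin/settings/notifications` use `10_8` as the version segment, whereas every other path on the page uses `10.8`, so they will 404 unless the docs tree really has both. Step 4 was removed but "### Step 5: Test Connection" keeps its number, and the "Monitored object types" / "Monitored actions" bullets that belonged to the removed Step 4 now hang under "4. Add exclusions" with no lead-in; renumber the steps and either fold those bullets into Step 3 or drop them.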
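Review bot: the second azurefiles.md hunk has the same `10_8` version segment in `/docs/auditor/10_8/admin/reports/overview` and `/docs/auditor/10_8/admin/alertsettings/create/`; the unchanged link on the following line uses `/docs/auditor/10.8/...`, so change these to `10.8` as well.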
diff --git a/docs/auditor/10.8/configuration/azurefiles/_category_.json b/docs/auditor/10.8/configuration/azurefiles/_category_.json index 23eacd1365..6dfdf735b3 100644 --- a/docs/auditor/10.8/configuration/azurefiles/_category_.json +++ b/docs/auditor/10.8/configuration/azurefiles/_category_.json @@ -1,4 +1,10 @@ { "label": "Azure Files", - "position": 15 -} \ No newline at end of file + "position": 15, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md b/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md new file mode 100644 index 0000000000..a448d58472 --- /dev/null +++ b/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md @@ -0,0 +1,23 @@ +--- +title: "Monitored Object Types, Actions, and Attributes" +description: "Examine the list of actions that have been audited and reported by Azure Files data collector in the Netwrix Auditor 10.8" +sidebar_position: 2 +--- + +Examine the list of actions that have been audited and reported by Azure Files data collector in the Netwrix Auditor 10.8 + +| Action | File | Folder | Share | +|--------|------|--------|-------| +| Added | + | + | + | +| Add (failed attempt) | + | + | – | +| Modified | + | + | + | +| Modify (failed attempt) | + | + | – | +| Moved | + | + | – | +| Move (failed attempt) | + | + | – | +| Read | + | – | – | +| Read (failed attempt) | + | + | – | +| Renamed | + | + | – | +| Renamed (failed attempt) | – | – | – | +| Removed | + | + | + | +| Remove (failed attempt) | – | – | – | +| Copied | – | – | – | diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 839b79f70f..62fbda9aaf 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
@@ -6,71 +6,232 @@ sidebar_position: 1 # Azure Files Configuration Overview -Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD application registration, permissions, and diagnostic settings. ## Prerequisites - **Azure Files License** - Azure Files is a paid data source requiring specific licensing - **Azure Subscription** with Azure Files storage accounts (Standard and Premium supported) -- **Global Administrator** or **Security Administrator** role in Azure AD -- **Storage Account Contributor** role on target storage accounts -- **Separate Storage Accounts** - Requires separate storage accounts for data and audit logs +- **Admin** permissions in Microsoft Entra ID and Azure Storage +- **Two separate storage accounts:** -## Configuration Steps Overview + - One for file shares (data) — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) -1. **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application -2. **[Permissions Setup](#permissions-setup)** - Assign required permissions -3. **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging + - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) + +- [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) is configured for data storage account in Azure Files + + Supported options: + - Active Directory Domain Services (AD DS) + - Microsoft Entra Kerberos (for hybrid identities) + - Microsoft Entra Domain Services (Entra DS) — not supported + + **Netwrix Auditor** relies on **identity-based access** to correctly map file operations to real user accounts. 
Without it: + - Audit logs may not contain accurate user information + - Activity may be shown as system or anonymous accounts + +## Configuration Scope Overview + +- **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application +- **[Configure API Permissions](#configure-api-permissions)** - Assign required permissions for created application in EntraID +- **[Assign IAM Roles to the App](#assign-iam-roles-to-the-app)**- Assigning roles to Resource Group, Data Storage Account and Log Storage Account +- **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging ## Azure Application Registration -Create an application in Microsoft Entra ID (Azure AD): +You should register an application so Netwrix Auditor can authenticate to Azure and read audit logs + +### Step 1: Create the App Registration + +1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration** +2. Enter: + - **Name**: Name: `NetwrixAuditor-AzureFiles` (this is an example — you can use any descriptive name for the app) + - **Supported account types** (see below) + - Leave **Redirect URI** blank +3. Click **Register** + +**Account Types references:** + +- **[Supported account types – Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/v2-supported-account-types)** + +- **[Identity and account types for single- and multitenant apps](https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types)** + +**Note:** Switching audiences later may cause errors + + +### Step 2: Gather App Details + +After registration, go to the **Overview** page of your new app and copy: +- **Application (Client) ID** + + +### Step 3: Create a Client Secret + +1. In the same app, go to **Manage > Certificates & secrets > Client secrets** +2. Click **+ New client secret** +3. Enter a description (e.g., `NetwrixSecret`) and select expiration +4. Click **Add** +5. 
Copy the **secret value** immediately — it won't be shown again + +Netwrix Auditor uses the **App ID** + **Client Secret** for authentication + +**At the end of this step, you must have:** +- Application (Client) ID +- Client Secret (Secret Value) + + +## Configure API Permissions + + +**Microsoft Graph API permissions:** + + +### Step 1: Add Permissions + +| Permission | Purpose | +|------------|---------| +| `User.Read` | Basic user information. Sign in and read user profile. *(default)* | +| `User.Read.All` | Read all users' profiles. Required to resolve SIDs into usernames in reports | + + +1. In your app in EntraID, go to **Manage > API permissions > + Add a permission**. +2. Select **Microsoft Graph > Application permissions** +3. Add: + - **User.Read (default)** + - **User.Read.All** + +- *User.Read* – "Sign in and read user profile." *(default)* +- *User.Read.All* – "Read all users' full profiles" -1. Navigate to **Azure Active Directory > App registrations** -2. Click **New registration** -3. Configure: - - **Name**: `Netwrix-Auditor-AzureFiles-Monitor` - - **Supported account types**: Accounts in this organizational directory only -4. Click **Register** -5. Go to **Certificates & secrets** > **New client secret** -6. 
Record these values for Netwrix Auditor: - - **Tenant ID** (use ID, not tenant name) - - **Application (Client) ID** - - **Client Secret** + +### Step 2: Grant Admin Consent + +Click **Grant admin consent for TenantName** + +**Why this is required:** +- By default, applications cannot query Microsoft Graph for directory-wide information +- Admin consent allows the app to use **User.Read.All** +- This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names** +- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful + +**At the end of this step, your app has granted Microsoft Graph API permissions** + + +## Assign IAM Roles to the App + +| Role | Scope | Purpose | +|------|--------|---------| +| `Reader` | Resource Group | List storage accounts | +| `Storage File Data Privileged Reader` | Storage Account | Read file shares data | +| `Storage Blob Data Reader` | Log Storage Account | Access audit logs | + + +**IAM Roles:** + +You mshould assign Azure IAM roles so that Netwrix Auditor can: +- Discover file shares in your resource group +- Read metadata from your data storage account +- Access audit logs from your log storage account + +**These IAM roles are mandatory** + +### Step 1: Assign Reader Role on Resource Group + +1. In the Azure Portal, go to your **Resource Group** +2. Open **Access control (IAM)** +3. Click **+ Add > Add role assignment** +4. Select role: **Reader** + - "View everything, but not make any changes" +5. Click **Next** +6. Under **Members**, click **+ Select members** +7. In the search window, find and select the **App you registered earlier** +8. Click **Select → Review + assign** + + +### Step 2: Assign Storage File Data Privileged Reader on Data Storage Account + +1. In the Azure Portal, go to your **Data Storage Account** +2. Navigate to **Access control (IAM) > + Add role assignment** +3. 
Select role: **Storage File Data Privileged Reader** + - "Allows read access to file shares and directory/file metadata, including NTFS ACLs" +4. Click **Next** +5. Under **Members**, click **+ Select members** +6. Search for and select the **App you registered earlier** +7. Click **Select → Review + assign** + + +### Step 3: Assign Storage Blob Data Reader on Log Storage Account + +1. In the Azure Portal, go to your **Log Storage Account** +2. Navigate to **Access control (IAM) > + Add role assignment** +3. Select role: **Storage Blob Data Reader** + - "Allows read access to Azure Storage blob containers and data" +4. Click **Next** +5. Under **Members**, click **+ Select members** +6. Search for and select the **App you registered earlier** +7. Click **Select → Review + assign** + + +### Notes & Best Practices + +- Data and log storage accounts can be in different resource groups +- Supported identity sources: AD DS, Microsoft Entra Kerberos +- Not supported: Microsoft Entra Domain Services +- Supported protocol: SMB + +**At the end of this step, your app should have assigned roles:** +- Reader (Resource Group) +- Storage File Data Privileged Reader (Data Storage Account) +- Storage Blob Data Reader (Log Storage Account) ## Diagnostic Settings -Configure diagnostic settings for each storage account containing file shares: +Azure Files does not generate audit events by default +You must configure **Diagnostic Settings** to send file activity logs to your **Log Storage Account** + +### Step 1: Open Diagnostic Settings + +1. In the Azure Portal, go to your **Data Storage Account** +2. Navigate to **Monitoring > Diagnostic settings** +3. On the **"Select any of the resources to view diagnostic settings"** screen, choose **File** + - Netwrix Auditor only supports **File** diagnostic settings +4. Click **+ Add diagnostic setting** + +### Step 2: Configure General Settings + +1. Enter a name (e.g., `NetwrixAuditorLogs`) +2. 
Under **Category groups**, select **Audit** + - Only the **Audit** category group is supported by Netwrix Auditor + +### Step 3: Configure Destination + +1. Under **Destination details**, check **Archive to a storage account** + - This is the **only supported option** for Netwrix Auditor +2. Select your **Log Storage Account** +3. Confirm the correct **subscription** and **storage account** -1. Navigate to **Storage Account > Monitoring > Diagnostic settings** -2. Click **Add diagnostic setting** -3. Configure: - - **Name**: `Netwrix-AzureFiles-Audit` - - **Log Categories**: Select all file service categories: - - StorageRead - - StorageWrite - - StorageDelete - - **Destination**: Archive to storage account (separate audit logs storage account) +**Note:** Azure requires **two separate storage accounts:** +- One for file shares (data) +- One for audit logs -## Permissions Setup +### Step 4: Save the Configuration -### Required Permissions +Click **Save**. +Azure Files audit logs will now be archived into your **Log Storage Account** -Assign these permissions to your Azure application: +**At the end of this step, you should have:** +- A Diagnostic Setting under the File resource type +- Audit category group selected +- Destination set to Archive to a storage account +- Logs archiving into the Log Storage Account -**Microsoft Graph API:** -- User.Read -- User.Read.All -**Storage Account Roles:** -- Reader (Resource Group level) -- Storage File Data Privileged Reader -- Storage Blob Data Reader (for audit logs) +## Checklist -### Assign Permissions +- [Azure Application registered](#azure-application-registration) with App ID + Secret +- [API permissions](#configure-api-permissions) (User.Read, User.Read.All) granted +- [IAM roles assigned](#assign-iam-roles-to-the-app) (Reader, Storage File Data Privileged Reader, Storage Blob Data Reader) +- [Diagnostic Settings configured](#diagnostic-settings) to log to a Log Storage Account -1. 
**Graph API**: In Azure AD application > **API permissions** > **Add permission** > **Microsoft Graph** > Select permissions > **Grant admin consent** -2. **Storage**: In **Storage Account > Access control (IAM)** > **Add role assignment** > Assign required roles ## Next Steps @@ -80,4 +241,4 @@ After completing the Azure Files configuration: 2. **Create Monitoring Plan**: Configure Azure Files monitoring in Netwrix Auditor 3. **Validate Data Collection**: Confirm audit events are being collected -For detailed instructions on creating the monitoring plan, see the [Azure Files Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/azurefiles.md) documentation. \ No newline at end of file +For detailed instructions on creating the monitoring plan, see the [Azure Files Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/azurefiles.md) documentation diff --git a/docs/auditor/10.8/configuration/azurefiles/permissions.md b/docs/auditor/10.8/configuration/azurefiles/permissions.md deleted file mode 100644 index 6fa91dd35e..0000000000 --- a/docs/auditor/10.8/configuration/azurefiles/permissions.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: "Azure Files Permissions" -description: "Required permissions for Azure Files monitoring" -sidebar_position: 2 ---- - -# Azure Files Permissions - -Required permissions for Azure Files monitoring with Netwrix Auditor. - -## Microsoft Graph API Permissions - -| Permission | Purpose | -|------------|---------| -| `User.Read` | Basic user information | -| `User.Read.All` | Read all users' profiles | - -### Assign Graph API Permissions - -1. Navigate to **Azure Active Directory > App registrations** -2. Select your Netwrix Auditor application -3. Go to **API permissions** > **Add a permission** -4. Select **Microsoft Graph > Application permissions** -5. Select required permissions: `User.Read` and `User.Read.All` -6. Click **Grant admin consent for [Your Organization]** - -## Storage Account Permissions - -| Role | Scope | Purpose | -|------|--------|---------| -| `Reader` | Resource Group | List storage accounts | -| `Storage File Data Privileged Reader` | Storage Account | Read file share data | -| `Storage Blob Data Reader` | Storage Account | Access audit logs | - -### Assign Storage Permissions - -1. **Resource Group**: Navigate to **Resource Group > Access control (IAM)** > **Add role assignment** > Assign **Reader** role to your application -2. **Storage Account**: Navigate to **Storage Account > Access control (IAM)** > **Add role assignment** > Assign required roles: - - **Storage File Data Privileged Reader** - - **Storage Blob Data Reader** - diff --git a/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md b/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md index 14ddbd9afc..ded0508759 100644 --- a/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md +++ b/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md 
@@ -33,6 +33,18 @@ Auditor supports monitoring the following AD FS operating system versions: See the [AD FS](/docs/auditor/10.8/configuration/activedirectoryfederatedservices/overview.md) topic for additional information. +## Azure Files + +Auditor supports monitoring Azure Files with the following requirements: + +- Azure Storage Account with File Shares (SMB protocol) +- identity sources: + - Active Directory Domain Services (AD DS) + - Microsoft Entra Kerberos + +See the [Azure Files](/docs/auditor/10.8/configuration/azurefiles/overview.md) topic for additional +information. + ## Exchange Auditor supports monitoring the following Exchange Server versions: diff --git a/docs/auditor/10.8/whats-new.md b/docs/auditor/10.8/whats-new.md index 12cd4aa68b..e07ef6cd05 100644 --- a/docs/auditor/10.8/whats-new.md +++ b/docs/auditor/10.8/whats-new.md @@ -55,8 +55,8 @@ Expanded user monitoring with additional Active Directory attributes: ### Storage Platform Updates - **Nutanix Files 5.0**: Full support for the latest Nutanix Files version - **Dell Isilon OneFS 9.8 and 9.9**: Enhanced compatibility with newer OneFS versions -- **Dell Unity up to 5.4**: Extended support for Dell Unity storage systems +- **Dell Unity up to 5.5**: Extended support for Dell Unity storage systems - **Isilon/PowerScale 9.10**: Support for the latest PowerScale platform - **Qumulo Core 7.4.1**: Updated support for Qumulo distributed file systems -These enhancements ensure comprehensive monitoring across your hybrid IT infrastructure while providing the visibility needed to detect threats, maintain compliance, and optimize security operations. \ No newline at end of file +These enhancements ensure comprehensive monitoring across your hybrid IT infrastructure while providing the visibility needed to detect threats, maintain compliance, and optimize security operations. diff --git a/package-lock.json b/package-lock.json index 3cc82422c5..8efc821097 100644 --- a/package-lock.json 
+++ b/package-lock.json @@ -17,6 +17,7 @@ "@docusaurus/preset-classic": "^3.8.1", "@docusaurus/theme-mermaid": "^3.8.1", "@mdx-js/react": "^3.0.0", + "cross-env": "^7.0.3", "prism-react-renderer": "^2.3.0", "react": "^18.3.1", "react-dom": "^18.3.1", @@ -27,7 +28,6 @@ "@docusaurus/module-type-aliases": "^3.8.1", "@docusaurus/types": "^3.8.1", "@mdx-js/mdx": "^3.1.0", - "cross-env": "^7.0.3", "husky": "^9.1.7", "ora": "^8.2.0", "table": "^6.9.0", @@ -8042,7 +8042,6 @@ "version": "7.0.3", "resolved": "https://registry.npmjs.org/cross-env/-/cross-env-7.0.3.tgz", "integrity": "sha512-+/HKd6EgcQCJGh2PSjZuUitQBQynKor4wrFbRg4DtAgS1aWO+gU52xpH7M9ScGgXSYmAVS9bIJ8EzuaGw0oNAw==", - "dev": true, "license": "MIT", "dependencies": { "cross-spawn": "^7.0.1"
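Review bot: In the deployment.md Checklist, the entry "API permissions (User.Read, User.Read.All) granted" disagrees with the Grant Admin Consent text above it, which names only User.Read.All. User.Read is a delegated permission and is not offered under Microsoft Graph > Application permissions, so an app authenticating with a client secret (which is how the page says Auditor authenticates) cannot hold it; drop it from the checklist so readers do not search for a permission they cannot add. The "Why this is required" bullets also say admin consent is required while the API permissions step is labelled optional; pick one, since the SID-to-username resolution described here does not work without it.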
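Review bot: Typo in the IAM section of deployment.md: "You mshould assign Azure IAM roles" should read "You should assign". More importantly, the role table gives Storage File Data Privileged Reader the purpose "Read file shares data" while Step 2 quotes it as read access to "directory/file metadata, including NTFS ACLs"; state which Auditor actually needs, because the privileged reader role reads file content without being subject to NTFS ACLs, which makes the client secret a credential that can read every share in the account. Anyone approving this assignment needs that stated plainly, together with why a metadata-only role is not enough. Likewise, Storage Blob Data Reader at Log Storage Account scope covers every container in that account; if the log account holds anything besides the diagnostic-log containers, mention that the assignment can be scoped to the container instead.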
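Review bot: The removed Diagnostic Settings text listed the concrete log categories (StorageRead, StorageWrite, StorageDelete), but the replacement only says to select the Audit category group; keep the category names so a reader verifying an existing diagnostic setting can confirm it matches. The new line "Note: Azure requires two separate storage accounts" states a requirement without a reason; if it is an Azure Monitor restriction, link the source, and if it is a Netwrix requirement, say so, otherwise readers will try to archive logs into the data account.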
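Review bot: This deletes docs/auditor/10.8/configuration/azurefiles/permissions.md, yet the only link touched in this PR is the one in supporteddatasources.md, which points at overview.md. The deleted page had sidebar_position 2, so check the sidebar and any other pages for links to permissions.md, and consider a redirect to the Assign IAM Roles section of the new deployment page so bookmarked URLs do not 404.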
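Review bot: In the new Azure Files section of supporteddatasources.md, the bullet "identity sources:" is lowercase and lacks a qualifier, unlike its sibling "Azure Storage Account with File Shares (SMB protocol)"; write it as "Supported identity sources:" to match the wording under Notes & Best Practices in deployment.md, and repeat the "Not supported: Microsoft Entra Domain Services" line here, since this is the page readers consult before deploying.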
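Review bot: The Dell Unity bump from 5.4 to 5.5 is made in whats-new.md only; supporteddatasources.md is edited in this same PR but its Dell Unity entry is not touched, so confirm that page also says 5.5, otherwise the two pages contradict each other.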
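Review bot: cross-env moves from devDependencies to dependencies here (its lock entry loses `"dev": true`). cross-env only sets environment variables for npm scripts at build time, so it belongs in runtime dependencies only if the deploy step installs with --omit=dev and then runs a cross-env script; if that is the reason, say so in the PR description, and otherwise keep it a dev dependency. The matching package.json change is not in this diff; confirm it is included, since a lock file edited without package.json is reverted by the next npm install.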