From 605e0f6b59b8eaa1fbeb21c1476dacce0c5fc645 Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Tue, 23 Sep 2025 21:15:01 +0200 Subject: [PATCH 01/15] Update auditor azure files documentation --- .../10.8/admin/monitoringplans/azurefiles.md | 52 ++-- .../10.8/configuration/azurefiles/overview.md | 266 +++++++++++++++--- .../configuration/azurefiles/permissions.md | 41 --- .../supporteddatasources.md | 12 + package-lock.json | 3 +- 5 files changed, 272 insertions(+), 102 deletions(-) delete mode 100644 docs/auditor/10.8/configuration/azurefiles/permissions.md diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index c3e9db2d89..c5b671b675 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md 
@@ -11,28 +11,32 @@ Create monitoring plans for Azure Files to track file and folder changes across ## Prerequisites - **[Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md)** completed -- **Azure Application** registered with required permissions -- **Diagnostic settings** enabled for storage accounts +- **[Azure Application registered](/docs/auditor/10.8/configuration/azurefiles/overview.md#azure-application-registration)** with required [permissions](/docs/auditor/10.8/configuration/azurefiles/overview.md#configure-api-permissions) +- [Diagnostic Settings configured](/docs/auditor/10.8/configuration/azurefiles/overview.md#diagnostic-settings) for storage accounts ## Create Monitoring Plan ### Step 1: Create New Monitoring Plan -1. Navigate to **Home > Monitoring Plans** -2. Click **Create New Monitoring Plan** -3. Provide monitoring plan name -4. Create audit database -5. Configure email notification method +1. In the **Netwrix Auditor**, go to **Home > Monitoring Plans > + Add Plan**. +2. Select **Azure Files**. +3. Configure: + - [Audit database (SQL)](/docs/auditor/10_8/admin/settings/auditdatabase) + - [Notifications (SMTP or Exchange Online)](/docs/auditor/10_8/admin/settings/notifications) + - Plan name and description + - Select **Add item now** + ### Step 2: Add Azure Files Data Source 1. Click **Add Data Source** 2. Select **Azure Files** -3. Configure connection settings: - - **Tenant ID** (use ID, not tenant name) - - **Application ID** - - **Application Secret** - - **Subscription ID** +3. Select Item for Monitoring: +- Option A – Storage Account → Enter **Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret** +- Option B – Subscription → Enter **Subscription Name, Subscription ID, Tenant Name, Application ID, Application Secret** + +**Tip:** If you have multiple storage accounts, use the subscription option for easier management. + ### Step 3: Configure Storage Accounts 
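Review bot: Step 2 in this hunk now asks for **Tenant Name** in both Option A and Option B, while the removed lines said **Tenant ID** ("use ID, not tenant name"); if the Azure Files data source dialog really accepts a tenant name, say so explicitly, otherwise restore "Tenant ID" so readers do not paste the wrong value and fail authentication. The three new links in Step 1 use the path `/docs/auditor/10_8/admin/settings/...` without an `.md` extension, whereas every other link in this file (e.g. `/docs/auditor/10.8/configuration/azurefiles/overview.md`) uses `10.8` and the extension; align them, or they are likely to break in the built site. Minor: "In the **Netwrix Auditor**" reads better as "In **Netwrix Auditor**", and "Select **Add item now**" is an action rather than a setting, so it belongs as its own numbered step (4.) instead of a sub-bullet of "Configure:".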
@@ -41,12 +45,20 @@ Configure storage account settings (requires separate accounts): - **Audit Log Storage Account** - Stores diagnostic logs (must be separate account) - **Resource Group** - Resource group containing the storage accounts -### Step 4: Configure Monitoring Options +### Step 4: Configure Monitoring Scope and Actions + +1. In the **Netwrix Auditor**, double-click your **Azure Files plan**. +2. Enable **Monitor this data source and collect activity data**. + +3. Select actions: + - **Changes (Success/Fail)** → Track file creation, modification, deletion, and failed attempts. + - **Read Access (Success/Fail)** → Track file reads and unauthorized read attempts. + +**Note:** Enabling read access auditing on public shares may generate high event volume. +**Tip:** Only enable read auditing where compliance requires it (e.g., HR, Finance). + +4. Add exclusions → e.g., service accounts that produce excessive logs. -Select monitoring options: -- **Track changes** (successful/failed operations) -- **Monitor read access** (optional - increases audit volume) -- **User monitoring restrictions** (specify users to exclude from monitoring) - **Monitored object types** - Select from: - Files - Folders @@ -64,7 +76,7 @@ Click **Test Connection** to verify: After creating the monitoring plan: 1. **Verify data collection** is working -2. **Configure reports** as needed -3. **Set up alerts** for important events +2. **[Configure reports](/docs/auditor/10_8/admin/reports/overview)** as needed +3. **[Set up alerts](/docs/auditor/10_8/admin/alertsettings/create/)** for important events -For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md). \ No newline at end of file +For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md). 
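Review bot: In the Step 4 hunk the **Note:** and **Tip:** paragraphs sit between items 3 and 4 of the ordered list, so Markdown closes the list and renders "4. Add exclusions" as a new list starting at 1; either indent the two paragraphs under item 3 or move them after item 4. The surviving "- **Monitored object types**" bullet now dangles after the numbered list with no lead-in; fold it in as item 5 ("Select monitored object types:"). The phrase "public shares" in the note on read auditing is unclear for SMB file shares, which is the only protocol these docs cover; say "shares with broad read access" or similar. In the "After creating the monitoring plan" hunk, the two new links again use `/docs/auditor/10_8/admin/...` without `.md` while the final link on the same lines uses `/docs/auditor/10.8/.../azurefiles.md`; make the path style consistent.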
diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 839b79f70f..b70f3baf01 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
@@ -12,65 +12,253 @@ Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD app - **Azure Files License** - Azure Files is a paid data source requiring specific licensing - **Azure Subscription** with Azure Files storage accounts (Standard and Premium supported) -- **Global Administrator** or **Security Administrator** role in Azure AD -- **Storage Account Contributor** role on target storage accounts -- **Separate Storage Accounts** - Requires separate storage accounts for data and audit logs +- **Admin** permissions in Microsoft Entra ID and Azure Storage +- **Two separate storage accounts:** + + - One for file shares (data) — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) + + - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) ## Configuration Steps Overview 1. **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application -2. **[Permissions Setup](#permissions-setup)** - Assign required permissions +2. **[Configure API Permissions](#configure-api-permissions)** - Assign required permissions for created application in EntraID +3. **[Assign IAM Roles to the App](#assign-iam-roles-to-the-app)**- Assigning roles to Resource Group, Data Storage Account and Log Storage Account 3. **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging ## Azure Application Registration -Create an application in Microsoft Entra ID (Azure AD): +You must register an application so Netwrix Auditor can authenticate to Azure and read audit logs. -1. Navigate to **Azure Active Directory > App registrations** -2. Click **New registration** -3. 
Configure: - - **Name**: `Netwrix-Auditor-AzureFiles-Monitor` - - **Supported account types**: Accounts in this organizational directory only -4. Click **Register** -5. Go to **Certificates & secrets** > **New client secret** -6. Record these values for Netwrix Auditor: - - **Tenant ID** (use ID, not tenant name) - - **Application (Client) ID** - - **Client Secret** +### Step 1: Create the App Registration -## Diagnostic Settings +1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration**. +2. Enter: + - **Name**: `NetwrixAuditor-AzureFiles` + - **Supported account types** (see below) + - Leave **Redirect URI** blank +3. Click **Register**. -Configure diagnostic settings for each storage account containing file shares: +**Understanding Account Types:** -1. Navigate to **Storage Account > Monitoring > Diagnostic settings** -2. Click **Add diagnostic setting** -3. Configure: - - **Name**: `Netwrix-AzureFiles-Audit` - - **Log Categories**: Select all file service categories: - - StorageRead - - StorageWrite - - StorageDelete - - **Destination**: Archive to storage account (separate audit logs storage account) +- **Accounts in this organizational directory only (Single tenant)** + "All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization." + *Recommended for Netwrix Auditor* -## Permissions Setup +- **Accounts in any organizational directory (Multitenant)** + "All users with a work or school account from Microsoft can use your application or API (Office 365)." -### Required Permissions +- **Accounts in any organizational directory and personal Microsoft accounts (Multitenant + MSA)** + "All users with work, school, or personal accounts (Xbox, Skype, Outlook.com)." + +- **Personal Microsoft accounts only** + "Only consumer Microsoft accounts can use the app." + +**Note:** Switching audiences later may cause errors. 
+ + +### Step 2: Gather App Details + +After registration, go to the **Overview** page of your new app and copy: +- **Application (Client) ID** -Assign these permissions to your Azure application: + +### Step 3: Create a Client Secret + +1. In the same app, go to **Manage > Certificates & secrets > Client secrets**. +2. Click **+ New client secret**. +3. Enter a description (e.g., `NetwrixSecret`) and select expiration. +4. Click **Add**. +5. Copy the **secret value** immediately — it won't be shown again. + +Netwrix Auditor uses the **App ID** + **Client Secret** for authentication. + +**At the end of this step, you must have:** +- Application (Client) ID +- Client Secret (Secret Value) + + +## Configure API Permissions + +### Required Permissions **Microsoft Graph API:** -- User.Read -- User.Read.All + +| Permission | Purpose | +|------------|---------| +| `User.Read` | Basic user information | +| `User.Read.All` | Read all users' profiles | + + +### Step 1: Add Permissions + +1. In your app in EntraID, go to **Manage > API permissions > + Add a permission**. +2. Select **Microsoft Graph > Application permissions**. +3. Add: + - **User.Read (default)** + - **User.Read.All** + +- *User.Read* – "Sign in and read user profile." *(default)* +- *User.Read.All* – "Read all users' full profiles." + +--- + +### Step 2: Grant Admin Consent + +Click **Grant admin consent for **. + +**Why this is required:** +- By default, applications cannot query Microsoft Graph for directory-wide information. +- Admin consent allows the app to use **User.Read.All**. +- This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names**. +- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful. 
+ +**At the end of this step, your app has Microsoft Graph API permissions.** + +--- + +## Additional Configuration: Identity-Based Access for Azure Files + +Before assigning IAM roles or diagnostic settings, ensure that **identity-based access** is configured for your **Data Storage Account** (the account that hosts Azure File Shares). + +### Configure in the Azure Portal + +1. Go to your **Storage Account** (with the file shares). +2. Under **Data storage**, select **File shares**. +3. Open **File share settings** and check **Identity-based access**. +4. Ensure it is set to **Configured**. +5. Choose one of the following supported options: + - Active Directory Domain Services (AD DS) + - Microsoft Entra Kerberos (for hybrid identities) + - Microsoft Entra Domain Services (Entra DS) — not supported + +Reference: [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) + +**Why this matters:** +Netwrix Auditor relies on identity-based access to correctly map file operations to real user accounts. 
Without it: +- Audit logs may not contain accurate user information +- Activity may be shown as system or anonymous accounts + +**At the end of this step, your Data Storage Account must have identity-based access configured with either AD DS or Microsoft Entra Kerberos.** + +## Assign IAM Roles to the App **Storage Account Roles:** -- Reader (Resource Group level) -- Storage File Data Privileged Reader -- Storage Blob Data Reader (for audit logs) -### Assign Permissions +| Role | Scope | Purpose | +|------|--------|---------| +| `Reader` | Resource Group | List storage accounts | +| `Storage File Data Privileged Reader` | Storage Account | Read file share data | +| `Storage Blob Data Reader` | Storage Account | Access audit logs | + +You must assign Azure IAM roles so that Netwrix Auditor can: +- Discover file shares in your resource group +- Read metadata from your data storage account +- Access audit logs from your log storage account + +**These IAM roles are mandatory.** + +### Step 1: Assign Reader Role on Resource Group + +1. In the Azure Portal, go to your **Resource Group**. +2. Open **Access control (IAM)**. +3. Click **+ Add > Add role assignment**. +4. Select role: **Reader**. + - "View everything, but not make any changes." +5. Click **Next**. +6. Under **Members**, click **+ Select members**. +7. In the search window, find and select the **App you registered earlier**. +8. Click **Select → Review + assign**. + +--- + +### Step 2: Assign Storage File Data Privileged Reader on Data Storage Account + +1. In the Azure Portal, go to your **Data Storage Account**. +2. Navigate to **Access control (IAM) > + Add role assignment**. +3. Select role: **Storage File Data Privileged Reader**. + - "Allows read access to file shares and directory/file metadata, including NTFS ACLs." +4. Click **Next**. +5. Under **Members**, click **+ Select members**. +6. Search for and select the **App you registered earlier**. +7. Click **Select → Review + assign**. 
+ +--- + +### Step 3: Assign Storage Blob Data Reader on Log Storage Account + +1. In the Azure Portal, go to your **Log Storage Account**. +2. Navigate to **Access control (IAM) > + Add role assignment**. +3. Select role: **Storage Blob Data Reader**. + - "Allows read access to Azure Storage blob containers and data." +4. Click **Next**. +5. Under **Members**, click **+ Select members**. +6. Search for and select the **App you registered earlier**. +7. Click **Select → Review + assign**. + + +### Notes & Best Practices + +- Data and log storage accounts can be in different resource groups. +- Supported identity sources: AD DS, Microsoft Entra Kerberos +- Not supported: Microsoft Entra Domain Services +- Supported protocol: SMB + +**At the end of this step, your app should have:** +- Reader (Resource Group) +- Storage File Data Privileged Reader (Data Storage Account) +- Storage Blob Data Reader (Log Storage Account) + +## Diagnostic Settings + +Azure Files does not generate audit events by default. +You must configure **Diagnostic Settings** to send file activity logs to your **Log Storage Account**. + +### Step 1: Open Diagnostic Settings + +1. In the Azure Portal, go to your **Data Storage Account**. +2. Navigate to **Monitoring > Diagnostic settings**. +3. On the **"Select any of the resources to view diagnostic settings"** screen, choose **File**. + - Netwrix Auditor only supports **File** diagnostic settings. +4. Click **+ Add diagnostic setting**. + +### Step 2: Configure General Settings + +1. Enter a name (e.g., `NetwrixAuditorLogs`). +2. Under **Category groups**, select **Audit**. + - Only the **Audit** category group is supported by Netwrix Auditor. + +### Step 3: Configure Destination + +1. Under **Destination details**, check **Archive to a storage account**. + - This is the **only supported option** for Netwrix Auditor. +2. Select your **Log Storage Account**. +3. Confirm the correct **subscription** and **storage account**. 
+ +**Note:** Azure requires **two separate storage accounts**: +- One for file shares (data) +- One for audit logs + +### Step 4: Save the Configuration + +Click **Save**. +Azure Files audit logs will now be archived into your **Log Storage Account**. + +**At the end of this step, you should have:** +- A Diagnostic Setting under the File resource type +- Audit category group selected +- Destination set to Archive to a storage account +- Logs archiving into the Log Storage Account + + +## Checklist + +- [Azure Application registered](#azure-application-registration) with App ID + Secret +- [API permissions](#configure-api-permissions) (User.Read, User.Read.All) granted +- [Identity-based access configured](#additional-configuration-identity-based-access-for-azure-files) for Data Storage Account (AD DS or Entra Kerberos) +- [IAM roles assigned](#assign-iam-roles-to-the-app) (Reader, Storage File Data Privileged Reader, Storage Blob Data Reader) +- [Diagnostic Settings configured](#diagnostic-settings) to log to a Log Storage Account -1. **Graph API**: In Azure AD application > **API permissions** > **Add permission** > **Microsoft Graph** > Select permissions > **Grant admin consent** -2. **Storage**: In **Storage Account > Access control (IAM)** > **Add role assignment** > Assign required roles ## Next Steps @@ -80,4 +268,4 @@ After completing the Azure Files configuration: 2. **Create Monitoring Plan**: Configure Azure Files monitoring in Netwrix Auditor 3. **Validate Data Collection**: Confirm audit events are being collected -For detailed instructions on creating the monitoring plan, see the [Azure Files Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/azurefiles.md) documentation. \ No newline at end of file +For detailed instructions on creating the monitoring plan, see the [Azure Files Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/azurefiles.md) documentation. 
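Review bot: The Prerequisites hunk replaces the specific roles (Global Administrator or Security Administrator in Azure AD, Storage Account Contributor on the storage accounts) with the vague "**Admin** permissions in Microsoft Entra ID and Azure Storage"; name the minimum role needed for each step (granting admin consent to the Graph permissions, creating IAM role assignments, creating diagnostic settings) so readers can follow least privilege instead of requesting Global Administrator by default. Both "Create a storage account" links carry a `?utm_source=chatgpt.com` tracking parameter and duplicate their text ("Create a storage account [Create a storage account (Microsoft Learn)]"); drop the parameter and the duplicate. The Configuration Steps Overview is numbered 1, 2, 3, 3, and "Click **Grant admin consent for **." has an empty placeholder where the tenant name belongs (the deleted permissions.md used "[Your Organization]"). Step 1 of "Configure API Permissions" says to select **Application permissions** and then lists "User.Read (default)" with the quoted description "Sign in and read user profile", which is the wording of the delegated permission; confirm whether Netwrix Auditor only needs the application permission `User.Read.All` and, if `User.Read` is merely the default delegated permission on a new registration, say so rather than listing it as something to add. In the identity-based access step, "Microsoft Entra Domain Services (Entra DS) — not supported" is listed under "Choose one of the following supported options"; move it to a separate "Not supported:" line as the Notes & Best Practices section already does. Step 5 of "Create a Client Secret" asks the reader to "select expiration" without stating the consequence: add that data collection stops when the secret expires and a new secret must be entered in the monitoring plan, so the expiry date gets tracked.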
diff --git a/docs/auditor/10.8/configuration/azurefiles/permissions.md b/docs/auditor/10.8/configuration/azurefiles/permissions.md deleted file mode 100644 index 6fa91dd35e..0000000000 --- a/docs/auditor/10.8/configuration/azurefiles/permissions.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: "Azure Files Permissions" -description: "Required permissions for Azure Files monitoring" -sidebar_position: 2 ---- - -# Azure Files Permissions - -Required permissions for Azure Files monitoring with Netwrix Auditor. - -## Microsoft Graph API Permissions - -| Permission | Purpose | -|------------|---------| -| `User.Read` | Basic user information | -| `User.Read.All` | Read all users' profiles | - -### Assign Graph API Permissions - -1. Navigate to **Azure Active Directory > App registrations** -2. Select your Netwrix Auditor application -3. Go to **API permissions** > **Add a permission** -4. Select **Microsoft Graph > Application permissions** -5. Select required permissions: `User.Read` and `User.Read.All` -6. Click **Grant admin consent for [Your Organization]** - -## Storage Account Permissions - -| Role | Scope | Purpose | -|------|--------|---------| -| `Reader` | Resource Group | List storage accounts | -| `Storage File Data Privileged Reader` | Storage Account | Read file share data | -| `Storage Blob Data Reader` | Storage Account | Access audit logs | - -### Assign Storage Permissions - -1. **Resource Group**: Navigate to **Resource Group > Access control (IAM)** > **Add role assignment** > Assign **Reader** role to your application -2. **Storage Account**: Navigate to **Storage Account > Access control (IAM)** > **Add role assignment** > Assign required roles: - - **Storage File Data Privileged Reader** - - **Storage Blob Data Reader** - diff --git a/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md b/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md index 14ddbd9afc..ded0508759 100644 
--- a/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md +++ b/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md @@ -33,6 +33,18 @@ Auditor supports monitoring the following AD FS operating system versions: See the [AD FS](/docs/auditor/10.8/configuration/activedirectoryfederatedservices/overview.md) topic for additional information. +## Azure Files + +Auditor supports monitoring Azure Files with the following requirements: + +- Azure Storage Account with File Shares (SMB protocol) +- identity sources: + - Active Directory Domain Services (AD DS) + - Microsoft Entra Kerberos + +See the [Azure Files](/docs/auditor/10.8/configuration/azurefiles/overview.md) topic for additional +information. + ## Exchange Auditor supports monitoring the following Exchange Server versions: diff --git a/package-lock.json b/package-lock.json index 3cc82422c5..8efc821097 100644 --- a/package-lock.json +++ b/package-lock.json @@ -17,6 +17,7 @@ "@docusaurus/preset-classic": "^3.8.1", "@docusaurus/theme-mermaid": "^3.8.1", "@mdx-js/react": "^3.0.0", + "cross-env": "^7.0.3", "prism-react-renderer": "^2.3.0", "react": "^18.3.1", "react-dom": "^18.3.1", @@ -27,7 +28,6 @@ "@docusaurus/module-type-aliases": "^3.8.1", "@docusaurus/types": "^3.8.1", "@mdx-js/mdx": "^3.1.0", - "cross-env": "^7.0.3", "husky": "^9.1.7", "ora": "^8.2.0", "table": "^6.9.0", @@ -8042,7 +8042,6 @@ "version": "7.0.3", "resolved": "https://registry.npmjs.org/cross-env/-/cross-env-7.0.3.tgz", "integrity": "sha512-+/HKd6EgcQCJGh2PSjZuUitQBQynKor4wrFbRg4DtAgS1aWO+gU52xpH7M9ScGgXSYmAVS9bIJ8EzuaGw0oNAw==", - "dev": true, "license": "MIT", "dependencies": { "cross-spawn": "^7.0.1" From 21e532e8f7c5842719fceaff8424afecf0aa5044 Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Tue, 23 Sep 2025 21:30:48 +0200 Subject: [PATCH 02/15] Azure Auditor Update2 --- .../10.8/configuration/azurefiles/overview.md | 132 +++++++++--------- 1 file changed, 66 insertions(+), 66 deletions(-) 
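Review bot: The package-lock.json hunks in PATCH 01/15 move `cross-env` from devDependencies to dependencies (the `"dev": true` flag is dropped), but package.json is not among the five changed files, so the lock file no longer matches its manifest and `npm ci` may refuse to install; either include the matching package.json change or keep the lock file out of a documentation commit. Deleting `permissions.md` (which had `sidebar_position: 2`) should be accompanied by a search for links to `/configuration/azurefiles/permissions.md` and to the old `#permissions-setup` anchor elsewhere in the docs, or a redirect, so existing cross-references do not break. In the supporteddatasources.md hunk, "- identity sources:" should read "- Supported identity sources:" to match the sibling bullet, and the line break inside "additional\ninformation" can be joined.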
diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index b70f3baf01..8f1b393515 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md @@ -6,7 +6,7 @@ sidebar_position: 1 # Azure Files Configuration Overview -Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD application registration, permissions, and diagnostic settings. +Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD application registration, permissions, and diagnostic settings ## Prerequisites @@ -28,16 +28,16 @@ Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD app ## Azure Application Registration -You must register an application so Netwrix Auditor can authenticate to Azure and read audit logs. +You must register an application so Netwrix Auditor can authenticate to Azure and read audit logs ### Step 1: Create the App Registration -1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration**. +1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration** 2. Enter: - **Name**: `NetwrixAuditor-AzureFiles` - **Supported account types** (see below) - Leave **Redirect URI** blank -3. Click **Register**. +3. Click **Register** **Understanding Account Types:** 
@@ -46,15 +46,15 @@ You must register an application so Netwrix Auditor can authenticate to Azure an *Recommended for Netwrix Auditor* - **Accounts in any organizational directory (Multitenant)** - "All users with a work or school account from Microsoft can use your application or API (Office 365)." + "All users with a work or school account from Microsoft can use your application or API (Office 365)" - **Accounts in any organizational directory and personal Microsoft accounts (Multitenant + MSA)** - "All users with work, school, or personal accounts (Xbox, Skype, Outlook.com)." + "All users with work, school, or personal accounts (Xbox, Skype, Outlook.com)" - **Personal Microsoft accounts only** - "Only consumer Microsoft accounts can use the app." + "Only consumer Microsoft accounts can use the app" -**Note:** Switching audiences later may cause errors. +**Note:** Switching audiences later may cause errors ### Step 2: Gather App Details @@ -65,13 +65,13 @@ After registration, go to the **Overview** page of your new app and copy: ### Step 3: Create a Client Secret -1. In the same app, go to **Manage > Certificates & secrets > Client secrets**. -2. Click **+ New client secret**. -3. Enter a description (e.g., `NetwrixSecret`) and select expiration. -4. Click **Add**. -5. Copy the **secret value** immediately — it won't be shown again. +1. In the same app, go to **Manage > Certificates & secrets > Client secrets** +2. Click **+ New client secret** +3. Enter a description (e.g., `NetwrixSecret`) and select expiration +4. Click **Add** +5. Copy the **secret value** immediately — it won't be shown again -Netwrix Auditor uses the **App ID** + **Client Secret** for authentication. +Netwrix Auditor uses the **App ID** + **Client Secret** for authentication **At the end of this step, you must have:** - Application (Client) ID 
@@ -93,40 +93,40 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication. ### Step 1: Add Permissions 1. In your app in EntraID, go to **Manage > API permissions > + Add a permission**. -2. Select **Microsoft Graph > Application permissions**. +2. Select **Microsoft Graph > Application permissions** 3. Add: - **User.Read (default)** - **User.Read.All** - *User.Read* – "Sign in and read user profile." *(default)* -- *User.Read.All* – "Read all users' full profiles." +- *User.Read.All* – "Read all users' full profiles" --- ### Step 2: Grant Admin Consent -Click **Grant admin consent for **. +Click **Grant admin consent for TenantName** **Why this is required:** -- By default, applications cannot query Microsoft Graph for directory-wide information. -- Admin consent allows the app to use **User.Read.All**. -- This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names**. -- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful. +- By default, applications cannot query Microsoft Graph for directory-wide information +- Admin consent allows the app to use **User.Read.All** +- This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names** +- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful -**At the end of this step, your app has Microsoft Graph API permissions.** +**At the end of this step, your app has Microsoft Graph API permissions** --- ## Additional Configuration: Identity-Based Access for Azure Files -Before assigning IAM roles or diagnostic settings, ensure that **identity-based access** is configured for your **Data Storage Account** (the account that hosts Azure File Shares). 
+Before assigning IAM roles or diagnostic settings, ensure that **identity-based access** is configured for your **Data Storage Account** (the account that hosts Azure File Shares) ### Configure in the Azure Portal -1. Go to your **Storage Account** (with the file shares). -2. Under **Data storage**, select **File shares**. -3. Open **File share settings** and check **Identity-based access**. -4. Ensure it is set to **Configured**. +1. Go to your **Storage Account** (with the file shares) +2. Under **Data storage**, select **File shares** +3. Open **File share settings** and check **Identity-based access** +4. Ensure it is set to **Configured** 5. Choose one of the following supported options: - Active Directory Domain Services (AD DS) - Microsoft Entra Kerberos (for hybrid identities) 
@@ -160,46 +160,46 @@ You must assign Azure IAM roles so that Netwrix Auditor can: ### Step 1: Assign Reader Role on Resource Group -1. In the Azure Portal, go to your **Resource Group**. -2. Open **Access control (IAM)**. -3. Click **+ Add > Add role assignment**. -4. Select role: **Reader**. - - "View everything, but not make any changes." -5. Click **Next**. -6. Under **Members**, click **+ Select members**. -7. In the search window, find and select the **App you registered earlier**. -8. Click **Select → Review + assign**. +1. In the Azure Portal, go to your **Resource Group** +2. Open **Access control (IAM)** +3. Click **+ Add > Add role assignment** +4. Select role: **Reader** + - "View everything, but not make any changes" +5. Click **Next** +6. Under **Members**, click **+ Select members** +7. In the search window, find and select the **App you registered earlier** +8. Click **Select → Review + assign** --- ### Step 2: Assign Storage File Data Privileged Reader on Data Storage Account -1. In the Azure Portal, go to your **Data Storage Account**. -2. Navigate to **Access control (IAM) > + Add role assignment**. -3. Select role: **Storage File Data Privileged Reader**. - - "Allows read access to file shares and directory/file metadata, including NTFS ACLs." -4. Click **Next**. -5. Under **Members**, click **+ Select members**. -6. Search for and select the **App you registered earlier**. -7. Click **Select → Review + assign**. +1. In the Azure Portal, go to your **Data Storage Account** +2. Navigate to **Access control (IAM) > + Add role assignment** +3. Select role: **Storage File Data Privileged Reader** + - "Allows read access to file shares and directory/file metadata, including NTFS ACLs" +4. Click **Next** +5. Under **Members**, click **+ Select members** +6. Search for and select the **App you registered earlier** +7. Click **Select → Review + assign** --- ### Step 3: Assign Storage Blob Data Reader on Log Storage Account -1. 
In the Azure Portal, go to your **Log Storage Account**. -2. Navigate to **Access control (IAM) > + Add role assignment**. -3. Select role: **Storage Blob Data Reader**. - - "Allows read access to Azure Storage blob containers and data." -4. Click **Next**. -5. Under **Members**, click **+ Select members**. -6. Search for and select the **App you registered earlier**. -7. Click **Select → Review + assign**. +1. In the Azure Portal, go to your **Log Storage Account** +2. Navigate to **Access control (IAM) > + Add role assignment** +3. Select role: **Storage Blob Data Reader** + - "Allows read access to Azure Storage blob containers and data" +4. Click **Next** +5. Under **Members**, click **+ Select members** +6. Search for and select the **App you registered earlier** +7. Click **Select → Review + assign** ### Notes & Best Practices -- Data and log storage accounts can be in different resource groups. +- Data and log storage accounts can be in different resource groups - Supported identity sources: AD DS, Microsoft Entra Kerberos - Not supported: Microsoft Entra Domain Services - Supported protocol: SMB 
@@ -216,33 +216,33 @@ You must configure **Diagnostic Settings** to send file activity logs to your ** ### Step 1: Open Diagnostic Settings -1. In the Azure Portal, go to your **Data Storage Account**. -2. Navigate to **Monitoring > Diagnostic settings**. -3. On the **"Select any of the resources to view diagnostic settings"** screen, choose **File**. - - Netwrix Auditor only supports **File** diagnostic settings. -4. Click **+ Add diagnostic setting**. +1. In the Azure Portal, go to your **Data Storage Account** +2. Navigate to **Monitoring > Diagnostic settings** +3. On the **"Select any of the resources to view diagnostic settings"** screen, choose **File** + - Netwrix Auditor only supports **File** diagnostic settings +4. Click **+ Add diagnostic setting** ### Step 2: Configure General Settings -1. Enter a name (e.g., `NetwrixAuditorLogs`). -2. Under **Category groups**, select **Audit**. - - Only the **Audit** category group is supported by Netwrix Auditor. +1. Enter a name (e.g., `NetwrixAuditorLogs`) +2. Under **Category groups**, select **Audit** + - Only the **Audit** category group is supported by Netwrix Auditor ### Step 3: Configure Destination -1. Under **Destination details**, check **Archive to a storage account**. - - This is the **only supported option** for Netwrix Auditor. +1. Under **Destination details**, check **Archive to a storage account** + - This is the **only supported option** for Netwrix Auditor 2. Select your **Log Storage Account**. -3. Confirm the correct **subscription** and **storage account**. +3. Confirm the correct **subscription** and **storage account** -**Note:** Azure requires **two separate storage accounts**: +**Note:** Azure requires **two separate storage accounts:** - One for file shares (data) - One for audit logs ### Step 4: Save the Configuration Click **Save**. -Azure Files audit logs will now be archived into your **Log Storage Account**. 
+Azure Files audit logs will now be archived into your **Log Storage Account** **At the end of this step, you should have:** - A Diagnostic Setting under the File resource type From 732769fd36bb9c568a245d7c047ee0ff1567285d Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Wed, 24 Sep 2025 07:36:43 +0200 Subject: [PATCH 03/15] Auditor azure files update3 --- .../10.8/configuration/azurefiles/overview.md | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 8f1b393515..ab9c5f18dd 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md @@ -42,7 +42,7 @@ You must register an application so Netwrix Auditor can authenticate to Azure an **Understanding Account Types:** - **Accounts in this organizational directory only (Single tenant)** - "All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization." + "All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization" *Recommended for Netwrix Auditor* - **Accounts in any organizational directory (Multitenant)** @@ -80,9 +80,8 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication ## Configure API Permissions -### Required Permissions -**Microsoft Graph API:** +**Microsoft Graph API permissions:** | Permission | Purpose | |------------|---------| @@ -101,7 +100,6 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication - *User.Read* – "Sign in and read user profile." *(default)* - *User.Read.All* – "Read all users' full profiles" ---- ### Step 2: Grant Admin Consent 
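Review bot: In the @@ -42,7 hunk the period removed is inside the verbatim quotation of the Azure portal's account-type description ("...internal to your organization."), so the quote is no longer verbatim; leave quoted UI text untouched. In the @@ -80,9 hunk the `### Required Permissions` heading is dropped and the bold label `**Microsoft Graph API permissions:**` now introduces the table directly, which reads fine, but the removed `---` rules here and in the following hunks are cosmetic and should be called out as such in the commit message.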
@@ -115,7 +113,6 @@ Click **Grant admin consent for TenantName** **At the end of this step, your app has Microsoft Graph API permissions** ---- ## Additional Configuration: Identity-Based Access for Azure Files @@ -143,7 +140,7 @@ Netwrix Auditor relies on identity-based access to correctly map file operations ## Assign IAM Roles to the App -**Storage Account Roles:** +**IAM Roles:** | Role | Scope | Purpose | |------|--------|---------| @@ -156,7 +153,7 @@ You must assign Azure IAM roles so that Netwrix Auditor can: - Read metadata from your data storage account - Access audit logs from your log storage account -**These IAM roles are mandatory.** +**These IAM roles are mandatory** ### Step 1: Assign Reader Role on Resource Group @@ -170,7 +167,6 @@ You must assign Azure IAM roles so that Netwrix Auditor can: 7. In the search window, find and select the **App you registered earlier** 8. Click **Select → Review + assign** ---- ### Step 2: Assign Storage File Data Privileged Reader on Data Storage Account @@ -183,7 +179,6 @@ You must assign Azure IAM roles so that Netwrix Auditor can: 6. Search for and select the **App you registered earlier** 7. Click **Select → Review + assign** ---- ### Step 3: Assign Storage Blob Data Reader on Log Storage Account 
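Review bot: Step 2's heading "Assign Storage File Data Privileged Reader on Data Storage Account" names a role whose name says "Privileged" while the page's stated purpose is only "Read metadata from your data storage account"; the page should say why the privileged data-plane reader is needed and warn that the application's client secret therefore carries read access to share contents, which raises the bar for how that secret is stored and rotated. Renaming "Storage Account Roles" to "IAM Roles" in the @@ -143,7 hunk is right, since the first row of that table is scoped to the Resource Group, not a storage account.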
@@ -204,15 +199,15 @@ You must assign Azure IAM roles so that Netwrix Auditor can: - Not supported: Microsoft Entra Domain Services - Supported protocol: SMB -**At the end of this step, your app should have:** +**At the end of this step, your app should have assigned roles:** - Reader (Resource Group) - Storage File Data Privileged Reader (Data Storage Account) - Storage Blob Data Reader (Log Storage Account) ## Diagnostic Settings -Azure Files does not generate audit events by default. -You must configure **Diagnostic Settings** to send file activity logs to your **Log Storage Account**. +Azure Files does not generate audit events by default +You must configure **Diagnostic Settings** to send file activity logs to your **Log Storage Account** ### Step 1: Open Diagnostic Settings @@ -232,7 +227,7 @@ You must configure **Diagnostic Settings** to send file activity logs to your ** 1. Under **Destination details**, check **Archive to a storage account** - This is the **only supported option** for Netwrix Auditor -2. Select your **Log Storage Account**. +2. Select your **Log Storage Account** 3. Confirm the correct **subscription** and **storage account** **Note:** Azure requires **two separate storage accounts:** From bed0310e7aa101296e354060afa04c6ba66e3394 Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Wed, 24 Sep 2025 07:45:49 +0200 Subject: [PATCH 04/15] Supported version changed --- docs/auditor/10.8/whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/auditor/10.8/whats-new.md b/docs/auditor/10.8/whats-new.md index 12cd4aa68b..e07ef6cd05 100644 --- a/docs/auditor/10.8/whats-new.md +++ b/docs/auditor/10.8/whats-new.md 
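Review bot: In the Diagnostic Settings hunk, removing the period from "Azure Files does not generate audit events by default" leaves that line and the next ("You must configure **Diagnostic Settings**...") separated by a single newline, which Markdown renders as one run-on paragraph ("...by default You must configure..."); restore the period or insert a blank line. In the whats-new.md hunk, "Dell Unity up to 5.5" has to match the value on the supported data sources page touched in PATCH 01/15, otherwise the two pages disagree.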
@@ -55,8 +55,8 @@ Expanded user monitoring with additional Active Directory attributes: ### Storage Platform Updates - **Nutanix Files 5.0**: Full support for the latest Nutanix Files version - **Dell Isilon OneFS 9.8 and 9.9**: Enhanced compatibility with newer OneFS versions -- **Dell Unity up to 5.4**: Extended support for Dell Unity storage systems +- **Dell Unity up to 5.5**: Extended support for Dell Unity storage systems - **Isilon/PowerScale 9.10**: Support for the latest PowerScale platform - **Qumulo Core 7.4.1**: Updated support for Qumulo distributed file systems -These enhancements ensure comprehensive monitoring across your hybrid IT infrastructure while providing the visibility needed to detect threats, maintain compliance, and optimize security operations. \ No newline at end of file +These enhancements ensure comprehensive monitoring across your hybrid IT infrastructure while providing the visibility needed to detect threats, maintain compliance, and optimize security operations. From cccb1a0c155bdf54bcbd05196bca92360bd5de58 Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Wed, 24 Sep 2025 08:05:02 +0200 Subject: [PATCH 05/15] Category Json --- .../auditor/10.8/configuration/azurefiles/_category_.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/auditor/10.8/configuration/azurefiles/_category_.json b/docs/auditor/10.8/configuration/azurefiles/_category_.json index 23eacd1365..c2a78c4563 100644 --- a/docs/auditor/10.8/configuration/azurefiles/_category_.json +++ b/docs/auditor/10.8/configuration/azurefiles/_category_.json @@ -1,4 +1,10 @@ { "label": "Azure Files", "position": 15 -} \ No newline at end of file + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} From 190f384d48d0830cf7c29525a96c9b9408f43cce Mon Sep 17 00:00:00 2001 
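Review bot: The _category_.json hunk produces invalid JSON: `"position": 15` is kept without a trailing comma and `"collapsed": true,` is added directly after it, so the sidebar configuration fails to parse until PATCH 06/15 adds the comma; squash 06 into 05 so no intermediate commit ships a broken file.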
From: AleksNWX Date: Wed, 24 Sep 2025 08:06:48 +0200 Subject: [PATCH 06/15] json azure files --- docs/auditor/10.8/configuration/azurefiles/_category_.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auditor/10.8/configuration/azurefiles/_category_.json b/docs/auditor/10.8/configuration/azurefiles/_category_.json index c2a78c4563..6dfdf735b3 100644 --- a/docs/auditor/10.8/configuration/azurefiles/_category_.json +++ b/docs/auditor/10.8/configuration/azurefiles/_category_.json @@ -1,6 +1,6 @@ { "label": "Azure Files", - "position": 15 + "position": 15, "collapsed": true, "collapsible": true, "link": { From 8718616ff59def6fc66e31b58dc9b77521b092e2 Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Wed, 24 Sep 2025 09:28:08 +0200 Subject: [PATCH 07/15] Azure files Update 4 --- .../10.8/admin/monitoringplans/azurefiles.md | 2 +- .../azurefiles/monitoredobjects.md | 23 ++++++++++++ .../10.8/configuration/azurefiles/overview.md | 37 ++++++++++--------- .../configuration/azurefiles/permissions.md | 30 +++++++++++++++ .../10.8/configuration/azurefiles/ports.md | 2 +- 5 files changed, 74 insertions(+), 20 deletions(-) create mode 100644 docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md create mode 100644 docs/auditor/10.8/configuration/azurefiles/permissions.md diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index c5b671b675..8e901de004 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md @@ -4,7 +4,7 @@ description: "Create and configure Azure Files monitoring plans in Netwrix Audit sidebar_position: 85 --- -# Azure Files Monitoring Plan +# Azure Files Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts. 
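Review bot: PATCH 06/15 is a one-character fix-up for the comma missed in PATCH 05/15 and should be squashed into it. In the azurefiles.md hunk the H1 changes from "Azure Files Monitoring Plan" to "Azure Files" while the frontmatter description still says "Create and configure Azure Files monitoring plans" and the overview page links here with the text "Azure Files Monitoring Plan"; pick one title and use it in all three places.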
diff --git a/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md b/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md new file mode 100644 index 0000000000..2f5947bcdc --- /dev/null +++ b/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md @@ -0,0 +1,23 @@ +--- +title: "Monitored Object Types, Actions, and Attributes" +description: "Examine the list of actions that have been audited and reported by Azure Files data collector in the Netwrix Auditor 10.8" +sidebar_position: 3 +--- + +Examine the list of actions that have been audited and reported by Azure Files data collector in the Netwrix Auditor 10.8 + +| Action | File | Folder | Share | +|--------|------|--------|-------| +| Added | + | + | + | +| Add (failed attempt) | + | + | – | +| Modified | + | + | + | +| Modify (failed attempt) | + | + | – | +| Moved | + | + | – | +| Move (failed attempt) | + | + | – | +| Read | + | – | – | +| Read (failed attempt) | + | + | – | +| Renamed | + | + | – | +| Renamed (failed attempt) | – | – | – | +| Removed | + | + | + | +| Remove (failed attempt) | – | – | – | +| Copied | – | – | – | diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index ab9c5f18dd..10b180db35 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
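Review bot: In the new monitoredobjects.md table the row "Renamed (failed attempt)" breaks the naming used by every other failed-attempt row ("Add", "Modify", "Move", "Read", "Remove" in base form); rename it "Rename (failed attempt)". Three rows ("Renamed (failed attempt)", "Remove (failed attempt)", "Copied") are "–" in every column and the page never says what "–" means, so add a legend line ("–" means not reported) and keep those rows only if the intent is to state explicitly that they are not reported. Confirm the "Read" row as well: folder reads are "–" but "Read (failed attempt)" on a folder is "+", which is plausible (a denied listing) but looks like a typo without a note. The intro sentence repeats the frontmatter description, lacks a period, and "have been audited" reads better as "are audited".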
@@ -6,7 +6,19 @@ sidebar_position: 1 # Azure Files Configuration Overview -Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD application registration, permissions, and diagnostic settings +Netwrix Auditor for Azure Files enables organizations to monitor, audit, and report on activity in **Azure Files shares**. +It provides visibility into who accessed, modified, moved, or deleted files, and whether access attempts were successful or failed. + +#### Key capabilities +- Collects audit logs from Azure Files via diagnostic settings and stores them in the Netwrix Auditor database +- Tracks file and folder operations (add, modify, delete, move, read) including both successful and failed attempts +- Resolves user identities to show who performed each action +- Provides prebuilt reports and search to help identify unauthorized access or suspicious activity +- Supports **Active Directory Domain Services (AD DS)** and **Microsoft Entra Kerberos** for identity-based access auditing + +Netwrix Auditor for Azure Files helps ensure **security, compliance, and accountability** in cloud file storage by giving IT teams clear insight into user activity. + +Configure Azure Files monitoring with Netwrix Auditor by setting up EntraID application registration, permissions, and diagnostic settings ## Prerequisites 
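Review bot: The added block opens a `#### Key capabilities` heading directly under the `# Azure Files Configuration Overview` H1, skipping two heading levels, and its closing sentence writes "EntraID" where the product name is "Microsoft Entra ID" (the removed sentence said "Azure AD application", so the page now mixes three names). Since PATCH 11/15 deletes this whole block again, adding it here only adds review noise; drop this hunk from the series.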
@@ -19,12 +31,12 @@ Configure Azure Files monitoring with Netwrix Auditor by setting up Azure AD app - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) -## Configuration Steps Overview +## Configuration Scope Overview -1. **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application -2. **[Configure API Permissions](#configure-api-permissions)** - Assign required permissions for created application in EntraID -3. **[Assign IAM Roles to the App](#assign-iam-roles-to-the-app)**- Assigning roles to Resource Group, Data Storage Account and Log Storage Account -3. **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging + **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application + **[Configure API Permissions](#configure-api-permissions)** - Assign required permissions for created application in EntraID + **[Assign IAM Roles to the App](#assign-iam-roles-to-the-app)**- Assigning roles to Resource Group, Data Storage Account and Log Storage Account + **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging ## Azure Application Registration @@ -83,11 +95,6 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication **Microsoft Graph API permissions:** -| Permission | Purpose | -|------------|---------| -| `User.Read` | Basic user information | -| `User.Read.All` | Read all users' profiles | - ### Step 1: Add Permissions 
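Review bot: The two Microsoft Learn links in the Prerequisites hunk carry `?utm_source=chatgpt.com`, a tracking parameter that should be stripped (`...storage-account-create?tabs=azure-portal`). In the "Configuration Scope Overview" hunk the four items lose their numbers but get no `-` marker either, so they render as one run-together paragraph (only fixed in PATCH 08/15); the old list also numbered two items "3.". Removing the Graph permissions table leaves the bold label `**Microsoft Graph API permissions:**` dangling with nothing under it before `### Step 1: Add Permissions`; drop the label or replace it with a link to the new permissions page.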
@@ -142,12 +149,6 @@ Netwrix Auditor relies on identity-based access to correctly map file operations **IAM Roles:** -| Role | Scope | Purpose | -|------|--------|---------| -| `Reader` | Resource Group | List storage accounts | -| `Storage File Data Privileged Reader` | Storage Account | Read file share data | -| `Storage Blob Data Reader` | Storage Account | Access audit logs | - You must assign Azure IAM roles so that Netwrix Auditor can: - Discover file shares in your resource group - Read metadata from your data storage account @@ -263,4 +264,4 @@ After completing the Azure Files configuration: 2. **Create Monitoring Plan**: Configure Azure Files monitoring in Netwrix Auditor 3. **Validate Data Collection**: Confirm audit events are being collected -For detailed instructions on creating the monitoring plan, see the [Azure Files Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/azurefiles.md) documentation. +For detailed instructions on creating the monitoring plan, see the [Azure Files Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/azurefiles.md) documentation diff --git a/docs/auditor/10.8/configuration/azurefiles/permissions.md b/docs/auditor/10.8/configuration/azurefiles/permissions.md new file mode 100644 index 0000000000..49ac4016dd --- /dev/null +++ b/docs/auditor/10.8/configuration/azurefiles/permissions.md 
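Review bot: Removing the roles table leaves `**IAM Roles:**` as a dangling label immediately followed by "You must assign Azure IAM roles so that..."; drop the label or make it a link to the new permissions.md page. In the removed table the `Storage Blob Data Reader` row was scoped to "Storage Account", which did not distinguish the Log Storage Account from the Data Storage Account; permissions.md corrects this to "Log Storage Account", so check that no other copy of the old wording remains.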
@@ -0,0 +1,30 @@ +--- +title: "Permissions for Azure Files Auditing" +description: "Permission Requirements for Netwrix Auditor 10.8 in Azure Files" +sidebar_position: 2 +--- +To enable auditing of Azure Files, the registered Microsoft EntraID application must be granted the following **permissions**: + +## [Microsoft Graph API permissions](/docs/auditor/10_8/configuration/azurefiles/overview#configure-api-permissions) +| Permission | Purpose | +|------------|---------| +| `User.Read` | Basic user information | +| `User.Read.All` | Read all users' profiles | + + +**User.Read.All - required to resolve SIDs into usernames in reports + +## [Azure IAM roles](/docs/auditor/10_8/configuration/azurefiles/overview#assign-iam-roles-to-the-app) +| Role | Scope | Purpose | +|------|--------|---------| +| `Reader` | Resource Group | List storage accounts | +| `Storage File Data Privileged Reader` | Storage Account | Read file share data | +| `Storage Blob Data Reader` | Log Storage Account | Access audit logs | + +- **Reader** on the **Resource Group** that contains the Data Storage Account +- **Storage File Data Privileged Reader** on the **Data Storage Account** (file shares) +- **Storage Blob Data Reader** on the **Log Storage Account** (audit logs) + + + +These permissions are required for Netwrix Auditor to collect logs, read file share metadata, and present activity with resolved user identities. diff --git a/docs/auditor/10.8/configuration/azurefiles/ports.md b/docs/auditor/10.8/configuration/azurefiles/ports.md index cc746c4e68..98f91c72e4 100644 --- a/docs/auditor/10.8/configuration/azurefiles/ports.md +++ b/docs/auditor/10.8/configuration/azurefiles/ports.md @@ -1,7 +1,7 @@ --- title: "Azure Files Ports and Network Configuration" description: "Network ports and connectivity requirements for Azure Files monitoring" -sidebar_position: 3 +sidebar_position: 4 --- # Azure Files Ports and Network Configuration 
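Review bot: In permissions.md the line `**User.Read.All - required to resolve SIDs into usernames in reports` opens bold with `**` and never closes it, so the asterisks render literally; close the bold after `User.Read.All`. The two section headings link to `/docs/auditor/10_8/configuration/azurefiles/overview#...` while the rest of this series links to `/docs/auditor/10.8/...`, so one of the two path forms is broken. The table and the bullet list below it repeat the same three assignments; keep the table (it has the purpose column) and reduce the bullets to the one fact the table lacks, that `Reader` goes on the resource group "that contains the Data Storage Account". That raises a question the page should answer: the overview's best-practices note says the data and log accounts "can be in different resource groups", so does the app also need `Reader` on the Log Storage Account's resource group? "Microsoft EntraID" should read "Microsoft Entra ID".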
From dbec747681af8cdcdda7e0a494e698ca16d2c09c Mon Sep 17 00:00:00 2001 From: AleksNWX Date: Wed, 24 Sep 2025 12:36:32 +0200 Subject: [PATCH 08/15] auditor azure files changes --- .../10.8/admin/monitoringplans/azurefiles.md | 27 ++++++++++++------- .../10.8/configuration/azurefiles/overview.md | 16 +++++------ 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index 8e901de004..d912260db5 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md @@ -10,9 +10,10 @@ Create monitoring plans for Azure Files to track file and folder changes across ## Prerequisites +- **[Azure Application registered](/docs/auditor/10.8/configuration/azurefiles/overview.md#azure-application-registration)** with required **[permissions](/docs/auditor/10.8/configuration/azurefiles/overview.md#configure-api-permissions)** +- **[Diagnostic Settings configured](/docs/auditor/10.8/configuration/azurefiles/overview.md#diagnostic-settings)** for storage accounts - **[Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md)** completed -- **[Azure Application registered](/docs/auditor/10.8/configuration/azurefiles/overview.md#azure-application-registration)** with required [permissions](/docs/auditor/10.8/configuration/azurefiles/overview.md#configure-api-permissions) -- [Diagnostic Settings configured](/docs/auditor/10.8/configuration/azurefiles/overview.md#diagnostic-settings) for storage accounts + ## Create Monitoring Plan 
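Review bot: In the Prerequisites hunk the reorder places "Azure Files Configuration completed" after the two items that are sections of that same configuration page, so the list now reads backwards; either nest the two section links under the configuration item or drop the parent item. The hunk also leaves two blank lines before `## Create Monitoring Plan`.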
@@ -21,10 +22,10 @@ Create monitoring plans for Azure Files to track file and folder changes across 1. In the **Netwrix Auditor**, go to **Home > Monitoring Plans > + Add Plan**. 2. Select **Azure Files**. 3. Configure: - - [Audit database (SQL)](/docs/auditor/10_8/admin/settings/auditdatabase) - - [Notifications (SMTP or Exchange Online)](/docs/auditor/10_8/admin/settings/notifications) - - Plan name and description - - Select **Add item now** + - [Audit database (SQL)](/docs/auditor/10_8/admin/settings/auditdatabase) + - [Notifications (SMTP or Exchange Online)](/docs/auditor/10_8/admin/settings/notifications) + - Plan name and description + - Select **Add item now** ### Step 2: Add Azure Files Data Source @@ -32,7 +33,7 @@ Create monitoring plans for Azure Files to track file and folder changes across 1. Click **Add Data Source** 2. Select **Azure Files** 3. Select Item for Monitoring: -- Option A – Storage Account → Enter **Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret** +- Option A – Storage Account → Enter **Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret** - Option B – Subscription → Enter **Subscription Name, Subscription ID, Tenant Name, Application ID, Application Secret** **Tip:** If you have multiple storage accounts, use the subscription option for easier management. 
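Review bot: Both hunks are whitespace-only: the Step 1 sub-items change indentation, and the "Option A" line shows no visible difference, so it differs only in trailing or non-breaking whitespace. The indentation change is useful (sub-items under a numbered list need consistent indentation to nest), but the "Option A" edit should be checked for a stray non-breaking space, and the commit message should say the change is formatting-only. Separately, "Option A" and "Option B" sit at column 0 under "3. Select Item for Monitoring:", so they terminate the numbered list instead of nesting under it; indent them like the Step 1 sub-items.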
@@ -51,8 +52,14 @@ Configure storage account settings (requires separate accounts): 2. Enable **Monitor this data source and collect activity data**. 3. Select actions: + - **Changes (Success/Fail)** → Track file creation, modification, deletion, and failed attempts. + - **Successful** - Use this option to track changes to your data. It helps to find out who made changes to your files, including their creation and deletion. + - **Failed** - Use this option to detect suspicious activity on Azure Files. It helps to identify potential intruders who tried to modify or delete files, etc., but failed to do it. + - **Read Access (Success/Fail)** → Track file reads and unauthorized read attempts. + - **Successful** - Show successful attempts to read files. + - **Failed** - Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification.Enabling this option on public shares will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive. **Note:** Enabling read access auditing on public shares may generate high event volume. **Tip:** Only enable read auditing where compliance requires it (e.g., HR, Finance). @@ -60,9 +67,9 @@ Configure storage account settings (requires separate accounts): 4. Add exclusions → e.g., service accounts that produce excessive logs. - **Monitored object types** - Select from: - - Files - - Folders - - Shares + - Files + - Folders + - Shares - **Monitored actions** - Configure which file operations to track ### Step 5: Test Connection diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 10b180db35..9a17e4e455 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
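Review bot: In the Step 4 hunk the "Failed" bullet under "Read Access" reads "justification.Enabling" with no space after the period, and its last sentence repeats the warning that the existing "**Note:** Enabling read access auditing on public shares may generate high event volume" gives two lines later; fix the space and keep the warning in one place. Item 4, "Add exclusions → e.g., service accounts that produce excessive logs", needs a caveat: an identity excluded from auditing is a blind spot for anyone who obtains that account, so recommend excluding specific noisy paths or operations rather than whole accounts, and documenting each exclusion.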
@@ -33,14 +33,14 @@ Configure Azure Files monitoring with Netwrix Auditor by setting up EntraID appl ## Configuration Scope Overview - **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application - **[Configure API Permissions](#configure-api-permissions)** - Assign required permissions for created application in EntraID - **[Assign IAM Roles to the App](#assign-iam-roles-to-the-app)**- Assigning roles to Resource Group, Data Storage Account and Log Storage Account - **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging +- **[Azure Application Registration](#azure-application-registration)** - Create Azure AD application +- **[Configure API Permissions](#configure-api-permissions)** - Assign required permissions for created application in EntraID +- **[Assign IAM Roles to the App](#assign-iam-roles-to-the-app)**- Assigning roles to Resource Group, Data Storage Account and Log Storage Account +- **[Diagnostic Settings](#diagnostic-settings)** - Configure audit logging ## Azure Application Registration -You must register an application so Netwrix Auditor can authenticate to Azure and read audit logs +You should register an application so Netwrix Auditor can authenticate to Azure and read audit logs ### Step 1: Create the App Registration @@ -118,7 +118,7 @@ Click **Grant admin consent for TenantName** - This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names** - Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful -**At the end of this step, your app has Microsoft Graph API permissions** +**At the end of this step, your app has granted Microsoft Graph API permissions** ## Additional Configuration: Identity-Based Access for Azure Files 
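Review bot: "You must register an application" is weakened to "You should register", but the page cannot work without the registration (every later step uses the App ID and client secret), so keep "must". The sentence "At the end of this step, your app has granted Microsoft Graph API permissions" inverts who grants: the administrator grants consent to the app; write "your app has been granted the Microsoft Graph API permissions (admin consent given)".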
@@ -143,13 +143,13 @@ Netwrix Auditor relies on identity-based access to correctly map file operations - Audit logs may not contain accurate user information - Activity may be shown as system or anonymous accounts -**At the end of this step, your Data Storage Account must have identity-based access configured with either AD DS or Microsoft Entra Kerberos.** +**At the end of this step, your Data Storage Account mustshould have identity-based access configured with either AD DS or Microsoft Entra Kerberos.** ## Assign IAM Roles to the App **IAM Roles:** -You must assign Azure IAM roles so that Netwrix Auditor can: +You mshould assign Azure IAM roles so that Netwrix Auditor can: - Discover file shares in your resource group - Read metadata from your data storage account - Access audit logs from your log storage account From bf5d1fcfed6172bc1738a35ce6235f11f3e5b31b Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Wed, 24 Sep 2025 13:52:48 +0200 Subject: [PATCH 09/15] Minor changes azure files --- .../10.8/admin/monitoringplans/azurefiles.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index d912260db5..8254c44b6d 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md @@ -6,7 +6,7 @@ sidebar_position: 85 # Azure Files -Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts. +Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts ## Prerequisites 
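Review bot: Two merged words are introduced: "mustshould" in "your Data Storage Account mustshould have identity-based access configured" and "mshould" in "You mshould assign Azure IAM roles". Beyond the typos, the intended softening to "should" contradicts the page itself, which says "These IAM roles are mandatory" a few lines later; keep "must" in both places.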
@@ -19,8 +19,8 @@ Create monitoring plans for Azure Files to track file and folder changes across ### Step 1: Create New Monitoring Plan -1. In the **Netwrix Auditor**, go to **Home > Monitoring Plans > + Add Plan**. -2. Select **Azure Files**. +1. In the **Netwrix Auditor**, go to **Home > Monitoring Plans > + Add Plan** +2. Select **Azure Files** 3. Configure: - [Audit database (SQL)](/docs/auditor/10_8/admin/settings/auditdatabase) - [Notifications (SMTP or Exchange Online)](/docs/auditor/10_8/admin/settings/notifications) @@ -36,7 +36,7 @@ Create monitoring plans for Azure Files to track file and folder changes across - Option A – Storage Account → Enter **Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret** - Option B – Subscription → Enter **Subscription Name, Subscription ID, Tenant Name, Application ID, Application Secret** -**Tip:** If you have multiple storage accounts, use the subscription option for easier management. +**Tip:** If you have multiple storage accounts, use the subscription option for easier management ### Step 3: Configure Storage Accounts 
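Review bot: The links under Step 1 item 3 use `/docs/auditor/10_8/admin/settings/...` while the prerequisites at the top of the same file use `/docs/auditor/10.8/...`; one path form is wrong. "In the **Netwrix Auditor**" should drop the article ("In Netwrix Auditor").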
@@ -48,23 +48,23 @@ Configure storage account settings (requires separate accounts): ### Step 4: Configure Monitoring Scope and Actions -1. In the **Netwrix Auditor**, double-click your **Azure Files plan**. -2. Enable **Monitor this data source and collect activity data**. +1. In the **Netwrix Auditor**, double-click your **Azure Files plan** +2. Enable **Monitor this data source and collect activity data** 3. Select actions: - - **Changes (Success/Fail)** → Track file creation, modification, deletion, and failed attempts. - - **Successful** - Use this option to track changes to your data. It helps to find out who made changes to your files, including their creation and deletion. - - **Failed** - Use this option to detect suspicious activity on Azure Files. It helps to identify potential intruders who tried to modify or delete files, etc., but failed to do it. + - **Changes (Success/Fail)** → Track file creation, modification, deletion, and failed attempts + - **Successful** - Use this option to track changes to your data. It helps to find out who made changes to your files, including their creation and deletion + - **Failed** - Use this option to detect suspicious activity on Azure Files. It helps to identify potential intruders who tried to modify or delete files, etc., but failed to do it - - **Read Access (Success/Fail)** → Track file reads and unauthorized read attempts. - - **Successful** - Show successful attempts to read files. - - **Failed** - Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification.Enabling this option on public shares will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive. + - **Read Access (Success/Fail)** → Track file reads and unauthorized read attempts + - **Successful** - Show successful attempts to read files + - **Failed** - Use this option to track suspicious activity. 
Helps find out who was trying to access your private data without proper justification.Enabling this option on public shares will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive -**Note:** Enabling read access auditing on public shares may generate high event volume. -**Tip:** Only enable read auditing where compliance requires it (e.g., HR, Finance). +**Note:** Enabling read access auditing on public shares may generate high event volume +**Tip:** Only enable read auditing where compliance requires it (e.g., HR, Finance) -4. Add exclusions → e.g., service accounts that produce excessive logs. +4. Add exclusions → e.g., service accounts that produce excessive logs - **Monitored object types** - Select from: - Files @@ -86,4 +86,4 @@ After creating the monitoring plan: 2. **[Configure reports](/docs/auditor/10_8/admin/reports/overview)** as needed 3. **[Set up alerts](/docs/auditor/10_8/admin/alertsettings/create/)** for important events -For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md). +For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md) From 907c3c767867ffc628d0788e7587dba437c70357 Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Fri, 26 Sep 2025 08:29:28 +0200 Subject: [PATCH 10/15] added example --- docs/auditor/10.8/configuration/azurefiles/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 9a17e4e455..6deb49490d 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
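Review bot: After this hunk the "Failed" bullet under "Read Access" still reads "justification.Enabling" with no space after the period, and stripping the final period from multi-sentence bullets ("Use this option to track suspicious activity. Helps find out ... the Long-Term Archive") leaves them with a period after the first sentence and none after the last; either keep terminal periods on multi-sentence bullets or split them, and fix the missing space either way. The @@ -86,4 hunk again mixes `/docs/auditor/10_8/...` and `/docs/auditor/10.8/...` in the same file.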
@@ -46,7 +46,7 @@ You should register an application so Netwrix Auditor can authenticate to Azure 1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration** 2. Enter: - - **Name**: `NetwrixAuditor-AzureFiles` + - **Name**: Name: `NetwrixAuditor-AzureFiles` (this is an example — you can use any descriptive name for the app) - **Supported account types** (see below) - Leave **Redirect URI** blank 3. Click **Register** From 349020cbe496b842822d120ccb354b3d94e47cb6 Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Fri, 26 Sep 2025 09:18:55 +0200 Subject: [PATCH 11/15] Removed overview desription for collector and changed about indetity access --- .../10.8/configuration/azurefiles/overview.md | 68 +++++-------------- 1 file changed, 16 insertions(+), 52 deletions(-) diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 6deb49490d..bc45b7311b 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
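Review bot: The "Name" bullet now reads "- **Name**: Name: `NetwrixAuditor-AzureFiles`", so "Name:" appears twice; drop the second one. The parenthetical saying the name is only an example is a good addition.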
@@ -6,19 +6,6 @@ sidebar_position: 1 # Azure Files Configuration Overview -Netwrix Auditor for Azure Files enables organizations to monitor, audit, and report on activity in **Azure Files shares**. -It provides visibility into who accessed, modified, moved, or deleted files, and whether access attempts were successful or failed. - -#### Key capabilities -- Collects audit logs from Azure Files via diagnostic settings and stores them in the Netwrix Auditor database -- Tracks file and folder operations (add, modify, delete, move, read) including both successful and failed attempts -- Resolves user identities to show who performed each action -- Provides prebuilt reports and search to help identify unauthorized access or suspicious activity -- Supports **Active Directory Domain Services (AD DS)** and **Microsoft Entra Kerberos** for identity-based access auditing - -Netwrix Auditor for Azure Files helps ensure **security, compliance, and accountability** in cloud file storage by giving IT teams clear insight into user activity. - -Configure Azure Files monitoring with Netwrix Auditor by setting up EntraID application registration, permissions, and diagnostic settings ## Prerequisites 
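Review bot: Deleting the whole capability block also deletes the only sentence saying what this page configures ("...by setting up EntraID application registration, permissions, and diagnostic settings"), so the H1 is now followed by two blank lines and `## Prerequisites` with no lead-in; keep one introductory sentence (with "Microsoft Entra ID" spelled out) and remove the extra blank line.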
@@ -27,9 +14,20 @@ Configure Azure Files monitoring with Netwrix Auditor by setting up EntraID appl - **Admin** permissions in Microsoft Entra ID and Azure Storage - **Two separate storage accounts:** - - One for file shares (data) — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) + - One for file shares (data) — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) - - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) + - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) + +- [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) is configured for data storage account in Azure Files + + Supported options: + - Active Directory Domain Services (AD DS) + - Microsoft Entra Kerberos (for hybrid identities) + - Microsoft Entra Domain Services (Entra DS) — not supported + + **Netwrix Auditor** relies on **identity-based access** to correctly map file operations to real user accounts. Without it: + - Audit logs may not contain accurate user information + - Activity may be shown as system or anonymous accounts ## Configuration Scope Overview 
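Review bot: Under "Supported options:" the third bullet is "Microsoft Entra Domain Services (Entra DS) — not supported", an unsupported option listed as supported; move it to its own "Not supported:" line, as the IAM best-practices note already does. The two Microsoft Learn links still carry `?utm_source=chatgpt.com`; strip it. The bullets under "Two separate storage accounts" change indentation only, which hides what this hunk actually adds.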
@@ -51,20 +49,11 @@ You should register an application so Netwrix Auditor can authenticate to Azure - Leave **Redirect URI** blank 3. Click **Register** -**Understanding Account Types:** - -- **Accounts in this organizational directory only (Single tenant)** - "All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization" - *Recommended for Netwrix Auditor* - -- **Accounts in any organizational directory (Multitenant)** - "All users with a work or school account from Microsoft can use your application or API (Office 365)" +**Account Types references:** -- **Accounts in any organizational directory and personal Microsoft accounts (Multitenant + MSA)** - "All users with work, school, or personal accounts (Xbox, Skype, Outlook.com)" +- **[Supported account types – Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/v2-supported-account-types)** -- **Personal Microsoft accounts only** - "Only consumer Microsoft accounts can use the app" +- **[Identity and account types for single- and multitenant apps](https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types)** **Note:** Switching audiences later may cause errors 
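Review bot: replacing the four account-type descriptions with two external links drops the only guidance on which option to choose (the removed "*Recommended for Netwrix Auditor*" marker on the single-tenant entry), while the hunk keeps "**Note:** Switching audiences later may cause errors". Add one sentence before the references stating that "Accounts in this organizational directory only (Single tenant)" is the expected choice for Netwrix Auditor, and keep the links as further reading. Minor: "**Account Types references:**" should be "**Account type references:**".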
@@ -121,30 +110,6 @@ Click **Grant admin consent for TenantName** **At the end of this step, your app has granted Microsoft Graph API permissions** -## Additional Configuration: Identity-Based Access for Azure Files - -Before assigning IAM roles or diagnostic settings, ensure that **identity-based access** is configured for your **Data Storage Account** (the account that hosts Azure File Shares) - -### Configure in the Azure Portal - -1. Go to your **Storage Account** (with the file shares) -2. Under **Data storage**, select **File shares** -3. Open **File share settings** and check **Identity-based access** -4. Ensure it is set to **Configured** -5. Choose one of the following supported options: - - Active Directory Domain Services (AD DS) - - Microsoft Entra Kerberos (for hybrid identities) - - Microsoft Entra Domain Services (Entra DS) — not supported - -Reference: [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) - -**Why this matters:** -Netwrix Auditor relies on identity-based access to correctly map file operations to real user accounts. Without it: -- Audit logs may not contain accurate user information -- Activity may be shown as system or anonymous accounts - -**At the end of this step, your Data Storage Account mustshould have identity-based access configured with either AD DS or Microsoft Entra Kerberos.** - ## Assign IAM Roles to the App **IAM Roles:** 
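Review bot: removing the "Additional Configuration: Identity-Based Access for Azure Files" section also removes the only concrete verification step (Storage Account > File shares > File share settings > Identity-based access set to "Configured"); the prerequisite entry that replaces it only links to Microsoft Learn. Keep that one-line portal check in the Prerequisites so the reader can confirm the state before assigning IAM roles. The "Why this matters" text (inaccurate user information, activity shown as system or anonymous accounts) is now duplicated in Prerequisites, so make sure only one copy remains. The removal does incidentally fix the "mustshould" typo in the old closing sentence.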
@@ -251,7 +216,6 @@ Azure Files audit logs will now be archived into your **Log Storage Account** - [Azure Application registered](#azure-application-registration) with App ID + Secret - [API permissions](#configure-api-permissions) (User.Read, User.Read.All) granted -- [Identity-based access configured](#additional-configuration-identity-based-access-for-azure-files) for Data Storage Account (AD DS or Entra Kerberos) - [IAM roles assigned](#assign-iam-roles-to-the-app) (Reader, Storage File Data Privileged Reader, Storage Blob Data Reader) - [Diagnostic Settings configured](#diagnostic-settings) to log to a Log Storage Account From edded5d937d074d13c0663b7e732170456b1e573 Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Fri, 26 Sep 2025 09:29:33 +0200 Subject: [PATCH 12/15] Moved permissions tables to overview and deleted file - permissions --- .../azurefiles/monitoredobjects.md | 2 +- .../10.8/configuration/azurefiles/overview.md | 13 ++++++++ .../configuration/azurefiles/permissions.md | 30 ------------------- .../10.8/configuration/azurefiles/ports.md | 2 +- 4 files changed, 15 insertions(+), 32 deletions(-) delete mode 100644 docs/auditor/10.8/configuration/azurefiles/permissions.md diff --git a/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md b/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md index 2f5947bcdc..a448d58472 100644 --- a/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md +++ b/docs/auditor/10.8/configuration/azurefiles/monitoredobjects.md @@ -1,7 +1,7 @@ --- title: "Monitored Object Types, Actions, and Attributes" description: "Examine the list of actions that have been audited and reported by Azure Files data collector in the Netwrix Auditor 10.8" -sidebar_position: 3 +sidebar_position: 2 --- Examine the list of actions that have been audited and reported by Azure Files data collector in the Netwrix Auditor 10.8 
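Review bot: the checklist hunk (@@ -251,7 +216,6 @@) deletes the "Identity-based access configured" item instead of repointing it, so the final checklist no longer mentions a requirement the Prerequisites section still presents as necessary for correct user attribution. Keep the item and link it to the Prerequisites anchor instead of the removed section, e.g. `- [Identity-based access configured](#prerequisites) for Data Storage Account (AD DS or Entra Kerberos)`. The sidebar_position change 3 to 2 in monitoredobjects.md is consistent with deleting permissions.md, which occupied position 2.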
diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index bc45b7311b..62fbda9aaf 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md @@ -87,6 +87,12 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication ### Step 1: Add Permissions +| Permission | Purpose | +|------------|---------| +| `User.Read` | Basic user information. Sign in and read user profile. *(default)* | +| `User.Read.All` | Read all users' profiles. Required to resolve SIDs into usernames in reports | + + 1. In your app in EntraID, go to **Manage > API permissions > + Add a permission**. 2. Select **Microsoft Graph > Application permissions** 3. Add: @@ -112,6 +118,13 @@ Click **Grant admin consent for TenantName** ## Assign IAM Roles to the App +| Role | Scope | Purpose | +|------|--------|---------| +| `Reader` | Resource Group | List storage accounts | +| `Storage File Data Privileged Reader` | Storage Account | Read file shares data | +| `Storage Blob Data Reader` | Log Storage Account | Access audit logs | + + **IAM Roles:** You mshould assign Azure IAM roles so that Netwrix Auditor can: diff --git a/docs/auditor/10.8/configuration/azurefiles/permissions.md b/docs/auditor/10.8/configuration/azurefiles/permissions.md deleted file mode 100644 index 49ac4016dd..0000000000 --- a/docs/auditor/10.8/configuration/azurefiles/permissions.md +++ /dev/null 
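Review bot: in the first overview.md hunk the permissions table marks `User.Read` as "*(default)*" and is placed directly above step 2, "Select **Microsoft Graph > Application permissions**"; `User.Read` is the delegated permission Entra adds at registration, not an application permission, so either label it as the pre-existing delegated default or keep only `User.Read.All` in the table, which is the permission the step actually adds. In the second hunk the IAM table is inserted between the "## Assign IAM Roles to the App" heading and the "**IAM Roles:**" label with two blank lines after it, and the unchanged context line "You mshould assign Azure IAM roles" still carries the "mshould" typo; fix it in this change since the block is being edited anyway. The table's Scope column also loses the detail the deleted permissions.md bullets had (Reader on the resource group that contains the Data Storage Account, Storage File Data Privileged Reader on the Data Storage Account); add it so the reader does not assign Reader on the wrong resource group.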
@@ -1,30 +0,0 @@ ---- -title: "Permissions for Azure Files Auditing" -description: "Permission Requirements for Netwrix Auditor 10.8 in Azure Files" -sidebar_position: 2 ---- -To enable auditing of Azure Files, the registered Microsoft EntraID application must be granted the following **permissions**: - -## [Microsoft Graph API permissions](/docs/auditor/10_8/configuration/azurefiles/overview#configure-api-permissions) -| Permission | Purpose | -|------------|---------| -| `User.Read` | Basic user information | -| `User.Read.All` | Read all users' profiles | - - -**User.Read.All - required to resolve SIDs into usernames in reports - -## [Azure IAM roles](/docs/auditor/10_8/configuration/azurefiles/overview#assign-iam-roles-to-the-app) -| Role | Scope | Purpose | -|------|--------|---------| -| `Reader` | Resource Group | List storage accounts | -| `Storage File Data Privileged Reader` | Storage Account | Read file share data | -| `Storage Blob Data Reader` | Log Storage Account | Access audit logs | - -- **Reader** on the **Resource Group** that contains the Data Storage Account -- **Storage File Data Privileged Reader** on the **Data Storage Account** (file shares) -- **Storage Blob Data Reader** on the **Log Storage Account** (audit logs) - - - -These permissions are required for Netwrix Auditor to collect logs, read file share metadata, and present activity with resolved user identities. diff --git a/docs/auditor/10.8/configuration/azurefiles/ports.md b/docs/auditor/10.8/configuration/azurefiles/ports.md index 98f91c72e4..cc746c4e68 100644 --- a/docs/auditor/10.8/configuration/azurefiles/ports.md +++ b/docs/auditor/10.8/configuration/azurefiles/ports.md @@ -1,7 +1,7 @@ --- title: "Azure Files Ports and Network Configuration" description: "Network ports and connectivity requirements for Azure Files monitoring" -sidebar_position: 4 +sidebar_position: 3 --- # Azure Files Ports and Network Configuration 
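Review bot: deleting permissions.md removes a page that may be linked by path elsewhere in the docs tree or sidebar (`/docs/auditor/10_8/configuration/azurefiles/permissions`); the deleted file itself linked to `overview#configure-api-permissions` and `overview#assign-iam-roles-to-the-app`, so grep for any remaining reference to the `permissions` slug and add a redirect to those overview anchors if the site supports it. The ports.md hunk (sidebar_position 4 to 3) is fine and closes the gap left by the deletion.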
From 66441dc0b7b06d90f3fdb41adefe5b06c0130830 Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Fri, 26 Sep 2025 09:41:54 +0200 Subject: [PATCH 13/15] Corrected auditor configuration desription --- .../10.8/admin/monitoringplans/azurefiles.md | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index 8254c44b6d..897fb46465 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md @@ -28,25 +28,15 @@ Create monitoring plans for Azure Files to track file and folder changes across - Select **Add item now** -### Step 2: Add Azure Files Data Source +### Step 2: Add Item for Monitoring -1. Click **Add Data Source** -2. Select **Azure Files** -3. Select Item for Monitoring: - Option A – Storage Account → Enter **Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret** - Option B – Subscription → Enter **Subscription Name, Subscription ID, Tenant Name, Application ID, Application Secret** **Tip:** If you have multiple storage accounts, use the subscription option for easier management -### Step 3: Configure Storage Accounts - -Configure storage account settings (requires separate accounts): -- **File Share Storage Account** - Contains the file shares to monitor -- **Audit Log Storage Account** - Stores diagnostic logs (must be separate account) -- **Resource Group** - Resource group containing the storage accounts - -### Step 4: Configure Monitoring Scope and Actions +### Step 3: Configure Monitoring Scope and Actions 1. In the **Netwrix Auditor**, double-click your **Azure Files plan** 2. Enable **Monitor this data source and collect activity data** 
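Review bot: after this hunk the "### Step 2: Add Item for Monitoring" heading is followed directly by the "- Option A / Option B" bullets, because the lead-in line "3. Select Item for Monitoring:" was removed with the numbered list; add a sentence such as "Select the item to monitor:" above the bullets so they do not hang off the heading. Removing "Step 3: Configure Storage Accounts" also drops the statement that the audit log storage account "must be separate account"; that requirement still exists in the configuration overview prerequisites (two separate storage accounts), so link to it from this page's Prerequisites rather than losing it here.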
@@ -62,6 +52,7 @@ Configure storage account settings (requires separate accounts): - **Failed** - Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification.Enabling this option on public shares will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive **Note:** Enabling read access auditing on public shares may generate high event volume + **Tip:** Only enable read auditing where compliance requires it (e.g., HR, Finance) 4. Add exclusions → e.g., service accounts that produce excessive logs From c16c37dcd7eee080f27fd0c9e8798fbe61e5abb5 Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Fri, 26 Sep 2025 09:42:50 +0200 Subject: [PATCH 14/15] Changed title --- docs/auditor/10.8/admin/monitoringplans/azurefiles.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md index 897fb46465..09567f634f 100644 --- a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md +++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md @@ -1,5 +1,5 @@ --- -title: "Azure Files Monitoring Plan" +title: "Azure Files" description: "Create and configure Azure Files monitoring plans in Netwrix Auditor v10.8" sidebar_position: 85 --- From 6aaa445c8fd221a7ce6d28e578d74353c2003e0a Mon Sep 17 00:00:00 2001 From: "aleksander.tyrnov" Date: Fri, 26 Sep 2025 12:03:00 +0200 Subject: [PATCH 15/15] Added sql azure add on documentation --- .../10.8/addon/azuresql/_category_.json | 10 + .../auditor/10.8/addon/azuresql/deployment.md | 374 ++++++++++++++++++ docs/auditor/10.8/addon/azuresql/overview.md | 65 +++ 3 files changed, 449 insertions(+) create mode 100644 docs/auditor/10.8/addon/azuresql/_category_.json create mode 100644 docs/auditor/10.8/addon/azuresql/deployment.md create mode 100644 docs/auditor/10.8/addon/azuresql/overview.md 
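Review bot: the added "**Tip:**" line sits directly under a "**Note:**" that already says read auditing on public shares generates high event volume; merge the two into one note with the scoping advice. While in this block, the unchanged context line above has "justification.Enabling" missing a space, and the clause "will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive" is missing a verb ("and increase the amount of data written to the Long-Term Archive"). The PATCH 14 title change to "Azure Files" is fine; the description still identifies the page as the monitoring plan.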
diff --git a/docs/auditor/10.8/addon/azuresql/_category_.json b/docs/auditor/10.8/addon/azuresql/_category_.json new file mode 100644 index 0000000000..0814b4ceb8 --- /dev/null +++ b/docs/auditor/10.8/addon/azuresql/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Azure SQL Managed Instance Audit", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/auditor/10.8/addon/azuresql/deployment.md b/docs/auditor/10.8/addon/azuresql/deployment.md new file mode 100644 index 0000000000..94414b2562 --- /dev/null +++ b/docs/auditor/10.8/addon/azuresql/deployment.md 
@@ -0,0 +1,374 @@ +--- +title: "Deployment" +description: "Deployment" +sidebar_position: 10 +--- + +## Azure Application Registration + +To integrate with Microsoft Entra ID, you need to create a separate application registration in the Azure portal + +### Step 1: Create the App Registration + +1. In the Azure Portal, go to **Microsoft Entra ID > Manage > App registrations > + New registration** +2. Enter: + - **Name**: Name: `NetwrixAuditor-AzureFiles` (this is an example — you can use any descriptive name for the app) + - **Supported account types** Accounts in this organizational directory only + - Leave **Redirect URI** blank +3. Click **Register** + +**Account Types references:** + +- **[Supported account types – Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/v2-supported-account-types)** + +- **[Identity and account types for single- and multitenant apps](https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types)** + + + +### Step 2: Gather App Details + +After registration, go to the **Overview** page of your new app and copy: +- **Application (Client) ID** + + +### Step 3: Create a Client Secret + +1. In the same app, go to **Manage > Certificates & secrets > Client secrets** +2. Click **+ New client secret** +3. Enter a description (e.g., `NetwrixSecret`) and select expiration +4. Click **Add** +5. Copy the **secret value** immediately — it won't be shown again + +Netwrix Auditor uses the **App ID** + **Client Secret** for authentication + +**At the end of this step, you should have:** +- Application (Client) ID +- Client Secret (Secret Value) + + +## Configure API Permissions + + +**Microsoft Graph API permissions:** + + +### Step 1: Add API Permissions (Optional) + +1. In your app in EntraID, go to **Manage > API permissions > + Add a permission** +2. Select **Microsoft Graph > Application permissions** +3. 
Add appropriate Microsoft APIs based on your requirements + +### Step 2: Grant Admin Consent + +Click **Grant admin consent for TenantName** + +**Why this is required:** +- By default, applications cannot query Microsoft Graph for directory-wide information +- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful + +**At the end of this step, your app has granted Microsoft Graph API permissions** + + +## Configure Azure Storage Account for Log Storage + +Azure SQL Managed Instance requires an Azure Storage Account with Blob container for audit log storage + +### Step 1: Create a Resource Group (if needed) + +1. In Azure Portal, search for Resource groups +2. Click + Create +3. Configure: + - **Subscription**: Your Azure subscription + - **Resource group name**: rg-netwrix-sqlmi (or your naming convention) + - **Region**: Same region as your SQL Managed Instance +4. Click **Review** + **Create**, then **Create** + +### Step 2: Create a Storage Account + +1. Search for **Storage accounts** and click **+ Create** + +2. On the **Basics** tab: + - **Subscription**: Your subscription + - **Resource group**: Select the created resource group + - **Storage account name**: Must be globally unique (e.g., `stnetwrixsqlmi001`) + - **Region**: Same as SQL Managed Instance for optimal performance + - **Performance**: Standard (sufficient for audit logs) + - **Redundancy**: Locally-redundant storage (LRS) or higher based on requirements + +3. On the **Advanced** tab (optional): + - **Secure transfer required**: Enabled + - **Minimum TLS version**: Version 1.2 + +4. Click **Review + Create**, then **Create** + +### Step 3: Create a Blob Container + +1. Navigate to the deployed **Storage Account** +2. In the left menu, select **Containers** (under *Data storage*) +3. Click **+ Container** +4. 
Configure: + - **Name**: `audit-logs` (consistent naming) + - **Public access level**: Private (no anonymous access) +5. Click **Create** + +### Step 4: Enable System-Assigned Managed Identity for SQL MI + +1. Navigate to your **SQL Managed Instance** +2. Go to **Identity** under *Settings* +3. On the **System-assigned** tab: + - Set **Status** to **On** + - Click **Save** +4. Note the **Object ID** for the managed identity + +### Step 5: Assign Storage Permissions + +Assign the **Storage Blob Data Owner** role to the SQL Managed Instance: + +1. In the **Storage Account**, go to **Access Control (IAM)** +2. Click **+ Add > Add role assignment** +3. On the **Role** tab: + - Search and select **Storage Blob Data Owner** +4. Click **Next** to go to the **Members** tab +5. Select **Assign access to**: *Managed Identity* +6. Click **+ Select members** +7. Choose **SQL Server** and select your **SQL Managed Instance** +8. Click **Select**, then **Review + assign** + + +## Configure Authentication in Azure SQL Managed Instance + +Create a login for the Entra ID application to access audit configuration + +### Step 1: Connect to SQL Managed Instance + +Use SQL Server Management Studio (SSMS) or Azure Data Studio with an account that has: + +- **Azure AD admin** privileges on the SQL MI +- **sysadmin** server role or equivalent permissions + + + +### Step 2: Create Login from External Provider + +Execute the following T-SQL commands: + +```sql +-- Create login using the exact Display Name from Entra ID +CREATE LOGIN [NetwrixSQLMIIntegration] FROM EXTERNAL PROVIDER; + +-- Grant basic connection permission +GRANT CONNECT SQL TO [NetwrixSQLMIIntegration]; + +-- Grant permissions for audit configuration and monitoring +GRANT ALTER ANY SERVER AUDIT TO [NetwrixSQLMIIntegration]; +GRANT VIEW ANY DATABASE TO [NetwrixSQLMIIntegration]; +GRANT VIEW SERVER STATE TO [NetwrixSQLMIIntegration]; +GRANT VIEW SERVER SECURITY AUDIT TO [NetwrixSQLMIIntegration] + +``` + +**Note**: Replace 
NetwrixSQLMIIntegration with your actual Azure AD application name +The name must match exactly as shown in Entra ID + +## Configure Server-Level Audit + +Set up comprehensive server-level auditing for login events and security changes + +### Step 1: Create Storage Credential + +```sql +USE master; +GO + +-- Create credential for Azure Blob Storage using Managed Identity +IF NOT EXISTS (SELECT * FROM sys.credentials + WHERE name = 'https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs') +BEGIN + CREATE CREDENTIAL [https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs] + WITH IDENTITY = 'Managed Identity'; + PRINT 'Created Managed Identity credential for audit-logs container'; +END +ELSE +BEGIN + PRINT 'Credential already exists for audit-logs container'; +END +GO +``` + +### Step 2: Create Server Audit + +```sql +USE master; +GO + +-- Drop existing audit if it exists (for redeployment scenarios) +IF EXISTS (SELECT * FROM sys.server_audits WHERE name = 'SERVER_AUDIT') +BEGIN + ALTER SERVER AUDIT [SERVER_AUDIT] WITH (STATE = OFF); + DROP SERVER AUDIT [SERVER_AUDIT]; + PRINT 'Existing server audit dropped'; +END + +-- Create the server audit +PRINT 'Creating server audit...'; +CREATE SERVER AUDIT [SERVER_AUDIT] +TO URL ( + PATH = 'https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs', + RETENTION_DAYS = 2 -- Adjust based on your retention requirements +) +WITH ( + QUEUE_DELAY = 1000, -- 1 second delay for better performance + ON_FAILURE = CONTINUE, -- Continue operation if audit fails + AUDIT_GUID = NEWID() -- Unique identifier for audit +); +GO +``` + +### Step 3: Create Server Audit Specification +```sql +-- Drop existing specification if it exists +IF EXISTS (SELECT * FROM sys.server_audit_specifications WHERE name = 'SERVER_AUDIT_SPEC') +BEGIN + ALTER SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC] WITH (STATE = OFF); + DROP SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC]; + PRINT 'Existing server audit specification dropped'; +END + +-- Create 
comprehensive server audit specification +CREATE SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC] +FOR SERVER AUDIT [SERVER_AUDIT] + ADD (FAILED_LOGIN_GROUP), -- Failed login attempts + ADD (SUCCESSFUL_LOGIN_GROUP), -- Successful logins + ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), -- Server role membership changes + ADD (SERVER_PRINCIPAL_CHANGE_GROUP), -- Server principal changes (logins) + ADD (LOGIN_CHANGE_PASSWORD_GROUP), -- Password changes + ADD (SERVER_STATE_CHANGE_GROUP), -- Server state changes + ADD (SERVER_OBJECT_CHANGE_GROUP), -- Server object changes + ADD (SERVER_PERMISSION_CHANGE_GROUP), -- Server permission changes + ADD (AUDIT_CHANGE_GROUP), -- Audit configuration changes + ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP) -- Ownership changes +WITH (STATE = OFF); +GO + +-- Enable audit specification first, then audit +ALTER SERVER AUDIT SPECIFICATION [SERVER_AUDIT_SPEC] WITH (STATE = ON); +PRINT 'Server audit specification enabled'; + +ALTER SERVER AUDIT [SERVER_AUDIT] WITH (STATE = ON); +PRINT 'Server audit enabled successfully!'; +GO +``` + +## Configure Database-Level Audit + +Set up database-specific auditing for comprehensive monitoring + +### Database Audit Configuration Script + +```sql +-- Variables - modify these for your environment +DECLARE @DatabaseName NVARCHAR(128) = 'YourDatabaseName'; -- Change to your database name +DECLARE @ServerAuditName NVARCHAR(128) = 'SERVER_AUDIT'; -- Must match your server audit name +DECLARE @DatabaseAuditSpecName NVARCHAR(128) = 'DATABASE_AUDIT_SPEC'; + +-- Validate database exists +IF NOT EXISTS (SELECT * FROM sys.databases WHERE name = @DatabaseName) +BEGIN + PRINT 'Database ' + @DatabaseName + ' does not exist!'; + RETURN; +END + +DECLARE @SQL NVARCHAR(MAX); + +-- Switch to target database and create audit specification +SET @SQL = N' +USE [' + @DatabaseName + N']; + +-- Drop existing database audit specification if it exists +IF EXISTS (SELECT * FROM sys.database_audit_specifications + WHERE name = ''' + 
@DatabaseAuditSpecName + N''') +BEGIN + PRINT ''Dropping existing database audit specification...''; + ALTER DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N'] WITH (STATE = OFF); + DROP DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N']; +END + +PRINT ''Creating database audit specification for: ' + @DatabaseName + N'''; + +CREATE DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N'] +FOR SERVER AUDIT [' + @ServerAuditName + N'] + -- User and Role Management (CreateUserStatement, DropUserStatement, AlterUserStatement) + ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), + + -- Role Operations (CreateRoleStatement, DropRoleStatement, AlterRoleStatement) + ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), + + -- Permission Changes (GrantStatement, RevokeStatement, DenyStatement) + ADD (DATABASE_PERMISSION_CHANGE_GROUP), + + -- Schema Operations (CreateSchemaStatement, DropSchemaStatement) + ADD (SCHEMA_OBJECT_CHANGE_GROUP), + + -- Table Operations (CreateTableStatement, DropTableStatement, AlterTableStatement and etc) + ADD (DATABASE_OBJECT_CHANGE_GROUP), + + -- Ownership Changes (AlterAuthorizationStatement) + ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), + + -- Backup/Restore Operations (BackupStatement, RestoreStatement) + ADD (BACKUP_RESTORE_GROUP), + +WITH (STATE = OFF); + +-- Enable the database audit specification +ALTER DATABASE AUDIT SPECIFICATION [' + @DatabaseAuditSpecName + N'] WITH (STATE = ON); +PRINT ''Database audit specification enabled for: ' + @DatabaseName + N'''; +'; + +EXEC sp_executesql @SQL; + +``` + +## Install and Configure Netwrix Add-on + +Run the Netwrix Auditor Add-on Setup Wizard and follow these configuration steps: + +### Step 1: Netwrix Auditor Server Connection + +**First Screen Configuration:** + +- **Endpoint URL**: URL of your Netwrix Auditor Server +- **Credentials**: Valid credentials with sufficient privileges to register and manage data sources + +### Step 2: Application Settings + +**Microsoft Entra ID 
Authentication:** + +- **Tenant ID**: Directory (tenant) ID from **[Azure Application Registration](#azure-application-registration)** +- **Client ID**: Application (client) ID from **[Azure Application Registration](#step-2-gather-app-details)** +- **Client Secret**: The secret value you copied in **[Azure Application Registration](#step-3-create-a-client-secret)** + +### Step 3: Target SQL Settings + +**Azure SQL Managed Instance Connection:** + +- **Azure SQL Server URL:** + +```text +your-sql-instance.public..database.windows.net,1433 +``` +- **Database Name**: `master` (for audit collection) +- **Authentication**: Azure Active Directory +- **Blob Path**: Full path to audit logs container + +```text +https://stnetwrixsqlmi001.blob.core.windows.net/audit-logs/ +``` + +### Step 4: Finalize Setup + +1. Review all configuration parameters +2. Click **Run** to complete the setup +3. Monitor the initial synchronization process + + diff --git a/docs/auditor/10.8/addon/azuresql/overview.md b/docs/auditor/10.8/addon/azuresql/overview.md new file mode 100644 index 0000000000..e9e38387ae --- /dev/null +++ b/docs/auditor/10.8/addon/azuresql/overview.md 
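Review bot: deployment.md reuses the app name example `NetwrixAuditor-AzureFiles` from the Azure Files guide, but the T-SQL later runs `CREATE LOGIN [NetwrixSQLMIIntegration] FROM EXTERNAL PROVIDER;` with the note that the name "must match exactly as shown in Entra ID"; use one name in both places and drop the duplicated "**Name**: Name:" prefix. Further points in this file:

- The database audit script has a trailing comma after `ADD (BACKUP_RESTORE_GROUP),` immediately before `WITH (STATE = OFF);`, which is a syntax error in `CREATE DATABASE AUDIT SPECIFICATION`; remove the comma.
- `AUDIT_GUID = NEWID()` in `CREATE SERVER AUDIT` is only needed when an audit must be recreated with a fixed GUID (mirroring and availability group scenarios); omit the option and let the engine assign one, which also avoids relying on a function call where the syntax expects a uniqueidentifier value.
- "Step 1: Add API Permissions (Optional)" is followed by "Step 2: Grant Admin Consent" with "**Why this is required:** ... audit logs will only show unresolved SIDs instead of usernames"; that rationale is copied from the Azure Files guide and does not apply to SQL MI, and consent cannot be required for permissions declared optional. State which Graph permission the add-on actually needs, or drop the consent step.
- "Step 2: Gather App Details" lists only the Application (Client) ID, but "Step 2: Application Settings" later asks for the Tenant ID "from Azure Application Registration"; add "Directory (tenant) ID" to the gather step.
- `Storage Blob Data Owner` for the SQL MI managed identity is more than writing audit blobs to the `TO URL` target needs; `Storage Blob Data Contributor` is sufficient, so prefer it under least privilege (confirm against the Azure SQL Managed Instance auditing doc linked from overview.md).
- `RETENTION_DAYS = 2` is a very short retention for a security audit trail; if the add-on is the only consumer of the blobs this may be intended, but say so explicitly next to the "Adjust based on your retention requirements" comment.
- The "Azure SQL Server URL" sample `your-sql-instance.public..database.windows.net,1433` has an empty DNS-zone segment (`public..`); a public endpoint has the form `<instance>.public.<dns-zone>.database.windows.net,3342`, while port 1433 belongs to the VNet-local endpoint `<instance>.<dns-zone>.database.windows.net,1433`. Pick one and show it correctly.
- Minor: the last statement of the login block (`GRANT VIEW SERVER SECURITY AUDIT TO [NetwrixSQLMIIntegration]`) lacks the terminating semicolon the other statements have, "Click **Review** + **Create**" should be "Click **Review + Create**" as in the other steps, and "Azure AD admin" / "Azure Active Directory" should be "Microsoft Entra" for consistency with the rest of the page.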
@@ -0,0 +1,65 @@ +--- +title: "Azure SQL Managed Instance" +description: "Azure SQL Managed Instance" +sidebar_position: 70 +--- + +# Azure SQL Managed Instance Audit + +## Overview +This guide provides comprehensive instructions for configuring audit monitoring for Azure SQL Managed Instance using Netwrix Auditor. +The setup involves creating Microsoft Entra ID application registration, configuring Azure Storage for audit logs, setting up database-level auditing, and installing the Netwrix add-on. + +**Download link:** +[https://netwrix.com/go/auditor_addon_azure_sql_mi](https://netwrix.com/go/auditor_addon_azure_sql_mi) + + +## Prerequisites +Before starting the configuration, ensure you have: + +- **Azure Subscription** with appropriate permissions +- **Azure SQL Managed Instance** deployed and accessible +- **Netwrix Auditor Server** installed and running +- **Administrative privileges** in Azure portal and SQL Managed Instance +- **Network connectivity** between Azure SQL MI and storage account + + +## Architecture Overview + +[Azure SQL MI] --> [Audit Logs] --> [Azure Blob Storage] --> [Netwrix Add-on] --> [Netwrix Auditor] + + +The solution uses: +- **Microsoft Entra ID** for authentication +- **Azure Blob Storage** for audit log storage +- **Managed Identity** for secure access +- **Server and Database level auditing** for comprehensive coverage + +# **Limitations and Considerations** + +- **Single Instance Support**: This add-on version supports monitoring one Azure SQL Managed Instance per installation +- **Processing Delay**: There may be a delay between events occurring and appearing in Netwrix Auditor + + +# Support and Feedback + + +This Azure SQL Managed Instance add-on is a **free integration solution** for Netwrix Auditor. + +**Your feedback matters.** Suggest features or improvements for Netwrix Auditor and vote for your favorites in the **[Netwrix Community](https://community.netwrix.com/c/products/auditor/ideas/93)**. 
+ +Please share your feedback on: + +- Functionality and features +- Documentation and setup process +- Additional requirements or use cases + + + +# Additional Resources + + +**Microsoft Documentation** +- [Create a storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create) +- [Azure SQL Managed Instance auditing](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure) +- [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal)
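Review bot: heading levels in overview.md are inconsistent: the page H1 is "# Azure SQL Managed Instance Audit" and "## Overview", "## Prerequisites" and "## Architecture Overview" are H2, but "# **Limitations and Considerations**", "# Support and Feedback" and "# Additional Resources" are H1 (the first also wraps bold inside the heading); change them to "##" and drop the bold. The flow line "[Azure SQL MI] --> [Audit Logs] --> [Azure Blob Storage] --> [Netwrix Add-on] --> [Netwrix Auditor]" is bare markdown, where the square brackets can be misread as link syntax; put it in a fenced `text` block as deployment.md does for its sample values. The front matter `description: "Azure SQL Managed Instance"` merely repeats the title; give it a one-line description of what the page covers.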