SHAREPOINT ONLINE CONFIGURATION GUIDE 2021 - STEALTHBITS

2021

SharePoint Online Configuration Guide
StealthAUDIT®
Stealthbits Activity Monitor®

                                                   TOC
    SharePoint Online Configuration Overview                                         3

         SharePoint Compatibility                                                    3

    StealthAUDIT SharePoint Scan Options                                             4

         SharePoint Agent-Less Scans                                                 4

             Firewall Rules for Agent-Less Scans                                     5
             SharePoint Data Collection Configuration for Agent-Less Scans           6

    Activity Monitor Configuration                                                   7

         Activity Monitor Activity Agent Deployment                                  7

         Prepare for Activity Monitoring                                             7

         Monitored Host Configuration                                                8

         Firewall Rules for Activity Monitoring                                     10

         SIEM Integration                                                           10

    SharePoint Online Configuration for Access Auditing                             12

         Configure Modern Authentication for SharePoint Online & OneDrive           12

             Register StealthAUDIT with SharePoint as an Application                13
             Provision the StealthAUDIT SharePoint Registered Application           13

    SharePoint Online Configuration for Activity Monitoring                         15

         Register Activity Monitor with Microsoft Azure as a Web Application        15

             Register Activity Monitor with Microsoft Azure                         16
             Identify the Client ID & Client Key                                    16
             Grant Permissions for Activity Monitoring in Microsoft Azure           17

    StealthAUDIT Connection Profile & Host List                                     19

         SharePoint Online Custom Connection Profile                                19

         SharePoint Custom Host List                                                20

    More Information                                                                21

Doc_ID 736                                                                               2

             Copyright 2021 STEALTHBITS, NOW PART OF NETWRIX, ALL RIGHTS RESERVED
StealthAUDIT®
Stealthbits Activity Monitor®

         SharePoint Online Configuration Overview
 Stealthbits products audit and monitor Microsoft® SharePoint® environments. StealthAUDIT
 employs the SharePoint solution to execute Access Auditing (SPAA) and/or Sensitive Data
 Discovery Auditing scans against SharePoint Online. The Activity Monitor can also monitor
 SharePoint Online activity; however, this event data is not supported by StealthAUDIT 11.0.
 Additionally, the Activity Monitor can be configured to provide activity data to various SIEM
 products.

 This document describes the necessary settings in SharePoint to allow for successful use of:

 - StealthAUDIT v11.0
 - Stealthbits Activity Monitor v6.0

 The Sensitive Data Discovery Add-on must be installed on the StealthAUDIT Console server. Each
 thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is
 configured to scan 8 hosts at a time, then an extra 16 GB of RAM are required (8x2=16).

 The sections of this document align to the products as follows:

 - StealthAUDIT
     - StealthAUDIT Scan Options
     - Activity Monitoring for SharePoint
     - SharePoint Online Configuration for Access Auditing
     - StealthAUDIT Connection Profile & Host List
 - Stealthbits Activity Monitor
     - Activity Monitoring for SharePoint
     - SharePoint Online Configuration for Activity Auditing

 SharePoint Compatibility
 StealthAUDIT for SharePoint is compatible with the following Microsoft® SharePoint®
 environments as targets:

 - SharePoint Online®
 - OneDrive® for Business (Access Auditing and/or Sensitive Data Discovery Auditing Agent-less
   only type scans)


             StealthAUDIT SharePoint Scan Options
 Required permissions on the targeted SharePoint environment depend not only on the type of
 environment targeted but also on the type of data collection scan being executed. There are
 two types of Access Auditing (SPAA) and/or Sensitive Data Discovery Auditing scans: agent-based
 and agent-less. The Activity Auditing (SPAC) scans can only be executed as agent-less scans from
 StealthAUDIT but require the Activity Monitor to have an activity agent deployed in the target
 environment.

 Agent-Based Type

 When StealthAUDIT SharePoint scans are run in agent-based mode, the StealthAUDIT SharePoint
 Agent must be installed on the SharePoint Application server which hosts the “Central
 Administration” component prior to executing the scans. This is typically the first server stood up
 during the SharePoint farm installation process in this mode. The data collection processing is
 conducted by the SharePoint Agent for the target environment. The final step in data collection is
 to transfer the data collected in the SQLite databases, or Tier 2 databases, on the StealthAUDIT
 SharePoint Agent server back to the StealthAUDIT Console server.

 NOTE: Agent-based scans can only target on-premise environments.

 Agent-Less Type

 When SharePoint agent-less scans are run, it means all of the data collection processing is
 conducted by the StealthAUDIT Console server across the network. Agent-less scans can target
 both on-premise and online environments.

 SharePoint Agent-Less Scans
 The SharePoint agent-less scan architecture is capable of auditing permissions and content, or
 Access Auditing (SPAA) and Sensitive Data Discovery Auditing, on SharePoint on-premise and
 SharePoint Online. It is also capable of Activity Auditing (SPAC) on SharePoint on-premise.

 The SharePoint agent-less scan architecture requires permissions to be configured on the
 specified server:

 - SharePoint Online & OneDrive for Business
     - Modern Authentication Option:
         - Register StealthAUDIT as a SharePoint application to the targeted SharePoint Online
           environment – Requires the SharePoint Global Administrator role to register and provision
           the application
           NOTE: The SharePoint application registration will need to be refreshed annually.
     - Legacy Authentication Option:
         - SharePoint Administrator Role
         - Site Administrator of the root site to be audited
         - OneDrive permissions are based on the SharePointAccess Data Collection configuration
           option:
             - Forcing the service account to become a temporary admin of the personal sites, either
               as the service account or as a member of the Company Administrators group, requires
               the SharePoint Global Administrator role.
             - The Skip inaccessible personal sites option only scans sites where the service
               account has administrative access.
         - The service account must be a licensed SharePoint account in order to scan OneDrive
           and/or personal sites.

 Sensitive Data Discovery Auditing scans also require the Sensitive Data Discovery Add-on be
 installed on the StealthAUDIT Console server. Each thread requires a minimum of 2 additional GB
 of RAM per host. For example, if the job is configured to scan 8 hosts at a time, then an extra 16
 GB of RAM are required (8x2=16). See the StealthAUDIT Sensitive Data Discovery Add-On
 Installation Guide for additional information.

 The credentials within the Connection Profile assigned to the SharePoint scans must have the
 required rights and firewall rules configured for running Access Auditing (SPAA) and/or Sensitive
 Data Discovery Auditing scans.

 Firewall Rules for Agent-Less Scans
 One of the following ports must be open for communication between StealthAUDIT and the
 SharePoint Online environment:

    Port   Protocol   Source                        Direction   Target                          Purpose
    80     TCP        StealthAUDIT Console server               SharePoint Online Environment   HTTP Communication
    443    TCP        StealthAUDIT Console server               SharePoint Online Environment   HTTPS Communication

 SharePoint Data Collection Configuration for Agent-Less Scans
 To employ the agent-less type of scan for collecting SharePoint data, navigate to the desired
 SharePoint > 0.Collection > …_SystemScans job(s) and open the SharePoint Access Auditor Data
 Collector Wizard from the job’s query. The following configuration settings are required to
 employ agent-less scans:

 - Agent Settings wizard page – Enable Agent Service Scans option must remain unselected

 Other configuration settings which directly relate to permission options:

 - SharePoint data collection settings page
     - Collect Personal Sites > Skip inaccessible personal sites option requires the service account
       to be provisioned prior to the scan to scan OneDrives / personal sites
     - Collect Personal Sites > Force scan account as admin of inaccessible personal sites option
       requires the service account to be a SharePoint Global Administrator (online) or Farm
       Admin (on-premise)
     - Collect Personal Sites > Force Company Administrator as admin of inaccessible personal
       sites option requires the service account to be a SharePoint Global Administrator (online) or
       Farm Admin (on-premise)

 See the SPAA Query Configuration section of the StealthAUDIT User Guides v11.0 for additional
 information.

 NOTE: Sensitive Data Discovery Auditing scans are configured on the DLP Audit Settings and
 Select DLP Criteria wizard pages of the SharePoint Access Auditor Data Collector Wizard from the
 1-SPSEEK_SystemScans Job.


                     Activity Monitor Configuration
 The Activity Monitor collects activity events from SharePoint Online. There must be a deployed
 activity agent on a Windows server to monitor the target environment.

 While actively monitoring, the agent generates activity log files which are stored on the agent
 server. The Activity Monitor integrates with SIEM products:

 - Stealthbits Activity Monitor only
     - Activity Monitor agent writes activity log files on the agent server.
     - Activity Monitor Console search feature displays data from the activity log files.
 - SIEM Integration
     - Activity Monitor activity agent writes activity log files on the activity agent server.
     - Activity Monitor sends the event stream to the SIEM product, which is configured on the
       Monitored Hosts’ properties > Syslog tab.

 Activity Monitor Activity Agent Deployment
 Servers targeted for activity agent deployment must have .NET Framework 4.7.2 or higher
 installed or the deployment fails. Deploy an activity agent from the Activity Monitor Console. The
 credential supplied during deployment must have:

 - Group membership in the local Administrators group

 Follow the steps to deploy an activity agent.

 Step 1 – On the Agents tab, click Add agent to open the Add New Agent(s) window.

 Step 2 – On the Install new agent page, enter the Server name to deploy to a single server.

 Step 3 – On the Credentials to connect to the server(s) page, provide the provisioned credential.

 Remember, Remote Registry Service must be enabled on the host where the activity agent is
 deployed.

 See the Stealthbits Activity Monitor Installation & Console User Guide for additional information
 on deploying and configuring the activity agent.

 Prepare for Activity Monitoring


 The target environment must be prepared for activity monitoring before the activity agent is
 configured. This preparation includes:

 - For SharePoint Online, configure access to the infrastructure
 - Configure Firewall

 Once this preparation is complete, the activity agent can be configured for monitoring through
 the Activity Monitor Console. See the SharePoint Online Configuration for Activity Monitoring
 section for details on completing this preparation.

 Monitored Host Configuration
 After activity agent deployment and the preparations for monitoring have been completed, add
 the Monitored Host to the activity agent server. In the Activity Monitor Console, open the Add
 New Host window and provide the following information:

 - On the Choose Agent page, select the server for the Agent.
 - On the Add Host page:
     - Select the appropriate Storage device type.
     - Then enter the Azure Active Directory domain name in the textbox.
     - Optionally add a Comment to indicate intended output.
 - On the Azure AD Connection page, enter the Client ID and Client Secret, then click Sign In.
   NOTE: The Activity Monitor must be registered with Microsoft® Azure® in order to sign in.
 - On the SharePoint Online Operations page, configure the options found in the following tabs:
   File and Page, Folder, List, Sharing and Access Request, Site Permissions, Site Administration,
   Synchronization, DLP, Sensitive Label, Content Explorer, and Other.
 - On the Configure Basic Options page, the following configurations are modified:
     - Period to keep Log files – Activity logs are deleted after the number of days entered. The
       default is 10 days.
       RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be
       retained to meet an organization’s audit requirements.
 - On the Where to Log the Activity page, select whether to send the activity to either a Log File
   or Syslog Server.
 - Configure the options on either the Log File page, the Syslog Server page, or both, depending
   on what options were selected on the Where to Log the Activity page.
     - For Log File, the configurable options are:
         - Specify output file path – Specify the file path where log files are saved. Click the ellipsis
           button (...) to open Windows Explorer and navigate to a folder destination. Click Test
           to test whether the path works.
         - Period to keep Log files – Log files are deleted after the number of days entered. The
           default is 10 days. Use the dropdown to specify whether to keep the Log files for a set
           number of Minutes, Hours, or Days.
         - This log file is for StealthAUDIT – Enable this option to have StealthAUDIT collect this
           monitored host configuration.
           RECOMMENDED: Identify the configuration to be read by StealthAUDIT when integration
           is available.
             - While the Activity Monitor can have multiple configurations per host, StealthAUDIT
               can only read one of them.
     - For Syslog, the configurable options are:
         - Syslog server in SERVER[:PORT] format – Type the Syslog server name in SERVER:PORT
           format in the textbox.
             - The server name can be a short name, fully qualified domain name (FQDN), or IP address,
               as long as the organization’s environment can resolve the name format used. The Event
               stream is the activity being monitored according to this configuration for the
               monitored host.
         - Syslog Protocol – Identify the Syslog protocol to be used for the Event stream. The drop-
           down menu includes:
             - UDP
             - TCP
             - TLS
             - The TCP and TLS protocols add the Message framing drop-down menu. See the Syslog
               Tab section for additional information.
         - The Test button sends a test message to the Syslog server to check the connection. A
           green check mark or a red mark indicates whether the test message was sent or failed
           to send. Messages vary by Syslog protocol:
             - UDP – Sends a test message and does not verify the connection
             - TCP/TLS – Sends a test message and verifies the connection
             - TLS – Shows an error if the TLS handshake fails
             - See the Syslog Tab section for additional information.

 After the monitored host configuration is complete, additional steps are required for SIEM
 integration. See the SIEM Integration section for additional information.
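The Syslog target format and Test-button behaviour described above (UDP sends without verifying, TCP and TLS verify the connection, TLS reports a handshake failure), as an added Python example that is not Stealthbits code. It assumes a default port of 514 when PORT is omitted and that the Message framing options correspond to RFC 6587 octet counting and LF framing; the local receiver is a constructed stand-in for a SIEM so the example runs offline.

```python
"""Added example modelling the Syslog tab's SERVER[:PORT] target and Test-button
behaviour described above. Not Stealthbits code; the default port and the RFC 6587
framing modes are assumptions, and the local receiver is a constructed SIEM stand-in."""
import socket
import ssl
import threading

DEFAULT_PORT = 514  # assumption: used when the SERVER[:PORT] value omits PORT


def parse_syslog_target(text, default_port=DEFAULT_PORT):
    """Parse a SERVER[:PORT] value; SERVER may be a short name, FQDN or IPv4."""
    text = text.strip()
    host, sep, port = text.rpartition(":")
    if not sep:                              # no ":PORT" suffix present
        host, port = text, str(default_port)
    elif not port.isdigit():
        raise ValueError("invalid port in %r" % text)
    if not host:
        raise ValueError("missing server name in %r" % text)
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError("port out of range in %r" % text)
    return host, port_num


def frame(message, framing):
    """Frame one message for a stream transport (TCP/TLS), per RFC 6587."""
    if framing == "octet-counting":          # "<length> <message>"
        return ("%d " % len(message)).encode() + message
    if framing == "non-transparent":         # message terminated by LF
        return message + b"\n"
    raise ValueError("unknown framing %r" % framing)


def send_test_message(host, port, protocol, message=b"<14>syslog test",
                      framing="octet-counting", timeout=3.0, cafile=None):
    """Send one test message and return (ok, detail) as the Test button is
    documented: UDP never verifies, TCP verifies the connection, and TLS
    additionally fails when the handshake fails."""
    if protocol == "UDP":
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(message, (host, port))
        except OSError as e:                 # e.g. the name does not resolve
            return False, "UDP send failed: %s" % e
        return True, "UDP test message sent; delivery is not verified"
    if protocol not in ("TCP", "TLS"):
        return False, "unknown protocol %r" % protocol
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if protocol == "TLS":
                ctx = ssl.create_default_context(cafile=cafile)
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    tls.sendall(frame(message, framing))
            else:
                s.sendall(frame(message, framing))
    except ssl.SSLError as e:                # handshake or certificate failure
        return False, "TLS handshake failed: %s" % e
    except OSError as e:                     # refused, unreachable, timed out
        return False, "%s connection failed: %s" % (protocol, e)
    return True, "%s connection verified and test message sent" % protocol


def start_local_receiver(max_connections=1, timeout=5.0):
    """Start a throwaway TCP listener on 127.0.0.1 (constructed stand-in for a
    SIEM). Returns (port, received, done): received collects the raw bytes of
    each connection; done is set once the listener has finished."""
    received, done = [], threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            for _ in range(max_connections):
                try:
                    conn, _addr = srv.accept()
                except OSError:              # nobody connected in time
                    break
                with conn:                   # read one message, then close
                    conn.settimeout(timeout)
                    try:
                        received.append(conn.recv(4096))
                    except OSError:
                        received.append(b"")
        done.set()

    threading.Thread(target=serve, daemon=True).start()
    return port, received, done


def find_closed_port():
    """Pick a port nothing is listening on (bind to 0, then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Pointing the TLS case at the plain-TCP receiver reproduces the documented handshake error, while the UDP case reports success even against a port nothing listens on.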

 Firewall Rules for Activity Monitoring
 Firewall settings are dependent upon the type of environment being targeted. The following
 firewall settings are required for communication between activity agent server and the Activity
 Monitor Console:

    Communication Direction                      Protocol   Ports   Description
    Activity Monitor to Activity Agent Server    TCP        4498    Activity Agent Communication

 The Windows firewall rules need to be configured on the Windows server, which require certain
 inbound rules be created if the scans are running in applet mode. These scans operate over a
 default port range, which cannot be specified via an inbound rule. For more information, see the
 Microsoft Connecting to WMI on a Remote Computer article.

 SIEM Integration
 The Activity Monitor can be configured to stream events to various SIEM products.

 NOTE: The Activity Monitor can be configured for multiple outputs for a host, e.g. for one or more
 SIEM products. Add a new output for the same host to the Monitored Host tab in the Activity
 Monitor Console to customize the activity data to be sent to a SIEM product.

 RECOMMENDED: Add a Comment to identify the product for which the output aligns. Comments
 can be added when the new output is configured on the Add Hosts page or when the host
 properties are edited on the Comments tab.

 After the Activity Monitor has been configured to monitor a host, it is necessary to select a syslog
 template to be used for communicating with the SIEM product. The following Syslog templates
 have been provided:

 - LEEF (generic LEEF message format)

 Follow these steps to configure the Activity Monitor to stream event data to a SIEM product.

 Step 1 – Within the Activity Monitor Console on the Monitored Hosts tab, select the desired
 configuration and click Edit. Select the Syslog tab.

 Step 2 – Type the server name for the SIEM product in a [SERVER]:[PORT] format in the textbox.

 Step 3 – Select the desired Syslog protocol from the drop-down menu.

 Step 4 – Click the ellipsis (…) to open the Syslog Message Template window.

 Step 5 – Select the desired template from the Template drop-down menu. If desired, the
 message can be modified, which creates a “Custom” template.

 Step 6 – Click OK to save the selection and close the Syslog Message Template window.
 Remember, it is recommended to select the Comments tab and identify this output as being
 configured for the SIEM product, e.g. SIEM.

 Step 7 – Then click OK to save the changes and close the host’s properties window.

 The template is assigned as the Syslog message template for the selected monitored host. The
 SIEM product begins receiving event stream data.


 SharePoint Online Configuration for Access Auditing
 In order for StealthAUDIT to execute Access Auditing (SPAA) and/or Sensitive Data Discovery
 Auditing scans, the credential must have the following permissions for the target SharePoint
 Online & OneDrive for Business environment:

 - Modern Authentication Option:
     - Register StealthAUDIT as a SharePoint application to the targeted SharePoint Online
       environment – Requires the SharePoint Global Administrator role to register and provision the
       application
 - Legacy Authentication Option:
     - SharePoint Administrator Role
     - Site Administrator of the root site to be audited
     - OneDrive permissions are based on the SharePointAccess Data Collector configuration
       option:
         - Forcing the service account to become a temporary admin of the personal sites, either as
           the service account or as a member of the Company Administrators group, requires the
           SharePoint Global Administrator role.
         - The Skip inaccessible personal sites option only scans sites where the service
           account has administrative access. See the SharePoint Online Configuration for Access
           Auditing section for additional information.
     - The service account must be a licensed SharePoint account in order to scan OneDrive and/or
       personal sites

 NOTE: The SharePoint application registration will need to be refreshed annually.

 Configure Modern Authentication for SharePoint Online & OneDrive
 Configure Modern Authentication for SharePoint Online and OneDrive by first registering
 StealthAUDIT as a SharePoint application, and then provisioning the registered application. This
 requires the SharePoint Global Administrator role.

 NOTE: The SharePoint application registration will need to be refreshed annually.


 Register StealthAUDIT with SharePoint as an Application
 Follow the steps to register StealthAUDIT as a SharePoint application.

 Step 1 – Navigate to the SharePoint Application Registration page:
             https://[tenant].sharepoint.com/_layouts/15/appregnew.aspx

 Step 2 – Click Generate to create the Client Id and Client Secret.

 Step 3 – In the Title field, name the app StealthAUDITApp.

 Step 4 – In the App Domain field, enter www.localhost.com.

 Step 5 – In the Redirect URL field, enter https://www.localhost.com.

 Step 6 – Click Create.

 CAUTION: Do not leave the following page without copying the Client Id and Client Secret.

 Step 7 – Copy the Client Id and Client Secret to be used to provision the app and used in the
 StealthAUDIT Connection Profile. Click OK.

 StealthAUDIT is a registered SharePoint application.

 Provision the StealthAUDIT SharePoint Registered Application
 Follow the steps to provision the registered application for StealthAUDIT.

 Step 1 – Navigate to the SharePoint Application Invitation Site:
             https://[tenant]-admin.sharepoint.com/_layouts/15/appinv.aspx

 Step 2 – Paste the Client Id into the App Id field. Click Lookup. The app information is populated.

 Step 3 – In the Permission Request XML, paste the following:
             

 Step 4 – Click Create.

 Step 5 – Click Trust It.

 The registered StealthAUDIT SharePoint application has been provisioned to scan SharePoint
 Online and OneDrive.


 SharePoint Online Configuration for Activity Monitoring
 In order to collect logs and monitor SharePoint Online activity using the Activity Monitor, it needs
 to be registered with Microsoft® Azure®. This guide explains how to enable auditing on a
 SharePoint Online environment and to configure the Activity Monitor to monitor activity coming
 from SharePoint Online.

 The Azure requirements for activity monitoring of SharePoint Online are:

 - Global Administrator role in SharePoint Online
 - Client ID
 - Client Secret
 - Microsoft Graph API/Permissions:
     - Application:
         - AuditLog.Read.All
         - Directory.Read.All
         - User.Read.All
         - Sites.Read.All
     - Delegated:
         - offline_access
         - openid
         - profile
         - User.Read
         - User.Read.All
 - Office 365 Management APIs
     - Application Permissions:
         - ActivityFeed.Read
         - ActivityFeed.ReadDlp

 Register Activity Monitor with Microsoft Azure as a Web Application

 The Activity Monitor must be registered as a web application in Microsoft Azure before initiating
 activity monitoring. Registering the Activity Monitor will produce a Client ID and Client Secret,
 which are required for configuring the Activity Monitor to target SharePoint Online. See
 Microsoft Support for assistance in configuring the Microsoft® Azure™ SharePoint Online web
 application.

 Register Activity Monitor with Microsoft Azure
 Follow the steps to register the Activity Monitor with Microsoft Azure.

 Step 1 – Sign into Azure. Navigate to the Azure portal and click on App registrations.

 Step 2 – On the App registrations page, click New registration.

 Step 3 – On the Register an application page, configure the following options:

 - Name – Enter a user-facing display name for the Activity Monitor application
 - Supported account types – Select who can use the application or access the API:
     - Accounts in this organizational directory only – All internal organization accounts
     - Accounts in any organizational directory – All Microsoft business or school accounts
     - Accounts in any organizational directory and personal Microsoft accounts – All users with
       work, school, or personal accounts
       RECOMMENDED: Use the Accounts in this organizational directory only option
 - Redirect URI – Set the Redirect URI to Public client/native (mobile & desktop) from the drop-
   down menu. In the text box, enter the following:

             urn:ietf:wg:oauth:2.0:oob

 Step 4 – Click Register. The Overview page for the newly registered Activity Monitor will open.

 Step 5 – Review the newly created registered application.

 Step 6 – Now that the application has been registered, permissions need to be granted to it.

 Identify the Client ID & Client Key
 Follow the steps to find the registered application’s Client ID and generate the Client Secret.

 Step 1 – In the Azure portal, on the left-hand navigation pane, click Azure Active Directory.

 Step 2 – In the Azure Active Directory blade, click App Registrations.


 Step 3 – Copy the Client ID from the Overview page for the registered application.

 NOTE: The Client ID is needed for adding an Azure Active Directory host in the Activity Monitor.
 See the Monitored Host Configuration section for additional information.

 Step 4 – Select Certificates & secrets in the left-hand navigation pane.

 CAUTION: The newly generated Client Secret will not be accessible after leaving the Certificates &
 secrets page. It is recommended to copy the Client Secret to a location that can be accessed
 later when configuring the Azure Active Directory host in the Activity Monitor.

 Step 5 – On the Certificates & secrets page, click the New client secret button located in the
 Client secrets section, and the Add a client secret popup opens.

 Step 6 – Provide a description for the Client Secret, and select an expiration date.

 NOTE: It is best practice to configure the Client Secret to expire in 1 or 2 years.

 Step 7 – A Client Secret is generated for the Activity Monitor Client ID. Copy the Client Secret.

 The Client ID and Client Secret are now ready to be used to add and configure a SharePoint
 Online Activity Monitor host.

 Grant Permissions for Activity Monitoring in Microsoft Azure
 Follow the steps to set up permissions to enable the Activity Monitor to monitor data and collect
 logs for SharePoint Online.

 Step 1 – Navigate to the Activity Monitor application portal in Microsoft Azure and select API
 Permissions from the left-hand navigation menu.

 Step 2 – On the API permissions page, click on Add a permission to open the Request API
 Permissions window.

 Step 3 – Click Microsoft Graph. Select the following Delegated and Application Permissions:

 - Application Permissions:
     - AuditLog.Read.All
     - Directory.Read.All
     - User.Read.All
 - Delegated Permissions:
     - User.Read – added by default
     - offline_access
     - openid
     - profile
 Click Add permissions.

 Step 4 – On the API permissions page, click the Grant admin consent for [Tenant Name] button
 located above the permissions list, next to the Add a permission button, then click Yes in the
 confirmation window.

 The Activity Monitor now has the necessary permissions configured and granted to monitor
 Azure Active Directory activity and collect logs.
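 The following verification script is an added example and not part of the Stealthbits guide. It uses the Microsoft Graph PowerShell module to confirm that the Activity Monitor app registration requests exactly the Graph permissions listed above, that admin consent (Step 4) has actually been granted, and that the client secret lifetime follows the 1 to 2 year guidance; the application display name is an assumption.

```powershell
# Added verification script (not part of the Stealthbits guide). Requires the Microsoft.Graph module.
# $AppDisplayName is an assumption: replace it with the display name used when registering the app.
param([string]$AppDisplayName = 'Stealthbits Activity Monitor')

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$graphAppId     = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID
$requiredRoles  = 'AuditLog.Read.All', 'Directory.Read.All', 'User.Read.All'   # Application permissions
$requiredScopes = 'User.Read', 'offline_access', 'openid', 'profile'           # Delegated permissions

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "App registration '$AppDisplayName' not found" }

# Resolve permission names to IDs from the Graph service principal instead of hard-coding GUIDs
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roleName  = @{}; $graphSp.AppRoles               | ForEach-Object { $roleName[$_.Id]  = $_.Value }
$scopeName = @{}; $graphSp.Oauth2PermissionScopes | ForEach-Object { $scopeName[$_.Id] = $_.Value }

$graphAccess     = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId
$requestedRoles  = $graphAccess.ResourceAccess | Where-Object Type -eq 'Role'  | ForEach-Object { $roleName[$_.Id] }
$requestedScopes = $graphAccess.ResourceAccess | Where-Object Type -eq 'Scope' | ForEach-Object { $scopeName[$_.Id] }

foreach ($r in $requiredRoles)  { if ($r -notin $requestedRoles)  { Write-Warning "Missing application permission: $r" } }
foreach ($s in $requiredScopes) { if ($s -notin $requestedScopes) { Write-Warning "Missing delegated permission: $s" } }
# Flag anything beyond the documented set: extra Graph permissions widen what a leaked secret can reach
$requestedRoles | Where-Object { $_ -notin $requiredRoles } | ForEach-Object { Write-Warning "Unexpected application permission: $_" }

# Admin consent (Step 4) shows up as app role assignments on the app's own service principal
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
    ForEach-Object { $roleName[$_.AppRoleId] }
foreach ($r in $requiredRoles) { if ($r -notin $granted) { Write-Warning "Admin consent not granted for: $r" } }

# Client secret hygiene: a lifetime beyond 2 years exceeds the guide's recommendation, and a secret
# within 30 days of expiry must be rotated before the Activity Monitor host stops authenticating
$now = Get-Date
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - $now).TotalDays
    if ($daysLeft -lt 0)       { Write-Warning "Secret '$($cred.DisplayName)' expired $(-$daysLeft) days ago" }
    elseif ($daysLeft -lt 30)  { Write-Warning "Secret '$($cred.DisplayName)' expires in $daysLeft days, rotate now" }
    elseif ($daysLeft -gt 731) { Write-Warning "Secret '$($cred.DisplayName)' lifetime exceeds 2 years" }
    else { Write-Output "Secret '$($cred.DisplayName)' OK, $daysLeft days remaining" }
}
```

Run it with an account holding Application.Read.All; it prints nothing but OK lines for a registration that matches the steps above, and one warning per deviation.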

 StealthAUDIT Connection Profile & Host List
 Once the target environment has been configured for auditing, it is necessary to create a custom
 Connection Profile and a custom Host List within StealthAUDIT.

 SharePoint Online Custom Connection Profile
 Within StealthAUDIT, create a Connection Profile for the target hosts with the credentials
 configured. It should align with the target host list to be created next. For Access Auditing (SPAA)
 and/or Sensitive Data Discovery Auditing scans, the Connection Profile needs to contain the
 account provisioned for Access Auditing (SPAA). Remember, StealthAUDIT v11.0 does not support
 activity event data from the Activity Monitor for SharePoint Online.

 For a SharePoint Online account, set the following information on the User Credentials window:

 •   Modern Authentication option:
     •   Select Account Type – Azure Active Directory
     •   Domain – {not a field for this type of credential, defaults to }
     •   Client ID – Paste the Client ID from the StealthAUDIT SharePoint App Registration
     •   Password Storage – Application (uses StealthAUDIT’s configured Profile Security setting as
         selected at the Settings > Application node)
     •   Key – Paste the Client Secret from the StealthAUDIT SharePoint App Registration
 •   Legacy Authentication option:
     •   Select Account Type – StealthAUDIT Task (Local) Account
     •   Domain – {not a field for this type of credential, defaults to }
     •   User name – Type the user name
         •   Input [UserName@Domain] when entering credentials for the Connection Profile
     •   Password Storage – Application (uses StealthAUDIT’s configured Profile Security setting as
         selected at the Settings > Application node)
     •   Password – [For the provided user account]
     •   Confirm – Re-type the password

 See the Connection section of the StealthAUDIT User Guides v11.0 for instructions on creating a
 Connection Profile.

 Apply the Connection Profile to the host inventory query and to the SharePoint > 0.Collection Job
 Group.

 SharePoint Custom Host List
 Create a custom host list containing the target hosts for which the Connection Profile just created
 contains credentials. For SharePoint Online, the target host needs to be the organization’s
 SharePoint instance.

 If the target hosts are located within a specific OU within the domain, then the StealthAUDIT Host
 Discovery Wizard can be used. Scope the discovery query task by selecting the Query an Active
 Directory server (General) option on the Source page, and then by navigating to the OU on the
 Active Directory page. See the Query an Active Directory Server (General) Source Option section
 of the StealthAUDIT User Guides v11.0 for additional information.

 A custom host list can be manually created by entering the host names, or it can be imported
 from either a CSV file or a database table. See the Add Hosts section of the StealthAUDIT User
 Guides v11.0 for additional information.

 Assign the custom host list to the SharePoint > 0.Collection Job Group.

 More Information
 Identify threats. Secure data. Reduce risk.

 Stealthbits, now part of Netwrix, is a data security software company focused on protecting an
 organization’s credentials and data. By removing inappropriate data access, enforcing security
 policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements,
 and decrease operations expense.

 For information on our products and solution lines, check out our website at
 www.stealthbits.com or send an email to our information center at info@stealthbits.com.

 If you would like to speak with a Stealthbits Sales Representative, please contact us at
 +1.201.447.9300 or via email at sales@stealthbits.com.

 Have questions? Check out our online Documentation or our Training Videos (requires login):
 https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please
 contact Stealthbits Support at +1.201.447.9359 or via email at support@stealthbits.com.

 Need formal training on how to use a product more effectively in your organization? Stealthbits is
 proud to offer FREE online training to all customers and prospects! For schedule information,
 visit: https://www.stealthbits.com/on-demand-training.
