SHAREPOINT ON-PREMISE CONFIGURATION 2021 - STEALTHBITS
2021 SharePoint On-Premise Configuration
StealthAUDIT®
Stealthbits Activity Monitor®
TOC
SharePoint On-Premise Configuration Overview 4
SharePoint Compatibility 4
StealthAUDIT SharePoint Scan Options 6
StealthAUDIT SharePoint Activity Auditing 6
SharePoint Agent-Based Scans 6
Firewall Rules for Agent-Based Scans 8
SharePoint Data Collection Configuration for Agent-Based Scans 9
SharePoint Agent-Less Scans 10
Firewall Rules for Agent-Less Scans 11
SharePoint Data Collection Configuration for Agent-Less Scans 12
Activity Monitor Configuration 14
Activity Monitor Activity Agent Deployment 14
Prepare for Activity Monitoring 15
Monitored Host Configuration 15
Firewall Rules for Activity Monitoring 17
StealthAUDIT Integration 18
Identify an Activity Log for StealthAUDIT 18
StealthAUDIT Data Collection Configuration for SharePoint Activity Scans 19
SIEM Integration 20
SharePoint On-Premise Configuration for Access Auditing 22
Configure SharePoint Farm Permissions 23
Configure SharePoint Web Application Permissions 24
Configure SharePoint Database Server Permissions 25
Install the StealthAUDIT SharePoint Agent 25
SharePoint On-Premise Configuration for Activity Monitoring 27
Enable Event Auditing on SharePoint 2013 through SharePoint 2019 27
Doc_ID 715
Copyright 2021 STEALTHBITS, NOW PART OF NETWRIX, ALL RIGHTS RESERVED
StealthAUDIT Connection Profile & Host List 28
SharePoint On-Premises Custom Connection Profile 28
SharePoint Custom Host List 28
More Information 30
SharePoint On-Premise Configuration
Overview
Stealthbits products audit and monitor Microsoft® SharePoint® environments. StealthAUDIT
employs the SharePoint solution to execute Access Auditing (SPAA) and/or Sensitive Data
Discovery Auditing scans against SharePoint on-premise. Through integration with the Activity
Monitor, StealthAUDIT can also execute Activity Auditing (SPAC) scans against SharePoint on-
premise environments. Additionally, the Activity Monitor can be configured to provide activity
data to various SIEM products.
This document describes the necessary settings in SharePoint to allow for successful use of:
- StealthAUDIT v11.5
- Stealthbits Activity Monitor v6.0
If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum
amount of RAM on the server where the Add-on is installed. Each thread requires a minimum of 2
additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time,
then an extra 16 GB of RAM are required (8x2=16).
The sections of this document align to the products as follows:
- StealthAUDIT
  - StealthAUDIT Scan Options
  - Activity Monitoring for SharePoint
  - SharePoint On-Premise Configuration for Access Auditing
  - SharePoint On-Premise Configuration for Activity Auditing
  - StealthAUDIT Connection Profile & Host List
- Stealthbits Activity Monitor
  - Activity Monitoring for SharePoint
  - SharePoint On-Premise Configuration for Activity Auditing
SharePoint Compatibility
StealthAUDIT for SharePoint is compatible with the following Microsoft® SharePoint®
environments as targets:
- SharePoint® 2019
- SharePoint® 2016
- SharePoint® 2013
StealthAUDIT SharePoint Scan Options
Required permissions on the targeted SharePoint environment depend not only on the type of
environment targeted but also on the type of data collection scan being executed. There are two
types of Access Auditing (SPAA) and/or Sensitive Data Discovery Auditing scans: agent-based and
agent-less. Activity Auditing (SPAC) scans can only be executed as agent-less scans from
StealthAUDIT but require the Activity Monitor to have an activity agent deployed in the target
environment.
Agent-Based Type
When StealthAUDIT SharePoint scans are run in agent-based mode, the StealthAUDIT SharePoint
Agent must be installed on the SharePoint Application server which hosts the “Central
Administration” component prior to executing the scans. This is typically the first server stood up
during the SharePoint farm installation process. In this mode, the data collection processing is
conducted by the SharePoint Agent for the target environment. The final step in data collection is
to transfer the data collected in the SQLite databases, or Tier 2 databases, on the StealthAUDIT
SharePoint Agent server back to the StealthAUDIT Console server.
NOTE: Agent-based scans can only target on-premise environments.
Agent-Less Type
When SharePoint agent-less scans are run, it means all of the data collection processing is
conducted by the StealthAUDIT Console server across the network. Agent-less scans can target
both on-premise and online environments.
StealthAUDIT SharePoint Activity Auditing
Specific permissions are necessary for Activity Auditing (SPAC) scans, which employ the Activity
Monitor. These scans can only be executed as agent-less scans. See the Activity Monitor
Configuration section for information.
SharePoint Agent-Based Scans
The StealthAUDIT SharePoint Agent is capable of auditing permissions and content, or Access
Auditing (SPAA) and Sensitive Data Discovery Auditing, on SharePoint on-premise servers. It is
installed on the SharePoint Application server which hosts the “Central Administration”
component.
If limited provisioning of the service account is not required by the organization, then the
following permissions are sufficient for successful agent-based scans:
- Membership in the local Administrators group on the server where the StealthAUDIT
  SharePoint Agent is installed
  - Only needed for agent installation
- SharePoint Application Server permissions:
  - Local group membership in Backup Operators
  - Local group membership in WSS_WPG
  - Log on as a Service in the Local Security Policy
  - Full Control on the agent install directory
    - Example: C:\Program Files\STEALTHbits\StealthAUDIT\SPAA
- SharePoint Farm permissions:
  - Membership in the Farm Read group at the farm level
    - If the group does not already exist, create a new group at that level and grant it
      ‘Read’ access. Specifically, it is a group that exists within Central Administration at
      the farm administrator level. This group only requires ‘Read’ access and does not
      grant farm admin access. Once the group is created, add the service account that
      StealthAUDIT will use to scan SharePoint.
- Web Application permissions:
  - Custom Role with Site Collection Auditor at the web application level with the Open Items
    permission
- SharePoint Database Server permissions:
  - For SharePoint 2013 through SharePoint 2019: SPDataAccess on the SharePoint Content
    database and all Configuration databases
    NOTE: This permission should be applied on the desired Configuration database and all
    Content databases for the SharePoint version.
  - DB_Owner on the StealthAUDIT database if using Windows Authentication for the Storage
    Profile
- MySites permissions are based on the SharePointAccess Data Collection configuration option:
  - Forcing the service account to become a temporary admin of the personal sites, either as
    the service account or as a member of the Company Administrators group, requires the
    SharePoint Farm Administrator role or Site Collection Auditor at the web application
    housing MySites.
  - The skip inaccessible personal sites option will only scan sites where the service account
    has administrative access.
Additional permission models are explained in the Appendices of the SharePoint Permissions
document.
Sensitive Data Discovery Auditing scans also require the 64-bit version of the Sensitive Data
Discovery Add-on to be installed on the server hosting the StealthAUDIT SharePoint Agent in order
for Sensitive Data Discovery collections to succeed. This requirement is in addition to having the
Sensitive Data Discovery Add-on installed on the StealthAUDIT Console server. Each thread
requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to
scan 8 hosts at a time, then an extra 16 GB of RAM are required (8x2=16). See the StealthAUDIT
Sensitive Data Discovery Add-On Installation Guide for additional information.
Add-on Prerequisite: The Sensitive Data Discovery Add-on requires .NET Framework 3.5 to be
installed.
The credentials within the Connection Profile assigned to the SharePoint scans must have the
required rights and firewall rules configured for running Access Auditing (SPAA) and/or Sensitive
Data Discovery Auditing scans.
Firewall Rules for Agent-Based Scans
The following ports must be open for communication between StealthAUDIT and the SharePoint
environment:

Port     Protocol  Source                                Direction  Target                                Purpose
1433     TCP       StealthAUDIT Console server           ->         SharePoint SQL Server                 SharePoint SQL Database Connection
445      TCP       StealthAUDIT Console server           ->         SharePoint Application Server         Remote Registry Connection (only required for Web Application scoping)
389/636  TCP       StealthAUDIT SharePoint Agent server  ->         LDAP server                           Agent Authentication
9876*    TCP       StealthAUDIT Console server           ->         StealthAUDIT SharePoint Agent server  StealthAUDIT SharePoint Agent Communication Channel

*Configurable value in the SharePoint Access Auditor Data Collector Wizard.
SharePoint Data Collection Configuration for
Agent-Based Scans
To employ the agent-based type of scan for collecting SharePoint data, navigate to the desired
SharePoint > 0.Collection > …_SystemScans job(s) and open the SharePoint Access Auditor Data
Collector Wizard from the job’s query. The following configuration settings are required to
employ agent-based scans:
- Agent Settings wizard page
  - The Enable Agent Service Scans option must be selected to run agent-based scans
  - Select the radio button for the desired Agent Service Identity:
    - Use Job Credentials when the job has the same credentials as the agent services
    - Use default Service Principal Name when the agent services use local machine credentials
    - Use Custom Identity for other agent service credential scenarios
      - Specify the identity in the format spn:name or upn:name
      - The token %HOST% may be substituted for the host name
Other configuration settings which directly relate to permission options:
- SharePoint data collection settings wizard page
  - Collect Personal Sites > Skip inaccessible personal sites: this option requires the service
    account to be provisioned with access to the personal sites prior to the scan
  - Collect Personal Sites > Force scan account as admin of inaccessible personal sites: this
    option requires the service account to be a SharePoint Global Administrator (online) or
    Farm Admin (on-premise)
  - Collect Personal Sites > Force Company Administrator as admin of inaccessible personal
    sites: this option requires the service account to be a SharePoint Global Administrator
    (online) or Farm Admin (on-premise)
See the SPAA Query Configuration section of the StealthAUDIT User Guides v11.5 for additional
information.
NOTE: Sensitive Data Discovery Auditing scans are configured on the DLP Audit Settings and
Select DLP Criteria wizard pages of the SharePoint Access Auditor Data Collector Wizard from the
1-SPSEEK_SystemScans Job.
SharePoint Agent-Less Scans
The SharePoint agent-less scan architecture is capable of auditing permissions and content, or
Access Auditing (SPAA) and Sensitive Data Discovery Auditing, on SharePoint on-premise and
SharePoint Online. It is also capable of Activity Auditing (SPAC) on SharePoint on-premise.
The SharePoint agent-less scan architecture requires permissions to be configured on the
specified server:
- SharePoint 2013 through SharePoint 2019
  - SharePoint Application Server permissions:
    - Local group membership in Backup Operators
    - Local group membership in WSS_WPG
  - SharePoint Farm permissions:
    - Membership in the Farm Read group at the farm level
      - If the group does not already exist, create a new group at that level and grant it
        ‘Read’ access. Specifically, it is a group that exists within Central Administration at
        the farm administrator level. This group only requires ‘Read’ access and does not
        grant farm admin access. Once the group is created, add the service account that
        StealthAUDIT will use to scan SharePoint.
  - Web Application permissions:
    - Custom Role with Site Collection Auditor at the web application level with the Open
      Items permission
  - SharePoint Database Server permissions:
    - For SharePoint 2013 through SharePoint 2019: SPDataAccess on the SharePoint Content
      database and all Configuration databases
      NOTE: This permission should be applied on the desired Configuration database and all
      Content databases for the SharePoint version.
  - MySites permissions are based on the SharePointAccess Data Collection configuration
    option:
    - Forcing the service account to become a temporary admin of the personal sites, either as
      the service account or as a member of the Company Administrators group, requires the
      SharePoint Farm Administrator role or Site Collection Auditor at the web application
      housing MySites.
    - The skip inaccessible personal sites option will only scan sites where the service
      account has administrative access.
Sensitive Data Discovery Auditing scans also require the Sensitive Data Discovery Add-on to be
installed on the StealthAUDIT Console server. Each thread requires a minimum of 2 additional GB
of RAM per host. For example, if the job is configured to scan 8 hosts at a time, then an extra 16
GB of RAM are required (8x2=16). See the StealthAUDIT Sensitive Data Discovery Add-On
Installation Guide for additional information.
The credentials within the Connection Profile assigned to the SharePoint scans must have the
required rights and firewall rules configured for running Access Auditing (SPAA) and/or Sensitive
Data Discovery Auditing scans.
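As an added check (example code, not from Stealthbits or this guide), the following PowerShell script verifies on the SharePoint Application server that the scan service account holds the local group memberships, the Log on as a Service right and the SPDataAccess database role listed for agent-based and agent-less scans above; the account name, SQL instance and database names are assumptions.

```powershell
# Added verification script (not Stealthbits' own code). Run it as an administrator on
# the SharePoint Application server that hosts Central Administration. The account,
# SQL instance and database names below are assumptions; substitute your own values.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_stealthaudit',           # assumption
    [string]$SqlInstance    = 'SPSQL01',                             # assumption
    [string[]]$Databases    = @('SharePoint_Config', 'WSS_Content')  # assumption
)

$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Local group membership (Backup Operators and WSS_WPG). Get-LocalGroupMember lists
#    direct members only; membership inherited through a nested domain group is not shown.
foreach ($group in 'Backup Operators', 'WSS_WPG') {
    try {
        $members  = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        $isMember = @($members | Where-Object { $_.Name -ieq $ServiceAccount }).Count -gt 0
        Add-Result "Local group: $group" $isMember
    } catch {
        Add-Result "Local group: $group" $false "group not found or not readable: $_"
    }
}

# 2. "Log on as a service" (SeServiceLogonRight). secedit exports the right as a
#    comma-separated list of SIDs, so resolve the account to its SID and search for it.
$acct = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg  = Join-Path $env:TEMP 'stealthaudit-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg -Encoding Unicode | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasRight = [bool]($rightLine | Where-Object { $_ -match [regex]::Escape($sid) })
Add-Result 'Log on as a service' $hasRight

# 3. SPDataAccess role membership in each configuration/content database, queried with a
#    parameterised command over integrated authentication (the user running the script needs
#    read access to the database metadata).
$roleQuery = @'
SELECT COUNT(*) AS IsMember
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SPDataAccess' AND m.name = @acct
'@
foreach ($db in $Databases) {
    $cs   = "Server=$SqlInstance;Database=$db;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $roleQuery
        [void]$cmd.Parameters.AddWithValue('@acct', $ServiceAccount)
        $count = [int]$cmd.ExecuteScalar()
        Add-Result "SPDataAccess in $db" ($count -gt 0)
    } catch {
        Add-Result "SPDataAccess in $db" $false "query failed: $_"
    } finally {
        $conn.Dispose()
    }
}

# Any row with Pass = False is a prerequisite that still has to be granted.
$results | Format-Table -AutoSize
```

The DB_Owner check on the StealthAUDIT database can be added by appending that database to the list and changing the role name in the query to db_owner.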
Firewall Rules for Agent-Less Scans
The following ports must be open for communication between StealthAUDIT and the SharePoint
on-premise environment:

Port     Protocol  Source                       Direction  Target                         Purpose
1433     TCP       StealthAUDIT Console server  ->         SharePoint SQL Server          SharePoint SQL Database Connection
445      TCP       StealthAUDIT Console server  ->         SharePoint Application Server  Remote Registry Connection
389/636  TCP       StealthAUDIT Console server  ->         LDAP server                    Authentication
80       TCP       StealthAUDIT Console server  ->         SharePoint Application Server  StealthAUDIT Communication Channel

If the StealthAUDIT Console server is separated from the SharePoint environment by firewalls,
then it is also necessary to add firewall rules to accommodate the custom web application ports
that are used. Otherwise the StealthAUDIT Console is not able to connect to the SharePoint
environment.
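As an added example (not Stealthbits' code), this PowerShell script creates the inbound Windows Firewall rules from the agent-based and agent-less tables above on the host it runs on, scoped to the console (or agent) server address so the ports are not opened to the whole network; the addresses, rule names, Domain profile choice and the default agent port 9876 are assumptions.

```powershell
# Added example (not Stealthbits' own code): create the inbound Windows Firewall rules from the
# agent-based and agent-less firewall tables, restricted to the source host that actually needs
# them. Run as an administrator on the target host and set $hostRole to that host's role.
# Addresses, rule names, the Domain profile and the default agent port 9876 are assumptions.

$consoleServer = '10.0.0.10'   # assumption: StealthAUDIT Console server address
$agentServer   = '10.0.0.20'   # assumption: StealthAUDIT SharePoint Agent server (agent-based scans)
$hostRole      = 'AppServer'   # one of: SqlServer, AppServer, AgentServer, LdapServer

# One entry per table row; the table's Source becomes the RemoteAddress of the inbound rule.
# Add a further AppServer entry for each custom web application port used in your farm.
$rules = @(
    @{ Role = 'SqlServer';   Port = '1433';    From = $consoleServer; Name = 'StealthAUDIT - SharePoint SQL database connection' }
    @{ Role = 'AppServer';   Port = '445';     From = $consoleServer; Name = 'StealthAUDIT - Remote Registry connection' }
    @{ Role = 'AppServer';   Port = '80';      From = $consoleServer; Name = 'StealthAUDIT - agent-less communication channel' }
    @{ Role = 'AgentServer'; Port = '9876';    From = $consoleServer; Name = 'StealthAUDIT - SharePoint Agent communication channel' }
    @{ Role = 'LdapServer';  Port = '389,636'; From = $agentServer;   Name = 'StealthAUDIT - SharePoint Agent LDAP authentication' }
    @{ Role = 'LdapServer';  Port = '389,636'; From = $consoleServer; Name = 'StealthAUDIT - Console LDAP authentication' }
)

foreach ($rule in ($rules | Where-Object { $_.Role -eq $hostRole })) {
    # Idempotent: skip rules that already exist by display name.
    if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $($rule.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol TCP -LocalPort ($rule.Port -split ',') -RemoteAddress $rule.From -Enabled True | Out-Null
    Write-Host "Created: $($rule.Name) (TCP $($rule.Port) from $($rule.From))"
}

# Review the result, including the remote-address scoping, so an overly broad rule is easy to spot.
Get-NetFirewallRule -DisplayName 'StealthAUDIT - *' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Enabled       = $_.Enabled
    }
} | Format-Table -AutoSize
```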
SharePoint Data Collection Configuration for
Agent-Less Scans
To employ the agent-less type of scan for collecting SharePoint data, navigate to the desired
SharePoint > 0.Collection > …_SystemScans job(s) and open the SharePoint Access Auditor Data
Collector Wizard from the job’s query. The following configuration settings are required to
employ agent-less scans:
- Agent Settings wizard page: the Enable Agent Service Scans option must remain unselected
Other configuration settings which directly relate to permission options:
- SharePoint data collection settings page
  - Collect Personal Sites > Skip inaccessible personal sites: this option requires the service
    account to be provisioned with access to the OneDrives / personal sites prior to the scan
  - Collect Personal Sites > Force scan account as admin of inaccessible personal sites: this
    option requires the service account to be a SharePoint Global Administrator (online) or
    Farm Admin (on-premise)
  - Collect Personal Sites > Force Company Administrator as admin of inaccessible personal
    sites: this option requires the service account to be a SharePoint Global Administrator
    (online) or Farm Admin (on-premise)
See the SPAA Query Configuration section of the StealthAUDIT User Guides v11.5 for additional
information.
NOTE: Sensitive Data Discovery Auditing scans are configured on the DLP Audit Settings and
Select DLP Criteria wizard pages of the SharePoint Access Auditor Data Collector Wizard from the
1-SPSEEK_SystemScans Job.
Activity Monitor Configuration
The Activity Monitor collects activity events from SharePoint on-premise. There must be a
deployed activity agent on the SharePoint Application server which hosts the “Central
Administration” component for the target environment.
While actively monitoring, the agent generates activity log files which are stored on the agent
server. The Activity Monitor integrates with other Stealthbits products as well as SIEM products:
- StealthAUDIT
  - The Activity Monitor activity agent writes activity log files on the agent server.
  - StealthAUDIT data collection can be configured to collect data for a specified number of
    days.
    RECOMMENDED: The Activity Monitor should be configured to keep more activity log files
    than StealthAUDIT is collecting.
  - StealthAUDIT Activity Auditing (SPAC) scans target the Application server to collect data
    from the activity log files designated as being for StealthAUDIT.
  - StealthAUDIT Activity Auditing (SPAC) scans should be scheduled with these settings in
    mind.
- Stealthbits Activity Monitor only
  - The Activity Monitor agent writes activity log files on the agent server.
  - The Activity Monitor Console search feature displays data from the activity log files.
- SIEM Integration
  - The Activity Monitor activity agent writes activity log files on the activity agent server.
  - The Activity Monitor sends the event stream to the SIEM product, which is configured on
    the Monitored Host’s properties > Syslog tab.
Activity Monitor Activity Agent Deployment
Servers targeted for activity agent deployment must have .NET Framework 4.7.2 or higher
installed or the deployment fails. Deploy an activity agent from the Activity Monitor Console. The
credential supplied during deployment must have:
- Group membership in the local Administrators group
Follow the steps to deploy an activity agent.
Step 1 – On the Agents tab, click Add agent to open the Add New Agent(s) window.
Step 2 – On the Install new agent page, enter the Server name to deploy to a single server.
Step 3 – On the Credentials to connect to the server(s) page, provide the provisioned credential.
Remember, the Remote Registry Service must be enabled on the host where the activity agent is
deployed.
See the Stealthbits Activity Monitor Installation & Console User Guide for additional information
on deploying and configuring the activity agent.
Prepare for Activity Monitoring
The target environment must be prepared for activity monitoring before the activity agent is
configured. This preparation includes:
- For SharePoint on-premise, configure site collection audit settings
- Configure the firewall
Once this preparation is complete, the activity agent can be configured for monitoring through
the Activity Monitor Console. See the SharePoint On-Premise Configuration for Activity
Monitoring section for details on completing this preparation.
Monitored Host Configuration
After activity agent deployment and the preparations for monitoring have been completed, add
the Monitored Host to the activity agent server. In the Activity Monitor Console, open the Add
New Host window and provide the following information:
- On the Choose Agent page, select the server for the Agent.
- On the Add Host page:
  - Select the appropriate Storage device type.
  - The SharePoint Application server name/IP Address will appear in the Server name or
    address textbox, but will not be editable.
  - Optionally add a Comment to indicate the intended output.
- On the SharePoint Options page, choose between auditing all sites (leave the top textbox blank)
  or auditing specific sites (enter URLs in the textbox at the top). Then enter the User name and
  User password for the credentials used to access the SharePoint Central Administration audit
  logs for the site collections/web applications being monitored.
- On the Configure Operations page, the following configurations can be modified:
  - SharePoint Operations: check the operations on SharePoint activity to be monitored
  - Permission Operations: check the operations on permission activity to be monitored
- On the Configure Basic Options page, the following configurations can be modified:
  - Period to keep Log files: activity logs are deleted after the number of days entered. The
    default is 10 days.
    RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be
    retained to meet an organization’s audit requirements.
- On the Where to Log the Activity page, select whether to send the activity to a Log File, a
  Syslog Server, or both.
- Configure the options on the Log File page, the Syslog Server page, or both, depending on
  what was selected on the Where to Log the Activity page.
  - For Log File, the configurable options are:
    - Specify output file path: specify the file path where log files are saved. Click the
      ellipsis button (...) to open Windows Explorer and navigate to a destination folder.
      Click Test to check that the path works.
    - Period to keep Log files: log files are deleted after the period entered. The default is
      10 days. Use the dropdown to specify whether the period is in Minutes, Hours, or Days.
    - Log file format: select whether the log file is saved as a JSON or TSV file
    - This log file is for StealthAUDIT: enable this option to have StealthAUDIT collect this
      monitored host configuration
      RECOMMENDED: Identify the configuration to be read by StealthAUDIT when integration
      is available.
      - While the Activity Monitor can have multiple configurations per host, StealthAUDIT
        can only read one of them.
  - For Syslog, the configurable options are:
    - Syslog server in SERVER[:PORT] format: type the Syslog server name in SERVER:PORT
      format in the textbox.
      - The server name can be a short name, a fully qualified name (FQDN), or an IP Address,
        as long as the organization’s environment can resolve the name format used. The
        Event stream is the activity being monitored according to this configuration for the
        monitored host.
    - Syslog Protocol: identify the Syslog protocol to be used for the Event stream. The
      drop-down menu includes:
      - UDP
      - TCP
      - TLS
      - The TCP and TLS protocols add the Message framing drop-down menu. See the Syslog
        Tab section for additional information.
    - The Test button sends a test message to the Syslog server to check the connection. A
      green check mark or a red mark indicates whether the test message was sent or failed
      to send. Messages vary by Syslog protocol:
      - UDP: sends a test message and does not verify the connection
      - TCP/TLS: sends a test message and verifies the connection
      - TLS: shows an error if the TLS handshake fails
    - See the Syslog Tab section for additional information.
After the monitored host configuration is complete, additional steps are required for
StealthAUDIT and SIEM integration. See the StealthAUDIT Integration and SIEM Integration
sections for additional information.
Firewall Rules for Activity Monitoring
Firewall settings are dependent upon the type of environment being targeted. The following
firewall settings are required for communication between the activity agent server and the
Activity Monitor Console:

Communication Direction                    Protocol  Ports  Description
Activity Monitor to Activity Agent Server  TCP       4498   Activity Agent Communication

The Windows firewall rules need to be configured on the Windows server, which requires certain
inbound rules to be created if the scans are running in applet mode. These scans operate over a
default port range, which cannot be specified via an inbound rule. For more information, see the
Microsoft Connecting to WMI on a Remote Computer article.
StealthAUDIT Integration
StealthAUDIT reads the activity log files created by the activity agent which are designated as
being “…for StealthAUDIT” in the monitored host configuration. The credential in the Connection
Profile must have:
- Group membership in the local Administrators group on the activity agent server
Remember, if the activity log files are being archived, then the credential used by StealthAUDIT
to read the activity log files must also have READ and WRITE permissions on the archive location.
StealthAUDIT Activity Auditing scans collect data stored in the activity log files by the activity
agents. The following firewall settings are required for communication between the activity
agent server and StealthAUDIT:

Communication Direction                Protocol  Ports       Description
StealthAUDIT to Activity Agent Server  TCP       445         SMB
StealthAUDIT to Activity Agent Server  TCP       Predefined  WMI
Identify an Activity Log for StealthAUDIT
While the Activity Monitor can have multiple configurations per host, StealthAUDIT can only read
one of them. Therefore, after the Activity Monitor has been configured to monitor a host, it is
necessary to indicate which configuration is for StealthAUDIT. Follow the steps to identify the
activity log file to be read by StealthAUDIT.
Step 1 – Within the Activity Monitor Console on the Monitored Hosts tab, select the desired
configuration and click Edit.
Step 2 – On the Log File tab:
- For SharePoint on-premise, ensure the Log file format option is set to JSON.
- Days to keep Log files: activity logs are deleted after the number of days entered. The default
  is 10.
  RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be
  retained to meet an organization’s audit requirements.
  - For StealthAUDIT integration, this value must be higher than the number of days between
    the StealthAUDIT Activity Auditing scans.
- Check the This log file is for StealthAUDIT box.
RECOMMENDED: Select the Comments tab and identify this output as being configured for
StealthAUDIT.
Step 3 – Then click OK to save the setting.
StealthAUDIT now reads that activity log file when scanning the associated host.
StealthAUDIT Data Collection Configuration for
SharePoint Activity Scans
To employ Activity Auditing (SPAC) scans, navigate to the SharePoint > 0.Collection >
1-SPAC_SystemScans Job and open the SharePoint Access Auditor Data Collector Wizard from the
job’s query. Configure the following settings:
- Activity Date Scope wizard page
  - Scan Filters: these options indicate the number of days of activity details that are collected
    and retained within StealthAUDIT.
    - Remember, the interval at which the 1-SPAC_SystemScans Job is scheduled must be less
      than the number of days configured for activity log retention by the Activity Monitor
      activity agent.
    RECOMMENDED: Retain a minimum of 10 days of activity log files and schedule the job to
    execute as often as possible within the organization, usually daily.
- Activity Log Locations wizard page: optionally configure log locations to avoid needing Remote
  Registry access in order to locate the activity log files.
See the SPAA Query Configuration section of the StealthAUDIT User Guides v11.5 for additional
information.
SIEM Integration
The Activity Monitor can be configured to stream events to various SIEM products.
NOTE: The Activity Monitor can be configured for multiple outputs for a host, e.g. for
StealthAUDIT, StealthINTERCEPT, StealthDEFEND, or SIEM products. Add a new output for the
same host on the Monitored Hosts tab in the Activity Monitor Console to customize the activity
data to be sent to a SIEM product.
RECOMMENDED: Add a Comment to identify the product for which the output is intended. Comments
can be added when the new output is configured on the Add Hosts page or when the host
properties are edited on the Comments tab.
After the Activity Monitor has been configured to monitor a host, it is necessary to select a syslog
template to be used for communicating with the SIEM product. The following Syslog templates
have been provided:
- AlienVault
- HP ArcSight
- LogRhythm
- McAfee
- QRadar
- Splunk
- CEF (generic CEF message format)
- LEEF (generic LEEF message format)
NOTE: Stealthbits has created apps for IBM® QRadar® and Splunk® which are available through
their app exchanges. See the Stealthbits File Activity Monitor App for QRadar User Guide or the
Stealthbits File Activity Monitor App for Splunk User Guide for additional information.
Follow these steps to configure the Activity Monitor to stream event data to a SIEM product.
Step 1 – Within the Activity Monitor Console on the Monitored Hosts tab, select the desired
configuration and click Edit. Select the Syslog tab.
Step 2 – Type the server name for the SIEM product in a [SERVER]:[PORT] format in the textbox.
Step 3 – Select the desired Syslog protocol from the drop-down menu.
Step 4 – Click the ellipsis (…) to open the Syslog Message Template window.
Step 5 – Select the desired template from the Template drop-down menu. If desired, the
message can be modified, which creates a “Custom” template.
Step 6 – Click OK to save the selection and close the Syslog Message Template window.
Remember, it is recommended to select the Comments tab and identify this output as being
configured for the SIEM product, e.g. SIEM.
Step 7 – Then click OK to save the changes and close the host’s properties window.
The template is assigned as the Syslog message template for the selected monitored host. The
SIEM product begins receiving event stream data.
SharePoint On-Premise Configuration
for Access Auditing
In order for StealthAUDIT to execute Access Auditing (SPAA) and/or Sensitive Data Discovery
Auditing scans, the credential must have the following permissions on the target host:
• SharePoint 2013 through SharePoint 2019
  • Agent-based scans:
    • Membership in the local Administrator group on the server where the StealthAUDIT SharePoint Agent is installed
    • SharePoint Application Server permissions:
      • Local group membership to Backup Operators
      • Local group membership to WSS_WPG
      • Log on as a Service in the Local Security Policy
      • Full Control on the agent install directory, example – C:\Program Files\STEALTHbits\StealthAUDIT\SPAA
    • SharePoint Farm permissions:
      • Membership in the Farm Read group at the farm level
    • Web Application permissions:
      • Custom Role with Site Collection Auditor at the web application level with the Open Items permission
    • SharePoint Database Server – SPDataAccess permission on the desired Configuration database and all Content databases
    • DB_Owner on StealthAUDIT database if using Windows Authentication for the Storage Profile
    • MySites permissions are based on the SharePointAccess Data Collection configuration option:
      • Forcing the service account to become a temporary admin of the personal sites, either as the service account or as a member of the Company Administrators group, requires the SharePoint Farm Administrator role or Site Collection Auditor at the web application housing MySites.
      • The skipping inaccessible personal sites option will only scan sites where the service account has administrative access.
    NOTE: Requires the StealthAUDIT SharePoint Agent to be installed on the Application server that hosts the “Central Administration” component.
  • Agent-less scans:
    • SharePoint Application Server permissions:
      • Local group membership to Backup Operators
      • Local group membership to WSS_WPG
    • SharePoint Farm permissions:
      • Membership in the Farm Read group at the farm level
    • Web Application permissions:
      • Custom Role with Site Collection Auditor at the web application level with the Open Items permission
    • SharePoint Database Server – SPDataAccess permission on the desired Configuration database and all Content databases
    • MySites permissions are based on the SharePointAccess Data Collection configuration option:
      • Forcing the service account to become a temporary admin of the personal sites, either as the service account or as a member of the Company Administrators group, requires the SharePoint Farm Administrator role or Site Collection Auditor at the web application housing MySites.
      • The skipping inaccessible personal sites option will only scan sites where the service account has administrative access.
Configure SharePoint Farm Permissions
Follow the steps to configure the SharePoint Farm level permissions on SharePoint 2010 through
SharePoint 2019 farms.
Step 1 – In the SharePoint Central Administration Center, navigate to the Security section.
Step 2 – Select the Manage the farm administrators group option under Users.
Step 3 – If the Farm Read group exists, add the service account to that group. If the Farm Read
group has been deleted, it is necessary to create a new group with Read privileges at the Farm
level:
• Select More under the Groups section.
• Select New Group from the New drop-down menu.
• Ensure the group has the Read – Can view pages and list items and download documents permission.
• Add the service account to this new group.
The service account has Read level access at the Farm level.
Configure SharePoint Web Application Permissions
Follow the steps to configure the SharePoint web application level permissions on SharePoint
2010 through SharePoint 2019 farms.
Step 1 – In the SharePoint Central Administration Center, navigate to the Application
Management section.
Step 2 – Select Manage web applications option under Web Applications.
Step 3 – Create a new policy for the desired web application. Follow these steps:
• Click Permission Policy. The Manage Permission Policy Levels window opens.
• Click Add Permission Policy Level. Select the following:
  • Check the Site Collection Auditor permission.
  • Check the Open Items box in the Site Permissions Grant column.
• Click Save.
Step 4 – Repeat Step 3 for each web application in scope. It is recommended to give these
policies the same name.
Step 5 – Add the service account to the newly created roles. Follow these steps:
• Select a web application with the newly created role.
• Click User Policy. The Policy for Web Application window opens.
• Click Add Users. Leave all zones selected and click Next.
• Add the service account in the Users textbox. Check the newly created role with Site Collection Auditor in the Permissions section. Click Finish.
Step 6 – Repeat Step 5 for each web application in scope.
The service account is provisioned as a Site Collection Auditor on all web applications to be
audited.
Configure SharePoint Database Server Permissions
Follow the steps to configure the SharePoint database server permissions on SharePoint 2010
through SharePoint 2019 farms.
Step 1 – Navigate to the SharePoint database server user configuration via SQL Management
Studio.
Step 2 – Provision the service account to have:
• On SharePoint 2013 through SharePoint 2019 – SPDataAccess Database role membership
  • This database role membership needs to be configured on:
    • SharePoint Configuration database (SharePoint_Config)
    • All SharePoint Content databases housing web application data (by default the content databases begin with WSS_Content_, but they can be customized)
The service account is provisioned with SharePoint database permissions.
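The same provisioning done from the command line, as an added example that is not part of the Stealthbits guide: it enumerates the configuration database and every content database from the farm itself (so customized content database names are not missed) and grants the SPDataAccess role on each. It assumes the SharePoint Management Shell on the Central Administration server, the SqlServer PowerShell module for Invoke-Sqlcmd, a caller with sysadmin rights on the SQL instances, and a placeholder service account name.

```powershell
# Added example, not Stealthbits code. Grants SPDataAccess to the StealthAUDIT
# service account on the farm's configuration database and all content databases.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module SqlServer

$ServiceAccount = 'CONTOSO\svc_stealthaudit'   # placeholder, replace with the real account

# The farm object is named after its configuration database; content databases
# are the SPContentDatabase objects, whatever they were called at creation time.
$configDbName = (Get-SPFarm).Name
$databases = Get-SPDatabase | Where-Object {
    $_.Name -eq $configDbName -or
    $_ -is [Microsoft.SharePoint.Administration.SPContentDatabase]
}

# Idempotent T-SQL: create the Windows login and database user only if they are
# missing, then add the user to the SPDataAccess role that SharePoint ships.
$grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ServiceAccount')
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
ALTER ROLE [SPDataAccess] ADD MEMBER [$ServiceAccount];
"@

# Verification query: count the role membership rows for the account.
$checkSql = @"
SELECT COUNT(*) AS n
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SPDataAccess' AND m.name = N'$ServiceAccount';
"@

foreach ($db in $databases) {
    $server = $db.NormalizedDataSource
    Invoke-Sqlcmd -ServerInstance $server -Database $db.Name -Query $grantSql
    $result = Invoke-Sqlcmd -ServerInstance $server -Database $db.Name -Query $checkSql
    [pscustomobject]@{
        Server    = $server
        Database  = $db.Name
        HasRole   = ($result.n -eq 1)   # $false means the grant did not take
    }
}
```

The output lists one row per database; any row with HasRole set to False should be investigated before running the first SPAA scan.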
Install the StealthAUDIT SharePoint Agent
Follow the steps to install the SharePoint Agent on the Application server that hosts the “Central
Administration” component of the targeted SharePoint farm(s).
Step 1 – Run the StealthAUDITSPAA.exe executable and the StealthAUDIT SharePoint Agent
Setup Wizard will open.
Step 2 – Navigate to the End-User License Agreement page, check the I accept the terms in the
License Agreement box and click Next.
Step 3 – Optionally, change the installation directory on the Destination Folder page. Click Next to
install to the default folder or click Change to select a different location.
Step 4 – On the Configure Service Security page, enter the User Name and Password for the
SharePoint Service Account.
Step 5 – Navigate to the StealthAUDIT SharePoint Agent page, click Install to start installation.
Then click Finish to close the wizard.
The StealthAUDIT SharePoint Agent is installed. Remember, Sensitive Data Discovery Auditing
scans also require the 64-bit version of the Sensitive Data Discovery Add-on be installed on the
server hosting the StealthAUDIT SharePoint Agent in order for Sensitive Data Discovery
collections to successfully occur.
SharePoint On-Premise Configuration for Activity Monitoring
SharePoint Event Auditing must be enabled for each site collection to be monitored by the
Activity Monitor and/or audited by StealthAUDIT. The following sections provide instructions for
the specific version of SharePoint.
For StealthAUDIT Activity Auditing (SPAC) scans, the audit logs generated by SharePoint must be
retained for more days than the number of days between the StealthAUDIT scans.
RECOMMENDED: For the Activity Monitor, select all events to be monitored in both the
Documents and Items section and the List, Libraries, and Site section.
Once SharePoint Event Auditing has been enabled, StealthAUDIT can collect the logs for Activity
Auditing (SPAC) scans and/or the SharePoint farm can be added to the Monitored Hosts tab of
the Activity Monitor Console. See the Monitored Host Configuration section for additional
information.
Enable Event Auditing on SharePoint 2013 through SharePoint 2019
Follow the steps for each site collection within a SharePoint 2013 through SharePoint 2019 farm.
Step 1 – Select Settings > Site settings.
Step 2 – Under Site Collection Administration, click Go to top level site settings.
Step 3 – On the Site Settings page, under Site Collection Administration, select Site collection
audit settings.
Step 4 – On the Configure Audit Settings page, in the Documents and Items section select the
events to be audited.
Step 5 – Still on the Configure Audit Settings page, in the List, Libraries, and Site section select
the events to be audited.
Step 6 – Click OK to save the changes.
SharePoint will create the audit logs to be monitored by the Activity Monitor and/or audited by
StealthAUDIT. See the Microsoft Configure audit settings for a site collection (SharePoint
2013/2016/2019) article for additional information.
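Applying the same audit settings to every site collection of a web application at once, as an added example that is not part of the Stealthbits guide. It enables all events in both the Documents and Items section and the List, Libraries, and Site section (the RECOMMENDED setting above) and checks that audit log trimming keeps more days than the interval between SPAC scans. It assumes the SharePoint Management Shell; the web application URL and the scan interval are placeholders.

```powershell
# Added example, not Stealthbits code. Enables SharePoint event auditing on all
# site collections of one web application and verifies the retention setting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl        = 'http://intranet.contoso.local'   # placeholder web application
$ScanIntervalDays = 7                                  # placeholder: days between SPAC scans
$RetentionDays    = $ScanIntervalDays * 2              # margin so trimming never outruns a scan

function Set-SiteCollectionAuditing {
    param([Microsoft.SharePoint.SPSite]$Site)
    $audit = $Site.Audit
    # SPAuditMaskType.All covers every event of both sections on the
    # Configure Audit Settings page (view, edit, check in/out, delete, moves,
    # searches, permission and schema changes, workflow, ...).
    $audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::All
    # Trimming deletes old events; if it runs before StealthAUDIT collects,
    # activity is lost, so retention must exceed the scan interval.
    $audit.TrimAuditLog = $true
    $audit.AuditLogTrimmingRetention = $RetentionDays
    $audit.Update()
}

function Test-SiteCollectionAuditing {
    param([Microsoft.SharePoint.SPSite]$Site)
    $audit = $Site.Audit
    [pscustomobject]@{
        Url             = $Site.Url
        AllEvents       = ($audit.AuditFlags -eq [Microsoft.SharePoint.SPAuditMaskType]::All)
        RetentionDays   = $audit.AuditLogTrimmingRetention
        # Only true when retention is long enough for the configured scan cadence.
        RetentionOk     = (-not $audit.TrimAuditLog) -or
                          ($audit.AuditLogTrimmingRetention -gt $ScanIntervalDays)
    }
}

Get-SPSite -WebApplication $WebAppUrl -Limit All | ForEach-Object {
    try {
        Set-SiteCollectionAuditing -Site $_
        Test-SiteCollectionAuditing -Site $_
    } finally {
        $_.Dispose()   # SPSite objects hold unmanaged resources
    }
}
```

Rows where AllEvents or RetentionOk is False identify site collections that the Activity Monitor or an SPAC scan would only partially cover.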
StealthAUDIT Connection Profile & Host List
Once the target environment has been configured for auditing, it is necessary to create a custom
Connection Profile and a custom Host List within StealthAUDIT.
SharePoint On-Premises Custom Connection Profile
Within StealthAUDIT, create a Connection Profile for the target hosts with the credentials
configured. It should align to the target host list to be created next. For Access Auditing (SPAA)
and/or Sensitive Data Discovery Auditing scans, the Connection Profile needs to contain the
account provisioned for Access Auditing (SPAA). For Activity Auditing (SPAC) scans, the
Connection Profile needs to contain the credential with access to read the activity log files that
the Activity Monitor activity agent creates.
For a domain account, set the following information on the User Credentials window:
• Select Account Type – Active Directory Account
• Domain – Select from the drop-down menu or type in the textbox
• User name – Type the user name
• Password Storage – Application (unless the credential is stored within the CyberArk Enterprise Password Vault)
• Password – [For the provided user account]
• Confirm – Re-type the password
See the Connection section of the StealthAUDIT User Guides v11.5 for instructions on creating a
Connection Profile.
Apply the Connection Profile to the host inventory query and to the SharePoint > 0.Collection Job
Group.
SharePoint Custom Host List
Create a custom host list containing the target hosts for which the Connection Profile just created
contains credentials. For SharePoint on-premise, the target host needs to be the SharePoint
Application server that hosts the “Central Administration” component.
If the target hosts are located within a specific OU within the domain, then the StealthAUDIT Host
Discovery Wizard can be used. Scope the discovery query task by selecting the Query an Active
Directory server (General) option on the Source page, and then by navigating to the OU on the
Active Directory page. See the Query an Active Directory Server (General) Source Option section
of the StealthAUDIT User Guides v11.5 for additional information.
A custom host list can be manually created by entering the host names, or it can be imported
from either a CSV file or a database table. See the Add Hosts section of the StealthAUDIT User
Guides v11.5 for additional information.
Assign the custom host list to the SharePoint > 0.Collection Job Group.
More Information
Identify threats. Secure data. Reduce risk.
Stealthbits, now part of Netwrix is a data security software company focused on protecting an
organization’s credentials and data. By removing inappropriate data access, enforcing security
policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements,
and decrease operations expense.
For information on our products and solution lines, check out our website at
www.stealthbits.com or send an email to our information center at info@stealthbits.com.
If you would like to speak with a Stealthbits Sales Representative, please contact us at
+1.201.447.9300 or via email at sales@stealthbits.com.
Have questions? Check out our online Documentation or our Training Videos (requires login):
https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please
contact Stealthbits Support at +1.201.447.9359 or via email at support@stealthbits.com.
Need formal training on how to use a product more effectively in your organization? Stealthbits is
proud to offer FREE online training to all customers and prospects! For schedule information,
visit: https://www.stealthbits.com/on-demand-training.