From 84503c065fdf0349c4afb52f3ff89e86fe1a8a33 Mon Sep 17 00:00:00 2001 
From: Luke Hunter Date: Tue, 27 Jan 2026 11:47:38 +0000 Subject: [PATCH 1/5] Created 3.1 docs --- .../3.1/administration/_category_.json | 10 + .../configuration/_category_.json | 10 + .../integrations/_category_.json | 10 + .../integrations/activedirectorysync.md | 241 ++++++++++++++++ .../configuration/integrations/apptoken.md | 65 +++++ .../integrations/credentialprofile.md | 194 +++++++++++++ .../configuration/integrations/email.md | 78 ++++++ .../configuration/integrations/entraidsync.md | 176 ++++++++++++ .../integrations/foldersettings.md | 96 +++++++ .../integrations/netwrixintegrations.md | 216 +++++++++++++++ .../configuration/integrations/overview.md | 31 +++ .../integrations/page/_category_.json | 10 + .../integrations/page/openid/_category_.json | 10 + .../integrations/page/openid/entraidopenid.md | 202 ++++++++++++++ .../integrations/page/openid/openid.md | 73 +++++ .../configuration/integrations/page/page.md | 55 ++++ .../configuration/integrations/page/radius.md | 120 ++++++++ .../configuration/integrations/page/saml.md | 80 ++++++ .../configuration/integrations/siem.md | 102 +++++++ .../integrations/tagmanagement.md | 164 +++++++++++ .../administration/configuration/overview.md | 29 ++ .../configuration/policies/_category_.json | 10 + .../configuration/policies/honeytoken.md | 99 +++++++ .../configuration/policies/overview.md | 74 +++++ .../policies/policiesconfiguration.md | 199 ++++++++++++++ .../systemhealth/_category_.json | 10 + .../configuration/systemhealth/actionqueue.md | 15 + .../configuration/systemhealth/agents.md | 20 ++ .../configuration/systemhealth/backlog.md | 15 + .../configuration/systemhealth/overview.md | 25 ++ .../configuration/systemhealth/services.md | 35 +++ .../systemsettings/_category_.json | 10 + .../configuration/systemsettings/about.md | 23 ++ .../configuration/systemsettings/auditing.md | 35 +++ .../configuration/systemsettings/licensing.md | 40 +++ .../configuration/systemsettings/overview.md | 23 ++ 
.../systemsettings/systemjobs.md | 99 +++++++ .../systemsettings/useraccess.md | 246 +++++++++++++++++ .../threatdetection/_category_.json | 10 + .../threatdetection/threatconfiguration.md | 171 ++++++++++++ .../threatdetection/threatdetection.md | 61 ++++ .../configuration/threatresponse.md | 106 +++++++ docs/threatmanager/3.1/administration/home.md | 48 ++++ .../investigations/_category_.json | 10 + .../investigations/auditcompliance.md | 45 +++ .../investigations/favorites.md | 43 +++ .../investigations/myinvestigations.md | 28 ++ .../investigations/newinvestigation.md | 68 +++++ .../investigations/options/_category_.json | 10 + .../investigations/options/edit.md | 70 +++++ .../investigations/options/export.md | 137 +++++++++ .../investigations/options/filters.md | 260 ++++++++++++++++++ .../investigations/options/overview.md | 60 ++++ .../investigations/options/subscription.md | 71 +++++ .../administration/investigations/overview.md | 53 ++++ .../predefinedinvestigations.md | 109 ++++++++ .../administration/investigations/reports.md | 128 +++++++++ .../investigations/subscriptionsexports.md | 94 +++++++ .../3.1/administration/overview.md | 122 ++++++++ .../administration/playbooks/_category_.json | 10 + .../playbooks/action/_category_.json | 10 + .../playbooks/action/activedirectory.md | 94 +++++++ .../playbooks/action/entraid.md | 88 ++++++ .../playbooks/action/localhost.md | 76 +++++ .../playbooks/action/overview.md | 31 +++ .../administration/playbooks/action/tag.md | 34 +++ .../playbooks/action/thirdparty.md | 147 ++++++++++ .../playbooks/action/windowsfileserver.md | 44 +++ .../playbooks/action/windowsserver.md | 61 ++++ .../3.1/administration/playbooks/editstep.md | 29 ++ .../3.1/administration/playbooks/export.md | 21 ++ .../3.1/administration/playbooks/import.md | 23 ++ .../administration/playbooks/importsteps.md | 23 ++ .../3.1/administration/playbooks/overview.md | 180 ++++++++++++ .../3.1/administration/playbooks/save.md | 20 ++ 
.../3.1/administration/playbooks/trigger.md | 27 ++ .../3.1/administration/serviceaccounts.md | 57 ++++ .../administration/threats/_category_.json | 10 + .../activedirectoryobjects/_category_.json | 10 + .../activedirectoryobjects.md | 90 ++++++ .../threats/activedirectoryobjects/group.md | 83 ++++++ .../threats/activedirectoryobjects/host.md | 68 +++++ .../threats/activedirectoryobjects/user.md | 99 +++++++ .../threats/entraidobjects/_category_.json | 10 + .../entraidobjects/entraidapplication.md | 107 +++++++ .../threats/entraidobjects/entraidgroup.md | 134 +++++++++ .../threats/entraidobjects/entraidobjects.md | 88 ++++++ .../threats/entraidobjects/entraidrole.md | 43 +++ .../threats/entraidobjects/entraiduser.md | 149 ++++++++++ .../threats/threatdetails/_category_.json | 10 + .../threats/threatdetails/abnormalbehavior.md | 32 +++ .../threats/threatdetails/overview.md | 177 ++++++++++++ .../3.1/administration/threats/threats.md | 170 ++++++++++++ .../troubleshooting/_category_.json | 10 + .../3.1/administration/troubleshooting/log.md | 40 +++ .../troubleshooting/overview.md | 13 + .../troubleshooting/updatepasswords.md | 37 +++ docs/threatmanager/3.1/gettingstarted.md | 86 ++++++ docs/threatmanager/3.1/index.md | 52 ++++ .../threatmanager/3.1/install/_category_.json | 10 + .../3.1/install/actionservice.md | 119 ++++++++ docs/threatmanager/3.1/install/application.md | 96 +++++++ docs/threatmanager/3.1/install/database.md | 92 +++++++ .../3.1/install/firstlaunch/_category_.json | 10 + .../3.1/install/firstlaunch/firstlaunch.md | 67 +++++ .../3.1/install/firstlaunch/login.md | 21 ++ .../3.1/install/integration/_category_.json | 10 + .../3.1/install/integration/accessanalyzer.md | 91 ++++++ .../install/integration/activitymonitor.md | 22 ++ .../3.1/install/integration/overview.md | 26 ++ .../threatprevention/_category_.json | 10 + .../threatmanagerconfiguration.md | 160 +++++++++++ .../threatprevention/threatprevention.md | 26 ++ 
docs/threatmanager/3.1/install/overview.md | 120 ++++++++ docs/threatmanager/3.1/install/secure.md | 180 ++++++++++++ .../3.1/install/upgrade/_category_.json | 10 + .../3.1/install/upgrade/upgrade.md | 61 ++++ .../3.1/install/upgrade/upgrade2.8.md | 163 +++++++++++ .../3.1/install/upgrade/upgrade3.0.md | 122 ++++++++ .../3.1/requirements/_category_.json | 10 + .../3.1/requirements/actionservice.md | 42 +++ docs/threatmanager/3.1/requirements/client.md | 15 + .../3.1/requirements/database.md | 43 +++ .../3.1/requirements/overview.md | 54 ++++ .../requirements/permissions/_category_.json | 10 + .../3.1/requirements/permissions/adsync.md | 24 ++ .../requirements/permissions/entraidsync.md | 28 ++ .../3.1/requirements/permissions/overview.md | 14 + docs/threatmanager/3.1/requirements/ports.md | 88 ++++++ docs/threatmanager/3.1/requirements/server.md | 110 ++++++++ .../threatmanager/3.1/threats/_category_.json | 10 + .../3.1/threats/activedirectory.md | 130 +++++++++ docs/threatmanager/3.1/threats/custom.md | 96 +++++++ docs/threatmanager/3.1/threats/entraid.md | 63 +++++ docs/threatmanager/3.1/threats/filesystem.md | 51 ++++ docs/threatmanager/3.1/threats/general.md | 42 +++ docs/threatmanager/3.1/threats/overview.md | 25 ++ sidebars/threatmanager/3.1.js | 16 ++ .../serviceaccounts/dashboard.webp | Bin 0 -> 73724 bytes 139 files changed, 9434 insertions(+) create mode 100644 docs/threatmanager/3.1/administration/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md create mode 100644 
docs/threatmanager/3.1/administration/configuration/integrations/email.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/overview.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/openid/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/openid/entraidopenid.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/openid/openid.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/page.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/radius.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/page/saml.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/siem.md create mode 100644 docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md create mode 100644 docs/threatmanager/3.1/administration/configuration/overview.md create mode 100644 docs/threatmanager/3.1/administration/configuration/policies/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md create mode 100644 docs/threatmanager/3.1/administration/configuration/policies/overview.md create mode 100644 docs/threatmanager/3.1/administration/configuration/policies/policiesconfiguration.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemhealth/_category_.json create mode 100644 
docs/threatmanager/3.1/administration/configuration/systemhealth/actionqueue.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemhealth/agents.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemhealth/backlog.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemhealth/overview.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemhealth/services.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/about.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/overview.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/systemjobs.md create mode 100644 docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md create mode 100644 docs/threatmanager/3.1/administration/configuration/threatdetection/_category_.json create mode 100644 docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md create mode 100644 docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md create mode 100644 docs/threatmanager/3.1/administration/configuration/threatresponse.md create mode 100644 docs/threatmanager/3.1/administration/home.md create mode 100644 docs/threatmanager/3.1/administration/investigations/_category_.json create mode 100644 docs/threatmanager/3.1/administration/investigations/auditcompliance.md create mode 100644 docs/threatmanager/3.1/administration/investigations/favorites.md create mode 100644 docs/threatmanager/3.1/administration/investigations/myinvestigations.md create mode 
100644 docs/threatmanager/3.1/administration/investigations/newinvestigation.md create mode 100644 docs/threatmanager/3.1/administration/investigations/options/_category_.json create mode 100644 docs/threatmanager/3.1/administration/investigations/options/edit.md create mode 100644 docs/threatmanager/3.1/administration/investigations/options/export.md create mode 100644 docs/threatmanager/3.1/administration/investigations/options/filters.md create mode 100644 docs/threatmanager/3.1/administration/investigations/options/overview.md create mode 100644 docs/threatmanager/3.1/administration/investigations/options/subscription.md create mode 100644 docs/threatmanager/3.1/administration/investigations/overview.md create mode 100644 docs/threatmanager/3.1/administration/investigations/predefinedinvestigations.md create mode 100644 docs/threatmanager/3.1/administration/investigations/reports.md create mode 100644 docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md create mode 100644 docs/threatmanager/3.1/administration/overview.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/_category_.json create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/_category_.json create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/activedirectory.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/entraid.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/localhost.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/overview.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/tag.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/thirdparty.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/windowsfileserver.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/action/windowsserver.md create mode 100644 
docs/threatmanager/3.1/administration/playbooks/editstep.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/export.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/import.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/importsteps.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/overview.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/save.md create mode 100644 docs/threatmanager/3.1/administration/playbooks/trigger.md create mode 100644 docs/threatmanager/3.1/administration/serviceaccounts.md create mode 100644 docs/threatmanager/3.1/administration/threats/_category_.json create mode 100644 docs/threatmanager/3.1/administration/threats/activedirectoryobjects/_category_.json create mode 100644 docs/threatmanager/3.1/administration/threats/activedirectoryobjects/activedirectoryobjects.md create mode 100644 docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md create mode 100644 docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md create mode 100644 docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md create mode 100644 docs/threatmanager/3.1/administration/threats/entraidobjects/_category_.json create mode 100644 docs/threatmanager/3.1/administration/threats/entraidobjects/entraidapplication.md create mode 100644 docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md create mode 100644 docs/threatmanager/3.1/administration/threats/entraidobjects/entraidobjects.md create mode 100644 docs/threatmanager/3.1/administration/threats/entraidobjects/entraidrole.md create mode 100644 docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md create mode 100644 docs/threatmanager/3.1/administration/threats/threatdetails/_category_.json create mode 100644 docs/threatmanager/3.1/administration/threats/threatdetails/abnormalbehavior.md create mode 100644 
docs/threatmanager/3.1/administration/threats/threatdetails/overview.md create mode 100644 docs/threatmanager/3.1/administration/threats/threats.md create mode 100644 docs/threatmanager/3.1/administration/troubleshooting/_category_.json create mode 100644 docs/threatmanager/3.1/administration/troubleshooting/log.md create mode 100644 docs/threatmanager/3.1/administration/troubleshooting/overview.md create mode 100644 docs/threatmanager/3.1/administration/troubleshooting/updatepasswords.md create mode 100644 docs/threatmanager/3.1/gettingstarted.md create mode 100644 docs/threatmanager/3.1/index.md create mode 100644 docs/threatmanager/3.1/install/_category_.json create mode 100644 docs/threatmanager/3.1/install/actionservice.md create mode 100644 docs/threatmanager/3.1/install/application.md create mode 100644 docs/threatmanager/3.1/install/database.md create mode 100644 docs/threatmanager/3.1/install/firstlaunch/_category_.json create mode 100644 docs/threatmanager/3.1/install/firstlaunch/firstlaunch.md create mode 100644 docs/threatmanager/3.1/install/firstlaunch/login.md create mode 100644 docs/threatmanager/3.1/install/integration/_category_.json create mode 100644 docs/threatmanager/3.1/install/integration/accessanalyzer.md create mode 100644 docs/threatmanager/3.1/install/integration/activitymonitor.md create mode 100644 docs/threatmanager/3.1/install/integration/overview.md create mode 100644 docs/threatmanager/3.1/install/integration/threatprevention/_category_.json create mode 100644 docs/threatmanager/3.1/install/integration/threatprevention/threatmanagerconfiguration.md create mode 100644 docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md create mode 100644 docs/threatmanager/3.1/install/overview.md create mode 100644 docs/threatmanager/3.1/install/secure.md create mode 100644 docs/threatmanager/3.1/install/upgrade/_category_.json create mode 100644 docs/threatmanager/3.1/install/upgrade/upgrade.md create mode 100644 
docs/threatmanager/3.1/install/upgrade/upgrade2.8.md create mode 100644 docs/threatmanager/3.1/install/upgrade/upgrade3.0.md create mode 100644 docs/threatmanager/3.1/requirements/_category_.json create mode 100644 docs/threatmanager/3.1/requirements/actionservice.md create mode 100644 docs/threatmanager/3.1/requirements/client.md create mode 100644 docs/threatmanager/3.1/requirements/database.md create mode 100644 docs/threatmanager/3.1/requirements/overview.md create mode 100644 docs/threatmanager/3.1/requirements/permissions/_category_.json create mode 100644 docs/threatmanager/3.1/requirements/permissions/adsync.md create mode 100644 docs/threatmanager/3.1/requirements/permissions/entraidsync.md create mode 100644 docs/threatmanager/3.1/requirements/permissions/overview.md create mode 100644 docs/threatmanager/3.1/requirements/ports.md create mode 100644 docs/threatmanager/3.1/requirements/server.md create mode 100644 docs/threatmanager/3.1/threats/_category_.json create mode 100644 docs/threatmanager/3.1/threats/activedirectory.md create mode 100644 docs/threatmanager/3.1/threats/custom.md create mode 100644 docs/threatmanager/3.1/threats/entraid.md create mode 100644 docs/threatmanager/3.1/threats/filesystem.md create mode 100644 docs/threatmanager/3.1/threats/general.md create mode 100644 docs/threatmanager/3.1/threats/overview.md create mode 100644 sidebars/threatmanager/3.1.js create mode 100644 static/images/threatmanager/3.1/administration/serviceaccounts/dashboard.webp diff --git a/docs/threatmanager/3.1/administration/_category_.json b/docs/threatmanager/3.1/administration/_category_.json new file mode 100644 index 0000000000..51435b6e32 --- /dev/null +++ b/docs/threatmanager/3.1/administration/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Administration", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file 
diff --git a/docs/threatmanager/3.1/administration/configuration/_category_.json b/docs/threatmanager/3.1/administration/configuration/_category_.json new file mode 100644 index 0000000000..bed0e5a225 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Configuration Menu", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/_category_.json b/docs/threatmanager/3.1/administration/configuration/integrations/_category_.json new file mode 100644 index 0000000000..5fd5950dee --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Integrations Interface", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md new file mode 100644 index 0000000000..a31b507cba --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md 
@@ -0,0 +1,241 @@ +--- +title: "Active Directory Sync Page" +description: "Active Directory Sync Page" +sidebar_position: 10 +--- + +# Active Directory Sync Page + +The Active Directory Sync page within the Integrations interface lists the domains that are synced +to theThreat Manager database. The sync operation gets all information about an Active Directory +environment (users, groups, hosts, etc).See the +[Permissions for Active Directory Sync ](/docs/threatmanager/3.1/requirements/permissions/adsync.md) topic for +additional information about the permissions required for Active Directory syncing. + +Use the gear icon in the upper right corner of the console to open the Configuration menu. Then +select **Integrations** to open the Integrations interface. + +Click **Active Directory Sync** in the navigation pane to view a list of the already added Active +Directory domains, if any. Each added domain represents a sync policy. + +![Integrations interface on the Active Directory Sync page](/images/threatmanager/3.0/administration/configuration/integrations/page.webp) + +A service named Active Directory Service continuously runs to collect data for the specified +domain(s). It evaluates the USN value of an object and syncs when the object changes. The table +provides the following information: + +- Name – Name of the domain. This may be either the domain DNS name or domain controller hostname. +- Enabled – icon indicates the enabled state: + + - Checkmark icon – Enabled + - X icon – Disabled + +- Profile – Name of the Credential Profile assigned to the policy. As mentioned earlier, each added + domain represents a sync policy. +- Last Sync Start – Date timestamp when the task started for the most recent sync +- Last Sync Status – Event status for the most recent sync task + +To view policy details or make modifications, select a domain from the table or under Active +Directory Sync in the navigation pane. 
+ +## Add an Active Directory Sync Policy + +:::note +Prior to adding an Active Directory Sync policy, you must first configure a Credential +Profile with credentials properly provisioned for running the sync operation for the domain. See the +[Application Server Requirements](/docs/threatmanager/3.1/requirements/server.md) topic for the permissions. See +the [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a +profile. +::: + + +Follow the steps to add a domain/Active Directory sync policy. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click Add New Integration in the navigation pane. The +Add New Integration window opens. + +![Add New Integration window with Active Directory Sync type selected](/images/threatprevention/7.5/reportingmodule/configuration/integrations/activedirectorysync.webp) + +**Step 3 –** In the Type drop-down menu, select Active Directory Sync. + +**Step 4 –** Enter the following information: + +- Domain – Enter the domain DNS name or domain controller hostname in the required format of + [DOMAIN.COM], e.g. NT-DC03.NWXTech.com +- Credential Profile – Select the Credential Profile by name from the drop-down menu. This was + pre-created in the Credential Profiles page. +- Enabled / Disabled – Toggle indicates if the policy is enabled to run the sync service. By default + it is set to Enabled. +- Max Renew Ticket Age (days) – The value indicates the maximum number of days of the Renew Ticket + Age for the domain. This value must match the domain configuration. See the Microsoft + [Max-Renew-Age attribute](https://docs.microsoft.com/en-us/windows/win32/adschema/a-maxrenewage) + article for additional information. 
The default value is 7 days; modify the value by typing in the + textbox. +- Max Ticket Age (hours) – The value indicates the maximum number of hours of the Ticket Age for the + domain. This value must match the domain configuration. See the Microsoft + [Max-Ticket-Age attribute](https://docs.microsoft.com/en-us/windows/win32/adschema/a-maxticketage) + article for additional information. The default value is 10 hours; modify the value by typing in + the textbox. +- Use SSL – Check the box to enable SSL for secure communication with the domain. See the Microsoft + [5.1.1.2 Using SSL/TLS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8e73932f-70cf-46d6-88b1-8d9f86235e81#5112-using-ssltls) + article for additional information. + +**Step 5 –** Click **Test Connection** to ensure connection to the domain. This will take a moment. +Then a message will appear in the upper right corner of the console indicating a successful or +failed connection.If successful, move on to the next step. If failed, recheck your entries for error +and repeat this step until a successful connection is established. + +**Step 6 –** Click Add. The Add New Integration window closes. + +The domain or domain controller (the Domain value supplied in Step 4) is listed in the Integrations +navigation pane. Repeat the process to add additional domains. + +## Active Directory Sync Policy Details + +Follow the steps to view the details of an Active Directory sync policy. + +**Step 7 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 8 –** On the Integrations interface, click **Active Directory Sync** in the navigation pane +to view a list of the already created Active Directory Sync policies, if any. A policy is +represented by the domain for which it is created. 
+ +**Step 9 –** Select a domain from the table or the navigation pane to view the details of the Active +Directory Sync policy created for that domain. + +![Active Directory Sync details page for a specific domain](/images/threatmanager/3.0/administration/configuration/integrations/details.webp) + +Select the domain from the list to see modification options: + +- Name – The box at the top displays the name of the domain + + - Delete – The delete button in the upper right corner of the box opens the Delete Domain window + to confirm the action + +- Domain Configuration – Displays the sync policy settings entered for the selected domain. These + settings can be modified on this tab. See the Domain Configuration Tab topic for additional + information. +- Sync History – Displays the information on each synchronization event. See the Sync History Tab + topic for additional information. + +### Domain Configuration Tab + +The Domain Configuration tab displays the sync policy settings entered for the selected domain. With +the exception of the domain itself, these settings can be updated as needed. + +![Active Directory Sync details page for a specific domain showing the Domain Configuration tab](/images/threatmanager/3.0/administration/configuration/integrations/domainconfigurationtab.webp) + +The Domain Configuration tab displays the following settings: + +- Domain – Displays the domain DNS name or domain controller hostname in the required format of + [DOMAIN.COM], e.g. NT-DC03.NWXTech.com +- Credential Profile – Displays the Credential Profile by name +- Enabled / Disabled – Toggle indicates if the policy is enabled to run the sync service +- Max Renew Ticket Age (days) – Displays the value indicates the maximum number of days of the Renew + Ticket Age for the domain. This value must match the domain configuration. See the Microsoft + [Max-Renew-Age attribute](https://docs.microsoft.com/en-us/windows/win32/adschema/a-maxrenewage) + article for additional information. 
+ + :::note + This value is required to accurately evaluate the Golden Ticket threat. + ::: + + +- Max Ticket Age (hours) – Displays the value indicates the maximum number of hours of the Ticket + Age for the domain. This value must match the domain configuration. See the Microsoft + [Max-Ticket-Age attribute](https://docs.microsoft.com/en-us/windows/win32/adschema/a-maxticketage) + article for additional information. + + :::note + This value is required to accurately evaluate the Golden Ticket threat. + ::: + + +- Use SSL – Indicates whether you have enabled SSL for secure communication with the domain. See the + Microsoft + [5.1.1.2 Using SSL/TLS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8e73932f-70cf-46d6-88b1-8d9f86235e81#5112-using-ssltls) + article for additional information. +- Perform a full scan on next run – Indicates whether the next sync will only look for domain + changes or run a full scan of the domain. By default, this option is enabled for the first sync + executed when a new domain is added; however, it is disabled automatically after the first sync. + This can be used to fully refresh domain information, but is typically not needed for normal + operation. +- Test Connection – Click **Test Connection** to ensure connection to the domain. This will take a + moment. Then a message will appear in the upper right corner of the console indicating a + successful or failed connection. + +The Save button is enabled when any settings are modified. Click it to commit the changes before +leaving the page. + +### Sync History Tab + +The Sync History tab displays the information on each synchronization event. This includes general +information about user, group, and computer objects within the selected domain. 
+ +![Active Directory Sync details page for a specific domain showing the Sync History tab](/images/threatmanager/3.0/administration/configuration/integrations/synchistorytab.webp) + +The table provides the following information: + +- Start Time – Date timestamp when the task started +- End Time – Date timestamp when the task completed +- Users – Number of user objects in the domain +- Users Changed – Number of user objects with changes detected since the last sync +- Groups – Number of group objects in the domain +- Groups Changed – Number of group objects with changes detected since the last sync +- Computers – Number of computer objects in the domain +- Computers Changed – Number of computer objects with changes detected since the last sync +- Status – Event status for the sync task + +The table is designed to display 10 records at a time, by default. However, you can set this to 50, +100, or 1,000 rows with the drop-down menu above the right corner of the table. There is a search +box above the left corner of the table. Page navigation buttons are below the table. You can also +export the data from the current page using the **Export CSV** button. + +## Modify Active Directory Sync Policy + +Follow the steps to modify the Active Directory Sync policy for the selected Active Directory +domain. + +**Step 1 –** On the Integrations interface, click **Active Directory Sync** in the navigation pane +to view a list of the already created Active Directory Sync policies, if any. A policy is +represented by the domain for which it is created. + +**Step 2 –** The Domain Configuration tab opens, where you can make the desired modification. + +:::tip +Remember, the domain cannot be modified. 
+::: + + +![Active Directory Sync details page for a specific domain showing the Domain Configuration tab](/images/threatmanager/3.0/administration/configuration/integrations/domainconfigurationtab.webp) + +**Step 3 –** To modify the Credential Profile, select the Credential Profile by name from the +drop-down menu. This was pre-created in the Credential Profiles page. + +:::note +If you modify the Credential Profile for a domain, click **Test Connection** to ensure +connection to the domain. This will take a moment. Then a message will appear in the upper right +corner of the console indicating a successful or failed connection. +::: + + +**Step 4 –** Click the toggle to change the Enabled/Disabled state of the policy. + +**Step 5 –** For the Max Renew Ticket Age (days) value, modify the value by typing in the textbox. + +**Step 6 –** For the Max Ticket Age (hours) value, modify the value by typing in the textbox. + +**Step 7 –** Select or deselect the **Use SSL** box for the desired security state for communication +with the domain. + +**Step 8 –** Select the **Perform a full scan on next run** checkbox to force the next sync to run a +full scan of the domain. + +**Step 9 –** The Save button is enabled when any settings are modified. Click it to commit the +changes before leaving the page. + +The changes to the Domain Configuration have been saved. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md b/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md new file mode 100644 index 0000000000..e7fe5066f9 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md 
@@ -0,0 +1,65 @@ +--- +title: "App Tokens Page" +description: "App Tokens Page" +sidebar_position: 30 +--- + +# App Tokens Page + +The App Tokens page provides the ability to generate and manage the app tokens needed to send data +to Threat Manager. An app token is used by Threat Manager and/or the Activity Monitor to push Active +Directory activity data into the Threat Manager database. An app token is used by Access Analyzer to +push a list of files containing sensitive data into the Threat Manager database. + +![page](/images/threatmanager/3.0/administration/configuration/integrations/page_1.webp) + +It is necessary to generate an app token for each product integration. The App Tokens table displays +the following information for each generated app token: + +- Name – Name of the app token +- Description – Description for the app token +- Enabled – If set to ON, allows access to the generated app token. If set to OFF, disallows access + for the generated app token. + +## Generate an App Token + +Follow the steps to generate an app token. + +**Step 1 –** On the Integrations page, click **Add New Integration**. + +![apptoken](/images/threatmanager/3.0/administration/configuration/integrations/apptoken.webp) + +**Step 2 –** In the Type drop-down menu, select **App Token**. + +**Step 3 –** Enter a Name for the token in the Name field, and a Description for the token in the +Description field. + +:::info +Identify the data source for this app in either the Name or Description fields. +::: + + +**Step 4 –** Click Add to generate the app token. + +The app token is added to the App Tokens list in the Integrations box. + +## View and Copy the App Token + +To view the details for an app token, click on the app token name in the Integrations box. The top +of the page displays the app token name and the description. These can be modified by clicking on +the name or description and entering the desired information. 
+ +![details](/images/threatmanager/3.0/administration/configuration/integrations/details_1.webp) + +Ensure that the app token is enabled for sending data to Threat Manager. In the General box, verify +that the status is set to **ON**. + +Follow the instructions to copy the app token. + +**Step 1 –** In the App Token box, click **Copy Token**.The app token is copied to the clipboard. + +**Step 2 –** Paste the app token to the desired location. + +**Step 3 –** Click **Save** to save any changes to the page. + +Repeat this process to copy any desired app tokens. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md b/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md new file mode 100644 index 0000000000..0b5ee1a641 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md 
@@ -0,0 +1,194 @@ +--- +title: "Credential Profile Page" +description: "Credential Profile Page" +sidebar_position: 50 +--- + +# Credential Profile Page + +The Credential Profile page within the Integrations interface lists all of the credentials used by +the application to complete tasks. These credentials are securely stored. + +![Integrations interface on the Credential Profile page](/images/threatmanager/3.0/administration/configuration/integrations/page_2.webp) + +The table displays the user name for each profile. To view profile details or make modifications, +select a profile from the table or under Credential Profile in the navigation pane. + +See the [Application Server Requirements](/docs/threatmanager/3.1/requirements/server.md) topic for information on +permission requirements for each type of task. + +**Best Practice Recommendation** + +It is a best practice to: + +- Create one Credential Profile per domain for Active Directory Sync purposes +- Create a Credential Profile with Writer permissions to the shared folder where subscription + exports will be stored + +## Add a Credential Profile + +Follow the steps to add a Credential Profile. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click Add New Integration in the navigation pane. The +Add New Integration window opens. + +![Add New Integration window with Credential Profile type selected](/images/threatprevention/7.5/reportingmodule/configuration/integrations/credentialprofile.webp) + +**Step 3 –** In the Type drop-down menu, select Credential Profile. 
+ +**Step 4 –** Enter the following information: + +- Name – Provide a unique, descriptive name for the Credential Profile +- Description – Provide a description for the Credential Profile +- Platform – Select the account type for the credential: + + - SQL – For SQL Server accounts + - Windows – For local and Active Directory accounts + +- User Name – Enter the account user name in the required format. For Windows accounts, it is: + [DOMAIN]\[USERNAME], e.g. NWXTech\svc-netwrix +- Password – Enter the password for the credential + +**Step 5 –** Click Add. The Add New Integration window closes. + +The Credential Profile is listed in the Integrations navigation pane. Repeat the process to add +additional Credential Profiles. + +## Credential Profile Details + +Follow the steps to view the details of a Credential Profile. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click **Credential Profile** in the navigation pane to +view a list of the already created Credential Profiles, if any. + +**Step 3 –** Select a Credential Profile from the table or the navigation pane to view its details. + +![Integrations interface displaying the details for a Credenital Profile](/images/threatmanager/3.0/administration/configuration/integrations/details_2.webp) + +Select the profile from the list to see details and modification options: + +- Name and Description – The box at the top displays the name and description of the profile + + - Edit – The edit button in the upper right corner of the box changes those fields from + read-only to editable. See the Edit Profile topic for additional information. 
+ - Delete – The delete button in the upper right corner of the box opens the Delete Profile + window to confirm the action + +- Credentials – This section displays the credentials + + - Edit Credential – The edit button to the right of the credentials opens the Credentials + Settings window, where you canupdate the Platform, User Name, or Password. See the Edit + Credential topic for additional information. + - Delete Credential – The delete button to the right of the credentials opens the Delete + Credential window to confirm the action + - Add Credential – This button allows you to add additional credentials to this profile. This + maybe applicable for action tasks. See the Add Additional Credential to a Profile topic for + additional information. + +## Edit Profile + +Follow the steps to edit a Credential Profile name and/or description. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click **Credential Profile** in the navigation pane to +view a list of the already created Credential Profiles, if any. + +**Step 3 –** Select a Credential Profile from the table or the navigation pane. + +**Step 4 –** Click the **Edit** button in the upper right corner of the name and description box. + +![Name and Description box for a Credential Profile in Edit mode](/images/threatprevention/7.5/reportingmodule/configuration/integrations/editprofile.webp) + +**Step 5 –** To modify the profile name, type in the top field. + +**Step 6 –** To modify the profile description, type in the bottom field. + +**Step 7 –** Click the **Save** button. + +The Credential Profile name and/or description have been modified. + +## Edit Credential + +Follow the steps to edit a credential within a Credential Profile. This may be necessary if the +account password needs to be updated. 
+ +**Step 1 –** On the Integrations interface, click **Credential Profile** in the navigation pane to +view a list of the already created Credential Profiles, if any. Select a Credential Profile. + +**Step 2 –** In the Credentials box, click the edit button to the right of the credential. The +Credential Settings window opens. + +![Credential Settings window](/images/threatprevention/7.5/reportingmodule/configuration/integrations/credentialsettingswindow.webp) + +**Step 3 –** To edit the platform type, select either SQL or Windows from the **Platform** drop-down +menu. + +**Step 4 –** To edit the account user name, enter the account user name in the required format of +[DOMAIN]\[USERNAME], e.g. NWXTech\svc-netwrix. + +**Step 5 –** To update the password, enter the account password in the Password field. + +**Step 6 –** Click **Save**. The Credential Settings window closes. + +The credential within the Credential Profile has been modified. + +## Add Additional Credential to a Profile + +Multiple credentials can be added to a single profile. Credential stacking is when you add multiple +credentials to a single profile. While doing certain actions, these credentials will be enumerated +until one is found that is able to execute the task. 
+ +The following areas use stacking: + +- Active Directory Sync + + - Enumerate the credentials in order until one is able to connect to the domain successfully + +- Threat Prevention Integration + + - Enumerate the credentials in order until one is able to connect to theThreat Prevention + database successfully + +- Actions + + - The full list is available to the actions in the $CredentialList parameter + - The $Credential parameter will be populated with the most appropriate credential from the list + + - The domain of the event will be matched against the domain of the credential + - If none match, the first credential in the list is used + +- Honey Tokens + + - The same logic as $Credential from the action section above + +Follow the steps to add a credential to an existing Credential Profile. + +**Step 1 –** On the Integrations interface, click **Credential Profile** in the navigation pane to +view a list of the already created Credential Profiles, if any. + +**Step 2 –** Click Add Credential. The Add Credentials window opens. + +![Add Credentials window](/images/threatmanager/3.0/administration/configuration/integrations/addcredentialswindow.webp) + +**Step 3 –** Enter the following information: + +- Platform – Select the account type for the credential: + + - SQL – For SQL Server accounts + - Windows – For local and Active Directory accounts + +- User Name – Enter the account user name in the required format. For Windows accounts, it is: + [DOMAIN]\[USERNAME], e.g. NWXTech\svc-netwrix +- Password – Enter the password for the credential + +**Step 4 –** Click Save. The Add Credentials window closes. + +The Credential Profile now has multiple credentials. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/email.md b/docs/threatmanager/3.1/administration/configuration/integrations/email.md new file mode 100644 index 0000000000..0a2135258b --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/email.md 
@@ -0,0 +1,78 @@ +--- +title: "Email Page" +description: "Email Page" +sidebar_position: 60 +--- + +# Email Page + +The Email page within the Integrations interface allows users to configure the application to send +email notifications. + +![Integrations interface on the Email page](/images/threatmanager/3.0/administration/configuration/integrations/page_4.webp) + +The page has the following information: + +- Enabled – Indicates whether email notifications are functioning +- Mail Server – The IP address or server name of the mail server that will be used to send email + notifications +- Port – The Port used by the mail server +- Use TLS – Indicates whether the TLS protocol is in use for email notifications +- Ignore Certificate Errors – Indicates whether certificate errors will be ignored when sending + email +- User Name – The user name of the credentials that will be used when TLS is enabled +- Password – The password for the credentials that will be used when TLS is enabled +- Send From Address – The email address that will be listed as the sender of notifications +- Send Alerts To – The email address(es) that will receive alert notifications, use a semicolon as a + seperator +- Subject – The subject line of the alert notification, which can contain data variables. For + example, [Threat Type] detected by Threat Manager, which would replace the [Threat Type] variable + with the type of threat detected. +- URL – The URL to the application console to be included in the email as a link +- Send Test Email – Click **Send Test Email** to send a test notification to the configured email + address(es) + +## Configure Email Notifications + +Follow the steps to configure email notifications. + +**Step 1 –** On the Integrations interface, click **Email** in the navigation pane. 
+ +![Integrations interface on the Email page showing details](/images/threatmanager/3.0/administration/configuration/integrations/details_4.webp) + +**Step 2 –** Toggle the Enabled button to **ON**, which enables the Send Test Email button. + +**Step 3 –** Enter the following information: + +- Mail Server – Enter the IP address or server name of the mail server that will be used to send + email notifications +- Port – Enter the Port used by the mail server. The default port is 25. +- Use TLS – Toggle the button to **ON** if you wish to enable TLS protocol is in use for email + notifications +- Ignore Certificate Errors –Toggle the button to **ON** if you wish to ensure certificate errors + will be ignored when sending email +- User Name – If applicable, enter the user name of the credentials that will be used when TLS is + enabled +- Password – If applicable, enter the password for the credentials that will be used when TLS is + enabled +- Send From Address – Enter the email address that will be listed as the sender of notifications +- Send Alerts To – Enter the email address(es) that will receive alert notifications, use a + semicolon as a seperator +- Subject – Enter the subject line of the alert notification, which can contain data variables. By + default, this includes the [Threat Type] variable. +- URL – Enter the URL to the application console to be included in the email as a link. By default, + this is set to `http://localhost:8080/` + +:::info +When first configuring email notification, enter your email in the Send Alerts To +field for the connection test completed in Step 4. Once the test is successful, replace your email +with the desired recipients. +::: + + +**Step 4 –** Click **Send Test Email** to send a test notification to the configured email +address(es). Validate the email was sent by checking that the recipient received the email. + +**Step 5 –** Click **Save Settings** to commit the changes. + +Email notifications are now configured. 
diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md b/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md new file mode 100644 index 0000000000..1eb5d9e5c1 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md 
@@ -0,0 +1,176 @@ +--- +title: "Entra ID Sync Page" +description: "Entra ID Sync Page" +sidebar_position: 20 +--- + +# Entra ID Sync Page + +The Entra ID Sync page within the Integrations interface lists all the Entra ID tenants for which +the application is configured to sync.See the +[Application Permissions for Entra ID Sync](/docs/threatmanager/3.1/requirements/permissions/entraidsync.md)topic +for additional information about the permissions required for Microsoft Entra ID syncing. + +![Entra ID Sync Page](/images/threatmanager/3.0/administration/configuration/integrations/entraidsync.webp) + +Microsoft Entra ID Sync schedules the Azure service to collect Microsoft Entra ID data for the +specified Microsoft Entra ID tenant(s). The Microsoft Entra ID Sync runs continuously, evaluating +the USN value of Microsoft Entra ID objects and syncing whenever an object changes. + +- Name – Name of the Microsoft Entra ID tenant. +- Enabled – icon indicates the enabled state: + + - Checkmark icon – Enabled + - X icon – Disabled + +- Profile – Name of the Credential Profile assigned to the policy +- Last Sync Start – Date timestamp when the task started for the most recent sync +- Last Sync Status – Event status for the most recent sync task + +To view policy details or make modifications, select a tenant from the list or select it in the +navigation pane from the Microsoft Entra ID Sync drop-down. + +## Add an Entra ID Sync Policy + +:::note +Prior to adding a Microsoft Entra ID Sync policy, you must first configure a Credential +Profile with a credential properly provisioned for running Microsoft Entra ID Sync within the +Microsoft Entra ID tenant. See the +[Application Server Requirements](/docs/threatmanager/3.1/requirements/server.md) topic for the permissions. See +the [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a +profile. 
+::: + + +Follow the steps to add a policy Microsoft Entra ID Sync. + +**Step 1 –** On the Integrations interface, click Add New Integration in the navigation pane. The +Add New Integration window opens. + +![Add New Integration window with Entra ID Sync type selected](/images/threatmanager/3.0/administration/configuration/integrations/addnewinteg.webp) + +**Step 2 –** In the Type drop-down menu, select Entra ID Sync. + +**Step 3 –** Enter the following information: + +- Tenant – Enter the Microsoft Entra ID tenant you want to connect to (ex. domain onmicrosoft.com) +- Azure Cloud – Enter the specified cloud instance of Microsoft Entra ID tenant +- Credential Profile – Select the Credential Profile by name from the drop-down menu. This was + pre-created in the Credential Profiles page. +- Enabled / Disabled – Toggle indicates if the policy is enabled to run the sync service. By default + it is set to Enabled. + +**Step 4 –** Click **Test Connection** to ensure connection to the tenant. This will take a moment. +Then a message will appear in the upper right corner of the console indicating a successful or +failed connection.If successful, move on to the next step. If failed, recheck your entries for error +and repeat this step until a successful connection is established. + +**Step 5 –** Click Add. The Add New Integration window closes. + +The tenant is listed in the Integrations navigation pane. Repeat the process to add additional +tenants. + +## Entra ID Sync Policy Details + +The Microsoft Entra ID Sync policy details can be viewed by selecting the tenant from the table or +the navigation pane. + +![Tenant Configuration tab](/images/threatmanager/3.0/administration/configuration/integrations/entraidsync_tenantconfiguration.webp) + +Select the tenant from the list to see modification options: + +- Name – The box at the top displays the name of the tenant. 
+ + - Delete – The delete button in the upper right corner of the box opensthe Delete Domain window + to confirm the action + +- Tenant Configuration – Displays the sync policy settings entered for the selected tenant. These + settings can be modified on this tab. See the Tenant Configuration Tab topic for additional + information. +- Sync History – Displays the information on each synchronization event. See the Sync History Tab + topic for additional information. + +## Tenant Configuration Tab + +The Tenant Configuration tab displays the sync policy settings entered for the selected tenant. With +the exception of the Tenant and Azure Cloud fields, these settings can be updated as needed. + +![tenantconfigurationtab](/images/threatmanager/3.0/administration/configuration/integrations/tenantconfigurationtab.webp) + +The Tenant Configuration tab displays the following settings: + +- Tenant – Displays the Microsoft Entra ID tenant you want to connect to (ex. domain + onmicrosoft.com) +- Azure Cloud – the specified cloud instance of Microsoft Entra ID tenant +- Select the Credential Profile by name from the drop-down menu. This was pre-created in the + Credential Profiles page. +- Enabled/Disabled – Toggle indicates if the policy is enabled to run the sync service +- Perform a full scan on next run – Indicates whether the next sync will only look for tenant + changes or run a full scan of the tenant. By default, this option is enabled for the first sync + executed when a new tenant is added; however, it is disabled automatically after the first sync. + This can be used to fully refresh tenant information, but is typically not needed for normal + operation. +- Test Connection – Click **Test Connection** to ensure connection to the tenant. This will take a + moment. Then a message will appear in the upper right corner of the console indicating a + successful or failed connection. + +The Save button is enabled when any settings are modified. 
Click it to commit the changes before +leaving the page. + +## Sync History Tab + +The Sync History tab displays the information on each synchronization event. This includes general +information about user, group, and computer objects within the Entra ID tenant. + +![Entra ID Sync details page for a specific Entra ID tenant showing the Sync History tab](/images/threatmanager/3.0/administration/configuration/integrations/synchistorytab.webp) + +The table provides the following information: + +- Start Time – Date timestamp when the task started +- End Time – Date timestamp when the task completed +- Type – The object class that was being synced +- Total Objects – The total number of objects synced +- Objects Changed – The total number of objects modified since the last sync +- Objects Deleted – The total number of objects that were deleted since the last sync +- Objects Filtered – The total number of objects that were filtered +- Status – Event status for the sync task + +The table is designed to display 50 records at a time, by default. However, you can change it to 100 +or 1,000 rows per page from the Rows per page option given below the right corner of the table. Page +navigation buttons are next to this option. There is a search box above the left corner of the +table. You can also export the data using the **Export to CSV** button above the table. + +## Modify Entra ID Sync Policy + +Follow the steps to modify the Entra ID Sync policy for the selected Microsoft Entra ID tenant. + +**Step 1 –** On the Integrations interface, select the desired Microsoft Entra ID tenant. + +**Step 2 –** On the Tenant Configuration tab, make the desired modification. + +:::tip +Remember, the Tenant and Azure Cloud fields cannot be modified. 
+::: + + +![tenantconfigurationtab](/images/threatmanager/3.0/administration/configuration/integrations/tenantconfigurationtab.webp) + +**Step 3 –** To modify the Credential Profile, select the Credential Profile by name from the +drop-down menu. This was pre-created in the Credential Profiles page. + +:::note +If you modify the Credential Profile for a Microsoft Entra ID tenant, click **Test +Connection** to ensure connection to the tenant. This will take a moment. Then a message will appear +in the upper right corner of the console indicating a successful or failed connection. +::: + + +**Step 4 –** Click the toggle to change the Enabled/Disabled state of the policy. + +**Step 5 –** Select the **Perform a full scan on next run** checkbox to force the next sync to run a +full scan of the domain. + +**Step 6 –** The Save button is enabled when any settings are modified. Click it to commit the +changes before leaving the page. + +The changes to the Tenant Configuration have been saved. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md b/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md new file mode 100644 index 0000000000..efaa74e05b --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md 
@@ -0,0 +1,96 @@ +--- +title: "Folder Settings Page" +description: "Folder Settings Page" +sidebar_position: 70 +--- + +# Folder Settings Page + +The Folder Settings page within the Integrations interface allows users to designate the +Investigation exports folder location. Additionally, a shared folder can be provided for +subscription purposes. + +![Integrations interface on the Folder Settings page](/images/threatmanager/3.0/administration/configuration/integrations/page_5.webp) + +By default, Investigation exports are placed in the Downloads folder of the logged in user, on the +machine where that user is accessing the application. When a Local Folder path is designated, all +Investigation exports are also stored in the specified folder on the application server. + +When shared folders are added, they are displayed in a table at bottom of the page. + +![Shared Folder table on the Folders Settings page](/images/threatprevention/7.5/reportingmodule/configuration/integrations/sharedfoldertable.webp) + +The Shared Folders table has the following columns: + +- Display Name – The name of the shared folder as displayed in the application +- Path to the Shared folder – The path to the shared folder where subscription reports are stored +- Credential Profile – Name of the Credential Profile +- Access – The users that can save their subscription exports to the shared folder +- Last Time tested – Date timestamp when the the shared folder was tested to ensure it is configured + correctly + +**Additional Options** + +When you hover over a row within the Shared Folders table, three additional options are displayed: + +![Shared Folder table on the Folders Settings page showing additional options](/images/threatprevention/7.5/reportingmodule/configuration/integrations/additionaloptions.webp) + +- Refresh Arrow – Tests the shared folder configuration +- Edit – Opens the Add New Shared Folder window to edit the configured settings +- Trash – Deletes the shared folder, which 
prevents the application from using it + +## Designate a Local Folder + +Follow the steps to designate a local folder for Investigation exports. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click **Folder Settings** in the navigation pane. + +![Local Folder settings on the Folder Settings page](/images/threatprevention/7.5/reportingmodule/configuration/integrations/localfolder.webp) + +**Step 3 –** In the Path field, enter a valid folder path on the server where the application is +installed. For example, C:\Reports. + +**Step 4 –** The Save button is enabled when any settings are modified. Click it to commit the +changes before leaving the page. + +Investigation exports will now be saved to the designated local folder on the application server. + +## Add a Shared Folder + +:::note +Prior to adding a shared folder, you must first configure a Credential Profile with Write +access to the shared folder. See the [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic for +additional information on creating a profile. +::: + + +You can specify a shared folder for exporting investigations data from subscriptions through the +Integrations menu. Follow the steps to add a shared folder. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click **Folder Settings** in the navigation pane. + +**Step 3 –** Click **Add Shared Folder**. The Add New Shared Folder window opens. 
+ +![Add New Shared Folder window](/images/threatprevention/7.5/reportingmodule/configuration/integrations/addnewsharedfolderwindow.webp) + +**Step 4 –** Enter the following information: + +- Display Name – Enter a name of the shared folder as displayed in the application +- Credential Profile – Select the Credential Profile by name from the drop-down menu. This was + pre-created in the Credential Profiles page. +- Path – Enter a valid share path with the \\[SERVER NAME]\[PATH TO SHARED FOLDER] format. For + example, \\NT-FS02\Subscriptions. +- Access – Allow specific users to access the folder when configuring subscriptions in the + application. By default, this is set to All users. To limit access, select users from the + drop-down menu. Only users granted application access through the System Settings > User Access + page will be available in the drop-down. + +**Step 5 –** Click **Add**. The Add New Shared Folder window closes. + +The specified shared folder has been configured for subscription exports. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md b/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md new file mode 100644 index 0000000000..b707a02060 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md 
@@ -0,0 +1,216 @@ +--- +title: "Netwrix Integrations Page" +description: "Netwrix Integrations Page" +sidebar_position: 90 +--- + +# Netwrix Integrations Page + +The Netwrix Integrations page within the Integrations interface lists the products for which the +application is configured to connect. + +![Integrations interface on the Netwrix Integration page](/images/threatmanager/3.0/administration/configuration/integrations/page_3.webp) + +Integrations with other Netwrix products enables you to run Investigations on the event data within +the connected database. When you add a Netwrixintegration, the selection for Default Data Source +identifies which database is the default source for Investigation reports. You can change it by +selecting a different database from the drop-down menu. The table provides the following +information: + +- Name – The name of the integration, as supplied when it was added +- Host – The name of the database host +- Catalog – The name of the database +- Profile – The Name of the Credential Profile assigned to the integration +- Description – Integration description, as supplied when it was added + +To view integration details or make modifications, select an integration from the list or under +Netwrix Integrations in the navigation pane. + +## Add a Netwrix Integration + +:::note +Prior to adding a Netwrix Integration, you must first configure a Credential Profile with +credentials properly provisioned for connecting to the database. See the +[Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic for additional information on creating a +profile. +::: + + +Follow the steps below to add a Netwrix Integration. + +**Step 1 –** On the Integrations interface, click Add New Integration in the navigation pane. The +Add New Integration window opens. 
+ +![Add New Integrations window with the Netwrix Integration type selected](/images/threatmanager/3.0/administration/configuration/integrations/netwrixintegrations.webp) + +**Step 2 –** In the Type drop-down list, select Netwrix Integration. + +**Step 3 –** Enter the following information: + +- Name – Provide a unique, descriptive name of the integration +- Description – Provide an Integration description +- Database Host – Enter the database server hostname (NetBIOS name, FQDN, or IP address) with the + instance name or non-standard port, if applicable, in one of the following formats: + + - No named instance, use `[SQLHostName]`, for example `NT-SQL02` + - Named instance, use `[SQLHostName]\[SQLInstanceName]`, for example `NT-SQL02\Netwrix` + - No named instance with non-standard port, use `[SQLHostName],[PortNumber]`, for example + `NT-SQL02,72` + - Named instance with non-standard port, use `[SQLHostName]\[SQLInstanceName],[PortNumber]`, for + example `NT-SQL02\Netwrix,72` + +- Credential Profile – Select the Credential Profile by name from the drop-down menu. This was + pre-created in the Credential Profiles page. +- Configuration Catalog Name – Enter the name of the configuration database. By default, this is set + to the name of the Threat Prevention database, `NVMonitorConfig`. +- Catalog Name – Enter the name of the database. By default, this is set to the name of the Threat + Prevention database, `NVMonitorData`. +- Integration Service URL – This should not be modified. It is the URL for the service endpoint, by + default `http://localhost:55558`. +- Show Deleted Policies – When this option is checked, deleted policies will show on the Policy Sync + tab of this Netwrix integration. + +**Step 4 –** Click **Test Connection** to ensure connection to the database. This will take a +moment. Then a message will appear in the upper right corner of the console indicating a successful +or failed connection. If successful, move on to the next step. 
If failed, recheck your entries for +error and repeat this step until a successful connection is established. + +**Step 5 –** Click Add. The Add New Integration window closes. + +The NetwrixIntegration is listed in the Integrations navigation pane. + +:::note +For integration with Netwrix Threat Prevention, you can add both the main `NVMonitorData` +database and the archive database, if one has been configured. +::: + + +## Netwrix Integration Details + +Follow the steps to view the details of a Netwrix product integration. + +**Step 6 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 7 –** On the Integrations interface, click **Netwrix Integrations** in the navigation pane to +view a list of the already integrated Netwrix products. + +**Step 8 –** Select a product from the table or the navigation pane to view the integration details. + +![Integrations interface on the Netwrix Integrations details page](/images/threatmanager/3.0/administration/configuration/integrations/details_3.webp) + +Select the integration from the list to see the details and modification options: + +- Name and Description – The box at the top displays the name and description of the integration + + - Edit – The edit button in the upper right corner of the box changes those fields from + read-only to editable. See the Edit Integration Name and Description topic for additional + information. + - Delete – The delete button in the upper right corner of the box opens the Delete Stealthbits + Integration window to confirm the action + +- Configuration – Displays the settings entered for the selected integration. These settings can be + modified on this tab. See the Configuration Tab topic for additional information. +- Policy Sync – Displays information on the last policy sync executed. See the Policy Sync Tab topic + for additional information. 
+ +### Configuration Tab + +The Configuration tab displays the settings entered for the selected integration. + +![Netwrix Integration Details on the Configuration tab](/images/threatmanager/3.0/administration/configuration/integrations/configurationtab.webp) + +The tab provides the following settings: + +- Database Host – Displays the name of the database host in the supplied format +- Credential Profile – Displays the Credential Profile by name +- Configuration Catalog Name – Displays the name of the configuration database . +- Catalog Name – Displays the name of the database +- Integration Service URL – Displays the URL for the service endpoint. This should not be modified. +- Show Deleted Policies – When this option is checked, deleted policies will show on the Policy Sync + tab of this Netwrix integration. +- Test Connection – Click **Test Connection** to ensure connection to the database. This will take a + moment. Then a message will appear in the upper right corner of the console indicating a + successful or failed connection. + +The Save button is enabled when any settings are modified. Click it to commit the changes before +leaving the page. + +### Policy Sync Tab + +The Policy Sync tab displays information on the last policy sync executed. 
+ +![Netwrix Integration Details on the Policy Sync tab](/images/threatprevention/7.5/reportingmodule/configuration/integrations/policysynctab.webp) + +The tab provides the following information: + +- Last Sync – Displays the date timestamp of the last sync +- Policies – The table displays the following information: + + - Name – The name of the Threat Prevention policy + - Enabled – Indicates if the policy is enabled (true) or disabled (false) + - Report to Database – Indicates if the policy is sending events to the Threat Prevention SQL + database + - Deleted – Indicates if the policy is deleted (true) or not deleted (false) + - Description – The description of the policy as read from Threat Prevention + +## Edit Integration Name and Description + +Follow the steps to edit a Netwrix Integration name and/or description. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click Netwrix Integrations and select the desired +Netwrix Integration. + +**Step 3 –** Click the **Edit** button in the upper right corner of the name and description box. + +![Name and Description box for a Netwrix Integration in Edit mode](/images/threatprevention/7.5/reportingmodule/configuration/integrations/editnetwrixintegration.webp) + +**Step 4 –** Type in the top field to modify the integration name. + +**Step 5 –** Type in the bottom field to modify the integration description. + +**Step 6 –** Click the **Save** button. + +The Netwrix Integration name and/or description have been modified. + +## Modify Netwrix Integration Configuration + +Follow the steps to modify the configuration for the selected integration. 
+ +![Netwrix Integration Details on the Configuration tab](/images/threatmanager/3.0/administration/configuration/integrations/configurationtab.webp) + +**Step 1 –** On the Integrations interface, click Netwrix Integrations and select the desired +Netwrix Integration. + +**Step 2 –** The Configuration tab opens, where you can make the desired modification. + +**Step 3 –** To modify the Database Host, modify the value by typing in the textbox. + +**Step 4 –** To modify the Credential Profile, select the Credential Profile by name from the +drop-down menu. This was pre-created in the Credential Profiles page. + +:::note +If you modify the Credential Profile for a domain, click **Test Connection** to ensure +connection to the database. This will take a moment. Then a message will appear in the upper right +corner of the console indicating a successful or failed connection. +::: + + +**Step 5 –** For the Configuration Catalog Name, modify the value by typing in the textbox. + +**Step 6 –** For the Catalog Name, modify the value by typing in the textbox. + +:::tip +Remember, the Integration Service URL value should not be modified. +::: + + +**Step 7 –** Check or uncheck the Show Deleted Policies box as desired. + +**Step 8 –** The Save button is enabled when any settings are modified. Click it to commit the +changes before leaving the page. + +The changes to the Configuration have been committed. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/overview.md b/docs/threatmanager/3.1/administration/configuration/integrations/overview.md new file mode 100644 index 0000000000..697990492a --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/overview.md 
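Review bot: In "Netwrix Integration Details" the procedure starts at **Step 6** and runs to Step 8, while every other procedure in this file restarts at Step 1; renumber to Steps 1 to 3 (it reads like a leftover from when this text followed the Add procedure). The Delete bullet still says "Delete Stealthbits Integration window", the legacy product name, and should match "Netwrix Integration" used everywhere else on the page. Spacing typos: "Netwrixintegration" and "NetwrixIntegration" are missing a space, and "configuration database ." has a space before the period. The Integration Service URL bullet says the default `http://localhost:55558` must not be modified but never says which service answers on it; one clause naming the endpoint would save support questions when the default is changed by mistake.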
@@ -0,0 +1,31 @@ +--- +title: "Integrations Interface" +description: "Integrations Interface" +sidebar_position: 30 +--- + +# Integrations Interface + +The Integrations interface allows you to configure integrations with a variety of Netwrix products +and third-party systems and applications. + +Use the gear icon in the upper right corner of the console to open the Configuration menu. Then +select **Integrations** to open the Integrations interface. + +![interface](/images/threatmanager/3.0/administration/configuration/integrations/interface.webp) + +It contains the following integration pages: + +- [Active Directory Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md) +- [Entra ID Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md) +- [App Tokens Page](/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md) +- [Authentication Provider Page](/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md) +- [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) +- [Email Page](/docs/threatmanager/3.1/administration/configuration/integrations/email.md) +- [Folder Settings Page](/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md) +- [SIEM Page](/docs/threatmanager/3.1/administration/configuration/integrations/siem.md) +- [Netwrix Integrations Page](/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md) +- [Tag Management Page](/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md) + +The Overview page displays a high-level view of all configured integrations. You can return to the +Overview page by selecting the **Integrations** header in the navigation pane. 
diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/_category_.json b/docs/threatmanager/3.1/administration/configuration/integrations/page/_category_.json new file mode 100644 index 0000000000..c48478f5c7 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Authentication Provider Page", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "page" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/_category_.json b/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/_category_.json new file mode 100644 index 0000000000..143aa23275 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "OpenID Authentication Provider", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "openid" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/entraidopenid.md b/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/entraidopenid.md new file mode 100644 index 0000000000..d08066a12f --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/entraidopenid.md 
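Review bot: Both `_category_.json` files end with `\ No newline at end of file`; add a trailing newline so the next edit to either file does not produce a noisy whole-last-line diff. Not blocking.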
@@ -0,0 +1,202 @@ +--- +title: "Microsoft Entra ID Configuration" +description: "Microsoft Entra ID Configuration" +sidebar_position: 10 +--- + +# Microsoft Entra ID Configuration + +For enhanced security, you can integrate Microsoft Entra ID OpenID Connect with Threat Manager using +Proof Key for Code Exchange (PKCE). + +Make sure the following requirements are fulfilled before configuring Microsoft Entra ID +OpenID Connect in Threat Manager. + +- Full Netwrix Threat Manager version 3.0.473+ or RO 3.0.90+ is installed +- Direct users (not groups) are supported in the Access User List +- MSAL.js 2.0 version is supported. See the Microsoft + [MSAL.js 2.0 is now generally available with support for authorization code flow](https://devblogs.microsoft.com/microsoft365dev/msal-js-2-0-supports-authorization-code-flow-is-now-generally-available/) + article for additional information. + +First, you need to register an application for Threat Manager in Microsoft Entra ID and then use the +registered application's information for configuring Microsoft Entra ID OpenID Connect in Threat +Manager. + +## Register and configure an application + +Follow the steps to register and then configure the application. + +**Step 1 –** Login to Microsoft Entra admin center (https://portal.azure.com/) with a user that is +part of the “Global Administrator” role or any role that has rights to register an app, such as the +“Application administrator” role. This is required in order to give consent to certain permissions +in the application. + +**Step 2 –** In the Microsoft Entra admin center, go to Microsoft Entra ID > App registration and +click **New registration**. 
+ +![NTM EntraIDOpenID Connect Application New Registeration page](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/entraidnewregister.webp) + +**Step 3 –** Fill out the Name field, for example, _MyProduct OpenID App._ + +**Step 4 –** Choose one of the options in the **Supported account types** section based on your +needs, for example, _Accounts in this organizational directory only_. + +**Step 5 –** In the Redirect URI section, select the **Single-page application (SPA)** option from +the Select a plateform drop down. + +**Step 6 –** Enter the URL in the following specified format + +`{HTTP/S protocol}://{IP address or DNS name}:{port if needed}/callback` + +- HTTP/S protocol – Use depending on your configuration (http or https) + +- IP address or DNS name – Provide the domain name or IP address, (for example, + threatManager.MyCompany.com or 192.168.74.200) + +- Port – Threat Manager’s default port is 8080, but it could be changed according to your needs + +- End the URL with /callback + +The full Redirect URL will be in one of the following format: + +- https://threatManager.MyCompany.com:8080/callback + +- https://192.168.74.200:8080/callback + +**Step 7 –** Click **Register**. + +**Step 8 –** The Overview page is displayed. Copy the Application (client) ID and Directory (Tenant) +ID and keep them safe. + +![EntraID Application and Tenant IDs page](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/appntenantids.webp) + +**Step 9 –** In the left pane, select **Authentication**. + +**Step 10 –** In the Implicit grant and hybrid section, select the **Access tokens** as necessary to +support the implicit flow, especially for Single-Page Application (SPA). + +![Entra ID SPA Token option](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/entraidtoken.webp) + +**Step 11 –** Click **Save**. 
+ +**Step 12 –** Under the Manage section, select **Token Configuration**. + +**Step 13 –** Click **Add optional claim**. + +**Step 14 –** Select **ID** token type. + +**Step 15 –** In the Claim column, select _onprem_sid_ check box. + +**Step 16 –** Click **Add**. + +**Step 17 –** Click **Add optional claim**. + +**Step 18 –** Select **Access** token type. + +**Step 19 –** Check _onprem_sid_ field. + +**Step 20 –** Click **Add**. + +![Optional Claims added](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/claims.webp) + +## Configure Entra ID OpenID Connect + +Follow the steps to configure Microsoft Entra ID OpenID connect in Threat Manager. + +**Step 1 –** On the Integrations interface, select the OpenID Authentication Provider under the +Authentication Provider node. + +The page for the OpenID provider had two tabs: + +- Configuration +- Users/Groups + +![Entra ID OpenID COnnect Configuration tab](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/entraidconfig.webp) + +## Configuration Tab + +Follow the steps to configure Microsoft Entra ID OpenID Connect in Threat Manager. + +- Default – The default profile applied when a user is assigned multiple authentication profiles. + When off, the profile will be determined in alphabetical order of the profile name. Toggle off and + on as desired. +- Authority – The Microsoft Entra ID OpenID Connect provider authority URL. It should be in the + following format: + `https://login.microsoftonline.com/{Tenant ID}/v2.0` + Use the tenant ID of the registered application. +- Client Id – The ID assigned to the registered application in Microsoft Entra ID. +- Login Type – The login type to use to log into the account. For Microsoft Entra ID, select _Sid_ + from the drop-down list. +- User Source – The source type to use to validate the user from the token. For Microsoft Entra ID, + select _Id Token Parse_ from the drop-down list. 
+- User Source Field – The field in the token to use for validating the user. For Microsoft Entra ID, + select _onprem_sid_ from the drop-down list. + +## Users/Group Tab + +The Users/Groups tab displays users and groups that are currently assigned to this authentication +profile. To give access to the application to new users, click the New Access button, which opens +the Add Console Access window. To assign this authentication provider to existing users, go to +System Settings > User Access Page. + +![UserGroups tab for an authneication provider](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) + +The table displays the following information: + +- Access rule type – Indicates the access type as _Allow_, which enables console access, or _Deny_, + which disables console access +- Login name – The NTStyle domain name for the user or group account +- Display name – The display name for the user or group account +- Domain name – Name of the domain. This may be either the domain DNS name or domain controller + hostname. +- Role – The role assigned to the user or group for accessing this application +- Authentication Type – Type of MFA authentication assigned to the user or group +- Action – This column has the following icons for conducting actions on the user or group: + + - Edit icon – Allows you to edit the columns in the selected row by enabling drop-down menus. + The edit icon changes to a save icon while in edit mode. + - Trash icon – Opens a Warning window to confirm the action of deleting the user or group. + Removing a user or group removes console access for it. + - Reset MFA button – Forces the user or every user in the group to reconfigure MFA on the next + login. This option is only available if an MFA authentication type is applied to the user or + group. 
+ +## Troubleshooting + +In case the Microsoft Entra ID OpenID Connect configurations do not work and an error is displayed, +you can perform the following steps to troubleshoot the error. + +**Step 1 –** Open any site or tool that provides the possibility to decode a JWT token, for +example,` https://jwt.io/`. + +**Step 2 –** Right click on the Threat Manager login page and select **Inspect**. The Dev Tools page +opens. + +![Dev Tools page](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/devtools.webp) + +**Step 3 –** Click the **Network** tab and check the **Preserve log** check box. + +**Step 4 –** Enter **oidcSignin** in the **Filter** field and select **All** to show all requests. + +**Step 5 –** Click the Microsoft Entra ID OpenID Connect button on the Threat Manager login page. + +**Step 6 –** Log in to Microsoft Entra ID. + +![Dev Tools page](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/putmethod.webp) + +**Step 7 –** On the Dev Tools page, find a request with the PUT method which has the following +format: + +`{HTTP/S protocol}://{NTM IP address or DNS name}:{port if needed}/oidcSignin/{ID}` + +![PayLoad tab](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/payloadtab.webp) + +**Step 8 –** Open the **Payload** tab and copy the value from the Request Payload box. + +**Step 9 –** Open `https://jwt.io/` and insert the **Request Payload** value in the ENCODED VALUE +section. + +![Claim verification](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/claim.webp) + +Check that the field from the claims setting exist and has the value. If claims don’t exist, please +check the claims configuration in Microsoft Entra ID. 
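Review bot: Step 10 tells the reader to enable **Access tokens** under Implicit grant and hybrid flows, which contradicts the page's own rationale (authorization code flow with PKCE through MSAL.js 2.0) and re-enables the legacy implicit flow that PKCE replaces; an SPA redirect URI using the auth code flow needs no implicit grant setting, so either drop Steps 9 to 11 or explain why the implicit token is required. Step 6 presents "http or https" as equally valid, but Entra ID accepts plain `http` redirect URIs only for localhost, so the `http` variant should be marked localhost-only and the examples kept on `https`. The Troubleshooting steps have the administrator paste a live ID token into a third-party site (`https://jwt.io/`); since the token carries user claims such as `onprem_sid`, a sentence pointing at a local decoder where policy requires it would be a sensible caveat. Step 1 labels `https://portal.azure.com/` the "Microsoft Entra admin center"; that URL is the Azure portal, so either name or URL should change. Typos: "Registeration", "plateform", "drop down", "had two tabs", "COnnect", "authneication", "in one of the following format", and the stray space in `` ` https://jwt.io/` ``. The prerequisite "Threat Manager version 3.0.473+ or RO 3.0.90+" is carried over from the 3.0 docs and should be revalidated for 3.1.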
diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/openid.md b/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/openid.md new file mode 100644 index 0000000000..7cc470b93b --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/openid.md 
@@ -0,0 +1,73 @@ +--- +title: "OpenID Authentication Provider" +description: "OpenID Authentication Provider" +sidebar_position: 20 +--- + +# OpenID Authentication Provider + +OpenID is an open standard for authentication that allows users to log into multiple websites using +a single set of credentials, eliminating the need for multiple usernames and passwords. Unlike +traditional authentication methods, OpenID delegates authentication to a third-party provider, +allowing users to authenticate with their chosen identity provider. + +Follow the instructions to integrate the OpenID authentication provider with Threat Manager. + +![Integrations interface displaying the details for an OpenID authneication provider](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/openid.webp) + +The details page for an OpenID authentication provider has two tabs: + +- Configuration +- Users/Groups + +## Configuration Tab + +Configure the following settings for an OpenID provider on the Configuration tab: + +![Configuration tab for an OpenID authneication provider](/images/threatprevention/7.5/reportingmodule/configuration/integrations/authenticationprovider/configurationopenid.webp) + +- Default – The default profile applied when a user is assigned multiple authentication profiles. + When off, the profile will be determined in alphabetical order of the profile name. Toggle off and + on as desired. +- Authority – The OpenId Connect provider authority URI. Out-going redirection requires the correct + Authority path to be set. Incorrect settings will generally result in a 404 error. +- Client Id – The ID assigned to an application that allows it to request authentication and + interact with the identity provider +- Login Type – The login type to use to log into the account. 
Use the drop-down menu to select one + of the following: Sam Account Name, User Principal Name, Email Address, or Sid +- User Source – The source type to use to validate the user from the token. Use the drop-down menu + to select one of the following: Introspection, User Info, Token Parse, or Id Token Parse +- User Source Field – The field in the token to use for validating the user + +Click Save to commit the configuration settings. + +## Users/Groups Tab + +The Users/Groups tab displays users and groups that are currently assigned to this authentication +profile. To give access to the application to new users, click the New Access button, which opens +the Add Console Access window. To assign this authentication provider to existing users, go to +System Settings > User Access Page. + +![UserGroups tab for an authneication provider](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) + +The table displays the following information: + +- Access rule type – Indicates the access type as _Allow_, which enables console access, or _Deny_, + which disables console access +- Login name – The NTStyle domain name for the user or group account +- Display name – The display name for the user or group account +- Domain name – Name of the domain. This may be either the domain DNS name or domain controller + hostname. +- Role – The role assigned to the user or group for accessing this application +- Authentication Type – Type of MFA authentication assigned to the user or group +- Action – This column has the following icons for conducting actions on the user or group: + + - Edit icon – Allows you to edit the columns in the selected row by enabling drop-down menus. + The edit icon changes to a save icon while in edit mode. + - Trash icon – Opens a Warning window to confirm the action of deleting the user or group. + Removing a user or group removes console access for it. 
+ - Reset MFA button – Forces the user or every user in the group to reconfigure MFA on the next + login. This option is only available if an MFA authentication type is applied to the user or + group. + +See the [User Access Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md b/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md new file mode 100644 index 0000000000..bb5e45082b --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md 
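Review bot: The closing link to `/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md` points at a file none of the hunks in this patch create, so the Docusaurus build will fail on a broken link unless a later patch in the series adds it; please confirm. The opening paragraph describes OpenID as single sign-on across websites, while every setting on the Configuration tab (Authority, Client Id, Id Token Parse, Introspection) is OpenID Connect; say OpenID Connect in the intro, and align "OpenId Connect" in the Authority bullet with that spelling. The Users/Groups tab text is pasted verbatim into entraidopenid.md, openid.md and radius.md in this same patch; a shared MDX partial would keep the three copies from drifting. Minor: "authneication" in two image alt texts, and the Configuration tab screenshot still points at `/images/threatprevention/7.5/...` while the other images on the page use `/images/threatmanager/3.0/...`.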
@@ -0,0 +1,55 @@ +--- +title: "Authentication Provider Page" +description: "Authentication Provider Page" +sidebar_position: 40 +--- + +# Authentication Provider Page + +The Authentication Provider page provides configuration settings for third-party authentication +providers using RADIUS, OpenID, and SAML integrations. + +Use the gear icon in the upper right corner of the console to open the Configuration menu. Then +select **Integrations** to open the Integrations interface. + +![Integrations interface on the Authentication Provider page](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/page.webp) + +Click **Authentication Provider** in the navigation pane to view a list of already configured +authentication providers, if any. + +The table displays the provider name, as supplied during configuration, and an icon indicating if +the integration is enabled. To view provider details or make modifications, select a provider from +the table or select it from the Credential Profile drop-down in the navigation pane. + +## Add an Authentication Provider + +Follow the steps to add an authentication provider. + +**Step 1 –** On the Integrations interface, click Add New Integration in the navigation pane. The +Add New Integration window opens. + +![Add New Integration window with Authentication Provider type selected](/images/threatprevention/7.5/reportingmodule/configuration/integrations/authenticationprovider/authenticationprovider.webp) + +**Step 2 –** In the Type drop-down list, select Authentication Provider. + +**Step 3 –** Provide a unique name and description for the authentication provider. + +**Step 4 –** Click Add. The Add New Integration window closes. + +The authentication provider is listed in the Integrations navigation pane and the configuration +window for the provider opens. You must configure the provider for use with a supported +authentication provider type, i.e., OpenID, RADIUS, or SAML. 
+ +## Supported Types of Authentication Providers + +On the Integrations interface, select an authentication provider under the Authentication Provider +node in the navigation pane or from the table to configure, view, or modify its details. + +![Integrations interface displaying the details for an Authentication Provider with the type drop-down menu open](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/types.webp) + +The following authentication provider types are supported; you can configure an authentication +provider for any of these: + +- RADIUS – See the [RADIUS Authentication Provider](/docs/threatmanager/3.1/administration/configuration/integrations/page/radius.md) topic for additional information. +- OpenID – See the [OpenID Authentication Provider](/docs/threatmanager/3.1/administration/configuration/integrations/page/openid/openid.md) topic for additional information. +- SAML – See the [SAML Authentication Provider](/docs/threatmanager/3.1/administration/configuration/integrations/page/saml.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/radius.md b/docs/threatmanager/3.1/administration/configuration/integrations/page/radius.md new file mode 100644 index 0000000000..10495c8fe9 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/radius.md 
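Review bot: "select it from the Credential Profile drop-down in the navigation pane" is a copy-paste remnant from the Credential Profile page; on this page the navigation node is Authentication Provider, as the next section states, so the sentence should point there. Also "for use with a supported authentication provider type, i.e., OpenID, RADIUS, or SAML" is clearer without "i.e.," since the three types are listed in the section that follows, and the Add New Integration screenshot uses `/images/threatprevention/7.5/...` while the other images on the page use `/images/threatmanager/3.0/...`.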
@@ -0,0 +1,120 @@ +--- +title: "RADIUS Authentication Provider" +description: "RADIUS Authentication Provider" +sidebar_position: 10 +--- + +# RADIUS Authentication Provider + +The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides +centralized authentication, authorization, and accounting management for users connecting to a +network service. + +![Integrations interface displaying the details for a Radius authneication provider](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/radius.webp) + +The details page for a RADIUS authentication provider has three tabs: + +- Configuration +- Customization +- Users/Groups + +## Configuration Tab + +Configure the following settings for a RADIUS provider on the Configuration tab: + +![Configuration tab for a RADIUS authneication provider](/images/threatprevention/7.5/reportingmodule/configuration/integrations/authenticationprovider/configurationradius.webp) + +- Default – The default profile applied when a user is assigned multiple authentication profiles. + When off, the profile will be determined in alphabetical order of the profile name. Toggle off and + on as desired. +- Server FQDN/IP – The address of the RADIUS proxy +- Port – The port for the RADIUS proxy +- Auth Type – The security protocol used by the RADIUS proxy. Use the drop-down menu to select + either MSCHAPv2 or PAP. +- Shared Secret – A secret shared between the application server and the RADIUS proxy +- User Name Format Type – Active Directory attribute or attributes that will be sent to the RADIUS + authentication provider to identify the user. Some common identification attributes are available + in the drop-down list. If necessary, a custom option is also provided. This option instructs the + application to send a custom value to the RADIUS provider based on the user's Active Directory + attribute, supplied in the Custom Name Format field. 
+- Custom Name Format – This field appears when the Custom User Name Format Type is selected. It has + a unique syntax as follows: + + - Active Directory Attribute: `{attributename}` + + - Example – `{firstname}_{lastname}` + + - First Character(s) of an Active Directory Attribute: `{3:AttributeName}` – Where "3" is the + number of characters to select + + - Example – `{1:firstname}_{lastname}` + + - Last Character(s) of an Active Directory Attribute: `{AttributeName:3}` – Where "3" is the + number of characters to select + + - Example – `{firstname}_{telephoneNumber:4}` + + - Text values can be hard coded to send a static text value for each user: + + - Example – `MyCompany_{lastname}` + +- Max Retries – The maximum number of times to attempt reconnecting to the RADIUS proxy if unable to + connect +- Timeouts (in seconds) – The default timeout value for RADIUS connection and authentication + requests. The default value is 60 seconds. + +Click Save to commit the configuration settings. + +## Customization Tab + +The Customization tab is unique to RADIUS authentication providers. It contains the following +settings that need to be configured: + +![Customization tab for a Radius authneication provider](/images/threatprevention/7.5/reportingmodule/configuration/integrations/authenticationprovider/customizationtab.webp) + +- Title for MFA Authentication dialog – The title that is displayed to the user when prompted for + MFA +- Text for MFA Authentication dialog – The text description that is displayed to the user when + prompted for MFA +- Send Initial Text – If On, the value in the Initial Auto Response Text is automatically sent to + the RADIUS proxy without user action. Toggle On or Off as desired. +- Initial Auto Response Text – This value is sent to the RADIUS server automatically if the Send + Initial Text option is enabled. For example, this might be “push” to immediately have the user’s + phone app prompt for authorization. 
+- Prefix for Response Text – This value is added to the start of the responses. The value will vary + according to server. +- Send NAS Identifier – When On, NAS identifiers are transmitted to the RADIUS proxy. This is needed + for certain RADIUS proxy implementations that require it. Toggle On or Off as desired. + +Click Save to save the configuration settings. + +### Users/Groups Tab + +The Users/Groups tab displays users and groups that are currently assigned to this authentication +profile. To give access to the application to new users, click the New Access button, which opens +the Add Console Access window. To assign this authentication provider to existing users, go to +System Settings > User Access Page. + +![UserGroups tab for an authneication provider](/images/threatprevention/7.5/reportingmodule/configuration/integrations/authenticationprovider/usersgroupstab.webp) + +The table displays the following information: + +- Access rule type – Indicates the access type as _Allow_, which enables console access, or _Deny_, + which disables console access +- Login name – The NTStyle domain name for the user or group account +- Display name – The display name for the user or group account +- Domain name – Name of the domain. This may be either the domain DNS name or domain controller + hostname. +- Role – The role assigned to the user or group for accessing this application +- Authentication Type – Type of MFA authentication assigned to the user or group +- Action – This column has the following icons for conducting actions on the user or group: + + - Edit icon – Allows you to edit the columns in the selected row by enabling drop-down menus. + The edit icon changes to a save icon while in edit mode. + - Trash icon – Opens a Warning window to confirm the action of deleting the user or group. + Removing a user or group removes console access for it. + - Reset MFA button – Forces the user or every user in the group to reconfigure MFA on the next + login. 
This option is only available if an MFA authentication type is applied to the user or + group. + +See the [User Access Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/page/saml.md b/docs/threatmanager/3.1/administration/configuration/integrations/page/saml.md new file mode 100644 index 0000000000..1d71532e81 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/page/saml.md 
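Review bot: the Users/Groups section in radius.md is an H3 (`### Users/Groups Tab`) while its two sibling tabs, `## Configuration Tab` and `## Customization Tab`, are H2, even though the intro lists all three as peers; promote it to `## Users/Groups Tab` so the rendered sidebar matches the tab list. Two smaller points in the same file: the alt text on all three screenshots misspells "authentication" as "authneication", and the screenshots are pulled from `/images/threatmanager/3.0/...` and `/images/threatprevention/7.5/reportingmodule/...` rather than a 3.1 image path, so either confirm those captures still match the 3.1 UI or add 3.1 captures. Since the Auth Type bullet offers "either MSCHAPv2 or PAP" with no guidance, consider one sentence of recommendation: with PAP the user's password crosses the wire protected only by the RADIUS shared secret, so MSCHAPv2 should be preferred wherever the proxy supports it.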
@@ -0,0 +1,80 @@ +--- +title: "SAML Authentication Provider" +description: "SAML Authentication Provider" +sidebar_position: 30 +--- + +# SAML Authentication Provider + +The Security Assertion Markup Language (SAML) is an XML framework for exchanging authentication and +authorization information. It provides functions to describe and transmit security-related +information. This means that you can use one set of credentials to log in to many different +websites. It is much easier to manage one login per user than separate logins for email, Customer +Relationship Management (CRM) software, Active Directory, and more. + +![Integrations interface displaying the details for a SAML authneication provider](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/saml.webp) + +The details page for a SAML authentication provider has two tabs: + +- Configuration +- Users/Groups + +**Prerequisites** + +For users to be able to use SAML, "SMTP" must be set up and an email address must be stored with the +respective users. + +## Configuration Tab + +Configure the following settings for a SAML provider on the Configuration tab: + +![Configuration tab for a SAML authneication provider](/images/threatprevention/7.5/reportingmodule/configuration/integrations/authenticationprovider/configurationsaml.webp) + +- Default – The default profile applied when a user is assigned multiple authentication profiles. + When off, the profile will be determined in alphabetical order of the profile name. Toggle off and + on as desired. +- Login URI – Login URI is a specific web address where users can authenticate themselves to access + a web application or service +- Logout Uri – A logout URI is a specific web address where users are directed to terminate their + authenticated session in a web application or service +- Login Type – The login type to use to log into the account. 
Use the drop-down menu to select one + of the following: Sam Account Name, User Principal Name, Email Address, or Sid +- User Claim – A user claim is an assertion made by the identity provider about a user, such as + their name, role, or email, that the service provider can use for authorization decisions +- Check Certificate – If enabled, this validates the response certificate to the certificate + provided in the Certificate field. Use the toggle button to enable and disable this setting. +- Certificate – A certificate is a digital credential used to validate the identity of parties and + secure communications between an Identity Provider (IdP) and a Service Provider (SP) + +Click Save to commit the configuration settings. + +## Users/Groups Tab + +The Users/Groups tab displays users and groups that are currently assigned to this authentication +profile. To give access to the application to new users, click the New Access button, which opens +the Add Console Access window. To assign this authentication provider to existing users, go to +System Settings > User Access Page. + +![UserGroups tab for an authneication provider](/images/threatmanager/3.0/administration/configuration/integrations/authenticationprovider/usersgroupssamltab.webp) + +The table displays the following information: + +- Access rule type – Indicates the access type as _Allow_, which enables console access, or _Deny_, + which disables console access +- Login name – The NTStyle domain name for the user or group account +- Display name – The display name for the user or group account +- Domain name – Name of the domain. This may be either the domain DNS name or domain controller + hostname. 
+- Role – The role assigned to the user or group for accessing this application +- Authentication Type – Type of MFA authentication assigned to the user or group +- Action – This column has the following icons for conducting actions on the user or group: + + - Edit icon – Allows you to edit the columns in the selected row by enabling drop-down menus. + The edit icon changes to a save icon while in edit mode. + - Trash icon – Opens a Warning window to confirm the action of deleting the user or group. + Removing a user or group removes console access for it. + - Reset MFA button – Forces the user or every user in the group to reconfigure MFA on the next + login. This option is only available if an MFA authentication type is applied to the user or + group. + +See the [User Access Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/siem.md b/docs/threatmanager/3.1/administration/configuration/integrations/siem.md new file mode 100644 index 0000000000..905a31fedc --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/siem.md 
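Review bot: the Check Certificate bullet describes a toggle ("Use the toggle button to enable and disable this setting") without saying what disabling it means; since it is the only control that ties the SAML response to the certificate in the Certificate field, add a caveat that it should stay enabled outside of initial troubleshooting, because with it off responses are accepted without that validation. Also in this hunk: the Prerequisites line puts "SMTP" in quotes where a link to the Email integration page would be clearer; `Login URI` and `Logout Uri` should use the same capitalization; the Login Type values "Sam Account Name" and "Sid" should be checked against the actual UI labels and, if the doc is free to choose, written as sAMAccountName and SID; and the image alt text again reads "authneication".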
@@ -0,0 +1,102 @@ +--- +title: "SIEM Page" +description: "SIEM Page" +sidebar_position: 80 +--- + +# SIEM Page + +The SIEM page provides configuration settings for forwarding threat information to a SIEM service +such as QRadar or Splunk. Prior to configuring this page, determine the IP address and Port for the +SIEM server. + +Follow the instructions to enable SIEM notifications. + +![siempage](/images/threatmanager/3.0/administration/configuration/integrations/siempage.webp) + +**Step 1 –** In the Integrations box, click **SIEM**. The SIEM window opens. + +**Step 2 –** Enter the following information: + +- Enabled – Sends threat configuration settings to the configured SIEM service if set to ON. The + default is ON. +- Server – The IP address of the SIEM server. This field is blank and turned off by default. +- Type – Select a protocol type from the drop-down list to use when sending a Syslog message to a + SIEM application: + - UDP + - TCP +- Port – The port of the SIEM server. +- Template – Select the desired template from the drop-down list + + - LEEF template – Threat data is sent to the SIEM application in the standard LEEF format + - CEF template – Threat data is sent to the SIEM application in the standard CEF format + - Custom template – Threat data is sent to the SIEM application in a customized format + + :::note + Only one custom template can be implemented. + ::: + + + - Notification template – Threat data is sent to the SIEM application in a basic notification + format: + + `%SYSLOG_DATE%|%HOST%|%COMPANY%|%PRODUCT%|%PRODUCT_VERSION%|%MESSAGE_TYPE%|%MESSAGE%` + +- Template Format – Selecting Custom template from the Template drop-down list enables this box. 
It + displays the variables in Threat Manager that can be used to create a custom SIEM template: + + - %SYSLOG_DATE% – UTC timestamp of the SIEM message + - %SYSLOG_DATE_ISO% – ISO-formatted UTC timestamp of the SIEM message + - %HOST% – Threat Manager server hostname + - %COMPANY% – Netwrix + - %PRODUCT% – Threat Manager + - %PRODUCT_VERSION% – Threat Manager version + - %THREAT_TIME% – The date and time of the primary event associated with the threat + - %THREATTYPE% – Threat type + - %USERS% – Threat perpetrator(s) + - %COMPUTERS% – Threat host (typically domain controller or file server) + - %FILENAME% – File or share name for file events + - %NEW_FILENAME% – New file name (for rename events) + - %PROCESS% – Process name + - %THREATID% – Threat ID + - %THREATSUMMARY% – Summary of the threat + - %THREATDEFINITION% – Definition of the threat + - %THREATLEVEL% – Threat level of severity + - %THREATPROPERTIES% – Threat properties JSON string + - %THREATTIMEGENERATED% – Date and time the threat was generated (UTC) + - %THREATTIMEGENERATEDTIME% – Time the threat was generated (UTC) + - %THREATTIMEGENERATEDDATE% – Date the threat was generated (UTC) + - %TARGETHOSTDOMAIN% – Active Directory domain of the target host + - %TARGETHOSTTAGS% – Comma-delimited list of target host tags + - %CLIENTDOMAIN% – Active Directory domain of the client host + - %CLIENTTAGS% – Comma-delimited list of client host tags + - %THREATPROCESSNAME% – Name of process running (e.g., for Unusal Process threat) + - %THREATEVENTCOUNT% – The number of events related to the threat + - %THREATEVIDENCE% – Threat evidence JSON string + - %PERPETRATORSAMACCOUNTNAME% – SAMAccountName of the perpetrator + - %PERPETRATORDISTINGUISHEDNAME% – Distinguished name of the perpetrator + - %THREATUSERDISPLAYNAME% – Display name of the perpetrator + - %THREATUSEREMAIL% – Email address of the perpetrator + - %PERPETRATORDOMAIN% – Active Directory domain of the perpetrator + - %PERPETRATORTAGS% – Comma-delimited list 
of perpetrator tags + - %THREATUSERMANAGERDISPLAYNAME% –Display name of the manager of the perpetrator + - %THREATUSERMANAGEREMAIL% – Email address of the manager of the perpetrator + - %AFFECTEDUSERSAMACCOUNTNAME% – Comma-delimited list of affected User SAMAccount names + - %AFFECTEDUSERDISPLAYNAME% – Comma-delimited list of display names of the affected user + - %AFFECTEDUSERDOMAIN% – Active Directory domain of affected users + - %AFFECTEDUSERTAGS% – Comma-delimted list of tags for affected users + - %PRIMARYEVENTPATH% – Primary event path + - %PRIMARYEVENTHOST% – Primary event host + - %PRIMARYEVENTCLIENT% – Primary event client + - %PRIMARYEVENTCLIENTID% – ID of the client of the primary event + - %PRIMARYEVENTFROMIP% – IP address of the client of the primary event + - %PRIMARYEVENTOPERATION% – Type of event that occurred for the primary event + - %PRIMARYEVENTDOMAIN% – Active Directory domain of the primary event host + - %PRIMARYEVENTTOIP% – IP address of the primary event target host + - %PRIMARYEVENTTOMAC% – MAC address of the primary event target host + +**Step 3 –** Click Send Test Message to send a test email to the configured email address. + +**Step 4 –** Click Save Settings to save the configuration settings. + +SIEM notifications are now configured. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md b/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md new file mode 100644 index 0000000000..9807d9de29 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md 
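Review bot: Step 3 reads "Click Send Test Message to send a test email to the configured email address", but this is the SIEM page and nothing above it configures an email address; the test goes to the Server and Port over the selected UDP or TCP transport, so the sentence should say it sends a test syslog message to the configured SIEM server (the wording looks copied from the Email integration page). Two more corrections in the same hunk: the Enabled bullet says the toggle "Sends threat configuration settings to the configured SIEM service", whereas the rest of the page describes forwarding threat notifications, and the Server bullet says a text field is "blank and turned off by default", which only makes sense for the Enabled toggle. Because Type offers only UDP and TCP and the template variables include `%THREATUSEREMAIL%`, `%THREATUSERMANAGEREMAIL%` and `%PRIMARYEVENTFROMIP%`, add a note on whether syslog over TLS is supported or the link must otherwise be protected, since this data leaves the host in plaintext as documented. Typos: "Unusal Process" and "Comma-delimted".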
@@ -0,0 +1,164 @@ +--- +title: "Tag Management Page" +description: "Tag Management Page" +sidebar_position: 100 +--- + +# Tag Management Page + +The Tag Management page displays all tags that are currently managed by the application, including +out-of-the-box and custom tags. You can add tags and assign objects to those tags. + +![Integrations interface on the Tag Management page](/images/threatmanager/3.0/administration/configuration/integrations/page_6.webp) + +The out-of-the-box tags include: + +- Administrator – An administrator user account +- Automated Account – An account with automated authentication behavior detected +- Computer Account – A computer account +- Domain Admin – An Active Directory domain administrator account +- Domain Controller – An Active Directory domain controller account +- Global Catalog – An Active Directory global catalog object +- Honeypot – Tags objects to be included in Honeypot detection +- Privileged – A member of a sensitive group. These users typically have access to sensitive systems + and data and can execute actions that could impact the security, stability, and operation of the + network or domain. +- Read-Only Domain Controller – A read-only Active Directory domain controller account +- Sensitive – A group that has elevated permissions or administrative rights. A member of these + groups have the ability to perform critical tasks that can affect the security, configuration, and + operation of the entire network or domain. +- Service Account – An Active Directory service account +- Stale – An Active Directory user account marked as stale +- Watchlist – Watchlist users + +:::note +Any users with the Watchlist tag will be displayed on the Threat Manager +[Home Page](/docs/threatmanager/3.1/administration/home.md) Watchlist. 
+::: + + +The table displays the following information for available tags: + +- Name – The name of the tag +- Description – The description for the tag +- Created – Date timestamp when the tag was created +- Created By – The user account that created the tag +- Members – Number of tagged objects + +## Add New Tags + +Follow the steps to add a custom tag. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 2 –** On the Integrations interface, click Add New Integration in the navigation pane. The +Add New Integration window opens. + +![Add New Integration window with Tag type selected](/images/threatprevention/7.5/reportingmodule/configuration/integrations/tagmanagement.webp) + +**Step 3 –** In the Type drop-down menu, select Tag. + +**Step 4 –** Enter the following information: + +- Name – Provide a unique, descriptive name for the tag +- Description – Provide a description for the tag + +**Step 5 –** Click Add. The Add New Integration window closes. + +The tag is listed in the Integrations navigation pane. It can now be applied to objects. + +## Tag Details Page + +Follow the steps to view the details of a tag. + +**Step 6 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **Integrations** to open the Integrations interface. + +**Step 7 –** On the Integrations interface, click **Tag Managemetn** in the navigation pane to view +a list of tags. + +**Step 8 –** Select a tag from the table or the navigation pane to view its details. + +![Integrations interface displaying the details for a Tag](/images/threatmanager/3.0/administration/configuration/integrations/details_5.webp) + +This page provides the following information: + +- Name – The tag name. Type in the field to modify the name. +- Description – The tag description. Type in the field to modify the description. 
+- Delete Tag button – This button is only enabled for custom tags. Out-of-the-box tags cannot be + deleted. You will be asked to confirm the action. +- Search box – Search for objects in the Untagged Items box and the Tagged Items box by typing in + the textbox. You can search for user objects, group objects, file objects, or computer objects. +- Types – The drop-down menu provides object type filter options that apply to the search box + results. When a search is not being conducted, the filter types apply to the Tagged Items box. +- Untagged Items box – Displays objects that match the search text. This box is blank when a search + is not performed. +- Tagged Items box – Lists objects with this tag applied + +## Use the Type Filter + +On the tag details window, click the Type drop-down menu to apply a filter. + +:::info +Apply the desired Type filters when searching for objects to tag. +::: + + +![Honeypot tag with the Types drop-down menu open](/images/threatprevention/7.5/reportingmodule/configuration/integrations/typefilters.webp) + +The following types are available: + +- Users – Active Directory user objects +- Groups – Active Directory group objects +- Files – File objects +- Computers – Active Directory computer objects + +The _tagged items_ and _untagged items_ lists on the window will be filtered to the selected object +types. + +## Apply Tags to Objects + +Follow the steps to apply tags to objects. + +![Tag details page showing search results](/images/threatprevention/7.5/reportingmodule/configuration/integrations/searchselect.webp) + +**Step 1 –** On the Integrations interface, click **Tag Managemetn** in the navigation pane to view +a list of tags. + +**Step 2 –** Select a tag from the table or the navigation pane. + +**Step 3 –** On the Tag details page, use the search box to conduct a search for the object name. + +**Step 4 –** Use the Type drop-down menu to apply the desired object type filter to the search +results. 
+ +**Step 5 –** In the Untagged Items box, check the box to the left of the desired object(s). + +**Step 6 –** Click the arrow () between the Untagged Items box and the Tagged Items box to add the +tag to the selected object(s). + +The tag is applied to the selected objects. + +## Remove Tags From Objects + +Follow the steps to remove tags from objects. + +![Tag details page showing search results](/images/threatprevention/7.5/reportingmodule/configuration/integrations/search.webp) + +**Step 1 –** On the Integrations interface, click **Tag Managemetn** in the navigation pane to view +a list of tags. + +**Step 2 –** Select a tag from the table or the navigation pane. + +**Step 3 –** On the Tag details page, use the search box to conduct a search for the object name. + +**Step 4 –** Use the Type drop-down menu to apply the desired object type filter to the search +results. + +**Step 5 –** In the Tagged Items box, check the box to the left of the desired object(s). + +**Step 6 –** Click the arrow (`<`) between the Untagged Items box and the Tagged Items box to remove +the tag from the selected object(s). + +The tag is removed from the selected objects. diff --git a/docs/threatmanager/3.1/administration/configuration/overview.md b/docs/threatmanager/3.1/administration/configuration/overview.md new file mode 100644 index 0000000000..7fc1cb04bd --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/overview.md 
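Review bot: Step 6 of "Apply Tags to Objects" says "Click the arrow () between the Untagged Items box and the Tagged Items box" with nothing inside the parentheses, while the matching step in "Remove Tags From Objects" shows (`<`); it should presumably read (`>`). The bold UI label is misspelled "Tag Managemetn" in all three places it appears (Tag Details Page Step 7, Apply Tags Step 1, Remove Tags Step 1). Step numbering is also inconsistent: "Tag Details Page" continues from the previous procedure (Steps 6 to 8) while "Apply Tags to Objects" and "Remove Tags From Objects" restart at Step 1; restart each procedure at Step 1. Minor grammar in the Sensitive bullet: "A member of these groups have the ability" should be "has the ability".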
@@ -0,0 +1,29 @@ +--- +title: "Configuration Menu" +description: "Configuration Menu" +sidebar_position: 20 +--- + +# Configuration Menu + +Use the gear icon in the upper right corner of the console to open the Configuration menu. + +![configurationmenu](/images/threatmanager/3.0/administration/configuration/configurationmenu.webp) + +It contains links to the component configuration and settings interfaces: + +- Threat Detection – Provides an interface to configure threat monitoring. See the + [Threat Detection Page](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md) topic for additional information. +- Threat Response – Provides the ability to designate playbooks, which contain actions that can be + executed in response to detected threats. See the [Threat Response Page](/docs/threatmanager/3.1/administration/configuration/threatresponse.md) topic + for additional information. +- Integrations – Allows you to configure integrations with a variety of Netwrix products and + third-party systems and applications. See the [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md) + topic for additional information. +- Policies – Provides a single location to manage a variety of policy object types that define how + processes and operations in Threat Manager function. See the [Policies Page](/docs/threatmanager/3.1/administration/configuration/policies/overview.md) + topic for additional information. +- System Health – Displays the total number of events for all threat types and a summary for each + job. See the [System Health Interface](/docs/threatmanager/3.1/administration/configuration/systemhealth/overview.md) topic for additional information. +- System Settings – Provides access to system logs, user access controls, licensing, and more. 
See + the [System Settings Interface](/docs/threatmanager/3.1/administration/configuration/systemsettings/overview.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/configuration/policies/_category_.json b/docs/threatmanager/3.1/administration/configuration/policies/_category_.json new file mode 100644 index 0000000000..90cbccbd17 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/policies/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Policies Page", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md b/docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md new file mode 100644 index 0000000000..0bdc6207bb --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md 
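Review bot: `policies/_category_.json` lands without a trailing newline ("\ No newline at end of file"); add one so it matches the other files in the patch. In configuration/overview.md the screenshot path is `/images/threatmanager/3.0/administration/configuration/configurationmenu.webp` in a 3.1 page, and the System Health bullet ("Displays the total number of events for all threat types and a summary for each job") reads like a description of a dashboard rather than of a health interface; verify that blurb against the linked System Health Interface page before merging.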
@@ -0,0 +1,99 @@ +--- +title: "Configure Honeytoken Threats" +description: "Configure Honeytoken Threats" +sidebar_position: 20 +--- + +# Configure Honeytoken Threats + +The first step for configuring Honeytoken threats is to select a good Honeytoken username format. +This is important for a number of reasons. + +- The Honeytoken name should be convincing enough that an adversary would want to use it. +- In order to reduce noise, the username format should not match (in part or in full) another user, + group, or computer account in your environment. +- Token usernames are limited to 20 characters, and follow the validity rules for a regular Active + Directory username. + +The next step is to configure LDAP monitoring for Honeytokens. + +## Configure LDAP Monitoring for Honeytokens + +Adversaries may attempt to perform LDAP reconnaissance for users whose hashes they discover. In +order to detect this activity in Threat Manager, LDAP monitoring must be configured for the +Honeytoken username in Threat Manager or Activity Monitor. + +### Obtain the LDAP Monitoring Configuration String + +Follow the steps to obtain the LDAP monitoring configuration string. + +**Step 1 –** From the Threat Manager homepage, navigate to the Configuration menu and select +Policies. + +**Step 2 –** On the Policies page, expand the Honeytokens list and select the related Honeytoken +policy from the Policies list. Or, select the policy from the Policies table in the Overview box. + +![honeytoken](/images/threatmanager/3.0/administration/configuration/policies/honeytoken.webp) + +**Step 3 –** On the Configuration tab of the policy, fill in the requested information and click +**Copy LDAP Filter**. The Copy LDAP Filter button will automatically copy the exact string that is +required for Activity Monitor or Threat Prevention to the clipboard to configure the LDAP events for +this Honeytoken. 
+ +![ldapfiltercopiedtoclipboard](/images/threatprevention/7.5/admin/policies/eventtype/usecase/ldapfiltercopiedtoclipboard.webp) + +A notification will pop up and the filter will be saved to the clipboard. + +### Configure LDAP Monitoring + +Follow the steps to configure LDAP monitoring for Threat Manager. + +**Step 4 –** In the Threat PreventionAdministration Console , go to **Templates** > **Netwrix Threat +Manager** > **Netwrix Threat Manager for AD LDAP**. + +**Step 5 –** Click the **Event Type** tab. + +![Netwrix Threat Manager for AD LDAP template – Event Type tab with LDAP Query filter](/images/threatprevention/7.5/admin/policies/eventtype/usecase/ldapmonitoringfortm.webp) + +**Step 6 –** Under Event Filters select **LDAP Query**. If the Include LDAP Queries list is empty, +select the other **LDAP Monitoring** event type in the list above. + +**Step 7 –** Scroll to the bottom of the Include LDAP Queries list. + +**Step 8 –** Select the line below the last existing query filter and paste the string copied from +Threat Manager. + +:::tip +Remember, the Honeytoken tab of the +[Netwrix Threat Manager Configuration Window](/docs/threatmanager/3.1/install/integration/threatprevention/threatmanagerconfiguration.md) +must be configured in order to successfully send LDAP monitoring data to Threat Manager. +::: + + +### Configure LDAP Monitoring in the Activity Monitor + +Follow the steps to configure LDAP monitoring within Netwrix Activity Monitor for Netwrix Threat +Manager. + +:::note +LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab. +::: + + +![Activity Monitor with SD Only](/images/activitymonitor/8.0/admin/monitoreddomains/actiivtymonitordomainsdonly.webp) + +**Step 9 –** In the Activity Monitor, click on the **Monitored Domains** tab. + +**Step 10 –** Select a domain and click **Edit**. 
+ +![LDAP Monitoring Configuration for Threat Manager](/images/activitymonitor/8.0/admin/monitoreddomains/sdldapmonitoring.webp) + +**Step 11 –** Select the **LDAP Monitor** tab. + +**Step 12 –** Select the **LDAP** tab. + +**Step 13 –** In the “Query” section, double-click the blank line below the last filled in line. + +**Step 14 –** Paste the string copied from Threat Manager and press **Enter**. + +LDAP monitoring has been configured for Threat Manager. diff --git a/docs/threatmanager/3.1/administration/configuration/policies/overview.md b/docs/threatmanager/3.1/administration/configuration/policies/overview.md new file mode 100644 index 0000000000..2fcb6f5a3c --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/policies/overview.md 
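Review bot: Step 4 is missing a space in "Threat PreventionAdministration Console". The Activity Monitor note "LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab" is a comma splice that drops the key qualifier; it should read "LDAP monitoring is not enabled by default; enable it on the Monitored Domains tab". Step 3 ("fill in the requested information and click Copy LDAP Filter") does not say which fields must be set before the copied filter is valid; since the page says LDAP monitoring must be configured for the Honeytoken username, point to the Token Username field on the Policy Configuration page, because a filter copied before that field is set will not match the deployed token. Also, the step numbers run 1 to 14 across three subsections that describe alternative paths (Threat Prevention or Activity Monitor), so a reader following only the Activity Monitor path starts at Step 9; consider restarting numbering per subsection.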
@@ -0,0 +1,74 @@ +--- +title: "Policies Page" +description: "Policies Page" +sidebar_position: 40 +--- + +# Policies Page + +The Policies Page provides an overview of the policies added to the Policies box and their +deployment history. It also provides the ability to add new polices and configure them. + +![page](/images/threatmanager/3.0/administration/configuration/policies/page.webp) + +The Polices table displays the following information: + +- Name – The policy name +- Enabled – A green checkmark indicates that the policy is enabled. A red x indicates that the + policy is disabled +- Hosts – The number of hosts on which the policy is applied +- Last Deployed – The date and timestamp of the last policy deployment +- Schedule – The interval at which the policy will deploy + +The Deployment History table displays the following information: + +- Created – When the policy was applied to a host +- Host – The host on which the policy was applied. If the host exists in the Threat Manager + database, click on the host link to go to the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) +- User Name – The user account associated with the policy. (In the case of a Honeytoken policy, the + user account created by the Honeytoken policy.) +- Policy – The policy name. Click on the policy link to go to the Configuration tab for that policy. + +The Policies page also provides the ability to click on a policy and view information and +configuration options for that policy. See [Policy Configuration](/docs/threatmanager/3.1/administration/configuration/policies/policiesconfiguration.md) for +additional information. + +## Add a Policy for a Honeytoken + +A Honeytoken-type policy adds Honeytokens, which are fake credentials stored in memory. When an +attack scans memory they may try to authenticate or query the domain for information about the +account. Policies for Honeytokens are added on the Policies page. 
+ +:::note +When a Honeytoken name is specified and the policy is enabled, this policy becomes +immediately valid for Honeytoken threat detection. Please refer to +[Configure Honeytoken Threats](/docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md) for Honeytoken naming best practices. +::: + + +Follow the steps to add a policy. + +![addnewpolicy](/images/threatmanager/3.0/administration/configuration/policies/addnewpolicy.webp) + +**Step 1 –** In the Policies box, click Add New Policy. The Add Profile window opens. + +**Step 2 –** In the Type drop-down list, select Honeytoken. + +**Step 3 –** Enter the following information: + +- Name – The name for the policy + + :::note + See [Configure Honeytoken Threats](/docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md) for best practices for naming a + Honeytoken. + ::: + + +- Description – The description for the policy +- Enabled – The policy is set to OFF or disabled by default. Click the red X to set the Honeytoken + to ON and enable it. + +**Step 4 –** Click Add. + +The Honeytoken policy is listed in the Policies box. Repeat the process to add additional policies +for Honeytokens. diff --git a/docs/threatmanager/3.1/administration/configuration/policies/policiesconfiguration.md b/docs/threatmanager/3.1/administration/configuration/policies/policiesconfiguration.md new file mode 100644 index 0000000000..6e2a308733 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/policies/policiesconfiguration.md 
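Review bot: the Enabled bullet here says "The policy is set to OFF or disabled by default. Click the red X to set the Honeytoken to ON", but policiesconfiguration.md in this same patch says "This option is set to ON or enabled by default. Click the checkmark to set to OFF or disabled"; one of them is wrong, so reconcile the two pages to state the same default. Also in this hunk: "When an attack scans memory they may try to authenticate" should be "When an attacker scans memory, they may try"; Step 1 says clicking Add New Policy opens "the Add Profile window", which does not match the button name and should be checked against the UI; and "polices" is misspelled twice (the intro and "The Polices table").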
@@ -0,0 +1,199 @@ +--- +title: "Policy Configuration" +description: "Policy Configuration" +sidebar_position: 10 +--- + +# Policy Configuration + +The Policy Details page displays information about the Honeytoken configuration. + +:::note +Policies for Honeytokens must be enabled by configuring the settings on the Configuration +tab. +::: + + +![detailspage](/images/threatmanager/3.0/administration/configuration/policies/detailspage.webp) + +The Policies box displays the name of the Honeytoken policy. The Policy Information box displays the +Honeytoken policy and a description if specified. Click the Edit button to change the name of the +Honeytoken policy. If the policy name is changed, click the Save button to save the new name. Click +the Delete button to delete the Honeytoken policy. + +The Tabs box contains the following tabs: + +- Configuration Tab +- Hosts Tab +- Deployment Tab +- History Tab + +## Configuration Tab + +The Configuration tab provides information on the selected policy for a Honeytoken. + +![configurationtab](/images/threatmanager/3.0/administration/configuration/policies/configurationtab.webp) + +The Configuration tab contains the following configuration options: + +- Enabled – This option is set to ON or enabled by default. Click the checkmark to set to OFF or + disabled. +- Token Username – The username that is used by the Honeytoken deployment process and threat + detection. This is a static username that will be used for all deployments for this policy. + + :::note + The token username can be changed post-deployment, however tokens under the previous + username will no longer bedetected. + ::: + + + :::info + Do not change the username of a Honeytoken after a successful deployment of + the token to a host. + ::: + + +- Token Password – Specify a password string to be used for the Honeytoken deployment. Passwords + require at minimum one wildcard character. Use '@' to specify random letters and '#" to specify + random numbers. 
+ + :::note + If the Honeytoken script cannot reach the Threat Manager URL, the Honeytoken will + still be deployed but Threat Manager will be unaware of the Honeytoken deployment status. + ::: + + +- Threat Manager URL – Specify the Threat Manager address to be used by the Honeytoken script to + communicate with Threat Manager. Honeytoken hosts must be able to communicate via HTTP REST to + this address in order to report Honeytoken deployment status +- Token Domain – The domain to be used for the deployed Honeytoken. This can be selected from + existing, known domains or a custom domain can be specified. +- Select Credential Profile – Lists Credential Profiles added on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). Select a Credential Profile from the + drop-down list. +- Select Preferrred Action Service – Select the Action Service to be used for Honeytoken deployment. +- Token Time to Reset Password – All Honeytokens for a policy will share common password. This value + specifies how frequently a new password will be generated for the Honeytoken policy. Select a + value using the drop-down menu from the following options: + - 1 Day + - 7 Days + - 14 Days + - 30 Days + - 90 Days +- Test Policy Button– Click the Test Policy button to run an LDAP query for the token username + specified. This generates an event that will be detected by an Active Directory monitoring agent + and sent to Threat Manager. If the event is received by Threat Manager within three minutes, the + button displays Test Succeeded. + + :::note + If Threat Prevention is used for Active Directory event monitoring, then an LDAP + monitoring policy must be enabled and configured to capture LDAP events for Honeytoken users for + the test to be successful. See the + [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) + for additional information. 
If Activity Monitor is used for Active Directory event monitoring, + then the LDAP Monitor tab in the AD Monitoring Configuration Window must be configured to + capture LDAP events for Honeytoken users for the test to be successful. See the + [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) + for additional information. + ::: + + +:::info +Use the Copy LDAP Filter button to ensure that the LDAP Filter Policy string is +properly configured to capture LDAP events for the Honeytoken policy. +::: + + +- Copy LDAP Filter Button– Clicking the Copy LDAP Filter button will automatically copy to the + clipboard the exact string that is required for Activity Monitor or Threat Prevention to configure + the LDAP events for this Honeytoken. The copied string should then be pasted into the LDAP filter + policy settings for Activity Monitor or Threat Prevention. + + :::note + This is a required configuration in order to detect LDAP-based Honeytoken threats. + ::: + + +Click Save to update the policy settings. Once saved, threats are detected for this Honeytoken user. + +## Hosts Tab + +The Hosts tab provides information on hosts that have policies deployed. 
The Hosts tab displays the +following information: + +![This screenshot displays the Hosts tab.](/images/threatmanager/3.0/administration/configuration/policies/policieshoststab.webp) + +- Host – The host where the policy was deployed to create Honeytokens +- Token Name – The name of the Honeytoken user +- Token Status: + - Active – The token is currently deployed to the host and has an active process + - Decommissioned – The token is no longer valid and does not have an active process +- Process – The process ID of the process launched for the Honeytoken +- Last Deployed – When the policy was last run and deployed a new token on the host +- Created – The creation date and timestamp for the Honeytoken + +## Deployment Tab + +The Deployment tab provides a variety of methods to deploy Honeytokens to computers. Threat Manager +Action Service can be used to deploy Honeytokens to remote computers, or a PowerShell script can be +downloaded to allow either an external mechanism to deploy Honeytokens or for manual deployment of +the Honeytokens. + +![deploymenttab](/images/threatmanager/3.0/administration/configuration/policies/deploymenttab.webp) + +- PowerShell Script Deployment: + + - Download – Click the Download button to download the Honeytoken deployment script. Running + this script will deploy a Honeytoken and report the status of the deployment to Threat + Manager. + + :::note + The token's current username, domain, and password are automatically injected into + the script as a backup in case the Threat Manager address cannot be accessed by the + Honeytoken script. + ::: + + +- Host Deployment: + - Hosts – Type in the box to search for and select a host. Alternatively, a comma-separated list + can be pasted to this field to import a list of hosts. + - CSV Import Button – Click to open a file explorer window to select a single-column CSV file + containing the host names of computers to add to the host list. 
+ - Deploy Now Button– Click Deploy Now to open the Deployment Status Window and immediately + deploy to all hosts specified in the Hosts list, using the Honeytoken policy preferred Action + Service. + - Schedule – Select a schedule to automatically enable automatic deployment of Honeytokens. Once + a schedule is designated, deployment will be queued immediately and will then follow the + specified schedule. The default schedule is None. + - Hourly + - Daily + - Weekly +- Click **Schedule** to apply the Honeytoken deployment schedule to the policy. + +## Deployment Status Window + +When the Deploy Now button is clicked, Threat Manager will immediately deploy the Honeytoken to all +hosts specified in the Hosts lists, utilizing the preferred action service selected for the +Honeytoken policy on the Configuration tab. + +![honeytokeninprogress](/images/threatmanager/3.0/administration/configuration/policies/honeytokeninprogress.webp) + +Closing this window will not cancel the deployment. + +![honeytokendeploymentwindowcomplete](/images/threatmanager/3.0/administration/configuration/policies/honeytokendeploymentwindowcomplete.webp) + +The window will update when the deployment is complete. The hosts and statuses will be listed, +viewable by clicking the caret. Deployment status for each host may also be viewed on the Policy +History tab. When finished, click **Close** or the gray x to exit the window. + +## History Tab + +The History tab displays audit history for changes to this policy. It contains a table with the +following columns: + +![This screenshot displays the History tab.](/images/threatmanager/3.0/administration/configuration/policies/policieshistorytab.webp) + +- TimeStamp – The timestamp for when the activity occurred +- Message – A description of the activity that occurred +- User – The user associated with the activity +- Host – The host associated with the activity 
diff --git a/docs/threatmanager/3.1/administration/configuration/systemhealth/_category_.json b/docs/threatmanager/3.1/administration/configuration/systemhealth/_category_.json new file mode 100644 index 0000000000..f7216322de --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemhealth/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "System Health Interface", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/systemhealth/actionqueue.md b/docs/threatmanager/3.1/administration/configuration/systemhealth/actionqueue.md new file mode 100644 index 0000000000..7ca90a97b5 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemhealth/actionqueue.md @@ -0,0 +1,15 @@ +--- +title: "Action Queue" +description: "Action Queue" +sidebar_position: 20 +--- + +# Action Queue + +The Action Queue Overview shows any pending or in-progress actions taken by the Threat Manager +Action Service. + +![actionqueue](/images/threatmanager/3.0/administration/configuration/systemhealth/actionqueue.webp) + +This includes Honeytoken deployments and Threat Response Playbook executions. Any actions in the +action queue may be stopped by clicking the **Stop** button. diff --git a/docs/threatmanager/3.1/administration/configuration/systemhealth/agents.md b/docs/threatmanager/3.1/administration/configuration/systemhealth/agents.md new file mode 100644 index 0000000000..d0955cb163 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemhealth/agents.md 
@@ -0,0 +1,20 @@ +--- +title: "Agents" +description: "Agents" +sidebar_position: 30 +--- + +# Agents + +The Agents Overview reports which Threat Prevention agents have successfully sent events to Threat +Manager. This requires a minimum version of Threat Prevention7.5. This section may be used to +troubleshoot or diagnose agent issues by indicating the connectivity of the Threat Prevention agent +to the Threat Manager server. + +![System Health Page Agent Overview](/images/threatmanager/3.0/administration/configuration/systemhealth/agentoverview.webp) + +Clicking **Decommission** will remove an agent from the Threat Manager agent list. + +If an active agent has not contacted the Threat Manager server for 10 minutes, it will be placed +into offline mode. This will generate an alert in Threat Manager. In the instance that an agent has +become unresponsive, a magenta alert banner displays, located just below the navigation header. diff --git a/docs/threatmanager/3.1/administration/configuration/systemhealth/backlog.md b/docs/threatmanager/3.1/administration/configuration/systemhealth/backlog.md new file mode 100644 index 0000000000..1ca0bb6a00 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemhealth/backlog.md @@ -0,0 +1,15 @@ +--- +title: "Backlog" +description: "Backlog" +sidebar_position: 10 +--- + +# Backlog + +The Backlog overview displays a summary of all threats and system jobs with the events in queue to +be processed. It also displays other job information depending on the job type. + +![Backlog Overview](/images/threatmanager/3.0/administration/configuration/systemhealth/backlogoverview.webp) + +In Threat Manager, jobs are used for threat evaluation, maintenance tasks, and operational +procedures such as email and SIEM notifications. 
diff --git a/docs/threatmanager/3.1/administration/configuration/systemhealth/overview.md b/docs/threatmanager/3.1/administration/configuration/systemhealth/overview.md new file mode 100644 index 0000000000..bebcad4090 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemhealth/overview.md @@ -0,0 +1,25 @@ +--- +title: "System Health Interface" +description: "System Health Interface" +sidebar_position: 50 +--- + +# System Health Interface + +The System Health interface displays database statistics and the total number of events for all +threat types and a summary for each job. + +![System Health interface](/images/threatmanager/3.0/administration/configuration/systemhealth/interface.webp) + +:::note +The System Health page only displays threats that are enabled. Jobs that are disabled are +not displayed. +::: + + +The System Health interface contains the following pages: + +- [Backlog](/docs/threatmanager/3.1/administration/configuration/systemhealth/backlog.md) +- [Action Queue](/docs/threatmanager/3.1/administration/configuration/systemhealth/actionqueue.md) +- [Agents](/docs/threatmanager/3.1/administration/configuration/systemhealth/agents.md) +- [Services Page](/docs/threatmanager/3.1/administration/configuration/systemhealth/services.md) diff --git a/docs/threatmanager/3.1/administration/configuration/systemhealth/services.md b/docs/threatmanager/3.1/administration/configuration/systemhealth/services.md new file mode 100644 index 0000000000..813d133692 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemhealth/services.md 
@@ -0,0 +1,35 @@ +--- +title: "Services Page" +description: "Services Page" +sidebar_position: 40 +--- + +# Services Page + +The Services page displays the services associated with the application server. See the +[Installation](/docs/threatmanager/3.1/install/overview.md) topic for a complete list of application services. + +![System Health interface showing the Services page](/images/threatmanager/3.0/administration/configuration/systemhealth/servicespage.webp) + +The table displays the following information: + +- Name – The name of the host where the service is running +- Type – The type of service +- Status – The icon indicates the status of the service. A green circle indicates the service is + online. A red circle indicates the service is offline. + +## Service Details Page + +Select a service from the table or the navigation pane to view its details. + +![System Health interface displaying the details for a Service](/images/threatmanager/3.0/administration/configuration/systemhealth/servicesdetails.webp) + +The page displays the following information: + +- Name – The name of the host where the service is running +- Created – Date timestamp when the service was installed +- Description – An explanation of what the service does +- Status – Indicates if the service is running +- Capabilities – This table employs the Name and Value columns to display the service capabilities + +In the event of a service outage, an alert is displayed below the navigation header. diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/_category_.json b/docs/threatmanager/3.1/administration/configuration/systemsettings/_category_.json new file mode 100644 index 0000000000..4b3fcbbbd1 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "System Settings Interface", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/about.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/about.md new file mode 100644 index 0000000000..6447ce9894 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/about.md @@ -0,0 +1,23 @@ +--- +title: "About Threat Manager Page" +description: "About Threat Manager Page" +sidebar_position: 50 +--- + +# About Threat Manager Page + +The About Threat Manager page in the System Settings interface provides information about the +application version and third-party licenses. + +![System Settings interfaces on the About Threat Manager page](/images/threatmanager/3.0/administration/configuration/systemsettings/about.webp) + +The About Threat Manager section contains application version information. It also includes the +application copyright information. + +The Third-Party Licenses section contains a list of all third-party licenses in use by the +application. Each component and its license is listed. + +- To view the details for a specific license, click the arrow icon on its left to expand the license + details. +- To view the details for all licenses, click the **Expand All** button. +- To view the third-party's license page, click the corresponding external link icon. diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md new file mode 100644 index 0000000000..b9534fdb23 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md 
@@ -0,0 +1,35 @@ +--- +title: "Auditing Page" +description: "Auditing Page" +sidebar_position: 10 +--- + +# Auditing Page + +The Auditing page within the System Settings interface contains the Audit History table with +information about all application events. + +![System Settings interface showing the Auditing page](/images/threatmanager/3.0/administration/configuration/systemsettings/interface.webp) + +The Audit History table displays the following information: + +- Log Level – The relative impact of the action. This feature is auto-assigned by the application. +- Log Type – The overall type of activity source of the change: + + - Audit – User-performed action + - System – Change made by the application + - Security – Log into the console + +- Time Stamp – The date timestamp for when the changed occurred +- Description – A summary of the event that occurred +- User Name – The name of the user account that performed the audit event +- IP Address – The IP address for the user's client machine +- Category – The general categorization of the operation that was performed +- Sub-Category – The specific category of the operation +- Status – Indicates whether the event was completed successfully or failed +- Resource – Where applicable, identifies the related resource that was changed or accessed + +The table is designed to display 10 records at a time, by default. However, you can set this to 50, +100, or 1,000 rows with the drop-down menu above the right corner of the table. There is a search +box above the left corner of the table. Page navigation buttons are below the table. You can also +export the data from the current page using the **Export CSV** button. diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md new file mode 100644 index 0000000000..a6816af66d --- /dev/null 
+++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md @@ -0,0 +1,40 @@ +--- +title: "Licensing Page" +description: "Licensing Page" +sidebar_position: 30 +--- + +# Licensing Page + +License information is displayed on the Licensing page of the System Settings interface. Threat +Manager comes with a temporary 15-day license. + +![System Settings interfaces on the Licensing page](/images/threatmanager/3.0/administration/configuration/systemsettings/licensing.webp) + +The License Info section displays the following: + +- Customer Info – Name of the licensed customer +- Type – Type of license +- Expires – Expiration date + +The License section provides a method for importing a new license. + +If the license is missing or expired, an alert banner displays, located just below the navigation +header. + +## Import License + +Follow the steps to import a license key file. + +![License section of the Licensing page](/images/threatmanager/3.0/administration/configuration/systemsettings/licensingbrowse.webp) + +**Step 1 –** On the License page of the System Settings interface, click Browse. The Add New +Integration window opens. + +**Step 2 –** Locate the **License Key File** in the File Explorer and click **Open**. The File +Explorer closes and returns to the console. + +**Step 3 –** Refresh the page to confirm that the license has been uploaded properly. + +The License Key is now imported into Threat Manager. The license information is displayed in the +License Info section at the top of the page. diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/overview.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/overview.md new file mode 100644 index 0000000000..2ca7c1ee8e --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/overview.md 
@@ -0,0 +1,23 @@ +--- +title: "System Settings Interface" +description: "System Settings Interface" +sidebar_position: 60 +--- + +# System Settings Interface + +The System Settings interface provides access to system logs, user access controls, licensing, and +more. + +Use the gear icon in the upper right corner of the console to open the Configuration menu. Then +select **System Settings** to open the System Settings interface. + +![System Settings interface](/images/threatmanager/3.0/administration/configuration/systemsettings/interface.webp) + +It contains the following pages: + +- [Auditing Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md) +- [User Access Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md) +- [Licensing Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md) +- [System Jobs Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/systemjobs.md) +- [About Threat Manager Page](/docs/threatmanager/3.1/administration/configuration/systemsettings/about.md) diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/systemjobs.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/systemjobs.md new file mode 100644 index 0000000000..91119b981b --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/systemjobs.md 
@@ -0,0 +1,99 @@ +--- +title: "System Jobs Page" +description: "System Jobs Page" +sidebar_position: 40 +--- + +# System Jobs Page + +The System Jobs page within the System Settings interface contains information and configuration +options for the application system jobs. + +![System Settings interface on the System Jobs page](/images/threatmanager/3.0/administration/configuration/systemsettings/page_1.webp) + +The table lists the system maintenance jobs: + +- Report Maintenance – Clears old reports +- Database Maintenance – Clears no longer needed or irrelevant data from the database + +The details for a system job can be viewed by selecting it from the table or the navigation pane. +The information available varies based on the type of job selected. + +## Report Maintenance Job Details Page + +The Report Maintenance job details page has two tabs that provide configuration options and job +health details. + +![System Settings interface on the System Jobs page showing the Report Maintenance job Settings tab](/images/threatmanager/3.0/administration/configuration/systemsettings/reportsettings.webp) + +**Settings Tab** + +The Settings tab has the following configurable settings: + +- Time to Retain Reports – Time period to retain reports. Reports with a created date older than the + retain time will be removed at this interval. By default, this is set to 1 Month. Use the + drop-down menu to select another interval, which includes 1 Day, 1 Week, 1 Month, 3 Months, and 6 + Months as options. +- Time Interval to Run Report Cleanup – The interval to run the Report Cleanup job. At the interval + specified, any reports older than the retention period will be cleaned up. By default, this is set + to 1 Day. Use the drop-down menu to select another interval, which includes 1 Day, 1 Week, and 1 + Month as options. +- Time During the day to run the Cleanup – The time during the day to run the Cleanup script, + happening at the currently configured interval. 
By default, this is set to midnight, 12:00 AM. Use + the clock menu to select the desired time. + +**Health Tab** + +The Health tab displays the following information: + +![Health tab of the Report Maintenance job details page](/images/threatprevention/7.5/reportingmodule/configuration/systemsettings/reporthealth.webp) + +- Size of Reports Directory – Displays the size of the directory where reports are stored +- Next Run Time – Date timestamp for the next time the job will run + +## Database Maintenance Job Details Page + +The Database Maintenance job details page has two tabs that provide configuration options and job +health details. + +![System Settings interface on the System Jobs page showing the Database Maintenance job Settings tab](/images/threatmanager/3.0/administration/configuration/systemsettings/databasesettings.webp) + +**Settings Tab** + +The settings tab has the following configurable settings: + +- Time to Retain Events – Time period to retain events not related to any threats. Threats with the + "False Positive" status will be removed at this interval. By default, this is set to 1 Week. Use + the drop-down menu to select another interval, which includes 1 Week, 1 Month, 3 Months, and 6 + Months as options. +- Time to Retain Threat Events – Time period to retain events related to any threats. The primary + event for each threat will still be retained. By default, this is set to 1 Month. Use the + drop-down menu to select another interval, which includes 1 Week, 1 Month, 3 Months, 6 Months, and + 1 Year as options. +- Time to Retain Open Threats – Time period to retain threats with the "Open" status. By default, + this is set to 6 Months. Use the drop-down menu to select another interval, which includes 1 + Month, 3 Months, 6 Months, 1 Year, 5 Years, and Forever as options. +- Time to Retain Closed Threats – Time period to retain threats with the "Closed" status. By + default, this is set to 6 Months. 
Use the drop-down menu to select another interval, which + includes 1 Month, 3 Months, 6 Months, 1 Year, 5 Years, and Forever as options. +- Time to Retain Audit Logs – Time period to retain audit log data. By default, this is set to 6 + Months. Use the drop-down menu to select another interval, which includes 1 Month, 3 Months, 6 + Months, 1 Year, 5 Years, and Forever as options. +- Time to Retain Policy Data – Time period to retain expired policy data. By default, this is set to + 6 Months. Use the drop-down menu to select another interval, which includes 1 Month, 3 Months, 6 + Months, 1 Year, 5 Years, and Forever as options. + +This job is essential for maintaining a healthy and efficient Threat Manager database. You can +choose to store certain data types for longer periods of time. Longer periods will require larger +disk storage space and disk access speeds. + +**Health Tab** + +The Health tab displays the following information: + +![Health tab of the Database Maintenance job details page](/images/threatmanager/3.0/administration/configuration/systemsettings/databasehealth.webp) + +- Database Size – Displays the size of the database file +- Events in queue – Displays the number of events in queue for potential threat detection purposes +- Last Heartbeat – Date timestamp for the last time the agent connection was checked +- Next Run Time – Date timestamp for the next time the job will run diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md new file mode 100644 index 0000000000..4c1fb59ccc --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md 
@@ -0,0 +1,246 @@ +--- +title: "User Access Page" +description: "User Access Page" +sidebar_position: 20 +--- + +# User Access Page + +The User Access page within the System Settings interface displays users and groups with their +assigned roles for console access. + +![System Settings interface on the User Access page](/images/threatmanager/3.0/administration/configuration/systemsettings/page.webp) + +Roles are assigned by the following methods: + +- Group Membership – Members of the group will be given the role assigned + + :::note + If a user is a member of multiple assigned groups, the group with the highest level of + privilege is assigned + ::: + + +- Direct User Assignment – Assigns a role directly to a user + + :::note + If a user is assigned a role directly, it takes priority over any group membership + roles that have been assigned + ::: + + +The User Access page includes the following sections: + +- Users & Groups – It provides the ability to allow or deny console access and configure + authentication types for users and groups. See the Users & Groups topic for additional + information. +- Settings – It provides the ability to customize the user login page and configure the token + expiration time for authenticated users. See the Settings topic for additional information. + +## Users & Groups + +The Users & Groups section provides the ability to allow or deny console access and configure +authentication types for users and groups. + +![Users and Groups section of the User Access page](/images/threatprevention/7.5/reportingmodule/configuration/systemsettings/usersgroups.webp) + +The table displays the following information: + +- Access rule type – Indicates the access type as _Allow_, which enables console access, or _Deny_, + which disables console access + + :::note + Disabling a user or group disables that level of access. It does not block the user or + group from logging into the console if they have access through another role assignment. 
+ ::: + + +- Login name – The NTStyle domain name for the user or group account +- Display name – The display name for the user or group account +- Domain Name – Name of the domain. This may be either the domain DNS name or domain controller + hostname. For the built-in ADMIN account, the domain is DEFEND Admin. +- Role – The role assigned to the user or group for accessing this application. See the Roles + Defined topic for additional information. +- Authentication Type – Type of MFA authentication assigned to the user or group. See the + Authentication Types Defined topic for additional information. +- Action – This column has the following icons for conducting actions on the user or group: + + - Edit icon – Allows you to edit the columns in the selected row by enabling drop-down menus. + The edit icon changes to a save icon while in edit mode. See the Edit Console Access topic for + additional information. + - Trash icon – Opens a Warning window to confirm the action of deleting the user or group. + Removing a user or group removes console access for it.. Note that the builtin "ADMIN" account + cannot have its access removed until an account besides the builtin "ADMIN" is granted + administrative access to the console. + - Reset MFA button – Forces the user or every user in the group to reconfigure MFA on the next + login. This option is only available if an MFA authentication type is applied to the user or + group. + - Change Password icon – Only available for the built-in ADMIN account. This icon opens the Edit + password for build-in admin window. See the Edit Built-in Admin Password topic for additional + information. + +The **New Access** button opens the Add Console Access window. See the Add Console Access topic for +additional information. 
+ +### Roles Defined + +The following Roles can be assigned to AD users and groups: + +- Administrator – This role provides unrestricted access to all functionality +- Report Administrator – This role can configure/utilize anything on the investigations page + + - No access to Configuration pages + - No access to the Threat Response page + - No access to Playbooks + - Unable to trigger Playbooks from Threats + - Only has access to the investigation pages + - Can create, edit, and assign any investigation + - Can export any investigation + - Can create or modify any subscription + +- Response Managers – This role allows users or groups to run, save, and modify Investigations and + view the Configuration interface. These users can also view Threats and configure and run + Playbooks. +- Responders – This role allows users or groups to run Investigations, view Threats, and trigger + Playgroups from Threats + + - No access to Configuration pages + - Unable to save Investigations or modify exiting Investigations + - No access to the Threat Response page + +- Reviewers – This role allows users or groups to run Investigations and view Threats + + - No access to Configuration pages + - Unable to save Investigations or modify exiting Investigations + - No access to the Threat Response page + - No access to Playbooks + - Unable to trigger Playgroups from Threats + +- Report Reviewer – This role can only utilize investigations that have been directly assigned to + them + + - No access to Configuration pages + - No access to the Threat Response page + - No access to Playbooks + - Unable to trigger Playbooks from Threats + - Only has access to the investigation pages + - Unable to save Investigations or modify exiting Investigations + - Can only see and run saved investigations that have been assigned to them + - Can export reports they have access to + +### Authentication Types Defined + +The following authentication types can be assigned to users and groups: + +- Built-in MFA 
– This type uses an Active Directory username and password with a one-time password + (OTP) that is configured on the first login by a user via a multi-factor authentication (MFA) + solution (Authenticator, DUO, etc.) +- No MFA – This type uses only an Active Directory username and password for authentication +- Authentication Provider Profiles – This type enables third-party authentication providers using + RADIUS, OpenID, and SAML integrations. Methods of authentication will vary based on the + third-party authentication provider. This must be configure in the Authentication Provider page of + the Integrations interface in order to be available for user assignment. + +See the [Authentication Provider Page](/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md) topic for +additional information. + +### Add Console Access + +:::note +Verify that an Active Directory Sync has completed to ensure that user and group +information is updated. See the [Active Directory Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md) +for additional information. +::: + + +Follow the steps to add console access for a user or group. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **System Settings** to open the System Settings interface. + +**Step 2 –** On the User Access page of the System Settings interface, click New Access. The Add +Console Access window opens. + +![Add Console Access window](/images/threatprevention/7.5/reportingmodule/configuration/systemsettings/addconsoleaccess.webp) + +**Step 3 –** Begin typing a user or group name in the **User Access** box. The drop-down menu will +populate as you type with available options. Select a user or group from the menu. + +**Step 4 –** Select an authentication type from the **Authentication Type** drop-down menu. 
+ +:::tip +Remember, authentication provider profile types are displayed after an integration has been +configured on the Authentication Provider page of the Integrations interface. +::: + + +**Step 5 –** Select a role to assign it to the user or group from the **Role** drop-down menu. + +**Step 6 –** Click Add. The Add Console Access window closes. + +The user or group is added to the table with the assigned role. + +### Edit Console Access + +Follow the steps to change the role assigned to a user or group. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **System Settings** to open the System Settings interface. + +**Step 2 –** On the User Access page of the System Settings interface, click the **Edit** icon for a +user or group. + +![User and Groups section showing the 3 drop-down menus in Edit mode](/images/threatprevention/7.5/reportingmodule/configuration/systemsettings/editaccess.webp) + +**Step 3 –** Use the drop-down menus to modify the Access rule type, Role, and/or Authentication +Type for this user or group. + +**Step 4 –** Click the Save icon, which replaced the Edit icon. + +The modification for the selected user or group is committed. + +### Edit Built-in Admin Password + +Follow the steps to change the password for the built-in ADMIN account. + +**Step 1 –** Use the gear icon in the upper right corner of the console to open the Configuration +menu. Then select **System Settings** to open the System Settings interface. + +**Step 2 –** On the User Access page of the System Settings interface, click the gear icon for the +built-in ADMIN account. The Edit password for built-in admin window opens. + +![Edit password for built-in admin window](/images/threatprevention/7.5/reportingmodule/configuration/systemsettings/editpasswordbuiltinadmin.webp) + +**Step 3 –** Enter the existing password in the **Old Password** field. 
+ +**Step 4 –** Enter the new password in the **New Password** field. + +**Step 5 –** Re-enter the new password in the **Confirm New Password** field. + +**Step 6 –** Click Save. The Edit password for built-in admin window closes. + +The password for the built-in ADMIN account has been updated. + +## Settings + +The Settings section provides the ability to customize the user login page and configure the token +expiration time for authenticated users. + +![Settings section of the User Access page](/images/threatmanager/3.0/administration/configuration/systemsettings/settings.webp) + +- One page login (Login, password, MFA code on one page) – Combines username and password, and + multi-factor authentication on a single page +- Two pages login (MFA code on a different page) – This is the default setting for the login page + + - The first page requires a username and password + - The second page is the multi-factor authentication page + +- Token expiration time – The period of inactivity before the user is required to re-authenticate + for access to the console. Select the desired expiration time from the drop-down menu: + + - 15 Minutes + - 30 Minutes + - 1 Hour + - 4 Hours + +Changing any of these options automatically saves your settings and applies to all users. diff --git a/docs/threatmanager/3.1/administration/configuration/threatdetection/_category_.json b/docs/threatmanager/3.1/administration/configuration/threatdetection/_category_.json new file mode 100644 index 0000000000..730274e926 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/threatdetection/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Threat Detection Page", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "threatdetection" + } +} \ No newline at end of file 
diff --git a/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md b/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md new file mode 100644 index 0000000000..f6ed8c4ead --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md 
@@ -0,0 +1,171 @@ +--- +title: "Fine Tune a Threat" +description: "Fine Tune a Threat" +sidebar_position: 10 +--- + +# Fine Tune a Threat + +Selecting a threat in the Threats list displays details for that threat. The Threat Description box +displays the name and description of the threat. + +![This screensot displays the Threat Details box.](/images/threatmanager/3.0/administration/configuration/threatdetails.webp) + +The Threat Configuration Box contains a Processing tab, an Exclusions tab, and in some cases a +Settings tab. + +### Processing Tab + +The Processing tab contains the configuration options for processing the threat. + +![This screenshot displays the Processing tab.](/images/threatmanager/3.0/administration/configuration/processingtab.webp) + +**General:** + +- Status – When set to ON, this threat will be detected by Threat Manager. When set to OFF, this + threat will not be detected by Threat Manager. When a threat status is **OFF**and then set to + **ON**, a dialog will display wherein which data will be processed is determined. + +- Threat Level – The relative severity level, or risk level, of the threat. Threat level controls + the visibility of the threat and can be used to sort, filter, and influence various dashboards and + visualizations throughout the console. This setting does not influence the behavior of the threat + response. + - High – Indicates a serious threat that should be investigated immediately. The high threat + level setting can be used as a filter on the [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md). + - Medium – Indicates a potentially serious threat of activities leading to a serious threat that + should be investigated. The medium threat level setting can be used as a filter on the + [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md). + - Low – Indicates activity that is a potential risk or a bad practice. 
The low threat level + setting can be used as a filter on the [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md). + - Audit – Indicates activity that is not necessarily a threat, but should be monitored. The + audit setting can be used as a filter on the [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md). Some threats will + auto-escalate from audit to a higher level, for example, threats with a high threat event + count or if the perpetrators of the threat are sensitive users. Audit events are also shown on + the [Home Page](/docs/threatmanager/3.1/administration/home.md). + - Informational – Indicates first-time client use or first-time host use, which can be common + events but may also indicate a threat + +**Threat Response:** + +Assigning a threat response designates a playbook to automatically be executed immediately when a +threat of this type is detected. + +- Email Alert – Select On to send email notifications when the threat is detected. Select Off to + turn off email notifications. +- SIEM Alert – Select On to forward threat information to a SIEM service when the threat is + detected. Select Off to turn off forwarding threat information to a SIEM service. +- Run Playbook – Select the playbook that will be used to respond to the threat. + +**Rollup:** + +:::note +Rollup is not available for all threat types. +::: + + +- Enabled – Enables rollups when set to ON. The default state is dependent on the threat type. +- Rollup Time – The timeframe for the rollup. Select a timeframe from the drop-down list: + - 1 Minute + - 5 Minutes + - 15 Minutes + - 30 Minutes + - 1 Hour + - 8 Hours + - 24 Hours + +If rollup is enabled, multiple events from the same perpetrator will be associated with a single +threat. For the given rollup criteria, if additional threat events are received within the selected +rollup time, then the threat events are appended to an existing threat instead of creating a new +threat. 
For example, if a user creates 1000 ransomware files in the configured rollup timeframe, it +is reported as 1 ransomware threat with 1000 events, whereas without rollup many threats would be +created. The configured threat response (Email, SIEM, or Playbooks) will be triggered only once when +the threat is initially detected regardless of rollup configuration. When a threat rolls up, it will +also update the detection time of the threat, which will push it to the top of the Threats Page +timeline. + +![Image is a flow chart visually explaining how a threat is dealt with with or without Rollup enabled.](/images/threatmanager/3.0/administration/configuration/rollupexplanationgraphic.webp) + +The diagram provides an outline of the rollup process. + +### Exclusions Tab + +The Exclusions tab lists existing exclusions for the threat. Exclusions allow rule-based definitions +to be defined for specific criteria to be excluded from threat detection for the threat type. + +![exclusionstab](/images/threatmanager/3.0/administration/configuration/exclusionstab.webp) + +To view details of an existing exclusion, click the arrow next to the exclusion or the name of the +exclusion. + +**Exclusion Details:** + +- Add New Filter – Click the **Add New Filter** button to include an additional filter rule for the + exclusion. +- Delete Filter – Click the smaller **Delete Icon** to the right of the filter to delete that + filter. +- Save – Click **Save** to save changes made to the exclusion. +- Cancel – Click **Cancel** to close the exclusion details and disregard any changes made to the + exclusion. +- Delete Exclusion – Click the larger **Delete Icon** to the right of the Cancel button below the + filter(s) to delete the exclusion. A confirmation window will confirm deletion. + +Click **Add Exclusion** to Add a new Threat Detection Exclusion. + +#### Add Threat Detection Exclusions + +Follow the steps to add an exclusion to the threat type. 
+ +![This screenshot displays the Add Exclusion for Threat Detection window.](/images/threatmanager/3.0/administration/configuration/addexclusion.webp) + +**Step 1 –** Click Add Exclusion. The Add Exclusion for [Threat Type] window opens. + +**Step 2 –** Select a Name for the exclusion + +**Step 3 –** Select an Attribute from the Attribute drop-down list: + +- User +- Host +- Client +- File + +**Step 4 –** Select an Operator from the Operator drop-down list. + +**Step 5 –** Select a Filter by searching for the value and selecting it from the drop-down list. +Or, manually enter the value for the selected exclusion type in the following format: + +- Computer – [domain]\[hostname] +- Client – [domain]\[hostname] +- User – [domain]\[username] +- File – Folder path and full path to file. This exclusion also supports the asterisk wildcard: \* + +**Step 6 –** (Optional) Click **Add New Filter** to include an additional filter rule for the +exclusion. + +**Step 7 –** Click Saveto save the exclusion details. Click **Cancel** to close the modal and +disregard any changes made to the exclusion. + +The exclusion is added to the Exclusions list and the specified activity will immediately be +excluded from threat detection for the threat type. + +### Settings Tab + +The Settings Tab provides additional threat-specific settings that are required for some threats. + +:::note +The Settings tab is only displayed for threats that require additional settings. +::: + + +![This screenshot displays the Settings tab.](/images/threatmanager/3.0/administration/configuration/settingstab.webp) + +This tab shows the settings that are required for the Forged Ticket threat. + +- Sensitive groups only – When enabled, Forged Ticket threats will only be detected if a group that + was added to the forged ticket is tagged as sensitive. +- Membership cache duration – The number of minutes to cache group membership changes. 
This value + should equal the longest expected time for one DC to replicate changes. +- Use all groups – When enabled, Forged Ticket threats will be detected whenever a user is detected + with an unexpected token. +- Specific groups – Only detect threats if the specified groups have been injected into a user's + Privilege Account Certificate (PAC). This setting is ignored when the Use all groups setting is + enabled. diff --git a/docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md b/docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md new file mode 100644 index 0000000000..9098217852 --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md 
@@ -0,0 +1,61 @@ +--- +title: "Threat Detection Page" +description: "Threat Detection Page" +sidebar_position: 10 +--- + +# Threat Detection Page + +The Threat Detection page provides an interface to view and configure threats detected by Threat +Manager. This page provides a Threats list and an overview table that provides a status on all +threats. Clicking on a threat in the Threats list or the Overview table displays details and +configuration options for the threat. + +![Threat Detection page](/images/threatmanager/3.0/administration/configuration/page.webp) + +Custom threats can also be created on this page. + +## Threats Box + +The Threats box displays the threats that are pre-configured with Threat Manager and threats created +with the Investigation page or through the Custom Threat button. Threats that are crossed out are +disabled. + +![Threats Box](/images/threatmanager/3.0/threats/threatsbox.webp) + +The Threats list divides the threats into sections: + +- [Active Directory Threats](/docs/threatmanager/3.1/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.1/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.1/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.1/threats/general.md) +- Threat Detection Page + +Select a threat from the list to display the threat's configuration options to the right of the +Threats box. + +## Overview Table + +The Overview table provides a high-level status of all threats. The table includes the following +information: + +![This screenshot displays the Overview table on the Threat Detection page.](/images/threatmanager/3.0/administration/configuration/overviewtable.webp) + +- Name – The threat name +- Enabled – A green check mark indicates that the threat type is enabled for threat detection. A + gray x indicates that the threat type is not enabled for threat detection. +- Level – The relative severity level, or risk level, of the threat. 
See the + [Fine Tune a Threat](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md) topic for additional information. +- Email – A green check mark indicates that email notifications will be sent when the threat is + detected. A gray x indicates that emailed notifications are disabled. +- SIEM – A green check mark indicates that threat information will be sent to a SIEM service when + the threat is detected. A gray x indicates that forwarding threat information to a SIEM service is + disabled. +- Playbook – A green check mark indicates that a Playbook is assigned to the threat. This means that + a Playbook will be automatically executed every time a threat of this type is detected. +- Rollup – A green check mark indicates that rollups are enabled. A gray x indicates that rollups + are not enabled. See the [Fine Tune a Threat](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md) topic for additional + information. +- Exclusions – A green check mark indicates that one or more exclusions are present for this threat + type. A gray x indicates that no exclusions are present for this threat. See the + [Fine Tune a Threat](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/configuration/threatresponse.md b/docs/threatmanager/3.1/administration/configuration/threatresponse.md new file mode 100644 index 0000000000..81dad0c4be --- /dev/null +++ b/docs/threatmanager/3.1/administration/configuration/threatresponse.md 
@@ -0,0 +1,106 @@ +--- +title: "Threat Response Page" +description: "Threat Response Page" +sidebar_position: 20 +--- + +# Threat Response Page + +The Threat Response page provides the ability to create playbooks and add steps which contain +actions that can be executed in response to detected threats. Threat Manager provides preconfigured +actions for different targets. + +Playbooks are a collection of steps that run sequentially in response to a threat. Each step +contains an action that is designated for the threat response. These steps typically integrate with +existing resources in the organization such as email and helpdesk platforms, Active Directory, file +systems, and custom PowerShell scripts. Playbooks can be executed automatically or ad-hoc by a +Threat Manager Administrator when a threat is detected. + +![threatresponse](/images/threatmanager/3.0/administration/configuration/threatresponse.webp) + +:::note +Custom playbooks can be created using the PowerShell Script action. However, this feature +requires advanced scripting knowledge. 
+::: + + +## Preconfigured Actions + +Threat Manager provides the following out-of-the-box actions: + +### Active Directory Target Actions + +Threat Manager has the following preconfigured Active Directory target actions: + +- Active Directory Group Membership – Adds or removes Active Directory group membership +- Change Password at Next Logon – Forces the user to change their password the next time the user + logs on +- Disable Active Directory Account – Disables the specified account +- Disable Active Directory Computer – Disables the specified computer object in Active Directory +- Reset Password – Resets the password of the specified account +- Revert Permission Change – Reverts a permission change on an Active Directory Object + +### Microsoft Entra ID Target Actions + +Threat Manager has the following preconfigured Entra ID target actions: + +- Entra ID Group Membership – Manages an Entra ID group's membership +- Flag Entra ID User as Confirmed Compromised – Marks a user as confirmed compromised in an Entra + ID tenant +- Disable Entra ID User – Disables a user in an Entra ID tenant +- Reset Entra ID Password – Resets an Entra ID user's password to a specified password +- Revoke Entra ID Sessions – Terminate all active sessions for the perpetrator or affected user to + prevent unauthorized access + +### Local Host Target Actions + +Threat Manager has the following preconfigured Local Host target actions: + +- PowerShell Script – Executes a specified PowerShell script +- Send Email – Sends an email +- Stop Process – Stops a process running locally on the host associated with the threat +- End User Session – Attempts to log the specified user out of any active RDP sessions on the target + client + +### Threat Manager Target Actions + +Threat Manager has the following preconfigured Threat Manager target action: + +- Tag Object – Adds Threat Manager tags to objects associated with a threat +- Manage Blocking Policy – Adds or removes a user from a blocking policy 
+ +### Windows File System Target Actions + +Threat Manager has the following preconfigured Windows File System target actions: + +- Delete File – Deletes the file associated with the threat +- Revert Permission Change – Reverts a permission change on a folder +- Save File Hash – Saves the file hash to the properties of the threat + +### Windows Server Target Actions + +Threat Manager has the following preconfigured Windows Server target actions: + +- Close SMB Session – closes any active SMB sessions for the threat perpetrator on a target host +- Disable user remote desktop access – Disconnects the user from the host and disables their login + rights +- Create Windows Firewall Rule – Adds a Windows Firewall Rule to block inbound or outbound network + protocol traffic for specified hosts + +### Third-Party Applications Target Actions + +Threat Manager has the following preconfigured third-party applications target actions: + +- Create ServiceNow®Incident – Creates an Incident in ServiceNow +- Duo Authentication Push – Sends an Authentication Push to the Duo API +- RADIUS Authentication – Utilizes RADIUS profiles to authenticate user activity +- Microsoft Teams – Posts messages to a Microsoft Teams channel +- Send SYSLOG – Sends a Syslog message to a server +- Set Forescout Property On Host – Adds a property to a Forescout host record +- Slack – Sends a message to Slack +- Twilio® SMS Message – Sends an SMS message through Twilio +- VirusTotal® Report – Scans the file hashes against the VirusTotal API and emails the results +- WebHook – Executes a webhook + +See the [Action Configuration for Playbook Steps](/docs/threatmanager/3.1/administration/playbooks/action/overview.md) topic for +additional information. diff --git a/docs/threatmanager/3.1/administration/home.md b/docs/threatmanager/3.1/administration/home.md new file mode 100644 index 0000000000..e0f829c473 --- /dev/null +++ b/docs/threatmanager/3.1/administration/home.md 
@@ -0,0 +1,48 @@ +--- +title: "Home Page" +description: "Home Page" +sidebar_position: 10 +--- + +# Home Page + +The Home page provides an "at a glance" overview of the possible threats detected in an +organization's environment for the past 24 hours. + +![homepage](/images/threatmanager/3.0/administration/homepage.webp) + +The daily activity summary bar graphs at the top of the page contains the following items: + +- Active Users – Number of unique active users. The bar graph displays the number of active users in + 1-hour increments. +- Active Hosts – Number of active hosts. The bar graph displays the number of active users in 1-hour + increments. +- Threats – Number of threats detected in the past 24 hours. The bar graph displays the threats + detected over the past 24 in 1-hour increments. +- Audit Events – Number of instances of activity that are not necessarily threats, but should be + monitored +- Monitored Activities – Number of monitored activities. The bar graph displays the number of + monitored activities in 1-hour increments. + +Hover over the trend lines in the bar graphs to view the number of threats that occurred during each +time interval and identify any spikes in activity. + +## Home Page Charts + +The Threats by Severity chart displays all threats by threat level to give a visual representation +of threat severity for the past 24 hours. + +The Threats chart displays each threat type detected in the past 24 hours. Each bar on the Threats +chart filters the threats by an hour-long time frame. The bars are hyperlinks that can be clicked to +display the Threats page. The Threats page shows the threats detected for the selected time frame. + +## Home Page Tables + +The Home page displays the following tables: + +- Notable Users – The Notable Users table displays users that are perpetrators of a threat. Click on + the user to go the User Details page for that user. 
+- Notable Computers – The Notable Computers table displays computers where threatening activity has + occurred. Click on the computer to go to the Computer Details page. +- Watchlist – The Watchlist table displays users with the Watchlist tag and a count of any + associated threats diff --git a/docs/threatmanager/3.1/administration/investigations/_category_.json b/docs/threatmanager/3.1/administration/investigations/_category_.json new file mode 100644 index 0000000000..d26d105fe4 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Investigations Interface", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/investigations/auditcompliance.md b/docs/threatmanager/3.1/administration/investigations/auditcompliance.md new file mode 100644 index 0000000000..bcb55c6c11 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/auditcompliance.md 
@@ -0,0 +1,45 @@ +--- +title: "Audit and Compliance Page" +description: "Audit and Compliance Page" +sidebar_position: 50 +--- + +# Audit and Compliance Page + +The Audit and Compliance page in the Investigations interface list of saved out-of-the-box +investigations with applied filters for commonly used Audit and Compliance activity reports. + +![Investigations interface on the Audit and Compliance page](/images/threatmanager/3.0/administration/investigations/auditcompliance.webp) + +The table displays the list of investigations with the following columns: + +- Name – The name of the investigation +- Threat – The check mark indicates that a Threat has been configured for this investigation +- Favorite – The check mark indicates that the investigation has been tagged as a favorite for the + logged in user + +Click an investigation to view it. You can run the query, modify the configuration, add a +subscription, or export the report. See the [Investigation Options](/docs/threatmanager/3.1/administration/investigations/options/overview.md) topic for +additional information on saved investigation options. + +Every report generated by an investigation query displays the same type of information. See the +[Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| AD Changes | All Active Directory changes | One filter statement set:
| +| AD Changes by Domain Admins | All Active Directory changes by Domain Admin>s | Two filter statements set:

AND

| +| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set:
| +| All Events | New Investigation | No filters set | +| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set:
| +| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set:

AND

| +| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set:

AND

| +| LDAP Search | All LDAP search events | One filter statement set:
| +| Privileged Account Activity | All activity by privileged accounts | One filter statement set:
| +| Risky User Activity | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set:
| +| Service Account Activity | All activity by service accounts | One filter statement set:
| +| Watchlist User Activity | All activity by watchlist users | One filter statement set:
| + +You can save additional investigations to this folder. diff --git a/docs/threatmanager/3.1/administration/investigations/favorites.md b/docs/threatmanager/3.1/administration/investigations/favorites.md new file mode 100644 index 0000000000..aab3b95949 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/favorites.md 
@@ -0,0 +1,43 @@ +--- +title: "Favorites Page" +description: "Favorites Page" +sidebar_position: 40 +--- + +# Favorites Page + +The Favorites page in the Investigations interface lists all saved investigations the logged in user +has identified as a favorite. + +Click **Investigate** in the application header bar to open the Investigations interface. Then click +**Favorites** in the navigation pane. + +![Investigation interface on the Favorites page](/images/threatmanager/3.0/administration/investigations/favorites.webp) + +The table displays the list of favorite investigations with the following columns: + +- Name – The name of the investigation +- Threat – The check mark indicates that a Threat has been configured for this investigation +- Favorite – The check mark indicates that the investigation has been tagged as a favorite for the + logged in user + +This provides quick access to regularly used investigations. If you click the investigation under +Favorites in the navigation pane, it directly opens the investigation. If you click the +investigation in the Favorites table, you are navigated to the folder location in the navigation +pane. Click the investigation there to open it. + +## Add a Favorite Investigation + +There is an empty star icon beside the name of an investigation not identified as a favorite. + +![Empty star showing that investigation is not a favorite](/images/threatmanager/3.0/administration/investigations/favoriteunselectedtm.webp) + +Click the star to add the investigation to your Favorites list. + +## Remove an Investigation from Your Favorites + +There is a yellow star icon beside the name of an investigation identified as a favorite. + +![Favorite investigation star icon selected](/images/threatmanager/3.0/administration/investigations/favoriteselected.webp) + +Click the yellow star to remove the investigation from your Favorites list. 
diff --git a/docs/threatmanager/3.1/administration/investigations/myinvestigations.md b/docs/threatmanager/3.1/administration/investigations/myinvestigations.md new file mode 100644 index 0000000000..5ad7d3e2b3 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/myinvestigations.md @@ -0,0 +1,28 @@ +--- +title: "My Investigations Page" +description: "My Investigations Page" +sidebar_position: 70 +--- + +# My Investigations Page + +The My Investigations page in the Investigations interface provides a list of saved investigations +created by the application users. + +Click **Investigate** in the application header bar to open the Investigations interface. + +![Investigations interface on the My Investigations page](/images/threatmanager/3.0/administration/investigations/myinvestigations.webp) + +The table displays the list of investigations with the following columns: + +- Name – The name of the investigation +- Threat – The check mark indicates that a Threat has been configured for this investigation +- Favorite – The check mark indicates that the investigation has been tagged as a favorite for the + logged in user + +Click an investigation to view it. You can run the query, modify the configuration, add a +subscription, or export the report. See the [Investigation Options](/docs/threatmanager/3.1/administration/investigations/options/overview.md) topic for +additional information on saved investigation options. + +Every report generated by an investigation query displays the same type of information. See the +[Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/investigations/newinvestigation.md b/docs/threatmanager/3.1/administration/investigations/newinvestigation.md new file mode 100644 index 0000000000..2a127d661d --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/newinvestigation.md 
@@ -0,0 +1,68 @@ +--- +title: "New Investigation Page" +description: "New Investigation Page" +sidebar_position: 30 +--- + +# New Investigation Page + +The New Investigation page within the Investigations interface enables you to run queries on +available data with desired filters for a specific timeframe. + +![Investigations interface on the New Investigation page](/images/threatmanager/3.0/administration/investigations/interface.webp) + +To generate a new investigation report, configure the filters as desired and set the timeframe. See +the [Filters Section](/docs/threatmanager/3.1/administration/investigations/options/filters.md) topic for additional information. + +Then click **Run Query**. The report data is displayed in the sections below the Filters section. +See the [Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. + +:::note +If you run a query without applying filters, the report sections display all activity by +all users for the designated timeframe, which is set by default to _Last Hour_. +::: + + +The report generated by a New Investigation can be exported. The Schedule Export option is not +available from the New Investigation page. See the [Export Report](/docs/threatmanager/3.1/administration/investigations/options/export.md) topic for +additional information. + +The Save option allows you to save your configured filters to run the investigation again later. + +## Save an Investigation + +To retain filter configuration after running a query and confirming the desired report data is +displayed, follow the steps to save an investigation. + +:::note +This option is available only to users with the Administrator or the Response Managers +roles. +::: + + +**Step 1 –** On the New Investigation page, click **Save** in the upper right corner. The Save +Investigation window opens. 
+ +![saveinvestigation](/images/threatprevention/7.5/reportingmodule/investigations/saveinvestigation.webp) + +**Step 2 –** Enter a unique, descriptive name for this investigation in the **Name** field. + +**Step 3 –** Enter a report description in the **Description** field. + +**Step 4 –** From the Folder drop-down menu, select the location where the investigation will be +saved. The My Investigations folder is the default for custom investigations. + +**Step 5 –** Select a user role from the Owner drop-down menu. All users assigned this role would +own this investigation and they will be able to modify the report. + +**Step 6 –** In the Access box, type to search the user role you want to give access of this +investigation. A list of user roles matching the search string is displayed. Select a single or +multiple user roles. All users belonging to the selected role(s) can view the report. + +**Step 7 –** Click **Save**. The Save Investigation window closes. + +The investigation is saved to the selected folder, and the folder expands in the navigation pane to +display the saved item. Users can open this folder from the navigation pane to access the +investigation. They can run the investigation, schedule exports, or add subscriptions. + +See the [Investigation Options](/docs/threatmanager/3.1/administration/investigations/options/overview.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/investigations/options/_category_.json b/docs/threatmanager/3.1/administration/investigations/options/_category_.json new file mode 100644 index 0000000000..ac363bcbf4 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/options/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Investigation Options", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file 
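Review bot: the role note in newinvestigation.md, "available only to users with the Administrator or the Response Managers roles", should read "Administrator or Response Manager role" (singular, matching the role name). Steps 5 and 6 (Owner and Access) are the access-control surface for a saved investigation, so it would help to state the default when the Access box is left empty (only the owner role can view the report, or all users?) and whether a user can grant access to roles they do not hold themselves. The screenshot is taken from Threat Prevention 7.5 (`/images/threatprevention/7.5/reportingmodule/investigations/saveinvestigation.webp`) rather than Threat Manager; confirm the dialog is identical, and give the image descriptive alt text like the other images on this page instead of "saveinvestigation".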
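Review bot: the new `_category_.json` lacks a trailing newline ("\ No newline at end of file"); add one so that a later edit to the last line does not produce a spurious two-line diff.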
diff --git a/docs/threatmanager/3.1/administration/investigations/options/edit.md b/docs/threatmanager/3.1/administration/investigations/options/edit.md new file mode 100644 index 0000000000..b09508b4db --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/options/edit.md 
@@ -0,0 +1,70 @@ +--- +title: "Edit or Duplicate an Investigation" +description: "Edit or Duplicate an Investigation" +sidebar_position: 20 +--- + +# Edit or Duplicate an Investigation + +An investigation can be edited and even duplicated. + +## Edit an Investigation + +Follow the steps to edit an investigation. + +**Step 1 –** Click **Investigate** in the application header bar to open the Investigations +interface. Then click a folder in the navigation pane to access a saved investigation. An +investigation is located in the folder where it was saved. + +**Step 2 –** Modify the filter criteria of the investigation as desired. + +**Step 3 –** Click the Edit option. + +![Edit Investigation with Save page](/images/threatprevention/7.5/reportingmodule/investigations/options/editinvestigationtm.webp) + +**Step 4 –** The Edit option opens the Save Investigation window in edit mode. You can modify the +name, description, and folder of the saved investigation. If you save the investigation to a +different folder, it will be moved from the original location to the new folder. You can also update +the user roles granted ownership and access to the investigation report. + +**Step 5 –** Click **Save**. The Save Investigation window closes. + +The investigation is saved with the modified settings. + +## Duplicate an Investigation + +Follow the steps to duplicate an investigation. + +**Step 1 –** Click **Investigate** in the application header bar to open the Investigations +interface. Then click a folder in the navigation pane to access a saved investigation. An +investigation is located in the folder where it was saved. + +**Step 2 –** Click the three dots at the top and select **Open as new**. The Open as New option +opens the investigation in Duplicate mode. The filter is the same as that of the base investigation. +You can save it as a new investigation. + +**Step 3 –** Modify the investigation filter statement and click **Save**. 
The Save Investigation +window is displayed. + +![Investigation Open as New option](/images/threatprevention/7.5/reportingmodule/investigations/options/investigationduplicate.webp) + +The Name box displays the investigation name with the word "copy" appended to it. + +**Step 4 –** You can modify the following: + +- Name – The name of the investigation +- Description – An optional description of the investigation +- Folder – The folder in the navigation pane where the investigation is saved + +**Step 5 –** Select a user role from the **Owner** drop-down menu. All users assigned this role +would own this investigation and they will be able to modify the report. + +**Step 6 –** In the Access box, type to search the role you want to give access of this +investigation. A list of user roles matching the search string is displayed. Select a single or +multiple user roles. All users belonging to the selected role(s) can view the report. + +**Step 7 –** Click **Save**. The Save Investigation window closes. + +The duplicated investigation is saved to the selected folder, and the folder expands in the +navigation pane to display the saved item. You can access the investigation from the navigation +pane. diff --git a/docs/threatmanager/3.1/administration/investigations/options/export.md b/docs/threatmanager/3.1/administration/investigations/options/export.md new file mode 100644 index 0000000000..a9e32e468c --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/options/export.md 
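Review bot: in edit.md the Edit procedure is ambiguous about whether filter changes are saved: Step 2 says "Modify the filter criteria of the investigation as desired", but Step 4 describes the Save Investigation window as covering only name, description, folder and roles. State explicitly whether **Save** in Step 5 also persists the modified filter, or whether filters are saved by a separate action. In the Duplicate section, Step 3 "Modify the investigation filter statement and click **Save**" already opens the Save Investigation window, yet Step 4 reads as if editing starts afresh; order the steps so the window is described once. Wording: "give access of this investigation" should be "give access to this investigation" (the same phrase appears in newinvestigation.md Step 6).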
@@ -0,0 +1,137 @@ +--- +title: "Export Report" +description: "Export Report" +sidebar_position: 40 +--- + +# Export Report + +An export puts the report results for an investigation into a desired format. The Export option +provides choices for how you can export the report results for an investigation. The report can be +exported in a specified format and can be downloaded, emailed, or scheduled as desired. + +![Export option in the Investigation interface](/images/threatmanager/3.0/administration/investigations/options/export.webp) + +After running an investigation query, click **Export**. Then select one of the following from the +drop-down menu: + +- Export as CSV – Generates and downloads the report as a CSV file to your Downloads folder +- Export as PDF – Generates and downloads the report as a PDF file to your Downloads folder +- Export as JSON – Generates and downloads the report as a JSON file to your Downloads folder +- Send as Email – Opens the Send as Email window to send the report to recipients + + :::note + This option requires an email server to be configured. + ::: + + +- Schedule Export – Opens the Schedule export window to save a copy of the report to a shared folder + + :::note + This option requires a shared folder to be configured. + ::: + + +Reports will be downloaded to the Downloads folder on your local machine, according to your browser +settings. You can configure a folder on the application server to place copies of all exported +reports. + +See the [Folder Settings Page](/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md) topic for +additional information. + +## Send as Email + +:::note +This option requires an email server to be configured. If this requirement is not met, a +message will appear in the window. See the[Email Page](/docs/threatmanager/3.1/administration/configuration/integrations/email.md) +section for additional information. 
+::: + + +You can send the report data of an investigation as an attachment to an email. The attachment can be +any of the file formats available for download. Follow the steps to send a report as an email +attachment. + +**Step 1 –** Click **Investigate** in the application header bar to open the Investigations +interface. Then click a folder in the navigation pane to access a saved investigation. An +investigation is located in the folder where it was saved. + +**Step 2 –** After running a query and confirming the report data is displayed in the report +sections, click the **Export** menu and select **Send as Email**. The Send as Email window opens. + +![Send as Email window](/images/threatprevention/7.5/reportingmodule/investigations/options/sendasemail.webp) + +**Step 3 –** Begin typing in the **Recipients** textbox. You can enter a user name or email address. +Available email addresses read from Active Directory that match the text string will populate in the +drop-down menu. Select a recipient. + +**Step 4 –** Repeat Step 3 to add additional recipients. + +**Step 5 –** Modify the subject line as desired in the Email Subject box. The default subject +is: Export of Report '[NAME OF INVESTIGATION]'. + +**Step 6 –** Select the radio button for the desired file format: CSV, PDF, or JSON. + +**Step 7 –** Click **Send**. The Send as Email window closes. + +The recipients will receive the report as an attachment to an email. + +## Scheduled Export + +:::note +This option requires a shared folder to be configured.If this requirement is not met, a +message will appear in the window. See the +[Folder Settings Page](/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md) section for additional +information. +::: + + +You can schedule to save the report data of an investigation to a shared folder. The file format can +be any of the formats available for download. Follow the steps to schedule a report export. 
+ +**Step 1 –** Click **Investigate** in the application header bar to open the Investigations +interface. Then click a folder in the navigation pane to access a saved investigation. An +investigation is located in the folder where it was saved. + +**Step 2 –** After running a query and confirming the report data is displayed in the report +sections, click the **Export** menu and select Scheduled export. The Schedule export window opens. + +The name of the respective investigation is displayed as a link. Click it to view the filter defined +for the investigation. + +![Schedule export window](/images/threatprevention/7.5/reportingmodule/investigations/options/scheduleexport.webp) + +**Step 3 –** By default the schedule is enabled. You can disable it with the toggle button by the +window name. + +**Step 4 –** Modify the text in the Export name field as desired. The default name is: Export for +`{{Investigation_Name}}`. This variable will be replaced with the name of the investigation. The + +button opens a variable menu for the field. + +**Step 5 –** Select a shared folder from the **Publish folder** drop-down menu. Only folders +configured on the Folder Settings page of the Integrations interface will be listed here. + +**Step 6 –** Set a frequency. Options in the Frequency drop-down menu are: Once, Daily, Weekly, and +Monthly. Ensure the frequency does not exceed the "Time to Retain" settings for the System Jobs +configured in the System Settings interface. + +**Step 7 –** Set the start date, time, and timezone for the selected frequency: + +- Start date – This field opens a calender. You can also type a date in the field. +- Time – This field opens a clock. You can also type a date in the field. +- Timezone – This field opens a drop-down menu. Select the desired timezone. + +**Step 8 –** Set the file name in the File name field. The default name +is: `{{Investigation_Name}}_{{Date}}`. This variable will be replaced with the name of the +investigation. 
The + button opens a variable menu for the field. + +**Step 9 –** Select the file format for the export from the drop-down menu: CSV, PDF, JSON, Excel +Viewing. + +**Step 10 –** Click **Save**. The Schedule export window closes. + +The scheduled export is listed on the Subscriptions and Exports page of the Investigations +interface. + +See the [Subscriptions and Exports Page](/docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md) topic for additional +information. diff --git a/docs/threatmanager/3.1/administration/investigations/options/filters.md b/docs/threatmanager/3.1/administration/investigations/options/filters.md new file mode 100644 index 0000000000..a2fec9b923 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/options/filters.md 
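Review bot: in export.md the Step 4 text for the export name is broken: the line ends with "The", a blank line follows, and the next paragraph begins "button opens a variable menu for the field", so the name of the **+** button has been lost, most likely because a line starting with `+` was rendered as a list bullet. Write it as "The + button opens..." on one line, as Step 8 already does. The menu item is named three ways: the option list says "Schedule Export", the heading says "Scheduled Export", and Step 2 says "select Scheduled export"; pick one. In Step 7, "Time – This field opens a clock. You can also type a date in the field." should read "type a time", and "calender" is a typo (both recur in subscription.md). Missing spaces: "configured.If" and "See the[Email Page]". Since a scheduled export writes the full report data to a shared folder, a one-line reminder next to the Folder Settings link that the publish folder's permissions determine who can read those files would be a useful addition.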
@@ -0,0 +1,260 @@ +--- +title: "Filters Section" +description: "Filters Section" +sidebar_position: 10 +--- + +# Filters Section + +The Filters section provides options to build a filter statement by selecting the Attribute, +Operator, and Filter value. A time period for the report data is also configured here. If multiple +data sources have been configured, there is also a Source drop-down menu. Filter statements can be +simple with one value statement or complex with multiple value statements. + +![Filters section of an investigation](/images/threatmanager/3.0/administration/investigations/options/filterstm.webp) + +The section has the following options for configuring a filter statement: + +- Source – This menu provides a list of all integrations with the application. If there is only one + data source configured, the Source menudisplays that only. See the + [Netwrix Integrations Page](/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md) topic for + additional information. +- Timeframe – This menu provides several timeframe options as well as a clock and a calendar for + setting a custom range. You must set the timeframe for the data to be returned in the report. If + your report is blank, it is likely due to the timeframe setting. See the Timeframe topic for + additional information. +- Attribute – This menu provides a list of attributes that are available on events in the data + source. See the Filter Attribute Menu topic for additional information. +- Operator – This menu controls how the rule is evaluated by specifying the comparison between the + Attribute and the Filter value. Options vary based on the selected attribute. See the Filter + Operator Menu topic for additional information. +- Filter – Use it to specify the value to evaluate using the operator for the selected attribute +- Add – This appears in a new row of the Filter table, in the Attribute column. 
Clicking it opens + the Attribute menu to add another filter statement. +- Clear All – This icon removes the respective filter statement + +See the Build a Filter Statement topic for additional information. + +## Timeframe + +You must set a timeframe for an investigation query. When you run a query, the application scans the +available data for activity events that match the set filters for the specified timeframe. By +default, the timeframe is set for the "Last Hour" of activity. + +![Investigations Interface showing the Timeframe drop-down menu](/images/threatprevention/7.5/reportingmodule/investigations/options/timeframe.webp) + +Click the displayed timeframeto open a window, which provides several timeframe options as well as a +clock and a calendar for setting a custom range: + +- Preset timeframes: + + - Last Hour + - Last 4 Hours + - Last 8 Hours + - Last 24 Hours + - Last 5 Days + - Last 7 Days + - Last 14 Days + - Last 30 Days + +- Custom timeframe – Specified by the start and end date and time range set in the clock / calendar + section + +:::note +The timeframe property is saved with the investigation filters. However, it can be +modified to run a query ad hoc with the same filter statement but a different timeframe. +::: + + +**Configure a Custom Timeframe Range** + +Follow the steps to configure a custom timeframe range. + +**Step 1 –** On the Investigations interface, select the desired Investigation or start a new +investigation. + +**Step 2 –** Click the Timeframe displayed in the Filters section. + +**Step 3 –** Set the start date on the left. You can either type it in the box at the top or +navigate through the calendar to select the desired date. + +**Step 4 –** Set the start time on the left. You can either type it in the box at the top or click +the clock icon within the box to get a menu for selecting the hour, minute, and period (AM or PM). + +**Step 5 –** Set the end date on the right. 
You can either type it in the box at the top or navigate +through the calendar to select the desired date. + +**Step 6 –** Set the end time on the right. You can either type it in the box at the top or click +the clock icon within the box to get a menu for selecting the hour, minute, and period (AM or PM). + +**Step 7 –** Click **Apply**. + +The Timeframe window closes and the custom range is visible in the Filters section. Save the changes +to the selected investigation, unless you are running an ad hoc query. + +## Filter Attribute Menu + +The Attribute menu in the Filters section has the following options grouped by the type of +attribute: + +![attrributemenu](/images/threatprevention/7.5/reportingmodule/investigations/options/attrributemenu.webp) + +- Event ( group header in the menu): + + - Affected Object – The The name of the object in Active Directory that was affected by the + event + - Attribute – The specific property or field of the object that was changed or accessed + - Attribute New Value – The new value that the attribute was changed to after the event + - Attribute Old Value – The value that the attribute had before the event occurred + - Blocked – Indicates whether the operation was prevented by a security measure, such as a + Netwrix agent + - Client – The device, IP address, or host that initiated the event + - Client Type – The type of client initiating the event, such as host, IP address, or device + - Domain – The Active Directory domain where the event occurred + - Event Operation – The specific action that was attempted or performed during the event (e.g., + modify, delete) + - Event Sub-Operation – Additional actions or details related to the primary event operation + - Event Type – The nature or source of the event data, indicating where or how the event + originated + - Perpetrator – The user or service account that initiated the event + - Perpetrator Type – The type of account (e.g., user, service) that carried out the event + - Success 
– Indicates whether the action associated with the event was successfully completed + - Tag (Direct) – A label or classification directly applied to the object or event + - Tag (Effective) – A label or classification that applies to an object due to inheritance from + a group or policy. For example, if a group has a tag, all its members will inherit that tag + - Target – The specific object, resource, or entity that was the focus of the event + - Target Type – The type or classification of the object, resource, or entity that was targeted + - Time of Day – The exact date and time when the event occurred + +- Active Directory (category group header in the menu): + + - Affected Object Distinguished Name – The full path and name of the object in Active Directory + that was affected by the event + - Certificate Thumbprint – The unique identifier of a certificate used in the event, typically + represented as a hexadecimal string + - Encryption Type – The method or algorithm used to encrypt data during the event (e.g., AES, + RSA) + - LDAP Query Filter – The LDAP search filter used to query the Active Directory for specific + objects or attributes + - Object Class – The type or schema class of the object affected by the event (e.g., user, + group) + - Perpetrator Protocol – The network protocol used by the perpetrator to perform the operation + (e.g., LDAP, Kerberos) + - Pre-Authentication Type – The type of pre-authentication used before the main authentication + (e.g., Kerberos, NTLM) + - Reply Encryption Type – The type of encryption used to secure the response sent back to the + requester + +- Entra ID (category group header in the menu) + + - Correlation Id – A unique identifier used to link related events across different services, + helping to trace and analyze potential security incidents + - Entra Event Id – The specific identifier assigned to an event within Microsoft Entra ID + - Is Interactive – Indicates whether the event involved direct user interaction or 
if it was a + non-interactive event, like an API call + - Location – The geographical location where the event originated, which can help identify + unusual sign-ins + - Logged By Service – The specific Microsoft Entra service that recorded the event, providing + context on which service was involved in the activity + - Risk Detail – Detailed information about the type of risk detected during the event, such as + leaked credentials or suspicious sign-in patterns. This detail helps administrators understand + the nature of the threat + - Risk Event Type – The category of risk identified, such as "Anonymous IP Address" or + "Unfamiliar Sign-in Properties," which signals potentially compromised activity + - Risk Level Aggregated – The overall risk level assigned after evaluating all related events + and signals, such as "Low" or "High" + - Risk Level During Sign-In – The risk level specifically assessed during the sign-in process, + indicating how likely the sign-in was compromised + - Risk State – The current status of the detected risk, which can be "At Risk," "Dismissed," or + "Remediated," depending on the actions taken + - Target Resource Type – The type of resource or service that was involved in the event, such as + a specific application or database + +- File System (grayed-out category group header in the menu): + + - Extension – The file extension indicating the file type (e.g., .txt, .docx) + - File Path – The The full directory path to where the file is located + - File Size – The The size of the file, typically measured in bytes + - File Tag – A label or classification applied to the file for organizational or security + purposes + +- Integrations (category group header in the menu): + + - Policy – The set of rules or configurations applied within the integration., which may require + Netwrix Threat Preventiondatabase access to be configured on the NetwrixIntegrations page. 
See + the [Netwrix Integrations Page](/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md) page + for additional information + +## Filter Operator Menu + +The options available for the Operator menu in the Filters section change to match the selected +Attribute. The following is a list of all possible operator options: + +![Operator Menu in the investigations Filters section](/images/threatprevention/7.5/reportingmodule/investigations/options/operatormenu.webp) + +- Equals +- Not Equal To +- Contains +- Does Not Contain +- Starts With +- Ends With + +## Build a Filter Statement + +You can create a filter for a new investigation or modify a filter for a saved investigation. Follow +the steps to build a filter statement. + +**Step 1 –** Navigate to the desired investigation's Filters section. + +![filtersimple](/images/threatprevention/7.5/reportingmodule/investigations/options/filtersimple.webp) + +**Step 2 –** If multiple data sources are configure, select a source from the **Source** drop-down +menu. + +**Step 3 –** Set the timeframe for the event data to be returned in the report. + +**Step 4 –** Select an attribute from the Attribute drop-down menu. + +**Step 5 –** Select an operator from the Operator drop-down menu. + +**Step 6 –** Enter a value in the Filter box. Possible values available from the events will +populate in a drop-down menu as you type. Select the desired value from the drop-down menu. If the +value you type is not available in the drop-down menu, use the Add button to add it to the Filter +box. + +:::note +Adding additional values in the same Filter box will add an OR statement for the +attribute. 
For example: +::: + + +- When: + + - Attribute = Perpetrator; Operator = Equals; Filter = nwxtech\ad.bruce.wayne, + nwxtech\ad.robin.locksley + +- Then the query will return activity for nwxtech\ad.bruce.wayne OR nwxtech\ad.robin.locksley + +**Step 7 –** To form a complex filter with multiple attributes, click **Add** to insert a new row +and repeat steps 4-6. The AND operator is automatically applied to group multiple rows. For example: + +- When: + + - Attribute = Perpetrator; Operator = Equals; Filter = nwxtech\domain admins + +- AND + + - Attribute = Perpetrator; Operator = Not Equal to; Filter = nwxtech\ad.bruce.wayne + +- Then the query will return activity for all domain admins except nwxtech\ad.bruce.wayne + +:::note +Click the X at the end of a row to remove it from the statement. +::: + + +Once the filter is set, you can generate the report ad hoc by clicking **Run Query**. The allows you +to test if your filter statement is working as desired. Save the investigation for reuse. You can +also add subscriptions or export the report data using the options above the Filters section. + +See the [Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. diff --git a/docs/threatmanager/3.1/administration/investigations/options/overview.md b/docs/threatmanager/3.1/administration/investigations/options/overview.md new file mode 100644 index 0000000000..30cc953118 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/options/overview.md 
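Review bot: in filters.md the note introducing the OR example closes before the example it announces: ":::note Adding additional values in the same Filter box will add an OR statement for the attribute. For example: :::" leaves the "When/Then" bullets outside the admonition; either move the closing `:::` after the example or drop "For example:" from the note. The row-removal control is described two ways, "Clear All – This icon removes the respective filter statement" in the option list versus "Click the X at the end of a row to remove it" later; use one name. Typos and spacing: "menudisplays", "timeframeto", "The The" (in the Affected Object, File Path and File Size entries), "attrributemenu", "( group header", "integration., which may require Netwrix Threat Preventiondatabase access ... NetwrixIntegrations page", "configure" should be "configured" in Step 2, and "The allows you" should be "This allows you". Consider wrapping the sample account names such as `nwxtech\ad.bruce.wayne` in code spans so the backslashes survive markdown processing.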
@@ -0,0 +1,60 @@ +--- +title: "Investigation Options" +description: "Investigation Options" +sidebar_position: 10 +--- + +# Investigation Options + +Every investigation has the following options at the top of the page: + +![Investigation interface showing the options at the top of an investigation](/images/threatmanager/3.0/administration/investigations/options/options.webp) + +- Edit – The Edit option opens the Save Investigation window in edit mode. You can modify the name, + description, and folder of the saved investigation. If you save the investigation to a different + folder, it will be moved from the original location to the new folder. You can also update the + user roles granted ownership and access to the investigation report. A My Investigation can also + be saved as a new Threat in the Investigation Settings page. See the + [Edit or Duplicate an Investigation](/docs/threatmanager/3.1/administration/investigations/options/edit.md) topic for additional information. +- Create threat – In addition to preconfigured threats, a user can create a custom threat when + certain events are considered to be dangerous in the environment, for example, when one of the + privileged users makes file changes. See the [Custom Threats](/docs/threatmanager/3.1/threats/custom.md)topic for + additional information. +- Subscriptions – Click the Subscriptions link to open the Subscription to window. You can specify + recipients to receive this report as an email attachment in a specified format. See the + [Add Subscription](/docs/threatmanager/3.1/administration/investigations/options/subscription.md) topic for additional information. +- Export – The Export option provides choices for how you can export the report results for an + investigation. The report can be exported in a specified format and can be downloaded, emailed, or + scheduled as desired. 
See the [Export Report](/docs/threatmanager/3.1/administration/investigations/options/export.md) topic for additional information. +- Three vertical dot icon has the following options: + + - Copy link – The Copy link option copies the URL of the investigation to your clipboard, so + that you can share it with users who have access to the report + - Open as new – The Open as New option opens the investigation in Duplicate mode. The filter is + the same as that of the base investigation. You can save it as a new investigation. See the + [Edit or Duplicate an Investigation](/docs/threatmanager/3.1/administration/investigations/options/edit.md) topic for additional information. + +- Run Query – The Run Query button pulls available activity data that match the set filters and + timeframe. The data is displayed on the Event Details, Events Over Time, and Top Resources tabs. + See the [Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. +- Filters – The Filters section provides options to build a filter statement by selecting the + Attribute, Operator, and Filter value. A time period for the report data is also configured here. + If multiple data sources have been configured, there is also a Source drop-down menu. See the + [Filters Section](/docs/threatmanager/3.1/administration/investigations/options/filters.md) topic for additional information. + +:::note +For an investigations to return information on user display names, groups, or email +addresses, the Active Directory Service must be running to collect Active Directory data prior to +running an investigation. See the +[Active Directory Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md) topic for +additional information. 
+::: + + +:::note +For an investigation to return information on Entra ID users, groups, roles and +applications, the Entra ID Service must be running to collect Entra ID data before running an +investigation. See the [Entra ID Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md) topic +for additional information. + +::: diff --git a/docs/threatmanager/3.1/administration/investigations/options/subscription.md b/docs/threatmanager/3.1/administration/investigations/options/subscription.md new file mode 100644 index 0000000000..0fa74c4d79 --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/options/subscription.md 
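Review bot: in options/overview.md the Edit bullet states "A My Investigation can also be saved as a new Threat in the Investigation Settings page", which edit.md does not mention and which overlaps with the separate Create threat bullet; confirm this still applies in 3.1 or remove it. "open the Subscription to window" should be "open the Subscription window" (subscription.md Step 1 calls it the Subscription window). Formatting and grammar: "[Custom Threats](...)topic" is missing a space before "topic"; "Three vertical dot icon has the following options" should be "The three vertical dot icon has the following options"; "For an investigations to return" should be "For an investigation to return"; the second note has a stray blank line before its closing `:::`.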
@@ -0,0 +1,71 @@ +--- +title: "Add Subscription" +description: "Add Subscription" +sidebar_position: 30 +--- + +# Add Subscription + +A subscription sends the report results for an investigation to recipients via email as an +attachment. Click the Subscriptions link to open the Subscription to window. You can specify +recipients to receive this report as an email attachment in a specified format. + +![Subscription window](/images/threatprevention/7.5/reportingmodule/investigations/options/subscription.webp) + +:::note +This option requires an email server to be configured.If this requirement is not met, a +message will appear in the window. See the[Email Page](/docs/threatmanager/3.1/administration/configuration/integrations/email.md) +section for additional information. +::: + + +## Subscribe to an Investigation + +Follow the steps to subscribe to an investigation. + +**Step 1 –** From the desired investigation, click **Subscriptions**. The Subscription window opens. + +The name of the respective investigation is displayed as a link. Click it to view the filter defined +for the investigation. + +**Step 2 –** By default the subscription is enabled. You can disable it with the toggle button by +the window name. + +**Step 3 –** Modify the subscription name as desired in the Subscription name field. The default +name is: Subscription for `{{Investigation_Name}}`. This variable will be replaced with the name of +the investigation. The + button opens a variable menu for the field. + +**Step 4 –** Enter the email addresses for the recipients of this report subscription in the +Recipients box. + +**Step 5 –** Set the start date, time, and timezone for the selected frequency: + +- Start date – This field opens a calender. You can also type a date in the field. +- Time – This field opens a clock. You can also type a date in the field. +- Timezone – This field opens a drop-down menu. Select the desired timezone. + +**Step 6 –** Set a frequency. 
Options in the Frequency drop-down menu are: Once, Daily, Weekly, and +Monthly. Ensure the frequency does not exceed the "Time to Retain" settings for the System Jobs +configured in the System Settings interface. + +**Step 7 –** There are two additional settings in the Advanced Options section. Click the arrow to +expand this section. + +**Step 8 –** Modify the email subject line in the Email subject field as desired. The default name +is: Subscription to`{{Investigation_Name}}` at `{{Date}}`. These variables will be replaced with the +name of the investigation and the date of the report. The + button opens a variable menu for the +field. + +**Step 9 –** Set the file name in the File name field. The default name +is: `{{Investigation_Name}}_{{Date}}`. This variable will be replaced with the name of the +investigation. The + button opens a variable menu for the field. + +**Step 10 –** Select the file format for the export from the drop-down menu: CSV, PDF, JSON, Excel +Viewing. + +**Step 11 –** Click **Save**. The Subscription export window closes. + +The subscription is listed on the Subscriptions and Exports page of the Investigations interface. + +See the [Subscriptions and Exports Page](/docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md) topic for additional +information. diff --git a/docs/threatmanager/3.1/administration/investigations/overview.md b/docs/threatmanager/3.1/administration/investigations/overview.md new file mode 100644 index 0000000000..e8da4552bc --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/overview.md 
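Review bot: Step 5's Time bullet reads "This field opens a clock. You can also type a date in the field" where it should say "type a time", and the Start date bullet has "calender" for "calendar". Step 6 tells the reader to "Ensure the frequency does not exceed the "Time to Retain" settings for the System Jobs" without saying what happens when it does; that is the one sentence in the procedure an operator has to act on, so state the consequence and link the System Settings topic the retention value lives in. Spacing slips in the same hunk: "configured.If this requirement", "See the[Email Page]", and "Subscription to`{{Investigation_Name}}`" in Step 8. Step 10's format list ends in "Excel Viewing", which looks like a stray word after "Excel", and the screenshot path is /images/threatprevention/7.5/reportingmodule/..., not the threatmanager image tree the rest of this patch uses.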
@@ -0,0 +1,53 @@ +--- +title: "Investigations Interface" +description: "Investigations Interface" +sidebar_position: 40 +--- + +# Investigations Interface + +The Investigation interface allows administrators to investigate all data available to the +application through a series of customizable filters. These investigations can be saved so they can +be run ad hoc at a later time. Investigations can also be "saved as a threat" which enables +investigation criteria to function as a threat detection mechanism that will be monitored by Threat +Manager like out-of-the-box threats. + +Click **Investigate** in the application header bar to open the Investigations interface. + +![Investigations interface](/images/threatmanager/3.0/administration/investigations/interface.webp) + +The Investigations interface contains the following pages: + +- New Investigation – Enables you to run queries on available data with desired filters for a + specific timeframe. See the [New Investigation Page](/docs/threatmanager/3.1/administration/investigations/newinvestigation.md) topic for additional + information. +- Favorites – Provides a list of saved queries the logged in user has tagged as a Favorite. See the + [Favorites Page](/docs/threatmanager/3.1/administration/investigations/favorites.md) topic for additional information. +- Audit and Compliance – Provides a list of saved out-of-the-box investigations with applied filters + for commonly used Audit and Compliance activity reports. See the + [Audit and Compliance Page](/docs/threatmanager/3.1/administration/investigations/auditcompliance.md) topic for additional information. +- Predefined Investigations – Provides a list of saved out-of-the-box investigations with applied + filters for Applications, Computers, Groups, iNetOrgPerson, Roles and User activity reports. See + the [ Predefined Investigations Page](/docs/threatmanager/3.1/administration/investigations/predefinedinvestigations.md) topic for additional + information. 
+- My Investigations – Provides a list of saved investigations created by the application users. See + the [My Investigations Page](/docs/threatmanager/3.1/administration/investigations/myinvestigations.md) topic for additional information. +- Subscriptions and Exports – Provides a list of investigations that are either subscribed to or + scheduled for export. See the [Subscriptions and Exports Page](/docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md) topic for + additional information. + +Every investigation has the same options at the top of the page. See the +[Investigation Options](/docs/threatmanager/3.1/administration/investigations/options/overview.md) topic for additional information. + +Every report generated by an investigation query displays the same type of information. See the +[Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. + +## Search for Saved Investigations + +The Investigations interface includes a search field in the navigation pane to find saved +investigations by name. + +![Investigations Search showing matching results](/images/threatmanager/3.0/administration/investigations/searchtm.webp) + +Type in the search box. As you type, a drop-down will populate with saved investigations containing +matches. diff --git a/docs/threatmanager/3.1/administration/investigations/predefinedinvestigations.md b/docs/threatmanager/3.1/administration/investigations/predefinedinvestigations.md new file mode 100644 index 0000000000..fe94a9d61b --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/predefinedinvestigations.md 
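Review bot: The link text "[ Predefined Investigations Page]" in the Predefined Investigations bullet has a leading space inside the brackets, which renders into the link label; drop it to match the other bullets. Minor: "logged in user" in the Favorites bullet should be "logged-in user", and both screenshots come from the 3.0 image tree (/images/threatmanager/3.0/administration/investigations/...) in a 3.1 document, which is fine only if the navigation pane is unchanged between releases.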
@@ -0,0 +1,109 @@ +--- +title: "Predefined Investigations Page" +description: "Predefined Investigations Page" +sidebar_position: 60 +--- + +# Predefined Investigations Page + +The Predefined Investigations page in the Investigations interface provides a list of saved +out-of-the-box investigations with applied filters for Applications, Computers, Groups, +iNetOrgPerson, Roles and User activity reports. + +![Investigations interface on the Predefined Investigations page](/images/threatmanager/3.0/administration/investigations/predefinedinvestigations.webp) + +The table displays the list of investigations with the following columns: + +- Name – The name of the investigation +- Threat – The check mark indicates that a Threat has been configured for this investigation +- Favorite – The check mark indicates that the investigation has been tagged as a favorite for the + logged in user + +Click an investigation to view it. You can run the query, modify the configuration, add a +subscription, or export the report. See the [Investigation Options](/docs/threatmanager/3.1/administration/investigations/options/overview.md) topic for +additional information on saved investigation options. + +Every report generated by an investigation query displays the same type of information. See the +[Investigation Reports](/docs/threatmanager/3.1/administration/investigations/reports.md) topic for additional information. + +By default, these investigations are grouped in subfolders. Each subfolder page has the same table +as the Predefined Investigations page, scoped to the investigations within that folder. + +## Applications Folder + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| Application Added | Occurs when an a Entra ID Application is added | One filter statement set:
| +| Applications Deleted | Occurs when an a Entra ID Application is added | One filter statement set:
| +| Applications Deleted | Occurs when an a Entra ID Application is added | One filter statement set:
| + +## Computers Folder + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| Computer Added | Created when a computer is added | Two filter statements set:

AND

| +| Computer Deleted | Created when a computer is deleted | Two filter statements set:

AND

| +| Computer Disabled | Created when a computer is disabled | Two filter statements set:

AND

| +| Computer Enabled | Created when a computer is enabled | Two filter statements set:

AND

| +| Computer Password Changed | Created when a computer password is changed | Two filter statements set:

AND

| + +You can save additional investigations to this folder. + +## Groups Folder + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| Group Added | Occurs when a group of any type is created | Two filter statements set:

AND

| +| Group Deleted | Created when a group is removed / deleted | Two filter statements set:

AND

| +| Group Member Added | Created when a member is added to a group | Two filter statements set:

AND

| +| Group Member Removed | Created when one or more members of a group are removed | Two filter statements set:

AND

| +| Group Moved | Occurs when a group is moved from one container to another | Two filter statements set:

AND

| + +You can save additional investigations to this folder. + +## iNetOrgPerson Folder + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| iNetOrgPeson Account Disabled | Created when an iNetOrgPerson account is disabled | Two filter statements set:

AND

| +| iNetOrgPeson Account Enabled | Created when an iNetOrgPerson account is enabled | Two filter statements set:

AND

| +| iNetOrgPeson Added | Created when an iNetOrgPerson User account is added | Two filter statements set:

AND

| +| iNetOrgPeson Deleted | Created when an iNetOrgPerson is deleted | Two filter statements set:

AND

| +| iNetOrgPeson Password Changed | Created when the password is reset or changed by an administrator | Two filter statements set:

AND

| + +You can save additional investigations to this folder. + +## Roles Folder + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| Add Eligible Member to Role | Occurs when an Entra ID Member is made eligible to a Role | One filter statement set:
| +| Add Member to Role | Occurs when an Entra ID Member is added to a Role | One filter statement set:
| +| Remove Eligible Member From Role | Occurs when an Entra ID Member is made not eligible to a Role anymore | One filter statement set:
| +| Remove Memeber from Role | Occurs when an Entra ID Member is removed from a Role | One filter statement set:
| + +## Users Folder + +By default, this folder contains the following saved investigations: + +| Investigation | Description | Filters | +| --- | --- | --- | +| User Account Disabled | Created when a user account is disabled | Two filter statements set:

AND

| +| User Account Enabled | Created when a user account is enabled | Two filter statements set:

AND

| +| User Account Locked | Created when a user account is locked | Two filter statements set:

AND

| +| User Account Unlocked | Created when a user account is unlocked | Two filter statements set:

AND

| +| User Password Change | Created when a user performs a password reset | Three filter statements set:

AND

AND

| +| User Password Reset and Change | Created when a user resets their password or when an administrator changes their password | Two filter statements set:

AND

| +| User Primary Group Changed | Created when a user's group is changed typically from Domain Users to another group | Two filter statements set:

AND

| + +You can save additional investigations to this folder. diff --git a/docs/threatmanager/3.1/administration/investigations/reports.md b/docs/threatmanager/3.1/administration/investigations/reports.md new file mode 100644 index 0000000000..f0770d845a --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/reports.md 
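Review bot: The Filters column in every table of this hunk is empty. Each cell reads "One filter statement set:" or "Two filter statements set:" (with bare "AND" separators) followed by nothing, so the filter statements that define each predefined investigation did not survive the conversion. That column is what tells an analyst which operation and target a saved investigation actually matches, so the filter text needs to be restored before this merges. The Applications table is also a copy-paste artifact: "Applications Deleted" appears twice and all three rows describe "when an a Entra ID Application is added", so the second and third rows need their real names and descriptions. Spelling: "iNetOrgPeson" in all five iNetOrgPerson rows and "Remove Memeber from Role" in the Roles table; and the Applications and Roles sections are missing the "You can save additional investigations to this folder." line that closes the other four folders.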
@@ -0,0 +1,128 @@ +--- +title: "Investigation Reports" +description: "Investigation Reports" +sidebar_position: 20 +--- + +# Investigation Reports + +Every report generated by an investigation query displays the following information: + +- Event Details – Provides a view of all events matching the criteria specified for the + investigation. See the Events Details Section topic for additional information. +- Events Over Time – Provides a bar graph and pie chart for events matching the criteria specified + for the investigation. See the Events Over Time Section topic for additional information. +- Top Resources – Provides summary statistics for perpetrators (users) and targets (hosts) + associated with the events matching the criteria specified for the investigation. See the Top + Resources Section topic for additional information. + +:::note +For an investigations to return information on user display names, groups, or email +addresses, the Active Directory Service must be running to collect Active Directory data prior to +running an investigation. See the +[Active Directory Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md) topic for +additional information. +::: + + +:::note +For an investigation to return information on Entra ID users, groups, roles and +applications, the Entra ID Service must be running to collect Entra ID data before running an +investigation. See the [Entra ID Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md) topic for +additional information. +::: + + +Click **Investigate** in the application header bar to open the Investigations interface. Then +create a new investigation or click a folder in the navigation pane to access a saved investigation. +An investigation is located in the folder where it was saved. + +Enter information in the Filters section, which includes one or more filter statements and a +timeframe, to generate the report. 
+ +## Events Details Section + +The Event Details tab provides a view of all events matching the criteria specified for the +investigation. + +![Events Detaisl section of an investigation report](/images/threatprevention/7.5/reportingmodule/investigations/eventdetails.webp) + +The table displays the following data: + +- TimeStamp – The exact date and time when the event occurred +- Target – The specific object, resource, or entity that was the focus of the event. The name is in + NT style [domain\computer name]. Click the link to view target details. +- User – The name of the user in sAMAccountName format who generated the activity. Click the link to + view user details. +- Perpetrator – The name of the user, group, or entity responsible for carrying out an action. This + name is in sAMAccountName format. Click the link to view perpetrator details. +- Successful – Indicates whether the action associated with the event was successfully completed: + + - True – The operation was successful + - False – The operation failed + +- Blocked – Indicates whether the operation was prevented by a security measure, such as a Netwrix + agent: + + - True – The operation was blocked + - False – The operation was not blocked + +- Operation – The type of activity performed +- Client – The name of the system or entity that initiates an action or request towards a server or + another system. This name is in NT style [domain\computer name]. Click the link to view client + details. +- Description – A summary of the event + +Click the arrow () in the table for a specific event to view additional details. + +See the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) topic and the +[User Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md) topic for additional information. 
+ +## Events Over Time Section + +The Events Over Time section displays a bar graph and pie chart for events matching the criteria +specified for the investigation. + +![Events Over Time section of an Investigations report](/images/threatprevention/7.5/reportingmodule/investigations/eventsovertime.webp) + +- Hover over a time period to view the type of event and number of events logged for that timeframe. +- Hover over the pie chart to view the total number of each type of event. The total number of all + events is displayed in the middle of the pie chart. + +## Top Resources Section + +The Top Resources tab displays summary statistics for perpetrators (users) and targets (hosts) +associated with the events matching the criteria specified for the investigation. + +![Top Resources section of an Investigations report](/images/threatprevention/7.5/reportingmodule/investigations/topresources.webp) + +The tab contains two tables: + +- Top Perpetrators +- Top Targets + +**Top Perpetrators Table** + +The Top Perpetrators table displays information about the perpetrators associated with the events. + +It contains the following columns: + +- User Name – The name of the user in sAMAccountName format who generated the event +- Servers – The number of servers where the user generated events +- Actions – The number of events generated by the user + +Click the link to view perpetrator details. + +**Top Targets Table** + +The Top Targets table displays information about targets associated with the events. + +It contains the following columns: + +- Target Name – The specific object, resource, or entity that was the focus of the event. This name + is in NT style [domain\computer name]. 
+- Users – The number of users who generated events +- Actions – The number of events generated by all users on the target + +Click the link to view target details.See the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) topic +for additional information. diff --git a/docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md b/docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md new file mode 100644 index 0000000000..e233e0f11f --- /dev/null +++ b/docs/threatmanager/3.1/administration/investigations/subscriptionsexports.md 
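Review bot: "Click the arrow () in the table for a specific event to view additional details" has empty parentheses where an inline icon was evidently meant; insert the icon image or drop the parentheses. Other fixes in this hunk: "For an investigations to return" in the first note, "Events Detaisl" in the image alt text, and the missing space in "view target details.See the". All three section screenshots are taken from /images/threatprevention/7.5/reportingmodule/investigations/..., so confirm they show the column set this page documents (TimeStamp, Target, User, Perpetrator, Successful, Blocked, Operation, Client, Description) rather than the other product's layout.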
@@ -0,0 +1,94 @@ +--- +title: "Subscriptions and Exports Page" +description: "Subscriptions and Exports Page" +sidebar_position: 80 +--- + +# Subscriptions and Exports Page + +A subscription sends the report results for an investigation to recipients via email as an +attachment. An export puts the report results for an investigation into a desired format. The +Subscriptions and Exports page provides a list of investigations that are either subscribed to or +scheduled for export. + +![Investigations interface on the Subscriptions and Exports page](/images/threatmanager/3.0/administration/investigations/subscriptionsexports.webp) + +The table has the following columns: + +- Mode – Toggle button enables and disables the scheduled report +- Type – Icon indicates the delivery method for the subscription: email or shared folder +- Subscription name – Subscription name of an investigation +- Status – Indicates the subscription status: Scheduled or Disabled +- Investigation – Displays the name of the investigation that is associated with the subscription. +- Last run result – Displays the status of the last scheduled report, which include Never run, + Delivered, Failed to deliver, or Failed to complete +- Schedule – Displays the schedule frequency of the subscription or export +- Last Run on – Date timestamp of the last scheduled report +- Next Run – Date timestamp of the next scheduled report +- Recipients – List of email recipients subscribed to the report +- Shared folder – Display name for the configured shared folder where scheduled exports are stored +- Actions – Menu option per table row. This column does not have a header. It is represented by + three dots and shows up when you hover over a row. + +See the [Add Subscription](/docs/threatmanager/3.1/administration/investigations/options/subscription.md) topic and [Export Report](/docs/threatmanager/3.1/administration/investigations/options/export.md) +topic for additional information. 
+ +## Table Features + +The table has several features accessed through the menu button that appears when you hover over a +column header. + +![Table column menu](/images/threatprevention/7.5/reportingmodule/investigations/tableoptions.webp) + +In addition to the arrow that appears to sort the table in ascending or descending order, the menu +contains the following options: + +- Unsort – Removes all sorting from the table +- Sort by ASC – Sorts the table in ascending order for the selected column +- Sort by DESC – Sorts the table in descending order for the selected column +- Filter – Opens the Table Filter window to build a filter statement for the table +- Hide – Hides the selected column from the table +- Show columns – Opens the Column window with a list of all available columns for the table and a + toggle button to show or hide each column +- Pin to left – Moves the column to the far left of the table and pins it there +- Pin to right – Moves the column to the far right of the table and pins it there +- Unpin – Returns the column to its original location. This option appears if the column has been + pinned. + +## Build a Table Filter Statement + +The Table Filter window opens from the table column menu. + +![Table Filter window](/images/threatprevention/7.5/reportingmodule/investigations/filterwindow.webp) + +Follow the steps to build a filter statement. + +**Step 1 –** Select a table column from the **Columns** drop-down menu. + +**Step 2 –** Select an operator from the **Operator** drop-down menu. Options include: contains, +equals, starts with, ends with, is empty, is not empty, and is any of. + +**Step 3 –** Enter the text string for the filter value in the **Value** box. + +**Step 4 –** To build a complex filter statement, click **Add filter**. A new row appears with an +additional drop-down menu for creating an _AND_ or an _OR_ statement. Then repeat Steps 1-3 for the +row. + +The table is filtered to matches of the filter. 
+ +## Actions Menu + +The Actions column holds a menu with actions that apply to the selected subscription or export. + +![Actions menu](/images/threatprevention/7.5/reportingmodule/investigations/subscriptionsexportsactions.webp) + +The options include: + +- Duplicate – Opens the Subscription to or Schedule export window to configure another subscription + or export for the associated investigation +- Edit –Opens the Subscription to or Schedule export window to modify the current subscription or + export +- Run Now – Runs the subscription or export report immediately +- Turn off – Disables the subscription or export +- Turn on – Enables the subscription or export +- Delete – Deletes the scheduled subscription or export diff --git a/docs/threatmanager/3.1/administration/overview.md b/docs/threatmanager/3.1/administration/overview.md new file mode 100644 index 0000000000..109566b0df --- /dev/null +++ b/docs/threatmanager/3.1/administration/overview.md 
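Review bot: The Type column is described as "the delivery method for the subscription: email or shared folder", but the opening paragraph defines a subscription only as email delivery and an export only as putting results "into a desired format", with no mention of where an export goes; one sentence connecting exports to the Shared folder column would make the table self-explanatory. Smaller fixes in the same hunk: "Edit –Opens" is missing the space after the dash, and "Last run result – ... which include Never run" should read "which includes".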
@@ -0,0 +1,122 @@ +--- +title: "Administration" +description: "Administration" +sidebar_position: 40 +--- + +# Administration + +The navigation header contains the following links on the top left side of the page: + +![headerbarleft](/images/threatmanager/3.0/administration/headerbarleft.webp) + +- Threat Manager – Opens the Home page for the Threat Manager Console +- Threats – Opens the [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md) +- Investigate – Opens the [Investigations Interface](/docs/threatmanager/3.1/administration/investigations/overview.md) + +:::note +For mobile users, only the icons are displayed for the Threats and Investigate links. +::: + + +The header bar contains the following links on the top right side of the page: + +![This screenshot displays the right header bar.](/images/threatmanager/3.0/administration/headerbarright.webp) + +- Search – Enter a user, computer, or group and click the Search icon +- [Configuration Menu](/docs/threatmanager/3.1/administration/configuration/overview.md) – Displays a menu with the configuration pages +- Help – Accesses help +- Logout – Click the person icon and select Logout from the drop-down list to log out of the Threat + Manager Console. The drop-down list also displays the user logged in. + +A magenta alert banner will display below the navigation header if one of the following scenarios +occurs: + +![banneragentunresponsive](/images/threatmanager/3.0/administration/banneragentunresponsive.webp) + +- Service outage +- Agent outage +- License missing or expired + +This banner contains a link to the page relevant to the issue. + +## Home Page + +The Threat Manager [Home Page](/docs/threatmanager/3.1/administration/home.md) provides an “at a glance” overview of the possible threats +detected in an organization's environment for the past 24 hours. 
This is displayed with interactive +graphs and a rollup count that will allow easy tracking and response capabilities for new threats, +and users with risky activity. + +## Threats Page + +The Threat Manager [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md) is where end users and analysts investigate possible +threats in their environment. This page displays a historical timeline of the detected threats and +advanced filtering that allows users to find threats with ease. An end user can drill down into +threats and view additional details. Threats have a response workflow that enables teams to assign a +user to evaluate the threat, set status updates on the threat, and add any desired comments to the +threat. + +## Investigate Page + +The Threat Manager allows customers to investigate all data previously sent to Threat Manager +through a series of customizable filters designed to discover threats unique to their organization. +These investigations can be saved so they can be run ad hoc at a later time. Investigations can also +be "saved as a threat" which enables investigation criteria to function as a threat detection +mechanism that will be monitored by Threat Manager like out-of-the-box threats. + +## Interactive Chart Elements + +The threat types listed for bar charts are interactive. + +![excludeathreat](/images/threatmanager/3.0/administration/excludeathreat.webp) + +Click a threat to exclude it from the chart. The threat will have a black line through it to show +that it has been excluded. Click the threat again to add it to the chart. + +![trendline](/images/threatmanager/3.0/administration/trendline.webp) + +Hover over a trend line to see the number of threats detected in the selected time increment. + +![bargraphhover](/images/threatmanager/3.0/administration/bargraphhover.webp) + +Hover over a bar graph to view the number of each type of threat created in the time frame. 
Hover +over slices in a pie chart to view the number of threats for each threat type. + +## Preview Windows + +Anywhere in the Console where a link to a user, group, or host details page is displayed, hover over +the link to display a preview window. + +![hover](/images/threatmanager/3.0/administration/hover.webp) + +Preview windows display cards that provide information about the selected object without having to +navigate off of the current page. These cards provide information about users, groups, and hosts, +including any associated tags. + +## Data Grids + +Data grids provide the ability to search for data and also to configure the presentation of data. + +![This screenshot displays interactive elements in a grid.](/images/threatmanager/3.0/administration/datagrids.webp) + +The top bar in a data grid contains the following options: + +- Search Box – Enter text in the search box to filter data in the table +- Results Per Page – Click the drop-down list to select the number of results displayed per page. + Options include: + - 10 rows + - 50 rows + - 100 rows + - 1000 rows – Displays up to 1000 rows +- Links – Click a link view the user, group, or host details page +- Export CSV – Click this button to export the current rows displayed on the page into a CSV file +- Export All – Some tables contain an Export All button. Click the button to export all returned + data into a CSV file + +The data grids will display multiple authentication events that occur in quick succession in a +single row. This means that if a user has multiple similar authentication events that occur within a +minute, the data grids will display a single row in the table for those events. + +If a data grid displays File System events that contain sensitive data, a Sensitive Data tag will be +displayed in the Description field. The Sensitive Data tag is the only tag that will be displayed in +the Description field. 
diff --git a/docs/threatmanager/3.1/administration/playbooks/_category_.json b/docs/threatmanager/3.1/administration/playbooks/_category_.json new file mode 100644 index 0000000000..5fd55bfef3 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Playbooks", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/playbooks/action/_category_.json b/docs/threatmanager/3.1/administration/playbooks/action/_category_.json new file mode 100644 index 0000000000..2b2ed5ff18 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Action Configuration for Playbook Steps", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/playbooks/action/activedirectory.md b/docs/threatmanager/3.1/administration/playbooks/action/activedirectory.md new file mode 100644 index 0000000000..cf4d4d1a60 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/activedirectory.md 
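Review bot: In the Data Grids list, "Click a link view the user, group, or host details page" is missing "to", and "1000 rows – Displays up to 1000 rows" is the only page-size option with a description, which reads as though the others are not capped; describe all four or none. The heading "Investigate Page" names the same thing the header-bar bullet links as the "Investigations Interface"; pick one name for the section and the link. The alert banner paragraph says "This banner contains a link to the page relevant to the issue" for service outage, agent outage and license problems; naming those pages would save the reader a click.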
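Review bot: Both new _category_.json files are committed without a trailing newline ("\ No newline at end of file"); add one so that the next edit to either file does not show up as a whole-line change. The label, position and "link": {"type": "doc", "id": "overview"} shape match the other category files in this patch, so no other change is needed.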
@@ -0,0 +1,94 @@ +--- +title: "Active Directory Target Actions" +description: "Active Directory Target Actions" +sidebar_position: 10 +--- + +# Active Directory Target Actions + +The following actions target Active Directory. + +## Active Directory Group Membership + +The Active Directory Group Membership action provides configuration options to add or remove Active +Directory group membership. + +![adgroupmembership](/images/threatmanager/3.0/administration/playbooks/action/adgroupmembership.webp) + +- Users – Select the users for whom to alter group membership. If not specified, the user who + triggered the threat will be used. +- Action – Select the action to take on the user's group membership. + - Add + - Remove +- Group – Specify the identity of the group to manage. If not specified, the group affected by the + threat will be used. +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. + +## Change Password at Next Logon + +The Change Password at Next Logon action forces the user to change their password the next time the +user logs on. + +![changepassword](/images/threatmanager/3.0/administration/playbooks/action/changepassword.webp) + +- Users – Select the users for whom to reset passwords at next logon. If not specified, the user who + triggered the threat will be used. +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. 
+ +## Disable Active Directory Account + +The Disable Active Directory Account action disables the specified account. + +![disableadaccount](/images/threatmanager/3.0/administration/playbooks/action/disableadaccount.webp) + +- Active Directory Credentials – Select a credential profile that contains valid Active Directory + credentials. Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. +- Users – Select users to disable. If not specified, the user who triggered the threat will be used. + +## Disable Active Directory Computer + +The Disable Active Directory Computer action disables the specified computer object in Active +Directory. + +![disableadcomputer](/images/threatmanager/3.0/administration/playbooks/action/disableadcomputer.webp) + +- Disable Domain Controllers – When selected, allows domain controllers to be disabled. +- Active Directory Credentials – Select a credential profile that contains valid Active Directory + credentials. Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. +- Computer – Select the computer to disable. If not selected, the host computer will be used. + +## Reset Password + +The Reset Password action resets the password of the specified account. + +![resetpassword](/images/threatmanager/3.0/administration/playbooks/action/resetpassword.webp) + +- Users – Select the users for whom to reset passwords. If not specified, the user who triggered the + threat will be used. +- Credential – Select a credential profile that contains valid Active Directory credentials. 
+ Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md) . If not specified, the + action will be run as the credentials of the Action Service. + +## Revert Permission Change + +The Revert Permission Change action reverts a permission change on an Active Directory Object. + +![revertpermissionchange](/images/threatmanager/3.0/administration/playbooks/action/revertpermissionchange.webp) + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the Integrations Interface. If not specified, the action + will be run as the credentials of the Action Service. + +See the [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md) topic for additional +information. diff --git a/docs/threatmanager/3.1/administration/playbooks/action/entraid.md b/docs/threatmanager/3.1/administration/playbooks/action/entraid.md new file mode 100644 index 0000000000..5f09f06147 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/entraid.md 
@@ -0,0 +1,88 @@ +--- +title: "Entra ID Target Actions" +description: "Entra ID Target Actions" +sidebar_position: 20 +--- + +# Entra ID Target Actions + +The following actions target an Entra ID application. + +## Entra ID Group Membership + +Manages an Entra ID group's membership by adding or removing an object from a group. + +![entraidmembership](/images/threatmanager/3.0/administration/playbooks/action/entraidmembership.webp) + +- Users – Select the users for whom to alter group membership. If not specified, the user who + triggered the threat will be used. + - Perpetrator – The account that initiated the threat + - Users Affected – Users affected by the threat + - Both Perpetrators and Users Affected – The account that initiated the threat and the users + affected by the threat +- Group – Specify the identity of the group to manage. If not specified, the group affected by the + threat will be used. +- Action – Select the action to take on the user's group membership + - Add – Add the user to the specified group + - Remove – Remove the user from the specified group +- Credential – Select a credential profile that contains valid Entra ID credentials. Credential + profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. + +## Flag Entra ID User as Confirmed Compromised + +Flag a user as confirmed compromised within your Entra ID tenant. + +![confirmcompromised](/images/threatmanager/3.0/administration/playbooks/action/confirmcompromised.webp) + +- Users – The users to flag as confirmed compromised. If not specified, the user who triggered the + threat will be used. 
+ + - Perpetrator – The account that initiated the threat + - Users Affected – Users affected by the threat + - Both Perpetrators and Users Affected – The account that initiated the threat and the users + affected by the threat + +- Credential – Select a credential profile that will mark the user as confirmed compromised. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. + +## Disable Entra ID User + +This actions disables a user in your Entra ID tenant. + +![disableuser](/images/threatmanager/3.0/administration/playbooks/action/disableuser.webp) + +- Users –The users to disable. If not specified, the user who triggered the threat will be used + + - Perpetrator – The account that initiated the threat + - Users Affected – Users affected by the threat + - Both Perpetrators and Users Affected – The account that initiated the threat and the users + affected by the threat + +- Credential – Select a credential profile that will execute this action. Credential profiles are + configured on the [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not + specified, the action will be run as the credentials of the Action Service. + +## Reset Entra ID Password + +Resets an Entra ID user's password to a specified password. If no password is specified, resets a +user's password to a random group of letters, numbers, and special characters. + +![entraidresetpassword](/images/threatmanager/3.0/administration/playbooks/action/entraidresetpassword.webp) + +- New Password – Password will be reset to this value. If not specified, generates a random + password. +- Users – The users that will have their password reset. If not specified, the user who triggered + the threat will be used. 
+ + - Perpetrator – The account that initiated the threat + - Users Affected – Users affected by the threat + - Both Perpetrators and Users Affected – The account that initiated the threat and the users + affected by the threat + +- Credential – Select a credential profile that will execute this action. Credential profiles are + configured on the [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not + specified, the action will be run as the credentials of the Action Service. diff --git a/docs/threatmanager/3.1/administration/playbooks/action/localhost.md b/docs/threatmanager/3.1/administration/playbooks/action/localhost.md new file mode 100644 index 0000000000..ffa3d3294a --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/localhost.md 
@@ -0,0 +1,76 @@ +--- +title: "Local Host Target Actions" +description: "Local Host Target Actions" +sidebar_position: 30 +--- + +# Local Host Target Actions + +The following actions target the Threat Manager server. + +## PowerShell Script + +The PowerShell Script action executes a specified PowerShell script. This action can be used to +build a custom threat response, using PowerShell, to handle scenarios not covered by other +preconfigured action steps. + +![powershellscriptactionstep](/images/threatmanager/3.0/administration/playbooks/action/powershellscriptactionstep.webp) + +- PowerShell Script – Select the PowerShell script to execute. By default, the PowerShell script + includes a comment section which includes Threat Manager threat variables that can be used in + PowerShell script action steps. +- Credential – Select a credential profile using the drop-down list. This will provide the + PowerShell action step with a PowerShell credential object, based upon the Threat Manager + credential specified for use in the script. For example: + +**$Session = New-PSSession -ComputerName "Computer01" -Credential $Credential** + + Invoke-Command -Session $Session -ScriptBlock `{Write-Host "Hello World"}` + +## Send Email + +The Send Email action sends an email. + +![sendemail](/images/threatmanager/3.0/administration/playbooks/action/sendemail.webp) + +- Subject – The subject of the email +- To – Specify the email addresses receiving the email +- Body – The body of the email. HTML is supported. + +## Stop Process + +The Stop Process action stops a process running locally on the host associated with the threat. + +![stopprocess](/images/threatmanager/3.0/administration/playbooks/action/stopprocess.webp) + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md). 
If not + specified, the action will be run as the credentials of the Action Service. + +## End User Session + +The End User Session action attempts to log the specified user out of any active RDP sessions on the +target client. + +![endusersession](/images/threatmanager/3.0/administration/playbooks/action/endusersession.webp) + +- Users – The users to log out of RDP sessions. If not specified, only the perpetrator will be used. + Select the users from the drop-down list: + + - Perpetrator – The account that initiated the threat + - Both Users and Perpetrators Affected – The account that initiated the threat and also the + users affected by the threat + +- Computers – The computers to log a user out of a RDP session. If not specified, only the + perpetrator client will be used. Select computers from the drop down list: + + - Perpetrator Client – The computer that initiated the threat + - Host – The host client that initiated the threat + - Both Perpetrator Client and Host – The computer and the host client affected by the threat + +- Credential – The domain credential used to run the action. Domain credentials are populated by + credential profiles that are created on the Integrations page. If not specified, the action will + be run under the credentials of the action. Select the credentials from the drop-down list. See + the [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic for + additional information. diff --git a/docs/threatmanager/3.1/administration/playbooks/action/overview.md b/docs/threatmanager/3.1/administration/playbooks/action/overview.md new file mode 100644 index 0000000000..1c8f3dd092 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/overview.md 
@@ -0,0 +1,31 @@ +--- +title: "Action Configuration for Playbook Steps" +description: "Action Configuration for Playbook Steps" +sidebar_position: 70 +--- + +# Action Configuration for Playbook Steps + +When adding preconfigured actions as steps in a playbook, the configuration information required +depends upon the action selected. When Add Step is selected on the Playbooks page, a box with the +following information is displayed: + +![genericactionstep](/images/threatmanager/3.0/administration/playbooks/action/genericactionstep.webp) + +- Display Name – Populates with the name of the Action Type selected +- Action Type – A drop-down list containing all preconfigured actions that can be selected to add as + a playbook step +- Add – Click this button to add the step to the playbook +- Continue on Error – Select this checkbox to execute the next step if the current step fails + +Once an Action Type is selected, additional configuration options are displayed. + +Threat Manager has the following preconfigured actions: + +- [Active Directory Target Actions](/docs/threatmanager/3.1/administration/playbooks/action/activedirectory.md) +- [Entra ID Target Actions](/docs/threatmanager/3.1/administration/playbooks/action/entraid.md) +- [Local Host Target Actions](/docs/threatmanager/3.1/administration/playbooks/action/localhost.md) +- [Tag Threat Actions](/docs/threatmanager/3.1/administration/playbooks/action/tag.md) +- [Third-Party Applications Target Actions](/docs/threatmanager/3.1/administration/playbooks/action/thirdparty.md) +- [Windows File System Target Actions](/docs/threatmanager/3.1/administration/playbooks/action/windowsfileserver.md) +- [Windows Server Target Actions](/docs/threatmanager/3.1/administration/playbooks/action/windowsserver.md) diff --git a/docs/threatmanager/3.1/administration/playbooks/action/tag.md b/docs/threatmanager/3.1/administration/playbooks/action/tag.md new file mode 100644 index 0000000000..3e172eeea6 --- /dev/null 
+++ b/docs/threatmanager/3.1/administration/playbooks/action/tag.md @@ -0,0 +1,34 @@ +--- +title: "Tag Threat Actions" +description: "Tag Threat Actions" +sidebar_position: 40 +--- + +# Tag Threat Actions + +The following action targets Threat Manager. + +### Tag Object + +This action adds tags to objects associated with a threat. + +![tagobject](/images/threatmanager/3.0/administration/playbooks/action/tagobject.webp) + +- Tags – Select the tags to be applied to the object. +- Action – Specify whether to add or remove tags. If not specified, the tag will be added. +- Objects – Select which objects to tag. If not specified, the user who triggered the threat will be + used. + +### Manage Blocking Policy + +This action adds or removes a user from a blocking policy. + +![manageblockingpolicy](/images/threatmanager/3.0/administration/playbooks/action/manageblockingpolicy.webp) + +- Users – The users to have their RDP Session ended. If not specified, the user who triggered the + threat will be used. Select the users from the drop-down list. +- Credential – The domain credential used to run the action. Domain credentials are populated by + credential profiles that are created on the Integrations page. If not specified, the action will + be run under the credentials of the action. Select the credentials from the drop-down list. +- Policy Name - The name of the Threat Prevention blocking policy. +- Operation - Whether to add or remove the user from the blocking policy. diff --git a/docs/threatmanager/3.1/administration/playbooks/action/thirdparty.md b/docs/threatmanager/3.1/administration/playbooks/action/thirdparty.md new file mode 100644 index 0000000000..c19ebf123d --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/thirdparty.md 
@@ -0,0 +1,147 @@ +--- +title: "Third-Party Applications Target Actions" +description: "Third-Party Applications Target Actions" +sidebar_position: 50 +--- + +# Third-Party Applications Target Actions + +The following actions target third-party applications. + +## Create ServiceNow Incident + +This action creates an incident in ServiceNow®. + +![createservicenow](/images/threatmanager/3.0/administration/playbooks/action/createservicenow.webp) + +- Instance – Specify the ServiceNow instance. Only enter a name and the .servicenow.com instance is + automatically applied. For example, entering "company" will automatically become + company.servicenow.com. +- Message – Specify the optional message to display +- Password – Specify the password for the ServiceNow instance +- Username – Specify the ServiceNow username + +## Duo Authentication Push + +This action sends an authentication push to the Duo API. + +![duoauthenticationpush](/images/threatmanager/3.0/administration/playbooks/action/duoauthenticationpush.webp) + +- Users – Select the users to authenticate. If not specified, the user who triggered the threat will + be used. +- Admin Integration Key – Specify the Duo Admin integration key +- Admin Secret Key – Specify the Duo Admin secret key +- Admin API Hostname – Specify the Duo Admin API hostname +- Auth API Integration Key – Specify the Duo Auth integration key +- Auth API Secret Key – Specify the Duo Auth API secret key +- Auth API Hostname – Specify the Duo Auth API hostname +- Prompt Title – Specify the Duo Prompt title. If not specified, a default title will be used. +- Push Information – Specify the Duo Push information. If not specified, default threat information + will be used. +- Fail On – Select the response on which to fail the action step. If not specified, the step will + fail on "Deny". Select an option from the following: + + - Allow + - Deny + +- User Alias – Select the alias of the user to authorize. 
If not specified, the user's Activity + Monitor Account Name will be used. Select an option from the following: + + - Display Name + - SAM Account Name + +## Microsoft Teams + +This action posts to a Microsoft Teams channel. + +![microsoftteams](/images/threatmanager/3.0/administration/playbooks/action/microsoftteams.webp) + +- Message – Specify the optional message to display +- URI – Specify the URI for the Microsoft Teams incoming webhook + +## RADIUS Authentication + +This action utilizes RADIUS profiles to authenticate user activity. + +![radiusauthentication](/images/threatmanager/3.0/administration/playbooks/action/radiusauthentication.webp) + +- User Not Found Behavior – Select how to handle a user not configured for RADIUS authentication. If + not specified, the authentication will fail. +- Method – Specify the RADIUS authentication method value required by the authentication provider. + This value will vary depending upon vendor. Example values may include: push, SMS, or phone. +- Users – Select the users to authenticate. If not specified, the perpetrator will be used. +- Timeout Behavior – Select how to handle a timeout. If not specified, the authentication will fail. +- Fail On – Select which authentication type to fail on. This allows configuration to determine when + the action step fails. This is based upon the user response to the RADIUS Authentication request. + If not specified, the action step will fail with a failed authentication. + +## Send Syslog + +This action sends a Syslog message to a server. This action utilizes the current SIEM settings, +specified on the [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md), to send the +threat information via Syslog. + +![sendsyslog](/images/threatmanager/3.0/administration/playbooks/action/sendsyslog.webp) + +## Set Forescout Property On Host + +This action adds a property to a Forescout host record. 
Forescout collections can be configured to +monitor this property. This allows Threat Manager to integrate with the Forescout platform to enable +the use of the capabilities of Forescout for threat response. + +![forescoutproperty](/images/threatmanager/3.0/administration/playbooks/action/forescoutproperty.webp) + +- Forescout Server IP – The IP address of the Forescout server +- Forescout Property String – The value of the Forescout property string to be added to the host + associated with the Target IP +- Target IP – The resource IP address that will be used to identify the host in Forescout. The + default is Host. +- Forescout Password – Password for the Forescout server + +## Slack + +This action sends a message to Slack. + +![slack](/images/threatmanager/3.0/administration/playbooks/action/slack.webp) + +- Message – The optional message to display +- URI – The URI for the Slack incoming webhook + +## Twilio SMS Message + +This action sends an SMS message through Twilio. + +![twiliosms](/images/threatmanager/3.0/administration/playbooks/action/twiliosms.webp) + +- To – The phone number receiving threat notifications. Include the country code. +- SID – The Twilio SID +- Twilio Number – The phone number provided by Twilio +- Token – The Twilio token +- Message – The optional custom SMS message to send. If a message is not specified, a default SMS + message will be sent. + +## VirusTotal Report + +This action scans the file hashes against the VirusTotal API and emails the results. + +![virustotalreport](/images/threatmanager/3.0/administration/playbooks/action/virustotalreport.webp) + +- Subject – The optional custom email subject. If a subject is not specified, a default email + subject will be used. +- Key – The key provided by VirusTotal +- To – The email addresses receiving the email + +## Webhook + +This action executes a webhook via a HTTP request from Threat Manager. 
Webhooks are used by a +variety of web applications to trigger actions or receive data from external sources. + +![webhook](/images/threatmanager/3.0/administration/playbooks/action/webhook.webp) + +- Method – The HTTP method for the webhook. Select a method from the drop-down list: + - GET + - POST + - DELETE + - PUT +- URI – The URI for the webhook +- Body – The body of the HTTP request for the webhook diff --git a/docs/threatmanager/3.1/administration/playbooks/action/windowsfileserver.md b/docs/threatmanager/3.1/administration/playbooks/action/windowsfileserver.md new file mode 100644 index 0000000000..aa6341bc7a --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/windowsfileserver.md 
@@ -0,0 +1,44 @@ +--- +title: "Windows File System Target Actions" +description: "Windows File System Target Actions" +sidebar_position: 60 +--- + +# Windows File System Target Actions + +The following actions target Windows File System. + +## Delete File + +This action deletes the file associated with the threat. + +![deletefile](/images/threatmanager/3.0/administration/playbooks/action/deletefile.webp) + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. + +## Revert Permission Change + +The Revert Permission Change action reverts a permission change on an Active Directory Object. + +![revertpermissionchange](/images/threatmanager/3.0/administration/playbooks/action/revertpermissionchange.webp) + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the Integrations Interface. If not specified, the action + will be run as the credentials of the Action Service. + +See the [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md) topic for additional +information. + +## Save File Hash + +This action saves the file hash to the properties of the threat. + +![savefilehash](/images/threatmanager/3.0/administration/playbooks/action/savefilehash.webp) + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. 
diff --git a/docs/threatmanager/3.1/administration/playbooks/action/windowsserver.md b/docs/threatmanager/3.1/administration/playbooks/action/windowsserver.md new file mode 100644 index 0000000000..f1fb10f00d --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/action/windowsserver.md 
@@ -0,0 +1,61 @@ +--- +title: "Windows Server Target Actions" +description: "Windows Server Target Actions" +sidebar_position: 70 +--- + +# Windows Server Target Actions + +The following actions target Windows servers. + +## Close SMB Session + +![closesmbsession](/images/threatmanager/3.0/administration/playbooks/action/closesmbsession.webp) + +This action closes any active SMB sessions for the threat perpetrator on a target host. + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. + +## Create Windows Firewall Rule + +![windowsfirewall](/images/threatmanager/3.0/administration/playbooks/action/windowsfirewall.webp) + +This action adds a Windows Firewall Rule to block inbound or outbound network protocol traffic for +specified hosts. + +- Direction – Specify the direction of the firewall rule + - Inbound + - Outbound +- Protocol – Specify the network protocol for the firewall rule + - TCP + - UDP + - ICMPv4 + - ICMPv6 +- Blocking Target – Specify the remote address to be blocked by the firewall rule + - Perpetrator Client – The client machine used by a perpetrator for the detected threat + (typically a workstation) + - Host – The host associated with a threat (typically a domain controller or file server) +- Target Host – Specify the location where the windows firewall rule will be created + - Perpetrator Client – The client machine used by a perpetrator for the detected threat + (typically a workstation) + - Threat Host – The host associated with a threat (typically a domain controller or file server) +- Credential – Select a credential profile that contains valid Active Directory credentials. 
+ Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. + +## Disable User Remote Desktop Access + +![disableuserremote](/images/threatmanager/3.0/administration/playbooks/action/disableuserremote.webp) + +This action disconnects the user from the host and disables login rights for the user. + +- Credential – Select a credential profile that contains valid Active Directory credentials. + Credential profiles are configured on the + [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md). If not specified, the + action will be run as the credentials of the Action Service. +- Users – Select the users for whom to disable remote desktop access. If not specified, those user + who triggered the threat will be used. diff --git a/docs/threatmanager/3.1/administration/playbooks/editstep.md b/docs/threatmanager/3.1/administration/playbooks/editstep.md new file mode 100644 index 0000000000..876cd4a88c --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/editstep.md @@ -0,0 +1,29 @@ +--- +title: "Edit or Delete a Playbook Step" +description: "Edit or Delete a Playbook Step" +sidebar_position: 10 +--- + +# Edit or Delete a Playbook Step + +Follow the steps to edit a playbook step. + +![playbookstep](/images/threatmanager/3.0/administration/playbooks/playbookstep.webp) + +**Step 1 –** Click the step in the playbook to expand it. + +**Step 2 –** Make any desired changes to the step. + +**Step 3 –** Click Save. + +The playbook step is now updated. + +## Delete a Playbook Step + +Follow the steps to delete a playbook step. + +**Step 1 –** Click the step in the playbook to expand it. + +**Step 2 –** Click Delete. + +The playbook step is deleted. 
diff --git a/docs/threatmanager/3.1/administration/playbooks/export.md b/docs/threatmanager/3.1/administration/playbooks/export.md new file mode 100644 index 0000000000..fc3545ff3a --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/export.md @@ -0,0 +1,21 @@ +--- +title: "Export a Playbook" +description: "Export a Playbook" +sidebar_position: 40 +--- + +# Export a Playbook + +Playbooks can be exported from the Threat Manager Console. + +Follow the steps to export a playbook. + +![exportplaybook](/images/threatmanager/3.0/administration/playbooks/exportplaybook.webp) + +**Step 1 –** Select the playbook to export. + +**Step 2 –** Click the Export icon. + +**Step 3 –** Select a directory for the downloaded file. + +The playbook is placed in the selected directory. diff --git a/docs/threatmanager/3.1/administration/playbooks/import.md b/docs/threatmanager/3.1/administration/playbooks/import.md new file mode 100644 index 0000000000..7ff769de36 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/import.md @@ -0,0 +1,23 @@ +--- +title: "Import a Playbook" +description: "Import a Playbook" +sidebar_position: 30 +--- + +# Import a Playbook + +Playbooks created in a different location than the Threat Manager installation can be imported to +Threat Manager. This process involves creating a playbook in a JSON file format and then selecting +that file for import to Threat Manager. + +Follow the steps to import a playbook. + +![importbutton](/images/threatmanager/3.0/administration/playbooks/importbutton.webp) + +**Step 1 –** Go to the Playbooks tab and select Import. This opens the Windows File Explorer. + +**Step 2 –** Navigate to the file to import and select it. + +**Step 3 –** This imports the Playbook and adds it to the Playbooks list. + +The imported Playbook is automatically selected and displayed. 
diff --git a/docs/threatmanager/3.1/administration/playbooks/importsteps.md b/docs/threatmanager/3.1/administration/playbooks/importsteps.md new file mode 100644 index 0000000000..1bfb15a8f4 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/importsteps.md @@ -0,0 +1,23 @@ +--- +title: "Import Action Steps for Playbooks" +description: "Import Action Steps for Playbooks" +sidebar_position: 50 +--- + +# Import Action Steps for Playbooks + +The Threat Response box contains an Import button which provides the ability to import custom +actions into Threat Manager. Imported actions are listed in the Threat Response box and can be added +as Playbook steps. + +Follow the steps to import an action. + +![importbutton](/images/threatmanager/3.0/administration/playbooks/importbutton.webp) + +**Step 1 –** In the Threat Response box, click Import. + +**Step 2 –** Navigate to the action to import and select it. + +**Step 3 –** Click Open. + +The action is displayed in the Actions list. diff --git a/docs/threatmanager/3.1/administration/playbooks/overview.md b/docs/threatmanager/3.1/administration/playbooks/overview.md new file mode 100644 index 0000000000..52972c30e8 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/overview.md 
@@ -0,0 +1,180 @@ +--- +title: "Playbooks" +description: "Playbooks" +sidebar_position: 60 +--- + +# Playbooks + +The first step in designating steps to run in response to a threat is to add a playbook. A playbook +is used to tie a threat or "trigger type" to the desired step(s) to take in response to that threat. +A threat response can be assigned to a playbook on the +[Threat Detection Page](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md). Once a playbook has been created, +steps that specify the desired action for the threat response are then added. + +:::info +Execute playbooks in a test environment and review the results prior to executing +them in the production environment. +::: + + +When testing or just getting started with playbooks in Threat Manager, trigger playbooks manually +instead of automatically. Once the playbooks have been manually tested and you have familiarity with +Threat Manager threats and threat responses, automatic triggering of playbooks can be enabled. + +## Add a Playbook + +Follow the steps to add a playbook. + +![threatresponse](/images/threatmanager/3.0/administration/playbooks/threatresponse.webp) + +**Step 1 –** In the Threat Response box, click New Playbook. A new playbook called "My Playbook 1" +is created. As additional Playbooks are added, sequential numbers are appended to My Playbook. + +It is recommend to change the name of the playbook immediately after creation for organizational +purposes. + +**Step 2 –** Select the newly-created playbook from the Playbooks tab and click the Edit button. +Rename My Playbook with the desired name and optionally enter a description for the playbook in the +Description field. + +**Step 3 –** Configure the Playbook using the configuration tabs. + +**Step 4 –** Click the Save button. + +The new playbook now has the desired name and steps can be added to the playbook. See the Actions +Tab topic for additional information. 
+ +## Configure a Playbook + +Playbooks are configured using the tabs on the Threat Response page. + +![playbooktabs](/images/threatmanager/3.0/administration/playbooks/playbooktabs.webp) + +The Threat Response page contains the following configuration tabs: + +- General Tab +- Actions Tab +- Follow-Up Tab +- Logs Tab + +### General Tab + +The General Tab contains the Allowed Threats box which allows customization of which threats are +applicable for the selected playbook. + +![generaltab](/images/threatmanager/3.0/administration/playbooks/generaltab.webp) + +The General tab has the following configuration options: + +- Allowed for all threat response – Allows customization of which threats are applicable for this + playbook. (All threats are allowed by default). If a threat is excluded from Allowed Threats, it + will not be available to run ad hoc on the Threat Details page nor available for automated threat + response. +- Send Email on Execution of Playbook – An email notification will be sent after the playbook has + been executed. +- Search Threats – Select the threats that are allowed to be used as a threat response for this + playbook from the drop-down list. + +### Actions Tab + +Once a playbook is created or imported, add steps to the playbook using the Actions tab. Steps are +actions that are taken in response to a threat. See the +[Preconfigured Actions](/docs/threatmanager/3.1/administration/configuration/threatresponse.md#preconfigured-actions) topic for +additional information. + +Follow the instructions to add steps to a Playbook. + +![actionstab](/images/threatmanager/3.0/administration/playbooks/actionstab.webp) + +**Step 1 –** Select the playbook from the Playbooks list in the Threat Response box or on the +Playbooks overview. + +**Step 2 –** Click the Actions tab and then click **Add Step** to open a box to add a step to the +playbook. 
+ +**Step 3 –** Enter the following information in the box: + +![addstep](/images/threatmanager/3.0/administration/playbooks/addstep.webp) + +- Display Name – The desired name for the step +- Action Type – The type of action to take for the threat response. Select the desired action from + the drop-down list. Additional configuration information is required depending upon the type of + action selected. See the [Action Configuration for Playbook Steps](/docs/threatmanager/3.1/administration/playbooks/action/overview.md) topic for + additional information. +- Continue on Error – Select this checkbox to execute the next step if the current step fails + +**Step 4 –** Click Add to add the step to the playbook. + +The step is added to the playbook. + +### Follow-Up Tab + +Follow-Up Playbooks can be configured on the Follow-Up tab. Follow-Up playbooks allow additional +playbooks to run once the playbook has completed. This allows a (Undefined variable: SD.Product +Short Name) administrator to sequence a series of playbooks together as part of a threat response. + +![followuptab](/images/threatmanager/3.0/administration/playbooks/followuptab.webp) + +The Follow-Up tab has the following configuration options: + +- Send Email on Follow-up – Send an email notification when a follow-up playbook runs +- On Fail – If the current playbook fails, run the selected playbook from the drop-down list +- On Success – If the current playbook runs successfully, run the selected playbook from the + drop-down list + +Click **Save** to save the configured settings. + +### Logs Tab + +Click the Logs tab to access the Playbook Execution History table. The table lists all playbook +executions and also provides the ability to search the table. 
+ +![This screenshot displays the Logs tab on the Threat Response page.](/images/threatmanager/3.0/administration/playbooks/logstab.webp) + +The table provides the following information: + +- Threat – The threat type that triggered the playbook + - Click the threat link to open the [Threat Details Page](/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md) and view + information about the threat. +- Threat Detected – The time that the threat was detected +- Time Started – The time that the playbook was executed +- Time Finished – The time that the playbook completed execution +- Status – The status of the playbook execution: + - Queued + - Running + - Complete + - Completed with Errors + - Canceled + - Failed +- View Log – View the log file for the playbook execution. Clicking View Log opens the Action Log + window. + +## Action Log Window + +The Action Log window contains a Logs tab and a Step Details tab. + +## Logs Tab + +The Logs tab displays logs for the playbook execution. + +![This screenshot displays the Logs tab on the Action Log window.](/images/threatmanager/3.0/administration/playbooks/action/logstab.webp) + +The Logs tab displays a table with the following columns: + +- Time – The timestamp for the log +- Level – Type of log message displayed, which indicates the severity of the log message +- Message – Informational text displayed for the log + +## Step Details Tab + +The Step Details tab displays information about the action steps in the playbook execution. + +![This screenshot displays the Step Details tab on the Action Log window.](/images/threatmanager/3.0/administration/playbooks/stepdetailstab.webp) + +The Step Details tab contains a table with the following columns: + +- Action Step – The name of the action step in the playbook +- Status – The status of the action step +- Message – Any informational or output messages from the action step +- Executed On – The host where the playbook ran the action step 
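Review bot: the Follow-Up Tab paragraph in playbooks.md ships an unresolved template variable, `(Undefined variable: SD.Product Short Name)`, which will render verbatim on the published page; replace it with `Threat Manager`, the name the rest of the file uses. The heading hierarchy at the end of the file is also off: `## Action Log Window`, `## Logs Tab` and `## Step Details Tab` are all at the same level as `## Configure a Playbook`, and `Logs Tab` already exists as a `###` heading earlier in the file, so the site will generate a duplicate anchor; demote the two tab headings to `###` under Action Log Window. Minor: `It is recommend to change the name` should read `It is recommended to change the name`.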
diff --git a/docs/threatmanager/3.1/administration/playbooks/save.md b/docs/threatmanager/3.1/administration/playbooks/save.md new file mode 100644 index 0000000000..00783b748c --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/save.md @@ -0,0 +1,20 @@ +--- +title: "Save a Playbook Step to My Steps" +description: "Save a Playbook Step to My Steps" +sidebar_position: 20 +--- + +# Save a Playbook Step to My Steps + +Sometimes it may be convenient to save a step so that it can be added to multiple playbooks without +recreating the step. + +Follow the steps to save a step to the My Steps list. + +![playbookstep](/images/threatmanager/3.0/administration/playbooks/playbookstep.webp) + +**Step 1 –** Click the step in the playbook to expand it. + +**Step 2 –** Click Save to My Steps. + +The step is saved to the My Steps list and can be added to other playbooks as needed. diff --git a/docs/threatmanager/3.1/administration/playbooks/trigger.md b/docs/threatmanager/3.1/administration/playbooks/trigger.md new file mode 100644 index 0000000000..1ba659e6a5 --- /dev/null +++ b/docs/threatmanager/3.1/administration/playbooks/trigger.md 
@@ -0,0 +1,27 @@ +--- +title: "Trigger a Playbook Manually" +description: "Trigger a Playbook Manually" +sidebar_position: 60 +--- + +# Trigger a Playbook Manually + +If a playbook is configured to be allowed for a threat, a Threat Response button will be shown on +the allowed threat. + +Follow the steps to trigger a playbook manually. + +![threatresponsebutton](/images/threatmanager/3.0/administration/playbooks/threatresponsebutton.webp) + +**Step 1 –** Navigate to the Threat Details Page for a user with a threat type associated with a +playbook. + +**Step 2 –** Click the Threat Responsebutton. The Threat Response window opens. The window provides +the ability to respond to the threat by selecting a playbook from the drop-down list. The window +also provides a description of the playbook, the status, and the timestamp for when the playbook was +last executed. + +**Step 3 –** Click Execute to execute the playbook. + +Once the playbook has been executed, the log file can be viewed on the Threat Response page in the +Playbooks Execution History table. diff --git a/docs/threatmanager/3.1/administration/serviceaccounts.md b/docs/threatmanager/3.1/administration/serviceaccounts.md new file mode 100644 index 0000000000..9e764baa32 --- /dev/null +++ b/docs/threatmanager/3.1/administration/serviceaccounts.md 
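Review bot: in trigger.md, Step 2 has a missing space in `Click the Threat Responsebutton.`; it should be `Threat Response button`. The closing sentence refers to the `Playbooks Execution History table`, while playbooks.md calls the same table the `Playbook Execution History` table; use one name so readers searching the docs find both pages.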
@@ -0,0 +1,57 @@ +--- +title: "Service Accounts" +description: "Service Accounts" +sidebar_position: 50 +--- + +# Service Accounts + +In Threat Manager v3.1 is a dashboard for organizations to understand the Service Accounts in their environment. It includes accounts that have a defined servicePrincipalName, account type reflective of a service account, or repeated authentication patterns. + +The dashboard identifies service accounts with machine learning to identify pattern-based authentication. + +![Netwrix Threat Manager Service Accounts Dashboard](/images/threatmanager/3.1/administration/serviceaccounts/dashboard.webp) + +There are three types of service accounts: +- dMSA, gMSA, and sMSA - Group / Delegated / Standalone Managed Service Account +- Accounts marked with servicePrincipalName (SPN) +- Those discovered by machine learning + +## Column Definitions + +### Service Account +The primary identifier for the service account. Displays the account's display name (if available) or NT account name. This column is clickable and links to the detailed user information page. + +### Domain +The Active Directory domain to which the service account belongs. + +### Type +The type of service account. Possible values include: +- **User** (0) - Standard user account used as a service account +- **sMSA** (1) - Standalone Managed Service Account +- **gMSA** (2) - Group Managed Service Account +- **dMSA** (3) - Domain Managed Service Account + +### Enabled +Indicates whether the service account is currently enabled or disabled in Active Directory. + +### Tags +Custom tags associated with the service account for organization and categorization. Displays up to 2 tags visibly with an overflow indicator for additional tags. Each tag includes a name and description (shown on hover). + +### Auth Protocols +Authentication protocols supported or used by the service account (e.g., Kerberos, NTLM). Displays up to 2 protocols visibly with an overflow indicator for additional protocols. 
+ +### Encryption Types +Encryption types supported by the service account for Kerberos authentication (e.g., AES128, AES256, RC4). Displays up to 2 encryption types visibly with an overflow indicator for additional types. + +### SPNs +Service Principal Names associated with the service account. SPNs are unique identifiers that Kerberos uses to associate service instances with service accounts. Displays up to 2 SPNs visibly with an overflow indicator for additional SPNs. + +### Targets +The number of target systems or resources that this service account accesses or authenticates to. + +### Clients +The number of client systems or applications that use this service account for authentication. + +### Created +The date and time when the service account was created in Active Directory. diff --git a/docs/threatmanager/3.1/administration/threats/_category_.json b/docs/threatmanager/3.1/administration/threats/_category_.json new file mode 100644 index 0000000000..e03fe015d5 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Threats Page", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "threats" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/_category_.json b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/_category_.json new file mode 100644 index 0000000000..c2bb33e25c --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Active Directory Object Details Pages", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "activedirectoryobjects" + } +} \ No newline at end of file 
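Review bot: in serviceaccounts.md the expansions of the managed service account types contradict each other. The intro bullet `dMSA, gMSA, and sMSA - Group / Delegated / Standalone Managed Service Account` lists the expansions in a different order from the acronyms, and the Type column then expands `dMSA (3)` as `Domain Managed Service Account`; dMSA is Microsoft's delegated Managed Service Account, so write the bullet as `Delegated / Group / Standalone` and change the column entry to `Delegated Managed Service Account`. Also, the opening sentence `In Threat Manager v3.1 is a dashboard for organizations...` is ungrammatical (`Threat Manager v3.1 includes a dashboard...`), and the next sentence says "identifies ... to identify"; a single sentence such as "The dashboard uses machine learning to discover service accounts from repeated authentication patterns" reads better. Note that this file links images under `/images/threatmanager/3.1/`, whereas every other new page in this patch reuses `3.0` image paths; confirm that is intended.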
diff --git a/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/activedirectoryobjects.md b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/activedirectoryobjects.md new file mode 100644 index 0000000000..81ef1db686 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/activedirectoryobjects.md 
@@ -0,0 +1,90 @@ +--- +title: "Active Directory Object Details Pages" +description: "Active Directory Object Details Pages" +sidebar_position: 20 +--- + +# Active Directory Object Details Pages + +Active Directory Object details pages provide details on Active Directory objects including users, +groups,  and hosts (computers). These pages can be used to discover more information about the +various resources related to threats and events in Threat Manager. Pages include: + +- [User Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md) +- [Group Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md) +- [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) + +![threatlist](/images/threatmanager/3.0/administration/threatlist.webp) + +The [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md) contains a threats list with hyperlinks which can be clicked to +access these pages. + +**Common Details Page Elements** + +The User Details, Group Details, and Host Details pages contain some common page elements. + +![page](/images/threatmanager/3.0/administration/threatdetails/page_1.webp) + +Common details page elements include: + +- Profile Card +- Tabs +- Add Tag Button + +## Profile Card + +The profile card displays information about the selected user, group, or host. + +![This screenshot displays a Profile Card.](/images/threatmanager/3.0/administration/threatdetails/profilecard.webp) + +The type information displayed depends on the information available for the user, group, or host. + +**Profile Card Icons** + +The following icons may be displayed in the profile card for user accounts and computers: + +![profileicon](/images/threatmanager/3.0/administration/threatdetails/profileicon.webp) + +1. Non-Synced object icon : This icon appears when an object was not found in a sync but was created + by an event. +2. 
UBA training hourglass icon : This icon shows that the object is still undergoing its User + Behavior Analytics (UBA) training period. +3. Magnifying Glass Icon : This magnifying glass icon will lead you to the investigation page to + create one for this object. + +## Tabs + +Depending on the selected user, group, or host, the following tabs may be displayed: + +![This screenshot displays the tabs for the Active Directory Objects page. Tabs include Threats, Activity Summary, and Group Membership.](/images/threatmanager/3.0/administration/threatdetails/adobjecttabs.webp) + +- Threats Tab – Displays a chart with threats detected for the user, group, or host +- Activity Summary Tab – Depending on the selected user, group, or host, the page may display the + following information: + - Activity Overview Chart (Past 12 Months) + - Average Activity by Hour Chart + - Average Activity by Day Chart + - Events by Type Chart + - Activity by Host Table + - Activity by Client Table +- Group Membership Tab – For a user, displays a table that lists the groups of which the user is a + member. For a group, displays a table that lists the users that belong to that group. + +## Add Tag Button + +The Add Tag button can be used to assign existing tags to a user, group, or host computer. It also +provides the option to create new tags. + +**Add an Existing Tag** + +Follow the steps to add a tag to a user, group, or computer. + +![addtagbutton](/images/threatmanager/3.0/administration/threatdetails/addtagbutton.webp) + +**Step 1 –** Click the Add Tag button. + +**Step 2 –** Click the desired tag to add from the list of existing tags. + +The selected tag is added to the user, group, or computer. See the +[Tag Management Page](/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md) topic for additional +information. 
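Review bot: in activedirectoryobjects.md the Profile Card Icons list needs a wording pass: each item has a stray space before the colon (`Non-Synced object icon :`), and item 3, `This magnifying glass icon will lead you to the investigation page to create one for this object`, is unclear about what is created; something like "opens the investigation page so you can create an investigation for this object" says what the page does. Also `The type information displayed depends on` should be `The type of information displayed depends on`, and there is a double space in `groups,  and hosts (computers)`.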
diff --git a/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md new file mode 100644 index 0000000000..65882e3c80 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md 
@@ -0,0 +1,83 @@ +--- +title: "Group Details Page" +description: "Group Details Page" +sidebar_position: 20 +--- + +# Group Details Page + +The Group Details page provides information about the selected Active Directory group, threats +generated by the group, and group membership. + +![AD Group Details page](/images/threatmanager/3.0/administration/threatdetails/page_3.webp) + +The top of the page displays a group profile card which may contain the following information about +the group: + +- Name +- DN +- Sam Account Name +- Object GUID +- Object Type +- Domain +- Tags, with an option to add additional tags + +The Group Details page has the following tabs: + +- Threats Tab +- Members Tab +- Group Membership Tab + +## Threats Tab + +The Threats tab for a group displays the threats detected for the group by timeframe. + +![Threats tab for on the Group Details page](/images/threatmanager/3.0/administration/threatdetails/threatstab.webp) + +A key for threat types is displayed below the chart. + +## Members Tab + +The Members tab displays information about its members. 
+ +![AD Group Details Members Page](/images/threatmanager/3.0/administration/threatdetails/memberstab.webp) + +![Group Members Tab All Members Page](/images/threatmanager/3.0/administration/threatdetails/memberstaballmembers.webp) + +The Membership tab displays two tables: + +- Direct Member – Lists users who are direct members of the group +- All Members – has the following two tables: + + - Domain Admins – Users responsible for managing and controlling settings within the domain + - Domain Guests – Temporary accounts who need limited access to the domain + +Each table has the following columns: + +- Name – The display name of the member +- Domain – The domain name of the member +- Email – The email address of the member +- Title – The member's job title +- Department – The member's department + +## Group Membership Tab + +The Group Membership tab displays a table that lists the users who are members of the group. + +![Group Membership tab for on the Group Details page](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptab_1.webp) + +![Group Membership Tab Indirect Memberof Page](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptabindirect.webp) + +The Group Membership tab displays the groups that _the group_ is a member of. Here, 'the group' +refers to the group whose details you are viewing. + +The tab has two sub-tabs: + +- Direct Member Of – Lists groups the group is a direct member of +- Indirect Member Of – Lists groups the group is a member of via membership in a nested group + +Each sub-tab displays a table with the following columns: + +- Name - The name of the group. Click the link to view group details. +- Domain - Name of the domain. This may be either the domain DNS name or domain controller hostname. +- Tags - The tag present on the perpetrator, file, or host associated with the event 
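Review bot: the Members Tab section of group.md describes screenshot content as if it were product structure. Under `All Members – has the following two tables:` it lists `Domain Admins` and `Domain Guests`, which are example groups visible in the screenshot, not tables the tab always shows; describe All Members generically (for example, users who are members directly or through nested groups) and drop the two group names. The same section opens with `The Membership tab displays two tables:` although the heading is Members Tab, and `Direct Member – Lists users who are direct members` should be `Direct Members` to match the sub-tab. Two smaller points: the alt text `Threats tab for on the Group Details page` has an extra word, and the Tags column in the Group Membership table is described as `The tag present on the perpetrator, file, or host associated with the event`, which is copied from an events table; here it should describe the tags on the listed group.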
diff --git a/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md new file mode 100644 index 0000000000..4679a6a2fe --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md 
@@ -0,0 +1,68 @@ +--- +title: "Host Details Page" +description: "Host Details Page" +sidebar_position: 30 +--- + +# Host Details Page + +The Host Details page displays all threats on the selected host. + +![Host Details page](/images/threatmanager/3.0/administration/threatdetails/page_2.webp) + +The top of the page displays a host profile card which may contain the following information about +the host: + +- Host Name +- Distinguished Name (DN) +- NT Name (SAM Account Name) +- DNG Host Name +- Operating System +- Operating System Version +- Object GUID +- Object Type +- Domain +- Tags, with an option to add additional tags + +The page has the following tabs: + +- Threats Tab +- Activity Summary Tab +- Group Membership Tab + +## Threats Tab + +The Threats tab for a host displays the threats for the host by timeframe. + +![Threats tab of the Host Details page](/images/threatmanager/3.0/administration/threatdetails/threatstab.webp) + +The Threats tab contains a bar chart that displays each type of threat on the host and a pie chart +that shows the total number of threats on the host. The Threats List displayed below the Historical +Events section displays all threats that occurred on the host for the selected timeframe. + +## Activity Summary Tab + +The Activity Summary tab displays charts for host activity over different time periods. + +![Activity Summary tab of the Host Details page](/images/threatmanager/3.0/administration/threatdetails/activitysummarytab.webp) + +The Activity Overview (Past 12 Months) shows a color-coded heat map of host activity. Other metrics +include Average Activity by Hour, and Average Activity by Day, and Events by Type. + +## Group Membership Tab + +The Group Membership tab displays the groups the host is a member of. 
It has the following sub-tabs: + +- Direct Member Of – Lists groups the host is a direct member of +- Indirect Member Of – Lists groups the host is a member of via membership in a nested group + +![groupmembershiptab](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptab.webp) + +![Group Membership Tab Indirect Member of Page](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptabindirect.webp) + +Each table has the following columns: + +- Name – The name of the group. Click the link to view group details. See the + [Group Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md) topic for additional information. +- Domain – Name of the domain. This may be either the domain DNS name or domain controller hostname. +- Tags – The tag present on the perpetrator, file, or host associated with the event diff --git a/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md new file mode 100644 index 0000000000..777c3b236e --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md 
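Review bot: in host.md the profile card list contains `- DNG Host Name`, which should be `DNS Host Name` (the Active Directory dNSHostName attribute). The Activity Summary paragraph also has a doubled conjunction, `Average Activity by Hour, and Average Activity by Day, and Events by Type`; drop the first `and`. As in group.md, the Tags column text `The tag present on the perpetrator, file, or host associated with the event` is carried over from an events table and should describe tags on the listed group.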
@@ -0,0 +1,99 @@ +--- +title: "User Details Page" +description: "User Details Page" +sidebar_position: 10 +--- + +# User Details Page + +The Active Directory User Details page provides information about the user including threats +generated by the user, user activity, and group membership for the user. + +![page](/images/threatmanager/3.0/administration/threatdetails/page.webp) + +The top of the page displays a user profile card which may contain the following information about +the user: + +- Name +- DN +- NT Name (SAM Account Name) +- Email +- Object GUID +- Object Type +- Domain +- Tags, with an option to add additional tags + +The page has the following tabs: + +- Threats Tab +- Activity Summary Tab +- Group Membership Tab + +## Threats Tab + +The Threats tab for a user displays the threats for the user by timeframe. + +![Active Directory User Threats tab](/images/threatmanager/3.0/administration/threatdetails/aduserthreats.webp) + +A key for threat types is displayed below the chart. + +## Activity Summary Tab + +The Activity Summary tab displays charts for a user's activity over different time periods. + +![activitysummary](/images/threatmanager/3.0/administration/threatdetails/activitysummary.webp) + +The Activity Overview (Past 12 Months) shows a color-coded heat map of user activity. Other metrics +include, Average Activity by Day, and Events by Type. + +The Activity by Host, Activity by Client, and Activity Details tables are displayed below the +charts. + +**Activity by Host Table** + +The Activity by Host table displays the user's activity by host. + +![activitybyhost](/images/threatmanager/3.0/administration/threatdetails/activitybyhost.webp) + +- Server – Server where the activity occurred +- First Access – First date and time that the server was accessed +- Last Access – Last date and time that the server was accessed +- Number of Events – Total number of activity events on the server + +Use the Search icon to search for data contained in any column. 
Click the Export CSV button to +export the current rows displayed on the page into a CSV file. + +**Activity by Client Table** + +The Activity by Client table displays the user's activity by host. + +![activitybyclient](/images/threatmanager/3.0/administration/threatdetails/activitybyclient.webp) + +- Client IP – IP address for the client +- Client Name– Client where the activity occurred +- First Access – First date and time that the client was accessed +- Last Access – Last date and time that the client was accessed +- Number of Events – Total number of activity events on the client + +Use the Search icon to search for data contained in any column. Click the Export CSV button to +export the current rows displayed on the page into a CSV file. + +## Group Membership Tab + +The Group Membership tab displays groups in which the user is a member. + +![groupmembership](/images/threatmanager/3.0/administration/threatdetails/groupmembership.webp) + +![Group Membership Indirect Member of Page](/images/threatmanager/3.0/administration/threatdetails/groupmembershipindirect.webp) + +The Group Membership tab displays the groups the user is a member of. It has the following sub-tabs: + +- Direct Member Of – Lists groups the user is a direct member of +- Indirect Member Of – Lists groups the user is a member of via membership in a nested group + +Each table has the following columns: + +- Name – The name of the group. Click the link to view group details. See the + [Group Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md) topic for additional information. +- Domain – Name of the domain. This may be either the domain DNS name or domain controller hostname. +- Tags – The tag present on the perpetrator, file, or host associated with the event 
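Review bot: user.md has a copy-paste error in the Activity by Client section: `The Activity by Client table displays the user's activity by host.` should say `by client`. In the Activity Summary paragraph, `Other metrics include, Average Activity by Day, and Events by Type.` has a stray comma after `include`, and the column list has a missing space in `Client Name– Client where the activity occurred`. The Tags column description (`The tag present on the perpetrator, file, or host associated with the event`) is the same events-table text flagged on the group and host pages and should describe tags on the listed group.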
diff --git a/docs/threatmanager/3.1/administration/threats/entraidobjects/_category_.json b/docs/threatmanager/3.1/administration/threats/entraidobjects/_category_.json new file mode 100644 index 0000000000..3c781697bd --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/entraidobjects/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Entra ID Object Details Pages", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "entraidobjects" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidapplication.md b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidapplication.md new file mode 100644 index 0000000000..e96f87f570 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidapplication.md 
@@ -0,0 +1,107 @@ +--- +title: "Application Details Page" +description: "Application Details Page" +sidebar_position: 40 +--- + +# Application Details Page + +The Application Details page provides information about an application registered in Microsoft Entra +ID. + +![Entra ID Application Page](/images/threatmanager/3.0/administration/threatdetails/application.webp) + +The top of the page displays a profile card which may contain the following information about the +application: + +- App ID +- Object ID +- Object Type +- Tenant +- Add Tag button + +The page has the following tabs: + +- Threats Tab +- Activity Summary Tab +- Group Membership Tab +- Roles Tab + +## Threats Tab + +The Threats tab for an application displays the threats for the application by timeframe. + +![Application Threat Tab](/images/threatmanager/3.0/administration/threatdetails/threatstab.webp) + +## Activity Summary Tab + +The Activity Summary tab displays charts for an application's activity over different time periods. + +The Activity Overview (Past 12 Months) shows a color-coded heat map of user activity. + +![Entra ID Application Activity Summary Tab](/images/threatmanager/3.0/administration/threatdetails/activitysummarytab.webp) + +## Group Membership Tab + +The Group Membership tab displays groups in which the application is a member. + +![Entra ID Group Membership Tab](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptab_3.webp) + +The Group Membership tab displays two tables: + +- Direct Member Of – Lists groups the application is a direct member of +- Indirect Member Of – Lists groups the application is a member of via membership in a nested group + +Each table has the following columns: + +- Name – The name of the group. Click the link to view group details. See the + [Group Details Page](/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md) topic for additional information. 
+- Group Type – The type of group within Microsoft Entra ID +- Membership Type - How the group membership was assigned + +- Security Enabled - Shows whether or not the "Security Enabled" flag is enabled within Microsoft + Entra ID, if enabled it means that this type of group is used to manage user and computer access + to shared resources for a group of users. + +- Role Assignments Allowed - This flag shows whether or not a group can be assigned a role within + Microsoft Entra ID + +- Tags - The tags associated with the group Image + +## Roles Tab + +The role assignments tab displays a table that lists the roles that have been assigned to the Entra +ID application. + +![Entra ID User Role Assignment Eligible page](/images/threatmanager/3.0/administration/threatdetails/entraiduserrolestabeligible.webp) + +![Entra ID User Role Assignment Eligible page](/images/threatmanager/3.0/administration/threatdetails/entraiduserrolestabeligible.webp) + +The Roles tab displays two tables: + +- Eligible Assignments – Lists the roles that the user is eligible for. An eligible assignment + refers to a role assignment that a user or group can activate when needed but is not permanently + active + +- Active Assignments – Lists roles that are currently active and usable to a user. 
+ +The eligible assignments table has the following columns: + +- Role - Roles the user is eligible for +- Scope - Defines the boundary within which the assigned role permissions are valid +- Inherited from - How the eligible assignment was inherited +- Start Time - When the member is eligible for the role +- End Time - When the role eligibility expires +- Privileged - Whether or not the role is privileged (the role has elevated permission or + administrative access to EntraID resources) + +The active assignments table has the following columns: + +- Role - Roles that are currently active +- Scope - Defines the boundary within which the assigned role permissions are valid +- Inherited from - How the eligible assignment was inherited +- Assignment Type - How was the active role assignment assigned +- Start Time - When the member is eligible for the role +- End Time - When the role eligibility expires +- Privileged - Whether or not the role is privileged (the role has elevated permission or + administrative access to EntraID resources) diff --git a/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md new file mode 100644 index 0000000000..d413e5f690 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md 
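Review bot: the Roles Tab section of entraidapplication.md embeds the same screenshot twice, `![Entra ID User Role Assignment Eligible page](/images/threatmanager/3.0/administration/threatdetails/entraiduserrolestabeligible.webp)`, with identical alt text; the second image should presumably be the active assignments view, or one of them should be removed. The section also describes the wrong object type for an application page: `Lists the roles that the user is eligible for`, `usable to a user`, `Roles the user is eligible for` should refer to the application. In the active assignments table, `Inherited from - How the eligible assignment was inherited` and `Start Time - When the member is eligible for the role` still describe eligible assignments; reword them for active assignments. Minor: `Tags - The tags associated with the group Image` has a stray trailing word, and `Add Tag button` is listed among the profile card's information fields although it is a control rather than a field.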
@@ -0,0 +1,134 @@ +--- +title: "Group Details Page" +description: "Group Details Page" +sidebar_position: 20 +--- + +# Group Details Page + +The Microsoft Entra ID Group Details page provides information about the group including threats +generated by it's members, a list of members, the groups that the group is part of, the group +owners, and the roles assigned to the group. + +![Entra ID Group Page](/images/threatmanager/3.0/administration/threatdetails/entraidgroup.webp) + +The top of the page displays a profile card which may contain the following information about the +group: + +- Name +- Security Enabled +- Assignable to Role +- Object ID +- Object Type +- Tenant +- Tags + +The page has the following tabs: + +- Threats Tab +- Members Tab +- Group Membership Tab +- Owners Tab +- Roles Tab + +## Threats Tab + +The Threats tab for a user displays the threats for the user by timeframe. + +![Entra ID Group Threats Page](/images/threatmanager/3.0/administration/threatdetails/entraidgroupthreats.webp) + +A key for threat types is displayed below the chart. + +## Members Tab + +The Members tab displays information of Entra ID group members. + +![Entra ID Group Members Tab](/images/threatmanager/3.0/administration/threatdetails/entraidgroupmemberstab.webp) + +The table displays the following columns: + +- Name – The display name of the member within Microsoft Entra ID + +- Domain – The Microsoft Entra ID tenant domain name + +- Email – The email address of the member + +- Title – The member's job title + +- Department – The member's department + +## Group Membership Tab + +The Group Membership tab displays groups in which the group is a member. 
+ +![Entra ID Group - Group Membership Tab](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptab_2.webp) + +![Group Membership Indirect Member of Page](/images/threatmanager/3.0/administration/threatdetails/groupmembershiptabindirect.webp) + +The Group Membership tab displays two tables: + +- Direct Member Of – Lists groups the group is a direct member of + +- Indirect Member Of – Lists groups the group is a member of via membership in a nested group + +Each table has the following columns: + +- Name – The name of the group. Click the link to view group details. See the Group Details Page + topic for additional information +- Group Type – The type of group within Microsoft Entra ID +- Membership Type - How the group membership was assigned +- Security Enabled - Shows whether or not the "Security Enabled" flag is enabled within Microsoft + Entra ID, if enabled it means that this type of group is used to manage user and computer access + to shared resources for a group of users +- Role Assignments Allowed - This flag shows whether or not a group can be assigned a role within + Microsoft Entra ID +- Tags - The tags associated with the group + +## Owners Tab + +The Owners tab shows which objects can manage the group, these are the "owners". + +![Group Membership Owners Tab](/images/threatmanager/3.0/administration/threatdetails/groupmembershipownerstab.webp) + +The table displays the following columns: + +- Name – The display name of the owner +- Type – The type of Entra ID object +- Email – The email associated with the owners object + +## Roles Tab + +The Roles tab displays information about roles assigned to the group. + +![Entra ID Group Roles Tab Page](/images/threatmanager/3.0/administration/threatdetails/entraidgrouprolestab.webp) + +The Roles tab displays two tables: + +- Eligible Assignments – Lists the roles that the group is eligible for. 
An eligible assignment + refers to a role assignment that a user or group can activate when needed but is not permanently + active + +- Active Assignments – Lists roles that are currently active and usable to the group + +**The eligible assignments table has the following columns** + +- Role - Roles the group is eligible for +- Scope - Defines the boundary within which the assigned role permissions are valid +- Inherited from - How the eligible assignment was inherited +- Start Time - When the group is eligible for the role +- End Time - When the role eligibility expires +- Privileged - If the role is privileged or not. A privileged role in Microsoft Entra ID grants + elevated permissions for high-level administrative tasks. + +**The active assignments table has the following columns** + +![Roles Active Assignment Page](/images/threatmanager/3.0/administration/threatdetails/groupmembershiprolesactiveassignment.webp) + +- Role - Roles that are currently active +- Scope - Defines the boundary within which the assigned role permissions are valid +- Inherited from - How the eligible assignment was inherited +- Assignment Type - How was the active role assignment assigned +- Start Time - When the group is eligible for the role +- End Time - When the role eligibility expires +- Privileged - Whether or not the role is privileged (the role has elevated permission or + administrative access to EntraID resources) diff --git a/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidobjects.md b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidobjects.md new file mode 100644 index 0000000000..f0ab2b7f01 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidobjects.md 
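Review bot: The Threats Tab section of the Group Details page is copied from the user page: "The Threats tab for a user displays the threats for the user by timeframe." should read "The Threats tab for a group displays the threats for the group by timeframe." The same copy-over affects the Active Assignments column list, where "Inherited from - How the eligible assignment was inherited" and "Start Time - When the group is eligible for the role" describe eligibility rather than an active assignment; suggest "How the active assignment was inherited" and "When the active assignment starts". Smaller fixes in the same file: "threats generated by it's members" should be "its members", and "EntraID resources" should be "Entra ID resources". Finally, every image path in this 3.1 page points at /images/threatmanager/3.0/; if the screenshots are intentionally shared between versions that is fine, otherwise they should be copied to a 3.1 image folder so the 3.0 set can change independently.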
@@ -0,0 +1,88 @@ +--- +title: "Entra ID Object Details Pages" +description: "Entra ID Object Details Pages" +sidebar_position: 30 +--- + +# Entra ID Object Details Pages + +The Microsoft Entra ID Object details pages provide details on Microsoft Entra ID objects including +users, groups, applications, devices and roles. These pages can be used to discover more information +about the various resources related to threats and events in Threat Manager. Pages include: + +- [User Details Page](/docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md) + +- [Group Details Page](/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md) + +- [Role Details Page](/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidrole.md) + +- [Application Details Page](/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidapplication.md) + +![threatlist](/images/threatmanager/3.0/administration/threatlist.webp) + +The [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md) contains a threats list with hyperlinks which can be clicked to +access these pages. + +**Common Details Page Elements** + +The User Details, Group Details, Application details and Role details pages contain some common page +elements. + +## Profile Card + +The profile card displays information about the selected user, application, group, or role. 
+ +![Entra ID User Profile Card](/images/threatmanager/3.0/administration/threatdetails/entraiduserprofilecard.webp) + +- Name +- UPN +- Manager +- Department +- ObjectID +- Object Type +- Tenant +- On-premises synced accounts (will appear if a synced account exists) +- Assigned tags, with an option to add Tags + +## Tabs + +Depending on the selected user, group, application or role, the following tabs may be displayed: + +![Tabs](/images/threatmanager/3.0/administration/threatdetails/tabs.webp) + +- Threats Tab – Displays a chart with threats detected for a Microsoft Entra ID object +- Activity Summary Tab – Depending on the selected object, the page may display the following + information: + + - Activity Overview Chart (Past 12 Months) + - Average Activity by Hour Chart + - Average Activity by Day Chart + - Events by Type Chart + - Activity by Host Table + - Activity by Client Table + +- Group Membership Tab – For a: + + - user - displays a table that lists the groups of which the user is a member + - group - displays a table that lists the users that belong to that group + +- Roles - roles assigned to the group or user + +## Add Tag Button + +The Add Tag button can be used to assign existing tags to a user, group, or host computer. It also +provides the option to create new tags. + +**Add an Existing Tag** + +Follow the steps to add a tag to a user, group, or computer + +![Existing Tags List](/images/threatmanager/3.0/administration/threatdetails/addtagbutton.webp) + +**Step 1 –** Click the Add Tag button. + +**Step 2 –** Click the desired tag to add from the list of existing tags. + +The selected tag is added to the user, group, application or role. See the +[Tag Management Page](/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md) topic for additional +information. 
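Review bot: The Group Membership Tab bullet in the Tabs list contradicts the Group Details page added in this same patch: here it says that for a group the tab "displays a table that lists the users that belong to that group", but entraidgroup.md documents a separate Members tab for members and has the Group Membership tab list the groups the group is nested in (Direct Member Of / Indirect Member Of). Suggest "group - displays the groups of which the group is a direct or indirect member; members are listed on the Members tab". The Add Tag Button section drifts the other way: it says tags can be assigned to "a user, group, or host computer" and the steps say "user, group, or computer", while the closing sentence says the tag is added to "the user, group, application or role"; host computers are Active Directory objects, so this Entra ID page should use the latter wording throughout. The Profile Card list (UPN, Manager, Department) is also the user card only, even though the sentence above it says the card covers users, applications, groups and roles; either say the fields vary by object type or point to each details page for its own list. Minor: "Application details and Role details pages" should be capitalized like the other page names.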
diff --git a/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidrole.md b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidrole.md new file mode 100644 index 0000000000..4b5afb4602 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidrole.md @@ -0,0 +1,43 @@ +--- +title: "Role Details Page" +description: "Role Details Page" +sidebar_position: 30 +--- + +# Role Details Page + +The Role Details page provides information about a role including its description and role +membership. + +![Roles Page](/images/threatmanager/3.0/administration/threatdetails/roles.webp) + +The top of the page displays a profile card which may contain the following information about the +role: + +- Description +- Built-in +- Enabled +- Object ID +- Object Type +- Tenant + +## Members Tab + +The members tab displays two tables: + +- Eligible Assignments – Lists the roles that the user is eligible for. An eligible assignment + refers to a role assignment that a user or group can activate when needed but is not permanently + active. +- Active Assignments – Lists roles that are currently active and usable to a user. + +![Role Members Tab Active Assignement Page](/images/threatmanager/3.0/administration/threatdetails/rolesactiveassignments.webp) + +Both tables have the following columns: + +- Name – The display name of the member +- Type – The object type +- Scope – Defines the boundary within which the assigned role permissions are valid +- Inherited from – How the eligible assignment was inherited +- Assignment Type – How was the active role assignment assigned +- Start Time – When the member is eligible for the role +- End Time – When the role eligibility expires diff --git a/docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md new file mode 100644 index 0000000000..1ce717d3c9 --- /dev/null 
+++ b/docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md 
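Review bot: The Members Tab on the Role Details page describes the relationship backwards. "Eligible Assignments – Lists the roles that the user is eligible for" and "Active Assignments – Lists roles that are currently active and usable to a user" are copied from the User Details page, but the columns that follow (Name, Type, Scope, Assignment Type) describe members of the role, so the two bullets should read "Lists the users and groups that are eligible for this role" and "Lists the users and groups with an active assignment of this role". The shared column list then mixes the two tables: "Inherited from – How the eligible assignment was inherited" and "Start Time – When the member is eligible for the role" only fit the eligible table, while "Assignment Type – How was the active role assignment assigned" only fits the active one; either split the column lists per table as the user and group pages do, or word them neutrally ("When the assignment starts", "When the assignment ends"). Typo in the image alt text: "Assignement".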
@@ -0,0 +1,149 @@ +--- +title: "User Details Page" +description: "User Details Page" +sidebar_position: 10 +--- + +# User Details Page + +The Microsoft Entra ID User Details page provides information about the user including threats +generated by the user, user activity, group membership, and role assignments for the user. + +![Entra ID User Details Page](/images/threatmanager/3.0/administration/threatdetails/entraidpage.webp) + +The top of the page displays a user profile card which may contain the following information about +the user: + +- Name +- UPN +- Manager +- Department +- ObjectID +- Object Type +- Tenant +- On-premises synced accounts (will appear if a synced account exists) +- Tags, with an option to add additional tags + +The page has the following tabs: + +- Threats Tab +- Activity Summary Tab +- Group Membership Tab + +- Roles Tab + +## Threats Tab + +The Threats tab for a user displays the threats for the user by timeframe. + +![threats](/images/threatmanager/3.0/administration/threatdetails/threats.webp) + +A key for threat types is displayed below the chart. + +## Activity Summary Tab + +The Activity Summary tab displays charts for a user's activity over different time periods. + +![Entra ID User ACtivity Summary Tab](/images/threatmanager/3.0/administration/threatdetails/entraidactivitysummarytab.webp) + +The Activity Overview (Past 12 Months) shows a color-coded heat map of user activity. Other metrics +include Average Activity by Day, and Events by Type. + +The Activity by Host and Activity by Client tables are displayed below the charts. + +**Activity by Host Table** + +The Activity by Host table displays the user's activity by host. 
+ +![Entra ID User Activity Summary Tab Activity By Host Table](/images/threatmanager/3.0/administration/threatdetails/entraidactivitybyhost.webp) + +The table has the following columns: + +- Server – Server where the activity occurred +- First Access – First date and time that the server was accessed +- Last Access – Last date and time that the server was accessed +- Number of Events – Total number of activity events on the server + +Use the Search icon to search for data contained in any column. Click the Export button to export +the current rows displayed on the page into a CSV file. + +**Activity by Client Table** + +The Activity by Client table displays the user's activity by client. + +![Entra ID User Activity Summary Tab Activity By Client Table](/images/threatmanager/3.0/administration/threatdetails/entraiduseractivitybyclient.webp) + +The table has the following columns: + +- Client – Client where the activity occurred +- First Access – First date and time that the client was accessed +- Last Access – Last date and time that the client was accessed +- Number of Events – Total number of activity events on the client + +Use the Search icon to search for data contained in any column. Click the Export button to export +the current rows displayed on the page into a CSV file. + +## Group Membership Tab + +The Group Membership tab displays groups in which the user is a member. + +![Entra ID User Group Membership page](/images/threatmanager/3.0/administration/threatdetails/entraidusergroupmembershiptab.webp) + +The Group Membership tab displays the groups the user is a member of. It has the following sub-tabs: + +- Direct Member Of – Lists groups the user is a direct member of +- Indirect Member Of – Lists groups the user is a member of via membership in a nested group + +Each table has the following columns: + +- Name – The name of the group. Click the link to view group details. 
See the + [Group Details Page](/docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md) topic for additional information. +- Group Type – The type of group within Microsoft Entra ID +- Membership Type - How the group membership was assigned + +- Security Enabled - Shows whether or not the "Security Enabled" flag is enabled within Microsoft + Entra ID, if enabled it means that this type of group is used to manage user and computer access + to shared resources for a group of users. + +- Role Assignments Allowed - This flag shows whether or not a group can be assigned a role within + Microsoft Entra ID + +- Tags - The tags associated with the group Image + +## Roles Tab + +The role assignments tab displays a table that lists the roles that have been assigned to the +Microsoft Entra ID user. + +![Entra ID User Role Assignment Eligible page](/images/threatmanager/3.0/administration/threatdetails/entraiduserrolestabeligible.webp) + +![Entra ID User Roles tab Activity Assignments Page](/images/threatmanager/3.0/administration/threatdetails/entraiduserrolesactiveassignment.webp) + +The Roles tab displays two tables: + +- Eligible Assignments – Lists the roles that the user is eligible for. An eligible assignment + refers to a role assignment that a user or group can activate when needed but is not permanently + active + +- Active Assignments – Lists roles that are currently active and usable to a user. + +The eligible assignments table has the following columns: + +- Role - Roles the user is eligible for +- Scope - Defines the boundary within which the assigned role permissions are valid +- Inherited from - How the eligible assignment was inherited +- Start Time - When the member is eligible for the role +- End Time - When the role eligibility expires +- Privileged - If the role is privileged or not. 
A privileged role in Microsoft Entra ID grants + elevated permissions for high-level administrative tasks + +The active assignments table has the following columns: + +- Role - Roles that are currently active +- Scope - Defines the boundary within which the assigned role permissions are valid +- Inherited from - How the eligible assignment was inherited +- Assignment Type - How was the active role assignment assigned +- Start Time - When the member is eligible for the role +- End Time - When the role eligibility expires +- Privileged - If the role is privileged or not. A privileged role in Microsoft Entra ID grants + elevated permissions for high-level administrative tasks diff --git a/docs/threatmanager/3.1/administration/threats/threatdetails/_category_.json b/docs/threatmanager/3.1/administration/threats/threatdetails/_category_.json new file mode 100644 index 0000000000..d979e6425f --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/threatdetails/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Threat Details Page", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/threats/threatdetails/abnormalbehavior.md b/docs/threatmanager/3.1/administration/threats/threatdetails/abnormalbehavior.md new file mode 100644 index 0000000000..b51ce6fd34 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/threatdetails/abnormalbehavior.md 
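Review bot: The Roles Tab section opens with "The role assignments tab displays a table that lists the roles..." and two sentences later says "The Roles tab displays two tables"; the opening sentence should use the tab's actual name and say two tables. In the Active Assignments column list, "Inherited from - How the eligible assignment was inherited" and "Start Time - When the member is eligible for the role" are copied from the Eligible Assignments list and should describe the active assignment ("How the active assignment was inherited", "When the active assignment starts"). Other fixes in this file: the stray trailing word in "Tags - The tags associated with the group Image"; the Group Membership section calls Direct/Indirect Member Of "sub-tabs" and then "Each table", while the group page calls them tables; the tab list has a blank line before "- Roles Tab" that splits it into two lists; "ACtivity" in an image alt text; the Activity Summary paragraph omits the Average Activity by Hour chart that entraidobjects.md lists for this tab; and in the Activity by Client table, "First Access – First date and time that the client was accessed" reads oddly when the Client column is defined as where the activity originated, so "first date and time activity was seen from the client" would be clearer.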
@@ -0,0 +1,32 @@ +--- +title: "Abnormal Behavior Threat Details" +description: "Abnormal Behavior Threat Details" +sidebar_position: 10 +--- + +# Abnormal Behavior Threat Details + +The Threat Details page for abnormal behavior has a different layout and provides different +information than the Threat Details page for other threat types. It displays information about user +behaviors that deviate from the user's normal behavioral profile. Abnormal behavior detection begins +when a user has been active for a minimum of 30 days, with up to 120 days of activity used to +establish the baseline behavior for a user. + +![abnormalbehavior](/images/threatmanager/3.0/administration/threatdetails/abnormalbehavior.webp) + +The top of the page shows the number of each of the following: + +- Hosts +- Event Types +- Successful Events +- Failed Events +- Abnormalities +- Tagged Resources + +The Abnormality Summary box gives a general description of the abnormal behavior and when it was +detected. The Activity Timeline table displays the activity relating to the abnormality, as well as +activity detected for the user before and after the abnormality occurred. + +- Top 5 Hosts By Activity – Displays the top 5 hosts by activity +- Top 5 Clients By Activity – Displays the top 5 clients by activity +- Event Types – Displays the event types detected for the abnormal behavior diff --git a/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md b/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md new file mode 100644 index 0000000000..e3cdbe3f55 --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md 
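Review bot: The three bullets at the end of the page ("Top 5 Hosts By Activity", "Top 5 Clients By Activity", "Event Types") have no introductory sentence, so after the Abnormality Summary / Activity Timeline paragraph it is unclear whether they are tables, charts, or sections of the timeline; add a lead-in such as "Below the Activity Timeline, the page displays the following:" and state what each element is. The two "Top 5 ... By Activity" descriptions also only repeat their titles; saying what is counted (events in the timeline window, or over the baseline period) would make them useful. The 30-day minimum and 120-day baseline figures in the first paragraph are the only place those values appear in the added pages; if the baseline window is configurable anywhere else, link it from here.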
@@ -0,0 +1,177 @@ +--- +title: "Threat Details Page" +description: "Threat Details Page" +sidebar_position: 10 +--- + +# Threat Details Page + +The Threat Details page provides details on the selected threat. View the details for a threat by +selecting the threat from the list on the [Threats Page](/docs/threatmanager/3.1/administration/threats/threats.md) and clicking View Details. + +![threatdetails](/images/threatmanager/3.0/administration/threatdetails/threatdetails.webp) + +The top of the page displays a Threat Overview box, Threat Activity diagram, and an Evidence box. + +The Threat Overview box that contains the following information: + +- Description – Displays the threat type, the user account that generated the threat, a description + of the threat activity and the host against which the threat occurred +- Threat Level – The relative severity level, or risk level, of the threat +- Threat Detected – The date and timestamp for the threat +- Definition – The threat definition is a detailed explanation of the threat providing insight into + why the incident is a potential risk + +The Threat Activity diagram contains a diagram that displays the flow of the threat activity. + +![threatactivity](/images/threatmanager/3.0/administration/threatdetails/threatactivity.webp) + +The Evidence box below the Threat Activity diagram provides specific information about the threat. + +The Threats page displays three buttons in the top right corner: + +![evidencebox](/images/threatmanager/3.0/administration/threatdetails/evidencebox.webp) + +- Unassigned – If the threat has not been assigned to an owner, the button will display as + Unassigned. If a user has been assigned to an owner, the button will display the username. Click + it to open the Workflow Window where assigned user and/or status can be updated. +- Set Status – If no status is set for the threat the button will display as _Set Status_. 
If a + status has been set for the threat then this button displays the status of the threat. Click it to + open the Workflow Window, where assigned user and/or status can be updated. +- Threat Response – Click to open the Threat Response Window and designate the playbook to response + to the threat. + +## Workflow Window + +The Workflow window displays the owner of a threat, or provides settings to assign an owner to a +threat. + +![Workflow window](/images/threatmanager/3.0/administration/threatdetails/workflow.webp) + +The Workflow window contains the following configuration settings: + +:::note +The information displayed on this page is dependent upon the type of threat selected. +::: + + +- _(Optional)_ Assigned To – Displays the user currently assigned to the threat. Assign or edit the + Assigned User using the drop-down list. The list populates with users granted access to the + console on the User Access page of the System Settings interface. See the User Access Page topic + for additional information. +- Set Status – Select a status for the threat from the drop-down list: + + - Open – Default status for new threats + - Under Investigation – Threats that are currently under or pending investigation by an + administrator + - Closed - Resolved – Legitimate threats that have been contained or dealt with + - Closed - False Positive – Behavior that has been incorrectly identified by Threat Manager as a + threat + + :::note + Abnormal behavior threat detection will be influenced by false positives. Marking + abnormal behavior threats as False Positive will reduce the sensitivity of the abnormality + detection for this perpetrator. 
+ ::: + + +- _(Optional)_ Comment – Add a comment to the threat +- Ignore future threats of this type by (user) – Select this checkbox to ignore threats of this type + from the selected user +- Submit – Click to update the workflow + +In the Threat Activity Diagram, click the user to view the [User Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md) page. Click +the host to view the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) page. + +## Threat Response Window + +The Threat Response window contains the following configuration options: + +![Threat Response window](/images/threatmanager/3.0/administration/threatdetails/threatresponse.webp) + +- Select Playbook – Select a playbook for the threat response +- Description – Description of the playbook that has been selected +- Status – The state of the playbook +- Last Executed – When the playbook was last executed + +The Threat Details Overview contains the following tabs: + +- Event Details Tab +- Related Threats Tab +- Related Activity Tab +- History Tab + +## Event Details Tab + +The Event Details tab shows details for the selected threat. + +![eventdetails](/images/threatmanager/3.0/administration/threatdetails/eventdetails.webp) + +- Time Stamp – The exact date and time when the event occurred +- Target – The specific object, resource, or entity that was the focus of the event +- Perpetrator – The user or service account that initiated the event +- Successful – Indicates whether the action associated with the event was successfully completed + True if the operation was successful. False if the operation failed +- Blocked – Indicates whether the operation was prevented by a security measure, such as a Netwrix + agent True if the operation was blocked by a Netwrix agent. False if not blocked. 
+- Operation – Type of operation performed +- Client – The device, IP address, or host that initiated the event +- Description – A summary of the event + +Use the Search icon to search for data in the table. Click the + icon in the table to view +additional details about a threat. Click the Export CSV button to export the current rows displayed +on the page into a CSV file. Click the Export All button to export all data returned into a CSV +file. + +## Related Threats Tab + +The Related Threats tab lists other threats generated by the same user that may be related to the +threat listed in the Event Details tab. + +![relatedthreats](/images/threatmanager/3.0/administration/threatdetails/relatedthreats.webp) + +The Related Threats table has the following columns: + +- Time Stamp – Time that the threat was detected +- Threat – Type of threat detected +- Status – Workflow status of the threat: Open, Under investigation, Closed - Resolved, or Closed - + False Positive +- View Details – Click View Details to view the details page for the related threat + +Use the Search icon to search for data in the table. + +## Related Activity Tab + +The Related Activity tab lists activity by the selected user that may be related to the threat. + +![relatedactivity](/images/threatmanager/3.0/administration/threatdetails/relatedactivity.webp) + +- Time Stamp – The exact date and time when the event occurred +- Target – The specific object, resource, or entity that was the focus of the event +- Perpetrator – The user or service account that initiated the event +- Successful – Indicates whether the action associated with the event was successfully completed + True if the operation was successful. False if the operation failed +- Blocked – Indicates whether the operation was prevented by a security measure, such as a Netwrix + agent True if the operation was blocked by a Netwrix agent. False if not blocked. 
+- Operation – The type of activity performed +- Client – The device, IP address, or host that initiated the event +- Description – A summary of the event + +Use the Search icon to search for data in the table. Click the + icon in the table to view +additional details about a threat. Click the Export CSV button to export the current rows displayed +on the page into a CSV file. Click the Export All button to export all data returned into a CSV +file. + +## History Tab + +The History tab lists updates made to the threat in the Update box and provides a section to add +comments. + +![history](/images/threatmanager/3.0/administration/threatdetails/history.webp) + +The History table has the following columns: + +- Add Comments – Type any desired comments in the box and click Add Comment +- Time Stamp – Exact date and time when the status was updated. +- Message – Displays the content of the comments entered by users or the system +- User – The name of the user who entered the comment diff --git a/docs/threatmanager/3.1/administration/threats/threats.md b/docs/threatmanager/3.1/administration/threats/threats.md new file mode 100644 index 0000000000..e82b57d48a --- /dev/null +++ b/docs/threatmanager/3.1/administration/threats/threats.md 
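Review bot: The buttons paragraph names the wrong page and the wrong object: "The Threats page displays three buttons in the top right corner" describes the Threat Details page, and "If a user has been assigned to an owner, the button will display the username" should say "If the threat has been assigned to an owner". Also in this hunk: the links after the Workflow window ("click the user to view the User Details Page ... activedirectoryobjects/user.md", "click the host to view the Host Details Page") only cover Active Directory threats, while this same patch adds Entra ID user, group, role and application pages that entraidobjects.md says are reached from the threat list, so state that for Entra ID threats the Entra ID object pages open instead; "The Threat Overview box that contains the following information" should be "contains"; "The Threat Activity diagram contains a diagram" is redundant; "designate the playbook to response to the threat" should be "respond"; the Successful and Blocked bullets in both the Event Details and Related Activity tables are missing a period before "True if ..."; and in the History tab, "Add Comments" is listed as a table column although the sentence above describes it as a box beside the table.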
@@ -0,0 +1,170 @@ +--- +title: "Threats Page" +description: "Threats Page" +sidebar_position: 30 +--- + +# Threats Page + +The Threats page is where end-users and analysts investigate possible threats in their environment. +This page displays an historical timeline of the detected threats and advanced filtering that allows +users to find threats with ease. + +## All Threats + +The Threats section contains a bar chart and a pie chart. The Threats bar chart displays the number +of each type of threat by date range increments of one week, over a 13-week time span. The Threats +pie chart displays the total number of threats by type of threat. + +![threatspage](/images/threatmanager/3.0/administration/threatspage.webp) + +Hover over the bar chart or pie chart to view the number of threats by threat type. + +## Historical Events + +The Historical Events section provides a drop-down menu to select threats for a specific date range. +Threats can also be filtered by specifying a timeframe. A predefined time span can also be selected +from the menu options in the right pane. + +![historicalevents](/images/threatmanager/3.0/administration/historicalevents.webp) + +These threats are displayed in a list format below the Historical Events section. + +## Threats List + +The Threats list is displayed below the Historical Events section. + +![threatlist](/images/threatmanager/3.0/administration/threatlist.webp) + +The list displays threats that have a threat level of Low, Medium, High, or Audit for the selected +timeframe. Each threat in the list contains a link which opens the +[User Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md) or the [Group Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md) and a +host link which opens the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md). 
In addition, threats have an +Edit button which opens the Edit Threats window. The View Details button opens the +[Threat Details Page](/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md). + +## Filter Threats + +The left pane of the page, below Historical Events, lists filters that can be selected and applied +to display the threats. The filters listed are based on the threat types detected. Each filter is a +collapsible section that can be hidden or expanded using the arrow. To clear any currently-selected +filters, click the **Clear Filters** button. + +### Type + +The Type section displays the threat types which can be selected for filtering. This list of threats +to filter by is dynamic, depending upon the type of threats detected. See the following topics for +additional information: + +- [Active Directory Threats](/docs/threatmanager/3.1/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.1/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.1/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.1/threats/general.md) + +### Level + +The Level section displays the threat types which can be selected for filtering. Levels are assigned +or configured on the [Threat Detection Page](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatdetection.md). + +### Tags + +The Tags section contains any tags associated with threats that are currently in the filtered time +range. + +#### Sensitive Data + +Sensitive Data tags are displayed in threats containing sensitive data when Access Analyzer and the +Sensitive Data Discovery Add-on are installed in addition to Threat Manager. When installed with the +Sensitive Data Discovery Add-on, Access Analyzer scans for sensitive data using File System +Sensitive Data Discovery Auditing. 
See the +[Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.1/install/integration/accessanalyzer.md) +topic for additional information. See the File System Solution topic in the +[Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for +additional information on Access Analyzer Sensitive Data Discovery capabilities. + +When a threat event contains sensitive data, a Sensitive Data tag is displayed next to the threat: + +![threatsensitivedatafilter](/images/threatmanager/3.0/administration/threatsensitivedatafilter.webp) + +To view the type of sensitive data contain in a threat, click View Details on the threat containing +a Sensitive Data tag. The type of sensitive data is displayed in the Sensitive Data column. + +The following tables contain a Sensitive Data column: + +- Event Details +- Related Activity +- Activity Details + +**Host** + +Filter on a host by selecting the checkbox next to the host or entering a host name in the search +box. + +**User** + +Filter on a user by selecting the checkbox next to the user or entering a user name in the search +box. + +**Status** + +The Status section may contain the following filters: + +- Open – Default status for new threats +- Under Investigation – Threats that are currently under or pending investigation by an + administrator +- Closed - Resolved – Legitimate threats that have been contained or dealt with +- Closed - False Positive – Behavior that has been incorrectly identified by Threat Manager as a + threat + + :::note + Abnormal behavior threat detection will be influenced by false positives. Marking + abnormal behavior threats as False Positive will reduce the sensitivity of the abnormality + detection for this perpetrator. + ::: + + +**Assignee** + +The Assignee section provides the ability to filter by user. Select one or more users. 
+ +- Unassigned – Threat does not have a user assigned +- Assigned to me – Threat is assigned to the logged in user + +## Edit Threats + +Threats can be edited to assign a user, set a status, or ignore future threats of a specified type +using Threat Manager’s Incident Detection Response (IDR) workflow. + +Follow the steps to edit a threat. + +**Step 1 –** Select a threat from the list and click Edit. The Workflow window opens. + +![editthreats](/images/threatmanager/3.0/administration/editthreats.webp) + +**Step 2 –** Enter the following information: + +- (Optional) Assigned To – Select a user who has a role assigned via the User Access page on the + System Settings interface to assign to a threat to. See the User Access Page topic for additional + information. +- Set Status – Select the status for the threat from the drop-down list. Options include: + + - Open – Default status for new threats + - Under Investigation – Threats that are currently under or pending investigation by an + administrator + - Closed - Resolved – Legitimate threats that have been contained or dealt with + - Closed - False Positive – Behavior that has been incorrectly identified by Threat Manager as a + threat + + :::note + Abnormal behavior threat detection will be influenced by false positives. Marking + abnormal behavior threats as False Positive will reduce the sensitivity of the abnormality + detection for this perpetrator. + ::: + + +- (Optional) Comment – Add a comment to the threat +- Ignore future threats of this type by [domain\user] + +**Step 3 –** Click Submit to save the changes. + +Threats can also be edited from the [Threat Details Page](/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md). diff --git a/docs/threatmanager/3.1/administration/troubleshooting/_category_.json b/docs/threatmanager/3.1/administration/troubleshooting/_category_.json new file mode 100644 index 0000000000..d17aafd894 --- /dev/null 
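Review bot: The Level filter section is a copy of the Type section: "The Level section displays the threat types which can be selected for filtering" should describe threat levels (Low, Medium, High and Audit, as the Threats List paragraph above lists them). Also in this hunk: the Threats List paragraph links only the Active Directory User, Group and Host details pages, while entraidobjects.md in this patch says Entra ID threats link to the Entra ID object pages, so say which pages open for which threat source; the filter headings switch from "### Type", "### Level", "### Tags" and "#### Sensitive Data" to bold "**Host**", "**User**", "**Status**" and "**Assignee**", so the last four are not real sections and will not appear in the page outline; "sensitive data contain in a threat" should be "contained"; "to assign to a threat to" should be "to assign to a threat"; and the "Ignore future threats of this type by [domain\user]" option has no description here, unlike the Workflow Window section in threatdetails/overview.md, which explains it.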
+++ b/docs/threatmanager/3.1/administration/troubleshooting/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Troubleshooting", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/administration/troubleshooting/log.md b/docs/threatmanager/3.1/administration/troubleshooting/log.md new file mode 100644 index 0000000000..a3a5ab7474 --- /dev/null +++ b/docs/threatmanager/3.1/administration/troubleshooting/log.md 
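Review bot: Both _category_.json files added in this region (threatdetails and troubleshooting) end with the "\ No newline at end of file" marker; please add a trailing newline so the files match the others and do not produce spurious diffs on the next edit.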
@@ -0,0 +1,40 @@ +--- +title: "Log Files" +description: "Log Files" +sidebar_position: 10 +--- + +# Log Files + +Each component of Threat Manager has a log file that will report errors, warnings, and debug +information depending on the logging level. + +The log location for Threat Manager logs is: + +**C:\ProgramData\Stealthbits\StealthDEFEND** + +Threat Manager has the following logs: + +- Action Service Log – This is the log for the Action Service which is the actual component that + runs PowerShell actions in response to threats. This log is useful for troubleshooting threat + response. +- Active Directory Service Log – This log is responsible for output from the Active Directory + Service. The Active Directory service handles AD Login functions and everything related to the + Active Directory Sync. Reference this log for any issues with AD Logins or AD Syncs. +- Email Service Log – This log contains information relating to all functions of the built-in Email + Notification service in Threat Manager. If you have issues with missing email notifications + reference this log. +- Event Message Service Log – This is the log for the Event Message Service which handles turning + data from Threat Manager and Activity Monitor into an event in the Threat Manager Database. This + service also will do Threat detection for many Active Directory threats. This log is very useful + for issues with incoming data and Active Directory threats. +- Job Service Log – This log is for the Job Service which is the service that schedules a variety of + maintenance actions and all the Python-based threats. If there are issues with threat detection or + problems on the system health page this log should be retrieved for troubleshooting. +- License Service Log – This log contains information for the third party licensing components + utilized by Threat Manager. Reference this log for any issues with licensing. 
+- Reset Service Log – This log contains a number of pieces of information such as logging into the + Threat Manager application, licensing, and some website functions. This log is very useful for any + AJAX errors or errors that are exposed via the UI. +- SIEM Service Log – This log contains information relating to emailing threat information from + Threat Manager. diff --git a/docs/threatmanager/3.1/administration/troubleshooting/overview.md b/docs/threatmanager/3.1/administration/troubleshooting/overview.md new file mode 100644 index 0000000000..2aa7b0bc3f --- /dev/null +++ b/docs/threatmanager/3.1/administration/troubleshooting/overview.md @@ -0,0 +1,13 @@ +--- +title: "Troubleshooting" +description: "Troubleshooting" +sidebar_position: 70 +--- + +# Troubleshooting + +In case you are experiencing issues with the Netwrix Threat Manager, see the following topics for +additional information: + +- [Log Files](/docs/threatmanager/3.1/administration/troubleshooting/log.md) +- [Updating Passwords](/docs/threatmanager/3.1/administration/troubleshooting/updatepasswords.md) diff --git a/docs/threatmanager/3.1/administration/troubleshooting/updatepasswords.md b/docs/threatmanager/3.1/administration/troubleshooting/updatepasswords.md new file mode 100644 index 0000000000..cb46243272 --- /dev/null +++ b/docs/threatmanager/3.1/administration/troubleshooting/updatepasswords.md 
@@ -0,0 +1,37 @@ +--- +title: "Updating Passwords" +description: "Updating Passwords" +sidebar_position: 20 +--- + +# Updating Passwords + +This section describes how to update passwords in the Threat Manager console. Passwords in Threat +Manager are configured within Credential Profiles. + +:::note +If an Administrator needs to update passwords in their environment due to password +expiration or for security reasons, all relevant Credential Profiles on the Integrations page must +be updated. +::: + + +## Updating a Credential Profile Password + +Follow the steps below to update passwords for a Credential Profile. + +**Step 1 –** Navigate to the Integrations menu **Settings** > **Integrations**. + +**Step 2 –** Select the account under the **Credential Profile** drop-down list. + +![credentialprofileedit](/images/threatmanager/3.0/administration/troubleshooting/credentialprofileedit.webp) + +**Step 3 –** Click the **Edit** icon. + +![credentialprofilepasswordupdate](/images/threatmanager/3.0/administration/troubleshooting/credentialprofilepasswordupdate.webp) + +**Step 4 –** Enter a new Password for the account. + +**Step 5 –** Click Save. + +A new password has been updated for the Credential Profile. diff --git a/docs/threatmanager/3.1/gettingstarted.md b/docs/threatmanager/3.1/gettingstarted.md new file mode 100644 index 0000000000..e4429d5b57 --- /dev/null +++ b/docs/threatmanager/3.1/gettingstarted.md 
@@ -0,0 +1,86 @@ +--- +title: "Getting Started with Threat Manager" +description: "Getting Started with Threat Manager" +sidebar_position: 2 +--- + +# Getting Started with Threat Manager + +Once Threat Manager is installed, complete the following configuration to enable users to begin +viewing threat analytics in an organization’s environment. + +After installation, configuration is required for many of Threat Manager's additional capabilities. +This includes the option to configure sensitive data from Netwrix Access Analyzer (formerly +Enterprise Auditor). Features such as Active Directory data collection, email notifications, and +SIEM service integration can be enabled in their respective configuration pages. + +## Send Data to Threat Manager + +Threat Manager threat detection requires file system and/or Active Directory and/or Microsoft Entra +ID activity to be monitored by either the Activity Monitor or Threat Prevention. An agent must be +deployed to the server being monitored, and the products must be configured to stream data to Threat +Manager. + +See the [Integration with Other Netwrix Products](/docs/threatmanager/3.1/install/integration/overview.md) topic for additional +information. + +### File System Activity + +File system activity is monitored by the Activity Monitor or the Threat Prevention file system +policy. Deploy an activity agent to every Windows file server to be monitored and/or to Windows +proxy servers for every NAS device to be monitored. The monitored host must be configured to send +events to Threat Manager. See the +[Netwrix Activity Monitor Integration](/docs/threatmanager/3.1/install/integration/activitymonitor.md) topic for additional +information. + +### Active Directory Activity + +Active Directory activity can be monitored by either the Activity Monitor or Threat Prevention. 
+Deploy an Active Directory agent to domain controllers in order for Threat Manager to receive Active +Directory events: + +- Activity Monitor – Monitored domain must be configured to stream data through the domain + properties > Threat Manager tab + - See the [Netwrix Activity Monitor Integration](/docs/threatmanager/3.1/install/integration/activitymonitor.md) topic for + additional information. +- Threat Prevention – Threat Prevention Admin Console must be configured to stream data through the + Threat Manager Event Sink feature + - See the [Netwrix Threat Prevention Integration](/docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md) topic + for additional information. + +### Microsoft Entra ID Activity + +Microsoft Entra ID activity can be monitored by Activity Monitor. Deploy an Activity Monitor agent +to a Windows server and configure it to monitor an Microsoft Entra ID tenant to send events to +Threat Manager. The monitored tenant must be configured to send events to Threat Manager. See the +[Netwrix Activity Monitor Integration](/docs/threatmanager/3.1/install/integration/activitymonitor.md) topic for additional +information. + +### Sensitive Data Discovery + +Sensitive data is collected by Access Analyzer. It requires a license for the Access Analyzer File +System Solution with the Sensitive Data Discovery Add-on. Access Analyzer has a custom job which can +be added to the FileSystem > 0.Collection Job Group to stream data after the collection tasks +complete. See the +[Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.1/install/integration/accessanalyzer.md) topic +for additional information. + +## Enable Features in the Threat Manager Console + +The Threat Manager Console has features that require initial configuration to turn them on. 
These +pages are located under the [Configuration Menu](/docs/threatmanager/3.1/administration/configuration/overview.md): + +- The [Integrations Interface](/docs/threatmanager/3.1/administration/configuration/integrations/overview.md) provides the + ability to add and configure external integrations for Threat Manager including: + - [Active Directory Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md) + - [Entra ID Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md) + - [App Tokens Page](/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md) + - [Authentication Provider Page](/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md) + - [Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) + - [Email Page](/docs/threatmanager/3.1/administration/configuration/integrations/email.md) + - [Folder Settings Page](/docs/threatmanager/3.1/administration/configuration/integrations/foldersettings.md) + - [SIEM Page](/docs/threatmanager/3.1/administration/configuration/integrations/siem.md) + - [Netwrix Integrations Page](/docs/threatmanager/3.1/administration/configuration/integrations/netwrixintegrations.md) + - [Tag Management Page](/docs/threatmanager/3.1/administration/configuration/integrations/tagmanagement.md) +- The [Policies Page](/docs/threatmanager/3.1/administration/configuration/policies/overview.md) provides the ability to add + and configure policies used for threat detection including Honeytoken threats diff --git a/docs/threatmanager/3.1/index.md b/docs/threatmanager/3.1/index.md new file mode 100644 index 0000000000..6174ecadfa --- /dev/null +++ b/docs/threatmanager/3.1/index.md 
@@ -0,0 +1,52 @@ +--- +title: "Netwrix Threat Manager v3.1 Documentation" +description: "Netwrix Threat Manager v3.1" +sidebar_position: 1 +--- + +# Netwrix Threat Manager v3.1 Documentation + +Threat Manager detects and responds to abnormal behavior and advanced attacks against Active +Directory and File Systems with unprecedented accuracy and speed. Threat Manager provides +programmatic and automated response options when threats are identified. In addition to an extensive +catalog of preconfigured response actions, Threat Manager can be configured to integrate with you +own business processes using integrated PowerShell or webhook facilities. + +Threat Manager can also deliver threat data to administrators in their preferred applications, +including Microsoft Teams, Slack, ServiceNow, and a wide variety of SIEM platforms. + +## Architecture + +The following diagram is a visual representation of Threat Manager architecture. It maps out the +physical implementation of Threat Manager components. + +![Netwrix Threat Manager Architecture diagram](/images/threatmanager/3.0/tmarch.webp) + +## Administration + +Organizations of virtually any size find it to be impossible, even counterproductive, to evaluate +the substantial amount of file access events and Active Directory events occurring within their +environments on any given day. To overcome this challenge and achieve proper visibility into this +otherwise significant blind spot in an organization's cyber security program, Threat Manager® +provides built-in threat analytics to highlight the most unusual behaviors that occur within an +organization each day. Threat Manager also provides a method to deep dive into activity data using a +series of customizable filters to discover threats unique to their organization. + +## Supported Platforms + +Supported platforms include the Active Directory and File system platforms supported for monitoring +by either Netwrix Threat Prevention or Netwrix Activity Monitor. 
See the following product +documentation for additional information: + +- [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) +- [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) + +## Threat Manager Threats + +Threat Manager monitors the following threats. See each section for information on monitored threat +types. + +- [Active Directory Threats](/docs/threatmanager/3.1/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.1/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.1/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.1/threats/general.md) diff --git a/docs/threatmanager/3.1/install/_category_.json b/docs/threatmanager/3.1/install/_category_.json new file mode 100644 index 0000000000..f87e537fff --- /dev/null +++ b/docs/threatmanager/3.1/install/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Installation", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/install/actionservice.md b/docs/threatmanager/3.1/install/actionservice.md new file mode 100644 index 0000000000..191f2efe52 --- /dev/null +++ b/docs/threatmanager/3.1/install/actionservice.md 
@@ -0,0 +1,119 @@ +--- +title: "Optionally Install the Action Service on Additional Servers" +description: "Optionally Install the Action Service on Additional Servers" +sidebar_position: 30 +--- + +# Optionally Install the Action Service on Additional Servers + +The Action Service is installed with Threat Manager and is configured in the Threat Manager Console. +The Action Service can also be installed remotely on other servers. This provides the option to run +actions defined in the Console from different locations within an organization. The Action Service +installer is in the zip file with the Threat Manager Console installer. However, it can be +downloaded from within the Threat Manager Console. + +Follow the steps to install the Action Service. + +![install](/images/threatmanager/3.0/install/install.webp) + +**Step 1 –** Run the StealthDEFEND.ActionService MSI installation package and the Threat Manager +Action Service Setup wizard will open. + +![settupprogress](/images/threatmanager/3.0/install/settupprogress.webp) + +**Step 2 –** Click Install to begin the installation. The setup wizard displays installation +progress. + +![completed](/images/threatmanager/3.0/install/completed_1.webp) + +**Step 3 –** When the installation is complete, click Close to exit the installer. + +The Threat Manager action service is now installed on a remote server. + +## Configure a Remote Action Service to Register with Threat Manager + +If an Action Service is installed on a remote machine, it must register with the Threat Manager +server as an Action Service server. This registration is performed by providing the Threat Manager +web console location and credentials via a command line utility. This process will register the host +as an Action Service Server and retrieve a JWT that will be encrypted and stored locally in the +Action Service C:\ProgramData\Stealthbits directory for future communication with the Threat Manager +server via REST requests. 
The configuration User Name and Password are not stored and are not +required for connection after the initial configuration. Once configured, the Action Service server +will fetch queued actions from Threat Manager to execute locally. + +Follow the steps to configure the Action Service using the command line utility. + +**Step 1 –** Open an administrative command prompt. + +**Step 2 –** Run the following command to launch a wizard that prompts for parameters required to +configure the Action Service: + +``` +\ActionService\ActionService.exe --config +``` + +**Step 3 –** Enter the following information in the wizard: + +- URL or Server – The web address for the Threat Manager console (e.g., + https://ThreatManagerServer.Domain.com:8080). + + :::note + Include http:// or https:// if configured and web port if not using 80 or 443 + ::: + + +- User Name – Specify the user name to connect to the Threat Manager console. It is recommended to + use the Admin account for the user name. +- Threat Manager Password – The password to the user name specified +- Ignore certificate errors – It is recommended to set to True if using a self-signed certificate + for SSL or if other issues with the web certificate are experienced. + +**Step 4 –** The utility will output "Success!" if the Action Service registered correctly. Verify +that the Action Service successfully registered by navigating to the System Health page of the +Threat Manager console. + +**Step 5 –** Exit the command prompt. + +The Action Service is now registered with Threat Manager. + +## Configure a Service Account to Run Actions + +The Action Service that is installed with Threat Manager can be configured to execute as a service +account. In this scenario, any actions run by Threat Manager will be executed as the Service +Account. This, typically, is a simple way to ensure that Playbooks executed by Threat Manager have +the proper permissions required to complete successfully. 
+ +:::note +If an Action Step has been configured to use a specific Credential Profile, the Action +Step will utilize those credentials in the Action Step Script. See the +[Credential Profile Page](/docs/threatmanager/3.1/administration/configuration/integrations/credentialprofile.md) topic +for additional information. +::: + + +Follow the steps to configure the Action Service to run as a service account. + +**Step 1 –** Open Services (`services.msc`). + +![services](/images/threatmanager/3.0/install/services.webp) + +**Step 2 –** Double-click on the Netwrix Threat Manager Action Service. The Threat Manager Action +Service Properties window opens. + +![serviceaccountproperties](/images/threatmanager/3.0/install/serviceaccountproperties.webp) + +**Step 3 –** Click the Log On tab. + +**Step 4 –** Select the This account: radio button and specify the desired Active Directory account +and credentials. If desired, select the Browse button to open the Select User window to select an +account. + +**Step 5 –** Click Apply and then OK. This sets the Action Service to “run as” the specified +account. + +![servicesrestart](/images/threatmanager/3.0/install/servicesrestart.webp) + +**Step 6 –** Restart the Threat Manager Action Service by right-clicking on the Netwrix Threat +Manager Action Service in the Services window and clicking Restart. + +Once restarted, the Threat Manager Action Service will use the specified service account. diff --git a/docs/threatmanager/3.1/install/application.md b/docs/threatmanager/3.1/install/application.md new file mode 100644 index 0000000000..d238bc3ba3 --- /dev/null +++ b/docs/threatmanager/3.1/install/application.md 
@@ -0,0 +1,96 @@ +--- +title: "Install the Threat Manager Application" +description: "Install the Threat Manager Application" +sidebar_position: 20 +--- + +# Install the Threat Manager Application + +The application can be installed on the same server as the PostgreSQL databases or a different +server. If installed on a different server, the location of the database server must be provided +while installing the application. + +Follow the steps to install the application. + +:::warning +The PostgreSQL database application must be installed before the application is +installed. +::: + + +:::note +These steps assume you have launched the installer through the Netwrix Setup Launcher +(`Netwrix_Setup.exe`). If you are not using it, right-click on `NetwrixThreatManager.exe` and select +Run as administrator. Then skip to Step 2. +::: + + +![Netwrix Setup Launcher showing PostgreSQL Setup completed](/images/threatmanager/3.0/install/postgresqlcheck.webp) + +**Step 1 –** Click **Netwrix Threat Manager Setup**. The Netwrix Threat Manager Setup wizard opens. + +![Netwrix Threat Manager Setup wizard ](/images/threatmanager/3.0/install/installtm3.0.webp) + +**Step 2 –** Click **Install**. + +![Netwrix Threat Manager Setup wizard EULA page](/images/threatmanager/3.0/install/tm3eula.webp) + +**Step 3 –** Read the End User License Agreement and select the I accept the license agreement +checkbox. Click **Next**. + +![Netwrix Threat Manager Setup wizard Install Folder page](/images/threatmanager/3.0/install/folder.webp) + +**Step 4 –** By default, the installation directory is set to: + +- Install Folder – C:\Program Files\STEALTHbits\StealthDEFEND + +Optionally, enter a new path or use the **Browse** button to modify as desired. Click Next. + +![Netwrix Threat Manager Setup wizard Connect to the Database page](/images/threatmanager/3.0/install/database.webp) + +**Step 5 –** On the Database page, ensure the host and port are set correctly. 
If installing on the +same server where the PostgreSQL database application was installed, this information will be +accurate by default. The default database name is stealthdefend; however, it can be modified as +desired. Click **Test** to validate the connection information. + +For example, if you change the default database name from stealthdefend to threatmanager and click +**Test**. + +![Warning message that the database does not exist, Create?](/images/threatmanager/3.0/install/databasecreatemessage.webp) + +**Step 6 –** If a successful connection is made, a message window displays confirming the database +does not exist and you want to create it. Click **OK** and the window closes. + +**Step 7 –** A "Ready for installation" message appears on the Database page of the wizard and the +Next button is enabled. Click **Next**. + +:::note +If PostgreSQL is installed on a different host, then the connection details should be +updated accordingly. +::: + + +![Netwrix Threat Manager Setup wizard Firewall Rules page](/images/threatmanager/3.0/install/firewallrules.webp) + +**Step 8 –** By default, the **Create Inbound Windows Firewall Rules** checkbox is selected, +indicating that the installer will create these. Deselect the checkbox if you do not want the +installer to automatically create these rules because you have already created them. Click **Next**. + +![Netwrix Threat Manager Setup wizard Completed Successfully page](/images/threatmanager/3.0/install/completed.webp) + +**Step 9 –** The installation process will begin and the Setup wizard will display the progress. +Click Exit when the installation completes successfully. The Netwrix Threat Manager Setup wizard +closes. + +![Netwrix Setup Launcher with Threat Manager Setup check](/images/threatmanager/3.0/install/applicationcheck.webp) + +**Step 10 –** Now that both components have been installed, close the Netwrix Setup Launcher. 
+ +The Threat Manager application is now installed and the database has been created. There are several +post-installation tasks that you may need to complete, depending on your environment. See the +following topics for additional information: + +- [Optionally Install the Action Service on Additional Servers](/docs/threatmanager/3.1/install/actionservice.md) +- [Secure the Threat Manager Console](/docs/threatmanager/3.1/install/secure.md) +- During the first launch, you will set up the built-in Administrator account. See the + [First Launch](/docs/threatmanager/3.1/install/firstlaunch/firstlaunch.md) topic for additional information. diff --git a/docs/threatmanager/3.1/install/database.md b/docs/threatmanager/3.1/install/database.md new file mode 100644 index 0000000000..baa0767752 --- /dev/null +++ b/docs/threatmanager/3.1/install/database.md 
@@ -0,0 +1,92 @@ +--- +title: "Install the PostgreSQL Database Application" +description: "Install the PostgreSQL Database Application" +sidebar_position: 10 +--- + +# Install the PostgreSQL Database Application + +The PostgreSQL database application can be installed on the same server as the application or a +different server. If it is installed on a different server, the location of the database server must +be provided while installing the application. + +Follow the steps to install the PostgreSQL database application. + +:::warning +The PostgreSQL database application must be installed before the application. +::: + + +:::note +These steps assume you have launched the installer through the Netwrix Setup Launcher +`(Netwrix_Setup.exe`). If you are not using the launcher, right-click on `NetwrixPostgreSQL14.exe` +and select Run as administrator. Then skip to Step 2. +::: + + +![Netwrix Setup Launcher](/images/threatmanager/3.0/install/setuplauncher.webp) + +**Step 1 –** Click PostgreSQL Setup. The Netwrix PostgreSQL Setup wizard opens. + +![Netwrix PostgreSQL Setup wizard](/images/threatmanager/3.0/install/installdb1.webp) + +**Step 2 –** Click Install. + +![Netwrix PostgreSQL Setup wizard on the EULA page](/images/activitymonitor/8.0/install/eula.webp) + +**Step 3 –** Read the End User License Agreement and select the I accept the license agreement +checkbox. Click Next. + +![Netwrix PostgreSQL Setup wizard on the Folder Location page](/images/threatprevention/7.5/install/reportingmodule/folder.webp) + +**Step 4 –** By default, the installation directories are set to: + +- Install Folder – C:\Program Files\Stealthbits\PostgresSQL14 +- Data Folder – C:\ProgramData\Stealthbits\PostgresSQL14 + +Optionally, enter a new path or use the **Browse** buttons to modify as desired. Click Next. 
+ +![Netwrix PostgreSQL Setup wizard on the Successfully Installed page](/images/threatprevention/7.5/install/reportingmodule/completed.webp) + +**Step 5 –** The installation begins and the installer displays a Setup Progress window. Click Exit +when the installation is successful. The Netwrix PostgreSQL Setup wizard closes. + +![Netwrix Setup Launcher showing PostgreSQL Setup completed](/images/threatmanager/3.0/install/postgresqlcheck.webp) + +The PostgreSQL database application is now installed. Now you can install the Threat Manager +application. See the [Install the Threat Manager Application](/docs/threatmanager/3.1/install/application.md) topic for additional +information. + +## Optionally Configure the Postgres.conf File + +PostgreSQL has some unique memory management features that need to be configured specifically based +on the specifications of the database server. PostgreSQL can easily be starved of resources and +enter a failed state if careful consideration and configuration of the `postgres.conf` file is not +taken under consideration. For larger environments or for those experiencing issues with PostgreSQL, +the following changes are suggested. + +:::note +When setting values, specifically when using a Memory unit, case sensitivity is required. +::: + + +The table displays `Postgres.conf` settings and their suggested values. 
+ +| Setting | Suggested Value | Notes | +| ------------------------------- | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------ | +| effective_cache_size | Total Server Memory (MBs) \* .75 | | +| shared_buffers | totalMemory / 4 | shared_buffers on windows needs to be limited to 512MB | +| wal_buffers | 3% of shared_buffers with a min of 32kB and a max of 16MB | | +| checkpoint_timeout | checkpoint_timeout = 30min | | +| max_wal_size | 2048MB | | +| min_wal_size | 1024MB | | +| checkpoint_completion_target | 0.7 | | +| work_mem | work_mem = ((totalMemory - shared_buffers) / (max_connections \* 3) / max_parallel_workers_per_gather) | Limit to 64kB | +| max_connections | 100 | | +| maintenance_work_mem | maintenance_work_mem = totalMemory / 16 | cap maintenance memory at 2GB on servers with lots of memory | +| default_statistics_target | 100 | | +| random_page_cost | if ( disk_is_hdd ) `{ random_page_cost = 4 }` else `{ random_page_cost = 1.1 }` | | +| max_parallel_workers | max_parallel_workers = cpuNum | | +| max_worker_processes | 8 | | +| max_parallel_workers_per_gather | 2 | | +| max_locks_per_transaction | 300 | | diff --git a/docs/threatmanager/3.1/install/firstlaunch/_category_.json b/docs/threatmanager/3.1/install/firstlaunch/_category_.json new file mode 100644 index 0000000000..4cbc985ee7 --- /dev/null +++ b/docs/threatmanager/3.1/install/firstlaunch/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "First Launch", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "firstlaunch" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/install/firstlaunch/firstlaunch.md b/docs/threatmanager/3.1/install/firstlaunch/firstlaunch.md new file mode 100644 index 0000000000..4ec0d12614 --- /dev/null +++ b/docs/threatmanager/3.1/install/firstlaunch/firstlaunch.md 
@@ -0,0 +1,67 @@ +--- +title: "First Launch" +description: "First Launch" +sidebar_position: 50 +--- + +# First Launch + +The installer places the following icon on the desktop, which opens the Threat Manager console: + +![Desktop icon](/images/threatmanager/3.0/install/desktopicon.webp) + +**Step 1 –** Double-click the **Netwrix Threat Manager Dashboard** icon to open the console for the +first time. + +![First launch showing fields for setting up the builtin Administrator account](/images/threatprevention/7.5/install/reportingmodule/builtinadminpassword.webp) + +There is a built-in ADMIN account used for the initial configuration steps and granting user access. +The User Name is "admin". You will set the password and optionally enable MFA for this account +during first launch. Follow the steps to setup this account. + +**Step 2 –** Specify a password in the **New Password** and **Confirm Password** fields. It must +meet the following minimum requirements: + +- At least one uppercase letter +- At least one lowercase letter +- At least one number +- At least one special character (symbol) +- Have a minimum length of 10 characters + +**Step 3 –** By default, MFA is enabled. Toggle this option off or on as desired. If the Enable MFA +option is set to ON, the application will provide an internally-generated one-time password (OTP) +option for the Administrator account. If the Enable MFA option is set to OFF, only a username and +password will be required to sign in. + +**Step 4 –** Click Set Password. + +The built-in ADMIN account password is now set. + +If the Enable MFA option is set to OFF, no additional configuration is required and the Threat +Manager Console opens. See the [Getting Started with Threat Manager](/docs/threatmanager/3.1/gettingstarted.md) topic for +next steps. + +If the Enable MFA option is set to ON, registration of an MFA authenticator is required. Proceed to +the Configure MFA for the Bultin Administrator Account topic. 
+ +## Configure MFA for the Bultin Administrator Account + +If MFA was enabled for the buildtin Administrator account during first launch, follow the steps to +configure MFA for the account. + +![registerauthenticator](/images/threatprevention/7.5/install/reportingmodule/registerauthenticator.webp) + +**Step 1 –** Register the MFA authenticator. The Register Authenticator prompt will provide +instructions to configure multi-factor authentication with an external or third-party application. + +**Step 2 –** On successful registration with an authenticator, enter the verification code and click +Continue. + +**Step 3 –** A list of recovery codes will be presented in order to restore access to the +application in the event of lost access to the authenticator application or device. Save this list +of codes to access for account recovery, if needed. + +**Step 4 –** Click **Continue**. + +Once MFA is configured for this account, the Threat Manager Console opens. See the +[Getting Started with Threat Manager](/docs/threatmanager/3.1/gettingstarted.md) topic for next steps. diff --git a/docs/threatmanager/3.1/install/firstlaunch/login.md b/docs/threatmanager/3.1/install/firstlaunch/login.md new file mode 100644 index 0000000000..e5d2093009 --- /dev/null +++ b/docs/threatmanager/3.1/install/firstlaunch/login.md 
@@ -0,0 +1,21 @@ +--- +title: "User Login After First Launch" +description: "User Login After First Launch" +sidebar_position: 10 +--- + +# User Login After First Launch + +Once Threat Manager is installed, users granted access can log into the console using either of the +following methods: + +Log into Threat Manager locally on the default port using default credentials. For example + +- http://localhost:8080 +- http://[MACHINENAME.DOMAIN.COM]:8080 + +Threat Manager can also be accessed through the Web Console. This console can be opened with the +desktop icon laid down by the Netwrix Access Analyzer (formerly Enterprise Auditor) installer on its +server. + +- http://[MACHINENAME.DOMAIN.COM]:8082 diff --git a/docs/threatmanager/3.1/install/integration/_category_.json b/docs/threatmanager/3.1/install/integration/_category_.json new file mode 100644 index 0000000000..635bc3037d --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Integration with Other Netwrix Products", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/install/integration/accessanalyzer.md b/docs/threatmanager/3.1/install/integration/accessanalyzer.md new file mode 100644 index 0000000000..21b4f9e01a --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/accessanalyzer.md 
@@ -0,0 +1,91 @@ +# Netwrix Access Analyzer (formerly Enterprise Auditor) Integration + +Access Analyzer can be configured to send Sensitive Data to Threat Manager. In Access Analyzer, the +FS_DEFEND_SDD Job exports sensitive data matches collected by the File System Solution Sensitive +Data Discovery Auditing jobs to Threat Manager. For Threat Manager integration with Access Analyzer, +the following job groups must be successfully run before running the FS_DEFEND_SDD Job: + +- FileSystem > 0.Collection Job Group +- FileSystem > 7.Sensitive Data Job Group + +See the File System Solution section of the +[Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for +additional information. + +:::note +The Access Analyzer Sensitive Data Discovery Add-On is required for sensitive data +collection. +::: + + +## Instantiate the FS_DEFEND_SDD Job in Access Analyzer + +Follow the steps to configure the FS_DEFEND_SDD Job to send sensitive data to Threat Manager. See +the Instant Job Wizard section of the +[Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for +instructions to add this instant job to the **Jobs** tree. + +In Access Analyzer, install the FS_DEFEND_SDD Job to the desired location. It is available through +the Instant Job Library under the File System library. + +**Step 1 –** In the Threat Manager Console, generate the app token (endpoint token) to be copied and +pasted into the Connection Profile, and the host name (endpoint) to be used when creating the custom +host list. + +In order for Access Analyzer to send data to Threat Manager, an app token must be created in Threat +Manager. If multiple Access Analyzer Consoles are sending data to Threat Manager, an app token may +be created for each Access Analyzer Console to grant individual access to Threat Manager from each +Console. + +- Navigate to the Configuration > App Tokens page. 
+- Click the +Add button to create a new app token: +- Enter a name and a unique description for the app token. +- Click Submit. +- In the Token column, click the Key icon to open the token and copy it for use when configuring the + Connection Profile in Access Analyzer. +- In the Host Name column, copy the port for use when creating the custom host list in Access + Analyzer. + +**Step 2 –** In Access Analyzer, create a custom Connection Profile for the FS_DEFEND_SDD Job to +authenticate to Threat Manager. See the Custom Connection Profile for FS_DEFEND_SDD Job topic for +additional information. + +**Step 3 –** In Access Analyzer, create a custom host list. + +- The target host is the Threat Manager Host Name generated on the Manage App Tokens page in the + Threat Manager Console: +- Format – [HOST]:8080 + +**Step 4 –** Assign the custom host list at the FS_DEFEND_SDD > Configure > Hosts node. + +See the FS_DEFEND_SDD Job section of the +[Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) for +additional information. + +:::info +Schedule the FS_DEFEND_SDD Job to run as part of the FileSystem Job, after the +FileSystemOverview Job. The FS_DEFEND_SDD Job should be run after each subsequent sensitive data +collection. +::: + + +## Custom Connection Profile for FS_DEFEND_SDD Job + +The FS_DEFEND_SDD Job requires a custom Connection Profile to authenticate to Threat Manager. The +credential for the Connection Profile must be created with the Web Services (JWT) account type. + +:::tip +Remember, , the Threat Manager App Token is generated within Threat Manager. 
+::: + + +Create a Connection Profile and set the following information on the User Credentials window: + +- Select Account Type – Web Services (JWT) +- Domain – `{not a field for this type of credential, defaults to }` +- User name – This field should be left blank +- Password Storage: Application – Uses Access Analyzer’s configured Profile Security setting as + selected at the Settings > Other Settings node +- Access Token – Copy and paste the Threat Manager App Token + +The FS_DEFEND_SDD Job must be configured to use this custom Connection Profile. diff --git a/docs/threatmanager/3.1/install/integration/activitymonitor.md b/docs/threatmanager/3.1/install/integration/activitymonitor.md new file mode 100644 index 0000000000..e3c3aa33c5 --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/activitymonitor.md @@ -0,0 +1,22 @@ +--- +title: "Netwrix Activity Monitor Integration" +description: "Netwrix Activity Monitor Integration" +sidebar_position: 10 +--- + +# Netwrix Activity Monitor Integration + +The Activity Monitor can be configured to send file system data and/or Active Directory and/or +Microsoft Entra ID data to Threat Manager. It must be installed and configured to monitor the target +environment. See the +[Netwrix Activity Monitor](https://helpcenter.netwrix.com/category/activitymonitor) documentation +for additional information. + +In order for Threat Manager to receive the event stream data, the Activity Monitor must be +configured to do so. For file system activity events, use the Threat Manager Syslog template for the +desired monitored host configuration. For Active Directory activity events, generate an App Token in +Threat Manager and then use that app token to configure the domain’s output to Threat Manager. + +The Threat Manager DC Sync threat is sourced by the Activity Monitor's Replication AD monitoring +configuration. It is necessary for it to be configured to exclude domain controllers on the Host +(From) filter. 
diff --git a/docs/threatmanager/3.1/install/integration/overview.md b/docs/threatmanager/3.1/install/integration/overview.md new file mode 100644 index 0000000000..e0f3b5d6a6 --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/overview.md @@ -0,0 +1,26 @@ +--- +title: "Integration with Other Netwrix Products" +description: "Integration with Other Netwrix Products" +sidebar_position: 60 +--- + +# Integration with Other Netwrix Products + +The following Netwrix products can be configured to send data to Threat Manager: + +- [Netwrix Activity Monitor Integration](/docs/threatmanager/3.1/install/integration/activitymonitor.md) – Activity Monitor can be configured to + send file system data and/or Active Directory data to Threat Manager. + - The Active Directory data stream requires a unique App Token to be generated within Threat + Manager. +- [Netwrix Threat Prevention Integration](/docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md) – Threat Prevention can be configured + to send file system data and/or Active Directory data to Threat Manager. + - Requires a unique App Token to be generated within Threat Manager. +- [Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.1/install/integration/accessanalyzer.md) – Access + Analyzer, formerly Netwrix StealthAUDIT, can be configured to send File System Sensitive Data to + Threat Manager + - Requires a unique App Token to be generated within Threat Manager. + +Configure the desired product to feed data into the Threat Manager Console. Depending upon the data +source, a Threat Manager app token may need to be generated. See the +[App Tokens Page](/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md) topic for additional +information. 
diff --git a/docs/threatmanager/3.1/install/integration/threatprevention/_category_.json b/docs/threatmanager/3.1/install/integration/threatprevention/_category_.json new file mode 100644 index 0000000000..71ef9aa2e1 --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/threatprevention/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Netwrix Threat Prevention Integration", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "threatprevention" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/install/integration/threatprevention/threatmanagerconfiguration.md b/docs/threatmanager/3.1/install/integration/threatprevention/threatmanagerconfiguration.md new file mode 100644 index 0000000000..7973ff6e24 --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/threatprevention/threatmanagerconfiguration.md 
@@ -0,0 +1,160 @@ +--- +title: "Netwrix Threat Manager Configuration Window" +description: "Netwrix Threat Manager Configuration Window" +sidebar_position: 10 +--- + +# Netwrix Threat Manager Configuration Window + +The Netwrix Threat Manager Configuration window is a global setting to enable integration between +Threat Prevention and Threat Manager. This window is only available to Threat Prevention +administrators. + +**Threat Manager App Token** + +The Threat Manager App Token authenticates connection between Threat Prevention and Threat Manager. +This token is generated in Threat Manager: + +- In Threat Manager, navigate to the **Configuration** > **App Tokens** page +- Generate a new app token +- Copy the token + +## Event Sink Tab + +The Event Sink tab connects Threat Prevention to Threat Manager through a uniform resource +identifier and the Threat Manager App Token. Policy event data is sent to Threat Manager through +this window. + +Follow the steps to configure Threat Prevention to send event data to Threat Manager. + +**Step 1 –** Generate the Threat Manager App Token in Threat Manager. + +**Step 2 –** In Threat Prevention, click **Configuration** > **Netwrix Threat Manager +Configuration** on the menu. The Netwrix Threat Manager Configuration window opens with the Event +Sink tab displayed by default. + +![Netwrix Threat Manager Configuration window - Event Sink tab](/images/threatprevention/7.5/admin/configuration/threatmanagerconfiguration.webp) + +**Step 3 –** In the Netwrix Threat Manager URI box, enter the Threat Manager hostname or IP address +and port in the following format. The default port for Threat Manager is **10001**. + +- amqp://[HOSTNAME | IPADDRESS]:[PORT] + - For an example with the host name – amqp://ExampleHost:10001 + - For an example with the host address – amqp://192.168.9.52:10001 + +:::warning +Do not use localhost for the hostname or 127.0.0.1 for the IP address. 
+::: + + +**Step 4 –** You can enable SSL for the AMQP event stream. + +As Threat Manager supports TLS/SSL, you can also enable SSL in Threat Prevention to enable +communication with Threat Manager in the secure way. + +- If Threat Manager has TLS enabled, then select the **Enable SSL** checkbox to enable the Agent to + send events to Threat Manager. Else the Agent will throw an error when connecting. +- Select the **Ignore Certificate Errors** checkbox to ignore certificate errors that may arise when + the Agent connects to Threat Manager. If this checkbox is not selected, the Agent will fail to + connect when there are certificate errors. + +**Step 5 –** In the App Token box, enter the App Token generated on the App Tokens page in Threat +Manager. + +**Step 6 –** The Policies area lists all the policies that have been created in Threat Prevention. +The following is displayed for each policy: + +- Send – When this checkbox is selected, the policy sends the event data to Threat Manager directly + from the Agent. This option can also be set by the Send to Netwrix Threat Manager checkbox on the + Actions tab of a policy. +- State – Displays whether the policy is enabled or disabled + The State column does not control the state of the policy. A policy can be enabled or disabled + either on the General tab of the respective policy or through the Policies Node Right-Click Menu. +- Name –Shows the display name of the policy +- Path – Displays the path of the policy within the structure of the Policies node in the left pane. + +**Step 7 –** Click **Save**. + +All real-time event data from the selected Threat Prevention policies is now being sent to Threat +Manager. + +:::note +The Threat Manager URI configuration can also be used to send Threat Prevention policy +data to the Activity Monitor host and port (example: amqp://localhost:4499). Threat Prevention can +only send to either Threat Manager or the Activity Monitor. 
+::: + + +## Honey Token Tab + +On the Honey Token tab, you specify a samAccountName, which is substituted with the replacement +samAccountName that you provide. The information on this tab is sent to the Threat Prevention Agent. +If the Agent sees an LDAP query using information from the Honey Token of fake accounts, it alters +the LDAP query results to return the Replacement samAccountName. This ensures the account looks like +a real privileged account to lure the perpetrator to it. + +Follow the steps to send the Honey Token to Threat Manager for an LDAP Deception trap. + +**Step 1 –** Configure the Source samAccountName and Replacement samAccountName in a Threat Manager +Honey Token threat. + +To set up a honey token, see the Configure Honeytoken Threats topic in the +[Netwrix Threat Manager Documentation](https://helpcenter.netwrix.com/category/stealthdefend). + +**Step 2 –** In Threat Prevention, click **Configuration** > **Netwrix Threat Manager +Configuration** on the menu. The Netwrix Threat Manager Configuration window opens. + +**Step 3 –** Ensure the Event Sink tab is properly set up to send event data to Threat Manager. + +**Step 4 –** Click the **Honey Token** tab. + +![Netwrix Threat Manager Configuration Window - Honey Tokem tab](/images/threatprevention/7.5/admin/configuration/honeytoken.webp) + +**Step 5 –** Check the **Enable LDAP substitution** checkbox to enable the options on the tab. + +**Step 6 –** Enter the exact match of settings configured for the Threat Manager Honey Token threat +for the following options: + +- Exact Match or Substring +- Source samAccountName +- Replacement samAccountName + +**Step 7 –** Click **Save**. + +The Honey Token is now enabled and integrated with Threat Manager. + +## Forged PAC Tab + +The Forged PAC tab provides the option to include Forged PAC information in the events Threat +Prevention sends to Threat Manager. + +Follow the steps to include the Forged PAC information in events. 
+ +**Step 1 –** Under the Analytics node in the left pane, select the **Forged PAC** analytic. + +**Step 2 –** On the Forged PAC analytics window, select the gear icon on the upper-right corner of +the window to open the Configure Analytics window. + +**Step 3 –** Add or remove the RIDs of groups to be monitored on the Settings tab. See the Forged +PAC Analytic Type topic for additional information. + +**Step 4 –** On the Policy tab, configure the following: + +- General Tab – Use the toggle to **Enable** the policy +- Event Type Tab – Keep the default settings or set as desired for the Authentication event filters +- Actions Tab – Select **Send to Threat Manager** + +**Step 5 –** Click Save once configurations are set. The Configure Analytics window closes. + +**Step 6 –** In Threat Prevention, click **Configuration** > **Netwrix Threat Manager +Configuration** on the menu. The Netwrix Threat Manager Configuration window opens. + +![Netwrix Threat Manager Configuration Window - Forged PAC tab](/images/threatmanager/3.0/install/forgedpac.webp) + +**Step 7 –** Ensure the Event Sink tab is properly set up to send event data to Threat Manager. + +**Step 8 –** On the Forged PAC tab, select the **Include Forged PAC information in events** +checkbox. Click **Save**. + +When a Forged PAC analytic is triggered in Threat Prevention, the event data will be sent to Threat +Manager. diff --git a/docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md b/docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md new file mode 100644 index 0000000000..b5ef636080 --- /dev/null +++ b/docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md 
@@ -0,0 +1,26 @@ +--- +title: "Netwrix Threat Prevention Integration" +description: "Netwrix Threat Prevention Integration" +sidebar_position: 20 +--- + +# Netwrix Threat Prevention Integration + +Threat Prevention v6.0+ can be configured to send Active Directory data to Threat Manager. This is +done by generating an App Token in Threat Manager and then using that app token when configuring the +Threat Manager Event Sink in Threat Prevention. See the +[Threat Prevention documentation](https://helpcenter.netwrix.com/category/threatprevention) for +additional information. + +:::note +Integration between Threat Prevention and Threat Manager was introduced with the release +of Threat Prevention v6.0 or later and Threat Manager v2.0 or later. +::: + + +The Threat Manager DC Sync threat is sourced by a Threat Prevention AD Replication Monitoring +policy. It is necessary for the policy to be configured to exclude domain controllers on the Host +(From) filter. + +Threat Prevention v7.2+ supports sending events to Threat Manager utilizing Protobuf, which allows +for higher performance event delivery to Threat Manager. diff --git a/docs/threatmanager/3.1/install/overview.md b/docs/threatmanager/3.1/install/overview.md new file mode 100644 index 0000000000..8205a911c6 --- /dev/null +++ b/docs/threatmanager/3.1/install/overview.md 
@@ -0,0 +1,120 @@ +--- +title: "Installation" +description: "Installation" +sidebar_position: 30 +--- + +# Installation + +Prior to installing Threat Manager, please ensure that all of the prerequisites have been met in +accordance with the [Requirements](/docs/threatmanager/3.1/requirements/overview.md) topic. Additionally, the monitoring +agents need to be deployed through either Netwrix Threat Prevention or Netwrix Activity Monitor and +configured to send data to Threat Manager. + +The Threat Manager installer is packaged with four executable files. + +:::warning +The PostgreSQL database must be installed before installing Threat Manager. +::: + + +**Netwrix_Setup.exe** + +This executable starts a setup launcher containing buttons to install the PostgreSQL database and +the application. The launcher installs these components on the same server. See the installation +details for each components below. + +**NetwrixPostgreSQL14.exe** + +This executable is for installing the PostgreSQL database on a different server from the +application. + +**NetwrixThreatManager.exe** + +This executable is for installing the application and its services: + +- Netwrix Threat Manager Action Service +- Netwrix Threat Manager Active Directory Service +- Netwrix Threat Manager Email Service +- Netwrix Threat Manager Event Service +- Netwrix Threat Manager Integration Service +- Netwrix Threat Manager Job Service +- Netwrix Threat Manager License Service +- Netwrix Threat Manager SIEM Service +- Netwrix Threat Manager Web Service + +The following prerequisites will be installed if they are not present: + +- .NET 8.0.11 +- .NET Desktop Runtime 8.0.11 +- ASP.NET Core 8.0.11 +- VC++ redist v14.28.29914 +- Python v3.10.8x64 + +**NetwrixThreatManager.ActionService.exe** + +This executable is for installing the Netwrix Threat Manager Action Service on additional servers. 
+ +## Software Download + +Current customers can log in to the Netwrix Customer Portal to download software binaries and +license keys for purchased products. See the +[Customer Portal Access](https://helpcenter.netwrix.com/bundle/NetwrixCustomerPortalAccess/page/Customer_Portal_Access.html) +topic for information on how to register for a Customer Portal account. + +## Antivirus Exclusions for PostgreSQL + +If you have any antivirus software installed, you must do the following: + +- Exclude all scanning of the PostgreSQL Data Directories +- Exclude the postgres.exe process from all scans + +Antivirus software can interfere with PostgreSQL's operation because PostgreSQL requires file access +commands in Windows to behave exactly as documented by Microsoft, and many antivirus programs +contain errors or accidental behavior changes that cause these commands to misbehave subtly. + +This is not a problem for most programs because they access files in fairly simple ways. Because +PostgreSQL is continuously reading from and writing to the same set of files from multiple +processes, it tends to trigger programming and design mistakes in antivirus software, particularly +problems related to concurrency. Such problems can cause random and unpredictable errors, or even +data corruption. + +Antivirus software is also likely to dramatically slow down PostgreSQL's operation. For that reason, +you should at least exclude postgres.exe and the data directories so the scanner ignores them. + +## Installation Process + +Follow the steps to install the Threat Manager application on a single server. + +![setuplauncher](/images/threatmanager/3.0/install/setuplauncher.webp) + +**Step 1 –** Right-click on `Netwrix_Setup.exe` and select Run as administrator. The Netwrix Setup +launcher opens. You can now install the following components on the same server: + +- Click PostgreSQL Setup to install the database. 
See the + [Install the PostgreSQL Database Application](/docs/threatmanager/3.1/install/database.md) topic for additional information. +- Run the Threat Manager Setup to install the application. See the + [Install the Threat Manager Application](/docs/threatmanager/3.1/install/application.md) topic for additional information. + +**Step 2 –** Complete all post-installation tasks that apply to your configured environment: + +- Optional: Install the Action Service on additional servers. See the + [Optionally Install the Action Service on Additional Servers](/docs/threatmanager/3.1/install/actionservice.md) topic for + additional information. +- Configure a remote Action Service to register with Threat Manager. +- Configure a service account to run actions. + +**Step 3 –** Log into the console for the first time. See the [First Launch](/docs/threatmanager/3.1/install/firstlaunch/firstlaunch.md) topic +for additional information. + +**Step 4 –** Configure integration with one or more Netwrix products to feed the desired type of +data into Threat Manager: + +- [Netwrix Activity Monitor Integration](/docs/threatmanager/3.1/install/integration/activitymonitor.md) – Configure Netwrix + Activity Monitor to send file system data and/or Active Directory data and/or Microsoft Entra ID + data to Threat Manager +- [Netwrix Threat Prevention Integration](/docs/threatmanager/3.1/install/integration/threatprevention/threatprevention.md) – Configure Netwrix + Threat Prevention to send Active Directory data to Threat Manager +- [Netwrix Access Analyzer (formerly Enterprise Auditor) Integration](/docs/threatmanager/3.1/install/integration/accessanalyzer.md) + – Configure Netwrix Access Analyzer (formerly Enterprise Auditor) to send Sensitive Data to Threat + Manager diff --git a/docs/threatmanager/3.1/install/secure.md b/docs/threatmanager/3.1/install/secure.md new file mode 100644 index 0000000000..35d9860891 --- /dev/null +++ b/docs/threatmanager/3.1/install/secure.md 
@@ -0,0 +1,180 @@ +--- +title: "Secure the Threat Manager Console" +description: "Secure the Threat Manager Console" +sidebar_position: 40 +--- + +# Secure the Threat Manager Console + +To support HTTPS, do the following: + +- Import an SSL certificate to the server + +- Configure the Netwrix Threat Manager Web Service and the Netwrix Threat Manager Active Directory + Service with a certificate thumbprint and a new port value + +## Locate and Import the SSL Server Certificate + +Complete the steps to create or obtain a certificate and import it. + +**Step 1 –**  Create or obtain an SSL Server certificate for the Netwrix Threat Manager server and +import it into the Windows Certificate LocalMachine Personal store on the Netwrix Threat Manager +server machine. + +:::warning +Be very careful with the encoding of the thumbprint especially when copy/pasting the +thumbprint from certmgr.msc. This can often cause encoding issues so ensure ANSI encoding when +editing the configuration files discussed in this topic. +::: + + +**Step 2 –**   Copy the thumbprint of the certificate as you will need to utilize it while editing +the configuration files. + +## Web Service Configuration File + +Follow the steps to configure the Web Service Configuration file. + +**Step 1 –**   Open the Web Service configuration file on the Netwrix Threat Manager server. + +**C:\Program Files\STEALTHbits\StealthDEFEND\WebService\appsettings.json** + +**Step 2 –**   Append the **WebService** and **ADService** sections to the end of the file. Remember +to add a trailing comma after the `“EncryptRecording”:false` line. 
+ +``` +{ +    "Jwt":  { +                "CertificateFile":  "C:\\ProgramData\\Stealthbits\\StealthDEFEND\\WebService\\jwtsign.pfx", +                "CertificatePassword":  "CertificatePassword", +                "CertificateThumbprint":  "", +                "Version":  2 +            }, +    "DataDirectory":  null, +    "EncryptRecording":  false, +    "WebService":  { +                       "Port":  8080, +                       "Certificate":  "CertificateThumbprint", +                       "RestApiUri":  "https://ThreatManagerServer.Domain.com:8080" +                   }, +     "ADService":  { +                   "Host": "localhost", +                   "Scheme": "https", +                   "Port": "55556" +                   }  +} +``` + +:::warning +Do not modify the Jwt section of the appsettings.json file. +::: + + +**Step 3 –**   In the WebService and ADService sections, ports are set to 8080 and 55556 +respectively. Make sure these ports are available on your machine. + +**Step 4 –**   Set the **Certificate** value to the value of the certification thumbprint you +imported previously. + +**Step 5 –**   Set the **RestApiUri** value to the URL used to access the application (e.g., +https://ThreatManagerServer.Domain.com:8080). + +**Step 6 –**   Save the configuration file. + +**Step 7 –**   Restart the Web Service. + +**Step 8 –**   Check the Web Service Log File to ensure the Cert was found and loaded properly. You +should see a log file with the output: + +``` +Found cert with subject % and thumbprint 12345ABCDEF54AED1DB59C349CA4D514628DB4D3 +``` + +## Active Directory Service Configuration File + +Follow the steps to configure the Active Directory Service Configuration file. + +**Step 1 –**   Open the Active Directory Service configuration file on the Netwrix Threat Manager +server: + +**C:\Program Files\STEALTHbits\StealthDEFEND\ActiveDirectoryService\appsettings.json** + +**Step 2 –**   Append the **WebService** section to the end of the file. 
Remember to add a trailing +comma after the `“EncryptRecording”:false` line in the file. + +``` +{ +    "Jwt":  { +                "CertificateFile":  "C:\\ProgramData\\Stealthbits\\StealthDEFEND\\WebService\\jwtsign.pfx", +                "CertificatePassword":  "CertificatePassword", +                "CertificateThumbprint":  "", +                "Version":  2 +            }, +    "DataDirectory":  null, +    "EncryptRecording":  false, +    "WebService":  { +                   "Port":  55556, +                   "Certificate":  "CertificateThumbprint" +                   } +} +``` + +:::warning +Do not modify the Jwt section of the appsettings.json file. +::: + + +**Step 3 –**   In the WebService section, the port is set to 55556. Make sure it is available on +your machine. + +**Step 4 –**   Set the certificate value to that of the certification thumbprint you imported +previously. + +**Step 5 –**   Save the configuration file. + +**Step 6 –**   Restart the Active Directory Service. + +**Step 7 –**   Check the Active Directory Service Log File to ensure the Cert was found and loaded +properly. You should see a log file with the output: + +``` +Found cert with subject % and thumbprint 12345ABCDEF54AED1DB59C349CA4D514628DB4D3 +``` + +## Re-register the Action Service + +While not always necessary it is a good practice to also re-register the Action Service whenever +changing the certificate in use. + +**Step 1 –** Open an administrative command prompt. + +**Step 2 –** Run the following command to launch a wizard that prompts for parameters required to +configure the Action Service: + +``` +\ActionService\ActionService.exe --config +``` + +**Step 3 –** Enter the following information in the wizard: + +- URL or Server – The web address for the Threat Manager console (e.g., + https://ThreatManagerServer.Domain.com:8080). 
+ + :::note + Include http:// or https:// if configured and web port if not using 80 or 443 + ::: + + +- User Name – Specify the user name to connect to the Threat Manager console. It is recommended to + use the Admin account for the user name. +- Threat Manager Password – The password to the user name specified +- Ignore certificate errors – It is recommended to set to True if using a self-signed certificate + for SSL or if other issues with the web certificate are experienced. + +**Step 4 –** The utility will output "Success!" if the Action Service registered correctly. Verify +that the Action Service successfully registered by navigating to the System Health page of the +Threat Manager console. + +**Step 5 –** Exit the command prompt. + +The Action Service is now re-registered with Threat Manager. diff --git a/docs/threatmanager/3.1/install/upgrade/_category_.json b/docs/threatmanager/3.1/install/upgrade/_category_.json new file mode 100644 index 0000000000..2d3c42c812 --- /dev/null +++ b/docs/threatmanager/3.1/install/upgrade/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Upgrade", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "upgrade" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/install/upgrade/upgrade.md b/docs/threatmanager/3.1/install/upgrade/upgrade.md new file mode 100644 index 0000000000..5d0dc107f6 --- /dev/null +++ b/docs/threatmanager/3.1/install/upgrade/upgrade.md 
@@ -0,0 +1,61 @@ +--- +title: "Upgrade Procedure" +description: "Upgrade Procedure" +sidebar_position: 70 +--- + +# Upgrade Procedure + +This topic describes the steps needed for upgrading Threat Manager to the latest version. + + +## Considerations + +Configure integration with one or more Netwrix products to feed the desired type of data into Threat +Manager: + +- [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) +- [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) +- [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) + +If Netwrix Activity Monitor is used to send data to Threat Manager, the versions of both products +must be compatible. + +:::note +It is not required to upgrade the Activity Monitor to the latest version when upgrading +Threat Manager, but it is recommended to upgrade it in order to take full advantage of the new +features. +::: + + +| Netwrix Activity Monitor Version | Compatibility with Threat Manager v3.1 | +| --- | --- | +| 7.1 | Fully compatible for monitoring of:
  • File System Data
  • Active Directory Data
  • Microsoft Entra ID Data
Threat Manager also supports file copy event type and file size information.
**NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported | +| 7.0 | Fully compatible for monitoring of:
  • File System Data
  • Active Directory Data
  • Microsoft Entra ID Data
Threat Manager also supports file copy event type and file size information.
**NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported. | +| 6.0 | Fully compatible for monitoring of:
  • File system Data
  • Active Directory Data
Threat Manager also supports file copy event type and file size information.
**NOTE:** SharePoint, SharePoint Online, Exchange Online, Microsoft Entra ID, Linux, and SQL monitoring are not supported | + +## Threat Manager Services + +Stop all Threat Manager services. + +**Step 1 –** Go to Services in the Windows Services Management Console (`services.msc`) on the +server where Netwrix Threat Manageris installed. + +**Step 2 –** Right-click on each Threat Manager service and click Stop in the following order: + +- Netwrix Threat Manager Action Service +- Netwrix Threat Manager Active Directory Service +- Netwrix Threat Manager Email Service +- Netwrix Threat Manager Event Service +- Netwrix Threat Manager Integration Service +- Netwrix Threat Manager Job Service +- Netwrix Threat Manager License Service +- Netwrix Threat Manager SIEM Service +- Netwrix Threat Manager Web Service + +## Upgrade Cases + +You can: + +- [Upgrade Threat Manager from 2.8 to 3.0](/docs/threatmanager/3.1/install/upgrade/upgrade3.0.md) +- [Upgrade Threat Manager from 2.6/2.7 To 2.8](/docs/threatmanager/3.1/install/upgrade/upgrade2.8.md) diff --git a/docs/threatmanager/3.1/install/upgrade/upgrade2.8.md b/docs/threatmanager/3.1/install/upgrade/upgrade2.8.md new file mode 100644 index 0000000000..508991e414 --- /dev/null +++ b/docs/threatmanager/3.1/install/upgrade/upgrade2.8.md 
@@ -0,0 +1,163 @@ +--- +title: "Upgrade Threat Manager from 2.6/2.7 To 2.8" +description: "Upgrade Threat Manager from 2.6/2.7 To 2.8" +sidebar_position: 10 +--- + +# Upgrade Threat Manager from 2.6/2.7 To 2.8 + +Follow the steps to upgrade Threat Manager 2.6/2.7 to 2.8 or to apply a hotfix to Threat Manager. + +**Step 1 –** Install the new version of PostreSQL. + +![postgresql](/images/threatmanager/3.0/install/postgresql.webp) + +:::note +The migration of PostgreSQL 10 to 14 will require a migration of theThreat Manager +database. You may proceed through the migration process in the following menu. +::: + + +**Step 2 –** Configure the following settings: + +- Only transfer events associated with a threat – this option provides a migration of the events + only associated with threats that have been detected +- Show Advanced Settings – Advanced settings contains the following parameters: + + - PG Tools Directory – Path to the directory where PostgreSQL binaries are located + + ![postgresqlcompression](/images/threatmanager/3.0/install/postgresqlcompression.webp) + + - Compression Level – Select the compression level to be applied to the data. It contains the + following options: + + - None – Compression will not be applied to the data + - Low – Lower level of compression requires more disk space to perform the migration, but + takes faster to complete + - Medium – Medium level of compression balances disk space usage and migration speed + - High – Higher level of compression reduces the disk space needed for the migration, but it + increases the time required for completion + + :::note + The compression algorithm option is used on the exported data. It does not affect + either the old or the new database. + ::: + + + ![postgresqlthreads](/images/threatmanager/3.0/install/postgresqlthreads.webp) + + - Number of Threads – Select the number of threads to be applied. Adding more threads can + considerably reduce the time to import data to the target server. 
It contains the following + options: + + - Reliable – One thread + - Recommended – Number of threads equal to half of the available processor cores + - Performant – Number of threads equal to the number of processor cores + + - Reduce Source Databaze Size – This action will lead to the migration dropping the indexes in + the old databases, prior to performing the migration + + :::note + This setting is not recommended as it will leave the old database in a broken + state, but the data is preserved. Some users may need this option if they do not have enough + free disk space to perform the migration. + ::: + + + If the migration fails, it can be re-run from the installer. + + This option is also reveals a **Delete Source Database** checkbox. After exporting the data + from the old database, the old database will be deleted. + + :::warning + The use of **Delete Source Database** is an extreme option that highly not + recommended. It should only be used if you fully understand its purpose and the actions it + entails. + ::: + + + If the migration fails, user will need to manually import the data into the new database + from the export file. + +**Step 3 –** Click **Validate** to proceed. Then, click **Next** in the bottom right corner. + +:::note +The migration of PostgreSQL 10 to 14 may require significant disk space to perform safely. +The disk space required for the backup does not need to be on the same disk as the database itself. +::: + + +![updatentm](/images/threatmanager/3.0/install/updatentm.webp) + +**Step 4 –** Install the new version of Threat Manager. + +**Step 5 –** Click **Test** on the **Connect to a Threat Manager Database** page. The installer +should see the existing PostgreSQL database and prompt to migrate. + +![postgresqlwarning](/images/threatmanager/3.0/install/postgresqlwarning.webp) + +**Step 6 –** Click **OK**, click **Next**, then click **Test**. You will see the following message. 
+ +![readyformigration](/images/threatmanager/3.0/install/readyformigration.webp) + +**Step 7 –** Click **Next**. + +:::note +Migrating a large database can take about 24 hours or more. During this time Netwrix +Threat Manager will not work. Installing Netwrix Threat Manager 2.8 with a new database, and +directing event streams to that server after the installation is complete, will eliminate downtime. +::: + + +## Clean up Dependencies + +After installation it is necessary to clean up dependencies associated with the previous version of +the Threat Manager. To do this, uninstall the following dependencies: + +- PGSQL10 +- Python 3.7 and below +- .NET Runtime 5 +- ASP.NET Core 5 + +Complete any post-installation tasks required for your configured environment. See the following +topics for additional information: + +- [Optionally Install the Action Service on Additional Servers](/docs/threatmanager/3.1/install/actionservice.md) +- [Secure the Threat Manager Console](/docs/threatmanager/3.1/install/secure.md) + +Clear the cache of the browser that will be used to view the Threat Manager Console prior to +launching Threat Manager. + +## Check for Deprecated App Tokens + +If upgrading from a version prior to 2.8, the app tokens may have been deprecated. This can be +identified by navigating to the Integrations page in Threat Manager. If an app token is deprecated, +it is necessary to create a new one for the application to use. + +### Identify and Update App Tokens + +Follow the steps to identify and create new app tokens. + +**Step 1 –** In the Threat Manager Console, navigate to the Integrations page. + +**Step 2 –** Expand the App Tokens section of the Integrations box and identify any of the app +tokens that have been deprecated during the upgrade. A deprecated app token can be identified by the +presence of a red warning triangle. + +:::note +Non-local action services will need their app tokens updated. Local action services will +be automatically updated. 
+::: + + +![apptokensdep](/images/threatmanager/3.0/install/apptokensdep.webp) + +**Step 3 –** Take note of the app token name and description and create a new one to be used with +the application. See the +[App Tokens Page](/docs/threatmanager/3.1/administration/configuration/integrations/apptoken.md) topic for additional +information. + +**Step 4 –** Update the application to use the new app token. See the +[Integration with Other Netwrix Products](/docs/threatmanager/3.1/install/integration/overview.md) topic for additional information. + +**Step 5 –** Delete the old, deprecated app token. diff --git a/docs/threatmanager/3.1/install/upgrade/upgrade3.0.md b/docs/threatmanager/3.1/install/upgrade/upgrade3.0.md new file mode 100644 index 0000000000..bc91aaa2f2 --- /dev/null +++ b/docs/threatmanager/3.1/install/upgrade/upgrade3.0.md 
@@ -0,0 +1,122 @@ +--- +title: "Upgrade Threat Manager from 2.8 to 3.0" +description: "Upgrade Threat Manager from 2.8 to 3.0" +sidebar_position: 20 +--- + +# Upgrade Threat Manager from 2.8 to 3.0 + +The upgrade process from Threat Manager 2.8 to 3.0 involves the following steps: + +- Upgrade PostgreSQL + +- Install Threat Manager 3.0 + +## Upgrade PostgreSQL + +Follow the steps to upgrade from PostgreSQL 14.8.x to 14.13.x. + +**Step 1 –** Run `Netwrix_Setup.exe` as an administrator. The Netwrix Setup Launcher window is +displayed. + +![Netwrix Threat Manager Setup window](/images/threatprevention/7.5/install/upgrade/tm3installation.webp) + +**Step 2 –** Click **PostgreSQL Setup** to upgrade the PostgreSQL version. The following message is +displayed, indicating the currently installed version: + +![Threat Manager Reporting - Upgrade DB Confirmation dialog box](/images/threatprevention/7.5/install/upgrade/upgradedbprompt.webp) + +**Step 3 –** Click **OK** to upgrade. The Netwrix PostgreSQL Setup wizard opens. + +![Netwrix PostgreSQL Setup wizard](/images/threatmanager/3.0/install/installdb1.webp) + +**Step 4 –** Click **Install**. + +![Netwrix PostgreSQL Setup wizard on the EULA page](/images/activitymonitor/8.0/install/eula.webp) + +**Step 5 –** Read the End User License Agreement and select the I accept the license agreement checkbox. Click Next. + +**Step 6 –** The installation begins and the installer displays a Setup Progress window. Click Exit +when the installation is successful to close the wizard. + +PostgreSQL has been upgraded. 
+ +:::note +If you have any antivirus or Endpoint Detection and Response (EDR) software installed on +your machine, make sure you have excluded all of the files from the following directories from all +antivirus scans: +::: + + +- \Program Files\Stealthbits\PostgreSQL14 +- \ProgramData\Stealthbits\PostgreSQL14 +- \Program Files\Stealthbits\StealthDEFEND + +PostgreSQL may fail to start or behave unexpectedly when monitored by any tool. + +## Install Threat Manager 3.0 + +**Step 1 –** Click the Netwrix Threat Manager **Setup** button on the Netwrix Threat Manager setup +window. The following message displays: + +![Existing Threat Manager version message](/images/threatmanager/3.0/install/existingtmvver.webp) + +**Step 2 –** Click **OK**. The following window is displayed: + +![Install Threat Manager 3.0 Page](/images/threatmanager/3.0/install/installtm3.0.webp) + +**Step 3 –** Click **Install**. + +![Install Netwrix Threat Manager 3.0 page](/images/threatmanager/3.0/install/tm3eula.webp) + +**Step 4 –** On the End User License Agreement page, review and accept the licensing agreement and +then click **Next**. + +![Threat Manager 3.0 Defalt Setup Folder](/images/threatmanager/3.0/install/tm3defaultfolder.webp) + +**Step 5 –** By default, the installation directory is set to: + +**C:\Program Files\STEALTHbits\StealthDEFEND\** + +Enter a new path or use the Browse button to modify as desired. Click **Next**. + +![Connect to a Threat Manager Database page](/images/threatmanager/3.0/install/tmdatababse.webp) + +**Step 6 –** On the database page, ensure the host and port are set correctly. + +:::note +If installing on the same server where the PostgreSQL database application was installed, +this information will be accurate by default. The default database name is stealthdefend; however, +it can be modified as desired. +::: + + +**Step 7 –** Click **Test** to validate the connection information. + +**Step 8 –** After successful validation, click **Next**. 
+ +![Firewall Rules Page of Threat Manager Installation wizard](/images/threatmanager/3.0/install/firewallrules.webp) + +**Step 9 –** By default, the installer will Create Inbound Windows Firewall Rules. Deselect the +checkbox if you do not want the installer to automatically create these rules, because you have +already created them. Click **Next**. + +![Threat Manager Installation Progress page](/images/threatmanager/3.0/install/installprogress.webp) + +**Step 10 –** The installation process will begin and the Setup wizard will display the progress. + +![Threat Manager 3.0 Installed Successfully page](/images/threatmanager/3.0/install/completed.webp) + +**Step 11 –** Click **Exit** when the installation completes successfully. The Netwrix Threat +Manager Setup wizard closes. + +**Step 12 –** Now that both components have been installed, close the Netwrix Threat Manager Setup +Launcher. + +Threat Manager 3.0 is now installed, and the database has been upgraded. + +:::info +After successfully upgrading to the latest Threat Manager version, clear your +browser cache for better performance and user experience. + +::: diff --git a/docs/threatmanager/3.1/requirements/_category_.json b/docs/threatmanager/3.1/requirements/_category_.json new file mode 100644 index 0000000000..8a00596580 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Requirements", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/requirements/actionservice.md b/docs/threatmanager/3.1/requirements/actionservice.md new file mode 100644 index 0000000000..44ecbc30d5 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/actionservice.md 
@@ -0,0 +1,42 @@ +--- +title: "Action Service Requirements" +description: "Action Service Requirements" +sidebar_position: 40 +--- + +# Action Service Requirements + +The Action Service can be installed on additional servers. + +:::tip +Remember, the Action Service is installed on the Threat Manager Console server. +::: + + +The Windows server can be physical or virtual. The following Windows server operating systems are +supported: + +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +Additionally the server must meet these requirements: + +- US English language installation + +**RAM, CPU, and Disk Space** + +Minimum hardware requirements: + +- 4 GB RAM +- 1 CPU Core +- 500 MB Total Disk Space + +**Additional Server Requirements** + +The following are additional requirements for the application server: + +- .NET 8.0.11 +- .NET Desktop Runtime 8.0.11 +- ASP.NET Core 8.0.11 +- PowerShell 5.1+ installed diff --git a/docs/threatmanager/3.1/requirements/client.md b/docs/threatmanager/3.1/requirements/client.md new file mode 100644 index 0000000000..971300fdd6 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/client.md @@ -0,0 +1,15 @@ +--- +title: "Client Requirements" +description: "Client Requirements" +sidebar_position: 30 +--- + +# Client Requirements + +Threat Manager is a web service which can be accessed locally or remotely if the server’s firewall +permits it. The supported browsers are: + +- Google Chrome +- Apple Safari +- Microsoft Edge +- Mozilla Firefox diff --git a/docs/threatmanager/3.1/requirements/database.md b/docs/threatmanager/3.1/requirements/database.md new file mode 100644 index 0000000000..d9eb8ce7e2 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/database.md 
@@ -0,0 +1,43 @@ +--- +title: "Database Server Requirements" +description: "Database Server Requirements" +sidebar_position: 20 +--- + +# Database Server Requirements + +:::note +Use this information when the database server is separate from the application server. +::: + + +The Windows server can be physical or virtual. The following Windows server operating systems are +supported: + +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +Additionally the server must meet these requirements: + +- US English language installation + +**Additional Server Requirements** + +The following are additional requirements for the database server: + +- .NET 8.0.11 +- .NET Desktop Runtime 8.0.11 +- ASP.NET Core 8.0.11 +- VC++ redist v14.28.29914 + +**Additional Considerations** + +The following considerations must be accommodated for: + +- When running antivirus scans against the PostgreSQL v14 database, the PostgreSQL data folder must + be excluded from the scans in order to prevent database complications. +- For performance reasons, disable Windows File Indexing on the drive containing the Threat Manager + database. +- Disk Defragmentation jobs should never be performed on the drive containing Threat Manager + PostgreSQL database. This can cause operational issues with the PostgreSQL database. diff --git a/docs/threatmanager/3.1/requirements/overview.md b/docs/threatmanager/3.1/requirements/overview.md new file mode 100644 index 0000000000..cb6e16a73e --- /dev/null +++ b/docs/threatmanager/3.1/requirements/overview.md 
@@ -0,0 +1,54 @@ +--- +title: "Requirements" +description: "Requirements" +sidebar_position: 20 +--- + +# Requirements + +This topic describes the recommended configuration of the servers needed to install the application +in a production environment. Depending on the size of the organization, it is recommended to review +your environment and requirements with a Netwrix engineer prior to deployment to ensure all +exceptions are covered. + +## Architecture Overview + +The following servers are required for installation of the application: + +**Core Component** + +- Threat Manager Database Server – This is where the Threat Manager PostgreSQL database is + installed. +- Threat Manager Application Server – This is where the v3.1 application is installed. +- Threat Manager Client – Threat Manager is a web service that can be accessed locally or remotely + through a supported browser. +- Threat Manager Action Service Server – Actions automate security responses and connect various + security applications and processes together. The Action Service is installed with Threat Manager + on the application server. However, it can be installed on additional servers. + +See the following topics for server requirements: + +- [Database Server Requirements](/docs/threatmanager/3.1/requirements/database.md) +- [Application Server Requirements](/docs/threatmanager/3.1/requirements/server.md) +- [Action Service Requirements](/docs/threatmanager/3.1/requirements/actionservice.md) +- [Client Requirements](/docs/threatmanager/3.1/requirements/client.md) +- [Ports Requirements](/docs/threatmanager/3.1/requirements/ports.md) + +**Target Environment Considerations** + +The target environment encompasses all servers, devices, or infrastructure being monitored by +Netwrix Threat Prevention or Netwrix Activity Monitor in addition to data collected by Netwrix +Access Analyzer (formerly Enterprise Auditor). 
+ +- Active Directory Activity Data– Active Directory activity data is collected through integration + with Threat Prevention or the Activity Monitor. +- File System Activity Data – File System activity data is collected through integration with Threat + Prevention or the Activity Monitor. +- File System Sensitive Data – File System sensitive data is collected through integration with + Access Analyzer. + +See the following documents for server requirements: + +- [Netwrix Threat Prevention Documentation](https://helpcenter.netwrix.com/category/threatprevention) +- [Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor) +- [Netwrix Access Analyzer Documentation](https://helpcenter.netwrix.com/category/accessanalyzer) diff --git a/docs/threatmanager/3.1/requirements/permissions/_category_.json b/docs/threatmanager/3.1/requirements/permissions/_category_.json new file mode 100644 index 0000000000..c503b19197 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/permissions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Permissions", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/requirements/permissions/adsync.md b/docs/threatmanager/3.1/requirements/permissions/adsync.md new file mode 100644 index 0000000000..1bf4a9750e --- /dev/null +++ b/docs/threatmanager/3.1/requirements/permissions/adsync.md 
@@ -0,0 +1,24 @@ +--- +title: "Permissions for Active Directory Sync" +description: "Permissions for Active Directory Sync" +sidebar_position: 10 +--- + +# Permissions for Active Directory Sync + +The following permissions are required for the credential used by Threat Manager for Active +Directory Sync. See the +[Entra ID Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md) topic for +additional information about syncing the configured Active Directory domain(s) in Threat Manager. + +| Object Type | Function | Access Requirements | +| ----------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | +| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container | +| Group | Retrieve all groups | Read Access to all group objects in the domain | +| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container | +| User | Retrieve all users | Read all user objects from the domain | +| Computer | Retrieve all deleted computer objects | Read all computer objects under the Deleted Objects Container | +| Computer | Retrieve all computer objects | Read all computer objects in the domain | +| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain | +| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain | +| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory | diff --git a/docs/threatmanager/3.1/requirements/permissions/entraidsync.md b/docs/threatmanager/3.1/requirements/permissions/entraidsync.md new file mode 100644 index 0000000000..f26650d07a --- /dev/null 
+++ b/docs/threatmanager/3.1/requirements/permissions/entraidsync.md @@ -0,0 +1,28 @@ +--- +title: "Application Permissions for Entra ID Sync" +description: "Application Permissions for Entra ID Sync" +sidebar_position: 20 +--- + +# Application Permissions for Entra ID Sync + +The following permissions are required for the credential used by Threat Manager for Microsoft Entra +ID Sync. See the +[Active Directory Sync Page](/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md) +topic for additional information about syncing the configured Microsoft Entra ID tenant(s) in Threat +Manager. + +| Object Type | Function | Access Requirements | +| -------------------------------- | ---------------------------------------------------------- | ------------------------------------------- | +| Administrative Unit | Retrieve all administrative units | AdministrativeUnit.Read.All | +| Application | Retrieve all applications | Application.Read.All | +| Device | Retrieve all devices | Device.Read.All | +| Group | Retrieve all groups | Group.Read.All | +| Group Member | Retrieve all group members | GroupMember.Read.All | +| Identity Risky Service Principal | Retrieve all risky service principals | IdentityRiskyServicePrincipal.Read.All | +| Identity Risky User | Retrieve all risky users | IdentityRiskyUser.Read.All | +| Organization | Retrieve organization information | Organization.Read.All | +| Role Assignment Schedule | Read and write role assignment schedules in the directory | RoleAssignmentSchedule.ReadWrite.Directory | +| Role Eligibility Schedule | Read and write role eligibility schedules in the directory | RoleEligibilitySchedule.ReadWrite.Directory | +| Role Management | Retrieve all role management data | RoleManagement.Read.All | +| User | Retrieve all users | User.Read.All | 
diff --git a/docs/threatmanager/3.1/requirements/permissions/overview.md b/docs/threatmanager/3.1/requirements/permissions/overview.md new file mode 100644 index 0000000000..4539f7e4be --- /dev/null +++ b/docs/threatmanager/3.1/requirements/permissions/overview.md @@ -0,0 +1,14 @@ +--- +title: "Overview" +description: "Overview" +sidebar_position: 60 +--- + +# Overview + +To sync Active Directory domain(s) and Microsoft Entra ID tenant(s) in Threat Manager you must use +service accounts with the required permissions. See the following topics for details on these +permission. + +- [Permissions for Active Directory Sync ](/docs/threatmanager/3.1/requirements/permissions/adsync.md) +- [Application Permissions for Entra ID Sync](/docs/threatmanager/3.1/requirements/permissions/entraidsync.md) diff --git a/docs/threatmanager/3.1/requirements/ports.md b/docs/threatmanager/3.1/requirements/ports.md new file mode 100644 index 0000000000..0cf79b3473 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/ports.md 
@@ -0,0 +1,88 @@ +--- +title: "Ports Requirements" +description: "Ports Requirements" +sidebar_position: 50 +--- + +# Ports Requirements + +Netwrix Threat Manager architecture and components interactions are shown in the figure below. + +![threatmanagerserver](/images/threatmanager/3.0/requirements/threatmanagerserver.webp) + +Configure appropriate firewall rules to allow these connections. + +## Data Stream Firewall Rules + +The following firewall settings are required for communication between the Threat Manager server and +applications that provide the data stream: + +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Inbound | UDP | 10000 | Syslog messaging File System event data stream from Activity Monitor agent host(s) | +| Inbound | TCP | 10001 | AMPQ Active Directory event data stream from Activity Monitor agent host(s) Active Directory event data stream from Threat Prevention agent host(s) File System event data stream from Threat Prevention agent host(s) | +| Bidirectional | TCP | 8080 | Access Analyzer Console Host(s) | + +## Application Services Firewall Rules + +The following firewall settings are required for communication for the Threat Manager services: + +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | --------------------------------- | -------------------------------------------------------------------------------- | +| Bidirectional | TCP | 55555 | Active Directory login to the application console | +| Bidirectional | TCP | 55556 | Active Directory login to the application console | +| Bidirectional | TCP | 55557 | Local host communication from the Event Service to the Job Service agent host(s) | +| Bidirectional | TCP 
| Dynamically Configured on Startup | Local host communication from the Event Service to the Job Service agent host(s) | + +## Database Firewall Rules + +The following firewall settings are required for communication between the Threat Manager server and +the database server, when it is installed on a separate server: + +:::note +These firewall rules are only needed if using a remote PostgreSQL database. That is not +recommended or the default. +::: + + +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | ----- | ------------------------------------------------------------------------------------- | +| Outbound | TCP | 5432 | Local Host and Remote communication from the PostgreSQL to the Threat Manager server. | + +## Application Console Access Firewall Rules + +The following firewall settings are required for accessing the Threat Manager console: + +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | ----- | ---------------------------------------- | +| Bidirectional | TCP | 8080 | Remote access to the application console | + +:::note +Threat Manager requires the default dynamic port range specified by Microsoft (49152 +through 65535) for Windows Server client/server operations. If a firewall or other appliance is +blocking these ports, this server will no longer properly respond to client requests and no longer +support standard IP Stack operations that are required for the operation of this product. 
+::: + + +## Active Directory Domain Controllers Firewall Rules + +The following firewall settings are required for communication between the Threat Manager server and +Active Directory domain controllers: + +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | ------- | ----------------------------------------------------------------------------------------------------------------------------- | +| Outbound | TCP | 88 | Kerberos-sec | +| Outbound | TCP | 135 | The endpoint mapper tells the client which randomly assigned port a service (FRS, AD replication, MAPI, etc.) is listening on | +| Outbound | TCP | 389 | LDAP | +| Outbound | TCP | 636 | SSL LDAP | +| Outbound | TCP | Various | The port that 135 reports. Used to bulk translate AD object names between formats.(Ephemeral Ports) | + +## Remote Action Service Firewall Rules + +The following firewall settings are required for communication between the Threat Manager server and +the remote Action Service server, when it is installed on additional server(s): + +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | ----- | ------------------------------------------ | +| Outbound | TCP | 8080 | Remote access to the Action Service server | diff --git a/docs/threatmanager/3.1/requirements/server.md b/docs/threatmanager/3.1/requirements/server.md new file mode 100644 index 0000000000..7753919cf5 --- /dev/null +++ b/docs/threatmanager/3.1/requirements/server.md 
@@ -0,0 +1,110 @@ +--- +title: "Application Server Requirements" +description: "Application Server Requirements" +sidebar_position: 10 +--- + +# Application Server Requirements + +:::warning +Netwrix Threat Manager cannot be installed on the same server as Netwrix Threat Manager +Reporting Module. +::: + + +The Windows server can be physical or virtual. The following Windows server operating systems are +supported: + +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 + +Additionally the server must meet these requirements: + +- US English language installation + +**RAM, CPU, and Disk Space** + +These are dependent upon the total number of daily events sent to Threat Manager. It is suggested to +use the total events for a peak day of the week, by activity. + +| Environment | Enterprise | Extra Large | Large | Medium | Small | Extra Small | +| ---------------- | ---------- | ----------- | ------ | ------ | ----- | ----------- | +| Daily Events | 130 M | 90 M | 45 M | 21 M | 4.5 M | 875 K | +| RAM | 64 GB | 64 GB | 32 GB | 32 GB | 32 GB | 16 GB | +| Cores | 24 | 12 | 8 | 8 | 4 | 4 | +| Daily Disk Usage | 300 GB | 170 GB | 120 GB | 40 GB | 10 GB | 5 GB | +| Total Disk Space | 4 TB | 3 TB | 2 TB | 1 TB | 1 TB | 1 TB | +| IOPS | 8,000 | 5,000 | 3,000 | 2,000 | 1,000 | 500 | + +:::note +All values are based upon a seven day event retention period in Threat Manager. +::: + + +Daily events to be monitored by Threat Manager can typically be discovered by using Netwrix Threat +Prevention or Netwrix Activity Monitor. When planning a deployment where there is currently no +Netwrix agent deployed, it can be more difficult to plan for scale. 
However, the following are +estimations based on organization size can be used: + +- For fewer than 1,000 active users + + - Generally assume 21 million daily events (Medium environment) + +- For 1,000-10,000 active users + + - Generally assume 45 million daily events (Large environment) + +- For more than 10,000 active users + + - Generally assume at minimum 100 million daily events (Extra Large-Enterprise environment) + +**Minimum hardware requirements** + +- 8 GB RAM +- 4 CPU Cores + +- 150 GB Disk Space + +**Additional Server Requirements** + +The following are additional requirements for the application server: + +- .NET 8.0.11 +- .NET Desktop Runtime 8.0.11 +- ASP.NET Core 8.0.11 +- VC++ redist v14.28.29914 +- Python v3.10.8x64 + +**Additional Considerations when Database is on the Application Server** + +The following considerations must be accommodated for: + +- When running antivirus scans against the PostgreSQL v14 database, the PostgreSQL data folder must + be excluded from the scans in order to prevent database complications. +- For performance reasons, disable Windows File Indexing on the drive containing the Threat Manager + database. +- Disk Defragmentation jobs should never be performed on the drive containing Threat Manager + PostgreSQL database. This can cause operational issues with the PostgreSQL database. + +**Permissions for Installation and Application Use** + +The following permissions are required to install and use the application: + +- Membership in the local Administrators group + +## Virtual Environment Recommendations + +While physical machines are always preferred, we fully support the use of virtual machines. This +section contains special considerations when leveraging virtualization. 
+ +- VMWare® ESX® – If using ESX, the following specifications are recommended: + + - ESX 4.0 / ESXi™ 4.1 or higher + - Virtual Hardware 7 or higher + - All Virtual Machines installed on the same datacenter / rack + +- Virtual Storage Consideration + + - In the server requirements, when separate disks are required for the servers, that should + translate to separate data stores on the VM host machine. diff --git a/docs/threatmanager/3.1/threats/_category_.json b/docs/threatmanager/3.1/threats/_category_.json new file mode 100644 index 0000000000..bed36a5e87 --- /dev/null +++ b/docs/threatmanager/3.1/threats/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Type of Threats", + "position": 4, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} \ No newline at end of file diff --git a/docs/threatmanager/3.1/threats/activedirectory.md b/docs/threatmanager/3.1/threats/activedirectory.md new file mode 100644 index 0000000000..b98b3c0349 --- /dev/null +++ b/docs/threatmanager/3.1/threats/activedirectory.md 
@@ -0,0 +1,130 @@ +--- +title: "Active Directory Threats" +description: "Active Directory Threats" +sidebar_position: 10 +--- + +# Active Directory Threats + +The following threats are monitored for Active Directory. definition of each threat is given below. + +## AdminSDHolder ACL Tampering + + Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker's permission on a protected object the AdminSDHolder controls. + +## AS-REP Roasted Users + + AS-REP roasting is a technique that allows retrieving password hashes for users that have 'Do not require Kerberos pre-authentication' property selected. Those hashes can then be cracked offline. + +## DCShadow + + DCShadow is a feature of Mimikatz and a technique for elevating a regular workstation account to a domain controller and executing malicious replication against the domain. DCShadow can set arbitrary attributes within Active Directory. + +## DC Sync + + Replication from a non-domain controller account can be evidence of a Mimikatz DCSync attack. Performing a DCSync remotely extracts the NTLM password hash for the account that is the target of the attack. + +:::note +The domain monitoring policy must be configured to exclude domain controllers. See the +[Integration with Other Netwrix Products](/docs/threatmanager/3.1/install/integration/overview.md) topic for additional +information. +::: + + +## Domain Backup Key Compromise + +The Data Protection API (DPAPI) is used by Windows to encrypt user secrets such as saved credentials, browser cookies, website passwords, and other sensitive information. For computers joined to an Active Directory domain, secrets protected by the DPAPI are also encrypted with a domain backup key. 
This key is stored in Active Directory and enables recovery of DPAPI-protected secrets should the user lose their own backup key. Because the domain backup key cannot be rotated, its exposure is a significant event. + +## Exposed Administrative Credentials + +Highly privileged accounts, groups, and systems have direct or indirect administrative control over the Active Directory forest/domain. Given the sensitive nature of these accounts, they should only be used on domain controllers. Pass-the-Hash attacks are successful because highly privileged credentials are used to access lower security systems. Having access to a privileged user's hash allows attackers to move laterally. + +This threat aligns to best practices for securing Active Directory. If an organization does not enforce limiting privileged account access to only Domain Controllers, this threat should remain disabled to eliminate noise. + +## Golden Ticket + +By obtaining the password hash for the most powerful service account in Active Directory, the KRBTGT account, an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to Active Directory. + +## Forged Ticket + +Definition: Forged Tickets provide a way for an attacker to elevate privileges by injecting additional group membership into their Kerberos tickets, giving them more privileges than they actually have in Active Directory. Threat Manager will compare PAC data in authentication to the user's actual group member and generate a threat when it finds a discrepancy. + +Trigger: Perform Authentication using fabricated/invalid tickets with groups present in the authentication Ticket PAC data that does not match the users Active Directory group membership. + +## GMSA Password Access + +The passwords for Group Managed Service Accounts (GMSA) are stored in BLOB format in the msDS-ManagedPassword attribute of the GMSA account object in Active Directory. 
It is trivial to convert the BLOB to a useable clear text password. It is suspicious for a user to attempt to read this attribute, as only authorized computer accounts should retrieve a GMSA’s password. + +## GMSA Permissions Assignment + +Permissions to retrieve passwords for Group Managed Service Accounts (GMSA) are typically granted only to the computer account of each computer running the service. The assignment of privileges to non-computer accounts (e.g. human accounts) can be indicative of an adversary's attempt to compromise the GMSA password. + +## Hidden Object + +Changing object Deny Read or Deny List Contents permissions can effectively hide an Active Directory object as it will not be returned in LDAP queries. This causes the object to avoid monitoring and detection, as service accounts used by these solutions will be unable to query the object. + +## Honeytoken + +Honeytokens are fake credentials stored in memory. When an attack scans memory they may try to authenticate or query the domain for information about the account. A Honeytoken threat can be generated by two methods: LDAP or Authentication. An authentication Honeytoken threat is generated when a perpetrator attempts to authenticate with a Honeytoken user account. An LDAP Honeytoken threat is generated when a perpetrator performs an LDAP query against a Honeytoken user account. + +## Insecure UAC Change + +Some changes to User Account Control Flags on Active Directory Objects can potentially expose security risks."PASSWD_CANT_CHANGE", "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", and "DONT_REQ_PREAUTH" are particularly risky. + +## Kerberoasting + +Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection. + +## LDAP Reconnaissance + +When an attacker initially compromises a system on a network, they will have few to no privileges within the domain. 
However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack. + +## LSASS Process Injection + +LSASS process injection is a deliberate and common method used by a variety of attacks including: Skeleton Key, MemSSP, and SID History Tampering. By injecting code into the lsass.exe process an attacker can scrape the password hashes directly out of process memory. + +## Pass-The-Ticket + +A Pass-the-Ticket event occurs when a user extracts a valid Kerberos ticket from one system and uses it to authenticate from another system. This allows the attacker to compromise a user's account and use it from any domain-joined computer. + +## Password Spraying + +Password Spraying indicates an attempt to gain access to credentials by using common passwords against large numbers of accounts while also staying below an organization’s defined lockout threshold. + +## Potential BadSuccessor Abuse + +Attackers can manipulate the msDS-ManagedAccountPrecededByLink of a dMSA account to any principal in the domain to leverage the access that account has. + +## Primary Group ID Modification + +Attackers can hide a users group membership by modifying the primaryGroupID to a group then denying read access to the primaryGroupID attribute. In almost all scenarios, the primaryGroupID of every object should be Domain Users or Domain Computers. Domain Controllers will also have the primaryGroupID of Domain Controllers or Read-only Domain controllers. + +## Replication Permissions + +Providing a user with replication permissions allows the user to execute domain replication commands against domain controllers. This type of behavior is common with DCSync and DCShadow threats. 
+ +## Sensitive Group Changes + +Sensitive Group Changes indicate that the membership of a group containing extremely sensitive permissions has been modified. This includes any Active Directory group with the Sensitive tag in Threat Manager, which includes many standard Active Directory Groups such as: Domain Admins, Enterprise Admins, and Schema Admins. + +## Service Account Misuse + +Indicates that a service account was used to log into a machine that is not listed in their service principal names attribute. + +This threat aligns to best practices for securing Active Directory. If an organization does not enforce service accounts to only authenticate to hosts within their servicePrincipalName values, this threat should remain disabled to eliminate noise. + +## SID History Tampering + +Mimikatz or other tools can be used to inject SID History into user accounts. This allows an account to effectively be given permissions, such as Domain Admin, even though it is not actually a member of Domain Admins. + +## SPN Assigned to Privileged User + +An account is only vulnerable to Kerberoasting attacks if it has a service principal name. Service accounts should not have more privileges than required to perform their function. Visit [Netwrix Attack Catalog](https://www.netwrix.com/attack.html) to learn more about this threat. + +## Suspected Domain Controller Impersonation + +When an adversary obtains a Domain Controller account hash, they can authenticate from an unauthorized system, establish a connection to another Domain Controller, and initiate directory replication. This technique bypasses existing replication controls by appearing as legitimate Domain Controller traffic. Detecting Domain Controller accounts authenticating from unauthorized systems enables earlier identification of such attack vectors. + +## Zerologon Exploitation + +CVE-2020-1472 (a.k.a. 
"Zerologon") is an elevation of privilege vulnerability that allows an unauthenticated attacker to escalate their privileges to domain administrator by exploiting a flaw in the Netlogon Remote Protocol (MS-NRPC). To exploit this vulnerability, an attacker requires only the ability to communicate over the MS-NRPC protocol to a domain controller. diff --git a/docs/threatmanager/3.1/threats/custom.md b/docs/threatmanager/3.1/threats/custom.md new file mode 100644 index 0000000000..c946709fa8 --- /dev/null +++ b/docs/threatmanager/3.1/threats/custom.md 
@@ -0,0 +1,96 @@ +--- +title: "Custom Threats" +description: "Custom Threats" +sidebar_position: 50 +--- + +# Custom Threats + +In additional to pre-configured threats, Threat Manager provides the ability to create custom +threats. A user can create a custom threat if they consider certain events to be dangerous in their +environment. For example, when one of the privileged users makes file changes. + +Custom threats can be created in one of the following ways: + +- Custom Option on the Threat Detection Page +- Create Threat Option on the Investigation Page + +## Custom Option on the Threat Detection Page + +Follow the steps to create a custom threat. + +**Step 1 –** Click on the gear icon at the top right of the screen. + +**Step 2 –** Select **Threat Detection**. This opens the Threat Detection page. + +**Step 3 –** In the Threats box on the left, click **Custom** . This opens the Investigate page. + +**Step 4 –** On the Investigate page, do one of the following: + +- Select an existing investigation, or +- Save a new one. See the + [New Investigation Page](/docs/threatmanager/3.1/administration/investigations/newinvestigation.md) for additional + information. + +**Step 5 –** In the selected investigation, click the **Create Threat** option. + +![CreateThreat Option](/images/threatmanager/3.0/threats/createthreat.webp) + +The Custom Threat page opens. + +![Create Threat Dialog Box](/images/threatmanager/3.0/threats/createthreatdialogbox.webp) + +**Step 6 –** Severity – The relative severity level, or risk level, of the threat. See the +[Fine Tune a Threat](/docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md) topic for additional +information. + +**Step 7 –** Description – Description of the threat. + +:::note +Click the + sign in the description box to insert the `{{userName}}` macro. The macro will +associate the user that committed the threat. 
+::: + + +**Step 8 –** Definition – The threat definition is a detailed explanation of the threat providing +insight into why the incident is a potential risk. It appears at the top of the Threat Details page. +See the [Threat Details Page](/docs/threatmanager/3.1/administration/threats/threatdetails/overview.md) topic for additional +information. + +**Step 9 –** The Custom Threat page has two tabs for threat configuration: + +- Threat Response – Assigning a threat response includes the following: + + - SIEM Alert – Check the box to forward threat information to a SIEM service when the threat is + detected. Uncheck it to turn off forwarding threat information to a SIEM service. + - Email Alert – Check the box to send email notifications when the threat is detected. Uncheck + it to turn off email notifications. + - Run Playbook – Select the playbook that will be used to respond to the threat. + +- Threat Settings – Select the Threshold check-box to enable configuration options i.e. the minimum + number of events during a specific time frame which will trigger a threat. + + - Count –The number of times that an event must occur before a threat is generated + - Time – The time period over which the count must occur to generate a threat. Enter a value and + set the units for the time period in the next field. + - Units – The time period units. Options in the drop-down menu include Minutes, Hours, or Days. + - Group By Perpetrator – When checked, the threat criteria is evaluated on a per-user basis. + This means that each perpetrating user's individual activity must match the investigation + criteria in order to generate a threat. The default is unchecked. + +**Exclusions Tab** + +The Exclusions tab lists existing exclusions for the threat. Exclusions allow rule-based definitions +to be defined for specific criteria to be excluded from threat detection for the threat type. 
+ +![Threat Exclusion Tab](/images/threatmanager/3.0/threats/exclusionstab.webp) + +**Step 10 –** Click **Save**. The investigation is now saved as a custom threat. + +## Create Threat Option on the Investigation Page + +For creating a custom threat from an Investigation page, the steps are as follows: + +1. Click Investigate in the application's header bar. +2. select an investigation and follow the steps from the Step 5 in the Custom Option on the Threat + Detection Page section above. diff --git a/docs/threatmanager/3.1/threats/entraid.md b/docs/threatmanager/3.1/threats/entraid.md new file mode 100644 index 0000000000..07bb32192e --- /dev/null +++ b/docs/threatmanager/3.1/threats/entraid.md 
@@ -0,0 +1,63 @@ +--- +title: "Entra ID Threats" +description: "Entra ID Threats" +sidebar_position: 20 +--- + +# Entra ID Threats + +The following threats are monitored for Microsoft Entra ID. + +## Application Permission Change + +The Application Permission Change is when a sensitive or risky permission is granted to an +application. + +| Application Permission Change | | +| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | Application permissions are usually granted to them at their creation time. In some cases, new permissions are required to be granted at a later stage. An attacker can leverage Microsoft Entra ID applications by adding the new permissions and using them for privilege escalation or persistence in your Microsoft Entra ID tenant. | +| Example | An application is given the "Directory.ReadWrite.All" permission or any permission that requires admin consent. | +| Trigger | A threat is created when an application is granted admin consent to a permission. | + +## Compromised User Activity + +The Compromised User Activity is when a user is marked as "Confirmed Compromised" and that user +takes an action within your Microsoft Entra ID tenant. + +| Compromised User Activity | | +| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | The Compromised User activity threat involves detecting any activity from a user that was marked as "Confirmed Compromised" by Microsoft Entra ID. 
Any action taken by such users is considered potentially malicious and should be reviewed immediately. | +| Example | A confirmed compromised user grants another user the "global administrator" role. | +| Trigger | A confirmed compromised user performs any action in your Microsoft Entra ID tenant. | + +## Impossible Travel + +The Impossible Travel is when a user logs in from one geographical location and then quickly (and +impossibly) logs in from another far away geographical location. + +| Impossible Travel | | +| ----------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| Definition | Highlights accounts associated with multiple authentications from different geographical locations in a short period of time. | +| Example | A user logs in from a New York city, then 10 minutes later logs in from Moscow. | +| Trigger | A threat is triggered when a user logs in from two distant locations within a short period of time. | + +## New Applicaton Credentials + +If an application suddenly gets a new set of credentials/client secrets, Threat Manager raises an +alarm as to why these credentials are added. + +| New Application Credentials | | +| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Definition | Application credentials are usually provided at the time of application creation or when a secret is close to its expiry. New credentials can be added on need basis as well. An attacker can leverage Microsoft Entra ID applications by adding new credentials and using them for privilege escalation or persistence within an Microsoft Entra ID tenant. 
| +| Example | A new client secret was generated for an existing application and used for a cybersecurity product. | +| Trigger | A client secret is added to an application. | + +## Sensitive Role Changes + +Sensitive Role Change is assigning a privilege role to an Microsoft Entra ID object. + +| Sensitive Role Changes | | +| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | The sensitive role changes threat detects when a privileged role is assigned to an Microsoft Entra ID object. The privilege roles have a high level of access to Microsoft Entra ID objects. They can make unauthorized changes which can pose significant security risks. | +| Example | A user gives another user the "Global Administrator" role. | +| Trigger | When an Microsoft Entra ID object is granted a privileged role. | diff --git a/docs/threatmanager/3.1/threats/filesystem.md b/docs/threatmanager/3.1/threats/filesystem.md new file mode 100644 index 0000000000..3f7481ca36 --- /dev/null +++ b/docs/threatmanager/3.1/threats/filesystem.md 
@@ -0,0 +1,51 @@ +--- +title: "File System Threats" +description: "File System Threats" +sidebar_position: 30 +--- + +# File System Threats + +The following threats are monitored for File System: + +## High Risk Permissions + +High Risk Permissions are those which grant unrestricted access to a file or folder. When high risk +permissions are added or increased on a folder or file, a threat is created. + +| High Risk Permissions | | +| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | The High Risk Permissions threat creates a threat when a high risk trustee (Domain Users, Anonymous Logon, Authenticated Users, and Everyone) is added to the ACL on a folder or file. These permissions are high risk because they grant unrestricted access to a resource. | +| Example | Domain Users are given Read access to a folder. Everyone is given Full Control on a folder which already had Domain Users with Read Access. | +| Trigger | A threat is created when a user adds a high risk trustee (defined above) to a folder or file, which increases the amount of open access. This threat is updated with the total number of folders or files affected due to the inherited permissions. | + +## NTDS.dit File Access + +Unauthorized file system interaction with the NTDS.dit file stored on Active Directory Domain +Controllers will be detected as a threat. 
+ +| NTDS.dit File Access | | +| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | By accessing the NTDS.dit file, Active Directory's database, an attacker can extract a copy of every user's password hash and subsequently act as any user in the domain. Threat Manager audits all activity related to the NTDS file and VSS copy to notify when an attacker could be accessing the information for an offline attack. | +| Trigger | Perform File or VSS activity against the NTDS.DIT file. | + +## Ransomware + +When a user creates or renames at least 100 files with a known ransomware extension or a name that +resembles common ransom notes, a threat is created for each rename action. + +| Ransomware | | +| ---------- | --------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | Detects file activity that involves a file with a known ransomware extension or a file with a name that resembles common ransom notes. | +| Example | A user created a ".locky" file, and created and renamed more than 100 files with common ransomware extensions. | +| Trigger | Using a pre-defined library of known ransomware extensions, Threat Manager alerts on file create/rename activity with known extensions. | + +## Unusual Processes + +If a user runs a process on a monitored server for the first time, a threat is created. 
+ +| Unusual Processes | | +| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | The Unusual Processes threat detects if previously unseen processes are launched on critical file servers. | +| Example | A user launches a "python.exe" process that has never been launched by anyone else in the environment. | +| Trigger | Threat Manager records the name of the processes associated with file access activities. Over a learning period (e.g. 30 days), Threat Manager profiles which processes are normal by aggregating data across all file servers. After that, if a new process is identified that has not been seen on any other file servers, a threat will be created. NOTE: This threat is only applicable on Windows file servers when the activity is performed locally. | diff --git a/docs/threatmanager/3.1/threats/general.md b/docs/threatmanager/3.1/threats/general.md new file mode 100644 index 0000000000..a556fa85b7 --- /dev/null +++ b/docs/threatmanager/3.1/threats/general.md 
@@ -0,0 +1,42 @@ +--- +title: "General Threats" +description: "General Threats" +sidebar_position: 40 +--- + +# General Threats + +The following threats are monitored for File System and Active Directory. + +## Abnormal User Behavior + +Abnormal behavior detection begins when a user has been active for a minimum of 30 days, with up to +120 days of activity used to establish the baseline behavior for a user. Behavior for all users is +evaluated every 15 minutes. If a user deviates significantly from their baseline, a threat is +created. + +| Abnormal Behavior | | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | Indicates that a user's file system or Active Directory behavior has deviated from the user's normal behavioral profile. | +| Example | Sensitive Data Example: A user suddenly accesses far more files containing sensitive content than they normally do. Ransomware Example: New ransomware variants not represented in Threat Manager's pre-defined library will still exhibit abnormal behavior with regard to file access operations, including large volumes of updates, renames and writes. 
Lateral Movement Example: If a user is accessing an abnormal number of hosts and is performing file activity on a large number of resources, this could be an indicator of suspicious lateral movement. Delete Example: Upon termination, disgruntled employees sometimes delete large volumes of files to cause the organization harm. | +| Trigger | Threat Manager analyzes the following aspects of each user’s behavior and create a threat when abnormalities are detected based on a given user's normal level of activity. File System - Number of Reads - Number of Updates - Number of Deletes - Number of Renames - Number of Permission Changes - Number of Writes - Number of Denied Events - Number of Hosts Accessed - Number of Resources - Number of Files with Sensitive Data Active Directory - Successful Kerberos authentications - Successful NTLM authentications - Failed authentications - Object changes - Object adds - Object deletes - Object renames - Distinct clients used (for AD activity) - Distinct hosts accessed (for AD activity) - LDAP objects queried Outliers are detected through unsupervised clustering of a user's historical activity. | + +## First-Time Client Use + +If a user accesses a share using a new client, a threat is created. + +| First-Time Client Use | | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | The First-Time Client Use threat detects when a user accesses file share data from a client they have never used to access data previously. | +| Example | A user normally uses their own workstation to access file shares. On a given day, the user accesses files from a different workstation, indicating the user’s account may be compromised. 
| +| Trigger | Threat Manager analyzes user behavior over a learning period (e.g. 30 days) to profile which clients a user normally leverages. Once a new client is used to perform file system activity for the first time for a particular user, Threat Manager creates a threat. | + +## First-Time Host Access + +If a user accesses a host for the first time, a threat is created. + +| First-Time Host Access | | +| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Definition | The First-Time Host Access threat detects when a user performs file activity on a new host they haven’t accessed previously. | +| Example | Most users only interact with a few file servers based on their geographic location, the department they are in, etc. Over a learning period (e.g. 30 days), Threat Manager profiles which hosts a user commonly accesses data on. After the learning period, Threat Manager creates a threat if a new host is accessed for the first time. | +| Trigger | A user accessed an open share on a new host for the first time. | diff --git a/docs/threatmanager/3.1/threats/overview.md b/docs/threatmanager/3.1/threats/overview.md new file mode 100644 index 0000000000..b6b7d5368d --- /dev/null +++ b/docs/threatmanager/3.1/threats/overview.md 
@@ -0,0 +1,25 @@ +--- +title: "Type of Threats" +description: "Type of Threats" +sidebar_position: 30 +--- + +# Type of Threats + +Netwrix Threat Manager by default provides some pre-configured threats and users can create custom +threats using the Custom option or through the Create Threat option on the Investigation page. The +pre-defined and custom threats are listed in the Threat box. Threats that are crossed out are +disabled threats. + +![Threats Box](/images/threatmanager/3.0/threats/threatsbox.webp) + +The Threats list divides the threats into the following sections: + +- [Active Directory Threats](/docs/threatmanager/3.1/threats/activedirectory.md) +- [Entra ID Threats](/docs/threatmanager/3.1/threats/entraid.md) +- [File System Threats](/docs/threatmanager/3.1/threats/filesystem.md) +- [General Threats](/docs/threatmanager/3.1/threats/general.md) +- [Custom Threats](/docs/threatmanager/3.1/threats/custom.md) + +Select a threat from the list to display the threat's configuration options to the right of the +Threats box. diff --git a/sidebars/threatmanager/3.1.js b/sidebars/threatmanager/3.1.js new file mode 100644 index 0000000000..f9386358cc --- /dev/null +++ b/sidebars/threatmanager/3.1.js @@ -0,0 +1,16 @@ +const generateKBSidebar = require('../../src/utils/generateKBSidebar'); + +module.exports = { + sidebar: [ + { + type: 'autogenerated', + dirName: '.', + }, + { + type: 'category', + label: 'Knowledge Base', + collapsed: true, + items: generateKBSidebar('threatmanager') + }, + ], +}; 
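Review bot: in the filesystem.md hunk, the Abnormal Behavior Trigger cell writes the counters as `File System - Number of Reads - Number of Updates - ...` and `Active Directory - Successful Kerberos authentications - ...` inside a single table cell; GFM tables do not render list markers inside cells, so both lists will collapse into one run-on line. Separate the items with `<br>` or move the two lists to a paragraph below the table. In the same cell, "analyzes the following aspects ... and create a threat" should read "creates a threat". Further down, the First-Time Host Access table puts the learning-period/profiling description in the Example row while the Trigger row only says "A user accessed an open share on a new host for the first time", which is the reverse of the Example/Trigger split used in the First-Time Client Use table just above it; swap the two so the rows match the rest of the page, and reconcile "open share" with the Definition row, which talks about file activity on a new host in general.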
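Review bot: the overview.md hunk embeds `/images/threatmanager/3.0/threats/threatsbox.webp` while every doc link in the same hunk uses the `3.1` path; if the 3.0 screenshot is intentionally shared, say so, otherwise copy the image under `/images/threatmanager/3.1/` like the other image assets in this patch so the 3.1 docs do not break when 3.0 assets are retired. Minor wording: the page says "listed in the Threat box" in the first paragraph and "to the right of the Threats box" in the last, and the title "Type of Threats" reads more naturally as "Types of Threats".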
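Review bot: in the sidebars/threatmanager/3.1.js hunk, `items: generateKBSidebar('threatmanager')` is the only property without a trailing comma while `dirName: '.',` and `collapsed: true,` have one; add it for consistency with the surrounding entries. Since this sidebar is specific to 3.1 but passes only `'threatmanager'` and no version to generateKBSidebar, confirm that a version-independent Knowledge Base list is the intended behaviour here.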
diff --git a/static/images/threatmanager/3.1/administration/serviceaccounts/dashboard.webp b/static/images/threatmanager/3.1/administration/serviceaccounts/dashboard.webp new file mode 100644 index 0000000000000000000000000000000000000000..294a7136cc5838cbeedeb0f4f7cf1c5c246ddd51 GIT binary patch literal 73724
ze-fh>E7u!&07#Y0BaYMTuPROYX_L&WI!Zjt=MJ+LxC9$_>2!x-(_u&7wPc{xqH_)k z^8LZAtNm{gAKmOYUy#{UT$65Px%V1yl3RV?iGNu{UD3%HhLaONZjx89K6HS`xU8n$ z4U2=$t`jw#JQslSoDoQ>t7lAQuOE*WAqu;|g z>A4~I zu0W3Lg#7(Gk~;>iyKtYVOX7E~uB^&6Y)yTQK{5+`Uv|_XAN8S-P3OQ1t-P zTe-&z*#xFpyePqKkAgO$0CXY@^c<{^uj8R9*$M+6632~0+x_SXBm{|C;W;s7&Q==?Oz z!z3055K9@epc|m+AoJlXgwx6@MoU7cxa`D^2f(y46O$Mb0+NL+ehSG{U`^)%a;$ErJ@{R zgQ1{8ZPUV|CvO*E9Ik{GzOU9oge|Ua_PwkoreF4w0rlIztS<}k(IMI3%i?yR$fjU(fAd~(6S{fHYigc1re6nc+Vz5~?7MeEinhmJ>mZfQdiW1Bx zj$=RH+y7yap?SNcle-*AJ(S=W`KK3%-?V7)!~S1OMXTpK6V(|`%|wE4D}(H?cSaED z_YMJU&ET;{)-3%7=w8HpX{Y>Uas_@aL$}8`A(8zmS8=2~z}c-x{co5?bbCr#rtZ`* z#bbZ}-DZd(8Fc>M_(4V=@*MfF%vn@(@B3~SXjGzy2(`7inRATw^s?_W3=UuG6`F$M z(|fRT?_%=1)!X(u#I1u7+2~kyf2wSW5(6%lN$3CY3W`}x%2JO2`#U<@ zD>DmcLsubpea>z5RXIQENp5vH;l~Q*N9w6okSI*Hsa7A=Xi29SStQ0>6e`s@4ZwF8 z6@3+ZHJu^tYp#LWDTw9JQL(;0TdRzEBG61eaaJ(btL+OCb`$2Wp}^=tmAoQ;h4;|1 zaX9T^5G`F_9Mb+(B=6sm{%d}s0Lp|GxAUl?e>EXYgl8K$ix@6Z--ZC({TH zL_xW%u5iZ%h^b{ycNkh=9Bc*Mpsj;}ofF|%XReX@zYauw5I)7{#~t5Ibe2-BHh~=7 zG~DK|QTsB@5q_qC_+~H%HgW2y8~slpT0 zpmsoGNvq-qGRp?<=AKLTdDxTtYLC;m@8*POVap$JO{X9KVv(C+C~T7u+y+KS;Y&`QgSG0`GUfymY0U+ zB|Z{pR4G$aJ2Yso*lsEU0~S_2As)P*`@|dYe||0JYC8nVEBs9sd?Dls{3$vr4JWY- z6ngk0X9c=0>v0Net3{K>yRpKir*RB2qKtzv7Q_Am2U>7X(q5n-@K^v|P zl7F(Z0HV81pC?;sW?dbwevc`mh`ajEJTCG)q5oNjm7>C6jPQdy$FZKW###4TQ#JxU zA+O*&ZQnX`A=gjqu7fVL_XZgNz?hw{k{HZ7?bL-q`jvP=KWBIo(FNm)-#*r9pU*W$X?OMfcAD-TXY@D@=dBkfDuAw{6X-_!-r6c#Lp3u#28Nnw^g4106oo+2MW z$^g(`kE5WX)cj@&X2%3pp~QtOaN+{2nl#J^CI6>xL`aQ9yjbt~WnTmf+wZ>}YJzvF zhAtO=NLExKk*^j41lcwyh;b^_G7No#|D=U3x9lD}qe%^7l7vKg$K?p!8>*_yB_3Cu z0!PaysQ(eRIzsVNpJz|ddDIFimQA#sqrU)_uprhq(}uaTgN>vmY>QzTGD^jVCACClr<`+jE_}6E+IEWgeU3_nX$_E7ukW{b! 
zc*G-=e_drHkeE-_CqTsb-2$Kw>hvvx)?U7-201DKLmAYYOf^mo?-J5LZyDqh=gG!D z36D%eOV!*36cBuG)EZ6q=?x*6>f99k8MRc9fSVaw4#+PRplJnHW}h1v(g+GaacJ=K zV?yhPS#|yo;yNmb&&>>aM{H{8p9B$dO)XQ6|8Q<{7od>4CH90|#TTV{#W5%iTdkT6 zc*Nep6pb#p_2kE`_EdmH^JFRM@h%Pg($?n9l_ZW&TI*#g14lyWX%9vpL;3 zP|QA~oGnCQ9>$1t1XDB@>Hz*M9&s^_x3C+uYVqB7J>>?pC4=CMnUv&&^!{PY7I11< zu=SgQuc(_+c{zUC>t@ChYjv1WCvKXu7(!VU$E*oY-M@QsOgnqUWvczdi}Bd-P9{-= zJg#cM3U3w^zW~(iYM*uqes&U2klW-d9|`(LI(U!%`6A?~a7=su!L;bWVQ%Z@gq|6z z8l;IdHXVCRwhdFPX4zB$3Uu+qGX57ToEx~udZa1 zPF9Gh#{Z%G^i1?GWgnc<>@OuDPzni}&B2NQ z{1B6ND!c2T5xEAa00)lcdf2bq_Q9;?$G87~SEjz6iFd=DH{0F`a8ump5&w7KD*5*A z8o4`7&$F{7IM>&5E)?Z?Fb5QJk^>5Oa+pPI6F@*{Yku*&Re)_y{VzG{^Un#Zq0v$) zdpFK@F1@(RKN$nHpp>r`(x?C`*1#Ev#c6CrM=V-rm_!_ZBLJd+CSR^*O=%to?6-T3 zkCJ3l^C15vvy+G7oSPX0pc-(9-EreL;zYVs3i1Gi#~@q#mc8rivCA`tgl>QEnLEmv zhR^HI&^-hXQ!rDz(Ub$k$yp-vNI}ofn4fyj0nY8iUv9Y`bT$y_L$0^r_k~qDbr=DUbc5^IZNbTJI%jn|2 zVl@rpAw%k5{=TGu!NOzuOg4?0=}kB*tLq8IGwy>1tG}!=36|SD!rn7~TM&FxKJ(Kq zKO_z>O?+Rn-V^va4HORDlkhOTJa9J0|HWtjlF@aJLQY20C!0;HX8NyG|6yg*VAW6r zBh%E2&~6w6Q$)^Q6HUHgS=uwcO@77eYYASnVuw?7!YRlCpe1vH=}l=r>}ug1rHb!c z!#fHk=7aDXNkYLh$<9K4KN4paMy z(Mo>Y+4qkYaJc?z0lB$d68e*|c{E^E)WFn;!XbE%!o)GTKHJ$BP=$?fDe7Sf0=Kps-c=(|`Bma}^{Hu&)lU$Hud#_V-o zEeU-cBAGwN^)QVdw*LB_Me(@G*QBFaQ3Pi63!&(`xSMPZP@8kcL4@|jw>_VD{3Tu$ zTlPka0CyY4E%VRNX)?gg3;8q}qojx1XWaJV@if!;ETLP0q}bK#rU|aW*Co$DAkxn@ z&Vx_CSRmqZ&rZ&cvhG6X=5y%24J`t#ZPd4!hZF2_C&%^hlP<`%q+X!NnfQ` zNC<+2k^&+ybcZ0NFf`IF-JK2{3P=n+fOO0d(nv@nAl=<1IVd17fb{v{bzjeO|IfSg ze|g^U8F0Jz`mWk*_Fil4B+l!Uhn}~r9UZO2iX|7${KvVPU*9)dioDsy7+GwgA5eVB zAM-iI?dg%IMm}bje6=NGv+v+zhI2Wp>&3WJ`9S)Ep@fXWeFUMV4}Qn3a@NPsAHPkY zms*Hy45mdKCUm})vvR`dv4~dxnA$X^up@IXnB3DfF-!eOoth5G2YlK#t$2kz2S}+c z;JQxf-Ps)>I2lJ+zZMNCK6mEl%aewT&H0jN`Bte%8{uyTeI~XOqD<#9cu!%FdaD;p zk+(sP5KOMC=uH;eddC{}IjpYifkCQd=S58#$86@4mU>KUEPD_V@%|RfC;F00_?_F7mOFSY zelDy5k5q7>^2omr+l{}R*EBSo2Kga(D3(zg6F8q=lCMbQ)nm#sX4stcV0G2*DHnSw ze%_#$Xx7j@I{sy5$OCURN^Lpu6ZrsbZ^j1dYlV(<9u zpz>*ft(uf|7F3$*a+QBO4x2P|$QSULg1cH}FJlX=T?_3}uli8-I#h?{gNRhtONzAx 
z*#=v06>b$c-(w_+<9H^i=?0B2yme}fzLb=Rv$EQJ#ogtL*7%g|Bk_DN$CkslELWB9 zy58s3+$M4?Lo0Jq0Za027w%`o!<8wj0gc}knNxmQm3>wS?T}YT!fP*s1kl^!ZT8PN zE@)_fU$?H<8AKgf4sSAg+0ERF9=eyP?#kK1dCwW2f4KVY6`>=i$!1~JEZvx`If;`m zE!bv}93NC<&FcXe0u4hl7_fwB*^@6%YsXR)|B)gQ9nyah0Xg;xJ|wFZTw|LpTB*$2!P1!wlIIPK|o$QZvCbR;pRh!!U&VCQ>%Nbnf_AWi7aN+HGC3sC1_fFEQJkJXuL;_~2!C*kT?RF;4%0A1odG!f~mp%~KE zu>N-8Jn5a&HjS1w*Oy~*ipt`gbFAsDdQ1fCid=hKgyJ@{!~%&W38`Wj#)2uk-eXn% z*>|lZe4T9fnSqe*#J=n^hWTc$RPUg5%li#M>LG$9NoXHz*`Dz^| zFlTJBZS^bn7FHin0$-U_x=?r>L2iC@|3-?W5=O)!abcXOD^=RP&46)sdIs3|+!X-K zZsNayX~F>4VQPJlx(~hg+@DAYxsU>Y>H^I2d7F8mwdGP;qs`WP+>2xUHT{eM!0S$Q z?*3?;i9cmum(s)#FQY|-)ymzNfgXS3QbnRiK2Y`f=)v|U=7+r{4{Z#2^o5?8?Q5vs z0JkmH)3(=FjfnyGH})AR14J4o^%6UAv6w%j`pk{6Xy#-ex51yGRb9Ns!h>POO(cI+ zrnmX4r$M@adRl)+nVFm=ZoT9eWVZ-WmtnqAEWkm2nV!z%>NNb3`I^Z^=`pXFEp(f+ zg$0lj3nNz-&6I0mK#+Q|2^^JwOH6Nw_)R@Z-X-NbqGJE&;k9~SAbi+t5t-$A`Wl^U zOWNfai$k)wHpj0@y&mgG_`?qjSU`POTu^O#(*g9ezhT8OKYe0LnOXrkHS5-6xnJ#n zMN=XU;W}I`NK}k}=LAw>+Tmc?PZawNF*o2;+7HALsw>#(vma0+*Pjnp3c!7qOwKh% z!P7!Mc#QyI0@7d=Su^I9ku$(K{-_4{^CYM)rTIQsx#6Gf4?hl78wY);raw<=D`GlmQ!6~A{Sfz>qt>r?%i3wps+@}G7P$_3D*Pp%P%uMVAuS09@g7L`V1z3VT$_Go`oDIr+h7D@DhWOFHg2AU~tG0$laF=h+^4TvyGn!j#E>@<8fBK_E%w z3=d!tDaU+_*;p2JB<&N@%k+hZ@^$KvaVl(~OhZkmhUuF`yb-HVeSIk=SqB~tefRDSNFlzgWVKn6qp4<@nvjr<&jM?y%x z&<79!bd7fKnzz9p#aqTQvPPdLxn;!+7GY7xD@7#ev?dl`U0pAbgr((tY!ulW)=6XW zbt||w1MfJhhyu_RMl`G^4LUkFbT4RLp)~0*SpK;BC6rBOqPp9anNxUclexHH`nVm@ z&N{oj!G@BB!gQD>rs^SaHP`K`f|Be!Mi`;e>9$e9OK&KDv)(BIZ@Mw>8IxvSp)&_V zav1O!QIq=Lpo7@cW3%jQ9VpL5hlHEVffT3}Z9y4F?#(vfk1E7v5ghZzA>4tjk_q~f zTj!KuP0jVkKJgw{s>?Ibne6FK+{0$Rj(K!e(*rAYbv3vib}a|6xxA; zS^GHac?PhF;N;A1vRdR*F6s5dPuTCpPpfG19-OibXKa2R$LERc>&f2a+7)DlaLH_r zX3zLs&gB7yOXaFJZWEcl-N&BoVZJ7O**&IT4cc|}-C_BpbMH{)8M-n4rj8h*q+ee9 z4(dJ2Sw)b<+q?@5WIG}!v>rDO`2`QlP z@$`E6?DIzlHp<_$E7kVS?6d42II@I3?Tmtd8Gpr(_EBhk@1O<%{b1QQQE}_Ti-V@l zn@d;UdTUIuz~*Tf;^dInU0fbWMR=)tkLx-w@-ffRw@_ZwUOD_(?#l8=%{xgQ94LXA29wd5$Up&-HR z`6R+jKgp~3zb^s@5w3~iN_~p6YPwTBDs>k!J9vV4Pq0uqOFv~Su0c^g^K@O5KSmyq 
zP25loA#____^aJ`$L$Km7U0tyVjmT>Ua&5Wg&l8fnd3cXuNFlVLz4zP$w=X>k1E?$nFQ zFc5p`PSQTInB{RBT5H24uiqGFJaDak`1enh3w$}a+;1Dq!d!STrCu#}W>P82OV>#b_`l;e`-xl?Vxs?Dj zwxd+gZ@le9_i(dKwh-I4sR0e%_~FiRk`d*1Yw!$}#Cr4G=6Id1d0*H-d3Xs~}RQM@$zoxU5!0ziBnF zR3oqysZB*a#C2~vH|L%qWZXUu91kp{75e64H{>)OsoWwokcEP$1LYzPQR2x9q_wNl zKFrjsjfqAd_#-i6yQ_&`@(#^Q?L(pYw$Q*H5`L%HdyN9*H~Tw%igzz;R4Gl z|3MV?+_Ay~V8siZ*Jc0mYw>I79a(SxAYy3^0K%*82tT}O+0%w6sy(OKY)s6Oq`W&U zxsw7Qvzge&$u&C%U=~{siqQjokURAnFs3!+%rW9_AxmH)GpL&L9hU?>tzq<6O7jTs zk2KR%7c>CbPuZHC6_o&{?{+ZzmtE$z{%0~4&~@ypTL>U@gBD0{I*Qx=TxN1gF*ZW| zV@W(flGfyb2_Ur8rv_K?)UT&9)p}a?5wt_V2kchhL*IDj*yMgD3VQ?4w*Na@IDy{& zZ;G4VpQ{77*J3orI>f--Kh?dXF)V6@Ao0X691N<@V4&OB;H|TN%ye z=szHrHo(A}M)1d#=+7sXPS6~Chd)b4`o>$`M2+CEm7$uuKjzvS{#hz80RBkb7#7-s zZsMOxmAFGmdOH0c_~*eqd%4;4$I~edJkWA_Q|FJmz(DRsa7YWE2spk0*-R(B11(l3 zE?}Lu~HkU6FJ2{`!6-7Ijv;SBNui^eO&o#S|H#Pk02G0 zt_B(yx9Rk^fPSrQDwzZ47z>{sZcKJTDX+3%_4g$kUXrO_)K^Ns0I+7y^nsgT!?vWuOnRP5k;5Qxu&N|fw93@mUO^+C9tSJR;^i$sZ@n#tH`Zw_}(deCgzMF zn5yd|W$5sTX8zooCCE^Tw*&O;ayUuo@$vU>ItLW(JLNa!gzEEqdW(L*EjC}S$*bmm zR6b}|sYaQ#-rbNy#&R-*d%VcLf3)WCy4&EJJv>fo;Zt7sZQEz|!^{t`K(HddYs$SI zfze~vGr6)~VGBmOeeVvS`pMh(r&NPVO%l~>mrE;Vw0^-{h2{@3#A9}(aRRw~wk?ev zYy`mfoMLyW?>A}*6#oeAeHO$zl|5sV;X*{$u4Y~E7rh^6JE#5 zTlJIDoQ6s-V*{2(KB~9wx_hz*w^PfH6peoxi<$#h!yRz0lQp8N78{NiaDuY#9a3ba zCz~%eiXLA_8te)va(W^%ItWM9W46y0-io2mGoQS7;cy!*9WZ%vHLi<7ER|DkVa&3~ z$!Mr?#&dtp8Z+f@2L1S%)ZalQIj|4)2$&TzTv}PcscwIIyS*g2C+OZ}a z+CAI##X_;6h1mYHsdEojvJGITlG!|Xs5Q&hi}0GOp?XnrnYcUFtiKW5KM<9Rx+$5s zElJ9R3$2!iZ7mG;|NOa2UT_wuB*^)1MddfDe1);hIh%;fZZ|NZv-*~r-ak5U59%t^ z{~-28Y{K>TSzhf1RIr*7zHy~c(L3I^gR%TJHyrwkl&ajXk-1Jw`l)fxs?5C7HY@iJE1gxvFSu=_P_L*UK7civo~5CG=0rTV2oJ1Fll zTMGu&M~!UJ$R&qivUoL&uCNF7E3!?{qOugM{8Lu|b&fW)PG}eu;wmL+xX%2{Q`F^| z`bn$0C#Jclq&@8VA;a;anW;D>O+H1~0|BPB+;y4wQ}PhOaZt$VJZMd*IYZ@s-b|c* zw;0!lF_(eO4*S9uUF9VPIKLvxz`q<{p*qoy}bZ`GNfENm?x zY8bd)j!y7NZ4tOFI&OaM$z)_)N{#NoEBqJGA)w{M&(5+)Zj3y(2Scs2&0(p=$Rr=H zs8Uc^kA^GYI3=sr!q~C%on1%opBLKt{>RQE3XGqxH*gwlY^dA5M~R6NX`K$^D?NZK 
z4MslN==`RZf!TT;%wXaw>myi=U;n5^XFB|72RUM%Gksqafk&&OC~U|-%m1qGvHl$t zoEY|#UitHlPbH^Kmq7a}O^WUnN_{wTE`2j6`Gx(qP9w z2H1ZLipUKlN1v)tosdmNszEnMy%B>{W`l4e-m>yE=z#3VbE37!O;x|L=%?@Bk7FZw zMojJ}w;X<&Qoq_J4|q(xQwn(SrNzhm#k&$Z+B`mr&F_R}MBsDFGNd32qjo6dvN>-w za}E^3;IG^d=uGAB9Yud(DBws?xzKyS1$Bl>ercqas6&YWKogH0f%RzW2jBRGPGCEH z_9+Ow%{D?jAUvKWfrDns(|OT(<7-p&Xhi7zt9G>Z=LFLoK?sI^ra#>vtC-K@du!Pq zG%yxAN;^m|f`h&69`h6Z1c0C9fBQ^4FOkO_cDm%_3mBSX_8> zsnO4b$7ejsEu)*pE-;Odo%EMLoPhj81h5UojukF|>$UvY?lTNCcsxUiu=pj<^GQqW z!f2ldc3mK!793t{>p06FUehMv=;j{cqfKxVDZZBI*m(=ulbe-i}kiK6&hXXdwP8w|)f#yBn|;6MgWglfM^e_3nqUA9c< zVJ(Q4`(H|G+-lpeo(*iYfyWbxj-}m2{lGpS3S{+~-ZQ~<18Dsc4oxT;>Obmxy%=R1x!!mr3Wn?1K}XnsgzDj61UX!u^Tb}(9)Cyd}46^g??A_%h*PNfnUM2 z#UaB)wKQ)@1wt~oo69GTk^U4-dH}AOE)O<%z%d4V6N(o% zpY$#1%Wh9=PYu#rU@7{G1@&5HM|ZLfnieRlJhfhht00prTCIk|;qSPu-%(H16)Jn% zHK20#@W!YHmNCWzWMWtbmJeOO|V;xSOH)P!l7oQ+ZH}=DK20d?cFDHwhNhp zyL>rhZ~?xTZ9Y7(xwg`w*fGb2xf}X!C1Q_Is?M1)HqB5>L8rAeg4P!zSh}jm!j9Wv zf{Ls$ne=vihko&AI-rsEc?-9~9}np|Mi4{4r)?JGcphe0=DjdMi0f7kA$n%2>b|M( z0e%z72i_~=Z87<}RzDkQI!OaH>jkhuvqP9ezS^8FCf+zzO%*I4NQ-pW6OifrBrv?! 
z5Gy#5{>A)oZHTK-B(O6KTRKGmQQ6}JzWGr*==d?4n9#wv&h!96(~elvF1oJ%8E>Ro zS|TzxTx+xgekZIMX?-63TSB5q#~Ond=ZL@Lz9s05!9 zVmVDc&j3KpQ?{A!QF-Ie(AIp5UKPkkb9kqAewDB9KITBpNg976nr&!u7vn?%>Ne)h z!?GE@snoU94zhbS0c-_i6460K!>yH$jmiqH*usOP)Hn%w`ElIE|-{?0#P(Le@)IH=9H`U;{bevE@9n25ZeS7&9y|B%N#os@fm)x#q4R}n zLC2B4VB@pMpNxZ3y?moF=Pz0E0V8WjtU45>O^3xO|C~RxHBcDdF)D3Q40I}*)DFAu z1e(87qsa0>kOOF1)I^m$Qn$98L-1?H26Vr6z6mv{(U_>SUgTV58VXFM+?{&6tee0C zL7Iz7bUa-dbG`kvM)1nVS`)f#keuz$_sx36>i3)wcfe`cqip|)F6))y!xut$e#0C% z+3xP}?L|T0R|}uvvZq-M5v$ftZyIlZn0wxm{ZC>Q?b^U?0G$YsVs*7N{U>e}I9-Sw zY2mYb^&ZI407(FG3>NN9tSB4}@NEyD|B={-Vt5=tFM{eTg!D-Zg2z5>+A`aQANHL1 zFbaKm-UYi7Y_(nA_@wr=X%YjK{#B;*Q(i(wYx+-?ubY`_BnK&zf#nA$wYvjb+M~Xk z(%^|yU)zG6VUUj^LeG|Bx#7!sw^zCF)Ow1NQVeM_GCV%;sg#ka<8-Bt0A+C@p9lW4NASoJ$ghZL8PnL>N)S{CO?aq zc`og;Hv3nRT4$V_!7@e5l#dk%Gw)N-tlbVd;LMqI51Owv|!BBq+H;bd!}?uppl52 zGN`3O@qpAJC-+0daxI4yBVUokhHsrH?fYLIa_iZMiP0ei&gbBD^f=O~qhXsbyl#9K zS@|;}kr&_EsRZvtd$-bJrE<^cpan6x0vb$<#LUrLl7e!GSI@rq^rjEp?|;*f)VnIwyB( zN7KlsVB7|4coXYhRL<5v#IZZ8otx!}H~B>miJwH5 z>FGw|KVq&HCG3Ar^T14i@g|&h{o+LP?CTpylwY3db8@z2^4{th2SR)+W(od zCNCnjN-EKj6WdurIT^U^u$A|40 zcn~el_Nex*|Ei>nMtje#r?(RN^ONf>bY~+)W+lioK~#HCh3^Nx(3)nx{>@D*l=6fQ zP>|QRs960P0;b6*`BE^xVXfxf(W{!5tU6V|+Y3YL79hvztqKFk zxRY-O1uRDA{;yzRB(p^l1>vl9tk`(gI-0+_T!}2!Xoa{!KYxNtGC&_&eZoI{kzcpC5l?R^*&*{sYxEZi*C+gq8(d#w&sy>KGDp&q9t7@iO0QyY&8Ly zs%AdQwKJnN6SWDx*RO$RtpKO?V)V%WLPN0MoTU~}UTPb<;^+3yl3+2%!#3>2`mY>a z;@z=N0Brwvo8bH*#TDUQO8SFFAP0TqHjV5`C|z&Vovj^6Z4?Xto0ndM1wa^W<3+ zV=j`SMs4acjybOzND>tiP-SyewYJ`$HR=#LW%aFQ&tyR! 
z*lt#&1@(dY|4wNMOv!67{+ey>mpsq`FY}s`-30#pL-edjTC|lm+bj5-%WxB_Dghc6 z3~Lqhg(v%prg9*2$)itj3HnY+ z?=eaQ{-nkVtnUo0A18&(joA7X-B{B+$zw2HqWxtq@n*u<=gbq#oFoKPePO)KB}i6( zL^%}TzMLP+2NDw)%V<$cNlp>5RP>p`J7Fv~zI|UE9X-~;lE%EOqdyfnYIB-?%;}#Y zh5Y>Q%q({^yUitvC(wWEuzlR;B%WPiuk)Ej>t8nHCP39mhUTa|0S=qraoD1o`C4mW zzR%W?NB%wtD%z4qrBa0xZPoVTV7y0xS3w!Sd)Y?9(HQ&dVJ%W+3J=wF5+4=%TYop7 z!EP7m@qKU$(Jhv-;lCX6P7&8kP;)TjJ_TR;PA*iId;oj*h}tj$w<#$G4T120_>e2k zI7XykrB*yX8OLEzfW5Oges~ z{%yHvFc~$f!0S7n9oRjm13TEhpjD7_xWnZHuov+hP9%pks1~9u+{_OL_{M?!oTPb* zsPJ&}*kl+?xKL0wGXR+D1Ta^Yks_2y9~fG&nIG4p2FzQKi6wsEj*48?gU(rs@jXN*{TbLMf8=M78@?ByJ=~~)xuyE#Q!!~ghYJ5LOwe;F+ zIn-@r$%dm^sL}d&vt@o(lUl&(5L&i>db{^03i+?ZrS{FA-5a zeAyn+2CB>~h&OO>Tm!sf-e1W8Wa%g7w2%&$x}6f&VD$6rKhDae4uiwff%^wcxBvux zXjM?ivL5pi0`I#UhyTL&GcjE4NlS`T6A$Z4Q5JkzSs@?=5(oTKrjgRw$|sF?zt`P4 z1%F=ga4@bqMS+Jhbf;wlW(ylu!Rs6wQwB2f-;bp=jd}4+Ou!C@3(gj!fyW?;2k#~( z)esI}R#Zs^BYz>dscDuroJhmT$rhuX-Z&!w8i1Bb01eNrIR)E1SPEQ56-t%hr@s&} z`sV*bZDlIbw!fYMNbHWvX~ESEME!k@y?ArCdSF_PBzK3GvrQIK0KC{)kwy_6RN+g?weCw zRQRj}*L3+i(#=h1{%5sk-(TtM!JL;Guf<;MgWaWkSw89U8(rLgU=s?ntzj4WFSaZ0 zgFg%@RTPwpD7XowJ(ySI<}06>^o}x*qS;Wy|ik{^&h$33Cu7$k&oeEb_ia zjy8|x(|?U-_2C+e9i5Xm6&7jyhfOX*{pqRVSqUO}HF9lynVhUoYEo>XCXVe2B)-aw z`O1@JXX5{(DBXY2^#Y?ah(#mosmjE|cxh@<{_-J*OykEdix_=)+P@05S7>N#U~zml zelh>dpVP2tr-i>`U}=Y{^)@};dLJy|?&7-v!%Y1)+QIShr zPKS@QB7wS@?LQe*SmN7{Lq-}J#@wCKfnRyWwzUaIfNE;KugptL#t^t=?bmk8jgQqYg>039JYaeWp9gum9*=O!IQI^qSI>}ah zCP|Qiz2eKQ6tBc26!~Q?-O&AcN*_m&&FQIL^`u|%{l4s>!q-!AqXlYNR`B2VWk*=> zW6A0T`fKWN!X4t5#PK~oJm8&&x}`;440&U*w|uKrvvfrqK5K0lo`&~WR_|v@>qEv@ zmLWi8oon(&#~&xy?;k`(Jw<(~C?XDIVn_@ttVC@KGTZcB9oo37jxJ~?YxY#Gv!tN8 zugGu!HI^^=^?jbF?bprye7r?UOG=k;^9N6k5wLL*n^k)QI?Fi7aenp; z+9ofKiy@U3@yGNhJbS;FhiX3BNvSy{*Z`Te85vBDy- zqc&9Zh@6`fQ=q7IXe0s&ci(h8Zl21yWBY}0$S#jQ1M#Cmd7sE+)NC&N)JKRHFZHei zMGIpox#w&?h6Aarx`KehU*1;%ydQ5b50PXWBBX8+d~nia4JOdP?<@3FR_P4FdY|T~ ztJEG|N>lMeIHbOiZZ!?BV#_WW2GaxBS$N#3zaWatBw^gI5LYI76AXGO? 
zdP0QPR8Fzccl`oLc=}u1;OT)|PU|u390=8QrE?8D|IZgM2*^mLGXD2ls*`sB4@rCI zpXD)pUuZYZEoU;F&P4TlyOk}8f?LiIBUJa(u|}GnTxpW@8zQ`1q$`LnAJ(N@$-tE&=bN&+PZ)NJ`Mx3YeG)j9+f zKM*T-i&K_MaHsEK&)}HWRDXh&3{}G-qzFHc*4x3dNhaJgbpGwC$|AyCP*|M(1cMXJ zdjH`K7S~fD`bM`_s+#nly}9srenPy(wY9!Az1BJ80v?~ysI-D&FbEL{ zf4CuS_QPX<5qRz?qg?(06C^J-$fZZPqQ+P`uPA1^L*=;0Ctxa|-(F@3Rs10!4sK|EOA!R&)NM z3U#p%W*>2mf|h^*Q}LPi&R-_s-H(PRn zz2Ff;HmldP;A0nG0IfVXG9v@Idi^Qz7pocWI zD^2lgabT!!u_K-KU+|O>|6(Tvup5LszPo#zUF@DY{?dx*c-CwBuE5p(*Mw@crn)9_ z6bIO9NtMexKd){UoC9TVXPCTm?cvS6-(5k>UyCF+ubE%sR_`Np2)f=KkVkWtI+RfkI_8EQMPoonZx%nMcbF2_b zSA5Ge%KW{xHzb3k$nAyulWo=Ic;Lzk;bG|~r0{XlTys;&XG}U>scIWwfxTr>c3r40 z5=>?Sw|o907*?Kk#00NTMlNAI8BZZorn)&N;OtcsTVCwBQmm zR6t)DUH!df`p+)aXQR!IPtjee`^PlSjrjk1fa2VFK>8DUQPmo!qX6*vB0k01ckcpq zT!|!s$ED6p-36(gp+_Ao6Ow@7mv@X|#GOjhgF~GCd5RHf-OCltQ+(-0n4JSS$drbI z(aN=$FhKk;3DN|F4M9wHF*hpbBWY|2xFLSLGer&1{a0}X8~NLq#q7h2T|LW9em3J9 zedUAo=CF&L8)2y=KICWIol!O4Rw@cH6AO!3rkp@P<nx9qW(O)2!fdJTcPkoVCLS)z|&Fi-6g@+W65wDh{J70ckXycYxk1mR-0dEVaDQ(n+$CqSPaPfTLMel4`o4 ziw`-fc{Q55SMn_HgQp{`+3wntDRR9s=(HQ{KX4$$d&@j_XVV)mImqLOw?0L|UPXmt z-KU@48Ln7YKWHb=vYX{qh`o`)ouv!qmzeBhVLXfTBUb^-tuQ+a%;CBF-&{Z20IZd8 z;6Q$6F*hO?TMRJ?IOls}eiZo`I;=4x0|cf4G+}&@!>p85Z{YEOCN);TAv0Nz_b6-b zG5$JtvhY~vM!BuxLI-mVD(Eq<@Mt*Z98 z#}I+GI2Ct3ZbC(Q-%_natD~Qg zYyInX0Gk^tpP$!X2)Y3Tg*U3U8Vsv(=4Wq6M(P;HGdl+cb>xB-G~F{rkAf^U)3!Ka z9Td5*Veii=alFt(JRJFtgj|mTeh9OpwY9lYxhgo-pyd64d_N2wO~IG+6@W#Dj+Up0LPkc-mO#MWE#_HJ&FLpIj)Gl__9M zzoA7b$KY_K1jrB=fcwVUKoLvSk(c6aoEtj-tFJsjw@QJ5lIv_U4G?yC5Zol+Uy$vD4k6VOG# zB;BF)MtV}fSq&!3=2osSq?w1(_^n@UnVxKtyo7)Q1*7b3UdH!*Ff;} zyjg8%=esVlQrOPZp@$#TIhpfO)51`IHQ{g2RBX4RoID)zjXEQ%G(ZIN2h-$Y=nH%jbOj~MU;xF|Osua6-^O#4nE{vWFBj>n z>TtATPwBXUY6)cr5z@(SzcEDizj3p`QFUhkpp*a8NUlV ztOGLGcbzJdop35YR*?E`v4;sXWeli#(N3Eb-5n^zX`laKqe<-uO_ocHGnVGvN6|R? 
zlxUOQ)+0S#Q%N+oiW z^&SYPZDA&0Xx@N-lWC-0pbqF~jzcpv%JV?vlr9Tm`Xh?9bRas3|7KExZDWg&+v?U8p1;*#mviSuRRIf;{7&^|0w_#b#uN= zwdMH#e4+XqxKMrOs5Yf9JztuVkl-iP)FRe#eeGAsh_5bf0D&Goq{7OP<-z8rDCAYp zpPz(Qj%gWQ+4=NQ4h#vFXuCXLVAaHErp)wV*^WOk0EhYGz9$`JvZ1_6BIm4oGtwU`yoQTLyZ{;w6^5Fx_r_Q|!}W^M3M zpba!8;X(gZ6T`1d^@ff(RBxxcDhg7FA0sLGt(dZvSw97LmU^n1M+nge*#Lr-nFXPV zDNtHMuKE2l{;mj8Gle^mXiq3EE3%xa9Lzu9mFh<_TBV)fbaLL7+vCn?&bETB=4q81 z*04^09*qQ0u3NT0=DhEd|0M@q%0%zY0(rDDKKz$@!XtaWOAT$7*5Ai)3#rpjM3ObW zJw?wPG)KiQ4vYJf=#^9~NfB1CqDr-|xFyJZpbGO1mAb+)#LMzef^`PThYY23U)20| z^k?}m!b?qT&zelg-_|D(!KmOvbiCNSN+bndogRCaRYoGj7~w$Zs1*{8F$({5@6(pM z2P^!!0Q`Aqw1|qXGFMkWRpESQ?ORF#*P4GT9g}BM5MZGW7`Ds=PHybQUn++7cQDKu;Ws8fYEoxgt56_6!J!@^C_s!7A<_ALJ`AJ zi~{Mxy<>@L*$4uj``pD+)hw61UvW5(w5zpewAggpz5_*r79X6CzEm7ZYH~+^r)PeS zMg+tstT=b-$b!wy^8cFAf|EM`&AwitKtFy{R2P>!32&N7o||%ufjudmgOKqkM#31q zx7f83T7p~Qp46QP=^gkBd|_^AiSB>7Od1;9s0?s9BD{_lldMA-23;1E`DOuEw+>_Ks|vjD^;O$NvHRFi`D^tB%q0r?F8WlWIU6Ddh2K= z5W7YOGbTK$zA2n^@@Lw}@K(b6%0p8mJuCW_ z9b?H%l0m=z5?2=VRNzGrORKYDk5G8Z53HmkfVfL(fVl9zVIg_@mfJ4XfTWC<*uuhQ zKliMo!iSP*Cl<&E4|~=-IU;ZFYgVgxe>Ha9{+tj-9e2V{P2~IW35nsoFMk;g+j*K# z{cUplc)3);`<}(5|Lf?xnbDvQ{WfIQ+YkmqLl8;WFForoXqr!Y@?mR=FDf?HSiTB9 zKe0pMnITU-suM2h>DOq^h>Tb67UD?#sBLPg4%Vy|Fccd zaR5<39of1sJgwxvrPk-cey92A5gu#5%Yr^k_< z6xYl*=TD6vr{a{6e!PGOkso&1#qapkwOX5`^$xzG z5wE6Y5N2_Ljyu~ghApHKl1AuvwHA7n#KITqOBNzu`$RD56Q1iL?5Yig9lvsR1OY;E zuzl=@y%nhUTXCL>4tLz2Im4U5M^=y?B`V&mnBy{vgqPZ`gNPqw2ca%uO8YOPI$YT~ zSjK)Eat_yJb(uilQlPhyda^vTqG?lh*9LB)hp$WTnTZwE`Ki*35aH2Nt<0&env@yi zH5W2mSndUn83kY|qNL1tjHA2Opr+l#&Tq^$npd)+_11{8{zDgF@=MU%rlxD?{IaXaz1afpomgtyW+alth7rn{f%2tSDV7oPf5g&R z^#%_pUZ!1_i>JPfk&L=hl}Tg@zs#ad|FLbcG^e&R|1!E+J(p7IX^ViYQFak}iv1@O zR~M2ZR~sfgKGzghH)Wt@>e83ybC{7+ZWfzfc`g<^sxz@tWYYaRTMVj6qS+-JGx3^5XA)a$Z!0 z@@>!-tFKKexB7(4Ema*@zjqsGB^`($V0Wdf3VLGHZIX|c{K-m?*GQ-Nvw&>eblkEF zYo*2$+?b-VzMJ)%QGIWy@nnj)7hI&`vpK$ykU5lr$-76ASHJ{Z+FL=@e^1YhR{u!J zZo->(zu5$`QJ~2a-^Xb|R&ZO*(A-s))akV5>$p8!W|iXg0XwQMl7L z0rotlZ+iOn+I~v<@vr)FSJiAMSk;LbEl@FryS9lAbvJ 
zH2kcTq{5T&I)Pk1BXFc4bvVT9NjN4`|6APb;`$Wlc>k_$XV#x%t}b5=NL@3S4aw?&s|PSOeVDP)*ZWwUxVD2Loipco_qA<-^`?9 ztnV;0787A~Gj8BZq;m8ci$_hdSzKKTeQ5CCGcsS543(LXHn8N1e&)#SJg^WytJR)q zeWTv|y`5OtJEt^ewO+UjOCrUBUP(Q~#-|mZQ|)Vq{ZjRZKb06RqN8N2#y?(0m@j#n z1%OSg#l5|y=qk!+!UH^xgei3e#4En-pnq=;6uFH~w}Ey~k!M;+4IXCn2CfH)P!STk z1wu=TD(34q?-iK3wP_WX`et3hSFy=$9ww7{6ka6aHSEbt$ye3Aqz8)}R5&yFG;%|) zJXE+;3!WvHglLef!O+(ChDRSQGe}wfQ7AeSVr(2Y5n`B~So}EO)5RiQFPMjre=0q4 zd|H55}da$yJtE5RmRhYH5^iky2tw0qGC~mhKRcmZg#IazVPJ z8>yxF-0Xy2D8Z8Igd}4xYii1#eHssFr>3RoQl|PTN^)D<~GQP%wcnlGxnEwXpcV!;^jG%h?VMM zYi&UckjkvG+neRC$F)W-(!`qipt|1sZ%XmLjuGb_Z9;ij>#T$;?$~`@S8X5oy5sgj zWmDh1M4DM>2rk^)?=h@=2F8;_S&YP4D%;&+kJ{2T9o)h0?@O~{GfG*Nl*bdN1EEBi z(5urKIfcB4&2nz{-mcJAIGR68Q}mU^KzTdF#MoQ;vxu4taf)KXsHL2Cu1A27@2F!{FcocbYrexe?wq zqt+t6WCl4EosjF%pWYRDcYU7Y-?Uhln4~ADwJ%CT5FrNzAkECqC?zbUDFwml7H86M$? z3p*4fCFW%JPWX-$;)%*7IJz|PP=a-}0ETZr@e}%dT#aTvDLs9OKYvY z9`hk(O5t}9Wbhx{4H(h!(GKObBSYD&8+lrzwd}i>ug*Qmcj;g{Lp+@}|()}*2S_KvpUGX~?-d~r(D`5#1$hgA&Ja|TNv6$d{0(Vypq#rrC5i7w zJN{^wzpS~9kSck6Sk(6IckTHlM)>|{u||){l5Rd_^uUp!itZ-%oa93b_2gyT!~M;X zdH`Tskfg{QZZ7jj^4w(=lrl6J*xhpUN{2p*938PW@#|m5VE+1_ zhPFRI*f{M7j5@dCU!^lU18EdUI|`qfv^5^(3qE$`;bq^ zhKQwMWE7ewZQ*KVg^q!PYOx6Kv zZCvWRD~h+_K+>po`$TD&wXNIr$68yx-No|HHG!-2ojG!Nm19rP$Jj)rq_yXS#GtsS zQ4G8{<=X>==Ef-N4DN?3ukkj~rImJmfH!rS0iE}SioiIG4r+O4Pob=3h7jV9$V{!r zFiE@$Dqaq*ozI_OTP7!Jhva;YwufFy1`x6<>*ozAEsi~n@6On^VDF}zLxsj@&@dJc zzV0(znNcANe}}Fk07#E_r9Ypmh(w2ed>g6245Uc2)$(Z4uz^UIcwj_px*V9J@Z26y zRV;I!@L+fzGkLgcJ(J%nsKNw7bPuT3m&rL56_5Se&bam3q)WRDb#Nj35{AtZ5R=0Y z&hvX?i*ll`)ZJ4G#c7mvjK__i!fTu0P&C`0e zX!l>fRHGEzwBAA=>!O~dd;9D;o%iyt&C8byo_jdt5+np@{bki>&S?5}zw&%vD7~ z)QBtK9J6eDJ$-vpugeKyTLOG7io%t8QxPX8+oVnt_R&ERtmZb$kFW770RcyIom05b8R(K?- zjll};R~5!kB=Z(NRkk9h-FfCvHw$Eac*)S2)ndsKhsJ_XZo(CjC>SCdBg5 zBeUS0p6d{XVSYk;_`T|?js|YOANPw|hbhM=HEfqp4dr=8$Z&#mKQAg@e9;rH!1A!8 z621s~sYiD94yw6z1b(Z+Zm9ibc8YK9ewWj3?7CAdoY2j$+tu$a6!jHmcZP3> z4$-nBrv1NDlLpK@w~)|#nbd%Z^R9mNncq_5k#-zvsj5HAqycJm^}yZJ)gr8)8ft?L 
z?lNVlBNJY)J<;)VaD#j(H`f()&6hPvvjfc5lW?RXAgiw8Ejnl)$t)s63stjide3?NrA0tiFz^~p;SeR~&7s1S}=OAfGt#$U!*wqQZaRm>2 zh?}@w6-hDZLQ|hK@U5Ap&S@CDWYlC%XEi-rmZe69$;4n0><891+LTDOG>0@xa+3V^ zKoE%WO$Me;GLXJ0fbSig(*!3Is?#!JjDG>R1%Q(R-s4fAVw?}M=3TR*PNz|?+{e9c zB_>>-g!y~CWO>7XAB%l2uCqZ`{AFA32S}ElS#sg(iiM4|7r&`MV(y|pK!QWO?{E-{ z3a7>J^=;Bh8wFF$AQz;w>hWZMMvY{67v@b4cT^KpvIAJj;}@=m9@U+H_~ zUK6aQ9?DPfP-Qkc2{@H)m-4hSI9a%#nACLX!b`t>unVb6?T!!qcDB6y{8KfA??G3^ zTikkt>HWoBfq?q$0VbFReS47&Ge;+$f7L5idYl|b54E!0;5DykIY#7l9aN}GlTkh^PZfs~uK*s0_>MCyfjsJ;s??opsOYZl#1Zt*bbokC<)213Q5_sU^+kFV ztM@%?|6;oi>FE(PLNIm!weu&a-(dZW)8{v8yiv$i_ik{z#lx*{!pPUXp9TU)^WKbu zLU2Twy;OM|up3h{z6UUwSqo;B(=Di2=;?De%9f8dWIVy_8I7N>uQuE8FA?G zLLM%%z<(Ye@zWVk5j7gjx3Y+mNiy$!unLr0@5QYksB-{+@@?c`@TJn-CHe4fc4SYbpI@g#C9#FjxUmmSlbx~9MWzI%B!KQOq~gAioH zjDJ~9&nT8hqvXB-62y9LA5Np)6bPh+4TDUUW#nteU83mQT4j9 zJF-;@GAx46`o$Fs|2Vb|I;wdFzZ53jt)6Qk*=bGIH}KbF@PtJd%#WI+nPe}a8wOek zEECx;1&W6QzxT0T*W*lmkex-M*OMo{)xvgQzLWC4u=-B!%ba$jeqqMriRw0pS46Fi zM>-B1-ZoZ~j82gJ!Ohm>La*vf`3DRuvZLs%AD44%=_CeaoO=EG9p()3SI>)9`WSwu zo?@RYH_&2uujC%#y63*1eLF0JU*L_z^0Q`$`f_E&x;T2QVu-EH~bF)g_hHeeMSEOQsc}rB0w8BZYBcKXP zTD-YSb7(uIZ?2zO$*jw#In>s0D0)sE_&`fW))J1lDFm5t-w9_se;3qO+kJxJEqVXMoKgp*meKdgf4L%& z*N@@tUEklIChgxIF5i{L0OSpn6=nbcfU+_Wfc>a30VF7B0F+1cS7=Z${?U4mnD#&X z`Vn*fXM_5P`A|>+#E;tMQS8Ie|FQRa#DA07qx|LhKdotQ@9Y86kk@4r1o46R_y7P5 z03aR Date: Tue, 27 Jan 2026 11:54:14 +0000 Subject: [PATCH 2/5] Update products.js --- src/config/products.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/config/products.js b/src/config/products.js index 7d1679e7b7..f76d97f350 100644 --- a/src/config/products.js +++ b/src/config/products.js 
@@ -560,11 +560,17 @@ export const PRODUCTS = [ { version: '3.0', label: '3.0', - isLatest: true, + isLatest: false, sidebarFile: './sidebars/threatmanager/3.0.js', }, + { + version: '3.1', + label: '3.1', + isLatest: true, + sidebarFile: './sidebars/threatmanager/3.1.js', + }, ], - defaultVersion: '3.0', + defaultVersion: '3.1', }, { id: 'threatprevention', From 5c524289d1f6784024317fff8ce114c63be638a6 Mon Sep 17 00:00:00 2001 From: Luke Hunter Date: Tue, 27 Jan 2026 13:44:53 +0000 Subject: [PATCH 3/5] Fix typos --- .../configuration/integrations/activedirectorysync.md | 2 +- docs/threatmanager/3.1/administration/playbooks/overview.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md index a31b507cba..125e05d900 100644 --- a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md +++ b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md @@ -7,7 +7,7 @@ sidebar_position: 10 # Active Directory Sync Page The Active Directory Sync page within the Integrations interface lists the domains that are synced -to theThreat Manager database. The sync operation gets all information about an Active Directory +to the Threat Manager database. The sync operation gets all information about an Active Directory environment (users, groups, hosts, etc).See the [Permissions for Active Directory Sync ](/docs/threatmanager/3.1/requirements/permissions/adsync.md) topic for additional information about the permissions required for Active Directory syncing. diff --git a/docs/threatmanager/3.1/administration/playbooks/overview.md b/docs/threatmanager/3.1/administration/playbooks/overview.md index 52972c30e8..55f38b8aef 100644 --- a/docs/threatmanager/3.1/administration/playbooks/overview.md 
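Review bot: in the products.js hunk, the new 3.1 entry points at './sidebars/threatmanager/3.1.js', but no patch in this series adds or touches that file; if it does not already exist, the site build fails on a missing module, so either add it in the same change or confirm it is already committed. The isLatest flip on 3.0 and the defaultVersion bump to '3.1' are consistent with each other, so nothing else is needed there.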
+++ b/docs/threatmanager/3.1/administration/playbooks/overview.md @@ -111,8 +111,8 @@ The step is added to the playbook. ### Follow-Up Tab Follow-Up Playbooks can be configured on the Follow-Up tab. Follow-Up playbooks allow additional -playbooks to run once the playbook has completed. This allows a (Undefined variable: SD.Product -Short Name) administrator to sequence a series of playbooks together as part of a threat response. +playbooks to run once the playbook has completed. This allows a Threat Manager administrator to +sequence a series of playbooks together as part of a threat response. ![followuptab](/images/threatmanager/3.0/administration/playbooks/followuptab.webp) From 07052e34c7800de0a77f85ae712895e6d850bd50 Mon Sep 17 00:00:00 2001 From: Luke Hunter Date: Tue, 27 Jan 2026 16:26:10 +0000 Subject: [PATCH 4/5] Fix typos --- .../configuration/integrations/activedirectorysync.md | 2 +- .../3.1/administration/configuration/integrations/email.md | 2 +- docs/threatmanager/3.1/administration/investigations/reports.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md index 125e05d900..11ff46ef69 100644 --- a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md +++ b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md 
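Review bot: in the activedirectorysync.md hunk of PATCH 3/5, the sentence being corrected still carries a second spacing defect on the next context line, `environment (users, groups, hosts, etc).See the`, which PATCH 4/5 then fixes in a separate commit; fix both in this hunk so the file's history does not show two one-character edits to the same sentence.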
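Review bot: in the playbooks/overview.md hunk, replacing the unresolved `(Undefined variable: SD.Product Short Name)` placeholder with `Threat Manager` is the right fix, but the same export artifact is likely to appear elsewhere in the freshly created 3.1 tree; search docs/threatmanager/3.1 for `Undefined variable` rather than fixing one occurrence. The unchanged context line `![followuptab](/images/threatmanager/3.0/administration/playbooks/followuptab.webp)` also loads the 3.0 screenshot from a 3.1 page; confirm that is intentional, since PATCH 5/5 uses a `/images/threatmanager/3.1/` path for its screenshot.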
@@ -8,7 +8,7 @@ sidebar_position: 10 The Active Directory Sync page within the Integrations interface lists the domains that are synced to the Threat Manager database. The sync operation gets all information about an Active Directory -environment (users, groups, hosts, etc).See the +environment (users, groups, hosts, etc). See the [Permissions for Active Directory Sync ](/docs/threatmanager/3.1/requirements/permissions/adsync.md) topic for additional information about the permissions required for Active Directory syncing. diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/email.md b/docs/threatmanager/3.1/administration/configuration/integrations/email.md index 0a2135258b..6bc4dd02ac 100644 --- a/docs/threatmanager/3.1/administration/configuration/integrations/email.md +++ b/docs/threatmanager/3.1/administration/configuration/integrations/email.md @@ -24,7 +24,7 @@ The page has the following information: - Password – The password for the credentials that will be used when TLS is enabled - Send From Address – The email address that will be listed as the sender of notifications - Send Alerts To – The email address(es) that will receive alert notifications, use a semicolon as a - seperator + separator - Subject – The subject line of the alert notification, which can contain data variables. For example, [Threat Type] detected by Threat Manager, which would replace the [Threat Type] variable with the type of threat detected. diff --git a/docs/threatmanager/3.1/administration/investigations/reports.md b/docs/threatmanager/3.1/administration/investigations/reports.md index f0770d845a..cd1a60fe6d 100644 --- a/docs/threatmanager/3.1/administration/investigations/reports.md +++ b/docs/threatmanager/3.1/administration/investigations/reports.md 
@@ -124,5 +124,5 @@ It contains the following columns: - Users – The number of users who generated events - Actions – The number of events generated by all users on the target -Click the link to view target details.See the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) topic +Click the link to view target details. See the [Host Details Page](/docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md) topic for additional information. From fa3789ff59770f09f7d40fa347a9bdf012fa4200 Mon Sep 17 00:00:00 2001 From: Kevin Joyce <44587322+kdejoyce@users.noreply.github.com> Date: Tue, 27 Jan 2026 14:29:30 -0500 Subject: [PATCH 5/5] Revise Service Accounts dashboard description Updated the description of the Service Accounts dashboard to clarify its purpose and functionality. --- docs/threatmanager/3.1/administration/serviceaccounts.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/threatmanager/3.1/administration/serviceaccounts.md b/docs/threatmanager/3.1/administration/serviceaccounts.md index 9e764baa32..0936cd97a8 100644 --- a/docs/threatmanager/3.1/administration/serviceaccounts.md +++ b/docs/threatmanager/3.1/administration/serviceaccounts.md 
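Review bot: in the activedirectorysync.md hunk of PATCH 4/5, this one-character fix lands on the sentence PATCH 3/5 already edited, so the two commits should be squashed; while the line is open, also trim the trailing space inside the link text `[Permissions for Active Directory Sync ]` on the following context line, which survives both commits.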
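Review bot: in the email.md hunk, the spelling fix is fine, but the context line `Password – The password for the credentials that will be used when TLS is enabled` reads as if the password exists for TLS, which is transport encryption rather than authentication; state what the credential authenticates to (the mail server) and, separately, whether TLS is a prerequisite for the credential to be sent, since an administrator configuring alerting will otherwise assume TLS alone protects it. The `Send Alerts To` item is also a comma splice; end the sentence after `alert notifications` and give the semicolon rule its own sentence.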
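Review bot: in the reports.md hunk, this is the third missing-space-after-period fix in the series (`etc).See`, `details.See`); a single search of the 3.1 tree for `.See ` would catch any remaining instances in one commit instead of one file per commit. PATCH 3/5 and PATCH 4/5 also share the identical subject `Fix typos`; either squash them or name the affected files in each subject so the history is searchable.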
@@ -6,9 +6,7 @@ sidebar_position: 50 # Service Accounts -In Threat Manager v3.1 is a dashboard for organizations to understand the Service Accounts in their environment. It includes accounts that have a defined servicePrincipalName, account type reflective of a service account, or repeated authentication patterns. - -The dashboard identifies service accounts with machine learning to identify pattern-based authentication. +The Service Accounts dashboard provides visibility into service account usage across the environment, enabling organizations to identify, classify, and assess non-human accounts that operate outside typical user authentication behavior. It includes accounts that have a defined servicePrincipalName, account type reflective of a service account, or repeated authentication patterns. The dashboard identifies service accounts with machine learning to identify pattern-based authentication. ![Netwrix Threat Manager Service Accounts Dashboard](/images/threatmanager/3.1/administration/serviceaccounts/dashboard.webp)
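Review bot: in the serviceaccounts.md hunk, the rewritten paragraph keeps the sentence `The dashboard identifies service accounts with machine learning to identify pattern-based authentication`, which is circular (identifies ... to identify); something like `Machine learning flags accounts whose authentication pattern matches service-account behavior.` says the same thing once. The text also does not say whether an account matched only by the authentication-pattern heuristic is labelled definitively or shown as a candidate for review, which is the first question an administrator triaging this dashboard will ask; one sentence on that would make the three listed criteria (servicePrincipalName, account type, repeated authentication patterns) actionable. Merging the two original paragraphs into one long one also hurts readability; keep the definition and the detection method as separate paragraphs.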