Default Parameters for ODBSAdminActTest
This test helps audit administrative operations on OneDrive for Business by closely monitoring administrative activity and reporting the count of such operations. The detailed diagnostics of the test shed light on which administrative operations were performed on OneDrive for Business, which administrators performed them, from which clients the operations were initiated, and which sites were affected.
This page depicts the default parameters that need to be configured for the ODBSAdminActTest.
The TENANT NAME parameter applies only if you want the eG agent to use Azure AD Certificate-based Authentication for accessing and monitoring an O365 tenant and its resources.
Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. When monitoring highly secure Office 365 environments, you can configure the eG agent to identify itself to a tenant using a valid X.509 certificate, so that it is allowed secure access to the tenant and its resources.
By default, the value of this parameter is none. This means that, by default, the eG agent does not use certificate-based authentication to connect to an O365 tenant.
On the other hand, if you want the eG agent to use this modern authentication technique to securely access a tenant's resources, you should do the following:
Enable Azure AD Certificate-based authentication for the target O365 tenant; this can be achieved manually, via the Office 365 portal, or automatically, using the PowerShell scripts we provide. For the manual procedure, refer to Manually Enabling Certificate-based Authentication For an Office 365 Tenant under Microsoft Office 365 in the Monitoring Microsoft Office 365 document. For the automatic procedure, refer to Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment under Microsoft Office 365 in the Monitoring Microsoft Office 365 document.
When enabling certificate-based authentication, an X.509 certificate will be generated for the target tenant.
Configure the Tenant Name parameter with the name of the tenant for which certificate-based authentication is enabled. Using the tenant name, the eG agent will be able to read the details of the X.509 certificate that is generated for that tenant, and use that certificate to access that tenant's resources. To determine the tenant name, do the following:
These parameters need to be configured only if the Tenant Name parameter is set to none. On the other hand, if a valid Tenant Name is configured, then you should set these parameters to none.
For execution, this test requires the privileges of an O365 user who has been assigned the Service support admin and SharePoint admin roles and who holds the View-Only Audit Logs permission. Configure the credentials of such a user in the O365 USER NAME and O365 PASSWORD text boxes. Confirm the password by retyping it in the CONFIRM PASSWORD text box.
While you can use the credentials of any existing O365 user with the aforesaid privileges, it is recommended that you create a dedicated user for monitoring purposes and use the credentials of that user here; a dedicated account keeps the agent's audit-log access separate from that of interactive administrators. To know how to manually create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal under Microsoft Office 365 in the Monitoring Microsoft Office 365 document. You can also use eG's proprietary PowerShell script to automatically create a new user, or to assign the required privileges to an existing user. To know how to use this script, refer to the Automatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environment topic.
These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.
In this case, in the DOMAIN text box, specify the name of the Windows domain to which the eG agent host belongs. In the DOMAIN USER NAME text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the DOMAIN PASSWORD text box and confirm that password by retyping it in the CONFIRM PASSWORD text box.
On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.
These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.
In this case, provide the IP address/host name and port number of the Proxy server that the eG agent should use in the PROXY HOST and PROXY PORT parameters, respectively.
If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the PROXY USER NAME and PROXY PASSWORD text boxes. Confirm that password by retyping it in the CONFIRM PASSWORD text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.
On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.
By default, the REPORT TOP N DD parameter is set to 10, indicating that the detailed diagnostics will report the details of the top 10 administrative operations. You can change the 'N' in Top N by specifying any number of your choice in this text box.
By default, the REPORT SYSTEM ACCOUNT LOG ENTRIES flag is set to No. This means that, by default, the test ignores all operations performed by Windows System Accounts. A System Account in Windows is used by the operating system and by services that run under Windows. Many services and processes within Windows need the capability to log on internally (for example, during a Windows installation), and the system account was designed for that purpose: it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. The system account does, however, show up on an NTFS volume in File Manager, in the Permissions portion of the Security menu. By default, the system account is granted full control of all files on an NTFS volume; in this respect it has the same functional privileges as the administrator account.
If you want the test to monitor and report on operations performed by Windows System Accounts as well, set this flag to Yes.
Note:
By default, this test does not monitor the operations of the NT AUTHORITY\SYSTEM and SHAREPOINT\system accounts. This is governed by the System_Account_Names parameter in the [ODB_Audited_Activities] section of the eg_tests.ini file (in the \manager\config directory). If required, you can exclude more Windows system accounts from monitoring. For that, do the following:
Edit the eg_tests.ini file (in the \manager\config directory).
Look for the System_Account_Names parameter in the [ODB_Audited_Activities] section of the file. You will find that this parameter is by default set as follows:
System_Account_Names=NT AUTHORITY\SYSTEM,SHAREPOINT\system
To exclude more Windows system accounts from monitoring, you need to modify the System_Account_Names parameter by appending more system accounts to the comma-separated list.
Finally, save the file.
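The following Python is an added illustration of the filtering behaviour described in this Note and in the REPORT SYSTEM ACCOUNT LOG ENTRIES and REPORT TOP N DD parameters above; it is not eG's own code, and the agent's real implementation is not described on this page. It reads the System_Account_Names list from an [ODB_Audited_Activities] section, drops audit records whose user matches that list unless the system-account flag is set, appends extra accounts to the list without duplicating entries, and produces a Top N summary. The INI fragment and the audit records are constructed for the example, the record fields (UserId, Operation, ClientIP, SiteUrl) are assumptions rather than the real audit schema, and matching account names case-insensitively is an assumption (Windows account names are case-insensitive).

```python
import configparser
from collections import Counter

# Constructed fragment shaped like the eg_tests.ini section described above.
# It is NOT the real file; only the one parameter of interest is shown.
EG_TESTS_INI = r"""
[ODB_Audited_Activities]
System_Account_Names=NT AUTHORITY\SYSTEM,SHAREPOINT\system
"""

# Constructed sample audit records. Field names are an assumption for the example.
SAMPLE_EVENTS = [
    {"UserId": "admin@contoso.onmicrosoft.com", "Operation": "SiteCollectionAdminAdded",
     "ClientIP": "203.0.113.10", "SiteUrl": "https://contoso-my.sharepoint.com/personal/alice"},
    {"UserId": "admin@contoso.onmicrosoft.com", "Operation": "SiteCollectionAdminAdded",
     "ClientIP": "203.0.113.10", "SiteUrl": "https://contoso-my.sharepoint.com/personal/bob"},
    {"UserId": "NT AUTHORITY\\SYSTEM", "Operation": "SharingPolicyChanged",
     "ClientIP": "", "SiteUrl": "https://contoso-my.sharepoint.com/personal/carol"},
    {"UserId": "SHAREPOINT\\System", "Operation": "SiteCollectionCreated",
     "ClientIP": "", "SiteUrl": "https://contoso-my.sharepoint.com/personal/dave"},
    {"UserId": "globaladmin@contoso.onmicrosoft.com", "Operation": "SharingPolicyChanged",
     "ClientIP": "198.51.100.7", "SiteUrl": "https://contoso-my.sharepoint.com/personal/alice"},
    {"UserId": "admin@contoso.onmicrosoft.com", "Operation": "SharingPolicyChanged",
     "ClientIP": "203.0.113.10", "SiteUrl": "https://contoso-my.sharepoint.com/personal/erin"},
]

SECTION = "ODB_Audited_Activities"
KEY = "System_Account_Names"


def load_system_accounts(ini_text):
    """Return the comma-separated System_Account_Names list as a casefolded set."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain no %-interpolation
    cp.optionxform = str                                # keep the key's original case
    cp.read_string(ini_text)
    raw = cp.get(SECTION, KEY, fallback="")
    # Assumption: account names are compared case-insensitively, as Windows does.
    return {name.strip().casefold() for name in raw.split(",") if name.strip()}


def add_system_accounts(ini_text, *accounts):
    """Return ini_text with accounts appended to System_Account_Names.

    Edits line by line so the key=value layout shown in the documentation is kept,
    and skips names that are already present (case-insensitively).
    """
    out, in_section = [], False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == f"[{SECTION}]"
        elif in_section and stripped.lower().startswith(KEY.lower() + "="):
            current = [a.strip() for a in stripped.split("=", 1)[1].split(",") if a.strip()]
            present = {a.casefold() for a in current}
            current += [a for a in accounts if a.casefold() not in present]
            line = f"{KEY}=" + ",".join(current)
        out.append(line)
    return "\n".join(out) + "\n"


def filter_events(events, system_accounts, report_system_accounts=False):
    """Mirror the REPORT SYSTEM ACCOUNT LOG ENTRIES flag: No drops system accounts, Yes keeps all."""
    if report_system_accounts:
        return list(events)
    return [e for e in events if e["UserId"].casefold() not in system_accounts]


def top_n(events, n=10):
    """Mirror REPORT TOP N DD: the N most frequent (operation, administrator) pairs."""
    counts = Counter((e["Operation"], e["UserId"]) for e in events)
    return counts.most_common(n)


if __name__ == "__main__":
    accounts = load_system_accounts(EG_TESTS_INI)
    kept = filter_events(SAMPLE_EVENTS, accounts)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} operations reported (system accounts excluded)")
    for (operation, user), count in top_n(kept, 3):
        print(f"{count:>3}  {operation:<28} {user}")
    # Appending a further account to the list, as the Note above describes:
    print(add_system_accounts(EG_TESTS_INI, "CONTOSO\\svc_sharepoint"))
```

Run with the flag left at its default and the two system-account records disappear from the count and from the Top N list; pass report_system_accounts=True and all six records are counted, which is the Yes behaviour. Note that the casefolded match is what makes "SHAREPOINT\System" in the sample match the configured "SHAREPOINT\system"; if the agent compared names exactly, that record would be reported instead.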
When changing default configurations of tests, the values with “$” indicate variables that will be replaced by the eG system according to the specific server being managed - for instance, $hostName is the host/nickname of the target host, $port is the port number of the server being monitored. E.g., for a server xyz:80, $hostName will be changed automatically by the eG manager to “xyz*” and $port will be changed to “80” when configuring a test.