From f3d0c1008d6d827b68f98de08223469335f019b7 Mon Sep 17 00:00:00 2001
From: Hil-Ram-NWX <212961752+hilram7@users.noreply.github.com>
Date: Tue, 2 Jun 2026 19:53:42 -0400
Subject: [PATCH 01/15] fix(ci): broaden kb/ label skip in codeowner notification step (#1057)
---
 .github/workflows/claude-issue-labeler.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/claude-issue-labeler.yml b/.github/workflows/claude-issue-labeler.yml
index f2c2a3f4e1..4895659b6a 100644
--- a/.github/workflows/claude-issue-labeler.yml
+++ b/.github/workflows/claude-issue-labeler.yml
@@ -115,9 +115,9 @@ jobs:
 exit 0
 fi
- # Skip codeowner notification for KB PR review tracking issues
- if echo "$LABELS" | grep -q "kb/review"; then
- echo "Issue has kb/review label — skipping codeowner notification"
+ # Skip codeowner notification for KB Operations tracking issues (any kb/ label)
+ if echo "$LABELS" | grep -q "^kb/"; then
+ echo "Issue has kb/ label — skipping codeowner notification"
 exit 0
 fi
From 70a173c5e082b49c245fc867a85ebafa30def539 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 2 Jun 2026 20:40:26 -0400
Subject: [PATCH 02/15] chore(deps): bump postcss from 8.5.9 to 8.5.15 (#1040)
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.9 to 8.5.15. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.9...8.5.15) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.15 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 package-lock.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 12be23ef3b..299ee66cf2 100644
--- a/package-lock.json
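Review bot: The new pattern `grep -q "^kb/"` in the claude-issue-labeler.yml hunk only matches when a label starts a line, so the skip depends on `$LABELS` holding one label per line; the assignment is outside this hunk and should be confirmed. If `$LABELS` is a comma- or space-joined string, the skip fires only when the kb/ label happens to come first, whereas the old unanchored `kb/review` matched anywhere in the string. In that case something like `grep -qE '(^|[ ,])kb/'`, with the delimiter set adjusted to the real format, keeps the prefix check without depending on position. Because any label beginning with `kb/` now suppresses codeowner notification, a comment stating who is allowed to apply those labels would help the next reader judge the bypass. The enclosing workflow step starts and ends outside the hunk.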
+++ b/package-lock.json @@ -17062,9 +17062,9 @@ } }, "node_modules/nanoid": { - "version": "3.3.11", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", - "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", + "version": "3.3.12", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz", + "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==", "funding": [ { "type": "github", @@ -18162,9 +18162,9 @@ } }, "node_modules/postcss": { - "version": "8.5.9", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz", - "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==", + "version": "8.5.15", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz", + "integrity": "sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==", "funding": [ { "type": "opencollective", @@ -18181,7 +18181,7 @@ ], "license": "MIT", "dependencies": { - "nanoid": "^3.3.11", + "nanoid": "^3.3.12", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" }, From 1c6c586606a20e11e3272d2746218a4d8b1bdc3d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 20:41:01 -0400 Subject: [PATCH 03/15] chore(deps): bump fast-uri from 3.0.6 to 3.1.2 (#1039) Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.0.6 to 3.1.2. - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](https://github.com/fastify/fast-uri/compare/v3.0.6...v3.1.2) --- updated-dependencies: - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/package-lock.json b/package-lock.json index 299ee66cf2..4d6544689a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11855,9 +11855,9 @@ "license": "MIT" }, "node_modules/fast-uri": { - "version": "3.0.6", - "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.6.tgz", - "integrity": "sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", "funding": [ { "type": "github", From 51c4ccfab4d9ba2e0fdd70098285f639aa8a52f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 20:51:58 -0400 Subject: [PATCH 04/15] chore(deps): bump @babel/plugin-transform-modules-systemjs (#1006) Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.27.1 to 7.29.7. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs) --- updated-dependencies: - dependency-name: "@babel/plugin-transform-modules-systemjs" dependency-version: 7.29.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 126 +++++++++++++++++++++++----------------------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/package-lock.json b/package-lock.json index 4d6544689a..ff6200cbca 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -317,12 +317,12 @@ } }, "node_modules/@babel/code-frame": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz", - "integrity": "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz", + "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==", "license": "MIT", "dependencies": { - "@babel/helper-validator-identifier": "^7.27.1", + "@babel/helper-validator-identifier": "^7.29.7", "js-tokens": "^4.0.0", "picocolors": "^1.1.1" }, @@ -370,13 +370,13 @@ } }, "node_modules/@babel/generator": { - "version": "7.28.0", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.28.0.tgz", - "integrity": "sha512-lJjzvrbEeWrhB4P3QBsH7tey117PjLZnDbLiQEKjQ/fNJTjuq4HSqgFA+UNSwZT8D7dxxbnuSBMsa1lrWzKlQg==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz", + "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==", "license": "MIT", "dependencies": { - "@babel/parser": "^7.28.0", - "@babel/types": "^7.28.0", + "@babel/parser": "^7.29.7", + "@babel/types": "^7.29.7", "@jridgewell/gen-mapping": "^0.3.12", "@jridgewell/trace-mapping": "^0.3.28", "jsesc": "^3.0.2" 
@@ -468,9 +468,9 @@ } }, "node_modules/@babel/helper-globals": { - "version": "7.28.0", - "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz", - "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz", + "integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==", "license": "MIT", "engines": { "node": ">=6.9.0" 
@@ -490,27 +490,27 @@ } }, "node_modules/@babel/helper-module-imports": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz", - "integrity": "sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz", + "integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==", "license": "MIT", "dependencies": { - "@babel/traverse": "^7.27.1", - "@babel/types": "^7.27.1" + "@babel/traverse": "^7.29.7", + "@babel/types": "^7.29.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-module-transforms": { - "version": "7.27.3", - "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.27.3.tgz", - "integrity": "sha512-dSOvYwvyLsWBeIRyOeHXp5vPj5l1I011r52FM1+r1jCERv+aFXYk4whgQccYEGYxK2H3ZAIA8nuPkQ0HaUo3qg==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz", + "integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==", "license": "MIT", "dependencies": { - "@babel/helper-module-imports": "^7.27.1", - "@babel/helper-validator-identifier": "^7.27.1", - "@babel/traverse": "^7.27.3" + "@babel/helper-module-imports": "^7.29.7", + "@babel/helper-validator-identifier": "^7.29.7", + "@babel/traverse": "^7.29.7" }, "engines": { "node": ">=6.9.0" 
@@ -532,9 +532,9 @@ } }, "node_modules/@babel/helper-plugin-utils": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.27.1.tgz", - "integrity": "sha512-1gn1Up5YXka3YYAHGKpbideQ5Yjf1tDa9qYcgysz+cNCXukyLl6DjPXhD3VRwSb8c0J9tA4b2+rHEZtc6R0tlw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.29.7.tgz", + "integrity": "sha512-G7sHYigPY17oO5SYWnfD/0MTBwVR781S/JI643e/JhUYgVgWE/61SoW3NH9KWUKyKq5LVh3npif99Wkt6j86Jw==", "license": "MIT", "engines": { "node": ">=6.9.0" @@ -588,18 +588,18 @@ } }, "node_modules/@babel/helper-string-parser": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz", - "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz", + "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==", "license": "MIT", "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-validator-identifier": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.27.1.tgz", - "integrity": "sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz", + "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==", "license": "MIT", "engines": { "node": ">=6.9.0" 
@@ -728,12 +728,12 @@ } }, "node_modules/@babel/parser": { - "version": "7.28.0", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.0.tgz", - "integrity": "sha512-jVZGvOxOuNSsuQuLRTh13nU0AogFlw32w/MT+LV6D3sP5WdbW61E77RnkbaO2dUvmPAYrBDJXGn5gGS6tH4j8g==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz", + "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==", "license": "MIT", "dependencies": { - "@babel/types": "^7.28.0" + "@babel/types": "^7.29.7" }, "bin": { "parser": "bin/babel-parser.js" @@ -1318,15 +1318,15 @@ } }, "node_modules/@babel/plugin-transform-modules-systemjs": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.27.1.tgz", - "integrity": "sha512-w5N1XzsRbc0PQStASMksmUeqECuzKuTJer7kFagK8AXgpCMkeDMO5S+aaFb7A51ZYDF7XI34qsTX+fkHiIm5yA==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.7.tgz", + "integrity": "sha512-TM2ZcQLoG2/y4HODiStCo10DibYhWhGWAwVv+EQKmG/7GFl0N+AAmUiXOMKM+aiJ9XBJ9AHVZBvTzMnJ2sM3cQ==", "license": "MIT", "dependencies": { - "@babel/helper-module-transforms": "^7.27.1", - "@babel/helper-plugin-utils": "^7.27.1", - "@babel/helper-validator-identifier": "^7.27.1", - "@babel/traverse": "^7.27.1" + "@babel/helper-module-transforms": "^7.29.7", + "@babel/helper-plugin-utils": "^7.29.7", + "@babel/helper-validator-identifier": "^7.29.7", + "@babel/traverse": "^7.29.7" }, "engines": { "node": ">=6.9.0" 
@@ -1992,31 +1992,31 @@ } }, "node_modules/@babel/template": { - "version": "7.27.2", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz", - "integrity": "sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz", + "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==", "license": "MIT", "dependencies": { - "@babel/code-frame": "^7.27.1", - "@babel/parser": "^7.27.2", - "@babel/types": "^7.27.1" + "@babel/code-frame": "^7.29.7", + "@babel/parser": "^7.29.7", + "@babel/types": "^7.29.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/traverse": { - "version": "7.28.0", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.0.tgz", - "integrity": "sha512-mGe7UK5wWyh0bKRfupsUchrQGqvDbZDbKJw+kcRGSmdHVYrv+ltd0pnpDTVpiTqnaBru9iEvA8pz8W46v0Amwg==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz", + "integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==", "license": "MIT", "dependencies": { - "@babel/code-frame": "^7.27.1", - "@babel/generator": "^7.28.0", - "@babel/helper-globals": "^7.28.0", - "@babel/parser": "^7.28.0", - "@babel/template": "^7.27.2", - "@babel/types": "^7.28.0", + "@babel/code-frame": "^7.29.7", + "@babel/generator": "^7.29.7", + "@babel/helper-globals": "^7.29.7", + "@babel/parser": "^7.29.7", + "@babel/template": "^7.29.7", + "@babel/types": "^7.29.7", "debug": "^4.3.1" }, "engines": { 
@@ -2024,13 +2024,13 @@ } }, "node_modules/@babel/types": { - "version": "7.28.2", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.2.tgz", - "integrity": "sha512-ruv7Ae4J5dUYULmeXw1gmb7rYRz57OWCPM57pHojnLq/3Z1CK2lNSLTCVjxVk1F/TZHwOZZrOWi0ur95BbLxNQ==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz", + "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==", "license": "MIT", "dependencies": { - "@babel/helper-string-parser": "^7.27.1", - "@babel/helper-validator-identifier": "^7.27.1" + "@babel/helper-string-parser": "^7.29.7", + "@babel/helper-validator-identifier": "^7.29.7" }, "engines": { "node": ">=6.9.0" From 265659710bebaef6a5e4368131bcba6c4e64a3ce Mon Sep 17 00:00:00 2001 
From: nbudeev-netwrix Date: Wed, 3 Jun 2026 14:47:34 +0200 Subject: [PATCH 05/15] docs(auditor): update AFA Azure Files API permissions [US 439213] (#1047) * docs(auditor): update AFA Azure Files API permissions per US 439213 Add Group.Read.All and Application.Read.All to the minimum required Graph API permissions for the AFA collector, verified by live SIT testing. Fix Dale linting issues: passive voice, positional references, wordiness, undefined UPN acronym, and broken anchor for Account Types references. Generated with AI Co-Authored-By: Claude Code * docs: apply editorial fixes from PR review - Restore noun-phrase pattern for identity-based access prerequisite - Soften "to let" phrasing in Azure Application Registration intro - Spell out SIDs, ACEs, and DACLs on first use - Note that Purpose column references Microsoft Graph endpoints - Extend "Why this is required" rationale to cover Group.Read.All and Application.Read.All Co-Authored-By: Claude * fix(azurefiles): remove Application.Read.All from API permissions Generated with AI Co-Authored-By: Claude Code * fix(vale): auto-fix style issues (Vale + Dale) --------- Co-authored-by: Claude Code Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Claude --- .../10.8/configuration/azurefiles/overview.md | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/docs/auditor/10.8/configuration/azurefiles/overview.md b/docs/auditor/10.8/configuration/azurefiles/overview.md index 42c3adfd12..eaab999a2e 100644 --- a/docs/auditor/10.8/configuration/azurefiles/overview.md +++ b/docs/auditor/10.8/configuration/azurefiles/overview.md 
@@ -12,7 +12,7 @@ It supports two types of monitored items for Azure Files: - **Azure Subscription**: monitoring [actions](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/monitoredobjects) on all shares of all **storage accounts** of the specified **Azure Files subscription** -> **Note:** For all **"data storage accounts"** used in the preceding list, you must configure [Diagnostic settings](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#diagnostic-settings) +> **Note:** For all **"data storage accounts"**, you must configure [Diagnostic settings](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#diagnostic-settings) to save audit events on **"log storage accounts"**. Ensure you have the necessary access ([API permissions](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#configure-api-permissions), [IAM Roles](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#assign-identity-and-access-management-iam-roles-to-the-app)) for [application](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#azure-application-registration) to read these events and access storage accounts metadata. > **Note:** Azure activity logs may take 3 to 20 minutes to become available for analysis after an event occurs. This is an [Azure platform limitation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-ingestion-time#azure-metrics-resource-logs-activity-log) that applies to all services consuming Azure activity logs. As a result, some file share activities may appear in Netwrix Auditor reports with a delay. When generating reports shortly after activity occurs, extend the report time range by at least 20 minutes to capture events still in transit. 
@@ -28,7 +28,7 @@ to save audit events on **"log storage accounts"**. Ensure you have the necessar - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal) -- [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) is configured for data storage account in Azure Files +- [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) configured for the data storage account in Azure Files Supported options: - Active Directory Domain Services (AD DS) @@ -48,7 +48,7 @@ to save audit events on **"log storage accounts"**. Ensure you have the necessar ## Azure Application Registration -You should register an application so Netwrix Auditor can authenticate to Azure and read audit logs +Register an application so Netwrix Auditor can authenticate to Azure and read audit logs. ### Step 1: Create the App Registration 
@@ -97,10 +97,13 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication ### Step 1: Add Permissions +The Purpose column references Microsoft Graph API endpoints that Netwrix Auditor calls to perform each resolution task. + | Permission | Purpose | |------------|---------| | `User.Read` | Basic user information. Sign in and read user profile. *(default)* | -| `User.Read.All` | Read all users' profiles. Required to resolve SIDs into usernames in reports | +| `User.Read.All` | Read all users' full profiles. Required to resolve user security identifiers (SIDs) into display names and User Principal Names (UPNs), and to map access control entries (ACEs) from group membership via the Microsoft Graph endpoint `/users/{id}/transitiveMemberOf` | +| `Group.Read.All` | Resolve groups and search by SID from discretionary access control lists (DACLs). Required to expand group membership via the Microsoft Graph endpoint `/groups/{id}/transitiveMembers` and filter groups by `securityIdentifier` | 1. In your app in EntraID, go to **Manage > API permissions > + Add a permission**. @@ -108,9 +111,11 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication 3. Add: - **User.Read (default)** - **User.Read.All** + - **Group.Read.All** - *User.Read* – "Sign in and read user profile." *(default)* - *User.Read.All* – "Read all users' full profiles" +- *Group.Read.All* – "Read all groups" ### Step 2: Grant Admin Consent 
@@ -119,9 +124,10 @@ Click **Grant admin consent for TenantName** **Why this is required:** - By default, applications can't query Microsoft Graph for directory-wide information -- Admin consent allows the app to use **User.Read.All** -- This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names** -- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful +- Admin consent allows the app to use **User.Read.All** and **Group.Read.All** +- **User.Read.All** lets Netwrix Auditor query Microsoft Entra ID and resolve **user SIDs → user accounts → display names** +- **Group.Read.All** lets Netwrix Auditor resolve groups from DACLs and expand group membership so reports show which users inherit access through group ACEs +- Without admin consent, audit logs will only show unresolved SIDs and object IDs instead of usernames and group names, making reports incomplete and less useful **At the end of this step, your app has granted Microsoft Graph API permissions** @@ -153,7 +159,7 @@ You should assign Azure IAM roles so that Netwrix Auditor can: - "View everything, but not make any changes" 5. Click **Next** 6. Under **Members**, click **+ Select members** -7. In the search window, find and select the **App you registered earlier** +7. In the search window, select the **App you registered earlier** 8. Click **Select → Review + assign** 
@@ -238,7 +244,7 @@ Azure Files now archives audit logs into your **Log Storage Account** ## Checklist - [Azure Application registered](#azure-application-registration) with App ID + Secret -- [API permissions](#configure-api-permissions) (User.Read, User.Read.All) granted +- [API permissions](#configure-api-permissions) (User.Read, User.Read.All, Group.Read.All) granted - [IAM roles assigned](#assign-identity-and-access-management-iam-roles-to-the-app) (Reader, Storage File Data Privileged Reader, Storage Blob Data Reader) - [Diagnostic Settings configured](#diagnostic-settings) to log to a Log Storage Account From 00ab3b3eeb53ecc6b7cd278f6bdd1eaa74005937 Mon Sep 17 00:00:00 2001 From: Claudia Manjarres Date: Wed, 3 Jun 2026 12:02:54 -0500 Subject: [PATCH 06/15] Scope added --- docs/platgovsalesforce/tools/system_permission_tracking.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/platgovsalesforce/tools/system_permission_tracking.md b/docs/platgovsalesforce/tools/system_permission_tracking.md index 802f10ba4e..cf49becb28 100644 --- a/docs/platgovsalesforce/tools/system_permission_tracking.md +++ b/docs/platgovsalesforce/tools/system_permission_tracking.md 
@@ -10,6 +10,10 @@ sidebar_position: 112 System Permission Tracking monitors and detects changes in System Permissions across Permission Sets and Profiles in your Salesforce environment. Each scan compares the selected permissions against previous snapshots and generates a Change Log for any detected differences. When a permission changes—either because a Permission Set/Profile is modified or because a user gains or loses an assignment—the system records the impact at the user level, creating an individual Change Log entry for every affected user. +### Tracked permissions scope + +System Permission Tracking only monitors permissions listed under the System section of Salesforce's System Permissions page. Permissions grouped under the Users section (such as Assign Permission Sets, Manage Roles, and others) are not currently included in change detection or the generated Change Log. + ## Accessing System Permission Tracking Navigate to: **Tools** > **Access** > **System Permission Tracking** From 01bef8f448a02107fdd4c81a340ba366fc7cac47 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 3 Jun 2026 17:14:25 +0000 Subject: [PATCH 07/15] fix(vale): auto-fix style issues (Vale + Dale) --- .../tools/system_permission_tracking.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/platgovsalesforce/tools/system_permission_tracking.md b/docs/platgovsalesforce/tools/system_permission_tracking.md index cf49becb28..7660834f93 100644 --- a/docs/platgovsalesforce/tools/system_permission_tracking.md +++ b/docs/platgovsalesforce/tools/system_permission_tracking.md 
@@ -12,7 +12,7 @@ System Permission Tracking monitors and detects changes in System Permissions ac ### Tracked permissions scope -System Permission Tracking only monitors permissions listed under the System section of Salesforce's System Permissions page. Permissions grouped under the Users section (such as Assign Permission Sets, Manage Roles, and others) are not currently included in change detection or the generated Change Log. +System Permission Tracking only monitors permissions listed under the System section of Salesforce's System Permissions page. System Permission Tracking excludes permissions grouped under the Users section (such as Assign Permission Sets, Manage Roles, and others) from change detection and the generated Change Log. ## Accessing System Permission Tracking 
@@ -49,17 +49,17 @@ You can enable Email Notifications to receive reports showing System Permission #### Email Frequency & Timing -Choose whether the report should be sent daily, weekly, or monthly, and configure the corresponding delivery time or date. +Choose whether to send the report daily, weekly, or monthly, and configure the corresponding delivery time or date. #### Recipients -Add users to receive notification emails. Recipients must have the required Permission Set to access the internal components used by this feature. After saving, the recipients are automatically subscribed to the System Permission Change Log report. +Add users to receive notification emails. Recipients must have the required Permission Set to access the internal components used by this feature. After you save, the system automatically subscribes the recipients to the System Permission Change Log report. ![Weekly Report Example](/images/platgovsalesforce/sys_perm_tracking/Report_Weekly.webp) ### In-App Notifications -If In-App Notifications are enabled, each scan creates a record in the Downloaded Files component on the Netwrix Dashboard. This provides links to reports showing all detected System Permission changes. An Export Attachment record is also created, but users typically don't need to access it directly. +If In-App Notifications are enabled, each scan creates a record in the Downloaded Files component on the Netwrix Dashboard. This provides links to reports showing all detected System Permission changes. The system also creates an Export Attachment record, but users typically don't need to access it directly. **Example of a System Permission Change in Downloaded Files:** 
@@ -140,7 +140,7 @@ Export change logs for further analysis or compliance reporting: - Tracking too many permissions can increase scan times - Some Salesforce permissions may behave differently depending on org configuration -- Historical data is limited to the period since tracking was enabled +- Historical data covers only the period since you enabled tracking - Change detection requires at least two scans to establish a baseline ## Troubleshooting @@ -162,9 +162,9 @@ Export change logs for further analysis or compliance reporting: **Solutions**: - Ensure Email Notifications are enabled -- Verify at least one valid recipient is added +- Verify you have added at least one valid recipient - Check that recipients have the required Permission Set ('Netwrix Grant Permissions') -- Ensure a valid schedule is configured +- Ensure you have configured a valid schedule - Verify email addresses are correct in Salesforce - Check spam/junk folders for notification emails @@ -195,11 +195,11 @@ Export change logs for further analysis or compliance reporting: **Issue**: Change logs contain entries that don't match expected changes **Solutions**: -- Verify the baseline scan was completed successfully +- Verify the baseline scan completed successfully - Check for bulk permission changes or user assignments - Review the time range of the changes - Ensure no other administrators made concurrent changes -- Validate that the tracked permissions are correctly configured +- Validate that you have correctly configured the tracked permissions ## Related Topics From bb12f8a94784bed1e835742eb8d0fbc51f88f951 Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 3 Jun 2026 17:19:21 +0000 Subject: [PATCH 08/15] docs: add Salesforce navigation path to Tracked permissions scope Updated line 15 with the writer's preferred wording, which includes the Setup > Users > Profiles navigation path so readers can locate the Salesforce System Permissions page. Co-Authored-By: Claude --- docs/platgovsalesforce/tools/system_permission_tracking.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/platgovsalesforce/tools/system_permission_tracking.md b/docs/platgovsalesforce/tools/system_permission_tracking.md index 7660834f93..5fd6d85e74 100644 --- a/docs/platgovsalesforce/tools/system_permission_tracking.md +++ b/docs/platgovsalesforce/tools/system_permission_tracking.md @@ -12,7 +12,7 @@ System Permission Tracking monitors and detects changes in System Permissions ac ### Tracked permissions scope -System Permission Tracking only monitors permissions listed under the System section of Salesforce's System Permissions page. System Permission Tracking excludes permissions grouped under the Users section (such as Assign Permission Sets, Manage Roles, and others) from change detection and the generated Change Log. +System Permission Tracking only monitors permissions listed under the **System** section of the Salesforce **System Permissions** page (**Setup** > **Users** > **Profiles** > select a profile > **System Permissions**). System Permission Tracking excludes permissions grouped under the **Users** section (such as Assign Permission Sets, Manage Roles, and others) from change detection and the generated Change Log. ## Accessing System Permission Tracking From 6c221f9b5ad0183255cbf0d44aab5358863c1ae8 Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 3 Jun 2026 17:22:14 +0000 Subject: [PATCH 09/15] docs: define definitive Users-section exclusion scope Replace the open-ended "such as ... and others" parenthetical with a definitive statement that all permissions under the Users section are excluded, so readers know the scope without ambiguity. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/platgovsalesforce/tools/system_permission_tracking.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/platgovsalesforce/tools/system_permission_tracking.md b/docs/platgovsalesforce/tools/system_permission_tracking.md index 5fd6d85e74..9115def475 100644 --- a/docs/platgovsalesforce/tools/system_permission_tracking.md +++ b/docs/platgovsalesforce/tools/system_permission_tracking.md @@ -12,7 +12,7 @@ System Permission Tracking monitors and detects changes in System Permissions ac ### Tracked permissions scope -System Permission Tracking only monitors permissions listed under the **System** section of the Salesforce **System Permissions** page (**Setup** > **Users** > **Profiles** > select a profile > **System Permissions**). System Permission Tracking excludes permissions grouped under the **Users** section (such as Assign Permission Sets, Manage Roles, and others) from change detection and the generated Change Log. +System Permission Tracking only monitors permissions listed under the **System** section of the Salesforce **System Permissions** page (**Setup** > **Users** > **Profiles** > select a profile > **System Permissions**). System Permission Tracking excludes all permissions listed under the **Users** section from change detection and the generated Change Log. ## Accessing System Permission Tracking From 05a1831b3027f7694d0a5630e4ee4cda16e05677 Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 3 Jun 2026 17:24:13 +0000 Subject: [PATCH 10/15] docs: cross-reference Tracked permissions scope from Limitations Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/platgovsalesforce/tools/system_permission_tracking.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/platgovsalesforce/tools/system_permission_tracking.md b/docs/platgovsalesforce/tools/system_permission_tracking.md index 9115def475..88dd27c2d5 100644 --- a/docs/platgovsalesforce/tools/system_permission_tracking.md +++ b/docs/platgovsalesforce/tools/system_permission_tracking.md @@ -138,6 +138,7 @@ Export change logs for further analysis or compliance reporting: ## Limitations +- Tracking is limited to the **System** section of the Salesforce **System Permissions** page; permissions in the **Users** section are excluded (see [Tracked permissions scope](#tracked-permissions-scope)) - Tracking too many permissions can increase scan times - Some Salesforce permissions may behave differently depending on org configuration - Historical data covers only the period since you enabled tracking From 69abb8fc3632050cf6b49e001b65b5252a068e64 Mon Sep 17 00:00:00 2001 From: Hil-Ram-NWX <212961752+hilram7@users.noreply.github.com> Date: Wed, 3 Jun 2026 13:46:52 -0400 Subject: [PATCH 11/15] fix(search): emit product-version "current" for SaaS products and align version filter values (#1046) (#1062) ProductMetaTags now recognizes "current" in URL paths and falls back to "current" for single-version products with no version segment, so Algolia indexes product_version:"current" instead of an empty string. The search version filter now uses v.version (the actual config value) instead of v.label, so the facet query matches the indexed value. --- src/components/ProductMetaTags/index.js | 14 ++++++++++++-- src/theme/SearchBar/index.js | 2 +- src/theme/SearchPage/index.js | 2 +- 3 files changed, 14 insertions(+), 4 deletions(-) 
diff --git a/src/components/ProductMetaTags/index.js b/src/components/ProductMetaTags/index.js index 3a459a7346..f85b7a2f7e 100644 --- a/src/components/ProductMetaTags/index.js +++ b/src/components/ProductMetaTags/index.js @@ -1,7 +1,7 @@ import React from 'react'; import Head from '@docusaurus/Head'; import { useLocation } from '@docusaurus/router'; -import { createProductMap } from '@site/src/config/products.js'; +import { createProductMap, PRODUCTS } from '@site/src/config/products.js'; const productMap = createProductMap(); @@ -34,16 +34,26 @@ export default function ProductMetaTags() { let versionFromUrl = pathParts[productIndex + 1]; // Check if it looks like a version (e.g., "13_5", "2_0", "v2", "saas", etc.) // Regex now accepts underscores in version numbers - if (/^(v?\d+(_\d+)*|saas)$/i.test(versionFromUrl)) { + if (/^(v?\d+(_\d+)*|saas|current)$/i.test(versionFromUrl)) { versionFromUrl = versionFromUrl.replace(/^v/i, ''); // Remove 'v' prefix if present if (versionFromUrl.toLowerCase() === 'saas') { productVersion = 'saas'; + } else if (versionFromUrl.toLowerCase() === 'current') { + productVersion = 'current'; } else { // Convert underscores back to periods for the meta tag content productVersion = versionFromUrl.replace(/_/g, '.'); } } } + + // Fallback for single-version "current" products with no version segment in the URL + if (!productVersion) { + const product = PRODUCTS.find(p => productName === p.name); + if (product && product.versions.length === 1 && product.versions[0].version === 'current') { + productVersion = 'current'; + } + } } // Only render meta tags if we have a product name diff --git a/src/theme/SearchBar/index.js b/src/theme/SearchBar/index.js index 39c8b547d6..9401478ec4 100644 --- a/src/theme/SearchBar/index.js +++ b/src/theme/SearchBar/index.js 
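Review bot: The new fallback in the second hunk reads `product.versions.length` without checking that `versions` exists, so a `PRODUCTS` entry with no `versions` array would throw while this component renders. The two `getVersionsForProducts` helpers changed later in this commit already test `product.versions` before iterating, and the fallback should match them: `if (product && product.versions && product.versions.length === 1 && product.versions[0].version === 'current') {`. A one-line comment would also help, stating that `productVersion` can only be a regex-validated path segment or the literal `'current'`, since the value goes into a meta tag that the search index consumes. The body of `ProductMetaTags` starts and ends outside this hunk, so how `productName` is derived is not visible here.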
@@ -307,7 +307,7 @@ function getVersionsForProducts(selectedProducts) { selectedProducts.forEach(productName => { const product = PRODUCTS.find(p => p.name === productName); if (product && product.versions) { - product.versions.forEach(v => versionsSet.add(v.label)); + product.versions.forEach(v => versionsSet.add(v.version)); } }); return Array.from(versionsSet).sort(); diff --git a/src/theme/SearchPage/index.js b/src/theme/SearchPage/index.js index c60863c86b..47f7e59a33 100644 --- a/src/theme/SearchPage/index.js +++ b/src/theme/SearchPage/index.js @@ -41,7 +41,7 @@ function getVersionsForProducts(selectedProducts) { const source = isAll ? PRODUCTS : selectedProducts.map(name => PRODUCTS.find(p => p.name === name)).filter(Boolean); source.forEach(product => { if (product.versions) { - product.versions.forEach(v => versionsSet.add(v.label)); + product.versions.forEach(v => versionsSet.add(v.version)); } }); return Array.from(versionsSet).sort(); From 4e98eef220f83f3733e3fa0a286a437232095267 Mon Sep 17 00:00:00 2001 From: Dan Piazza <220388267+DanPiazza-Netwrix@users.noreply.github.com> Date: Thu, 4 Jun 2026 09:45:47 -0400 Subject: [PATCH 12/15] docs: fix Activity Monitor integration page for Change Tracker 8.2 Correct config file path, service name, default log directory, and mutual-exclusion behavior. Add SBTService display name for discoverability in services.msc. Generated with AI Co-Authored-By: Claude Code --- .../netwrixproducts/activitymonitor.md | 80 ++++++++++--------- 1 file changed, 42 insertions(+), 38 deletions(-) diff --git a/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md b/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md index 43e7696b29..6929f37a6f 100644 --- a/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md +++ b/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md 
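Review bot: The facet values now come from `v.version`, but `ProductMetaTags` in this same commit converts underscores to periods before emitting the indexed value (`13_5` becomes `13.5`), so the filter matches only if `version` in `products.js` is already stored in dotted form. That config is not visible in this patch; if it holds the URL form, normalise here with `versionsSet.add(String(v.version).replace(/_/g, '.'))`. The same line changes in `src/theme/SearchPage/index.js`, and both copies of `getVersionsForProducts` start outside their hunks. If the returned list is also shown to users, confirm that displaying the raw value instead of `v.label` is intended.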
@@ -7,17 +7,18 @@ sidebar_position: 20 # Netwrix Activity Monitor Integration Netwrix Change Tracker can use the **Netwrix Activity Monitor** (via its `SBTService` Windows -service) as an alternative data source for file change attribution on Windows. When this -integration is enabled, the Gen 7 Agent reads user and process information from log files written -by Activity Monitor instead of relying on the built-in kernel mini-filter driver (`NNTInfo.sys`). +service, displayed as **Netwrix Windows File Monitoring Service** in `services.msc`) as an +alternative data source for file change attribution on Windows. When you enable this integration, +the Gen 7 Agent reads user and process information from log files that Activity Monitor produces +instead of relying on the built-in kernel mini-filter driver (`NNTInfo.sys`). -This is useful in environments where the kernel driver cannot be loaded, for example systems +This is useful in environments where the system cannot load the kernel driver, for example systems with strict kernel security policies (Secure Boot / HVCI), certain hypervisor configurations, or -where Activity Monitor is already deployed and you want a single audit trail for file activity. +where you already deploy Activity Monitor and want a single audit trail for file activity. :::note This feature applies to **Windows only** and to **file integrity monitoring (FIM) with live -tracking**. Linux devices are unaffected. +tracking**. This feature does not affect Linux devices. ::: ## Prerequisites 
@@ -31,28 +32,28 @@ tracking**. Linux devices are unaffected. ## How it works -When the integration is enabled: +When you enable the integration: 1. The Gen 7 Agent automatically generates a configuration file (`SBTFileMon.ChangeTracker.ini`) in the Activity Monitor configuration directory whenever it receives a FIM policy from the Hub. This file instructs Activity Monitor which paths to monitor and in what format to log events. 2. Activity Monitor's `SBTService` writes file change events, including the user account and - process name responsible, to a daily JSON log file on the local disk. Files are named - `{hostname}_CT_Log_{YYYYMMDD}.json`. + process name responsible, to a daily JSON log file on the local disk. The service names these + files `{hostname}_CT_Log_{YYYYMMDD}.json`. 3. The Gen 7 Agent continuously reads these log files and caches attribution data keyed by file path. -4. When a file change is detected by the agent's file system watcher, the cached attribution data - is attached to the event before it is sent to the Hub. +4. When the agent's file system watcher detects a file change, it attaches the cached attribution + data to the event before sending it to the Hub. -The agent and the kernel driver are mutually exclusive as attribution sources. If both are -configured, Activity Monitor takes precedence and the kernel driver is not loaded. +The agent and the kernel driver are mutually exclusive as attribution sources. If you configure +both, Activity Monitor takes precedence and the agent does not load the kernel driver. ## Configuration -Activity Monitor integration is configured in the Gen 7 Agent's `app.config` file, located at: +Configure Activity Monitor integration in the Gen 7 Agent's configuration file, located at: ``` -%PROGRAMDATA%\NNT\gen7agent.service\app.config +C:\Program Files\NNT Change Tracker Suite\Gen7Agent (NetCore)\Gen7Agent.App.NetCore.dll.config ``` Add or update the following keys in the `` section: 
@@ -60,34 +61,34 @@ Add or update the following keys in the `` section: | Key | Value | Description | |---|---|---| | `useActivityMonitorChangeSource` | `true` | Enables Activity Monitor as the attribution source. Set to `false` (or omit) to use the default kernel driver. | -| `activityMonitorChangeSourceDirectory` | Path to log directory | The folder where Activity Monitor writes its `_CT_Log_` JSON files. Must match the `LOG_FILE` directory in the generated INI (see below). | -| `changeSourceFileFormat` | `json` (default) or `tsv` | Log file format written by Activity Monitor. Leave as `json` unless Activity Monitor is explicitly configured for TSV output. | +| `activityMonitorChangeSourceDirectory` | Path to log directory | The folder where Activity Monitor writes its log files. The default is `C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs`. Must match the `LOG_FILE` directory in the [auto-generated INI file](#auto-generated-ini-file). | +| `changeSourceFileFormat` | `json` (default) or `tsv` | Log file format that Activity Monitor writes. Leave as `json` unless you explicitly configure Activity Monitor for TSV output. | Example `` entries: ```xml - + ``` -:::warning -Do not set both `useActivityMonitorChangeSource=true` and `loaddriver=true`. These are mutually -exclusive. If both are present, Activity Monitor will be used and the kernel driver will be -disabled automatically, but it is best practice to explicitly set `loaddriver=false` to avoid -ambiguity. +:::note +The `useActivityMonitorChangeSource` and `loaddriver` settings are mutually exclusive as +attribution sources. If you set both to `true`, the agent automatically uses Activity Monitor +and disables the kernel driver. You don't need to explicitly set `loaddriver=false`, but you +can do so to make the configuration clearer. ::: -**Step 1 –** Open `app.config` in a text editor with administrator privileges and add the keys -above with the appropriate values for your environment. 
+**Step 1 –** Open `Gen7Agent.App.NetCore.dll.config` in a text editor with administrator +privileges and add the keys above with the appropriate values for your environment. **Step 2 –** Restart the Gen 7 Agent service for the changes to take effect: ```powershell -Restart-Service gen7agent.service +Restart-Service Gen7AgentCore ``` -**Step 3 –** Confirm that a FIM live-tracking policy is applied to the device from the Hub. The +**Step 3 –** Confirm that the Hub applies a FIM live-tracking policy to the device. The agent generates the Activity Monitor INI file the next time it receives a device configuration update. To trigger this immediately, navigate to **Settings > Agents and Devices**, select the device, and click **Refresh Configuration**. 
@@ -103,23 +104,24 @@ HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters\ConfigPath ``` The INI file instructs Activity Monitor to log file events to the directory specified by -`activityMonitorChangeSourceDirectory`, using the path filters derived from the FIM policy -configured in the Hub. You do not need to edit this file manually, as it is regenerated each +`activityMonitorChangeSourceDirectory`, using the path filters that the Hub's FIM policy +defines. You don't need to manually edit this file, as the agent regenerates it each time the FIM policy changes. -If the FIM policy is removed from a device, the agent disables the corresponding section in -the INI file automatically. +If you remove the FIM policy from a device, the agent automatically disables the corresponding +section in the INI file. :::note The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main -`SBTFileMon.ini`. Other monitoring sections in the main INI are not affected. +`SBTFileMon.ini`. This file does not change other monitoring sections in the main INI. ::: ## Troubleshooting **No user attribution in events** -- Confirm `SBTService` is running: `Get-Service SBTService`. +- Confirm `SBTService` is running: `Get-Service SBTService`. This service appears as + **Netwrix Windows File Monitoring Service** in `services.msc`. - Verify the `activityMonitorChangeSourceDirectory` path exists and contains files matching the pattern `*_CT_Log_{YYYYMMDD}.json`. - Check the agent's `rolling-log.txt` for warnings from `ActivityMonitorChangeSource`. Look 
@@ -129,12 +131,14 @@ The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main - Check that the registry key `HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters\ConfigPath` exists and - contains a valid path. This key is created by the Activity Monitor installer; if it is + contains a valid path. The Activity Monitor installer creates this key; if it is missing, Activity Monitor may not be installed correctly. -- Confirm the FIM policy is assigned to the device in the Hub and that live tracking is - enabled in the policy template. +- Confirm that the Hub assigns the FIM policy to the device and that the policy template + enables live tracking. **Both driver and Activity Monitor appear active** -- Review `app.config` and ensure `loaddriver` is set to `false` or removed. The agent logs a - warning to `rolling-log.txt` if both settings are enabled simultaneously. +- If you set both `loaddriver` and `useActivityMonitorChangeSource` to `true` in + `Gen7Agent.App.NetCore.dll.config`, the agent automatically uses Activity Monitor and + disables the kernel driver. You can optionally set `loaddriver` to `false` to make the + configuration explicit. From 153a50ce332207ff1fdbf77756a7e382a4682ca3 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 16:22:00 +0000 Subject: [PATCH 13/15] fix(vale): auto-fix style issues (Vale + Dale) --- .../netwrixproducts/activitymonitor.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md b/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md index 6929f37a6f..9057fa171a 100644 --- a/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md +++ b/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md 
@@ -7,18 +7,18 @@ sidebar_position: 20 # Netwrix Activity Monitor Integration Netwrix Change Tracker can use the **Netwrix Activity Monitor** (via its `SBTService` Windows -service, displayed as **Netwrix Windows File Monitoring Service** in `services.msc`) as an +service, which appears as **Netwrix Windows File Monitoring Service** in `services.msc`) as an alternative data source for file change attribution on Windows. When you enable this integration, the Gen 7 Agent reads user and process information from log files that Activity Monitor produces instead of relying on the built-in kernel mini-filter driver (`NNTInfo.sys`). -This is useful in environments where the system cannot load the kernel driver, for example systems +This is useful in environments where the system can't load the kernel driver, for example systems with strict kernel security policies (Secure Boot / HVCI), certain hypervisor configurations, or where you already deploy Activity Monitor and want a single audit trail for file activity. :::note This feature applies to **Windows only** and to **file integrity monitoring (FIM) with live -tracking**. This feature does not affect Linux devices. +tracking**. This feature doesn't affect Linux devices. ::: ## Prerequisites @@ -46,7 +46,7 @@ When you enable the integration: data to the event before sending it to the Hub. The agent and the kernel driver are mutually exclusive as attribution sources. If you configure -both, Activity Monitor takes precedence and the agent does not load the kernel driver. +both, Activity Monitor takes precedence and the agent doesn't load the kernel driver. ## Configuration 
@@ -80,7 +80,7 @@ can do so to make the configuration clearer. ::: **Step 1 –** Open `Gen7Agent.App.NetCore.dll.config` in a text editor with administrator -privileges and add the keys above with the appropriate values for your environment. +privileges and add the preceding keys with the appropriate values for your environment. **Step 2 –** Restart the Gen 7 Agent service for the changes to take effect: @@ -103,8 +103,8 @@ file. The agent discovers the correct directory by reading the registry key: HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters\ConfigPath ``` -The INI file instructs Activity Monitor to log file events to the directory specified by -`activityMonitorChangeSourceDirectory`, using the path filters that the Hub's FIM policy +The INI file instructs Activity Monitor to log file events to the directory that +`activityMonitorChangeSourceDirectory` specifies, using the path filters that the Hub's FIM policy defines. You don't need to manually edit this file, as the agent regenerates it each time the FIM policy changes. @@ -113,7 +113,7 @@ section in the INI file. :::note The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main -`SBTFileMon.ini`. This file does not change other monitoring sections in the main INI. +`SBTFileMon.ini`. This file doesn't change other monitoring sections in the main INI. ::: ## Troubleshooting @@ -125,7 +125,7 @@ The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main - Verify the `activityMonitorChangeSourceDirectory` path exists and contains files matching the pattern `*_CT_Log_{YYYYMMDD}.json`. - Check the agent's `rolling-log.txt` for warnings from `ActivityMonitorChangeSource`. Look - for messages indicating the directory or log file cannot be found. + for messages indicating the directory or log file can't be found. **INI file not generated** From 41929b851f814bf804305dba7d93f5bc0d373dc9 Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 16:22:37 +0000 Subject: [PATCH 14/15] docs: apply editorial fixes from PR review - Fix word-repetition ambiguity ("system"/"systems") in intro - Add loaddriver to configuration table for missing context - Clarify Step 3 to verify policy assignment rather than action - Replace ambiguous "This file" pronoun with explicit agent subject - Link troubleshooting bullet back to Configuration section Co-Authored-By: Claude --- .../netwrixproducts/activitymonitor.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md b/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md index 9057fa171a..3640eb1a33 100644 --- a/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md +++ b/docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md @@ -12,7 +12,7 @@ alternative data source for file change attribution on Windows. When you enable the Gen 7 Agent reads user and process information from log files that Activity Monitor produces instead of relying on the built-in kernel mini-filter driver (`NNTInfo.sys`). -This is useful in environments where the system can't load the kernel driver, for example systems +This is useful in environments where the kernel driver can't load, for example systems with strict kernel security policies (Secure Boot / HVCI), certain hypervisor configurations, or where you already deploy Activity Monitor and want a single audit trail for file activity. 
@@ -63,6 +63,7 @@ Add or update the following keys in the `` section: | `useActivityMonitorChangeSource` | `true` | Enables Activity Monitor as the attribution source. Set to `false` (or omit) to use the default kernel driver. | | `activityMonitorChangeSourceDirectory` | Path to log directory | The folder where Activity Monitor writes its log files. The default is `C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs`. Must match the `LOG_FILE` directory in the [auto-generated INI file](#auto-generated-ini-file). | | `changeSourceFileFormat` | `json` (default) or `tsv` | Log file format that Activity Monitor writes. Leave as `json` unless you explicitly configure Activity Monitor for TSV output. | +| `loaddriver` | `true` (default) or `false` | Controls whether the agent loads the kernel mini-filter driver (`NNTInfo.sys`) for file change attribution. Mutually exclusive with `useActivityMonitorChangeSource`. When both are `true`, Activity Monitor takes precedence and the agent doesn't load the driver. | Example `` entries: @@ -88,7 +89,7 @@ privileges and add the preceding keys with the appropriate values for your envir Restart-Service Gen7AgentCore ``` -**Step 3 –** Confirm that the Hub applies a FIM live-tracking policy to the device. The +**Step 3 –** Confirm that the device has a FIM live-tracking policy assigned from the Hub. The agent generates the Activity Monitor INI file the next time it receives a device configuration update. To trigger this immediately, navigate to **Settings > Agents and Devices**, select the device, and click **Refresh Configuration**. @@ -113,7 +114,7 @@ section in the INI file. :::note The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main -`SBTFileMon.ini`. This file doesn't change other monitoring sections in the main INI. +`SBTFileMon.ini`. The agent doesn't modify other monitoring sections in `SBTFileMon.ini`. ::: ## Troubleshooting 
@@ -138,7 +139,7 @@ The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main **Both driver and Activity Monitor appear active** -- If you set both `loaddriver` and `useActivityMonitorChangeSource` to `true` in - `Gen7Agent.App.NetCore.dll.config`, the agent automatically uses Activity Monitor and - disables the kernel driver. You can optionally set `loaddriver` to `false` to make the - configuration explicit. +- If you set both `loaddriver` and `useActivityMonitorChangeSource` to `true` in the + `` section of `Gen7Agent.App.NetCore.dll.config` (see [Configuration](#configuration)), + the agent automatically uses Activity Monitor and disables the kernel driver. You can + optionally set `loaddriver` to `false` to make the configuration explicit. From b13d20abe7ac32704391106e80e440b8139df20b Mon Sep 17 00:00:00 2001 
From: nbudeev-netwrix Date: Thu, 4 Jun 2026 18:36:43 +0200 Subject: [PATCH 15/15] docs(auditor): add KB article for Access Reviews integration limits for File Servers [Doc Task 419090] (#1048) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * docs(auditor): add KB article for Access Reviews integration limits for File Servers [Doc Task 419090] Generated with AI Co-Authored-By: Claude Code * docs(auditor): clarify SQL Server memory error note in Access Reviews KB article Generated with AI Co-Authored-By: Claude Code * fix(kb): use pathname:// for cross-version link to avoid build error * fix(kb): apply KB review updates — title, structure, keywords, prose * fix(kb): apply editorial review — structure, formatting, and link corrections * fix(kb): clarify approximate nature of memory data and update tool link Reworded memory consumption table intro to indicate values are approximate. Corrected 600K RAM figure and updated estimation tool download URL. Generated with AI Co-Authored-By: Claude Code * fix(kb): reword permission upload limit — default 200K, max 800K via support Removed config file reference and per-data-source mentions. Clarified that the default limit is 200,000 and users must contact support to increase it up to 800,000. Generated with AI Co-Authored-By: Claude Code * fix(kb): rename file to match sidebar label and remove resolved TODO comment --------- Co-authored-by: Claude Code Co-authored-by: hilram7 <212961752+hilram7@users.noreply.github.com> --- ...ews-integration-limits-for-file-servers.md | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 docs/kb/auditor/configuration-and-setup/file-server-auditing/managing-access-reviews-integration-limits-for-file-servers.md 
diff --git a/docs/kb/auditor/configuration-and-setup/file-server-auditing/managing-access-reviews-integration-limits-for-file-servers.md b/docs/kb/auditor/configuration-and-setup/file-server-auditing/managing-access-reviews-integration-limits-for-file-servers.md new file mode 100644 index 0000000000..57731d7be3 --- /dev/null +++ b/docs/kb/auditor/configuration-and-setup/file-server-auditing/managing-access-reviews-integration-limits-for-file-servers.md 
@@ -0,0 +1,101 @@ +--- +description: >- + Describes the current limits and system requirements for the Access Reviews + integration with Windows File Servers in Netwrix Auditor, including maximum + permission count and memory consumption. +keywords: + - Access Reviews + - file servers + - integration limits + - AIC + - permissions + - memory requirements + - Netwrix Auditor + - SQL Server + - AIC Resource Estimation Tool + - NwxFileStorageAicManager.acinc + - packet size + - file server auditing +products: + - auditor +sidebar_label: Managing Access Reviews Integration Limits for File Servers +tags: + - kb +title: "Managing Access Reviews Integration Limits for File Servers" +--- + +# Managing Access Reviews Integration Limits for File Servers + +## Overview + +This article describes the current limits and system requirements for the Access Reviews integration when collecting permission data from Windows File Servers in Netwrix Auditor. + +The Access Reviews integration collects permission data from monitored file servers and uploads it to the Access Reviews (AIC) database. The volume of permission data directly affects memory consumption on both the Auditor host and the SQL Server instance. + +Review the [Considerations & Limitations](pathname:///docs/auditor/10_8/accessreviews#considerations--limitations) section for general integration constraints. + +## Instructions + +### Permission Upload Limit + +The default limit for permissions uploaded to the Access Reviews database in a single data collection is **200,000**. To increase this limit, contact [Netwrix Support](https://www.netwrix.com/support.html). The current maximum that can be configured is **800,000** permissions. + +If the number of permissions exceeds this limit, the upload fails with a connection error due to SQL Server packet size restrictions. + +> **NOTE:** SQL Server imposes the 800,000 permission limit as a hard constraint. 
Attempting to upload more than 820,000 permissions results in a `maximum packet count exceeded` error that cannot be resolved through SQL Server configuration changes. + +### System Requirements by Permission Count + +The following table shows approximate **memory consumption** observed during data collection for different permission counts. Testing used Auditor 10.8 with a dedicated SQL Server instance. + +| Permissions | Auditor host (RAM) | SQL instance (RAM) | +|---|---|---| +| 200,000 | 3.2 GB | 6.5 GB | +| 400,000 | 4.1 GB | 12 GB | +| 500,000 | 5 GB | 15.5 GB | +| 600,000 | 5.6 GB | 19 GB | +| 800,000 | 6.5 GB | 24 GB | + +> **NOTE:** If the SQL Server host does not have enough available RAM for the permission count being processed, the upload fails with an `insufficient system memory in resource pool` error. + +### Count Permissions Before Enabling Integration + +1. Verify that the total number of permissions per data source does not exceed the 800,000 limit. +2. Download and copy the AIC Resource Estimation Tool to the machine where Auditor is installed. + + Download the [AIC Resource Estimation Tool](https://releases.netwrix.com/products/auditor/10.8/auditor-aic-estimation-tool-tool-1.0.1.zip), a Netwrix permission-counting utility. + + The executing account must have: + - Local administrator rights. + - Read access to the Auditor reporting databases. To authenticate with a specific SQL account, use `--sqluser`. + +3. 
Run the tool: + + ``` + AicResourceEstimationTool.exe + AicResourceEstimationTool.exe --countall + AicResourceEstimationTool.exe --html + ``` + + | Parameter | Description | + |---|---| + | `--countall` | Count permissions for all File Server Auditing (FSA) plans, including plans without Access Reviews enabled | + | `--html` | Save results as an HTML report and open it in the default browser | + | `--csv` | Save results as a CSV file | + | `--depth N` | Override the AIC depth level for every plan (0 = shares only, 1 = shares + one subfolder level) | + | `--sqluser USERNAME` | Authenticate to SQL Server with a specific account (SQL or Windows) | + | `--help` | Display help and exit | + + > **NOTE:** The tool reads the Auditor configuration automatically and discovers all FSA monitoring plans. By default, it only counts permissions for plans with **Send Data for Access Reviews** enabled. Use the `--countall` parameter to include all FSA plans. + +### Recommendations + +1. **Verify permission counts before enabling the integration.** + - If a file server has more than 800,000 unique permissions across all monitored shares, consider splitting the data source into multiple monitoring plans. +2. **Allocate sufficient SQL Server memory.** + - For environments with 400,000+ permissions, ensure the SQL Server host has at least 16 GB of RAM dedicated to the SQL instance. + - For 600,000+ permissions, allocate at least 24 GB. +3. **Monitor the Auditor host.** + - Auditor services hold allocated memory until the upload completes. Ensure the Auditor host has enough available RAM to accommodate the peak usage listed in the [System Requirements by Permission Count](#system-requirements-by-permission-count) table. +4. **Check the Health Log for errors.** + - The Netwrix Auditor Health Log records upload failures. These failures do not affect the status of monitored items or data sources in the Auditor console.