dev to main

.github/workflows/claude-issue-labeler.yml

@@ -115,9 +115,9 @@ jobs:
             exit 0
           fi
 
-          # Skip codeowner notification for KB PR review tracking issues
-          if echo "$LABELS" | grep -q "kb/review"; then
-            echo "Issue has kb/review label — skipping codeowner notification"
+          # Skip codeowner notification for KB Operations tracking issues (any kb/ label)
+          if echo "$LABELS" | grep -q "^kb/"; then
+            echo "Issue has kb/ label — skipping codeowner notification"
             exit 0
           fi
 

docs/auditor/10.8/configuration/azurefiles/overview.md

@@ -12,7 +12,7 @@ It supports two types of monitored items for Azure Files:
  - **Azure Subscription**: monitoring [actions](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/monitoredobjects) on all shares of all **storage accounts** of the specified **Azure Files subscription**
 
 
-> **Note:** For all **"data storage accounts"** used in the preceding list, you must configure [Diagnostic settings](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#diagnostic-settings)
+> **Note:** For all **"data storage accounts"**, you must configure [Diagnostic settings](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#diagnostic-settings)
 to save audit events on **"log storage accounts"**. Ensure you have the necessary access ([API permissions](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#configure-api-permissions), [IAM Roles](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#assign-identity-and-access-management-iam-roles-to-the-app)) for [application](https://docs.netwrix.com/docs/auditor/10_8/configuration/azurefiles/overview#azure-application-registration) to read these events and access storage accounts metadata.
 
 > **Note:** Azure activity logs may take 3 to 20 minutes to become available for analysis after an event occurs. This is an [Azure platform limitation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-ingestion-time#azure-metrics-resource-logs-activity-log) that applies to all services consuming Azure activity logs. As a result, some file share activities may appear in Netwrix Auditor reports with a delay. When generating reports shortly after activity occurs, extend the report time range by at least 20 minutes to capture events still in transit.
@@ -28,7 +28,7 @@ to save audit events on **"log storage accounts"**. Ensure you have the necessar
 
    - One for audit logs — Create a storage account [Create a storage account (Microsoft Learn)](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?utm_source=chatgpt.com&tabs=azure-portal)
 
-- [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) is configured for data storage account in Azure Files
+- [Azure Files identity-based access](https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview) configured for the data storage account in Azure Files
 
   Supported options:
    - Active Directory Domain Services (AD DS)
@@ -48,7 +48,7 @@ to save audit events on **"log storage accounts"**. Ensure you have the necessar
 
 ## Azure Application Registration
 
-You should register an application so Netwrix Auditor can authenticate to Azure and read audit logs
+Register an application so Netwrix Auditor can authenticate to Azure and read audit logs.
 
 ### Step 1: Create the App Registration
 
@@ -97,20 +97,25 @@ Netwrix Auditor uses the **App ID** + **Client Secret** for authentication
 
 ### Step 1: Add Permissions
 
+The Purpose column references Microsoft Graph API endpoints that Netwrix Auditor calls to perform each resolution task.
+
 | Permission | Purpose |
 |------------|---------|
 | `User.Read` | Basic user information. Sign in and read user profile. *(default)* |
-| `User.Read.All` | Read all users' profiles. Required to resolve SIDs into usernames in reports |
+| `User.Read.All` | Read all users' full profiles. Required to resolve user security identifiers (SIDs) into display names and User Principal Names (UPNs), and to map access control entries (ACEs) from group membership via the Microsoft Graph endpoint `/users/{id}/transitiveMemberOf` |
+| `Group.Read.All` | Resolve groups and search by SID from discretionary access control lists (DACLs). Required to expand group membership via the Microsoft Graph endpoint `/groups/{id}/transitiveMembers` and filter groups by `securityIdentifier` |
 
 
 1. In your app in EntraID, go to **Manage > API permissions > + Add a permission**.
 2. Select **Microsoft Graph > Application permissions**
 3. Add:
    - **User.Read (default)**
    - **User.Read.All**
+   - **Group.Read.All**
 
 - *User.Read* – "Sign in and read user profile." *(default)*
 - *User.Read.All* – "Read all users' full profiles"
+- *Group.Read.All* – "Read all groups"
 
 
 ### Step 2: Grant Admin Consent
@@ -119,9 +124,10 @@ Click **Grant admin consent for TenantName**
 
 **Why this is required:**
 - By default, applications can't query Microsoft Graph for directory-wide information
-- Admin consent allows the app to use **User.Read.All**
-- This lets Netwrix Auditor query Azure AD and resolve **user SIDs → user accounts → display names**
-- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful
+- Admin consent allows the app to use **User.Read.All** and **Group.Read.All**
+- **User.Read.All** lets Netwrix Auditor query Microsoft Entra ID and resolve **user SIDs → user accounts → display names**
+- **Group.Read.All** lets Netwrix Auditor resolve groups from DACLs and expand group membership so reports show which users inherit access through group ACEs
+- Without admin consent, audit logs will only show unresolved SIDs and object IDs instead of usernames and group names, making reports incomplete and less useful
 
 **At the end of this step, your app has granted Microsoft Graph API permissions**
 
@@ -153,7 +159,7 @@ You should assign Azure IAM roles so that Netwrix Auditor can:
    - "View everything, but not make any changes"
 5. Click **Next**
 6. Under **Members**, click **+ Select members**
-7. In the search window, find and select the **App you registered earlier**
+7. In the search window, select the **App you registered earlier**
 8. Click **Select → Review + assign**
 
 
@@ -238,7 +244,7 @@ Azure Files now archives audit logs into your **Log Storage Account**
 ## Checklist
 
 - [Azure Application registered](#azure-application-registration) with App ID + Secret
-- [API permissions](#configure-api-permissions) (User.Read, User.Read.All) granted
+- [API permissions](#configure-api-permissions) (User.Read, User.Read.All, Group.Read.All) granted
 - [IAM roles assigned](#assign-identity-and-access-management-iam-roles-to-the-app) (Reader, Storage File Data Privileged Reader, Storage Blob Data Reader)
 - [Diagnostic Settings configured](#diagnostic-settings) to log to a Log Storage Account
 

docs/changetracker/8.2/integration/netwrixproducts/activitymonitor.md

@@ -7,17 +7,18 @@ sidebar_position: 20
 # Netwrix Activity Monitor Integration
 
 Netwrix Change Tracker can use the **Netwrix Activity Monitor** (via its `SBTService` Windows
-service) as an alternative data source for file change attribution on Windows. When this
-integration is enabled, the Gen 7 Agent reads user and process information from log files written
-by Activity Monitor instead of relying on the built-in kernel mini-filter driver (`NNTInfo.sys`).
+service, which appears as **Netwrix Windows File Monitoring Service** in `services.msc`) as an
+alternative data source for file change attribution on Windows. When you enable this integration,
+the Gen 7 Agent reads user and process information from log files that Activity Monitor produces
+instead of relying on the built-in kernel mini-filter driver (`NNTInfo.sys`).
 
-This is useful in environments where the kernel driver cannot be loaded, for example systems
+This is useful in environments where the kernel driver can't load, for example systems
 with strict kernel security policies (Secure Boot / HVCI), certain hypervisor configurations, or
-where Activity Monitor is already deployed and you want a single audit trail for file activity.
+where you already deploy Activity Monitor and want a single audit trail for file activity.
 
 :::note
 This feature applies to **Windows only** and to **file integrity monitoring (FIM) with live
-tracking**. Linux devices are unaffected.
+tracking**. This feature doesn't affect Linux devices.
 :::
 
 ## Prerequisites
@@ -31,63 +32,64 @@ tracking**. Linux devices are unaffected.
 
 ## How it works
 
-When the integration is enabled:
+When you enable the integration:
 
 1. The Gen 7 Agent automatically generates a configuration file (`SBTFileMon.ChangeTracker.ini`)
    in the Activity Monitor configuration directory whenever it receives a FIM policy from the Hub.
    This file instructs Activity Monitor which paths to monitor and in what format to log events.
 2. Activity Monitor's `SBTService` writes file change events, including the user account and
-   process name responsible, to a daily JSON log file on the local disk. Files are named
-   `{hostname}_CT_Log_{YYYYMMDD}.json`.
+   process name responsible, to a daily JSON log file on the local disk. The service names these
+   files `{hostname}_CT_Log_{YYYYMMDD}.json`.
 3. The Gen 7 Agent continuously reads these log files and caches attribution data keyed by file
    path.
-4. When a file change is detected by the agent's file system watcher, the cached attribution data
-   is attached to the event before it is sent to the Hub.
+4. When the agent's file system watcher detects a file change, it attaches the cached attribution
+   data to the event before sending it to the Hub.
 
-The agent and the kernel driver are mutually exclusive as attribution sources. If both are
-configured, Activity Monitor takes precedence and the kernel driver is not loaded.
+The agent and the kernel driver are mutually exclusive as attribution sources. If you configure
+both, Activity Monitor takes precedence and the agent doesn't load the kernel driver.
 
 ## Configuration
 
-Activity Monitor integration is configured in the Gen 7 Agent's `app.config` file, located at:
+Configure Activity Monitor integration in the Gen 7 Agent's configuration file, located at:
 
 ```
-%PROGRAMDATA%\NNT\gen7agent.service\app.config
+C:\Program Files\NNT Change Tracker Suite\Gen7Agent (NetCore)\Gen7Agent.App.NetCore.dll.config
 ```
 
 Add or update the following keys in the `<appSettings>` section:
 
 | Key | Value | Description |
 |---|---|---|
 | `useActivityMonitorChangeSource` | `true` | Enables Activity Monitor as the attribution source. Set to `false` (or omit) to use the default kernel driver. |
-| `activityMonitorChangeSourceDirectory` | Path to log directory | The folder where Activity Monitor writes its `_CT_Log_` JSON files. Must match the `LOG_FILE` directory in the generated INI (see below). |
-| `changeSourceFileFormat` | `json` (default) or `tsv` | Log file format written by Activity Monitor. Leave as `json` unless Activity Monitor is explicitly configured for TSV output. |
+| `activityMonitorChangeSourceDirectory` | Path to log directory | The folder where Activity Monitor writes its log files. The default is `C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs`. Must match the `LOG_FILE` directory in the [auto-generated INI file](#auto-generated-ini-file). |
+| `changeSourceFileFormat` | `json` (default) or `tsv` | Log file format that Activity Monitor writes. Leave as `json` unless you explicitly configure Activity Monitor for TSV output. |
+| `loaddriver` | `true` (default) or `false` | Controls whether the agent loads the kernel mini-filter driver (`NNTInfo.sys`) for file change attribution. Mutually exclusive with `useActivityMonitorChangeSource`. When both are `true`, Activity Monitor takes precedence and the agent doesn't load the driver. |
 
 Example `<appSettings>` entries:
 
 ```xml
 <add key="useActivityMonitorChangeSource" value="true" />
-<add key="activityMonitorChangeSourceDirectory" value="C:\ProgramData\Netwrix\ActivityMonitor\CTLogs" />
+<add key="activityMonitorChangeSourceDirectory" value="C:\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs" />
 <add key="changeSourceFileFormat" value="json" />
 ```
 
-:::warning
-Do not set both `useActivityMonitorChangeSource=true` and `loaddriver=true`. These are mutually
-exclusive. If both are present, Activity Monitor will be used and the kernel driver will be
-disabled automatically, but it is best practice to explicitly set `loaddriver=false` to avoid
-ambiguity.
+:::note
+The `useActivityMonitorChangeSource` and `loaddriver` settings are mutually exclusive as
+attribution sources. If you set both to `true`, the agent automatically uses Activity Monitor
+and disables the kernel driver. You don't need to explicitly set `loaddriver=false`, but you
+can do so to make the configuration clearer.
 :::
 
-**Step 1 –** Open `app.config` in a text editor with administrator privileges and add the keys
-above with the appropriate values for your environment.
+**Step 1 –** Open `Gen7Agent.App.NetCore.dll.config` in a text editor with administrator
+privileges and add the preceding keys with the appropriate values for your environment.
 
 **Step 2 –** Restart the Gen 7 Agent service for the changes to take effect:
 
 ```powershell
-Restart-Service gen7agent.service
+Restart-Service Gen7AgentCore
 ```
 
-**Step 3 –** Confirm that a FIM live-tracking policy is applied to the device from the Hub. The
+**Step 3 –** Confirm that the device has a FIM live-tracking policy assigned from the Hub. The
 agent generates the Activity Monitor INI file the next time it receives a device configuration
 update. To trigger this immediately, navigate to **Settings > Agents and Devices**, select the
 device, and click **Refresh Configuration**.
@@ -102,39 +104,42 @@ file. The agent discovers the correct directory by reading the registry key:
 HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters\ConfigPath
 ```
 
-The INI file instructs Activity Monitor to log file events to the directory specified by
-`activityMonitorChangeSourceDirectory`, using the path filters derived from the FIM policy
-configured in the Hub. You do not need to edit this file manually, as it is regenerated each
+The INI file instructs Activity Monitor to log file events to the directory that
+`activityMonitorChangeSourceDirectory` specifies, using the path filters that the Hub's FIM policy
+defines. You don't need to manually edit this file, as the agent regenerates it each
 time the FIM policy changes.
 
-If the FIM policy is removed from a device, the agent disables the corresponding section in
-the INI file automatically.
+If you remove the FIM policy from a device, the agent automatically disables the corresponding
+section in the INI file.
 
 :::note
 The `SBTFileMon.ChangeTracker.ini` file is separate from Activity Monitor's main
-`SBTFileMon.ini`. Other monitoring sections in the main INI are not affected.
+`SBTFileMon.ini`. The agent doesn't modify other monitoring sections in `SBTFileMon.ini`.
 :::
 
 ## Troubleshooting
 
 **No user attribution in events**
 
-- Confirm `SBTService` is running: `Get-Service SBTService`.
+- Confirm `SBTService` is running: `Get-Service SBTService`. This service appears as
+  **Netwrix Windows File Monitoring Service** in `services.msc`.
 - Verify the `activityMonitorChangeSourceDirectory` path exists and contains files matching
   the pattern `*_CT_Log_{YYYYMMDD}.json`.
 - Check the agent's `rolling-log.txt` for warnings from `ActivityMonitorChangeSource`. Look
-  for messages indicating the directory or log file cannot be found.
+  for messages indicating the directory or log file can't be found.
 
 **INI file not generated**
 
 - Check that the registry key
   `HKLM\SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters\ConfigPath` exists and
-  contains a valid path. This key is created by the Activity Monitor installer; if it is
+  contains a valid path. The Activity Monitor installer creates this key; if it is
   missing, Activity Monitor may not be installed correctly.
-- Confirm the FIM policy is assigned to the device in the Hub and that live tracking is
-  enabled in the policy template.
+- Confirm that the Hub assigns the FIM policy to the device and that the policy template
+  enables live tracking.
 
 **Both driver and Activity Monitor appear active**
 
-- Review `app.config` and ensure `loaddriver` is set to `false` or removed. The agent logs a
-  warning to `rolling-log.txt` if both settings are enabled simultaneously.
+- If you set both `loaddriver` and `useActivityMonitorChangeSource` to `true` in the
+  `<appSettings>` section of `Gen7Agent.App.NetCore.dll.config` (see [Configuration](#configuration)),
+  the agent automatically uses Activity Monitor and disables the kernel driver. You can
+  optionally set `loaddriver` to `false` to make the configuration explicit.