Enhanced Security Insights: New Alerts, Reports & Risk Mapping

New Alerts and Permission Reports for SharePoint Online

We have introduced four new state-in-time reports and six alerts to help users detect risky permission configurations in SharePoint Online. These new reports and alerts enhance visibility and provide actionable insights to maintain a secure SharePoint environment.

Alerts

• External User Activity – Keeps track of all actions performed by guest users.
• Sharing with Anyone Enabled on Site – Helps manage and audit when and how SharePoint sites are made accessible to users outside the organization.
• New Sharing Link with External User Access – Reports the creation of new sharing links that grant access to external users. Helps control how content is being shared externally, ensuring that external access is granted appropriately.
• Anonymous Sharing Link Created – Monitors anonymous access to ensure that only authorized users can view and interact with the content.
• High-Risk Permissions Added – Helps oversee and mitigate potential security risks by ensuring that elevated permissions are granted with proper justification.
• High-Risk Members Added – Helps to ensure that membership changes involving broad or sensitive groups are properly monitored and controlled.

Reports

• Direct User Permissions – Displays user accounts with direct permissions to specific objects, such as documents, lists, or sites. You can filter the list by object types, account status (enabled or disabled), last logon time, or if it’s a guest account.
• Broken Permissions Inheritance – Lists objects with permissions different from their parent, for example, when a folder has different permissions than the site it’s located in, which makes it harder to keep permissions manageable.
• High-Risk Permissions – Shows the permissions of Authenticated users, Anonymous logon, or domain users, including the object URL, resource type, and permission level.
• Direct Object Permissions – Displays all identities (users or groups) that have assigned permissions to specific objects, such as documents, lists, or sites.

New Alerts and Reports for Microsoft Entra ID

Thirteen new alerts and ten new activity reports are now available for Microsoft Entra ID to assist in threat detection. Seven reports and seven alerts (based on these new reports) are completely new. Six of the thirteen alerts and three of the ten reports, previously available for Active Directory, now also cover Microsoft Entra ID activities, helping users better detect and respond to potential threats.

New Microsoft Entra ID alerts and reports

• Microsoft Entra ID Role Management Permission Grant – Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. An adversary could use this permission to add a Microsoft Entra ID object to an Admin directory role and escalate privileges.
• Mail.Read Permissions Granted to Application – Detects applications that have been granted permissions to read mail in all mailboxes without a signed-in user. This can help identify applications that have been abused to gain access to mailboxes.
• MFA Rejected by User – Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using them to try and log into the account.
• (Multiple) User Removed from a Privileged Role – Detects when one or more existing admins are removed, which can be an attempt by adversaries to lock down the organization and retain sole access.
• (Multiple) Microsoft Entra ID Admin Permissions Granted – Identifies when one or more users’ permissions are changed at once.
• User Added to a Microsoft Entra ID Privileged Group – Tracks when a user is added to any of the Privileged Groups.
• User Assigned New Privileged Role – Identifies when a new eligible or active privileged role is assigned to a user.

Alerts (previously available for Active Directory)

• Account Deleted – Alerts when a user, computer, or account is deleted.
• Account Disabled – Alerts when a user, computer, or account is disabled.
• Account Enabled – Alerts when a user, computer, or account is enabled.
• Account Locked Out – Alerts when a user account is locked out due to multiple incorrect password inputs.
• Account with Password Tampered – Alerts on changes to the “Password never expires” setting.
• Multiple Failed Logons – Alerts when a user account fails to log on multiple times in a short time frame.

Reports (previously available for Active Directory)

• All Logon Activity – Helps validate compliance and analyze user activity by showing all Microsoft Entra ID logon activities.
• Failed Logons – Shows failed logon attempts.
• User Account Status Changes – Shows changes to the status (enabled, disabled, locked, or unlocked) of user accounts.

New Data Source: SQL Server Logon Reporting

SQL Server is now available as a new data source in Netwrix 1Secure, enhancing database visibility and security monitoring. The initial two reports allow users to review both successful and failed logon attempts to their SQL databases:

• All SQL Logons – Logs all SQL logon attempts, providing insights into who is accessing the database and when.
• SQL Failed Logons – Logs failed logon attempts, helping users detect potential security threats and unauthorized access attempts.

Risk Mapping with MITRE ATT&CK Matrix for Enterprise

All risks in the Netwrix 1Secure risk assessment dashboard are now categorized based on the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This categorization helps users understand risks in the context of the cyberattack lifecycle and prioritize responses accordingly, improving their overall security posture.

Bug Fix List

See the Netwrix 1Secure Bug Fix List PDF for a list of bugs fixed in this version.