SQL Server

Sharing Links by User Drive

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Details

Summary

This report capitalizes on the ability of version 4.0 to scan your OneDrive for Business storage. Individuals within your company may be sharing out your companies IP with little regard for security.  This report is limited to the list of all sharing links located with discovered User OneDrive for Business drives, and does not include Direct Access permissions.

 

File Extensions by Category

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Details

This report combines file extensions in to categories. The report uses the srs.current_fs_scandata database view which limits the scope to current scans only. The scope is further limited by the sd.fullpath LIKE portion of the sql where clause. If you remove it, the report will run across all current scan_data.

This recipes comes in two versions, a Detailed version and a Summary version.

You will need to modify the path line 32 of the desired query.

 

Duplicate file across the tenant

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Summary

This report utilizes the new added Microsoft 365 scanning features of version 4.0.  The 4.0 tenant scan prompts the new Agent365 to collect a hash of the file content and store the hash in the database where it can be use to compare against other files that match in content.

This query is designed to show show the different joins work together to get the desired data.

 

Duplicates in OneDrive for Business (users)

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Summary

New with version 4.0 is ability to scan your Microsoft 365 tenant for SharePoint Online document libraries, OneDrive for Business drives, and Teams document libraries.  This query helps you located duplicate files across user OneDrives.  The with impact version also shows the wasted space.

The purpose for including some queries to provide examples that can be used to make queries that better suit the needs of the administrators.

Content Hashed Duplicate File Report

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Summary

This report utilizes the new added file content hash feature of version 4.0.  The 4.0 scan policy definition gives a new option to Generate file content hashes for All Files or Files uploaded since the last scan.  This option prompts the AgentFS to generate a SHA256 hash of the file content and store the hash in the database where it can be compared against other files that match in content.

Details

Line 10 contains the paths to be reported against.  Modify these paths appropriate to your environment.

Suspect Permissions: An evaluation of direct user-assigned trustees in NCP.

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Summary

Create a report to locate all of the directly assigned user permissions in a particular NCP scan target.

Back Story

The customer has a number of volumes where the trustees should only ever be assigned granted via groups. They need a report to locate any permissions that have been granted to the individual user object, so that it can be evaluated.

Information

The scope of the query to limited to NCP trustees in the desired scan target. The scan_target will need to be modified to make it work based on the environment.

Current NTFS ACES Without Inheritance

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Summary

How when using the srs.current_ntfs_aces view can I report on the ACES without inheritance?

Explaination

The srs.current_ntfs_aces view includes a field called ace_flags which is a value mask. If this ace_flags value when ANDed with the a decimal value of 16 is equal to 16 than the ACE is inherited. If we therefore mask off that bit mask we can filter off the inherited values.

Current NCP Trustees

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Summary

Create a report that will display all NCP Trustees in eDirectory.

Back Story

The customer wanted to create a catalog of the NCP trustees for reference purposes.

Information

The scope of the query is eDirectory Tree wide, but can be limited to a particular path by adding a simple where clause.

*Starting in version 2.6.0, the "srs.active_ncp_trustees" database view has been renamed to "srs.current_ncp_trustees". While the "active" version will still with version 3.0 work it has been deprecated.

Pages