diff --git a/docs/threatprevention/7.4/admin/overview_1.md b/docs/threatprevention/7.4/admin/Tags.md
similarity index 100%
rename from docs/threatprevention/7.4/admin/overview_1.md
rename to docs/threatprevention/7.4/admin/Tags.md
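Review bot: the rename target `Tags.md` is the only capitalised filename in this tree; every other path in the patch is lowercase (`overview.md`, `safemode.md`, `clearqueue.md`, `setoptions.md`). Doc URLs and sidebar slugs are derived from the filename and are case-sensitive on Linux hosts, so prefer `tags.md`, and check that nothing still links to the old `overview_1.md` path, since a 100% similarity rename leaves inbound links unchanged.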
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/clearqueue.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/clearqueue.md
index 13b4f9ace9..7809d1fcf7 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/clearqueue.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/clearqueue.md
@@ -12,8 +12,11 @@ SQLite Agent Queue option dumps the queue and all pending events are lost.
Follow the steps to clear the SQLite Agent queue for an Agent:
-**CAUTION:** These events are permanently deleted and are not processed by the Enterprise Manager on
+:::warning
+These events are permanently deleted and are not processed by the Enterprise Manager on
reconnection. This option is for diagnostic and troubleshooting purposes only.
+:::
+
**Step 1 –** Click Agents in the left pane to launch the Agents interface.
@@ -26,10 +29,13 @@ to connect to the target machine and query information about shares. A local Adm
on the target machine should have access to the system shares. Click **OK** after entering the
credentials.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
**Step 4 –** On the Access Verification window, the given credentials either succeed or fail during
a prerequisites or verification check.
@@ -38,8 +44,11 @@ a prerequisites or verification check.
of prior to the next attempt.
- Success – Click **Next** to begin clearing the SQLite Agent Queue
-**NOTE:** Closing the Administration Console while this action is in process causes problems with
+:::note
+Closing the Administration Console while this action is in process causes problems with
data collection.
+:::
+
**Step 5 –** The Clear Agent Queue window displays the task in progress and then its status as
either:
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/harden.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/harden.md
index 9d5de3718e..374fd010b5 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/harden.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/harden.md
@@ -22,10 +22,13 @@ to connect to the target machine and query information about shares. A local Adm
on the target machine should have access to the system shares. Click **OK** after entering the
credentials.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
**Step 4 –** On the Access Verification window, the given credentials either succeed or fail during
a prerequisites or verification check.
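Review bot: this is the second of six verbatim copies of the same wizard note; clearqueue.md, harden.md, soften.md, start.md, stop.md and deploy/overview.md all gain the identical `:::note` block ("The wizard does not block access to the Administration Console...") in this patch. Consider moving that text into a shared partial and importing it in each page so future wording changes happen once rather than six times.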
@@ -34,8 +37,11 @@ a prerequisites or verification check.
of prior to the next attempt.
- Success – Click **Next** to begin hardening the Agent.
-**NOTE:** Closing the Administration Console while this action is in process causes problems with
+:::note
+Closing the Administration Console while this action is in process causes problems with
data collection.
+:::
+
**Step 5 –** The Harden Agent window displays the task in progress and then its status as either:
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/removeserver.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/removeserver.md
index 5b8b6aafb5..31f870f266 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/removeserver.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/removeserver.md
@@ -10,8 +10,11 @@ The Agents Interface displays a list of servers where the Agent has been deploye
remove a server from this list for any reason, such as when the Agent is no longer required on the
server.
-**NOTE:** If the server has a deployed Agent, it will be added back to the list the next time the
+:::note
+If the server has a deployed Agent, it will be added back to the list the next time the
Agent sends information to the Enterprise Manager.
+:::
+
Follow the steps to remove a server from the list on the Agents Interface.
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/soften.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/soften.md
index cfee34fb8d..c5a2b3ffcb 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/soften.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/soften.md
@@ -22,10 +22,13 @@ to connect to the target machine and query information about shares. A local Adm
on the target machine should have access to the system shares. Click **OK** after entering the
credentials.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
**Step 4 –** On the Access Verification window, the given credentials either succeed or fail during
a prerequisites or verification check.
@@ -34,8 +37,11 @@ a prerequisites or verification check.
of prior to the next attempt.
- Success – Click **Next** to begin softening the Agent.
-**NOTE:** Closing the Administration Console while this action is in process causes problems with
+:::note
+Closing the Administration Console while this action is in process causes problems with
data collection.
+:::
+
**Step 5 –** The Soften Agent window displays the task in progress and then its status as either:
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/start.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/start.md
index 5ba9b441b3..f86015ac16 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/start.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/start.md
@@ -22,10 +22,13 @@ to connect to the target machine and query information about shares. A local Adm
on the target machine should have access to the system shares. Click **OK** after entering the
credentials.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
**Step 4 –** On the Start Agent window, the Agent will be started. One of two status messages
display:
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md
index 343e1f0f48..d243a4c60b 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md
@@ -13,11 +13,14 @@ Prevention administrator must start the Active Directory module. See the
[Agent Safe Mode](/docs/threatprevention/7.4/admin/agents/safemode.md)
topic for additional information.
-**_RECOMMENDED:_** If multiple DCs are in the Start Pending Modules state, this means one of the
+:::info
+If multiple DCs are in the Start Pending Modules state, this means one of the
monitored system DLLs was changed from when the Agent was last run. This could impact the operation
of the Agent. It is recommended to enable the pending modules on one DC initially and verify that
Threat Prevention is collecting events as expected from this specific DC and that the DC appears to
be stable before starting the pending modules on additional DCs.
+:::
+
Follow the steps to start pending modules on a server.
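Review bot: `**_RECOMMENDED:_**` is mapped to `:::info` here and in every later hunk, but `:::info` carries no recommendation semantic, and this same patch uses `:::tip` for a plain reminder in safemode.md, which inverts the natural mapping. Mapping RECOMMENDED to `:::tip` (or a titled admonition such as `:::info[Recommended]`) keeps the label. In this hunk the body still says "It is recommended to enable the pending modules on one DC initially", so nothing is lost, but several later conversions drop the only word that marked the text as advice, e.g. `Export alert data before using the Clear option.` in alertscleanup.md and `Configure the day limit to 30 days.` in baduseridsourcehost.md, which now read as required steps.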
diff --git a/docs/threatprevention/7.4/admin/agents/agentmanagement/stop.md b/docs/threatprevention/7.4/admin/agents/agentmanagement/stop.md
index 75d3ad2fbf..ed1d3a2d4d 100644
--- a/docs/threatprevention/7.4/admin/agents/agentmanagement/stop.md
+++ b/docs/threatprevention/7.4/admin/agents/agentmanagement/stop.md
@@ -21,10 +21,13 @@ to connect to the target machine and query information about shares. A local Adm
on the target machine should have access to the system shares. Click **OK** after entering the
credentials.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
**Step 4 –** On the Stop Agent window, the Agent will be stopped. One of two status messages
display:
diff --git a/docs/threatprevention/7.4/admin/agents/agentswindows/agentinstallerupdate.md b/docs/threatprevention/7.4/admin/agents/agentswindows/agentinstallerupdate.md
index 1dda255113..d5ca50681b 100644
--- a/docs/threatprevention/7.4/admin/agents/agentswindows/agentinstallerupdate.md
+++ b/docs/threatprevention/7.4/admin/agents/agentswindows/agentinstallerupdate.md
@@ -39,6 +39,9 @@ currently in use to the installer downloaded.
- If the downloaded version is newer, the message displays both version numbers and provides an
option to apply the update. Click **Apply Update**.
-**NOTE:** When the Agent installer is replaced with a newer version, all Agents’ versions in the
+:::note
+When the Agent installer is replaced with a newer version, all Agents’ versions in the
Agents interface are highlighted to indicate they are not the current version. Agents should then be
updated to the new version, using the Upgrade Agent option on the right-click menu.
+
+:::
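Review bot: the closing `:::` in this hunk is preceded by a blank `+` line and followed by nothing, whereas every earlier hunk closes the admonition directly after the text and then adds a blank line after `:::`. Pick one form for the whole patch; the same trailing pattern recurs at the end of enrollmentsecretconfiguration.md, loglevelconfiguration.md, setoptions.md, agents/overview.md and alerts/overview.md below.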
diff --git a/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md b/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md
index 26c51b4fb6..0c4418a7c7 100644
--- a/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md
+++ b/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md
@@ -46,4 +46,7 @@ manually deploy the Agent. It has the following fields:
- Click **Copy** to copy the enrollment secret and enter it in the Certificates window of the Agent
Setup wizard during manual Agent installation.
-**NOTE:** Restarting the Enterprise Manager cancels the current enrollment secret.
+:::note
+Restarting the Enterprise Manager cancels the current enrollment secret.
+
+:::
diff --git a/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md b/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md
index 45cbe32669..38ff519625 100644
--- a/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md
+++ b/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md
@@ -9,10 +9,13 @@ sidebar_position: 40
The Log Level Configuration window displays the current log levels for the Agents, Enterprise
Manager, and Administration Console. It also enables you to set new log levels.
-**NOTE:** Since Threat Prevention supports multiple instances of the Administration Console, each
+:::note
+Since Threat Prevention supports multiple instances of the Administration Console, each
instance has its own settings for log levels. Changing the settings only affect the respective
console instance. The Enterprise Manager and Agent log settings are global - the most recent changes
made from any console instance apply.
+:::
+
Follow the steps to set log levels.
@@ -83,13 +86,13 @@ Console log files are stored on the machine where the respective console is inst
Log files are stored in the following locations:
-Enterprise Manager Log Files
+**Enterprise Manager Log Files**

The default location is:
-…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\logs\
+**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\logs\**
Administration Console Log Files
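Review bot: wrapping the log path in `**…**` at `+**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\logs\**` does not render as intended, because the path ends in a backslash and `\*` is a Markdown escape, so the first `*` of the closing `**` becomes a literal asterisk and the strong span is left unbalanced (the trailing backslash of the path is also lost). The same problem is in the next hunk with `**…\Netwrix\Netwrix Threat Prevention\SIWinConsole\logs\**`. Put the paths in inline code instead, which keeps every backslash literal: `` `…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\logs\` ``. Separately, `Enterprise Manager Log Files` is now bold but the sibling label `Administration Console Log Files` on the trailing context line is not; bold both or neither.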
@@ -97,7 +100,10 @@ Administration Console Log Files
The default location is:
-…\Netwrix\Netwrix Threat Prevention\SIWinConsole\logs\
+**…\Netwrix\Netwrix Threat Prevention\SIWinConsole\logs\**
-**NOTE:** Log files for a remote instance of the Administration Console are available at the same
+:::note
+Log files for a remote instance of the Administration Console are available at the same
location on the respective machine.
+
+:::
diff --git a/docs/threatprevention/7.4/admin/agents/deploy/overview.md b/docs/threatprevention/7.4/admin/agents/deploy/overview.md
index aa9912101f..e17ddfd368 100644
--- a/docs/threatprevention/7.4/admin/agents/deploy/overview.md
+++ b/docs/threatprevention/7.4/admin/agents/deploy/overview.md
@@ -11,7 +11,10 @@ The Threat Prevention Agent can be deployed through any of the following methods
- Deploy the Agent to server(s) through the Administration Console – You can deploy the Agent to one
or multiple servers through the Administration Console
- **_RECOMMENDED:_** This is the recommended method for deploying the Agent.
+ :::info
+ This is the recommended method for deploying the Agent.
+ :::
+
- Manually through the Windows Agent Setup Wizard – Run the Agent executable to launch this wizard
@@ -28,10 +31,13 @@ compatibility with other security products. See the
[Agent Server Requirements](/docs/threatprevention/7.4/requirements/agent/agent.md)
topic for additional information.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
The Deploy Agents wizard consists of four windows: Select Computers, Set Options, Prerequisites
Check, and Installing.
@@ -39,8 +45,11 @@ Check, and Installing.
Follow the steps to deploy the Agent from the Administration Console to a new or existing machine
using the Deploy Agents wizard.
-**CAUTION:** Closing the Administration Console while this action is in process causes problems with
+:::warning
+Closing the Administration Console while this action is in process causes problems with
data collection.
+:::
+
**Step 1 –** Click Agents in the left pane to launch the Agents interface.
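Review bot: the sentence `Closing the Administration Console while this action is in process causes problems with data collection.` becomes `:::warning` here but `:::note` in clearqueue.md, harden.md and soften.md earlier in this patch (where the source used NOTE rather than CAUTION). The same statement should carry the same severity across pages; given that the consequence is lost or incomplete data collection, `:::warning` is the one to standardise on.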
@@ -90,11 +99,14 @@ topic for additional information.
The Agent will be listed in the table on the Agents interface.
-**NOTE:** If the server where the Agent is deployed has multiple network adapters (multi-homed),
+:::note
+If the server where the Agent is deployed has multiple network adapters (multi-homed),
then it is necessary to bind the Agent to an adapter that can communicate with the Enterprise
Manager. See the
[Bind To](/docs/threatprevention/7.4/troubleshooting/agentcommunication.md#bind-to)
topic for additional information.
+:::
+
## Update Agent Settings
diff --git a/docs/threatprevention/7.4/admin/agents/deploy/setoptions.md b/docs/threatprevention/7.4/admin/agents/deploy/setoptions.md
index 110f35c261..6160b41e18 100644
--- a/docs/threatprevention/7.4/admin/agents/deploy/setoptions.md
+++ b/docs/threatprevention/7.4/admin/agents/deploy/setoptions.md
@@ -38,9 +38,12 @@ The Set Options window provides the following options:
Enterprise Manager to the Agent(s) as long as the Agent service is enabled.
- Start Agent Service – Starts the Threat Prevention Agent service on host after installation
- **NOTE:** If the Agent Service is not started at the time of deployment, the Agent requires
+ :::note
+ If the Agent Service is not started at the time of deployment, the Agent requires
a manual start or will be started automatically after a server reboot. Until the Agent is
started, no activity is monitored or blocked.
+ :::
+
- Create Windows Firewall Rules – Creates firewall rules on the selected computers for Agent
communication
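Review bot: the nested note under Start Agent Service states a protection gap (`Until the Agent is started, no activity is monitored or blocked.`), which is the same class of consequence this patch elsewhere maps from CAUTION to `:::warning`; `:::warning` fits better than `:::note` for an option whose default leaves the host unmonitored until a manual start or reboot. Also confirm that `:::note` and its closing `:::` are indented to the list item's content column; a directive at column zero terminates the `- Start Agent Service` item and the following `- Create Windows Firewall Rules` item would start a new list.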
@@ -93,10 +96,13 @@ the window appears as follows:
This window displays the default selections in the Modules to Set and Additional Options areas; they
do not represent the actual current state of the Agent.
-**NOTE:** To view the current state and configured options for an Agent, hover over the Version
+:::note
+To view the current state and configured options for an Agent, hover over the Version
String column on the
[Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md)
data grid for the tool tip. The AD Agent column indicates the Agent’s mode.
+:::
+
This Set Options window is the same as discussed above, with the exception of the following:
@@ -110,6 +116,9 @@ This Set Options window is the same as discussed above, with the exception of th
This setting has no impact on the Use These Credentials and Enterprise Manager areas.
-**CAUTION:** Make sure you select the desired settings for the Agent on this window, such as the
+:::warning
+Make sure you select the desired settings for the Agent on this window, such as the
Enable DNS Host Name Resolution and Safe Mode options, even when they are currently enabled for the
Agent. Leaving them unchecked will disable those settings when the wizard completes.
+
+:::
diff --git a/docs/threatprevention/7.4/admin/agents/overview.md b/docs/threatprevention/7.4/admin/agents/overview.md
index a5de1ddec6..d7329cace6 100644
--- a/docs/threatprevention/7.4/admin/agents/overview.md
+++ b/docs/threatprevention/7.4/admin/agents/overview.md
@@ -16,7 +16,10 @@ The Threat Prevention Agent can be deployed through any of the following methods
- Deploy the Agent to server(s) through the Administration Console – You can deploy the Agent to one
or multiple servers through the Administration Console
- **_RECOMMENDED:_** This is the recommended method for deploying the Agent.
+ :::info
+ This is the recommended method for deploying the Agent.
+ :::
+
- Manually through the Windows Agent Setup Wizard – Run the Agent executable to launch this wizard
@@ -51,20 +54,26 @@ information for an Agent:
- AD Event Latency – Time difference between when the event was detected by the Agent and when
the Enterprise Manager received it
- **NOTE:** When the **Send Latency Alerts** option is enabled in the
+ :::note
+ When the **Send Latency Alerts** option is enabled in the
[Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md),
a warning symbol appears to indicate excessive latency. This warning symbol also appears
when the Agent fails to load the instrumentation DLL into the LSASS process or when it fails
to load the instrumentation DLL to MS Exchange.
+ :::
+
- FSMO Roles – The FSMO (Flexible Single Master Operation) role(s) currently assigned to the domain
controller where the Agent is deployed. Role names are displayed as abbreviations. For example,
'SM' is displayed for the Schema Master role. Hover over data in this column to view the full
names.
- **NOTE:** You can use the FSMO roles information in combination with a policy created for the
+ :::note
+ You can use the FSMO roles information in combination with a policy created for the
[FSMO Role Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md)
to view events about which machine acquired a FSMO role and which machine relinquished it.
+ :::
+
- Operating System – Operating system for the machine where the Agent is deployed with version
information, including service pack details. For example, Windows Server 2022 Standard.. For
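Review bot: the Operating System item in this hunk's trailing context has a doubled period, `Windows Server 2022 Standard.. For`; since this list is being reworked here, correct it in the same change rather than leaving it for a separate typo commit.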
@@ -122,16 +131,17 @@ topic for additional information.
The following icons above the data grid enable you to perform various actions on the Agents
interface
-| Icon | Label | Action |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-|  | Export Agent List… | Save the information to an XML file for export |
-|  | Refresh Agent List… | Refresh the Agent information |
-|  | Update Logging Levels… | Configure the log levels for the Agent(s). It opens the [Log Level Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md). |
-|  | Get Agent Log… | Access Agent log files. See the [Access Agent Log Files](/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md#access-agent-log-files) topic for additional information. |
-|  | Update Agent Installer | Check with Netwrix for a newer version of the Agent Installer according to the version in use. It opens the [Agent Installer Update Window](/docs/threatprevention/7.4/admin/agents/agentswindows/agentinstallerupdate.md). |
-|  | Configure Auto Deploy | If enabled, the Agent is automatically deployed to all domain controllers without an Agent. This feature requires at least one Agent to be present in the domain in order to detect additional domain controllers. It opens the [Configure Auto Deploy Window](/docs/threatprevention/7.4/admin/agents/agentswindows/configureautodeploy.md). |
-|  | Agent Enrollment Secret | Generate the enrollment secret used to deploy the Agent. Opens the [Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md). |
-|  | Deploy Agent | Deploy the Agent to selected servers. It opens the Deploy Agents wizard. See the [Deploy Agents](/docs/threatprevention/7.4/admin/agents/deploy/overview.md) topic for additional information. |
+| Icon | Label | Action |
+| --------------- | ----------------------- | -------------- |
+|  | Export Agent List… | Save the information to an XML file for export |
+|  | Refresh Agent List… | Refresh the Agent information |
+|  | Update Logging Levels… | Configure the log levels for the Agent(s). It opens the [Log Level Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md). |
+|  | Get Agent Log… | Access Agent log files. See the [Access Agent Log Files](/docs/threatprevention/7.4/admin/agents/agentswindows/loglevelconfiguration.md#access-agent-log-files) topic for additional information. |
+|  | Update Agent Installer | Check with Netwrix for a newer version of the Agent Installer according to the version in use. It opens the [Agent Installer Update Window](/docs/threatprevention/7.4/admin/agents/agentswindows/agentinstallerupdate.md). |
+|  | Configure Auto Deploy | If enabled, the Agent is automatically deployed to all domain controllers without an Agent. This feature requires at least one Agent to be present in the domain in order to detect additional domain controllers. It opens the [Configure Auto Deploy Window](/docs/threatprevention/7.4/admin/agents/agentswindows/configureautodeploy.md). |
+|  | Agent Enrollment Secret | Generate the enrollment secret used to deploy the Agent. Opens the [Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md). |
+|  | Deploy Agent | Deploy the Agent to selected servers. It opens the Deploy Agents wizard. See the [Deploy Agents](/docs/threatprevention/7.4/admin/agents/deploy/overview.md) topic for additional information. |
+
## Right-Click Menu
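Review bot: the Icon column is empty in both the old and the new version of this table (every row begins `|  |`), so the reformat shortens the separator row but keeps a column that displays nothing. Either restore the icon image references or drop the column and keep only Label and Action. Minor, while the table is open: `Update Agent Installer` is the only dialog-opening label without the trailing `…` that `Export Agent List…`, `Refresh Agent List…`, `Update Logging Levels…` and `Get Agent Log…` carry.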
@@ -188,10 +198,13 @@ Below are some considerations:
Prevention administrator should check if the Agent service is set to manual start. The most likely
solution is to upgrade to the latest version of the Agent.
- **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See
+ :::info
+ Activate an email notification for the _LSASS process terminated_ alert. See
the
[Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.4/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert)
topic for additional information.
+ :::
+
- In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode.
In Safe Mode, the Agent records the version of the LSASS DLLs that it hooks into during
@@ -204,8 +217,11 @@ Below are some considerations:
[Start Pending Modules](/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md)
topic for additional information.
- **_RECOMMENDED:_** Activate an email notification for this alert. See the
+ :::info
+ Activate an email notification for this alert. See the
[Enable Agent Started in AD Monitor Pending Mode Email Alert](/docs/threatprevention/7.4/admin/agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert)
topic and the
[Agent Safe Mode](/docs/threatprevention/7.4/admin/agents/safemode.md)
topic for additional information.
+
+ :::
diff --git a/docs/threatprevention/7.4/admin/agents/safemode.md b/docs/threatprevention/7.4/admin/agents/safemode.md
index 77ea9b6e84..77d6c36851 100644
--- a/docs/threatprevention/7.4/admin/agents/safemode.md
+++ b/docs/threatprevention/7.4/admin/agents/safemode.md
@@ -18,10 +18,13 @@ LSASS process. Below are some considerations:
Prevention administrator should check if the Agent service is set to manual start. The most likely
solution is to upgrade to the latest version of the Agent.
- **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See
+ :::info
+ Activate an email notification for the _LSASS process terminated_ alert. See
the
[Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.4/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert)
topic for additional information.
+ :::
+
- In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode.
In Safe Mode, the Agent records the version of the LSASS DLLs that it hooks into during
@@ -34,16 +37,25 @@ LSASS process. Below are some considerations:
[Start Pending Modules](/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md)
topic for additional information.
- **_RECOMMENDED:_** Activate an email notification for this alert. See the
+ :::info
+ Activate an email notification for this alert. See the
[Enable Agent Started in AD Monitor Pending Mode Email Alert](#enable-agent-started-in-ad-monitor-pending-mode-email-alert)
topic for additional information.
+ :::
+
-_Remember,_ in Safe Mode, Threat Prevention does not terminate the LSASS process; it only prevents
+:::tip
+Remember, in Safe Mode, Threat Prevention does not terminate the LSASS process; it only prevents
the Active Directory monitoring/blocking module from loading on the Agent machine every time key
LSASS DLLs are changed.
+:::
+
-**NOTE:** Most Microsoft Security Bulletins that alter LSASS will not interfere with Agent
+:::note
+Most Microsoft Security Bulletins that alter LSASS will not interfere with Agent
instrumentation.
+:::
+
Active Directory monitoring/blocking will not resume until the pending modules are started. To
determine if the LSASS changes will conflict with the Agent instrumentation, start the pending
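Review bot: the new `:::tip` block still opens with `Remember,`, which was the lead-in for the former inline italic sentence and is redundant inside a boxed admonition; drop it so the block starts `In Safe Mode, Threat Prevention does not terminate the LSASS process`. Using `:::tip` for this factual statement of behaviour while the RECOMMENDED items above become `:::info` inverts the usual mapping: `:::note` or `:::info` fits a description of what Safe Mode does, `:::tip` fits the recommendations.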
@@ -63,9 +75,12 @@ are overwritten with the current versions.
Follow the steps to enable email notifications for the Agent Started in AD Monitor pending mode
Operations alert.
-**NOTE:** These steps require the Threat Prevention administrator role. They also assume that the
+:::note
+These steps require the Threat Prevention administrator role. They also assume that the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md)
has been configured and email alerts have been enabled.
+:::
+
**Step 1 –** Clck **Configuration** > **Alerts** on the menu. The Netwrix Threat Prevention System
Alerting window opens.
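Review bot: Step 1 in this hunk's trailing context has a typo, `Clck **Configuration**`; since the surrounding block is being edited, correct it to `Click` here.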
diff --git a/docs/threatprevention/7.4/admin/alerts/alertscleanup.md b/docs/threatprevention/7.4/admin/alerts/alertscleanup.md
index 0a28e5b62b..a1bed72c75 100644
--- a/docs/threatprevention/7.4/admin/alerts/alertscleanup.md
+++ b/docs/threatprevention/7.4/admin/alerts/alertscleanup.md
@@ -10,9 +10,12 @@ You can clear alert data displayed on the
[Alerts Interface](/docs/threatprevention/7.4/admin/alerts/overview.md)
as well as schedule cleanups for this data.
-**_RECOMMENDED:_** Export alert data before using the Clear option. See the
+:::info
+Export alert data before using the Clear option. See the
[Alerts Export Window](/docs/threatprevention/7.4/admin/alerts/alertsexport.md)
topic for additional information.
+:::
+
Follow the steps to clear the alerts data.
diff --git a/docs/threatprevention/7.4/admin/alerts/overview.md b/docs/threatprevention/7.4/admin/alerts/overview.md
index 6e6cc39e26..05e58d361b 100644
--- a/docs/threatprevention/7.4/admin/alerts/overview.md
+++ b/docs/threatprevention/7.4/admin/alerts/overview.md
@@ -96,10 +96,13 @@ Below are some considerations:
Prevention administrator should check if the Agent service is set to manual start. The most likely
solution is to upgrade to the latest version of the Agent.
- **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See
+ :::info
+ Activate an email notification for the _LSASS process terminated_ alert. See
the
[Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.4/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert)
topic for additional information.
+ :::
+
- In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode.
In Safe Mode, the Agent records the version of the LSASS DLLs that it hooks into during
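Review bot: the LSASS considerations block (both `:::info` items, from `Activate an email notification for the _LSASS process terminated_ alert` through the Safe Mode link) is now maintained verbatim in three files in this patch: agents/overview.md, agents/safemode.md and alerts/overview.md. A shared partial would keep the copies from drifting; they already differ in one detail, since the safemode.md copy links to the anchor on its own page while the other two link to safemode.md.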
@@ -112,8 +115,11 @@ Below are some considerations:
[Start Pending Modules](/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md)
topic for additional information.
- **_RECOMMENDED:_** Activate an email notification for this alert. See the
+ :::info
+ Activate an email notification for this alert. See the
[Enable Agent Started in AD Monitor Pending Mode Email Alert](/docs/threatprevention/7.4/admin/agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert)
topic and the
[Agent Safe Mode](/docs/threatprevention/7.4/admin/agents/safemode.md)
topic for additional information.
+
+ :::
diff --git a/docs/threatprevention/7.4/admin/alerts/policycomparison.md b/docs/threatprevention/7.4/admin/alerts/policycomparison.md
index 6ecd03ba14..d30336b52a 100644
--- a/docs/threatprevention/7.4/admin/alerts/policycomparison.md
+++ b/docs/threatprevention/7.4/admin/alerts/policycomparison.md
@@ -29,8 +29,11 @@ File Comparison Tool window opens. In the Path to Comparison Tool box, provide t
comparison tool location in quotations. Next, add **%1 %2** after the quoted location path. for
example, _cmd.exe /K fc.exe %1 %2_. Click **OK** to close the window.
-**NOTE:** By default, fc.exe is specified as the path but it is recommended to replace this with a
+:::note
+By default, fc.exe is specified as the path but it is recommended to replace this with a
path to a Windows based comparison tool such as Beyond Compare for best results.
+:::
+
**Step 5 –** On the Policy Comparison window, click **Run Difference Tool** to run the specified
compare command using the third party comparison tool.
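Review bot: While touching this block, the unchanged context line above the note has a lowercase sentence start, "after the quoted location path. for example, _cmd.exe /K fc.exe %1 %2_"; capitalize "For" so the example reads as its own sentence.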
diff --git a/docs/threatprevention/7.4/admin/analytics/baduseridsourcehost.md b/docs/threatprevention/7.4/admin/analytics/baduseridsourcehost.md
index 2e28c4fd9f..501c8afecd 100644
--- a/docs/threatprevention/7.4/admin/analytics/baduseridsourcehost.md
+++ b/docs/threatprevention/7.4/admin/analytics/baduseridsourcehost.md
@@ -15,7 +15,10 @@ expires. After the time expires, any additional attempt will generate a new inci
for a report on the number of times a particular host used bad user accounts to try to login during
the time frame.
-**_RECOMMENDED:_** Configure the day limit to 30 days.
+:::info
+Configure the day limit to 30 days.
+:::
+
| Bad User ID (by source host) | |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
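Review bot: Converting `**_RECOMMENDED:_** Configure the day limit to 30 days.` into an untitled `:::info` leaves a bare instruction with no indication that it is a recommendation rather than a required step; use a titled admonition such as `:::info Recommended` (or keep "Recommended:" in the body) so the intent survives. The same applies to the other RECOMMENDED conversions in this patch (Brute Force Attacks, Concurrent Logins, Bad User ID by user, File System Attacks).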
@@ -24,7 +27,7 @@ the time frame.
| Trigger | Any number of failed authentication attempts using non-existing accounts made from a specific host |
| Recommended Settings | Bad User ID (by source host) groups attacks by where failed authentication attempts by non-existing accounts are coming from to trigger analytic hits. The user-configurable parameter is based on time, where time is used to visualize how often an attempt is made to authenticate using a non-existing account from an individual system. Netwrix recommends setting the default value to 30 days. If a failed authentication attempt using a non-existing account occurs from the same host after the 30 day time period, a new analytic hit will be produced rather than incrementing the previous hit count. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
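Review bot: `**Analytic Workflow**` is a section label, so a Markdown heading (`##` or `###`) fits better than bold text: a heading appears in the page table of contents and gets an anchor that other topics can link to, while bold text does neither. The same holds for the `**Settings Tab**`, `**Policy Tab**`, `**Policy Tab for Monitoring Only**` and `**Policy Tab for Monitoring & Lockdown**` changes elsewhere in this patch.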
@@ -50,7 +53,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -61,7 +64,7 @@ number of attempts through the limit of days set here, e.g. 30 days. After this
elapsed from the first attempt, a new incident will be triggered for any additional attempt with a
new count.
-Policy Tab
+**Policy Tab**

@@ -81,9 +84,12 @@ The Policy tab for configuring analytics consists of three sub-tabs:
- _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -91,9 +97,12 @@ The Policy tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
diff --git a/docs/threatprevention/7.4/admin/analytics/baduseriduser.md b/docs/threatprevention/7.4/admin/analytics/baduseriduser.md
index 7e158eb684..46c5d6fbc0 100644
--- a/docs/threatprevention/7.4/admin/analytics/baduseriduser.md
+++ b/docs/threatprevention/7.4/admin/analytics/baduseriduser.md
@@ -15,16 +15,19 @@ expires. After the time expires, any additional attempt will generate a new inci
for a report on the number of times a particular bad user account tried to login during the time
frame.
-**_RECOMMENDED:_** Configure the day limit to 30 days.
+:::info
+Configure the day limit to 30 days.
+:::
-| Bad User ID (by user) | |
-| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Definition | Pre-authentication failures using one or more non-existing user IDs |
+
+| Bad User ID (by user) | |
+| --------------------- | ------------- |
+| Definition | Pre-authentication failures using one or more non-existing user IDs |
| Example | Malware or a bad-actor is attempting to obtain access by guessing a user ID and password but has provided a user ID that does not exist. Most operating systems and devices have default administrative accounts such as “administrator” or “admin”. Because the account name is known, if left unchanged, the account becomes vulnerable to attack. To prevent this, most organizations change the name of these accounts. In the case where the account has been renamed, a perpetrator attempting to hack a well-known account will actually be attempting to authenticate against an account that does not exist and will be detected by this analytic. This analytic looks for attacks, regardless of source, against non-existing accounts. |
-| Trigger | Any number of failed authentication attempts made by a non-existing account |
-| Recommended Settings | Bad User ID (by user) groups attacks by account name where every new non-existing account will generate an analytic hit. The user-configurable parameter is based on time, where time is used to visualize how often an attempt is made to authenticate using the same non-existing account name. Netwrix recommends setting the default value to 30 days. If an attempt to use that same non-existing account name occurs after the 30 day time period, a new analytic hit will be produced rather than incrementing the previous hit count. |
+| Trigger | Any number of failed authentication attempts made by a non-existing account |
+| Recommended Settings | Bad User ID (by user) groups attacks by account name where every new non-existing account will generate an analytic hit. The user-configurable parameter is based on time, where time is used to visualize how often an attempt is made to authenticate using the same non-existing account name.
Netwrix recommends setting the default value to 30 days. If an attempt to use that same non-existing account name occurs after the 30 day time period, a new analytic hit will be produced rather than incrementing the previous hit count. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
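Review bot: The rewritten Recommended Settings row is split across two lines: the `+| Recommended Settings | ...` line ends mid-cell without a closing `|`, and the next line ("Netwrix recommends setting the default value to 30 days. ... |") carries the rest of the cell. GFM tables cannot span a row over two source lines, so the table ends after the Trigger row and the recommendation renders as a stray paragraph. Keep the whole cell on one line, or use `<br />` inside the cell if a line break within the text is wanted.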
@@ -49,7 +52,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -59,7 +62,7 @@ additional attempt for the same bad user account will be added to the total numb
through the limit of days set here, e.g. 30 days. After this number of days has elapsed from the
first attempt, a new incident will be triggered for any additional attempt with a new count.
-Policy Tab
+**Policy Tab**

@@ -79,9 +82,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- *Optional:* Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -89,9 +95,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
diff --git a/docs/threatprevention/7.4/admin/analytics/breachedpassword.md b/docs/threatprevention/7.4/admin/analytics/breachedpassword.md
index c78d7374da..f0d952e346 100644
--- a/docs/threatprevention/7.4/admin/analytics/breachedpassword.md
+++ b/docs/threatprevention/7.4/admin/analytics/breachedpassword.md
@@ -16,7 +16,7 @@ successful authentication in the specified time frame.
| Trigger | X failed authentication attempts from the same account followed by a successful authentication in Y hours |
| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if Threat Prevention monitors at least 30 failed authentication attempts from the same account followed by a successful authentication in 4 hours. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
@@ -41,7 +41,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -55,7 +55,7 @@ triggered, an incident record is saved to the database along with the events tha
incident. Raw authentication event data that did not contribute to an incident are purged from
memory once they are more than 24 hours old.
-Policy Tab
+**Policy Tab**

@@ -74,9 +74,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- Scope the protocol to be monitored on the Authentication Protocol filter. If enabling the
analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -86,9 +89,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
@@ -114,7 +120,10 @@ The top data grid includes the following information for each incident:
- Attacked Account Name – Security principal of the account affected by the event
- **NOTE:** The name will be red if the attacking account is the Administrator account.
+ :::note
+ The name will be red if the attacking account is the Administrator account.
+ :::
+
- Attacked Account SID – Security Identifier of the account used in the event that was attacked
- First Failed Attempt – Date timestamp of the first monitored event that triggered the incident.
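Review bot: The note moved into the `:::note` fence here sits under "Attacked Account Name" but says "The name will be red if the attacking account is the Administrator account." In the Concurrent Logins and File System Attacks files the identical sentence sits under "Attacking Account Name", so either this column is misnamed or the note should read "attacked account"; please confirm which before landing.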
diff --git a/docs/threatprevention/7.4/admin/analytics/bruteforceattacks.md b/docs/threatprevention/7.4/admin/analytics/bruteforceattacks.md
index 827bf3f815..d861c06654 100644
--- a/docs/threatprevention/7.4/admin/analytics/bruteforceattacks.md
+++ b/docs/threatprevention/7.4/admin/analytics/bruteforceattacks.md
@@ -9,8 +9,11 @@ sidebar_position: 40
The **Brute Force Attacks** analytic type identifies failed attempts from a single host to access a
given host.
-**_RECOMMENDED:_** Configure a subset of servers to be monitored in order to avoid the excessive
+:::info
+Configure a subset of servers to be monitored in order to avoid the excessive
volume of event activity from monitoring all servers.
+:::
+
| Brute Force Attacks | |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -19,7 +22,7 @@ volume of event activity from monitoring all servers.
| Trigger | X failed logins from a single host against a single host in Y minutes |
| Recommended Settings | Configure this analytic to trigger a hit if Threat Prevention monitors at least 40 failed logins from a single host against a single host in 3 minutes. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
@@ -44,7 +47,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -63,7 +66,7 @@ Click the **Configure Hosts** link to open the **Policy** > **Event Type** > **H
If checked, the **Ignore failed logins for unresolved user names** option will exclude bad user IDs
from contributing to Brute Force Attacks incidents.
-Policy Tab
+**Policy Tab**

@@ -82,18 +85,24 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- Scope the servers to be included in or excluded from monitoring on the IP Addresses (from)
filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts (to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- *Alternatively:* Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
- _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ Scope the accounts to include in or exclude from being monitored on the AD
Perpetrator filter.
diff --git a/docs/threatprevention/7.4/admin/analytics/concurrentlogins.md b/docs/threatprevention/7.4/admin/analytics/concurrentlogins.md
index a6db451614..a3dbdb7dcb 100644
--- a/docs/threatprevention/7.4/admin/analytics/concurrentlogins.md
+++ b/docs/threatprevention/7.4/admin/analytics/concurrentlogins.md
@@ -9,8 +9,11 @@ sidebar_position: 50
The **Concurrent Logins** analytic type identifies same account logins from multiple locations
within the specified time frame.
-**_RECOMMENDED:_** Configure a subset of accounts and/or servers to be monitored in order to avoid
+:::info
+Configure a subset of accounts and/or servers to be monitored in order to avoid
the excessive volume of event activity from monitoring all.
+:::
+
| Concurrent Logins | |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -19,7 +22,7 @@ the excessive volume of event activity from monitoring all.
| Trigger | Successful and failed authentications using the same account from at least X hosts in Y minutes |
| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if Threat Prevention monitors either successful or failed authentications using the same account from at least 3 hosts in 1 hour. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
@@ -44,7 +47,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -58,7 +61,7 @@ triggered, an incident record is saved to the database along with the events tha
incident. Raw authentication event data that did not contribute to an incident are purged from
memory once they are more than 24 hours old.
-Policy Tab
+**Policy Tab**

@@ -77,9 +80,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -89,9 +95,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
@@ -117,7 +126,10 @@ The top data grid includes the following information for each incident:
- Attacking Account Name – Security principal of the account that triggered the incident
- **NOTE:** The name will be red if the attacking account is the Administrator account.
+ :::note
+ The name will be red if the attacking account is the Administrator account.
+ :::
+
- Attacking Account SID – Security Identifier of the account used in the event that triggered the
incident
diff --git a/docs/threatprevention/7.4/admin/analytics/filesystemattacksuser.md b/docs/threatprevention/7.4/admin/analytics/filesystemattacksuser.md
index 4de6aea692..81daaec5e3 100644
--- a/docs/threatprevention/7.4/admin/analytics/filesystemattacksuser.md
+++ b/docs/threatprevention/7.4/admin/analytics/filesystemattacksuser.md
@@ -21,7 +21,7 @@ If desired, the analytic can be configured to lockdown the monitored file system
| Trigger | X number of files changed by an account in Y minutes |
| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if Threat Prevention monitors 500 files affected in 3 minutes. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
@@ -47,7 +47,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -73,7 +73,7 @@ Type: File System Lockdown** > **AD Perpetrator (for Lockdown)** filter. As inci
perpetrators of the triggering events will be added to the AD Perpetrators (for Lockdown) filter
list and blocked from initiating future events.
-Policy Tab for Monitoring Only
+**Policy Tab for Monitoring Only**

@@ -93,14 +93,20 @@ The **Policy** tab for configuring analytics consists of the following sub-tabs:
Multiple paths and/or collections can be included and excluded, along with the option to
monitor sub-folders.
- _Remember,_ if no path is provided, an error message displays when the analytic policy is
+ :::tip
+ Remember, if no path is provided, an error message displays when the analytic policy is
enabled: The “File System Analytic” policy must have at least one path to monitor defined.
+ :::
+
- _Optional:_ Scope the operations being monitored on the File System filter. The default is to
monitor Write and Rename operations.
- **_RECOMMENDED:_** Do not scope to include Read operations due to the quantity of files read
+ :::info
+ Do not scope to include Read operations due to the quantity of files read
within an organization.
+ :::
+
- _Optional:_ Scope the monitoring Agents to use for monitoring on the Additional Agents filter.
- _Optional:_ Scope the accounts to include in or exclude from being monitored on the AD
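Review bot: `:::tip` is the wrong admonition type for the first block in this hunk: the text describes an error that blocks enabling the policy ("an error message displays when the analytic policy is enabled"), which is a `:::warning` or `:::caution`, not a tip. The leading "Remember," was the italic lead-in of the old `_Remember,_` style and can be dropped now that the fence carries the emphasis.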
@@ -116,7 +122,7 @@ The **Policy** tab for configuring analytics consists of the following sub-tabs:
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md)
to configure Email and SIEM alerts.
-Policy Tab for Monitoring & Lockdown
+**Policy Tab for Monitoring & Lockdown**

@@ -146,8 +152,11 @@ The **Policy** tab for configuring analytics consists of the following sub-tabs:
- _Optional:_ Scope the accounts to block additional perpetrators.
- _Optional:_ Remove accounts that are being blocked from the list.
- **NOTE:** Perpetrators manually removed from the list may be automatically re-added if
+ :::note
+ Perpetrators manually removed from the list may be automatically re-added if
they trigger another incident
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
@@ -173,7 +182,10 @@ The top data grid includes the following information for each incident:
- Attacking Account Name – Security principal of the account that triggered the incident
- **NOTE:** The name will be red if the attacking account is the Administrator account.
+ :::note
+ The name will be red if the attacking account is the Administrator account.
+ :::
+
- Attacking Account SID – Security Identifier of the account used in the event
- First Attempt – Date timestamp of the first monitored event Hover over the data in this column to
diff --git a/docs/threatprevention/7.4/admin/analytics/forgedpac.md b/docs/threatprevention/7.4/admin/analytics/forgedpac.md
index ee20bed999..df91145838 100644
--- a/docs/threatprevention/7.4/admin/analytics/forgedpac.md
+++ b/docs/threatprevention/7.4/admin/analytics/forgedpac.md
@@ -11,14 +11,14 @@ modified PAC. By manipulating the PAC, a field in the Kerberos ticket that conta
authorization data (in Active Directory, this is group membership), an attacker is able to grant
themselves elevated privileges.
-| Forged PAC | |
-| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Definition | Kerberos tickets with modified Privilege Account Certificate (PAC) |
-| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. A known vulnerability exists where PAC part of a ticket can be modified to include groups the user is not a member of. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
-| Trigger | PAC of the ticket contains RIDs that are not TokenGroups attribute. |
-| Recommended Settings | No additional configuration needed |
+| Forged PAC | |
+| -------------------- | ---------------- |
+| Definition | Kerberos tickets with modified Privilege Account Certificate (PAC) |
+| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network.
A known vulnerability exists where PAC part of a ticket can be modified to include groups the user is not a member of. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
+| Trigger | PAC of the ticket contains RIDs that are not TokenGroups attribute. |
+| Recommended Settings | No additional configuration needed |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
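Review bot: The rewritten Example row breaks the table: the `+| Example | ...` line ends after "identifies a user to a resource on the network." with no closing `|`, and the following line ("A known vulnerability exists ... |") holds the remainder of the cell. A GFM table row must be a single source line, so everything from that point renders outside the table. Join the two lines or use `<br />` for an in-cell break. Separately, the Definition cell expands PAC as "Privilege Account Certificate"; the Kerberos structure is the Privilege Attribute Certificate (MS-PAC), which is worth fixing while the row is being rewritten.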
@@ -43,7 +43,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -61,7 +61,7 @@ for a mismatch to trigger the incident.
monitored for modifications.
- The **Remove** (**x**) button removes the selected item(s) from the incident criteria.
-Policy Tab
+**Policy Tab**

@@ -80,9 +80,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- Scope the servers to be included in or excluded from monitoring on the IP Addresses (from)
filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts (to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- _Alternatively:_ Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -90,9 +93,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
enabling the analytic on a domain controller, also scope the login type. The Authentication
Protocol filter is hard coded to ensure the Kerberos protocol is monitored.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ Scope the accounts to include in or exclude from being monitored on the AD
Perpetrator filter.
diff --git a/docs/threatprevention/7.4/admin/analytics/goldenticket.md b/docs/threatprevention/7.4/admin/analytics/goldenticket.md
index 6d92ad2c65..9d507d45a1 100644
--- a/docs/threatprevention/7.4/admin/analytics/goldenticket.md
+++ b/docs/threatprevention/7.4/admin/analytics/goldenticket.md
@@ -12,14 +12,14 @@ authenticates, the ticket is checked against the maximum ticket lifetime and max
configured within this analytic type. Any ticket that exceeds either ‘maximum’ will trigger an
incident.
-| Golden Tickets | |
-| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Definition | Kerberos tickets with modified maximum lifetimes for a user ticket and maximum lifetimes for a user ticket renewal |
-| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. On TGT expiry, the user account is checked for validity (password, enabled/disabled, group memberships, etc.) and a new TGT is granted. A known vulnerability exists where a domain admin could forge the TGT renewal time, creating an indefinite “golden” ticket. This could be accomplished, and then the underlying account removed, allowing the user to obtain admin access forever with an account that no longer exists. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
-| Trigger | Maximum lifetime for a user ticket > than X hours OR Maximum lifetime for a user ticket renewal > Y days |
-| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if the maximum lifetime for a user ticket is greater than 24 hours or the maximum lifetime for a user ticket renewal is greater than 30 days. |
+| Golden Tickets | |
+| -------------------- | --------------- |
+| Definition | Kerberos tickets with modified maximum lifetimes for a user ticket and maximum lifetimes for a user ticket renewal |
+| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network.
On TGT expiry, the user account is checked for validity (password, enabled/disabled, group memberships, etc.) and a new TGT is granted. A known vulnerability exists where a domain admin could forge the TGT renewal time, creating an indefinite “golden” ticket. This could be accomplished, and then the underlying account removed, allowing the user to obtain admin access forever with an account that no longer exists. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
+| Trigger | Maximum lifetime for a user ticket > than X hours
OR
Maximum lifetime for a user ticket renewal > Y days |
+| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if the maximum lifetime for a user ticket is greater than 24 hours or the maximum lifetime for a user ticket renewal is greater than 30 days. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
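Review bot: the Example and Trigger cells in the rebuilt Golden Tickets table are split across physical lines (the continuation starting "On TGT expiry" and the "OR" / "Maximum lifetime for a user ticket renewal > Y days" lines), which breaks the GFM table: a row ends at the newline, every continuation line is parsed as a new one-cell row, and the second half of the Example text lands in the first column. Keep each row on one line and use `<br/>` where a visual break is wanted, e.g. `... on the network.<br/>On TGT expiry, ...` and `Maximum lifetime for a user ticket > X hours<br/>OR<br/>Maximum lifetime for a user ticket renewal > Y days`. While on that line, `> than X hours` reads as "greater than than"; `greater than X hours` matches the Recommended Settings wording below it.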
@@ -44,7 +44,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -54,7 +54,7 @@ tickets is ten hours, and the renewal period is seven days. This analytic policy
ticket that requests authentication against the values set in this analytic policy. Any time a
ticket exceeds either of these values, an incident is triggered.
-Policy Tab
+**Policy Tab**

@@ -70,14 +70,20 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
[Authentication Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationmonitoring.md)
is hard coded, and the Success filter cannot be modified.
- **_RECOMMENDED:_** Do not configure any filters for this analytic type.
+ :::info
+ Do not configure any filters for this analytic type.
+ :::
+
- _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- \_Optional:\_Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
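Review bot: converting `**_RECOMMENDED:_**` to a bare `:::info` drops the word Recommended, so the reader can no longer tell this is guidance rather than a statement of product behaviour; `:::tip` or a titled block such as `:::info[Recommended]` preserves that, and the same applies to the other RECOMMENDED conversions in this patch. Also visible two lines below the N-2 note: `- \_Optional:\_Scope` has escaped underscores and a missing space; since the surrounding lines are being edited, `- _Optional:_ Scope` would match the `_Optional:_ Scope the protocol` line just above it.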
@@ -87,9 +93,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
diff --git a/docs/threatprevention/7.4/admin/analytics/horizontalmovementattacks.md b/docs/threatprevention/7.4/admin/analytics/horizontalmovementattacks.md
index 0a84da6443..2aba35cf7b 100644
--- a/docs/threatprevention/7.4/admin/analytics/horizontalmovementattacks.md
+++ b/docs/threatprevention/7.4/admin/analytics/horizontalmovementattacks.md
@@ -9,8 +9,11 @@ sidebar_position: 90
The **Horizontal Movement Attacks** analytic type identifies security principals that are accessing
more than the threshold of resources during the specified time interval.
-**_RECOMMENDED:_** Configure a subset of accounts and/or servers to be monitored in order to avoid
+:::info
+Configure a subset of accounts and/or servers to be monitored in order to avoid
the excessive volume of event activity from monitoring all.
+:::
+
| Horizontal Movement Attacks | |
| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -19,7 +22,7 @@ the excessive volume of event activity from monitoring all.
| Trigger | Successful or failed authentications of a given account across X number of resources in Y minutes |
| Recommended Settings | Configure this analytic to trigger a hit if Threat Prevention monitors successful or failed authentications of a given account across 10 resources in 3 minutes. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
@@ -45,7 +48,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -62,7 +65,7 @@ memory once they are more than 24 hours old.
If checked, the Ignore failed logins for unresolved user names option will exclude bad user IDs from
contributing to Horizontal Movement Attacks incidents.
-Policy Tab
+**Policy Tab**

@@ -82,9 +85,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- \_Optional:\_Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- \_Optional:\_Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -92,9 +98,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
@@ -120,7 +129,10 @@ The top data grid includes the following information for each incident:
- Attacking Account Name – Security principal of the account that triggered the incident
- **NOTE:** The name will be red if the attacking account is the Administrator account.
+ :::note
+ The name will be red if the attacking account is the Administrator account.
+ :::
+
- Attacking Account SID – Security Identifier of the account used in the event
- First Attempt – Date timestamp of the first monitored event that triggered the incident. Hover
diff --git a/docs/threatprevention/7.4/admin/analytics/impersonationlogins.md b/docs/threatprevention/7.4/admin/analytics/impersonationlogins.md
index 43d85b5437..1605aa13e8 100644
--- a/docs/threatprevention/7.4/admin/analytics/impersonationlogins.md
+++ b/docs/threatprevention/7.4/admin/analytics/impersonationlogins.md
@@ -9,8 +9,11 @@ sidebar_position: 100
The **Impersonation Logins** analytic type identifies multiple authenticated accounts from a single
system within the specified time frame.
-**_RECOMMENDED:_** Configure a subset of accounts and/or servers to be monitored in order to avoid
+:::info
+Configure a subset of accounts and/or servers to be monitored in order to avoid
the excessive volume of event activity from monitoring all.
+:::
+
| Impersonation Logins | |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -19,7 +22,7 @@ the excessive volume of event activity from monitoring all.
| Trigger | X different authenticated accounts from a single system in Y hours |
| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if Threat Prevention monitors 3 different authenticated accounts from a single system in 2 hours. |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
@@ -44,7 +47,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -58,7 +61,7 @@ triggered, an incident record is saved to the database along with the events tha
incident. Raw authentication event data that did not contribute to an incident are purged from
memory once they are more than 24 hours old.
-Policy Tab
+**Policy Tab**

@@ -77,9 +80,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- _Optional:_ Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional:_ – Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -89,9 +95,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
diff --git a/docs/threatprevention/7.4/admin/analytics/kerberosweakencryption.md b/docs/threatprevention/7.4/admin/analytics/kerberosweakencryption.md
index 5843486fa3..32468ec6e7 100644
--- a/docs/threatprevention/7.4/admin/analytics/kerberosweakencryption.md
+++ b/docs/threatprevention/7.4/admin/analytics/kerberosweakencryption.md
@@ -10,14 +10,14 @@ The **Kerberos Weak Encryption** analytic type identifies Kerberos tickets with
encryption by detecting the use of weak encryption. Various attack methods utilize weak Kerberos
encryption cyphers, including Overpass-the-Hash.
-| Kerberos Weak Encryption | |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Definition | Kerberos tickets with RC4_HMAC_MD5 encryption. |
-| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. If RC4_HMAC_MD5 encryption is used then it makes possible to obtain password value using Kerberoasting attack. If a user on the network were to attempt to use such a ticket, this analytic would detect this ticket and generate an alert. |
-| Trigger | Ticket uses RC4_HMAC_MD5 encryption. |
-| Recommended Settings | No additional configuration is needed |
+| Kerberos Weak Encryption | |
+| ------------------------ | ---------------- |
+| Definition | Kerberos tickets with RC4_HMAC_MD5 encryption. |
+| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network.
If RC4_HMAC_MD5 encryption is used then it makes possible to obtain password value using Kerberoasting attack. If a user on the network were to attempt to use such a ticket, this analytic would detect this ticket and generate an alert. |
+| Trigger | Ticket uses RC4_HMAC_MD5 encryption. |
+| Recommended Settings | No additional configuration is needed |
-Analytic Workflow
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
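Review bot: the Example cell of the Kerberos Weak Encryption table is split across two lines (the second starting "If RC4_HMAC_MD5 encryption is used"), which GFM parses as a separate one-cell row, so the Example cell ends at "on the network." and the RC4/Kerberoasting sentence appears in the first column of a new row. Keep the row on one line, with `<br/>` if a break is wanted. That sentence also needs a grammar fix on the rewritten line: "If RC4_HMAC_MD5 encryption is used, it makes it possible to recover the password with a Kerberoasting attack."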
@@ -41,7 +41,7 @@ The Configure Analytics window has one tab:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Policy Tab
+**Policy Tab**

@@ -60,9 +60,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- Scope the servers to be included in or excluded from monitoring on the IP Addresses (from)
filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts (to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- *Alternatively:* Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -70,9 +73,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
enabling the analytic on a domain controller, also scope the login type. The Authentication
Protocol filter is hard coded to ensure the Kerberos protocol is monitored.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional_ – Scope the accounts to include in or exclude from being monitored on the AD
Perpetrator filter.
diff --git a/docs/threatprevention/7.4/admin/analytics/overview.md b/docs/threatprevention/7.4/admin/analytics/overview.md
index 9f9175cb9e..7127563af2 100644
--- a/docs/threatprevention/7.4/admin/analytics/overview.md
+++ b/docs/threatprevention/7.4/admin/analytics/overview.md
@@ -39,8 +39,11 @@ In the middle of the interface, you can view a list of the analytic types, numbe
identified in the last 24 hours per type, the ability to enable or disable monitoring, access to the
analytic configuration, and a tool tip with a brief summary of the analytic.
-**_RECOMMENDED:_** For most analytics, configure at least one filter before enabling an analytic
+:::info
+For most analytics, configure at least one filter before enabling an analytic
type.
+:::
+
The Refresh button on the Analytics ribbon repopulates both the graphical display and the analytic
list.
diff --git a/docs/threatprevention/7.4/admin/analytics/useraccounthacking.md b/docs/threatprevention/7.4/admin/analytics/useraccounthacking.md
index 77878d3a68..c7bb73067e 100644
--- a/docs/threatprevention/7.4/admin/analytics/useraccounthacking.md
+++ b/docs/threatprevention/7.4/admin/analytics/useraccounthacking.md
@@ -9,17 +9,20 @@ sidebar_position: 120
The **User Account Hacking** analytic type identifies multiple bad passwords provided for a given
valid user account in the specified time interval.
-**_RECOMMENDED:_** Configure a subset of accounts to be monitored in order to avoid the excessive
+:::info
+Configure a subset of accounts to be monitored in order to avoid the excessive
volume of event activity from monitoring all accounts.
+:::
-| User Account Hacking | |
-| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Definition | Repeated failed logins below lockout thresholds and/or over extended periods |
-| Example | Malware or a bad actor on the network is attempting to compromise an account by guessing the account’s password repeatedly until access is granted. To circumvent built-in lockout policies in Active Directory, the malware or bad actor will only guess so many times before backing off, making sure not to lockout the account. After a period of time has expired, it will continue its routine until the password is guessed correctly. This type of attack is easily automated using a script. The quiet nature of this type of attack often results in the attack going undetected. \*The Enterprise Admin account (SID ending in -500) in Active Directory cannot be locked out making it vulnerable to hacking and eventual breach. While Active Directory will show the account is locked out on the object itself, as soon as the correct password is supplied, the account will be automatically unlocked, giving the perpetrator “God-rights” to the enterprise. |
-| Trigger | (X1 failed login attempts from an individual user account in Y1 minutes) OR (X2 failed login attempts from an individual user account in Y3 minutes) OR … |
-| Recommended Settings | Set the number of attempts 1 or 2 increments below the organization’s Active Directory lockout policy settings. |
-Analytic Workflow
+| User Account Hacking | |
+| -------------------- | ---------------------- |
+| Definition | Repeated failed logins below lockout thresholds and/or over extended periods |
+| Example | Malware or a bad actor on the network is attempting to compromise an account by guessing the account’s password repeatedly until access is granted. To circumvent built-in lockout policies in Active Directory, the malware or bad actor will only guess so many times before backing off, making sure not to lockout the account. After a period of time has expired, it will continue its routine until the password is guessed correctly. This type of attack is easily automated using a script. The quiet nature of this type of attack often results in the attack going undetected.
\*The Enterprise Admin account (SID ending in -500) in Active Directory cannot be locked out making it vulnerable to hacking and eventual breach. While Active Directory will show the account is locked out on the object itself, as soon as the correct password is supplied, the account will be automatically unlocked, giving the perpetrator “God-rights” to the enterprise. |
+| Trigger | (X1 failed login attempts from an individual user account in Y1 minutes) OR (X2 failed login attempts from an individual user account in Y3 minutes) OR … |
+| Recommended Settings | Set the number of attempts 1 or 2 increments below the organization’s Active Directory lockout policy settings. |
+
+**Analytic Workflow**
1. Configure the analytic policy
2. Enable the analytic policy
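Review bot: three problems in the rebuilt User Account Hacking table. First, the Example cell breaks across lines at the `\*The Enterprise Admin account` sentence, so that footnote becomes its own one-cell table row; keep it on one line with `<br/>`. Second, there is no blank `+` line between the closing `:::` and the table header, unlike every other admonition in this patch; add one so the admonition and the table are separate blocks. Third, on content carried over onto rewritten lines: the account whose SID ends in -500 is the built-in Administrator account (the incident grid further down this file calls it the Administrator account), not an "Enterprise Admin" account, and the Trigger pattern `X1 ... Y1`, `X2 ... Y3` looks like it should read `Y2`.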
@@ -44,7 +47,7 @@ The Configure Analytics window has two tabs:
- Policy – Where filters can be added, additional actions configured, a custom schedule set, and the
policy enabled
-Settings Tab
+**Settings Tab**

@@ -71,7 +74,7 @@ Perpetrator** filter.
If checked, the **Ignore failed logins for unresolved user names** option will exclude bad user IDs
from contributing to User Account Hacking incidents.
-Policy Tab
+**Policy Tab**

@@ -91,9 +94,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
- _Optional_: Scope the protocol to be monitored on the Authentication Protocol filter. If
enabling the analytic on a domain controller, also scope the login type.
- **NOTE:** The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
+ :::note
+ The Exclude failed authentications with ‘N-2’ passwords option requires a GPO
within the organization be configured to ‘Enforce password history’ with a setting of a
minimum of ‘3 passwords remembered’ or it will not have an effect.
+ :::
+
- _Optional_: Scope the domains to be included in or excluded from monitoring on the
Domains/Servers filter.
@@ -101,9 +107,12 @@ The **Policy** tab for configuring analytics consists of three sub-tabs:
Addresses (from) filter, the IP Addresses (to) filter, the Hosts (from) filter, or the Hosts
(to) filter.
- **NOTE:** Some authentication events may return only a host name (NetBIOS or FQDN), others
+ :::note
+ Some authentication events may return only a host name (NetBIOS or FQDN), others
may return only an IP address. It is recommended to take this into account when entering
filter values.
+ :::
+
- Actions tab – Configured the same way a regular policy’s
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
@@ -129,7 +138,10 @@ The top data grid includes the following information for each incident:
- Attacked Account Name – Security principal of the account that triggered the incident
- **NOTE:** The name will be red if the attacking account is the Administrator account.
+ :::note
+ The name will be red if the attacking account is the Administrator account.
+ :::
+
- Attacked Account SID – Security Identifier of the account used in the event
- First Attempt – Date timestamp of the first monitored event that triggered the incident. Hover
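Review bot: the note reads "if the attacking account is the Administrator account", but the field it annotates is Attacked Account Name (and Attacked Account SID just below it); in this analytic the Administrator account is the target of the password guessing, so the note should say "attacked account". The wording appears to have been copied from the identical note in horizontalmovementattacks.md, where "attacking" is correct.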
diff --git a/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md b/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md
index 2eecf0f337..1694307c21 100644
--- a/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md
+++ b/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md
@@ -57,14 +57,17 @@ following requirements:
Example table entry for domain:
-ExampleDomain
+**ExampleDomain**
Example table entry for server:
-ExampleServer
+**ExampleServer**
-**NOTE:** Threat Prevention creates an empty table with the required prefix and schema if the [Table
+:::note
+Threat Prevention creates an empty table with the required prefix and schema if the [Table
name] entered does not exist in the NVMonitorConfig database.
+:::
+
## Dynamic Objects Collection Table Requirements
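Review bot: `**ExampleDomain**` / `**ExampleServer**` use bold for literal table values; inline code (`` `ExampleDomain` ``) is the usual convention for values the reader is expected to type, and it reads better for the later pipe-separated entries in this file (`CN=User,DC=Domain,DC=Local | S-1-5-21-... | 3 | 0`, `c:\Windows | 0 | ExampleFSserver`), where bold makes a row of sample data look like a sentence. Whichever is chosen, apply it to every example entry in the file; this patch leaves the `192.168.1.3` entry plain.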
@@ -81,10 +84,13 @@ requirements:
Example table entry:
-CN=User,DC=Domain,DC=Local
+**CN=User,DC=Domain,DC=Local**
-**NOTE:** Threat Prevention creates an empty table with the required prefix and schema if the [Table
+:::note
+Threat Prevention creates an empty table with the required prefix and schema if the [Table
name] entered does not exist in the NVMonitorConfig database.
+:::
+
## Dynamic Perpetrators Collections Table Requirements
@@ -95,19 +101,23 @@ must meet the following requirements:
- Table Naming Convention – Must have a prefix of ‘dc*perpetrators*’
- Table Schema – Must have the following columns:
-| Column Name | Column Type | Column Description |
-| -------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| AccountName | NVARCHAR (1024) | Distinguished name of the account. Cannot be null. |
-| AccountSid | NVARCHAR (184) | SDDL form of the account Security ID. Cannot be null. |
-| AccountType | INT | Account type using the following values: - 0 = none - 1 = user - 2 = group - 3 = context - 4 = orgRole - 5 = sidtype - 6 = other - 7 = dynamic - 8 = dynamic_group Cannot be null. |
-| IncludeSubtree | INT | Indicates if child containers should be used: - 0 = Child containers NOT included - 1 = Child containers included Cannot be null. |
+| Column Name | Column Type | Column Description |
+| -------------- | --------------- | ---------------------- |
+| AccountName | NVARCHAR (1024) | Distinguished name of the account. Cannot be null. |
+| AccountSid | NVARCHAR (184) | SDDL form of the account Security ID. Cannot be null. |
+| AccountType | INT | Account type using the following values:
- 0 = none
- 1 = user
- 2 = group
- 3 = context
- 4 = orgRole
- 5 = sidtype
- 6 = other
- 7 = dynamic
- 8 = dynamic_group
Cannot be null. |
+| IncludeSubtree | INT | Indicates if child containers should be used: - 0 = Child containers NOT included
- 1 = Child containers included
Cannot be null. |
+
Example table entry:
-CN=User,DC=Domain,DC=Local | S-1-5-21-1004336348-1177238915-682003330-500 | 3 | 0
+**CN=User,DC=Domain,DC=Local | S-1-5-21-1004336348-1177238915-682003330-500 | 3 | 0**
-**NOTE:** Threat Prevention creates an empty table with the required prefix and schema if the [Table
+:::note
+Threat Prevention creates an empty table with the required prefix and schema if the [Table
name] entered does not exist in the NVMonitorConfig database.
+:::
+
## Dynamic IP Addresses Collection Table Requirements
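Review bot: the AccountType and IncludeSubtree descriptions are split onto separate physical lines (`- 0 = none` through `Cannot be null. |`), which breaks the GFM table: each of those lines is parsed as its own row with the text in the first column, so the table renders with about a dozen extra rows and the `Cannot be null.` lines detached from their columns. Table cells cannot contain raw line breaks; keep the row on one line and use `<br/>`, e.g. `| AccountType | INT | Account type using the following values:<br/>0 = none<br/>1 = user<br/>2 = group<br/>3 = context<br/>4 = orgRole<br/>5 = sidtype<br/>6 = other<br/>7 = dynamic<br/>8 = dynamic_group<br/>Cannot be null. |`. The same pattern is introduced again in the File Paths table below. Also visible in context: the naming-convention line reads `‘dc*perpetrators*’`, which appears to be the prefix `dc_perpetrators_` with its underscores eaten as emphasis; putting it in code formatting (`` `dc_perpetrators_` ``) keeps the literal prefix the reader must use.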
@@ -126,8 +136,11 @@ Example table entry:
192.168.1.3
-**NOTE:** Threat Prevention creates an empty table with the required prefix and schema if the [Table
+:::note
+Threat Prevention creates an empty table with the required prefix and schema if the [Table
name] entered does not exist in the NVMonitorConfig database.
+:::
+
## Dynamic Hosts Collection Table Requirements
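Review bot: `192.168.1.3`, the example entry just above this admonition, is the only example value in this file the patch leaves unformatted while every other one is bolded; apply the same formatting here for consistency.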
@@ -149,18 +162,21 @@ requirements:
Example table entry with all fields populated:
-host | host.dc.com | 10.0.10.19 | fe80::4d72:80e9:72cf:425f%10
+**host | host.dc.com | 10.0.10.19 | fe80::4d72:80e9:72cf:425f%10**
Example table entry tjat excludes IP v6 Address:
-host | host.dc.com | 10.0.10.19 | [null]
+**host | host.dc.com | 10.0.10.19 | [null]**
Example table entry that excludes IP v4 Address:
-host | host.dc.com | [null] | fe80::4d72:80e9:72cf:425f%10
+**host | host.dc.com | [null] | fe80::4d72:80e9:72cf:425f%10**
-**NOTE:** Threat Prevention creates an empty table with the required prefix and schema if the [Table
+:::note
+Threat Prevention creates an empty table with the required prefix and schema if the [Table
name] entered does not exist in the NVMonitorConfig database.
+:::
+
## Dynamic File Paths Collection Table Requirements
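Review bot: the context line `Example table entry tjat excludes IP v6 Address:` has a typo (`tjat` should be `that`); since the lines around it are being rewritten, fix it in the same change. It would also help to say whether `[null]` in these examples means a literal NULL column value or the string `[null]`, since the reader populates this table by hand.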
@@ -171,18 +187,22 @@ requirements:
- Table Naming Convention – Must have a prefix of 'dc*file_path*'
- Table Schema – Must have the following columns:
-| Column Name | Column Type | Column Description |
-| -------------- | --------------- | ------------------------------------------------------------------------------------ |
-| Path | NVARCHAR (1024) | File path to the desired folder. Cannot be null. |
-| IncludeSubtree | INT | Indicates whether or not subfolders are processed: - 0 = Not Included - 1 = Included |
-| TargetAgent | NVARCHAR (1024) | Agent that monitors the target server. Cannot be null. |
+| Column Name | Column Type | Column Description |
+| -------------- | --------------- | ---------------------------------------------------------------------------------------------------------- |
+| Path | NVARCHAR (1024) | File path to the desired folder. Cannot be null. |
+| IncludeSubtree | INT | Indicates whether or not subfolders are processed: - 0 = Not Included
- 1 = Included
|
+| TargetAgent | NVARCHAR (1024) | Agent that monitors the target server. Cannot be null. |
+
Example table entry:
-c:\Windows | 0 | ExampleFSserver
+**c:\Windows | 0 | ExampleFSserver**
-**NOTE:** Threat Prevention creates an empty table with the required prefix and schema if the [Table
+:::note
+Threat Prevention creates an empty table with the required prefix and schema if the [Table
name] entered does not exist in the NVMonitorConfig database.
+:::
+
Two tables are created during the installation/upgrade process for the File Path collections:
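Review bot: the IncludeSubtree cell in the File Paths table is split across three lines, with a bare `|` on its own line, which breaks the table (the `- 1 = Included` line and the lone `|` each become a row). Keep the row on one line: `| IncludeSubtree | INT | Indicates whether or not subfolders are processed:<br/>0 = Not Included<br/>1 = Included |`. The context line `'dc*file_path*'` also looks like an escaped `dc_file_path_` prefix; code formatting (`` `dc_file_path_` ``) would stop the underscores being read as emphasis.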
diff --git a/docs/threatprevention/7.4/admin/configuration/collectionmanager/listcollections.md b/docs/threatprevention/7.4/admin/configuration/collectionmanager/listcollections.md
index 2d7a67930d..c4dfae5c0c 100644
--- a/docs/threatprevention/7.4/admin/configuration/collectionmanager/listcollections.md
+++ b/docs/threatprevention/7.4/admin/configuration/collectionmanager/listcollections.md
@@ -115,9 +115,12 @@ settings.
**Step 1 –** Select a collection on the List of Collections window and click **Remove**.
-**NOTE:** You cannot delete a collection that is assigned to an active policy, as indicated in the
+:::note
+You cannot delete a collection that is assigned to an active policy, as indicated in the
Dependency Count column. Remove a collection from all policies it has been assigned to before
deleting it.
+:::
+

diff --git a/docs/threatprevention/7.4/admin/configuration/collectionmanager/overview.md b/docs/threatprevention/7.4/admin/configuration/collectionmanager/overview.md
index 6350ec4d46..f664a4f77c 100644
--- a/docs/threatprevention/7.4/admin/configuration/collectionmanager/overview.md
+++ b/docs/threatprevention/7.4/admin/configuration/collectionmanager/overview.md
@@ -51,49 +51,50 @@ Select a collection category and click **Manage…** i to open the
Threat Prevention has the following pre-configured Collections:
-| Collection Type | Name |
-| --------------------- | --------------------------------------------------------- |
-| Domains and Servers | SBServers |
-| Objects | Administrator Accounts |
-| Objects | Administrator Groups |
-| Objects | Sensitive Groups |
-| Objects | Service Accounts |
-| Perpetrators | Administrative Accounts |
-| Perpetrators | Domain Administrators |
-| Perpetrators | Failed Authentications |
-| Perpetrators | Service Accounts |
-| Perpetrators | Successful Authentications |
-| Perpetrators | Successful HIPPAA PHI Account Authentications |
-| Perpetrators | System Accounts |
-| Lockdown Perpetrators | Allow Perpetrators |
-| Lockdown Perpetrators | Critical GPO - Allow Perpetrators |
-| Lockdown Perpetrators | DNS Records - Allow Perpetrators |
-| Lockdown Perpetrators | GPOs - Allow Perpetrators |
-| Lockdown Perpetrators | Group Lockdown - Allow Perpetrators |
+| Collection Type | Name |
+| --------------------- | ------------------- |
+| Domains and Servers | SBServers |
+| Objects | Administrator Accounts |
+| Objects | Administrator Groups |
+| Objects | Sensitive Groups |
+| Objects | Service Accounts |
+| Perpetrators | Administrative Accounts |
+| Perpetrators | Domain Administrators |
+| Perpetrators | Failed Authentications |
+| Perpetrators | Service Accounts |
+| Perpetrators | Successful Authentications |
+| Perpetrators | Successful HIPPAA PHI Account Authentications |
+| Perpetrators | System Accounts |
+| Lockdown Perpetrators | Allow Perpetrators |
+| Lockdown Perpetrators | Critical GPO - Allow Perpetrators |
+| Lockdown Perpetrators | DNS Records - Allow Perpetrators |
+| Lockdown Perpetrators | GPOs - Allow Perpetrators |
+| Lockdown Perpetrators | Group Lockdown - Allow Perpetrators |
| Lockdown Perpetrators | Group User OU Object Delete and Move - Allow Perpetrators |
-| Lockdown Perpetrators | Object Permissions - Allow Perpetrators |
-| Lockdown Perpetrators | OU Structure - Allow Perpetrators |
-| Lockdown Perpetrators | Root Object - Allow Perpetrators |
-| Lockdown Perpetrators | User Lockdown - Allow Perpetrators |
-| Classes | Exclude Classes |
-| Classes | Threat Manager - AD Excluded Classes |
-| Attributes | Exclude Attributes |
-| Attributes | Exclude User Attributes |
-| Attributes | Property Set: DNS-Host-Name-Attributes |
-| Attributes | Property Set: Domain-Other-Parameters |
-| Attributes | Property Set: Domain-Password |
-| Attributes | Property Set: General-Information |
-| Attributes | Property Set: Membership |
-| Attributes | Property Set: Personal-Information |
-| Attributes | Property Set: Private-Information |
-| Attributes | Property Set: Public-Information |
-| Attributes | Property Set: RAS-Information |
-| Attributes | Property Set: Terminal-Server-License-Server |
-| Attributes | Property Set: User-Account-Restrictions |
-| Attributes | Property Set: User-Login |
-| Attributes | Property Set: Web-Information |
-| Attributes | Threat Manager - AD Excluded Attributes |
-| Hosts | Domain Controllers |
-| Hosts | Exchanges Servers |
-| File Paths | Folders with Sensitive Data. If you |
-| File Paths | Open Shares |
+| Lockdown Perpetrators | Object Permissions - Allow Perpetrators |
+| Lockdown Perpetrators | OU Structure - Allow Perpetrators |
+| Lockdown Perpetrators | Root Object - Allow Perpetrators |
+| Lockdown Perpetrators | User Lockdown - Allow Perpetrators |
+| Classes | Exclude Classes |
+| Classes | Threat Manager - AD Excluded Classes |
+| Attributes | Exclude Attributes |
+| Attributes | Exclude User Attributes |
+| Attributes | Property Set: DNS-Host-Name-Attributes |
+| Attributes | Property Set: Domain-Other-Parameters |
+| Attributes | Property Set: Domain-Password |
+| Attributes | Property Set: General-Information |
+| Attributes | Property Set: Membership |
+| Attributes | Property Set: Personal-Information |
+| Attributes | Property Set: Private-Information |
+| Attributes | Property Set: Public-Information |
+| Attributes | Property Set: RAS-Information |
+| Attributes | Property Set: Terminal-Server-License-Server |
+| Attributes | Property Set: User-Account-Restrictions |
+| Attributes | Property Set: User-Login |
+| Attributes | Property Set: Web-Information |
+| Attributes | Threat Manager - AD Excluded Attributes |
+| Hosts | Domain Controllers |
+| Hosts | Exchanges Servers |
+| File Paths | Folders with Sensitive Data. If you |
+| File Paths | Open Shares |
+
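Review bot: the rewritten `File Paths` row still carries the truncated fragment "Folders with Sensitive Data. If you" in the Name column; since this hunk re-emits every row anyway, drop the dangling "If you" (or restore the sentence it belonged to) instead of copying it forward. The same pass could fix the carried-over spellings "HIPPAA" (HIPAA) and "Exchanges Servers" (Exchange Servers), and the stray " i " in the context line `click **Manage…** i to open the`. Note also that the new separator row `| --------------------- | ------------------- |` is narrower than the longest Name cell, so the next formatter run will rewrite this table again and produce another whitespace-only diff.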
diff --git a/docs/threatprevention/7.4/admin/configuration/databasemaintenance/enable.md b/docs/threatprevention/7.4/admin/configuration/databasemaintenance/enable.md
index 1583e37105..a1cc03f165 100644
--- a/docs/threatprevention/7.4/admin/configuration/databasemaintenance/enable.md
+++ b/docs/threatprevention/7.4/admin/configuration/databasemaintenance/enable.md
@@ -9,8 +9,11 @@ sidebar_position: 10
Database maintenance can be enabled for all or specific event types, analytics, and/or policies. It
can be enabled for any combination of event type data, analytic data, and policy data.
-_Remember,_ the Event Type maintenance settings take precedence over Policy maintenance settings
+:::tip
+Remember, the Event Type maintenance settings take precedence over Policy maintenance settings
where the selected policy employs that event type.
+:::
+
Follow the steps to enable database maintenance.
diff --git a/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md b/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md
index d268d5fe4c..34e32ba717 100644
--- a/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md
+++ b/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md
@@ -12,9 +12,12 @@ per Event Type, per Analytics, and/or per Policy. While all three options can be
different operations and retention periods, the Event Type maintenance settings take precedence over
Policy maintenance settings where the selected policy employs that event type.
-_Remember,_ See the Database Maintenance Permission details in the
+:::tip
+Remember, See the Database Maintenance Permission details in the
[Database Maintenance Feature Requirements](/docs/threatprevention/7.4/requirements/sqlserver/dbmaintenance.md)
topic for additional information.
+:::
+
See the
[Stored Procedures](/docs/threatprevention/7.4/admin/configuration/databasemaintenance/storedprocedures.md)
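Review bot: "Remember, See the Database Maintenance Permission details" keeps a capitalised "See" mid-sentence now that the italic `_Remember,_` lead-in has become plain text inside the `:::tip`; lowercase it ("Remember, see the ...") or drop "Remember," and let the admonition carry the emphasis.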
@@ -77,12 +80,15 @@ topic for additional information.
**Step 5 –** Click **Save** to save the changes.
-**_RECOMMENDED:_** The SQL Server databases should be configured to use 'Simple Recovery Mode' in
+:::info
+The SQL Server databases should be configured to use 'Simple Recovery Mode' in
the
[SQL Server Requirements](/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md).
This configuration has a direct impact on the size of the transaction log during database
maintenance delete tasks. If Simple Recovery Mode is not configured on the databases, the
transaction log may get quite large during delete tasks.
+:::
+
## Event Type Tab
diff --git a/docs/threatprevention/7.4/admin/configuration/databasemaintenance/storedprocedures.md b/docs/threatprevention/7.4/admin/configuration/databasemaintenance/storedprocedures.md
index a5dd510660..af6a2c09ba 100644
--- a/docs/threatprevention/7.4/admin/configuration/databasemaintenance/storedprocedures.md
+++ b/docs/threatprevention/7.4/admin/configuration/databasemaintenance/storedprocedures.md
@@ -11,16 +11,17 @@ databases. See the
[Database Maintenance Window](/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md)
topic for additional information.
-| Name | When Threat Prevention Uses the Procedure | What the Stored Procedure Does |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| DeleteAuthAnalytics | Called from the SQLAgent job if the “Delete” operation is selected for database maintenance for Authentication Analytics. | This stored procedure deletes “old” data from the database in the following tables: - A_Login - A_Login2Policy - AR_BruteForceAttacks - AR_UserAccountHackingAttacks - AR_HorizontalMovementAttacks - AR_BadUserIdByUser - AR_BadUserIdByHost - AR_BreachedPassword - AR_ConcurrentLogins - AR_DiamondPAC - AR_EventTracker - AR_ImpersonationLogins - AR_GoldenTickets - AR_KerberosWeakEncryption |
-| DeleteByPolicy | Called from the SQLAgent job if the “Delete” operation is selected for database maintenance for selected policies. | This stored procedure deletes “old” data from the database in the following tables: - NvEvent - NvEvent_EventTracker - AttributeValue - OldAttributeValue - EventPolicy - E_LDAP - E_LDAP_EventTracker - E_LDAP2Policy |
-| DeleteFSAnalytics | Called from the SQLAgent job if the “Delete” operation is selected for database maintenance File System Analytics. | This stored procedure deletes “old” data from the database in the following tables: - A_FS - A_FS2Policy - AR_FilesPerUser - AR_EventTracker |
-| Delete LDAP | Called from the SQL Agent job if the “Delete” operation is selected for database maintenance for the LDAP Event Type. | This stored procedure deletes “old” data from the database in the following tables: - E_LDAP - E_LDAP_EventTracker - E_LDAP2Policy |
-| DeleteNvEventByEventType | Called from the SQL Agent job if the “Delete” operation is selected for database maintenance for all Event Types except LDAP. | This stored procedure deletes “old” data from the database in the following tables: - NvEvent - NvEvent_EventTracker - AttributeValue - OldAttributeValue - EventPolicy |
-| MoveAuthAnalytics | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for Authentication Analytics. | This stored procedure moves “old” data from one database to another in the following tables: - A_Login - A_Login2Policy - AR_BruteForceAttacks - AR_UserAccountHackingAttacks - AR_HorizontalMovementAttacks - AR_BadUserIdByUser - AR_BadUserIdByHost - AR_BreachedPassword - AR_ConcurrentLogins - AR_DiamondPAC - AR_EventTracker - AR_ImpersonationLogins - AR_GoldenTickets - AR_KerberosWeakEncryption |
-| MoveByPolicy | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for selected policies. | This stored procedure moves “old” database from one database to another in the following tables: - NvEvent - NvEvent_EventTracker - AttributeValue - OldAttributeValue - EventPolicy - E_LDAP - E_LDAP_EventTracker - E_LDAP2Policy |
-| MoveFSAnalytics | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for File System Analytics. | This stored procedure moves “old” data from one database into another in the following tables: - A_FS - A_FS2Policy - AR_FilesPerUser - AR_EventTracker |
-| Move LDAP | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for LDAP Event Type. | This stored procedure moves “old” data from one database into another in the following tables: - E_LDAP - E_LDAP_EventTracker - E_LDAP2Policy |
-| MoveNvEventsByEventType | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for all Event Types except LDAP. | This stored procedure moves “old” data from one database to another in the following tables: - NvEvent - NvEvent_EventTracker - AttributeValue - OldAttributeValue - EventPolicy |
-| RdbPolicyCopy | Called from the SQLAgent job if the “Move” operation is selected for database maintenance. | This stored procedure creates a copy of the RdbPolicy table in the target database. |
+| Name | When Threat Prevention Uses the Procedure | What the Stored Procedure Does |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| DeleteAuthAnalytics | Called from the SQLAgent job if the “Delete” operation is selected for database maintenance for Authentication Analytics. | This stored procedure deletes “old” data from the database in the following tables: - A_Login
- A_Login2Policy
- AR_BruteForceAttacks
- AR_UserAccountHackingAttacks
- AR_HorizontalMovementAttacks
- AR_BadUserIdByUser
- AR_BadUserIdByHost
- AR_BreachedPassword
- AR_ConcurrentLogins
- AR_DiamondPAC
- AR_EventTracker
- AR_ImpersonationLogins
- AR_GoldenTickets
- AR_KerberosWeakEncryption
|
+| DeleteByPolicy | Called from the SQLAgent job if the “Delete” operation is selected for database maintenance for selected policies. | This stored procedure deletes “old” data from the database in the following tables: - NvEvent
- NvEvent_EventTracker
- AttributeValue
- OldAttributeValue
- EventPolicy
- E_LDAP
- E_LDAP_EventTracker
- E_LDAP2Policy
|
+| DeleteFSAnalytics | Called from the SQLAgent job if the “Delete” operation is selected for database maintenance File System Analytics. | This stored procedure deletes “old” data from the database in the following tables: - A_FS
- A_FS2Policy
- AR_FilesPerUser
- AR_EventTracker
|
+| Delete LDAP | Called from the SQL Agent job if the “Delete” operation is selected for database maintenance for the LDAP Event Type. | This stored procedure deletes “old” data from the database in the following tables: - E_LDAP
- E_LDAP_EventTracker
- E_LDAP2Policy
|
+| DeleteNvEventByEventType | Called from the SQL Agent job if the “Delete” operation is selected for database maintenance for all Event Types except LDAP. | This stored procedure deletes “old” data from the database in the following tables: - NvEvent
- NvEvent_EventTracker
- AttributeValue
- OldAttributeValue
- EventPolicy
|
+| MoveAuthAnalytics | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for Authentication Analytics. | This stored procedure moves “old” data from one database to another in the following tables: - A_Login
- A_Login2Policy
- AR_BruteForceAttacks
- AR_UserAccountHackingAttacks
- AR_HorizontalMovementAttacks
- AR_BadUserIdByUser
- AR_BadUserIdByHost
- AR_BreachedPassword
- AR_ConcurrentLogins
- AR_DiamondPAC
- AR_EventTracker
- AR_ImpersonationLogins
- AR_GoldenTickets
- AR_KerberosWeakEncryption
|
+| MoveByPolicy | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for selected policies. | This stored procedure moves “old” database from one database to another in the following tables: - NvEvent
- NvEvent_EventTracker
- AttributeValue
- OldAttributeValue
- EventPolicy
- E_LDAP
- E_LDAP_EventTracker
- E_LDAP2Policy
|
+| MoveFSAnalytics | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for File System Analytics. | This stored procedure moves “old” data from one database into another in the following tables: - A_FS
- A_FS2Policy
- AR_FilesPerUser
- AR_EventTracker
|
+| Move LDAP | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for LDAP Event Type. | This stored procedure moves “old” data from one database into another in the following tables: - E_LDAP
- E_LDAP_EventTracker
- E_LDAP2Policy
|
+| MoveNvEventsByEventType | Called from the SQLAgent job if the “Move” operation is selected for database maintenance for all Event Types except LDAP. | This stored procedure moves “old” data from one database to another in the following tables: - NvEvent
- NvEvent_EventTracker
- AttributeValue
- OldAttributeValue
- EventPolicy
|
+| RdbPolicyCopy | Called from the SQLAgent job if the “Move” operation is selected for database maintenance. | This stored procedure creates a copy of the RdbPolicy table in the target database. |
+
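Review bot: splitting the third column across lines breaks the table. A GFM/MDX table row has to sit on a single line, so after `| DeleteAuthAnalytics | ... following tables: - A_Login` the following `- A_Login2Policy` lines are parsed as a bullet list and the bare `|` as stray text, and none of the remaining rows render as table rows. Either keep each row on one line as before (using `<br />` between table names if line breaks inside the cell are wanted) or move the per-procedure table lists out of the table into subsections. While here, the MoveByPolicy row still reads "moves “old” database from one database to another"; that should be "data".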
diff --git a/docs/threatprevention/7.4/admin/configuration/epesettings.md b/docs/threatprevention/7.4/admin/configuration/epesettings.md
index 02a49fea16..b787a40581 100644
--- a/docs/threatprevention/7.4/admin/configuration/epesettings.md
+++ b/docs/threatprevention/7.4/admin/configuration/epesettings.md
@@ -31,7 +31,10 @@ the environment:
Prior to deploying the HIBP database, consider the pros and cons when choosing its deployment
location. It can be deployed on the Threat Prevention Agent and/or the Enterprise Manager machine.
-_Remember,_ both the Agent and the Enterprise Manager can be in one environment.
+:::tip
+Remember, both the Agent and the Enterprise Manager can be in one environment.
+:::
+
If the HIBP database is copied to and stored on the Agent:
@@ -64,7 +67,10 @@ If the HIBP database is kept only on the Enterprise Manager:
Click **Configuration > EPE Settings** on the menu to open the EPE Settings window.
-**NOTE:** The EPE Settings window is only available to Threat Prevention administrators.
+:::note
+The EPE Settings window is only available to Threat Prevention administrators.
+:::
+

@@ -78,16 +84,22 @@ Manager for the first time. It displays the source from where the database was d
version, and the number of hashes it contains. It also shows a thumbprint value that changes
whenever the content of the Hash DB changes.
-_Remember,_ the HIBP dataset is updated at random intervals by its publisher. It can go weeks or
+:::tip
+Remember, the HIBP dataset is updated at random intervals by its publisher. It can go weeks or
even months with no changes.
+:::
+
### Check for Update Options
The Check for Update options area specifies when the Netwrix website is checked for a new version of
the HIBP database.
-**NOTE:** These options are enabled after the HIBP database has been deployed to Enterprise Manager
+:::note
+These options are enabled after the HIBP database has been deployed to Enterprise Manager
for the first time.
+:::
+
Configure the following options:
@@ -100,7 +112,10 @@ Configure the following options:
HIBP database. If only this option is selected, then an alert is generated in the Administration
Console when a new version is detected.
- **NOTE:** This checkbox does not automatically download the new HIBP database version.
+ :::note
+ This checkbox does not automatically download the new HIBP database version.
+ :::
+
- Update pwned DB on new version – Checks the Netwrix website for HIBP updates and then updates the
Enterprise Manager server if a new version is detected
@@ -113,18 +128,24 @@ intervals.
Threat Prevention utilizes the Passwords Hash database to check if users’ new and pending password
(i.e. during a password reset) matches the hash of a compromised password from a data breach.
-**NOTE:** First-time configuration of this window requires downloading the HIBP database from the
+:::note
+First-time configuration of this window requires downloading the HIBP database from the
Netwrix website. If the Administration Console does not have internet access, see the
[Download and Configure the Have I Been Pwnd Hash List](#download-and-configure-the-have-i-been-pwnd-hash-list)
topic for instructions.
+:::
+
-**CAUTION:** Ensure the initial update of the database occurs during non-office hours. Due to the
+:::warning
+Ensure the initial update of the database occurs during non-office hours. Due to the
size of the hash file, this download takes up a significant amount of CPU and download time.
+:::
+
- Passwords Hash Database Folder (path on Threat Prevention Server) – Central location of the Pwned
database on the application server. The default path is:
- …\Netwrix\Netwrix Treat Prevention\SIEnterpriseManager\PwnedStore
+**…\Netwrix\Netwrix Treat Prevention\SIEnterpriseManager\PwnedStore**
- Update Type:
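Review bot: `**…\Netwrix\Netwrix Treat Prevention\SIEnterpriseManager\PwnedStore**` drops the two-space indentation the removed line had, so it no longer renders as a continuation of the "Passwords Hash Database Folder" list item; indent it to match, and since it is a file path it belongs in inline code (backticks) rather than bold. "Treat Prevention" is a carried-over typo for "Threat Prevention" that is worth fixing in the same line.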
@@ -133,10 +154,13 @@ size of the hash file, this download takes up a significant amount of CPU and do
instead of downloading the full HIBP database. This option is enabled after a full download of
the HIBP database has completed.
- **NOTE:** Only the full HIBP database file obtained from the Netwrix website has version
+ :::note
+ Only the full HIBP database file obtained from the Netwrix website has version
information. That full HIBP database file can be obtained using the Website option.
Alternately, the HIBP database can be obtained outside of the application by downloading it
directly from the Netwrix website using an FTP connection:
+ :::
+
- [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip)
- [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt)
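Review bot: the closing `:::` lands directly after "...downloading it directly from the Netwrix website using an FTP connection:", so the colon now introduces nothing inside the admonition and the two download links render as a separate list underneath it. Either move the two link bullets inside the `:::note` block or end the sentence with a full stop. Also, the text says "FTP connection" while both links are https URLs.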
@@ -184,7 +208,10 @@ messages regardless of their location. Supported languages include:
- Spanish
- Thai
-_Remember,_ the module must be deployed to end user computers.
+:::tip
+Remember, the module must be deployed to end user computers.
+:::
+
The User Feedback Module section has the following checkboxes:
@@ -233,8 +260,11 @@ The Password Dictionary window is a global setting used across all EPE policies.
centralized copy of the dictionary.dat file. This modifiable file contains all compromised
passwords. You can add, remove, and modify passwords in the list.
-_Remember,_ for the password to be rejected, the user pending password must match exactly to a
+:::tip
+Remember, for the password to be rejected, the user pending password must match exactly to a
password in the Password Dictionary list.
+:::
+
Click the **Modify Passwords Dictionary** button in the Rules area on the EPE Settings window. The
Password Dictionary window is displayed.
@@ -288,7 +318,10 @@ The Substitutions Editor window is a global setting used across all EPE policies
substitutions and their associated replacements are stored in this editor as rules (i.e. A = @). The
Words List Dictionary applies these rules when checking all permutations of a user entered password.
-**NOTE:** All entries in the sequence column must be unique.
+:::note
+All entries in the sequence column must be unique.
+:::
+
For example: If “Goal” is added to the Word List Dictionary and A=@ and O=0 are added to the
substitutions editor, then the pending passwords of “Go@l” and “G0al” will be blocked.
@@ -306,7 +339,10 @@ The Substitutions Editor has the following options:
installation. Any modifications are discarded.
- Insert – Displays a custom row for the user to enter Sequence and Replacement values
- **NOTE:** The new row is inserted underneath the current highlighted row.
+ :::note
+ The new row is inserted underneath the current highlighted row.
+ :::
+
- Delete – Removes a single row from the Substitutions Editor list. Only one row can be deleted at a
time.
@@ -323,15 +359,18 @@ The Pwnd Passwords Downloader is a Dotnet tool used to download all Pwned Passwo
save them offline so they can be used without a dependency on the k-anonymity API. Use this tool to
get the latest breached hashes from the Have I Been Pwnd (HIBP) database.
-**NOTE:** The
+:::note
+The
[](https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader)[Pwnd Passwords Downloader](https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader)
is a third party, open source tool, created by the HaveIBeenPwned team and distributed under a BSD
3-Clause License. You might experience issues during the hash download process, depending on your
threading settings or the load on the CloudFlare backend. The Pwnd Passwords Downloader tool will
automatically retry to continue downloading the hashes until it fully completes the download
process.
+:::
+
-Prerequisites
+**Prerequisites**
The Pwnd Passwords Downloader has the following prerequisite:
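Review bot: the empty link `[](https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader)` survives the conversion and renders as an empty anchor in MDX; delete it and keep only the named `[Pwnd Passwords Downloader](...)` link. Separately, `**Prerequisites**` (and the similar bold lines later in this file) replace what were section titles; a `###` heading would give them anchors and table-of-contents entries, which bold text does not.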
@@ -343,7 +382,7 @@ The Pwnd Passwords Downloader has the following prerequisite:
The Have I Been Pwnd database (HIBP) hashes can take up to 30 GB. Make sure that you have enough
free space on your disk.
-Install the Pwnd Passwords Downloader
+**Install the Pwnd Passwords Downloader**
Follow the steps to install the Pwnd Passwords Downloader.
@@ -360,7 +399,7 @@ dotnet tool install --global haveibeenpwned-downloader
**Step 3 –** Close the command prompt.
-Update an Installed Pwnd Passwords Downloader
+**Update an Installed Pwnd Passwords Downloader**
Follow the steps to update an installed Pwnd Passwords Downloader.
@@ -374,7 +413,7 @@ dotnet tool update --global haveibeenpwned-downloader

-Download NTML Hashes with the Pwnd Passwords Downloader
+**Download NTML Hashes with the Pwnd Passwords Downloader**
Follow the steps to download NTLM hashes.
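Review bot: the new bold line `**Download NTML Hashes with the Pwnd Passwords Downloader**` keeps the "NTML" typo while the next line correctly says "download NTLM hashes"; fix it to NTLM when touching this line.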
diff --git a/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md b/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md
index 5beeaccf99..a3bcf25ffa 100644
--- a/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md
+++ b/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md
@@ -10,7 +10,10 @@ The Event Filtering Configuration window enables you to exclude specific Active
Authentication events from being monitored. A latency threshold can be set to generate alerts for AD
events.
-**NOTE:** This window is only available to Threat Prevention administrators.
+:::note
+This window is only available to Threat Prevention administrators.
+:::
+
Follow the steps to enable event filtering.
@@ -27,11 +30,17 @@ To disable a filter for diagnostic purposes, simply uncheck its checkbox and cli
Click the Help icon (?) for an option in the AD Global Pre Filters area to view the type of “noise”
events being filtered.
-**NOTE:** All Authentication Global Pre Filters options require configuration before they can be
+:::note
+All Authentication Global Pre Filters options require configuration before they can be
enabled.
+:::
+
-**_RECOMMENDED:_** Enable all the AD Global Pre Filters options as well as the Exclude Logins from
+:::info
+Enable all the AD Global Pre Filters options as well as the Exclude Logins from
Machine Accounts option in the Authentication Global Pre Filters section.
+:::
+
When activated, the Agent filters out the event data according to configurations defined in the
filters.json file located in the installation directory of the Enterprise Manager.
@@ -108,7 +117,7 @@ Select one of the following radio buttons to apply to the list of account names:
Repeat the process until all machine accounts to be included or excluded from Authentication event
data have been entered in the list. Then click **OK**.
-Usage Tip
+**Usage Tip**
Windows Server 2012 introduced gMSA (Group Managed Service Accounts). gMSA accounts include
“$” in their names, so by default Threat Prevention filters out authentication traffic generated by these accounts because they ‘look’ like machine accounts which prior to Server 2012 were the only account names ending in “$”.
@@ -145,7 +154,7 @@ The Exclude Authentication Events from Selected Accounts option is disabled by d
requires configuration before it can be enabled. Click the selected accounts link to open the Edit
Collection window.
-
+
The Exclude Authentication Events from Selected Accounts collection is only accessible through the
Event Filtering Configuration window. Use the **Add** (+) button to open the
diff --git a/docs/threatprevention/7.4/admin/configuration/filemonitorsettings.md b/docs/threatprevention/7.4/admin/configuration/filemonitorsettings.md
index a9c99daf8c..a0c58df547 100644
--- a/docs/threatprevention/7.4/admin/configuration/filemonitorsettings.md
+++ b/docs/threatprevention/7.4/admin/configuration/filemonitorsettings.md
@@ -76,8 +76,11 @@ to browse for and select AD accounts.
Any accounts added to the list are excluded globally from File System activity.
-**NOTE:** If the **Exclude selected processes** option is checked, any file activity generated by
+:::note
+If the **Exclude selected processes** option is checked, any file activity generated by
the processes added will have their File System activity ignored.
+:::
+
## Select Local Processes to Exclude
diff --git a/docs/threatprevention/7.4/admin/configuration/systemalerting/email.md b/docs/threatprevention/7.4/admin/configuration/systemalerting/email.md
index 797c29d0d6..6e74f9d591 100644
--- a/docs/threatprevention/7.4/admin/configuration/systemalerting/email.md
+++ b/docs/threatprevention/7.4/admin/configuration/systemalerting/email.md
@@ -53,7 +53,10 @@ recipients of the selected Message Profiles.
Follow the steps to configure the SMTP host information for email alerting.
-_Remember,_ this is a one-time setting to enable email alerts from the Administration Console.
+:::tip
+Remember, this is a one-time setting to enable email alerts from the Administration Console.
+:::
+

@@ -82,8 +85,11 @@ checkbox and provide a username and password in the boxes that appear.
Message Profiles are associated with events for email alerting. Follow the steps to create a Message
Profile.
-**NOTE:** When the Message Profile is modified for an alert, all policies referencing the alert use
+:::note
+When the Message Profile is modified for an alert, all policies referencing the alert use
the updated information.
+:::
+

@@ -95,7 +101,10 @@ Alerting window opens.
**Step 3 –** In the Message Profiles area, click the **Add** (+) button to create a Message Profile.
The default profile name (New Email Notification) is displayed.
-**_RECOMMENDED:_** Provide a unique and descriptive name for this new email notification profile.
+:::info
+Provide a unique and descriptive name for this new email notification profile.
+:::
+
**Step 4 –** Choose between **Plain Text** and **HTML** email options. The Email Template window
displays when selecting either radio button.
@@ -163,9 +172,12 @@ The available Event Data Fields and their associated tokens are:
| Old Attribute Values | %OLD_ATTRIBUTE_VALUE% |
| Attribute Operations | %OPERATION% |
-**CAUTION:** The tokens used within the message Body, the information between and including the %
+:::warning
+The tokens used within the message Body, the information between and including the %
symbols (e.g. %TIME_STAMP%), must be present to retrieve that event data from the database. Tokens
can be removed, but partial tokens do not retrieve data from the database.
+:::
+
**Step 9 –** Click **OK** to save the settings.
diff --git a/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md b/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md
index 154053ccf1..30e4b29fb3 100644
--- a/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md
+++ b/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md
@@ -14,7 +14,7 @@ manage all alerting avenues. Click **Configuration** > **Alerts** on the menu to
Alerts can be sent to recipients via email, to Windows Event Log, and to SIEM products. Alerts are
grouped into five types:
-Threat Prevention Security events
+**Threat Prevention Security events**
The Security type provides alerts on things that impact:
@@ -22,21 +22,21 @@ The Security type provides alerts on things that impact:
- The ability to collect the data
- Changes to who can access it
-Threat Prevention Operations events
+**Threat Prevention Operations events**
The Operations type provides alerts on internal operations of the product that are not directly
influenced by a user.
-Threat Prevention Configuration events
+**Threat Prevention Configuration events**
The Configuration type provides alerts on changes to general configuration settings.
-Analytic incidents
+**Analytic incidents**
The Analytics type provides alerts when an analytic incident is triggered. These alerts are not
available for Event Log alerts.
-Policy events
+**Policy events**
The Policies type provides alerts when a policy monitors or blocks an event. These alerts are not
available for Event Log alerts.
@@ -87,10 +87,13 @@ Below are some considerations:
Prevention administrator should check if the Agent service is set to manual start. The most likely
solution is to upgrade to the latest version of the Agent.
- **_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See
+ :::info
+ Activate an email notification for the _LSASS process terminated_ alert. See
the
[Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.4/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert)
topic for additional information.
+ :::
+
- In addition to the LSASS process termination check, the Agent can be configured for a Safe Mode.
In Safe Mode, the Agent records the version of the LSASS DLLs that it hooks into during
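Review bot: replacing `**_RECOMMENDED:_**` with a bare `:::info` drops the recommendation wording, so the box now reads as neutral information rather than advice; give the admonition a title (for example `:::info[Recommended]`) or use `:::tip`. Because the bullet was also removed, the `:::info` line and its continuation lines (`the`, the link, `topic for additional information.`) must share the same indentation under the list, otherwise the block renders outside the list it belongs to.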
@@ -103,8 +106,11 @@ Below are some considerations:
[Start Pending Modules](/docs/threatprevention/7.4/admin/agents/agentmanagement/startpendingmodules.md)
topic for additional information.
- **_RECOMMENDED:_** Activate an email notification for this alert. See the
+ :::info
+ Activate an email notification for this alert. See the
[Enable Agent Started in AD Monitor Pending Mode Email Alert](/docs/threatprevention/7.4/admin/agents/safemode.md#enable-agent-started-in-ad-monitor-pending-mode-email-alert)
topic and the
[Agent Safe Mode](/docs/threatprevention/7.4/admin/agents/safemode.md)
topic for additional information.
+
+ :::
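Review bot: the closing `:::` here comes after a blank line (`+` then `+  :::`), while the admonition added earlier in this file closes directly after its last sentence and then leaves a blank line; use one layout throughout, preferably text, `:::`, blank line, so each nested block ends where its list item does.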
diff --git a/docs/threatprevention/7.4/admin/configuration/systemalerting/siem.md b/docs/threatprevention/7.4/admin/configuration/systemalerting/siem.md
index 79218c4dc2..35cef84982 100644
--- a/docs/threatprevention/7.4/admin/configuration/systemalerting/siem.md
+++ b/docs/threatprevention/7.4/admin/configuration/systemalerting/siem.md
@@ -64,7 +64,10 @@ Alerting window opens.
**Step 2 –** In the SIEM Profiles area, click the Add (+) button to create a new SIEM profile. To
rename the default text, select the name string and enter the new profile name.
-**_RECOMMENDED:_** For each profile, use a unique name for easy identification.
+:::info
+For each profile, use a unique name for easy identification.
+:::
+
**Step 3 –** Use the Protocol drop-down menu to select either protocol:
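Review bot: the `**_RECOMMENDED:_**` label disappears in the conversion to `:::info`; an untitled info box does not tell the reader this is advice rather than a fact, so add a title such as `:::info[Recommended]`.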
@@ -105,7 +108,7 @@ of a policy or the
[Actions Tab](/docs/threatprevention/7.4/admin/templates/configuration/actions.md) of a
policy template.
-IBM QRadar Integration
+**IBM QRadar Integration**
Netwrix has created a custom app for integration between Threat Prevention and QRadar. See the
[Active Directory App for QRadar](/docs/threatprevention/7.4/siemdashboard/qradar/overview.md)
@@ -114,7 +117,7 @@ data from either Threat Prevention or Netwrix Activity Monitor. See the
[Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor)
for additional information.
-Splunk Integration
+**Splunk Integration**
Netwrix has created custom apps for integration between Threat Prevention and Splunk. See the
[Active Directory App for Splunk](/docs/threatprevention/7.4/siemdashboard/activedirectory/overview.md)
@@ -131,7 +134,7 @@ Custom SIEM mapping files can be added. First create the mapping file, and save
that the Administration Console can access. The default mapping files are stored in the following
folder:
-…\Netwrix\Netwrix Threat Prevention\SIWinConsole\SIEMTemplates\
+**…\Netwrix\Netwrix Threat Prevention\SIWinConsole\SIEMTemplates\**
Follow the steps to add a custom SIEM mapping file.
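Review bot: `**…\Netwrix\Netwrix Threat Prevention\SIWinConsole\SIEMTemplates\**` will not render as bold, because the trailing `\*` is a Markdown escape for a literal asterisk and the closing `**` is never recognised. A folder path belongs in a code span in any case: `` `…\Netwrix\Netwrix Threat Prevention\SIWinConsole\SIEMTemplates\` ``.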
diff --git a/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md b/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md
index 71f4f98c92..51f8441eb4 100644
--- a/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md
+++ b/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md
@@ -10,7 +10,7 @@ The Netwrix Threat Manager Configuration window is a global setting to enable in
Threat Prevention and Threat Manager. This window is only available to Threat Prevention
administrators.
-Threat Manager App Token
+**Threat Manager App Token**
The Threat Manager App Token authenticates connection between Threat Prevention and Threat Manager.
This token is generated in Threat Manager:
@@ -42,7 +42,10 @@ and port in the following format. The default port for Threat Manager is **10001
- For an example with the host name – amqp://ExampleHost:10001
- For an example with the host address – amqp://192.168.9.52:10001
-**CAUTION:** Do not use localhost for the hostname or 127.0.0.1 for the IP address.
+:::warning
+Do not use localhost for the hostname or 127.0.0.1 for the IP address.
+:::
+
**Step 4 –** In the App Token box, enter the App Token generated on the App Tokens page in Threat
Manager.
@@ -64,9 +67,12 @@ The following is displayed for each policy:
All real-time event data from the selected Threat Prevention policies is now being sent to Threat
Manager.
-**NOTE:** The Threat Manager URI configuration can also be used to send Threat Prevention policy
+:::note
+The Threat Manager URI configuration can also be used to send Threat Prevention policy
data to the Activity Monitor host and port (example: amqp://localhost:4499). Threat Prevention can
only send to either Threat Manager or the Activity Monitor.
+:::
+
## Honey Token Tab
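Review bot: the `:::warning` added above says not to use localhost or 127.0.0.1, and the `:::note` here gives `amqp://localhost:4499` as the example; now that both sit in highlighted boxes the apparent contradiction is hard to miss. State explicitly that the localhost restriction applies to the Threat Manager host only, or change the Activity Monitor example to a host name.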
diff --git a/docs/threatprevention/7.4/admin/configuration/userroles/add.md b/docs/threatprevention/7.4/admin/configuration/userroles/add.md
index 9ef282c92b..c4142b9e2b 100644
--- a/docs/threatprevention/7.4/admin/configuration/userroles/add.md
+++ b/docs/threatprevention/7.4/admin/configuration/userroles/add.md
@@ -26,10 +26,13 @@ or Group list.
Operator, are displayed. Select the checkbox for a role to assign it to the user. Checking
Administrator automatically checks the Console Operator role.
-_Remember,_ the Report User role was a legacy role for the IIS-based SI Reporting Console and does
+:::tip
+Remember, the Report User role was a legacy role for the IIS-based SI Reporting Console and does
not apply to the Netwrix Threat Manager Reporting Module console. See the
[User Access Page](/docs/threatprevention/7.4/reportingmodule/configuration/interface/useraccess.md)
topic for information on granting report access.
+:::
+
**Step 5 –** _(Optional)_ Create as many users as required before clicking OK.
diff --git a/docs/threatprevention/7.4/admin/configuration/userroles/overview.md b/docs/threatprevention/7.4/admin/configuration/userroles/overview.md
index 89459bf675..eb65606d87 100644
--- a/docs/threatprevention/7.4/admin/configuration/userroles/overview.md
+++ b/docs/threatprevention/7.4/admin/configuration/userroles/overview.md
@@ -15,7 +15,10 @@ Click **Configuration** > **Users** on the menu to open the Users and Roles wind

-**NOTE:** This window is only available to Threat Prevention administrators.
+:::note
+This window is only available to Threat Prevention administrators.
+:::
+
The user account that ran the installation is automatically set with the administrator role. This is
the only active user until more are added. This ensures that no unauthorized accounts can open the
@@ -29,12 +32,15 @@ There are two roles that can be applied to a Threat Prevention user:
the [Administrator Permissions](#administrator-permissions) topic for additional information.
- Console Operator – Can create and run policies, and view event data.
-**NOTE:** The Report User role was a legacy feature for the IIS-based Reporting Console and is no
+:::note
+The Report User role was a legacy feature for the IIS-based Reporting Console and is no
longer applicable. See the
[Reporting Module](/docs/threatprevention/7.4/reportingmodule/overview.md)
topic for information on the new reporting console.
+:::
+
-Administration Console Rights
+**Administration Console Rights**
| | Administrator | Console Operator |
| ----------------------------------------------------------- | ------------------------------- | ------------------------------- |
diff --git a/docs/threatprevention/7.4/admin/investigate/datagrid.md b/docs/threatprevention/7.4/admin/investigate/datagrid.md
index 265d775f9c..dd01114185 100644
--- a/docs/threatprevention/7.4/admin/investigate/datagrid.md
+++ b/docs/threatprevention/7.4/admin/investigate/datagrid.md
@@ -65,7 +65,10 @@ event:
- File System monitoring/blocking – Original path of the affected file or folder
- Authenticate – DN of the user object making the request
- **NOTE:** For LDAP bind/monitoring/blocking, Affected Object Path is not used
+ :::note
+ For LDAP bind/monitoring/blocking, Affected Object Path is not used
+ :::
+
- Agent: Domain – Active Directory domain where the Agent that monitored/blocked the event is
deployed
diff --git a/docs/threatprevention/7.4/admin/investigate/filters.md b/docs/threatprevention/7.4/admin/investigate/filters.md
index dd03943aa6..c81eebf1c8 100644
--- a/docs/threatprevention/7.4/admin/investigate/filters.md
+++ b/docs/threatprevention/7.4/admin/investigate/filters.md
@@ -18,7 +18,7 @@ button to repopulate the data grid with the current information for the selected
Filter categories are discussed below.
-Policy
+**Policy**
To filter by Policy, check the checkboxes for the desired policy. Protected policies that the
current user does not have rights to view are grayed-out.
@@ -28,7 +28,7 @@ current user does not have rights to view are grayed-out.
are included in the filter. By default, event data from deleted policies is not included with the
investigation results.
-Who
+**Who**
To filter by Who, check the Perpetrator box to filter for a particular security principal committing
the change and/or check the Affected Object box to filter for a particular object being affected by
@@ -50,7 +50,7 @@ For the Affected Object option, select the option button for either:
Then enter the who in the textbox. Filter criteria can be a partial match.
-When
+**When**
Filtering by When provides several options, including the option between using Local Time or UTC
time.
@@ -64,7 +64,7 @@ time.
- To filter for Events for Last [number] Hours, check this box and set the number of hours to be
used as the filter
-Where
+**Where**
To filter by Where, check the box(es) for the desired filter type(s):
@@ -78,7 +78,7 @@ To filter by Where, check the box(es) for the desired filter type(s):
- To This Computer – Select the radio button for either Name or IP and then enter the computer in
the textbox
- Filter criteria can be a partial match
+**Filter criteria can be a partial match**
What
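Review bot: `- Filter criteria can be a partial match` was a bullet in the Where list, not a category heading; bolding it as `**Filter criteria can be a partial match**` makes it look like Policy, Who, When and Where, and it should stay a plain sentence, matching the unbolded `Filter criteria can be a partial match.` under the other categories. In the other direction, the `What` heading on the next context line is the only category in this file left unbolded.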
@@ -87,7 +87,7 @@ To filter by What, check the box(es) for the desired filter type(s):
- Event – Select the option button for either Success or Fail
- Action Type – Select the option button for either Blocked or Not Blocked
-Other
+**Other**
To filter by Other, check the box(es) for the desired filter type(s):
@@ -101,9 +101,12 @@ To filter by Other, check the box(es) for the desired filter type(s):
Filter criteria can be a partial match.
-**CAUTION:** The Full Text Search is not driven by indexes. Unless other indexed criteria are
+:::warning
+The Full Text Search is not driven by indexes. Unless other indexed criteria are
selected, the full text search could result in a scan of the entire SQL database which could be very
slow for large databases.
+:::
+
- Full Text Search – Queries the entire SQL database for the entered attribute. If the attribute
displays anywhere in the event, it is displayed in the data grid.
diff --git a/docs/threatprevention/7.4/admin/investigate/summaryfolders.md b/docs/threatprevention/7.4/admin/investigate/summaryfolders.md
index c4605f7421..e8329f46f5 100644
--- a/docs/threatprevention/7.4/admin/investigate/summaryfolders.md
+++ b/docs/threatprevention/7.4/admin/investigate/summaryfolders.md
@@ -48,7 +48,7 @@ available below the report name:
displays when an export option is selected. Provide a name for the report and save to a specified
location.
-Parameter Window
+**Parameter Window**

diff --git a/docs/threatprevention/7.4/admin/navigation/datagrid.md b/docs/threatprevention/7.4/admin/navigation/datagrid.md
index 60a6c8f208..c9a81ee0b5 100644
--- a/docs/threatprevention/7.4/admin/navigation/datagrid.md
+++ b/docs/threatprevention/7.4/admin/navigation/datagrid.md
@@ -63,22 +63,25 @@ per column.
- Pin Icon [D] – Opens a filtration dialog that provides multiple types of filtration options such
as column values, text filters, and date filters associated with the column data
-Auto Filter Row
+**Auto Filter Row**
The Auto Filter row is located between the header row and the first event of the data grid. Typing a
single attribute in any of these boxes or selecting an attribute from a dropdown menu filters the
data grid for matches within that column and the selected comparison operator.
-**NOTE:** The Alerts grid does not display the Auto Filter Row by default. It must be selected
+:::note
+The Alerts grid does not display the Auto Filter Row by default. It must be selected
through the grid’s Show Auto Filter Row option from the right-click menu.
+:::
-Filter Statement Bar
+
+**Filter Statement Bar**
When a filter is enabled, the filter statement bar is displayed at the bottom of the display area.
The X to the left of the bar clears the filter. The checkbox for the filter on the left affects the
scoping of the filter.
-Filter Editor
+**Filter Editor**
Notice the Edit Filter option on the right side of the filter statement bar. Click it to open the
Filter Editor window, where you can build complex filter statements. It can employ multiple
@@ -86,7 +89,7 @@ comparison operators and/or multiple column filters.

-Pin Icon
+**Pin Icon**
A small pin icon is displayed in the upper-right corner while hovering over a column header or if an
Auto Filter Row filter is enabled.
@@ -135,7 +138,10 @@ The data grids provide an option to export data.
- Clicking the Export button from the Investigate interface or the Recent Events tab of a policy
opens the Export window.
-**NOTE:** Ensure that all desired filters are set on the data grid before export.
+:::note
+Ensure that all desired filters are set on the data grid before export.
+:::
+

@@ -157,7 +163,10 @@ Locally and/or Email to and populate the required fields.
distribution lists, or a combination. Use either a comma (,) or a semi-colon (;) to separate
multiple recipients. Click Export to export the data.
-**NOTE:** The Email to action requires the SMTP host Information to be configured. This can only be
+:::note
+The Email to action requires the SMTP host Information to be configured. This can only be
done by a Threat Prevention administrator through the
[Email Tab](/docs/threatprevention/7.4/admin/configuration/systemalerting/email.md)
of the System Alerting window.
+
+:::
diff --git a/docs/threatprevention/7.4/admin/navigation/licensemanager.md b/docs/threatprevention/7.4/admin/navigation/licensemanager.md
index 5d7b0ade73..d462905a13 100644
--- a/docs/threatprevention/7.4/admin/navigation/licensemanager.md
+++ b/docs/threatprevention/7.4/admin/navigation/licensemanager.md
@@ -10,8 +10,11 @@ The License Manager window displays the Threat Prevention modules that you are l
under an Enterprise license, it also displays an expiration date. On license expiry, the Enterprise
Manager will refuse events from all Agents.
-_Remember,_ if events are not received and displayed in the Administration Console, check if your
+:::tip
+Remember, if events are not received and displayed in the Administration Console, check if your
license has expired.
+:::
+
Click **Help > License Manager** on the menu. The Netwrix Threat Prevention License Manager window
is displayed.
@@ -24,20 +27,23 @@ Prevention solution.
Following is a list of the solutions with their respective modules. You can also view the event
types available with each module.
-**NOTE:** The Password Enforcement module is available under all licenses for monitoring weak
+:::note
+The Password Enforcement module is available under all licenses for monitoring weak
passwords. However, you need the Enterprise Password Enforcer solution license to block weak
passwords.
+:::
+
## Active Directory Solution
The Active Directory solution comes with the following licensed modules:
-| Licensed Module | Available Event Type |
-| ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Active Directory Changes | Active Directory Changes Active Directory Read Monitoring AD Replication Monitoring Authentication Monitoring Effective Group Membership FSMO Role Monitoring LSASS Guardian – Monitor |
-| Active Directory Lockdown \*Requires Active Directory Changes Module | Active Directory Lockdown AD Replication Lockdown Authentication Lockdown LSASS Guardian – Protect |
-| GPO Lockdown \*Requires Active Directory Changes Module \*\*Requires File System Module | GPO Setting Lockdown |
-| GPO Setting Changes \*Requires Active Directory Changes Module \*\*Requires File System Module | GPO Setting Changes |
+| Licensed Module | Available Event Type |
+| --------------------- | ------------------------------------- |
+| Active Directory Changes | Active Directory Changes
Active Directory Read Monitoring
AD Replication Monitoring
Authentication Monitoring
Effective Group Membership
FSMO Role Monitoring
LSASS Guardian – Monitor |
+| Active Directory Lockdown
\*Requires Active Directory Changes Module | Active Directory Lockdown
AD Replication Lockdown
Authentication Lockdown
LSASS Guardian – Protect |
+| GPO Lockdown
\*Requires Active Directory Changes Module
\*\*Requires File System Module | GPO Setting Lockdown |
+| GPO Setting Changes
\*Requires Active Directory Changes Module
\*\*Requires File System Module | GPO Setting Changes |
See the following topics for additional information:
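Review bot: splitting table cells across lines (`| Active Directory Changes | Active Directory Changes` followed by `Active Directory Read Monitoring` on its own line) breaks the GFM table; every row has to be a single line, and the continuation lines will be rendered as extra one-cell rows or as text after the table. Keep each row on one line and separate the items inside the cell with `<br />`, which MDX accepts; the same applies to the `Active Directory Lockdown`, `GPO Lockdown` and `GPO Setting Changes` rows.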
@@ -74,7 +80,7 @@ The Exchange solution comes with the following licensed modules:
| Licensed Module | Available Event Type |
| ---------------------------------------------------------- | -------------------- |
| Exchange Events Module | Exchange Changes |
-| Exchange Lockdown Module \*Requires Exchange Events Module | Exchange Lockdown |
+| Exchange Lockdown Module
\*Requires Exchange Events Module | Exchange Lockdown |
See the following topics for additional information:
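Review bot: `| Exchange Lockdown Module` and `\*Requires Exchange Events Module | Exchange Lockdown |` are now two lines, so a GFM renderer produces two rows, the second with the footnote in the first column and the event type in the second. Join them back into one row and put `<br />` between the module name and its note.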
@@ -87,7 +93,7 @@ The File System solution comes with the following licensed modules:
| Licensed Module | Available Event Type |
| ------------------ | ----------------------------------------------------------------------- |
-| File System Module | File System Changes File System Lockdown File System Enterprise Auditor |
+| File System Module | File System Changes
File System Lockdown
File System Enterprise Auditor |
The File System Changes event type and File System Lockdown event type only generate event
monitoring and blocking data for Threat Prevention. The File System Enterprise Auditor event type
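Review bot: `| File System Module | File System Changes` with `File System Lockdown` and `File System Enterprise Auditor |` on following lines is no longer a valid table row; a Markdown table cannot span lines, so the three event types end up as separate rows or trailing text. Write the row on one line and use `<br />` between the event types.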
@@ -101,16 +107,16 @@ See the following topics for additional information:
– For Windows file servers and/or NAS devices
- [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md)
– For Windows file servers
-- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md)
+- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md)
– For Windows file servers
## LDAP Solution
The LDAP solution comes with the following licensed modules:
-| Licensed Module | Available Event Type |
-| ----------------------------------------------------------------- | -------------------------------------------------- |
-| LDAP Monitoring Module \*Requires Active Directory Changes Module | LDAP Lockdown LDAP Monitoring LDAP Bind Monitoring |
+| Licensed Module | Available Event Type |
+| --------------- | ---------- |
+| LDAP Monitoring Module
\*Requires Active Directory Changes Module | LDAP Lockdown
LDAP Monitoring
LDAP Bind Monitoring |
See the following topics for additional information:
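Review bot: the LDAP row is broken in the same way as the tables above it: `| LDAP Monitoring Module`, the `\*Requires Active Directory Changes Module | LDAP Lockdown` line and the two lines after it are parsed as separate rows, not one two-cell row. Collapse the row onto a single line with `<br />` for the line breaks inside each cell.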
diff --git a/docs/threatprevention/7.4/admin/navigation/overview.md b/docs/threatprevention/7.4/admin/navigation/overview.md
index f8cb1871b9..94630d1081 100644
--- a/docs/threatprevention/7.4/admin/navigation/overview.md
+++ b/docs/threatprevention/7.4/admin/navigation/overview.md
@@ -78,14 +78,17 @@ interface. The following interface options are available:
- [Analytics Interface](/docs/threatprevention/7.4/admin/analytics/overview.md)
- [Policies Interface](/docs/threatprevention/7.4/admin/policies/overview.md)
- [Templates Interface](/docs/threatprevention/7.4/admin/templates/overview.md)
-- [Tags Node](/docs/threatprevention/7.4/admin/overview_1.md)
+- [Tags Node](/docs/threatprevention/7.4/admin/Tags.md)
Several right-click menus and additional features are available within these interfaces.
-_Remember,_ the Investigate, Analytics, Policies, Templates, and TAGS nodes in the Navigation pane
+:::tip
+Remember, the Investigate, Analytics, Policies, Templates, and TAGS nodes in the Navigation pane
can be expanded and collapsed.
+:::
-Agents
+
+**Agents**
The Agents interface provides data about the Agents within the environment. This includes what
domain the Agent is in, what machine it is deployed on, its current status, and other details. This
@@ -93,26 +96,26 @@ interface also indicates if a domain controller does NOT have an Agent deployed
interface, Agents can be deployed, updated, and managed; logging levels can be configured; logs can
be accessed; and Agent information can be exported.
-Alerts
+**Alerts**
The Alerts interface provides information on the Threat Prevention Security events, Operations
events, and Configuration events. All events are displayed by default. However, they can be
filtered, sorted, and searched.
-Investigate
+**Investigate**
The Investigate interface is a reporting tool for the Administration Console. It provides
information on recent events monitored or blocked by any enabled policy. By default, all events
recently monitored or blocked are available. However, they can be filtered to particular policies,
perpetrators, time frames, domains, servers, computers, events, etc.
-Analytics
+**Analytics**
The Analytics interface is a front-line warning tool for detecting incidents in real-time based on
patterns within collected event data indicative of potential security risk. It provides information
on incidents identified by the analytic policies.
-Policies
+**Policies**
The Policies interface provides a central location for creating and configuring all policies. On
selecting the Policy node, the policies are listed in the Display area. In the Navigation pane, the
@@ -126,14 +129,14 @@ A folder can be protected, which controls access to any policy within the folder
cannot be viewed, edited, or deleted by other Administration Console users without explicit
permissions being granted.
-Templates
+**Templates**
The Templates interface provides a central location for creating and configuring all policy
templates. On selecting the Templates node, a list of all policy templates available is displayed in
the Display area. Policy templates must also be stored within a folder. There are pre-created policy
templates which can be imported.
-TAGS
+**TAGS**
The TAGS node provides an organizational feature for templates. Many preconfigured templates have
tags which enable users to quickly find a desired template though various groupings. Tags do not
diff --git a/docs/threatprevention/7.4/admin/navigation/rightclickmenus.md b/docs/threatprevention/7.4/admin/navigation/rightclickmenus.md
index 9c05d97a4e..26cc3aa05e 100644
--- a/docs/threatprevention/7.4/admin/navigation/rightclickmenus.md
+++ b/docs/threatprevention/7.4/admin/navigation/rightclickmenus.md
@@ -9,7 +9,7 @@ sidebar_position: 10
In the Navigation pane, the Policies node, Templates node, folders, policies, and templates have
different right-click commands available.
-Alerts Node
+**Alerts Node**
From the Agents node, the right-click menu can be used to install the Agent.
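Review bot: while this heading is being edited, fix its name: `**Alerts Node**` introduces a paragraph that begins `From the Agents node` and a table whose only command is Install Agent, so the heading should be `**Agents Node**`.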
@@ -19,7 +19,7 @@ From the Agents node, the right-click menu can be used to install the Agent.
| ------------------- | ----------------------------------------------------------------------------------------------------------------- |
| Install Agent | Opens the [Deploy Agents Wizard](/docs/threatprevention/7.4/admin/agents/deploy/overview.md#deploy-agents-wizard) |
-Saved ‘Filtered Investigate’ Nodes
+**Saved ‘Filtered Investigate’ Nodes**
From the node of a saved ‘Filtered Investigate’ view, the right-click menu allows you to delete the
saved view.
@@ -30,7 +30,7 @@ saved view.
| ------------------- | --------------------------------------------- |
| Delete | Deletes the saved ‘Filtered Investigate’ view |
-Policies and Templates Nodes
+**Policies and Templates Nodes**
From the Policies and Templates nodes, the right-click menu is limited to adding new folders to the
selected section.
@@ -41,7 +41,7 @@ selected section.
| --------------------- | --------------------------------------------- |
| New — Folder (Crtl+F) | Creates a new folder in the selected location |
-Folder Node
+**Folder Node**
From a Folder node, the right-click menu contains these commands.
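Review bot: the context line `| New — Folder (Crtl+F) |` carries the typo `Crtl` for `Ctrl`; worth correcting in the same change since the block is already being touched.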
@@ -56,12 +56,14 @@ From a Folder node, the right-click menu contains these commands.
| Remove | Deletes the selected folder |
| Paste | Pastes a copied policy/template into the selected folder |
-**NOTE:** If the logged in user does not have the **Manage Policies** permissions for a protected
+:::note
+If the logged in user does not have the **Manage Policies** permissions for a protected
policy, these options are grayed-out. See the
[Policies Interface](/docs/threatprevention/7.4/admin/policies/overview.md)
topic for additional information on protection.
+:::
-`` and `` Nodes
+**<Policy Name> and <Template Name>**
From the node for a specific policy or template, the right-click menu contains these commands.
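Review bot: `**<Policy Name> and <Template Name>**` will stop the MDX build, because `<Policy Name>` is parsed as an unclosed JSX element with a `Name` attribute rather than as text. Escape the brackets (`\<Policy Name\>`) or use code spans. The word `Nodes` from the original heading (`` `` and `` Nodes ``) was also dropped; restore it so the heading lines up with `**Folder Node**` above and `**Tags Node**` below.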
@@ -76,12 +78,15 @@ From the node for a specific policy or template, the right-click menu contains t
| Copy | Copies the selected policy/template |
| Cut | Copies the selected policy/template. Then it deletes the selected policy/template when the copy is pasted to a new folder. |
-**NOTE:** If the logged in user does not have the Manage Policies permissions for a protected
+:::note
+If the logged in user does not have the Manage Policies permissions for a protected
policy, these options are grayed-out. See the
[Policies Interface](/docs/threatprevention/7.4/admin/policies/overview.md)
topic for additional information on protection.
+:::
-Tags Node
+
+**Tags Node**
From the Tags node, the right-click menu contains these commands.
@@ -91,7 +96,7 @@ From the Tags node, the right-click menu contains these commands.
| ------------------- | -------------------------------------------------------------------------------------------------------- |
| Refresh | Refreshes the tag folders to display any new tags or any templates newly associated with an existing tag |
-`` Node under Tags
+**<Template Name> Node under Tags**
From the template within a folder under the Tags node, the right-click menu contains these commands.
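Review bot: `**<Template Name> Node under Tags**` has the same MDX problem: `<Template Name>` is read as JSX and the page fails to compile. Write it as `\<Template Name\>` or put the placeholder in a code span.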
diff --git a/docs/threatprevention/7.4/admin/overview.md b/docs/threatprevention/7.4/admin/overview.md
index edabf016bf..a3218ebe94 100644
--- a/docs/threatprevention/7.4/admin/overview.md
+++ b/docs/threatprevention/7.4/admin/overview.md
@@ -29,22 +29,22 @@ activity on a network:
- Threat Prevention Agents deployed across the environment
- Netwrix Threat Manager Reporting Module
-Threat Prevention Architecture
+**Threat Prevention Architecture**

-Threat Prevention Enterprise Manager
+**Threat Prevention Enterprise Manager**
The Threat Prevention Enterprise Manager stores and maintains policies and policy templates, as well
as receives and processes all captured events. Only one Enterprise Manager is needed for any
environment.
-Threat Prevention Administration Console
+**Threat Prevention Administration Console**
The Threat Prevention Administration Console is used to create and manage policies and their
associated alerts and actions. Multiple instances of the Administration Console are supported.
-Threat Prevention Agents
+**Threat Prevention Agents**
The Threat Prevention Agents retrieve configuration data from the Enterprise Manager, monitor
network activity, and report events to the Enterprise Manager. The events collected by an Agent are
@@ -55,7 +55,7 @@ topic for information on where to deploy Agents and supported platforms. See the
[Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md)
section for deployment procedures.
-Netwrix Threat Manager Reporting Module
+**Netwrix Threat Manager Reporting Module**
The Netwrix Threat Manager Reporting Module application provides a way to generate and to view
reports for the event data that is collected by the Agent and stored in the event database. Reports
@@ -96,7 +96,7 @@ where on a network that policy applies, and when it is active. See the
[Policy Configuration](/docs/threatprevention/7.4/admin/policies/configuration/configuration.md)
topic for additional information.
-General
+**General**
General components include the name and description of the policy, policy creation and modification
information, policy schedule, whether or not the policy is sending alerts, and whether or not the
@@ -106,7 +106,7 @@ The schedule controls when the policy is active. For example, if it is desired t
be more closely monitored outside of regular business hours, then a policy can be created and
scheduled to be active only outside of regular business hours.
-Event Type
+**Event Type**
Event Type components indicate what kind of events are to be monitored or blocked by the policy. A
single policy can contain multiple event types, even from different event sources. For example, a
@@ -115,7 +115,7 @@ policy might monitor the creation of user accounts in Active Directory.
Each event type has an optional set of filters associated with it. The available filters vary
depending on the event source.
-Actions
+**Actions**
Actions components are used to process and respond to events once they have been captured. A policy
can include one or more actions (or event consumers). It can also have no actions, but this is not
@@ -154,13 +154,13 @@ Manager. See the
[Application Server Install](/docs/threatprevention/7.4/install/application.md)
topic for additional information.
-NVMonitorConfig Database
+**NVMonitorConfig Database**
This database contains configuration information for the Threat Prevention product. The Threat
Prevention Enterprise Manager maintains and shares this information with the Agents, primarily
policy configuration information. .
-NVMonitorData Database
+**NVMonitorData Database**
This database contains the event activity data captured by Threat Prevention policies. Agents
capture these events, as defined by policies, and send them to the Enterprise Manager. The
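Review bot: the context line `policy configuration information. .` ends with a stray ` .`; drop the second period while this paragraph is being changed.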
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/actions/file.md b/docs/threatprevention/7.4/admin/policies/configuration/actions/file.md
index aec2bb46e4..3b0abd6c06 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/actions/file.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/actions/file.md
@@ -28,7 +28,7 @@ window.
- By default, the file is created at the following location:
- …\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\output\file
+**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\output\file**
- The name can include a full UNC path to place the file at a desired location.
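Review bot: the path was a continuation line indented under the bullet `- By default, the file is created at the following location:`; replacing it with an unindented `**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\output\file**` terminates the list before `- The name can include a full UNC path`, so one list becomes two. Keep the indentation and put the path in a code span rather than in bold.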
@@ -37,9 +37,12 @@ window.
- Comma Delimited (CSV)
- Adjust the File Size Limit and Minimum disk space required for reporting values as desired
- **NOTE:** Set thresholds for file event consumers to maximize performance and minimize
+ :::note
+ Set thresholds for file event consumers to maximize performance and minimize
individual file sizes. When a file reaches its maximum size, it continues to record data but the
oldest data in the file is deleted to make room for the newest.
+ :::
+
The default file size settings are the following:
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/actions/netscript.md b/docs/threatprevention/7.4/admin/policies/configuration/actions/netscript.md
index 8cc23132d2..8b970d7ac2 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/actions/netscript.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/actions/netscript.md
@@ -73,16 +73,22 @@ The Tools menu contains the following options:
for run time. See note below explaining why only a plain text string, information in thae script
between quote marks (“), should be encrypted.
-_Remember,_ when testing a script in the Script Editor, the **Run** option executes the script in
+:::tip
+Remember, when testing a script in the Script Editor, the **Run** option executes the script in
the context of the user logged into the Administration Console. In production, when this script is
run as part of a policy, it will run in the context of the account configured for the Enterprise
Manager. If the script depends on specific user/account rights, then that should be taken into
account when using the **Run** option to test the script.
+:::
-**CAUTION:** The Tools > Encrypt option is used to obfuscate plain text strings, e.g. credentials,
+
+:::warning
+The Tools > Encrypt option is used to obfuscate plain text strings, e.g. credentials,
within the script. Encrypting functions or other commands result in the script not working. Only a
literal string should be encrypted, between the quote marks (“). The quote marks themselves should
not be included in the encryption.
+:::
+
## Default Visual Basic Script
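Review bot: the unchanged context line at the top of the hunk still reads `information in thae script` (typo for `the`); fix it while this paragraph is being touched. The run-context remark is promoted to `:::tip`, but what it states is a pitfall rather than a tip: the **Run** option executes under the account logged into the Administration Console while the policy executes under the Enterprise Manager account, so a script that works in testing can fail, or run with different rights, in production. `:::warning` (or at least `:::note`) conveys that better and matches the `:::warning` this same hunk uses for the Tools > Encrypt caveat immediately below it.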
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md b/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md
index 9cb987bf72..3434810d8a 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md
@@ -58,9 +58,12 @@ notifications from the drop-down menu. Only SIEM profiles previously created are
selection. This action can also be assigned within the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
-**NOTE:** To enable this feature, a Threat Prevention administrator must first establish a
+:::note
+To enable this feature, a Threat Prevention administrator must first establish a
connection with the SIEM server and configure the mapping file through the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
+:::
+
## Send to Netwrix Threat Manager
@@ -69,15 +72,21 @@ specific to integration with a full version deployment of Netwrix Threat Manager
Manager Reporting Module uses the NVMonitorData database (Send to Events DB option) for reporting
purposes.
-**NOTE:** To enable this feature, the Web Request Action Module (Netwrix Threat Manager URI) must be
+:::note
+To enable this feature, the Web Request Action Module (Netwrix Threat Manager URI) must be
created and configured by a Threat Prevention administrator through the
[Event Sink Tab](/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md#event-sink-tab)
on the Netwrix Threat Manager Configuration window.
+:::
+
## Email Notifications
-**CAUTION:** Email notifications should not be used on highly active policies. Please reserve this
+:::warning
+Email notifications should not be used on highly active policies. Please reserve this
feature for policies where immediate notification of an event is needed.
+:::
+
To enable email notifications, select the desired message profile to be recipient of the email
notifications from the drop-down menu. Only message profiles previously created are available for
@@ -118,9 +127,12 @@ Two hours later, when another event is captured against that same policy, Threat
send an email notification for it. If more events are captured within the next five minutes, email
notifications will not be generated.
-**NOTE:** To enable email notifications, the SMTP gateway must first be configured and message
+:::note
+To enable email notifications, the SMTP gateway must first be configured and message
profiles created by a Threat Prevention administrator, which is done through the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
+:::
+
## Custom Scripts
@@ -142,7 +154,10 @@ See the following topics for additional information:
- Optionally, custom scripts can be provided through a Netwrix Statement of Work.
-**NOTE:** There are custom scripts created by Netwrix Engineers that execute the notification
+:::note
+There are custom scripts created by Netwrix Engineers that execute the notification
emails. See the
[Custom Scripts](/docs/threatprevention/7.4/admin/templates/folder/actions/actions.md#custom-scripts)
topic for additional information.
+
+:::
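Review bot: in this last hunk the empty `+` line is placed before the closing `+:::`, which leaves a blank line inside the admonition and none after it, the reverse of the `+:::` then `+` pattern used in every other hunk of this file. Swap the two lines so the note closes directly after the `topic for additional information.` sentence; the renderer tolerates the current order, but the inconsistency will be copied forward into other topics.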
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorychanges.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorychanges.md
index 4e0e46537d..f1f865d61e 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorychanges.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorychanges.md
@@ -60,10 +60,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Context Filter
@@ -83,7 +86,7 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-Sub Tree
+**Sub Tree**

@@ -123,7 +126,7 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-Attribute, Operator and Value
+**Attribute, Operator and Value**
When an attribute is selected, it is added to the filter and a drop-down menu is displayed in the
Operation column with **Any Value** selected. You can further scope the attributes to enable the
@@ -154,10 +157,13 @@ When you select another attribute, a new row is added, where you can specify an
for that attribute. Each row is treated as an “OR” statement. If any event matches any of the
attribute filters, then the event data includes all attributes in the list.
-**NOTE:** You cannot specify more than one value for an attribute and you cannot select the same
+:::note
+You cannot specify more than one value for an attribute and you cannot select the same
attribute twice. To use the same attribute again, you have to add the same event type again to the
policy, select that event type and then select a previously used attribute to include in the Add
Attributes filter.
+:::
+
When the userAccountControl attribute is included or excluded in the filter, selecting the Any Value
dropdown opens the
@@ -180,10 +186,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Perpetrator Filter
@@ -203,12 +212,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
-Sub Tree
+
+**Sub Tree**

@@ -232,10 +244,13 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
@@ -254,10 +269,13 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Success Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorylockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorylockdown.md
index 356a4496ec..abbd198ae0 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorylockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectorylockdown.md
@@ -25,8 +25,11 @@ The event filters for the Active Directory Lockdown event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
## AD Event Filter
@@ -68,12 +71,15 @@ areas to edit the lists.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

@@ -101,10 +107,13 @@ Use the buttons in the Classes and Attributes areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Perpetrator Filter
@@ -116,11 +125,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
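Review bot: the note being wrapped here (`For the Password Enforcement Event Type, selecting **Allow** means that this policy will not validate the new passwords ...`) sits in the AD Perpetrator Filter section of activedirectorylockdown.md, where the visible surrounding text says **Block**/**Allow** decide which security principals are locked down or excluded from lockdown. The password-validation semantics the note describes belong to a different event type, so it reads like a shared snippet that leaked into this topic. Rather than only restyling it, consider dropping it here (the same text appears in the corresponding hunks for adreplicationlockdown.md and authenticationlockdown.md) or rewording it to state what Block and Allow mean for this event type.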
@@ -131,10 +143,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectoryreadmonitoring.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectoryreadmonitoring.md
index beb9303804..c7e1db6e11 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectoryreadmonitoring.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/activedirectoryreadmonitoring.md
@@ -26,10 +26,13 @@ The event filters for the Active Directory Read Monitoring event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** This event type monitors all specified domain controller Read events. Use this event
+:::warning
+This event type monitors all specified domain controller Read events. Use this event
type with significant filters or else it can adversely impact overall system performance and
significantly increase the size of the Event Database. Limit the policy to specific attributes in
order to avoid overwhelming the database with a high volume of unnecessary events.
+:::
+
## Domains/Servers Filter
@@ -47,10 +50,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Classes Filter
@@ -84,10 +90,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Context Filter
@@ -107,7 +116,7 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-Sub Tree
+**Sub Tree**

@@ -132,12 +141,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
-Sub Tree
+
+**Sub Tree**

@@ -177,10 +189,13 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Rule Preview Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md
index 1539ddd5ba..5b4a06a1bf 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md
@@ -23,8 +23,11 @@ The event filters for the AD Replication Lockdown event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
Since Windows cannot detect if a sync request is coming from a legitimate domain controller, this
event type is designed to block requests from computers that are not ‘allowed’ by the policy.
@@ -47,12 +50,18 @@ of the following methods:
- Add domain controllers to the Exclude list
- Any domain controller not excluded is blocked from syncing/replication
-**CAUTION:** Not allowing ALL domain controllers to sync has negative impacts on Active Directory.
+:::warning
+Not allowing ALL domain controllers to sync has negative impacts on Active Directory.
+:::
+
If no filters are applied, saving the policy configuration displays a warning message.
-**NOTE:** The AD Replication Lockdown event type internally looks for use of the GetNCChanges() API
+:::note
+The AD Replication Lockdown event type internally looks for use of the GetNCChanges() API
and blocks the API call when it is invoked by a machine outside the scope of the policy filters.
+:::
+
## AD Perpetrator Filter
@@ -64,11 +73,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -79,10 +91,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Permissions Filter
@@ -121,10 +136,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
@@ -144,7 +162,10 @@ Use the buttons in the Include Hosts and Include Collections areas to edit the l
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+
+:::
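Review bot: the empty `+` line precedes the closing `+:::` here, putting a blank line inside the admonition and none after it, while every earlier hunk in this file closes with `+:::` followed by `+`. Swap the two lines for consistency, so the note ends right after `topic for additional information.`.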
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md
index debe124c21..1b67dfd357 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md
@@ -50,9 +50,12 @@ policy. It is necessary for the policy to be configured to exclude domain contro
If no filters are applied, saving the policy configuration displays a warning message.
-**NOTE:** The AD Replication Monitoring event type internally looks for use of the GetNCChanges()
+:::note
+The AD Replication Monitoring event type internally looks for use of the GetNCChanges()
API and reports an event when this API is invoked by a machine outside the scope of the policy
filters.
+:::
+
## AD Perpetrator Filter
@@ -72,12 +75,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

@@ -121,10 +127,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
@@ -143,7 +152,10 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+
+:::
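Review bot: same ordering slip as the other end-of-file hunks in this patch: the empty `+` line is inside the admonition, before `+:::`, instead of after it. Reorder to `+:::` then `+` to match the rest of the file.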
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationlockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationlockdown.md
index 8373c78a3b..182e0b4648 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationlockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationlockdown.md
@@ -22,8 +22,11 @@ The event filters for the Authentication Lockdown event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
The Authentication Lockdown event type blocks authentication requests made through Kerberos and
NTLM. These requests are used to access resources such as remote shares, establish RDP sessions,
@@ -37,11 +40,14 @@ Hosts (from) filter does not block authentications for these RDP sessions. Since
host to information is available to Threat Prevention with this mode of RDP session, use the AD
Perpetrator for lockdown filter and the Hosts (to) filter to block authentications.
-**NOTE:** When the Authentication Monitoring or Lockdown event type is assigned to a policy outside
+:::note
+When the Authentication Monitoring or Lockdown event type is assigned to a policy outside
of the Analytic policies, then all collected authentication event data is stored in the database,
not in memory as it is for the Analytic policies. However, it does consolidate the authentication
events which occur every minute, resulting in up to a one minute delay between the event and the
reporting of the event.
+:::
+
## Authentication Protocol Filter
@@ -57,22 +63,31 @@ being locked down.
- Kerberos (TGT and/or TGS)
- NTLM
- **CAUTION:** Saving all TGT and/or TGS authentication data results in the bloating of the Threat
+ :::warning
+ Saving all TGT and/or TGS authentication data results in the bloating of the Threat
Prevention database. Configure policy filters and use Database Maintenance while monitoring
these protocols to retain data for the necessary timeframe. See the
[Database Maintenance Window](/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md)
topic for additional information.
+ :::
+
+
+ :::info
+ Save only a few days' worth of TGT and TGS data at a time.
+ :::
- **_RECOMMENDED:_** Save only a few days' worth of TGT and TGS data at a time.
- The Login Type options apply only to domain controllers. Use them to scope for **All** login types
or only **Local** or **Remote** logins to the selected domain controllers.
## AD Perpetrator Filter
-**NOTE:** When the Block filter is used with this event type, it blocks the specified security
+:::note
+When the Block filter is used with this event type, it blocks the specified security
principals from logging in or gaining access to resources through Active Directory authentication.
When the Allow filter is used, it allows only the specified security principals to authenticate.
+:::
+
Use the AD Perpetrator filter for lockdown to set the scope of the policy to lockdown specific
security principals committing changes or to exclude specific security principals committing changes
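Review bot: the `RECOMMENDED` remark (`Save only a few days' worth of TGT and TGS data at a time`) is converted to `:::info`, a neutral label; `:::tip`, which this patch already uses for advice in netscript.md, matches a recommendation better. Two further points in the same hunk: the two consecutive empty `+` lines between the closing `:::` of the warning and the `:::info` opener leave a double blank line where one is enough; and, as with the nested note in file.md, the `:::warning` fences and its first sentence are placed at the list-item indent while the remaining body lines (`Prevention database. Configure policy filters ...` through `topic for additional information.`) are unchanged context, so confirm they sit at the same column or the admonition will not render inside the bullet.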
@@ -82,11 +97,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -97,10 +115,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationmonitoring.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationmonitoring.md
index e351409316..1059bb2e23 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationmonitoring.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/authenticationmonitoring.md
@@ -25,11 +25,14 @@ The event filters for the Authentication Monitoring event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**NOTE:** When the Authentication Monitoring or Lockdown event type is assigned to a policy outside
+:::note
+When the Authentication Monitoring or Lockdown event type is assigned to a policy outside
of the Analytic policies, then all collected authentication event data is stored in the database,
not in memory as it is for the Analytic policies. However, it does consolidate the authentication
events which occur every minute, resulting in up to a one minute delay between the event and the
reporting of the event.
+:::
+
## Authentication Protocol Filter
@@ -89,10 +92,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Success Filter
@@ -126,12 +132,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
-Sub Tree
+
+**Sub Tree**

@@ -155,10 +164,13 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## IP Addresses (to) Filter
@@ -177,10 +189,13 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
@@ -199,10 +214,13 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (to) Filter
@@ -221,7 +239,10 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+
+:::
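Review bot: the last two added lines of this hunk put a blank `+` line before the closing `:::` instead of after it, so the note's final paragraph is separated from its own fence and the blank line that follows every other converted admonition in this change is missing. Swap the order so the hunk ends `topic for additional information.` / `:::` / blank line, matching the earlier hunks.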
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/effectivegroupmembership.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/effectivegroupmembership.md
index ce81940b89..2d650287bb 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/effectivegroupmembership.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/effectivegroupmembership.md
@@ -52,12 +52,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
-Sub Tree
+
+**Sub Tree**

diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangechanges.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangechanges.md
index b93d90dfeb..833a11e8c0 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangechanges.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangechanges.md
@@ -168,10 +168,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Rule Preview Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md
index 7b6e6b2925..e66742bde0 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md
@@ -22,8 +22,11 @@ The event filters for the Exchange Lockdown event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
After enabling an Exchange login blocking policy, mail clients with existing connections to Outlook,
OWA, PowerShell, EWS, ECP, and ActiveSync will not be blocked while the existing connection remains.
@@ -31,10 +34,13 @@ See the
[Exchange Lockdown Considerations](/docs/threatprevention/7.4/troubleshooting/exchangelockdown.md)
topic for information on resolving this.
-**NOTE:** There are additional factors to consider in order to block delegations through Outlook.
+:::note
+There are additional factors to consider in order to block delegations through Outlook.
See the
[Troubleshooting FAQs](/docs/threatprevention/7.4/troubleshooting/overview.md#troubleshooting-faqs)
topic for additional information.
+:::
+
## Exchange Event Filter
@@ -179,10 +185,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Rule Preview Filter
diff --git a/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md
similarity index 92%
rename from docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md
rename to docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md
index 51ffa701a2..e1101cf31a 100644
--- a/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md
@@ -1,3 +1,9 @@
+---
+title: "File System Enterprise Auditor Event Type"
+description: "File System Enterprise Auditor Event Type"
+sidebar_position: 125
+---
+
# File System Enterprise Auditor Event Type
The File System Enterprise Auditor event type is used to send File System activity to Netwrix Access
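Review bot: the new front matter's `description` merely repeats the `title` ("File System Enterprise Auditor Event Type"), which gives search and link previews nothing beyond the heading; consider a one-line summary drawn from the page's first sentence, such as what the event type sends and where. The rename into `configuration/eventtype/` looks consistent with the other event type pages touched in this change.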
@@ -35,7 +41,7 @@ File System Enterprise Auditor event type is used by the same policy.
Use the File System Enterprise Auditor filter to set the scope of the policy to only monitor
specific file system paths or to exclude specific file system paths from being monitored.
-
+
The Include Paths section defines the top level folder or individual files for monitoring. Use the
Exclude Paths section to refine and remove any child items from being monitored. Any files or
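Review bot: this hunk removes and re-adds a line that appears empty on both sides, so it is a whitespace-only edit (trailing whitespace, a non-breaking space or a line-ending change) that is invisible in review; confirm it is intentional and not an image or placeholder line whose content was dropped during the conversion.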
@@ -52,12 +58,15 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Folder
+**Sub Folder**

@@ -80,14 +89,20 @@ Agents/Domains list on the right displays Agents and domains included in the pol
- The single arrow buttons will move the selected item to the other list.
- The double arrows will move all items to the other list.
-**NOTE:** There is no impact if a selected path does not exist on the server where an Agent resides.
+:::note
+There is no impact if a selected path does not exist on the server where an Agent resides.
+:::
+
When a domain is added to the Selected Agents\Domains list, all Agents deployed in that domain are
included in the policy. If a domain is specified, then any Agent later installed in that domain is
also included in this policy.
-**NOTE:** There must be at least one Agent in the Selected Agents/Domains list for policies using
+:::note
+There must be at least one Agent in the Selected Agents/Domains list for policies using
the File System Enterprise Auditor Event Type.
+:::
+
## Processes and Configuration Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md
index 8f76a2c2a1..1eba185fbe 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md
@@ -27,8 +27,11 @@ target file system. The policy monitors the path/collection from the Agent used
Agent is indicated in the parenthesis after the path/collection. The path/collection can be
monitored by other Agents that you can select on the Additional Agents filter.
-**NOTE:** Any files or folders to be excluded need to be a subset of a folder identified in the
+:::note
+Any files or folders to be excluded need to be a subset of a folder identified in the
Include Paths section.
+:::
+
If no path is provided, an error message is displayed when the policy is enabled: The policy must
have at least one path defined.
@@ -67,7 +70,7 @@ by the policy.

-Access Operations area
+**Access Operations area**
In the Access Operations area, check the **All** box at the top to include all operations or select
specific operations:
@@ -78,7 +81,7 @@ specific operations:
- Delete
- Rename
-Property Operations area
+**Property Operations area**
In the Property Operations area, check the **All** box at the top to include all operations or
select specific operations:
@@ -88,7 +91,7 @@ select specific operations:
- Audit (SACL)
- Owner
-Share Operations area
+**Share Operations area**
In the Share Operations area, check the **All** box at the top to include all operations or select
specific operations:
@@ -98,7 +101,7 @@ specific operations:
- Update
- Permission change
-I/O Type area
+**I/O Type area**
In the I/O Type area, check the **All** box at the top to include all types or select specific
types:
@@ -112,18 +115,21 @@ types:
- Only applies to Read and Create Access Operations
-Wildcards area
+**Wildcards area**
The **Wildcards** boxes are to scope the policy using an asterisk (\*) or question mark (?) as the
wildcard. Files that match the wildcard in the include box are monitored. Files that match the
wildcard in the exclude box are ignored.
-_Remember,_ adding an include filter scopes the policy to monitor only matching files. Adding an
+:::tip
+Remember, adding an include filter scopes the policy to monitor only matching files. Adding an
exclude filter scopes the policy to monitor all files that do not match. If both include and exclude
filters are applied to a single policy, the exclude filter takes precedence. If the boxes are left
blank, all files are monitored according to all the policy filter selections.
+:::
+
-Enable Automatic Lockdown option
+**Enable Automatic Lockdown option**
Adding a wildcard to the policy allows the policy to use the **Enable Automatic Lockdown** option.
When checked, perpetrators of this policy are locked down, i.e. denied access to files and folders
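Review bot: the new `:::tip` block still opens with "Remember," which was the emphasis cue for the old inline `_Remember,_` style; now that the admonition supplies the visual cue the word is redundant, so consider starting the block at "Adding an include filter scopes the policy to monitor only matching files." The precedence rule in this tip (exclude wins over include) is the security-relevant part and reads well as a tip.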
@@ -160,12 +166,15 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Folder
+**Sub Folder**

@@ -188,7 +197,10 @@ Agents/Domains list on the right displays Agents and domains included in the pol
- The single arrow buttons will move the selected item to the other list.
- The double arrows will move all items to the other list.
-**NOTE:** There is no impact if a selected path does not exist on the server where an Agent resides.
+:::note
+There is no impact if a selected path does not exist on the server where an Agent resides.
+:::
+
When a domain is added to the Selected Agents\Domains list, all Agents deployed in that domain are
included in the policy. If a domain is specified, then any Agent later installed in that domain is
@@ -212,12 +224,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/nasdevice.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/nasdevice.md
index baedb7e9cf..f15cf265d7 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/nasdevice.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/nasdevice.md
@@ -11,10 +11,13 @@ deployed and configured to monitor the device. A Threat Prevention Agent must be
same Windows server hosting the Activity agent. Once monitoring begins, follow the steps to
configure a Threat Prevention policy to monitor file system changes.
-**NOTE:** The Threat Prevention policy does not change what the Activity Monitor agent is
+:::note
+The Threat Prevention policy does not change what the Activity Monitor agent is
monitoring. It reads information collected by the Activity Monitor and applies any additional
filters defined in the policy. Therefore, it is necessary for the Activity Monitor agent to be
configured to monitor the desired activity.
+:::
+
Follow the steps to monitor NAS devices.
@@ -26,8 +29,11 @@ Follow the steps to monitor NAS devices.
in the Include Paths area to open the
[Select File System Objects Window](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/selectfilesystemobjects.md).
-_Remember,_ any files or folders to be excluded need to be a subset of a folder identified in the
+:::tip
+Remember, any files or folders to be excluded need to be a subset of a folder identified in the
Include Paths area.
+:::
+
**Step 4 –** Connect to the Threat Prevention Agent deployed to a Windows server hosting the
Activity agent. The local drives of the Windows server and all NAS devices being monitored by the
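Review bot: same point as the filesystemchanges.md tip: the `:::tip` body keeps the leading "Remember," from the old `_Remember,_` inline style, which is redundant inside an admonition; suggest starting the block at "Any files or folders to be excluded need to be a subset of a folder identified in the Include Paths area."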
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md
index 2236e2392c..c3d51cd3bb 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md
@@ -20,8 +20,11 @@ The event filters for the File System Lockdown event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
It is necessary to select paths/collections to be locked down on the File System filter. The policy
will lockdown the path/collection from the SI Agent used to select it for the filter which is
@@ -67,7 +70,7 @@ to exclude specific file system paths from being locked down.

-Access Operations area
+**Access Operations area**
In the Access Operations area, check the **All** box at the top to include all operations or select
specific operations:
@@ -78,13 +81,13 @@ specific operations:
- Delete
- Rename
-Permissions area
+**Permissions area**
In the Permissions area, select the following option to block changes to the ACL or DACL:
- Security Descriptor
-I/O Type area
+**I/O Type area**
In the I/O Type area, check the **All** box at the top to include all types or select specific
types:
@@ -98,7 +101,7 @@ types:
- Only applies to Read and Create Access Operations
-Paths and Path Collections areas
+**Paths and Path Collections areas**
The Paths section defines the top level folder or individual files for lockdown. Use the buttons in
the Paths and Path Collections areas to edit the lists.
@@ -110,12 +113,15 @@ the Paths and Path Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Folder
+**Sub Folder**

@@ -138,7 +144,10 @@ Agents/Domains list on the right displays Agents and domains included in the pol
- The single arrow buttons will move the selected item to the other list.
- The double arrows will move all items to the other list.
-**NOTE:** There is no impact if a selected path does not exist on the server where an Agent resides.
+:::note
+There is no impact if a selected path does not exist on the server where an Agent resides.
+:::
+
When a domain is added to the Selected Agents\Domains list, all Agents deployed in that domain are
included in the policy. If a domain is specified, then any Agent later installed in that domain is
@@ -154,11 +163,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -169,10 +181,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Rule Preview Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md
index f2332f0053..0a29ece161 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md
@@ -80,10 +80,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Perpetrator Filter
@@ -103,12 +106,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md
index cf4591e7e2..c7d59ef6f3 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md
@@ -61,12 +61,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
-Sub Tree
+
+**Sub Tree**

@@ -83,7 +86,7 @@ Filter statements can be added to the Include condition and Exclude condition bo
pre-defined logical and comparison operators to create filter criteria for the scan. Conditions can
be singular or grouped by a logical operator.
-Logical Operator
+**Logical Operator**
The logical operator displays as left aligned red text. To apply more filters to the set or start a
new group of filters, click the **Add** (+) icon. To change the logical operator, click on it to
@@ -100,16 +103,16 @@ open a menu with the following options:
On clicking the **Add** (+) icon, a new row is inserted that displays a column (attribute), a
comparison operator, and a Value box.
-Column Selection
+**Column Selection**
The selected column is displayed in blue text. Click on it to open a menu with all available columns
from the GPO Setting Changes Recent Events data grid.
-Comparison Operator
+**Comparison Operator**
The comparison operator is displayed in green text. To change it, click on it to open a menu with
options that associate with the data in the GPO Setting Changes Recent Events data grid.
-Filter Criteria
+**Filter Criteria**
Specify a filter criteria into the `` textbox.
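Review bot: the unchanged context line `Specify a filter criteria into the `` textbox.` carries an empty inline-code span and a grammar slip ("a filter criteria"); since this hunk already touches the Filter Criteria heading directly above it, fill the empty backticks with the textbox's actual label or drop them, and reword to "Specify the filter criteria in the textbox."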
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md
index 72ffdd351f..08a1ba1b5b 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md
@@ -24,8 +24,11 @@ If setting a filter to “Exclude” a domain from this blocking policy, this se
”Block” user filters. This means that in order to block a user, you must not “Exclude” the domain
where that user resides.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
## AD Group Policy Object Filter
@@ -65,10 +68,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Perpetrator Filter
@@ -80,11 +86,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -95,7 +104,10 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+
+:::
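Review bot: as in the other end-of-file hunks in this change, the blank `+` line is placed before the closing `:::` rather than after it, so the admonition is closed inconsistently with the notes converted earlier in the same file. Move the blank line after `:::`.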
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapbindmonitoring.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapbindmonitoring.md
index 89ef4fdf27..8de0373c08 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapbindmonitoring.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapbindmonitoring.md
@@ -21,8 +21,6 @@ The event filters for the LDAP Bind Monitoring event type are:
- IP Addresses (from)
- Hosts (from)
-
-
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
@@ -67,10 +65,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Success Filter
@@ -104,12 +105,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

@@ -133,10 +137,13 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
@@ -155,7 +162,10 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+
+:::
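Review bot: the final two added lines again put the blank line inside the admonition, before `:::`, instead of after the fence as every other converted note in this file does; reorder so the block ends `topic for additional information.` / `:::` / blank line.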
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldaplockdown.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldaplockdown.md
index 8f622266bd..d78348e199 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldaplockdown.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldaplockdown.md
@@ -24,8 +24,11 @@ The event filters for the LDAP Monitoring event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
+
This event type can only be used in a policy by itself or with another LDAP event type. This means
that:
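Review bot: the hunk header context reads "The event filters for the LDAP Monitoring event type are:" although this file is ldaplockdown.md and the warning being added concerns lockdown/blocking policies; verify whether that sentence should say "LDAP Lockdown event type" and correct it while this section is being edited, since a reader checking which filters apply to a blocking policy will otherwise be pointed at the wrong event type.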
@@ -78,10 +81,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Perpetrator Filter
@@ -93,11 +99,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -108,10 +117,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## LDAP Query Filter
@@ -127,9 +139,12 @@ Select the **Block** or **Allow** option button and then edit the list.
- Block – From the list of strings you specify in the LDAP Queries area, if at least one is found as
substring in a candidate LDAP query, then thequery will be blocked
-**CAUTION:** Users should fully understand the blocking rule summary displayed in the Rule Preview
+:::warning
+Users should fully understand the blocking rule summary displayed in the Rule Preview
filter in order to understand the scope of what will be blocked. Blocking more than the intended
queries will adversely impact the LDAP environment.
+:::
+
Enter a query in the LDAP Queries box. You can type a string in the textbox. Alternatively, use the
buttons in the respective sections.
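Review bot: the context line "substring in a candidate LDAP query, then thequery will be blocked" has the typo "thequery" and, unlike the surrounding prose, no terminating period; worth fixing in the same hunk since the adjacent warning is already being rewritten. The warning itself is the right place for the blast-radius caveat about over-broad substring matches, and `:::warning` is an appropriate level for it.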
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapmonitoring.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapmonitoring.md
index d0a5565395..f2f144abf3 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapmonitoring.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapmonitoring.md
@@ -107,10 +107,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Success Filter
@@ -144,12 +147,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

@@ -221,10 +227,13 @@ areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Rule Preview Filter
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapping.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapping.md
index 01b5a451d2..aac6f698e9 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapping.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapping.md
@@ -31,7 +31,7 @@ The primary use case for LDAP Ping monitoring and blocking is to detect queries
exist or don't exist in your environment. Since LDAP Ping queries are anonymous, they could come
from a malicious user.
-LDAP Nom Nom Security Threat
+**LDAP Nom Nom Security Threat**
LDAP Nom Nom is a known attack tool that takes advantage of this security weakness. Current versions
of LDAP Nom Nom will generate a query that begins with:
@@ -43,11 +43,17 @@ Nom security threat:
- `user=` – Including this filter string will report any query asking about the existence of a user
- **NOTE:** A drawback of this filter string is that it may return queries that are automatically
+ :::note
+ A drawback of this filter string is that it may return queries that are automatically
generated by Windows and not a security threat.
+ :::
+
- `(&(NtVer=0x6)(AAC=16)(User='` – Including this filter string will return only those queries
generated by the currently-known version of LDAP Nom Nom
- **NOTE:** The LDAP Nom Nom version could change, so `User=` will provide the best detection
+ :::note
+ The LDAP Nom Nom version could change, so `User=` will provide the best detection
despite the risk of returning false positives such as native Windows activity.
+
+ :::
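Review bot: the two admonitions in this hunk close differently: the first ends with `:::` directly after its text, the second inserts a blank `+` line before `:::`. Pick one form (closing directly after the text matches most other admonitions in this patch; the blank-before-`:::` variant recurs in several later hunks and should be normalised too). Separately, the first bullet documents the filter string as `user=` while the second note says `User=`; if matching is case-sensitive a reader copying the string needs to know which one is correct, so state it.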
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapsearch.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapsearch.md
index c2fa7db517..324991574b 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapsearch.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/ldapsearch.md
@@ -20,7 +20,7 @@ selected configurations and scope of the LDAP query.

-Secure configurations
+**Secure configurations**
This setting determines if events should be captured for an LDAP operation based on the security
protocol used by that operation.
@@ -36,7 +36,7 @@ protocol(s) are used.
- Signed and Sealed
- None – To capture events for an LDAP operation that did not use any of the secure protocols
-Search scopes
+**Search scopes**
Select the All checkbox to search all scopes, or select specific scoping levels:
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/threatmanagerldap.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/threatmanagerldap.md
index dd40034dc0..0175253486 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/threatmanagerldap.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/ldapmonitoring/threatmanagerldap.md
@@ -48,6 +48,8 @@ select the other **LDAP Monitoring** event type in the list above.
**Step 8 –** Select the line below the last existing query filter and paste the string copied from
Threat Manager.
-_Remember,_ the Honeytoken tab of the
+:::tip
+Remember, the Honeytoken tab of the
[Netwrix Threat Manager Configuration Window](/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md)
must be configured in order to successfully send LDAP monitoring data to Threat Manager.
+:::
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianmonitor.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianmonitor.md
index 578cdaaadb..55bfb5da33 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianmonitor.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianmonitor.md
@@ -22,8 +22,11 @@ The event filters for the LSASS Guardian – Monitor event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**_RECOMMENDED:_** Add exclusion process filters for undesired processes that make changes to LSASS,
+:::info
+Add exclusion process filters for undesired processes that make changes to LSASS,
e.g. third-party malware applications.
+:::
+
## AD Perpetrator Filter
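Review bot: the `:::info` body still says "undesired processes that make changes to LSASS, e.g. third-party malware applications", which as written recommends excluding malware from monitoring; if security software that legitimately touches LSASS (anti-malware) is meant, fix the wording while the line is being rewritten. The conversion also drops the RECOMMENDED label, so the reader loses the signal that this is advice rather than background; Docusaurus admonitions accept a custom title (`:::info[Recommended]` or `:::info Recommended`, depending on version), which would keep it.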
@@ -43,12 +46,15 @@ Collections areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
-Sub Tree
+**Sub Tree**

@@ -71,18 +77,24 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Processes Filter
magUse the Processes filter to set the scope of the policy to only monitor specific processes or
exclude specific processes from being monitored.
-**_RECOMMENDED:_** Add undesired processes that make changes to LSASS, e.g. third-party malware
+:::info
+Add undesired processes that make changes to LSASS, e.g. third-party malware
applications, to the Exclude Process list.
+:::
+

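Review bot: the context line "magUse the Processes filter to set the scope of the policy..." directly under "## Processes Filter" carries a stray "mag" prefix, which looks like residue of a broken image reference merged into the paragraph; since the RECOMMENDED admonition right below is being rewritten, restore the paragraph start ("Use the Processes filter") and check the image markup above it.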
@@ -92,12 +104,15 @@ buttons in the respective areas to edit the lists.
- The Process **Add** (+) button adds a textbox to the list to add an additional process.
- The Remove (x) button deletes the selected item(s) from that box.
-**CAUTION:** In a production environment, only exclude processes using the Exclude Process area.
+:::warning
+In a production environment, only exclude processes using the Exclude Process area.
While there is an option to include processes, it is NOT recommended in a policy that is monitoring
a production environment. Adding a process in the Include Process area limits the policy to only
monitoring that process. Unknown malicious processes would not be monitored by the policy. In a
sandbox environment, the Include Process option can be useful for testing/capturing the LSASS
activity for specific processes to see what access they are requesting.
+:::
+
## Open Process Flags Filter
@@ -118,4 +133,7 @@ request for an LSASS handle contains one or more of the selected process flags.
- Uncheck this checkbox to not generate an event if the calling process, such as an application,
requests LSASS memory read access.
-**_RECOMMENDED:_** Leave these filters enabled. Do not deselect these options.
+:::info
+Leave these filters enabled. Do not deselect these options.
+
+:::
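Review bot: the closing `:::` is preceded by a blank `+` line, unlike the `:::info` blocks earlier in this file that close directly after the text; remove the blank line so the admonitions are consistent. The body also loses the RECOMMENDED label in the conversion, which matters here because "Leave these filters enabled. Do not deselect these options." is a hardening instruction, not information; a custom admonition title would keep that signal.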
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianprotect.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianprotect.md
index 0d3b0ccf85..4ce0613c1a 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianprotect.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/lsassguardianprotect.md
@@ -23,11 +23,17 @@ The event filters for the LSASS Guardian – Protect event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
-**_RECOMMENDED:_** Add exclusion process filters for undesired processes that make changes to LSASS,
+
+:::info
+Add exclusion process filters for undesired processes that make changes to LSASS,
e.g. third-party malware applications.
+:::
+
## AD Perpetrator Filter
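Review bot: the `:::info` body repeats the phrasing flagged in lsassguardianmonitor.md, "undesired processes that make changes to LSASS, e.g. third-party malware applications", which reads as advice to exclude malware from protection; confirm whether "anti-malware" is intended and fix it here too. The RECOMMENDED label is again dropped; use a custom admonition title if the distinction from the preceding `:::warning` should stay visible.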
@@ -39,11 +45,14 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the
+:::note
+For the
[Password Enforcement Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md),
selecting **Allow** means that this policy will not validate the new passwords for the accounts
listed here. Selecting **Block** means that this policy will validate the new passwords for the
accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -54,10 +63,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Domains/Servers Filter
@@ -75,18 +87,24 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Processes Filter
Use the Processes filter to set the scope of the policy to only lockdown specific processes or
exclude specific processes from being locked down.
-**_RECOMMENDED:_** Add undesired processes that make changes to LSASS, e.g. third-party malware
+:::info
+Add undesired processes that make changes to LSASS, e.g. third-party malware
applications, to the Allow list.
+:::
+

@@ -97,7 +115,10 @@ Type the process in the textbox. Use the buttons above the box to edit the list.
- The **Add** (+) button adds a textbox to the list to add an additional process.
- The Remove (x) button deletes the selected item(s) from that box.
-**CAUTION:** Leave this filter blank:
+:::warning
+Leave this filter blank:
+:::
+
- While you can select to **Block** processes, it is _not recommended_ for locking down LSASS.
Adding a process block filter will limit the policy to only block that process. Unknown malicious
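Review bot: "Leave this filter blank:" ends with a colon that introduces the bullet list beginning "- While you can select to **Block** processes", but the new `:::` closes the warning before that list, so the admonition now holds only a dangling fragment and its justification sits outside it. Either move the closing `:::` below the list so the reasoning stays inside the warning, or change the colon to a period.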
@@ -122,8 +143,14 @@ the requesting process.
- Among other things, this would prevent the creation of an LSASS dump file by Task Manager or
other processes.
-**_RECOMMENDED:_** Leave these filters enabled. Do not deselect these options.
+:::info
+Leave these filters enabled. Do not deselect these options.
+:::
-**NOTE:** LSASS Guardian Protect does not fully block an operation like other lockdown policies. It
+
+:::note
+LSASS Guardian Protect does not fully block an operation like other lockdown policies. It
allows the handle request to complete, but the handle returned will have the specified flags
removed.
+
+:::
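Review bot: the final `:::note` closes with a blank `+` line before `:::` while the `:::info` just above closes directly after its text; make them consistent. That note also describes a limit of the protection ("allows the handle request to complete, but the handle returned will have the specified flags removed"), which a reader configuring lockdown needs to see; consider `:::warning` for it, matching how the other behavioural caveats in this file are marked.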
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md
index 7b2cd78da3..6766e7e90f 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md
@@ -25,9 +25,12 @@ topic for additional information.
Check the box for the desired event type and click **OK**. The corresponding event filters show at
the bottom of the Event Type tab. Multiple event types can be assigned to a policy.
-**_RECOMMENDED:_** Create different policies for different event types for reporting purposes.
+:::info
+Create different policies for different event types for reporting purposes.
Otherwise, one report will have a mix of different types of data. There are a few exceptions to this
feature.
+:::
+
Once the event type to be monitored by the policy is selected, use the filters to scope the policy.
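Review bot: "There are a few exceptions to this feature." inside the new `:::info` tells the reader that exceptions exist without naming them; list the event types that can share a policy, link to the topic that covers them, or drop the sentence, since it is being rewritten here anyway.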
@@ -50,7 +53,7 @@ See the following topics for additional details:
- [Exchange Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md)
- [File System Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md)
- [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md)
-- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md)
+- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md)
- [FSMO Role Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md)
- [GPO Setting Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md)
- [GPO Setting Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md)
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md
index 0f135099fb..f8d1ee958a 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md
@@ -9,12 +9,15 @@ sidebar_position: 10
Any Threat Prevention license can use the Password Enforcement Event type to monitor for the
creation of weak passwords in your environment.
-**NOTE:** See the
+:::note
+See the
[Prevent Weak Passwords Use Case](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md)
topic for instructions on creating a policy to block weak passwords, which requires the Threat
Prevention
-for[ Enterprise Password Enforcer](/docs/threatprevention/7.4/overview/solutions/epe.md)
+for[ Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md)
solution.
+:::
+
Follow the steps to configure a policy to monitor the creation of weak passwords.
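Review bot: the rewritten link line keeps the malformed spacing `for[ Enterprise Password Enforcer]` (no space before the bracket, a leading space inside the link text); since only the path is changing, also fix it to `for [Enterprise Password Enforcer](...)` so the rendered sentence reads "Threat Prevention for Enterprise Password Enforcer".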
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md
index 23fd3b50c9..502d14fcca 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/passwordenforcement.md
@@ -24,13 +24,19 @@ The event filters for the Password Enforcement event type are:
Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank is treated
like an "ALL" for that filter set.
-**CAUTION:** Lockdown/blocking policies with blank filters result in everything being locked down or
+:::warning
+Lockdown/blocking policies with blank filters result in everything being locked down or
blocked.
+:::
-**NOTE:** Blocking mode requires the Password Enforcement license that comes with the for Enterprise
+
+:::note
+Blocking mode requires the Password Enforcement license that comes with the for Enterprise
Password Enforcer solution. See the
[License Manager Window](/docs/threatprevention/7.4/admin/navigation/licensemanager.md)
topic for additional information.
+:::
+
The Password Enforcement event type locks down or monitors password creation/modification so that
known, compromised passwords are not accepted.
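Review bot: the `+` line "Blocking mode requires the Password Enforcement license that comes with the for Enterprise Password Enforcer solution" contains a stray "the for"; the product name appears as "Threat Prevention for Enterprise Password Enforcer" in the monitorweakpasswords.md hunk of this patch, so restore it here while the line is being rewritten. The blank `+` line between the two admonitions is fine.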
@@ -55,7 +61,7 @@ You can add the Password Enforcement event type multiple times to a policy or cr
policies to define different sets of password rules, and different sets of Active Directory accounts
and/or Active Directory Perpetrators.
-Example
+**Example**
The goal is to create a password enforcement policy for the organization’s users. However, senior
executives require a different or stronger set of password rules. To achieve this goal, you can
@@ -95,10 +101,13 @@ Use the buttons in the Include and Exclude areas to edit the lists.
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## AD Account Filter
@@ -112,8 +121,11 @@ Select the **Block** or **Allow** option button and then edit the list.
- Allow – The list will not have new passwords validated by this policy
- Block – The list will have new passwords validated by this policy
-**CAUTION:** Selecting Block with no accounts, groups, or containers specified applies the filter
+:::warning
+Selecting Block with no accounts, groups, or containers specified applies the filter
rule to all accounts, groups, and organizational units in the environment.
+:::
+
Use the buttons in the Accounts, Account Collections, Containers, and Groups areas to edit the
lists. The following windows are displayed when you click the Add (+) button:
@@ -131,19 +143,22 @@ lists. The following windows are displayed when you click the Add (+) button:
The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
-Sub Tree
+
+**Sub Tree**

When contexts are added, a Sub-Tree checkbox displays. Check it to apply the filter to the parent
and all child contexts. Uncheck it to apply the filter to the listed context only.
-Block if user's group(s) is not resolved checkbox
+**Block if user's group(s) is not resolved checkbox**
When applying EPE rules based on group membership, it may happen that at runtime, Threat Prevention
cannot determine the groups the user making a password change is a member of. It is here that the
@@ -163,9 +178,12 @@ from being locked down.
Select the **Block** or **Allow** option button and then edit the list.
-**NOTE:** For the Password Enforcement Event Type, selecting **Allow** means that this policy will
+:::note
+For the Password Enforcement Event Type, selecting **Allow** means that this policy will
not validate the new passwords for the accounts listed here. Selecting **Block** means that this
policy will validate the new passwords for the accounts listed here.
+:::
+
Use the buttons in the Perpetrators and Collections of Perpetrators areas to edit the lists.
@@ -176,10 +194,13 @@ Use the buttons in the Perpetrators and Collections of Perpetrators areas to edi
to the appropriate Collection category.
- The Remove (x) button deletes the selected item(s) from that box.
-**NOTE:** To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
+:::note
+To enable a Dynamic Policy, use the Collection button to select the desired Dynamic
Collection. See the
[Dynamic Collections](/docs/threatprevention/7.4/admin/configuration/collectionmanager/dynamic.md)
topic for additional information.
+:::
+
## Hosts (from) Filter
@@ -209,13 +230,16 @@ Use the Password Rules filter to set the scope of the policy to check user enter
against custom rules. These rules apply to the account, configured in the AD Account filter, whose
password is being changed.
-**NOTE:** These Password Rules are only applied to passwords that pass any Windows password
+:::note
+These Password Rules are only applied to passwords that pass any Windows password
policies. Password values that fail to meet the Windows complexity checks are rejected by Windows
before Threat Prevention Enterprise Password Enforcer can evaluate them.
+:::
+

-Mode Section
+**Mode Section**
Select the **Monitoring** or **Blocking** button to monitor or block the event when a password fails
any of the checked criteria of the Password Rules filter.
@@ -223,11 +247,14 @@ any of the checked criteria of the Password Rules filter.
- Monitoring – Only reports the password that failed the criteria check
- Blocking – Blocks the failed password from being used
-**_RECOMMENDED:_** Use the Test Password Rules button to open the
+:::info
+Use the Test Password Rules button to open the
[Test Passwords Window](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/testpasswords.md),
where you can test your set of rules.
+:::
+
-Passwords Section
+**Passwords Section**
These settings authenticate passwords against a default `dictionary.dat` file of known weak and/or
compromised passwords. Additional passwords can be manually added or uploaded via a TXT file.
@@ -239,17 +266,20 @@ and the
[Substitutions Editor Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#substitutions-editor-window)
topics for additional information.
-_Remember,_ the
+:::tip
+Remember, the
[Password Dictionary Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#password-dictionary-window)
is always used to validate the password, so there is no 'check box' for it on the Password Rules
tab. Hence, matched passwords will always be blocked. You must have at least one line in the
dictionary but you can remove all others if you do not want the default entries to be used.
+:::
+
- Capture Rejected Password – Collects the password value which triggered the event. You can view
the rejected password values in the Attributes section of the data grids on the Recent Events tab
and the Investigate interface.
-Pwned DB Section
+**Pwned DB Section**
When a password is changed, this setting authenticates pending user password hashes against the Have
I Been Pwned? database, which contains compromised password hashes from world-wide data breaches.
@@ -257,12 +287,15 @@ I Been Pwned? database, which contains compromised password hashes from world-wi
- Block if password hash in Pwned DB – If the pending password matches a password hash from the
Pwned database, the user is blocked from using the password
-_Remember,_ the Pwned database must be initially deployed to the Enterprise Manager. Once it is
+:::tip
+Remember, the Pwned database must be initially deployed to the Enterprise Manager. Once it is
stored, Agent(s) can be configured to obtain and use a local copy of this database. See the
[EPE Settings Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md)
topic for additional information.
+:::
-Character Substitution Section
+
+**Character Substitution Section**
These settings prevent the use of character substitutions in passwords. They ignore or monitor/block
certain types of characters substitutions from being included in a password string. Additional
@@ -273,12 +306,15 @@ scoping can be enabled:
[Words List Dictionary Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#words-list-dictionary-window)
topic for additional information.
- _Remember,_ the substitutions themselves are kept in the Character Substitution list.
+ :::tip
+ Remember, the substitutions themselves are kept in the Character Substitution list.
+ :::
+
- Case sensitive – Differentiates between lowercase and capital text
- Reversed text also – Password patterns typed in backwards is blocked
-Username in Password Section
+**Username in Password Section**
These settings ignore or monitor/block certain types of usernames from being included in a password
string. If the corresponding string value is less than the number chosen in the “Ignore values less
@@ -305,7 +341,7 @@ When a username format is chosen, additional scoping options are available:
[Substitutions Editor Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#substitutions-editor-window)
topic for additional information.
-Repeating Patterns Section
+**Repeating Patterns Section**
These settings prevent individual repeating character patterns. Any passwords that contain repeating
patterns equal or exceeding the chosen minimum pattern length are blocked. Additional scoping can be
@@ -325,7 +361,7 @@ enabled:
[Substitutions Editor Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#substitutions-editor-window)
topic for additional information.
-Sequential Characters Section
+**Sequential Characters Section**
These settings prevent passwords with numbers or characters that follow each other in sequence. Any
sequence that equals or exceeds the number chosen in the Minimum sequence size textbox is blocked.
@@ -346,15 +382,18 @@ Additional scoping can be enabled:
[Substitutions Editor Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#substitutions-editor-window)
topic for additional information.
-Defined Text Section
+**Defined Text Section**
These settings block passwords that contain the string(s) specified in the text box. For multiple
strings, add one entry per line.
-**NOTE:** This filter blocks passwords that contain the text box content anywhere within the
+:::note
+This filter blocks passwords that contain the text box content anywhere within the
password length. The list in the
[Password Dictionary Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#password-dictionary-window)
blocks the entire password as entered or uploaded.
+:::
+
Additional scoping can be enabled:
@@ -370,7 +409,7 @@ Additional scoping can be enabled:
[Substitutions Editor Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md#substitutions-editor-window)
topic for additional information.
-Keyboard Layout Sequence Section
+**Keyboard Layout Sequence Section**
These settings prevent passwords that align with the order of keys on a keyboard. Any sequence that
equals or exceeds the number chosen in the Minimum sequence size textbox is blocked. Additional
@@ -381,12 +420,12 @@ scoping can be enabled:
- Minimum sequence size – Type or use the arrows to choose the number of characters the filter will
count up to. The default is three.
- For Example: “QWERTY” is blocked, “ADGJL” is allowed
+**For Example: “QWERTY” is blocked, “ADGJL” is allowed**
- Reverse order also – Standard order is reversed and blocked in keeping with the minimum
sequence size.
-Character Rules Section
+**Character Rules Section**
These settings work independently of one another. This filter looks for specific rules or
characteristics within a password to be blocked or allowed. Additional scoping can be enabled:
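Review bot: turning "- For Example: “QWERTY” is blocked, “ADGJL” is allowed" into a bold paragraph removes it from the list, so the "Minimum sequence size" and "Reverse order also" bullets are now separated by a bold line, and bolding the whole sentence styles an example as a heading. Keep it as a nested list item under "Minimum sequence size", bolding at most the "For example:" label; the other bold lines in this hunk are genuine section titles, this one is not.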
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md
index 67da2b7395..ed4f420e27 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md
@@ -9,19 +9,25 @@ sidebar_position: 20
Any Threat Prevention license can use the Password Enforcement Event type to prevent the creation of
weak passwords in your environment.
-**NOTE:** The Threat Prevention Enterprise Password Enforcement solution includes an EPE User
+:::note
+The Threat Prevention Enterprise Password Enforcement solution includes an EPE User
Feedback module. See the
-[ Enterprise Password Enforcer](/docs/threatprevention/7.4/overview/solutions/epe.md)
+[ Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md)
topic for additional information.
+:::
+
Follow the steps to configure a policy to block the creation of weak passwords.

-**NOTE:** It is a best practice to create and enable a monitoring policy prior to creating and
+:::note
+It is a best practice to create and enable a monitoring policy prior to creating and
enabling a blocking policy. See the
[Monitor Weak Passwords Use Case](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md)
topic for additional information.
+:::
+
**Step 1 –** (Must be completed by an administrator) Configure the global EPE settings for your
environment.
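Review bot: the rewritten link line keeps the leading space inside the link text, `[ Enterprise Password Enforcer]`; since only the path is changing, tidy it to `[Enterprise Password Enforcer](...)` here, as the same link in monitorweakpasswords.md should be. The two new `:::note` blocks are otherwise consistent with the rest of the patch.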
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/perpetrators.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/perpetrators.md
index d8ce03277c..3391948157 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/perpetrators.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/perpetrators.md
@@ -26,5 +26,8 @@ topic for additional information.
The selection is displayed in the appropriate box of the AD Account filter, the AD Perpetrator
filter, the Exchange Perpetrators filter, or the Perpetrators to Exclude filter.
-**NOTE:** For information on the well-known SID types, see the Microsoft article
+:::note
+For information on the well-known SID types, see the Microsoft article
[Well-known SIDs](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids).
+
+:::
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/selectcomputers.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/selectcomputers.md
index 3e16279c1e..8e403d885f 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/selectcomputers.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/selectcomputers.md
@@ -25,8 +25,11 @@ topic for additional information.
The selection is displayed in the appropriate box of the Hosts (from) filter or the Hosts (to)
filter.
-**NOTE:** If the selected Agent is not configured to "Enable DNS Host Name Resolution," then the
+:::note
+If the selected Agent is not configured to "Enable DNS Host Name Resolution," then the
Results pane may not include the DNS name or IP address for computer identification purposes. See
the
[DNS Host Name Resolution ](/docs/threatprevention/7.4/admin/agents/deploy/setoptions.md#dns-host-name-resolution)topic
for additional information.
+
+:::
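Review bot: the context line `[DNS Host Name Resolution ](...)topic` has a trailing space inside the link text and no space before "topic"; fix it to `[DNS Host Name Resolution](...) topic` while this note is being converted, and drop the blank `+` line before the closing `:::` so the admonition matches the others in the patch.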
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/testpasswords.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/testpasswords.md
index 473e2f5f38..96a08038d2 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/testpasswords.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/testpasswords.md
@@ -23,10 +23,10 @@ This window has the following options:
- Results – Displays whether the tested password failed or passed the complexity requirements set on
the Password Rules filter
-Password Test Result - Passed
+**Password Test Result - Passed**

-Password Test Result - Does Not Pass
+**Password Test Result - Does Not Pass**

diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/trustees.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/trustees.md
index 58e12e262a..e0b3e00a18 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/trustees.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/window/trustees.md
@@ -28,5 +28,8 @@ topic for additional information.
The selection is displayed in the appropriate box of the Exchange Trustees filter.
-**NOTE:** For information on the well-known SID types, see the Microsoft article
+:::note
+For information on the well-known SID types, see the Microsoft article
[Well-known SIDs](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids).
+
+:::
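Review bot: same placement point as in perpetrators.md, the blank line is inside the admonition, before the closing `:::`, whereas the rest of this change puts it after; move it for consistency.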
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/general.md b/docs/threatprevention/7.4/admin/policies/configuration/general.md
index fb7620bba4..efd22e8565 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/general.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/general.md
@@ -10,7 +10,7 @@ The General tab is for editing the basic attributes of the policy.

-Policy Status
+**Policy Status**
It indicates whether or not the policy is enabled. Click the toggle button at the top to enable or
disable the policy. On the
@@ -18,14 +18,14 @@ disable the policy. On the
an enabled policy is represented with a green dot and a disabled policy is represented with a gray
dot.
-Name
+**Name**
The name should be unique and descriptive. This name is displayed for a policy in the list on the
[Policies Interface](/docs/threatprevention/7.4/admin/policies/overview.md).
Event data can be filtered by policy; therefore, a descriptive name can be very useful to users of
the Netwrix Threat Manager Reporting Module.
-Description
+**Description**
The description is optional but recommended. Since each policy can be configured to be as broad or
narrow as desired, the name combined with the description should clearly explain what objects and
@@ -50,10 +50,11 @@ occurred (Modified on).
The schedule is for setting the time period for an enabled policy to monitor or block events.
-| Icon | Label | Represents |
-| ------------------------------------------------------------------------------------------------------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-|  | Always Active | Indicates the policy will be active at all times when enabled. This is the default setting |
-|  | Active at Specified Times | Indicates the policy will be active only at the specified times when enabled. There are two options for setting the specified times: - Local Server Time – Schedule is set according to the local server’s time - UTC Time – Schedule is set according to the Universal Time (UTC) |
+| Icon | Label | Represents |
+| ------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|  | Always Active | Indicates the policy will be active at all times when enabled. This is the default setting |
+|  | Active at Specified Times | Indicates the policy will be active only at the specified times when enabled. There are two options for setting the specified times: - Local Server Time – Schedule is set according to the local server’s time
- UTC Time – Schedule is set according to the Universal Time (UTC)
|
+
Any new policy created from a template automatically applies the template’s setting, which can then
be modified as desired. Schedule details are displayed for a policy in the list on the
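Review bot: the rebuilt "Active at Specified Times" row is split across three lines (the cell ends after "local server's time", then `- UTC Time – Schedule is set according to the Universal Time (UTC)` and a lone `|` follow on separate lines); a Markdown table row must stay on one line, so this row will fall out of the table when rendered. Keep both options in the cell on one line as the removed row did, separating them with `<br/>` if a line break is wanted.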
@@ -61,7 +62,7 @@ be modified as desired. Schedule details are displayed for a policy in the list
Active at Specified Times is represented by a clock icon, and Always Active is represented with no
icon, or blank.
-Weekly Calendar
+**Weekly Calendar**
The weekly calendar at the bottom of the schedule section is where the schedule is set.
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/recentevents/executepsscript.md b/docs/threatprevention/7.4/admin/policies/configuration/recentevents/executepsscript.md
index e630dd0eb5..d7432f1951 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/recentevents/executepsscript.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/recentevents/executepsscript.md
@@ -9,7 +9,7 @@ sidebar_position: 30
The Execute PS script right-click option in the Recent Events tab of a policy opens a Windows
Explorer window to the scripts folder within the Threat Preventionfile system.
-…\ Netwrix\Netwrix Threat Prevention\SIWinConsole\scripts
+**…\ Netwrix\Netwrix Threat Prevention\SIWinConsole\scripts**
You can execute Windows PowerShell scripts stored in this folder for the selected event. Select a
script to execute it.
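Review bot: a file system path is better set as inline code than bold: `…\ Netwrix\Netwrix Threat Prevention\SIWinConsole\scripts` contains backslashes that MDX can treat as escape characters inside emphasis, and code formatting sidesteps that. The space after `…\` also looks like a typo in the path.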
@@ -18,8 +18,11 @@ An example script has been placed in this folder. The example PowerShell script
the _si_eventdata.txt_ file on the C:\ drive. The example script also contains all the parameters
needed for working with the selected event data.
-**NOTE:** For a PowerShell script to reference the selected event data, it is necessary to use the
+:::note
+For a PowerShell script to reference the selected event data, it is necessary to use the
_$helper.[class]_ with the data parameter. This is Threat Prevention specific. For example:
+:::
+
```
$sw.WriteLine(("EventName: " + $helper.EventName))
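Review bot: the closing `:::` is placed directly after "For example:", so the code block the sentence introduces now sits outside the note; move the closing `:::` to after the code block's closing fence so the example stays inside the admonition. While here, the opening fence has no language tag; tagging it `powershell` gives the example syntax highlighting.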
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/recentevents/overview.md b/docs/threatprevention/7.4/admin/policies/configuration/recentevents/overview.md
index 40c70c30f0..6702038b30 100644
--- a/docs/threatprevention/7.4/admin/policies/configuration/recentevents/overview.md
+++ b/docs/threatprevention/7.4/admin/policies/configuration/recentevents/overview.md
@@ -72,7 +72,10 @@ below in the default order of the data grid columns:
- File System monitoring/blocking – Original path of the affected file or folder
- Authenticate – DN of the user object making the request
- **NOTE:** For LDAP bind/monitoring/blocking, Affected Object Path is not used
+ :::note
+ For LDAP bind/monitoring/blocking, Affected Object Path is not used
+ :::
+
- Agent: Domain – Active Directory domain where the Agent that monitored/blocked the event is
deployed
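Review bot: the `:::note` block is indented beneath the preceding "Authenticate" bullet, which attaches it to that item rather than to the "Affected Object Path" column as a whole, where the original bulleted NOTE sat; confirm that is the intended scope, and check that the directive renders when nested inside a list item (the `:::` lines must be indented to the item's content column).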
diff --git a/docs/threatprevention/7.4/admin/policies/dataprotection.md b/docs/threatprevention/7.4/admin/policies/dataprotection.md
index 45dc58fcd5..8a85729340 100644
--- a/docs/threatprevention/7.4/admin/policies/dataprotection.md
+++ b/docs/threatprevention/7.4/admin/policies/dataprotection.md
@@ -40,8 +40,11 @@ it:
- [Investigate Interface](/docs/threatprevention/7.4/admin/investigate/overview.md)
data
-**NOTE:** These protections only apply to viewing event data within the Administration Console, and
+:::note
+These protections only apply to viewing event data within the Administration Console, and
do not carry-over to the Netwrix Threat Manager Reporting Module application.
+:::
+
## Protect Policies
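Review bot: "do not carry-over" in the rewritten note should be "do not carry over"; the hyphenated form is the noun, not the verb.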
@@ -63,9 +66,12 @@ is displayed.
**Step 3 –** On the Select User window, select the user to be granted permission on this folder and
the policies within it.
-**NOTE:** Only users with rights assigned in the
+:::note
+Only users with rights assigned in the
[Users and Roles Window](/docs/threatprevention/7.4/admin/configuration/userroles/overview.md)
are available in the list.
+:::
+
**Step 4 –** The window closes and the user is displayed in the Permissions list with the View Data
permission granted by default. To add the Manage Policies permission, check the box for that user.
diff --git a/docs/threatprevention/7.4/admin/policies/overview.md b/docs/threatprevention/7.4/admin/policies/overview.md
index e89cf20014..9675d7aa68 100644
--- a/docs/threatprevention/7.4/admin/policies/overview.md
+++ b/docs/threatprevention/7.4/admin/policies/overview.md
@@ -20,14 +20,17 @@ The columns are (left to right):
- Policy State – Indicates whether the policy is enabled (green) or disabled (gray)
- **NOTE:** This only displays the state of the policy. It does not change its state.
+ :::note
+ This only displays the state of the policy. It does not change its state.
+ :::
+
- Customized Schedule Icon – A clock symbol displays when the policy has been customized
- Name – Name of the policy
- Path – Folder and sub-folder location of the policy within the Navigation pane
- Description – The description provided on the General tab of the policy
-Policies Node
+**Policies Node**
Under the Policies node in the Navigation pane, folders are used to organize the policies. Folders
can be created at the top level or as sub-folders. Threat Prevention supports unlimited levels for
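Review bot: the indented `:::note` is now part of the "Policy State" bullet, and the indented blank line added after it inserts a blank line between list items, which Markdown renders as a loose list with paragraph spacing on every item in the column list; drop that blank line unless the spacing is wanted, and verify the directive renders inside the list item.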
@@ -66,7 +69,10 @@ It contains the following options:
| Export | Exports the selected policy’s configuration to an XML file through the [Export Policies and Templates Window](/docs/threatprevention/7.4/admin/policies/exportpoliciestemplates.md) |
| Remove | Deletes the selected policy |
-**NOTE:** If the selected policy is protected and the current user does not have the Manage Policies
+:::note
+If the selected policy is protected and the current user does not have the Manage Policies
permission for it, these options are grayed-out. See the
[Data Protection](/docs/threatprevention/7.4/admin/policies/dataprotection.md)
topic for additional information on protection.
+
+:::
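Review bot: the blank line sits before the closing `:::` here but after it in the other converted notes of this change; move it below `:::` for consistency.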
diff --git a/docs/threatprevention/7.4/admin/templates/configuration/actions.md b/docs/threatprevention/7.4/admin/templates/configuration/actions.md
index 818e3dfcb3..ae94dadaf6 100644
--- a/docs/threatprevention/7.4/admin/templates/configuration/actions.md
+++ b/docs/threatprevention/7.4/admin/templates/configuration/actions.md
@@ -58,9 +58,12 @@ notifications from the drop-down menu. Only SIEM profiles previously created are
selection. This action can also be assigned within the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
-**NOTE:** To enable this feature, a Threat Prevention administrator must first establish a
+:::note
+To enable this feature, a Threat Prevention administrator must first establish a
connection with the SIEM server and configure the mapping file through the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
+:::
+
## Send to Netwrix Threat Manager
@@ -69,15 +72,21 @@ specific to integration with a full version deployment of Netwrix Threat Manager
Manager Reporting Module uses the NVMonitorData database (Send to Events DB option) for reporting
purposes.
-**NOTE:** To enable this feature, the Web Request Action Module (Netwrix Threat Manager URI) must be
+:::note
+To enable this feature, the Web Request Action Module (Netwrix Threat Manager URI) must be
created and configured by a Threat Prevention administrator through the
[Event Sink Tab](/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md#event-sink-tab)
on the Netwrix Threat Manager Configuration window.
+:::
+
## Email Notifications
-**CAUTION:** Email notifications should not be used on highly active policies. Please reserve this
+:::warning
+Email notifications should not be used on highly active policies. Please reserve this
feature for policies where immediate notification of an event is needed.
+:::
+
To enable email notifications, select the desired message profile to be recipient of the email
notifications from the drop-down menu. Only message profiles previously created are available for
@@ -118,9 +127,12 @@ Two hours later, when another event is captured against that same policy, Threat
send an email notification for it. If more events are captured within the next five minutes, email
notifications will not be generated.
-**NOTE:** To enable email notifications, the SMTP gateway must first be configured and message
+:::note
+To enable email notifications, the SMTP gateway must first be configured and message
profiles created by a Threat Prevention administrator, which is done through the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
+:::
+
## Custom Scripts
@@ -142,7 +154,10 @@ See the following topics for additional information:
- Optionally, custom scripts can be provided through a Netwrix Statement of Work.
-**NOTE:** There are custom scripts created by Netwrix Engineers that execute the notification
+:::note
+There are custom scripts created by Netwrix Engineers that execute the notification
emails. See the
[Custom Scripts](/docs/threatprevention/7.4/admin/templates/folder/actions/actions.md#custom-scripts)
topic for additional information.
+
+:::
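Review bot: the blank line is again inside the admonition, before the closing `:::`, while the other notes in this file put it after; move it for consistency.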
diff --git a/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md b/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md
index fc767dca85..fa34593a72 100644
--- a/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md
+++ b/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md
@@ -25,9 +25,12 @@ topic for information.
Check the box for the desired event type and click **OK**. The corresponding event filters show at
the bottom of the Event Type tab. Multiple event types can be assigned to a policy.
-**_RECOMMENDED:_** Create different policies for different event types for reporting purposes.
+:::info
+Create different policies for different event types for reporting purposes.
Otherwise, one report will have a mix of different types of data. There are a few exceptions to this
feature.
+:::
+
Once the event type to be monitored by the policy is selected, use the filters to scope the policy.
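Review bot: converting `**_RECOMMENDED:_**` to a plain `:::info` drops the "Recommended" label, which carried the meaning of the block; Docusaurus admonitions accept a custom title on the opening line (`:::info[Recommended]` in Docusaurus 3, `:::info Recommended` in 2), so keep the label that way. The context line "There are a few exceptions to this feature." also leaves the reader without the exceptions; consider naming them or linking to where they are described.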
@@ -50,7 +53,7 @@ See the following topics for additional details:
- [Exchange Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md)
- [File System Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md)
- [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md)
-- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md)
+- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md)
- [FSMO Role Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md)
- [GPO Setting Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md)
- [GPO Setting Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md)
diff --git a/docs/threatprevention/7.4/admin/templates/configuration/general.md b/docs/threatprevention/7.4/admin/templates/configuration/general.md
index a936da5956..9af88948f1 100644
--- a/docs/threatprevention/7.4/admin/templates/configuration/general.md
+++ b/docs/threatprevention/7.4/admin/templates/configuration/general.md
@@ -10,12 +10,12 @@ The General tab is for editing the basic attributes of the template.

-Name
+**Name**
The name should be unique and descriptive. It is displayed for a template in the list on the
[Templates Interface](/docs/threatprevention/7.4/admin/templates/overview.md).
-Description
+**Description**
The description is optional but recommended. Since each policy can be configured to be as broad or
narrow as desired, the name combined with the description should clearly explain what objects and
@@ -33,7 +33,7 @@ create a duplicate template, but rather display the template in different folder
node. Multiple tags can be identified for a template with a comma-separated list. New tags can be
created, which create a new folder under the TAGS node. Use the right-click Refresh option on the
TAGS node in the Navigation pane to display new tags and/or display template-tag modifications. See
-the [Tags Node](/docs/threatprevention/7.4/admin/overview_1.md) topic
+the [Tags Node](/docs/threatprevention/7.4/admin/Tags.md) topic
for additional information.
## History
@@ -41,7 +41,8 @@ for additional information.
History details in the center of the General tab are automatically populated on creation or
modification.
-
+
+
It contains read-only information on who created the template (Added by), when the template was
created (Added on), who made the latest modification (Modified by), and when the latest modification
@@ -51,10 +52,11 @@ occurred (Modified on).
The schedule is for setting the time period for an enabled policy to monitor or block events.
-| Icon | Label | Represents |
-| ------------------------------------------------------------------------------------------------------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-|  | Always Active | Indicates the policy will be active at all times when enabled. This is the default setting |
-|  | Active at Specified Times | Indicates the policy will be active only at the specified times when enabled. There are two options for setting the specified times: - Local Server Time – Schedule is set according to the local server’s time - UTC Time – Schedule is set according to the Universal Time (UTC) |
+| Icon | Label | Represents |
+| ------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|  | Always Active | Indicates the policy will be active at all times when enabled. This is the default setting |
+|  | Active at Specified Times | Indicates the policy will be active only at the specified times when enabled. There are two options for setting the specified times: - Local Server Time – Schedule is set according to the local server’s time
- UTC Time – Schedule is set according to the Universal Time (UTC)
|
+
Any new policy created from a template automatically applies the template’s setting, which can then
be modified as desired. Schedule details are displayed for a template in the list on the
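Review bot: the "Active at Specified Times" row is broken across three lines (the cell ends after "local server's time", then `- UTC Time – Schedule is set according to the Universal Time (UTC)` and a lone `|` follow on their own lines), so it will not render as part of the table; keep the whole row on one line, using `<br/>` between the two options if a break is wanted, as the removed single-line row did.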
@@ -62,11 +64,11 @@ be modified as desired. Schedule details are displayed for a template in the lis
Active at Specified Times is represented by a clock icon, and Always Active is represented with no
icon, or blank.
-Weekly Calendar
+**Weekly Calendar**
The weekly calendar at the bottom of the schedule section is where the schedule is set.
-
+
When the schedule is set to Always Active, the weekly calendar is grayed-out.
diff --git a/docs/threatprevention/7.4/admin/templates/createpolicy.md b/docs/threatprevention/7.4/admin/templates/createpolicy.md
index 4c5fd1767e..226a37091e 100644
--- a/docs/threatprevention/7.4/admin/templates/createpolicy.md
+++ b/docs/threatprevention/7.4/admin/templates/createpolicy.md
@@ -31,15 +31,21 @@ Follow the steps to customize a policy that was created from a template.
[General Tab](/docs/threatprevention/7.4/admin/policies/configuration/general.md)
select the Active At Specified Times option and then set the schedule.
-**CAUTION:** Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
+:::warning
+Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
being locked down or blocked.
+:::
+
**Step 3 –** On the
[Event Type Tab](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md),
configure the Event Filters that are specific to each environment.
-_Remember,_ Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank
+:::tip
+Remember, Each filter tab acts like an "AND" statement for the filter. Any filter tab left blank
is treated like an "ALL" for that filter set.
+:::
+
**Step 4 –** If desired, on the
[Actions Tab](/docs/threatprevention/7.4/admin/policies/configuration/actions/overview.md)
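Review bot: "Use cation with" in the new `:::warning` line is a typo for "Use caution with"; fix it here rather than carrying it over. In the `:::tip` block, "Remember, Each filter tab" should be "Remember, each filter tab" (or drop "Remember," since the tip already signals the reminder).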
diff --git a/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md b/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md
index 906b04171d..2bdbb7c4d4 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/activedirectory.md
@@ -9,25 +9,25 @@ sidebar_position: 40
The **Templates** > **Microsoft** > **Active Directory** folder in the Navigation pane contains the
following templates:
-Authentication Folder
-
-| Subfolder | Template | Description | TAGS |
-| ----------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| | AD: Failed Account Authentications | Gathers Failed AD Authentications. Utilizes built-In “Failed Authentications” – Include Perpetrators Collection to define which accounts will be monitored for failed authentications. Add accounts to be monitored to this collection. | None |
-| | AD: Successful Account Authentications | Gathers Successful AD Authentications. Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection. | None |
-| | AD: Successful Account Logons | No customizations required. Most common modification: specify a list of users (AD Objects) to be included or excluded. Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy.Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is _Off_ for this policy. | None |
-| Administrative Accounts | AD: Domain Administrators Logons to Non Domain Controllers | Gathers logon events of Domain Administrator accounts to non-domain controller computes. Utilizes built-In “Domain Administrators” – Include Perpetrators Collection to define which accounts will be monitored for logons. Add accounts which have domain administrator rights to be monitored to this collection. Also utilizes built-In “Domain Controllers” – Hosts Collection to define which hosts will NOT be monitored for logons. Add domain controllers to be ignored to this collection. | None |
-| Administrative Accounts | AD: Failed Administrator Account Authentications | Gathers AD: Failed Administrator Account Authentications. Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for failed authentications. | None |
-| Administrative Accounts | AD: Successful Administrator Account Authentications | Gathers Successful AD Authentications for Administrators. Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for successful authentications. Add accounts with administrative rights to be monitored to this collection. | None |
-| Administrative Accounts | AD: Successful Administrator Account Logons | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy | None |
-| Service Accounts | AD: Failed Service Account Authentications | Gathers Failed AD Authentications for service accounts. Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for failed authentications. Add service accounts to be monitored to this collection | None |
-| Service Accounts | AD: Successful Service Account Authentications | Gathers Successful AD Authentications for service accounts. Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for successful authentications. Add service accounts to be monitored to this collection | None |
-| Service Accounts | AD: Successful Service Account Logons | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md) is Off for this policy. | None |
-
-Groups Folder
-
-| Subfolder | Template | Description | TAGS |
-| ----------------------- | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- |
+**Authentication Folder**
+
+| Subfolder | Template | Description | TAGS |
+| ------------- | --------------- | ---------------- | ---- |
+| | AD: Failed Account Authentications | Gathers Failed AD Authentications.
Utilizes built-In “Failed Authentications” – Include Perpetrators Collection to define which accounts will be monitored for failed authentications. Add accounts to be monitored to this collection. | None |
+| | AD: Successful Account Authentications | Gathers Successful AD Authentications.
Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection. | None |
+| | AD: Successful Account Logons | No customizations required. Most common modification: specify a list of users (AD Objects) to be included or excluded.
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy.Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is _Off_ for this policy. | None |
+| Administrative Accounts | AD: Domain Administrators Logons to Non Domain Controllers | Gathers logon events of Domain Administrator accounts to non-domain controller computes.
Utilizes built-In “Domain Administrators” – Include Perpetrators Collection to define which accounts will be monitored for logons. Add accounts which have domain administrator rights to be monitored to this collection.
Also utilizes built-In “Domain Controllers” – Hosts Collection to define which hosts will NOT be monitored for logons. Add domain controllers to be ignored to this collection. | None |
+| Administrative Accounts | AD: Failed Administrator Account Authentications | Gathers AD: Failed Administrator Account Authentications.
Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for failed authentications. | None |
+| Administrative Accounts | AD: Successful Administrator Account Authentications | Gathers Successful AD Authentications for Administrators.
Utilizes built-In “Administrative Accounts” – Include Perpetrators Collection to define which administrative accounts will be monitored for successful authentications. Add accounts with administrative rights to be monitored to this collection. | None |
+| Administrative Accounts | AD: Successful Administrator Account Logons | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy | None |
+| Service Accounts | AD: Failed Service Account Authentications | Gathers Failed AD Authentications for service accounts.
Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for failed authentications. Add service accounts to be monitored to this collection | None |
+| Service Accounts | AD: Successful Service Account Authentications | Gathers Successful AD Authentications for service accounts.
Utilizes built-In “Service Accounts” – Include Perpetrators Collection to define which service accounts will be monitored for successful authentications. Add service accounts to be monitored to this collection | None |
+| Service Accounts | AD: Successful Service Account Logons | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection
Make sure the Exclude 'Noise' Events option on the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md) is Off for this policy. | None |
+
+**Groups Folder**
+
+| Subfolder | Template | Description | TAGS |
+| ----------------------- | ---------------------- | ------------------------ | ---- |
| | AD Group Creations | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| | AD Group Deletions | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| | AD: Group Membership Changes | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
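Review bot: the three Event Filtering Configuration Window links in the rebuilt Authentication table now point at `/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md`, while this file is in the 7.4 tree and the removed rows linked to 7.4; restore the 7.4 paths unless the cross-version link is intentional. Several rows are also split across lines (for example the `AD: Failed Account Authentications` row continues on the next line with "Utilizes built-In …"), which Markdown tables do not support, so those rows will not render; the `AD: Successful Account Logons` row still carries the duplicated "Make sure the Exclude 'Noise' Events … is Off for this policy." sentence, and "non-domain controller computes" should read "computers".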
@@ -43,58 +43,62 @@ Groups Folder
| Administrative Groups | AD: Group Membership Changes to Administrator Groups | Utilizes the built-in “Administrator Groups” – Objects Collection. Add administrator groups to be monitored to this collection | None |
| Administrative Groups | AD: Moves or Renames of Administrator Groups | Utilizes the built-in “Administrator Groups” – Objects Collection. Add administrator groups to be monitored to this collection | None |
-Lockdown Folder
+**Lockdown Folder**
-**CAUTION:** Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
+:::warning
+Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
being locked down or blocked.
+:::
-| Template | Description | TAGS |
-| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
+
+| Template | Description | TAGS |
+| --------------------- | ------------------ | ---- |
| AD Generic Lockdown | Set the appropriate AD event type(s) to be blocked. Then select the desired AD Objects and Containers, AD Classes and Attributes, and AD Perpetrators to be allowed or denied | None |
-| Auth Generic Lockdown | Set the appropriate AD Perpetrator(s) and/or Host(s) to be blocked | None |
+| Auth Generic Lockdown | Set the appropriate AD Perpetrator(s) and/or Host(s) to be blocked | None |
-Organizational Unit Folder
+**Organizational Unit Folder**
-| Template | Description | TAGS |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------- | ---- |
+| Template | Description | TAGS |
+| ---------------------------- | ------------------------ | ---- |
| AD OU Creations | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| AD OU Deletions | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| AD OU Modifications | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| AD OU Moves or Renames | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| AD OU Security Modifications | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
-Password Enforcement Folder
+**Password Enforcement Folder**
-| Template | Description | TAGS |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
+| Template | Description | TAGS |
+| -------------------- | ------------------------ | ---- |
| Password Enforcement Monitoring | No customizations required. Prevents users from changing a password to any value in the Threat Prevention dictionary of known compromised passwords | None |
-Replication Folder
+**Replication Folder**
+
+| Template | Description | TAGS |
+| ------------------------- | -------------------------- | ---- |
+| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: - Allow Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers
- Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers
See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None |
+| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored.
Alternatively, add legitimate domain controllers to be ignored in one of the following ways: - Exclude Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers
- Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers
See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None |
-| Template | Description | TAGS |
-| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: - Allow Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers - Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None |
-| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored. Alternatively, add legitimate domain controllers to be ignored in one of the following ways: - Exclude Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers - Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None |
-Server-Workstation Folder
+**Server-Workstation Folder**
-| Template | Description | TAGS |
-| ---------------------------------- | -------------------------------------------------------------------------------------------------------- | ---- |
+| Template | Description | TAGS |
+| --------------------- | ------------------ | ---- |
| AD: Computer Account Creations | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| AD: Computer Account Deletions | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
| AD: Computer Account Modifications | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
-Users Folder
-
-| Subfolder | Template | Description | TAGS |
-| ----------------------- | ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| | AD: User Account Creations | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
-| | AD: User Account Deletions | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
-| | AD: User Account Lockouts | No customizations required. Most common modifications: specify AD Objects to be included or excluded | None |
-| | AD: User Account Modifications | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
-| | AD: User Account Moves and Renames | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
-| | AD: User Account Password Set | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
-| Administrative Accounts | AD: Deletions of Administrator Accounts | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection | None |
+**Users Folder**
+
+| Subfolder | Template | Description | TAGS |
+| -------------- | --------------- | ----------------------- | ---- |
+| | AD: User Account Creations | No customizations required. Most common modifications: specify AD Perpetrator to be included or excluded | None |
+| | AD: User Account Deletions | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
+| | AD: User Account Lockouts | No customizations required. Most common modifications: specify AD Objects to be included or excluded | None |
+| | AD: User Account Modifications | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
+| | AD: User Account Moves and Renames | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
+| | AD: User Account Password Set | No customizations required. Most common modifications: specify AD Objects and/or AD Perpetrator to be included or excluded | None |
+| Administrative Accounts | AD: Deletions of Administrator Accounts | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection | None |
| Administrative Accounts | AD: Modifications of Administrator Accounts | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection | None |
| Administrative Accounts | AD: Moves and Renames of Administrator Accounts | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection | None |
| Administrative Accounts | AD: Password Set on Administrator Accounts | Utilizes built-in “Administrator Accounts” – Objects Collection. Add accounts with administrator rights to be monitored to this collection | None |
@@ -106,7 +110,7 @@ Users Folder
| Administrative Accounts | AD: User Modifications NOT by Administrators | Utilizes the built-in “Administrative Accounts” – Perpetrator Collection. Add accounts with administrative rights to NOT be monitored to this collection | None |
| Administrative Accounts | AD: User Moves and Renames by Administrators | Utilizes built-in "Administrative Accounts" – Perpetrator Collection. Add accounts with administrative rights to be monitored to this collection | None |
| Administrative Accounts | AD: User Moves and Renames NOT by Administrators | Utilizes the built-in “Administrative Accounts” – Perpetrator Collection. Add accounts with administrative rights to NOT be monitored to this collection | None |
-| Service Accounts | AD: Deletions of Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
-| Service Accounts | AD: Modifications of Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
-| Service Accounts | AD: Moves and Renames of Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
-| Service Accounts | AD: Password Set on Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
+| Service Accounts | AD: Deletions of Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
+| Service Accounts | AD: Modifications of Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
+| Service Accounts | AD: Moves and Renames of Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
+| Service Accounts | AD: Password Set on Service Accounts | Utilizes built-in "Service Accounts" – Objects Collection. Add service accounts to be monitored to this collection | None |
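Review bot: the two Replication Folder rows change their cross-reference links from `/docs/threatprevention/7.4/...` (removed lines) to `/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationlockdown.md` and `.../adreplicationmonitoring.md` while this file lives under `7.4`; that looks like an unintended version bump and should stay at `7.4`. The same rows split one table row over several lines (`USE CAUTION WITH ALL LOCKDOWN TEMPLATES` on one line, the `- Allow Perpetrators List` and `- Exclude Domains/Servers` items and the `See the ...` sentence on the following lines), which a Markdown table does not render as one cell; use `<br />` inside the cell instead. Since the warning text is being moved into `:::warning`, also fix the carried-over typos `Use cation` (caution) and `to be inored` (ignored).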
diff --git a/docs/threatprevention/7.4/admin/templates/folder/bestpractices.md b/docs/threatprevention/7.4/admin/templates/folder/bestpractices.md
index 4a18cf5013..896e9fe997 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/bestpractices.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/bestpractices.md
@@ -8,41 +8,48 @@ sidebar_position: 20
The Best Practices folder contains the following templates:
-Active Directory Folder
+**Active Directory Folder**
-| Template | Description | TAGS |
-| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| All AD Changes | Gathers all AD changes. Utilizes the built-in “Exclude Class” – Classes Collection and “Exclude Attribute” – Attributes Collection to restrict unwanted events. Add classes and attributes which will NOT be monitored to these collections | None |
-| All GPO Setting Changes | No customizations required to monitor all GPO setting changes | None |
+| Template | Description | TAGS |
+| ----------------------- | ------------------ | ---- |
+| All AD Changes | Gathers all AD changes.
Utilizes the built-in “Exclude Class” – Classes Collection and “Exclude Attribute” – Attributes Collection to restrict unwanted events. Add classes and attributes which will NOT be monitored to these collections | None |
+| All GPO Setting Changes | No customizations required to monitor all GPO setting changes | None |
-Exchange Folder
+**Exchange Folder**
-**CAUTION:** Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
+:::warning
+Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
being locked down or blocked!
+:::
-| Template | Description | TAGS |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| Non-Owner Logon Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Specify the Exchange Mailboxes and Containers to lockdown. Optionally, add Exchange Perpetrators to be allowed or denied. | None |
-File System Folder
+| Template | Description | TAGS |
+| ------------------------ | ------------- | ---- |
+| Non-Owner Logon Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Specify the Exchange Mailboxes and Containers to lockdown. Optionally, add Exchange Perpetrators to be allowed or denied. | None |
-| Template | Description | TAGS |
-| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| File Owner Changes | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | None |
-| File System Monitoring | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Reads are left out due to the potential high volume of data that could be gathered; recommended only for highly sensitive content. | None |
+**File System Folder**
-Object Lockdown Folder
+| Template | Description | TAGS |
+| ---------------------- | ------------------------------- | ---- |
+| File Owner Changes | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | None |
+| File System Monitoring | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded.
Reads are left out due to the potential high volume of data that could be gathered; recommended only for highly sensitive content. | None |
-**CAUTION:** Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
+**Object Lockdown Folder**
+
+:::warning
+Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
being locked down or blocked!
+:::
+
+
+| Template | Description | TAGS |
+| ----------------- | -------------------- | ---- |
+| AD Object Permissions Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “Object Permissions - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
+| AD Root Object Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “Root Object - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
+| Critical GPO Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “Critical GPO - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired GPOs to protect. | None |
+| DNS Record Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “DNS Records - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in collection. | None |
+| Group Lockdown of Delete, Move, Rename, and Membership Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “Group Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Groups to protect. | None |
+| Group, User, and OU Lockdown of Delete, Move, and Rename Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “Group User OU Object Delete and Move - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
+| OU Structure Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “OU Structure - >Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired OUs to protect. | None |
+| User Lockdown of Delete, Move, Rename and Modify Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Utilizes the built-in “User Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection.
Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in Allow Lockdown Perpetrator Collection, and add the desired Users to protect. | None |
-| Template | Description | TAGS |
-| --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| AD Object Permissions Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Object Permissions - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
-| AD Root Object Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Root Object - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
-| Critical GPO Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Critical GPO - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired GPOs to protect. | None |
-| DNS Record Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “DNS Records - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in collection. | None |
-| Group Lockdown of Delete, Move, Rename, and Membership Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Group Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Groups to protect. | None |
-| Group, User, and OU Lockdown of Delete, Move, and Rename Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “Group User OU Object Delete and Move - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired Objects to protect. | None |
-| OU Structure Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “OU Structure - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, fill in the built-in collection, and add the desired OUs to protect. | None |
-| User Lockdown of Delete, Move, Rename and Modify Events | USE CAUTION WITH ALL LOCKDOWN TEMPLATES Utilizes the built-in “User Lockdown - Allow Perpetrators” – Lockdown Perpetrators Collection. Change the AD Perpetrator tab to ALLOW instead of BLOCK, and fill in the built-in Allow Lockdown Perpetrator Collection, and add the desired Users to protect. | None |
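Review bot: the rewritten `OU Structure Lockdown` row introduces a stray `>`: the removed line reads `“OU Structure - Allow Perpetrators”` but the added line reads `“OU Structure - >Allow Perpetrators”`. Beyond that, every Object Lockdown row (and the `All AD Changes`, `Non-Owner Logon Lockdown` and `File System Monitoring` rows) now spreads a single cell across two or three lines, which Markdown tables do not support; keep each row on one line or use `<br />` for the breaks. Both new `:::warning` blocks keep the typo `Use cation` (should be `Use caution`), and there is a double blank line after the Object Lockdown warning's closing `:::`.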
diff --git a/docs/threatprevention/7.4/admin/templates/folder/dns.md b/docs/threatprevention/7.4/admin/templates/folder/dns.md
new file mode 100644
index 0000000000..e3a7c84e74
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/dns.md
@@ -0,0 +1,13 @@
+---
+title: "DNS Folder Templates"
+description: "DNS Folder Templates"
+sidebar_position: 45
+---
+
+# DNS Folder Templates
+
+The **Templates** > **Microsoft** > **DNS** folder contains the following template:
+
+| Template | Description | TAGS |
+| ------------------ | ------------- | ---- |
+| DNS Record Changes | No customizations required | None |
diff --git a/docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md b/docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md
new file mode 100644
index 0000000000..3e653109e8
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md
@@ -0,0 +1,16 @@
+---
+title: "Domain Persistence Folder Templates"
+description: "Domain Persistence Folder Templates"
+sidebar_position: 25
+---
+
+# Domain Persistence Folder Templates
+
+The Domain Persistence folder contains the following templates:
+
+| Template | Description | TAGS |
+| ----------- | ------------------- | -------------------- |
+| AD: AdminSDHolder Monitoring | AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. Altering AdminSDHolder is an effective method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group. | - NEW 5.1 TEMPLATES
- Domain Persistence
- Privileged Accounts
- Privilege Escalation
- AD Security
- Unauthorized changes
|
+| AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Specify the list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | - NEW 5.1 TEMPLATES
- GPO Security
- AD Security
- Unauthorized changes
|
+| DCShadow detection | This policy will detect when a non-DC adds a SPN value to any computer starting with GC/ for the global catalog service. | |
+
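Review bot: the TAGS cells in this new table are written as multi-line bullet lists (`- NEW 5.1 TEMPLATES`, `- Domain Persistence`, ... followed by a lone `|`), which breaks the table since a Markdown row must be a single line; join the tags on one line (comma-separated or with `<br />`). The `AD: AdminSDHolder Monitoring` description ends in an incomplete sentence (`Even if the permissions are changed on a protected group.`), the `AD: Group Policy Objects Security Monitoring` description states the same instruction twice (`Use this policy to specify a list of AD Group Policy Objects to be monitored ...` and again `Specify the list of AD Group Policy Objects to be monitored ...`), and the `DCShadow detection` row leaves TAGS empty where the other template tables use `None`. The file also ends with an extra blank line.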
diff --git a/docs/threatprevention/7.4/admin/templates/folder/exchange.md b/docs/threatprevention/7.4/admin/templates/folder/exchange.md
index 2891ab20f4..d3df31c204 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/exchange.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/exchange.md
@@ -9,7 +9,7 @@ sidebar_position: 50
The **Templates** > **Microsoft** > **Exchange** folder in the Navigation pane contains the
following templates:
-Managed Folders Folder
+**Managed Folders Folder**
| Template | Description | TAGS |
| --------------------------------------------------------- | -------------------------- | ---- |
@@ -17,7 +17,7 @@ Managed Folders Folder
| EX: Managed Folder Configuration Changes | No customizations required | None |
| EX: Managed Folder Mailbox Policies Configuration Changes | No customizations required | None |
-Organization Folder
+**Organization Folder**
| Subfolder | Template | Description | TAGS |
| ------------- | ---------------------------------------------------- | -------------------------- | ---- |
@@ -35,7 +35,7 @@ Organization Folder
| Mailbox | EX: Retention Policy Tag Changes | No customizations required | None |
| Mailbox | EX: Sharing Policy Changes | No customizations required | None |
-Recipient Folder
+**Recipient Folder**
| Subfolder | Template | Description | TAGS |
| ------------------ | ---------------------------------------------------- | -------------------------- | ---- |
@@ -45,13 +45,13 @@ Recipient Folder
| Mail Contact | EX: Mail User Configuration Changes | No customizations required | None |
| Mailbox | EX: Mailbox Configuration Changes | No customizations required | None |
-Role Based Access Control Folder
+**Role Based Access Control Folder**
| Template | Description | TAGS |
| --------------------------------------------- | -------------------------- | ---- |
| EX: Administrative Role Configuration Changes | No customizations required | None |
-Server Folder
+**Server Folder**
| Subfolder | Template | Description | TAGS |
| ------------- | ----------------------------------------------------------- | -------------------------- | ---- |
diff --git a/docs/threatprevention/7.4/admin/templates/folder/filesystem.md b/docs/threatprevention/7.4/admin/templates/folder/filesystem.md
index 817f6c5289..647ed9086b 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/filesystem.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/filesystem.md
@@ -9,8 +9,11 @@ sidebar_position: 60
The **Templates** > **Microsoft** > **File System** folder in the Navigation pane contains the
following templates:
-**CAUTION:** ‘Reads’ are left out due to the potential high volume of data that could be gathered;
+:::warning
+‘Reads’ are left out due to the potential high volume of data that could be gathered;
recommended only for highly sensitive content.
+:::
+
| Subfolder | Template | Description | TAGS |
| ---------- | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- |
@@ -25,7 +28,7 @@ recommended only for highly sensitive content.
| | WinFS: Video File Access | Specify the files and/or folders to be monitored. Optionally, add any AD Perpetrators to be included or excluded | None |
| Access | WinFS Access: Creates | Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
| Access | WinFS Access: Deletes | Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
-| Access | WinFS Access: Reads | USE CAUTION WITH THIS TEMPLATE Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
+| Access | WinFS Access: Reads | USE CAUTION WITH THIS TEMPLATE
Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
| Access | WinFS Access: Renames | Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
| Access | WinFS Access: Writes | Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
| Properties | WinFS Property: Attribute Modifications | Specify the files and/or folders to be monitored. Optionally, add any ‘Wildcards’ and/or AD Perpetrators to be included or excluded | None |
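Review bot: the `WinFS Access: Reads` row is split so that `USE CAUTION WITH THIS TEMPLATE` ends the first line and `Specify the files and/or folders to be monitored ...` continues on the next; a Markdown table row must stay on one line, so put the break back inline (or use `<br />`) to keep the table rendering.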
diff --git a/docs/threatprevention/7.4/admin/templates/folder/grouppolicyobjects.md b/docs/threatprevention/7.4/admin/templates/folder/grouppolicyobjects.md
index bded80e6db..22706c1805 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/grouppolicyobjects.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/grouppolicyobjects.md
@@ -9,8 +9,11 @@ sidebar_position: 70
The **Templates** > **Microsoft** > **Group Policy Objects** folder in the Navigation pane contains
the following templates:
-**CAUTION:** Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
+:::warning
+Use cation with _all Lockdown/Blocking Templates_! Blank filters result in _everything_
being locked down or blocked.
+:::
+
| Subfolder | Template | Description | TAGS |
| --------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
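Review bot: the text moved into the new `:::warning` block keeps the typo `Use cation with _all Lockdown/Blocking Templates_!`; since the line is being rewritten anyway, change it to `Use caution`.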
diff --git a/docs/threatprevention/7.4/admin/templates/folder/hipaa.md b/docs/threatprevention/7.4/admin/templates/folder/hipaa.md
index 2a07d26fee..48fe48e079 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/hipaa.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/hipaa.md
@@ -8,7 +8,7 @@ sidebar_position: 30
The HIPAA folder contains the following templates:
-164.306 – Security Standards Folder
+**164.306 – Security Standards Folder**
| Template | Description | TAGS |
| --------------------------------------- | -------------------------- | ---- |
@@ -16,7 +16,7 @@ The HIPAA folder contains the following templates:
| HIPAA: AD Group Type Modifications | No customizations required | None |
| HIPAA: GPO Creations | No customizations required | None |
-164.308 (a)(1)(i) – Security Management Process Folder
+**164.308 (a)(1)(i) – Security Management Process Folder**
| Template | Description | TAGS |
| ----------------------------------- | -------------------------- | ---- |
@@ -30,7 +30,7 @@ The HIPAA folder contains the following templates:
| HIPAA: OU Creations | No customizations required | None |
| HIPPA: OU Deletions | No customizations required | None |
-164.308 (a)(1)(ii) – Implementation Specifications Folder
+**164.308 (a)(1)(ii) – Implementation Specifications Folder**
| Template | Description | TAGS |
| ---------------------------------- | -------------------------- | ---- |
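Review bot: the unchanged context row `| HIPPA: OU Deletions | No customizations required | None |` spells the prefix "HIPPA" while every other row uses "HIPAA:"; if the template is actually named "HIPAA: OU Deletions" in the product, fix it in this pass while the file is open.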
@@ -39,7 +39,7 @@ The HIPAA folder contains the following templates:
| HIPAA: OU Moves or Renames | No customizations required | None |
| HIPAA: OU Security Modifications | No customizations required | None |
-164.308 (a)(3)(i) – Workforce Security Folder
+**164.308 (a)(3)(i) – Workforce Security Folder**
| Template | Description | TAGS |
| ----------------------------------- | -------------------------- | ---- |
@@ -48,52 +48,52 @@ The HIPAA folder contains the following templates:
| HIPAA: AD Group Membership Changes | No customizations required | None |
| HIPAA: AD User Creations | No customizations required | None |
-164.308 (a)(3)(ii) – Authorization and Supervision Folder
+**164.308 (a)(3)(ii) – Authorization and Supervision Folder**
-| Template | Description | TAGS |
-| ----------------------------------------- | ------------------------------------------------ | ---- |
+| Template | Description | TAGS |
+| ------------------------ | ------------------- | ---- |
| HIPAA: WinFS PHI Audit Modifications | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Owner Modifications | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Permission Modifications | Specify the files and/or folders to be monitored | None |
-164.308 (a)(4) – Information Access Management Folder
+**164.308 (a)(4) – Information Access Management Folder**
-| Template | Description | TAGS |
-| ------------------------ | ------------------------------------------------------------------------------- | ---- |
+| Template | Description | TAGS |
+| ----------- | -------------------------- | ---- |
| HIPAA: WinFS PHI Creates | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Deletes | Specify the files and/or folders to be monitored | None |
-| HIPAA: WinFS PHI Reads | USE CAUTION WITH THIS TEMPLATE Specify the files and/or folders to be monitored | None |
+| HIPAA: WinFS PHI Reads | USE CAUTION WITH THIS TEMPLATE
Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Renames | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Writes | Specify the files and/or folders to be monitored | None |
-164.308 (a)(5)(ii)(C) – Log-In Monitoring Folder
+**164.308 (a)(5)(ii)(C) – Log-In Monitoring Folder**
-| Template | Description | TAGS |
-| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| HIPAA: AD Account Logons | No customizations required. Make sure the Configuration > Event Filtering > Exclude 'Noise' Events option is Off for this policy | None |
-| HIPAA: Successful Account Authentications | Gathers successful AD authentications. Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection | None |
+| Template | Description | TAGS |
+| ---------- | -------------- | ---- |
+| HIPAA: AD Account Logons | No customizations required. Make sure the Configuration > Event Filtering > Exclude 'Noise' Events option is Off for this policy | None |
+| HIPAA: Successful Account Authentications | Gathers successful AD authentications.
Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection | None |
-164.308 (a)(5)(ii)(D) – Password Management Folder
+**164.308 (a)(5)(ii)(D) – Password Management Folder**
| Template | Description | TAGS |
| ----------------------------------- | -------------------------- | ---- |
| HIPAA: AD User Account Password Set | No customizations required | None |
-164.312 (a)(1) – Access Control Folder
+**164.312 (a)(1) – Access Control Folder**
-| Template | Description | TAGS |
-| ----------------------------------------- | ------------------------------------------------ | ---- |
+| Template | Description | TAGS |
+| -------------- | ------------ | ---- |
| HIPAA: AD Group Membership Changes | No customizations required | None |
| HIPAA: WinFS PHI Owner Modifications | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Permission Modifications | Specify the files and/or folders to be monitored | None |
-164.312 (b) – Audit Controls Folder
+**164.312 (b) – Audit Controls Folder**
-| Template | Description | TAGS |
-| ------------------------------------ | ------------------------------------------------ | ---- |
+| Template | Description | TAGS |
+| ------------ | ------------ | ---- |
| HIPAA: WinFS PHI Audit Modifications | Specify the files and/or folders to be monitored | None |
-164.312 (c) – Integrity Folder
+**164.312 (c) – Integrity Folder**
| Template | Description | TAGS |
| ------------------------ | ------------------------------------------------ | ---- |
@@ -101,9 +101,9 @@ The HIPAA folder contains the following templates:
| HIPAA: WinFS PHI Deletes | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Renames | Specify the files and/or folders to be monitored | None |
-164.312 (d) – Authentication Folder
+**164.312 (d) – Authentication Folder**
-| Template | Description | TAGS |
-| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| HIPAA: AD PHI User Account Logons | No customizations required. Make sure the Configuration > Event Filtering > Exclude 'Noise' Events option is Off for this policy | None |
-| HIPAA: Successful AD PHI Account Authentications | Gathers Successful AD Authentications. Utilizes built-In “Successful HIPAA PHI Account Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection | None |
+| Template | Description | TAGS |
+| -------------- | ---------------- | ---- |
+| HIPAA: AD PHI User Account Logons | No customizations required. Make sure the Configuration > Event Filtering > Exclude 'Noise' Events option is Off for this policy | None |
+| HIPAA: Successful AD PHI Account Authentications | Gathers Successful AD Authentications.
Utilizes built-In “Successful HIPAA PHI Account Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection | None |
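Review bot: the rewritten rows `+| HIPAA: WinFS PHI Reads | USE CAUTION WITH THIS TEMPLATE` / `Specify the files and/or folders to be monitored | None |` (and likewise the `HIPAA: Successful Account Authentications` and `HIPAA: Successful AD PHI Account Authentications` rows) put a hard line break inside a table cell; Markdown ends a table row at the newline, so the second half renders as stray text outside the table. Keep each row on one line as the removed `-` lines did, or use `<br />` where the break is intentional. The narrowed separator rows (`| ----------- | --------------------------- | ---- |`) are harmless.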
diff --git a/docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md b/docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md
deleted file mode 100644
index 5476cb46b0..0000000000
--- a/docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md
+++ /dev/null
@@ -1,24 +0,0 @@
-# Infrastructure Templates
-
-This section contains templates for monitoring and protecting infrastructure components.
-
-## LDAP Monitoring {#ldap}
-
-The LDAP folder contains the following templates:
-
-| Template | Description | TAGS |
-| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| LDAP: Sensitive Accounts | This policy will detect LDAP queries targeting sensitive accounts, such as Administrator. Add to and delete from this list of accounts in the LDAP Query filter as per specific requirements | None |
-| LDAP: Sensitive Containers | This policy will detect LDAP queries targeting sensitive containers, such as Domain Controllers. Add to and delete from this list of containers in the LDAP Query filter per specific requirements | None |
-| LDAP: Sensitive Groups | This policy will detect LDAP queries targeting sensitive groups, such as Domain Admins, Enterprise Admins, and Schema Admins. Add to and delete from this list of groups in the LDAP Query filter per specific requirements | None |
-| LDAP: Sensitive SPNs | This policy will detect LDAP queries targeting sensitive Service Principal Names, such as Exchange and SQL Servers. Add to and delete from this list of SPNs in the LDAP Query filter per specific requirements | None |
-| LDAP: Service Principal Names | Detects attempts to obtain a list of SPN values | None |
-
-## Threat Manager Integration {#threat-manager}
-
-The Threat Manager folder contains the following templates:
-
-| Template | Description | TAGS |
-| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- |
-| Threat Manager for AD | This is the recommended policy for sending AD Events captured by Threat Prevention to Threat Manager. This policy includes: Authentication Monitoring, Active Directory Changes, AD Replication Monitoring, and LSASS Guardian - Monitor. | - Threat Manager - NEW v6.1 TEMPLATES |
-| Threat Manager for AD LDAP | This is the recommended policy for sending LDAP events captured by Threat Prevention to Threat Manager for detecting signature queries of LDAP reconnaissance tools. Policy 1: Suspicious Queries Policy 2: Suspicious Attributes Returned | - Threat Manager - NEW v7.1 TEMPLATES |
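Review bot: deleting this file removes the `## Threat Manager Integration {#threat-manager}` section with its two rows (`Threat Manager for AD`, `Threat Manager for AD LDAP`) and their tags, but this diff only recreates the LDAP half in `ldap.md`; confirm a replacement page for the Threat Manager templates is added (or already exists) and that any links to the `#threat-manager` and `#ldap` anchors are updated, otherwise that content is silently lost.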
diff --git a/docs/threatprevention/7.4/admin/templates/folder/ldap.md b/docs/threatprevention/7.4/admin/templates/folder/ldap.md
new file mode 100644
index 0000000000..d723c8612f
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/ldap.md
@@ -0,0 +1,17 @@
+---
+title: "LDAP Folder Templates"
+description: "LDAP Folder Templates"
+sidebar_position: 35
+---
+
+# LDAP Folder Templates
+
+The LDAP folder contains the following templates:
+
+| Template | Description | TAGS |
+| ----------- | --------------- | ---- |
+| LDAP: Sensitive Accounts | This policy will detect LDAP queries targeting sensitive accounts, such as Administrator. Add to and delete from this list of accounts in the LDAP Query filter as per specific requirements | None |
+| LDAP: Sensitive Containers | This policy will detect LDAP queries targeting sensitive containers, such as Domain Controllers. Add to and delete from this list of containers in the LDAP Query filter per specific requirements | None |
+| LDAP: Sensitive Groups | This policy will detect LDAP queries targeting sensitive groups, such as Domain Admins, Enterprise Admins, and Schema Admins. Add to and delete from this list of groups in the LDAP Query filter per specific requirements | None |
+| LDAP: Sensitive SPNs | This policy will detect LDAP queries targeting sensitive Service Principal Names, such as Exchange and SQL Servers. Add to and delete from this list of SPNs in the LDAP Query filter per specific requirements | None |
+| LDAP: Service Principal Names | Detects attempts to obtain a list of SPN values | None |
diff --git a/docs/threatprevention/7.4/admin/templates/folder/lsass.md b/docs/threatprevention/7.4/admin/templates/folder/lsass.md
new file mode 100644
index 0000000000..f9295a0ea3
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/lsass.md
@@ -0,0 +1,16 @@
+---
+title: "LSASS Folder Templates"
+description: "LSASS Folder Templates"
+sidebar_position: 80
+---
+
+# LSASS Folder Templates
+
+The **Templates** > **Microsoft** > **LSASS** folder contains the following templates:
+
+| Template | Description | TAGS |
+| ---------------- | --------------------- | ---- |
+| LSASS Guardian - Monitor | No customizations required. Detects attempts by other processes to alter the LSASS process | None |
+| LSASS Guardian - Protect | No customizations required. Prevents attempts by other processes to alter the LSASS process | None |
+
+
diff --git a/docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md b/docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md
deleted file mode 100644
index 2721ea787b..0000000000
--- a/docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md
+++ /dev/null
@@ -1,20 +0,0 @@
-# Microsoft Platform Templates
-
-This section contains templates for monitoring and protecting Microsoft platform components.
-
-## DNS Monitoring {#dns}
-
-The **Templates** > **Microsoft** > **DNS** folder contains the following template:
-
-| Template | Description | TAGS |
-| ------------------ | -------------------------- | ---- |
-| DNS Record Changes | No customizations required | None |
-
-## LSASS Protection {#lsass}
-
-The **Templates** > **Microsoft** > **LSASS** folder contains the following templates:
-
-| Template | Description | TAGS |
-| ------------------------ | ------------------------------------------------------------------------------------------- | ---- |
-| LSASS Guardian - Monitor | No customizations required. Detects attempts by other processes to alter the LSASS process | None |
-| LSASS Guardian - Protect | No customizations required. Prevents attempts by other processes to alter the LSASS process | None |
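Review bot: the `## DNS Monitoring {#dns}` section (the `DNS Record Changes` template) disappears with this file and no `dns.md` is added in this diff, while the LSASS half is recreated in `lsass.md`; make sure the DNS template table lands on a new page and that links to the `#dns` and `#lsass` anchors are repointed.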
diff --git a/docs/threatprevention/7.4/admin/templates/folder/overview.md b/docs/threatprevention/7.4/admin/templates/folder/overview.md
index dca03bef5d..05544d4266 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/overview.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/overview.md
@@ -90,18 +90,21 @@ these steps.
**Step 2 –** In the **Select Import File** box, click the ellipsis (**…**) to open the browser
window. The location of the default templates is:
-…\Netwrix\Netwrix Threat Prevention\SIWinConsole
+**…\Netwrix\Netwrix Threat Prevention\SIWinConsole**
**Step 3 –** To import all the available Threat Prevention policy templates, select the
`SI_Templates_All.xml` file. Click **Open**.
-
+
**Step 4 –** The Import window auto-fills with the import file details. Do not change the defaults
settings. Click **Import**.
-**NOTE:** The import process can take a few minutes to complete as there are several hundred
+:::note
+The import process can take a few minutes to complete as there are several hundred
templates to import and configure.
+:::
+
**Step 5 –** When the operation is complete, click **OK**.
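Review bot: `+**…\Netwrix\Netwrix Threat Prevention\SIWinConsole**` bolds a filesystem path while Step 3 in the same hunk sets the file name `SI_Templates_All.xml` in backticks; use inline code for the path as well, which also keeps the backslashes from being read as Markdown escapes. The `-`/`+` pair at the blank line before Step 4 looks like a whitespace-only change; drop it unless the trailing whitespace is intended.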
diff --git a/docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md b/docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md
new file mode 100644
index 0000000000..d5bef5a11e
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md
@@ -0,0 +1,17 @@
+---
+title: "Privilege EscalationFolder Templates"
+description: "Privilege Escalation Folder Templates"
+sidebar_position: 100
+---
+
+# Privilege Escalation Folder Templates
+
+The Privilege Escalation folder contains the following templates:
+
+| Template | Description | TAGS |
+| ------------ | ----------- | ------------ |
+| AD: Administrator Escalation | Indicates that an unprivileged account has had its ACLs changed to a value that allows it to obtain administrative privileges (directly or transitively). | - NEW 5.1 TEMPLATES
- Privileged Accounts
- Privilege Escalation
- AD Security
- Unauthorized changes
|
+| AD: Modifications of Administrator Accounts | Utilizes the built-in Administrator Accounts – Objects Collection.
Add accounts with administrative rights to be monitored to this collection | - NEW 5.1 TEMPLATES
- Privileged Accounts
- Privilege Escalation
- AD Security
- Unauthorized changes
|
+| AD: SID History Tampering | SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID) that is used to track the security principal and the access the account has when connecting to resources. SID History enables access for another account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user's SID changes when the new account is created, the old SID needs to map to the new one. When a user in Domain A is migrated to Domain B, a new user account is created in DomainB and DomainA user's SID is added to DomainB's user account's SID History attribute. This ensures that DomainB user can still access resources in DomainA.
To detect SID History account escalation, this policy monitors users with data in the SID History attribute and flag the ones which include SIDs in the same domain that have changed | - NEW 5.1 TEMPLATES
- Privileged Accounts
- Privilege Escalation
- Persistence
- AD Security
- Unauthorized changes
|
+| Ntds.dit File Hijacking | Protects users from stealing Ntds.dit file which contains the Active Directory database. Attackers can use Volume Shadow Copy to copy this file, but this will prevent and log any activity based on configuration. | - NEW 5.2 TEMPLATES
- Privileged Accounts
- Privilege Escalation
- Persistence
- AD Security
- Unauthorized changes
|
+
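Review bot: the front matter `title: "Privilege EscalationFolder Templates"` is missing a space (the `description` and H1 read "Privilege Escalation Folder Templates"), and that title is what the sidebar shows. The TAGS cells are written as multi-line bullet lists (`| - NEW 5.1 TEMPLATES` followed by `- Privileged Accounts` on its own line and a lone `|` at the end), which Markdown tables do not support; each row must be on a single line, with `<br />` or a separator such as `;` between tags. The `Ntds.dit File Hijacking` description "Protects users from stealing Ntds.dit file" reads backwards; "Prevents attackers from stealing the Ntds.dit file" is what the rest of the sentence describes.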
diff --git a/docs/threatprevention/7.4/admin/templates/folder/ransomware.md b/docs/threatprevention/7.4/admin/templates/folder/ransomware.md
new file mode 100644
index 0000000000..ca4a45bfed
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/ransomware.md
@@ -0,0 +1,14 @@
+---
+title: "Ransomware Folder Templates"
+description: "Ransomware Folder Templates"
+sidebar_position: 110
+---
+
+# Ransomware Folder Templates
+
+The Ransomware folder contains the following templates:
+
+| Template | Description | TAGS |
+| ------------------ | -------------- | ---- |
+| Ransomware Extensions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of files related to the actual encrypting of the data during a Ransomware attack, and trigger an alert | None |
+| Ransomware Instructions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of warning file created by a Ransomware attack, and trigger an alert | None |
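Review bot: in the `Ransomware Instructions` row, "detect the creation of warning file created by a Ransomware attack" needs an article or plural ("the warning file created by" or "warning files created by"); both rows also open with the same definition of ransomware, which could be moved into the intro sentence above the table.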
diff --git a/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md b/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md
index 1ce57a02fe..b2ac18fcd9 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md
@@ -1,20 +1,20 @@
---
title: "Reconnaissance Folder Templates"
description: "Reconnaissance Folder Templates"
-sidebar_position: 80
+sidebar_position: 120
---
# Reconnaissance Folder Templates
The Reconnaissance folder contains the following templates:
-| Template | Description | TAGS |
-| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------- |
-| BloodHound Detection | BloodHound is a tool that is used to reveal hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. https://github.com/BloodHoundAD/BloodHound This policy will detect the latest BloodHound/Sharphound and Ingestor generated queries in your environment | - NEW 5.1 TEMPLATES - Reconnaissance - Bloodhound - LDAP |
-| Directory Read: Malicious DPAPI Secret Reveal | This secret should only be retrieved by NTAuthority System on a domain controller thus any activity by a user or computer should be considered a threat. | - NEW 7.1 TEMPLATES - DPAPI |
-| LDAP: Account Reconnaissance | This is the recommended policy for detecting signature queries of LDAP reconnaissance tools. | - NEW 7.1 TEMPLATES - LDAP - Reconnaissance |
-| LDAP: Admin Accounts | This Policy will detect LDAP queries targeting sensitive accounts, such as Administrator. You can add and delete to this list under the LDAP Query tab as per your specific requirements | - NEW 5.1 TEMPLATES - LDAP - Reconnaissance - Privileged Accounts |
-| LDAP: GMSA Password | Detects when the password for a Group Managed Service Account is read \* This policy should exclude the computer accounts used that are allowed to retrieve the password | - NEW 7.1 TEMPLATES - GMSA - Password |
-| LDAP: LAPS Security & Active Directory LAPS Configuration Recon | Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. Since LAPS requires the computer attributes to be present, attackers can check to see if LAPS is “installed” in Active Directory by checking for the presence of the LAPS attributes in AD. This policy will identify attempts to query AD for attributes that associated with the presence of LAPS | - NEW 5.1 TEMPLATES - LAPS - Reconnaissance |
-| LDAP: Managed Service Accounts Recon | This policy can be configured to detect attempts to discover managed service accounts. It looks for LDAP queries of cn=msDS-ManagedServiceAccount | - NEW 5.1 TEMPLATES - LDAP - Reconnaissance - Privileged Accounts - Managed Service Accounts |
-| LDAP: Service Accounts Recon | If intruders attack a service that uses a highly privileged System account, they might be able to conduct further exploits under that account's context. Many organizations use common cosmetic naming conventions to denote service accounts or maintain a list of service accounts. This policy can be configured to detect attempts to discover service accounts. | - NEW 5.1 TEMPLATES - LDAP - Reconnaissance - Service Accounts |
+| Template | Description | TAGS |
+| --------------- | ------------- | --------- |
+| BloodHound Detection | BloodHound is a tool that is used to reveal hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. https://github.com/BloodHoundAD/BloodHound
This policy will detect the latest BloodHound/Sharphound and Ingestor generated queries in your environment | - NEW 5.1 TEMPLATES
- Reconnaissance
- Bloodhound
- LDAP
|
+| Directory Read: Malicious DPAPI Secret Reveal | This secret should only be retrieved by NTAuthority System on a domain controller thus any activity by a user or computer should be considered a threat. | |
+| LDAP: Account Reconnaissance | This is the recommended policy for detecting signature queries of LDAP reconnaissance tools. | - NEW 7.1 TEMPLATES
- LDAP
- Reconnaissance
|
+| LDAP: Admin Accounts | This Policy will detect LDAP queries targeting sensitive accounts, such as Administrator. You can add and delete to this list under the LDAP Query tab as per your specific requirements | - NEW 5.1 TEMPLATES
- LDAP
- Reconnaissance
- Privileged Accounts
|
+| LDAP: GMSA Password | Detects when the password for a Group Managed Service Account is read
\* This policy should exclude the computer accounts used that are allowed to retrieve the password | - NEW 7.1 TEMPLATES
- GMSA
- Password
|
+| LDAP: LAPS Security & Active Directory LAPS Configuration Recon | Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. Since LAPS requires the computer attributes to be present, attackers can check to see if LAPS is “installed” in Active Directory by checking for the presence of the LAPS attributes in AD. This policy will identify attempts to query AD for attributes that associated with the presence of LAPS | - NEW 5.1 TEMPLATES
- LAPS
- Reconnaissance
|
+| LDAP: Managed Service Accounts Recon | This policy can be configured to detect attempts to discover managed service accounts. It looks for LDAP queries of cn=msDS-ManagedServiceAccount | - NEW 5.1 TEMPLATES
- LDAP
- Reconnaissance
- Privileged Accounts
- Managed Service Accounts
|
+| LDAP: Service Accounts Recon | If intruders attack a service that uses a highly privileged System account, they might be able to conduct further exploits under that account's context. Many organizations use common cosmetic naming conventions to denote service accounts or maintain a list of service accounts. This policy can be configured to detect attempts to discover service accounts. | - NEW 5.1 TEMPLATES
- LDAP
- Reconnaissance
- Service Accounts
|
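Review bot: `sidebar_position: 120` collides with `schemaconfiguration.md`, which this same diff also moves to `120`; pick distinct values so the sidebar order is deterministic. The `Directory Read: Malicious DPAPI Secret Reveal` row loses its tags (`- NEW 7.1 TEMPLATES - DPAPI` becomes an empty cell) while every other row keeps them, which looks like an accidental drop. As in the other files in this change, the multi-line TAGS cells (bullets on separate lines ending in a bare `|`) break the table; put each row on one line.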
diff --git a/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md b/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md
index a7fca62bef..97627bb47d 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md
@@ -1,39 +1,40 @@
---
title: "Schema and Configuration Folder Templates"
description: "Schema and Configuration Folder Templates"
-sidebar_position: 90
+sidebar_position: 120
---
# Schema and Configuration Folder Templates
The Schema and Configuration folder contains the following templates:
-| Subfolder | Template | Description | TAGS |
-| ------------------ | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| | Attribute Added to the Global Catalog | When the GC flag for an attribute is changed | - NEW 7.0.1 TEMPLATES |
-| | Extended Rights Added | When a new extended right is added. Extended rights grant permissions to carry an operation such as change/reset password or send/receive as is it not an individual attribute rather an operation. | - NEW 7.0.1 TEMPLATES |
-| | Global Catalog Server Added | DC is promoted to a global catalog server | - NEW 7.0.1 TEMPLATES |
-| | Global Catalog Server Removed | DC is no longer a global catalog server | - NEW 7.0.1 TEMPLATES |
-| | Naming Context Added | When a domain or application partition is added | - NEW 7.0.1 TEMPLATES |
-| | Naming Context Removed | When a domain or application partition is removed | - NEW 7.0.1 TEMPLATES |
-| | Property Set Added | When a new property set is added. Personal or Private information is a property set that contains multiple attributes | - NEW 7.0.1 TEMPLATES |
-| | UPN Suffix Added or Removed | When suffixes are added or removed for a user principle name like @domain.com as part of the logon name | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema Attribute Disabled | When a schema attribute is disabled | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema Attribute Enabled | When a schema attribute is enabled | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema Extension – Attribute Added | When a new attribute is added to the schema | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema Extension – Object Class Added | When a new class is added to the schema | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema object class is enabled | When a schema class is enabled | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema Object Disabled | When a schema object is disabled | - NEW 7.0.1 TEMPLATES |
-| Schema Changes | Schema Version Changed | When the schema version number changes. This usually occurs during an upgrade where new objects or attributes are added | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | New Server Added/Removed from a Site in AD | Domain controller added or removed from an AD site | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Added/Removed from Site Link | Site added or removed from an existing site link | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Added/Removed from Site Link Bridge | Site added or removed from a site link bridge | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Added/Removed from Subnet | Subnet added or removed from a site. | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Link Added | Detect the creation of a new site link | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Link Bridge Added | Detect the creation of a new site link bridge | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Link Bridge Removed | Site link bridge deleted | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Link Cost Changed | Cost on a site link changed | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Link Replication Interval Modified | Replication interval for link changed | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Site Link Schedule Modified | Site link schedule changed | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Subnet Added | New subnet added | - NEW 7.0.1 TEMPLATES |
-| Sites and Services | Subnet Removed | Subnet removed | - NEW 7.0.1 TEMPLATES |
+| Subfolder | Template | Description | TAGS |
+| ------------------ | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
+| | Attribute Added to the Global Catalog | When the GC flag for an attribute is changed | |
+| | Extended Rights Added | When a new extended right is added. Extended rights grant permissions to carry an operation such as change/reset password or send/receive as is it not an individual attribute rather an operation. | |
+| | Global Catalog Server Added | DC is promoted to a global catalog server | |
+| | Global Catalog Server Removed | DC is no longer a global catalog server | |
+| | Naming Context Added | When a domain or application partition is added | |
+| | Naming Context Removed | When a domain or application partition is removed | |
+| | Property Set Added | When a new property set is added. Personal or Private information is a property set that contains multiple attributes | |
+| | UPN Suffix Added or Removed | When suffixes are added or removed for a user principle name like @domain.com as part of the logon name | |
+| Schema Changes | Schema Attribute Disabled | When a schema attribute is disabled | |
+| Schema Changes | Schema Attribute Enabled | When a schema attribute is enabled | |
+| Schema Changes | Schema Extension – Attribute Added | When a new attribute is added to the schema | |
+| Schema Changes | Schema Extension – Object Class Added | When a new class is added to the schema | |
+| Schema Changes | Schema object class is enabled | When a schema class is enabled | |
+| Schema Changes | Schema Object Disabled | When a schema object is disabled | |
+| Schema Changes | Schema Version Changed | When the schema version number changes. This usually occurs during an upgrade where new objects or attributes are added | |
+| Sites and Services | New Server Added/Removed from a Site in AD | Domain controller added or removed from an AD site | |
+| Sites and Services | Site Added/Removed from Site Link | Site added or removed from an existing site link | |
+| Sites and Services | Site Added/Removed from Site Link Bridge | Site added or removed from a site link bridge | |
+| Sites and Services | Site Added/Removed from Subnet | Subnet added or removed from a site. | |
+| Sites and Services | Site Link Added | Detect the creation of a new site link | |
+| Sites and Services | Site Link Bridge Added | Detect the creation of a new site link bridge | |
+| Sites and Services | Site Link Bridge Removed | Site link bridge deleted | |
+| Sites and Services | Site Link Cost Changed | Cost on a site link changed | |
+| Sites and Services | Site Link Replication Interval Modified | Replication interval for link changed | |
+| Sites and Services | Site Link Schedule Modified | Site link schedule changed | |
+| Sites and Services | Subnet Added | New subnet added | |
+| Sites and Services | Subnet Removed | Subnet removed | |
+
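Review bot: the first eight rows of this table (Attribute Added to the Global Catalog through UPN Suffix Added or Removed) leave the Subfolder column empty while every later row names Schema Changes or Sites and Services; either fill in the subfolder those templates belong to or make the cell say that they sit at the folder root so the blank does not read as a missing value. Two descriptions also need wording fixes: the Extended Rights Added row ends with "carry an operation such as change/reset password or send/receive as is it not an individual attribute rather an operation" and should read along the lines of "carry out an operation such as change/reset password or send/receive, since an extended right is an operation rather than an individual attribute", and the UPN Suffix row should say "user principal name", not "user principle name".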
diff --git a/docs/threatprevention/7.4/admin/templates/folder/security-templates.md b/docs/threatprevention/7.4/admin/templates/folder/security-templates.md
deleted file mode 100644
index f5b23a4ad7..0000000000
--- a/docs/threatprevention/7.4/admin/templates/folder/security-templates.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Security Templates
-
-This section contains templates for detecting and preventing various security threats.
-
-## Ransomware Protection {#ransomware}
-
-The Ransomware folder contains the following templates:
-
-| Template | Description | TAGS |
-| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| Ransomware Extensions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of files related to the actual encrypting of the data during a Ransomware attack, and trigger an alert | None |
-| Ransomware Instructions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of warning file created by a Ransomware attack, and trigger an alert | None |
-
-## Domain Persistence Protection {#domain-persistence}
-
-The Domain Persistence folder contains the following templates:
-
-| Template | Description | TAGS |
-| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
-| AD: AdminSDHolder Monitoring | AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. Altering AdminSDHolder is an effective method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group. | - NEW 5.1 TEMPLATES - Domain Persistence - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes |
-| AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Specify the list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | - NEW 5.1 TEMPLATES - GPO Security - AD Security - Unauthorized changes |
-| DCShadow detection | This policy will detect when a non-DC adds a SPN value to any computer starting with GC/ for the global catalog service. | - NEW 5.1 TEMPLATES |
-
-## Privilege Escalation Protection {#privilege-escalation}
-
-The Privilege Escalation folder contains the following templates:
-
-| Template | Description | TAGS |
-| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------- |
-| AD: Administrator Escalation | Indicates that an unprivileged account has had its ACLs changed to a value that allows it to obtain administrative privileges (directly or transitively). | - NEW 5.1 TEMPLATES - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes |
-| AD: Modifications of Administrator Accounts | Utilizes the built-in Administrator Accounts – Objects Collection. Add accounts with administrative rights to be monitored to this collection | - NEW 5.1 TEMPLATES - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes |
-| AD: SID History Tampering | SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID) that is used to track the security principal and the access the account has when connecting to resources. SID History enables access for another account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user's SID changes when the new account is created, the old SID needs to map to the new one. When a user in Domain A is migrated to Domain B, a new user account is created in DomainB and DomainA user's SID is added to DomainB's user account's SID History attribute. This ensures that DomainB user can still access resources in DomainA. To detect SID History account escalation, this policy monitors users with data in the SID History attribute and flag the ones which include SIDs in the same domain that have changed | - NEW 5.1 TEMPLATES - Privileged Accounts - Privilege Escalation - Persistence - AD Security - Unauthorized changes |
-| Ntds.dit File Hijacking | Protects users from stealing Ntds.dit file which contains the Active Directory database. Attackers can use Volume Shadow Copy to copy this file, but this will prevent and log any activity based on configuration. | - NEW 5.2 TEMPLATES - Privileged Accounts - Privilege Escalation - Persistence - AD Security - Unauthorized changes |
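Review bot: this removes the entire Security Templates page, including its `#ransomware`, `#domain-persistence` and `#privilege-escalation` anchors, and no hunk in this part of the patch adds the Ransomware, Domain Persistence and Privilege Escalation template tables anywhere else. Confirm that the three tables have been moved to another page and that every link to `templates/folder/security-templates.md` (and its anchors) is updated; if the content was moved, a rename with edits would document that better than a bare deletion.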
diff --git a/docs/threatprevention/7.4/admin/templates/folder/siem.md b/docs/threatprevention/7.4/admin/templates/folder/siem.md
index b2d3e44cf7..2c6cfa2637 100644
--- a/docs/threatprevention/7.4/admin/templates/folder/siem.md
+++ b/docs/threatprevention/7.4/admin/templates/folder/siem.md
@@ -1,22 +1,22 @@
---
title: "SIEM Folder Templates"
description: "SIEM Folder Templates"
-sidebar_position: 100
+sidebar_position: 140
---
# SIEM Folder Templates
The SIEM folder contains the following templates:
-| Template | Description | TAGS |
-| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- |
-| Domain Admin Activity | Monitors for all activity performed by objects that have Domain Admin privileges. Utilizes the built-in “Domain Administrators” – Perpetrator Collection. Add accounts with domain administrator rights to be monitored to this collection | None |
-| Enabled and Disabled Accounts | Monitors when accounts are enabled or disabled. No customizations required | None |
-| Failed Authentications | Monitors for all Failed Authentications. No customizations required | None |
-| GPO Setting Changes | Monitors all GPO setting changes. No customizations required | None |
-| OU Moved or Renamed | Monitors for all OU moves or renames. No customizations required | None |
-| Password Changes | Monitors for password changes. No customizations required | None |
-| Sensitive Group Modifications | Gathers Successful AD Authentications. Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add desired accounts to be monitored to this collection | None |
+| Template | Description | TAGS |
+| ----------- | ----------------- | ---- |
+| Domain Admin Activity | Monitors for all activity performed by objects that have Domain Admin privileges.
Utilizes the built-in “Domain Administrators” – Perpetrator Collection. Add accounts with domain administrator rights to be monitored to this collection | None |
+| Enabled and Disabled Accounts | Monitors when accounts are enabled or disabled.
No customizations required | None |
+| Failed Authentications | Monitors for all Failed Authentications.
No customizations required | None |
+| GPO Setting Changes | Monitors all GPO setting changes.
No customizations required | None |
+| OU Moved or Renamed | Monitors for all OU moves or renames.
No customizations required | None |
+| Password Changes | Monitors for password changes.
No customizations required | None |
+| Sensitive Group Modifications | Gathers Successful AD Authentications.
Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add desired accounts to be monitored to this collection | None |
| Successful Logons | To minimize database growth, this policy is not set to send events to the reporting database, IT ONLY SENDS its information to SIEM. Make sure the Configuration > Event Filtering > Exclude 'Noise' Events option is Off for this policy. No customizations required. | None |
-| SYSVOL Tampering | Monitors for changes to critical files under SYSVOL. Specify the SYSVOL folders for all the servers to be monitored. | None |
-| User Lockouts | Monitors for user lockouts. No customizations required. | None |
+| SYSVOL Tampering | Monitors for changes to critical files under SYSVOL.
Specify the SYSVOL folders for all the servers to be monitored. | None |
+| User Lockouts | Monitors for user lockouts.
No customizations required. | None |
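Review bot: the rewritten rows split each Description cell across two physical lines (for example the Domain Admin Activity row continues with "Utilizes the built-in ..." on the next line, and every "No customizations required" now sits on its own line); Markdown tables do not allow a line break inside a cell, so each continuation will render as stray text below a broken table. Keep every row on a single line, or use `<br/>` inside the cell if a visual break is wanted. While this table is being edited: the Sensitive Group Modifications description ("Gathers Successful AD Authentications ...") describes authentication monitoring, not group changes, and looks pasted from a different template.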
diff --git a/docs/threatprevention/7.4/admin/templates/folder/threatmanager.md b/docs/threatprevention/7.4/admin/templates/folder/threatmanager.md
new file mode 100644
index 0000000000..3fd83f5972
--- /dev/null
+++ b/docs/threatprevention/7.4/admin/templates/folder/threatmanager.md
@@ -0,0 +1,16 @@
+---
+title: "Threat Manager FolderFolder Templates"
+description: "Threat Manager Folder Templates"
+sidebar_position: 90
+---
+
+# Threat Manager Folder Templates
+
+The Threat Manager folder contains the following templates:
+
+| Template | Description | TAGS |
+| ----------------- | ----------------- | ------------------ |
+| Threat Manager for AD | This is the recommended policy for sending AD Events captured by Threat Prevention to Threat Manager. This policy includes: Authentication Monitoring, Active Directory Changes, AD Replication Monitoring, and LSASS Guardian - Monitor. | - Threat Manager
- NEW v6.1 TEMPLATES
|
+| Threat Manager for AD LDAP | This is the recommended policy for sending LDAP events captured by Threat Prevention to Threat Manager for detecting signature queries of LDAP reconnaissance tools.
Policy 1: Suspicious Queries
Policy 2: Suspicious Attributes Returned | - Threat Manager
- NEW v7.1 TEMPLATES
|
+
+
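Review bot: the front-matter title has a doubled word, "Threat Manager FolderFolder Templates"; it should match the description and the H1, "Threat Manager Folder Templates". The table also cannot render as written: the TAGS cell of each row continues onto a "- NEW v6.1 TEMPLATES" / "- NEW v7.1 TEMPLATES" line and then a bare "|" line, and the Threat Manager for AD LDAP description spans three lines (Policy 1 / Policy 2), so the pipes no longer line up with the header. Collapse each row onto one line (for example `| - Threat Manager - NEW v6.1 TEMPLATES |`, as the other template pages do) and drop the two trailing blank lines at the end of the file.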
diff --git a/docs/threatprevention/7.4/admin/templates/overview.md b/docs/threatprevention/7.4/admin/templates/overview.md
index 5227b2cb1c..6e22cedc22 100644
--- a/docs/threatprevention/7.4/admin/templates/overview.md
+++ b/docs/threatprevention/7.4/admin/templates/overview.md
@@ -21,7 +21,7 @@ The list of templates can be sorted alphanumerically ascending or descending by
header. An arrow appears in the right corner of the column header indicating the type of sorting.
You can also right-click a template to get a right-click menu.
-Templates Node
+**Templates Node**
Under the Templates node in the Navigation pane, folders are used to organize the templates. Folders
can be created at the top level or as sub-folders since Threat Prevention supports unlimited levels
diff --git a/docs/threatprevention/7.4/admin/tools/import.md b/docs/threatprevention/7.4/admin/tools/import.md
index 02158e04d1..c4a297855c 100644
--- a/docs/threatprevention/7.4/admin/tools/import.md
+++ b/docs/threatprevention/7.4/admin/tools/import.md
@@ -36,7 +36,10 @@ structure in the Navigation pane for saving the policies and/or templates import
file. For policies, you can specify a folder under the Policies node in the navigation pane. For
templates, you can specify a folder under the Templates node.
-**NOTE:** You cannot create new folder locations.
+:::note
+You cannot create new folder locations.
+:::
+
Select one of the following option buttons:
diff --git a/docs/threatprevention/7.4/api/collections.md b/docs/threatprevention/7.4/api/collections.md
index ff6661773a..69cf41c97e 100644
--- a/docs/threatprevention/7.4/api/collections.md
+++ b/docs/threatprevention/7.4/api/collections.md
@@ -37,7 +37,7 @@ in the `Get-SICollection` command. The following parameter is required:
Example of a remove collection command:
-Remove-SICollection –CollectionID “222”
+**Remove-SICollection –CollectionID “222”**
## Add or Modify Collections
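Review bot: bold is the wrong markup for a command example; the rest of this page already uses inline code for `Get-SICollection`, and a fenced PowerShell code block would keep the example copyable, stop Markdown from interpreting characters inside it, and make the example consistent with the cmdlet names in prose. The same applies to the Export-SICollection and Import-SICollection examples changed later in this file. Prefer an ASCII hyphen and straight quotes (`Remove-SICollection -CollectionID "222"`) over the en dash and typographic quotes in the current line so all command examples in the API pages use one form.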
@@ -61,11 +61,11 @@ The following parameter(s) are required:
Example of multiple collection exports that are displayed in the PowerShell Console:
-Export-SICollection –CollectionIDs “222,131,44”
+**Export-SICollection –CollectionIDs “222,131,44”**
Example of a single collection export to a file:
-Export-SICollection –CollectionIDs “222” >>c:\Import\ExampleExport1.xml
+**Export-SICollection –CollectionIDs “222” >>c:\Import\ExampleExport1.xml**
### Import Collections from an XML File
@@ -85,10 +85,16 @@ against the GUIDs in the XML file. One of the following actions occur:
XML parameters. It is created with a Threat Prevention system generated GUID and Collection ID;
the system discards the GUID and Collection ID from the source XML.
-**NOTE:** If an existing collection and a new collection in the pending XML import file share the
+:::note
+If an existing collection and a new collection in the pending XML import file share the
same collection name, an error is displayed and the existing collection remains unchanged.
+:::
+
+
+:::info
+Provide a unique, descriptive name for any new collections.
+:::
-**_RECOMMENDED:_** Provide a unique, descriptive name for any new collections.
The following parameter is required:
@@ -96,13 +102,15 @@ The following parameter is required:
Example of adding an import XML file:
-Import-SICollection –FileName “c:\Import\ExampleImport2.xml”
+**Import-SICollection –FileName “c:\Import\ExampleImport2.xml”**
The API returns as output the CollectionID, GUID, and Collection Name of the collection that has
been updated or created. If a new collection was created, it is up to the user to capture the
Collection ID and Collection GUID assigned by Threat Prevention in order to later access that
collection.
-_Remember,_ the Collection ID and Collection GUID are not the same as those in the source XML file.
+:::tip
+Remember, the Collection ID and Collection GUID are not the same as those in the source XML file.
Use the `Get-SICollection` API call to find the newly created collection and its associated GUID and
Collection ID by name.
+:::
diff --git a/docs/threatprevention/7.4/api/epe.md b/docs/threatprevention/7.4/api/epe.md
index 7c3bee6791..70c14e17fb 100644
--- a/docs/threatprevention/7.4/api/epe.md
+++ b/docs/threatprevention/7.4/api/epe.md
@@ -40,7 +40,7 @@ The following parameters are required:
Example of a password validation command:
-Test-ValidatePassword –Server “domain\server” –User “Username” –Password “Passwordvalue”
+**Test-ValidatePassword –Server “domain\server” –User “Username” –Password “Passwordvalue”**
## Import Character Substitutions
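Review bot: the example passes the password in clear text on the command line (`–Password “Passwordvalue”`); since readers will copy this into an interactive console, add a sentence noting that the line ends up in the PowerShell session history and in any transcript, so the test value should never be a real account password. As with the collections page, put the command in a fenced PowerShell block rather than bold, using an ASCII hyphen for the parameter prefixes.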
@@ -55,7 +55,7 @@ The following parameter is required:
Example of adding an import xml file:
-Import-SICharacterSubstitution -FileName "c:\Import\CharacterSubstitution.txt"
+**Import-SICharacterSubstitution -FileName "c:\Import\CharacterSubstitution.txt"**
## Export Character Substitutions
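Review bot: the lead-in context line "Example of adding an import xml file:" does not match the file in the command, `c:\Import\CharacterSubstitution.txt`; either the lead-in should say "import file" (or "text file") or the extension is wrong, and the same mismatch exists for the `Set-SIPwnedDB -FileName "c:\pwned_db.txt"` example at the end of this file. Worth fixing while these lines are being reformatted.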
@@ -65,7 +65,7 @@ used by the Enterprise Manager. The content exported is the same as displayed in
Example:
-Export-SICharacterSubstitution
+**Export-SICharacterSubstitution**
## Import Character Substitution Words
@@ -80,7 +80,7 @@ The following parameter is required:
Example of adding an import xml file:
-Import-SICharacterSubstitutionWords -FileName "C:\Import\CharacterSubstitutionWords.xml"
+**Import-SICharacterSubstitutionWords -FileName "C:\Import\CharacterSubstitutionWords.xml"**
## Export Character Substitution Words
@@ -91,7 +91,7 @@ displayed in the
Example:
-Export-SICharacterSubstitutionWords
+**Export-SICharacterSubstitutionWords**
## Import Passwords Dictionary
@@ -112,7 +112,7 @@ by the Enterprise Manager. The content exported is the same as displayed in the
Example:
-Export-SIPasswordsDictionary
+**Export-SIPasswordsDictionary**
## Set the Pwned Database
@@ -125,4 +125,4 @@ The following parameter is required:
Example of adding an import xml file:
-Set-SIPwnedDB -FileName "c:\pwned_db.txt"
+**Set-SIPwnedDB -FileName "c:\pwned_db.txt"**
diff --git a/docs/threatprevention/7.4/api/loadmodule.md b/docs/threatprevention/7.4/api/loadmodule.md
index 0224a2819a..9e2d12befc 100644
--- a/docs/threatprevention/7.4/api/loadmodule.md
+++ b/docs/threatprevention/7.4/api/loadmodule.md
@@ -9,8 +9,11 @@ sidebar_position: 10
The following steps are provided to load the Threat Prevention PowerShell module. These steps are
required with each PowerShell session before running the available APIs.
-**NOTE:** The command below assumes the Threat Prevention installation directory is in the C drive
+:::note
+The command below assumes the Threat Prevention installation directory is in the C drive
on the server where the PowerShell console resides.
+:::
+
**Step 1 –** Run the following command to load the module into PowerShell. The highlighted part of
the command assumes the default installation directory, but a custom path can be used.
@@ -21,8 +24,11 @@ Prevention\SIEnterpriseManager\SI.SIMonitor.PowerShell.dll”
**Step 2 –** Connect to the Enterprise Manager using the `Connect-SIEnterpriseManager` command. The
following parameters may be used:
-**NOTE:** If PowerShell is running on a separate machine to the Enterprise Manager, at least the
+:::note
+If PowerShell is running on a separate machine to the Enterprise Manager, at least the
address is required.
+:::
+
- Address [String] – Enterprise Manager IP address, default is 127.0.0.1
- Port [String] – Enterprise Manager port, default is 3740
@@ -30,11 +36,11 @@ address is required.
Example of `Connect-SIEnterpriseManager` without any parameters (PS and EM are on the same server):
-Connect-SIEnterpriseManager
+**Connect-SIEnterpriseManager**
Example of `Connect-SIEnterpriseManager` using two of the above parameters:
-Connect-SIEnterpriseManager -A 192.168.189.57 -R 1
+**Connect-SIEnterpriseManager -A 192.168.189.57 -R 1**
PowerShell is now ready to manage Threat Prevention policies, collections, EPE settings, and
integration settings with Netwrix Threat Manager.
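Review bot: the second example, `Connect-SIEnterpriseManager -A 192.168.189.57 -R 1`, is described as "using two of the above parameters", but the list above names the parameters Address and Port, and `-R` does not abbreviate either of them; spell the parameter names out in full (`-Address 192.168.189.57` and whichever parameter `-R` stands for) so the example can be matched against the list and does not rely on PowerShell's prefix matching, which breaks as soon as two parameters share a prefix. Both examples should be fenced code blocks rather than bold text.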
diff --git a/docs/threatprevention/7.4/api/overview.md b/docs/threatprevention/7.4/api/overview.md
index d6929b9774..b79c418bc8 100644
--- a/docs/threatprevention/7.4/api/overview.md
+++ b/docs/threatprevention/7.4/api/overview.md
@@ -15,10 +15,13 @@ Enterprise Manager is not located. The following PowerShell APIs can be used:
- Connect-SIEnterpriseManager
- Informative APIs
- **NOTE:** These APIs do not require any additional configuration. They display Agent status from
+ :::note
+ These APIs do not require any additional configuration. They display Agent status from
the
[Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md)
and a list of available PowerShell APIs the user can utilize.
+ :::
+
- Get-SIAgentStatus – Displays Agent status from the Agent grid columns on the
[Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md)
@@ -62,7 +65,7 @@ The following prerequisites must be met before using the APIs:
PowerShell. This module is stored in the installation directory within the Enterprise Manager
folder:
- …\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\
+**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\**
To disallow the use of the PowerShell module, remove the module from the Enterprise Manager
folder.
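Review bot: `**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\**` will not render as intended: the trailing backslash escapes the first `*` of the closing `**`, so the bold run is never closed and a literal asterisk appears in the output. A code span (`` `…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\` ``) is the right markup for a file system path and avoids the escaping problem entirely.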
diff --git a/docs/threatprevention/7.4/api/policy.md b/docs/threatprevention/7.4/api/policy.md
index 1c95b010cf..7b33c25b1a 100644
--- a/docs/threatprevention/7.4/api/policy.md
+++ b/docs/threatprevention/7.4/api/policy.md
@@ -35,11 +35,11 @@ the `Get-SIPolicy` command. Both the following parameters are required:
Example of an enable policy command:
-Enable-SIPolicy -PolicyID "255" –Enable 1
+**Enable-SIPolicy -PolicyID "255" –Enable 1**
Example of a disable policy command:
-Enable-SIPolicy -PolicyID "255" -Enable 0
+**Enable-SIPolicy -PolicyID "255" -Enable 0**
## Delete a Policy
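Review bot: the two examples are inconsistent with each other: the enable command uses an en dash (`–Enable 1`) while the disable command uses an ASCII hyphen (`-Enable 0`). Normalise both to the hyphen and put them in fenced PowerShell blocks instead of bold, matching the inline-code style already used for `Get-SIPolicy` in the surrounding text.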
@@ -50,7 +50,7 @@ The `Remove-SIPolicy` command is used to delete a policy using the policy ID ret
Example of a delete policy command:
-Remove-SIPolicy -PolicyID "255"
+**Remove-SIPolicy -PolicyID "255"**
## Add or Modify Policies
@@ -74,11 +74,11 @@ The following parameter(s) are required:
Example of multiple policy exports that are displayed in the PowerShell Console:
-Export-SIPolicy -PolicyIDs "111,222,33,555"
+**Export-SIPolicy -PolicyIDs "111,222,33,555"**
Example of a single policy export to a file:
-Export-SIPolicy -PolicyIDs "255" >>c:\Import\ExampleExport1.xml
+**Export-SIPolicy -PolicyIDs "255" >>c:\Import\ExampleExport1.xml**
### Import Policies from an XML File
@@ -98,10 +98,16 @@ GUIDs in the XML file. One of the following actions occur:
parameters. It is created with a system generated GUID and Policy ID; the system discards the GUID
and Policy ID from the source XML.
-**NOTE:** If an existing policy and a new policy in the pending XML import file share the same
+:::note
+If an existing policy and a new policy in the pending XML import file share the same
policy name, an error is displayed and the existing policy remains unchanged.
+:::
+
+
+:::info
+Provide a unique, descriptive name for any new policies.
+:::
-**_RECOMMENDED:_** Provide a unique, descriptive name for any new policies.
The following parameter is required:
@@ -117,12 +123,14 @@ required along with the FileName:
Example of adding an import XML file:
-Import-SIPolicy -FileName "c:\Import\ExampleImport2.xml"
+**Import-SIPolicy -FileName "c:\Import\ExampleImport2.xml"**
The API returns as output the PolicyID, GUID, and Policy Name of the policy that has been updated or
created. If a new policy was created, it is up to the user to capture the Policy ID and Policy GUID
assigned by Threat Prevention in order to later access that policy.
-_Remember,_ the Policy ID and Policy GUID is not the same as those in the source XML file. Use the
+:::tip
+Remember, the Policy ID and Policy GUID is not the same as those in the source XML file. Use the
`Get-SIPolicy` API call to find the newly created policy and its associated GUID and Policy ID by
the name.
+:::
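Review bot: the sentence carried into the tip admonition keeps a grammatical error from the original line: "the Policy ID and Policy GUID is not the same as those in the source XML file" should read "are not the same as those in the source XML file" (the collections page already uses the plural form). Since the line is being rewritten anyway, fix it here.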
diff --git a/docs/threatprevention/7.4/api/threatmanager.md b/docs/threatprevention/7.4/api/threatmanager.md
index 2a9a4ff495..5b941c95df 100644
--- a/docs/threatprevention/7.4/api/threatmanager.md
+++ b/docs/threatprevention/7.4/api/threatmanager.md
@@ -36,7 +36,10 @@ There are three methods available for data output:
[Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor)
for additional information.
- _Remember,_ the port number for Activity Monitor is 4498.
+ :::tip
+ Remember, the port number for Activity Monitor is 4498.
+ :::
+
The following parameter(s) are required:
@@ -79,8 +82,11 @@ The `Set-SILdapDeception` command changes the settings on the
[Honey Token Tab](/docs/threatprevention/7.4/admin/configuration/threatmanagerconfiguration.md#honey-token-tab)
of the Netwrix Threat Manager Configuration window.
-_Remember,_ these settings must be an exact match to the configuration set up in the Threat Manager
+:::tip
+Remember, these settings must be an exact match to the configuration set up in the Threat Manager
Honey Token threat.
+:::
+
The following parameter(s) are required:
diff --git a/docs/threatprevention/7.4/eperestsite/accountmanagement.md b/docs/threatprevention/7.4/eperestsite/accountmanagement.md
index b36ed2d7d9..c4ff78091a 100644
--- a/docs/threatprevention/7.4/eperestsite/accountmanagement.md
+++ b/docs/threatprevention/7.4/eperestsite/accountmanagement.md
@@ -19,12 +19,12 @@ Service:
This API returns a list of internal accounts stored in the EpeUsers database.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Basic authentication. Any valid account such as a local account for this
machine or a domain account that can be verified on this machine should work.
-Example
+**Example**

@@ -32,11 +32,11 @@ Example
This API creates a new internal account in the EpeUsers database.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Basic authentication
-Required Input Parameters
+**Required Input Parameters**
```
{
@@ -48,7 +48,7 @@ Required Input Parameters
}
```
-Example
+**Example**

@@ -57,11 +57,11 @@ Example
This API returns information about an internal account stored in the EpeUsers database with the User
Id value as the input parameter.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Basic authentication
-Example
+**Example**

@@ -70,11 +70,11 @@ Example
This API returns information about an internal account stored in the EpeUsers database with the User
Name value as the input parameter.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Basic authentication
-Example
+**Example**

@@ -83,11 +83,11 @@ Example
This API deletes an internal account stored in the EpeUsers database with the User Name value as the
input parameter.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Basic authentication
-Example
+**Example**

diff --git a/docs/threatprevention/7.4/eperestsite/checkpassword.md b/docs/threatprevention/7.4/eperestsite/checkpassword.md
index 17585f2a88..d3cbcc578f 100644
--- a/docs/threatprevention/7.4/eperestsite/checkpassword.md
+++ b/docs/threatprevention/7.4/eperestsite/checkpassword.md
@@ -16,17 +16,20 @@ You can use APIs to check a candidate password against the EPE rules defined on
Create a JSON file with a request. This file should contain the account name and the password you
want to test.
-**NOTE:** The EPE Rest service only checks the password; it does not change it.
+:::note
+The EPE Rest service only checks the password; it does not change it.
+:::
+
## POST api/Epe/CheckPassword (Basic)
This API verifies the password value.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Basic
-Input Parameters
+**Input Parameters**
```
{
@@ -38,7 +41,7 @@ Input Parameters
The “username” and “password” parameters are required. The “server” parameter is optional.
-Example
+**Example**

@@ -46,11 +49,11 @@ Example
This API verifies the password value.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Digest
-Input Parameters
+**Input Parameters**
```
{
@@ -62,7 +65,7 @@ Input Parameters
The “username” and “password” parameters are required. The “server” parameter is optional.
-Required Header Input Parameters
+**Required Header Input Parameters**
```
"User”:
@@ -70,7 +73,7 @@ Required Header Input Parameters
"Hash":
```
-Example
+**Example**

@@ -78,11 +81,11 @@ Example
This API verifies the password value.
-Authentication required – Yes
+**Authentication required – Yes**
Authentication Type – Bearer
-Input Parameters
+**Input Parameters**
```
{
@@ -94,13 +97,13 @@ Input Parameters
The “username” and “password” parameters are required. The “server” parameter is optional.
-Required Header Input Parameters
+**Required Header Input Parameters**
```
"User”:
"Authorization”:”Bearer ”
```
-Example
+**Example**

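Review bot: the header examples in this section mix straight and typographic quotes (`"User”:` and `"Authorization”:”Bearer ”`), which a reader cannot paste into a request as-is; since the hunk is already touching this block, normalise them to straight double quotes (`"User":` and `"Authorization": "Bearer <token>"`). The same `"User”:` / `"Hash":` pair appears in the Digest section above and should get the same fix.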
diff --git a/docs/threatprevention/7.4/eperestsite/login.md b/docs/threatprevention/7.4/eperestsite/login.md
index 4673897ce9..b95a845dc6 100644
--- a/docs/threatprevention/7.4/eperestsite/login.md
+++ b/docs/threatprevention/7.4/eperestsite/login.md
@@ -20,7 +20,7 @@ This operation returns a session hash value in the body of the response, that ca
api/Epe/CheckPassword requests. To use this value in an api/Epe/CheckPassword request, provide it in
the header of the request.
-Authentication required – No
+**Authentication required – No**
Required Input Parameters
@@ -31,7 +31,7 @@ Required Input Parameters
}
```
-Example
+**Example**

@@ -41,7 +41,7 @@ This API is used to log off from a specified session.
This operation makes session for the specified account and the hash value is not valid anymore.
-Authentication required – Digest
+**Authentication required – Digest**
Required Header Input Parameters
@@ -51,7 +51,7 @@ Required Header Input Parameters
"Hash":
```
-Example
+**Example**

@@ -63,7 +63,7 @@ This operation returns an access_token value in the body of the response, that c
api/Epe/CheckPassword requests. To use this value in an api/Epe/CheckPassword request, provide it in
the header of the request.
-Authentication required – Bearer
+**Authentication required – Bearer**
Required Input Parameters (TEXT Format)
@@ -71,6 +71,6 @@ Required Input Parameters (TEXT Format)
userName=&password=&grant_type=password&client_Id=self
```
-Example
+**Example**

diff --git a/docs/threatprevention/7.4/overview/gettingstarted.md b/docs/threatprevention/7.4/gettingstarted.md
similarity index 94%
rename from docs/threatprevention/7.4/overview/gettingstarted.md
rename to docs/threatprevention/7.4/gettingstarted.md
index 41f0d284ea..31a4fcfff1 100644
--- a/docs/threatprevention/7.4/overview/gettingstarted.md
+++ b/docs/threatprevention/7.4/gettingstarted.md
@@ -1,7 +1,7 @@
---
title: "Getting Started"
description: "Getting Started"
-sidebar_position: 10
+sidebar_position: 2
---
# Getting Started
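Review bot: this hunk moves the page from `overview/gettingstarted.md` to the version root and changes `sidebar_position` from 10 to 2, but nothing in the diff updates incoming links to the old `/docs/threatprevention/7.4/overview/gettingstarted.md` path. Confirm the broken-link check passes, or add a redirect for the old URL, before merging.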
@@ -52,20 +52,29 @@ enable policies to begin monitoring your organization’s environment. Do either
On enabling and saving a policy configuration, the Agent is automatically sent the necessary
information to begin monitoring.
-**CAUTION:** Use extreme caution when enabling lockdown policies to ensure that the required events
+:::warning
+Use extreme caution when enabling lockdown policies to ensure that the required events
do not unintentionally get blocked.
+:::
-**_RECOMMENDED:_** Start with monitoring the environment before enabling lockdown policies. For
+
+:::info
+Start with monitoring the environment before enabling lockdown policies. For
example, first configure a monitoring policy for the events to be blocked. Watch the captured events
to ensure the filters are returning the expected events. Once assured, create the lockdown policy to
block those events.
+:::
+
-**_RECOMMENDED:_** After configuring a new policy, navigate to either the
+:::info
+After configuring a new policy, navigate to either the
[Recent Events Tab](/docs/threatprevention/7.4/admin/policies/configuration/recentevents/overview.md)
in the policy's configuration or to the
[Investigate Interface](/docs/threatprevention/7.4/admin/investigate/overview.md)
to confirm that the intended events being monitored are intended. Refresh the data to view the
recent events.
+:::
+
### View Event Data
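Review bot: the context sentence `to confirm that the intended events being monitored are intended` is circular; while the note is being re-wrapped into `:::info`, reword it to `to confirm that the intended events are being monitored`. Also, both `**_RECOMMENDED:_**` callouts become plain `:::info` blocks, which drops the word "recommended" entirely; either keep it as the admonition title (`:::info Recommended`) or use `:::tip`, which this same change already uses for a "Remember" callout in manual.md.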
@@ -91,7 +100,7 @@ topic for additional information.
## Set Up the Threat Manager Reporting Module
-Prerequisites
+**Prerequisites**
- See the
[Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md)
@@ -100,7 +109,7 @@ Prerequisites
[Netwrix Threat Manager Reporting Module Ports](/docs/threatprevention/7.4/requirements/ports.md#netwrix-threat-manager-reporting-module-ports)
topic for a list of firewall ports used.
-Installation
+**Installation**
Install the Netwrix Threat Manager Reporting Module application. Typically, this is done on the same
server where Threat Prevention resides, but it can be on any server within the same environment.
@@ -108,14 +117,14 @@ This application needs access to the Threat Prevention database. See the
[Reporting Module Installation](/docs/threatprevention/7.4/install/reportingmodule/overview.md)
topic for additional information.
-First Launch
+**First Launch**
On launching Netwrix Threat Manager Reporting Module for the first time, you will set the password
for the builtin Administrator account, and optionally enable MFA for that account. See the
[First Launch](/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md)
topic for additional information.
-Initial Configuration
+**Initial Configuration**
Configure the following:
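Review bot: `builtin Administrator account` in the context line should be `built-in Administrator account`; worth fixing while the label above it is being restyled.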
diff --git a/docs/threatprevention/7.4/index.md b/docs/threatprevention/7.4/index.md
index 23b244b7ec..c2f60d9915 100644
--- a/docs/threatprevention/7.4/index.md
+++ b/docs/threatprevention/7.4/index.md
@@ -1,32 +1,37 @@
-# Threat Prevention 7.4
-
-> Proactive security firewall for critical IT infrastructure
-
-Threat Prevention 7.4 acts as an intelligent firewall around your most critical systems including Active Directory, Exchange, and file systems. This solution intercepts and blocks malicious activities in real-time, overcoming the limitations of native Windows security controls to provide comprehensive protection against both internal and external threats while maintaining detailed audit trails for compliance and forensics.
-
-## Key Features
-
-- **Active Threat Interception**: Monitor and block suspicious activities at the source before damage occurs
-- **Automated Remediation**: Instantly disable compromised accounts and reverse unauthorized changes
-- **Policy-Based Protection**: Define granular security policies for different systems and user groups
-- **Comprehensive Forensics**: Capture detailed audit trails of all activities for investigation
-
-## Benefits
-
-- **Stop Attacks in Progress**: Block malicious activities in real-time, not after the fact
-- **Protect Critical Assets**: Safeguard Active Directory, Exchange, and file systems from compromise
-- **Reduce Security Incidents**: Prevent attacks rather than just detecting them
-- **Simplify Compliance**: Maintain detailed audit trails for regulatory requirements
-
-## What's New in Version 7.4
-
-- Enhanced machine learning algorithms for threat detection
-- Improved SIEM integration with QRadar and Splunk
-- New policy templates for common attack scenarios
-- Performance optimizations for large-scale deployments
-
-```mdx-code-block
-import DocCardList from '@theme/DocCardList';
-
-
-```
+---
+title: "Netwrix Threat Prevention v7.4 Documentation"
+description: "Netwrix Threat Prevention v7.4 Documentation"
+sidebar_position: 1
+---
+
+# Netwrix Threat Prevention v7.4 Documentation
+
+Netwrix Threat Prevention safeguards an organization from internal and external threats by acting
+like a firewall around the critical systems and applications: Active Directory, Exchange, and file
+systems. It empowers organizations to overcome limitations in native Windows logging and security
+controls with features such as:
+
+- Active Monitoring – Threat Prevention intercepts all critical activity at the source, actively
+ monitors user behavior and alerts on suspicious activities, thus generating security intelligence
+ that provides visibility and security over your business assets.
+- Proactive Remediation – When a suspicious pattern of activity is identified, Threat Prevention
+ issues an alert along with immediate remediation, such as blocking the compromised user account
+ from further authentications. In this way, it protects business critical systems and sensitive
+ data from threats such as malware and ransomware.
+- Real-time alerts – Provides inspection, alerting, and policy enforcement, serving as a security
+ enhancement that protects sensitive assets and eliminates downtime from careless error.
+- Audit Trail – Provides administrators and auditors detailed records of every change, access, and
+ authentication activity.
+- Third-party Integration – Threat Prevention seamlessly integrates with SIEM dashboards that an
+ organization is currently leveraging. It sends SIEM reliable, insightful and context laden data in
+ real-time to SIEM dashboards, removing the need for native logs.
+- Modern Architecture – With a FIPS 104-2 compliant architecture, Threat Prevention has been built
+ specifically for the modern security landscape.
+
+Organizations can benefit from Threat Prevention in many ways, such as:
+
+- Catch suspicious authentication events
+- Proactively prevent unauthorized changes
+- Block the riskiest actions
+- Accelerate investigation and harden security
+- Tighten security and compliance practices
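Review bot: `FIPS 104-2` in the new Modern Architecture bullet is a typo for FIPS 140-2, the NIST standard for cryptographic modules; a wrong standard number in a compliance claim on the landing page will be quoted back by customers, so fix it before merging. Two further points on this rewrite: the `mdx-code-block` importing `DocCardList` is removed with the old body, so confirm nothing on the index depended on it, and the "What's New in Version 7.4" section is dropped rather than moved, so check that the release notes still carry that content. Minor: `It sends SIEM reliable, insightful and context laden data in real-time to SIEM dashboards` repeats SIEM; suggest `It sends reliable, insightful, context-laden data to SIEM dashboards in real time`.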
diff --git a/docs/threatprevention/7.4/install/adminconsole.md b/docs/threatprevention/7.4/install/adminconsole.md
index 48de5aa81d..1c7a49c238 100644
--- a/docs/threatprevention/7.4/install/adminconsole.md
+++ b/docs/threatprevention/7.4/install/adminconsole.md
@@ -64,11 +64,14 @@ to communicate with the other Threat Prevention components.
- Enterprise Manager port for Console and PowerShell API Communications – 3740
-**NOTE:** As a prerequisite for using custom managed certificates, you must provide the Enterprise
+:::note
+As a prerequisite for using custom managed certificates, you must provide the Enterprise
Manager server DNS name, hostname, or FQDN (instead of the IP address) when installing Threat
Prevention server, remote instance of the Administration Console, and the Agent. See the
[Administration Console and Agent Not Communicating with the Enterprise Manager ](/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md)topics
for additional information.
+:::
+
Checking the **Create Windows Firewall Rules** box automatically sets the Windows firewall rules
needed to open these ports on the server during the installation process. If using a third party
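Review bot: the link in this note has a trailing space inside the link text and no space after it: `... Enterprise Manager ](/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md)topics`. It renders as `Enterprise Manager topics` with the space inside the link, and `topics` should be singular since one topic is linked. The identical link appears in customcert.md, manual.md and application.md in this same change; fix all four while the notes are being converted.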
@@ -91,8 +94,11 @@ Wizard page displays the **Run .NET 4.7 installation package** checkbox. Check i
You can also cancel the built-in download of .NET Framework 4.7 and install it manually.
-**NOTE:** If the .NET Framework installation does not complete, run the installer through an
+:::note
+If the .NET Framework installation does not complete, run the installer through an
Administrative command prompt.
+:::
+
**Step 8 –** Click Finish on the Completed the Netwrix Threat Prevention Server Setup Wizard page.
@@ -115,8 +121,11 @@ CertsInfo folder path on the remote Administration Console machine:
`…\Netwrix\Netwrix Threat Prevention\SIWinConsole\CertsInfo\`
-**CAUTION:** Never copy all files from the Certsinfo folder on the server to a machine where the
+:::warning
+Never copy all files from the Certsinfo folder on the server to a machine where the
Enterprise Manager is not installed. Doing so exposes the Enterprise Manager private keys, which
undermines security.
+:::
+
The remote Administration Console is now ready to be launched.
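Review bot: the folder name is spelled two ways within this hunk, `CertsInfo` in the path on the first context line and `Certsinfo` in the new warning text; use one spelling (the path suggests `CertsInfo`). Since the warning is about exposing the Enterprise Manager private keys, `:::danger` would also signal the severity better than `:::warning`, if the house style allows it.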
diff --git a/docs/threatprevention/7.4/install/agent/manual/customcert.md b/docs/threatprevention/7.4/install/agent/manual/customcert.md
index 053a1060f6..b0780c88d6 100644
--- a/docs/threatprevention/7.4/install/agent/manual/customcert.md
+++ b/docs/threatprevention/7.4/install/agent/manual/customcert.md
@@ -11,11 +11,14 @@ If "custom-managed" is selected for the CA certificate configuration during
use the `SIAgentCert.exe` command line utility to facilitate the creation of certificates for each
Agent.
-**NOTE:** As a prerequisite for using custom managed certificates, you must provide the Enterprise
+:::note
+As a prerequisite for using custom managed certificates, you must provide the Enterprise
Manager server DNS name, hostname, or FQDN (instead of the IP address) when installing Threat
Prevention server, remote instance of the Administration Console, and the Agent. See the
[Administration Console and Agent Not Communicating with the Enterprise Manager ](/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md)topics
for additional information.
+:::
+
The `SIAgentCert.exe` utility is located in the following folder:
@@ -37,8 +40,11 @@ generates an `agent-key.pem` file and an `agent-csr.pem` and places them in the
**Step 2 –** The `SIAgentCert.exe` utility prompts you to sign the certificate using the generated
`agent-csr.pem` file.
-**NOTE:** It is the customer's responsibility to supply the `agent-csr.pem` file to their
+:::note
+It is the customer's responsibility to supply the `agent-csr.pem` file to their
certificate authority to create a signed file.
+:::
+
**Step 3 –** Copy the `agent-crt.pem` file created and signed by the customer's certificate
authority to the CertsInfo folder on the machine where the Agent is deployed:
@@ -53,8 +59,11 @@ is deployed, which will enroll the `agent-crt.pem` file.
**Step 6 –** Start the Agent service. This service has display name as _Netwrix Threat Prevention
Windows Agent_ and service name as _SIWindowsAgent_.
-**NOTE:** After Agent deployment, you can configure and upgrade the Agent through the Administration
+:::note
+After Agent deployment, you can configure and upgrade the Agent through the Administration
Console. Upgrades and configuration changes will continue to use the existing certificate.
+:::
+
See the
[Upgrade Procedure](/docs/threatprevention/7.4/install/upgrade/overview.md)
diff --git a/docs/threatprevention/7.4/install/agent/manual/manual.md b/docs/threatprevention/7.4/install/agent/manual/manual.md
index 31839d0e53..54f10a78d8 100644
--- a/docs/threatprevention/7.4/install/agent/manual/manual.md
+++ b/docs/threatprevention/7.4/install/agent/manual/manual.md
@@ -15,7 +15,10 @@ The Threat Prevention Agent can be deployed through any of the following methods
- Deploy the Agent to server(s) through the Administration Console – You can deploy the Agent to one
or multiple servers through the Administration Console
- **_RECOMMENDED:_** This is the recommended method for deploying the Agent.
+ :::info
+ This is the recommended method for deploying the Agent.
+ :::
+
- Manually through the Windows Agent Setup Wizard – Run the Agent executable to launch this wizard
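Review bot: the `+` blank line inserted after the nested `:::` and before the next `- Manually through ...` bullet turns this into a loose list, so every item gets paragraph spacing rather than just this one. The same pattern (a blank line after a closing `:::` inside a list item) recurs in the later hunks of this file and in application.md; if the blank line is not needed for the admonition to parse, drop it, and in any case check the rendered spacing of the whole list.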
@@ -27,41 +30,44 @@ topic for additional information to deploy the Agent through the Administration
Follow the steps to manually deploy the Agent.
-**NOTE:** Manually deploying the Agent requires an Enrollment Secret, which is a limited-life (1
+:::note
+Manually deploying the Agent requires an Enrollment Secret, which is a limited-life (1
hour) password generated by the Enterprise Manager. The Agent Installer uses it to ensure that the
Agent is connected to a legitimate Enterprise Manager. Prior to launching the Threat Prevention
Windows Agent Setup wizard, note the values for the enrollment secret and the EM certificate. See
the
[Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md)
topic for additional information.
+:::
+
**Step 1 –** From the Threat Prevention server, copy the Agent executable (
`...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\Setup\SI Agent.exe`) to the machine where
you want to install the Agent. Then run the executable. The Netwrix Threat Prevention Windows Agent
Setup wizard opens.
-
+
**Step 2 –** On the Welcome page, click **Install**. The Setup Progress page is displayed, followed
by another Welcome page.
-
+
**Step 3 –** Click **Next**.
-
+
**Step 4 –** On the End-User License Agreement page, check the **I accept the terms in the License
Agreement** box and click **Next**.
-
+
**Step 5 –** _(Optional)_ On the Destination Folder page, change the installation directory
location.
- To change the default installation directory location, click **Change…**.
-
+
> > - Use the Look In field to select the desired installation folder.
> > - When the Folder name is as desired, click **OK**. The wizard returns to the Destination Folder
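Review bot: the six `-`/`+` pairs of apparently blank lines in this hunk (for example below `Setup wizard opens.`) are whitespace-only changes, presumably trailing-whitespace or non-breaking-space removal, and they make up most of the diff; if a formatter produced them, say so in the commit message so reviewers can skip them. Also, the context lines `> > - Use the Look In field ...` sit two blockquote levels deep inside a numbered step and render as an indented quotation rather than a sub-list; since this page is being touched, consider a plain indented `-` list.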
@@ -71,7 +77,7 @@ location.
> To use the default installation directory location, skip the previous step and click **Next** on
> the Destination Folder page.
-
+
**Step 6 –** On the CA Certificate Configuration page, select one of the following options for the
certificate and click **Next**:
@@ -95,23 +101,32 @@ product to enable communication with it.
Manager service is located
- For Activity Monitor – Enter the path to the activity agent configuration file for this host.
- _Remember,_ the Activity Monitor activity agent must already be deployed on the domain
+ :::tip
+ Remember, the Activity Monitor activity agent must already be deployed on the domain
controller and enabled before installing the AD agent. The default path is:
`…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\SAMConfig.xml`
+ :::
- **NOTE:** As a prerequisite for using custom managed certificates, you must provide the
+
+ :::note
+ As a prerequisite for using custom managed certificates, you must provide the
Enterprise Manager server DNS name, hostname, or FQDN (instead of the IP address) when
installing Threat Prevention server, remote instance of the Administration Console, and the
Agent. See the
[Administration Console and Agent Not Communicating with the Enterprise Manager ](/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md)topics
for additional information.
+ :::
+
- The default Enterprise Manager port is 3741. Modify if necessary. The port configuration only
applies to the Enterprise Manager Host option.
- **NOTE:** On selecting the **Enterprise Manger host or IP address** option button and providing
+ :::note
+ On selecting the **Enterprise Manger host or IP address** option button and providing
valid information for the Enterprise Manager in the **Address or Path** and **Port** boxes, the
Agent automatically connects to the Enterprise Manager.
+ :::
+
- Configure additional Agent options as desired:
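Review bot: the new note line `On selecting the **Enterprise Manger host or IP address** option button` carries over the typo `Manger` for `Manager`, and because the option name is bolded as UI text readers will take it for the control's actual label; fix it in this hunk. This is also the one place where `:::tip` is used (`Remember, the Activity Monitor activity agent must already be deployed ...`) while every other RECOMMENDED/Remember-style callout in this change becomes `:::info`; pick one type for advisory callouts.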
@@ -123,10 +138,13 @@ product to enable communication with it.
installation, the Agent requires a manual start or needs to be started automatically after a
server reboot. Until the Agent is started, no activity monitoring or blocking occurs.
- **NOTE:** If **Custom-managed** is selected on the CA Certificate Configuration page, the
+ :::note
+ If **Custom-managed** is selected on the CA Certificate Configuration page, the
**Start Agent Service** checkbox is disabled because Agent installer does not obtain a
signed certificate from Enterprise Manager in the custom-managed mode. After installing the
Agent, you must create and provide certificates signed by your certificate authority.
+ :::
+
- Create Windows Firewall Rules – This option creates the rules needed to open this port during
the installation process. If using a third party firewall, uncheck this option and manually
@@ -141,16 +159,22 @@ the same value displayed in the
[Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md)
in the Administration Console.
-**NOTE:** This page is not displayed when "Custom-managed" is selected on the CA Certificate
+:::note
+This page is not displayed when "Custom-managed" is selected on the CA Certificate
Configuration wizard page .It is also not displayed when the Agent is reinstalled on a machine and
the Certsinfo folder was not manually deleted, in which case the original certificates are re-used.
The Certsinfo folder is located at: …\Netwrix\Netwrix Threat Prevention\SIWindowsAgent\CertsInfo\
+:::
+
- Approve certificates – Select this checkbox to approve the thumbprint, which will then enable the
Enrollment Secret box. Enter the enrollment secret obtained from the
[Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md).
- **NOTE:** If the enrollment secret has expired, you can generate a new one.
+ :::note
+ If the enrollment secret has expired, you can generate a new one.
+ :::
+

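Review bot: the context sentence `Configuration wizard page .It is also not displayed` has the period on the wrong side of the space; fix it to `page. It` while this note is being converted. The hunk also writes the folder as `Certsinfo` in the note text but `CertsInfo` in the path on the following line; use one spelling.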
@@ -177,13 +201,13 @@ being deployed. Click **Next**.
- NetApp Security Event Log – Available for legacy versions. Option should be grayed-out.
- Workstation Events – Available for legacy versions. Option should be grayed-out.
-
+
**Step 10 –** On the Ready to install Threat Prevention Windows Agent page, click **Install**. The
Setup wizard displays the installation status. When the installation completes, the Operation
Successful page is displayed.
-
+
**Step 11 –** When installation is complete, click **Close**.
diff --git a/docs/threatprevention/7.4/install/agent/overview.md b/docs/threatprevention/7.4/install/agent/overview.md
index d76fa412fc..aa75155665 100644
--- a/docs/threatprevention/7.4/install/agent/overview.md
+++ b/docs/threatprevention/7.4/install/agent/overview.md
@@ -42,7 +42,7 @@ the Threat Prevention solutions:
- Deploy Agents on all domain controllers with the Windows AD Events module
-WMI Requirement
+**WMI Requirement**
The Agent server has the following requirement:
@@ -66,13 +66,13 @@ list.
The Agent tracks all events occurring in Active Directory in real-time. The Agent must be installed
on all domain controllers within the domains to be monitored.
-Supported Platforms for Microsoft Active Directory
+**Supported Platforms for Microsoft Active Directory**
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
-Netwrix Activity Monitor Integration
+**Netwrix Activity Monitor Integration**
Both Activity Monitor and Threat Prevention can monitor the same domain controller. Deploy agents
from both products to the server. Activity Monitor identifies the Windows host as being “Managed by
@@ -82,7 +82,7 @@ control the configuration for that monitored host. However, Activity Monitor can
provide multiple outputs for a host, e.g. for Netwrix Access Analyzer (formerly Enterprise Auditor),
Netwrix Threat Manager, or SIEM products. Add a new output for the same host to the Monitored Host
tab in the Activity Monitor console to be used by the other product. See the
-[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/threatprevention.md)
+[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md)
topic for additional information.
## Exchange Servers
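Review bot: the link target changes from `requirements/agent/threatprevention.md` to `requirements/agent/NTPtoNAM.md` here and again in the File Servers section below, but this diff does not show `NTPtoNAM.md` being added or `threatprevention.md` being removed. Confirm the new file exists under that exact mixed-case name, since the build is case-sensitive on Linux, and that no other page still points at the old path.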
@@ -97,23 +97,26 @@ on all domain controllers within the domains to be monitored.
If only gathering Exchange event data for mailbox permission changes and mailbox logins, then the
Agent must also be installed on one domain controller, which can be read only.
-Supported Platforms for Microsoft Exchange
+**Supported Platforms for Microsoft Exchange**
- Exchange Server 2019
- Exchange Server 2016
- Exchange Server 2013
- Exchange Server 2010
-**NOTE:** The Exchange Server Monitoring module is not started on an Agent if newer Exchange Server
+:::note
+The Exchange Server Monitoring module is not started on an Agent if newer Exchange Server
updates are detected at run time, and a corresponding message displays in the Agent log file and the
Agents interface.
+:::
+
## Windows File Servers
The Agent monitors all events occurring in the file system in real-time. The Agent must be installed
on all Windows file servers within the domains to be monitored.
-Netwrix Activity Monitor Integration
+**Netwrix Activity Monitor Integration**
Both Activity Monitor and Threat Prevention can monitor the same Windows server. Deploy agents from
both products to the server. Activity Monitor identifies the Windows host as being “Managed by
@@ -123,5 +126,5 @@ control the configuration for that monitored host. However, Activity Monitor can
provide multiple outputs for a host, e.g. for Netwrix Access Analyzer (formerly Enterprise Auditor),
Netwrix Threat Manager, or SIEM products. Add a new output for the same host to the Monitored Host
tab in the Activity Monitor console to be used by the other product. See the
-[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/threatprevention.md)
+[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md)
topic for additional information.
diff --git a/docs/threatprevention/7.4/install/agent/silent.md b/docs/threatprevention/7.4/install/agent/silent.md
index dc18646a7c..a1644e181c 100644
--- a/docs/threatprevention/7.4/install/agent/silent.md
+++ b/docs/threatprevention/7.4/install/agent/silent.md
@@ -10,7 +10,7 @@ You can use command line options to install the Agent silently. These options ca
deploy the Agent via custom batch files, login scripts, or for integrating with third-party software
distribution solutions that an organization may already have in their environment.
-MSI Compliant Command-Line Options
+**MSI Compliant Command-Line Options**
The WiX installer application for Agent runs under control of Windows installer component (MSI).
Therefore, standard MSI command-line options can be used with the
@@ -25,36 +25,39 @@ Two of the more useful options are:
- Silent installation option – `/q`
- Logging option – `/log "file_for_logging.log"`
-All Properties for the Agent Installer
+**All Properties for the Agent Installer**
The following table details all properties that can be specified to the Agent installer via the
command line.
-| Property Name | Description | Default Value |
-| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| CUSTOM_CA | If this property is set to True, then the custom-managed certificate mode is enabled. This mode uses certificates that are signed by the customer's external certificate authority. In this mode, the installer will not generate certificates and will not start the Agent Service at the end of the installation. | FALSE |
-| EMCERTIFICATE | Enterprise Manager Certificate Thumbprint | This value can be found in the [Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md). This value is not used for high security mode. |
-| ENROLLMENTSECRET **Required for enrolling new Agent** | Agent Enrollment Secret | This value can be found in the [Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md). This is a required field if using auto security mode. It is not used for high security mode. |
-| SAFEMODE | Start Agent Service in safe mode | FALSE |
-| STARTAGENTSERVICE | Start Agent Service on successful installation | FALSE |
-| ADDFWRULES | Create firewall rules for the Agent Service | TRUE |
-| INSTALLFOLDER | Agent installation path | …\Program Files \Netwrix\Netwrix Threat Prevention\SIWindowsAgent |
-| PORTNUMBER | Enterprise Manager port value | 3741 |
-| ENTMGR_IPADDRESS Required | Enterprise Manager IP address | 127.0.0.1 |
-| FILE_MONITOR_INSTALL | Windows File System feature | FALSE |
-| AD_MONITOR_INSTALL | Windows Active Directory Events feature | FALSE |
-| EXCHANGE_MONITOR_INSTALL | Exchange Server Monitoring feature | FALSE |
-| DNSLOOKUPS | ‘dnsLookups’ in the SIWindowsAgent.exe file | TRUE |
-| CONFIGPARAMS | Key value pairs used in SIWindowsAgent.exe.config Example Value: Key=value&SDEventFormat=PROTOBUF | |
-| LOCALPWNEDDB | HaveIBeenPwned (HIBP) hash Database mode for Agent or Enterprise Manager | FALSE |
-
-Command Line Configuration Examples
+| Property Name | Description | Default Value |
+| ------------- | ------------------- | ------------- |
+| CUSTOM_CA | If this property is set to True, then the custom-managed certificate mode is enabled. This mode uses certificates that are signed by the customer's external certificate authority. In this mode, the installer will not generate certificates and will not start the Agent Service at the end of the installation. | FALSE |
+| EMCERTIFICATE | Enterprise Manager Certificate Thumbprint | This value can be found in the [Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md). This value is not used for high security mode. |
+| ENROLLMENTSECRET
**Required for enrolling new Agent** | Agent Enrollment Secret | This value can be found in the [Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.4/admin/agents/agentswindows/enrollmentsecretconfiguration.md). This is a required field if using auto security mode. It is not used for high security mode. |
+| SAFEMODE | Start Agent Service in safe mode | FALSE |
+| STARTAGENTSERVICE | Start Agent Service on successful installation | FALSE |
+| ADDFWRULES | Create firewall rules for the Agent Service | TRUE |
+| INSTALLFOLDER | Agent installation path | …\Program Files \Netwrix\Netwrix Threat Prevention\SIWindowsAgent |
+| PORTNUMBER | Enterprise Manager port value | 3741 |
+| ENTMGR_IPADDRESS Required | Enterprise Manager IP address | 127.0.0.1 |
+| FILE_MONITOR_INSTALL | Windows File System feature | FALSE |
+| AD_MONITOR_INSTALL | Windows Active Directory Events feature | FALSE |
+| EXCHANGE_MONITOR_INSTALL | Exchange Server Monitoring feature | FALSE |
+| DNSLOOKUPS | ‘dnsLookups’ in the SIWindowsAgent.exe file | TRUE |
+| CONFIGPARAMS | Key value pairs used in SIWindowsAgent.exe.config
Example Value:
Key=value&SDEventFormat=PROTOBUF | |
+| LOCALPWNEDDB | HaveIBeenPwned (HIBP) hash Database mode for Agent or Enterprise Manager | FALSE |
+
+**Command Line Configuration Examples**
The following examples show some standard scenarios for Agent installations.
-**NOTE:** Parameters with TRUE or FALSE are case sensitive. In the examples, EMCERTIFICATE and
+:::note
+Parameters with TRUE or FALSE are case sensitive. In the examples, EMCERTIFICATE and
ENROLLMENTSECRET have been generated and are unique to each install. These need to be retrieved from
the Administration Console.
+:::
+
Installing a new Agent to monitor Active Directory and File Events Example
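Review bot: two rows of the rebuilt table are broken across lines, `| ENROLLMENTSECRET` / `**Required for enrolling new Agent** | Agent Enrollment Secret | ...` and `| CONFIGPARAMS | Key value pairs used in SIWindowsAgent.exe.config` / `Example Value:` / `Key=value&SDEventFormat=PROTOBUF | |`. A markdown table row must be a single line, so as written the table stops rendering at ENROLLMENTSECRET; put each row on one line and use `<br />` where a break is wanted inside a cell. Note also that `Required` is bolded for ENROLLMENTSECRET but plain for `ENTMGR_IPADDRESS Required`; mark both the same way. Finally, `Installing a new Agent to monitor Active Directory and File Events Example` is left plain while `**Upgrading an Agent Installation Example**` in the next hunk is bolded.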
@@ -62,7 +65,7 @@ Installing a new Agent to monitor Active Directory and File Events Example
“SI Agent.exe” /q ENTMGR_IPADDRESS=10.0.21.1 FILE_MONITOR_INSTALL=TRUE AD_MONITOR_INSTALL=TRUE EMCERTIFICATE=261730F6D0E6400ECB3E4A09DD38B10C8BCA494F ENROLLMENTSECRET=E2401994866965EB
```
-Upgrading an Agent Installation Example
+**Upgrading an Agent Installation Example**
```
“SI Agent.exe” /q ENTMGR_IPADDRESS=10.0.21.1 FILE_MONITOR_INSTALL=TRUE AD_MONITOR_INSTALL=TRUE
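Review bot: both command examples wrap the executable name in curly quotes, `“SI Agent.exe” /q ENTMGR_IPADDRESS=...`, which cmd.exe treats as part of the file name rather than as quoting, so the command fails when copied. Replace them with straight quotes (`"SI Agent.exe"`) in both the new-install and the upgrade example.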
diff --git a/docs/threatprevention/7.4/install/application.md b/docs/threatprevention/7.4/install/application.md
index 9f699749b0..43848043a7 100644
--- a/docs/threatprevention/7.4/install/application.md
+++ b/docs/threatprevention/7.4/install/application.md
@@ -11,9 +11,12 @@ Follow the steps to install Threat Prevention.
**Step 1 –** From the Threat Prevention Installer package, run the server executable
(threatprevention-server-7.4.0.xxx.msi). The Threat Prevention Server Setup wizard opens.
-**NOTE:** Run the msi via the command prompt with elevated privileges (domain admin rights) on a
+:::note
+Run the msi via the command prompt with elevated privileges (domain admin rights) on a
domain-joined machine. Else the installer runs and completes without errors, though no components
are installed.
+:::
+

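Review bot: `Else the installer runs and completes without errors, though no components are installed.` reads awkwardly; suggest `Otherwise the installer runs to completion without errors but installs no components.` Since this is a silent-failure trap, it also deserves `:::warning` rather than `:::note`.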
@@ -31,7 +34,7 @@ happens:
**Step 3 –** On the End-User License Agreement page, check the **I accept the terms in the License
Agreement** box and click **Next**.
-
+
**Step 4 –** The Custom Setup page displays the components that are installed by default. These
components require the following hard drive space for installation:
@@ -65,11 +68,14 @@ to communicate with the other Threat Prevention components.
- Enterprise Manager port for Agent Communications – 3741
- Enterprise Manager port for Console and PowerShell API Communications – 3740
-**NOTE:** As a prerequisite for using custom managed certificates, you must provide the Enterprise
+:::note
+As a prerequisite for using custom managed certificates, you must provide the Enterprise
Manager server DNS name, hostname, or FQDN (instead of the IP address) when installing Threat
Prevention server, remote instance of the Administration Console, and the Agent. See the
[Administration Console and Agent Not Communicating with the Enterprise Manager ](/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md)topics
for additional information.
+:::
+
Checking the **Create Windows Firewall Rules** box automatically sets the Windows firewall rules
needed to open these ports on the server during the installation process. If using a third party
@@ -95,8 +101,11 @@ connection.
- For SQL Server authentication, provide SQL credentials in the **Login ID** and **Password**
boxes.
- **NOTE:** The account used for authentication, either a Windows or SQL account, requires a
+ :::note
+ The account used for authentication, either a Windows or SQL account, requires a
minimum of the following permissions on the SQL Server:
+ :::
+
- Create schema
- Read
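Review bot: the closing `:::` added right after "minimum of the following permissions on the SQL Server:" ends the admonition before the permission list (`- Create schema`, `- Read`, …) that the sentence introduces, so the bullets render outside the note box. Move the closing fence to after the last permission bullet and keep the list at the same indentation as the admonition so it stays inside the list item.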
@@ -107,9 +116,12 @@ connection.
- If using Windows authentication, continue with the next step.
- If using SQL Server authentication, skip the next step.
- **NOTE:** In case of SQL Server authentication, the credentials are tested on clicking
+ :::note
+ In case of SQL Server authentication, the credentials are tested on clicking
**Next**. If the credential authentication fails, the setup does not proceed and a pop-up
window displays failure details.
+ :::
+

@@ -119,14 +131,20 @@ connection.
Manager service will impersonate when connecting to the database. These credentials must have
elevated privileges with rights to create and modify the database.
- **NOTE:** Windows authentication uses an Active Directory account. Local Windows accounts are
+ :::note
+ Windows authentication uses an Active Directory account. Local Windows accounts are
not supported.
+ :::
+
- Click **Next**.
- **NOTE:** For Windows authentication, the credentials are tested on clicking **Next**. If the
+ :::note
+ For Windows authentication, the credentials are tested on clicking **Next**. If the
credential authentication fails, the setup does not proceed and a pop-up window displays failure
details.
+ :::
+

@@ -141,8 +159,11 @@ Wizard page displays the **Run .NET 4.7 installation package** checkbox. Check i
You can also cancel the built-in download of .NET Framework 4.7 and install it manually.
-**NOTE:** If the .NET Framework installation does not complete, run the installer through an
+:::note
+If the .NET Framework installation does not complete, run the installer through an
Administrative command prompt.
+:::
+
**Step 10 –** The installation process begins and the wizard displays the installation status. When
installation is complete, click **Finish**.
diff --git a/docs/threatprevention/7.4/install/certificatemanagementwizard.md b/docs/threatprevention/7.4/install/certificatemanagementwizard.md
index 7b6f7f9efa..31159112ef 100644
--- a/docs/threatprevention/7.4/install/certificatemanagementwizard.md
+++ b/docs/threatprevention/7.4/install/certificatemanagementwizard.md
@@ -12,13 +12,16 @@ certificate authority. This provides customers with the option to use certificat
certificate authority instead of the default certificate authority in Threat Prevention Enterprise
Manager.
-**NOTE:** As a prerequisite for using custom managed certificates, you must provide the Enterprise
+:::note
+As a prerequisite for using custom managed certificates, you must provide the Enterprise
Manager server DNS name, hostname, or FQDN (instead of the IP address) when installing Threat
Prevention server, remote instance of the Administration Console, and the Agent. See the
[Administration Console and Agent Not Communicating with the Enterprise Manager ](/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md)topics
for additional information.
+:::
-How to use the Certificate Management Wizard
+
+**How to use the Certificate Management Wizard**
The Certificate Management Wizard must be run twice to perform two actions.
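Review bot: "How to use the Certificate Management Wizard" is a section title, and this file already uses `##` headings (`## Create a Certificate Signing Request` in the following hunk), so turning it into bold text instead of a `##` or `###` heading leaves it out of the page outline and sidebar; prefer a heading. While on this hunk, the unchanged link `[Administration Console and Agent Not Communicating with the Enterprise Manager ](…)topics` has a trailing space inside the link text and no space before "topics"; the same link in the application.md hunk above has the identical defect.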
@@ -28,12 +31,12 @@ The Certificate Management Wizard must be run twice to perform two actions.
The Certificate Manager Wizard application, `SICertMgr.exe`, is available in the following folder:
-...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager
+**...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager**
The Threat Prevention installer generates default certificates, that are located in the following
folder:
-...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\CertsInfo
+**...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\CertsInfo**
## Create a Certificate Signing Request
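Review bot: wrapping the two install paths in `**…**` is inconsistent with how paths are shown elsewhere in these docs, where they are code spans (`SICertMgr.exe` two lines above, and `…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent` in the migrateemserver.md and overview.md hunks); use backticks here and in the matching path lines in dbconnectionmanager.md, licenseimport.md, policytemplates.md and secure.md so the patch settles on one convention.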
@@ -83,7 +86,10 @@ request has been created. Click **Finish**.
**Step 8 –** Copy the signed certificates from the SI-CSR-Files folder to your certificate authority
and generate the signed certificates.
-**NOTE:** The procedure to sign the certificates will vary based on the certificate authority used.
+:::note
+The procedure to sign the certificates will vary based on the certificate authority used.
+:::
+
**Step 9 –** Copy the signed certificates from your certificate authority and paste them to any
folder on the Threat Prevention server.
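Review bot: Step 8 in the unchanged context reads "Copy the signed certificates from the SI-CSR-Files folder to your certificate authority and generate the signed certificates", but what leaves the SI-CSR-Files folder are the signing requests; the signed certificates come back in Step 9. Suggest "Copy the certificate signing requests from the SI-CSR-Files folder to your certificate authority and generate the signed certificates."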
diff --git a/docs/threatprevention/7.4/install/dbconnectionmanager.md b/docs/threatprevention/7.4/install/dbconnectionmanager.md
index f027c94567..9502b7ab2f 100644
--- a/docs/threatprevention/7.4/install/dbconnectionmanager.md
+++ b/docs/threatprevention/7.4/install/dbconnectionmanager.md
@@ -12,13 +12,16 @@ initial install of the Enterprise Manager package. See the
[Application Server Install](/docs/threatprevention/7.4/install/application.md)
topic for additional information.
-_Remember,_ the host, port, and user for the NVMonitorConfig and NVMonitorData databases are
+:::tip
+Remember, the host, port, and user for the NVMonitorConfig and NVMonitorData databases are
displayed on the
[Events Database Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventsdatabaseconfiguration.md).
The current Archive Database settings are located on the Archive DB tab of the Database Maintenance
window. See the
[Archive Data](/docs/threatprevention/7.4/admin/configuration/databasemaintenance/archive.md)
topic for additional information.
+:::
+
Follow the steps to manage database settings on the DB Connection Manager Wizard.
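Review bot: the `:::tip` box already signals a reminder, so the "Remember," carried over from the old `_Remember,_` lead-in now reads as redundant; either drop it or use the Docusaurus title syntax (`:::tip Remember`) so the word becomes the box title. The same applies to the other `_Remember,_` conversions in this patch (migrateemserver.md, upgrade/agent.md, policytemplates.md).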
@@ -37,7 +40,7 @@ Connection Manager wizard.
ellipsis (...) to locate the configuration file if it is not available at the default location.
The default location is:
- ...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\SIEnterpriseManager.exe.config
+**...\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager\SIEnterpriseManager.exe.config**
The Database Connection Manager application generates a new connection string to either the
NVMonitorConfig/NVMonitorData database or the Archive database. To update either of these strings,
diff --git a/docs/threatprevention/7.4/install/eperestsite.md b/docs/threatprevention/7.4/install/eperestsite.md
index 30f1cb1844..4b05a0242a 100644
--- a/docs/threatprevention/7.4/install/eperestsite.md
+++ b/docs/threatprevention/7.4/install/eperestsite.md
@@ -11,7 +11,10 @@ Prevention Enterprise Password Enforcer (EPE) solution. It allows third-party ap
a candidate password to check whether it complies with the current EPE rules defined on the
[EPE Settings Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md).
-**NOTE:** This interface does not change the password; it only validates it against the EPE rules.
+:::note
+This interface does not change the password; it only validates it against the EPE rules.
+:::
+
When you install the EPE Rest Site, the following happens:
@@ -21,8 +24,11 @@ When you install the EPE Rest Site, the following happens:
Follow the steps to install the EPE Rest Site.
-**NOTE:** Install the EPE Rest Site on a server with IIS installed, which is accessible to
+:::note
+Install the EPE Rest Site on a server with IIS installed, which is accessible to
third-party applications that have to use the REST API.
+:::
+
**Step 1 –** From the Threat Prevention Installer package, run the server executable
(threatprevention-server-7.4.0.xxx.msi). The Threat Prevention Server Setup wizard opens.
@@ -92,8 +98,11 @@ the installer will create a database for the EPE Rest Site.
- For SQL Server authentication, provide SQL credentials in the **Login ID** and **Password**
boxes.
- **NOTE:** The account used for authentication, either a Windows or SQL account, requires a
+ :::note
+ The account used for authentication, either a Windows or SQL account, requires a
minimum of the following permissions on the SQL Server:
+ :::
+
- Create schema
- Read
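Review bot: as in the application.md hunk, the `:::` added after "minimum of the following permissions on the SQL Server:" closes the note before the permission list it introduces (`- Create schema`, `- Read`, …); move the closing fence below the last permission bullet so the list renders inside the note.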
@@ -104,9 +113,12 @@ the installer will create a database for the EPE Rest Site.
- If using Windows authentication, continue with the next step.
- If using SQL Server authentication, skip the next step.
- **NOTE:** In case of SQL Server authentication, the credentials are tested on clicking
+ :::note
+ In case of SQL Server authentication, the credentials are tested on clicking
**Next**. If the credential authentication fails, the setup does not proceed and a pop-up
window displays failure details.
+ :::
+

@@ -117,9 +129,12 @@ the installer will create a database for the EPE Rest Site.
credentials must have elevated privileges with rights to create and modify the database.
- Click **Next**.
- **NOTE:** For Windows authentication,the credentials are tested on clicking **Next**. If the
+ :::note
+ For Windows authentication,the credentials are tested on clicking **Next**. If the
credential authentication fails, the setup does not proceed and a pop-up window displays failure
details.
+ :::
+

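Review bot: the rewritten line "For Windows authentication,the credentials are tested on clicking **Next**" carries over the missing space after the comma; since the line is being replaced anyway, make it "For Windows authentication, the credentials…" (the application.md copy of this note has it right).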
diff --git a/docs/threatprevention/7.4/install/epeuserfeedback.md b/docs/threatprevention/7.4/install/epeuserfeedback.md
index f490d45822..d24e9324d7 100644
--- a/docs/threatprevention/7.4/install/epeuserfeedback.md
+++ b/docs/threatprevention/7.4/install/epeuserfeedback.md
@@ -13,8 +13,11 @@ only provides feedback to end users by listing the reasons EPE rejected a candid
While rejecting a password, EPE displays the reasons for rejected to the user. If no reasons are
shown, then the password was rejected by the OS prior to being evaluated by EPE.
-**NOTE:** For multilingual support, you must uninstall a previous version of the Credential Provider
+:::note
+For multilingual support, you must uninstall a previous version of the Credential Provider
and reinstall the Credential Provider that comes with Threat Prevention 7.4.
+:::
+
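Review bot: the unchanged context just above the new note, "EPE displays the reasons for rejected to the user", should read "the reasons for rejection"; worth fixing while this paragraph is being touched.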
## Credential Provider Server Requirements
@@ -46,8 +49,11 @@ This msi file is available in the following folder on the Threat Prevention serv
These msi files are located in the `…\Netwrix\Netwrix Threat Prevention\SIWinConsole\Setup` folder
on the Threat Prevention server.
-**NOTE:** To uninstall this module, use Programs & Features in Control Panel to select the
+:::note
+To uninstall this module, use Programs & Features in Control Panel to select the
SICredentialProviderx64 or x32.
+:::
+
## Configure Static User Text for the Windows Login Screen
@@ -59,7 +65,7 @@ a new password.
Edit the Enterprise Password Enforcer GPO to modify the text displayed to the end-users. You can
change up to ten lines of text.
-Access the Enterprise Password Enforcer GPO
+**Access the Enterprise Password Enforcer GPO**
**Step 1 –** Launch the Group Policy Management console (gpmc.msc).
diff --git a/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md b/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md
index a0877cdd78..97af1c6406 100644
--- a/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md
+++ b/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md
@@ -59,5 +59,5 @@ manage the Agent.
topic.
See the
-[Getting Started ](/docs/threatprevention/7.4/overview/gettingstarted.md)topic for
+[Getting Started ](/docs/threatprevention/7.4/gettingstarted.md)topic for
the next steps.
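Review bot: the rewritten link line keeps `[Getting Started ](/docs/threatprevention/7.4/gettingstarted.md)topic`, so the space sits inside the link text and there is none between the link and "topic"; write it as `[Getting Started](/docs/threatprevention/7.4/gettingstarted.md) topic`.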
diff --git a/docs/threatprevention/7.4/install/firstlaunch/licenseimport.md b/docs/threatprevention/7.4/install/firstlaunch/licenseimport.md
index d95217ba93..55728bdd1f 100644
--- a/docs/threatprevention/7.4/install/firstlaunch/licenseimport.md
+++ b/docs/threatprevention/7.4/install/firstlaunch/licenseimport.md
@@ -12,12 +12,15 @@ Follow the steps to import a license key file to continue using the product.
**Step 1 –** Contact your Netwrix Sales Representative and request for a license key.
-**NOTE:** The .key file from sales must contain 'stealthintercept in its name for Threat Prevention
+:::note
+The .key file from sales must contain 'stealthintercept in its name for Threat Prevention
to recognize it and convert it to a .lic file.
+:::
+
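Review bot: the added line "The .key file from sales must contain 'stealthintercept in its name" has an unclosed quote; close it (`'stealthintercept'`) or put the token in a code span, since readers will search the file name for exactly this string.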
**Step 2 –** Save the license key file to the following folder:
-…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager
+**…\Netwrix\Netwrix Threat Prevention\SIEnterpriseManager**

diff --git a/docs/threatprevention/7.4/install/migrateemserver.md b/docs/threatprevention/7.4/install/migrateemserver.md
index 39650c9db9..00c652e1fa 100644
--- a/docs/threatprevention/7.4/install/migrateemserver.md
+++ b/docs/threatprevention/7.4/install/migrateemserver.md
@@ -9,15 +9,21 @@ sidebar_position: 100
Follow the steps to move the Threat Prevention7.4 Enterprise Manager to a different server when
using default certificates.
-**CAUTION:** Do not remove the Enterprise Manager from the current machine until the migration
+:::warning
+Do not remove the Enterprise Manager from the current machine until the migration
process is complete.
+:::
+
**Step 1 –** Install the Enterprise Manager to the new machine. See the
[Application Server Install](/docs/threatprevention/7.4/install/application.md)
topic for additional information.
-_Remember,_ point to the existing SQL Server for the NVMonitorData and NVConfig databases on the
+:::tip
+Remember, point to the existing SQL Server for the NVMonitorData and NVConfig databases on the
Database Login Information page of the wizard during installation.
+:::
+
After the installation completes, go to the Services console (services.msc) on the new machine and
stop the Threat Prevention Enterprise Manager service.
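Review bot: the added tip names the databases "NVMonitorData and NVConfig", while the dbconnectionmanager.md hunk in this same patch calls them NVMonitorConfig and NVMonitorData; use one name so readers looking for the database in SQL Server find it. The unchanged context line "Threat Prevention7.4 Enterprise Manager" is also missing a space.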
@@ -42,7 +48,10 @@ Then, follow these steps to migrate the “secret.dpapi” file (do not copy).
By default, "myOutFile" is created at `C:\Windows\SysWOW64`.
- **NOTE:** SecretMgr.exe knows to look for the `\certsinfo\Secret.dpapi` folder and file.
+ :::note
+ SecretMgr.exe knows to look for the `\certsinfo\Secret.dpapi` folder and file.
+ :::
+
2. Manually copy “myOutFile” on the new Enterprise Manager machine in a secure way.
3. On the new Enterprise Manager machine: “SecretMgr.exe –i myOutFile”
@@ -69,21 +78,27 @@ follow these steps to update the Enterprise Manager info for each Agent.
At this point, the Agents should get displayed in the Administration Console on the new Enterprise
Manager machine.
-**NOTE:** If you cannot use the Administration Console on the original Enterprise Manager machine,
+:::note
+If you cannot use the Administration Console on the original Enterprise Manager machine,
then on each machine where the Agent is deployed, you can manually edit the
“SIWindowsAgent.exe.config” file to update the following entry with the IP address or name of the
new Enterprise Manager.
Example:
You will find the SIWindowsAgent.exe.config file at:
`…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent`
+:::
+
**Step 5 –** Once all Agents are displayed in the Administration Console on the new Enterprise
Manager machine, you can decommission the original Enterprise Manager machine and/or uninstall the
Netwrix Threat Prevention server.
-**NOTE:** If Netwrix Threat Prevention is configured to use customer supplied certificates. It is
+:::note
+If Netwrix Threat Prevention is configured to use customer supplied certificates. It is
recommended that you uninstall, then re-enroll and re-install all Agents with new certificates. This
is because customer supplied certificates usually have the FQDN info of the Enterprise Manager and
the new Enterprise Manager machine would typically have a different DNS name. See the
[Create Custom Managed Certificates for Each Agent](/docs/threatprevention/7.4/install/agent/manual/customcert.md)
topic for additional information.
+
+:::
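Review bot: the note added at the end of the file opens with a sentence fragment, "If Netwrix Threat Prevention is configured to use customer supplied certificates." followed by "It is recommended …"; join them ("…customer supplied certificates, it is recommended that you uninstall…"). Its closing `:::` is also preceded by a blank line, unlike every other admonition in the patch; drop the blank line. In the first note of this hunk, "Example:" is followed directly by "You will find the SIWindowsAgent.exe.config file at:", so check that the config entry the word announces actually appears in the rendered note.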
diff --git a/docs/threatprevention/7.4/install/overview.md b/docs/threatprevention/7.4/install/overview.md
index a3e6c34a44..38a4b80aa1 100644
--- a/docs/threatprevention/7.4/install/overview.md
+++ b/docs/threatprevention/7.4/install/overview.md
@@ -16,12 +16,15 @@ network.
Password Enforcer (EPE) solution
- Netwrix Threat Manager Reporting Module that is installed with a separate installation package
-**NOTE:** With SteathINTERVEPT v7.3.5 through 7.3.9, you could only install one instance of the
+:::note
+With SteathINTERVEPT v7.3.5 through 7.3.9, you could only install one instance of the
Administration Console, and that too on the same machine as the Enterprise Manager. Threat
Prevention v7.4 supports the deployment of remote Administration Console, enabling you to install
additional consoles on standalone machines, like administrator or user workstations. In this way,
users can launch the Administration Console on their workstations, as an alternate to using it on
the Enterprise Manager server only.
+:::
+
The following components are installed by the Threat Prevention installation package:
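Review bot: the rewritten line spells the product "SteathINTERVEPT v7.3.5 through 7.3.9"; the upgrade/overview.md hunk in this patch spells it StealthINTERCEPT, so fix the typo while the line is being replaced. "and that too on the same machine as the Enterprise Manager" is also awkward; "and only on the same machine as the Enterprise Manager" says the same thing.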
@@ -69,7 +72,7 @@ The following files are available for download:
Occasionally, an organization’s anti-virus program may shut down the processes launched by Threat
Prevention. The processes that may be impacted are listed below.
-Threat Prevention Server
+**Threat Prevention Server**
Files located within the Threat Prevention installation directory:
`…\Netwrix\Netwrix Threat Prevention`
@@ -80,7 +83,7 @@ Files located within the Threat Prevention installation directory:
- SI.Services.Schedule.Host.exe
- SIWindowsAgent.exe
-Agent Server
+**Agent Server**
Files located within the Threat Prevention Agent installation directory:
`…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent`
@@ -99,7 +102,7 @@ The following file in the directory: `…\Netwrix\StealthAudit\FSAC`
- SBTService.exe
-Client Machines
+**Client Machines**
If you are using Threat Prevention's Enterprise Password Enforcer (EPE) User Feedback module for
client machines, the following file should be excluded:
@@ -109,7 +112,7 @@ client machines, the following file should be excluded:
If this file is blocked by antivirus software, the reasons for rejecting a candidate password will
not be displayed to the end-user, but all EPE rules will be fully enforced.
-Domain Controllers
+**Domain Controllers**
- PPE.dll – If PPE.dll does not load, the password policy will not get enforced
@@ -118,7 +121,7 @@ Domain Controllers
If you are using Netwrix Password Policy Enforcer, the processes that may be impacted are listed
below.
-Client Machines
+**Client Machines**
The following DLLs on the client machines (all computers, mostly end user desktops/laptops) will not
work if they get blocked by antivirus software:
@@ -126,7 +129,7 @@ work if they get blocked by antivirus software:
- PPEClt.dll
- APRClt.dll
-Netwrix Password Reset Server
+**Netwrix Password Reset Server**
If you are using Netwrix Password Reset, then make sure the antivirus program does not block the
following files on the Netwrix Password Reset server:
diff --git a/docs/threatprevention/7.4/install/reportingmodule/application.md b/docs/threatprevention/7.4/install/reportingmodule/application.md
index 54cfdae8af..ef7801bb95 100644
--- a/docs/threatprevention/7.4/install/reportingmodule/application.md
+++ b/docs/threatprevention/7.4/install/reportingmodule/application.md
@@ -12,19 +12,25 @@ while installing the application.
Follow the steps to install the application.
-**CAUTION:** The PostgreSQL database application must be installed before the application is
+:::warning
+The PostgreSQL database application must be installed before the application is
installed.
+:::
-**NOTE:** These steps assume you have launched the installer through the Netwrix Setup Launcher
+
+:::note
+These steps assume you have launched the installer through the Netwrix Setup Launcher
(`Netwrix_Setup.exe`). If you are not using it, right-click on `NetwrixThreatManagerReporting.exe`
and select Run as administrator. Then skip to Step 2.
+:::
+

**Step 1 –** Click **Netwrix Threat Manager Reporting**. The Netwrix Threat Manager Reporting Setup
wizard opens.
-
+
**Step 2 –** Click **Install**.
@@ -33,7 +39,7 @@ wizard opens.
**Step 3 –** Read the End User License Agreement and select the I accept the license agreement
checkbox. Click **Next**.
-
+
**Step 4 –** By default, the installation directory is set to:
diff --git a/docs/threatprevention/7.4/install/reportingmodule/database.md b/docs/threatprevention/7.4/install/reportingmodule/database.md
index 5b31e0bdd4..876eae7989 100644
--- a/docs/threatprevention/7.4/install/reportingmodule/database.md
+++ b/docs/threatprevention/7.4/install/reportingmodule/database.md
@@ -12,11 +12,17 @@ be provided while installing the application.
Follow the steps to install the PostgreSQL database application.
-**CAUTION:** The PostgreSQL database application must be installed before the application.
+:::warning
+The PostgreSQL database application must be installed before the application.
+:::
-**NOTE:** These steps assume you have launched the installer through the Netwrix Setup Launcher
+
+:::note
+These steps assume you have launched the installer through the Netwrix Setup Launcher
`(Netwrix_Setup.exe`). If you are not using the launcher, right-click on `NetwrixPostgreSQL14.exe`
and select Run as administrator. Then skip to Step 2.
+:::
+

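Review bot: the unchanged line inside the new note has the code span misplaced, "`(Netwrix_Setup.exe`)", so the opening parenthesis is rendered as code and the closing one is not; the application.md hunk in this patch has it as "(`Netwrix_Setup.exe`)". Worth correcting since the surrounding lines are being reworked.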
@@ -26,7 +32,7 @@ and select Run as administrator. Then skip to Step 2.
**Step 2 –** Click Install.
-
+
**Step 3 –** Read the End User License Agreement and select the I accept the license agreement
checkbox. Click Next.
diff --git a/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md b/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md
index d831c974ae..d19e2e4608 100644
--- a/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md
+++ b/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md
@@ -40,7 +40,7 @@ The built-in ADMIN account password is now set.
If the Enable MFA option is set to OFF, no additional configuration is required and the Netwrix
Threat Manager Reporting Module Console opens. See the
-[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module)
+[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module)
topic for initial configuration information.
If the Enable MFA option is set to ON, registration of an MFA authenticator is required. Proceed to
@@ -67,5 +67,5 @@ of codes to access for account recovery, if needed.
Once MFA is configured for this account, the Netwrix Threat Manager Reporting Module console opens.
See the
-[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module)
+[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module)
topic for the next steps.
diff --git a/docs/threatprevention/7.4/install/reportingmodule/overview.md b/docs/threatprevention/7.4/install/reportingmodule/overview.md
index 31db6b939b..82c8828e7d 100644
--- a/docs/threatprevention/7.4/install/reportingmodule/overview.md
+++ b/docs/threatprevention/7.4/install/reportingmodule/overview.md
@@ -13,21 +13,24 @@ topic.
The Netwrix Threat Manager Reporting Module installer is packaged with three executable files.
-**CAUTION:** The PostgreSQL database must be installed before installing Netwrix Threat Manager
+:::warning
+The PostgreSQL database must be installed before installing Netwrix Threat Manager
Reporting Module.
+:::
-Netwrix_Setup.exe
+
+**Netwrix_Setup.exe**
This executable starts a setup launcher containing buttons to install the PostgreSQL database and
the application. The launcher installs these components on the same server. See the installation
details for each components below.
-NetwrixPostgreSQL14.exe
+**NetwrixPostgreSQL14.exe**
This executable is for installing the PostgreSQL database on a different server from the
application.
-NetwrixThreatManagerReporting.exe
+**NetwrixThreatManagerReporting.exe**
This executable is for installing the application and its services:
@@ -93,5 +96,5 @@ launcher opens. You can now install the following components on the same server:
topic for additional information.
After completing the first launch, it is time to complete the initial configuration. See the
-[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module)
+[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module)
topic for additional information.
diff --git a/docs/threatprevention/7.4/install/reportingmodule/secure.md b/docs/threatprevention/7.4/install/reportingmodule/secure.md
index 6124541b65..e569f11e50 100644
--- a/docs/threatprevention/7.4/install/reportingmodule/secure.md
+++ b/docs/threatprevention/7.4/install/reportingmodule/secure.md
@@ -20,9 +20,12 @@ Complete the steps to create or obtain a certificate and import it.
Module server and import it into the Windows Certificate LocalMachine Personal store on the Netwrix
Threat Manager Reporting Module server machine.
-**CAUTION:** Be very careful with the encoding of the thumbprint especially when copy/pasting the
+:::warning
+Be very careful with the encoding of the thumbprint especially when copy/pasting the
thumbprint from certmgr.msc. This can often cause encoding issues so ensure ANSI encoding when
editing the configuration files discussed in this topic.
+:::
+
**Step 2 –** Copy the thumbprint of the certificate as you will need to utilize it while editing
the configuration files.
@@ -34,7 +37,7 @@ Follow the steps to configure the Web Service Configuration file.
**Step 1 –** Open the Web Service configuration file on the Netwrix Threat Manager Reporting
Module server.
-C:\Program Files\STEALTHbits\StealthDEFEND\WebService\appsettings.json
+**C:\Program Files\STEALTHbits\StealthDEFEND\WebService\appsettings.json**
**Step 2 –** Append the **WebService** and **ADService** sections to the end of the file. Remember
to add a trailing comma after the `“EncryptRecording”:false` line.
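Review bot: the instruction "add a trailing comma after the `“EncryptRecording”:false` line" uses typographic quotes inside a code span; appsettings.json is JSON, which only accepts straight double quotes, and the warning in the previous hunk is specifically about encoding problems when editing this file, so render it as `"EncryptRecording": false` here and in the identical line of the ActiveDirectoryService hunk below. Bolding the `C:\Program Files\…\appsettings.json` path rather than using a code span has the same consistency issue as the other path lines in this patch.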
@@ -62,7 +65,10 @@ to add a trailing comma after the `“EncryptRecording”:false` line.
}
```
-**CAUTION:** Do not modify the Jwt section of the appsettings.json file.
+:::warning
+Do not modify the Jwt section of the appsettings.json file.
+:::
+
**Step 3 –** In the WebService and ADService sections, ports are set to 8080 and 55556
respectively. Make sure these ports are available on your machine.
@@ -91,7 +97,7 @@ Follow the steps to configure the Active Directory Service Configuration file.
**Step 1 –** Open the Active Directory Service configuration file on the Netwrix Threat Manager
Reporting Module server:
-C:\Program Files\STEALTHbits\StealthDEFEND\ActiveDirectoryService\appsettings.json
+**C:\Program Files\STEALTHbits\StealthDEFEND\ActiveDirectoryService\appsettings.json**
**Step 2 –** Append the **WebService** section to the end of the file. Remember to add a trailing
comma after the `“EncryptRecording”:false` line in the file.
@@ -113,7 +119,10 @@ comma after the `“EncryptRecording”:false` line in the file.
}
```
-**CAUTION:** Do not modify the Jwt section of the appsettings.json file.
+:::warning
+Do not modify the Jwt section of the appsettings.json file.
+:::
+
**Step 3 –** In the WebService section, the port is set to 55556. Make sure it is available on
your machine.
diff --git a/docs/threatprevention/7.4/install/upgrade/agent.md b/docs/threatprevention/7.4/install/upgrade/agent.md
index fc55819d1a..b02aa418cd 100644
--- a/docs/threatprevention/7.4/install/upgrade/agent.md
+++ b/docs/threatprevention/7.4/install/upgrade/agent.md
@@ -8,8 +8,11 @@ sidebar_position: 20
The Threat Prevention Agent is updated from the Agents interface.
-**NOTE:** If you are using an Endpoint Detection and Response (EDR) solution to protect LSASS, you
+:::note
+If you are using an Endpoint Detection and Response (EDR) solution to protect LSASS, you
must create an exclusion for Threat Prevention using any of these methods:
+:::
+
- Add the path or names of the files listed under Agent Server in the
[Antivirus Software Considerations](/docs/threatprevention/7.4/install/overview.md#antivirus-software-considerations)
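Review bot: the `:::` closes the note immediately after "you must create an exclusion for Threat Prevention using any of these methods:", so the bullet list of methods that follows renders outside the note; move the closing fence to after the last method bullet.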
@@ -35,16 +38,22 @@ opens.
Threat Prevention Agent**. The green bar indicates the progress of checking the Agent for a newer
version. If a new version is available, click **Apply Update**.
-_Remember,_ when an Agent is out-of-date, the Version String column on the Agents interface has an
+:::tip
+Remember, when an Agent is out-of-date, the Version String column on the Agents interface has an
orange background.
+:::
+
**Step 4 –** Right-click an out-of-date Agent and select **Upgrade Agent** on the right-click menu.
The Access Verification window opens.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+

@@ -56,8 +65,11 @@ this link to bring back the focus to the wizard.
- If some but not all items fail, it is possible to click **Next** to continue the action on those
where access verification was successful.
-**NOTE:** Closing the Administration Console while this action is in process causes problems with
+:::note
+Closing the Administration Console while this action is in process causes problems with
data collection.
+:::
+

diff --git a/docs/threatprevention/7.4/install/upgrade/overview.md b/docs/threatprevention/7.4/install/upgrade/overview.md
index 129efc92d3..df374d2bd3 100644
--- a/docs/threatprevention/7.4/install/upgrade/overview.md
+++ b/docs/threatprevention/7.4/install/upgrade/overview.md
@@ -9,9 +9,12 @@ sidebar_position: 110
This topic provides the basic steps needed to upgrade StealthINTERCEPT 7.3.7+. For older versions,
please reach out to [Netwrix Support](https://www.netwrix.com/support.html) for assistance.
-**NOTE:** By design, the Threat Prevention 7.4 server (Enterprise Manager) will not accept
+:::note
+By design, the Threat Prevention 7.4 server (Enterprise Manager) will not accept
connections from pre 7.3.9 Agents. Existing customers must upgrade to 7.3.9 first. Else pre 7.3.9
Agents will be orphaned.
+:::
+
Typically a new release includes new policy templates. The Templates Update window displays the
following message after an update: “Changes to Default Templates Detected. Do you want to update
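Review bot: "pre 7.3.9 Agents" appears twice in the rewritten lines; hyphenate it as "pre-7.3.9 Agents", and "Else pre 7.3.9 Agents will be orphaned" reads better as "Otherwise, pre-7.3.9 Agents will be orphaned."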
@@ -20,7 +23,7 @@ Templates?” Click **Yes** to import or **No** to skip. See the
topic for instructions on importing these templates if you selected **No** during the upgrade
process.
-See the [What's New](/docs/threatprevention/7.4/overview/whatsnew.md) topic for
+See the [What's New](/docs/threatprevention/7.4/whatsnew.md) topic for
details on new and improved features included with each release.
## Considerations
@@ -30,8 +33,11 @@ installed as well as all systems where the Agent is deployed. For deploying Agen
[Agents Interface](/docs/threatprevention/7.4/admin/agents/overview.md)
topic.
-**_RECOMMENDED:_** It is a best practice to export policies for backup prior to performing an
+:::info
+It is a best practice to export policies for backup prior to performing an
upgrade.
+:::
+
For NAS file system monitoring, Threat Prevention works in conjunction with the Activity Monitor.
Hence, the agent versions for the two products must be compatible. See the
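Review bot: converting `**_RECOMMENDED:_**` to a plain `:::info` drops the "Recommended" label that set this apart from an ordinary note; `:::tip Recommended` (Docusaurus admonition title syntax) keeps the label and matches the "best practice" wording of the sentence.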
@@ -87,8 +93,11 @@ topic for additional information. See the
[Manual Uninstall on the Agent Server](/docs/threatprevention/7.4/install/upgrade/uninstallagent.md#manual-uninstall-on-the-agent-server)
topic for information on removing the Agent from the server where it was deployed.
-**NOTE:** If you are running a previous version of the Agent, you must first upgrade it to 7.3.9 and
+:::note
+If you are running a previous version of the Agent, you must first upgrade it to 7.3.9 and
then to 7.4.
+:::
+
## Infrastructure Upgrade Procedure for 7.3.7 to 7.3.9
diff --git a/docs/threatprevention/7.4/install/upgrade/policytemplates.md b/docs/threatprevention/7.4/install/upgrade/policytemplates.md
index 38cc346661..b6000f277e 100644
--- a/docs/threatprevention/7.4/install/upgrade/policytemplates.md
+++ b/docs/threatprevention/7.4/install/upgrade/policytemplates.md
@@ -10,10 +10,13 @@ When new or updated policy templates are available with a Threat Prevention upgr
automatically imported when you install the latest version. The Import feature can be used to update
templates and import new templates.
-_Remember,_ use these steps when the Templates Update window option was selected as **No** during
+:::tip
+Remember, use these steps when the Templates Update window option was selected as **No** during
the
[Upgrade Procedure](/docs/threatprevention/7.4/install/upgrade/overview.md)
process.
+:::
+
Follow the steps to upgrade policy templates and import new templates.
@@ -21,7 +24,7 @@ Follow the steps to upgrade policy templates and import new templates.
**Step 2 –** In the Select Import File field, use the ellipsis (…) to browse to:
-…\Netwrix\Netwrix Threat Prevention\SIWinConsole
+**…\Netwrix\Netwrix Threat Prevention\SIWinConsole**
**Step 3 –** To import all new templates, select the **SI_Template_All** XML file. Click **Open**.
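Review bot: Bold is an odd choice for a filesystem path; a code span (`` `…\Netwrix\Netwrix Threat Prevention\SIWinConsole` ``) renders it as a path and keeps the backslashes clear of any Markdown escape handling, which is safer than `**…\Netwrix\…**`.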
@@ -37,7 +40,10 @@ Choose between:
**Step 6 –** Check the Apply to All box option to apply the selection to all duplicates found.
-**NOTE:** To only import new templates, check the **Apply to All** box and select **Skip**.
+:::note
+To only import new templates, check the **Apply to All** box and select **Skip**.
+:::
+
**Step 7 –** When the Operation Completed message us displayed, click **OK**.
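Review bot: Typo in the trailing context line of this hunk: "When the Operation Completed message us displayed" should read "is displayed"; worth fixing while this file is being touched.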
diff --git a/docs/threatprevention/7.4/install/upgrade/reportingmodule.md b/docs/threatprevention/7.4/install/upgrade/reportingmodule.md
index 4762d36aac..ae679f6b2d 100644
--- a/docs/threatprevention/7.4/install/upgrade/reportingmodule.md
+++ b/docs/threatprevention/7.4/install/upgrade/reportingmodule.md
@@ -63,7 +63,7 @@ Manager Reporting Module. The following message is displayed:
**Step 3 –** Click **OK** to upgrade. The Netwrix Threat Manager Reporting Setup wizard opens.
-
+
**Step 4 –** To follow through the steps of the wizard for upgrade, see the
[Install the Netwrix Threat Manager Reporting Module](/docs/threatprevention/7.4/install/reportingmodule/application.md)
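Review bot: The `-`/`+` pair in this hunk renders as two empty lines, so the actual change (presumably an image reference) cannot be reviewed from this view; confirm the new image reference resolves to an asset that exists in the repository. The same applies to the other image-only hunks in this diff.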
diff --git a/docs/threatprevention/7.4/install/upgrade/uninstallagent.md b/docs/threatprevention/7.4/install/upgrade/uninstallagent.md
index 6ebc1cec70..53bb561a1a 100644
--- a/docs/threatprevention/7.4/install/upgrade/uninstallagent.md
+++ b/docs/threatprevention/7.4/install/upgrade/uninstallagent.md
@@ -25,10 +25,13 @@ to connect to the target machine and query information about shares. A local Adm
on the target machine should have access to the system shares. Click **OK** after entering the
credentials.
-**NOTE:** The wizard does not block access to the Administration Console and can be minimized while
+:::note
+The wizard does not block access to the Administration Console and can be minimized while
actions are in progress. If this wizard is hidden by clicking outside of the dialog box, a flashing
blue link displays on the upper right corner of the interface with the action name displayed. Click
this link to bring back the focus to the wizard.
+:::
+
**Step 4 –** On the Access Verification window, the given credentials either succeed or fail during
a prerequisites or verification check.
@@ -39,8 +42,11 @@ a prerequisites or verification check.
- If some but not all items fail, you can click **Next** to continue the action on those where
access verification was successful.
-**NOTE:** Closing the Administration Console while this action is in process causes problems with
+:::note
+Closing the Administration Console while this action is in process causes problems with
data collection.
+:::
+
**Step 5 –** The Uninstall Agent window displays whether the Agent was successfully uninstalled or
not.
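Review bot: This text warns that closing the console "causes problems with data collection", i.e. it describes a harmful consequence rather than background information, so `:::warning` would signal it better than `:::note`.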
@@ -68,6 +74,9 @@ uninstall process:
- Netwrix Threat Prevention Group Policy Service (for monitoring GPOs)
- Netwrix Threat Prevention Exchange Monitoring Service (for Threat Prevention for Exchange)
-**_RECOMMENDED:_** Deploy the Agent to a server using the Deploy Agents wizard. See the
+:::info
+Deploy the Agent to a server using the Deploy Agents wizard. See the
[Deploy Agents](/docs/threatprevention/7.4/admin/agents/deploy/overview.md)
topic for additional information.
+
+:::
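Review bot: The blank line at the end of this `:::info` block sits before the closing `:::` instead of after it, unlike every other admonition in this diff, where `:::` immediately follows the text and the blank line comes after. Move the blank line below `:::` for consistency.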
diff --git a/docs/threatprevention/7.4/overview/_category_.json b/docs/threatprevention/7.4/overview/_category_.json
deleted file mode 100644
index 7c0e8c54cf..0000000000
--- a/docs/threatprevention/7.4/overview/_category_.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "label": "Netwrix Threat Prevention v7.4 Documentation",
- "position": 10,
- "collapsed": true,
- "collapsible": true,
- "link": {
- "type": "doc",
- "id": "overview"
- }
-}
\ No newline at end of file
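Review bot: Deleting `_category_.json` together with its `"link": { "type": "doc", "id": "overview" }` removes the `overview/` sidebar category, so any remaining link into `/docs/threatprevention/7.4/overview/` will break. This diff rewrites one such link (the What's New link in `install/upgrade/overview.md`); grep the rest of the docs tree for `7.4/overview/` before merging.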
diff --git a/docs/threatprevention/7.4/overview/overview.md b/docs/threatprevention/7.4/overview/overview.md
deleted file mode 100644
index 2c29191ac3..0000000000
--- a/docs/threatprevention/7.4/overview/overview.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: "Netwrix Threat Prevention v7.4 Documentation"
-description: "Netwrix Threat Prevention v7.4 Documentation"
-sidebar_position: 10
----
-
-# Netwrix Threat Prevention v7.4 Documentation
-
-Netwrix Threat Prevention safeguards an organization from internal and external threats by acting
-like a firewall around the critical systems and applications: Active Directory, Exchange, and file
-systems. It empowers organizations to overcome limitations in native Windows logging and security
-controls with features such as:
-
-- Active Monitoring – Threat Prevention intercepts all critical activity at the source, actively
- monitors user behavior and alerts on suspicious activities, thus generating security intelligence
- that provides visibility and security over your business assets.
-- Proactive Remediation – When a suspicious pattern of activity is identified, Threat Prevention
- issues an alert along with immediate remediation, such as blocking the compromised user account
- from further authentications. In this way, it protects business critical systems and sensitive
- data from threats such as malware and ransomware.
-- Real-time alerts – Provides inspection, alerting, and policy enforcement, serving as a security
- enhancement that protects sensitive assets and eliminates downtime from careless error.
-- Audit Trail – Provides administrators and auditors detailed records of every change, access, and
- authentication activity.
-- Third-party Integration – Threat Prevention seamlessly integrates with SIEM dashboards that an
- organization is currently leveraging. It sends SIEM reliable, insightful and context laden data in
- real-time to SIEM dashboards, removing the need for native logs.
-- Modern Architecture – With a FIPS 104-2 compliant architecture, Threat Prevention has been built
- specifically for the modern security landscape.
-
-Organizations can benefit from Threat Prevention in many ways, such as:
-
-- Catch suspicious authentication events
-- Proactively prevent unauthorized changes
-- Block the riskiest actions
-- Accelerate investigation and harden security
-- Tighten security and compliance practices
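Review bot: The product overview (feature list and benefits) is deleted here with no corresponding addition visible in the diff; confirm it has been relocated to a new landing page rather than dropped. If it is relocated, also fix "FIPS 104-2" in the Modern Architecture bullet, which should read "FIPS 140-2".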
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md
index 5e38b085a1..5e2d8f5652 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md
@@ -38,12 +38,15 @@ Directory Sync in the navigation pane.
## Add an Active Directory Sync Policy
-**NOTE:** Prior to adding an Active Directory Sync policy, you must first configure a Credential
+:::note
+Prior to adding an Active Directory Sync policy, you must first configure a Credential
Profile with credentials properly provisioned for running the sync operation for the domain. See the
[Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md)
topic for the permissions. See the
[Credential Profile Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md)
topic for additional information on creating a profile.
+:::
+
Follow the steps to add a domain/Active Directory sync policy.
@@ -187,16 +190,22 @@ represented by the domain for which it is created. Select a domain.
**Step 2 –** The Domain Configuration tab opens, where you can make the desired modification.
-_Remember,_ the domain cannot be modified.
+:::tip
+Remember, the domain cannot be modified.
+:::
+

**Step 3 –** To change the Credential Profile, select the Credential Profile by name from the
drop-down menu. This was pre-created in the Credential Profiles page.
-**NOTE:** If you change the Credential Profile for a domain, click **Test Connection** to ensure
+:::note
+If you change the Credential Profile for a domain, click **Test Connection** to ensure
connection to the domain. This will take a moment. Then a message will appear in the upper right
corner of the console indicating a successful or failed connection.
+:::
+
**Step 4 –** Click the toggle to change the Enabled/Disabled state of the policy.
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md
index be2d9cdec1..9c0eddaf0d 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md
@@ -24,7 +24,7 @@ See the
[Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md)
topic for a list of permission requirements for each type of task.
-Best Practice Recommendation
+**Best Practice Recommendation**
It is a best practice to:
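Review bot: "Best Practice Recommendation" is promoted to bold text rather than a heading, so it will not appear in the page's table of contents or be linkable; the same pattern is applied to several other pseudo-headings in this diff (Additional Options, Prerequisites, Settings Tab, Health Tab, Configure a Custom Timeframe Range). If these are section titles, a lower-level heading is the more appropriate fix.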
@@ -76,7 +76,7 @@ view a list of the already created Credential Profiles, if any.
**Step 8 –** Select a Credential Profile from the table or the navigation pane to view its details.
-
+
Select the profile from the list to see modification optionsThe following information is displayed
for a Credential Profile:
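Review bot: The trailing context line "Select the profile from the list to see modification optionsThe following information is displayed" is missing a sentence break between "options" and "The"; split it into two sentences while the file is being edited.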
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/email.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/email.md
index 9a518a75d7..7e92d78ca2 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/email.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/email.md
@@ -44,7 +44,7 @@ menu. Then select **Integrations** to open the Integrations interface.
**Step 2 –** On the Integrations interface, click **Email** in the navigation pane.
-
+
**Step 3 –** Toggle the Enabled button to **ON**, which enables the Send Test Email button.
@@ -68,9 +68,12 @@ menu. Then select **Integrations** to open the Integrations interface.
- URL – Enter the URL to the application console to be included in the email as a link. By default,
this is set to `http://localhost:8080/`.
-**_RECOMMENDED:_** When first configuring email notification, enter your email in the Send Alerts To
+:::info
+When first configuring email notification, enter your email in the Send Alerts To
field for the connection test completed in Step 4. Once the test is successful, replace your email
with the desired recipients.
+:::
+
**Step 5 –** Click **Send Test Email** to send a test notification to the configured email
address(es). Validate the email was sent by checking that the recipient received the email.
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/foldersettings.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/foldersettings.md
index 0512860053..19d35493fc 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/foldersettings.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/foldersettings.md
@@ -34,7 +34,7 @@ The Shared Folders table has the following columns:
- Last Time tested – Date timestamp when the the shared folder was tested to ensure it is configured
correctly
-Additional Options
+**Additional Options**
When you hover over a row within the Shared Folders table, three additional options are displayed:
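Review bot: Duplicated word in the context line "when the the shared folder was tested"; drop one "the" while this file is being touched.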
@@ -65,10 +65,13 @@ Investigation exports will now be saved to the designated local folder on the ap
## Add a Shared Folder
-**NOTE:** Prior to adding a shared folder, you must first configure a Credential Profile with Write
+:::note
+Prior to adding a shared folder, you must first configure a Credential Profile with Write
access to the shared folder. See the
[Credential Profile Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md)
topic for creating a profile.
+:::
+
You can specify a shared folder for exporting investigations data from subscriptions through the
Integrations menu. Follow the steps to add a shared folder.
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/netwrixintegrations.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/netwrixintegrations.md
index 434f37c0f3..6a05d7b1e4 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/netwrixintegrations.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/netwrixintegrations.md
@@ -34,12 +34,15 @@ Netwrix Integrations in the navigation pane.
## Add a Netwrix Integration
-**NOTE:** Prior to adding a Netwrix Integration, you must first configure a Credential Profile with
+:::note
+Prior to adding a Netwrix Integration, you must first configure a Credential Profile with
credentials properly provisioned for connecting to the database. See the
[Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md)
topic for the permissions. See the
[Credential Profile Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/credentialprofile.md)
topic for additional information on creating a profile.
+:::
+
Follow the steps to add a Netwrix product for integration.
@@ -89,8 +92,11 @@ error and repeat this step until a successful connection is established.
The Netwrix Integration is listed in the Integrations navigation pane.
-**NOTE:** For integration with Netwrix Threat Prevention, you can add both the main `NVMonitorData`
+:::note
+For integration with Netwrix Threat Prevention, you can add both the main `NVMonitorData`
database and the archive database, if one has been configured.
+:::
+
## Netwrix Integration Details
@@ -104,7 +110,7 @@ view a list of the already integrated Netwrix products.
**Step 9 –** Select a product from the table or the navigation pane to view the integration details.
-
+
The following information is displayed:
@@ -201,15 +207,21 @@ Netwrix Integration.
**Step 4 –** To modify the Credential Profile, select the Credential Profile by name from the
drop-down menu. This was pre-created in the Credential Profiles page.
-**NOTE:** If you modify the Credential Profile for a domain, click **Test Connection** to ensure
+:::note
+If you modify the Credential Profile for a domain, click **Test Connection** to ensure
connection to the database. This will take a moment. Then a message will appear in the upper right
corner of the console indicating a successful or failed connection.
+:::
+
**Step 5 –** For the Configuration Catalog Name, modify the value by typing in the textbox.
**Step 6 –** For the Catalog Name, modify the value by typing in the textbox.
-_Remember,_ the Integration Service URL value should not be modified.
+:::tip
+Remember, the Integration Service URL value should not be modified.
+:::
+
**Step 7 –** Check or uncheck the Show Deleted Policies box as desired.
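Review bot: The new `:::note` still says "If you modify the Credential Profile for a domain", but this page is about a Netwrix Integration and the next sentence checks "connection to the database"; this looks copied from the Active Directory Sync page and should read "for a Netwrix Integration".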
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/page/saml.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/page/saml.md
index ce9e8090cb..a3c71ed239 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/page/saml.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/page/saml.md
@@ -30,7 +30,7 @@ The details page for a SAML authentication provider has two tabs:
- Configuration
- Users/Groups
-Prerequisites
+**Prerequisites**
For users to be able to use SAML, "SMTP" must be set up and an email address must be stored with the
respective users.
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/tagmanagement.md b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/tagmanagement.md
index ead49c3b41..51844be73a 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/integrations/tagmanagement.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/integrations/tagmanagement.md
@@ -79,7 +79,7 @@ a list of tags.
**Step 8 –** Select a tag from the table or the navigation pane to view its details.
-
+
This page provides the following information:
@@ -99,7 +99,10 @@ This page provides the following information:
On the tag details window, click the Type drop-down menu to apply a filter.
-**_RECOMMENDED:_** Apply the desired Type filters when searching for objects to tag.
+:::info
+Apply the desired Type filters when searching for objects to tag.
+:::
+

diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/interface/systemjobs.md b/docs/threatprevention/7.4/reportingmodule/configuration/interface/systemjobs.md
index 10a3a0a58d..777b860ef5 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/interface/systemjobs.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/interface/systemjobs.md
@@ -27,7 +27,7 @@ health details.

-Settings Tab
+**Settings Tab**
The Settings tab has the following configurable settings:
@@ -43,7 +43,7 @@ The Settings tab has the following configurable settings:
happening at the currently configured interval. By default, this is set to midnight, 12:00 AM. Use
the clock menu to select the desired time.
-Health Tab
+**Health Tab**
The Health tab displays the following information:
diff --git a/docs/threatprevention/7.4/reportingmodule/configuration/interface/useraccess.md b/docs/threatprevention/7.4/reportingmodule/configuration/interface/useraccess.md
index ec2f4ef0cd..da7b483e0a 100644
--- a/docs/threatprevention/7.4/reportingmodule/configuration/interface/useraccess.md
+++ b/docs/threatprevention/7.4/reportingmodule/configuration/interface/useraccess.md
@@ -20,13 +20,19 @@ Roles are assigned by the following methods:
- Group Membership – Members of the group will be given the role assigned
- **NOTE:** If a user is a member of multiple assigned groups, the group with the highest level of
+ :::note
+ If a user is a member of multiple assigned groups, the group with the highest level of
privilege is assigned
+ :::
+
- Direct User Assignment – Assigns a role directly to a user
- **NOTE:** If a user is assigned a role directly, it takes priority over any group membership
+ :::note
+ If a user is assigned a role directly, it takes priority over any group membership
roles that have been assigned
+ :::
+
The User Access page has the following sections:
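Review bot: The admonitions nested inside the list items indent their `:::note` fences, but the continuation lines ("privilege is assigned", "roles that have been assigned") keep no indentation, so they rely on lazy continuation to stay inside the admonition. Indent them to match the fence so MDX cannot split the block; the same applies to the nested notes in the next hunk of this file and in `export.md`.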
@@ -49,8 +55,11 @@ The table displays the following information:
- Access rule type – Indicates the access type as _Allow_, which enables console access, or _Deny_,
which disables console access
- **NOTE:** Disabling a user or group disables that level of access. It does not block the user or
+ :::note
+ Disabling a user or group disables that level of access. It does not block the user or
group from logging into the console if they have access through another role assignment.
+ :::
+
- Login name – The NTStyle domain name for the user or group account
- Display name – The display name for the user or group account
@@ -114,9 +123,12 @@ The following roles can be assigned to users and groups:
- Can export any investigation
- Can create or modify any subscription
-**NOTE:** For Netwrix Threat Manager Reporting Module, the Responders and Reviewers roles provide
+:::note
+For Netwrix Threat Manager Reporting Module, the Responders and Reviewers roles provide
the same capabilities. The Responders role has additional permissions in a full Threat Manager
deployment.
+:::
+
### Authentication Types Defined
@@ -137,10 +149,13 @@ topic for additional information.
### Add Console Access
-**NOTE:** Verify that an Active Directory Sync has completed to ensure that user and group
+:::note
+Verify that an Active Directory Sync has completed to ensure that user and group
information is updated. See the
[Active Directory Sync Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md)
for additional information.
+:::
+
Follow the steps to add console access for a user or group.
@@ -157,8 +172,11 @@ populate as you type with available options. Select a user or group from the men
**Step 4 –** Select an authentication type from the **Authentication Type** drop-down menu.
-_Remember,_ authentication provider profile types are displayed after an integration has been
+:::tip
+Remember, authentication provider profile types are displayed after an integration has been
configured on the Authentication Provider page of the Integrations interface.
+:::
+
**Step 5 –** Select a role to assign it to the user or group from the **Role** drop-down menu.
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/auditcompliance.md b/docs/threatprevention/7.4/reportingmodule/investigations/auditcompliance.md
index 192f8bc09f..af5242c060 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/auditcompliance.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/auditcompliance.md
@@ -33,16 +33,17 @@ topic for additional information.
By default, this folder contains the following saved investigations:
-| Investigation | Description | Filters |
-| --------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| AD Changes | All Active Directory changes | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Change |
-| AD Changes by Domain Admins | All Active Directory changes by Domain Admins | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Change AND - Attribute 2 = Tag (Effective) - Operator 2 = Equals - Filter 2 = Domain Admin |
-| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Authentication |
-| All Events | New Investigation | No filters set |
-| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Authentication AND - Attribute 2 = Success - Operator 2 = Equals - Filter 2 = false |
-| LDAP Search | All LDAP search events | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = LDAP Search |
-| Privileged Account Activity | All activity by privileged accounts | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Privileged |
-| Service Account Activity | All activity by service accounts | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Service Account |
-| Watchlist User Activity | All activity by watchlist users | One filter statement set: - Attribute = Tag (Effective) - Operator = Equals - Filter = Watchlist |
+| Investigation | Description | Filters |
+| ------------------- | ------------------------ | ---------------- |
+| AD Changes | All Active Directory changes | One filter statement set: - Attribute = Event Operation
- Operator = Equals
- Filter = Active Directory Change
|
+| AD Changes by Domain Admins | All Active Directory changes by Domain Admins | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Change
AND- Attribute 2 = Tag (Effective)
- Operator 2 = Equals
- Filter 2 = Domain Admin
|
+| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: - Attribute = Event Operation
- Operator = Equals
- Filter = Active Directory Authentication
|
+| All Events | New Investigation | No filters set |
+| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Authentication
AND- Attribute 2 = Success
- Operator 2 = Equals
- Filter 2 = false
|
+| LDAP Search | All LDAP search events | One filter statement set: - Attribute = Event Operation
- Operator = Equals
- Filter = LDAP Search
|
+| Privileged Account Activity | All activity by privileged accounts | One filter statement set: - Attribute = Tag (Direct)
- Operator = Equals
- Filter = Privileged
|
+| Service Account Activity | All activity by service accounts | One filter statement set: - Attribute = Tag (Direct)
- Operator = Equals
- Filter = Service Account
|
+| Watchlist User Activity | All activity by watchlist users | One filter statement set: - Attribute = Tag (Effective)
- Operator = Equals
- Filter = Watchlist
|
+
You can save additional investigations to this folder.
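Review bot: The rewritten table is broken: GFM requires each table row on a single line, but the Filters cells for every row except All Events are now split across several lines (`- Operator = Equals`, `- Filter = ...`, a lone `|`), so the parser will end the table after the first row and render the rest as loose list items and stray pipes. Keep one line per row and use `<br />` for the intended line breaks inside the cell, or revert to the original single-line rows. Also "AND- Attribute 2" has lost the space after "AND".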
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md b/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md
index 8f328f3a66..b28575dffa 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md
@@ -28,14 +28,10 @@ Click an investigation to open it.
There is an empty star icon beside the name of an investigation not identified as a favorite.
-
-
Click the star to add the investigation to your Favorites list.
## Remove an Investigation from Your Favorites
There is a yellow star icon beside the name of an investigation identified as a favorite.
-
-
Click the yellow star to remove the investigation from your Favorites list.
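Review bot: The two removed lines after "There is an empty star icon..." and "There is a yellow star icon..." show as empty here; if they were the screenshots of the icons, the surrounding sentences now describe an icon the reader no longer sees. Confirm the removal is intended and not a stale image reference that should have been replaced.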
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/newinvestigation.md b/docs/threatprevention/7.4/reportingmodule/investigations/newinvestigation.md
index 0732053a3e..ef0ba48f4b 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/newinvestigation.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/newinvestigation.md
@@ -25,8 +25,11 @@ See the
[Investigation Reports](/docs/threatprevention/7.4/reportingmodule/investigations/reports/reports.md)
topic for additional information.
-**NOTE:** If you run a query without applying filters, the report sections display all activity by
+:::note
+If you run a query without applying filters, the report sections display all activity by
all users for the designated timeframe, which is set by default to _Last Hour_.
+:::
+
The report generated by a New Investigation can be exported. The Schedule Export option is not
available from the New Investigation page. See the
@@ -40,8 +43,11 @@ The Save option allows you to save your configured filters to run the investigat
To retain filter configuration after running a query and confirming the desired report data is
displayed, follow the steps to save an investigation.
-**NOTE:** This option is available only to users with the Administrator or the Response Managers
+:::note
+This option is available only to users with the Administrator or the Response Managers
roles.
+:::
+
**Step 1 –** On the New Investigation page, click **Save** in the upper right corner. The Save
Investigation window opens.
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/options/export.md b/docs/threatprevention/7.4/reportingmodule/investigations/options/export.md
index 32e8a024a7..77b1045403 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/options/export.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/options/export.md
@@ -24,11 +24,17 @@ drop-down menu:
- Export as JSON – Generates and downloads the report as a JSON file to your Downloads folder
- Send as Email – Opens the Send as Email window to send the report to recipients
- **NOTE:** This option requires an email server to be configured.
+ :::note
+ This option requires an email server to be configured.
+ :::
+
- Schedule Export – Opens the Schedule export window to save a copy of the report to a shared folder
- **NOTE:** This option requires a shared folder to be configured.
+ :::note
+ This option requires a shared folder to be configured.
+ :::
+
Reports will be downloaded to the Downloads folder on your local machine, according to your browser
settings. You can configure a folder on the application server to place copies of all exported
@@ -40,10 +46,13 @@ topic for additional information.
## Send as Email
-**NOTE:** This option requires an email server to be configured. If this requirement is not met, a
+:::note
+This option requires an email server to be configured. If this requirement is not met, a
message will appear in the window. See
the[Email Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/email.md)
topic for additional information.
+:::
+
You can send the report data of an investigation as an attachment to an email. The attachment can be
any of the file formats available for download. Follow the steps to send a report as an email
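Review bot: Missing space in the context line "See the[Email Page](...)" inside the new `:::note`; it should read "See the [Email Page](...)".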
@@ -75,10 +84,13 @@ The recipients will receive the report as an attachment to an email.
## Scheduled Export
-**NOTE:** This option requires a shared folder to be configured.If this requirement is not met, a
+:::note
+This option requires a shared folder to be configured.If this requirement is not met, a
message will appear in the window. See the
[Folder Settings Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/foldersettings.md)
section for additional information.
+:::
+
You can schedule to save the report data of an investigation to a shared folder. The file format can
be any of the formats available for download. Follow the steps to schedule a report export.
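Review bot: The added line "This option requires a shared folder to be configured.If this requirement is not met" is missing a space after the period; since the line is being rewritten anyway, fix it here.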
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/options/filters.md b/docs/threatprevention/7.4/reportingmodule/investigations/options/filters.md
index c43a7bc652..20917e91a5 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/options/filters.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/options/filters.md
@@ -66,10 +66,13 @@ clock and a calendar for setting a custom range:
- Custom timeframe – Specified by the start and end date and time range set in the clock / calendar
section
-**NOTE:** The timeframe property is saved with the investigation filters. However, it can be
+:::note
+The timeframe property is saved with the investigation filters. However, it can be
modified to run a query ad hoc with the same filter statement but a different timeframe.
+:::
-Configure a Custom Timeframe Range
+
+**Configure a Custom Timeframe Range**
Follow the steps to configure a custom timeframe range.
@@ -193,8 +196,11 @@ populate in a drop-down menu as you type. Select the desired value from the drop
value you type is not available in the drop-down menu, use the Add button to add it to the Filter
box.
-**NOTE:** Adding additional values in the same Filter box will add an OR statement for the
+:::note
+Adding additional values in the same Filter box will add an OR statement for the
attribute. For example:
+:::
+
- When:
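Review bot: the new closing `:::` is placed right after "For example:", so the example bullets that follow (`- When:` and the rest) now render outside the admonition that introduces them, and the note ends on a dangling colon. Either move the closing `:::` to after the whole example block or end the note at "attribute." and let the example stand as normal body text.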
@@ -216,7 +222,10 @@ and repeat steps 4-6. The AND operator is automatically applied to group multipl
- Then the query will return activity for all domain admins except nwxtech\ad.bruce.wayne
-**NOTE:** Click the X at the end of a row to remove it from the statement.
+:::note
+Click the X at the end of a row to remove it from the statement.
+:::
+
Once the filter is set, you can generate the report ad hoc by clicking **Run Query**. The allows you
to test if your filter statement is working as desired. Save the investigation for reuse. You can
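Review bot: the unchanged context line "Run Query**. The allows you to test if your filter statement is working" carries a pre-existing typo ("The allows" for "This allows"); worth correcting while this file is being touched.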
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/options/overview.md b/docs/threatprevention/7.4/reportingmodule/investigations/options/overview.md
index a986654e49..1576d4e98d 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/options/overview.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/options/overview.md
@@ -51,8 +51,11 @@ Every investigation has the following options at the top of the page:
[Filters Section](/docs/threatprevention/7.4/reportingmodule/investigations/options/filters.md)
topic for additional information.
-**NOTE:** For an investigations to return information on user display names, groups, or email
+:::note
+For an investigations to return information on user display names, groups, or email
addresses, the StealthDEFEND Active Directory Service must be running to collect Active Directory
data prior to running an investigation. See the
[Active Directory Sync Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md)
topic for additional information.
+
+:::
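Review bot: the closing `:::` here is preceded by a blank `+` line, unlike every other admonition in this patch where `:::` directly follows the last line of text; drop the blank line for consistency. The rewritten `+For an investigations to return information` line also keeps the pre-existing grammatical slip; since the line is already being changed, make it "For an investigation to return information".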
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/options/subscription.md b/docs/threatprevention/7.4/reportingmodule/investigations/options/subscription.md
index 3471ba3c11..3c46c43bd8 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/options/subscription.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/options/subscription.md
@@ -18,10 +18,13 @@ receive this report as an email attachment in a specified format.

-**NOTE:** This option requires an email server to be configured.If this requirement is not met, a
+:::note
+This option requires an email server to be configured.If this requirement is not met, a
message will appear in the window. See
the[Email Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/email.md)
topic for additional information.
+:::
+
## Subscribe to an Investigation
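Review bot: same two spacing defects as in the export page: `configured.If` on the first body line of the new `:::note` needs a space after the period, and the context line `the[Email Page](...)` needs a space before the link. Both are cheap to fix in this hunk rather than leaving them for a later pass.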
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/predefinedinvestigations.md b/docs/threatprevention/7.4/reportingmodule/investigations/predefinedinvestigations.md
index 06c16a6ec8..d80b04d9eb 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/predefinedinvestigations.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/predefinedinvestigations.md
@@ -40,13 +40,14 @@ as the Predefined Investigations page, scoped to the investigations within that
By default, this folder contains the following saved investigations:
-| Investigation | Description | Filters |
-| ------------------------- | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Computer Added | Created when a computer is added | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Create AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer |
-| Computer Deleted | Created when a computer is deleted | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Delete AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer |
-| Computer Disabled | Created when a computer is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Disabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer |
-| Computer Enabled | Created when a computer is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Enabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer |
-| Computer Password Changed | Created when a computer password is changed | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer |
+| Investigation | Description | Filters |
+| ------------------------- | ------------------------------ | --------------------------- |
+| Computer Added | Created when a computer is added | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Create
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = computer
|
+| Computer Deleted | Created when a computer is deleted | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Delete
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = computer
|
+| Computer Disabled | Created when a computer is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Disabled
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = computer
|
+| Computer Enabled | Created when a computer is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Enabled
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = computer
|
+| Computer Password Changed | Created when a computer password is changed | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Password Changed
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = computer
|
+
You can save additional investigations to this folder.
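Review bot: the rebuilt table rows are broken across multiple lines (`| Computer Added | Created when a computer is added | Two filter statements set: - Attribute 1 = Event Operation` followed by `- Operator 1 = Equals` and the closing `|` on their own lines), which Markdown tables do not support; each row has to be a single line, so this will render as a broken table followed by stray list items. Keep each row on one line and, if line breaks inside the Filters cell are wanted, use `<br />` between the items. The rewrite also dropped the space in `AND- Attribute 2 = Object Class` that the original `AND - Attribute 2` had.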
@@ -54,13 +55,14 @@ You can save additional investigations to this folder.
By default, this folder contains the following saved investigations:
-| Investigation | Description | Filters |
-| -------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Group Added | Occurs when a group of any type is created | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Create AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group |
-| Group Deleted | Created when a group is removed / deleted | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Delete AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group |
-| Group Member Added | Created when a member is added to a group | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Group Members Added AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group |
-| Group Member Removed | Created when one or more members of a group are removed | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Group Members Removed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group |
-| Group Moved | Occurs when a group is moved from one container to another | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Object Move AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group |
+| Investigation | Description | Filters |
+| -------------------- | -------------------------- | -------------------------- |
+| Group Added | Occurs when a group of any type is created | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Create
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = group
|
+| Group Deleted | Created when a group is removed / deleted | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Delete
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = group
|
+| Group Member Added | Created when a member is added to a group | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Group Members Added
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = group
|
+| Group Member Removed | Created when one or more members of a group are removed | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Group Members Removed
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = group
|
+| Group Moved | Occurs when a group is moved from one container to another | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Object Move
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = group
|
+
You can save additional investigations to this folder.
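Review bot: same multi-line-row problem as in the Computer table: rows such as `| Group Added | Occurs when a group of any type is created | Two filter statements set: - Attribute 1 = Event Operation` continue on the following lines and will not render as a table. Keep each row on one line (with `<br />` separators inside the Filters cell if needed) and restore the space in `AND - Attribute 2`.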
@@ -68,13 +70,14 @@ You can save additional investigations to this folder.
By default, this folder contains the following saved investigations:
-| Investigation | Description | Filters |
-| ----------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| iNetOrgPeson Account Disabled | Created when an iNetOrgPerson account is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Disabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson |
-| iNetOrgPeson Account Enabled | Created when an iNetOrgPerson account is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Enabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson |
-| iNetOrgPeson Added | Created when an iNetOrgPerson User account is added | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Create AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson |
-| iNetOrgPeson Deleted | Created when an iNetOrgPerson is deleted | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Delete AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson |
-| iNetOrgPeson Password Changed | Created when the password is reset or changed by an administrator | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson |
+| Investigation | Description | Filters |
+| ----------------------- | ------------------ | ------------------------ |
+| iNetOrgPeson Account Disabled | Created when an iNetOrgPerson account is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Disabled
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = inetOrgPerson
|
+| iNetOrgPeson Account Enabled | Created when an iNetOrgPerson account is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Enabled
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = inetOrgPerson
|
+| iNetOrgPeson Added | Created when an iNetOrgPerson User account is added | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Create
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = inetOrgPerson
|
+| iNetOrgPeson Deleted | Created when an iNetOrgPerson is deleted | Two filter statements set: - Attribute 1 = Event Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Delete
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = inetOrgPerson
|
+| iNetOrgPeson Password Changed | Created when the password is reset or changed by an administrator | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Password Changed
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = inetOrgPerson
|
+
You can save additional investigations to this folder.
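Review bot: the multi-line rows in this table have the same rendering problem as the two tables above and need the same one-row-per-line fix. Separately, all five investigation names in the first column read `iNetOrgPeson` (both before and after this change); if that is a documentation typo rather than the literal name shown in the product, this rewrite of the rows is the right place to correct it to `iNetOrgPerson`, so confirm against the UI before merging.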
@@ -82,14 +85,15 @@ You can save additional investigations to this folder.
By default, this folder contains the following saved investigations:
-| Investigation | Description | Filters |
-| ------------------------------ | ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| User Account Disabled | Created when a user account is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Disabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user |
-| User Account Enabled | Created when a user account is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Enabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user |
-| User Account Locked | Created when a user account is locked | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Locked AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user |
-| User Account Unlocked | Created when a user account is unlocked | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Unlocked AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user |
-| User Password Change | Created when a user performs a password reset | Three filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Active Directory Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user AND - Attribute 3 = Perpetrator - Operator 3 = Equals - Filter 3 = nt authority\anonymous logon |
-| User Password Reset and Change | Created when a user resets their password or when an administrator changes their password | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user |
-| User Primary Group Changed | Created when a user's group is changed typically from Domain Users to another group | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Primary Group Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user |
+| Investigation | Description | Filters |
+| ----------------------- | ----------------------- | ------------------- |
+| User Account Disabled | Created when a user account is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Disabled
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
|
+| User Account Enabled | Created when a user account is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Enabled
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
|
+| User Account Locked | Created when a user account is locked | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Locked
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
|
+| User Account Unlocked | Created when a user account is unlocked | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Account Unlocked
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
|
+| User Password Change | Created when a user performs a password reset | Three filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Active Directory Password Changed
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
AND- Attribute 3 = Perpetrator
- Operator 3 = Equals
- Filter 3 = nt authority\anonymous logon
|
+| User Password Reset and Change | Created when a user resets their password or when an administrator changes their password | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Password Changed
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
|
+| User Primary Group Changed | Created when a user's group is changed typically from Domain Users to another group | Two filter statements set: - Attribute 1 = Event Sub-Operation
- Operator 1 = Equals
- Filter 1 = Primary Group Change
AND- Attribute 2 = Object Class
- Operator 2 = Equals
- Filter 2 = user
|
-You can save additional investigations to this folder.
+
+You can save additional investigations to this folder.
\ No newline at end of file
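Review bot: besides the multi-line-row problem shared with the other three tables, this hunk changes `Filter 1 = Primary Group Changed` to `Filter 1 = Primary Group Change` in the User Primary Group Changed row, which is a content change slipped into an otherwise formatting-only patch; confirm the sub-operation name against the product before keeping it, since the sibling rows (`Password Changed`, `Account Disabled`) keep the past-tense form. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); add one.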
diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/reports/reports.md b/docs/threatprevention/7.4/reportingmodule/investigations/reports/reports.md
index 1208220a99..9a5b4a07d2 100644
--- a/docs/threatprevention/7.4/reportingmodule/investigations/reports/reports.md
+++ b/docs/threatprevention/7.4/reportingmodule/investigations/reports/reports.md
@@ -17,11 +17,14 @@ A report generated by an investigation query displays the following information:
associated with the events matching the criteria specified for the investigation. See the
[Top Resources Tab](#top-resources-tab) topic for additional information.
-**NOTE:** For an investigations to return information on user display names, groups, or email
+:::note
+For an investigations to return information on user display names, groups, or email
addresses, the StealthDEFEND Active Directory Service must be running to collect Active Directory
data prior to running an investigation. See the
[Active Directory Sync Page](/docs/threatprevention/7.4/reportingmodule/configuration/integrations/activedirectorysync.md)
topic for additional information.
+:::
+
Click **Investigate** in the application header bar to open the Investigations interface. Then
create a new investigation or click a folder in the navigation pane to access a saved investigation.
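Review bot: the rewritten `+For an investigations to return information` line keeps the pre-existing agreement error; the same note is duplicated verbatim in `investigations/options/overview.md`, so fix both to "For an investigation to return information" in this patch.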
@@ -94,7 +97,7 @@ The tab contains two tables:
- Top Perpetrators
- Top Targets
-Top Perpetrators Table
+**Top Perpetrators Table**
The Top Perpetrators table displays information about the perpetrators associated with the events.
@@ -108,7 +111,7 @@ Click the link to view perpetrator details. See the
[User Details Page](/docs/threatprevention/7.4/reportingmodule/investigations/reports/user.md)
topic for additional information.
-Top Targets Table
+**Top Targets Table**
The Top Targets table displays information about targets associated with the events.
diff --git a/docs/threatprevention/7.4/reportingmodule/overview.md b/docs/threatprevention/7.4/reportingmodule/overview.md
index fc01905b77..dc1dbf1965 100644
--- a/docs/threatprevention/7.4/reportingmodule/overview.md
+++ b/docs/threatprevention/7.4/reportingmodule/overview.md
@@ -17,7 +17,7 @@ Threat Manager Reporting Module, configure the integration, and grant access to
following topics:
- [Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md)
-- [Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module)
+- [Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module)
- [Reporting Module Installation](/docs/threatprevention/7.4/install/reportingmodule/overview.md)
- [Configuration Menu ](/docs/threatprevention/7.4/reportingmodule/configuration/overview.md)
- [Investigations Interface](/docs/threatprevention/7.4/reportingmodule/investigations/overview.md)
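Review bot: the link target changes from `/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module` to `/docs/threatprevention/7.4/gettingstarted.md#...`, but no rename or addition of `gettingstarted.md` at the new path appears in this patch. Verify that the file exists there and that the `set-up-the-threat-manager-reporting-module` anchor still resolves, otherwise the site build will flag a broken link.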
diff --git a/docs/threatprevention/7.4/requirements/adminconsole.md b/docs/threatprevention/7.4/requirements/adminconsole.md
index a192432bf2..f40c3cf680 100644
--- a/docs/threatprevention/7.4/requirements/adminconsole.md
+++ b/docs/threatprevention/7.4/requirements/adminconsole.md
@@ -1,15 +1,15 @@
---
-title: "Remote Administration Console Machine Requirements"
-description: "Remote Administration Console Machine Requirements"
+title: "Remote Administration Console Requirements"
+description: "Remote Administration Console Requirements"
sidebar_position: 40
---
-# Remote Administration Console Machine Requirements
+# Remote Administration Console Requirements
This topic lists the requirements for the machine where you want to install a remote instance of the
Threat Prevention Administration Console.
-Windows Requirements
+**Windows Requirements**
The Windows Server can be physical or virtual. The following Windows Server operating systems are
supported:
@@ -26,7 +26,7 @@ Additionally the server or workstation must meet these requirements:
- US English language installation
- Domain member
-RAM, CPU, and Disk Space
+**RAM, CPU, and Disk Space**
| | |
| ---------- | ----- |
@@ -34,14 +34,14 @@ RAM, CPU, and Disk Space
| Cores | 4 CPU |
| Disk Space | 4 GB |
-Additional Platform Requirements
+**Additional Platform Requirements**
The following are additional requirements for the Threat Prevention Administration Console machine:
- .NET 4.7.x or .NET 4.8.x installed. If the installer does not find it already installed, it will
install .NET Framework 4.7.
-Permissions for Installation and Application Use
+**Permissions for Installation and Application Use**
The following permissions are required to install and use the application:
diff --git a/docs/threatprevention/7.4/requirements/agent/threatprevention.md b/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md
similarity index 91%
rename from docs/threatprevention/7.4/requirements/agent/threatprevention.md
rename to docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md
index 1860fec270..52754ec476 100644
--- a/docs/threatprevention/7.4/requirements/agent/threatprevention.md
+++ b/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md
@@ -12,14 +12,20 @@ Directory Activity reporting. This is accomplished by configuring Threat Prevent
Netwrix Activity Monitor, which in turn creates the activity log files that Access Analyzer
collects.
-**NOTE:** Threat Prevention can only be configured to send event data to one Netwrix application,
+:::note
+Threat Prevention can only be configured to send event data to one Netwrix application,
either Netwrix Activity Monitor or Netwrix Threat Manager but not both. However, the Activity
Monitor can be configured with outputs for Access Analyzer and Threat Manager
+:::
+
Follow these steps to configure this integration.
-**_RECOMMENDED:_** It is a best practice to use the API Server option of the Activity Monitor for
+:::info
+It is a best practice to use the API Server option of the Activity Monitor for
this integration between Threat Prevention and Access Analyzer.
+:::
+
**Step 1 –** In the Threat Prevention Administration Console, click **Configuration** > **Netwrix
Threat Manager Configuration** on the menu. The Netwrix Threat Manager Configuration window opens.
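Review bot: renaming `requirements/agent/threatprevention.md` to `requirements/agent/NTPtoNAM.md` changes the page URL, but nothing else in this patch updates links pointing at the old path; grep the docs for `requirements/agent/threatprevention.md` and either update those links or add a redirect. The new `:::note` body also ends without a period after "Access Analyzer and Threat Manager".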
diff --git a/docs/threatprevention/7.4/requirements/agent/agent.md b/docs/threatprevention/7.4/requirements/agent/agent.md
index e9a8b8c999..d7930dd35f 100644
--- a/docs/threatprevention/7.4/requirements/agent/agent.md
+++ b/docs/threatprevention/7.4/requirements/agent/agent.md
@@ -19,7 +19,7 @@ The supported Exchange Servers are:
- Exchange Server 2013
- Exchange Server 2010
-RAM, Cores, and Disk Space
+**RAM, Cores, and Disk Space**
These depend on the amount of activity expected:
@@ -35,7 +35,7 @@ The disk space requirement covers the following:
- Agent Queues – In the event of a network outage, the agent will cache up to 40 GB of event data
- Diagnostic Logging – 1 GB
-Additional Enterprise Password Enforcer Solution Requirements
+**Additional Enterprise Password Enforcer Solution Requirements**
The Have I Been Pwnd (HIBP) database, which is an optional feature of the Enterprise Password
Enforcer solution, can be deployed on the server where the Agent resides to improve performance. It
@@ -48,7 +48,7 @@ with the copy installed on the Enterprise Manager server. See the
[EPE Settings Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md)
topic for additional information.
-Additional Server Requirements
+**Additional Server Requirements**
The following are additional requirements for the Agent server:
@@ -57,20 +57,26 @@ The following are additional requirements for the Agent server:
article
- WMI enabled on the machine, which is optional but required for centralized Agent maintenance
-Permissions for Installation
+**Permissions for Installation**
The following permission is required to install the Agent:
- Membership in the local Administrators group
- **NOTE:** Membership in the Domain Administrators group for a domain controller.
+ :::note
+ Membership in the Domain Administrators group for a domain controller.
+ :::
+
## Agent Compatibility with Non-Netwrix Security Products
The following products conflict with the agent:
-**CAUTION:** Do not install these products on a server where an agent is deployed. Do NOT install an
+:::warning
+Do not install these products on a server where an agent is deployed. Do NOT install an
agent on a server where these products are installed.
+:::
+
- Quest Change Auditor (aka Dell ChangeAuditor)
- PowerBroker Auditor for Active Directory by BeyondTrust
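Review bot: the nested `:::note` under the "Membership in the local Administrators group" bullet now reads as a sentence fragment ("Membership in the Domain Administrators group for a domain controller."); state it as the requirement it is, for example "For a domain controller, membership in the Domain Admins group is required instead." Also, the new `:::warning` is inserted between "The following products conflict with the agent:" and the list that sentence introduces; placing the warning before that sentence (or after the list) keeps the intro attached to its list.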
@@ -83,5 +89,8 @@ thereby prevent monitoring Active Directory events:
- Specifically the “Avast self-defense module”
-**NOTE:** These products and other similar products can be configured via a whitelist to allow the
+:::note
+These products and other similar products can be configured via a whitelist to allow the
agent to operate.
+
+:::
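Review bot: the closing `:::` is again preceded by a blank `+` line, inconsistent with the other admonitions in this patch (and with the one a few hunks above in the same file); drop the blank line.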
diff --git a/docs/threatprevention/7.4/requirements/agent/agentnas.md b/docs/threatprevention/7.4/requirements/agent/agentnas.md
index 846211b181..0c4a65d91c 100644
--- a/docs/threatprevention/7.4/requirements/agent/agentnas.md
+++ b/docs/threatprevention/7.4/requirements/agent/agentnas.md
@@ -26,29 +26,29 @@ See the
[Netwrix Activity Monitor Documentation](https://helpcenter.netwrix.com/category/activitymonitor)
for additional information.
-Dell Celerra® & VNX
+**Dell Celerra® & VNX**
- Celerra 6.0+
- VNX 7.1
- VNX 8.1
-Dell Isilon/PowerScale
+**Dell Isilon/PowerScale**
- 7.0+
-Dell Unity
+**Dell Unity**
Hitachi
- 11.2+
-Nasuni Nasuni Edge Appliances
+**Nasuni Nasuni Edge Appliances**
- 8.0+
-NetApp Data ONTAP
+**NetApp Data ONTAP**
- 7-Mode 7.3+
- Cluster-Mode 8.2+
-Panzura
+**Panzura**
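Review bot: `Hitachi` is the only vendor heading in this hunk left unbolded while its siblings (`**Dell Unity**`, `**NetApp Data ONTAP**`) are converted; bold it as well. Two pre-existing oddities are worth fixing in the same pass: `**Nasuni Nasuni Edge Appliances**` repeats the vendor name, and `**Dell Unity**` has no version list beneath it, so check whether one was dropped.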
diff --git a/docs/threatprevention/7.4/requirements/application.md b/docs/threatprevention/7.4/requirements/application.md
index 8c3e8b5644..a992bca90e 100644
--- a/docs/threatprevention/7.4/requirements/application.md
+++ b/docs/threatprevention/7.4/requirements/application.md
@@ -9,7 +9,7 @@ sidebar_position: 10
This topic lists the requirements for the Threat Prevention server, where Enterprise Manager has to
be installed.
-Windows Server Requirements
+**Windows Server Requirements**
The Windows Server can be physical or virtual. The following Windows Server operating systems are
supported:
@@ -23,41 +23,48 @@ Additionally the server must meet these requirements:
- US English language installation
- Domain member
-RAM, CPU, and Disk Space
+**RAM, CPU, and Disk Space**
These depend on the size of the target environment and whether Analytics will be used.
-| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
-| ----------- | ------------------------------ | ------------------------------ | --------------------------- | --------------------------- |
+| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
+| ----------- | ------------------ | --------- | ------------------ | -------------- |
| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects |
-| RAM | 128+ GB | 32 GB | 32 GB | 16 GB |
-| Cores | 4+ CPU | 4 CPU | 4 CPU | 4 CPU |
-| Disk Space | 67 GB | 67 GB | 67 GB | 35 GB |
+| RAM | 128+ GB | 32 GB | 32 GB | 16 GB |
+| Cores | 4+ CPU | 4 CPU | 4 CPU | 4 CPU |
+| Disk Space | 67 GB | 67 GB | 67 GB | 35 GB |
-**_RECOMMENDED:_** For large environments with Analytics, a physical machine is strongly
+
+:::info
+For large environments with Analytics, a physical machine is strongly
recommended.
+:::
+
+
+:::note
+The disk space calculation formula is: Enterprise Manager GBs + 2(RAM size):
+:::
-**NOTE:** The disk space calculation formula is: Enterprise Manager GBs + 2(RAM size):
- 1 GB minimum for the Enterprise Manager / Administration Console
- Double the RAM size for log files (e.g. if 64 GB RAM, then 124 GB disk space)
- Minimum needed disk space: 1 GB + 124 GB = 125 GB disk space
-Additional Enterprise Password Enforcement Solution Requirements
+**Additional Enterprise Password Enforcement Solution Requirements**
The Have I Been Pwnd (HIBP) database, which is an optional feature of the Enterprise Password
Enforcement solution, is deployed on the server where the Enterprise Manager resides. It requires:
- Additional 66 GB of disk space to deploy
-Additional Server Requirements
+**Additional Server Requirements**
The following are additional requirements for the Threat Prevention server:
- .NET 4.7.x or .NET 4.8.x installed. If the installer does not find it already installed, it will
install .NET Framework 4.7.
-Additional Server Considerations
+**Additional Server Considerations**
The following are recommended for the Administration Console server:
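Review bot: the disk-space `:::note` ends on a colon ("Enterprise Manager GBs + 2(RAM size):") but the three bullets that spell out the formula are left outside the admonition, so the note renders as an incomplete sentence; move the closing `:::` to after the `- Minimum needed disk space` bullet. The example arithmetic in those bullets is also wrong by the formula the note states: doubling 64 GB RAM gives 128 GB, not 124 GB, so the total should be 1 GB + 128 GB = 129 GB (or the example RAM should be 62 GB). Finally, the double blank lines before `:::info` and before `:::note` can be reduced to one each to match the rest of the patch.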
@@ -67,10 +74,13 @@ The following are recommended for the Administration Console server:
Manager can generate a high volume of SQL activity, which is directly proportional to the volume
of events the Enterprise Manager receives from all Agents.
- **_RECOMMENDED:_** Install the Threat Prevention Enterprise Manager and Microsoft SQL Server on
+ :::info
+ Install the Threat Prevention Enterprise Manager and Microsoft SQL Server on
different machines.
+ :::
+
-Permissions for Installation and Application Use
+**Permissions for Installation and Application Use**
The following permissions are required to install and use the application:
diff --git a/docs/threatprevention/7.4/requirements/eperestsite.md b/docs/threatprevention/7.4/requirements/eperestsite.md
index 67cfb4ad25..54ad8857b4 100644
--- a/docs/threatprevention/7.4/requirements/eperestsite.md
+++ b/docs/threatprevention/7.4/requirements/eperestsite.md
@@ -31,7 +31,10 @@ The EPE Rest Site database can reside on the same instance of the SQL Server as
Prevention database or a separate instance (such as a free instance of SQL Express) that can be
installed locally on the machine where the EPE Rest Site is installed.
-**NOTE:** The “EpeUsers” database is not created during the installation, but when you create the
+:::note
+The “EpeUsers” database is not created during the installation, but when you create the
first “internal” account.
+:::
+
The database is not deleted when you uninstall the EPE Rest Site.
diff --git a/docs/threatprevention/7.4/requirements/overview.md b/docs/threatprevention/7.4/requirements/overview.md
index 68606399a0..5496f3692b 100644
--- a/docs/threatprevention/7.4/requirements/overview.md
+++ b/docs/threatprevention/7.4/requirements/overview.md
@@ -15,7 +15,7 @@ all exceptions are covered.
The following servers are required to install the application:
-Core Component
+**Core Component**
- Threat Prevention Application Server – The following v7.4 application components are installed
here:
@@ -38,7 +38,7 @@ See the following topics for additional information:
- [Agent Server Requirements](/docs/threatprevention/7.4/requirements/agent/agent.md)
- [Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md)
-Optional Components
+**Optional Components**
- Remote Administration Console Instances – The Administration Console can be deployed remotely on
additional machines. As a prerequisite, the Threat Prevention server must already be provisioned.
@@ -48,15 +48,18 @@ Optional Components
the
[EPE Settings Window](/docs/threatprevention/7.4/admin/configuration/epesettings.md).
- **NOTE:** This interface does not change the password; it only validates it against the EPE
+ :::note
+ This interface does not change the password; it only validates it against the EPE
rules.
+ :::
+
See the following topics for additional information:
-- [Remote Administration Console Machine Requirements](/docs/threatprevention/7.4/requirements/adminconsole.md)
+- [Remote Administration Console Requirements](/docs/threatprevention/7.4/requirements/adminconsole.md)
- [EPE Rest Site Requirements](/docs/threatprevention/7.4/requirements/eperestsite.md)
-Target Environment Considerations
+**Target Environment Considerations**
The target environment encompasses all servers, devices, or infrastructure to be monitored and/or
protected by Threat Prevention:
diff --git a/docs/threatprevention/7.4/requirements/ports.md b/docs/threatprevention/7.4/requirements/ports.md
index 1dcfd3785a..057e06778d 100644
--- a/docs/threatprevention/7.4/requirements/ports.md
+++ b/docs/threatprevention/7.4/requirements/ports.md
@@ -18,52 +18,63 @@ or in step 7 of a
then Threat Prevention will create the necessary Windows firewall rules. If using a third party
firewall, it will be necessary to manually set these.
-**NOTE:** SIEM ports are configured when SIEM alerting is enabled in Threat Prevention. See the
+:::note
+SIEM ports are configured when SIEM alerting is enabled in Threat Prevention. See the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md)
topic for additional information.
+:::
+
## Enterprise Manager Firewall Rules
The following firewall settings are required for communication with the Enterprise Manager:
-| Communication Direction | Protocol | Ports | Description |
-| --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | --------------------------- | ---------------------------------------------------- |
-| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager | gRPC / TCP | 3741 | Inbound Agent Communication |
-| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode) Agents to Enterprise Manager | gRPC / TCP | 3739 | Inbound Agent Communication |
-| Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | SQL Server Communication |
-| Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | SQL Server Communication |
-| Enterprise Manager to Agents | RPC / TCP | 135 | WMI enabled Optional: required for Agent Auto Deploy |
-| Enterprise Manager to Agents | DCOM / TCP | Dynamic Range 49152 - 65535 | WMI enabled Optional: required for Agent Auto Deploy |
+| Communication Direction | Protocol | Ports | Description |
+| ----------------- | ---------------- | ----------------- | ---------------- |
+| (For versions 7.3.5 and later Agents using auto security mode)
Agents to Enterprise Manager | gRPC / TCP | 3741 | Inbound Agent Communication |
+| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode)
Agents to Enterprise Manager | gRPC / TCP | 3739 | Inbound Agent Communication |
+| Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | SQL Server Communication |
+| Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | SQL Server Communication |
+| Enterprise Manager to Agents | RPC / TCP | 135 | WMI enabled
Optional: required for Agent Auto Deploy |
+| Enterprise Manager to Agents | DCOM / TCP | Dynamic Range 49152 | WMI enabled
Optional: required for Agent Auto Deploy |
+
## Agent Firewall Rules
The following firewall settings are required for communication with the Agent:
-| Communication Direction | Protocol | Ports | Description |
-| --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | --------------------------- | ---------------------------------------------------- |
-| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager gRPC / TCP | gRPC / TCP | 3741 | Outbound Enterprise Manager Communication |
-| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode) Agents to Enterprise Manager | gRPC / TCP | 3739 | Outbound Enterprise Manager Communication |
-| Enterprise Manager to Agent | RPC / TCP | 135 | WMI enabled Optional: required for Agent Auto Deploy |
-| Enterprise Manager to Agent | DCOM / TCP | Dynamic Range 49152 - 65535 | WMI enabled Optional: required for Agent Auto Deploy |
+| Communication Direction | Protocol | Ports | Description |
+| ------------ | ---------- | ------------ | ------------ |
+| (For versions 7.3.5 and later Agents using auto security mode)
Agents to Enterprise Manager gRPC / TCP | gRPC / TCP | 3741 | Outbound Enterprise Manager Communication |
+| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode)
Agents to Enterprise Manager | gRPC / TCP | 3739 | Outbound Enterprise Manager Communication |
+| Enterprise Manager to Agent | RPC / TCP | 135 | WMI enabled
Optional: required for Agent Auto Deploy |
+| Enterprise Manager to Agent | DCOM / TCP | Dynamic Range 49152 | WMI enabled
Optional: required for Agent Auto Deploy |
-**NOTE:** For NAS device file activity monitoring, additional ports are required. See the
+
+:::note
+For NAS device file activity monitoring, additional ports are required. See the
[Ports for NAS Device Activity Monitoring](#ports-for-nasdevice-activity-monitoring) topic for
additional information.
+:::
+
## Admin Console Firewall Rules
The following firewall settings are required for communication with the Administration Console:
-| Communication Direction | Protocol | Ports | Description |
-| -------------------------------------------- | ---------- | ----- | ----------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------- | ---------- | ----- | ------------------- |
| Administration Console to Enterprise Manager | gRPC / TCP | 3740 | Outbound Enterprise Manager Communication |
## Database Firewall Rules
The following firewall settings are required for communication with the SQL Server:
-**NOTE:** This port requirement is specifically needed when the SQL Server is on a separate box from
+:::note
+This port requirement is specifically needed when the SQL Server is on a separate box from
the Enterprise Manager and/or the Administration Console.
+:::
+
| Communication Direction | Protocol | Ports | Description |
| -------------------------------- | ---------------- | ----- | ---------------------------------------- |
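Review bot: two regressions in the Enterprise Manager and Agent tables. First, the DCOM rows now read `Dynamic Range 49152` where the removed lines read `Dynamic Range 49152 - 65535`; the upper bound of the RPC dynamic range is lost, and anyone building firewall rules from this page will open a single port instead of the full range Agent Auto Deploy needs. Second, several rows are split across two physical lines (the `(For versions 7.3.5 and later ...)` and `(For upgrading from versions prior to 7.3.5.x ...)` rows, and the `WMI enabled` / `Optional: required for Agent Auto Deploy` descriptions); a Markdown table row must be a single line, so the continuation lines will render as stray paragraphs and the tables will be malformed. Keep each row on one line (use `<br/>` inside the cell if a visual break is wanted) and restore `- 65535`. Pre-existing but worth fixing while here: the first Agent-table row repeats `gRPC / TCP` inside the Communication Direction cell.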
@@ -75,7 +86,7 @@ the Enterprise Manager and/or the Administration Console.
Configure appropriate firewall rules to allow connections with the Netwrix Threat Manager Reporting
Module.
-Application Console Access Firewall Rules
+**Application Console Access Firewall Rules**
The following firewall settings are required to access the Netwrix Threat Manager Reporting Module
console:
@@ -84,31 +95,34 @@ console:
| ----------------------- | -------- | ----- | ---------------------------------------- |
| Bidirectional | TCP | 8080 | Remote access to the application console |
-**NOTE:** Threat Manager requires the default dynamic port range specified by Microsoft (49152
+:::note
+Threat Manager requires the default dynamic port range specified by Microsoft (49152
through 65535) for Windows Server client/server operations. If a firewall or other appliance is
blocking these ports, this server will no longer properly respond to client requests and no longer
support standard IP Stack operations that are required for the operation of this product.
+:::
+
-Active Directory Domain Controllers Firewall Rules
+**Active Directory Domain Controllers Firewall Rules**
The following firewall settings are required for communication between the Netwrix Threat Manager
Reporting Module server and Active Directory domain controllers:
-| Communication Direction | Protocol | Ports | Description |
-| ----------------------- | -------- | ------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| Outbound | TCP | 88 | Kerberos-sec |
+| Communication Direction | Protocol | Ports | Description |
+| ----------------------- | -------- | ------- | ------------ |
+| Outbound | TCP | 88 | Kerberos-sec |
| Outbound | TCP | 135 | The endpoint mapper tells the client which randomly assigned port a service (FRS, AD replication, MAPI, etc.) is listening on |
-| Outbound | TCP | 389 | LDAP |
-| Outbound | TCP | 636 | SSL LDAP |
+| Outbound | TCP | 389 | LDAP |
+| Outbound | TCP | 636 | SSL LDAP |
| Outbound | TCP | Various | The port that 135 reports. Used to bulk translate AD object names between formats.(Ephemeral Ports) |
-Database Firewall Rules
+**Database Firewall Rules**
The following firewall settings are required to allow the Netwrix Threat Manager Reporting Module to
talk to the Threat Prevention SQL database:
-| Communication Direction | Protocol | Ports | Description |
-| ------------------------------------------------------------------ | ---------------- | ----- | -------------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------- | ---------------- | ----- | ---------------------- |
| Netwrix Threat Manager Reporting Integration Service to SQL Server | SQL Client / TCP | 1433 | Inbound Netwrix Threat Manager Communication |
| Netwrix Threat Manager Reporting Integration Service to SQL Server | SQL Client / UDP | 1434 | Inbound Netwrix Threat Manager Communication |
@@ -132,32 +146,32 @@ Dell Celerra & Dell VNX Devices Additional Firewall Rules
The following firewall settings are required for communication between the CEE server/ Activity
Monitor Activity Agent server and the target Dell device:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
-| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------------ | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
-Dell Isilon/PowerScale Devices Additional Firewall Rules
+**Dell Isilon/PowerScale Devices Additional Firewall Rules**
The following firewall settings are required for communication between the CEE server/ Activity
Monitor Activity Agent server and the target Dell Isilon/PowerScale device:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
-| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------ | -------- | ----------------- | ----------------- |
+| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
-Dell Unity Devices Additional Firewall Rules
+**Dell Unity Devices Additional Firewall Rules**
The following firewall settings are required for communication between the CEE server/ Activity
Monitor Activity Agent server and the target Dell device:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
-| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------- | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
-Nasuni Edge Appliance Additional Firewall Rules
+**Nasuni Edge Appliance Additional Firewall Rules**
The following firewall settings are required for communication between the Activity Monitor Activity
Agent server and the target Nasuni Edge Appliance:
@@ -167,30 +181,33 @@ Agent server and the target Nasuni Edge Appliance:
| Agent Server to Nasuni | HTTPS | 8443 | Nasuni API calls |
| Nasuni to Activity Agent Server | AMQP over TCP | 5671 | Nasuni event reporting |
-NetApp Data ONTAP 7-Mode Device Additional Firewall Rules
+**NetApp Data ONTAP 7-Mode Device Additional Firewall Rules**
The following firewall settings are required for communication between the Activity Monitor Activity
Agent server and the target NetApp Data ONTAP 7-Mode device:
-| Communication Direction | Protocol | Ports | Description |
-| --------------------------------- | ---------------- | ------------------------------------ | ----------- |
-| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI |
-| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI |
-| Activity Agent Server to NetApp | TCP | 135, 139 Dynamic Range (49152-65535) | RPC |
-| Activity Agent Server to NetApp | TCP | 445 | SMB |
-| Activity Agent Server to NetApp | UDP | 137, 138 | RPC |
-| NetApp to Activity Agent Server | TCP | 135, 139 Dynamic Range (49152-65535) | RPC |
-| NetApp to Activity Agent Server | TCP | 445 | SMB |
-| NetApp to Activity Agent Server | UDP | 137, 138 | RPC |
+| Communication Direction | Protocol | Ports | Description |
+| --------- | ----------- | -------------------- | ----------- |
+| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI |
+| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI |
+| Activity Agent Server to NetApp | TCP | 135, 139
Dynamic Range (49152-65535) | RPC |
+| Activity Agent Server to NetApp | TCP | 445 | SMB |
+| Activity Agent Server to NetApp | UDP | 137, 138 | RPC |
+| NetApp to Activity Agent Server | TCP | 135, 139
Dynamic Range (49152-65535) | RPC |
+| NetApp to Activity Agent Server | TCP | 445 | SMB |
+| NetApp to Activity Agent Server | UDP | 137, 138 | RPC |
\*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in
Activity Monitor.
-**NOTE:** If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode
+:::note
+If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode
device must be configured manually. Also, the External Engine will not reconnect automatically in
the case of a server reboot or service restart.
+:::
-NetApp Data ONTAP Cluster-Mode Device Additional Firewall Rules
+
+**NetApp Data ONTAP Cluster-Mode Device Additional Firewall Rules**
The following firewall settings are required for communication between the Activity Monitor Activity
Agent server and the target NetApp Data ONTAP Cluster-Mode device:
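Review bot: the NetApp Data ONTAP 7-Mode table has the same table-breaking split as the Enterprise Manager and Agent tables: the two RPC rows are cut so that `Dynamic Range (49152-65535) | RPC |` lands on its own line, which Markdown will not treat as part of the row. Keep `135, 139 Dynamic Range (49152-65535)` in one cell on one line so the full dynamic range stays visible in the rendered table.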
@@ -204,18 +221,21 @@ Agent server and the target NetApp Data ONTAP Cluster-Mode device:
\*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options in
Activity Monitor.
-**NOTE:** If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode
+:::note
+If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode
device must be configured manually. Also, the External Engine will not reconnect automatically in
the case of a server reboot or service restart.
+:::
+
-Panzura Devices Additional Firewall Rules
+**Panzura Devices Additional Firewall Rules**
The following firewall settings are required for communication between the Activity Monitor Activity
Agent server and the target Panzura device:
-| Communication Direction | Protocol | Ports | Description |
-| ------------------------------------------ | ------------- | ----- | ----------------------- |
-| Activity Agent Server to Panzura | HTTPS | 443 | Panzura API |
+| Communication Direction | Protocol | Ports | Description |
+| ----------- | ------------- | ----- | ----------------------- |
+| Activity Agent Server to Panzura | HTTPS | 443 | Panzura API |
| Panzura filers to to Activity Agent Server | AMQP over TCP | 4497 | Panzura Event Reporting |
Protect the port with a username and password. The credentials will be configured in Panzura.
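Review bot: the note being converted in the Cluster-Mode section still says `the FPolicy on the NetApp Data ONTAP 7-Mode device must be configured manually`, which is a copy of the 7-Mode note; since the line is rewritten into an admonition here anyway, change `7-Mode` to `Cluster-Mode` so the warning matches its section. Also in this hunk, the unchanged Panzura row reads `Panzura filers to to Activity Agent Server` (doubled `to`).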
@@ -225,6 +245,6 @@ Protect the port with a username and password. The credentials will be configure
The following firewall settings are required to integrate with the full version of Netwrix Threat
Manager:
-| Communication Direction | Protocol | Ports | Description |
-| ------------------------------ | -------- | ----- | ----------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| --------------- | -------- | ----- | ----------- |
| Agent Server to Threat Manager | TCP/UDP | 10001 | Data event stream to Threat Manager |
diff --git a/docs/threatprevention/7.4/requirements/reportingserver.md b/docs/threatprevention/7.4/requirements/reportingserver.md
index 5036c53462..fc27d243b0 100644
--- a/docs/threatprevention/7.4/requirements/reportingserver.md
+++ b/docs/threatprevention/7.4/requirements/reportingserver.md
@@ -6,8 +6,11 @@ sidebar_position: 50
# Reporting Module Server Requirements
-**CAUTION:** Netwrix Threat Manager cannot be installed on the same server as Netwrix Threat Manager
+:::warning
+Netwrix Threat Manager cannot be installed on the same server as Netwrix Threat Manager
Reporting Module.
+:::
+
The Windows server can be physical or virtual. The following Windows server operating systems are
supported:
@@ -20,7 +23,7 @@ Additionally the server must meet these requirements:
- US English language installation
-RAM, CPU, and Disk Space
+**RAM, CPU, and Disk Space**
Minimum hardware requirements:
@@ -29,7 +32,7 @@ Minimum hardware requirements:
- 75 GB Disk Space
-Additional Server Requirements
+**Additional Server Requirements**
The following are additional requirements for the application server:
@@ -39,28 +42,28 @@ The following are additional requirements for the application server:
- VC++ redist v14.28.29914
- Python v3.10.8x64
-Permissions for Installation and Application Use
+**Permissions for Installation and Application Use**
The following permissions are required to install and use the application:
- Membership in the local Administrators group
-Permissions for Active Directory Sync
+**Permissions for Active Directory Sync**
The following permissions are required for the credentials used by Netwrix Threat Manager Reporting
Module for Active Directory Sync:
-| Object Type | Function | Access Requirements |
-| ----------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
-| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container |
-| Group | Retrieve all groups | Read Access to all group objects in the domain |
-| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container |
-| User | Retrieve all users | Read all user objects from the domain |
-| Computer | Retrieve all deleted computer objects | Read all computer objects under the Deleted Objects Container |
-| Computer | Retrieve all computer objects | Read all computer objects in the domain |
-| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain |
-| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain |
-| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory |
+| Object Type | Function | Access Requirements |
+| ----------- | ------------- | ------------------ |
+| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container |
+| Group | Retrieve all groups | Read Access to all group objects in the domain |
+| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container |
+| User | Retrieve all users | Read all user objects from the domain |
+| Computer | Retrieve all deleted computer objects | Read all computer objects under the Deleted Objects Container |
+| Computer | Retrieve all computer objects | Read all computer objects in the domain |
+| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain |
+| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain |
+| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory |
## Client Requirements
diff --git a/docs/threatprevention/7.4/requirements/sqlserver/dbmaintenance.md b/docs/threatprevention/7.4/requirements/sqlserver/dbmaintenance.md
index eca16b263d..ef17296e54 100644
--- a/docs/threatprevention/7.4/requirements/sqlserver/dbmaintenance.md
+++ b/docs/threatprevention/7.4/requirements/sqlserver/dbmaintenance.md
@@ -13,10 +13,13 @@ Threat Prevention installation or the Windows account configured to run the Ente
Windows Authentication to the SQL Server) must have enough rights to execute the Database
Maintenance feature.
-**NOTE:** If the account used to run Database Maintenance is changed, it is necessary to manually
+:::note
+If the account used to run Database Maintenance is changed, it is necessary to manually
delete the DBMaintenance SQL Agent Job in the SQL Server Management Studio.
+:::
-Permissions Summary
+
+**Permissions Summary**
The database user must have the following rights to run Database Maintenance:
@@ -28,7 +31,7 @@ The database user must have the following rights to run Database Maintenance:
- Execute sp_updatestats for the NVMonitorData database
- Create Server Link
-Database Permissions
+**Database Permissions**
The following rights are required to run database maintenance:
@@ -52,15 +55,18 @@ The following rights are required to run database maintenance:
- Be owner of this database
- **NOTE:** There is a least privilege option for this requirement. See the
+ :::note
+ There is a least privilege option for this requirement. See the
[Less Privilege Model for NVMonitorData Database Permission](#less-privilege-model-for-nvmonitordata-database-permission)
topic for additional information.
+ :::
+
See the
[Database Components](/docs/threatprevention/7.4/admin/overview.md#database-components)
topic for a discussion of these databases.
-Archive Database Permissions
+**Archive Database Permissions**
If the **Move** option is selected on the
[Archive Data](/docs/threatprevention/7.4/admin/configuration/databasemaintenance/archive.md)
@@ -73,9 +79,12 @@ server/database. This account must have rights to:
## Less Privilege Model for NVMonitorData Database Permission
-**NOTE:** If this less privileged model is used, then the last step in the Database Maintenance
+:::note
+If this less privileged model is used, then the last step in the Database Maintenance
process, executing sp_updatestats, will fail. However, all other steps in the process will complete
successfully and all data will be deleted/moved as configured.
+:::
+
If it is not possible to grant the ‘user’ owner rights to the NVMonitorData database, grant the
following instead:
@@ -188,9 +197,15 @@ set @q = 'ALTER AUTHORIZATION ON DATABASE::NVMonitorData TO [' + @usr + ']'
exec(@q);
```
-**CAUTION:** Errors may occur if this script designates an existing user for granting Less Privilege
+:::warning
+Errors may occur if this script designates an existing user for granting Less Privilege
Model permissions for database maintenance. This happens because the user is directed to be dropped
and subsequently recreated.
+:::
-**_RECOMMENDED:_** Rather than using this script as it is, create a dedicated role for this user
+
+:::info
+Rather than using this script as it is, create a dedicated role for this user
with required permission based on the recommended best practices.
+
+:::
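Review bot: the closing `:::` of the last `:::info` block is preceded by an added blank line, unlike every other admonition in this change; drop the blank line so the block is formatted consistently. The `:::warning` level above it is right to keep: the script drops and recreates the named user, so pointing it at an existing login is destructive, and the recommendation to create a dedicated role instead belongs directly beneath that warning as it is here.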
diff --git a/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md b/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md
index 2c7625fa28..ff160cdb8b 100644
--- a/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md
+++ b/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md
@@ -17,35 +17,39 @@ The server must meet this requirement:
[Virtual Environment Recommendations](/docs/threatprevention/7.4/requirements/application.md#virtual-environment-recommendations)topic
for additional information.
-**_RECOMMENDED:_** It is a best practice and strongly recommended to have a dedicated database
+:::info
+It is a best practice and strongly recommended to have a dedicated database
server.
+:::
-RAM, CPU, and Disk Space
+
+**RAM, CPU, and Disk Space**
These depend on the size of the target environment.
-| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
-| ------------------------ | ------------------------------ | ------------------------------ | --------------------------- | --------------------------- |
-| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects |
-| RAM | 32 GB | 16 GB | 16 GB | 8 GB |
-| Cores | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
-| Number of Disks | 4 | 4 | 4 | 1-4 |
-| Operating System Disk | 10 GB | 10 GB | 10 GB | 10 GB |
-| SQL Database Disk | 500 GB | 300 GB | 150 GB | 100 GB |
-| SQL Transaction Log Disk | 80 GB | 80 GB | 40 GB | 20 GB |
-| SQL TEMP DB Disk | 160 GB | 160 GB | 80 GB | 40 GB |
+| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
+| --------------- | ------------------------ | ------------- | -------------- | ------------------ |
+| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects |
+| RAM | 32 GB | 16 GB | 16 GB | 8 GB |
+| Cores | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
+| Number of Disks | 4 | 4 | 4 | 1-4 |
+| Operating System Disk | 10 GB | 10 GB | 10 GB | 10 GB |
+| SQL Database Disk | 500 GB | 300 GB | 150 GB | 100 GB |
+| SQL Transaction Log Disk | 80 GB | 80 GB | 40 GB | 20 GB |
+| SQL TEMP DB Disk | 160 GB | 160 GB | 80 GB | 40 GB |
+
The disk sizes for the three SQL Server databases can be reduced if not utilizing all Threat
Prevention solutions.
-Additional SQL Server Requirements
+**Additional SQL Server Requirements**
The following are additional requirements for the SQL Server:
- All SQL Server databases must be configured to use ‘Simple Recovery Model’.
- SQL Agent Service is needed to use the Database Maintenance feature in Threat Prevention.
-Additional SQL Server Considerations
+**Additional SQL Server Considerations**
The following additional considerations are recommended for the SQL Server:
@@ -54,29 +58,41 @@ The following additional considerations are recommended for the SQL Server:
can occur. If this option is employed, please speak with a Netwrix engineer to determine an
appropriate setting for best performance.
- **_RECOMMENDED:_** In the SQL Server Management Studio, set the Database Properties' File Growth
+ :::info
+ In the SQL Server Management Studio, set the Database Properties' File Growth
Autogrowth setting for the NVMonitorData database to a few hundred MB instead of the default
setting of 1MB. Use 10 percent of the database size to avoid unwanted fragmentation for indexes
due to a small default setting for database growth.
+ :::
+
- When using separate machines for the SQL Server and the Threat Prevention Enterprise Manager, both
machines should be on the same subnet with high speed connectivity between them. The Enterprise
Manager can generate a high volume of SQL activity, which is directly proportional to the volume
of events the Enterprise Manager receives from all Agents.
- **_RECOMMENDED:_** Install the Threat Prevention Enterprise Manager and Microsoft SQL Server on
+ :::info
+ Install the Threat Prevention Enterprise Manager and Microsoft SQL Server on
different machines.
+ :::
-**_RECOMMENDED:_** For large environments with Analytics, an SQL cluster is recommended for both
+
+:::info
+For large environments with Analytics, an SQL cluster is recommended for both
performance and fault tolerance.
+:::
+
-**NOTE:** For SQL Server 2012+, it is necessary to restrict the maximum server memory value to
+:::note
+For SQL Server 2012+, it is necessary to restrict the maximum server memory value to
60-70% of the total physical RAM to avoid a situation where SQL Server will starve other
applications of memory. See the
[Restrict SQL Server Maximum Server Memory](/docs/threatprevention/7.4/troubleshooting/sqlserver.md)
topic for additional information.
+:::
+
-Database Permissions
+**Database Permissions**
The following permissions are required on the databases:
diff --git a/docs/threatprevention/7.4/siemdashboard/activedirectory/overview.md b/docs/threatprevention/7.4/siemdashboard/activedirectory/overview.md
index b74aa6e6bf..9fc362a13d 100644
--- a/docs/threatprevention/7.4/siemdashboard/activedirectory/overview.md
+++ b/docs/threatprevention/7.4/siemdashboard/activedirectory/overview.md
@@ -30,10 +30,13 @@ from the [Splunkbase](https://splunkbase.splunk.com/). Then follow the
[Splunk Add-ons](http://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons)
guide provided by Splunk to install the app.
-**NOTE:** In order to use the User Behavior Analytics dashboard in the app, install
+:::note
+In order to use the User Behavior Analytics dashboard in the app, install
[Splunk User Behavior Analytics](https://www.splunk.com/en_us/products/premium-solutions/user-behavior-analytics.html)
(any version) and the [Machine Learning Toolkit](https://splunkbase.splunk.com/app/2890/) app for
Splunk (version 2.0.0+).
+:::
+
The Netwrix Active Directory tab will appear in the Splunk web interface.
@@ -44,8 +47,11 @@ Threat Prevention.
Follow the steps to configure Splunk to receive data from Threat Prevention.
-_Remember,_ prior to using the Active Directory App for Splunk, the relevant Netwrix product must be
+:::tip
+Remember, prior to using the Active Directory App for Splunk, the relevant Netwrix product must be
configured to send data to Splunk.
+:::
+
**Step 1 –** Determine the IP address of the Splunk console. If Splunk is hosted on a UNIX machine,
run ``. If Splunk is hosted on a Windows machine, run ``. This IP address is
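Review bot: the context line `run ``. If Splunk is hosted on a Windows machine, run ``. This IP address is` contains two empty inline code spans, so the commands the step tells the reader to run are missing from the page; since this hunk edits the paragraph immediately above, restore the command text here rather than leaving the step unfollowable. The `:::tip` conversion itself is fine, though the leading `Remember,` is a leftover from the italic lead-in and can be dropped now that the admonition carries that emphasis.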
diff --git a/docs/threatprevention/7.4/siemdashboard/qradar/navigate/settings.md b/docs/threatprevention/7.4/siemdashboard/qradar/navigate/settings.md
index 09ddf17757..1e19ff8a26 100644
--- a/docs/threatprevention/7.4/siemdashboard/qradar/navigate/settings.md
+++ b/docs/threatprevention/7.4/siemdashboard/qradar/navigate/settings.md
@@ -15,7 +15,7 @@ Click the gear icon next to the Search box to open the Settings interface.
The More information link opens the IBM Knowledge Center with information on generating the QRadar
SEC token. Once the token is generated, copy and paste it here and click Save.
-Honey Accounts
+**Honey Accounts**
An additional feature is to add Honey Accounts to be monitored.
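Review bot: `**Honey Accounts**` is a section title promoted to bold rather than to a markdown heading, so it gets no anchor and does not appear in the page's table of contents; `### Honey Accounts` under the file's existing heading levels would. The same bold-instead-of-heading pattern is applied to section labels throughout this patch, so it is worth deciding once which of them are headings.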
diff --git a/docs/threatprevention/7.4/siemdashboard/qradar/overview.md b/docs/threatprevention/7.4/siemdashboard/qradar/overview.md
index 76619d0d24..5f0aa8db2a 100644
--- a/docs/threatprevention/7.4/siemdashboard/qradar/overview.md
+++ b/docs/threatprevention/7.4/siemdashboard/qradar/overview.md
@@ -53,8 +53,11 @@ topic for additional information.
Follow the steps to configure QRadar to receive data from Threat Prevention.
-_Remember,_ prior to using the Active Directory app for QRadar, Threat Prevention must be configured
+:::tip
+Remember, prior to using the Active Directory app for QRadar, Threat Prevention must be configured
to send data to QRadar.
+:::
+
**Step 1 –** Determine the IP address of the QRadar console. If QRadar is hosted on a UNIX machine,
run ``. If QRadar is hosted on a Windows machine, run ``. This IP address is
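Review bot: the context line `run ``. If QRadar is hosted on a Windows machine, run ``. This IP address is` has both inline code spans empty, so Step 1 cannot be followed as written; fill in the command text while this paragraph is being edited, and consider dropping the leading `Remember,` inside the `:::tip`, which already signals emphasis.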
diff --git a/docs/threatprevention/7.4/siemdashboard/threathunting/overview.md b/docs/threatprevention/7.4/siemdashboard/threathunting/overview.md
index eab8ffaed0..4ae04d8061 100644
--- a/docs/threatprevention/7.4/siemdashboard/threathunting/overview.md
+++ b/docs/threatprevention/7.4/siemdashboard/threathunting/overview.md
@@ -41,8 +41,11 @@ Threat Prevention or Netwrix File Activity Monitor.
Follow the steps to configure Splunk to receive data from either Threat Prevention or Netwrix
Netwrix Activity Monitor.
-_Remember,_ prior to using the Netwrix Threat Hunting App for Splunk, the relevant Netwrix product
+:::tip
+Remember, prior to using the Netwrix Threat Hunting App for Splunk, the relevant Netwrix product
must be configured to send data to Splunk.
+:::
+
**Step 1 –** Determine the IP address of the Splunk console. If Splunk is hosted on a UNIX machine,
run ``. If Splunk is hosted on a Windows machine, run ``. This IP address is
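Review bot: the context lines `Follow the steps to configure Splunk to receive data from either Threat Prevention or Netwrix` / `Netwrix Activity Monitor.` double the word `Netwrix` across the line break, and the Step 1 line `run ``. If Splunk is hosted on a Windows machine, run ``.` has two empty inline code spans where the commands should be; both sit next to the lines this hunk changes and should be fixed in the same pass.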
diff --git a/docs/threatprevention/7.4/overview/solutions/_category_.json b/docs/threatprevention/7.4/solutions/_category_.json
similarity index 87%
rename from docs/threatprevention/7.4/overview/solutions/_category_.json
rename to docs/threatprevention/7.4/solutions/_category_.json
index 61e3258ec2..812ae631c7 100644
--- a/docs/threatprevention/7.4/overview/solutions/_category_.json
+++ b/docs/threatprevention/7.4/solutions/_category_.json
@@ -1,6 +1,6 @@
{
"label": "Solutions",
- "position": 30,
+ "position": 4,
"collapsed": true,
"collapsible": true,
"link": {
diff --git a/docs/threatprevention/7.4/overview/solutions/activedirectory.md b/docs/threatprevention/7.4/solutions/activedirectory.md
similarity index 100%
rename from docs/threatprevention/7.4/overview/solutions/activedirectory.md
rename to docs/threatprevention/7.4/solutions/activedirectory.md
diff --git a/docs/threatprevention/7.4/overview/solutions/epe.md b/docs/threatprevention/7.4/solutions/epe.md
similarity index 96%
rename from docs/threatprevention/7.4/overview/solutions/epe.md
rename to docs/threatprevention/7.4/solutions/epe.md
index 0c879a3f6a..1cd5a52eea 100644
--- a/docs/threatprevention/7.4/overview/solutions/epe.md
+++ b/docs/threatprevention/7.4/solutions/epe.md
@@ -4,9 +4,7 @@ description: "Enterprise Password Enforcer"
sidebar_position: 20
---
-#
-
-Enterprise Password Enforcer
+# Enterprise Password Enforcer
Attackers often use dictionaries of previously breached passwords or knowledge of well-known
passwords to compromise accounts. To mitigate this risk and the likelihood of generic or known
@@ -29,9 +27,12 @@ See the
[EPE User Feedback Module](/docs/threatprevention/7.4/install/epeuserfeedback.md)
topic for additional information.
-**NOTE:** The Password Enforcement module is available under all licenses for monitoring weak
+:::note
+The Password Enforcement module is available under all licenses for monitoring weak
passwords. However, you need the Enterprise Password Enforcer solution license to block weak
passwords.
+:::
+
The following event type is available for Enterprise Password Enforcer:
diff --git a/docs/threatprevention/7.4/overview/solutions/exchange.md b/docs/threatprevention/7.4/solutions/exchange.md
similarity index 100%
rename from docs/threatprevention/7.4/overview/solutions/exchange.md
rename to docs/threatprevention/7.4/solutions/exchange.md
diff --git a/docs/threatprevention/7.4/overview/solutions/filesystem.md b/docs/threatprevention/7.4/solutions/filesystem.md
similarity index 91%
rename from docs/threatprevention/7.4/overview/solutions/filesystem.md
rename to docs/threatprevention/7.4/solutions/filesystem.md
index e9c54b4c3b..9a42e6602b 100644
--- a/docs/threatprevention/7.4/overview/solutions/filesystem.md
+++ b/docs/threatprevention/7.4/solutions/filesystem.md
@@ -32,7 +32,10 @@ Some important events Threat Prevention captures within a NAS file system are:
- File Access Events (Create, Copy, Delete, Rename, Read, Update)
- Permission Changes
-**NOTE:** For NAS monitoring, Threat Prevention employs the Netwrix Activity Monitor component.
+:::note
+For NAS monitoring, Threat Prevention employs the Netwrix Activity Monitor component.
+:::
+
## File System Event Types
@@ -40,4 +43,4 @@ The following event types are available for File System:
- [File System Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md)
- [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md)
-- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md)
+- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md)
diff --git a/docs/threatprevention/7.4/overview/solutions/ldap.md b/docs/threatprevention/7.4/solutions/ldap.md
similarity index 100%
rename from docs/threatprevention/7.4/overview/solutions/ldap.md
rename to docs/threatprevention/7.4/solutions/ldap.md
diff --git a/docs/threatprevention/7.4/overview/solutions/overview.md b/docs/threatprevention/7.4/solutions/overview.md
similarity index 77%
rename from docs/threatprevention/7.4/overview/solutions/overview.md
rename to docs/threatprevention/7.4/solutions/overview.md
index b2b54ed469..508b4cd9b3 100644
--- a/docs/threatprevention/7.4/overview/solutions/overview.md
+++ b/docs/threatprevention/7.4/solutions/overview.md
@@ -9,7 +9,7 @@ sidebar_position: 30
Threat Prevention offers the following pre-defined solutions for protecting your IT environment. The
solutions and associated licensed modules are:
-[Active Directory](/docs/threatprevention/7.4/overview/solutions/activedirectory.md)
+**Active Directory**
- Active Directory Changes
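Review bot: replacing `[Active Directory](/docs/threatprevention/7.4/overview/solutions/activedirectory.md)` with plain `**Active Directory**` removes the only link from this overview to the per-solution page. The link only broke because the page moved (this same patch renames `overview/solutions/activedirectory.md` to `solutions/activedirectory.md`), so retargeting it to `/docs/threatprevention/7.4/solutions/activedirectory.md` keeps the navigation instead of dropping it.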
@@ -29,16 +29,16 @@ solutions and associated licensed modules are:
- GPO Lockdown
- GPO Setting Changes
-[ Enterprise Password Enforcer](/docs/threatprevention/7.4/overview/solutions/epe.md)
+**Enterprise Password Enforcer**
- Password Enforcement
-[Exchange](/docs/threatprevention/7.4/overview/solutions/exchange.md)
+**Exchange**
- Exchange Events
- Exchange Lockdown
-[File System](/docs/threatprevention/7.4/overview/solutions/filesystem.md)
+**File System**
- File System
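Review bot: the three links removed in this hunk (`epe.md`, `exchange.md`, `filesystem.md`) all have valid new targets under `/docs/threatprevention/7.4/solutions/` after the renames elsewhere in this patch, so retargeting them would preserve navigation that plain bold labels lose. The removed `[ Enterprise Password Enforcer]` also had a stray leading space inside the brackets, which the replacement text correctly drops.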
@@ -46,7 +46,7 @@ solutions and associated licensed modules are:
- Includes Monitoring for supported NAS devices
- Includes Monitoring file system for integration with Access Analyzer
-[LDAP](/docs/threatprevention/7.4/overview/solutions/ldap.md)
+**LDAP**
- LDAP Monitoring
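Review bot: `**LDAP**` unlinks a page that still exists after this patch's rename (`/docs/threatprevention/7.4/solutions/ldap.md`); updating the link target rather than removing the link keeps the overview usable as an index of the solutions.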
diff --git a/docs/threatprevention/7.4/troubleshooting/agentcommunication.md b/docs/threatprevention/7.4/troubleshooting/agentcommunication.md
index c4901e5171..671d53f788 100644
--- a/docs/threatprevention/7.4/troubleshooting/agentcommunication.md
+++ b/docs/threatprevention/7.4/troubleshooting/agentcommunication.md
@@ -36,4 +36,4 @@ need to be set manually.
The default location of the `SIWindowsAgent.exe.config` file is:
-…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent
+**…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent**
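Review bot: a file system path should be an inline code span, not bold text: the context line directly above already writes `SIWindowsAgent.exe.config` in backticks, so `**…\Netwrix\Netwrix Threat Prevention\SIWindowsAgent**` is inconsistent with it, and a code span renders the path verbatim where bold invites the reader to treat it as emphasis.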
diff --git a/docs/threatprevention/7.4/troubleshooting/agentservice.md b/docs/threatprevention/7.4/troubleshooting/agentservice.md
index 8d2ba05873..7b87e1942e 100644
--- a/docs/threatprevention/7.4/troubleshooting/agentservice.md
+++ b/docs/threatprevention/7.4/troubleshooting/agentservice.md
@@ -25,9 +25,12 @@ Follow the steps to modify the ServicesPipeTimeout value.
**Step 3 –** In the right pane, select **ServicesPipeTimeout**.
-**NOTE:** If the ServicesPipeTimeout entry does not exist, you must create it. See the
+:::note
+If the ServicesPipeTimeout entry does not exist, you must create it. See the
[Create the ServicesPipeTimeout Entry](#create-the-servicespipetimeout-entry) topic for additional
information.
+:::
+
**Step 4 –** Right-click **ServicesPipeTimeout** and click **Modify**. This opens the Edit Value
window.
diff --git a/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md b/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md
index ac928c5311..cf7e04c277 100644
--- a/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md
+++ b/docs/threatprevention/7.4/troubleshooting/enterprisemanagercommunication.md
@@ -14,11 +14,14 @@ If you use the IP address (localhost IP or corresponding IP) when installing the
Console or Agent, and then configure custom managed certificates for Enterprise Manager and the
Agent, the console and Agent will fail to connect to Enterprise Manager.
-**NOTE:** To configure custom managed certificates for the Enterprise Manager and the Agent, see the
+:::note
+To configure custom managed certificates for the Enterprise Manager and the Agent, see the
[Certificate Management Wizard](/docs/threatprevention/7.4/install/certificatemanagementwizard.md)
and
[Create Custom Managed Certificates for Each Agent](/docs/threatprevention/7.4/install/agent/manual/customcert.md)
topics respectively.
+:::
+
You must provide the Enterprise Manager server DNS name when you install the following:
diff --git a/docs/threatprevention/7.4/troubleshooting/exchangelockdown.md b/docs/threatprevention/7.4/troubleshooting/exchangelockdown.md
index 71bc7106c2..8888351a41 100644
--- a/docs/threatprevention/7.4/troubleshooting/exchangelockdown.md
+++ b/docs/threatprevention/7.4/troubleshooting/exchangelockdown.md
@@ -43,7 +43,7 @@ policy:
- Block Attributes – publicDelegates
-Impact of Lockdown Policies
+**Impact of Lockdown Policies**
When both the Exchange Lockdown policy and the Active Directory Lockdown policy are enabled,
performing delegation or folder permission changes will result in warnings.
diff --git a/docs/threatprevention/7.4/troubleshooting/lsass.md b/docs/threatprevention/7.4/troubleshooting/lsass.md
index a84bf7b5f6..6d62728231 100644
--- a/docs/threatprevention/7.4/troubleshooting/lsass.md
+++ b/docs/threatprevention/7.4/troubleshooting/lsass.md
@@ -38,12 +38,15 @@ Administration Console. In this case, the console will first check if the Agent
‘manual start’ mode. If yes, then the SI Agent service is set back to ‘automatic start’ mode and
restarted, restoring normal operation.
-**NOTE:** It is necessary to register a primary and a secondary technical contact for your
+:::note
+It is necessary to register a primary and a secondary technical contact for your
orgaization with Netwrix throughout the lifetime of Threat Prevention usage. Netwrix will issue
notifications to these registered technical contacts related to Microsoft-issued KBs affecting LSASS
and the counter patch (if one is needed). Contact the organization’s Netwrix Sales Representative or
[](mailto:support@stealthbits.com)[Netwrix Support](https://www.netwrix.com/support.html) to ensure
that these contacts have been registered.
+:::
+
Prior to Microsoft releasing a KB that alters the LSASS components in a manner that causes a
conflict with the Agent, Netwrix will first send a notification informing the registered technical
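Review bot: two defects in this hunk's context lines are worth fixing while the note is being rewrapped: `orgaization` is misspelled, and `[](mailto:support@stealthbits.com)` is a link with empty text that renders as nothing yet still points at the pre-rebranding stealthbits.com address right next to the `[Netwrix Support](https://www.netwrix.com/support.html)` link; either give it visible text and the current support address or remove it.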
@@ -54,8 +57,11 @@ or more prior to Microsoft issuing the incompatible KB.
Since this requires the Threat Prevention administrator to take action, there is an Operations alert
specific to this event.
-**_RECOMMENDED:_** Enable the _LSASS process terminated_ alert under Operations on the
+:::info
+Enable the _LSASS process terminated_ alert under Operations on the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
+:::
+
The Agent can be enabled with a safe mode, which would prevent the Active Directory monitoring
module of the Agent from loading if any LSASS change is detected. See the
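Review bot: converting `**_RECOMMENDED:_** Enable the _LSASS process terminated_ alert ...` into a bare `:::info` loses the recommendation label, which matters here because enabling this alert is the only way an administrator learns that an Agent has stopped monitoring after an LSASS-affecting KB; `:::tip Recommended` (or `:::info Recommended`) keeps that signal.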
@@ -67,10 +73,13 @@ topic for additional information.
Follow the steps to enable email notifications for the _LSASS process terminated_ alert under
Operations.
-**NOTE:** These steps require the Threat Prevention administrator user role. They also assume that
+:::note
+These steps require the Threat Prevention administrator user role. They also assume that
the SMTP host information has been configured and email alerts have been enabled. See the
[Configure SMTP Host Information](/docs/threatprevention/7.4/admin/configuration/systemalerting/email.md#configure-smtp-host-information)
topic for additional information
+:::
+
**Step 1 –** Click **Configuration** > **Alerts** on the menu to open the
[System Alerting Window](/docs/threatprevention/7.4/admin/configuration/systemalerting/overview.md).
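Review bot: the context line `topic for additional information` inside the new `:::note` is missing its terminating period; every other "See the ... topic for additional information." sentence in this patch ends with one.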
diff --git a/docs/threatprevention/7.4/troubleshooting/msilogs.md b/docs/threatprevention/7.4/troubleshooting/msilogs.md
index 8a1432780d..f2387c41d0 100644
--- a/docs/threatprevention/7.4/troubleshooting/msilogs.md
+++ b/docs/threatprevention/7.4/troubleshooting/msilogs.md
@@ -18,7 +18,7 @@ Every install process of Threat Prevention creates several log files:
Following is an example of an Agent installation console command specifying logging in the current
directory to a log file called _SIAgentLog.log_:
-SI Agent.exe” /L SIAgentLog.log
+**SI Agent.exe” /L SIAgentLog.log**
An installation of the Agent on a 64-bit system where .NET Framework 4.7 or higher is not installed
generates two log files:
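Review bot: `**SI Agent.exe” /L SIAgentLog.log**` is a console command and belongs in a fenced code block or inline code span, not bold; it also contains an unmatched closing quote `”` with no opening quote before `SI Agent.exe`, and if the reader is meant to paste the command the quotes should be straight ASCII `"` rather than typographic ones.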
@@ -26,7 +26,10 @@ generates two log files:
- Log for “SI Agent.exe” – This log file has the smallest size and is a good starting point
- Log for “SI Agent.msi” x64 version
- **NOTE:** Threat Prevention v7.4 only supports x64 version.
+ :::note
+ Threat Prevention v7.4 only supports x64 version.
+ :::
+
Open the Registry Editor (regedit) to enable Windows Installer logging, and then create or modify
the following:
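Review bot: the nested `:::note` under the `- Log for “SI Agent.msi” x64 version` bullet is indented by a single space; CommonMark requires nested content to be indented to the bullet's content column (two spaces for `- `), so verify that the admonition renders inside the list item rather than terminating the list. The note text `only supports x64 version` also wants an article: `only supports the x64 version`.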
@@ -42,7 +45,7 @@ to a log in the `%TEMP%` folder. Although the new log's file name will be random
three letters will be "MSI" and it will have the “.log” extension. Type the following line at a
command prompt to locate the Temp folder:
-cd %temp%
+**cd %temp%**
When performing remote Agent deployment using the Administration Console, log files can be found in
the `C:\Windows\Temp` folder on the target Agent machine. See the
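Review bot: `**cd %temp%**` is a command the reader types at a prompt; the surrounding context already uses code spans for `%TEMP%` and `C:\Windows\Temp`, so this should be inline code or a fenced block rather than bold.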
diff --git a/docs/threatprevention/7.4/troubleshooting/overview.md b/docs/threatprevention/7.4/troubleshooting/overview.md
index 68b37c679b..442ee6aa23 100644
--- a/docs/threatprevention/7.4/troubleshooting/overview.md
+++ b/docs/threatprevention/7.4/troubleshooting/overview.md
@@ -11,7 +11,7 @@ consideration when using the Administration Console.
## Best Practices
-Best Practice #1 – Collect What You Need, NOT Everything
+**Best Practice #1 – Collect What You Need, NOT Everything**
While Threat Prevention is capable of collecting many events, it is recommended to carefully scope
policies, e.g. admin group membership, finance data access, or VIP mailbox non-owner logons.
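Review bot: under the `## Best Practices` heading, `**Best Practice #1 – Collect What You Need, NOT Everything**` is a sub-section title, so `### Best Practice #1 – ...` is the structurally correct form; bold text gets neither an anchor nor a table-of-contents entry, and the same choice applies to practices #2 through #5 converted the same way further down this file.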
@@ -28,14 +28,14 @@ blocking:
- C-Level accounts and mailboxes
- Users and data that may be used or accessed suspiciously, or may be compromised
-Best Practice #2 – Database Maintenance? Use It!
+**Best Practice #2 – Database Maintenance? Use It!**
The
[Database Maintenance Window](/docs/threatprevention/7.4/admin/configuration/databasemaintenance/overview.md)
enables you to set options that automatically groom the database to optimize performance.
Whether choosing to archive or delete data, this is always a good feature to enable.
-Best Practice #3 – Analytics? Turn on One at a Time & Tune
+**Best Practice #3 – Analytics? Turn on One at a Time & Tune**
Analytics provide organizations with the ability to capture and analyze authentication or file
system traffic. The best way to employ analytics is to turn on one at a time and then ‘tune’ it to
@@ -43,14 +43,14 @@ the targeted environment before turning on another. Each environment generates u
or file system ‘noise’ that can be filtered out by adjusting triggers and filters. Once the analytic
is in tune with the environment, move to the next one desired.
-Best Practice #4 – Monitor before Blocking
+**Best Practice #4 – Monitor before Blocking**
The lockdown event types are used to block events. When configuring a blocking policy, it is always
a best practice to configure and enable a monitoring policy with the desired filters first as a
trial run. This will allow you to ensure the filters set will block events the way they were
intended. Once the desired filters are confirmed, then the blocking policy is good-to-go.
-Best Practice #5 – File System ‘Read’ Monitoring, in Moderation
+**Best Practice #5 – File System ‘Read’ Monitoring, in Moderation**
It is recommended to limit the use of monitoring Read events within a file system to those files
containing very sensitive data (e.g. super-secret blends of herbs and spices, launch codes, etc.).
@@ -61,27 +61,32 @@ The volume of Read events in most environments can fill the Threat Prevention da
The following information provides basic troubleshooting techniques and frequently asked questions
(FAQs) for the Administration Console users.
-FAQ: Microsoft just released a security bulletin that impacts LSASS. How do I know if the Microsoft
-KB will affect the Agent instrumentation?
+**FAQ: Microsoft just released a security bulletin that impacts LSASS. How do I know if the Microsoft KB will affect the Agent instrumentation?**
The Agent has been configured to monitor LSASS after a reboot (triggered by the Microsoft KB). If
LSASS stops shortly after a reboot (default within five minutes), then the Agent will be stopped and
the Agent service will be changed to manual start.
-**_RECOMMENDED:_** Reach out to [Netwrix Support](https://www.netwrix.com/support.html) prior to
+:::info
+Reach out to [Netwrix Support](https://www.netwrix.com/support.html) prior to
restarting the Agent, as a hotfix may exist which will prevent future issues with that Microsoft
Security Bulletin.
+:::
+
Threat Prevention sends the _LSASS process terminated_ alert when the LSASS process stops shortly
after a reboot. The Agent stops and all monitoring/blocking by that Agent will be stopped. To
resolve the issue, the Threat Prevention administrator should check if the Agent service is set to
manual start. The most likely solution is to upgrade to the latest version of the Agent.
-**_RECOMMENDED:_** Activate an email notification for the _LSASS process terminated_ alert. See the
+:::info
+Activate an email notification for the _LSASS process terminated_ alert. See the
[Enable the 'LSASS Process Terminated' Email Alert](/docs/threatprevention/7.4/troubleshooting/lsass.md#enable-the-lsass-process-terminated-email-alert)
topic for additional information.
+:::
+
-FAQ: The user interface is not displaying correctly and windows are cut off. What should I do?
+**FAQ: The user interface is not displaying correctly and windows are cut off. What should I do?**
If any of the dialogs in the Administration Console have buttons or other user interface (UI)
elements hidden or partially hidden, then you are advised to reduce their Windows font size. For
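Review bot: each FAQ question is collapsed onto one long bold line while the rest of the file wraps at roughly 100 columns; that renders fine, but `### FAQ: ...` headings would make each answer linkable, which is useful for an LSASS troubleshooting entry that other pages in this patch point readers to. As elsewhere, the two `:::info` blocks here drop the `RECOMMENDED` label; a titled admonition such as `:::tip Recommended` keeps it.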
@@ -89,14 +94,14 @@ example, some high resolution laptops may have their system font size set to a d
In such cases it may be necessary to change this to “Small” for all dialogs in theconsole to be
displayed fully.
-FAQ: How are Active Directory and Authentication raw events handled by Threat Prevention?
+**FAQ: How are Active Directory and Authentication raw events handled by Threat Prevention?**
There are two streams of data with their own memory buffers: one for Active Directory and another
for Authentication traffic. This allows the Active Directory event data to flow without interruption
even if there is a flood of Authentication traffic. A flood in Authentication traffic could result
in a loss of Authentication event data. However, this will not impact Active Directory event data.
-FAQ: How can I prevent flooding the memory with authentication traffic?
+**FAQ: How can I prevent flooding the memory with authentication traffic?**
The options in the
[Event Filtering Configuration Window](/docs/threatprevention/7.4/admin/configuration/eventfilteringconfiguration.md)
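Review bot: the context line `In such cases it may be necessary to change this to “Small” for all dialogs in theconsole to be` is missing a space in `theconsole`; worth fixing alongside the heading changes in this hunk.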
diff --git a/docs/threatprevention/7.4/overview/whatsnew.md b/docs/threatprevention/7.4/whatsnew.md
similarity index 92%
rename from docs/threatprevention/7.4/overview/whatsnew.md
rename to docs/threatprevention/7.4/whatsnew.md
index 7fb946d777..6ea8a74387 100644
--- a/docs/threatprevention/7.4/overview/whatsnew.md
+++ b/docs/threatprevention/7.4/whatsnew.md
@@ -1,7 +1,7 @@
---
title: "What's New"
description: "What's New"
-sidebar_position: 20
+sidebar_position: 3
---
# What's New
@@ -20,7 +20,7 @@ Threat Prevention version.
This release contains the following new features and enhancements.
-Rebranding
+**Rebranding**
Netwrix StealthINTERCEPT is now Netwrix Threat Prevention. As part of rebranding:
@@ -38,14 +38,14 @@ Netwrix StealthINTERCEPT is now Netwrix Threat Prevention. As part of rebranding
| SBTService | Netwrix Windows File Monitoring Service |
| SIEnterpriseManager | Netwrix Threat Prevention Enterprise Manager |
-Remote Administration Console Instances
+**Remote Administration Console Instances**
Threat Prevention supports the deployment of remote Administration Console, enabling you to install
additional consoles on standalone machines, like administrator or user workstations. In this way,
users can launch the Administration Console on their workstations, as an alternate to using it on
the Enterprise Manager server only.
-EPE (Enterprise Password Enforcer) Updates
+**EPE (Enterprise Password Enforcer) Updates**
- EPE Multi-Language Support – EPE now offers multi-language support, ensuring users receive clear
and consistent password rejection messages regardless of their location. This simplifies password
@@ -71,13 +71,13 @@ EPE (Enterprise Password Enforcer) Updates
REST server to verify passwords against your EPE rules, ensuring consistent password strength
across all your systems.
-LDAP Bind Detection
+**LDAP Bind Detection**
A new event type, LDAP Bind, has been introduced that enables you to monitor suspicious attempts to
connect (bind) to your LDAP server, so you can promptly detect unauthorized access attempts or
malware activity.
-Improved FSMO Role Monitoring
+**Improved FSMO Role Monitoring**
Get a clear view of which domain controller holds critical FSMO roles at any given time.
@@ -90,7 +90,7 @@ In this way, you can easily track FSMO role changes to quickly identify potentia
unauthorized modifications. These additions provide comprehensive visibility into FSMO role
assignments, empowering users with real-time insights for proactive Active Directory management.
-Up-to-date IP Blocking with Automatic DNS Refresh
+**Up-to-date IP Blocking with Automatic DNS Refresh**
Regularly refreshed DNS ensures the blocking rules set in policies always have up-to-date IP
addresses.
@@ -100,37 +100,40 @@ DNS refresh, which is set to four hours. That's how often it will resolve the DN
names that are in filters for blocking rules and get fresh IP values; then send them down to the
Agents.
-More Accurate Activity Source Reporting
+**More Accurate Activity Source Reporting**
Improved attribution of actions performed through Active Directory Web Services such as when
initiated by PowerShell; the system can identify and report the true source of changes (initiating
perpetrator) rather than the proxy service (AD Web Service account).
-Streamlined Agent Management
+**Streamlined Agent Management**
- Eliminated WMI access requirement for the Soften and Harden operations for the Agent
- Improved Agent self-upgrade process, optimized for low-bandwidth connections
-Simplified Setup and Configuration
+**Simplified Setup and Configuration**
- The custom-signed certificate wizard has been unified into a single component. This consolidated
certificate management has eliminated the need for separate .key.pem and .crt.pem files.
- Removed Web Console and Web Scheduler options from DBConfig.
-Netwrix Threat Manager Policy Template Improvements
+**Netwrix Threat Manager Policy Template Improvements**
- Added more LDAP filters for BloodHound Detection
- Added options for NTDS.dit file monitoring
- Added options for DPAPI threat detection, which is an Active Directory Read monitoring policy on
the secret class and currentvalue attribute
-Security Improvements
+**Security Improvements**
Security infrastructure improvements are the primary focus of the 7.4 release.
- The Enterprise Manager (server) is backwards compatible with the 7.3.9 Agent only.
- **NOTE:** Existing customers must upgrade to SI 7.3.9 first; else pre 7.3.9 Agents are orphaned
+ :::note
+ Existing customers must upgrade to SI 7.3.9 first; else pre 7.3.9 Agents are orphaned
+ :::
+
- Replaced insecure BinaryFormatter with more secure ProtoBuf over encrypted gRPC connection. The
Enterprise Manager in v7.4 talks over the new interface in 7.3.9 Agents.
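Review bot: the nested `:::note` under `The Enterprise Manager (server) is backwards compatible with the 7.3.9 Agent only.` is indented by one space, less than the two the `- ` bullet needs for nested content, so verify it renders inside the list item and does not break the list before the `Replaced insecure BinaryFormatter` bullet. The note's wording `else pre 7.3.9 Agents are orphaned` is terse for an upgrade-ordering warning; `otherwise Agents older than 7.3.9 are orphaned` reads clearer, and `SI 7.3.9` would be clearer as `StealthINTERCEPT 7.3.9` given this page's own Rebranding section.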
@@ -163,6 +166,6 @@ The Netwrix Threat Manager Reporting Module comes with more precise role-based a
managing reporting and investigations, ensuring that only authorized users have access to sensitive
information.
-Updated Investigations Interface
+**Updated Investigations Interface**
The Investigations interface now has an improved design for a more intuitive user experience.
diff --git a/docs/threatprevention/7.5/admin/navigation/overview.md b/docs/threatprevention/7.5/admin/navigation/overview.md
index 7978ad42ff..4ca147142a 100644
--- a/docs/threatprevention/7.5/admin/navigation/overview.md
+++ b/docs/threatprevention/7.5/admin/navigation/overview.md
@@ -40,26 +40,26 @@ The Menu contains the following selections:

-| Menu Item | Option | Description |
-| ------------- | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| File | New | Create new policies (Ctrl+P), new templates (Ctrl+T), or new folders (Ctrl+F) in the selected location of the Policy Center |
-| | Rename | Opens a textbox to rename the selected policy, template, or folder in the Policy Center |
-| | Remove | Removes the selected policy, template, or folder from the Policy Center |
-| | Exit | Exit the Administration Console |
-| Tools | Export … | Export (Alt+X) policies and templates through the [Export Policies and Templates Window](/docs/threatprevention/7.5/admin/tools/exportpoliciestemplates.md) |
-| | Import … | Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the [Import Window](/docs/threatprevention/7.5/admin/tools/import.md) |
-| Configuration | Alerts | Configure and manage all email, event log, and SEIM alerts in the [System Alerting Window](/docs/threatprevention/7.5/admin/configuration/systemalerting/overview.md) |
-| | Users | A security feature for configuring access to the Administration Console. Users are added and assigned rights through the [Users and Roles Window](/docs/threatprevention/7.5/admin/configuration/userroles/overview.md). |
-| | Database > Server | Manage the events database in the [Events Database Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventsdatabaseconfiguration.md). You can view the information, but cannot make changes. |
-| | Database > Maintenance | Use database maintenance to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the [Database Maintenance Window](/docs/threatprevention/7.5/admin/configuration/databasemaintenance/overview.md). |
-| | Collections | Manage all Microsoft Collections in the [Collection Manager Window](/docs/threatprevention/7.5/admin/configuration/collectionmanager/overview.md) |
-| | Event Filtering | Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from machine accounts. Both settings are ON by default. It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md). |
-| | Netwrix Threat Manager Configuration | Enables integration between Threat Prevention and Threat Manager in a global setting. The Threat Manager URI is set in the [Netwrix Threat Manager Configuration Window](/docs/threatprevention/7.5/admin/configuration/threatmanagerconfiguration.md). Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to Threat Manager. |
-| | File Monitor Settings | Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for Threat Prevention file monitoring and blocking policies in a global setting. These options are set in the [File Monitor Settings Window](/docs/threatprevention/7.5/admin/configuration/filemonitorsettings.md). |
-| | EPE Settings | Manages the Have I Been Pwned password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the [EPE Settings Window](/docs/threatprevention/7.5/admin/configuration/epesettings.md). |
-| Help | Administration Console Help | Opens the internal help documentation |
-| | License Manager | Opens the Threat Prevention [License Manager Window](/docs/threatprevention/7.5/admin/navigation/licensemanager.md) where the customer name, license expiry date, and licensed modules are displayed |
-| | About Netwrix Threat Prevention Administration Console | Opens the Administration Console window where the product version, copyright, and the Netwrix website link are displayed |
+| Menu Item | Option | Description |
+| ------------- | ------------------- | ------------------- |
+| File | New | Create new policies (Ctrl+P), new templates (Ctrl+T), or new folders (Ctrl+F) in the selected location of the Policy Center |
+| | Rename | Opens a textbox to rename the selected policy, template, or folder in the Policy Center |
+| | Remove | Removes the selected policy, template, or folder from the Policy Center |
+| | Exit | Exit the Administration Console |
+| Tools | Export … | Export (Alt+X) policies and templates through the [Export Policies and Templates Window](/docs/threatprevention/7.5/admin/tools/exportpoliciestemplates.md) |
+| | Import … | Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the [Import Window](/docs/threatprevention/7.5/admin/tools/import.md) |
+| Configuration | Alerts | Configure and manage all email, event log, and SEIM alerts in the [System Alerting Window](/docs/threatprevention/7.5/admin/configuration/systemalerting/overview.md) |
+| | Users | A security feature for configuring access to the Administration Console. Users are added and assigned rights through the [Users and Roles Window](/docs/threatprevention/7.5/admin/configuration/userroles/overview.md). |
+| | Database > Server | Manage the events database in the [Events Database Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventsdatabaseconfiguration.md). You can view the information, but cannot make changes. |
+| | Database > Maintenance | Use database maintenance to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the [Database Maintenance Window](/docs/threatprevention/7.5/admin/configuration/databasemaintenance/overview.md). |
+| | Collections | Manage all Microsoft Collections in the [Collection Manager Window](/docs/threatprevention/7.5/admin/configuration/collectionmanager/overview.md) |
+| | Event Filtering | Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from machine accounts. Both settings are ON by default. It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md). |
+| | Netwrix Threat Manager Configuration | Enables integration between Threat Prevention and Threat Manager in a global setting. The Threat Manager URI is set in the [Netwrix Threat Manager Configuration Window](/docs/threatprevention/7.5/admin/configuration/threatmanagerconfiguration.md). Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to Threat Manager. |
+| | File Monitor Settings | Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for Threat Prevention file monitoring and blocking policies in a global setting. These options are set in the [File Monitor Settings Window](/docs/threatprevention/7.5/admin/configuration/filemonitorsettings.md). |
+| | EPE Settings | Manages the Have I Been Pwned password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the [EPE Settings Window](/docs/threatprevention/7.5/admin/configuration/epesettings.md). |
+| Help | Administration Console Help | Opens the internal help documentation |
+| | License Manager | Opens the Threat Prevention [License Manager Window](/docs/threatprevention/7.5/admin/navigation/licensemanager.md) where the customer name, license expiry date, and licensed modules are displayed |
+| | About Netwrix Threat Prevention Administration Console | Opens the Administration Console window where the product version, copyright, and the Netwrix website link are displayed |
## Policy Center
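Review bot: "SEIM alerts" in the Configuration > Alerts row should read "SIEM alerts"; since this hunk rewrites the whole table, fix the spelling in the same change. In the same table, the Database > Server row opens with "Manage the events database" and then says "You can view the information, but cannot make changes", which contradicts itself; suggest "View the events database settings in the [Events Database Configuration Window](...)" so a read-only window is not described as a management option.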
diff --git a/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md b/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md
index 11bb4cac22..dc9f6c3416 100644
--- a/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md
+++ b/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md
@@ -15,8 +15,8 @@ From the Agents node, the right-click menu can be used to install the Agent.

-| Right-Click Command | Description |
-| ------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| Right-Click Command | Description |
+| ------------------- | ----------------------- |
| Install Agent | Opens the [Deploy Agents Wizard](/docs/threatprevention/7.5/admin/agents/deploy/overview.md#deploy-agents-wizard) |
**Saved ‘Filtered Investigate’ Nodes**
@@ -47,14 +47,14 @@ From a Folder node, the right-click menu contains these commands.

-| Right-Click Command | Description |
-| ----------------------- | ----------------------------------------------------------------------------------------------------- |
+| Right-Click Command | Description |
+| ----------------------- | ---------------------- |
| New — Policy (Crtl+P) | Creates a new policy in the selected location. Only available for folders under the Policies node. |
| New — Template (Crtl+T) | Creates a new template in the selected location. Only available for folders under the Templates node. |
-| New — Folder (Crtl+F) | Creates a new folder in the selected location |
-| Rename | Opens a textbox to rename the selected folder |
-| Remove | Deletes the selected folder |
-| Paste | Pastes a copied policy/template into the selected folder |
+| New — Folder (Crtl+F) | Creates a new folder in the selected location |
+| Rename | Opens a textbox to rename the selected folder |
+| Remove | Deletes the selected folder |
+| Paste | Pastes a copied policy/template into the selected folder |
:::note
If the logged in user does not have the **Manage Policies** permissions for a protected
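Review bot: the three New rows keep the "Crtl" typo ("New — Policy (Crtl+P)", "New — Template (Crtl+T)", "New — Folder (Crtl+F)"), and the Folder row is rewritten in this hunk without correcting it; the File > New row of the Administration Console menu table in this same patch spells the shortcuts Ctrl+P, Ctrl+T and Ctrl+F, so align these rows with that. Also consider a blank line between the last table row and the `:::note` line so the admonition is not parsed as a trailing table row.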
@@ -62,20 +62,19 @@ policy, these options are grayed-out. See the [Policies Interface](/docs/threatp
for additional information on protection.
:::
-
-`` and `` Nodes
+**<Policy Name> and <Template Name>**
From the node for a specific policy or template, the right-click menu contains these commands.

-| Right-Click Command | Description |
-| ------------------- | -------------------------------------------------------------------------------------------------------------------------- |
-| Rename | Opens a textbox to rename the selected policy/template |
-| Remove | Deletes the selected policy/template |
-| Enable | Enables the selected policy. Only available for policies. |
-| Disable | Disables the selected policy. Only available for policies. |
-| Copy | Copies the selected policy/template |
+| Right-Click Command | Description |
+| ------------------- | ------------------------- |
+| Rename | Opens a textbox to rename the selected policy/template |
+| Remove | Deletes the selected policy/template |
+| Enable | Enables the selected policy. Only available for policies. |
+| Disable | Disables the selected policy. Only available for policies. |
+| Copy | Copies the selected policy/template |
| Cut | Copies the selected policy/template. Then it deletes the selected policy/template when the copy is pasted to a new folder. |
:::note
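Review bot: `**<Policy Name> and <Template Name>**` uses raw angle brackets; if these pages are built as MDX (the `:::note` admonitions suggest Docusaurus), `<Policy Name>` is parsed as an unclosed JSX tag and breaks the build. Escape the brackets (`\<Policy Name\>`) or use `&lt;Policy Name&gt;`. The hunk also drops the blank line that separated the closing `:::` from this heading (the hunk header goes from 20 lines to 19), leaving `:::` directly followed by the bold heading; keep the blank line so the admonition closes cleanly before the next block.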
@@ -91,11 +90,11 @@ From the Tags node, the right-click menu contains these commands.

-| Right-Click Command | Description |
-| ------------------- | -------------------------------------------------------------------------------------------------------- |
+| Right-Click Command | Description |
+| ------------------- | ------------------------- |
| Refresh | Refreshes the tag folders to display any new tags or any templates newly associated with an existing tag |
-`` Node under Tags
+**<Template Name> Node under Tags**
From the template within a folder under the Tags node, the right-click menu contains these commands.
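Review bot: same escaping problem as the Policy/Template heading above: `**<Template Name> Node under Tags**` needs the angle brackets escaped (`\<Template Name\>` or `&lt;Template Name&gt;`) to survive MDX parsing.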
@@ -113,21 +112,21 @@ A right-click menu is also available from the column headers of a data grid.
It contains the following selections:
-| Right-Click Command | Description |
-| --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Full Expand | Expands all sections within the data grid. Only available from a grouped column header. |
-| Full Collapse | Collapses all sections within the data grid. Only available from a grouped column header. |
-| Sort Ascending | Sorts data by the selected column in ascending alphanumeric order (A-Z) |
-| Sort Descending | Sorts data by the selected column in descending alphanumeric order (Z-A) |
-| Clear Sorting / Clear All Sorting | Removes sorting from the selected column or removes sorting from all columns |
-| Sort by Summary (Count by [column] – Sort Ascending/Descending) | Sorts ‘grouped’ data by severity count in ascending or descending order. Only available from a grouped column header. |
-| Group by This Column / UnGroup/Clear Grouping | Groups data or clears grouping of data by the selected column |
-| Hide/Show Group by Box | Hides or shows the Group By box where headers can be dragged-and-dropped to group the data |
-| Group Interval | If grouped by the Time column, use this option to group by time intervals (Day, Month, Year, Smart). Only available from a grouped column header. |
-| Hide This Column | Hides the selected column from the data grid. Hidden columns can be returned to the data grid through the Column Chooser option. |
-| Column Chooser | Opens the [Customization Window](/docs/threatprevention/7.5/admin/navigation/datagrid.md#customization-window) where you can add and remove columns from the data grid |
-| Best Fit | Changes column width to fit the data within the selected column |
-| Best Fit (all columns) | Changes column width for all columns to fit the data |
-| Filter Editor | Opens the Filter Editor window (see the [Filter Data](/docs/threatprevention/7.5/admin/navigation/datagrid.md#filter-data) topic) |
-| Show / Hide Find Panel | Shows or hides the Find Panel, which is the search feature (see the [Search Data](/docs/threatprevention/7.5/admin/navigation/datagrid.md#search-data) topic) |
-| Hide / Show Auto Filter Row | Hides or shows the Auto Filter Row between the column headers and the first row of event data |
+| Right-Click Command | Description |
+| --------------------- | --------------- |
+| Full Expand | Expands all sections within the data grid. Only available from a grouped column header. |
+| Full Collapse | Collapses all sections within the data grid. Only available from a grouped column header. |
+| Sort Ascending | Sorts data by the selected column in ascending alphanumeric order (A-Z) |
+| Sort Descending | Sorts data by the selected column in descending alphanumeric order (Z-A) |
+| Clear Sorting / Clear All Sorting | Removes sorting from the selected column or removes sorting from all columns |
+| Sort by Summary (Count by [column] – Sort Ascending/Descending) | Sorts ‘grouped’ data by severity count in ascending or descending order. Only available from a grouped column header. |
+| Group by This Column / UnGroup/Clear Grouping | Groups data or clears grouping of data by the selected column |
+| Hide/Show Group by Box | Hides or shows the Group By box where headers can be dragged-and-dropped to group the data |
+| Group Interval | If grouped by the Time column, use this option to group by time intervals (Day, Month, Year, Smart). Only available from a grouped column header. |
+| Hide This Column | Hides the selected column from the data grid. Hidden columns can be returned to the data grid through the Column Chooser option. |
+| Column Chooser | Opens the [Customization Window](/docs/threatprevention/7.5/admin/navigation/datagrid.md#customization-window) where you can add and remove columns from the data grid |
+| Best Fit | Changes column width to fit the data within the selected column |
+| Best Fit (all columns) | Changes column width for all columns to fit the data |
+| Filter Editor | Opens the Filter Editor window (see the [Filter Data](/docs/threatprevention/7.5/admin/navigation/datagrid.md#filter-data) topic) |
+| Show / Hide Find Panel | Shows or hides the Find Panel, which is the search feature (see the [Search Data](/docs/threatprevention/7.5/admin/navigation/datagrid.md#search-data) topic) |
+| Hide / Show Auto Filter Row | Hides or shows the Auto Filter Row between the column headers and the first row of event data |
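Review bot: since every row of this table is rewritten, normalize the slash spacing in the command names, which currently mixes "Hide/Show Group by Box", "Show / Hide Find Panel", "Hide / Show Auto Filter Row" and "UnGroup/Clear Grouping"; pick one form (for example "Hide / Show") for all of them so the column reads as a consistent list of UI labels.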
diff --git a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json
index 3c61e0c0fe..0c5ce7183e 100644
--- a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json
+++ b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json
@@ -1,5 +1,5 @@
{
- "label": "File System Changes Event Type",
+ "label": "File System Changes",
"position": 110,
"collapsed": true,
"collapsible": true,
diff --git a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json
index f970f948de..518180ac4d 100644
--- a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json
+++ b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json
@@ -1,5 +1,5 @@
{
- "label": "LDAP Monitoring Event Type",
+ "label": "LDAP Monitoring",
"position": 160,
"collapsed": true,
"collapsible": true,
diff --git a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json
index 9b94b8a5f6..015aef89e4 100644
--- a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json
+++ b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json
@@ -1,5 +1,5 @@
{
- "label": "Password Enforcement Event Type",
+ "label": "Password Enforcement",
"position": 210,
"collapsed": true,
"collapsible": true,
diff --git a/docs/threatprevention/7.5/admin/templates/folder/activedirectory.md b/docs/threatprevention/7.5/admin/templates/folder/activedirectory.md
index 152d23da21..babab620ed 100644
--- a/docs/threatprevention/7.5/admin/templates/folder/activedirectory.md
+++ b/docs/threatprevention/7.5/admin/templates/folder/activedirectory.md
@@ -77,7 +77,7 @@ being locked down or blocked.
| Template | Description | TAGS |
| ------------------------- | -------------------------- | ---- |
| AD Replication Lockdown | USE CAUTION WITH ALL LOCKDOWN TEMPLATES
Prevents Active Directory data synchronization requests from non-domain controllers using RPC call IDL_DRSGetNCChanges. Add legitimate domain controllers to be inored in one of the following ways to prevent them from being blocked: - Allow Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers
- Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers
See the [AD Replication Lockdown Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationlockdown.md) topic for additional information. | None |
-| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored. Alternatively, add legitimate domain controllers to be ignored in one of the following ways: - Exclude Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers
- Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers
See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None |
+| AD Replication Monitoring | Utilizes the built-in “Domain Controllers” – Hosts Collection. Add domain controllers to not be monitored.
Alternatively, add legitimate domain controllers to be ignored in one of the following ways: - Exclude Perpetrators List – Add the Users OU > Domain Controllers group and any other groups with domain controllers for a dynamic list of domain controllers
- Exclude Domains/Servers – Add specific domain controllers for a static list of domain controllers
See the [AD Replication Monitoring Event Type](/docs/threatprevention/7.5/admin/policies/configuration/eventtype/adreplicationmonitoring.md) topic for additional information. | None |
**Server-Workstation Folder**
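Review bot: the rewritten AD Replication Monitoring row now splits its Description cell across four lines, and GFM tables do not support multi-line cells, so everything after "not be monitored." falls out of the table as plain text (the AD Replication Lockdown row above has the same problem). Put the whole cell on one line and separate the list items with `<br />`, or move the exclusion instructions below the table. While in this table, "Add legitimate domain controllers to be inored" in the Lockdown row should read "ignored".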
diff --git a/docs/threatprevention/7.5/admin/templates/folder/hipaa.md b/docs/threatprevention/7.5/admin/templates/folder/hipaa.md
index 455d1e3355..2e0c1376a9 100644
--- a/docs/threatprevention/7.5/admin/templates/folder/hipaa.md
+++ b/docs/threatprevention/7.5/admin/templates/folder/hipaa.md
@@ -8,7 +8,7 @@ sidebar_position: 30
The HIPAA folder contains the following templates:
-164.306 – Security Standards Folder
+**164.306 – Security Standards Folder**
| Template | Description | TAGS |
| --------------------------------------- | -------------------------- | ---- |
@@ -16,7 +16,7 @@ The HIPAA folder contains the following templates:
| HIPAA: AD Group Type Modifications | No customizations required | None |
| HIPAA: GPO Creations | No customizations required | None |
-164.308 (a)(1)(i) – Security Management Process Folder
+**164.308 (a)(1)(i) – Security Management Process Folder**
| Template | Description | TAGS |
| ----------------------------------- | -------------------------- | ---- |
@@ -30,7 +30,7 @@ The HIPAA folder contains the following templates:
| HIPAA: OU Creations | No customizations required | None |
| HIPPA: OU Deletions | No customizations required | None |
-164.308 (a)(1)(ii) – Implementation Specifications Folder
+**164.308 (a)(1)(ii) – Implementation Specifications Folder**
| Template | Description | TAGS |
| ---------------------------------- | -------------------------- | ---- |
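Review bot: "HIPPA: OU Deletions" in the 164.308 (a)(1)(i) table should read "HIPAA: OU Deletions"; the row is unchanged context here, but the folder heading is being edited in this hunk, so it is a good moment to fix the template name.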
@@ -39,7 +39,7 @@ The HIPAA folder contains the following templates:
| HIPAA: OU Moves or Renames | No customizations required | None |
| HIPAA: OU Security Modifications | No customizations required | None |
-164.308 (a)(3)(i) – Workforce Security Folder
+**164.308 (a)(3)(i) – Workforce Security Folder**
| Template | Description | TAGS |
| ----------------------------------- | -------------------------- | ---- |
@@ -48,7 +48,7 @@ The HIPAA folder contains the following templates:
| HIPAA: AD Group Membership Changes | No customizations required | None |
| HIPAA: AD User Creations | No customizations required | None |
-164.308 (a)(3)(ii) – Authorization and Supervision Folder
+**164.308 (a)(3)(ii) – Authorization and Supervision Folder**
| Template | Description | TAGS |
| ------------------------ | ------------------- | ---- |
@@ -56,7 +56,7 @@ The HIPAA folder contains the following templates:
| HIPAA: WinFS PHI Owner Modifications | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Permission Modifications | Specify the files and/or folders to be monitored | None |
-164.308 (a)(4) – Information Access Management Folder
+**164.308 (a)(4) – Information Access Management Folder**
| Template | Description | TAGS |
| ----------- | -------------------------- | ---- |
@@ -66,20 +66,20 @@ The HIPAA folder contains the following templates:
| HIPAA: WinFS PHI Renames | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Writes | Specify the files and/or folders to be monitored | None |
-164.308 (a)(5)(ii)(C) – Log-In Monitoring Folder
+**164.308 (a)(5)(ii)(C) – Log-In Monitoring Folder**
| Template | Description | TAGS |
| ---------- | -------------- | ---- |
| HIPAA: AD Account Logons | No customizations required. Make sure the Configuration > Event Filtering > Exclude 'Noise' Events option is Off for this policy | None |
| HIPAA: Successful Account Authentications | Gathers successful AD authentications.
Utilizes built-In “Successful Authentications” – Include Perpetrators Collection to define which accounts will be monitored for successful authentications. Add accounts to be monitored to this collection | None |
-164.308 (a)(5)(ii)(D) – Password Management Folder
+**164.308 (a)(5)(ii)(D) – Password Management Folder**
| Template | Description | TAGS |
| ----------------------------------- | -------------------------- | ---- |
| HIPAA: AD User Account Password Set | No customizations required | None |
-164.312 (a)(1) – Access Control Folder
+**164.312 (a)(1) – Access Control Folder**
| Template | Description | TAGS |
| -------------- | ------------ | ---- |
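Review bot: the "HIPAA: Successful Account Authentications" row wraps its Description cell onto a second line ("Utilizes built-In ..."), which GFM renders outside the table; join it onto one line with `<br />` and use "built-in". The "HIPAA: AD Account Logons" row says to turn the Exclude 'Noise' Events option Off "for this policy", but the Administration Console menu table in this same patch describes Configuration > Event Filtering as a global setting that is ON by default; suggest wording such as "this is a global setting that affects all Active Directory policies" so readers understand that disabling it increases event volume everywhere, not just for this template.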
@@ -87,13 +87,13 @@ The HIPAA folder contains the following templates:
| HIPAA: WinFS PHI Owner Modifications | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Permission Modifications | Specify the files and/or folders to be monitored | None |
-164.312 (b) – Audit Controls Folder
+**164.312 (b) – Audit Controls Folder**
| Template | Description | TAGS |
| ------------ | ------------ | ---- |
| HIPAA: WinFS PHI Audit Modifications | Specify the files and/or folders to be monitored | None |
-164.312 (c) – Integrity Folder
+**164.312 (c) – Integrity Folder**
| Template | Description | TAGS |
| ------------------------ | ------------------------------------------------ | ---- |
@@ -101,7 +101,7 @@ The HIPAA folder contains the following templates:
| HIPAA: WinFS PHI Deletes | Specify the files and/or folders to be monitored | None |
| HIPAA: WinFS PHI Renames | Specify the files and/or folders to be monitored | None |
-164.312 (d) – Authentication Folder
+**164.312 (d) – Authentication Folder**
| Template | Description | TAGS |
| -------------- | ---------------- | ---- |
diff --git a/docs/threatprevention/7.5/install/agent/silent.md b/docs/threatprevention/7.5/install/agent/silent.md
index d8e03e9cde..dd5ab8f04c 100644
--- a/docs/threatprevention/7.5/install/agent/silent.md
+++ b/docs/threatprevention/7.5/install/agent/silent.md
@@ -30,23 +30,23 @@ Two of the more useful options are:
The following table details all properties that can be specified to the Agent installer via the
command line.
-| Property Name | Description | Default Value |
-| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| CUSTOM_CA | If this property is set to True, then the custom-managed certificate mode is enabled. This mode uses certificates that are signed by the customer's external certificate authority. In this mode, the installer will not generate certificates and will not start the Agent Service at the end of the installation. | FALSE |
-| EMCERTIFICATE | Enterprise Manager Certificate Thumbprint | This value can be found in the [Agents Interface](/docs/threatprevention/7.5/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.5/admin/agents/agents-windows/enrollmentsecretconfiguration.md). This value is not used for high security mode. |
-| ENROLLMENTSECRET (Required for enrolling new Agent) | Agent Enrollment Secret | This value can be found in the [Agents Interface](/docs/threatprevention/7.5/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.5/admin/agents/agents-windows/enrollmentsecretconfiguration.md). This is a required field if using auto security mode. It is not used for high security mode. |
-| SAFEMODE | Start Agent Service in safe mode | FALSE |
-| STARTAGENTSERVICE | Start Agent Service on successful installation | FALSE |
-| ADDFWRULES | Create firewall rules for the Agent Service | TRUE |
-| INSTALLFOLDER | Agent installation path | …\Program Files \Netwrix\Netwrix Threat Prevention\SIWindowsAgent |
-| PORTNUMBER | Enterprise Manager port value | 3741 |
-| ENTMGR_IPADDRESS Required | Enterprise Manager IP address | 127.0.0.1 |
-| FILE_MONITOR_INSTALL | Windows File System feature | FALSE |
-| AD_MONITOR_INSTALL | Windows Active Directory Events feature | FALSE |
-| EXCHANGE_MONITOR_INSTALL | Exchange Server Monitoring feature | FALSE |
-| DNSLOOKUPS | ‘dnsLookups’ in the SIWindowsAgent.exe file | TRUE |
-| CONFIGPARAMS | Key value pairs used in SIWindowsAgent.exe.config
Example Value:
Key=value&SDEventFormat=PROTOBUF | |
-| LOCALPWNEDDB | HaveIBeenPwned (HIBP) hash Database mode for Agent or Enterprise Manager | FALSE |
+| Property Name | Description | Default Value |
+| ------------ | ---------------- | --------------------- |
+| CUSTOM_CA | If this property is set to True, then the custom-managed certificate mode is enabled. This mode uses certificates that are signed by the customer's external certificate authority. In this mode, the installer will not generate certificates and will not start the Agent Service at the end of the installation. | FALSE |
+| EMCERTIFICATE | Enterprise Manager Certificate Thumbprint | This value can be found in the [Agents Interface](/docs/threatprevention/7.5/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.5/admin/agents/agents-windows/enrollmentsecretconfiguration.md). This value is not used for high security mode. |
+| ENROLLMENTSECRET (Required for enrolling new Agent) | Agent Enrollment Secret | This value can be found in the [Agents Interface](/docs/threatprevention/7.5/admin/agents/overview.md) by clicking the Agent Enrollment Secret icon to open the [Enrollment Secret Configuration Window](/docs/threatprevention/7.5/admin/agents/agents-windows/enrollmentsecretconfiguration.md). This is a required field if using auto security mode. It is not used for high security mode. |
+| SAFEMODE | Start Agent Service in safe mode | FALSE |
+| STARTAGENTSERVICE | Start Agent Service on successful installation | FALSE |
+| ADDFWRULES | Create firewall rules for the Agent Service | TRUE |
+| INSTALLFOLDER | Agent installation path | …\Program Files \Netwrix\Netwrix Threat Prevention\SIWindowsAgent |
+| PORTNUMBER | Enterprise Manager port value | 3741 |
+| ENTMGR_IPADDRESS Required | Enterprise Manager IP address | 127.0.0.1 |
+| FILE_MONITOR_INSTALL | Windows File System feature | FALSE |
+| AD_MONITOR_INSTALL | Windows Active Directory Events feature | FALSE |
+| EXCHANGE_MONITOR_INSTALL | Exchange Server Monitoring feature | FALSE |
+| DNSLOOKUPS | ‘dnsLookups’ in the SIWindowsAgent.exe file | TRUE |
+| CONFIGPARAMS | Key value pairs used in SIWindowsAgent.exe.config
Example Value:
Key=value&SDEventFormat=PROTOBUF | |
+| LOCALPWNEDDB | HaveIBeenPwned (HIBP) hash Database mode for Agent or Enterprise Manager | FALSE |
**Command Line Configuration Examples**
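Review bot: the EMCERTIFICATE and ENROLLMENTSECRET rows put the explanation ("This value can be found in the Agents Interface ...") in the Default Value column while the Description column holds only a label; move that text into Description and leave Default Value as "None (required)" or similar. The CONFIGPARAMS row spans three lines ("Example Value:" / "Key=value&SDEventFormat=PROTOBUF"), which breaks the GFM table; join it with `<br />`. "ENTMGR_IPADDRESS Required" jams the required flag into the property name while ENROLLMENTSECRET uses "(Required for enrolling new Agent)"; use one convention. The INSTALLFOLDER default has a stray space in "Program Files \Netwrix". Finally, since ENROLLMENTSECRET is passed on the command line, a sentence advising readers to protect any deployment scripts or logs that contain it would be a useful addition to this section.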
diff --git a/docs/threatprevention/7.5/requirements/adminconsole.md b/docs/threatprevention/7.5/requirements/adminconsole.md
index 5fbfbc0733..c177478344 100644
--- a/docs/threatprevention/7.5/requirements/adminconsole.md
+++ b/docs/threatprevention/7.5/requirements/adminconsole.md
@@ -1,10 +1,10 @@
---
-title: "Remote Administration Console Machine Requirements"
-description: "Remote Administration Console Machine Requirements"
+title: "Remote Administration Console Requirements"
+description: "Remote Administration Console Requirements"
sidebar_position: 40
---
-# Remote Administration Console Machine Requirements
+# Remote Administration Console Requirements
This topic lists the requirements for the machine where you want to install a remote instance of the
Threat Prevention Administration Console.
diff --git a/docs/threatprevention/7.5/requirements/application.md b/docs/threatprevention/7.5/requirements/application.md
index 370331fafc..369548207c 100644
--- a/docs/threatprevention/7.5/requirements/application.md
+++ b/docs/threatprevention/7.5/requirements/application.md
@@ -29,11 +29,11 @@ Additionally the server must meet these requirements:
These depend on the size of the target environment and whether Analytics will be used.
| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
-| ----------- | ------------------------------ | ------------------------------ | --------------------------- | --------------------------- |
+| ----------- | ------- | ------------- | ------------- | --------- |
| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects |
-| RAM | 128+ GB | 32 GB | 32 GB | 16 GB |
-| Cores | 4+ CPU | 4 CPU | 4 CPU | 4 CPU |
-| Disk Space | 67 GB | 67 GB | 67 GB | 35 GB |
+| RAM | 128+ GB | 32 GB | 32 GB | 16 GB |
+| Cores | 4+ CPU | 4 CPU | 4 CPU | 4 CPU |
+| Disk Space | 67 GB | 67 GB | 67 GB | 35 GB |
:::info
For large environments with Analytics, a physical machine is strongly
diff --git a/docs/threatprevention/7.5/requirements/overview.md b/docs/threatprevention/7.5/requirements/overview.md
index b8df8bc507..d6cc33eb1f 100644
--- a/docs/threatprevention/7.5/requirements/overview.md
+++ b/docs/threatprevention/7.5/requirements/overview.md
@@ -55,7 +55,7 @@ See the following topics for additional information:
See the following topics for additional information:
-- [Remote Administration Console Machine Requirements](/docs/threatprevention/7.5/requirements/adminconsole.md)
+- [Remote Administration Console Requirements](/docs/threatprevention/7.5/requirements/adminconsole.md)
- [EPE Rest Site Requirements](/docs/threatprevention/7.5/requirements/eperestsite.md)
**Target Environment Considerations**
diff --git a/docs/threatprevention/7.5/requirements/ports.md b/docs/threatprevention/7.5/requirements/ports.md
index 80f3a8b58f..61c00eb9ef 100644
--- a/docs/threatprevention/7.5/requirements/ports.md
+++ b/docs/threatprevention/7.5/requirements/ports.md
@@ -26,21 +26,21 @@ information.
The following firewall settings are required for communication with the Enterprise Manager:
-| Communication Direction | Protocol | Ports | Description |
-| ------------------------------------------------------------------------ | ---------------- | ---------- | ------------------------------------------------------ |
-| Inbound Netwrix Threat Prevention Enterprise Manager Agent Communication | gRPC / TCP | 3741 | Inbound Agent Communication |
-| Inbound Netwrix Threat Prevention Enterprise Manager Remote Console | gRPC / TCP | 3740 | Inbound Remote Console Communication |
-| Outbound Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | SQL Server Communication |
-| Outbound Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | SQL Server Communication |
-| Outbound Enterprise Manager to Agents | RPC / TCP | 135 | WMI enabled (optional): required for Agent Auto Deploy |
-| Outbound Enterprise Manager to Agents | DCOM / TCP | 1024-65535 | WMI enabled (optional): required for Agent Auto Deploy |
+| Communication Direction | Protocol | Ports | Description |
+| -------------- | ---------------- | ---------- | ---------- |
+| Inbound Netwrix Threat Prevention Enterprise Manager Agent Communication | gRPC / TCP | 3741 | Inbound Agent Communication |
+| Inbound Netwrix Threat Prevention Enterprise Manager Remote Console | gRPC / TCP | 3740 | Inbound Remote Console Communication |
+| Outbound Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | SQL Server Communication |
+| Outbound Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | SQL Server Communication |
+| Outbound Enterprise Manager to Agents | RPC / TCP | 135 | WMI enabled (optional): required for Agent Auto Deploy |
+| Outbound Enterprise Manager to Agents | DCOM / TCP | 1024-65535 | WMI enabled (optional): required for Agent Auto Deploy |
## Agent Firewall Rules
The following firewall settings are required for communication with the Agent:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------------------- | ---------- | ------------ | ----------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------- | ---------- | ------------ | ---------- |
| Outbound Netwrix Threat Prevention Windows Agent to Enterprise Manager | gRPC / TCP | 3741 | Outbound Enterprise Manager Communication |
| Outbound Netwrix Threat Prevention Windows Agent to Threat Manager | TCP | 10000, 10001 | Outbound Threat Manager Communication |
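Review bot: the DCOM row (Outbound Enterprise Manager to Agents, DCOM / TCP) keeps the range 1024-65535, while the NetApp tables later in this same file give the RPC dynamic range as 49152-65535; the two should agree, or the wider range should be explained, because a firewall rule opened to 1024-65535 is far broader than the default dynamic range on current Windows hosts and only matters for legacy systems.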
@@ -54,8 +54,8 @@ NAS Device Activity Monitoring topic for additional information.
The following firewall settings are required for communication with the Administration Console:
-| Communication Direction | Protocol | Ports | Description |
-| -------------------------------------------- | ---------- | ----- | ----------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------- | ---------- | ----- | ----------------- |
| Administration Console to Enterprise Manager | gRPC / TCP | 3740 | Outbound Enterprise Manager Communication |
## Remote Admin Console Firewall Rules
@@ -63,8 +63,8 @@ The following firewall settings are required for communication with the Administ
The following firewall settings are required for communication with the remote Administration
Console:
-| Communication Direction | Protocol | Ports | Description |
-| --------------------------------------------------- | ---------- | ----- | ----------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| -------------- | ---------- | ----- | ---------------- |
| Remote Administration Console to Enterprise Manager | gRPC / TCP | 3740 | Outbound Enterprise Manager Communication |
## Database Firewall Rules
@@ -77,8 +77,8 @@ the Enterprise Manager and/or the Administration Console.
:::
-| Communication Direction | Protocol | Ports | Description |
-| -------------------------------- | ---------------- | ----- | ---------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------------- | ---------------- | ----- | ----------------------------- |
| Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | Inbound Enterprise Manager Communication |
| Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | Inbound Enterprise Manager Communication |
@@ -109,21 +109,21 @@ support standard IP Stack operations that are required for the operation of this
The following firewall settings are required for communication between the Netwrix Threat Manager
Reporting Module server and Active Directory domain controllers:
-| Communication Direction | Protocol | Ports | Description |
-| ----------------------- | -------- | ------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| Outbound | TCP | 88 | Kerberos-sec |
+| Communication Direction | Protocol | Ports | Description |
+| ----------------------- | -------- | ------- | -------------------------------------- |
+| Outbound | TCP | 88 | Kerberos-sec |
| Outbound | TCP | 135 | The endpoint mapper tells the client which randomly assigned port a service (FRS, AD replication, MAPI, etc.) is listening on |
-| Outbound | TCP | 389 | LDAP |
-| Outbound | TCP | 636 | SSL LDAP |
-| Outbound | TCP | Various | The port that 135 reports. Used to bulk translate AD object names between formats.(Ephemeral Ports) |
+| Outbound | TCP | 389 | LDAP |
+| Outbound | TCP | 636 | SSL LDAP |
+| Outbound | TCP | Various | The port that 135 reports. Used to bulk translate AD object names between formats.(Ephemeral Ports) |
**Database Firewall Rules**
The following firewall settings are required to allow the Netwrix Threat Manager Reporting Module to
talk to the Threat Prevention SQL database:
-| Communication Direction | Protocol | Ports | Description |
-| ------------------------------------------------------------------ | ---------------- | ----- | -------------------------------------------- |
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------- | ---------------- | ----- | -------------------------- |
| Netwrix Threat Manager Reporting Integration Service to SQL Server | SQL Client / TCP | 1433 | Inbound Netwrix Threat Manager Communication |
| Netwrix Threat Manager Reporting Integration Service to SQL Server | SQL Client / UDP | 1434 | Inbound Netwrix Threat Manager Communication |
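Review bot: the "Various" row's description still reads "formats.(Ephemeral Ports)" with no space after the period, and the 636 row labels the protocol "SSL LDAP" where the usual name is LDAPS; both rows are rewritten in this hunk, so clean them up at the same time, e.g. `| Outbound | TCP | Various | The port that 135 reports. Used to bulk translate AD object names between formats (ephemeral ports) |`.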
@@ -147,9 +147,9 @@ article.
The following firewall settings are required for communication between the CEE server/ Activity
Monitor Activity Agent server and the target Dell device:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
-| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| Communication Direction | Protocol | Ports | Description |
+| -------------------------- | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
**Dell Isilon/PowerScale Devices Additional Firewall Rules**
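Review bot: the first row's direction reads "Dell Device CEE Server" and is missing the "to" that every other direction cell in this file uses ("Dell Device to CEE Server"); the row is already being rewritten here, so fix the wording in the same change.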
@@ -157,9 +157,9 @@ Monitor Activity Agent server and the target Dell device:
The following firewall settings are required for communication between the CEE server/ Activity
Monitor Activity Agent server and the target Dell Isilon/PowerScale device:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
-| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication |
+| Communication Direction | Protocol | Ports | Description |
+| ------------------------------- | -------- | ----------------- | ----------------- |
+| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
**Dell Unity Devices Additional Firewall Rules**
@@ -167,9 +167,9 @@ Monitor Activity Agent server and the target Dell Isilon/PowerScale device:
The following firewall settings are required for communication between the CEE server/ Activity
Monitor Activity Agent server and the target Dell device:
-| Communication Direction | Protocol | Ports | Description |
-| ---------------------------------------------------------- | -------- | ----------------- | ----------------- |
-| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
+| Communication Direction | Protocol | Ports | Description |
+| ---------------------------- | -------- | ----------------- | ----------------- |
+| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |
**Nasuni Edge Appliance Additional Firewall Rules**
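Review bot: this Dell Unity table and its lead sentence are identical to the generic Dell table above, including "the target Dell device" rather than "the target Dell Unity device" and the same "Dell Device CEE Server" row missing "to"; either point the Unity section at the generic table or make the Unity-specific wording explicit so the reader knows the two are intentionally the same.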
@@ -191,10 +191,10 @@ Agent server and the target NetApp Data ONTAP 7-Mode device:
| --------------------------------- | ---------------- | ------------------------------------ | ----------- |
| Activity Agent Server to NetApp\* | HTTP (optional) | 80 | ONTAPI |
| Activity Agent Server to NetApp\* | HTTPS (optional) | 443 | ONTAPI |
-| Activity Agent Server to NetApp | TCP | 135, 139 Dynamic Range (49152-65535) | RPC |
+| Activity Agent Server to NetApp | TCP | 135, 139
Dynamic Range (49152-65535) | RPC |
| Activity Agent Server to NetApp | TCP | 445 | SMB |
| Activity Agent Server to NetApp | UDP | 137, 138 | RPC |
-| NetApp to Activity Agent Server | TCP | 135, 139 Dynamic Range (49152-65535) | RPC |
+| NetApp to Activity Agent Server | TCP | 135, 139
Dynamic Range (49152-65535) | RPC |
| NetApp to Activity Agent Server | TCP | 445 | SMB |
| NetApp to Activity Agent Server | UDP | 137, 138 | RPC |
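Review bot: splitting the Ports cell "135, 139 Dynamic Range (49152-65535)" across two source lines breaks both affected rows, because a Markdown table row ends at the line break and the continuation "Dynamic Range (49152-65535) | RPC |" will not be parsed as part of the row; keep the cell on one line, or use an explicit `<br />` inside the cell if a visual break is wanted, e.g. `| Activity Agent Server to NetApp | TCP | 135, 139<br />Dynamic Range (49152-65535) | RPC |`.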
diff --git a/docs/threatprevention/7.5/requirements/reportingserver.md b/docs/threatprevention/7.5/requirements/reportingserver.md
index 0c90a82b67..e9ea7f54b5 100644
--- a/docs/threatprevention/7.5/requirements/reportingserver.md
+++ b/docs/threatprevention/7.5/requirements/reportingserver.md
@@ -53,17 +53,17 @@ The following permissions are required to install and use the application:
The following permissions are required for the credentials used by Netwrix Threat Manager Reporting
Module for Active Directory Sync:
-| Object Type | Function | Access Requirements |
-| ----------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
-| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container |
-| Group | Retrieve all groups | Read Access to all group objects in the domain |
-| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container |
-| User | Retrieve all users | Read all user objects from the domain |
-| Computer | Retrieve all deleted computer objects | Read all computer objects under the Deleted Objects Container |
-| Computer | Retrieve all computer objects | Read all computer objects in the domain |
-| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain |
-| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain |
-| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory |
+| Object Type | Function | Access Requirements |
+| ----------- | ---------------------- | ---------------- |
+| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container |
+| Group | Retrieve all groups | Read Access to all group objects in the domain |
+| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container |
+| User | Retrieve all users | Read all user objects from the domain |
+| Computer | Retrieve all deleted computer objects | Read all computer objects under the Deleted Objects Container |
+| Computer | Retrieve all computer objects | Read all computer objects in the domain |
+| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain |
+| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain |
+| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory |
## Client Requirements
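Review bot: the Secret row grants read access to all secret objects in Active Directory (the DPAPI master backup keys), which is one of the most sensitive rights a sync account can hold; the table should state whether this row is optional and which feature needs it, so administrators can scope the Active Directory Sync credentials to least privilege rather than granting every row by default.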
diff --git a/docs/threatprevention/7.5/requirements/sqlserver/sqlserver.md b/docs/threatprevention/7.5/requirements/sqlserver/sqlserver.md
index b590c5977e..2f6755d127 100644
--- a/docs/threatprevention/7.5/requirements/sqlserver/sqlserver.md
+++ b/docs/threatprevention/7.5/requirements/sqlserver/sqlserver.md
@@ -27,16 +27,16 @@ server.
These depend on the size of the target environment.
-| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
-| ------------------------ | ------------------------------ | ------------------------------ | --------------------------- | --------------------------- |
-| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects |
-| RAM | 32 GB | 16 GB | 16 GB | 8 GB |
-| Cores | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
-| Number of Disks | 4 | 4 | 4 | 1-4 |
-| Operating System Disk | 10 GB | 10 GB | 10 GB | 10 GB |
-| SQL Database Disk | 500 GB | 300 GB | 150 GB | 100 GB |
-| SQL Transaction Log Disk | 80 GB | 80 GB | 40 GB | 20 GB |
-| SQL TEMP DB Disk | 160 GB | 160 GB | 80 GB | 40 GB |
+| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics |
+| ---------- | ---------- | --------- | --------- | --------- |
+| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects |
+| RAM | 32 GB | 16 GB | 16 GB | 8 GB |
+| Cores | 4 CPU | 4 CPU | 4 CPU | 4 CPU |
+| Number of Disks | 4 | 4 | 4 | 1-4 |
+| Operating System Disk | 10 GB | 10 GB | 10 GB | 10 GB |
+| SQL Database Disk | 500 GB | 300 GB | 150 GB | 100 GB |
+| SQL Transaction Log Disk | 80 GB | 80 GB | 40 GB | 20 GB |
+| SQL TEMP DB Disk | 160 GB | 160 GB | 80 GB | 40 GB |
The disk sizes for the three SQL Server databases can be reduced if not utilizing all Threat
Prevention solutions.
diff --git a/docs/threatprevention/7.5/troubleshooting/overview.md b/docs/threatprevention/7.5/troubleshooting/overview.md
index 2b53c45402..8fd984da46 100644
--- a/docs/threatprevention/7.5/troubleshooting/overview.md
+++ b/docs/threatprevention/7.5/troubleshooting/overview.md
@@ -11,7 +11,7 @@ consideration when using the Administration Console.
## Best Practices
-Best Practice #1 – Collect What You Need, NOT Everything
+**Best Practice #1 – Collect What You Need, NOT Everything**
While Threat Prevention is capable of collecting many events, it is recommended to carefully scope
policies, e.g. admin group membership, finance data access, or VIP mailbox non-owner logons.
@@ -34,7 +34,7 @@ The [Database Maintenance Window](/docs/threatprevention/7.5/admin/configuration
you to set options that automatically groom the database to optimize performance.
Whether choosing to archive or delete data, this is always a good feature to enable.
-Best Practice #3 – Analytics? Turn on One at a Time & Tune
+**Best Practice #3 – Analytics? Turn on One at a Time & Tune**
Analytics provide organizations with the ability to capture and analyze authentication or file
system traffic. The best way to employ analytics is to turn on one at a time and then ‘tune’ it to
@@ -49,7 +49,7 @@ a best practice to configure and enable a monitoring policy with the desired fil
trial run. This will allow you to ensure the filters set will block events the way they were
intended. Once the desired filters are confirmed, then the blocking policy is good-to-go.
-Best Practice #5 – File System ‘Read’ Monitoring, in Moderation
+**Best Practice #5 – File System ‘Read’ Monitoring, in Moderation**
It is recommended to limit the use of monitoring Read events within a file system to those files
containing very sensitive data (e.g. super-secret blends of herbs and spices, launch codes, etc.).
@@ -60,8 +60,7 @@ The volume of Read events in most environments can fill the Threat Prevention da
The following information provides basic troubleshooting techniques and frequently asked questions
(FAQs) for the Administration Console users.
-FAQ: Microsoft just released a security bulletin that impacts LSASS. How do I know if the Microsoft
-KB will affect the Agent instrumentation?
+**FAQ: Microsoft just released a security bulletin that impacts LSASS. How do I know if the Microsoft KB will affect the Agent instrumentation?**
The Agent has been configured to monitor LSASS after a reboot (triggered by the Microsoft KB). If
LSASS stops shortly after a reboot (default within five minutes), then the Agent will be stopped and
@@ -87,7 +86,7 @@ topic for additional information.
:::
-FAQ: The user interface is not displaying correctly and windows are cut off. What should I do?
+**FAQ: The user interface is not displaying correctly and windows are cut off. What should I do?**
If any of the dialogs in the Administration Console have buttons or other user interface (UI)
elements hidden or partially hidden, then you are advised to reduce their Windows font size. For
@@ -95,14 +94,14 @@ example, some high resolution laptops may have their system font size set to a d
In such cases it may be necessary to change this to “Small” for all dialogs in theconsole to be
displayed fully.
-FAQ: How are Active Directory and Authentication raw events handled by Threat Prevention?
+**FAQ: How are Active Directory and Authentication raw events handled by Threat Prevention?**
There are two streams of data with their own memory buffers: one for Active Directory and another
for Authentication traffic. This allows the Active Directory event data to flow without interruption
even if there is a flood of Authentication traffic. A flood in Authentication traffic could result
in a loss of Authentication event data. However, this will not impact Active Directory event data.
-FAQ: How can I prevent flooding the memory with authentication traffic?
+**FAQ: How can I prevent flooding the memory with authentication traffic?**
The options in the
[Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md)
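Review bot: the context line "for all dialogs in theconsole to be displayed fully" is missing a space ("the console"); since this hunk already touches the section, fix the typo in the same change.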
diff --git a/static/img/product_docs/threatprevention/7.4/admin/templates/import.webp b/static/img/product_docs/threatprevention/7.4/admin/templates/import.webp
new file mode 100644
index 0000000000..e659825739
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/admin/templates/import.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/Welcome_1.webp b/static/img/product_docs/threatprevention/7.4/install/agent/Welcome_1.webp
new file mode 100644
index 0000000000..4c7a85e229
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/Welcome_1.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/cacertconfig.webp b/static/img/product_docs/threatprevention/7.4/install/agent/cacertconfig.webp
new file mode 100644
index 0000000000..ca09adc397
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/cacertconfig.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/changedestination.webp b/static/img/product_docs/threatprevention/7.4/install/agent/changedestination.webp
new file mode 100644
index 0000000000..43cfcc892e
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/changedestination.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/destinationfolder.webp b/static/img/product_docs/threatprevention/7.4/install/agent/destinationfolder.webp
new file mode 100644
index 0000000000..590397a651
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/destinationfolder.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/license.webp b/static/img/product_docs/threatprevention/7.4/install/agent/license.webp
new file mode 100644
index 0000000000..cb8325ad4d
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/license.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/readytoinstall.webp b/static/img/product_docs/threatprevention/7.4/install/agent/readytoinstall.webp
new file mode 100644
index 0000000000..fcb84a349d
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/readytoinstall.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/success.webp b/static/img/product_docs/threatprevention/7.4/install/agent/success.webp
new file mode 100644
index 0000000000..e122f1d3f5
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/success.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/agent/welcome2.webp b/static/img/product_docs/threatprevention/7.4/install/agent/welcome2.webp
new file mode 100644
index 0000000000..b2e25e81ff
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/agent/welcome2.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/reportingmodule/eula_1.webp b/static/img/product_docs/threatprevention/7.4/install/reportingmodule/eula_1.webp
new file mode 100644
index 0000000000..96df3e2705
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/reportingmodule/eula_1.webp differ
diff --git a/static/img/product_docs/threatprevention/7.4/install/reportingmodule/install.webp b/static/img/product_docs/threatprevention/7.4/install/reportingmodule/install.webp
new file mode 100644
index 0000000000..cdc9199af2
Binary files /dev/null and b/static/img/product_docs/threatprevention/7.4/install/reportingmodule/install.webp differ