From 1f0c510856bbc495342a567a6265104be72c57e5 Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Thu, 17 Jul 2025 16:34:58 +0500 Subject: [PATCH 01/15] sidebar --- .../monitorweakpasswords.md | 2 +- .../preventweakpasswords.md | 2 +- .../7.4/{overview => }/gettingstarted.md | 2 +- docs/threatprevention/7.4/index.md | 32 ------------------- .../7.4/install/firstlaunch/firstlaunch.md | 2 +- .../install/reportingmodule/firstlaunch.md | 4 +-- .../7.4/install/reportingmodule/overview.md | 2 +- .../7.4/install/upgrade/overview.md | 2 +- .../7.4/{overview => }/overview.md | 2 +- .../7.4/overview/_category_.json | 10 ------ .../7.4/reportingmodule/overview.md | 2 +- .../{overview => }/solutions/_category_.json | 2 +- .../solutions/activedirectory.md | 0 .../7.4/{overview => }/solutions/epe.md | 0 .../7.4/{overview => }/solutions/exchange.md | 0 .../{overview => }/solutions/filesystem.md | 0 .../7.4/{overview => }/solutions/ldap.md | 0 .../7.4/{overview => }/solutions/overview.md | 10 +++--- .../7.4/{overview => }/whatsnew.md | 2 +- 19 files changed, 17 insertions(+), 59 deletions(-) rename docs/threatprevention/7.4/{overview => }/gettingstarted.md (99%) delete mode 100644 docs/threatprevention/7.4/index.md rename docs/threatprevention/7.4/{overview => }/overview.md (99%) delete mode 100644 docs/threatprevention/7.4/overview/_category_.json rename docs/threatprevention/7.4/{overview => }/solutions/_category_.json (87%) rename docs/threatprevention/7.4/{overview => }/solutions/activedirectory.md (100%) rename docs/threatprevention/7.4/{overview => }/solutions/epe.md (100%) rename docs/threatprevention/7.4/{overview => }/solutions/exchange.md (100%) rename docs/threatprevention/7.4/{overview => }/solutions/filesystem.md (100%) rename docs/threatprevention/7.4/{overview => }/solutions/ldap.md (100%) rename docs/threatprevention/7.4/{overview => }/solutions/overview.md (77%) rename docs/threatprevention/7.4/{overview => }/whatsnew.md (99%) 
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md index 0f135099fb..1ebc2d35f5 100644 --- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md +++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/monitorweakpasswords.md @@ -13,7 +13,7 @@ creation of weak passwords in your environment. [Prevent Weak Passwords Use Case](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md) topic for instructions on creating a policy to block weak passwords, which requires the Threat Prevention -for[ Enterprise Password Enforcer](/docs/threatprevention/7.4/overview/solutions/epe.md) +for[ Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md) solution. Follow the steps to configure a policy to monitor the creation of weak passwords. diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md index 67da2b7395..95acc100a0 100644 --- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md +++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/passwordenforcement/preventweakpasswords.md 
@@ -11,7 +11,7 @@ weak passwords in your environment. **NOTE:** The Threat Prevention Enterprise Password Enforcement solution includes an EPE User Feedback module. See the -[ Enterprise Password Enforcer](/docs/threatprevention/7.4/overview/solutions/epe.md) +[ Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md) topic for additional information. Follow the steps to configure a policy to block the creation of weak passwords. diff --git a/docs/threatprevention/7.4/overview/gettingstarted.md b/docs/threatprevention/7.4/gettingstarted.md similarity index 99% rename from docs/threatprevention/7.4/overview/gettingstarted.md rename to docs/threatprevention/7.4/gettingstarted.md index 41f0d284ea..d2a53870f1 100644 --- a/docs/threatprevention/7.4/overview/gettingstarted.md +++ b/docs/threatprevention/7.4/gettingstarted.md @@ -1,7 +1,7 @@ --- title: "Getting Started" description: "Getting Started" -sidebar_position: 10 +sidebar_position: 2 --- # Getting Started diff --git a/docs/threatprevention/7.4/index.md b/docs/threatprevention/7.4/index.md deleted file mode 100644 index 23b244b7ec..0000000000 --- a/docs/threatprevention/7.4/index.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Threat Prevention 7.4 - -> Proactive security firewall for critical IT infrastructure - -Threat Prevention 7.4 acts as an intelligent firewall around your most critical systems including Active Directory, Exchange, and file systems. This solution intercepts and blocks malicious activities in real-time, overcoming the limitations of native Windows security controls to provide comprehensive protection against both internal and external threats while maintaining detailed audit trails for compliance and forensics. - -## Key Features - -- **Active Threat Interception**: Monitor and block suspicious activities at the source before damage occurs -- **Automated Remediation**: Instantly disable compromised accounts and reverse unauthorized changes -- **Policy-Based Protection**: Define granular security policies for different systems and user groups -- **Comprehensive Forensics**: Capture detailed audit trails of all activities for investigation - -## Benefits - -- **Stop Attacks in Progress**: Block malicious activities in real-time, not after the fact -- **Protect Critical Assets**: Safeguard Active Directory, Exchange, and file systems from compromise -- **Reduce Security Incidents**: Prevent attacks rather than just detecting them -- **Simplify Compliance**: Maintain detailed audit trails for regulatory requirements - -## What's New in Version 7.4 - -- Enhanced machine learning algorithms for threat detection -- Improved SIEM integration with QRadar and Splunk -- New policy templates for common attack scenarios -- Performance optimizations for large-scale deployments - -```mdx-code-block -import DocCardList from '@theme/DocCardList'; - - -``` diff --git a/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md b/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md index a0877cdd78..97af1c6406 100644 --- a/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md +++ b/docs/threatprevention/7.4/install/firstlaunch/firstlaunch.md 
@@ -59,5 +59,5 @@ manage the Agent. topic. See the -[Getting Started ](/docs/threatprevention/7.4/overview/gettingstarted.md)topic for +[Getting Started ](/docs/threatprevention/7.4/gettingstarted.md)topic for the next steps. diff --git a/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md b/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md index d831c974ae..d19e2e4608 100644 --- a/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md +++ b/docs/threatprevention/7.4/install/reportingmodule/firstlaunch.md @@ -40,7 +40,7 @@ The built-in ADMIN account password is now set. If the Enable MFA option is set to OFF, no additional configuration is required and the Netwrix Threat Manager Reporting Module Console opens. See the -[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module) +[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module) topic for initial configuration information. If the Enable MFA option is set to ON, registration of an MFA authenticator is required. Proceed to @@ -67,5 +67,5 @@ of codes to access for account recovery, if needed. Once MFA is configured for this account, the Netwrix Threat Manager Reporting Module console opens. See the -[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module) +[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module) topic for the next steps. diff --git a/docs/threatprevention/7.4/install/reportingmodule/overview.md b/docs/threatprevention/7.4/install/reportingmodule/overview.md index 31db6b939b..54842cbd8c 100644 --- a/docs/threatprevention/7.4/install/reportingmodule/overview.md +++ b/docs/threatprevention/7.4/install/reportingmodule/overview.md 
@@ -93,5 +93,5 @@ launcher opens. You can now install the following components on the same server: topic for additional information. After completing the first launch, it is time to complete the initial configuration. See the -[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module) +[Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module) topic for additional information. diff --git a/docs/threatprevention/7.4/install/upgrade/overview.md b/docs/threatprevention/7.4/install/upgrade/overview.md index 129efc92d3..f5b41ccede 100644 --- a/docs/threatprevention/7.4/install/upgrade/overview.md +++ b/docs/threatprevention/7.4/install/upgrade/overview.md @@ -20,7 +20,7 @@ Templates?” Click **Yes** to import or **No** to skip. See the topic for instructions on importing these templates if you selected **No** during the upgrade process. -See the [What's New](/docs/threatprevention/7.4/overview/whatsnew.md) topic for +See the [What's New](/docs/threatprevention/7.4/whatsnew.md) topic for details on new and improved features included with each release. ## Considerations diff --git a/docs/threatprevention/7.4/overview/overview.md b/docs/threatprevention/7.4/overview.md similarity index 99% rename from docs/threatprevention/7.4/overview/overview.md rename to docs/threatprevention/7.4/overview.md index 2c29191ac3..c2f60d9915 100644 --- a/docs/threatprevention/7.4/overview/overview.md +++ b/docs/threatprevention/7.4/overview.md @@ -1,7 +1,7 @@ --- title: "Netwrix Threat Prevention v7.4 Documentation" description: "Netwrix Threat Prevention v7.4 Documentation" -sidebar_position: 10 +sidebar_position: 1 --- # Netwrix Threat Prevention v7.4 Documentation diff --git a/docs/threatprevention/7.4/overview/_category_.json b/docs/threatprevention/7.4/overview/_category_.json deleted file mode 100644 index 7c0e8c54cf..0000000000 
--- a/docs/threatprevention/7.4/overview/_category_.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "label": "Netwrix Threat Prevention v7.4 Documentation", - "position": 10, - "collapsed": true, - "collapsible": true, - "link": { - "type": "doc", - "id": "overview" - } -} \ No newline at end of file diff --git a/docs/threatprevention/7.4/reportingmodule/overview.md b/docs/threatprevention/7.4/reportingmodule/overview.md index fc01905b77..dc1dbf1965 100644 --- a/docs/threatprevention/7.4/reportingmodule/overview.md +++ b/docs/threatprevention/7.4/reportingmodule/overview.md @@ -17,7 +17,7 @@ Threat Manager Reporting Module, configure the integration, and grant access to following topics: - [Reporting Module Server Requirements](/docs/threatprevention/7.4/requirements/reportingserver.md) -- [Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/overview/gettingstarted.md#set-up-the-threat-manager-reporting-module) +- [Set Up the Threat Manager Reporting Module](/docs/threatprevention/7.4/gettingstarted.md#set-up-the-threat-manager-reporting-module) - [Reporting Module Installation](/docs/threatprevention/7.4/install/reportingmodule/overview.md) - [Configuration Menu ](/docs/threatprevention/7.4/reportingmodule/configuration/overview.md) - [Investigations Interface](/docs/threatprevention/7.4/reportingmodule/investigations/overview.md) diff --git a/docs/threatprevention/7.4/overview/solutions/_category_.json b/docs/threatprevention/7.4/solutions/_category_.json similarity index 87% rename from docs/threatprevention/7.4/overview/solutions/_category_.json rename to docs/threatprevention/7.4/solutions/_category_.json index 61e3258ec2..812ae631c7 100644 --- a/docs/threatprevention/7.4/overview/solutions/_category_.json +++ b/docs/threatprevention/7.4/solutions/_category_.json @@ -1,6 +1,6 @@ { "label": "Solutions", - "position": 30, + "position": 4, "collapsed": true, "collapsible": true, "link": { 
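Review bot: the `docs/threatprevention/7.4/index.md` deletion hunk in this patch leaves the 7.4 root without a landing page and drops the `DocCardList` import in the `mdx-code-block` together with the "Key Features", "Benefits" and "What's New in Version 7.4" summaries, with nothing in this commit moving that content elsewhere. If the intent is for `overview.md` (renamed into the root here with `sidebar_position: 1`) to become the new index, rename it to `index.md` in the same commit rather than three commits later (PATCH 04/15 does `rename docs/threatprevention/7.4/{overview.md => index.md}`), so the series never has an intermediate state with no index, and say in the commit message (currently just "sidebar") whether the feature and benefit summary is being dropped on purpose.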
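Review bot: the retargeted link in the `monitorweakpasswords.md` hunk keeps two pre-existing defects on the same line: `for[ Enterprise Password Enforcer](...)` has no space between `for` and the link, and a leading space inside the link text; the `preventweakpasswords.md` and `solutions/overview.md` hunks carry the same `[ Enterprise Password Enforcer]` leading space, and the `firstlaunch.md` hunk has the mirror problem with `[Getting Started ](...)topic` (trailing space inside the link, none after it). Since these lines are already being rewritten, change them to `for [Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md)` and `[Getting Started](/docs/threatprevention/7.4/gettingstarted.md) topic` so the rendered text does not run words into link text or carry stray spaces in the anchor.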
diff --git a/docs/threatprevention/7.4/overview/solutions/activedirectory.md b/docs/threatprevention/7.4/solutions/activedirectory.md similarity index 100% rename from docs/threatprevention/7.4/overview/solutions/activedirectory.md rename to docs/threatprevention/7.4/solutions/activedirectory.md diff --git a/docs/threatprevention/7.4/overview/solutions/epe.md b/docs/threatprevention/7.4/solutions/epe.md similarity index 100% rename from docs/threatprevention/7.4/overview/solutions/epe.md rename to docs/threatprevention/7.4/solutions/epe.md diff --git a/docs/threatprevention/7.4/overview/solutions/exchange.md b/docs/threatprevention/7.4/solutions/exchange.md similarity index 100% rename from docs/threatprevention/7.4/overview/solutions/exchange.md rename to docs/threatprevention/7.4/solutions/exchange.md diff --git a/docs/threatprevention/7.4/overview/solutions/filesystem.md b/docs/threatprevention/7.4/solutions/filesystem.md similarity index 100% rename from docs/threatprevention/7.4/overview/solutions/filesystem.md rename to docs/threatprevention/7.4/solutions/filesystem.md diff --git a/docs/threatprevention/7.4/overview/solutions/ldap.md b/docs/threatprevention/7.4/solutions/ldap.md similarity index 100% rename from docs/threatprevention/7.4/overview/solutions/ldap.md rename to docs/threatprevention/7.4/solutions/ldap.md diff --git a/docs/threatprevention/7.4/overview/solutions/overview.md b/docs/threatprevention/7.4/solutions/overview.md similarity index 77% rename from docs/threatprevention/7.4/overview/solutions/overview.md rename to docs/threatprevention/7.4/solutions/overview.md index b2b54ed469..ffbe2ad480 100644 --- a/docs/threatprevention/7.4/overview/solutions/overview.md +++ b/docs/threatprevention/7.4/solutions/overview.md 
@@ -9,7 +9,7 @@ sidebar_position: 30 Threat Prevention offers the following pre-defined solutions for protecting your IT environment. The solutions and associated licensed modules are: -[Active Directory](/docs/threatprevention/7.4/overview/solutions/activedirectory.md) +[Active Directory](/docs/threatprevention/7.4/solutions/activedirectory.md) - Active Directory Changes @@ -29,16 +29,16 @@ solutions and associated licensed modules are: - GPO Lockdown - GPO Setting Changes -[ Enterprise Password Enforcer](/docs/threatprevention/7.4/overview/solutions/epe.md) +[ Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md) - Password Enforcement -[Exchange](/docs/threatprevention/7.4/overview/solutions/exchange.md) +[Exchange](/docs/threatprevention/7.4/solutions/exchange.md) - Exchange Events - Exchange Lockdown -[File System](/docs/threatprevention/7.4/overview/solutions/filesystem.md) +[File System](/docs/threatprevention/7.4/solutions/filesystem.md) - File System @@ -46,7 +46,7 @@ solutions and associated licensed modules are: - Includes Monitoring for supported NAS devices - Includes Monitoring file system for integration with Access Analyzer -[LDAP](/docs/threatprevention/7.4/overview/solutions/ldap.md) +[LDAP](/docs/threatprevention/7.4/solutions/ldap.md) - LDAP Monitoring diff --git a/docs/threatprevention/7.4/overview/whatsnew.md b/docs/threatprevention/7.4/whatsnew.md similarity index 99% rename from docs/threatprevention/7.4/overview/whatsnew.md rename to docs/threatprevention/7.4/whatsnew.md index 7fb946d777..9bb387df56 100644 --- a/docs/threatprevention/7.4/overview/whatsnew.md +++ b/docs/threatprevention/7.4/whatsnew.md @@ -1,7 +1,7 @@ --- title: "What's New" description: "What's New" -sidebar_position: 20 +sidebar_position: 3 --- # What's New From 0bbd6e11e37ef26d5858362e036d48162f5fa25f Mon Sep 17 00:00:00 2001 
From: Ayesha Azeem Date: Thu, 17 Jul 2025 17:14:00 +0500 Subject: [PATCH 02/15] sidebar --- docs/threatprevention/7.4/requirements/adminconsole.md | 6 +++--- docs/threatprevention/7.4/requirements/overview.md | 2 +- docs/threatprevention/7.4/solutions/epe.md | 4 +--- docs/threatprevention/7.5/requirements/adminconsole.md | 4 ++-- docs/threatprevention/7.5/requirements/overview.md | 2 +- 5 files changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/threatprevention/7.4/requirements/adminconsole.md b/docs/threatprevention/7.4/requirements/adminconsole.md index a192432bf2..39a468c0e0 100644 --- a/docs/threatprevention/7.4/requirements/adminconsole.md +++ b/docs/threatprevention/7.4/requirements/adminconsole.md @@ -1,10 +1,10 @@ --- -title: "Remote Administration Console Machine Requirements" -description: "Remote Administration Console Machine Requirements" +title: "Remote Administration Console Requirements" +description: "Remote Administration Console Requirements" sidebar_position: 40 --- -# Remote Administration Console Machine Requirements +# Remote Administration Console Requirements This topic lists the requirements for the machine where you want to install a remote instance of the Threat Prevention Administration Console. diff --git a/docs/threatprevention/7.4/requirements/overview.md b/docs/threatprevention/7.4/requirements/overview.md index 68606399a0..520e461fe6 100644 --- a/docs/threatprevention/7.4/requirements/overview.md +++ b/docs/threatprevention/7.4/requirements/overview.md @@ -53,7 +53,7 @@ Optional Components See the following topics for additional information: -- [Remote Administration Console Machine Requirements](/docs/threatprevention/7.4/requirements/adminconsole.md) +- [Remote Administration Console Requirements](/docs/threatprevention/7.4/requirements/adminconsole.md) - [EPE Rest Site Requirements](/docs/threatprevention/7.4/requirements/eperestsite.md) Target Environment Considerations 
diff --git a/docs/threatprevention/7.4/solutions/epe.md b/docs/threatprevention/7.4/solutions/epe.md index 0c879a3f6a..7e12a6ddcb 100644 --- a/docs/threatprevention/7.4/solutions/epe.md +++ b/docs/threatprevention/7.4/solutions/epe.md @@ -4,9 +4,7 @@ description: "Enterprise Password Enforcer" sidebar_position: 20 --- -# - -Enterprise Password Enforcer +# Enterprise Password Enforcer Attackers often use dictionaries of previously breached passwords or knowledge of well-known passwords to compromise accounts. To mitigate this risk and the likelihood of generic or known diff --git a/docs/threatprevention/7.5/requirements/adminconsole.md b/docs/threatprevention/7.5/requirements/adminconsole.md index 5fbfbc0733..e9e10e5a01 100644 --- a/docs/threatprevention/7.5/requirements/adminconsole.md +++ b/docs/threatprevention/7.5/requirements/adminconsole.md @@ -1,6 +1,6 @@ --- -title: "Remote Administration Console Machine Requirements" -description: "Remote Administration Console Machine Requirements" +title: "Remote Administration Console Requirements" +description: "Remote Administration Console Requirements" sidebar_position: 40 --- diff --git a/docs/threatprevention/7.5/requirements/overview.md b/docs/threatprevention/7.5/requirements/overview.md index b8df8bc507..d6cc33eb1f 100644 --- a/docs/threatprevention/7.5/requirements/overview.md +++ b/docs/threatprevention/7.5/requirements/overview.md @@ -55,7 +55,7 @@ See the following topics for additional information: See the following topics for additional information: -- [Remote Administration Console Machine Requirements](/docs/threatprevention/7.5/requirements/adminconsole.md) +- [Remote Administration Console Requirements](/docs/threatprevention/7.5/requirements/adminconsole.md) - [EPE Rest Site Requirements](/docs/threatprevention/7.5/requirements/eperestsite.md) **Target Environment Considerations** From e97d2d66d625fc3a9fb306ed38b1e5988690a077 Mon Sep 17 00:00:00 2001 
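Review bot: the `docs/threatprevention/7.5/requirements/adminconsole.md` hunk changes `title` and `description` to "Remote Administration Console Requirements" but stops at the front-matter, so the body H1 `# Remote Administration Console Machine Requirements` is left disagreeing with the sidebar title (the matching 7.4 hunk in this same patch changes both; PATCH 03/15 then fixes the 7.5 H1 as a separate one-line commit). Squash PATCH 03/15 into this one so the rename is atomic, and give the commit a subject that describes the change, for example "Rename Remote Administration Console requirements topic (7.4, 7.5)", instead of the repeated "sidebar".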
From: Ayesha Azeem Date: Thu, 17 Jul 2025 17:36:51 +0500 Subject: [PATCH 03/15] sidebar --- docs/threatprevention/7.5/requirements/adminconsole.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/threatprevention/7.5/requirements/adminconsole.md b/docs/threatprevention/7.5/requirements/adminconsole.md index e9e10e5a01..c177478344 100644 --- a/docs/threatprevention/7.5/requirements/adminconsole.md +++ b/docs/threatprevention/7.5/requirements/adminconsole.md @@ -4,7 +4,7 @@ description: "Remote Administration Console Requirements" sidebar_position: 40 --- -# Remote Administration Console Machine Requirements +# Remote Administration Console Requirements This topic lists the requirements for the machine where you want to install a remote instance of the Threat Prevention Administration Console. From 578b64751365315567a0addf87e5a5dce019205f Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Thu, 17 Jul 2025 18:09:13 +0500 Subject: [PATCH 04/15] sidebar --- docs/threatprevention/7.4/{overview.md => index.md} | 0 docs/threatprevention/7.4/install/agent/overview.md | 4 ++-- .../agent/{threatprevention.md => NTPtoNAM.md} | 0 docs/threatprevention/7.4/solutions/overview.md | 10 +++++----- 4 files changed, 7 insertions(+), 7 deletions(-) rename docs/threatprevention/7.4/{overview.md => index.md} (100%) rename docs/threatprevention/7.4/requirements/agent/{threatprevention.md => NTPtoNAM.md} (100%) diff --git a/docs/threatprevention/7.4/overview.md b/docs/threatprevention/7.4/index.md similarity index 100% rename from docs/threatprevention/7.4/overview.md rename to docs/threatprevention/7.4/index.md diff --git a/docs/threatprevention/7.4/install/agent/overview.md b/docs/threatprevention/7.4/install/agent/overview.md index d76fa412fc..48353ba8db 100644 --- a/docs/threatprevention/7.4/install/agent/overview.md +++ b/docs/threatprevention/7.4/install/agent/overview.md 
@@ -82,7 +82,7 @@ control the configuration for that monitored host. However, Activity Monitor can provide multiple outputs for a host, e.g. for Netwrix Access Analyzer (formerly Enterprise Auditor), Netwrix Threat Manager, or SIEM products. Add a new output for the same host to the Monitored Host tab in the Activity Monitor console to be used by the other product. See the -[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/threatprevention.md) +[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md) topic for additional information. ## Exchange Servers @@ -123,5 +123,5 @@ control the configuration for that monitored host. However, Activity Monitor can provide multiple outputs for a host, e.g. for Netwrix Access Analyzer (formerly Enterprise Auditor), Netwrix Threat Manager, or SIEM products. Add a new output for the same host to the Monitored Host tab in the Activity Monitor console to be used by the other product. See the -[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/threatprevention.md) +[Getting Data from NTP for AD Activity Reporting](/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md) topic for additional information. diff --git a/docs/threatprevention/7.4/requirements/agent/threatprevention.md b/docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md similarity index 100% rename from docs/threatprevention/7.4/requirements/agent/threatprevention.md rename to docs/threatprevention/7.4/requirements/agent/NTPtoNAM.md diff --git a/docs/threatprevention/7.4/solutions/overview.md b/docs/threatprevention/7.4/solutions/overview.md index ffbe2ad480..508b4cd9b3 100644 --- a/docs/threatprevention/7.4/solutions/overview.md +++ b/docs/threatprevention/7.4/solutions/overview.md 
@@ -9,7 +9,7 @@ sidebar_position: 30 Threat Prevention offers the following pre-defined solutions for protecting your IT environment. The solutions and associated licensed modules are: -[Active Directory](/docs/threatprevention/7.4/solutions/activedirectory.md) +**Active Directory** - Active Directory Changes @@ -29,16 +29,16 @@ solutions and associated licensed modules are: - GPO Lockdown - GPO Setting Changes -[ Enterprise Password Enforcer](/docs/threatprevention/7.4/solutions/epe.md) +**Enterprise Password Enforcer** - Password Enforcement -[Exchange](/docs/threatprevention/7.4/solutions/exchange.md) +**Exchange** - Exchange Events - Exchange Lockdown -[File System](/docs/threatprevention/7.4/solutions/filesystem.md) +**File System** - File System @@ -46,7 +46,7 @@ solutions and associated licensed modules are: - Includes Monitoring for supported NAS devices - Includes Monitoring file system for integration with Access Analyzer -[LDAP](/docs/threatprevention/7.4/solutions/ldap.md) +**LDAP** - LDAP Monitoring From 36539c33254d92bee19e72c229d7211d7b7267fe Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Mon, 21 Jul 2025 13:17:37 +0500 Subject: [PATCH 05/15] sidebar --- .../configuration/eventtype/filesystemchanges/_category_.json | 2 +- .../configuration/eventtype/ldapmonitoring/_category_.json | 2 +- .../configuration/eventtype/passwordenforcement/_category_.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json index 3c61e0c0fe..0c5ce7183e 100644 --- a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json +++ b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/filesystemchanges/_category_.json 
@@ -1,5 +1,5 @@ { - "label": "File System Changes Event Type", + "label": "File System Changes", "position": 110, "collapsed": true, "collapsible": true, diff --git a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json index f970f948de..518180ac4d 100644 --- a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json +++ b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/ldapmonitoring/_category_.json @@ -1,5 +1,5 @@ { - "label": "LDAP Monitoring Event Type", + "label": "LDAP Monitoring", "position": 160, "collapsed": true, "collapsible": true, diff --git a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json index 9b94b8a5f6..015aef89e4 100644 --- a/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json +++ b/docs/threatprevention/7.5/admin/policies/configuration/eventtype/passwordenforcement/_category_.json @@ -1,5 +1,5 @@ { - "label": "Password Enforcement Event Type", + "label": "Password Enforcement", "position": 210, "collapsed": true, "collapsible": true, From 3b310d31c846b78fcc210432a5ab986c9c0c4d6a Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Mon, 21 Jul 2025 13:30:37 +0500 Subject: [PATCH 06/15] sidebar --- .../threatprevention/7.4/admin/navigation/licensemanager.md | 2 +- .../eventtype/filesystemaccessanalyzer.md | 6 ++++++ .../7.4/admin/policies/configuration/eventtype/overview.md | 2 +- .../7.4/admin/templates/configuration/eventtype.md | 2 +- docs/threatprevention/7.4/solutions/filesystem.md | 2 +- 5 files changed, 10 insertions(+), 4 deletions(-) rename docs/threatprevention/7.4/admin/policies/{ => configuration}/eventtype/filesystemaccessanalyzer.md (97%) 
diff --git a/docs/threatprevention/7.4/admin/navigation/licensemanager.md b/docs/threatprevention/7.4/admin/navigation/licensemanager.md index 5d7b0ade73..b1c3beff13 100644 --- a/docs/threatprevention/7.4/admin/navigation/licensemanager.md +++ b/docs/threatprevention/7.4/admin/navigation/licensemanager.md @@ -101,7 +101,7 @@ See the following topics for additional information: – For Windows file servers and/or NAS devices - [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md) – For Windows file servers -- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md) +- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md) – For Windows file servers ## LDAP Solution diff --git a/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md similarity index 97% rename from docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md rename to docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md index 51ffa701a2..af2f74a7e3 100644 --- a/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md +++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md @@ -1,3 +1,9 @@ +--- +title: "File System Enterprise Auditor Event Type" +description: "File System Enterprise Auditor Event Type" +sidebar_position: 125 +--- + # File System Enterprise Auditor Event Type The File System Enterprise Auditor event type is used to send File System activity to Netwrix Access 
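Review bot: the rename hunk for `filesystemaccessanalyzer.md` adds front-matter whose `title` reads "File System Enterprise Auditor Event Type" while the file name says `accessanalyzer` and the context lines in PATCH 04/15 refer to the product as "Netwrix Access Analyzer (formerly Enterprise Auditor)"; the `licensemanager.md` link text in this patch also still says "Enterprise Auditor". Since the page is being moved and given a title here anyway, either retitle it to match the current product name (and update the three link texts changed in this patch to match) or note in the commit message that "Enterprise Auditor" is kept deliberately because that is still the event type's label in the console.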
diff --git a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md index 7b2cd78da3..2b80a091e8 100644 --- a/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md +++ b/docs/threatprevention/7.4/admin/policies/configuration/eventtype/overview.md @@ -50,7 +50,7 @@ See the following topics for additional details: - [Exchange Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md) - [File System Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md) - [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md) -- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md) +- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md) - [FSMO Role Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md) - [GPO Setting Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md) - [GPO Setting Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md) diff --git a/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md b/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md index fc767dca85..7e3c3ea133 100644 --- a/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md +++ b/docs/threatprevention/7.4/admin/templates/configuration/eventtype.md 
@@ -50,7 +50,7 @@ See the following topics for additional details: - [Exchange Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/exchangelockdown.md) - [File System Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md) - [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md) -- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md) +- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md) - [FSMO Role Monitoring Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/fsmorolemonitoring.md) - [GPO Setting Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettingchanges.md) - [GPO Setting Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/gposettinglockdown.md) diff --git a/docs/threatprevention/7.4/solutions/filesystem.md b/docs/threatprevention/7.4/solutions/filesystem.md index e9c54b4c3b..8435d7a7f9 100644 --- a/docs/threatprevention/7.4/solutions/filesystem.md +++ b/docs/threatprevention/7.4/solutions/filesystem.md @@ -40,4 +40,4 @@ The following event types are available for File System: - [File System Changes Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemchanges/filesystemchanges.md) - [File System Lockdown Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemlockdown.md) -- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/eventtype/filesystemaccessanalyzer.md) +- [File System Enterprise Auditor Event Type](/docs/threatprevention/7.4/admin/policies/configuration/eventtype/filesystemaccessanalyzer.md) 
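Review bot: in PATCH 04/15, the `solutions/overview.md` hunk replaces the five links `[Active Directory](/docs/threatprevention/7.4/solutions/activedirectory.md)`, `[ Enterprise Password Enforcer](.../epe.md)`, `[Exchange](.../exchange.md)`, `[File System](.../filesystem.md)` and `[LDAP](.../ldap.md)` with plain bold headings, which removes the only navigation from the solutions overview to the per-solution pages, even though those pages still exist (PATCH 01/15 moved them to `7.4/solutions/` and retargeted these very links one commit earlier). Unless the sidebar category alone is meant to reach them, keep the links and the emphasis together, e.g. `**[Active Directory](/docs/threatprevention/7.4/solutions/activedirectory.md)**`, and state the reason in the commit message, which currently reads only "sidebar".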
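Review bot: in PATCH 04/15, the rename `requirements/agent/{threatprevention.md => NTPtoNAM.md}` introduces the only mixed-case file name in the series (every other path is lowercase, e.g. `gettingstarted.md`, `filesystemaccessanalyzer.md`); on a case-sensitive build host a link typed as `ntptonam.md` will break, and the abbreviation is opaque next to the link text "Getting Data from NTP for AD Activity Reporting". Use a lowercase, descriptive name (for example `ntpdataforadreporting.md`) and update both `install/agent/overview.md` links in the same hunk accordingly.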
From eaa22084f13572a6c5b63690d67fa608001b6f06 Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Mon, 21 Jul 2025 14:50:30 +0500 Subject: [PATCH 07/15] sidebar --- .../7.4/admin/templates/folder/dns.md | 13 ++++++++ .../templates/folder/domainpersistence.md | 16 +++++++++ .../folder/infrastructure-templates.md | 24 -------------- .../7.4/admin/templates/folder/ldap.md | 17 ++++++++++ .../7.4/admin/templates/folder/lsass.md | 15 +++++++++ .../templates/folder/microsoft-templates.md | 20 ----------- .../templates/folder/privilegeescalation.md | 17 ++++++++++ .../7.4/admin/templates/folder/ransomware.md | 14 ++++++++ .../admin/templates/folder/reconnaissance.md | 2 +- .../templates/folder/schemaconfiguration.md | 2 +- .../templates/folder/security-templates.md | 33 ------------------- .../7.4/admin/templates/folder/siem.md | 2 +- .../admin/templates/folder/threatmanager.md | 15 +++++++++ 13 files changed, 110 insertions(+), 80 deletions(-) create mode 100644 docs/threatprevention/7.4/admin/templates/folder/dns.md create mode 100644 docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md delete mode 100644 docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md create mode 100644 docs/threatprevention/7.4/admin/templates/folder/ldap.md create mode 100644 docs/threatprevention/7.4/admin/templates/folder/lsass.md delete mode 100644 docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md create mode 100644 docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md create mode 100644 docs/threatprevention/7.4/admin/templates/folder/ransomware.md delete mode 100644 docs/threatprevention/7.4/admin/templates/folder/security-templates.md create mode 100644 docs/threatprevention/7.4/admin/templates/folder/threatmanager.md diff --git a/docs/threatprevention/7.4/admin/templates/folder/dns.md b/docs/threatprevention/7.4/admin/templates/folder/dns.md new file mode 100644 index 0000000000..e3a7c84e74 --- /dev/null 
+++ b/docs/threatprevention/7.4/admin/templates/folder/dns.md @@ -0,0 +1,13 @@ +--- +title: "DNS Folder Templates" +description: "DNS Folder Templates" +sidebar_position: 45 +--- + +# DNS Folder Templates + +The **Templates** > **Microsoft** > **DNS** folder contains the following template: + +| Template | Description | TAGS | +| ------------------ | ------------- | ---- | +| DNS Record Changes | No customizations required | None | diff --git a/docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md b/docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md new file mode 100644 index 0000000000..3e653109e8 --- /dev/null +++ b/docs/threatprevention/7.4/admin/templates/folder/domainpersistence.md @@ -0,0 +1,16 @@ +--- +title: "Domain Persistence Folder Templates" +description: "Domain Persistence Folder Templates" +sidebar_position: 25 +--- + +# Domain Persistence Folder Templates + +The Domain Persistence folder contains the following templates: + +| Template | Description | TAGS | +| ----------- | ------------------- | -------------------- | +| AD: AdminSDHolder Monitoring | AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. Altering AdminSDHolder is an effective method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group. |
  • NEW 5.1 TEMPLATES
  • Domain Persistence
  • Privileged Accounts
  • Privilege Escalation
  • AD Security
  • Unauthorized changes
| +| AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Specify the list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. |
  • NEW 5.1 TEMPLATES
  • GPO Security
  • AD Security
  • Unauthorized changes
| +| DCShadow detection | This policy will detect when a non-DC adds a SPN value to any computer starting with GC/ for the global catalog service. |
  • NEW 5.1 TEMPLATES
| + diff --git a/docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md b/docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md deleted file mode 100644 index 5476cb46b0..0000000000 --- a/docs/threatprevention/7.4/admin/templates/folder/infrastructure-templates.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Infrastructure Templates - -This section contains templates for monitoring and protecting infrastructure components. - -## LDAP Monitoring {#ldap} - -The LDAP folder contains the following templates: - -| Template | Description | TAGS | -| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -| LDAP: Sensitive Accounts | This policy will detect LDAP queries targeting sensitive accounts, such as Administrator. Add to and delete from this list of accounts in the LDAP Query filter as per specific requirements | None | -| LDAP: Sensitive Containers | This policy will detect LDAP queries targeting sensitive containers, such as Domain Controllers. Add to and delete from this list of containers in the LDAP Query filter per specific requirements | None | -| LDAP: Sensitive Groups | This policy will detect LDAP queries targeting sensitive groups, such as Domain Admins, Enterprise Admins, and Schema Admins. Add to and delete from this list of groups in the LDAP Query filter per specific requirements | None | -| LDAP: Sensitive SPNs | This policy will detect LDAP queries targeting sensitive Service Principal Names, such as Exchange and SQL Servers. 
Add to and delete from this list of SPNs in the LDAP Query filter per specific requirements | None | -| LDAP: Service Principal Names | Detects attempts to obtain a list of SPN values | None | - -## Threat Manager Integration {#threat-manager} - -The Threat Manager folder contains the following templates: - -| Template | Description | TAGS | -| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- | -| Threat Manager for AD | This is the recommended policy for sending AD Events captured by Threat Prevention to Threat Manager. This policy includes: Authentication Monitoring, Active Directory Changes, AD Replication Monitoring, and LSASS Guardian - Monitor. | - Threat Manager - NEW v6.1 TEMPLATES | -| Threat Manager for AD LDAP | This is the recommended policy for sending LDAP events captured by Threat Prevention to Threat Manager for detecting signature queries of LDAP reconnaissance tools. Policy 1: Suspicious Queries Policy 2: Suspicious Attributes Returned | - Threat Manager - NEW v7.1 TEMPLATES | diff --git a/docs/threatprevention/7.4/admin/templates/folder/ldap.md b/docs/threatprevention/7.4/admin/templates/folder/ldap.md new file mode 100644 index 0000000000..d723c8612f --- /dev/null +++ b/docs/threatprevention/7.4/admin/templates/folder/ldap.md 
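Review bot: deleting infrastructure-templates.md removes the explicit heading anchors `{#ldap}` and `{#threat-manager}`, and the same applies to `{#dns}` and `{#lsass}` in microsoft-templates.md and to `{#ransomware}`, `{#domain-persistence}` and `{#privilege-escalation}` in security-templates.md. Explicit ids like these are normally there because other pages link to them, yet the patch's file list touches nothing outside templates/folder/, so any `.../infrastructure-templates.md#ldap` style link elsewhere in the docs now breaks. Grep the tree for the three deleted filenames and repoint those links at the new per-folder pages (ldap.md, threatmanager.md, dns.md, lsass.md, ransomware.md, domainpersistence.md, privilegeescalation.md) in this same commit.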
@@ -0,0 +1,17 @@ +--- +title: "LDAP Folder Templates" +description: "LDAP Folder Templates" +sidebar_position: 35 +--- + +# LDAP Folder Templates + +The LDAP folder contains the following templates: + +| Template | Description | TAGS | +| ----------- | --------------- | ---- | +| LDAP: Sensitive Accounts | This policy will detect LDAP queries targeting sensitive accounts, such as Administrator. Add to and delete from this list of accounts in the LDAP Query filter as per specific requirements | None | +| LDAP: Sensitive Containers | This policy will detect LDAP queries targeting sensitive containers, such as Domain Controllers. Add to and delete from this list of containers in the LDAP Query filter per specific requirements | None | +| LDAP: Sensitive Groups | This policy will detect LDAP queries targeting sensitive groups, such as Domain Admins, Enterprise Admins, and Schema Admins. Add to and delete from this list of groups in the LDAP Query filter per specific requirements | None | +| LDAP: Sensitive SPNs | This policy will detect LDAP queries targeting sensitive Service Principal Names, such as Exchange and SQL Servers. Add to and delete from this list of SPNs in the LDAP Query filter per specific requirements | None | +| LDAP: Service Principal Names | Detects attempts to obtain a list of SPN values | None | diff --git a/docs/threatprevention/7.4/admin/templates/folder/lsass.md b/docs/threatprevention/7.4/admin/templates/folder/lsass.md new file mode 100644 index 0000000000..59bfb5b483 --- /dev/null +++ b/docs/threatprevention/7.4/admin/templates/folder/lsass.md 
@@ -0,0 +1,15 @@ +--- +title: "LSASS Folder Templates" +description: "LSASS Folder Templates" +sidebar_position: 80 +--- + +# LSASS Folder Templates + +The **Templates** > **Microsoft** > **LSASS** folder contains the following templates: + +| Template | Description | TAGS | +| ----------- | ------------------- | ---- | +| LSASS Guardian - Monitor | No customizations required. Detects attempts by other processes to alter the LSASS process | None | +| LSASS Guardian - Protect | No customizations required. Prevents attempts by other processes to alter the LSASS process | None | + diff --git a/docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md b/docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md deleted file mode 100644 index 2721ea787b..0000000000 --- a/docs/threatprevention/7.4/admin/templates/folder/microsoft-templates.md +++ /dev/null @@ -1,20 +0,0 @@ -# Microsoft Platform Templates - -This section contains templates for monitoring and protecting Microsoft platform components. - -## DNS Monitoring {#dns} - -The **Templates** > **Microsoft** > **DNS** folder contains the following template: - -| Template | Description | TAGS | -| ------------------ | -------------------------- | ---- | -| DNS Record Changes | No customizations required | None | - -## LSASS Protection {#lsass} - -The **Templates** > **Microsoft** > **LSASS** folder contains the following templates: - -| Template | Description | TAGS | -| ------------------------ | ------------------------------------------------------------------------------------------- | ---- | -| LSASS Guardian - Monitor | No customizations required. Detects attempts by other processes to alter the LSASS process | None | -| LSASS Guardian - Protect | No customizations required. Prevents attempts by other processes to alter the LSASS process | None | 
diff --git a/docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md b/docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md new file mode 100644 index 0000000000..d5bef5a11e --- /dev/null +++ b/docs/threatprevention/7.4/admin/templates/folder/privilegeescalation.md @@ -0,0 +1,17 @@ +--- +title: "Privilege EscalationFolder Templates" +description: "Privilege Escalation Folder Templates" +sidebar_position: 100 +--- + +# Privilege Escalation Folder Templates + +The Privilege Escalation folder contains the following templates: + +| Template | Description | TAGS | +| ------------ | ----------- | ------------ | +| AD: Administrator Escalation | Indicates that an unprivileged account has had its ACLs changed to a value that allows it to obtain administrative privileges (directly or transitively). |
  • NEW 5.1 TEMPLATES
  • Privileged Accounts
  • Privilege Escalation
  • AD Security
  • Unauthorized changes
| +| AD: Modifications of Administrator Accounts | Utilizes the built-in Administrator Accounts – Objects Collection.
Add accounts with administrative rights to be monitored to this collection |
  • NEW 5.1 TEMPLATES
  • Privileged Accounts
  • Privilege Escalation
  • AD Security
  • Unauthorized changes
| +| AD: SID History Tampering | SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID) that is used to track the security principal and the access the account has when connecting to resources. SID History enables access for another account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user's SID changes when the new account is created, the old SID needs to map to the new one. When a user in Domain A is migrated to Domain B, a new user account is created in DomainB and DomainA user's SID is added to DomainB's user account's SID History attribute. This ensures that DomainB user can still access resources in DomainA.
To detect SID History account escalation, this policy monitors users with data in the SID History attribute and flag the ones which include SIDs in the same domain that have changed |
  • NEW 5.1 TEMPLATES
  • Privileged Accounts
  • Privilege Escalation
  • Persistence
  • AD Security
  • Unauthorized changes
| +| Ntds.dit File Hijacking | Protects users from stealing Ntds.dit file which contains the Active Directory database. Attackers can use Volume Shadow Copy to copy this file, but this will prevent and log any activity based on configuration. |
  • NEW 5.2 TEMPLATES
  • Privileged Accounts
  • Privilege Escalation
  • Persistence
  • AD Security
  • Unauthorized changes
| + diff --git a/docs/threatprevention/7.4/admin/templates/folder/ransomware.md b/docs/threatprevention/7.4/admin/templates/folder/ransomware.md new file mode 100644 index 0000000000..ca4a45bfed --- /dev/null +++ b/docs/threatprevention/7.4/admin/templates/folder/ransomware.md @@ -0,0 +1,14 @@ +--- +title: "Ransomware Folder Templates" +description: "Ransomware Folder Templates" +sidebar_position: 110 +--- + +# Ransomware Folder Templates + +The Ransomware folder contains the following templates: + +| Template | Description | TAGS | +| ------------------ | -------------- | ---- | +| Ransomware Extensions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of files related to the actual encrypting of the data during a Ransomware attack, and trigger an alert | None | +| Ransomware Instructions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of warning file created by a Ransomware attack, and trigger an alert | None | diff --git a/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md b/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md index 1ce57a02fe..8b1559a926 100644 --- a/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md +++ b/docs/threatprevention/7.4/admin/templates/folder/reconnaissance.md @@ -1,7 +1,7 @@ --- title: "Reconnaissance Folder Templates" description: "Reconnaissance Folder Templates" -sidebar_position: 80 +sidebar_position: 110 --- # Reconnaissance Folder Templates diff --git a/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md b/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md index a7fca62bef..9a67dd8147 100644 --- a/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md 
+++ b/docs/threatprevention/7.4/admin/templates/folder/schemaconfiguration.md @@ -1,7 +1,7 @@ --- title: "Schema and Configuration Folder Templates" description: "Schema and Configuration Folder Templates" -sidebar_position: 90 +sidebar_position: 120 --- # Schema and Configuration Folder Templates diff --git a/docs/threatprevention/7.4/admin/templates/folder/security-templates.md b/docs/threatprevention/7.4/admin/templates/folder/security-templates.md deleted file mode 100644 index f5b23a4ad7..0000000000 --- a/docs/threatprevention/7.4/admin/templates/folder/security-templates.md +++ /dev/null 
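Review bot: the front-matter title of the new privilegeescalation.md reads `Privilege EscalationFolder Templates` (missing space before 'Folder') while its description and H1 are correct; the title is what the sidebar and browser tab show, so change it to `Privilege Escalation Folder Templates`.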
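Review bot: the new ransomware.md is given `sidebar_position: 110`, and the reconnaissance.md hunk in this same patch moves that page from 80 to 110, so two pages in the folder share a position and their order is left to the sidebar's tie-breaking. The renumbering of schemaconfiguration.md (90 to 120) and siem.md (100 to 130) already leaves room, so give one of the two its own slot (for example reconnaissance.md at 115) or renumber the whole folder with a consistent step.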
@@ -1,33 +0,0 @@ -# Security Templates - -This section contains templates for detecting and preventing various security threats. - -## Ransomware Protection {#ransomware} - -The Ransomware folder contains the following templates: - -| Template | Description | TAGS | -| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | -| Ransomware Extensions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. This policy is meant to detect the creation of files related to the actual encrypting of the data during a Ransomware attack, and trigger an alert | None | -| Ransomware Instructions | Ransomware is a type of malware that systematically encrypts files on a user's system, and forces payment to get the data back. 
This policy is meant to detect the creation of warning file created by a Ransomware attack, and trigger an alert | None | - -## Domain Persistence Protection {#domain-persistence} - -The Domain Persistence folder contains the following templates: - -| Template | Description | TAGS | -| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -| AD: AdminSDHolder Monitoring | AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don't match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. 
Altering AdminSDHolder is an effective method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group. | - NEW 5.1 TEMPLATES - Domain Persistence - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes | -| AD: Group Policy Objects Security Monitoring | Use this policy to specify a list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. Specify the list of AD Group Policy Objects to be monitored. Optionally, add any AD Perpetrators to be included or excluded. | - NEW 5.1 TEMPLATES - GPO Security - AD Security - Unauthorized changes | -| DCShadow detection | This policy will detect when a non-DC adds a SPN value to any computer starting with GC/ for the global catalog service. | - NEW 5.1 TEMPLATES | - -## Privilege Escalation Protection {#privilege-escalation} - -The Privilege Escalation folder contains the following templates: - -| Template | Description | TAGS | -| ------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------- | -| AD: Administrator Escalation | Indicates that an unprivileged account has had its ACLs changed to a value that allows it to obtain administrative privileges (directly or transitively). | - NEW 5.1 TEMPLATES - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes | -| AD: Modifications of Administrator Accounts | Utilizes the built-in Administrator Accounts – Objects Collection. Add accounts with administrative rights to be monitored to this collection | - NEW 5.1 TEMPLATES - Privileged Accounts - Privilege Escalation - AD Security - Unauthorized changes | -| AD: SID History Tampering | SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID) that is used to track the security principal and the access the account has when connecting to resources. 
SID History enables access for another account to effectively be cloned to another. This is extremely useful to ensure users retain access when moved (migrated) from one domain to another. Since the user's SID changes when the new account is created, the old SID needs to map to the new one. When a user in Domain A is migrated to Domain B, a new user account is created in DomainB and DomainA user's SID is added to DomainB's user account's SID History attribute. This ensures that DomainB user can still access resources in DomainA. To detect SID History account escalation, this policy monitors users with data in the SID History attribute and flag the ones which include SIDs in the same domain that have changed | - NEW 5.1 TEMPLATES - Privileged Accounts - Privilege Escalation - Persistence - AD Security - Unauthorized changes | -| Ntds.dit File Hijacking | Protects users from stealing Ntds.dit file which contains the Active Directory database. Attackers can use Volume Shadow Copy to copy this file, but this will prevent and log any activity based on configuration. | - NEW 5.2 TEMPLATES - Privileged Accounts - Privilege Escalation - Persistence - AD Security - Unauthorized changes | diff --git a/docs/threatprevention/7.4/admin/templates/folder/siem.md b/docs/threatprevention/7.4/admin/templates/folder/siem.md index b2d3e44cf7..b2a9ee066f 100644 --- a/docs/threatprevention/7.4/admin/templates/folder/siem.md +++ b/docs/threatprevention/7.4/admin/templates/folder/siem.md @@ -1,7 +1,7 @@ --- title: "SIEM Folder Templates" description: "SIEM Folder Templates" -sidebar_position: 100 +sidebar_position: 130 --- # SIEM Folder Templates diff --git a/docs/threatprevention/7.4/admin/templates/folder/threatmanager.md b/docs/threatprevention/7.4/admin/templates/folder/threatmanager.md new file mode 100644 index 0000000000..7714f7fe45 --- /dev/null +++ b/docs/threatprevention/7.4/admin/templates/folder/threatmanager.md 
@@ -0,0 +1,15 @@ +--- +title: "Threat Manager FolderFolder Templates" +description: "Threat Manager Folder Templates" +sidebar_position: 90 +--- + +# Threat Manager Folder Templates + +The Threat Manager folder contains the following templates: + +| Template | Description | TAGS | +| -------------- | -------------------- | --------------- | +| Threat Manager for AD | This is the recommended policy for sending AD Events captured by Threat Prevention to Threat Manager. This policy includes: Authentication Monitoring, Active Directory Changes, AD Replication Monitoring, and LSASS Guardian - Monitor. |
  • Threat Manager
  • NEW v6.1 TEMPLATES
| +| Threat Manager for AD LDAP | This is the recommended policy for sending LDAP events captured by Threat Prevention to Threat Manager for detecting signature queries of LDAP reconnaissance tools.
Policy 1: Suspicious Queries
Policy 2: Suspicious Attributes Returned |
  • Threat Manager
  • NEW v7.1 TEMPLATES
| + From 1ec09e9aae1d29e83ff99e55108ecdbfb8bb869e Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Mon, 21 Jul 2025 16:35:11 +0500 Subject: [PATCH 08/15] sidebar --- .../7.4/admin/{overview_1.md => Tags.md} | 0 .../7.4/admin/navigation/overview.md | 2 +- .../admin/templates/configuration/general.md | 2 +- .../investigations/favorites.md | 4 -- .../7.4/requirements/application.md | 8 +-- .../7.4/requirements/ports.md | 64 ++++++++--------- .../7.4/requirements/reportingserver.md | 22 +++--- .../7.4/requirements/sqlserver/sqlserver.md | 20 +++--- .../7.5/admin/navigation/overview.md | 40 +++++------ .../7.5/admin/navigation/rightclickmenus.md | 70 +++++++++---------- .../7.5/install/agent/silent.md | 34 ++++----- .../7.5/requirements/application.md | 8 +-- .../7.5/requirements/ports.md | 66 ++++++++--------- .../7.5/requirements/reportingserver.md | 22 +++--- .../7.5/requirements/sqlserver/sqlserver.md | 20 +++--- 15 files changed, 189 insertions(+), 193 deletions(-) rename docs/threatprevention/7.4/admin/{overview_1.md => Tags.md} (100%) diff --git a/docs/threatprevention/7.4/admin/overview_1.md b/docs/threatprevention/7.4/admin/Tags.md similarity index 100% rename from docs/threatprevention/7.4/admin/overview_1.md rename to docs/threatprevention/7.4/admin/Tags.md diff --git a/docs/threatprevention/7.4/admin/navigation/overview.md b/docs/threatprevention/7.4/admin/navigation/overview.md index f8cb1871b9..973f3bead6 100644 --- a/docs/threatprevention/7.4/admin/navigation/overview.md +++ b/docs/threatprevention/7.4/admin/navigation/overview.md 
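Review bot: the front-matter title of the new threatmanager.md is `Threat Manager FolderFolder Templates` (duplicated 'Folder'); the description and H1 already read `Threat Manager Folder Templates`, so make the title match. The 'Threat Manager for AD LDAP' row also spans several lines in the diff ('Policy 1: Suspicious Queries' and 'Policy 2: Suspicious Attributes Returned' on their own lines, bullets in the TAGS cell); as with the other new folder pages, confirm the row is authored on a single line or with `<br />`, because a GFM table row that is split across lines stops rendering as a table.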
@@ -78,7 +78,7 @@ interface. The following interface options are available: - [Analytics Interface](/docs/threatprevention/7.4/admin/analytics/overview.md) - [Policies Interface](/docs/threatprevention/7.4/admin/policies/overview.md) - [Templates Interface](/docs/threatprevention/7.4/admin/templates/overview.md) -- [Tags Node](/docs/threatprevention/7.4/admin/overview_1.md) +- [Tags Node](/docs/threatprevention/7.4/admin/Tags.md) Several right-click menus and additional features are available within these interfaces. diff --git a/docs/threatprevention/7.4/admin/templates/configuration/general.md b/docs/threatprevention/7.4/admin/templates/configuration/general.md index a936da5956..7fccbe386d 100644 --- a/docs/threatprevention/7.4/admin/templates/configuration/general.md +++ b/docs/threatprevention/7.4/admin/templates/configuration/general.md @@ -33,7 +33,7 @@ create a duplicate template, but rather display the template in different folder node. Multiple tags can be identified for a template with a comma-separated list. New tags can be created, which create a new folder under the TAGS node. Use the right-click Refresh option on the TAGS node in the Navigation pane to display new tags and/or display template-tag modifications. See -the [Tags Node](/docs/threatprevention/7.4/admin/overview_1.md) topic +the [Tags Node](/docs/threatprevention/7.4/admin/Tags.md) topic for additional information. ## History diff --git a/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md b/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md index 8f328f3a66..b28575dffa 100644 --- a/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md +++ b/docs/threatprevention/7.4/reportingmodule/investigations/favorites.md 
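Review bot: the rename `overview_1.md` to `Tags.md` introduces the only capitalised filename in a tree that is otherwise all lower-case (overview.md, general.md, favorites.md, ...). Both updated links use `/admin/Tags.md`, so they are consistent with each other, but on a case-sensitive host any other link written as `tags.md` becomes a 404. Prefer `tags.md` and keep the display name in the page's front-matter title. If the 7.5 docs carry the same Tags node page, apply the same rename there; only 7.4 links are updated here.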
@@ -28,14 +28,10 @@ Click an investigation to open it. There is an empty star icon beside the name of an investigation not identified as a favorite. -![Empty star showing that investigation is not a favorite](/img/product_docs/threatprevention/7.4/reportingmodule/investigations/favoriteselectedtm.webp) - Click the star to add the investigation to your Favorites list. ## Remove an Investigation from Your Favorites There is a yellow star icon beside the name of an investigation identified as a favorite. -![Favorite investigation star icon selected](/img/product_docs/threatprevention/7.4/reportingmodule/investigations/favoriteselectedtm.webp) - Click the yellow star to remove the investigation from your Favorites list. diff --git a/docs/threatprevention/7.4/requirements/application.md b/docs/threatprevention/7.4/requirements/application.md index 8c3e8b5644..0717fa05d7 100644 --- a/docs/threatprevention/7.4/requirements/application.md +++ b/docs/threatprevention/7.4/requirements/application.md @@ -28,11 +28,11 @@ RAM, CPU, and Disk Space These depend on the size of the target environment and whether Analytics will be used. | Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics | -| ----------- | ------------------------------ | ------------------------------ | --------------------------- | --------------------------- | +| ------- | ----------- | ----------- | --------- | ---------- | | Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects | -| RAM | 128+ GB | 32 GB | 32 GB | 16 GB | -| Cores | 4+ CPU | 4 CPU | 4 CPU | 4 CPU | -| Disk Space | 67 GB | 67 GB | 67 GB | 35 GB | +| RAM | 128+ GB | 32 GB | 32 GB | 16 GB | +| Cores | 4+ CPU | 4 CPU | 4 CPU | 4 CPU | +| Disk Space | 67 GB | 67 GB | 67 GB | 35 GB | **_RECOMMENDED:_** For large environments with Analytics, a physical machine is strongly recommended. 
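Review bot: in favorites.md both screenshots are removed, but the dropped 'Empty star' image pointed at `favoriteselectedtm.webp`, the same asset as the 'Favorite investigation star icon selected' image, so the first reference was wrong rather than unnecessary. If an empty-star asset exists, correct that path instead of deleting both images; if it does not, say so in the commit message, since the subject `sidebar` does not cover removing screenshots.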
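Review bot: the application.md hunk only shortens the table separator row and realigns cell padding; the RAM, core and disk values are unchanged, so this is fine, but it is a formatting change unrelated to the sidebar and would be easier to review in its own commit.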
diff --git a/docs/threatprevention/7.4/requirements/ports.md b/docs/threatprevention/7.4/requirements/ports.md index 1dcfd3785a..454c99a190 100644 --- a/docs/threatprevention/7.4/requirements/ports.md +++ b/docs/threatprevention/7.4/requirements/ports.md 
@@ -26,25 +26,25 @@ topic for additional information. The following firewall settings are required for communication with the Enterprise Manager: -| Communication Direction | Protocol | Ports | Description | -| --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | --------------------------- | ---------------------------------------------------- | -| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager | gRPC / TCP | 3741 | Inbound Agent Communication | -| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode) Agents to Enterprise Manager | gRPC / TCP | 3739 | Inbound Agent Communication | -| Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | SQL Server Communication | -| Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | SQL Server Communication | -| Enterprise Manager to Agents | RPC / TCP | 135 | WMI enabled Optional: required for Agent Auto Deploy | -| Enterprise Manager to Agents | DCOM / TCP | Dynamic Range 49152 - 65535 | WMI enabled Optional: required for Agent Auto Deploy | +| Communication Direction | Protocol | Ports | Description | +| ------------- | ---------------- | ---------- | ------------------- | +| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager | gRPC / TCP | 3741 | Inbound Agent Communication | +| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode) Agents to Enterprise Manager | gRPC / TCP | 3739 | Inbound Agent Communication | +| Enterprise Manager to SQL Server | SQL Client / TCP | 1433 | SQL Server Communication | +| Enterprise Manager to SQL Server | SQL Client / UDP | 1434 | SQL Server Communication | +| Enterprise Manager to Agents | RPC / TCP | 135 | WMI enabled Optional: required for Agent 
Auto Deploy | +| Enterprise Manager to Agents | DCOM / TCP | Dynamic Range 49152 - 65535 | WMI enabled Optional: required for Agent Auto Deploy | ## Agent Firewall Rules The following firewall settings are required for communication with the Agent: -| Communication Direction | Protocol | Ports | Description | -| --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | --------------------------- | ---------------------------------------------------- | -| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager gRPC / TCP | gRPC / TCP | 3741 | Outbound Enterprise Manager Communication | -| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode) Agents to Enterprise Manager | gRPC / TCP | 3739 | Outbound Enterprise Manager Communication | -| Enterprise Manager to Agent | RPC / TCP | 135 | WMI enabled Optional: required for Agent Auto Deploy | -| Enterprise Manager to Agent | DCOM / TCP | Dynamic Range 49152 - 65535 | WMI enabled Optional: required for Agent Auto Deploy | +| Communication Direction | Protocol | Ports | Description | +| ---------- | ---------- | --------------------- | ------------- | +| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager gRPC / TCP | gRPC / TCP | 3741 | Outbound Enterprise Manager Communication | +| (For upgrading from versions prior to 7.3.5.x Agents using auto security mode, or any Agents using high security mode) Agents to Enterprise Manager | gRPC / TCP | 3739 | Outbound Enterprise Manager Communication | +| Enterprise Manager to Agent | RPC / TCP | 135 | WMI enabled Optional: required for Agent Auto Deploy | +| Enterprise Manager to Agent | DCOM / TCP | Dynamic Range 49152 - 65535 | WMI enabled Optional: required for Agent Auto Deploy | **NOTE:** For NAS device file activity monitoring, 
additional ports are required. See the [Ports for NAS Device Activity Monitoring](#ports-for-nasdevice-activity-monitoring) topic for @@ -54,8 +54,8 @@ additional information. The following firewall settings are required for communication with the Administration Console: -| Communication Direction | Protocol | Ports | Description | -| -------------------------------------------- | ---------- | ----- | ----------------------------------------- | +| Communication Direction | Protocol | Ports | Description | +| ------------------- | ---------- | ----- | ------------------- | | Administration Console to Enterprise Manager | gRPC / TCP | 3740 | Outbound Enterprise Manager Communication | ## Database Firewall Rules @@ -94,12 +94,12 @@ Active Directory Domain Controllers Firewall Rules The following firewall settings are required for communication between the Netwrix Threat Manager Reporting Module server and Active Directory domain controllers: -| Communication Direction | Protocol | Ports | Description | -| ----------------------- | -------- | ------- | ----------------------------------------------------------------------------------------------------------------------------- | -| Outbound | TCP | 88 | Kerberos-sec | +| Communication Direction | Protocol | Ports | Description | +| ----------------------- | -------- | ------- | ------------ | +| Outbound | TCP | 88 | Kerberos-sec | | Outbound | TCP | 135 | The endpoint mapper tells the client which randomly assigned port a service (FRS, AD replication, MAPI, etc.) is listening on | -| Outbound | TCP | 389 | LDAP | -| Outbound | TCP | 636 | SSL LDAP | +| Outbound | TCP | 389 | LDAP | +| Outbound | TCP | 636 | SSL LDAP | | Outbound | TCP | Various | The port that 135 reports. Used to bulk translate AD object names between formats.(Ephemeral Ports) | Database Firewall Rules 
@@ -107,8 +107,8 @@ Database Firewall Rules The following firewall settings are required to allow the Netwrix Threat Manager Reporting Module to talk to the Threat Prevention SQL database: -| Communication Direction | Protocol | Ports | Description | -| ------------------------------------------------------------------ | ---------------- | ----- | -------------------------------------------- | +| Communication Direction | Protocol | Ports | Description | +| ------------------- | ---------------- | ----- | ---------------------- | | Netwrix Threat Manager Reporting Integration Service to SQL Server | SQL Client / TCP | 1433 | Inbound Netwrix Threat Manager Communication | | Netwrix Threat Manager Reporting Integration Service to SQL Server | SQL Client / UDP | 1434 | Inbound Netwrix Threat Manager Communication | @@ -132,9 +132,9 @@ Dell Celerra & Dell VNX Devices Additional Firewall Rules The following firewall settings are required for communication between the CEE server/ Activity Monitor Activity Agent server and the target Dell device: -| Communication Direction | Protocol | Ports | Description | -| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | -| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | +| Communication Direction | Protocol | Ports | Description | +| ------------------------ | -------- | ----------------- | ----------------- | +| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | | CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data | Dell Isilon/PowerScale Devices Additional Firewall Rules 
@@ -142,9 +142,9 @@ Dell Isilon/PowerScale Devices Additional Firewall Rules The following firewall settings are required for communication between the CEE server/ Activity Monitor Activity Agent server and the target Dell Isilon/PowerScale device: -| Communication Direction | Protocol | Ports | Description | -| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | -| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication | +| Communication Direction | Protocol | Ports | Description | +| ------------------ | -------- | ----------------- | ----------------- | +| Dell Isilon/PowerScale to CEE Server | TCP | TCP 12228 | CEE Communication | | CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data | Dell Unity Devices Additional Firewall Rules @@ -152,9 +152,9 @@ Dell Unity Devices Additional Firewall Rules The following firewall settings are required for communication between the CEE server/ Activity Monitor Activity Agent server and the target Dell device: -| Communication Direction | Protocol | Ports | Description | -| ---------------------------------------------------------- | -------- | ----------------- | ----------------- | -| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | +| Communication Direction | Protocol | Ports | Description | +| ------------------- | -------- | ----------------- | ----------------- | +| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication | | CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data | Nasuni Edge Appliance Additional Firewall Rules diff --git a/docs/threatprevention/7.4/requirements/reportingserver.md b/docs/threatprevention/7.4/requirements/reportingserver.md index 5036c53462..b168bffec8 100644 --- a/docs/threatprevention/7.4/requirements/reportingserver.md 
+++ b/docs/threatprevention/7.4/requirements/reportingserver.md 
@@ -50,17 +50,17 @@ Permissions for Active Directory Sync The following permissions are required for the credentials used by Netwrix Threat Manager Reporting Module for Active Directory Sync: -| Object Type | Function | Access Requirements | -| ----------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | -| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container | -| Group | Retrieve all groups | Read Access to all group objects in the domain | -| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container | -| User | Retrieve all users | Read all user objects from the domain | -| Computer | Retrieve all deleted computer objects | Read all computer objects under the Deleted Objects Container | -| Computer | Retrieve all computer objects | Read all computer objects in the domain | -| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain | -| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain | -| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory | +| Object Type | Function | Access Requirements | +| ----------- | ------------- | ------------------ | +| Group | Retrieve all deleted groups | Read Access to group objects under the Deleted Objects Container | +| Group | Retrieve all groups | Read Access to all group objects in the domain | +| User | Retrieve all deleted users | Read Access to user objects under the Deleted Objects Container | +| User | Retrieve all users | Read all user objects from the domain | +| Computer | Retrieve all deleted computer objects | Read all computer objects 
under the Deleted Objects Container | +| Computer | Retrieve all computer objects | Read all computer objects in the domain | +| Group | Used specifically for groups that have large memberships which get automatically truncated by the query | Read Access to memberof for all group objects in the domain | +| GMSA | Retrieve all Group Managed Service Accounts | Read access to all msDS-groupmanagedserviceaccount objects in the domain | +| Secret | Retrieve all DPAPI master backup keys (Secret objects) | Read access to all secret objects in Active Directory | ## Client Requirements diff --git a/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md b/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md index 2c7625fa28..87496c5831 100644 --- a/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md +++ b/docs/threatprevention/7.4/requirements/sqlserver/sqlserver.md 
@@ -24,16 +24,16 @@ RAM, CPU, and Disk Space These depend on the size of the target environment. -| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics | -| ------------------------ | ------------------------------ | ------------------------------ | --------------------------- | --------------------------- | -| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects | -| RAM | 32 GB | 16 GB | 16 GB | 8 GB | -| Cores | 4 CPU | 4 CPU | 4 CPU | 4 CPU | -| Number of Disks | 4 | 4 | 4 | 1-4 | -| Operating System Disk | 10 GB | 10 GB | 10 GB | 10 GB | -| SQL Database Disk | 500 GB | 300 GB | 150 GB | 100 GB | -| SQL Transaction Log Disk | 80 GB | 80 GB | 40 GB | 20 GB | -| SQL TEMP DB Disk | 160 GB | 160 GB | 80 GB | 40 GB | +| Environment | Large with Analytics | Large without Analytics | Small with Analytics | Small without Analytics | +| ----------- | ----------- | ---------- | ---------- | ----------- | +| Definition | 2,000 - 15,000 AD user objects | 2,000 - 15,000 AD user objects | Up to 2,000 AD user objects | Up to 2,000 AD user objects | +| RAM | 32 GB | 16 GB | 16 GB | 8 GB | +| Cores | 4 CPU | 4 CPU | 4 CPU | 4 CPU | +| Number of Disks | 4 | 4 | 4 | 1-4 | +| Operating System Disk | 10 GB | 10 GB | 10 GB | 10 GB | +| SQL Database Disk | 500 GB | 300 GB | 150 GB | 100 GB | +| SQL Transaction Log Disk | 80 GB | 80 GB | 40 GB | 20 GB | +| SQL TEMP DB Disk | 160 GB | 160 GB | 80 GB | 40 GB | The disk sizes for the three SQL Server databases can be reduced if not utilizing all Threat Prevention solutions. diff --git a/docs/threatprevention/7.5/admin/navigation/overview.md b/docs/threatprevention/7.5/admin/navigation/overview.md index 7978ad42ff..4ca147142a 100644 --- a/docs/threatprevention/7.5/admin/navigation/overview.md +++ b/docs/threatprevention/7.5/admin/navigation/overview.md 
@@ -40,26 +40,26 @@ The Menu contains the following selections: ![Administration Console - Menu](/img/product_docs/threatprevention/7.5/admin/navigation/menu.webp) -| Menu Item | Option | Description | -| ------------- | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| File | New | Create new policies (Ctrl+P), new templates (Ctrl+T), or new folders (Ctrl+F) in the selected location of the Policy Center | -| | Rename | Opens a textbox to rename the selected policy, template, or folder in the Policy Center | -| | Remove | Removes the selected policy, template, or folder from the Policy Center | -| | Exit | Exit the Administration Console | -| Tools | Export … | Export (Alt+X) policies and templates through the [Export Policies and Templates Window](/docs/threatprevention/7.5/admin/tools/exportpoliciestemplates.md) | -| | Import … | Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the [Import Window](/docs/threatprevention/7.5/admin/tools/import.md) | -| Configuration | Alerts | Configure and manage all email, event log, and SEIM alerts in the [System Alerting Window](/docs/threatprevention/7.5/admin/configuration/systemalerting/overview.md) | -| | Users | A security feature for configuring access to the Administration Console. 
Users are added and assigned rights through the [Users and Roles Window](/docs/threatprevention/7.5/admin/configuration/userroles/overview.md). | -| | Database > Server | Manage the events database in the [Events Database Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventsdatabaseconfiguration.md). You can view the information, but cannot make changes. | -| | Database > Maintenance | Use database maintenance to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the [Database Maintenance Window](/docs/threatprevention/7.5/admin/configuration/databasemaintenance/overview.md). | -| | Collections | Manage all Microsoft Collections in the [Collection Manager Window](/docs/threatprevention/7.5/admin/configuration/collectionmanager/overview.md) | -| | Event Filtering | Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from machine accounts. Both settings are ON by default. It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md). | -| | Netwrix Threat Manager Configuration | Enables integration between Threat Prevention and Threat Manager in a global setting. The Threat Manager URI is set in the [Netwrix Threat Manager Configuration Window](/docs/threatprevention/7.5/admin/configuration/threatmanagerconfiguration.md). Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to Threat Manager. 
| -| | File Monitor Settings | Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for Threat Prevention file monitoring and blocking policies in a global setting. These options are set in the [File Monitor Settings Window](/docs/threatprevention/7.5/admin/configuration/filemonitorsettings.md). | -| | EPE Settings | Manages the Have I Been Pwned password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the [EPE Settings Window](/docs/threatprevention/7.5/admin/configuration/epesettings.md). | -| Help | Administration Console Help | Opens the internal help documentation | -| | License Manager | Opens the Threat Prevention [License Manager Window](/docs/threatprevention/7.5/admin/navigation/licensemanager.md) where the customer name, license expiry date, and licensed modules are displayed | -| | About Netwrix Threat Prevention Administration Console | Opens the Administration Console window where the product version, copyright, and the Netwrix website link are displayed | +| Menu Item | Option | Description | +| ------------- | ------------------- | ------------------- | +| File | New | Create new policies (Ctrl+P), new templates (Ctrl+T), or new folders (Ctrl+F) in the selected location of the Policy Center | +| | Rename | Opens a textbox to rename the selected policy, template, or folder in the Policy Center | +| | Remove | Removes the selected policy, template, or folder from the Policy Center | +| | Exit | Exit the Administration Console | +| Tools | Export … | Export (Alt+X) policies and templates through the [Export Policies and Templates Window](/docs/threatprevention/7.5/admin/tools/exportpoliciestemplates.md) | +| | Import … | Import (Alt+I) policies/templates, collections, and event consumers/alerts from an exported file through the [Import 
Window](/docs/threatprevention/7.5/admin/tools/import.md) | +| Configuration | Alerts | Configure and manage all email, event log, and SEIM alerts in the [System Alerting Window](/docs/threatprevention/7.5/admin/configuration/systemalerting/overview.md) | +| | Users | A security feature for configuring access to the Administration Console. Users are added and assigned rights through the [Users and Roles Window](/docs/threatprevention/7.5/admin/configuration/userroles/overview.md). | +| | Database > Server | Manage the events database in the [Events Database Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventsdatabaseconfiguration.md). You can view the information, but cannot make changes. | +| | Database > Maintenance | Use database maintenance to automatically groom the database to optimize performance by archiving and/or deleting data aged beyond a specified threshold. This can be configured to run by Event Type, Analytic, or Policy. It is configured in the [Database Maintenance Window](/docs/threatprevention/7.5/admin/configuration/databasemaintenance/overview.md). | +| | Collections | Manage all Microsoft Collections in the [Collection Manager Window](/docs/threatprevention/7.5/admin/configuration/collectionmanager/overview.md) | +| | Event Filtering | Filters Active Directory events to remove “noise” from collected event data and/or exclude logins from machine accounts. Both settings are ON by default. It also allows authentication events from selected hosts or from selected accounts to be excluded, which require configuration before being enabled. A latency threshold can be set to generate alerts when the delivery of AD Events are delayed beyond the threshold. These options are configured in the [Event Filtering Configuration Window](/docs/threatprevention/7.5/admin/configuration/eventfilteringconfiguration.md). 
| +| | Netwrix Threat Manager Configuration | Enables integration between Threat Prevention and Threat Manager in a global setting. The Threat Manager URI is set in the [Netwrix Threat Manager Configuration Window](/docs/threatprevention/7.5/admin/configuration/threatmanagerconfiguration.md). Choose policies through the Policy checkboxes in this window or the Actions tab of each policy for sending event data to Threat Manager. | +| | File Monitor Settings | Manages the log retention, inherited permissions filtering, disables office file filtering, and the ability to exclude AD accounts and processes for Threat Prevention file monitoring and blocking policies in a global setting. These options are set in the [File Monitor Settings Window](/docs/threatprevention/7.5/admin/configuration/filemonitorsettings.md). | +| | EPE Settings | Manages the Have I Been Pwned password hash database configuration and update options as well as global Password Rules filter configurations. These options are configured in the [EPE Settings Window](/docs/threatprevention/7.5/admin/configuration/epesettings.md). | +| Help | Administration Console Help | Opens the internal help documentation | +| | License Manager | Opens the Threat Prevention [License Manager Window](/docs/threatprevention/7.5/admin/navigation/licensemanager.md) where the customer name, license expiry date, and licensed modules are displayed | +| | About Netwrix Threat Prevention Administration Console | Opens the Administration Console window where the product version, copyright, and the Netwrix website link are displayed | ## Policy Center diff --git a/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md b/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md index 11bb4cac22..b494abcddb 100644 --- a/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md +++ b/docs/threatprevention/7.5/admin/navigation/rightclickmenus.md 
@@ -15,8 +15,8 @@ From the Agents node, the right-click menu can be used to install the Agent. ![Agents node - Right-click Menu](/img/product_docs/threatprevention/7.5/admin/navigation/agentsmenu.webp) -| Right-Click Command | Description | -| ------------------- | ----------------------------------------------------------------------------------------------------------------- | +| Right-Click Command | Description | +| ------------------- | ----------------------- | | Install Agent | Opens the [Deploy Agents Wizard](/docs/threatprevention/7.5/admin/agents/deploy/overview.md#deploy-agents-wizard) | **Saved ‘Filtered Investigate’ Nodes** @@ -47,14 +47,14 @@ From a Folder node, the right-click menu contains these commands. ![Folder Node - Right-click Menu](/img/product_docs/threatprevention/7.5/admin/navigation/foldermenu.webp) -| Right-Click Command | Description | -| ----------------------- | ----------------------------------------------------------------------------------------------------- | +| Right-Click Command | Description | +| ----------------------- | ---------------------- | | New — Policy (Crtl+P) | Creates a new policy in the selected location. Only available for folders under the Policies node. | | New — Template (Crtl+T) | Creates a new template in the selected location. Only available for folders under the Templates node. | -| New — Folder (Crtl+F) | Creates a new folder in the selected location | -| Rename | Opens a textbox to rename the selected folder | -| Remove | Deletes the selected folder | -| Paste | Pastes a copied policy/template into the selected folder | +| New — Folder (Crtl+F) | Creates a new folder in the selected location | +| Rename | Opens a textbox to rename the selected folder | +| Remove | Deletes the selected folder | +| Paste | Pastes a copied policy/template into the selected folder | :::note If the logged in user does not have the **Manage Policies** permissions for a protected 
@@ -69,13 +69,13 @@ From the node for a specific policy or template, the right-click menu contains t ![`` and `
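Review bot: in the ports.md hunk `@@ -26,25 +26,25 @@`, the rewritten Agent Firewall Rules row `| (For versions 7.3.5 and later Agents using auto security mode) Agents to Enterprise Manager gRPC / TCP | gRPC / TCP | 3741 | ...` repeats the protocol inside the Communication Direction cell; since the line is already being rewritten, drop the trailing "gRPC / TCP" from the first cell so it reads like the matching row in the Enterprise Manager table above it. In the unchanged NOTE at the end of the same hunk, the anchor `#ports-for-nasdevice-activity-monitoring` does not correspond to its link text "Ports for NAS Device Activity Monitoring" (a generated slug would normally be `ports-for-nas-device-activity-monitoring`), so it is worth confirming that the link still resolves.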
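Review bot: in the ports.md hunks `@@ -132,9 +132,9 @@` (Dell Celerra & Dell VNX) and `@@ -152,9 +152,9 @@` (Dell Unity), the rewritten row `| Dell Device CEE Server | TCP | RPC Dynamic Range | CEE Communication |` is missing the direction word; the Isilon/PowerScale hunk in between writes it as `Dell Isilon/PowerScale to CEE Server`, so these two rows should read "Dell Device to CEE Server" for consistency, and the line is being touched anyway.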
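Review bot: in the reportingserver.md hunk `@@ -50,17 +50,17 @@`, the rewritten Access Requirements cells mix three phrasings for the same requirement ("Read Access to group objects ...", "Read access to all msDS-groupmanagedserviceaccount objects ...", "Read all computer objects ..."); since every row of the table is replaced, normalize the casing and wording in one pass, and write the attribute in the large-membership row as `memberOf`, which is how the Active Directory attribute is normally spelled.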
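Review bot: the sqlserver.md hunk `@@ -24,16 +24,16 @@`, like the other table hunks in this change, only shortens the separator rows and the cell padding, which changes nothing in the rendered page but makes the raw markdown columns stop lining up and adds review noise to a change whose other hunks are link-path renames; if the goal is to stop a formatter from re-padding the tables, that belongs in a separate formatting-only commit, otherwise this hunk can be dropped.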
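Review bot: in the navigation/overview.md hunk `@@ -40,26 +40,26 @@`, the rewritten Alerts row says "email, event log, and SEIM alerts" where the usual abbreviation is "SIEM", and the rewritten Event Filtering row has two agreement errors: "authentication events ... to be excluded, which require configuration" should read "which requires configuration", and "when the delivery of AD Events are delayed" should read "is delayed". All three lines are already being replaced, so fix the text while you are in there.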
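Review bot: in the rightclickmenus.md hunk `@@ -47,14 +47,14 @@`, the rewritten row `| New — Folder (Crtl+F) | Creates a new folder in the selected location |` carries the "Crtl" typo, and the two unchanged context rows above it (`New — Policy (Crtl+P)`, `New — Template (Crtl+T)`) have the same one; the overview.md table in this same change spells these shortcuts Ctrl+P, Ctrl+T and Ctrl+F, so correct all three to "Ctrl" here.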